
Attacking and Defending ActiveDirectory - Bootcamp SlideNotes


1

2
3
4
5
6
7
8
9
10
https://technet.microsoft.com/en-us/library/cc780036(v=ws.10).aspx

11
12
13
14
15
16
Check out Invoke-CradleCrafter:
https://github.com/danielbohannon/Invoke-CradleCrafter

18
19
20
15 ways to bypass PowerShell execution policy
https://www.netspi.com/blog/entryid/238/15-ways-to-bypass-the-powershell-execution-policy

21
22
https://github.com/OmerYa/Invisi-Shell/blob/master/InvisiShellProfier/InvisiShellProfiler.cpp
https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview

23
24
25
26
27
28
29
30
31
32
33
34
35
Microsoft Cloud Red Teaming Paper: https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837392e

36
37
38
39
40
https://janikvonrotz.ch/2015/09/09/deploy-powershell-activedirectory-module-without-installing-the-remote-server-tools/
https://www.labofapenetrationtester.com/2018/10/domain-enumeration-from-PowerShell-CLM.html

41
53
58
Reference: https://docs.microsoft.com/en-us/windows/win32/secauthz/dacls-and-aces
Active Directory Rights: https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights1
Extended Rights: https://docs.microsoft.com/en-us/previous-versions/tn-archive/ff405676(v=msdn.10)
64
Reference: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)
76
82
NTLM Relaying example - https://github.com/antonioCoco/RemotePotato0

83
86
87
http://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html

88
See more at http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html
http://www.labofapenetrationtester.com/2015/11/week-of-continuous-intrusion-day-1.html

89
90
91
92
93
https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ff700227(v=msdn.10)

94
97
https://github.com/gentilkiwi/mimikatz
Unofficial mimikatz guide:
https://adsecurity.org/?p=2207
https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them
https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1
https://github.com/b4rtik/SharpKatz
https://github.com/outflanknl/Dumpert
https://github.com/Flangvik/BetterSafetyKatz
https://github.com/GhostPack/SafetyKatz
https://github.com/skelsec/pypykatz
https://github.com/Hackndo/lsassy
https://github.com/SecureAuthCorp/impacket/
https://github.com/FSecureLABS/physmem2profit
Reference for logon types: https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them
https://github.com/GhostPack/Rubeus/
A repo of popular Offensive C# tools - https://github.com/Flangvik/SharpCollection

109
110
111
112
113
https://github.com/gentilkiwi/mimikatz
https://github.com/PowerShellMafia/PowerSploit/blob/master/ScriptModification/Out-CompressedDll.ps1

114
115
116
117
118
119
120
121
122
123
126
http://passing-the-hash.blogspot.com/2014/09/pac-validation-20-minute-rule-and.html

127
128
The krbtgt hash could also be dumped from NTDS.dit.

129
130
131
132
133
134
List of SPNs: https://adsecurity.org/?page_id=183

136
137
138
141
http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/
145
https://adsecurity.org/?p=1785
https://adsecurity.org/?p=1714
151
https://docs.microsoft.com/en-us/windows/win32/secauthn/ssp-packages-provided-by-Microsoft
https://attack.mitre.org/wiki/Technique/T1101
https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
https://adsecurity.org/?p=1906
https://www.ossir.org/paris/supports/2017/2017-04-11/2017-04-11_Active_directory_v2.5.pdf
Ref for PowerView command: http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/
https://gallery.technet.microsoft.com/Invoke-SDPropagator-to-c99ae41c
169
170
Reference: https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings

171
https://github.com/samratashok/RACE
https://github.com/samratashok/nishang/tree/master/Backdoors
https://docs.microsoft.com/en-us/archive/blogs/wmi/scripting-wmi-namespace-security-part-1-of-3

172
Note: Ignore the 'I/O operation' error.
https://github.com/samratashok/nishang/tree/master/Backdoors

173
https://github.com/HarmJ0y/DAMP
https://posts.specterops.io/remote-hash-extraction-on-demand-via-host-security-descriptor-modification-2cf505ec5c40

174
175
https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin%281%29.pdf

176
177
Request a ticket using .NET classes
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"

Invoke-Kerberoast from BC Empire (https://github.com/BC-SECURITY/Empire) can be used as well for cracking with John or Hashcat.
. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -Identity svcadmin
Crack ticket using tgsrepcrack
Check if the ticket has been granted
klist.exe
Export all tickets using Mimikatz
Invoke-Mimikatz -Command '"kerberos::list /export"'
Crack the Service account password
python.exe .\tgsrepcrack.py .\10k-worst-passwords.txt '.\2-40a10000-studentuser@USSvc~serviceaccount-US.TECHCORP.LOCAL.kirbi'
181
Reference: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

182
183
184
185
https://github.com/HarmJ0y/ASREPRoast

186
Reference: http://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/

187
188
https://room362.com/post/2016/kerberoast-pt3/

189
https://room362.com/post/2016/kerberoast-pt3/

190
https://labs.f-secure.com/archive/trust-years-to-earn-seconds-to-break/
http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html
https://adsecurity.org/?p=1667
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)
195
https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
http://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31
201
https://labs.f-secure.com/archive/trust-years-to-earn-seconds-to-break/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94
https://labs.f-secure.com/archive/trust-years-to-earn-seconds-to-break/
https://www.secureauth.com/blog/kerberos-delegation-spns-and-more
214
https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
220
221
222
223
224
https://adsecurity.org/?p=1588

225
226
227
List of Active Directory SPNs https://adsecurity.org/?page_id=183

228
229
230
231
232
http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/

233
234
235
236
https://adsecurity.org/?p=1588

237
238
List Active Directory SPNs https://adsecurity.org/?page_id=183

239
240
241
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831740(v=ws.11)

242
243
Diagram source - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf

244
See page 4 and 5 for summary of attack techniques -
https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf

245
246
247
248
249
250
251
252
253
254
255
256
257
More at: https://docs.microsoft.com/en-us/sql/relational-databases/linked-servers/linked-servers-database-engine

258
259
260
261
262
263
264
265
266
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts#BKMK_AddtoProtectedUsers

267
268
269
https://docs.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)
271
272
273
274
275
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#ESAE_BM

276
277
https://www.blackhat.com/docs/us-15/materials/us-15-Moore-Defeating%20Pass-the-Hash-Separation-Of-Powers-wp.pdf

278
279
280
https://blogs.technet.microsoft.com/cbernier/2015/10/06/microsoft-advanced-threat-analytics/
https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats
https://www.blackhat.com/docs/us-17/thursday/us-17-Mittal-Evading-MicrosoftATA-for-ActiveDirectory-Domination.pdf
285
286
Configuring Additional LSA Protection: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx
298
299
300
301
302
303