🐇 Deeper Down the Rabbit Hole
Enumerating Security Controls
After gaining a foothold, we could use this access to get a feeling for the defensive state of the hosts, enumerate the domain further now that our visibility is not as restricted, and, if necessary, work at "living off the land" by using tools that exist natively on the hosts.
Windows Defender
We can use the built-in PowerShell cmdlet Get-MpComputerStatus to get the current Defender status. Here, we can see that the RealTimeProtectionEnabled parameter is set to True, which means Defender is enabled on the system.
Credentialed Enumeration - from Linux
We are interested in information about domain user and computer attributes, group membership, Group Policy Objects, permissions, ACLs, trusts, and more.
CrackMapExec
CME offers a help menu for each protocol (i.e., crackmapexec winrm -h / crackmapexec smb -h, etc.).
Some of the flags we are most interested in are:
- `-u Username`: the user whose credentials we will use to authenticate
- `-p Password`: the user's password
- Target (IP or FQDN): the target host to enumerate (in our case, the Domain Controller)
- `--users`: specifies to enumerate domain users
- `--groups`: specifies to enumerate domain groups
- `--loggedon-users`: attempts to enumerate what users are logged on to a target, if any
CME - Domain User Enumeration
This command is very useful since it showcases the badPwdCount attribute. We could build a target user list that filters out any user whose badPwdCount attribute is above 0, to be extra careful not to lock any accounts out.
CME - Domain Group Enumeration
CME - Logged On Users
We see that many users are logged into this server, which is very interesting.
CME Share Searching
It's good to enumerate available shares on the remote host and the level of access our user account has to each share (READ or WRITE access).
The module spider_plus will dig through each readable share on the host and list all readable files.
When completed, CME writes the results to a JSON file located at /tmp/cme_spider_plus/<ip of host>.
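The spider_plus JSON is a share-by-share listing, and the useful follow-up is to triage it for files that should never be readable by every domain user (answer files, IIS configs, private keys). The script below is an added example written for this page, not part of CrackMapExec; the sample document is constructed in the share -> path -> metadata shape the module writes, and the metadata key names (`mtime_epoch`, `size`) are an assumption for the example rather than a copy of the module's output.

```python
import json
import re
from typing import Iterator

# Constructed sample in the shape spider_plus writes (share -> path -> metadata).
# The metadata key names are an assumption for this example, not copied from the CME source.
SAMPLE_JSON = """{
  "Department Shares": {
    "IT/Private/Unattend.xml": {"mtime_epoch": "2022-04-08 10:12:01", "size": "3.1 KB"},
    "HR/Policies/Holiday.pdf": {"mtime_epoch": "2022-01-10 09:00:00", "size": "412.0 KB"},
    "Dev/old-site/web.config": {"mtime_epoch": "2021-11-02 17:45:12", "size": "1.9 KB"}
  },
  "User Shares": {
    "jsmith/notes.txt": {"mtime_epoch": "2022-05-01 08:30:00", "size": "0.2 KB"},
    "jsmith/.ssh/id_rsa": {"mtime_epoch": "2020-09-14 12:00:00", "size": "1.6 KB"}
  }
}"""

# File name patterns that should never sit on a share every domain user can read.
SENSITIVE = [
    (re.compile(r"unattend\.xml$", re.I), "unattended-install answer file (may embed a local admin password)"),
    (re.compile(r"web\.config$", re.I), "IIS config, often holds database connection strings"),
    (re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$"), "private SSH key"),
    (re.compile(r"\.(kdbx|pfx|p12|ppk)$", re.I), "password database or private key container"),
    (re.compile(r"pass(word|wd)?", re.I), "file name mentions a password"),
]


def iter_files(data: dict) -> Iterator[tuple[str, str, str]]:
    """Flatten the share -> path -> metadata tree into (share, path, size) rows."""
    for share, files in data.items():
        for path, meta in files.items():
            yield share, path, meta.get("size", "?")


def count_files(raw_json: str) -> int:
    """Total number of readable files the spider recorded."""
    return sum(1 for _ in iter_files(json.loads(raw_json)))


def triage(raw_json: str) -> list[dict]:
    """Return the readable files that match a sensitive pattern, sorted by share and path."""
    hits = []
    for share, path, size in iter_files(json.loads(raw_json)):
        for pattern, why in SENSITIVE:
            if pattern.search(path):
                hits.append({"share": share, "path": path, "size": size, "reason": why})
                break  # one reason per file is enough for the report
    return sorted(hits, key=lambda h: (h["share"], h["path"]))


if __name__ == "__main__":
    print(f"{count_files(SAMPLE_JSON)} readable files recorded")
    for hit in triage(SAMPLE_JSON):
        print(f"{hit['share']}\\{hit['path']} ({hit['size']}): {hit['reason']}")
```

To run it against a real capture, replace SAMPLE_JSON with the contents of the file under /tmp/cme_spider_plus/; every flagged path is a share-permission finding to report regardless of whether the file turns out to contain a secret.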
SMBMap
SMBMap is great for enumerating SMB shares from a Linux attack host.
SMBMap To Check Access
Recursive List Of All Directories
rpcclient
It can enumerate, add, change, and even remove objects from AD. We can perform authenticated or unauthenticated enumeration using rpcclient.
An example of using rpcclient from an unauthenticated standpoint would be:
rpcclient Enumeration
Now we are going to talk about the Relative Identifier (RID) that Windows uses to track and identify objects.
Here's how it works: the SID for the INLANEFREIGHT.LOCAL domain is S-1-5-21-3842939050-3880317879-2865463114. When an object is created within a domain, that domain SID is combined with a RID to make a unique value that represents the object.
So the domain user htb-student, with RID 0x457 (hex 0x457 is decimal 1111), will have the full user SID S-1-5-21-3842939050-3880317879-2865463114-1111.
RPCClient User Enumeration By RID
rpcclient takes the RID as a hex value, so a decimal RID needs to be converted to hex for this to work (hex 0x457 is decimal 1111).
If we wished to enumerate all users to gather the RIDs for more than just one, we would use the enumdomusers command.
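The hex/decimal conversion and the domain-SID-plus-RID composition described above, as an added example (not code from the page or from rpcclient). It reuses the INLANEFREIGHT.LOCAL domain SID given on the page; the well-known RID table is the standard set Windows assigns in every domain.

```python
import re

# Domain SID for INLANEFREIGHT.LOCAL as given on this page
DOMAIN_SID = "S-1-5-21-3842939050-3880317879-2865463114"

# S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# RIDs that are fixed in every Active Directory domain
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    515: "Domain Computers",
    516: "Domain Controllers",
    519: "Enterprise Admins",
}


def rid_hex_to_dec(rid_hex: str) -> int:
    """'0x457' (the form rpcclient prints) -> 1111."""
    return int(rid_hex, 16)


def rid_dec_to_hex(rid: int) -> str:
    """1111 -> '0x457' (the form rpcclient's queryuser expects)."""
    if rid < 0:
        raise ValueError("RID must be non-negative")
    return f"0x{rid:x}"


def build_sid(domain_sid: str, rid: int) -> str:
    """Compose the object SID: domain SID followed by the RID in decimal."""
    if not SID_RE.match(domain_sid):
        raise ValueError(f"not a valid SID: {domain_sid}")
    return f"{domain_sid}-{rid}"


def split_sid(sid: str) -> tuple[str, int]:
    """Split an object SID back into (domain SID, RID)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a valid SID: {sid}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def describe_rid(rid: int) -> str:
    """Name a well-known RID, or say what the range implies for anything else."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "built-in object (RID < 1000)" if rid < 1000 else "custom object (RID >= 1000)"


if __name__ == "__main__":
    rid = rid_hex_to_dec("0x457")
    sid = build_sid(DOMAIN_SID, rid)
    print(f"RID 0x457 = {rid}; SID {sid}; {describe_rid(rid)}")
    print(f"RID 1170 in hex for rpcclient: {rid_dec_to_hex(1170)}")
```

Because the RID is the only part that varies per object, a defender reviewing rpcclient output can spot the Administrator account even after it has been renamed: its RID is always 500.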
Impacket Toolkit
Psexec.py
The tool creates a remote service by uploading a randomly-named executable to the ADMIN$ share on the target host. It then registers the service via RPC and the Windows Service Control Manager. Once established, communication happens over a named pipe, providing an interactive remote shell as SYSTEM on the victim host.
To connect to a host with psexec.py, we need credentials for a user with local administrator privileges.
wmiexec.py
Wmiexec.py utilizes a semi-interactive shell where commands are executed through Windows Management Instrumentation. This is a stealthier approach to execution on hosts than other tools, but it would still likely be caught by most modern anti-virus and EDR systems.
Windapsearch
Windapsearch is a Python script we can use to enumerate users, groups, and computers from a Windows domain by utilizing LDAP queries.
Two useful options are --da (enumerate Domain Admins group members) and -PU (find privileged users). The -PU option is interesting because it performs a recursive search for users with nested group membership.
Windapsearch - Domain Admins
It enumerated 28 users from the Domain Admins group.
We can then run the tool with the -PU flag and check for users with elevated privileges that may have gone unnoticed. This is a great check for reporting since it will most likely inform the customer of users with excess privileges from nested group membership.
Bloodhound.py
It creates graphical representations or "attack paths" of where access with a particular user may lead.
Executing BloodHound.py
Once the script finishes, we will see the output files in the current working directory in the format of <date_object.json>.
Upload the Zip File into the BloodHound GUI
First we need to type sudo neo4j start to start the neo4j service.
Next, we can type bloodhound from our Linux attack host.
We can either upload each JSON file one by one or zip them first with a command such as zip -r ilfreight_bh.zip *.json and upload the Zip file.
To upload the files:
Now that the data is loaded, we can use the Analysis tab to run queries against the database. There are many great cheat sheets to help us here.
Searching for Relationships
The query chosen to produce the map above was Find Shortest Paths To Domain Admins.
This will be extremely helpful when planning our next steps for lateral movement through the network.
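The BloodHound.py collector writes one JSON file per object type, and the same files can be inspected without the GUI. The following is an added example written for this page, not part of BloodHound or BloodHound.py: it parses a constructed users export laid out the way the collector writes it (a "data" list whose entries carry a "Properties" dictionary, plus a "meta" block) and lists the accounts that carry a Service Principal Name, which is what makes an account Kerberoastable. The decision to drop disabled accounts and krbtgt from the default answer is this example's choice, not a statement about which accounts BloodHound's built-in query returns.

```python
import json

# Constructed users.json in the shape of a BloodHound collector export. Names and values are made up.
SAMPLE_USERS_JSON = """{
  "data": [
    {"Properties": {"name": "ADMINISTRATOR@INLANEFREIGHT.LOCAL", "enabled": true,  "hasspn": false, "serviceprincipalnames": []}},
    {"Properties": {"name": "SVC_SQL@INLANEFREIGHT.LOCAL",       "enabled": true,  "hasspn": true,  "serviceprincipalnames": ["MSSQLSvc/sql01.inlanefreight.local:1433"]}},
    {"Properties": {"name": "SVC_OLDAPP@INLANEFREIGHT.LOCAL",    "enabled": false, "hasspn": true,  "serviceprincipalnames": ["HTTP/oldapp.inlanefreight.local"]}},
    {"Properties": {"name": "KRBTGT@INLANEFREIGHT.LOCAL",        "enabled": false, "hasspn": true,  "serviceprincipalnames": ["kadmin/changepw"]}},
    {"Properties": {"name": "BDAVIS@INLANEFREIGHT.LOCAL",        "enabled": true,  "hasspn": false, "serviceprincipalnames": []}}
  ],
  "meta": {"type": "users", "count": 5}
}"""


def load_users(raw_json: str) -> list[dict]:
    """Return the Properties dict of every user, after checking this really is a users export."""
    doc = json.loads(raw_json)
    meta = doc.get("meta", {})
    if meta.get("type") != "users":
        raise ValueError(f"expected a users export, got {meta.get('type')!r}")
    users = [entry["Properties"] for entry in doc["data"]]
    if meta.get("count") not in (None, len(users)):
        raise ValueError("meta.count does not match the number of entries")
    return users


def accounts_with_spn(raw_json: str) -> list[str]:
    """Every account that has at least one SPN registered, no filtering."""
    return [u["name"] for u in load_users(raw_json) if u.get("hasspn")]


def kerberoastable(raw_json: str, include_disabled: bool = False) -> list[str]:
    """SPN-bearing accounts a service ticket could be requested for.

    krbtgt is skipped because its SPN is not a service anyone can request a ticket to;
    disabled accounts are skipped by default because the KDC will not issue tickets for them.
    """
    out = []
    for u in load_users(raw_json):
        if not u.get("hasspn"):
            continue
        if u["name"].upper().startswith("KRBTGT@"):
            continue
        if not include_disabled and not u.get("enabled", False):
            continue
        out.append(u["name"])
    return out


def spn_report(raw_json: str) -> dict[str, list[str]]:
    """Account -> SPNs, for the remediation list (long random passwords or gMSAs for these)."""
    return {name: next(u["serviceprincipalnames"] for u in load_users(raw_json) if u["name"] == name)
            for name in kerberoastable(raw_json, include_disabled=True)}


if __name__ == "__main__":
    print(f"{len(kerberoastable(SAMPLE_USERS_JSON))} enabled Kerberoastable account(s)")
    for name, spns in spn_report(SAMPLE_USERS_JSON).items():
        print(f"  {name}: {', '.join(spns)}")
```

Point the loader at the real `<date>_users.json` written by the collector; the count it produces is the figure to put in the report, and spn_report gives the list of service accounts whose passwords should be rotated to long random values or moved to group Managed Service Accounts.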
Practical example
First I start by connecting through RPC with a null session and enumerate users.
What AD user has a RID equal to decimal 1170?
Now I need to find the hex value that I'm looking for:
We can now look for him:
And to find the member count of the "Interns" group?
We just need to grep for what we are looking for.
Credentialed Enumeration - from Windows
In this section we are going to use some tools such as SharpHound/BloodHound, PowerView/SharpView, Grouper2, Snaffler, and some built-in tools useful for AD enumeration.
ActiveDirectory PowerShell Module
The ActiveDirectory PowerShell module is a group of PowerShell cmdlets for administering an Active Directory environment from the command line. There are 147 different cmdlets at the time of writing.
The Get-Module cmdlet will list all available modules. This is a great way to see if anything like Git or custom administrator scripts are installed. If the module is not loaded, run Import-Module ActiveDirectory to load it for use.
Discover Modules
Load ActiveDirectory Module
Get Domain Info
Get-ADUser
This will get us a listing of accounts that may be susceptible to a Kerberoasting attack
Checking For Trust Relationships
This will be useful later on when looking to take advantage of child-to-parent trust relationships and attacking across forest trusts.
Group Enumeration
And to get more detailed information about a particular group:
Now we can get even more specific by getting a member listing using the Get-ADGroupMember cmdlet.
We can see that one account, backupagent, belongs to this group.
PowerView
Useful documentation about Powerview: Active Directory PowerView module
Some useful cmdlets:
| Command | Description |
| --- | --- |
| | Append results to a CSV file |
| | Convert a User or group name to its SID value |
| | Requests the Kerberos ticket for a specified Service Principal Name (SPN) account |
| Domain/LDAP Functions: | |
| | Will return the AD object for the current (or specified) domain |
| | Return a list of the Domain Controllers for the specified domain |
| | Will return all users or specific user objects in AD |
| | Will return all computers or specific computer objects in AD |
| | Will return all groups or specific group objects in AD |
| | Search for all or specific OU objects in AD |
| | Finds object ACLs in the domain with modification rights set to non-built in objects |
| | Will return the members of a specific domain group |
| | Returns a list of servers likely functioning as file servers |
| | Returns a list of all distributed file systems for the current (or specified) domain |
| GPO Functions: | |
| | Will return all GPOs or specific GPO objects in AD |
| | Returns the default domain policy or the domain controller policy for the current domain |
| Computer Enumeration Functions: | |
| | Enumerates local groups on the local or a remote machine |
| | Enumerates members of a specific local group |
| | Returns open shares on the local (or a remote) machine |
| | Will return session information for the local (or a remote) machine |
| | Tests if the current user has administrative access to the local (or a remote) machine |
| Threaded 'Meta'-Functions: | |
| | Finds machines where specific users are logged in |
| | Finds reachable shares on domain machines |
| | Searches for files matching specific criteria on readable shares in the domain |
| | Find machines on the local domain where the current user has local administrator access |
| Domain Trust Functions: | |
| | Returns domain trusts for the current domain or a specified domain |
| | Returns all forest trusts for the current forest or a specified forest |
| | Enumerates users who are in groups outside of the user's domain |
| | Enumerates groups with users outside of the group's domain and returns each foreign member |
| | Will enumerate all trusts for the current domain and any others seen. |
Domain User Information
If we want to grab information about a specific user, such as mmorgan:
Recursive Group Membership
If we want to recursively find any groups that are part of a target group (nested group membership) and list out the members of those groups. For example, the output below shows that the Secadmins group is part of the Domain Admins group through nested group membership.
This could later help with potential privilege escalation.
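Both the windapsearch -PU option above and the recursive PowerView lookup in this section rest on the same idea: walk group membership transitively so that a user who sits in Secadmins, which sits in Domain Admins, is reported as an effective Domain Admin. The following is an added example (not code from the page, PowerView or windapsearch) that implements that walk over a constructed membership map; the group and user names are made up, and a deliberate cycle (Security Team contains Secadmins, which contains Security Team) is included to show why the walk needs a visited set.

```python
from collections import deque

# Constructed group -> direct members map. Names that also appear as keys are groups;
# everything else is a user. All names are made up for this example.
GROUPS = {
    "Domain Admins": ["Administrator", "Secadmins", "bdavis"],
    "Secadmins": ["Security Team", "svc_backup"],
    "Security Team": ["jsmith", "amiller", "Secadmins"],  # cycle on purpose
    "Help Desk": ["tdoe"],
}


def effective_members(group: str, groups: dict = GROUPS) -> dict[str, list[str]]:
    """Flatten nested membership.

    Returns user -> chain of groups that grants the membership, e.g.
    {"jsmith": ["Domain Admins", "Secadmins", "Security Team"]}.
    Breadth-first, so the chain recorded for a user is the shortest one.
    """
    users: dict[str, list[str]] = {}
    seen: set[str] = set()
    queue = deque([(group, [group])])
    while queue:
        current, chain = queue.popleft()
        if current in seen:        # guards against A -> B -> A cycles
            continue
        seen.add(current)
        for member in groups.get(current, []):
            if member in groups:   # a nested group: descend into it
                queue.append((member, chain + [member]))
            elif member not in users:
                users[member] = chain
    return users


def nested_only(group: str, groups: dict = GROUPS) -> dict[str, list[str]]:
    """Users who are effective members only through nesting, not listed on the group itself.

    These are the ones that go unnoticed in a plain group listing and belong in the report.
    """
    direct = set(groups.get(group, []))
    return {u: chain for u, chain in effective_members(group, groups).items() if u not in direct}


if __name__ == "__main__":
    for user, chain in sorted(effective_members("Domain Admins").items()):
        print(f"{user:<14} via {' -> '.join(chain)}")
    print("nested only:", sorted(nested_only("Domain Admins")))
```

The chain is what makes the finding actionable: rather than "jsmith is a Domain Admin", the report can say which intermediate group grants it, which is usually the group whose membership should be cut.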
Trust Enumeration
Testing for Local Admin Access
Finding Users With SPN Set
SharpView
Let's use SharpView to enumerate information about a specific user, such as the user forend:
Snaffler
Snaffler is a tool that can help us acquire credentials or other sensitive data in an Active Directory environment.
It's used the following way:
We may find passwords, SSH keys, configuration files, or other data that can be used to further our access.
BloodHound
We'll start by running the SharpHound.exe collector.
Next, we can exfiltrate the dataset to our own VM or ingest it into the BloodHound GUI tool.
Practical Example
Using Bloodhound, determine how many Kerberoastable accounts exist within the INLANEFREIGHT domain. (Submit the number as the answer)
What PowerView function allows us to test if a user has administrative access to a local or remote host?
Run Snaffler and hunt for a readable web config file. What is the name of the user in the connection string within the file?
What is the password for the database user?
Living Off the Land
To enumerate the host and the network we're on, here are some basic commands:
| Command | Description |
| --- | --- |
| | Prints the PC's Name |
| | Prints out the OS version and revision level |
| | Prints the patches and hotfixes applied to the host |
| | Prints out network adapter state and configurations |
| | Displays a list of environment variables for the current session (ran from CMD-prompt) |
| | Displays the domain name to which the host belongs (ran from CMD-prompt) |
| | Prints out the name of the Domain controller the host checks in with (ran from CMD-prompt) |
The systeminfo command is a nice one to run if we want to know a lot about our host without triggering too many logs.
Here are some quick PowerShell cmdlets that we can use for our recon:
| Command | Description |
| --- | --- |
| | Lists available modules loaded for use. |
| | Will print the execution policy settings for each scope on a host. |
| | This will change the policy for our current process using the |
| | With this string, we can get the specified user's PowerShell history. This can be quite helpful as the command history may contain passwords or point us towards configuration files or scripts that contain passwords. |
| | Return environment values such as key paths, users, computer information, etc. |
| | This is a quick and easy way to download a file from the web using PowerShell and call it from memory. |
Downgrade Powershell
It's good to know that several versions of PowerShell often exist on a host; if we are able to downgrade, our actions from the shell will not be logged in Event Viewer. This is a great way for us to remain under the defenders' radar while still utilizing resources built into the hosts to our advantage.
Let's try this out:
Firewall Checks
Windows Defender Check (from CMD.exe)
Using qwinsta to check if you're alone on the host:
Network enumeration:
| Command | Description |
| --- | --- |
| | Lists all known hosts stored in the arp table. |
| | Prints out adapter settings for the host. We can figure out the network segment from here. |
| | Displays the routing table (IPv4 & IPv6) identifying known networks and layer three routes shared with the host. |
| | Displays the status of the host's firewall. We can determine if it is active and filtering traffic. |
WMI
Windows Management Instrumentation (WMI) is a scripting engine that is widely used within Windows enterprise environments to retrieve information and run administrative tasks on local and remote hosts. Here are some useful commands you should know:
| Command | Description |
| --- | --- |
| | Prints the patch level and description of the Hotfixes applied |
| | Displays basic host information to include any attributes within the list |
| | A listing of all processes on host |
| | Displays information about the Domain and Domain Controllers |
| | Displays information about all local accounts and any domain accounts that have logged into the device |
| | Information about all local groups |
| | Dumps information about any system accounts that are being used as service accounts. |
Net Commands
Net commands can be beneficial to us when attempting to enumerate information from the domain.
It's good to know that net.exe commands are typically monitored by EDR solutions and can quickly give up our location. But if we don't care about being evasive, here are some commands:
| Command | Description |
| --- | --- |
| | Information about password requirements |
| | Password and lockout policy |
| | Information about domain groups |
| | List users with domain admin privileges |
| | List of PCs connected to the domain |
| | List PC accounts of domains controllers |
| | User that belongs to the group |
| | List of domain groups |
| | All available groups |
| | List users that belong to the administrators group inside the domain (the group |
| | Information about a group (admins) |
| | Add user to administrators |
| | Check current shares |
| | Get information about a user within the domain |
| | List all users of the domain |
| | Information about the current user |
| | Mount the share locally |
| | Get a list of computers |
| | Shares on the domains |
| | List shares of a computer |
| | List of PCs of the domain |
If there is a network defender up, you can trick and bypass it by using the net1 command rather than net. It will do the same thing and will not trigger a net string alert.
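The two evasions described on this page, the PowerShell downgrade and the net1 substitution, both have a defensive counterpart: a detection that keys on the thing the attacker cannot change rather than on the literal string. Process creation events record the image path, so net1.exe is as visible as net.exe if the rule checks the file name instead of the "net " string, and starting the version 2 engine writes a Windows PowerShell event 400 whose EngineVersion field says 2.0 even though script block logging is absent. The script below is an added example written for this page (not part of any product or of the page's tooling); the events are constructed, simplified key=value renderings of a Security 4688 process creation event and a Windows PowerShell 400 engine start event, not real log exports.

```python
import re

# Constructed sample events (simplified key=value form of 4688 and PowerShell 400 events, not real exports).
SAMPLE_EVENTS = [
    r'EventID=4688 Computer=MS01 User=INLANEFREIGHT\htb-student NewProcessName=C:\Windows\System32\net1.exe CommandLine="net1 group \"Domain Admins\" /domain"',
    r'EventID=4688 Computer=MS01 User=INLANEFREIGHT\htb-student NewProcessName=C:\Windows\System32\net.exe CommandLine="net use x: \\DC01\share"',
    r'EventID=4688 Computer=MS01 User=INLANEFREIGHT\htb-student NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -version 2"',
    r'EventID=400 Channel="Windows PowerShell" Computer=MS01 HostName=ConsoleHost EngineVersion=2.0 HostVersion=5.1.19041.1',
    r'EventID=400 Channel="Windows PowerShell" Computer=MS01 HostName=ConsoleHost EngineVersion=5.1.19041.1 HostVersion=5.1.19041.1',
    r'EventID=4688 Computer=MS01 User=INLANEFREIGHT\svc_deploy NewProcessName=C:\Windows\System32\notepad.exe CommandLine="notepad.exe"',
]

# key=value pairs; a value is either a double-quoted string (with \" escapes) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# net/net1 sub-commands that read domain group or account information
NET_RECON = re.compile(r"\b(group|localgroup|user|accounts|view)\b.*(/domain|administrators)", re.I)
# explicit request for the version 2 engine on the powershell.exe command line
PS_V2_ARG = re.compile(r"-v(?:ersion)?\s+2(?:\.0)?\b", re.I)


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict, unescaping \\" inside quoted values."""
    event = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        event[key] = quoted.replace('\\"', '"') if quoted is not None else bare
    return event


def classify(event: dict) -> list[str]:
    """Return the detection names that fire for a single parsed event."""
    findings = []
    if event.get("EventID") == "4688":
        image = event.get("NewProcessName", "").lower()
        cmd = event.get("CommandLine", "")
        # Match on the image name: net.exe hands most work to net1.exe, so both must be covered.
        if image.endswith(("\\net.exe", "\\net1.exe")):
            findings.append("net/net1 domain recon" if NET_RECON.search(cmd) else "net/net1 execution")
        if image.endswith("\\powershell.exe") and PS_V2_ARG.search(cmd):
            findings.append("powershell v2 launch requested")
    elif event.get("EventID") == "400" and event.get("EngineVersion", "").startswith("2."):
        # The engine itself reports its version; this fires even without script block logging.
        findings.append("powershell engine v2 started (downgrade)")
    return findings


def hunt(lines: list[str]) -> list[tuple[int, str]]:
    """Run every rule over every line; returns (line index, detection name) pairs."""
    return [(i, name) for i, line in enumerate(lines) for name in classify(parse_event(line))]


if __name__ == "__main__":
    for index, name in hunt(SAMPLE_EVENTS):
        print(f"line {index}: {name} <- {SAMPLE_EVENTS[index][:80]}")
```

The two sample 400 events show the distinction that matters: HostVersion is 5.1 in both (the same console launched them), and only EngineVersion reveals the downgrade. Removing the PowerShell 2.0 Windows feature closes this gap entirely.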
Dsquery
Dsquery is a helpful command-line tool that can be utilized to find Active Directory objects. By default, the dsquery DLL can be found at C:\Windows\System32\dsquery.dll.
User search
Computer search
Wildcard Search
Wildcards let us view all objects in an OU, for example.
Users With Specific Attributes Set (PASSWD_NOTREQD)
It's good to know the UAC (userAccountControl) values.
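The PASSWD_NOTREQD search above works because userAccountControl is a bit field and LDAP can test a single bit with the bitwise-AND matching rule. The following is an added example (not code from the page or from dsquery) that decodes the field, builds that filter for any named flag, and audits a constructed set of accounts for the flags a defender cares about. The flag values are the standard ones Active Directory documents; the account names and values are made up.

```python
# userAccountControl bit flags (standard Active Directory values)
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
FLAG_BITS = {name: bit for bit, name in UAC_FLAGS.items()}

# Flags worth a second look on an enabled account, with the reason a defender cares
RISKY = {
    "PASSWD_NOTREQD": "account may have an empty password",
    "ENCRYPTED_TEXT_PWD_ALLOWED": "password stored with reversible encryption",
    "USE_DES_KEY_ONLY": "Kerberos limited to weak DES keys",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation",
    "DONT_REQ_PREAUTH": "Kerberos pre-authentication disabled",
}

# OID of the LDAP bitwise-AND matching rule used in userAccountControl filters
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample accounts (name -> userAccountControl); values are made up
SAMPLE_ACCOUNTS = {
    "htb-student": 0x200,        # NORMAL_ACCOUNT
    "svc_legacy": 0x220,         # NORMAL_ACCOUNT | PASSWD_NOTREQD
    "svc_web": 0x400200,         # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    "old_contractor": 0x222,     # disabled, so excluded from the audit
}


def decode_uac(value: int) -> list[str]:
    """List the flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def has_flag(value: int, name: str) -> bool:
    return bool(value & FLAG_BITS[name])


def ldap_filter_for(name: str) -> str:
    """Build the bitwise filter that matches every object with the named flag set."""
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={FLAG_BITS[name]})"


def audit(accounts: dict[str, int]) -> dict[str, list[str]]:
    """Enabled accounts carrying a risky flag, with the flags that apply."""
    report = {}
    for name, uac in accounts.items():
        flags = decode_uac(uac)
        if "ACCOUNTDISABLE" in flags:
            continue
        risky = [f for f in flags if f in RISKY]
        if risky:
            report[name] = risky
    return report


if __name__ == "__main__":
    print("filter:", ldap_filter_for("PASSWD_NOTREQD"))
    for name, flags in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: " + "; ".join(f"{f} ({RISKY[f]})" for f in flags))
```

The filter string is exactly what goes into the dsquery or LDAP search; changing the flag name swaps in the matching bit, so the same function produces the DONT_REQ_PREAUTH or TRUSTED_FOR_DELEGATION searches.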