0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GitBook: [#3575] No subject

This commit is contained in:
CPol 2022-10-06 23:16:43 +00:00 committed by gitbook-bot
parent 4e1e83fadd
commit cbd40bbf74
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
5 changed files with 61 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
SUMMARY.md
View File

@ -170,7 +170,7 @@
* [AD information in printers](windows-hardening/active-directory-methodology/ad-information-in-printers.md)
* [AD DNS Records](windows-hardening/active-directory-methodology/ad-dns-records.md)
* [ASREPRoast](windows-hardening/active-directory-methodology/asreproast.md)
* [BloodHound](windows-hardening/active-directory-methodology/bloodhound.md)
* [BloodHound & Other AD Enum Tools](windows-hardening/active-directory-methodology/bloodhound.md)
* [Constrained Delegation](windows-hardening/active-directory-methodology/constrained-delegation.md)
* [Custom SSP](windows-hardening/active-directory-methodology/custom-ssp.md)
* [DCShadow](windows-hardening/active-directory-methodology/dcshadow.md)

3
windows-hardening/active-directory-methodology/README.md
View File

@ -175,7 +175,8 @@ Regarding [**ASREPRoast**](asreproast.md) you can now find every possible vulner
* You can also use [**powershell for recon**](../basic-powershell-for-pentesters/) which will be stealthier
* You ca also [**use powerview**](../basic-powershell-for-pentesters/powerview.md) to extract more detailed information
* Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** (depending on the collection methods you use), but **if you don't care** about that, you should totally give it a try. Find where users can RDP, find path to other groups, etc.
* [**DNS records of the AD**](ad-dns-records.md) **** as they might contain interesting information.
* **Other automated AD enumeration tools are:** [**AD Explorer**](bloodhound.md#ad-explorer)**,** [**ADRecon**](bloodhound.md#adrecon)**,** [**Group3r**](bloodhound.md#group3r)**,** [**PingCastle**](bloodhound.md#pingcastle)**.**
* ****[**DNS records of the AD**](ad-dns-records.md) **** as they might contain interesting information.
* A **tool with GUI** that you can use to enumerate the directory is **AdExplorer.exe** from **SysInternal** Suite.
* You can also search in the LDAP database with **ldapsearch** to look for credentials in fields _userPassword_ & _unixUserPassword_, or even for _Description_. cf. [Password in AD User comment on PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#password-in-ad-user-comment) for other methods.
* If you are using **Linux**, you could also enumerate the domain using [**pywerview**](https://github.com/the-useless-one/pywerview).

79
windows-hardening/active-directory-methodology/bloodhound.md
View File

@ -1,22 +1,42 @@
# BloodHound
# BloodHound & Other AD Enum Tools
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
## What is BloodHound
## AD Explorer
[AD Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) is from Sysinternal Suite:
> An advanced Active Directory (AD) viewer and editor. You can use AD Explorer to navigate an AD database easily, define favorite locations, view object properties, and attributes without opening dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute.
### Snapshots
AD Explorer can create snapshots of an AD so you can check it offline.\
It can be used to discover vulns offline, or to compare different states of the AD DB across the time.
You will be requires the username, password, and direction to connect (any AD user is required).
To take a snapshot of AD, go to `File` --> `Create Snapshot` and enter a name for the snapshot.
## ADRecon
****[**ADRecon**](https://github.com/adrecon/ADRecon) is a tool which extracts and combines various artefacts out of an AD environment. The information can be presented in a **specially formatted** Microsoft Excel **report** that includes summary views with metrics to facilitate analysis and provide a holistic picture of the current state of the target AD environment.
```bash
# Run it
.\ADRecon.ps1
```
## BloodHound
> BloodHound is a single page Javascript web application, built on top of [Linkurious](http://linkurio.us), compiled with [Electron](http://electron.atom.io), with a [Neo4j](https://neo4j.com)database fed by a PowerShell ingestor.
>
@ -34,7 +54,7 @@ The **ingestors** are used to **enumerate the domain and extract all the informa
The **visualisation application uses neo4j** to show how all the information is related and to show different ways to escalate privileges in the domain.
## Installation
### Installation
1. Bloodhound
@ -67,7 +87,7 @@ Installation process:
$ curl -o "~/.config/bloodhound/customqueries.json" "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/customqueries.json"
```
## Visualisation app Execution
### Visualisation app Execution
After downloading/installing the required applications, lets start them.\
First of all you need to **start the neo4j database**:
@ -94,8 +114,6 @@ And bloodhound will be ready to ingest data.
![](<../../.gitbook/assets/image (171) (1).png>)
## Ingestors
### SharpHound
They have several options but if you want to run SharpHound from a PC joined to the domain, using your current user and extract all the information you can do:
@ -138,18 +156,31 @@ This script will **quietly enumerate an Active Directory Domain via LDAP** parsi
Check it out in [**SilentHound github**](https://github.com/layer8secure/SilentHound).
## Group3r
[**Group3r**](https://github.com/Group3r/Group3r) **** is a tool to find **vulnerabilities** in Active Directory associated **Group Policy**. \
You need to **run group3r** from a host inside the domain using **any domain user**.
```bash
group3r.exe -f <filepath-name.log>
# -s sends results to stdin
# -f send results to file
```
## PingCastle
****[**PingCastle**](https://www.pingcastle.com/documentation/) **evaluates the security posture of an AD environment** and provides a nice **report** with graphs.
To run it, can execute the binary `PingCastle.exe` and it will start an **interactive session** presenting a menu of options. The default option to use is **`healthcheck`** which will establish a baseline **overview** of the **domain**, and find **misconfigurations** and **vulnerabilities**.&#x20;
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

2
windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md
View File

@ -42,7 +42,7 @@ MemberDistinguishedName : CN=S-1-5-21-3022719512-2989052766-178205875-1115,CN=Fo
## Trust Account Attack
When an Active Directory domain or forest trust is set up from a domain _B_ to a domain _A_ (_**B**_ trusts A), a trust account is created in domain **A**, named **B. Kerberos trust keys**,\_derived from the **trust accounts password**, are used for **encrypting inter-realm TGTs**, when users of domain A request service tickets for services in domain B.
When an Active Directory domain or forest trust is set up from a domain _B_ to a domain _A_ (_**B**_\*\* trusts **\_**A**\_), a \_**trust account**\_** is created in domain **\_**A**\_**, named **\_**B$**\_. Kerberos \_**trust keys\*\*,\_ derived from the **trust accounts password**, are used for **encrypting inter-realm TGTs**, when users of domain A request service tickets for services in domain B.
It's possible to obtain the password and hash of the trusted account from a Domain Controller using:

22
windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md
View File

@ -74,37 +74,19 @@ In the previous enumeration it was found that the user **`crossuser`** is inside
If you **couldn't** find any **special** access of your user in the other domain, you can still go back to the AD Methodology and try to **privesc from an unprivileged user** (things like kerberoasting for example):
You can use **Powerview functions** to **enumerate** the **other domain** using the `-Domain` param like in:
```powershell
Get-DomainUser -SPN -Domain domain_name.local | select SamAccountName
```
{% content-ref url="./" %}
[.](./)
{% endcontent-ref %}
## Impersonation
### Logging in
Using a regular method with the credentials of the users who is has access to the external domain you should be able to access:
```powershell
Enter-PSSession -ComputerName dc.external_domain.local -Credential domain\administrator
```
### SID History Abuse
You could also abuse [**SID History**](sid-history-injection.md) across a forest trust.
If a user is migrated **from one forest to another** and **SID Filtering is not enabled**, it becomes possible to **add a SID from the other forest**, and this **SID** will be **added** to the **user's token** when authenticating **across the trust**.
### With signing key
{% hint style="warning" %}
As a reminder, you can get the signing key with
```powershell
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.domain.local
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
```
{% endhint %}