https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/ Recent content on SpellBook Hugo en-us https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/bloodhound-setup/ Mon, 01 Jan 0001 00:00:00 +0000 https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/bloodhound-setup/ <h2 id="collector">Collector<a class="anchor" href="#collector">#</a></h2> <h3 id="bloodhound-python"><code>bloodhound-python</code><a class="anchor" href="#bloodhound-python">#</a></h3> <p>Install</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>sudo apt update <span style="color:#f92672">&amp;&amp;</span> sudo apt install bloodhound-python -y</span></span></code></pre></div><p>Run</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>bloodhound-python -c ALL -ns 172.16.8.3 -u <span style="color:#e6db74">&#34;</span>$user<span style="color:#e6db74">&#34;</span> -p <span style="color:#e6db74">&#34;</span>$pass<span style="color:#e6db74">&#34;</span> -d inlanefreight.local --zip</span></span></code></pre></div><p>If <code>ldaps</code>, use <code>--use-ldaps</code></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>bloodhound-python -c ALL -ns 172.16.8.3 -u <span style="color:#e6db74">&#34;</span>$user<span style="color:#e6db74">&#34;</span> -p <span style="color:#e6db74">&#34;</span>$pass<span style="color:#e6db74">&#34;</span> -d inlanefreight.local --use-ldaps --zip</span></span></code></pre></div><p>If can&rsquo;t use <code>udp</code>, or behind a pivot box, is using <code>proxychains</code>, use <code>--dns-tcp</code></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>bloodhound-python -c ALL -ns 172.16.8.3 -u <span style="color:#e6db74">&#34;</span>$user<span style="color:#e6db74">&#34;</span> -p <span style="color:#e6db74">&#34;</span>$pass<span style="color:#e6db74">&#34;</span> -d inlanefreight.local --dns-tcp --zip</span></span></code></pre></div><h3 id="rusthound-ce"><code>rusthound-ce</code><a class="anchor" href="#rusthound-ce">#</a></h3> <p>install</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>git clone https://github.com/g0h4n/RustHound-CE.git </span></span><span style="display:flex;"><span>cd RustHound-CE </span></span><span style="display:flex;"><span>sudo apt update <span style="color:#f92672">&amp;&amp;</span> sudo apt install cargo rustup -y </span></span><span style="display:flex;"><span>rustup default stable </span></span><span style="display:flex;"><span>make release</span></span></code></pre></div><p>Run</p> https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/deleted-objects/ Mon, 01 Jan 0001 00:00:00 +0000 https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/deleted-objects/ <h1 id="deleted-objects">Deleted objects<a class="anchor" href="#deleted-objects">#</a></h1> <h2 id="from-powershell">From <code>Powershell</code><a class="anchor" href="#from-powershell">#</a></h2> <p>Query everything of deleted object</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>Get-ADObject -Filter <span style="color:#e6db74">&#39;IsDeleted -eq $true&#39;</span> -IncludeDeletedObjects -Properties *</span></span></code></pre></div><p>Query specific things like Description,ObjectSid,ObjectGUID,LastKnownParent</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>Get-ADObject -Filter <span style="color:#e6db74">&#39;IsDeleted -eq $true&#39;</span> -IncludeDeletedObjects -Properties Description,ObjectSid,ObjectGUID,LastKnownParent</span></span></code></pre></div><h3 id="restore-object">Restore object<a class="anchor" href="#restore-object">#</a></h3> <p>Restore the object, using <code>ObjectGUID</code></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>Restore-ADObject -Identity aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa</span></span></code></pre></div><h2 id="from-linux">From linux<a class="anchor" href="#from-linux">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span><span style="color:#75715e"># Query everything</span> </span></span><span style="display:flex;"><span>bloodyAD --host dc.domain.name -d domain.name get search -c <span style="color:#e6db74">&#39;1.2.840.113556.1.4.2064&#39;</span> -c <span style="color:#e6db74">&#39;1.2.840.113556.1.4.2065&#39;</span> --filter <span style="color:#e6db74">&#39;(isDeleted=TRUE)&#39;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Query specific properties</span> </span></span><span style="display:flex;"><span>bloodyAD --host dc.domain.name -d domain.name get search -c <span style="color:#e6db74">&#39;1.2.840.113556.1.4.2064&#39;</span> -c <span style="color:#e6db74">&#39;1.2.840.113556.1.4.2065&#39;</span> --attr <span style="color:#e6db74">&#39;Description,ObjectSid,ObjectGUID,LastKnownParent&#39;</span> --filter <span style="color:#e6db74">&#39;(isDeleted=TRUE)&#39;</span></span></span></code></pre></div><blockquote class='book-hint '> <p>If you want Kerberos authentication with <code>ldapsearch</code>, set <code>KRB5CCNAME=user.ccache</code> variable add <code>-Tx -Y GSSAPI</code> flag</p> https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/direct-object-rights/ Mon, 01 Jan 0001 00:00:00 +0000 https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/direct-object-rights/ <h1 id="direct-object-rights">Direct Object Rights<a class="anchor" href="#direct-object-rights">#</a></h1> <p>This is a cypher query <strong>used in bloodhound</strong>. See how to set up bloodhound at <a href="https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/bloodhound-setup/#server">8. Lateral Movement/AD Enumeration/Bloodhound setup#Server</a></p> <p>This query shows you what rights accounts have <strong>directly assigned</strong>. Very good in CTF or small AD environments.</p> <pre tabindex="0"><code class="language-cypher" data-lang="cypher">MATCH p=(source)-[r]-&gt;(target) WHERE (source:Computer OR source:User) AND type(r) &lt;&gt; &#39;MemberOf&#39; return p</code></pre> https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/get-all-properties/ Mon, 01 Jan 0001 00:00:00 +0000 https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/get-all-properties/ <h1 id="get-all-properties">Get All Properties<a class="anchor" href="#get-all-properties">#</a></h1> <p>See all attributes of an object</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>bloodyAD --host <span style="color:#e6db74">&#34;dc01.domain.name&#34;</span> -d <span style="color:#e6db74">&#34;domain.name&#34;</span> -u <span style="color:#e6db74">&#39;user&#39;</span> -p <span style="color:#e6db74">&#39;pass&#39;</span> get object <span style="color:#e6db74">&#39;victim&#39;</span> --resolve-sd</span></span></code></pre></div><p>Or, get a specific attribute</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>bloodyAD --host <span style="color:#e6db74">&#34;dc01.domain.name&#34;</span> -d <span style="color:#e6db74">&#34;domain.name&#34;</span> -u <span style="color:#e6db74">&#39;user&#39;</span> -p <span style="color:#e6db74">&#39;pass&#39;</span> get object <span style="color:#e6db74">&#39;victim&#39;</span> --attr logonHours </span></span></code></pre></div> https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/password-policy/ Mon, 01 Jan 0001 00:00:00 +0000 https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/password-policy/ <blockquote class='book-hint '> <p>Can skip this part if you know for sure there is no account lockout policy</p> </blockquote><h2 id="linux-attacker">Linux Attacker<a class="anchor" href="#linux-attacker">#</a></h2> <h3 id="netexec"><code>netexec</code><a class="anchor" href="#netexec">#</a></h3> <p>If null session is available, use this</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>netexec smb -u <span style="color:#e6db74">&#39;&#39;</span> -p <span style="color:#e6db74">&#39;&#39;</span> $target --pass-pol</span></span></code></pre></div><p>If not, then need valid credential</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>netexec smb $target -u <span style="color:#e6db74">&#34;</span>$user<span style="color:#e6db74">&#34;</span> -p <span style="color:#e6db74">&#34;</span>$pass<span style="color:#e6db74">&#34;</span> --pass-pol</span></span></code></pre></div><h3 id="rpcclient"><code>rpcclient</code><a class="anchor" href="#rpcclient">#</a></h3> <p>If null session is available, use this</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>rpcclient -U <span style="color:#e6db74">&#34;&#34;</span> -N $target </span></span><span style="display:flex;"><span>rpcclient $&gt; getdompwinfo</span></span></code></pre></div><p>If not, then need valid credential</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>rpcclient -U <span style="color:#e6db74">&#34;</span>$user<span style="color:#e6db74">%</span>$pass<span style="color:#e6db74">&#34;</span> $target </span></span><span style="display:flex;"><span>rpcclient $&gt; getdompwinfo</span></span></code></pre></div><h3 id="ldapsearch"><code>ldapsearch</code><a class="anchor" href="#ldapsearch">#</a></h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>ldapsearch -h $target -x -b <span style="color:#e6db74">&#34;DC=INLANEFREIGHT,DC=LOCAL&#34;</span> -s sub <span style="color:#e6db74">&#34;*&#34;</span> | grep -m <span style="color:#ae81ff">1</span> -B <span style="color:#ae81ff">10</span> pwdHistoryLength</span></span></code></pre></div><h2 id="domain-joined-windows">Domain joined Windows<a class="anchor" href="#domain-joined-windows">#</a></h2> <h3 id="netexe"><code>net.exe</code><a class="anchor" href="#netexe">#</a></h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-cmd" data-lang="cmd"><span style="display:flex;"><span>net accounts</span></span></code></pre></div><h3 id="powerview"><code>Powerview</code><a class="anchor" href="#powerview">#</a></h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>import-module .\PowerView.ps1</span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>Get-DomainPolicy</span></span></code></pre></div> https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/user-enumeration/ Mon, 01 Jan 0001 00:00:00 +0000 https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/user-enumeration/ <h2 id="netexec"><code>netexec</code><a class="anchor" href="#netexec">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>netexec smb $target -u <span style="color:#e6db74">&#34;</span>$user<span style="color:#e6db74">&#34;</span> -p <span style="color:#e6db74">&#34;</span>$pass<span style="color:#e6db74">&#34;</span> --users</span></span></code></pre></div><h2 id="enum4linux"><code>enum4linux</code><a class="anchor" href="#enum4linux">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>enum4linux -U $target | grep <span style="color:#e6db74">&#34;user:&#34;</span> | cut -f2 -d<span style="color:#e6db74">&#34;[&#34;</span> | cut -f1 -d<span style="color:#e6db74">&#34;]&#34;</span></span></span></code></pre></div><h2 id="impacket-samrdump"><code>impacket-samrdump</code><a class="anchor" href="#impacket-samrdump">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>impacket-samrdump $target</span></span></code></pre></div><h2 id="ldapsearch"><code>ldapsearch</code><a class="anchor" href="#ldapsearch">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>ldapsearch -h $target -x -b <span style="color:#e6db74">&#34;DC=INLANEFREIGHT,DC=LOCAL&#34;</span> -s sub <span style="color:#e6db74">&#34;(&amp;(objectclass=user))&#34;</span> | grep sAMAccountName: | cut -f2 -d<span style="color:#e6db74">&#34; &#34;</span></span></span></code></pre></div><h2 id="kerbrute"><code>kerbrute</code><a class="anchor" href="#kerbrute">#</a></h2> <p>Clone username list repo</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>git clone https://github.com/insidetrust/statistically-likely-usernames.git</span></span></code></pre></div><p>Download <code>kerbrute</code> binary. Yes, it does not exist in kali&rsquo;s package manager. And sadly, at the time of writing, it hasn&rsquo;t been updated since 2019</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64 </span></span><span style="display:flex;"><span>mv kerbrute_linux_amd64 kerbrute </span></span><span style="display:flex;"><span>chmod +x kerbrute</span></span></code></pre></div><p>Depends on the account naming convention, chose the correct username list file.</p> https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/writable-objects/ Mon, 01 Jan 0001 00:00:00 +0000 https://ag2s.ca/spellbook/8.-lateral-movement/ad-enumeration/writable-objects/ <h1 id="writable-objects">Writable Objects<a class="anchor" href="#writable-objects">#</a></h1> <p>Sometimes, we have permission to write specific things on another object, and bloodhound doesn&rsquo;t show that.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>bloodyAD --host <span style="color:#e6db74">&#34;dc01.domain.name&#34;</span> -d <span style="color:#e6db74">&#34;domain.name&#34;</span> -u <span style="color:#e6db74">&#39;user&#39;</span> -p <span style="color:#e6db74">&#39;pass&#39;</span> get writable --detail</span></span></code></pre></div>