
Tools

Here is a list of tools that we need to know and use when attacking an AD network. There are loads of alternatives and other tools out there, but normally these few get the job done:

  • Powershell scripts

  • Impacket suite of tools

  • Evil-winrm

  • Rubeus

  • Mimikatz

  • Bloodhound

Others, such as gMSAdumper.py, and their use cases are on you to learn!

Powershell

PowerShell scripts are used to make enumeration and exploitation easy, because the native PowerShell commands for adding users and enumerating the domain are long, complicated and awkward to use.

PowerView

By far my favourite, because it makes enumeration easy. In essence, it removes the need for tedious manual enumeration and lets us view the domain objects clearly, and also exploit them where needed.

Powermad

Sort of like PowerView, but easier to use in some respects. Some of the commands here, such as those for adding users, are simpler than PowerView's.

Sharphound

Just a PowerShell implementation of the BloodHound collector, for cases where the .exe cannot run.

Mimikatz.exe

Just a PowerShell implementation of Mimikatz, for cases where the .exe cannot run.

Importing Modules

Generally, the modules are imported by dot-sourcing the script, which loads its functions into the current session:

. .\Powerview.ps1

. .\Sharphound.ps1
Invoke-BloodHound <flags>
# SharpHound.ps1 exposes the collector as the Invoke-BloodHound function

Impacket

A collection of Python classes for working with various network protocols. The suite of tools built on Impacket covers a huge range of uses, from Kerberoasting to dumping all credentials.

In my experience, if you're trying to find a script for an AD attack, impacket probably has it somewhere.

Evil-Winrm

Basically, the Windows equivalent of an SSH client, with loads of easy-to-use additional commands. It supports file transfer in both directions, as well as pass-the-hash for authentication. The tool talks to the WinRM service, which typically listens on port 5985.

Rubeus

A C# toolset for raw Kerberos interaction and abuse. It has a wide range of functions and use cases: impersonating users, forging tickets, extracting tickets, extracting credentials and many, many more. Most Kerberos abuses can be done with this tool.

Mimikatz

Mimikatz is an open-source application used to retrieve Windows credentials from the registry, interact with authentication tokens, impersonate users using existing tokens, store and forge tickets, extract password data and so on.

There are loads of implementations of Mimikatz and its use cases are wide. However, it should be noted that most of its functions do not work unless we have some sort of administrative privilege. Trying to dump credentials from the Windows registry as a non-admin will not work out well.

This tool is mainly useful when we are trying to pillage the domain for more information, or perhaps move laterally to another computer within the domain through pass-the-hash or password reuse.

There is also a PowerShell implementation of this within PowerSploit.

Bloodhound

This is an amazing tool that enumerates the domain automatically. It basically maps out all the objects and ACLs it can find, draws links between each object and presents this information as graphs.

There are two parts to BloodHound: the collector and the graphing application.

The collectors extract the information about the domain in .json format, and the graphing application is where we upload that data and map out the objects.

In order to use this, we need a neo4j database on our Linux machine.

Setting up

sudo apt install bloodhound

sudo apt install neo4j

sudo neo4j start
# starts neo4j; its web console is at http://localhost:7474/browser/
# log in there and change the default neo4j password before continuing

./Bloodhound
# launches the graphing application, which connects to the neo4j database

Collectors

These require a domain account, and are run on a domain-joined system itself.

./SharpHound.exe --CollectionMethod All

. .\Sharphound.ps1
Invoke-Bloodhound -CollectionMethod All

Alternatively, if we have valid credentials but no shell, we can use bloodhound-python from our own machine (the -ns value is the domain's DNS server / domain controller).

bloodhound-python -u user -p password -ns 10.10.10.10 -d domain.local -c all

proxychains bloodhound-python -u user -p password -ns 10.10.10.10 -d domain.local -c all
# prefix with proxychains if we are pivoting through a compromised host

Once we have run the ingestor, we just need to upload the resulting data into the graphing application.

Here's a use case of Sharphound.ps1, and the zip file it generates containing all the .json data of the domain.

Bloodhound in Action

This is an example of what the graphing application looks like, and we can see how each node (object) is mapped and linked to other objects.

In this example, we can see that a group has WriteDacl privileges over another part of the domain, and that the user svc-alfresco is a member of that group and hence has the same privileges by transitivity.

We can find out more about each edge, and whether it can be abused, by right-clicking it and selecting more info.

Bloodhound is insanely useful and fast for mapping a domain out, and it even gives clear instructions and information about each abusable privilege.
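The transitivity described above is the core of what the graphing application does with the collected .json data: a user inherits every right granted to any group it is a (direct or nested) member of. The following is an added example, not part of the original page or of BloodHound itself, that works this out over a constructed, simplified dataset in the spirit of the collector output (names instead of SIDs, a flat "objects" list); it is the same check a defender runs when auditing which low-privileged accounts inherit rights such as WriteDacl over the domain.

```python
import json
from collections import deque

# Constructed sample, simplified from the shape of SharpHound's JSON:
# each object has a name, a list of direct members and a list of ACEs
# (principal that holds a right on this object, and the right's name).
SAMPLE = json.dumps({"objects": [
    {"name": "svc-alfresco@DOMAIN.LOCAL", "type": "User", "members": [], "aces": []},
    {"name": "SERVICE ACCOUNTS@DOMAIN.LOCAL", "type": "Group",
     "members": ["svc-alfresco@DOMAIN.LOCAL"], "aces": []},
    {"name": "PRIVILEGED IT@DOMAIN.LOCAL", "type": "Group",
     "members": ["SERVICE ACCOUNTS@DOMAIN.LOCAL"], "aces": []},
    {"name": "DOMAIN.LOCAL", "type": "Domain", "members": [], "aces": [
        {"principal": "PRIVILEGED IT@DOMAIN.LOCAL", "right": "WriteDacl"},
        {"principal": "DOMAIN ADMINS@DOMAIN.LOCAL", "right": "GenericAll"}]},
]})

def load(data):
    """Index objects by name and build the reverse 'member of' map."""
    objs = {o["name"]: o for o in json.loads(data)["objects"]}
    member_of = {}
    for o in objs.values():
        for m in o["members"]:
            member_of.setdefault(m, set()).add(o["name"])
    return objs, member_of

def transitive_groups(member_of, principal):
    """All groups the principal belongs to, following nested membership."""
    seen, queue = set(), deque([principal])
    while queue:
        for g in member_of.get(queue.popleft(), ()):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen

def effective_rights(data, principal):
    """(holder, right, target) triples the principal gets directly or via groups."""
    objs, member_of = load(data)
    holders = {principal} | transitive_groups(member_of, principal)
    return sorted((a["principal"], a["right"], o["name"])
                  for o in objs.values() for a in o["aces"]
                  if a["principal"] in holders)

if __name__ == "__main__":
    for holder, right, target in effective_rights(SAMPLE, "svc-alfresco@DOMAIN.LOCAL"):
        print(f"svc-alfresco inherits {right} on {target} via {holder}")
```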
