- Patch Extractor: https://gist.github.com/moshekaplan/e8d16ed91dc3ca53e73145ba3b2baebd , https://gist.github.com/anonymous/d55f494982c0097111d3263cf7099c9d
Active Directory forensic framework
Extract users from ESE DB export:
dsusers.py kotarak.dit.export/datatable.3 kotarak.dit.export/link_table.5 hashdump --syshive kotarak.bin --passwordhashes --lmoutfile lmout.txt --ntoutfile ntout.txt --pwdformat ophc
Practice: HTB Kotarak
libesedb is a library to access the Extensible Storage Engine (ESE) Database File (EDB) format.
The ESE database format is used in many different applications, such as Windows Search, Windows Mail, Exchange, Active Directory, etc.
esedbexport -m tables 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit
Practice: HTB Kotarak
Winexe remotely executes commands on Windows NT/2000/XP/2003 systems from GNU/Linux (and possibly also from other Unices capable of building the Samba 4 software package).
- Dumping Active Directory Domain Info – with PowerUpSQL!: https://blog.netspi.com/dumping-active-directory-domain-info-with-powerupsql/
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify.
- GitHub: https://github.com/BloodHoundAD/BloodHound
Find where domain admins are logged in:
python bloodhound.py -u <USERNAME> -p <PASSWORD> -d <DOMAIN_NAME> -dc <DOMAIN_CONTROLLER_HOSTNAME>
neo4j start
bloodhound
- Mimikatz 2.0 - Golden Ticket Walkthrough: https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Golden_Ticket_Walkthrough.html
mimikatz "lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt"
mimikatz "lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator"
DCSync "impersonates" a Domain Controller and requests account password data from the targeted Domain Controller.
Required permissions: any member of
- Domain Admins, or
- Enterprise Admins, as well as
- Domain Controller computer accounts.
Read-Only Domain Controllers are not allowed to pull password data for users by default.
- Before DCSync, the approach was to run Mimikatz or Invoke-Mimikatz on a Domain Controller to get the KRBTGT password hash to create
- With DCSync, the attacker can pull the password hash, as well as previous password hashes, from a Domain Controller over the network without requiring interactive logon or copying off the Active Directory database file (ntds.dit).
Internals:
- Discovers a Domain Controller in the specified domain name.
- Requests the Domain Controller replicate the user credentials via GetNCChanges (leveraging the Directory Replication Service (DRS) Remote Protocol).
“The client DC sends a DSGetNCChanges request to the server when the first one wants to get AD objects updates from the second one. The response contains a set of updates that the client has to apply to its NC replica. It is possible that the set of updates is too large for only one response message. In those cases, multiple DSGetNCChanges requests and responses are done. This process is called replication cycle or simply cycle.”
“When a DC receives a DSReplicaSync Request, then for each DC that it replicates from (stored in RepsFrom data structure) it performs a replication cycle where it behaves like a client and makes DSGetNCChanges requests to that DC. So it gets up-to-date AD objects from each of the DC’s which it replicates from.”
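Because DCSync rides on the same GetNCChanges replication request a real DC makes, the defender's signal is the replication control-access rights being exercised by a principal that is not a domain controller, which Windows logs as Security event 4662 on the DC. The detection below is an added example, not code from these notes or from any tool listed here; it assumes events already parsed into dicts with the 4662 fields (EventID, SubjectUserName, AccessMask, Properties) and uses constructed sample records.

```python
# Added example (not from the original notes or any tool listed here): flag use
# of the AD replication rights that DCSync relies on, as recorded in Windows
# Security event 4662 on a domain controller. Assumption: events are already
# parsed into dicts with the 4662 fields EventID, SubjectUserName, AccessMask
# and Properties. The sample records below are constructed, not real logs.

# Real control-access right GUIDs that permit replication requests.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def replication_rights_used(event):
    """Names of replication rights referenced in a 4662 event's Properties field."""
    if event.get("EventID") != 4662:
        return []
    props = event.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def is_suspected_dcsync(event, dc_accounts):
    """True when replication rights are exercised by a principal that is not a
    known DC computer account (DCs replicate legitimately, so the caller
    allow-lists their HOSTNAME$ accounts)."""
    if not replication_rights_used(event):
        return False
    allowed = {a.upper() for a in dc_accounts}
    return event.get("SubjectUserName", "").upper() not in allowed


def find_dcsync_events(events, dc_accounts):
    """Return every event that looks like a DCSync replication request."""
    return [e for e in events if is_suspected_dcsync(e, dc_accounts)]


# Constructed sample 4662 records (not real logs).
SAMPLE_EVENTS = [
    # Inter-DC replication by a DC computer account: benign.
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Same rights exercised by a user account: suspected DCSync.
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated 4662 access with a placeholder GUID: ignored.
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},
]
```

Run find_dcsync_events over real parsed 4662 events with the domain's DC account list; hits from user accounts or non-DC hosts are the ones to triage, and note that 4662 only fires if an audit SACL for these rights is set on the domain naming context.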
PsExec - Execute processes on a remote machine
PsFile - Displays a list of files opened remotely
PsGetSid - Translate a SID to a display name and vice versa
PsKill - Kill processes on a local or remote machine
PsInfo - Displays installation, install date, kernel build, physical memory, processor type and number, etc.
PsList - Displays process, CPU, memory and thread statistics
PsLoggedOn - Displays local and remote logged-on users
PsLogList - View event logs
Utility to generate a summary of a Windows system
- BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment: https://github.com/BloodHoundAD/BloodHound
- Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent: https://github.com/EmpireProject/Empire
- A little toolbox to play with Microsoft Kerberos in C: https://github.com/gentilkiwi/kekeo/
- A little tool to play with Windows security: https://github.com/gentilkiwi/mimikatz
- C# toolset for raw Kerberos interaction and abuses: https://github.com/GhostPack/Rubeus
- C# project that performs a number of security oriented host-survey "safety checks": https://github.com/GhostPack/Seatbelt