OffSec Live | PEN-200 (2023): Active Directory Enumeration

Captions
Welcome everyone to OffSec Live. What we are doing today is we are going to look at Active Directory: an introduction and some enumeration from the content developer who developed this module, so you're in for a treat. But first let's just do a little bit of an introduction. So your first presenter is Remy. No, it's me again. I was hoping I could shut up a little bit now, but yeah, I guess here we go. Obviously not me in the picture, but this has kind of turned into some sort of meme in OffSec, so this is my handle, or my picture, on social media, Discord and that kind of stuff. So my name is Remy. I work as a content developer in OffSec. I've been in OffSec now since 2016. I started off as a Student Admin back then, I worked that for two years, had a lot of interactions with the students, enjoyed that quite a lot, and then I went into a lead position, then some technical management, and then COVID hit and we started something called OffSec Academy. I don't know if we have any former OffSec Academy students here today, but if we do, I hope you enjoyed it and I hope you still enjoy it, because that's still a product that OffSec delivers, right? Then after that I did a live training, in person, then I took a little bit of a break to get my hands dirty in the penetration testing industry in the real world, to keep myself updated a little bit and that kind of stuff, and now I'm back as a content developer, and I wrote the Active Directory Introduction and Enumeration module, so I'm happy to give a demo on that one today. Amy made the slides here, so I don't know what to say to those. She's 100% right that I like donuts a little bit too much and I like to lift things, so powerlifting, that kind of stuff. So lifting things, eating things and hacking things, that's kind of the three things I like in life. And also my kids, obviously, right? They are on the same level as donuts, basically. So back to you, Amy.

Oh, all right. So my name is Amy. I work for Offensive Security as a vulnerable machine engineer. My past before joining OffSec was that I was working as a pentester, so that's the experience that I come to OffSec with. I call myself an OffSec noob because I have been here for just over a year and a half, so not as long as the other people. I also like lifting things, not nearly as heavy as Remy, but maybe one day, you know, I can dream of being just as good as Remy. And I try to stay away from the donuts because watermelon is where it's at for me. And for anyone who doesn't know what a vulnerable machine engineer does, it means that we create the machines, so what I do is I help to create the labs and exam boxes for OffSec.

This is just a quick little overview of all the things that we're going to be chatting to you about today. Remy is going to explain a few of the differences between the PEN-200 2022 and the new 2023, so that you can get an understanding of the differences there. We're then going to have a quick look at enumeration methodology, and why I'm explaining this is that each step kind of carries over from one to the next. So when we start looking at manual enumeration we're going to start with legacy tools; these are tools that are already on Windows which people are very familiar with using once you get some kind of foothold. Then we're going to move into looking at how to do basically a similar or the same thing with PowerShell and .NET classes, and the step after that we're going to move into using scripts like PowerView, which is a very popular script, with specific focus on object permissions, and then we're going to segue into automated enumeration with a special focus on SharpHound and BloodHound. It's going to be a really, really cool demo. You're welcome to ask questions in the chat; I'll be monitoring the chat and asking Remy questions as we go if the questions are directly related to what he's showing, and if we don't answer a question immediately we can get to it at the end, because we do have some time for Q&A. Over to Remy again.

Yes, yes. So yeah, obviously we are talking about the new version of PWK, the 2023 version. So next slide, Amy, please. Here we go. So I just want to touch base on some of the differences in the modules from the 2020 edition of PWK to the 2023, right? So as I mentioned earlier, I have been talking to students for many, many years and I really, really appreciate the feedback we are getting, and I wrote this module quite a lot based on the feedback that I was getting when I was working directly with the students. Active Directory can be a little bit of an intimidating thing because it's so huge and so complex, and it can be a little bit difficult to grasp. In addition to that, in the previous version of PWK we kind of threw a PowerShell script at you guys and told you to, hey, script this, and you know, everything is going to be fine, and the script works, right, but it was a little bit PowerShell heavy. So for this edition right now we are taking a deeper dive into PowerShell and .NET classes in the DirectoryServices namespace, and we are still building our own script as a transition into PowerView, because you kind of want to understand what your scripts are doing, and if you don't understand the PowerShell code then you don't really know what PowerView is doing either if you use that, or BloodHound for that matter. So we take a deeper dive there. We're using way more PowerView now for the manual enumeration. There's been some changes from Microsoft when it comes to logged-on session enumeration, which is kind of painful; it was introduced in a somewhat specific Windows 10 version, and we're going to touch base on that in the call today, and in the courseware of course. A new introduction is object permissions, which is very important to enumerate when you look through Active Directory. They can be a little bit tricky to get a grasp on, but I hope that with the current courseware you will be able to learn it pretty fast. Also, domain shares is a new thing that we enumerate more in the course now, and of course SharpHound and BloodHound are kind of two go-to tools that we really, really need to understand if we're going to enumerate especially bigger organizations. So it gives you some fancy graphics and that kind of stuff, and we're going to do that in the demo today as well.

Now the last point here is the dedicated environments tailored with exercises for each section, and this is not only true for the AD module, this is true for every single module. So you will be able to spin up your own group of virtual machines to follow along with the course material, so you can do exactly what we are doing in the course, and then you have another VM group which is kind of the exercises, where we do some slight changes and you will be able to test your abilities based on what you learned. I can assure you that those are not super complex, but I really, really recommend going through them, at least as a verification that you understand the content. Then of course we have the Capstones as well, which we've talked a lot about before. I think there is a Capstone for each module, and I really recommend going through those as well, because they're going to test everything that you learned in the module, so you can't really know what to expect there, and they're going to act as a really, really good primer before you dive into the Challenge Labs. So I think that's what I have to say on the slide there, Amy. If you guys have any questions about anything, feel free to type it into the chat; we're going to try to monitor that as much as possible. So I don't remember what the next slide is, Amy, sorry, I didn't memorize this. Okay, it's your turn.

Yes, it's my turn again, yay. Okay, so this is a graphic that we created just to try and explain a little bit what we mean when it comes to Active Directory enumeration and the methodology to do that. This is a combination of something that is linear and circular, and that's because the process isn't something where you just start and you finish up and it's very easy to get from point A to point B. So in the demo that we're showing today we're starting with the foothold already; we don't have to get that foothold, so we're not covering that stage of attacking. But once you've got that foothold you're then going to want to enumerate, and if you do the enumeration really thoroughly and really carefully you're likely to find something that we are referring to as an additional foothold. An additional foothold could be access to a different user, access to a different machine, that then helps you make extra steps on your way to trying to compromise that domain. And what I've added here is a section for notes, because whatever your methodology is, whatever's most comfortable to you, get in the habit of documenting everything that you do, because you don't know at what point, as part of your test or as part of your studying, that information is actually going to be valuable and the thing that you need to get to that actual domain compromise. And you'll see there are three little arrows inside that circular diagram, and that shows that it's not just a process that you do once; it's a process that you have to do over and over and over again to actually be able to move all the way through an Active Directory environment. And once you've got a little bit more information you can then start with lateral movement. That arrow starts with blue and ends in purple because it's also hinting back at the circular section, that you may have to do a few other things before you can actually make progress again, before you get to domain compromise and being able to submit your report or whatever it is to your clients. And that is it for AD enumeration.

I'm going to now explain to you the corp.com environment, which Remy is going to be doing his demo in. There are six machines in corp.com: three clients, a web box, a file server and a domain controller. There are seven users in this domain; you can read their names there. This is obviously a small environment, we don't want to have something too big that gets overwhelming, but this is just to give you an idea of exactly what is in this environment before we jump into the demo. And it's back over to you, Remy.

Cool, let's see if I can share my screen then, that would be pretty cool. Let's see, let's see. Okay, I think we're good. Can someone in the chat confirm? Okay, so you can see it on your end, chat? I've always seen streamers talk to their chat, I like to do this. Where's the Rickroll? We might get a Rickroll eventually. Can you guys see the screen there now, Kali and the Windows box? I know there is a little bit of a delay. Okay, nice, cool, thank you for verifying that.

So we're going to start enumerating Active Directory eventually, right? I actually want to introduce Active Directory first, because I don't know how many have heard about Active Directory and have played around inside Active Directory. While you guys answer that, I'm actually just going to go ahead and start there. Okay, we have one, probably have a few more, but in case someone hasn't seen AD before, I just want to show you guys around a little bit. So we are not working as a penetration tester at this point; at this point we are actually a sysadmin. I'm connected to a Windows box here; this is the domain controller for the corp.com domain, and it's kind of the end goal for the penetration test, at least in this case. I'm not saying that domain admin is the end goal for all penetration tests, but for this one it's going to be our end goal. I'm logged in here now as jeffadmin, which is a domain admin for the corp.com domain. So being logged in on a domain controller, if I type "Active Directory" here on the start menu we have some different apps: we have Active Directory Domains and Trusts, Sites and Services, the Active Directory Module for Windows PowerShell (this is a pretty cool one because you can actually manage Active Directory just using PowerShell; it sounds hardcore, but it's actually pretty cool), we have Administrative Center, and we have Users and Computers. Users and Computers is the management app for Active Directory; this is the app most sysadmins spend most of their time in when they are dealing with AD, especially when they are making changes and that kind of stuff. So we're going to focus on this one.

I'm going to start it here, and we can see that we are met with a graphical user interface of some sort. Before even talking about enumeration and that kind of stuff, I want you guys to just look at this as kind of a database that contains a bunch of objects. An object can be a user object, it could be a group object, it could be a computer, it could be a wealth of other things as well. Everything stored here is basically an object, and those are the things we are interested in enumerating from the penetration testing perspective. On the left side here we see that we have corp.com. In this case we only have one domain controller, we only have one domain; in other cases you might see several domains here, like for example sales.corp.com or development.corp.com. I mean, there might be many domains, but in this case we only have one, corp.com. If I expand this we can see that we have a bunch of folders, and this is as default as it gets, really, in Active Directory; we haven't really made a lot of changes in Active Directory here. This is kind of what you get when you install the AD service, and this is basically it. Some of those, I mean we can see that these are folders, but some of them are actually called organizational units, and you can create as many as you'd like in your AD environment. In this case we haven't really separated a lot of stuff because it's a small domain; according to Amy's slide we only have like nine users or something and six machines, so it doesn't really make sense separating it too much. But let's have a look at, for example, the Computers folder or organizational unit. Under here we can see that we have five machines: CLIENT74, CLIENT75, CLIENT76, FILES04 and WEB04. Those are the computers in the domain, known as objects, so whenever I say object I might be talking about users, groups, computers, whatever. If you go into Domain Controllers we also have an object, in this case DC1. This is the machine we are currently connected to, the central piece, the central component storing AD, serving AD, storing all the objects and everything. So this is the most important server in the network; without this the domain just wouldn't function. I want to go back to Computers real quick, and we can double-click one of them, for example CLIENT74.

Keep in mind that we are still working as a sysadmin at this point; we are not penetration testing this yet, we're going to get to that eventually, but this is just the AD introduction I wanted to do for this call. So double-clicking CLIENT74, for example, we have some information. We have a General tab; it says CLIENT74 here, we have a DNS name which is client74.corp.com. If I go to Operating System, for example, we can see Windows 11 Pro, version 10, well actually version 22000 here. So the information you see in those boxes are known as attributes, and those attributes are what we are interested in trying to enumerate as much as we can from the outside as a normal domain user. At this point it's really easy for us to see what's here because we are logged in as domain admin, so we are kind of cheating ourselves a little bit maybe, but keep in mind that this is just an introduction. So that's basically it for the computers. There are so many things we can go through here. You will have the option to log in as domain admin in the module, so I recommend doing that if you haven't seen AD before, and just get to know it a little bit. If you go down to Users, by default we have a bunch of groups here as well in the Users folder, plus the users. It's a little bit weird, I have to admit, but this is the default setup, so we went with that. If you, for example, double-click the Domain Admins group and we click Members, right here we can see that Administrator and jeffadmin are domain admins. If we as a sysadmin wanted to add someone else here we could just click Add and we could add another domain admin, and essentially they would have the highest privilege possible within the domain. So keep in mind jeffadmin and Administrator, they are the domain admins; hopefully we can figure that out without having to log into AD and check. If you click on jeffadmin here, for example, his user, under General we have a bunch of other attributes as well. We can see that we haven't really filled out a whole lot there, so there is not really much to enumerate for those particular attributes for jeffadmin, but let's add, for example, a description here. We can do "OffSec Live call, 24th of March", we can apply it, and then we can see if we are able to enumerate this from the penetration testing perspective afterwards. That would be cool. We can go to Account here, we can see his username: it's the domain name and then jeffadmin. We can see in this case that "password never expires" is set, for example, which I would say is a bad security practice in Active Directory. If, you know, the account gets compromised and you don't need to change the password, it might stay compromised for quite a while. But even so, if you gain access to a domain admin you will be able to set this setting yourself as well. So, but yeah, I would say don't have "password never expires" on your stuff. In the lab we had to do this because we obviously want you guys to log in without having to brute-force the password every time it has to be changed. We aren't that evil. Also if you go to Member Of, we can see, again, rather than going to the Domain Admins group and seeing who's a member, we can also enumerate the user and see that, okay, jeffadmin is a part of the Domain Admins. So look at this as kind of a database. We want to enumerate this, and we're going to try to do that right now. If you have any questions, just type them out in the chat, we can revisit this later as well if needed, but for now I'm going to log out of the domain controller and we're going to start our penetration test.

So I'm currently logged in to CLIENT75 as the user stephanie. This is a low-privileged domain user; we are not local admin on the box or anything like that. I mean, we can check that real quick, for example by trying to start Command Prompt as administrator: we're getting prompted for a password and we don't have any passwords, so we are not the local admin here, most likely. I mean, there are several other ways we could use to check as well, but yeah, this is our standpoint, or starting point. We could for example say this is an assumed-breach scenario, so it's a grey-box penetration test; let's say we were handed a laptop with a username and a password that allows us to log into the domain, or maybe we compromised stephanie via some sort of client-side attack or something like that. So we can use our imagination for that. Can you guys see the text here, or should I increase it? I would like to keep it like this, but if not, let me know if it's too small. Bigger? I can go one bigger, maybe. Let's see, font, we can try 28 and see how it looks. It's a little bit bigger. Okay.

So we are now in a command prompt. We can type whoami. I'm pretty sure all of you know what the whoami command is, but I've seen some confusion when it comes to your domain versus local machines, on where exactly you're logged in. So in this case we can see that we have the CORP backslash; this means that we are logged into the domain itself as the user stephanie. If this said CLIENT75 we would not be logged into the domain; then we would have a local user account on CLIENT75. And speaking of local user accounts, we can type net user. I'm sure most of you have heard about this before; this is a legacy tool that has been in Windows forever, pretty much, and if we type this we can see that we have the user accounts for CLIENT75, which is an Administrator, some default accounts and an offsec account. Now we can use net user to prod, for example, offsec directly, and looking here we can see that offsec is a part of the local admin group on the system itself, on CLIENT75, and we need to keep in mind now that we don't have local admin privileges on this box. So it could be one of our goals eventually to try to find a service or maybe somehow take over the offsec account to get admin privileges, but we kind of did this on purpose, starting with a low-privileged user, just to show how much stuff you can actually do just with a regular domain user.

So we're starting the course with what I like to call legacy tools, net.exe, because you can actually do some enumeration with it in the domain as well. Now if I just type net user, as we saw, it's going to enumerate the local accounts on CLIENT75, but if I add /domain to the account, we can see here, or not to the account, to the command, sorry, we can see that the request is being processed at a domain controller for the domain corp.com, and we can see that it actually outputs the user accounts stored on the DC, on the domain controller for the domain. So just from a low-privileged user we are actually able to enumerate which users are present in the domain: we have dave, we have iis_service, jeff, jeffadmin, jen, krbtgt, pete and stephanie. This is what we saw earlier when we had a look at Active Directory itself, and we can now start prodding users directly. What I like to do is to have a look at my own user; you should always know what your, you know, foothold can do. So let's clear the screen and do a net user stephanie /domain. Well, actually, just to showcase this, because I know that there is a little bit of confusion sometimes on this local versus domain thing: if I just do net user stephanie here we can see that the username could not be found, and this is because this query is being run locally on CLIENT75, so in order to figure this out in the domain you need the /domain flag to run this via LDAP, which is the communication protocol used by Active Directory. We dive much deeper into LDAP in the course; I don't want to talk too much about LDAP here, I'd rather show some cool enumeration and maybe do some hacking as well. So let's check stephanie. We can see now that the command is processed at the DC for corp.com. We have a bunch of attributes here; this is similar to what we saw in Active Directory earlier, and we can see we are a part of the Domain Users, which is something we could expect, otherwise we wouldn't be able to log in here, but we can also see that stephanie is a part of the Sales Department, which is a group as well, probably not standard in Active Directory. So this is a group that we possibly want to try to enumerate at some point. Let's run the same command on jeffadmin, so instead of stephanie we do net user jeffadmin /domain, and we can see that he's a domain admin. So we don't actually need to cheat and go into Active Directory to figure out the domain admins; we can do that from a low-privileged domain user. And if you look at the comment there as well, this is the comment we added as an attribute earlier in the description field for jeffadmin. I have found many, many weird things in description fields in my life, including passwords, because some sysadmins may think that, hey, no one is ever going to see this anyway, only when looking at AD. Little do they know that you can actually enumerate this from a remote standpoint with a low-privileged user. I'm not saying all of these admins are doing that, obviously, but I've seen some weird setups from time to time during penetration tests.

So this essentially wraps up what we want to do with the legacy tools, because there are some restrictions on net.exe that we may not be aware of, but we actually have no other choice than diving into PowerShell a little bit when it comes to AD enumeration. In the course we build our own enumeration script. I didn't want this to be a scripting call, so we're simply just going to skip that for now and we're just going to dive right into PowerView and try to do some, you know, nasty stuff. So I'm going to clear my screen, I'm going to start PowerShell, actually let me do powershell -ep bypass, because PowerView is a script and we need to bypass the execution policy in PowerShell in order to run it. So I'm going to go into the C:\Tools folder on CLIENT75. If you take the course you will also have access to this, it's already pre-built. We have a bunch of tools here, but for now we're going to focus on PowerView before we eventually move into SharpHound; we're going to do that in this call as well, which is why I might be talking a little bit too fast here. I'm sorry about that; tell me to calm down if it goes too fast. So to import PowerView we just do Import-Module and we point to PowerView, we hit enter, and PowerView is now loaded in memory. Amy, I don't know if you have the link for PowerView, if you could maybe share that. Well, actually, I have it here as well, maybe I can share that in the chat. Okay, yeah, I also shared it, we can spam it a little bit so people can see it. I've seen big streamers spam stuff, but they have like 30k viewers; we are not quite there yet, but you know, it is what it is. So that's the link for PowerView, and the reason we are giving the link now is that PowerView has so many commands, it's actually kind of insane how many commands you have there. So I don't want to go ahead and run Get-Help and then go through all the commands; I would rather you guys just check the script out and you can see all the commands available. Also if you want to learn something about a specific command, which I had to do when actually creating this module, I highly recommend doing that, because there is some really cool stuff going on. I also want to mention that PowerView is, I don't think it's maintained anymore, and it's a pretty old script, but it still works, so we decided to add it into PWK 2023 as well, way more now than we did back in 2020. Actually, I think what we had for 2020 doesn't really work that well anymore for newer operating systems, which is also something we need to troubleshoot a little bit.

So we have imported PowerView here now, and let's try to repeat some of the enumeration that we did with net.exe. So instead of using net user now we can just do a Get-NetUser; that's the cmdlet in PowerView to pump out all the users in the domain, and when it comes to LDAP, PowerView is actually doing the same as the script we develop ourselves in PWK to acquire the correct LDAP path. Yes, you can use PowerView in Kali, but it's, I mean, it's a PowerShell script, so I mean you could start PowerShell there and go ahead, but yeah, I'm using it in Windows in this case. So let's run Get-NetUser and see what we get. Yes, I can, yes, I don't know if I got your name correctly there, but yeah, I can move the cursor. So we run Get-NetUser and we get a bunch of information. I would maybe expect to just get the usernames, but if we scroll here a little bit we can see that we, I wouldn't say endless, because we don't have a lot of objects in this domain, but we have quite a lot of output, and this is one of the disadvantages when it comes to PowerView: you need to find a way to parse the data, because let's imagine you're pentesting an organization with 10,000 users; this output would just be, I mean, not really manageable. So we're going to have a look here. This bottom marking here is the attributes and properties we get for one single user in the domain. Some of those might be more interesting than others. For example, knowing the samAccountType, which is a user object, we don't really need to know that, because we are actually looking for users here. But just to come up with an example, for example samAccountName, which is the username for the user most likely, and maybe, let's see, lastlogon, for example; this could also be interesting, when they logged on the last time. The cool thing with PowerView is that you can actually pipe whatever you want into select, like this, and I can simply now just say, okay, I want the samAccountName (I just need to learn how to type; samAccountType, no no, samAccountName) and then lastlogon, for example. If I do this we get a nice list of users on the left side, and we can see here that we have the last logon for the users as well on the right side. So if we see users here that haven't been logged in for quite a while, then the account might just be dormant. I mean, it's enabled most likely, because, if I remember correctly, disabled accounts don't show here. So if we see someone having been logged in ages ago, that might be an account we are interested in trying to compromise at some point. Also, if the account isn't used on a daily basis we have a higher chance of flying under the radar when it comes to being caught and that kind of stuff. Now I just want to mention as well that PowerView and this AD enumeration we are doing here is pretty noisy, so if you're working in a red team engagement, for example, you probably don't want to run those commands, but for pentesting in Kali Linux we don't really care too much about the radar and we can do whatever we want, which is what I'm planning to do right here. So this is Get-NetUser. Now obviously if you just want a clean list of users we just remove the lastlogon here, we re-run it, and we get a nice list of users there, which we could add to our brute-force list or something like that. In either case we need to make sure that we are documenting our work here; that's something I also need to touch base on, because right now I'm not documenting what I'm doing, it would simply take too much time in the call, but make sure that you are documenting everything from the start to the end of the penetration test, because you might get some surprises along the way.

So this is it for the user enumeration with PowerView. We can also have a look at the groups with PowerView; we can do Get-NetGroup, for example, like this, and again we are getting a bunch of attributes, a lot of them. Trying to parse this, or trying to just read this, would be close to impossible, and keep in mind that this is a small environment, so we need to parse the data somehow, and we can for example do select samAccountName for groups as well. If we do that we have a nice list of the groups in the domain, and we see a lot more groups here than we did earlier with net.exe. This is because we are using .NET classes in the DirectoryServices namespace, which is kind of tailored for those kinds of things, and instead of just seeing the global groups we can actually see the domain local groups as well, which could also be of interest to enumerate. If you go to the bottom here we see at least three groups that are probably not standard in AD: Sales Department, Management Department and Development Department. So earlier we enumerated, well, did we though? I'm actually going to enumerate the Sales Department with net.exe once more, just to show you guys: net group "Sales Department" /domain. So this is net.exe right now, this is not PowerShell or PowerView. We can see that stephanie and pete, they are members of the Sales Department group, correct? If I do Get-NetGroup now with PowerShell, or PowerView, and we point to the Sales Department, and let's go ahead and select member, we don't need all the attributes that we saw earlier, we see something quite different than we did before. Let me just explain the output here a little bit. We don't just see stephanie here, we see all sorts of other kind of weird things as well: DC=corp,DC=com, for example, and CN=Users, CN=stephanie. This is actually known as a distinguished name in Active Directory, which is a unique value for stephanie in this case. stephanie is the common name; Users is also a CN, which represents the container that stephanie is stored in; DC in this case does not stand for domain controller, it stands for domain component, and DC=corp,DC=com is kind of the, what should we call it, root or base domain. So this is where our searches start, but this is a unique identifier for stephanie, which is required by LDAP to function, so this is why it looks a little bit weird maybe, but we are explaining this in the courseware, so don't worry if you may not have seen this before. But looking at this output compared to what we did with net.exe, do you guys see a difference here in the outputs? We need some more hype in the chat. I hope someone sees the difference there. Hype, thank you Jim, I appreciate that, hype. So is that everything you can see here? Hype. I'm sure you can see something else as well, based on the outputs here. More hype. Okay, I guess I will just have to spell it out. We're going to have more of those quizzes eventually, by the way, so be prepared. I may just stop and not do anything else before we either get a gifted sub or someone gives me the answer. Anyway, jokes aside, with net group, or with net.exe, we can see that stephanie is a member and we can see that pete is a member. However, with PowerView, the Get-NetGroup command, we can see stephanie, we can see pete, which makes sense, but we also see Development Department. So net.exe kind of lied a little bit to us earlier when it said that only pete and stephanie were members, but the Development Department is actually a member as well, and this has to do with the abilities of net.exe to enumerate groups. We can see direct user members, but with net.exe, under the right circumstances, you cannot see the direct group members. Hope that makes sense, and I hope that now that I pointed it out, you can see the difference here.

So this makes me a little bit curious. Let's go ahead and enumerate the rest of the groups as well, so we redo the command from the Sales Department, well, actually not the net.exe one, we're going to do Get-NetGroup with PowerView. So we see Development Department is a member of Sales Department, so let's go ahead and enumerate the Development Department as well. Okay, so in Development Department we have Management Department, okay, so let's enumerate that one. Boom, there you go, jen is a member of the Management Department. And Wally V4, you are correct, this is nested groups, and we just unraveled them using PowerView here. Nested groups is absolutely something you will, I will say that you will see this in Active Directory during penetration tests. This is a great way to scale and all of that stuff, and I think actually for every single pentest I have done I have seen nested groups. But looking here, we start from the Sales Department and go all the way to the Management Department. Can anyone tell me which group or groups jen is actually a member of here, in a default Active Directory setup with inheritance enabled? I kind of gave away the answer there, maybe, but we'll see. I want to see if anyone follows along on what's going on here. We're going to have the awkward silence; I know you like awkward silence, Amy. Yeah, so you guys are absolutely on the correct path here. jen is a member of the Management Department, Management Department is a member of the Development Department, and Development Department is a member of the Sales Department, so in theory she's actually a part of all three groups. Yes, all nested groups. So imagine if this was the Domain Admins, for example; fortunately it's not, we didn't make it that super easy to get through the course. But imagine as a sysadmin you make a mistake when you do the nested groups like this, I mean who knows, maybe the Development Department in this case has local admin privileges on almost all clients, maybe even on servers in the domain, via GPO. That's going to be up to us to enumerate, but if that's the case, jen will also have that access. So if we are able to control jen here somehow, we may at some point elevate our privileges in the domain.
right make sense so this is cool cool I'm glad it makes sense I'm happy to happy to see that so this kind of wraps up the group and user enumeration we need to move on we need to enumerate some more cool stuff right so I'm going to clear my screen here normally in a penetration test if you have a bunch of ips reply and see you would have to run nmap for example or yes this is live Manish uh you would have to run nmap or various Recon Tools in order to figure out what kind of operating systems are running right with active directory however as we saw earlier this is an actual attribute and we we don't we don't really need a map in this case maybe we do at some point but let's run get net computer for example like this I'm sorry I'm going to mirror the mouse I keep forgetting that let's run get net computer much like the users and the groups we are getting a bunch of attributes those are the attributes available to us and our properties for one single computer object in the domain right we need to parse data this is one of the downsides I will have to say with power review in in larger operations it's gonna be really tricky unless you have everything under total control right but let's see we can have for example Operating System since we want to enumerate operating systems that's a good one to filter on and maybe DNS hostname right so let's do operating system Let Me Clear My screen I'm gonna do select and I'm gonna choose operating system and maybe add DNS hostname right to see what we are dealing with here and this gives us a really nice list we have three server 2022s here we have a domain controller we have a web 04 most likely web server I would guess file server or file sub4 which is hopefully a file server right cloud74 send 576. 
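As an added example (not code from the OffSec Live demo, from PowerView, or from the PEN-200 course), here is the "script this" step the presenter mentions: the same computer enumeration done directly with the System.DirectoryServices classes that PowerView wraps, selecting operatingSystem, operatingSystemVersion and dNSHostName, resolving each name, and writing the IP list that would be fed to nmap. It assumes it runs as an ordinary domain user on a domain-joined Windows host whose DNS resolver is the domain controller; the output path C:\tools\hosts.txt and the helper names Get-FirstValue and Get-DomainComputerInventory are assumptions, not anything from the talk.

```powershell
# Added example, not code from the OffSec Live demo or from PowerView.
# Enumerates computer objects over LDAP with System.DirectoryServices, the
# namespace PowerView's Get-NetComputer builds on, and resolves each host.
# Assumptions: runs as any domain user on a domain-joined Windows host whose
# DNS resolver is the DC; C:\tools\hosts.txt is a made-up output path.

$OutFile = 'C:\tools\hosts.txt'

# Helper (name assumed): first value of an LDAP attribute, or $null when the
# object does not carry that attribute at all (ResultPropertyCollection hands
# back an empty collection rather than throwing).
function Get-FirstValue {
    param($Properties, [string]$Name)
    $values = $Properties[$Name]
    if ($values -and $values.Count -gt 0) { return $values[0] }
    return $null
}

function Get-DomainComputerInventory {
    # RootDSE tells us the domain's default naming context, e.g. DC=corp,DC=com.
    $baseDn   = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$baseDn"
    $searcher.Filter     = '(objectCategory=computer)'   # computer objects only
    $searcher.PageSize   = 1000                          # paged results for large domains
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('dnshostname', 'operatingsystem', 'operatingsystemversion', 'useraccountcontrol'))

    foreach ($result in $searcher.FindAll()) {
        $p    = $result.Properties
        $fqdn = Get-FirstValue $p 'dnshostname'
        if (-not $fqdn) { continue }                     # no DNS name, nothing to resolve

        # Resolve to an IPv4 address; a lookup failure just leaves IP empty.
        $ip = $null
        try {
            $ip = ([System.Net.Dns]::GetHostAddresses($fqdn) |
                   Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                   Select-Object -First 1).IPAddressToString
        } catch { }

        $uac = [int](Get-FirstValue $p 'useraccountcontrol')
        [pscustomobject]@{
            Host      = $fqdn
            OS        = Get-FirstValue $p 'operatingsystem'
            OSVersion = Get-FirstValue $p 'operatingsystemversion'   # e.g. "10.0 (16299)"
            Disabled  = ($uac -band 0x2) -ne 0                       # ACCOUNTDISABLE bit
            IP        = $ip
        }
    }
}

$inventory = Get-DomainComputerInventory
$inventory | Sort-Object OSVersion | Format-Table -AutoSize

# Only enabled, resolvable hosts go into the file: nmap -iL C:\tools\hosts.txt
$inventory | Where-Object { $_.IP -and -not $_.Disabled } |
    Select-Object -ExpandProperty IP | Set-Content -Path $OutFile
```

Two things worth knowing when reading the table it prints: operatingSystem and operatingSystemVersion are written by the computer itself when it joins or updates, so they are a hint to verify with a scan rather than ground truth, and the same sorted view is what a defender would use to spot old builds still sitting in the directory.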
This is the information we saw earlier when we were sysadmin-ing around, right, but now we are just enumerating this based on attributes, and this is pretty cool. Now if you were to run an nmap scan, for example, on those from Kali, you may not, if you don't have DNS correctly set up, be able to resolve the hostnames. For that we can just do a resolve. Let's see, we could do nslookup as well, I mean there are many ways we could do this, but we have a Resolve-IPAddress cmdlet in PowerView, so I'm just going to do an example here on CLIENT76, and we have the IP address as well, which we could add directly into a text file and feed it to nmap. Obviously with a bunch of computers you would probably script this and get a nice list of IPs.

So that was kind of what I wanted to show for the computer enumeration. We're going to move into something way cooler, in my opinion, now, but this is kind of how you start gathering information in Active Directory: I would start with users, groups, possibly computers, and try to parse the data and look at what you got. So far we have no attack vector whatsoever; it seems we are pretty far away from it as well.

So I was talking about getting to know our user a little bit better earlier. There's a tool, or a command, called Find-LocalAdminAccess in PowerView. This is noisy, this is actually insanely noisy: it's going to try to connect to every single machine in the domain, establish a handle, and if successful it's gonna deem that you have local admin access on the machine. So if there is a SOC analyst in the PWK lab right now they should hopefully get some alarms, but we don't really care about the SOC analysts at this point because we don't need to fly under the radar. So we will just go on. In this case we can see that Find-LocalAdminAccess didn't give us anything, which might be expected. Seems like Stephanie might not be a very powerful account; it doesn't really have access to anything as far as I can tell.

And this moves into what we're going to cover next, which is logged-on sessions, because we need to be able to figure out the relationships in the domain and try to find some attack vectors. For this we will still use PowerView for the time being; we will dive into BloodHound in a couple of minutes here. There is a command called Get-NetSession and we can for example do FILES04 here, we want to see the sessions on FILES04. (All of those tools are allowed on the exam, Wallas, no restrictions on PowerView or BloodHound or net.exe.) So Get-NetSession: if we dive into the PowerView code a little bit, it's actually using two APIs. It's using the NetWkstaUserEnum API, which requires administrative access on the target machine in order to figure out whether or who is logged into the system. We know already that we are not local admin on any boxes, so that option is going to fail for us 100 percent. The second API is the NetSessionEnum API, which has different query levels, but PowerView is operating by default on query level 10, which I believe BloodHound is doing as well, and it's trying to connect to a specific registry hive in Windows to figure out whether or not there is someone logged in on the box, so it doesn't require admin privileges. So let's try to run this: FILES04, no sessions; WEB04, no sessions; let's do CLIENT74, I like the number four today for some reason: no sessions. So we could probably now say that OK, there are no sessions on those machines, but if we add some verbosity to our command here we can actually see that we are getting an access denied message on FILES04. Let's do WEB04 as well. "WEB404" doesn't exist, so I just need to learn how to type. Like this: access denied. Let's do CLIENT74.

Access denied. Why is that? This is actually where I kind of ran into a little bit of a rabbit hole when writing this module, because this used to be such a great way to enumerate sessions in the domain, but it seems like NetSessionEnum just doesn't really work that well anymore, and it has to do with the operating systems we have in the labs. I'm gonna go ahead and copy and paste the command now, so we're going to have a look at the operating systems and their versions with Get-NetComputer. So we saw this earlier: the oldest machine is a Windows 10 Pro machine, it's running version 16299, which I believe corresponds to build 1709, and right around that area (the documentation from Microsoft is not really clear on when this change happened), around Windows 10 build 1709 and Windows Server 2019 build 1809, there was a change to a registry hive that we need for NetSessionEnum to work. We're going to have a quick look at that hive now on the Windows 11 box; this might be a little bit different for the Windows 10 box, but we'll have a look at it. We're going to Get-Acl here on the LanmanServer DefaultSecurity key and we're going to have a little look at the access permissions on it. So for NetSessionEnum to work we need to be able to read this key. BUILTIN\Users, they are allowed to read the key; BUILTIN\Administrators are allowed to read the key, well, they have full control; same with NT AUTHORITY\SYSTEM, they have full control as well; CREATOR OWNER, full control; APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES are allowed to read the key, and this is a SID, or unforgeable token in Windows, that gives access to certain items, but if you Google the SID... actually, I wonder if this is going to be the same on almost all Windows 11 systems. It's allowed to read the key, but from a remote standpoint those permissions do not allow us to actually read this key from CLIENT75 as Stephanie. Doesn't work here. If we had older systems in the lab then yes, it would probably work, so I wouldn't just throw NetSessionEnum away, but I know that many people think that SharpHound and BloodHound are like the go-to tools when it comes to this kind of stuff, but SharpHound is also using NetSessionEnum and NetWkstaUserEnum. I think that's two out of three ways that BloodHound is also trying to enumerate logged-on sessions in the network. So Microsoft made AD enumeration much harder.

There is a third option, however, which we have introduced in the PEN-200 course, which is called PsLoggedOn. PsLoggedOn is essentially... well, actually, let's just run it first and I'm gonna explain later. Let's run it against FILES04. Based on the output here Jeff is logged in on the FILES04 machine, and the reason we are seeing this is because PsLoggedOn is using something completely different than NetSessionEnum to find this information: it's actually relying on the Remote Registry, which also has some restrictions we need to think about, because I think, if I remember correctly, the Remote Registry has been disabled by default since Windows 8 or something like that. And on servers it's actually running by default, well, actually on later server versions it's running by default, but it's being disabled after 10 minutes of inactivity; but there is a trigger, so when someone tries to connect to the Remote Registry it's gonna start again. So on the clients we may not be able to get a lot of information, but I have seen on penetration tests that clients also have this enabled for different reasons: they might replace or deploy some agents into the network, or backwards compatibility, I mean so many different things it could be. But at least PsLoggedOn was able to find Jeff logged in on FILES04 here. Let's do WEB04 as well: nope. Let's do CLIENT74 since those are the machines we focused on so far, and based on the output, does anyone see anything of interest at all so far? "BloodHound uses Remote Registry", yeah, yeah, also true, it might be able to find more sessions than I'm doing here, we'll have a look in a few. But does anyone see anything of interest in the output I currently have here? "jeffadmin", CipherBytes, you are absolutely correct. jeffadmin is indeed an interesting account. We don't have any attack path just yet because we don't have access to CLIENT74, but if we at some point are able to get access to CLIENT74 and elevate ourselves to administrator there, we could actually do a targeted attack on jeffadmin and we could become domain admins ourselves. We could possibly dump his NTLM hash, or we could inject into some process that jeffadmin is running on the machine and then just impersonate him, running commands as domain admin.

I also want to highlight Jeff being logged in on FILES04 here, because in my opinion, and this is just my opinion, jeffadmin is doing something he shouldn't be doing here: he's browsing around on clients with his domain admin account, and this is something I see way too much on penetration tests as well. Yes, it's an easy way to log into a machine, you're local admin, you have access to everything and you can do your job, but if an attacker takes over your account your whole domain might just be completely compromised. And as was also mentioned about a Golden Ticket earlier in the chat, you could actually forge one of those and have access to the domain for God knows how long. So if you're a system admin, just don't browse around with your domain admin account, it is a bad idea. In this case I would probably guess that Jeff has the same password as jeffadmin as well; I think they're the same person. So if we're able to get control of Jeff and get his password then, who knows, maybe password reuse also comes into play. So many options here, but we don't have an attack path just yet. Let's remember though that jeffadmin is connected to CLIENT74, because that seems to be a significant thing for us right now.

That wraps up the user, or rather the logged-on sessions, for now. We're gonna move on to something else that we introduce in the course, a completely new thing called object permissions, and I'm actually going to start Notepad here and give a little bit of history around it before we just dive in. Let me edit and change the font here a little bit, let's see, 24 maybe, yeah, I think this is probably good enough. So object permissions are permissions, or actually you can call them ACLs, which stands for Access Control List. In an Access Control List you have a bunch of ACEs, which stands for Access Control Entry, so for short we say ACEs, or "aces" or whatever you want to call it. A bunch of ACEs eventually makes up an ACL, which is essentially what we're going to try to enumerate here. Keep in mind that those are set on specific objects in Active Directory, and if time permits after we're done with the demo I can show how to set this as well in Active Directory as the sysadmin. Right now, looking at some of the ACLs here, or object permissions: we have something called GenericAll. This is the most powerful one, and as it's written there, it gives you full permission on the object. So for the object you have GenericAll on, you might as well just be the domain admin, because you can do exactly what you want, everything you want, with that object; you are in complete control. GenericAll is very powerful. We also have GenericWrite, where you can edit certain attributes on the object, so if we are able to edit attributes we might be able to take over the object as well. WriteOwner: we can change the ownership of an object. WriteDACL here: we can edit ACEs on the object, so eventually we could probably give ourselves full control using this.
Right. AllExtendedRights: this is something that I've seen... well, actually WriteDACL, AllExtendedRights and GenericAll are what I've seen the most. AllExtendedRights is kind of a cool thing because it allows you to change the password, or reset the password, on a domain object. So we know that Pete and Stephanie are working in the Sales Department based on our enumeration. Let's just imagine that Pete keeps on forgetting his password every single day. He calls jeffadmin and goes "hey Jeff, can you reset my password, I forgot it", and maybe jeffadmin is getting a little bit pissed off about this and he doesn't want to reset Pete's password every day. Then he might, let's say, give AllExtendedRights to Stephanie, as an example, allowing her to change the password for Pete. So jeffadmin doesn't have to do this job all the time, he's just delegating it to Stephanie by giving AllExtendedRights on the Pete user object. So in that case Stephanie can just go ahead and change Pete's password each time he forgets it, or a pen tester comes in and takes advantage of this. ForceChangePassword, obviously a very powerful one as well: if you're able to set this on an object and we try to log in with that object, they are prompted for a password change, and it doesn't ask you about the old password, you just need to input the new password, so essentially you get full control over the account or object. Self is also pretty cool: we could for example add ourselves to a group. So there are many, many more object permissions than this, but I just wanted to point out some of the interesting ones for a pen tester, and we're going to focus on the GenericAll one.

So let's close Notepad and go back to our PowerView script, and now I need to do some copy and paste because those commands are a little bit long. We're gonna run something called Get-ObjectAcl. There is a simpler way of doing it, which you will probably realize eventually if you take the course, but we are going to do this super manually for now. So we're going to Get-ObjectAcl, the identity is going to be Management Department because this is the department we want to see right now, and we want to see the ActiveDirectoryRights that equal GenericAll on the Management Department. So anyone who has GenericAll on the Management Department is going to show up when we run this command. So let's try this, and again, as usual, we get a bunch of data. It seems like we have five or six objects or something here. What I'm marking here now is one object that has GenericAll permissions on the Management Department. So we should probably parse the data a little bit and try to make sense of this. The ObjectDN here we are not really interested in, because we already know that we are enumerating the Management Department. ObjectSID might be interesting, but we can see that the ObjectSID is the same throughout our output here, so I would take an educated guess and say that this is the SID for the Management Department; we don't necessarily care about that one either. What we actually care about here is the ActiveDirectoryRights and this SID in the SecurityIdentifier: the SecurityIdentifier is the SID for the object that has GenericAll permissions on the Management Department. So let's try to make a little bit more sense of this. I'm going to copy and paste again. We're going to run the same... well, actually, let me... I need to learn how to actually use the keyboard here. Right, there. So we're running the same command all the way up here; this is the same command that we just ran, but we are piping it into Select and we want to see SecurityIdentifier and ActiveDirectoryRights, and those only. Let's do this, and now we have a little bit more manageable output: we have the SID for whoever has GenericAll permissions on the Management Department.

Now you can also run a command called, I think it's called, Find-InterestingACL with PowerView, and it's going to do... that's a hint, if you want to go through the labs or the courseware it's going to be a little bit easier, because now we have to translate those SIDs and everything; Find-InterestingACL I think is translating the SIDs into friendly names directly. So we need to translate those numbers we see here somehow, and we can do that with PowerView as well. Yeah, and as is mentioned in a chapter, every single object in AD has a SID. So let's try to convert those into a name, and I'm gonna comma-separate them like this. This is an awful lot of manual work on a Friday, I kind of regret doing this on a Friday. Not for you, Jeremy, later. Right, so we comma-separate them and we pipe this into ConvertSidToName, so now we are translating the SIDs into actual names. So we see here Domain Admins, not really a big surprise because they do have full access to pretty much everything, but do you guys see anything of interest in the output here? I really, really hope you do. Let's do some awkward silence until I see some... yeah, Doing Shank or something here: "Stephanie". Marker Pen: nice, Steph, yes. This is not something you would normally see in a domain, I would say, unless it's a misconfiguration or maybe it's by intention, I mean who knows, but Stephanie in fact has GenericAll permissions on the Management Department. So what can we do with the Management Department? Any suggestions on what we can do here now, since we have full access to it? We could do pretty much anything, but I want to see some... "we could even more"... I mean yeah, we could start Mimikatz at this point, but we wouldn't really be able to get much, since we don't have any other... I mean, if jeffadmin was logged into CLIENT75 even at this point, we wouldn't be able to do Mimikatz because we are not domain or local admin. You will need to have admin rights to use Mimikatz. But keep in mind we are in full control over the group. We can't really impersonate any tokens here because we don't have any tokens to impersonate. "Add Stephanie to admin": I'm gonna go ahead and say that Alice is on the right path there. I think what you mean is we could add Stephanie to Management Department; since we have full access to the group we could go ahead and do that.

Before doing it let's do a Get-NetGroup and choose Management Department and select member: we only have Jen. If I do net user... let's see, net user Stephanie, no, we need to do net group "Management Department", and we can point to Stephanie, /add. We need to remember our /domain, otherwise this is going to be running on our client, which won't work. We can see that the command succeeded. Let's do a Get-NetGroup on the Management Department again, and we can see that instead of just having Jen, now we have both Jen and Stephanie, due to the GenericAll privilege on the group. So we have full access on the Management Department, and if we recall back now, Jen was a member of the Management Department, which again was a member of the Development Department, which again was a member of the Sales Department; we now have the same permissions with Stephanie. So at this point I would say it would be a really good idea to repeat parts of the enumeration we have done. This kind of goes back to what Amy showed with the methodology earlier: the cycle kind of repeats itself, because we don't really know yet, but we may have just escalated our privileges within the domain due to the group membership. But I want to show you another cool thing instead, so let's go ahead and remove Stephanie from the Management Department group and verify that we cleaned up after ourselves: now only Jen is there.

Given the name of the Management Department group, I think Jen might be an interesting account to look closer at. So let's enumerate the object permissions on the user Jen as well. Exactly the same command as before, we just replaced Management Department with Jen; we are looking for GenericAll permissions and we are interested in seeing the SecurityIdentifier and the ActiveDirectoryRights. Boom, let's see what happens. So again we have five things here. We remember earlier that the 512 SID here belongs to Domain Admins. Let's just be a little bit more on point here, I'm gonna try and convert this SID into a friendly name. "What's the current user right now?" OK, so we are still, before I translate this I just want to show, we are still connected as Stephanie. But with the permissions, by adding ourselves to different groups, we may have more permissions in the domain, but we removed ourselves from the domain groups to do some new enumeration, so we are still operating under Stephanie here. Let me redo the command, Get-ObjectAcl, and I'm going to copy this and ConvertSidToName. What does this tell us about Stephanie and the relationship here with the Jen object? It's essentially the same as before: we had Management Department, we could add ourselves to the group, but what can we potentially do with a user if we have full access to it? We're going to do some awkward silence again until I get some recommendations on what to do here. "I'm stuck in my dentist, I'm totally stuck." "Yes, we could potentially impersonate", but how? It's not like we have NTLM hashes or anything. "Enum domain more", yes, we could do that as well, we could continue to do more enumeration with Stephanie now, but we could potentially do something else. The SID is just another way of saying the username, essentially; every object has a SID and we just converted it to Stephanie, so the SID won't really help us here. But we have full access to Jen; what can we do to the Jen user object to gain access to the Jen user? "Change permissions", yes, we could do that, but why? We already have full permissions. Yes, we could change the password, right, I like it. We can change the password. We should be able to do that using net.exe, so let's try net user jen, let's do a very strong password: "Password" with a capital P, 123. This is my favorite password. I also know that Amy uses it on pretty much everything, so... I didn't say that, but yeah. net user jen, yep, Password123 /domain. We need to run this via the domain controller because Jen doesn't have a user on CLIENT75. Let's do this, and we can see that the command completed successfully, which is pretty cool. Due to the GenericAll we have now changed Jen's password, and now we kind of get into the impersonation kind of stuff.

We're gonna move now from Stephanie to Jen in the domain. To do that we could log out and log in again, but I'm a little bit lazy, it's Friday after all, we're gonna do a runas. Let's do /user, specify the domain, then, and let's start powershell.exe. This is now still going to launch on CLIENT75, but let's try this: Password123. We have a PowerShell prompt here, a new one. Let me just do powershell -ep bypass and then increase the font, otherwise it's going to get a little bit messy here. Let's see, 28 I think was what we had earlier. Yeah. So let's clear the screen. whoami: we are now logged in as corp\jen, so we have a new user, and again this goes back to what Amy said earlier about repeating the enumeration, and this is gonna work as kind of an eye-opener when it comes to that kind of stuff. With our new user Jen let's go ahead and load PowerShell, I mean PowerView: we go into the tools folder, Import-Module PowerView. "Good old lateral movement", yes. "That's terrible there." So just to show here, whoami, we are now corp\jen. Let's run Find-LocalAdminAccess. We didn't get any output from this with Stephanie earlier, so let's see if we are in luck with Jen here, and all of a sudden we start seeing some nasty stuff coming up here: we have local admin access on WEB04, FILES04, CLIENT74 and CLIENT76.

So does anyone from the chat recognize some potential attack vectors we could use here to compromise the entire thing and become domain admin? "Jen is not the domain admin", no, the only domain admins are jeffadmin and Administrator. Yeah, so CipherBytes: "CLIENT74", that's interesting. Why is CLIENT74 interesting? I'll show you, just to combine all of this together. Let's start PsLoggedOn again and point to FILES, no, CLIENT74. I have to agree on the access here we have with Jen. We are logged in as Jen here, we have local admin access to four boxes including CLIENT74, where jeffadmin is logged in, and yes, CipherBytes, now we can, well hopefully, we can potentially get jeffadmin's token. We could log in to CLIENT74 and possibly hijack into one of the processes jeffadmin is running as well and just impersonate him that way. That's for a different AD module though; now we are dealing with enumeration, although I'm gonna have to admit that we did some attacks here as well: resetting Jen's password and logging in as Jen is considered an attack. But this just proves that you will have to layer your enumeration a little bit. You need to start somewhere, and once you get a new foothold you have to repeat the process, it's kind of rinse and repeat, which goes back to the chart that Amy showed earlier. There's a small chance that you might just get domain admin in your first lateral movement, but often you will have to chain different attacks together, and we can see how much we were able to get there by just moving to Jen and getting local admin on a bunch of boxes. I mean, even if jeffadmin wasn't logged in on CLIENT74 I would consider this a great win, because you can now log into those boxes and get a whole lot of information from them as well.
right so in a normal pen test you would probably do that and gather as much information as possible does it make sense what we have done so far if it doesn't feel free to reach out on Discord as well after the call will will probably be there and and help out if needed I'm glad it makes sense so the downside to what we have done now is that it's a lot of text right even for just this very tiny environment we are working in here this has been a lot of tests a moon cake I'm not sure if this is actually being recorded uh I will have to check but yeah well I will have to check that you can reach out to me at Discord after the call my hand there is mighty uh and I'll I'll get that checked out and yeah the the marker pen the the I don't think PS Lowdown is covered in pen 200 2022 uh or object permissions so this is a part of the new course the panda 200 2023 there's a lot of differences between the courses okay so so Wally let me just read your question I may have missed some stuff so Stephanie had generic all permissions for the management department Group which the animal is a part of and because of that we had generic all access to Jen no so those are actually two different those are actually two different axises maybe I should have made that a little bit more clear but we had generic all on the management department and we added ourselves to the group and we moved ourselves just to kind of show it right the Gen generical was a different one so two different ones the management department didn't have anything to do with with the attack we just did on gen here I hope that makes sense if not we can we can talk more about it later I am more to so right what I wanted to say is that this is a lot of text and I can understand that this might be a little bit scary to get into the active directory I really hope that we are explaining things in a way in the course that this just you know it's going to be your second nature I think so I've seen students and also you know people 
I've worked with earlier being kind of afraid of Active Directory. I don't really get why, but I think it's just the fact that it's so complex and a huge, like a huge thing, right? But I would pick AD any day in a pen test over doing something else; I would 100% focus on AD, because you have so much stuff there and the chances for success are really high, right?

So with that said, let me clear my screen and go back to our folder, the Tools folder. We're going to have a look at BloodHound, since I promised that. Now, in order to use BloodHound: BloodHound is actually the tool you use to analyze data. In order to collect data you're using something called SharpHound, which is also installed by default on the Windows 11 CLIENT75 box. So SharpHound is the collector. This is important to remember: SharpHound is the collector, BloodHound is what you use to analyze, right? So we're going to run SharpHound in the domain first, and then we're going to transfer the data over to Kali, where we will use BloodHound.

So we're gonna run this under Jen, right? Let's do a whoami. We are still logged in as Jen. We could do it from Stephanie as well, it won't really matter, because BloodHound is going to see it regardless. Let's do our Import-Module SharpHound. Right, that was PowerView, I'm sorry, it's getting late. We're going to import SharpHound; now SharpHound is in memory. And to see the help for the command... this is actually a little bit weird, I don't understand why they did this, but in order to start SharpHound you actually need to run the command Invoke-BloodHound. I really don't know why it's like that; I think it might just have been a mistake or something from the old days and it just stayed like that. So I understand this is a little bit confusing, but let's have a look at the Invoke-BloodHound command. Right, the syntax is here: we need to run Invoke-BloodHound, we need to choose a collection method, and we can choose whatever we want there. We can do SearchForest, Stealth, LDAPFilter,
DistinguishedName, ComputerFile; there are so many things we can do. For now we're gonna do it pretty simple. I'm gonna copy and paste the command here: we're gonna start Invoke-BloodHound, use CollectionMethod All. This is pretty nasty, it's gonna be a lot of noise in this network, right? You need to think a little bit about whether you should run this on a pen test or not, but in PWK, just go ahead, right? The output directory is going to be C:\Tools, and the output prefix, we want the file to start with "corp audit", right? So let's run this. In a bigger production environment this might take hours, right, but in our case it's probably not going to take us long.

In the output here we can see what we are enumerating: group, local admin, GPO local group, sessions, logged on, trusts, etc., DCOM, SPN targets, many, many different things we are enumerating here. BloodHound also supports something called looping, so that you can tell BloodHound to loop for x amount of hours, because right now we are essentially taking a snapshot of the domain, how it looks now, right? So if someone logs in in, let's say, two hours, we won't be able to see that. But you may have BloodHound, or SharpHound, just running for a longer amount of time to be able to gather more information. But in this case, and in PEN-200, you don't need to worry about looping, everything is there already, right?

So we can see that it completed. Let's have a look in our Tools folder and see if we have some files there. We have a "corp audit" file. I know this is a little bit small, but we have the file here. It's a zip file which now contains a bunch of JSON files, which is used for the graphing, right? We're going to talk a little bit more about that later. Now, we could install BloodHound on Windows, but I'd rather just use the one I have in Kali, and I'm going to start some file transfers here. Earlier today I discussed this presentation with a colleague. I was using FTP, and it was like, "you use FTP in 2023?", right? But
I've been using FTP now for, like, I don't know, 30 years or something, and it just works. But I decided, okay, maybe I should try to be one of the cool guys as well, so I'm just gonna set up a share on my Kali box using impacket smbserver, called "share". We're gonna put this file onto my desktop, and we're going to enable SMB2 support, right? So the share should be running now. Let me go grab my IP address, because I never remember that. We are connected to the VPN, so it's this one. Let's just exit. With the share running, we can now go ahead and do backslash backslash, then the IP address; we can see the share folder. Let's go ahead and open a new File Explorer here.

And just, yes, BloodHound is allowed on the exam, "extending" or something, I don't know how to state your name, but yeah, you can use BloodHound in the exam. So let's go ahead and copy the zip file into our nice share. There you go. Now I'm just going to minimize Windows; we're done with Windows, finally. Back to good old Kali, right?

Let's go to the desktop. We have a "corp audit" file here. In order for BloodHound to work we need a service running called Neo4j, which is a NoSQL database, and instead of having rows and columns it supports graphs, right? And we will see why in a couple of minutes here, or seconds rather. Let me start Neo4j. Okay, it was already running, so let's start BloodHound. Right, we go through in detail how to start and configure BloodHound in the course, so I'm not going to go through that right here, but I'm gonna log into the database, the Neo4j database. And let's see, we probably get, yeah, we get "no data returned from query" here, which makes sense, because we don't have any data. We need to upload the zip file. We could do that either by dragging it into the window, or we could go to "Upload Data" on the right side here. I know this is a little bit small, but I'm explaining everything I'm doing, and I won't be able to make it bigger, I'm sorry. Let's go to the desktop and choose the BloodHound.zip file
that we just generated on the Windows machine using SharpHound. We hit Open, and we can see that it's now currently unzipping a bunch of JSON files, right? So there is one JSON file for computers, for example; this file contains all the information about the computers in the domain. Easy as that, right? We could also tell BloodHound not to do a zip file and just drag and drop JSON files in here. But we can see that the process is complete. Let's clear and close this window.

On the top left we click, and we can see the database info here. We can see, for example, on-prem object user 0. This, I know, is wrong, right? What you sometimes have to do when you are in BloodHound is to refresh the database stats. Click down here, and if you go up again we can see that it updated. Right now we can see 10 users, 57 groups, six computers, etc. We also appear to have seven sessions, 710 ACLs. We enumerated two of them earlier and we got all that output; imagine how difficult this would be to enumerate 710, and we only have a small domain, right? Node Info is not populated right now, we actually need to choose or click on some nodes in order to get info here.

I know I'm going a little bit fast, but we are running out of time, so I want to show this. If you go to the Analysis tab there is a bunch of pre-built queries already built into BloodHound. We can run our own queries as well; we touch on that in the course. But for now let's click the "Find all Domain Admins" query, right? We click it, we get some nodes here, and we can arrange those the way we want, drag them a little bit closer together, maybe like this, and then we can zoom in. The text is really getting bigger, but this is jeffadmin, and the line you see in between here is known as an edge. So jeffadmin here is a node; the line is an edge. I like to just call them lines, to be honest, even though that's kind of not the technical term for them. But we can see here, in very small text, that jeffadmin is a member of the Domain Admins, and we can see the Administrator also is a
member of the Domain Admins, right? So instead of going through a bunch of text in PowerView or net.exe, we just see this in graphs, which is pretty cool, right?

Now let's go a little bit further down. I want to show two more queries for the call. We have something called "Find Shortest Paths to Domain Admins", right? Let's click it and choose the Domain Admins group. We're going to have a lot more nodes here now. This may not always show you an attack path in the Active Directory. I actually like to run this in penetration tests and have a look at the shortest path, because it's so easy to see what servers and users are kind of a central component in the network, right? This is a small network, but we can still see some centralized things here, for example CLIENT74. We can easily see that this is an important thing, because so many nodes have edges towards it, right? And we also see that it has a session from jeffadmin here, right? So if you look a little bit closer, starting on the left, Stephanie for example: if we hover over Stephanie here we can see a red line directly into the Domain Admins, and this states that if you have access to Stephanie you should be able to get Domain Admin as well, somehow, right? You just need to follow the lines and figure out exactly what's going on here.

I'm gonna try to make this a little bit more clear, the attack path we found earlier, because there is another query where you will be able to add users or objects you have owned, right? So in this case I'm going to click on Stephanie and see that Node Info is being populated. We can see the same, or some of the same, attributes we saw earlier when we did manual enumeration, so the Node Info is also a great one. But if we right click Stephanie here and we click "Mark User as Owned", it's going to get a skull icon next to it. I can zoom in maybe a little bit more, I don't know if you guys can see this, but we have now marked Stephanie as owned, right? Let's do the same with CLIENT75. Let's forget all the
enumeration we did earlier, right? Let's just say we know that we have control over Stephanie, we have control over CLIENT75 because that was our starting point, right? Even though owning CLIENT75 might be a little bit of a lie here, because we haven't escalated our privileges, right? But at least we have partial control over it. Now we can go back to Analysis, and there is another query called "Shortest Paths to Domain Admins from Owned Principals", right? This is a really cool one, because this is now going to show the shortest path from Stephanie or CLIENT75. So let's click it, choose the Domain Admins group, and let's just get rid of this, and let's also just rearrange this a little bit to make it a little bit easier to see, so we can zoom in a little bit.

Sorry if you're hearing a dog barking, by the way, in the background here; I have a very angry neighbor dog right now, he sounds a little bit pissed. Maybe it's his AD we're enumerating, I mean, who knows. Okay, no barking, good, that means my microphone is working.

Right, so we owned CLIENT75 and we own Stephanie, and we can, I mean, this is pretty easy to see what we can do here, right? The edge between Stephanie and Jen here says we have GenericAll permission on Jen, so we can, well, actually we did already, we reset the password, right? So we can take over or impersonate Jen. We can see between Jen and CLIENT74 it says ExecuteDCOM here. We know that Jen is local admin on CLIENT74, which I would say is probably a little bit more powerful. But if we right click the edge and click Help and click Abuse Info, we actually get some commands we can run from CLIENT75 as Jen as well, to get a shell on CLIENT74.
We are going over ExecuteDCOM in the lateral movement module for AD, so you will get to know this stuff pretty well. We can also go to Opsec Considerations, right? We get a lot of information about how the DCOM is built up and what to kind of look out for from a... well, if you need to fly under the radar, right? This is kind of a nice place to go if you want to see what you need to consider during the attack. But we know that we can just log into CLIENT75, and, you know, the admin there, jeffadmin, he has a session, so we can right click the edge here as well and click Help, and if we click Abuse here we can see some references to Mimikatz, for example. I saw that Mimikatz was mentioned in the chat earlier; we can use that for password theft, or, you know, getting NTLM hashes, right? We can also do token impersonation, which is also something we are talking about in the course itself, so that's for another call. Right, we are dealing with the enumeration here, but I would say we're doing a pretty good job on it, because we have a pretty straightforward attack path right here, and then obviously, in the end, jeffadmin is a member of the Domain Admins, so if we're able to impersonate jeffadmin we have full control over the domain, right?

And that's it. Amy, it's your turn to talk a little bit, I've been talking too much now, I think. Any questions on anything that we have gone through? We only have three minutes left, so we kind of need to end the stream soon; there is an office hour coming up in three minutes.

So I don't see any questions in the chat that you haven't already answered, Remy. I wasn't sure on the recording, Amy. Yes, I did get confirmation it is being recorded, and it will be available on YouTube. I see someone who's asking about the resolution; I'm not entirely sure what the resolution will be. I know that it's not been very easy to see the output of BloodHound, but at least Remy has explained every single step of the way. We can show, we do
have a copy, a screenshot of this, it might be a little bit clearer in the presentation.

Actually, let me just... we have some questions about that, there is some confusion about Jen here. Let me, if we have the time for it, I'm gonna log into the domain controller again. Let's say we just compromised the whole thing, right? We can imagine that we are just in total control, and we're gonna go into the domain controller and check what exactly happened with Jen, right? If we start Active Directory here as domain admin again, and we search for the user Jen and we go into the Security tab, we see Stephanie here. If we go to Advanced, let's see, Stephanie, where are you, there you are: she has Full Control, right? If we double click this, those are actually the ACEs, or this is the ACL that I was talking about earlier, the access control list. So this is being verified, okay, is she really allowed to change Jen's password? Yes, she is, because she has full control over the account, right? I hope that clears it up; if not, hit me up on Discord and I'll gladly go through this once again. I'm sorry, Amy, you're on.

No problem, I was about to hijack your screen, so I'm glad that I waited a second. Q&A: I don't see any questions. You're sharing your screen, by the way. Yeah, oops. On the screen, it was wondering, I need that background as well. There we go. I was hoping to share the right screen, but you know how computers don't want to comply when they need to. I was talking about our screenshot, and this is it, for anyone who would like to see it maybe a little bit clearer than it was directly from BloodHound. I'm just typing a little bit in the chat, sorry. All right, yeah, I think Remy was asking about those dates, sorry. Someone has just posted in the chat all the dates of the OffSec Live sessions, for anyone that was asking. All right, there. Oh, we even have a thank you slide, that's awesome. That's cool. No problem. Week seven.
This was a fun time, hopefully we can do it again at some point as well. I'm happy that many of you guys liked it, so that's cool. I think it's time to end this stream then, Amy. Yep, and it is; you both did awesome, thank you so much. Thank you, Jeremy, I forgot that you were here even, so I'm sorry. I'm sorry, it's just a little fly on the wall. Yeah, I'm sorry for going one minute over, that was not cool. Right, thank you, guys, for joining OffSec Live. Right now we've got the Discord office hours; we need to end this stream for that, or how? Yeah, we're gonna end the stream and then stay around, we'll be back in just a moment. Yeah, hang around, guys. I wish you all a nice Friday, enjoy your time, and happy pen testing. AD is good, I promise, it's gonna be fun. So thank you from me. Have a good lunch, everyone. Bye bye.
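The stream above walks through SharpHound writing one JSON file per object type, BloodHound loading them into Neo4j, and the "Find all Domain Admins" and "Shortest Paths to Domain Admins from Owned Principals" queries. The following is an added example, not code from the stream, from OffSec or from the BloodHound project: a miniature, offline version of what those queries compute. The input is constructed by hand in a simplified SharpHound-like shape (names instead of SIDs, flat lists; this shape is an assumption, not SharpHound's real schema), the `CORP.COM` suffix is assumed, and only the edge types seen on the stream are modelled: MemberOf, GenericAll, AdminTo and HasSession, with the same directions BloodHound uses (Computer -[HasSession]-> User, member -[MemberOf]-> group).

```python
"""Added example (not from the OffSec stream or BloodHound): build an edge
graph from SharpHound-like JSON and answer two of the stream's queries.
The JSON below is constructed sample data in a simplified shape; the
real SharpHound files use SIDs and nested result objects."""
import json
from collections import deque

# Constructed "collector output", keyed like SharpHound's per-type files.
SHARPHOUND_LIKE = {
    "users.json": json.dumps({"data": [
        {"Properties": {"name": "STEPHANIE@CORP.COM"}, "Aces": []},
        # ACE on Jen's object: Stephanie holds GenericAll over Jen.
        {"Properties": {"name": "JEN@CORP.COM"},
         "Aces": [{"PrincipalName": "STEPHANIE@CORP.COM",
                   "RightName": "GenericAll"}]},
        {"Properties": {"name": "JEFFADMIN@CORP.COM"}, "Aces": []},
        {"Properties": {"name": "DAVE@CORP.COM"}, "Aces": []},
    ]}),
    "groups.json": json.dumps({"data": [
        {"Properties": {"name": "DOMAIN ADMINS@CORP.COM"},
         "Members": ["JEFFADMIN@CORP.COM", "ADMINISTRATOR@CORP.COM"]},
        {"Properties": {"name": "MANAGEMENT DEPARTMENT@CORP.COM"},
         "Members": ["JEN@CORP.COM"]},
    ]}),
    "computers.json": json.dumps({"data": [
        {"Properties": {"name": "CLIENT74.CORP.COM"},
         "LocalAdmins": ["JEN@CORP.COM"],      # Jen is local admin here
         "Sessions": ["JEFFADMIN@CORP.COM"]},   # jeffadmin is logged on
        {"Properties": {"name": "CLIENT75.CORP.COM"},
         "LocalAdmins": [], "Sessions": ["STEPHANIE@CORP.COM"]},
    ]}),
}


def build_graph(files):
    """Adjacency list: node -> [(neighbour, edge_name)], BloodHound directions."""
    graph = {}

    def add(src, dst, rel):
        graph.setdefault(src, []).append((dst, rel))
        graph.setdefault(dst, [])

    for obj in json.loads(files["users.json"])["data"]:
        name = obj["Properties"]["name"]
        graph.setdefault(name, [])
        for ace in obj["Aces"]:               # principal -[RightName]-> object
            add(ace["PrincipalName"], name, ace["RightName"])
    for obj in json.loads(files["groups.json"])["data"]:
        name = obj["Properties"]["name"]
        for member in obj["Members"]:         # member -[MemberOf]-> group
            add(member, name, "MemberOf")
    for obj in json.loads(files["computers.json"])["data"]:
        name = obj["Properties"]["name"]
        for admin in obj["LocalAdmins"]:      # user -[AdminTo]-> computer
            add(admin, name, "AdminTo")
        for user in obj["Sessions"]:          # computer -[HasSession]-> user
            add(name, user, "HasSession")
    return graph


def members_of(graph, group):
    """'Find all Domain Admins': every principal with a MemberOf chain into
    group, resolving nested groups."""
    found, stack = set(), [group]
    while stack:
        current = stack.pop()
        for src, edges in graph.items():
            if any(dst == current and rel == "MemberOf" for dst, rel in edges):
                if src not in found:
                    found.add(src)
                    stack.append(src)     # src may itself be a group
    return found


def shortest_path(graph, owned, target):
    """'Shortest Paths to Domain Admins from Owned Principals': multi-source
    BFS; returns [(node, edge, node), ...] or None if nothing reaches target."""
    parent = {o: None for o in owned}
    queue = deque(owned)
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for nxt, rel in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def render(path):
    """Print a path the way the BloodHound edges read on the stream."""
    text = path[0][0]
    for _, rel, dst in path:
        text += f" -[{rel}]-> {dst}"
    return text


if __name__ == "__main__":
    g = build_graph(SHARPHOUND_LIKE)
    da = "DOMAIN ADMINS@CORP.COM"
    print("Domain Admins:", sorted(members_of(g, da)))
    owned = {"STEPHANIE@CORP.COM", "CLIENT75.CORP.COM"}
    print(render(shortest_path(g, owned, da)))
```

With the constructed data the owned-principals query returns the four-hop path the stream found by hand: Stephanie's GenericAll over Jen, Jen's local admin on CLIENT74, jeffadmin's session there, and jeffadmin's Domain Admins membership. A principal with no outgoing edges (Dave) yields no path, which is the "this may not always show you an attack path" case from the stream.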
Info
Channel: OffSec
Views: 20,175
Id: x5qREhf5lgA
Length: 98min 39sec (5919 seconds)
Published: Mon Mar 27 2023