C-COI Week 7
ServicePrincipalName (SPN)
An SPN is the name by which a client uniquely identifies an instance of a service.
Domain Controller
A Windows server that has Active Directory installed and is responsible for allowing client computers access to domain resources.
Silver Ticket
All-access pass for a single service or computer account. Forged using a dumped computer account hash and can impersonate any user for that system.
DCE/RPC
Distributed Computing Environment / Remote Procedure Call; used for domain replication.
PsExec
Executes a process remotely. Runs over RPC on port 135.
Kerberos Attacks
Golden Ticket, Pass-the-Ticket, Silver Ticket.
Two Types of Trust Relationships
Implicit trust - two-way, transitive.
Explicit trust - one-way, non-transitive.
LAPS
Local Administrator Password Solution - provides management of local administrator passwords.
LSASS
Local Security Authority Subsystem Service. Passwords are stored here as hashes or in plaintext.
LDAP (Lightweight Directory Access Protocol)
Port 389. A communications protocol that defines how a client can access information, perform operations, and share directory data on a server.
Kerberos Change Password Protocol
Port 464.
Kerberos
Port 88. An authentication system used to verify the identity of networked users.
Delegation
A capability of Active Directory for delegating administration. Can be constrained or unconstrained.
netsh advfirewall show allprofiles
Command to show the firewall settings on a box.
whoami /groups
Displays the groups the current user is a member of: group name, type, SID, and attributes.
ffuf
https://github.com/ffuf/ffuf A fast web fuzzer written in Go.
Domain vs. Workgroup
1. Domain: a client/server network where a user can log in from any device in the office (also known as remote login). It has centralized administration, and all devices can be managed from a central device. It prefers centralized storage: all user data is stored on a centralized storage device, which can be NAS or SAN.
2. Workgroup: a peer-to-peer Windows computer network where users can use their login credentials only on their own system and not on others. It has distributed administration, where each user manages their own machine independently. Most storage is distributed: each device has its own dedicated storage.
Golden Ticket
A Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT) and uses that account to forge valid Kerberos Ticket Granting Tickets (TGTs). This gives the attacker access to any resource on an Active Directory domain (thus: a "Golden Ticket"). A Golden Ticket attack needs:
1. The FQDN (Fully Qualified Domain Name) of the domain
2. The SID (Security Identifier) of the domain
3. The username of the account they want to impersonate
4. The KRBTGT password hash
net localgroup
A Windows TCP/IP command that adds, displays, or modifies local user groups. Shows all groups accessible on a workstation; some of these groups could be empty.
Active Directory
A Windows server directory database and service that is used in managing a domain to allow for a single point of administration for all shared resources on a network, including files, peripheral devices, databases, Web sites, users, and services.
Universal Group
A group scope that can contain users from any domain in the forest and be assigned permission to resources in any domain in the forest.
Global Group
A group that can contain user accounts and other global groups. Global groups are designed to be "global" for the domain. After you place user accounts into global groups, the global groups are typically placed into domain local groups or local groups.
Domain Local Group
A group that contains global groups and universal groups, although it can also contain user accounts and other domain local groups. It is usually in the same domain as the resource to which you want to assign permissions or rights.
rainbow table
A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file.
Pass the Ticket Attack
A technique used for authenticating a user to a system that uses Kerberos tickets, without providing the user's password. Kerberos authentication allows users to access services provided by remote servers without the need to provide passwords for every requested service. To perform this attack, the attacker dumps Kerberos tickets of legitimate accounts using credential dumping tools.
Pass the Hash Attack
An exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.
API
Application Programming Interface - software that allows two applications to talk to each other. Think of a rideshare app like Uber: it leverages data from Google Maps and brings it into its native application using APIs.
Authentication vs session
Authentication - I am who I say I am.
Session - running actions.
Bloodhound
BloodHound (https://github.com/BloodHoundAD/BloodHound) is an application used to visualize Active Directory environments. The front-end is built on Electron and the back-end is a Neo4j database; the data leveraged is pulled from a series of data collectors, also referred to as ingestors, which come in PowerShell and C# flavours. It can be used on engagements to identify different attack paths in Active Directory (AD); this encompasses access control lists (ACLs), users, groups, trust relationships and unique AD objects. The tool can be leveraged by both blue and red teams to find different paths to targets. The subsections below explain the different ingestors and how to properly utilize them.
CrackMapExec
CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.
net users
Displays all local user accounts on the Windows system.
systeminfo
Displays machine-specific properties and configuration.
Windows Enumeration Cheatsheet
Get-Service -Name *ssh*
Start-Service ssh-agent
whoami /groups
systeminfo
net users
net users Administrator
net localgroup
ipconfig /all
route print
sc query windefend
netstat -ano
netsh firewall show state
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
wmic service list brief
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
driverquery
Guacamole Server
Guacamole is an HTML5 web application that provides access to desktop environments using remote desktop protocols (such as VNC or RDP). Guacamole is also the project that produces this web application, and provides an API that drives it. This API can be used to power other similar applications or services.
inveigh
Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers who find themselves limited to a Windows system. At its core, Inveigh is a .NET packet sniffer that listens for and responds to LLMNR/mDNS/NBNS requests while also capturing incoming NTLMv1/NTLMv2 authentication attempts over the Windows SMB service. The primary advantage of this packet sniffing method on Windows is that port conflicts with default running services are avoided.
Multi/handler
Located within the exploit modules; used to connect to a listener. Used when a payload is delivered to the target outside the Metasploit framework.
NTHash
Method for password storage on modern Windows systems (SAM database, or dumped with Mimikatz). The hashes are actually nonces; each nonce is different. The nonce is used to prevent attacks in NTLM. Net-NTLMv2 is the authentication protocol that uses the NT or LM hashes.
ntds.dit
Primary Active Directory database file; a big target. Ntds.dit is the main AD database file. NTDS stands for NT Directory Services; DIT stands for Directory Information Tree. The Ntds.dit file on a particular domain controller contains all naming contexts hosted by that domain controller, including the Configuration and Schema naming contexts. A Global Catalog server stores the partial naming context replicas in the Ntds.dit right along with the full Domain naming context for its domain. Location: c:\windows\system32\ntds.dit
TCP 135
RPC; seen on Domain Controllers.
Password Salt
A random value added to the password before it is hashed, to make pre-computed dictionary attacks (rainbow tables) difficult.
SID history
SID History is an attribute that supports migration scenarios. Every user account has an associated Security Identifier (SID), which is used to track the security principal and the access the account has when connecting to resources. SID History enables the access of one account to effectively be cloned to another. This is extremely useful to ensure users retain access when moved (migrated) from one domain to another: since the user's SID changes when the new account is created, the old SID needs to map to the new one.
SQL
SQL, or Structured Query Language, is a data management language used to handle data in relational databases. With SQL, you can create and modify the structure of databases and tables. You can also store, manipulate, and retrieve data from databases and tables. It is a non-procedural, or declarative, query language: the user specifies which data is required without specifying how to retrieve it.
SAM
The Security Account Manager (SAM) is a registry file on Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores local user account passwords. The file is stored on the system drive at C:\WINDOWS\system32\config
Pagefile.sys
The Windows swap file, used to hold the virtual memory that supplements the physical memory installed in a system.
Tokenization
The process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security. Used as a security measure in NTLM.
NTLM (New Technology LAN Manager)
Used for authentication in a Windows domain; replaced by Kerberos for the most part.
Impacket
Impacket is a collection of Python classes for working with network protocols.
- Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols.
- Focused on low-level program access for the SMB and MSRPC protocol implementations.
IPC$ share
IPC$ is used to provide information about the domain, but can be accessed through null sessions (i.e., anonymously). IPC$, also known as the null session share, allows anonymous hosts on the network to perform certain activities such as enumerating domain accounts and network shares.
msfvenom
msfvenom is a combination of msfpayload and msfencode, putting both of these tools into a single framework. It can be used to generate malware as a standalone .exe file. We use this to build payloads.
Kerberoasting
Kerberoasting is a method used to steal service account credentials.
- Any domain user account that has a service principal name (SPN) set can have a service ticket (TGS).
- The ticket can be requested by any user in the domain and allows for offline cracking of the service account's plaintext password.
Category: Privilege Escalation (Windows)
Mimikatz
One of the tools used to gather credential data from Windows systems. Mimikatz is now well known for extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.
zero knowledge proof
Proving knowledge of a fact to a third party without revealing the fact itself.