Post Exploitation - Pulling NTDS and extracting with SecretsDump

To continue our example of targeting Active Directory, below is an example of how an attacker can pillage the NTDS file after obtaining a Domain Admin account that has access to a Domain Controller.

Gaining a foothold: The Rubber Ducky and PowerShell Empire

So, I recently acquired my first rubber ducky and I've been messing around with it quite a bit. I wanted to document the basic setup and provide some links for further reading.

All of my write-ups are conducted in a lab, but I try to emulate what can happen in real life. In our example below, I want to emulate a rubber ducky being plugged into a corporate-managed Windows device. This could have been done either by an attacker gaining physical access and plugging the rubber ducky in directly or, as done in past years, by dropping them in parking lots and having employees pick them up and plug them into their workstations. Either way, let's demonstrate what can happen.

We will be utilizing Kali as our payload-generating machine and PowerShell Empire server, and we will be attacking a Windows 7 host.

To start, we need to make sure we know which pieces of the rubber ducky do what. In its simplest form, we will be utilizing 3 pieces: the micro SD card that carries our payload, the USB that allows us to write to it, and the USB that will be delivering our payload.

USB used to write payload


Post Exploitation - DCSync


Now that we have a Domain Admin account, another step that can be taken is to run "DCSync". DCSync effectively impersonates a Domain Controller and requests account password data from the targeted Domain Controller. This will allow an attacker to potentially maintain persistence by acquiring more credentials across the domain.

As always, this is more of a step-by-step walkthrough on how the actions are performed. There are many other blogs that go into further detail on the attack and how to mitigate. I will not be doing that here.



To continue our example, we will assume the following:

Gaining a foothold: Using Responder and NTLM Relay attack

A previous post showed how to capture hashes and crack them. But what if you can't crack the passwords? Is there any way to pass this captured hash instead? Lucky for us, there is! A great post written by byt3bl33d3r back in 2017 covers exactly what I'm about to briefly show; I suggest you check out his post for more information.

Like most of my posts, I only scratch the surface and emulate a real attack. I don't go in depth since there are tons of other write-ups out there that do. Instead, I make more of a step-by-step illustration of how the attack was conducted.



To get started, it is important to know the difference between some of the technology:

Post Exploitation - Kerberoasting

Below is a real-world use case of Kerberoasting. This is not intended to be a guide on Kerberoasting; there are way better guides out there and explanations on how it all works. Rather, this is more of a step-by-step walkthrough of using Kerberoasting to escalate privileges from a regular domain user to a higher-privileged user.


Gaining a foothold: Using Responder to capture NTLMv2 Hashes and cracking with John the Ripper

Recently, I finally got my new home lab set up and I figured it was time to start documenting some tools that are used quite often within penetration testing.

Today I am going to demonstrate how to run Responder in its most basic form, capture an NTLMv2 hash and crack it with John the Ripper. While this will not be an exhaustive list showing all the possible examples (there are many blog posts out there that do), I will just be demonstrating how this can be done in its simplest form. It is up to you to decide how far you want to go with this information.


Running an Obfuscated version of Mimikatz in Memory to bypass AntiVirus and other host based controls

About

The other day I was part of an engagement that required post-exploitation of the target system (administrative access had already been obtained) to steal credentials. There are many posts online that have done this and I will be referencing them as we go. This is just a supplement to everything else out there.

Mimikatz is a tool that collects credentials, including cleartext passwords, LAN Manager hashes, Kerberos tickets and a number of other items. This post leverages Mimikatz, but instead of downloading the binary to the target's disk and risking tripping antivirus or having other host-based controls stop us, we will download the script directly into memory and run it without ever touching disk.

Additionally, there are a few obfuscation techniques that can be used with simple Linux fu to help generate this "custom" version of Mimikatz to help bypass AV. Lastly, there is another technique to help obfuscate the actual PowerShell command that calls the download to run the exploit.


Privilege Escalation thru CyberArk Viewfinity

A while ago I encountered a bug within Viewfinity 5.5 (5.5.10.95). Viewfinity is a product owned by CyberArk that provides Endpoint Privilege Management. It bolsters administrators' ability to control user privileges on corporate desktops. Below is a use case in which I was able to elevate privileges from a normal user to Admin through this product.

Step 1: Verify you are a low-privilege user by running the command "net session". Net session displays information about all sessions on the local computer. The user will get "Access is denied" if they do not have Administrator privileges.