Domain Trusts: We’re Not Done Yet

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Invoke-FindUserTrustGroups  ->  Find-ForeignUser Invoke-FindAllUserTrustGroups  ->  Find-ForeignUser -Recurse Invoke-FindGroupTrustUsers  ->  Find-ForeignGroup Invoke-MapDomainTrusts  ->  Invoke-MapDomainTrust Get-NetDomainControllers  ->  Get-NetDomainController Invoke-EnumerateLocalAdmins  ->  Invoke-EnumerateLocalAdmin Invoke-EnumerateLocalTrustGroups  ->  Invoke-EnumerateLocalAdmin -TrustGroups A few months ago, my colleague @sixdub and I presented our talk “Trusts You Might Have Missed” at BSides Chicago (the slides are posted here). We covered a lot of information that …

Domain Trusts: We’re Not Done Yet Read More »

Identifying Your Prey

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Get-NetGroup  ->  Get-NetGroupMember Get-NetGroups ->  Get-NetGroup [Note: This has been cross posted on the Adaptive Threat Division blog] User hunting is one of my favorite phases of an engagement. Whether it’s performed for lateral spread and escalation, or to …

Identifying Your Prey Read More »

PowerQuinsta

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Get-NetRDPSessions  ->   Get-NetRDPSession I wanted to do a quick writeup on one of PowerView‘s latest features- the ability to enumerate RDP sessions on remote machines. Qwinsta For those unfamiliar, qwinsta is a built in Windows command that …

PowerQuinsta Read More »

Push it, Push it Real Good

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Invoke-StealthUserHunter  ->  Invoke-UserHunter -Stealth Invoke-SearchFiles  ->  Find-InterestingFile Get-NetFileServers  ->  Get-NetFileServer My boss comes from a red teaming background; I do not. When I started to move beyond simple pentests and absorb his more advanced tradecraft, I was amazed that …

Push it, Push it Real Good Read More »

Domain Trusts: Why You Should Care

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Get-NetForestDomains  ->  Get-NetForestDomain Get-NetDomainTrusts  ->  Get-NetDomainTrust Get-NetForestTrusts  ->  Get-NetForestTrust Invoke-MapDomainTrusts  ->  Invoke-MapDomainTrust Invoke-FindUserTrustGroups  ->  Find-ForeignUser Get-NetDomainControllers  ->  Get-NetDomainController Red teams have been abusing Windows domain trusts for years with great success, but the topic is still underrepresented in public …

Domain Trusts: Why You Should Care Read More »

“I Hunt Sys Admins”

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Get-NetGroups  ->  Get-NetGroup Get-UserProperties  ->  Get-UserProperty Invoke-UserFieldSearch  ->  Find-UserField Get-NetSessions  ->  Get-NetSession Invoke-StealthUserHunter  ->  Invoke-UserHunter -Stealth Invoke-UserProcessHunter  ->  Invoke-ProcessHunter -Username X Get-NetProcesses  ->  Get-NetProcess Get-UserLogonEvents  ->  Get-UserEvent Invoke-UserEventHunter  ->  Invoke-EventHunter [Note] This post is a companion to the Shmoocon …

“I Hunt Sys Admins” Read More »

Mining a Domain’s Worth of Data With PowerShell

On a red team engagement, our goal usually isn’t access, it’s data. While getting domain admin on a test is a great feeling, what actually matters to us is identifying what a customer is trying to protect and then targeting those crown jewels. Access is obviously a necessary component, but data mining is just as important. Some …

Mining a Domain’s Worth of Data With PowerShell Read More »

Dumping a Domain’s Worth of Passwords With Mimikatz pt. 2

A year ago, @mubix published a cool post on http://carnal0wnage.attackresearch.com/ about “Dumping a domain’s worth of passwords with mimikatz“. In the article, he talked about using a combination of PowerShell, file shares, .bat scripts and output files in order to run Mimikatz across a large number of machines in an enterprise using just WMI. A few …

Dumping a Domain’s Worth of Passwords With Mimikatz pt. 2 Read More »

Targeted Trojanation

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Invoke-CopyFile  ->  Copy-ClonedFile Additionally, the -ExcludeIPC and -ExcludePrint flags for Invoke-ShareFinder are no longer needed So you’re on an engagement and everything seems pretty locked down. Group Policy Preferences doesn’t have any deployment passwords left lying around, you’re not a …

Targeted Trojanation Read More »

The Case of a Stubborn ntds.dit

The awesomesauce of the Kerberos Golden Ticket (based on the spoofed-PAC whitepaper from BlackHat 2012) has started to change how I operate on my engagements, especially during repeat assessments done for the same customer. I’m now maniacally intent on getting the krbtgt hashes for as many domains as I can in the target network. Most often, I’ll try to …

The Case of a Stubborn ntds.dit Read More »