Press "Enter" to skip to content

Category: redteaming

Abusing GPO Permissions

Published March 17, 2016 by harmj0y

A friend (@piffd0s) recently ran into a specific situation I hadn’t encountered before: the domain controllers and domain admins of the environment he was assessing were extremely locked down, but he was able to determine that a few users had edit rights on a few specific group policy objects (GPOs). After a bit of back and forth, he was able to abuse this to take down his target, and we were able to integrate some new functionality into PowerView that facilitates this process. This post will cover these new features and demonstrate how to enumerate and abuse misconfigured GPOs in case you encounter…

Continue ReadingAbusing GPO Permissions

Local Group Enumeration

Published March 9, 2016 by harmj0y

I’ve found that one of the most useful features of PowerView (outside of its user hunting capabilities) is its ability to enumerate local group membership on remote machines. I’ve spoken about this briefly before, and gave some details on its utilization of the ADSI WinNT Provider in the “Pass-the-Hash is Dead: Long Live Pass-the-Hash” post. My colleague @sixdub wrote an excellent post titled “Derivative Local Admin” that shows the power this functionality can give attackers, and fellow ATD member @_wald0 expanded on this with his “Automated Derivative Administrator Search” post. This functionality has been indispensable on both our pentests and longer-term red-team engagements. I wanted…

Continue ReadingLocal Group Enumeration

Targeted Plaintext Downgrades with PowerView

Published December 16, 2015 by harmj0y

Following my pattern of weaponizing Sean Metcalf‘s work in PowerView, I’m here with another update. Sean recently released a post titled “Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync“. He describes a legacy feature for Active Directory user accounts called ‘reversible encryption’. According to Microsoft, “This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS)“. There’s a bit more a detailed explanation of its workings here and here. Sean describes a cool way to set this policy…

Continue ReadingTargeted Plaintext Downgrades with PowerView

Sheets on Sheets on Sheets

Published December 3, 2015 by harmj0y

After a few requests, I’ve built out a series of cheat sheets for a few of the tools I help actively develop- PowerView, PowerUp, and Empire. I hope to illustrate the full functionality available in each tool and provide a quick reference for new adopters (as well as seasoned operators). PDF versions of these will be kept in a master repository at https://github.com/HarmJ0y/CheatSheets/ under the Creative Commons v3 “Attribution” License. They are versioned in the footnotes and I will them appropriately as time goes on. Note: PowerView and PowerUp are in the process of being integrated into the PowerSploit repository. The bit.ly links in the current sheets…

Continue ReadingSheets on Sheets on Sheets

Abusing Active Directory Permissions with PowerView

Published November 12, 2015 by harmj0y

One of my favorite presentations at Derbycon V was Sean Metcalf (@pyrotek3)’s talk “Red vs. Blue: Modern Active Directory Attacks & Defense“. In it, Sean had a section focused on “Sneaky AD Persistence Tricks”, meaning methods “by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes“. I wanted to show how one of the methods covered, the abuse of AdminSDHolder and SDProp, can be facilitated with new PowerView 2.0 functionality. Note: I did not discover this attack method. I also will only give a brief background on the underlying components, as Sean has…

Continue ReadingAbusing Active Directory Permissions with PowerView

PowerView 2.0

Published October 13, 2015 by harmj0y

PowerView is a tool that I’ve spoken frequently about on this blog. It debuted as part of the Veil-Framework in March of 2014, and has gone through a huge number of changes over the last year and a half. It is now a part of the PowerTools repository under the PowerShellEmpire GitHub account, and may be integrated soon into the central PowerSploit repository. Today marks probably the biggest change to PowerView and how people use it since its inception. PowerView v2.0 is a major refactor that eliminates some code components, renames others, absorbs some functions into existing ones, and adds a chunk of new functionality. As…

Continue ReadingPowerView 2.0

Mimikatz and DCSync and ExtraSids, Oh My

Published September 22, 2015 by harmj0y

Edit: Benjamin reached out and corrected me on a few points, which I’ve updated throughout the post. Importantly, with the ExtraSids (/sids) for the injected Golden Ticket, you need to specify S-1-5-21domain-516 (“Domain Controllers”) and S-1-5-9 (“Enterprise Domain Controllers”), as well as the SECONDARY$ domain controller SID in order to properly slip by some of the event logging. Benjamin Delpy is constantly adding new features to Mimikatz. In June, he added the ability to include ExtraSids in golden tickets. This was built in coordination with Sean Metcalf‘s work on the subject, and something I talked about here. Benjamin and Vincent Le Toux also recently…

Continue ReadingMimikatz and DCSync and ExtraSids, Oh My

The Trustpocalypse

Published August 7, 2015 by harmj0y

I’ve talked about domain trusts more than many people probably care about. A few weeks ago I posted “Domain Trusts: We’re Not Done Yet” – apparently there’s even more! I’ve said before that trusts will not let you magically exploit a domain. I now need to add one caveat to that statement concerning Golden Tickets and external sids, as some recent work in this area from Sean Metcalf and Benjamin Delpy will likely change the way we operate. Sean presented on this during his “Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection” Blackhat presentation, and has a post up on his site on this topic as well. The Mimikatz Trustpocalypse Bejamin recently…

Continue ReadingThe Trustpocalypse

Domain Trusts: We’re Not Done Yet

Published July 16, 2015 by harmj0y

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Invoke-FindUserTrustGroups  ->  Find-ForeignUser Invoke-FindAllUserTrustGroups  ->  Find-ForeignUser -Recurse Invoke-FindGroupTrustUsers  ->  Find-ForeignGroup Invoke-MapDomainTrusts  ->  Invoke-MapDomainTrust Get-NetDomainControllers  ->  Get-NetDomainController Invoke-EnumerateLocalAdmins  ->  Invoke-EnumerateLocalAdmin Invoke-EnumerateLocalTrustGroups  ->  Invoke-EnumerateLocalAdmin -TrustGroups A few months ago, my colleague @sixdub and I presented our talk “Trusts You Might Have Missed” at BSides Chicago (the slides are posted here). We covered a lot of information that we’ve talked about in the “Trusts You Might Have Missed”, “Nodal Analysis of Domain Trusts – Maximizing the Win!”, and the “Domain Trusts: Why You Should Care” posts, as well as a few new developments. I wanted to do a writeup on the new material for anyone…

Continue ReadingDomain Trusts: We’re Not Done Yet

Identifying Your Prey

Published June 18, 2015 by harmj0y

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Get-NetGroup  ->  Get-NetGroupMember Get-NetGroups ->  Get-NetGroup [Note: This has been cross posted on the Adaptive Threat Division blog] User hunting is one of my favorite phases of an engagement. Whether it’s performed for lateral spread and escalation, or to demonstrate impact by tracking down incident responders and executives, we end up hunting for users on nearly every assessment we go on. I presented on this topic at the Shmoocon ’15 Firetalks, and published the “I Hunt Sys Admins” post to help highlight some of the ways we…

Continue ReadingIdentifying Your Prey