Press "Enter" to skip to content

harmj0y Posts

Push it, Push it Real Good

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Invoke-StealthUserHunter  ->  Invoke-UserHunter -Stealth Invoke-SearchFiles  ->  Find-InterestingFile Get-NetFileServers  ->  Get-NetFileServer My boss comes from a red teaming background; I do not. When I started to move beyond simple pentests and absorb his more advanced tradecraft, I was amazed that I hadn’t heard of much of it before. I wondered why there wasn’t more public information on these powerful tactics, techniques, and procedures. Now that I have a bit better of a grasp on red teaming, I think I might know why. One of the big differentiators…

Domain Trusts: Why You Should Care

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Get-NetForestDomains  ->  Get-NetForestDomain Get-NetDomainTrusts  ->  Get-NetDomainTrust Get-NetForestTrusts  ->  Get-NetForestTrust Invoke-MapDomainTrusts  ->  Invoke-MapDomainTrust Invoke-FindUserTrustGroups  ->  Find-ForeignUser Get-NetDomainControllers  ->  Get-NetDomainController Red teams have been abusing Windows domain trusts for years with great success, but the topic is still underrepresented in public infosec discussions. While the community has started to talk more about Active Directory exploitation (see Carlos Perez’s talk at Derbycon ’14) I haven’t seen a huge amount of information discussing domain trusts from an offensive perspective. I have to admit, this topic was pretty murky for me…

“I Hunt Sys Admins”

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Get-NetGroups  ->  Get-NetGroup Get-UserProperties  ->  Get-UserProperty Invoke-UserFieldSearch  ->  Find-UserField Get-NetSessions  ->  Get-NetSession Invoke-StealthUserHunter  ->  Invoke-UserHunter -Stealth Invoke-UserProcessHunter  ->  Invoke-ProcessHunter -Username X Get-NetProcesses  ->  Get-NetProcess Get-UserLogonEvents  ->  Get-UserEvent Invoke-UserEventHunter  ->  Invoke-EventHunter [Note] This post is a companion to the Shmoocon ’15 Firetalks presentation I gave, also appropriately titled “I Hunt Sys Admins”. The slides are here and the video is up on Irongeek. Big thanks to Adrian, @grecs and all the other organizers, volunteers, and sponsors for putting on a cool event! [Edit] I gave an expanded version of…

Mining a Domain’s Worth of Data With PowerShell

On a red team engagement, our goal usually isn’t access, it’s data. While getting domain admin on a test is a great feeling, what actually matters to us is identifying what a customer is trying to protect and then targeting those crown jewels. Access is obviously a necessary component, but data mining is just as important. Some of my previous posts have covered using PowerShell to quickly search for files of interest. These techniques were later incorporated into PowerView and have proved useful on many of our engagements. Being able to get a CSV of interesting files (all sortable by creation/access date) has really…

Dumping a Domain’s Worth of Passwords With Mimikatz pt. 2

A year ago, @mubix published a cool post on http://carnal0wnage.attackresearch.com/ about “Dumping a domain’s worth of passwords with mimikatz“. In the article, he talked about using a combination of PowerShell, file shares, .bat scripts and output files in order to run Mimikatz across a large number of machines in an enterprise using just WMI. A few months ago, @obscuresec posted a great article on using PowerShell as a quick and dirty web server. I started thinking about how to incorporate Chris’ work with Rob’s approach to simplify the attack flow a bit. The result is Invoke-MassMimikatz, a PowerShell script that utilizes @clymb3r’s…

Targeted Trojanation

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Invoke-CopyFile  ->  Copy-ClonedFile Additionally, the -ExcludeIPC and -ExcludePrint flags for Invoke-ShareFinder are no longer needed So you’re on an engagement and everything seems pretty locked down. Group Policy Preferences doesn’t have any deployment passwords left lying around, you’re not a local administrator on the machine, and PowerUp can’t find any common escalation vectors. You even try to see where else your current user token might have local administrator rights but nothing pops. How can you go about spreading laterally? One method, related to mining file shares for…

The Case of a Stubborn ntds.dit

The awesomesauce of the Kerberos Golden Ticket (based on the spoofed-PAC whitepaper from BlackHat 2012) has started to change how I operate on my engagements, especially during repeat assessments done for the same customer. I’m now maniacally intent on getting the krbtgt hashes for as many domains as I can in the target network. Most often, I’ll try to do some trust enumeration and then target the forest root if I can realistically reach it. Once I get to a DC, I try not to use Meterpreter’s smart_hashdump if I can help it. There is a particular defensive product that has given us heartburn…

PowerShell and Win32 API Access

Several functions in PowerView are dependent on the lower-level Windows API. Specifically, Get-NetSession utilizes the NetSessionEnum call, Get-NetShare utilizes the NetShareEnum call, Get-NetLoggedOn utilizes the NetWkstaUserEnum call, and Invoke-CheckLocalAdminAccess utilizes the OpenSCManager call. PowerView has gone through a few iterations of how to access this lower-level functionality. It started with using Add-Type to embed inline C# to compile all functionality in memory. This is what most PowerShell WinAPI examples utilize, as it’s the ‘easiest’ method. There are a few downsides though: although this compiles the C# code in memory, some temporary files do touch disk. Also, we ran into a scenario where the particular csc.exe instance used to compile the code…

Derbycon + PowerShell Weaponization

Derbycon Wrapup This past Friday, my boss (@davidpmcguire) and I had the awesome experience of speaking at Derbycon 4.0. Our talk was titled “Passing the Torch: Old School Red Teaming, New School Tactics?“. The slides have been uploaded here and the video was recorded and posted here by the much appreciated @irongeek_adc. In the talk we covered our interpretation of red team operations, and went over five tactical areas applicable to red team engagements. In each section, we covered the background on the tradecraft, went over the ‘old school’ way of achieving a specific goal, and then showed the ‘new school’ implementations of the same tactics.…

Trusts You Might Have Missed

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Get-NetForestTrusts  ->  Get-NetForestTrusts Get-NetForestDomains  ->  Get-NetForestDomain Get-NetDomainTrust  ->  Get-NetDomainTrust How often do you investigate trust relationships between Windows domains during a penetration test? You may have domain admin or other privileged access on your target and not even know it. Abusing active directory trust relationships is an effective tactic to expand access both during penetration tests and red team engagements. In this post, I’ll offer some background on domain trusts, how to enumerate and abuse them, and describe how PowerView‘s features can help you…