PowerShell PSRemoting Pwnage

Scenario

You have obtained some level of admin creds, (local, domain or otherwise) to a windows server/domain, there is no RDP. There is however the WinRM service, PSRemoting to give it its other name, this allows an admin to create a remote PowerShell session to the server and run commands or scripts, very much like the ssh service used on Linux systems.
The admin level creds you have will allow you to connect to the remote server(s) via PSRemoting, and you will want to run hacker PowerShell tools in the remote session to further infiltrate the server or systems, however, given the lack of RDP and the locked down state of the network and services, you may struggle to get the likes of PowerSploit onto the remote system.

So for instance we might want to run Invoke-Mimikatz on the remote server to extract clear text credentials stored on the server. Lets explore PSRemoting in a liitle more depth.

Continue reading

Easily Find Domain Controllers – More Active Directory Kung-Fu

Following on from the previous Active Directory Kung-Fu post, I thought I would add a few more things that could be useful on a Pentest.

The tools used are not installed on a standard XP build and will have to be downloaded from Microsoft and installed.

First off get the 2 new tools, AdminPack and Group Policy Management.

http://www.microsoft.com/en-us/download/details.aspx?id=16770 – Admin Pack for XP

http://www.microsoft.com/en-us/download/details.aspx?id=21895 – Group Policy Management for XP

Extract and install the Admin Pack and install gpmc.msi

Once these 2 tools are installed you will find that there are new gui tools.

Continue reading

Active Directory KungFu – Messing With Users & Computers

Recently on an internal Pentest, I needed to get a new user into the Domain Admins group, which I couldn’t manage to accomplish with the usual net localgroup group username /add /domain command, I had managed to add a user to the domain – daveisahacker – using net user daveisahacker Password123 /add /domain.

I really need to get a user into Domain Admin, and as I had a token impersonation of domain admin, but couldn’t sign on to a DC because I had no password.

So I thinks what about the Directory services commands – DSQUERY, DSMOD, and all of the other DS commands, I might be able to add a user to the Domain Admins group that way.

DSQUERY Command @ Technet

http://technet.microsoft.com/en-us/library/cc732952(WS.10).aspx

DSMOD Command @ Technet

http://technet.microsoft.com/en-us/library/cc732406(WS.10).aspx

So, OK lets have a look at these command and what to do with them.

Continue reading