💾
👁️
infosec stuff
infosec stuffwriteups
infosec stuff
infosec stuffwriteups
  • infosec stuff
  • Archive
    • Kerberos
  • Cheatsheet
    • Mimikatz
    • Rubeus
  • Initial Access
    • Passwords
    • Payloads
    • Recon-AssetDiscovery
  • Linux
    • Linux Enumeration
    • Command Cheatsheet
      • TAR
    • Privilege Escalation
      • Cron Jobs
      • Kernel Exploit
      • SUID
      • Sudo
      • Weak File Permission
  • Physical
    • Basics
  • Tools
    • Impacket
    • Msfvenom
    • psexec
  • Uncategorized
    • Alternate Data Stream
    • Check applocker rules/policy
    • UACme
    • Data Exfilteration
    • Port Forwarding
    • WebDAV Exploitation
    • WinRM
    • winexe
  • Windows
    • Windows Enumeration
    • Commands
      • net
      • reg
      • sc
    • Evasion
      • Query Installed Antivirus
    • Local Privilege Escalation
      • Automated Tools
      • Enterprise Application
      • Insecure GUI Apps
      • Kernel Exploitation
      • Passwords
      • Potato
      • Registry Exploits
      • Scheduled Tasks
      • Service Exploits
      • Startup Apps
      • Vulnerable Software
      • Windows Privileges
    • Persistence
      • Adding Privileged Users
      • Backdoor Files
      • Existing Services
      • Login Screen (RDP)
      • Logon Triggered
      • Scheduled Tasks
      • Services
    • Powershell
      • Cheatsheet
      • Detections & Bypass
    • System Programming
      • Fundamentals
    • Windows Internals
      • Process & Jobs
        • Fundamentals
        • Process Internals
      • Security
        • Access Token
        • Elevation
        • Integrity Levels
        • Privilege
        • SID
        • Security Descriptor
        • User Account Control
      • System Architecture
        • Architecture Overview
        • Operating System Model
      • Uncategorized
        • DPAPI
        • LocalAccountTokenFilterPolicy
        • Privileges
        • SID
        • accesschk.exe
        • WMI
  • Active Directory
    • AD Concepts
      • Authentication
      • Authorization
      • Basics
      • Computers
      • Credentials
      • Database
      • Group Policy
      • Groups
      • Kerberos
      • Logon Types
      • NetNTLM
      • Services
      • Trusts
      • Users
    • Credential Dumping
      • Credential Manager
      • DC Sync
      • Domain Controller
      • LAPS
      • LSASS
      • Local Credentials
    • Domain Enumeration
      • CMD
      • Credential Injection
      • Defence
      • Management Console
      • Sharphound-BloodHound
      • Powershell
        • ACLs
        • Computers
        • Domain
        • Forest
        • GPOs
        • Groups
        • Organisational Unit
        • Shares and File Servers
        • Trusts
        • Powerview
        • Users
    • Exploitation
      • ACLs
    • Initial Foothold
      • ASREPRoast
      • Kerberos
    • Lateral Movement and Pivoting
      • Abusing User Behaviour
      • Kerberos
      • NTLM
      • PSEXEC
      • Remote Windows Service
      • Schedule Tasks
      • WMI-CIM
      • WimRM (PowerShell Remoting)
    • Persistence
      • ACLs
      • Custom SSP
      • DSRM
      • Diamond Ticket
      • Golden Certificates
      • Golden Tickets
      • SID History
      • Silver Tickets
      • Skeleton Key
    • Privilege Escalation
      • Constrained Delegation
      • DNSAdmins
      • Kerberoast
      • Unconstrained Delegation
    • Protocols
      • MSRPC
      • SMB
      • WinRM
Powered by GitBook
On this page
Edit on GitHub
  1. Active Directory
  2. Domain Enumeration

Credential Injection

"If you know the enemy and know yourself, you need not fear the results of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer defeat." - Sun Tzu, Art of War.

runas.exe

  • A command line tool to inject credentials into memory

  • Usefull when we have a valid domain credentials but no access to a domain joined machine.

  • As we are not domain joined, we need to specify the domain in the management console or powershell

runas /netonly /user:<domain>\<username> cmd.exe

  • /netonly: Loads crendetials for network authentication. Commands are executed locally but network authentication will be performed over the domain account context.

  • /user:<domain>\<username>: Username of the domain account we want to authenticate. It is recommended to use Fully quallyfied domain name instead of netbions name

  • cmd.exe: Command to execute.

  • The logon type used by runas is logon type 9, which is different from the normal logon. Only programs that requires remote authentication, will use the new injected credentials. Eg., using dir on a remote share, will use the injected credentials.

Credential Verification

The credentials are not verfied when we pass it to runas. To Verify the credentials, we cal try to list the SYSVOL directory.

The SYSVOL directory is a special directory that is available to all the domain users. It is required to push the GPOs to the Users or Computers.

PS C:\Windows\system32> dir \\za.tryhackme.com\SYSVOL

    Directory: \\za.tryhackme.com\SYSVOL             
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d----l         2/24/2022   1:57 PM                za.tryhackme.com

IP vs HOSTNAME

When we provide the hostname, network authentication will attempt first to perform Kerberos authentication. Since Kerberos authentication uses hostnames embedded in the tickets, if we provide the IP instead, we can force the authentication type to be NTLM.

In some instances, organisations will be monitoring for OverPass- and Pass-The-Hash Attacks. Forcing NTLM authentication is a good trick to have in the book to avoid detection in these cases.

Change DNS of Non-Domain machine via Powershell

$dnsip = "<DomainControllerIP>"
$index = Get-NetAdapter -Name '<Interface>' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip

Last updated 6 months ago