Exploit Active Directory Using PowerShell Remoting (PART-1)


We have always used Secure Shell (SSH) for remote administration in a Linux environment. We have also used PuTTY (a free SSH and Telnet client for Windows), but have we ever looked at the remote management utility built into Windows? Most probably, the answer would be NO!

Why PowerShell Remoting?

As the name suggests, PowerShell Remoting means we can run remote commands on, or open a full PowerShell session to, a trusted Windows system using PowerShell alone. It compares directly with the SSH utility in a Linux environment.

It is very useful for remote administration of a system, but in this blog we will look at the following topics:

  1. PowerShell Remoting Basics.
  2. Executing commands in Remote system.
  3. Redirecting the remote PowerShell session to a variable (Pretty Cool, huh?).
  4. Bypassing Real-Time Security Control in the Windows environment (not a daydream :p).

Note: The environment is fully patched against exploits, as we are trying to mimic a real-world scenario.

Let’s dive into Part 1 which is PowerShell Remoting basics.

Let us understand the environment: we have a Windows Server 2016 box, which is the Domain Controller for the domain hacknpentest.local. A Windows 10 x64 machine is part of the domain, and flop is a domain user currently logged in to this box (Domain Computer).

Note: All the information provided on this site is for educational purposes only. The site and the authors of the website are in no way responsible for any misuse of the information.

Network Architecture:

Figure: Network architecture

The Domain user hacknpentest\flop will be able to PowerShell remote to the Domain Controller after the setup. We will be using the domain user as the initial point to move forward in the network.
 
PowerShell is built into most Windows boxes and is the utility that receives the least attention, so we will use PowerShell for every task. Windows PowerShell includes an interactive prompt and a scripting environment, which can be used independently or in combination.

So let’s get started with getting familiar with the environment.

Domain Name: hacknpentest.local

Windows System        Hotfixes Installed
Windows Server 2016   [01]: KB3192137
                      [02]: KB3211320
                      [03]: KB3213986
Windows 10 x64        [01]: KB3176936
                      [02]: KB3188128
                      [03]: KB4033631
                      [04]: KB4049411
                      [05]: KB4103729
                      [06]: KB4485447
                      [07]: KB3193494

Table 1: Hotfixes

Windows Server 2016 (Domain Controller)
  IP Address:     192.168.245.144
  Domain Name:    hacknpentest.local
  Computer Name:  WIN-RARNBU1BGS2
  OS Information: Microsoft Windows Server 2016 Standard Evaluation
  OS Version:     10.0.14393 N/A Build 14393

Windows 10 x64 (Domain Computer)
  IP Address:     192.168.245.145
  Domain Name:    hacknpentest.local
  Computer Name:  DomainComputer
  OS Information: Microsoft Windows 10 Enterprise 2016 LTSB
  OS Version:     10.0.14393 N/A Build 14393

Table 2: Domain and System Information

 

PowerShell Remoting Basics

To communicate remotely with the box, we need to start WinRM, the Windows Remote Management service. By default it listens on TCP port 5985 for HTTP and TCP port 5986 for HTTPS, and it uses Simple Object Access Protocol (SOAP) messages to communicate with remote computers and servers.

Figure: Remoting Basics in Windows Environment

 

We can understand this by breaking it into smaller parts.

  1. The client is assumed to be at the bottom; this end user initiates the remote activities.
  2. The WS-Man (Web Services for Management) protocol carries the communication from the client end. With default settings it runs over HTTP (which can be changed to HTTPS).
  3. The remote computer (or server) runs the WinRM service, which listens on port 5985. Once the WinRM service is started, all traffic from the client end is directed to the WinRM service.
  4. The traffic could be anything, for example running PowerShell or performing a WMI query.

Note: The following commands need to be run with administrator privileges.

Enabling PowerShell Remoting:

The command below starts the WinRM service on the local computer and adds a firewall exception so that remote connections to the service are allowed.

Figure: Run on both computers

Adding Remote Computer as Trusted Host:

To be able to PS Remote to a computer, we need to add it as a trusted host. We will add the computer WIN-RARNBU1BGS2 as a trusted host on DomainComputer using the following command.

We need to accept the warning with YES (Y).

Computers added to TrustedHosts will be able to communicate via PS Remoting.

With all of the above settings in place, we just need to allow the flop domain user to use PS Remoting via the following configuration.

A new dialog for PS Remoting permission configuration will be displayed. We add the hacknpentest\flop user to it and specify the permissions for the user.

Figure: Specifying user permissions

Now, we are all set to PS Remote to the WIN-RARNBU1BGS2 Domain Controller. Let’s begin the awesome work!!
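The setup steps above, written out as an added example (these are not the blog's own screenshots). Hostnames and the user come from Table 2 and the text; run everything from an elevated prompt, steps 1 and 2 on both machines, step 3 on DomainComputer and step 4 on the Domain Controller.

```powershell
# Added example, not the original post's code. Names taken from Table 2.

# 1. Enable remoting: starts WinRM (automatic start), creates the HTTP
#    listener on TCP 5985 and adds the "Windows Remote Management" firewall
#    rule. Run on both the Domain Controller and DomainComputer.
Enable-PSRemoting -Force

# 2. Verify rather than trust the output: service state, listener, firewall.
Get-Service WinRM | Select-Object Status, StartType
winrm enumerate winrm/config/listener
Get-NetFirewallRule -DisplayName 'Windows Remote Management*' |
    Select-Object DisplayName, Enabled, Profile, Direction

# 3. Client side (DomainComputer): trust the DC by name. TrustedHosts only
#    matters when Kerberos cannot be used (IP addresses, workgroup hosts,
#    NTLM); inside a domain, connecting by hostname authenticates with
#    Kerberos and needs no entry at all. Never set it to '*', which lets the
#    client hand credentials to any host that answers. Answer Y at the prompt.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'WIN-RARNBU1BGS2' -Concatenate
Get-Item WSMan:\localhost\Client\TrustedHosts          # confirm the list
Test-WSMan -ComputerName WIN-RARNBU1BGS2               # WinRM reachable on 5985?

# 4. Server side (WIN-RARNBU1BGS2): grant hacknpentest\flop access to the
#    default endpoint. -ShowSecurityDescriptorUI opens the permissions dialog
#    from the figure above; give the user Read and Execute (Invoke) only.
Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI -Force

#    Scripted alternative: the built-in "Remote Management Users" group is
#    already in the endpoint ACL, so adding the user there avoids editing it.
Add-ADGroupMember -Identity 'Remote Management Users' -Members 'flop'

# Review the resulting ACL; this is what a defender audits on a DC.
Get-PSSessionConfiguration -Name Microsoft.PowerShell | Select-Object Name, Permission
```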

Running Remote commands:

We will use the Invoke-Command cmdlet to run commands on remote computers.

Note: Run the following commands as the hacknpentest\flop user.

1. Listing whoami

Let’s run our first command to have a look at the current user.

ScriptBlock = Command to execute in the remote system.

ComputerName = The remote computer name.

Verbose = For detailed output.

2. Listing the currently logged-on users

We can list the currently logged-on users on our remote computer as follows:

 

Currently, the administrator is logged in on WIN-RARNBU1BGS2.

3. Enumeration through Microsoft’s AD Module (Jackpot!):

In some rare cases, if the AD module is loaded by default on the target server, we can seamlessly enumerate the domain from the remote computer. (You can read more about the ActiveDirectory module here.) The AD module is a Microsoft-signed, trusted module which can be used extensively for enumeration.

We can see that the AD module is added by default on the remote computer.

Figure: Listing all loaded modules

From our attacker computer, we run the following command to gather information about the domain.

Figure: Enumerating the Domain Controller

Stealing the SID of the krbtgt account (like a BOSS!)

Figure: Enumerating the krbtgt account

Listing group members:

Listing the group members of “Domain Admins”.


Figure: Enumerating group members

Listing the group members of “Remote Desktop Users”.


We have seen that we can enumerate a lot about the domain, but the following command will help us move laterally in the Active Directory environment, as it lists all the computers in the domain.

Listing all the computers in the domain will surely provide a wider view of the network architecture.
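The remote commands from the "Running Remote commands" and "Enumeration through Microsoft's AD Module" sections, reconstructed as one added example (not the blog's screenshots). It assumes the remoting setup above is done and is run as hacknpentest\flop on DomainComputer; the DC name comes from Table 2.

```powershell
# Added example, not the original post's code. Run as hacknpentest\flop.
$dc = 'WIN-RARNBU1BGS2'   # Domain Controller from Table 2

# 1. whoami on the DC. -ScriptBlock runs remotely, -ComputerName selects the
#    target, -Verbose prints progress. Results return as deserialized objects.
Invoke-Command -ComputerName $dc -ScriptBlock { whoami } -Verbose

# 2. Currently logged-on users (quser is the "query user" tool).
Invoke-Command -ComputerName $dc -ScriptBlock { quser }

# 3. Is the ActiveDirectory module present on the DC? (It ships with the
#    AD DS role, which is why the figure above shows it already available.)
$hasAd = Invoke-Command -ComputerName $dc -ScriptBlock {
    [bool](Get-Module -ListAvailable -Name ActiveDirectory)
}

if ($hasAd) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        Import-Module ActiveDirectory

        # Domain overview (name, DNS root, domain SID, PDC emulator)
        Get-ADDomain | Select-Object Name, DNSRoot, DomainSID, PDCEmulator

        # Group membership: the two groups walked through in the text
        Get-ADGroupMember -Identity 'Domain Admins' |
            Select-Object Name, SamAccountName, objectClass
        Get-ADGroupMember -Identity 'Remote Desktop Users' |
            Select-Object Name, SamAccountName, objectClass

        # Every computer object, the "wider view" of the network
        Get-ADComputer -Filter * -Properties OperatingSystem |
            Select-Object Name, DNSHostName, OperatingSystem
    }
}

# Defender's view: each Invoke-Command above is a network logon on the DC
# (Security 4624, logon type 3, from 192.168.245.145) plus session events in
# Microsoft-Windows-WinRM/Operational; with script block logging enabled the
# ScriptBlock text lands in Microsoft-Windows-PowerShell/Operational 4104.
# A workstation account reading "Domain Admins" membership over WinRM is a
# high-value detection signal.
```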

 

We can enumerate a lot about the domain users, domain computers and Group Policies in the Active Directory environment. We have learned the following:

  • About PowerShell Remoting.
  • The configuration of PowerShell Remoting in an Active Directory environment.
  • Enumerating the domain using a PowerShell session.
  • Enumerating the domain using the Microsoft-signed, trusted Active Directory module.

In our next blog, we will play with PowerShell sessions and focus upon bypassing security controls. Till then hacknpentest!!


7 Responses

  1. Dheerendra chourasiya says:

    Good work yash bro

  2. Chinmay Malviya says:

    Amazing
    Keep the hard work up

  3. Victor says:

    Great work Yash!
