Vulnerable Active Directory Scripts (Part 2)

 





Constrained Delegation

This is used to set up authentication delegation for one of the accounts and establish new user accounts in AD.

The following three lines add new AD user accounts. To create new user accounts, use the New-ADUser cmdlet and supply the required parameters, like the account's name, path, and password. The parameters -Name, -Path, and -AccountPassword indicate the user's name, account password, and location in the AD hierarchy, respectively. The ConvertTo-SecureString cmdlet transforms the supplied plaintext password into a secure string.

The script's final line enables user 1 to assign authentication to user 2. The Set-ADUser cmdlet is used to change an AD user's attributes in order to do this. The users or groups that are permitted to delegate to this account are specified using the -PrincipalsAllowedToDelegateToAccount argument. Any user can delegate to this account by using the wildcard (*) character.

GPO Abuse

This script is used in a Windows environment to handle Group Policy Objects. The Group Policy Management Console (GPMC) feature, a collection of tools that let administrators administer GPOs, is installed by the script's first line.

This script modifies the wallpaper's style and other associated parameters in addition to changing the computer's background image to a specified picture.

Kerberoasting

Using this script, a user account in AD can be made "kerberoastable." An attacker can use the attack method known as "kerberoasting" to obtain service tickets for a service account and then decipher the password for the account offline.

By providing the account name to the $user variable, the script defines the user account that has to be made "kerberoastable." The user object is then retrieved from AD using the Get-ADUser cmdlet and assigned to the $userObject variable.

Lastly, the script uses a foreach loop to run over the list of SPNs defined in the $spns variable in order to add a list of SPNs to the user account. The script adds each SPN to the user's ServicePrincipalName property by using the Set-ADUser cmdlet with the -Add argument. Because it enables the attacker to submit service requests for the service account linked to the SPN, this is essential to the Kerberoasting attack.

NTLM Relay

This script is used to set up a Windows computer as a scheduled process that connects to a server called "son.goku" and creates a new PowerShell drive named "Public" by executing a PowerShell command. Additionally, the script specifies that the task will run every five minutes.

The script begins by establishing a number of variables that define the account, task, and scheduling details:

  1. $task contains the PowerShell command to create new PowerShell drive.
  2. $repeatInterval defines the time interval for the task to repeat, every 5 minutes in this case.
  3. $taskName is the name of the scheduled task.
  4. $user and $password define the user account and its password that the task will run under.

The script also checks if a task with the same name exists and unregisters if it does. Lastly, the script uses the Register-ScheduledTask cmdlet to register the task, providing the task name, action, trigger, user, password, and settings. 

Note- This script uses NTLM authentication to connect to the network share.

Conclusion

This part talks about more Vulnerable Active Directory Scripts.









































Comments

  1. Securing an AWS certification validates advanced cloud skills, crucial for career growth in today's tech-driven industries and competitive job market.
    From:
    Regards AWS Certification

    ReplyDelete

Post a Comment

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)