- This room contains a Domain Controller, a Windows Server with Active Directory.
- Initial enumeration is performed with a linux version of enum.exe, enum4linux, gathering the NetBIOS name, and AD domain.
- Kerbrute tool can perform a dictionary attack against the DC to enumerate valid usernames, provided a usernames list.
- Impacket’s GetNPUsers.py script attacks Kerberos authentication with a method called ASREPRoasting, provided a list of valid usernames from the previous step. This tool will display the user’s Kerberos hashes, which may be cracked with Hashcat.
- With user credentials, an attempt can be made to enumerate any shares the DC is giving out with smbclient utility.
- A text file with encoded user credentials is found on the share and may be used to escalate privileges.
- The credentials belong to a ‘backup’ user, who has DCSync rights; this allows all Active Directory changes to be synced with this user account, including password hashes.
- Impacket’s secretsdump.py can be used to dump all the hashes on the DC, provided the backup user’s credentials.
- The domain admin’s NTL hash is printed, and can be used in a pass-the-hash attack with evil-winrm to get a semi-interactive escalated shell. With domain admin access, all the user flags can be found.
Use Rustscan to quickly perform a port scan and then pass those open ports to Nmap, executing default scripts.
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2021-03-03 02:39:23Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| DNS_Tree_Name: spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2021-03-03T02:40:20+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Issuer: commonName=AttacktiveDirectory.spookysec.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-03-02T00:37:08
| Not valid after: 2021-09-01T00:37:08
| MD5: 9402 876f 964b 12ab d76f 5c4e ea0a e71b
| SHA-1: c4e4 f4fc 0fd3 8290 5e41 aabb 1fd2 b005 12ea c9e4
| -----BEGIN CERTIFICATE-----
|_ssl-date: 2021-03-03T02:40:31+00:00; +3s from scanner time.
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open msrpc syn-ack Microsoft Windows RPC
49672/tcp open msrpc syn-ack Microsoft Windows RPC
49675/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc syn-ack Microsoft Windows RPC
49680/tcp open msrpc syn-ack Microsoft Windows RPC
49685/tcp open msrpc syn-ack Microsoft Windows RPC
49698/tcp open msrpc syn-ack Microsoft Windows RPC
49840/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 2s
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_ Message signing enabled and required
| date: 2021-03-03T02:40:25
|_ start_date: N/A
Flags for each user account are available for submission. You can retrieve the flags for user accounts via RDP (Note: the login format is spookysec.local/User at the Window’s login prompt) and Administrator via Evil-WinRM.
Basic enumeration tactics will yield a number of ports open. Using a popular enumeration tool that’s built on Linux 4 Windows will reveal some information, not a lot to work with however.
What tool will allow us to enumerate port 139/445?
What is the NetBIOS-Domain Name of the machine?
What invalid TLD do people commonly use for their Active Directory Domain?
A whole host of other services are running, including Kerberos. Kerberos is a key authentication service within Active Directory. With this port open, we can use a tool called Kerbrute (by Ronnie Flathers @ropnop) to brute force discovery of users, passwords and even password spray!
For this box, a modified User List and Password List will be used to cut down on time of enumeration of users and password hash cracking. It is NOT recommended to brute force credentials due to account lockout policies that we cannot enumerate on the domain controller.
What command within Kerbrute will allow us to enumerate valid usernames?
What notable account is discovered? (These should jump out at you)
- In order for kerbrute to work, add spookysec.local to /etc/hosts
What is the other notable account is discovered? (These should jump out at you)
After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASReproasting occurs when a user account has the privilege “Does not require Pre-Authentication” set. This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account.
Impacket has a tool called “GetNPUsers.py” (located in Impacket/Examples/GetNPUsers.py) that will allow us to query ASReproastable accounts from the Key Distribution Center. The only thing that’s necessary to query accounts is a valid set of usernames which we enumerated previously via Kerbrute.
Instead of manually extracting the usernames, they can be piped to the cut command and parsed by separating each line by the space ” ” character and selecting the 8th field:
With this list of usernames saved to a file, they can be queried with GetNPUsers.py:
Hashcat’s example hashes page helps identify the type of hash returned, and the associated hashcat mode needed to crack the hash.
hashcat -m 18200 <hash_file> <rockyou.txt>
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
Kerberos 5 AS-REP etype 23
What mode is the hash?
Now crack the hash with the modified password list provided, what is the user accounts password?
With a user’s account credentials we now have significantly more access within the domain. We can now attempt to enumerate any shares that the domain controller may be giving out.
Using what utility can we map remote SMB shares?
Which option will list shares?
How many remote shares is the server listing?
There is one particular share that we have access to that contains a text file. Which share is it?
What is the content of the file?
Decoding the contents of the file, what is the full contents?
Now that we have new user account credentials, we may have more privileges on the system than before. The username of the account “backup” gets us thinking. What is this the backup account to?
Well, it is the backup account for the Domain Controller. This account has a unique permission that allows all Active Directory changes to be synced with this user account. This includes password hashes
Knowing this, we can use another tool within Impacket called “secretsdump.py”. This will allow us to retrieve all of the password hashes that this user account (that is synced with the domain controller) has to offer. Exploiting this, we will effectively have full control over the AD Domain.
What method allowed us to dump NTDS.DIT?
What is the Administrators NTLM hash?
- This just wants the last half of the colon (:) delimited hash (NT)
What method of attack could allow us to authenticate as the user without the password?
pass the hash
Using a tool called Evil-WinRM what option will allow us to use a hash?
Submit the flags for each user account. They can be located on each user’s desktop.