Attack Active Directory
On this machine we compromised an Active Directory domain.
AD Enumeration:
Nmap:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-08-30 16:59:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49665/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
Domain:
- vulnnet-rst.local
SmbClient:
During SMB enumeration we list all the shares, then inspect their files one by one.
- SMB: VulnNet-Enterprise-Anonymous
- SMB: VulnNet-Business-Anonymous
We analyze the names found in those files to build a custom wordlist, which we then use to enumerate possible users in the AD.
Dictionary:
Kerbrute:
We brute force the domain with the wordlist created earlier to find out which users are valid.
Impacket-lookupsid:
Extract valid users from the system.
Impacket-GetNPUsers:
With a list of valid users we can perform the AS-REP roast attack.
GetNPUsers attempts to collect AS-REP responses for the given list of usernames from accounts that do not require pre-authentication. These responses are encrypted with a key derived from the user's password, so they can be cracked offline.
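The defender-side view of the attack above, as an added example that is not part of the original writeup: the first check lists accounts whose userAccountControl has the DONT_REQ_PREAUTH bit (0x400000) set, which is exactly what makes them roastable; the second scans Security event 4768 bodies for the roasting signature (a successful TGT request with Pre-Authentication Type 0 and an RC4, 0x17, ticket) and groups hits by requesting client. The account export and the event bodies are constructed samples; only t-skid and the domain name come from the page.

```python
"""Added defender-side checks for AS-REP roasting (not from the writeup).
The account records and the 4768 event bodies are constructed sample data
laid out like the Windows Security log."""
import re

# userAccountControl bit for "Do not require Kerberos preauthentication"
UF_DONT_REQUIRE_PREAUTH = 0x400000
# Ticket Encryption Type 0x17 is RC4-HMAC, the etype that is cheap to crack offline
RC4_HMAC = 0x17

# Constructed directory export; names other than t-skid are made up
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "t-skid",     "userAccountControl": 0x410200},  # normal, pre-auth disabled
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x400200},  # pre-auth disabled
    {"sAMAccountName": "jdoe",       "userAccountControl": 0x10200},   # normal account
    {"sAMAccountName": "krbtgt",     "userAccountControl": 0x202},     # disabled account
]

# Constructed 4768 bodies ("A Kerberos authentication ticket (TGT) was requested")
SAMPLE_4768 = [
    "Account Name:\t\tt-skid\nSupplied Realm Name:\tVULNNET-RST.LOCAL\n"
    "Client Address:\t\t::ffff:10.10.14.5\nTicket Encryption Type:\t0x17\n"
    "Pre-Authentication Type:\t0\nResult Code:\t\t0x0",
    "Account Name:\t\tjdoe\nSupplied Realm Name:\tVULNNET-RST.LOCAL\n"
    "Client Address:\t\t::ffff:10.10.20.31\nTicket Encryption Type:\t0x12\n"
    "Pre-Authentication Type:\t2\nResult Code:\t\t0x0",
    "Account Name:\t\tsvc-backup\nSupplied Realm Name:\tVULNNET-RST.LOCAL\n"
    "Client Address:\t\t::ffff:10.10.14.5\nTicket Encryption Type:\t0x17\n"
    "Pre-Authentication Type:\t0\nResult Code:\t\t0x0",
]

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z \-]*):\s*(.*?)\s*$", re.M)


def roastable_accounts(accounts):
    """Check 1: accounts with DONT_REQ_PREAUTH set can be roasted by any domain user."""
    return [a["sAMAccountName"] for a in accounts
            if a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH]


def parse_event(body):
    """Turn the 'Field:<tabs>value' lines of an event body into a dict."""
    return {m.group(1).strip(): m.group(2) for m in FIELD_RE.finditer(body)}


def is_asrep_roast_request(fields):
    """Check 2: successful TGT request, no pre-auth (type 0), RC4 ticket (0x17)."""
    try:
        preauth = int(fields.get("Pre-Authentication Type", "-1"))
        etype = int(fields.get("Ticket Encryption Type", "0x0"), 16)
    except ValueError:
        return False
    return preauth == 0 and etype == RC4_HMAC and fields.get("Result Code") == "0x0"


def suspicious_asrep_requests(event_bodies):
    """(account, client address) for every 4768 body matching the signature."""
    hits = []
    for body in event_bodies:
        f = parse_event(body)
        if is_asrep_roast_request(f):
            hits.append((f.get("Account Name"), f.get("Client Address")))
    return hits


def clients_roasting_multiple_accounts(hits):
    """One client pulling AS-REPs for several pre-auth-disabled accounts is a
    stronger signal than a single event; map client -> sorted account list."""
    per_client = {}
    for account, client in hits:
        per_client.setdefault(client, set()).add(account)
    return {c: sorted(a) for c, a in per_client.items() if len(a) > 1}


if __name__ == "__main__":
    print("roastable accounts:", roastable_accounts(SAMPLE_ACCOUNTS))
    hits = suspicious_asrep_requests(SAMPLE_4768)
    print("roasting requests:", hits)
    print("clients hitting several accounts:", clients_roasting_multiple_accounts(hits))
```

The remediation that follows from the first check is to clear the flag on every account it lists (or, where a legacy application really needs it, to move the account to AES-only keys and a long random password); the second check is what to put in front of the 4768 stream on the domain controllers.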
John The Ripper:
Crack the hash to obtain the user's password.
- User: t-skid
- Password: tj072889*
Crackmapexec:
This tool is used to collect information about the Active Directory environment.
- Crackmapexec module spider_plus: recursively lists the files that the specified user has access to.
It writes its results under /tmp. Inspecting them, we find an interesting path.
Smbclient NETLOGON:
We enter the NETLOGON share and download the file to analyze it later.
Password User: in the script we find a password for a user.
Once we have that user's password, we check which hashes we can dump so that we can use them with the pass-the-hash technique.
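The plaintext credential in the NETLOGON script is the kind of thing a defender should find before an attacker does. The following added example, not part of the original writeup, walks a share directory and reports lines that embed a password in the common logon-script forms (a `net use ... /user:` with an inline password, a `password=`/`pwd=` assignment, or a PowerShell `ConvertTo-SecureString "..." -AsPlainText`), redacting the captured value in the report. The share contents it scans are constructed samples written to a temporary directory; the patterns are a starting set, not an exhaustive one.

```python
"""Added example: scan logon scripts (NETLOGON/SYSVOL style shares) for embedded
credentials.  Not part of the original writeup; the share layout and script
contents built below are constructed samples."""
import os
import re
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".bat", ".cmd", ".vbs", ".ps1", ".kix", ".txt"}

# Each pattern captures the secret in group 1 so the report can redact it.
PATTERNS = [
    ("net use with inline password",
     # '/user:DOMAIN\name <password>'; '*' (prompt) and '/switches' are not passwords
     re.compile(r"\bnet\s+use\b.*?/user:\S+\s+(?![/*])(\S+)", re.I)),
    ("password assignment",
     # password=..., pwd: "...", but not a reference to a $variable
     re.compile(r"\b(?:pass(?:word)?|pwd)\s*[:=]\s*['\"]?(?!\$)([^'\"\s]+)", re.I)),
    ("PowerShell plaintext secure string",
     re.compile(r"ConvertTo-SecureString\s+['\"]([^'\"]+)['\"]\s+-AsPlainText", re.I)),
]


def redact(secret):
    """Keep two characters so the owner can recognise the value, hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 3)


def find_credentials(path, text):
    """Return one finding per (line, pattern) match in a script body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append({"file": str(path), "line": lineno,
                                 "kind": kind, "secret": redact(m.group(1))})
    return findings


def scan_share(root):
    """Walk a mounted/copied share and scan every script-like file."""
    root = Path(root)
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SCRIPT_SUFFIXES:
                continue
            text = p.read_text(encoding="utf-8", errors="replace")
            findings.extend(find_credentials(p.relative_to(root), text))
    return findings


def build_sample_share():
    """Constructed sample share: one bad .bat, one bad .ps1, one harmless .txt."""
    root = Path(tempfile.mkdtemp(prefix="netlogon-sample-"))
    (root / "logon.bat").write_text(
        "@echo off\r\n"
        "net use H: \\\\fileserver\\home /persistent:no\r\n"
        "net use S: \\\\fileserver\\shared /user:CORP\\svc-backup Sample-P@ss1\r\n")
    (root / "mapdrives.ps1").write_text(
        "$cred = Get-Credential\n"
        '$secure = ConvertTo-SecureString "Sample-P@ss2" -AsPlainText -Force\n')
    (root / "readme.txt").write_text("Contact the helpdesk to reset your password.\n")
    return root


if __name__ == "__main__":
    for hit in scan_share(build_sample_share()):
        print(f"{hit['file']}:{hit['line']}  {hit['kind']}  value={hit['secret']}")
```

Run it against a copy of the SYSVOL and NETLOGON shares (any domain user can read them, so the scan needs no privilege); every hit is a credential that should be rotated and moved out of the script, for example into a scheduled-task or group-managed service account.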
Exploitation:
Pass the hash
This lets us access the server without having to provide a password.
The Administrator's NTLM hash lets us log in remotely to that account without knowing the password. For this we use psexec:
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d Administrator@10.10.204.28
We are now domain admin.