Best approach to Active Directory: 1

Anekant Singhai Jain
10 min read, Feb 20, 2024


I am penning down my methodology and experience for beginners who want to learn Active Directory attacks, as it remains a mysterious and confusing topic when it comes to what to cover and what to learn. Since the attack vectors are so many, we’ll cover as much as possible while still keeping it beginner friendly, don’t worry.

It is a long post, so keep notes alongside and make them frequently.

So before we start exploiting it, let’s first look at what Active Directory is:

Active Directory {The hero itself}

Imagine a bustling city where residents and buildings interact under a set of rules and organization. Active Directory (AD) for your computer network operates similarly, managing resources and access with a defined structure. Let’s explore this “digital city” and understand its workings!

Purpose and Role of Active Directory:

Think of AD as a central hub responsible for keeping track of all users, computers, printers, and other resources on your network. It stores information about them, organizes them logically, and controls access permissions. This ensures smooth operation, security, and efficient resource management for your network.

Main Components of Active Directory:

Imagine dividing your city into districts and neighborhoods. In AD, we have similar levels:

  1. Domains: Like districts, domains group related users and resources. Each domain has its own security boundary and administrator.
  2. Trees: Similar to a cluster of districts, trees group domains that share a common administrative structure and schema (rules for storing information).
  3. Forests: Imagine a city with multiple district clusters (trees). A forest combines multiple trees under a single root domain, sharing a similar structure and schema.
  4. Organizational Units (OUs): Think of them as neighborhoods within a district. OUs allow further granular organization based on department, location, or function within a domain.
  5. Objects: These are the individual residents and buildings of your network. Users, computers, printers, groups, and more are all considered objects in AD.

Hierarchy and Interaction:

The structure resembles a pyramid: Forests contain trees, trees contain domains, domains contain OUs, and OUs contain objects. Each level inherits settings and permissions from the one above, creating a well-defined chain of command.

Alright, that’s a lot of info to keep in mind, but since we are mature now we need to understand that to learn a great topic some effort must come from your side too. Leave the rest to me ;)

Exploitation Begins

Enumeration

I’ll take a different scenario every time to cover as much as possible. Now, we cannot take the opponent head-on; a system running AD also has these supporting services running, so look for them. Leveraging them can help us get into the target smoothly:

Kerberos and LDAP

Imagine a giant phonebook for your digital world, holding information about users, devices, and other resources. That’s what directory services do, and both LDAP and Kerberos play crucial roles in managing and securing this information. Let’s break down each concept:

LDAP (Lightweight Directory Access Protocol):

  • Think of it as: A simplified phonebook protocol for accessing and managing information in directories.
  • How it works: Imagine a client (software) asking a server (directory) for information like “Find John Doe’s email address.” The client and server communicate using LDAP “language” to understand each other.
  • Structure: Entries are like individual phonebook listings, containing attributes like email, phone number, etc. Distinguished names (DNs) uniquely identify entries like “John Doe, IT Department, Acme Corporation.”
  • Usages: Authentication (verifying user credentials), authorization (controlling access to resources), and information retrieval (finding user details).
  • Example: When you log in to your work computer, LDAP might be used to check your username and password against the directory entry for John Doe.

Kerberos Authentication Protocol:

  • Think of it as: A secure ticket system for network authentication.

Kerberos is named after Cerberus, the three-headed dog of Hades. Similarly, Kerberos also has three heads:

  • The user who wants to access a service
  • The Key Distribution Centre (KDC), which authenticates the user and issues the tickets that allow access to the service
  • The service provider itself

Flow:

Don’t worry if you don’t understand it just by looking at it; read on and follow along.
  • The user tries to access a service on the network.
  • The client on the user’s workstation contacts the Key Distribution Centre. The KDC has two parts:
    — The first one is the Authentication Service {AS}
    — The second one is the Ticket Granting Service {TGS}

Imagine you are John. You want to access service “S”, and when you approach the KDC, if the administrator of the system has “pre-authentication” enabled, then:

  • The AS is responsible for verifying the identity of users and ensuring they are who they claim to be.
  • Without the AS, there would be no centralized authentication mechanism in place, making it difficult or impossible to authenticate users reliably.

Now that the AS has verified you, you are authorized to request tickets from the TGS, which can then be used to access specific services. When you get such a ticket, you can access the resource with that account’s identity and privileges. {That ticket is also presented to the service provider so that it can cross-check it.}

Also remember that every running service, whether it runs as a privileged user or a normal one, has an SPN to identify itself:

SPN stands for Service Principal Name. It is a unique identifier for a service instance in a network environment using Kerberos authentication. An SPN is associated with a specific service offered by a server and represents the service’s location and the service account under which the service runs.

And sometimes we need to give the SPN to get a ticket for the service. {If you don’t understand this, just follow along and remember only what an SPN is; we’ll come back to it later.}

Now how to exploit this?

Scenario 1: Pre-auth disabled

When pre-auth is disabled, one can just supply a username registered in the system and get the AS-REP (which carries the TGT) back without any authentication, as the Authentication Service won’t ask for credentials. This is known as

AS-REP roasting. AS-REP meaning AS response.

Now, since the response can be written out in a hash format that hashcat can crack, we can get that user’s password and, with it, access to services.

So you are saying we only need a registered username and can get the hash? YESS, see how lethal it can be, just with the username.

Let’s look at the example of HTB : Sauna.

It has Kerberos running; port 88 is the default for Kerberos.

We get the usernames via enumeration of the webpage, and we generate a user list:

Now to check for AS-REP roasting we use a tool called Impacket. It’s a collection of tools used in various Active Directory attack scenarios.

The syntax for it is:

impacket-GetNPUsers AD-DOMAIN/ -dc-ip DC-IP -usersfile <LIST OF USERS> -o hash

Now how do we get this AD domain? We can get it via various scans from nmap, enum4linux-ng, etc. Remember to add the domain to the hosts file.

We start the attack:

impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/ -dc-ip 10.10.10.175 -usersfile users -o hash

And we get the hash for a user whose pre-auth isn’t enabled.

Poor FSmith

Look at the start of the hash: $krb5asrep$23$, which reveals it’s an AS-REP hash and has its own mode in hashcat. We can get the mode from it: look at the number $23$, and since it’s AS-REP, the mode is 18200.

Quite useful trick right?

Now we get the password for fsmith!!!

Scenario 2: Pre-auth enabled

Now in most scenarios we are not so fortunate as to find pre-auth disabled, so in that case we need credentials. But imagine we get our hands on some, yet we need more power!!! We can now request tickets for services run by more powerful accounts and leverage them. This practice is called Kerberoasting.

Now we approach a machine, HTB: Active.

We get the username and password and need to look further.
Look, you guys must be asking how to get the user/pass too!!! First learn this, then I’ll cover it later, because it’s more related to enumeration than AD exploitation.

So we use a tool from Impacket {like earlier}. Remember SPNs? Each service is identified uniquely by one. So we query for the SPNs registered to user accounts and request a service ticket for each; the response comes back encrypted with that service account’s password, and we crack it:

impacket-GetUserSPNs -request -dc-ip <IP> <AD-DOMAIN>/<user> -save -outputfile GetUserSPNs.out

It prompts for the password; we give it, and then:


GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out

We get the hash:

Look at the beginning now: $krb5tgs$23$. It’s 23 and TGS, so the mode is 13100.

And we get it cracked!!!
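The prefix trick used on both hashes above ($krb5asrep$23$ and $krb5tgs$23$) can be mechanised. The Python below is an added example written for this post, not Impacket’s or hashcat’s own code: it parses the two etype 23 hash layouts that GetNPUsers and GetUserSPNs write out, maps them to the hashcat modes named above (18200 and 13100), and lists which accounts’ material appears in a captured hash file, which is the rotation list a defender needs after such a file turns up. The sample lines are constructed, with dummy hex standing in for the checksum and encrypted data; other etypes use different layouts and are deliberately left unmapped.

```python
import re

# hashcat modes for the two RC4 (etype 23) formats named in the post; other
# etypes use different layouts and modes and are deliberately left unmapped.
HASHCAT_MODES = {
    ("asrep", 23): 18200,  # $krb5asrep$23$...  AS-REP roasting
    ("tgs", 23): 13100,    # $krb5tgs$23$...    Kerberoasting
}

# $krb5asrep$<etype>$<user>@<REALM>:<32 hex checksum>$<hex encrypted data>
_ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:$]+)"
    r":(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)
# $krb5tgs$<etype>$*<user>$<REALM>$<SPN>*$<32 hex checksum>$<hex encrypted data>
_TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

# Constructed sample lines: real layout, dummy hex for checksum and encrypted data.
SAMPLE_LINES = [
    "$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:" + "aa" * 16 + "$" + "bb" * 32,
    "$krb5tgs$23$*SVC_TGS$ACTIVE.HTB$active/CIFS:445*$" + "cc" * 16 + "$" + "dd" * 32,
    "not a kerberos hash at all",
]


def parse_krb5_hash(line):
    """Return the fields of one Impacket/hashcat-style hash line, or None."""
    line = line.strip()
    for kind, pattern in (("asrep", _ASREP_RE), ("tgs", _TGS_RE)):
        m = pattern.match(line)
        if m:
            etype = int(m.group("etype"))
            return {
                "kind": kind,
                "etype": etype,
                "user": m.group("user"),
                "realm": m.group("realm"),
                "spn": m.group("spn") if kind == "tgs" else None,
                "hashcat_mode": HASHCAT_MODES.get((kind, etype)),
            }
    return None


def accounts_to_rotate(lines):
    """Sorted REALM\\user names whose material appears in a captured hash file."""
    found = set()
    for line in lines:
        parsed = parse_krb5_hash(line)
        if parsed:
            found.add(f"{parsed['realm']}\\{parsed['user']}")
    return sorted(found)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        parsed = parse_krb5_hash(line)
        if parsed is None:
            print("skipped (not a Kerberos hash):", line)
        else:
            print(f"{parsed['kind']:5} etype={parsed['etype']} mode={parsed['hashcat_mode']} "
                  f"user={parsed['user']} realm={parsed['realm']} spn={parsed['spn']}")
    print("rotate:", accounts_to_rotate(SAMPLE_LINES))
```

Feed it the `hash` or `GetUserSPNs.out` file line by line; anything it returns None for is not one of the two layouts and should be looked at by hand rather than guessed at.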

There’s also another Kerberoasting scenario where we have to give a specific SPN to request, as in the HTB machine Scrambled. We’ll look into it later, as it’d be too heavy for now.
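Both scenarios leave traces in the domain controller’s Security log, which is where a defender catches them. The Python below is an added example, not from the post: it runs three checks over constructed, simplified 4768 (TGT requested) and 4769 (service ticket requested) records, written here as key=value lines rather than the real XML. A 4768 with Pre-Authentication Type 0 is a TGT issued without pre-auth, i.e. the account condition from Scenario 1; a 4769 with Ticket Encryption Type 0x17 (RC4, the 23 in the hash prefix) for an SPN held by a user account is the request made in Scenario 2; and a burst of 4768 failures with result code 0x6 (unknown principal) from one address is the username guessing covered in the enumeration section. The field names are the real event fields; users and addresses are made up.

```python
from collections import Counter

# Constructed, simplified Security-log records, one per line as key=value pairs.
# Real 4768/4769 events are XML; the field names here are the real ones, the
# values (users, addresses) are made up.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=fsmith ServiceName=krbtgt IpAddress=10.10.14.5 Status=0x0 PreAuthType=0 TicketEncryptionType=0x17",
    "EventID=4768 TargetUserName=hsmith ServiceName=krbtgt IpAddress=10.10.10.20 Status=0x0 PreAuthType=2 TicketEncryptionType=0x12",
    "EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=svc_tgs IpAddress=10.10.14.5 Status=0x0 TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=DC$ IpAddress=10.10.14.5 Status=0x0 TicketEncryptionType=0x12",
    "EventID=4769 TargetUserName=hsmith@ACTIVE.HTB ServiceName=krbtgt IpAddress=10.10.10.20 Status=0x0 TicketEncryptionType=0x12",
    "EventID=4768 TargetUserName=nobody1 ServiceName=krbtgt IpAddress=10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff",
    "EventID=4768 TargetUserName=nobody2 ServiceName=krbtgt IpAddress=10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff",
    "EventID=4768 TargetUserName=nobody3 ServiceName=krbtgt IpAddress=10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff",
    "EventID=4768 TargetUserName=hsmit ServiceName=krbtgt IpAddress=10.10.10.20 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff",
]

RC4_HMAC = "0x17"  # etype 23, the "$23$" in the hashes above


def parse_event(line):
    """Split 'k=v k=v ...' into a dict (values carry no spaces in this toy format)."""
    return dict(field.split("=", 1) for field in line.split())


def asrep_roast_candidates(lines):
    """TGTs issued with no pre-authentication: that account allows AS-REP roasting."""
    hits = []
    for e in map(parse_event, lines):
        if e["EventID"] == "4768" and e["Status"] == "0x0" and e["PreAuthType"] == "0":
            hits.append((e["TargetUserName"], e["IpAddress"]))
    return hits


def kerberoast_candidates(lines):
    """RC4 service tickets for SPNs held by user accounts (not computers, not krbtgt)."""
    hits = []
    for e in map(parse_event, lines):
        if e["EventID"] != "4769" or e["Status"] != "0x0":
            continue
        svc = e["ServiceName"]
        if e["TicketEncryptionType"] == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt":
            hits.append((e["TargetUserName"], svc, e["IpAddress"]))
    return hits


def userenum_sources(lines, threshold=3):
    """Addresses producing many 4768 failures with 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN)."""
    counts = Counter(e["IpAddress"] for e in map(parse_event, lines)
                     if e["EventID"] == "4768" and e["Status"] == "0x6")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("TGT without pre-auth:", asrep_roast_candidates(SAMPLE_EVENTS))
    print("RC4 ticket for user SPN:", kerberoast_candidates(SAMPLE_EVENTS))
    print("username guessing sources:", userenum_sources(SAMPLE_EVENTS))
```

The single typo `hsmit` from 10.10.10.20 stays under the threshold, while three unknown names from one address do not; tune the threshold to the normal rate of mistyped logons in the environment.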

Now comes the question: BROTHER, HOW DO I GET MY HANDS ON A USERNAME AND PASS??

Enumeration

My first blog where enumeration comes after exploitation, but it was necessary, as otherwise we would have gone off topic.

Okay, so our main goal is to get the username and password.

Web

Websites reveal a great deal about usernames and give hints about what’s running in the background. Take the above machines for example:

Sauna had the users listed, while the machine Scrambled had this simple image exposed:

Look at the username from cmd

We can also create a user list for validating usernames and check which ones are valid via kerbrute; if we don’t find anything, we can brute-force with a generic user list too.

It queries and returns the valid users {HTB: Manager}:
kerbrute userenum --dc <ip> -d <domain-name> <your-user-list>

Enumeration via LDAP

We can get the usernames, the hostname, and sometimes even stored credentials for SMB or WinRM with the help of LDAP. Consider the case where these ports are open: 389, 636, 3268, 3269.

We’ll use a tool called ldapsearch. So let’s say the nmap scan came back with something like this:

NOTE the domain, i.e. egotistical-bank.local

Look at the domain

We now have to give ldapsearch:

  • -H defines the host
  • -D defines the username, while -w stands for the password {here we create a null session}
  • -s base is the “search scope”
  • -b ‘DC=egotistical-bank,DC=local’: the base DN; we split the domain into its domain and TLD parts

This is the base DN (Distinguished Name) for the LDAP search. It specifies the starting point for the search in the LDAP directory tree. In LDAP, DNs are hierarchical and typically represent organizational units (OUs) or domains in the directory tree. 'DC=egotistical-bank,DC=local' represents the base DN for the search, indicating that the search should start from the domain components (DC) of the "egotistical-bank.local" domain.

ldapsearch -x -H "ldap://<host>" -D "" -w "" -s base -b 'DC=egotistical-bank,DC=local'

Now the result may be a bit long, so redirect it to a file. I’ll tell you what we need to find:

Now let’s say the output is stored in ldap_output. We need the usernames first for AS-REP roasting and then for Kerberoasting too, so we filter:


cat ldap_output | grep -i userprincipalname | cut -d " " -f 2 > User_p_names.txt

We also look for sAMAccountNames:

ldapsearch -H ldap://<host> -x -b DC=egotistical-bank,DC=local "(objectClass=person)" | grep -i samaccountname

If we get something, some users, we can check them via kerbrute.

Now, this is why I was saying to read a bit carefully: we sometimes get stored passwords too:

HTB: Cascade

We just need to decode it from base64 and we get the password.
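Instead of grepping one attribute at a time, the same ldapsearch output can be parsed as LDIF and audited for the exposures this post exploits. The Python below is an added example, not from the post or from the ldapsearch tooling: it handles the `attr:: base64` form and folded continuation lines, then flags enabled accounts whose userAccountControl has the DONT_REQ_PREAUTH bit (0x400000, the Scenario 1 condition), user accounts carrying a servicePrincipalName (the Scenario 2 condition), and readable attributes with credential-like names, such as the base64 password found on Cascade. The LDIF and every name in it are constructed; the attribute name legacyPwd is a made-up stand-in.

```python
import base64

# userAccountControl bits (ADS_USER_FLAG values) used in the audit.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # Kerberos pre-auth not required: AS-REP roastable

# Attributes with "pwd"/"pass" in the name that are normal bookkeeping, not secrets.
_BENIGN_PWD_ATTRS = {"pwdlastset", "badpwdcount", "badpasswordtime", "maxpwdage",
                     "minpwdage", "minpwdlength", "pwdhistorylength", "pwdproperties"}

# Constructed LDIF in the shape ldapsearch prints. Names, values and the
# attribute "legacyPwd" are all made up for this example.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Fergus Smith,CN=Users,DC=egotistical-bank,DC=local
objectClass: person
sAMAccountName: FSmith
userPrincipalName: FSmith@EGOTISTICAL-BANK.LOCAL
userAccountControl: 4260352

dn: CN=svc_backup,CN=Users,DC=egotistical-bank,DC=local
objectClass: person
sAMAccountName: svc_backup
servicePrincipalName: backup/srv01.egotistical-bank.local
userAccountControl: 66048

dn: CN=Ryan Thompson,CN=Users,DC=egotistical-bank,DC=local
objectClass: person
sAMAccountName: r.thompson
description: Account migrated from the old domai
 n in 2019
legacyPwd:: U3VtbWVyMjAyNCE=
userAccountControl: 66048

dn: CN=old_svc,CN=Users,DC=egotistical-bank,DC=local
objectClass: person
sAMAccountName: old_svc
userAccountControl: 4260354
"""


def _unfold(text):
    """Join LDIF continuation lines (leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of entries mapping lower-cased attribute -> [values]."""
    entries, current = [], {}
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def usernames(entries):
    """The sAMAccountNames, i.e. what the grep in the post pulls out."""
    return [e["samaccountname"][0] for e in entries if "samaccountname" in e]


def audit(entries):
    """(account, finding) for every enabled account exposed to the attacks in the post."""
    findings = []
    for e in entries:
        sam = e.get("samaccountname", ["<no sAMAccountName>"])[0]
        uac = int(e.get("useraccountcontrol", ["0"])[0])
        if uac & UF_ACCOUNTDISABLE:
            continue  # a disabled account cannot be roasted or sprayed
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append((sam, "pre-auth not required (AS-REP roastable)"))
        if "serviceprincipalname" in e:
            findings.append((sam, "user account with SPN (Kerberoastable)"))
        for attr in e:
            if ("pwd" in attr or "pass" in attr) and attr not in _BENIGN_PWD_ATTRS:
                findings.append((sam, f"credential-like attribute readable: {attr}"))
    return findings


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("users:", usernames(entries))
    for sam, finding in audit(entries):
        print(f"{sam}: {finding}")
```

Run it on the saved ldap_output file from a null session: anything it flags is readable by an unauthenticated client, which is exactly the information the attacks above start from.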

Now we have the usernames.

For passwords we might need to do:

  • AS-REP roasting
  • Get hints from other services: web, SMB, FTP
  • Sometimes we also have to brute-force

But the question comes: how do we brute-force, or check which password is correct with which username? Here come

crackmapexec and netexec to the rescue:

Imagine we have a list of users and passwords; we can now try password spraying. This is also really OSCP oriented.

The syntax of the commands goes:

crackmapexec <protocol> <ip> -u <user> -p <password>

netexec <protocol> <ip> -u <user> -p <password>

crackmapexec smb 10.10.10.193 -u users.txt -p pass.txt

A successful attempt looks like this:

HTB: Flight

It checks every user/password combination.

Also, especially with SMB, when you get a purple marker saying the password must be reset, meaning the account needs a new password before logging in, we can change it via smbpasswd:

It won’t let you log in with the right password before changing it:
smbpasswd -r 10.10.10.193 -U user

We can try WinRM also:


crackmapexec winrm 10.10.10.193 -u users.txt -p pass.txt
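Spraying with crackmapexec or netexec against SMB or WinRM produces one 4625 (logon failure) event per attempt on the target, so the defender’s rule is: many distinct usernames failing from one source address inside a short window. The Python below is an added example, not part of the post: it runs that rule over constructed, simplified 4625 records and separately lists accounts that returned SubStatus 0xC0000224 (password must change), which is the “password reset” result described above and means the sprayed password was actually correct for that account. The field names are the real event fields; users, addresses and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS SubStatus codes commonly seen in 4625 (logon failure) events.
SUBSTATUS = {
    "0xc000006a": "wrong password",
    "0xc0000064": "user name does not exist",
    "0xc0000224": "password must change at next logon",
    "0xc0000234": "account locked out",
}

# Constructed, simplified 4625 records: real field names, made-up users,
# addresses and times. Real events are XML.
SAMPLE_EVENTS = [
    "EventID=4625 TimeCreated=2024-02-20T10:00:01 TargetUserName=a.reed IpAddress=10.10.14.5 SubStatus=0xC000006A",
    "EventID=4625 TimeCreated=2024-02-20T10:00:02 TargetUserName=b.shaw IpAddress=10.10.14.5 SubStatus=0xC000006A",
    "EventID=4625 TimeCreated=2024-02-20T10:00:02 TargetUserName=c.lane IpAddress=10.10.14.5 SubStatus=0xC000006A",
    "EventID=4625 TimeCreated=2024-02-20T10:00:03 TargetUserName=svc_print IpAddress=10.10.14.5 SubStatus=0xC0000224",
    "EventID=4625 TimeCreated=2024-02-20T10:00:03 TargetUserName=d.moss IpAddress=10.10.14.5 SubStatus=0xC0000064",
    "EventID=4625 TimeCreated=2024-02-20T10:00:04 TargetUserName=e.park IpAddress=10.10.14.5 SubStatus=0xC000006A",
    "EventID=4625 TimeCreated=2024-02-20T10:20:00 TargetUserName=a.reed IpAddress=10.10.14.5 SubStatus=0xC000006A",
    "EventID=4625 TimeCreated=2024-02-20T10:07:30 TargetUserName=f.wall IpAddress=10.10.10.30 SubStatus=0xC000006A",
]


def parse_event(line):
    """Split 'k=v k=v ...' into a dict (values carry no spaces in this toy format)."""
    return dict(field.split("=", 1) for field in line.split())


def failed_logons(lines):
    """(time, ip, user_lower, substatus_lower) for every 4625 record."""
    out = []
    for e in map(parse_event, lines):
        if e["EventID"] == "4625":
            out.append((datetime.fromisoformat(e["TimeCreated"]), e["IpAddress"],
                        e["TargetUserName"].lower(), e["SubStatus"].lower()))
    return out


def spray_sources(lines, min_users=5, window=timedelta(minutes=5)):
    """Addresses that failed against >= min_users distinct accounts inside one window."""
    by_ip = defaultdict(list)
    for t, ip, user, _ in failed_logons(lines):
        by_ip[ip].append((t, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best = 0
        for i, (start, _) in enumerate(attempts):  # slide the window over each start time
            users = {u for t, u in attempts[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= min_users:
            alerts[ip] = best
    return alerts


def must_change_hits(lines):
    """Accounts whose password was accepted but must be changed (0xC0000224)."""
    return sorted({user for _, _, user, sub in failed_logons(lines) if sub == "0xc0000224"})


if __name__ == "__main__":
    for ip, n in spray_sources(SAMPLE_EVENTS).items():
        print(f"spray from {ip}: {n} distinct accounts inside the window")
    for user in must_change_hits(SAMPLE_EVENTS):
        print(f"{user}: {SUBSTATUS['0xc0000224']} - treat the password as known and rotate it")
```

A 0xC0000224 hit from a spraying source is the most urgent line in the output: the failure was only the forced password change, not the password itself.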

When we get the creds, just log in and play further.

I will cover more in the next post. If you like what I do:

follow me on Twitter and LinkedIn.
