NETWORK SECURITY
CrackMapExec in Action: Enumerating Windows Networks (Part 2)
Strategically Mapping Targets inside the Internal Network
CrackMapExec, commonly abbreviated CME, is a useful tool during internal pentesting assessments of Windows networks. It performs network enumeration, identifies hosts and services, and enumerates shares, users, and groups within the network.
In Part 1 of this series, we discussed network enumeration from the perspective of a non-domain user. We looked at various methods to obtain domain credentials that we can then use to perform a thorough recon and discover more details about groups, users, and policies.
In this post, we will take things further and perform a credentialed recon with CrackMapExec to uncover more information about domain users, groups, computers, and access controls to identify interesting targets we can exploit for escalation and lateral movement activities.
We will use exercises from Hack The Box Academy as examples.
Enumerating Group Policy Preferences (GPP)
Group Policy is a set of configurations that enforces and controls specific settings on domain-joined computers and users. Examples of Group Policy settings include password complexity requirements, software installation restrictions, and firewall rules.
On the other hand, Group Policy Preferences are a set of preferences that provide a baseline configuration to users and computers that are not enforced and can be changed if needed. Some examples of these settings include selecting a default printer, setting a desktop background, and configuring power options.
Group Policy Preferences use XML files for their configuration data; these files are stored in the SYSVOL share on domain controllers, in a folder called "GroupPolicy\User\Preferences".
In older Windows environments such as Server 2003 and 2008, these XML files store AES-encrypted passwords in the "cpassword" attribute, which can be decrypted with the AES key Microsoft published in the MS-GPPREF specification (linked under Resources).
To access the GPP information and decrypt the stored password with CrackMapExec, we can use two modules: gpp_password and gpp_autologin. The gpp_password module decrypts passwords stored in the Groups.xml file, while gpp_autologin retrieves autologon information from the Registry.xml file in the Preferences folder.
As seen in the example below, we obtained the usernames and passwords of additional domain users, which we can use to gain further access to the network.
sudo poetry run crackmapexec smb 10.129.204.177 -u grace -p Inlanefreight01! -M gpp_password
sudo poetry run crackmapexec smb 10.129.204.177 -u grace -p Inlanefreight01! -M gpp_autologin
Enumerating LDAP
To enumerate the AD environment, we can use CrackMapExec much like we use PowerView. CrackMapExec has several modules that enumerate LDAP information as an authenticated user. Running the ldap protocol with the -L option lists all the available modules.
Note: if you do not see all the LDAP modules shown in the screenshot, you are probably running an older version of CrackMapExec, such as v5.4.0 (codename Indestructible G0thm0g). In that case, either upgrade the tool or download the missing module and add it to the modules directory (/cme/modules/).
The version shown below is 6.1.0 (codename John Wick).
sudo poetry run crackmapexec ldap -L
User Description
To enumerate users, we have two modules: get-desc-users and user-desc. The get-desc-users module returns all users and their descriptions, as seen below.
sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M get-desc-users
The other module, user-desc, retrieves the user descriptions that match the keywords defined in the module's script, user_description.py. The default keywords are set in self.keywords = {'pass', 'creds', 'creden', 'key', 'secret', 'default'} in /cme/modules/user_description.py; these are the terms the module searches for in the description field. If a description does not contain any of the default keywords, the module will not return it. Keep that in mind when enumerating LDAP with this module.
sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M user-desc
If we want to search for specific values not included in the default keywords, we can use the -o option and set the KEYWORDS parameter to the value we want to look up.
sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M user-desc -o KEYWORDS=IP
User Information
Another useful module is whoami; it returns information about the user we are authenticated as, or about another user specified with the -o option and the USER parameter.
sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M whoami
sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M whoami -o USER=alina
Group Membership
There are two modules that enable us to query group memberships: groupmembership and group-mem. The groupmembership module retrieves the groups a user belongs to. To run it, we use the -o option and specify the user in the USER parameter. The example below shows that the user Grace is a member of the SQL Admins and Domain Users groups.
sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M groupmembership -o USER=grace
With the group-mem module, we can list all the members of a specific group using the -o option and the GROUP parameter. As seen below, the "Domain Admins" group has three members: Administrator, Julio, and David.
sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M group-mem -o Group='Domain Admins'
Domain Computers
To locate domain computers, the find-computer module searches for a specified string. For instance, if we need to find all servers in the domain, we can use the -o option with the TEXT parameter set to "server". We can also look for Windows workstations and servers by searching for "windows", or for operating system versions such as "2003", "2008", or "2016" to identify older systems.
sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M find-computer -o TEXT='server'
Read DACLs
We can read the Access Control List (ACL) properties of objects to find privileges that could be abused, either to escalate to Domain Admin or to add ourselves to groups that grant additional rights useful for pivoting.
We can use the daclread module with the -o option and the TARGET parameter to view a user's ACL properties. In the screenshot below, we retrieved Alina's ACLs.
sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M daclread -o Target=alina
We can also filter for specific rights to narrow down who holds the more valuable privileges in the domain. To do so, we add the RIGHTS parameter to the previous command and specify the filter we want. The available filters are 'FullControl', 'ResetPassword', 'WriteMembers', and 'DCSync'.
In the example below, we searched for ResetPassword rights over the user Alina and found that the user Peter has the right to change Alina's password. We can infer that compromising Peter's account would also give us access to Alina's account via a password reset.
sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M daclread -o Target=alina RIGHTS=ResetPassword
We can also check which groups or users have FullControl privileges over the user Alina; grepping for Trustee lists them. As seen below, the Domain Admins and Account Operators groups have full control over the user Alina. If we compromise a user in the Account Operators group, that user's ACL privileges give us full control over Alina.
sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M daclread -o Target=alina RIGHTS=FullControl
To gain insight into one user's privileges over others, we can filter by principal, such as a user account, a computer account, or a process. This is particularly helpful when we have compromised a user and need to understand the extent of their access. For instance, if we have compromised the user Peter, we may want to investigate what privileges he holds over Alina. In the example below, we can see that Peter can change Alina's password, which can be exploited to gain further access to the network.
sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M daclread -o Target=alina PRINCIPAL=peter
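To show what the four RIGHTS filters actually test for, here is an added Python example (not CrackMapExec's code) that parses the DACL of an SDDL string and classifies each allow ACE by its access mask and the extended-right or attribute GUID it carries. The GUIDs are the standard Active Directory schema values, the SDDL sample is constructed, and the parser assumes the plain six-field ACE form.

```python
import re
# GUIDs behind the daclread filters (AD schema extended rights and the member attribute)
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"      # member attribute of a group
DS_REPL = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",        # DS-Replication-Get-Changes
           "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}        # DS-Replication-Get-Changes-All
# SDDL two-letter rights tokens -> ADS_RIGHT bits
TOKENS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
          "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
          "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}
GENERIC_ALL, FULL_MASK, WRITE_PROP, CONTROL_ACCESS = 0x10000000, 0x000F01FF, 0x20, 0x100

def parse_rights(field):
    # An SDDL rights field is either a hex mask ('0xf01ff') or a run of tokens ('WPCR')
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= TOKENS[field[i:i + 2]]
    return mask

def classify_ace(ace):
    """Return (trustee SID, set of filter names) for an allow ACE; None for deny/audit ACEs."""
    fields = ace.split(";")
    if len(fields) < 6 or fields[0] not in ("A", "OA"):
        return None
    mask, guid, sid, hits = parse_rights(fields[2]), fields[3].lower(), fields[5], set()
    if mask & GENERIC_ALL or (mask & FULL_MASK) == FULL_MASK:
        return sid, {"FullControl"}              # full control implies every right below
    if mask & CONTROL_ACCESS and guid in (RESET_PASSWORD, ""):
        hits.add("ResetPassword")                # empty GUID = all extended rights
    if mask & WRITE_PROP and guid in (MEMBER_ATTR, ""):
        hits.add("WriteMembers")                 # empty GUID = write to any attribute
    if mask & CONTROL_ACCESS and (guid in DS_REPL or guid == ""):
        hits.add("DCSync")                       # a principal needs both replication rights
    return sid, hits

def audit_dacl(sddl):
    dacl = sddl.split("D:", 1)[-1].split("S:", 1)[0]    # keep only the DACL section
    grants = {}                                        # trustee SID -> filter names
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        hit = classify_ace(ace)
        if hit and hit[1]:
            grants.setdefault(hit[0], set()).update(hit[1])
    return {sid: sorted(names) for sid, names in grants.items()}

# Constructed DACL: full control for RID 512, a deny ACE to ignore, then one grant per filter
SAMPLE_SDDL = ("D:(A;;0xf01ff;;;S-1-5-21-1-2-3-512)(D;;GA;;;S-1-5-21-1-2-3-1112)"
               "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1109)"
               "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1110)"
               "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1111)"
               "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1111)")
```

On a defender's side the same classification, run over the DACLs of privileged users and the domain object, is a quick way to review which principals have been delegated these rights and whether each delegation is still intended.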
Active Directory Certificate Services (AD CS)
The adcs module retrieves information about the Certificate Enrollment Service and certificate templates. We run the adcs module first to get the server and certificate authority names.
sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M adcs
Then, we add the -o option with the SERVER parameter set to the CA name "inlanefreight-DC01-CA" to get the available templates. This is useful information for judging whether an attack like PetitPotam would work against the CA server.
sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M adcs -o SERVER=inlanefreight-DC01-CA
With this, we reach the end of this post. Today, we learned to utilize CrackMapExec to enumerate domain objects in instances where we already have access to the domain. This allows us to understand the network better and aids us in mapping out the next steps in the internal assessment.
Thanks for reading; until next time!
🔔You can find a list of all the commands that have been used in this post at R3d Buck3T Notion (Internal Pentesting Methodology — CrackMapExec)
Resources
- https://github.com/Porchetta-Industries/CrackMapExec
- https://academy.hackthebox.com/course/preview/using-crackmapexec
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be
- https://r3dbuck3t.notion.site/CrackMapExec-458d2660dc5c48d2a04cf51321d49b28?pvs=4
- https://medium.com/r3d-buck3t/crackmapexec-in-action-enumerating-windows-networks-part-1-3a6a7e5644e9#ad38