NETWORK SECURITY

CrackMapExec in Action: Enumerating Windows Networks (Part 2)

Nairuz Abulhul, published in R3d Buck3T
Sep 27, 2023

Strategically Mapping Targets inside the Internal Network

Credit — Photo by Dmitrii Zhodzishskii on Unsplash

CrackMapExec, known as CME, is a useful tool during internal pentesting assessments for assessing the security of Windows networks. It performs network enumeration, identifying hosts and services while enumerating shares, users, and groups within the network.

In Part 1 of this series, we discussed network enumeration from the perspective of a non-domain user. We looked at various methods of obtaining domain credentials that we can then use to perform a thorough recon and discover more details about groups, users, and policies.

In this post, we will take things further and perform a credentialed recon with CrackMapExec to uncover more information about domain users, groups, computers, and access controls to identify interesting targets we can exploit for escalation and lateral movement activities.

We will use exercises from Hack The Box Academy as examples.


Enumerating Group Policy Preferences (GPP)

Group Policy is a set of configurations that enforces and controls specific settings on domain-joined computers and users. Examples of Group Policy settings include password complexity requirements, software installation restrictions, and firewall rules.

On the other hand, Group Policy Preferences are a set of preferences that provide a baseline configuration to users and computers that are not enforced and can be changed if needed. Some examples of these settings include selecting a default printer, setting a desktop background, and configuring power options.

Group Policy Preferences use XML files for configuration data; these files are stored in the SYSVOL share on domain controllers in a folder called GroupPolicy\User\Preferences.

Figure 1 — shows the path to the Group.xml file that stores GPP information.

In older Windows environments such as Server 2003 and 2008, the XML file stores AES-encrypted passwords in the “cpassword” attribute. Because Microsoft published the AES key in its own documentation, anyone who can read the file can decrypt them.

Figure 2 — shows the encrypted password in the cpassword parameter.

To access the GPP information and decrypt its stored password using CrackMapExec, we can use two modules: gpp_password and gpp_autologin.

The gpp_password decrypts passwords stored in the Group.xml file, while gpp_autologin retrieves autologin information from the Registry.xml file in the preferences folder.

As seen in the example below, we obtained the usernames and passwords of additional domain users, which we can use to gain further access to the network.

sudo poetry run crackmapexec smb 10.129.204.177 -u grace -p Inlanefreight01! -M gpp_password
Figure 3 — shows names and passwords retrieved from the GPO policies.
sudo poetry run crackmapexec smb 10.129.204.177 -u grace -p Inlanefreight01! -M gpp_autologin
Figure 4 — shows retrieving username and password from the Registry.xml file.
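The same two findings can be checked from the defender's side without CrackMapExec: anyone with read access to SYSVOL can walk it and report which Preferences files still carry a cpassword attribute or Winlogon autologon values. The script below is an added example, not code from the post or from CrackMapExec. It only reports where credentials are stored and never decrypts anything; the directory tree, the GPO GUID placeholder and the two XML files are constructed inline. On disk the file is named Groups.xml (the post abbreviates it as Group.xml).

```python
"""Audit a SYSVOL-style directory tree for GPP files that still store credentials.

Added example, not part of the original post. The sample tree is constructed;
the cpassword and DefaultPassword values are placeholders, not real secrets.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preferences files the GPP client reads that may carry a cpassword attribute.
# Groups.xml and Registry.xml are the two files the post discusses.
GPP_FILES = {"Groups.xml", "Registry.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed Groups.xml: one account with a stored password, one without.
SAMPLE_GROUPS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc_backup" image="2" changed="2023-09-01 10:00:00">
    <Properties action="U" newName="" fullName="" description="Backup service"
                cpassword="PLACEHOLDER_CIPHERTEXT" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="svc_backup"/>
  </User>
  <User name="helpdesk" image="2" changed="2023-09-01 10:05:00">
    <Properties action="U" newName="" fullName="" description="No password set"
                cpassword="" userName="helpdesk"/>
  </User>
</Groups>
"""

# Constructed Registry.xml that pushes Winlogon autologon values (what gpp_autologin reads).
SAMPLE_REGISTRY_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings>
  <Registry name="DefaultUserName">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE"
                key="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
                name="DefaultUserName" type="REG_SZ" value="svc_kiosk"/>
  </Registry>
  <Registry name="DefaultPassword">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE"
                key="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
                name="DefaultPassword" type="REG_SZ" value="PLACEHOLDER_PASSWORD"/>
  </Registry>
</RegistrySettings>
"""


def find_cpasswords(xml_bytes):
    """Return [(tag, userName, stored)] for every element with a cpassword attribute.
    stored is False when the attribute is present but empty (no password was set)."""
    hits = []
    for elem in ET.fromstring(xml_bytes).iter():
        if "cpassword" in elem.attrib:
            hits.append((elem.tag, elem.attrib.get("userName", ""),
                         elem.attrib["cpassword"] != ""))
    return hits


def find_autologon(xml_bytes):
    """Return {value_name: value} for Winlogon autologon entries set by a Registry.xml."""
    wanted = {"DefaultUserName", "DefaultPassword", "DefaultDomainName"}
    found = {}
    for props in ET.fromstring(xml_bytes).iter("Properties"):
        key = props.attrib.get("key", "").lower()
        if key.endswith("winlogon") and props.attrib.get("name") in wanted:
            found[props.attrib["name"]] = props.attrib.get("value", "")
    return found


def audit_sysvol(root_dir):
    """Walk root_dir; return {relative_path: finding} for each GPP file that stores a
    password (non-empty cpassword) or a Winlogon DefaultPassword value."""
    findings = {}
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                stored = [h for h in find_cpasswords(data) if h[2]]
                autologon = find_autologon(data) if name == "Registry.xml" else {}
            except ET.ParseError:
                continue  # malformed file: skip it rather than abort the audit
            if stored or "DefaultPassword" in autologon:
                rel = os.path.relpath(path, root_dir).replace(os.sep, "/")
                findings[rel] = {"cpassword_entries": stored, "autologon": autologon}
    return findings


def build_demo_sysvol():
    """Write the constructed samples into a temp tree shaped like
    <domain>/Policies/<GPO GUID>/(User|Machine)/Preferences/... and return its root."""
    root = tempfile.mkdtemp(prefix="sysvol_demo_")
    gpo = os.path.join(root, "example.local", "Policies", "{PLACEHOLDER-GPO-GUID}")
    groups_dir = os.path.join(gpo, "User", "Preferences", "Groups")
    reg_dir = os.path.join(gpo, "Machine", "Preferences", "Registry")
    os.makedirs(groups_dir)
    os.makedirs(reg_dir)
    with open(os.path.join(groups_dir, "Groups.xml"), "wb") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    with open(os.path.join(reg_dir, "Registry.xml"), "wb") as fh:
        fh.write(SAMPLE_REGISTRY_XML)
    return root


if __name__ == "__main__":
    for rel_path, finding in audit_sysvol(build_demo_sysvol()).items():
        print(rel_path, finding)
```

Point audit_sysvol at a mounted copy of the SYSVOL share (or a backup of it) to get the same list of exposed accounts an authenticated user would obtain with the two modules; an empty cpassword attribute is reported as not stored, since that is what the GPP client writes when no password was configured.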

Enumerating LDAP

To enumerate the AD environment, we can utilize CrackMapExec much like we use PowerView. CrackMapExec has several modules that enumerate LDAP information for authenticated users. By running the ldap protocol with the -L option, we can list all the available modules.

Note: if you do not see all the LDAP modules shown in the screenshot, you may be running an older version of CrackMapExec, such as v5.4.0 (Indestructible G0thm0g). In that case, either upgrade the tool or download the missing module and add it to the modules directory (/cme/modules/).

The version shown below is 6.1.0 (codename John Wick).

sudo poetry run crackmapexec ldap -L
Figure 5 — shows the available modules for the LDAP protocol.

User Description

To enumerate users, we have 2 modules: get-desc-users and user-desc. The get-desc-users module returns all users and their descriptions, as seen below.

sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M get-desc-users
Figure 6 — shows the get-desc-users module returning all domain user accounts and their descriptions.

The other module, user-desc, retrieves only the user descriptions that match the keywords defined in the script user_description.py. The default keywords are set in self.keywords = {'pass', 'creds', 'creden', 'key', 'secret', 'default'} in /cme/modules/user_description.py.

Figure 7 — shows the default keywords that the user_description module uses when searching the description field.

If the description field doesn’t contain any of the default keywords, the module won’t be able to retrieve it. Remember that when enumerating LDAP with this module.

sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M user-desc
Figure 8 — shows the user-desc module returning user accounts with the IP keyword in their description fields.

If we want to search for specific values not included in the default keywords, we can use the -o option and set the KEYWORDS parameter to the value we want to look up.

sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M user-desc -o KEYWORDS=IP
Figure 9 — shows using the KEYWORDS option to search for a specific value, i.e., IP.
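What user-desc does is a keyword search over the description attribute, and the same search is a cheap audit for defenders, since the description field is readable by every authenticated user. The example below is added here and is not code from the post or from CrackMapExec. It assumes the module compares keywords as case-insensitive substrings (the default keyword "creden" only makes sense as a prefix match) and that a KEYWORDS value may be comma-separated; it runs over a constructed list of (sAMAccountName, description) pairs rather than a live LDAP query.

```python
"""Flag Active Directory user descriptions that look like they hold credentials.

Added example, not part of the original post or of CrackMapExec. Matching is a
case-insensitive substring test, which is an assumption about the user-desc module.
"""

# Default keyword set quoted in the post from user_description.py.
DEFAULT_KEYWORDS = {"pass", "creds", "creden", "key", "secret", "default"}

# Constructed sample export of (sAMAccountName, description); no real accounts.
SAMPLE_USERS = [
    ("grace", "SQL admin; lab box IP 10.0.0.5"),
    ("svc_backup", "Backup service. Default password Summer2023!"),
    ("alina", "HR department"),
    ("peter", "Helpdesk; can reset passwords"),
    ("auto_bot", "Turnkey automation account"),
]


def parse_keywords_option(value):
    """Turn a module option value such as 'IP' or 'IP,token' into a keyword set.
    Falls back to DEFAULT_KEYWORDS when no value is given."""
    if not value:
        return set(DEFAULT_KEYWORDS)
    return {kw.strip() for kw in value.split(",") if kw.strip()}


def flag_descriptions(users, keywords=None):
    """Return [(name, description, matched_keywords)] for every user whose description
    contains at least one keyword, compared case-insensitively as a substring."""
    kws = DEFAULT_KEYWORDS if keywords is None else keywords
    flagged = []
    for name, description in users:
        if not description:
            continue  # empty description: nothing to match
        lowered = description.lower()
        matched = sorted(kw for kw in kws if kw.lower() in lowered)
        if matched:
            flagged.append((name, description, matched))
    return flagged


def flagged_names(users, keywords=None):
    """Just the account names, in directory order, for quick comparison."""
    return [name for name, _, _ in flag_descriptions(users, keywords)]


if __name__ == "__main__":
    for name, description, matched in flag_descriptions(SAMPLE_USERS):
        print(f"{name:12} {matched} <- {description}")
    print("KEYWORDS=IP:", flagged_names(SAMPLE_USERS, parse_keywords_option("IP")))
```

The constructed sample shows why the default list needs reviewing: "pass" flags both a stored password and the harmless phrase "reset passwords", and "key" flags "Turnkey". Short keywords produce false positives, so run the result past a human before acting on it, and treat any true hit as a description that needs to be cleared.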

User Information

Another useful module is whoami; it returns information about the user we are authenticated as, or about another user specified with the -o option and the USER parameter.

sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M whoami
Figure 10 — shows the whoami module returning information about the user Grace.
sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M whoami -o USER=alina
Figure 11 — shows the whoami module with the USER option querying another user, i.e., Alina.

Group Membership

There are 2 modules that enable us to query group memberships — groupmembership and group-mem. The groupmembership helps us retrieve the groups that a user belongs to.

To run this module, we can use the -o option and specify the user in the USER parameter. The example below shows that the Grace user is a member of the SQL admins and Domain Users groups.

sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M groupmembership -o USER=grace
Figure 12 — shows the groupmembership module returning all groups that the user Grace is a member of.

With the group-mem module, we can get all the users of a specific group with the -o option and the GROUP parameter. As seen below, the “Domain Admins” group has 3 members — Administrator, Julio, and David.

sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M group-mem -o Group='Domain Admins'
Figure 13 — shows the group-mem module returning all members of the Domain Admins group.

Domain Computers

To locate domain computers, the find-computer module searches computer objects for the specified text. For instance, if we need to find all servers within the domain, we can use the -o option with the TEXT parameter set to “server”.

We can also look for Windows workstations and servers by searching for “windows” or operating system versions, such as “2003, 2008, 2016”, to identify older systems.

sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M find-computer -o TEXT='server'
Figure 14 — shows the find-computer module returning all machines with “server” in their names or descriptions.

Read DACLs

We can read the Access Control List properties of domain objects to search for privileges that can be abused, either to escalate to domain admin or to add ourselves to groups that would give us additional rights for pivoting.

We can use the daclread module with the -o option and the TARGET parameter to view a user’s ACL properties. In the screenshot below, we retrieved Alina’s ACLs.

sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M daclread -o Target=alina
Figure 15 — shows the daclread module returning the ACL properties for the user Alina.

We can also search more granularly for interesting rights, filtering to see who holds the privileges worth going after in the domain. To do so, we add the RIGHTS parameter to the previous command and specify the filter we want to use.

The available filters are ‘FullControl’, ‘ResetPassword’, ‘WriteMembers’, and ‘DCSync’. In the example below, we searched for ResetPassword rights over the user Alina and found that the user Peter has the right to change Alina’s password.

We can infer that compromising Peter’s account would also give us access to Alina’s account via password reset.

sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M daclread -o Target=alina RIGHTS=ResetPassword
Figure 16 — shows the user Peter has ResetPassword rights over Alina.

We can also check which groups or users have FullControl privileges over the user Alina, grepping for Trustee to list them. As seen below, the Domain Admins and Account Operators groups are the ones with full control over the user Alina.

If we compromise a member of the Account Operators group, the ACL shows that this membership gives us full control over Alina as well.

sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M daclread -o Target=alina RIGHTS=FullControl
Figure 17 — shows the daclread module used with the RIGHTS filter to identify who has FullControl over the user Alina.
Figure 18 — shows the Trustees list with FullControl rights over the user Alina.

To gain insight into a user’s privileges over others, we can filter by principals such as user accounts, computer accounts, or processes. This is particularly helpful in situations where we have compromised a user and need to understand the extent of their access.

For instance, if we have compromised the user Peter, we may want to investigate what privileges he holds over Alina. In the example below, we can see that Peter has the ability to change Alina’s password, which can be exploited to gain further access to the network.

sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M daclread -o Target=alina PRINCIPAL=peter
Figure 19 — shows the user Peter can change Alina’s password.
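The RIGHTS and PRINCIPAL filters above are, underneath, tests on each ACE's access mask and object-type GUID. The script below is an added example, not code from the post or from CrackMapExec, that applies the same four filters (FullControl, ResetPassword, WriteMembers, DCSync) to an in-memory DACL so the logic can be read in one place and reused on exported ACLs, for instance to audit who can reset passwords of privileged accounts. The access-mask bits and GUIDs are the real Active Directory values; the two ACE lists are constructed to mirror the post's Alina example, and deny ACEs, inheritance and group nesting are not modelled.

```python
"""Filter a DACL by the rights CrackMapExec's daclread exposes, and by principal.

Added example, not part of the original post or of CrackMapExec. ACE lists are
constructed; mask bits and GUIDs are real AD values. Deny ACEs, inheritance and
nested group membership are deliberately ignored to keep the check readable.
"""
from dataclasses import dataclass
from typing import Optional

# Access-mask bits (ADS_RIGHTS_ENUM).
GENERIC_ALL = 0x10000000
DS_CONTROL_ACCESS = 0x00000100   # an extended right; object_type says which one
DS_WRITE_PROP = 0x00000020       # write an attribute; object_type says which one
DS_READ_PROP = 0x00000010
FULL_CONTROL_MASK = 0x000F01FF   # every specific and standard right set

# Schema attribute / extended-right GUIDs.
USER_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
MEMBER_ATTRIBUTE = "bf9679c0-0de6-11d0-a285-00aa003049e2"
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

RIGHTS = ("FullControl", "ResetPassword", "WriteMembers", "DCSync")


@dataclass
class Ace:
    trustee: str                       # principal the ACE applies to
    mask: int                          # access mask
    object_type: Optional[str] = None  # GUID scoping the right; None means unscoped


def _is_full_control(ace):
    return bool(ace.mask & GENERIC_ALL) or (ace.mask & FULL_CONTROL_MASK) == FULL_CONTROL_MASK


def _grants(ace, right_bit, guids):
    """True if the ACE carries right_bit, either unscoped or scoped to one of guids."""
    if _is_full_control(ace):
        return True  # full control implies every specific right
    return bool(ace.mask & right_bit) and (ace.object_type is None or ace.object_type in guids)


def trustees_with_right(dacl, right):
    """Sorted trustees that hold `right` over the object whose DACL is given."""
    if right == "FullControl":
        hit = {a.trustee for a in dacl if _is_full_control(a)}
    elif right == "ResetPassword":
        hit = {a.trustee for a in dacl if _grants(a, DS_CONTROL_ACCESS, {USER_FORCE_CHANGE_PASSWORD})}
    elif right == "WriteMembers":
        hit = {a.trustee for a in dacl if _grants(a, DS_WRITE_PROP, {MEMBER_ATTRIBUTE})}
    elif right == "DCSync":
        # DCSync needs both replication rights; they may come from separate ACEs.
        get = {a.trustee for a in dacl if _grants(a, DS_CONTROL_ACCESS, {DS_REPLICATION_GET_CHANGES})}
        get_all = {a.trustee for a in dacl if _grants(a, DS_CONTROL_ACCESS, {DS_REPLICATION_GET_CHANGES_ALL})}
        hit = get & get_all
    else:
        raise ValueError(f"unknown right {right!r}; expected one of {RIGHTS}")
    return sorted(hit)


def rights_of_principal(dacl, principal):
    """The PRINCIPAL view: which of the four rights `principal` holds, in RIGHTS order."""
    return [r for r in RIGHTS if principal in trustees_with_right(dacl, r)]


# Constructed DACL of the user Alina, modelled on the post's screenshots.
ALINA_DACL = [
    Ace("Domain Admins", FULL_CONTROL_MASK),
    Ace("Account Operators", GENERIC_ALL),
    Ace("peter", DS_CONTROL_ACCESS, USER_FORCE_CHANGE_PASSWORD),
    Ace("Authenticated Users", DS_READ_PROP),
]

# Constructed DACL of the domain object, to show the two-GUID DCSync check.
DOMAIN_DACL = [
    Ace("Domain Controllers", DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    Ace("Domain Controllers", DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    Ace("svc_backup", DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),  # only half of DCSync
]

if __name__ == "__main__":
    for right in RIGHTS:
        print(f"{right:14} over alina: {trustees_with_right(ALINA_DACL, right)}")
    print("peter's rights over alina:", rights_of_principal(ALINA_DACL, "peter"))
    print("DCSync on the domain object:", trustees_with_right(DOMAIN_DACL, "DCSync"))
```

Two details of the check are worth knowing when reading daclread output: an ACE with DS_CONTROL_ACCESS and no object type grants every extended right, not just the one you filtered on, and a trustee holding only DS-Replication-Get-Changes (svc_backup above) does not have DCSync until Get-Changes-All is granted too.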

Active Directory Certificate Services (AD CS)

The adcs module finds information about the Certificate Enrollment Service and Certificate Templates. We run the adcs module first to get the server and certificate authority names.

sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M adcs  
Figure 20 — shows the adcs module returning info about the Certificate Authority service.

Then, we add the -o option with the SERVER parameter set to the CA name “inlanefreight-DC01-CA” to get the available templates. This is useful information for assessing whether an attack like PetitPotam would work against the CA server.

sudo poetry run crackmapexec ldap 10.129.204.177 -u grace -p Inlanefreight01! -M adcs -o SERVER=inlanefreight-DC01-CA
Figure 21 — shows the adcs module with the SERVER parameter returning the available certificate templates.

With this, we reach the end of this post. Today, we learned to utilize CrackMapExec to enumerate domain objects in instances where we already have access to the domain. This allows us to understand the network better and aids us in mapping out the next steps in the internal assessment.

Thanks for reading; until next time!

🔔You can find a list of all the commands that have been used in this post at R3d Buck3T Notion (Internal Pentesting Methodology — CrackMapExec)
