We covered a scenario of Windows active directory penetration testing where we demonstrated basic enumeration using Nmap then performed ASREPRoasting against the Kerberos protocol to list the active users and their tokens. Then we escalated the privileges using the NTDS database.
Windows Active Directory Penetration Testing Study Notes
Challenge Description
99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?
Video Highlights
Basic enumeration starts out with an nmap scan. Nmap is a relatively complex utility that has been refined over the years to detect what ports are open on a device, what services are running, and even detect what operating system is running. It’s important to note that not all services may be deteted correctly and not enumerated to it’s fullest potential. Despite nmap being an overly complex utility, it cannot enumerate everything. Therefore after an initial nmap scan we’ll be using other utilities to help us enumerate the services running on the device.
A whole host of other services are running, including Kerberos. Kerberos is a key authentication service within Active Directory. With this port open, we can use a tool called Kerbrute (by Ronnie Flathers @ropnop) to brute force discovery of users, passwords and even password spray!
After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASReproasting occurs when a user account has the privilege “Does not require Pre-Authentication” set. This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account.
Room Answers
What tool will allow us to enumerate port 139/445?
What is the NetBIOS-Domain Name of the machine?
What command within Kerbrute will allow us to enumerate valid usernames?
What notable account is discovered? (These should jump out at you)
What is the other notable account is discovered? (These should jump out at you)
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
What mode is the hash?
Now crack the hash with the modified password list provided, what is the user accounts password?
What utility can we use to map remote SMB shares?
Which option will list shares?
How many remote shares is the server listing?
There is one particular share that we have access to that contains a text file. Which share is it?
What is the content of the file?
Decoding the contents of the file, what is the full contents?
What method allowed us to dump NTDS.DIT?
What is the Administrators NTLM hash?
What method of attack could allow us to authenticate as the user without the password?
Using a tool called Evil-WinRM what option will allow us to use a hash?
backup
Administrator