OSINT (open source intelligence) is the collection and analysis of information from publicly available sources, here used to identify and profile a persona.
Usually OSINT centres on uncovering someone's activities as part of an investigation into an identity on the internet. Google, Facebook, Twitter, GitHub and other public sources are where OSINT practitioners go to gather information.
In this post we cover what OSINT is and how to gather information from public resources. We solve a case in which we uncover a persona using Google and GitHub. This was part of TryHackMe Advent of Cyber 3 Day 16.
The challenge scenario goes as follows:
Grinch Enterprises has decided to use the best festival company to try their new ransomware service. While they think that this is a great proving ground, McSkidy is adamant to determine their goals and share them with the wider security community – can you use your open source intelligence methods to find out more information about their ransomware gang!
Learning Objectives
- Understand what OSINT is and where it originates
- Understand the implications of OSINT and how it can be used for reconnaissance and information gathering
- Learn how to conduct an OSINT investigation to gather information on an individual
Finding Our Way In
My first step is always reconnaissance. I run an Nmap scan to see which services the target exposes. The scan shows that it is a domain controller: Kerberos (88/tcp), DNS (53) and LDAP (389) are all listening.
Next, I use Enum4linux to enumerate users on the domain over SMB, which gives me a list of candidate accounts. I then feed that list to Kerbrute, which confirms which usernames the KDC accepts and flags any account that has Kerberos pre-authentication disabled. Pre-authentication normally forces the client to prove it knows the password (by sending a timestamp encrypted with the user's key) before the KDC will issue a TGT. If an account is set to "Do not require Kerberos preauthentication", anyone can request a TGT for it without a password and receive a reply encrypted under the user's key, which is the basis of AS-REP Roasting. In this case, I find that the user "svc-admin" has pre-authentication disabled.
AS-REP Roasting and Getting a Foothold
With a vulnerable user identified, I use the Impacket script GetNPUsers.py to perform the AS-REP Roasting attack. It sends an AS-REQ for "svc-admin" without pre-authentication, and because the account does not require it, the domain controller answers with an AS-REP whose encrypted part is encrypted with a key derived from the user's password (for the RC4-HMAC encryption type, that key is the user's NT hash). The reply does not contain the hash itself, but the ciphertext can be tested offline against password guesses, and the script prints it in a format that John the Ripper and hashcat understand.
I take that hash and use John the Ripper with the rockyou.txt wordlist to crack it. It doesn't take long to find the password. With the credentials for the "svc-admin" account, I can now authenticate to the machine.
Kerberoasting for Privilege Escalation
Now that I'm in, my goal is to escalate my privileges. This is where Kerberoasting comes in. Any authenticated domain user can ask the KDC for a service ticket for any registered Service Principal Name (SPN), and that ticket is encrypted with the key of the account the SPN belongs to. I use another Impacket script, GetUserSPNs.py, to query the domain controller for SPNs registered on user accounts (as opposed to machine accounts, whose passwords are long and random) and to request a ticket for each. I find one for the "backup" user.
Just as with AS-REP Roasting, this gives me a hash that I can crack offline. I use John the Ripper again and get the password for the "backup" user.
The Final Step: DCSync
The "backup" user has some interesting permissions. When I check the account's group memberships and its effective rights on the domain object, I find that it has been granted the Replicating Directory Changes (and Replicating Directory Changes All) extended rights, together known as DCSync rights. This is among the most powerful privileges in Active Directory: it lets the holder behave like a domain controller and ask the real DC to replicate account secrets, which means I can request the password hash of any user, including the domain administrator.
I use the secretsdump.py script from Impacket with the "backup" user's credentials to perform a DCSync attack. This pulls the NTLM hashes of every domain account from the domain controller over the replication protocol, including the one for the "administrator" account, without ever touching NTDS.dit on disk.
With the administrator's NT hash I don't need the plaintext password: NTLM authentication only proves knowledge of the hash, so I can use a Pass-the-Hash attack with a tool like psexec.py to get a shell on the domain controller with full administrative privileges. And that's it, the machine is owned!
Technical Commands
Here's a list of the commands I used in my terminal during this engagement (the Impacket scripts prompt for the user's password when none is given on the command line):
- Nmap Scan:
nmap -sV -sC <target_ip>
- User Enumeration:
enum4linux -U <target_ip>
- Kerbrute for Pre-Auth Check:
kerbrute userenum --dc <target_ip> -d <domain> <user_list>
- AS-REP Roasting:
python3 GetNPUsers.py <domain>/<user> -no-pass -dc-ip <target_ip>
- Password Cracking:
john --wordlist=/usr/share/wordlists/rockyou.txt <hash_file>
- Kerberoasting:
python3 GetUserSPNs.py -request -dc-ip <target_ip> <domain>/<user>
- DCSync Attack:
python3 secretsdump.py -just-dc <domain>/<user>@<target_ip>
- Pass-the-Hash (Impacket takes the hash as LM:NT; the LM half can be left empty before the colon):
python3 psexec.py -hashes <lm_hash>:<nt_hash> <domain>/administrator@<target_ip>
TryHackMe Advent of Cyber Room Answers
What is the operator’s username?
GrinchWho31
What social media platform is the username associated with?
Twitter
What is the cryptographic identifier associated with the operator?
1GW8QR7CWW3cpvVPGMCF5tZz4j96ncEgrVaR
What platform is the cryptographic identifier associated with?
keybase.io
What is the bitcoin address of the operator?
bc1q5q2w2x6yka5gchr89988p2c8w8nquem6tndw2f
What platform does the operator leak the bitcoin address on?
GitHub
What is the operator’s personal email?
DonteHeath21@gmail.com
What is the operator’s real name?
Donte Heath
Video Walk-Through