Active Directory Penetration Test Report Jacob Scheetz PDF
TryHackMe
Attacktive Directory
Penetration Test Report | Attacking AD Domain
Introduction
With over 96% of the corporate world running on Windows, it is absolutely critical to
understand the largest attack surface in the world. Okta, a security research firm, estimates
that of the vast majority of businesses powered by Windows, 95% use Active Directory to
manage users and policies [1]. This is why it is absolutely critical to understand the
weaknesses and methods used to undermine businesses that run on Windows Active
Directory. In this module, the goal is to exploit a mock corporate network simulating a
real Active Directory infrastructure. This is a blackbox-style penetration test where the only
information known about the target is that it uses AD. This report on the simulation
demonstrates several techniques for exploiting Windows Active Directory protocols, such as
Kerberoasting, ASREProasting, SMB enumeration, NTLM hashing, Passing the Hash, etc.
[1] https://www.okta.com/businesses-at-work/2017-01
Additionally, all solutions to these exploits are my own work. All explicit flags will be
blurred or covered to prevent flag sharing, as TryHackMe requests. All important aspects of
each process are described step by step, and all critical information from each step is
highlighted in the screenshots below. Any inquiries about the methods or procedures used
(or to simply contact me) can be sent to: j [email protected]
Enumeration
I always begin the enumeration phase with an nmap scan, even when working with Windows
machines. The open ports can be seen in the results below:
From this point I had a good idea of what is on the machine: we know there is an AD
because LDAP and Kerberos are open. Additionally, the LDAP service version confirmed that
AD is in fact running and that the domain is “spookysec.local”.
Since further enumerating this machine will only paint a clearer picture of how to establish
access and how we want to attack it, I used another enumeration tool, this time one
specifically geared towards Windows. I used enum4linux to see if any users or shares could
be obtained without credentials:
While no shares or users could be obtained this way, the name of the domain's workgroup
was: “THM-AD”.
Knowing that the machine we are attacking has Kerberos open, we can use a technique
called Kerberoasting to gain an idea of what users are on this domain controller.
At a high level, in Kerberoasting we ask the domain controller whether there is a TGT for a
specific username, and if there is, the DC responds with a TGT for that user. Once we
have the TGT for a user we can request a Service Ticket, which contains a password hash.
This hash can be taken and cracked offline, after which we are able to gain access to an
account without authenticating to a service. This technique is used in the tool Kerbrute,
and the results are below:
This tool turned over a lot of information. First and most importantly, kerbrute notified
me that the svc-admin account did not require pre-authentication, so it dumped the
password hash for me to crack offline. This gives us admin access to the environment.
Secondly, the backup account for the environment was also enumerated, which could
potentially be alarming.
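The two findings above, an account flagged as not requiring Kerberos pre-authentication and a user list obtained by guessing names against the KDC, are both things a defender can check for directly. The following Python is an added example written for this report, not part of the original or of any tool it uses: it decodes the userAccountControl attribute to find AS-REP roastable accounts, then scans Kerberos TGT-request audit records (Event ID 4768) for tickets issued without pre-authentication and for the burst of unknown-principal failures that username enumeration leaves behind. The account records and event lines are constructed samples in a flattened key=value form; field names follow the Windows 4768 event schema, but the threshold and sample addresses are assumptions.

```python
import re

# userAccountControl bits (values from the ADS_USER_FLAG enumeration).
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x000002
DONT_REQ_PREAUTH = 0x400000


def decode_uac(value):
    """Names of the userAccountControl bits set in value, in ascending bit order."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def asrep_roastable(accounts):
    """Enabled accounts that do not require Kerberos pre-authentication.

    Anyone who can reach the KDC can obtain an AS-REP for such an account and
    attack the encrypted part offline, which is what happened to svc-admin.
    """
    return [a["sAMAccountName"] for a in accounts
            if a["userAccountControl"] & DONT_REQ_PREAUTH
            and not a["userAccountControl"] & ACCOUNTDISABLE]


# Constructed sample of an LDAP query result: svc-admin and backup follow the
# report, olduser is a disabled decoy that must not be reported.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-admin", "userAccountControl": 0x200 | 0x10000 | 0x400000},
    {"sAMAccountName": "backup",    "userAccountControl": 0x200 | 0x10000},
    {"sAMAccountName": "olduser",   "userAccountControl": 0x200 | 0x2 | 0x400000},
]

# Constructed Event ID 4768 (Kerberos TGT requested) records flattened to
# key=value pairs. Status 0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN (no such user);
# PreAuthType 0 means the request carried no pre-authentication data.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=svc-admin PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.5",
    "EventID=4768 TargetUserName=backup PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.30",
    "EventID=4768 TargetUserName=jsmith PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6 IpAddress=10.10.14.5",
    "EventID=4768 TargetUserName=mjones PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6 IpAddress=10.10.14.5",
    "EventID=4768 TargetUserName=svc-sql PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6 IpAddress=10.10.14.5",
]

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened key=value record into a dict."""
    return dict(FIELD.findall(line))


def asrep_roast_events(lines):
    """Successful TGT issuance with no pre-authentication and an RC4 (0x17) ticket,
    the combination an AS-REP roasting tool asks for."""
    hits = []
    for ev in map(parse_event, lines):
        if (ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0"
                and ev.get("TicketEncryptionType") == "0x17" and ev.get("Status") == "0x0"):
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits


def enumeration_sources(lines, threshold=3):
    """Source addresses with at least `threshold` unknown-principal failures,
    the footprint of username guessing against the KDC (threshold is an assumption)."""
    counts = {}
    for ev in map(parse_event, lines):
        if ev.get("EventID") == "4768" and ev.get("Status") == "0x6":
            counts[ev["IpAddress"]] = counts.get(ev["IpAddress"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct["sAMAccountName"], decode_uac(acct["userAccountControl"]))
    print("AS-REP roastable:", asrep_roastable(SAMPLE_ACCOUNTS))
    print("Roasted in logs:", asrep_roast_events(SAMPLE_4768))
    print("Enumeration sources:", enumeration_sources(SAMPLE_4768))
```

The remediation for the first finding is to clear the DONT_REQ_PREAUTH bit on every account the audit returns; where an application genuinely needs it, a long random password on that account removes the offline cracking exposure. The 0x17 check matters because the RC4 ticket is what makes the hash cheap to crack; enforcing AES-only Kerberos encryption changes the encryption type to 0x12 and raises the cost considerably.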
Exploitation
Password Cracking
Now that the ASREP hash for the service admin account has been obtained via Kerbrute, I
took it over to Hashcat to crack it. Cracking revealed the password as “management2005”,
which shows organizations that weak passwords on admin accounts can be a critical
vulnerability: this weak password took me only roughly 20 minutes to crack!
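A password filter of the kind that would have rejected “management2005” before it was ever set is a small amount of code. The following Python is an added example for this report, not anything from the original or from TryHackMe: it normalises a candidate password (lower-case, strip a trailing year or symbol run, undo common leetspeak substitutions) and then checks it against a banned-word list and a minimum length. The banned words, the 14-character minimum and the substitution table are constructed assumptions; a real deployment would feed it a breached-password set and the organisation's own names.

```python
import re

# Constructed banned-word list; a real deployment would use a breached-password
# set plus organisation-specific terms (company name, product names, site names).
BANNED_WORDS = sorted({"management", "password", "welcome", "admin", "backup", "spookysec"})
MIN_LENGTH = 14  # assumed policy value

# Common substitutions people use to dodge dictionary checks (assumed table).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "$": "s", "!": "i", "7": "t"})
# A trailing year or short digit/symbol run, as in management2005 or Welcome1!
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*.?]{1,6}$")
YEAR_SUFFIX = re.compile(r"(19|20)\d{2}$")


def normalise(password):
    """Lower-case, strip the trailing digit/symbol run, then undo leetspeak."""
    core = TRAILING_JUNK.sub("", password.lower())
    return core.translate(LEET)


def check_password(password):
    """Policy violations for a candidate password; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    stem = normalise(password)
    for word in BANNED_WORDS:
        if word in stem:
            problems.append(f"contains banned word '{word}'")
    if YEAR_SUFFIX.search(password):
        problems.append("ends with a year")
    return problems


if __name__ == "__main__":
    for candidate in ["management2005", "M@nagement2005!", "Sp00kysec!2024",
                      "Welcome1!", "correct-horse-battery-staple"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

The normalisation step is what matters: a plain dictionary lookup accepts “M@nagement2005!”, while stripping the suffix and undoing the substitutions reduces it to the same stem as the password the report cracked. Service accounts deserve the stricter treatment of a long random secret (or a group managed service account) rather than a human-style password at all.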
Now that I have the logon information for the service admin account, I moved on to
connecting to the available shares on the domain. To see what shares there were, I used
smbclient:
All of these shares are standard and expected here, besides the backup share. I first tried
connecting to the ADMIN$ and C$ shares but did not have access to them. This led me to
try connecting to the backup share, since it was the abnormal share in this list, which was
done with:
This connected successfully, and as seen above, once the directory contents were listed
there was a file containing backup credentials, which I was able to download to my own
machine. The contents of the backup credentials file are as follows:
This looked like base64 encoding to me, so I used CyberChef to decode the contents:
This appears to be the backup user’s credentials on the domain; we now have credentials
for two users on the DC. Since the last account did not have admin privileges, I tried this
new backup account for the same privileges but was not able to get a shell. However, since
it is a backup account, we now have access to the history of the DC, which includes stored
passwords.
Now that I have access to the backup account, which consequently has access to all of the
stored passwords on the domain controller, I want to dump all of the stored NTLM hashes I
can get hold of. To do this, part of the impacket kit, secretsdump, is used:
The output of secretsdump provided a lot of valuable information: there are Golden
tickets in this as well as NTLM hashes that I can use to gain access to other accounts.
Circled in blue is the NTLM hash of the local admin account on the DC. I was able to skip
cracking the hash for this account by passing the hash. This works because I know that
the hash I have is the hash of the correct password, so to gain access all I have to do is
pass the hash. To do this, another tool from impacket called psexec was used, which can be
seen below:
As seen above, psexec was able to pass the hash to the DC, authenticate to the ADMIN$
share with write privileges, and then upload a malicious file that enabled it to launch a shell
on the system as NT AUTHORITY\SYSTEM (admin). This DC has now been completely
compromised, with admin access to everything.
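Each step of that final chain leaves a record on the domain controller: the pass-the-hash logon arrives as an NTLM network logon (Security Event 4624, logon type 3) from a machine the domain has never seen, the upload to ADMIN$ is a share access check with the WriteData bit (Security Event 5145), and the shell comes from a new service whose binary sits in the Windows directory (System Event 7045). The following Python is an added example written for this report, not part of the original or of impacket: it applies those three rules to constructed sample records and correlates a suspicious service install with the NTLM logon that preceded it. The host inventory, the time window, the random-name heuristic and all addresses and names are assumptions, not a vendor signature.

```python
import re
from datetime import datetime, timedelta

FIELD = re.compile(r"(\w+)=(\S+)")
# A service binary sitting directly in the Windows directory (what ADMIN$ maps
# to) rather than under System32 or Program Files.
WINROOT_EXE = re.compile(r"^(%SystemRoot%|[A-Za-z]:\\Windows)\\([^\\]+)\.exe$", re.IGNORECASE)


def parse_event(line):
    """Turn one flattened key=value record into a dict with a parsed timestamp."""
    ev = dict(FIELD.findall(line))
    ev["ts"] = datetime.fromisoformat(ev["Time"])
    return ev


def looks_random(name):
    """Assumed heuristic for machine-generated names: 4-8 letters, mixed case, no vowel pairs."""
    return (re.fullmatch(r"[A-Za-z]{4,8}", name) is not None
            and name != name.lower() and name != name.upper()
            and re.search(r"[aeiou]{2}", name.lower()) is None)


def pth_logon_events(events, known_hosts):
    """Network (type 3) NTLM logons from a workstation that is not in the inventory.
    Kerberos is the norm inside a domain, so NTLM from an unknown host is what a
    hash-based logon from an attacker's own machine looks like on the target."""
    return [ev for ev in events
            if ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("WorkstationName") not in known_hosts]


def admin_share_writes(events):
    """5145 share-access checks against ADMIN$ that carry the WriteData bit (0x2)."""
    return [(ev["IpAddress"], ev["RelativeTargetName"]) for ev in events
            if ev.get("EventID") == "5145" and ev.get("ShareName", "").endswith("ADMIN$")
            and int(ev.get("AccessMask", "0"), 16) & 0x2]


def suspicious_service_events(events):
    """7045 installs whose binary was dropped in the Windows root with a random-looking name."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "7045":
            continue
        m = WINROOT_EXE.match(ev.get("ImagePath", ""))
        if m and (looks_random(m.group(2)) or looks_random(ev.get("ServiceName", ""))):
            hits.append(ev)
    return hits


def correlate(events, known_hosts, window_seconds=120):
    """Pair each suspicious service install with an NTLM logon that preceded it within the window."""
    logons = pth_logon_events(events, known_hosts)
    alerts = []
    for svc in suspicious_service_events(events):
        for lg in logons:
            gap = svc["ts"] - lg["ts"]
            if timedelta(0) <= gap <= timedelta(seconds=window_seconds):
                alerts.append({"account": lg["TargetUserName"], "source": lg["IpAddress"],
                               "service": svc["ServiceName"], "binary": svc["ImagePath"]})
    return alerts


# Constructed sample: Security log 4624/5145 and System log 7045 records
# flattened to key=value pairs. Host names, addresses and times are made up.
SAMPLE_LINES = [
    r"Time=2021-03-01T08:00:00 EventID=7045 ServiceName=Sysmon64 ImagePath=C:\Windows\Sysmon64.exe StartType=2",
    r"Time=2021-03-01T09:30:00 EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos TargetUserName=backup WorkstationName=WS01 IpAddress=10.10.10.30",
    r"Time=2021-03-01T10:00:00 EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=Administrator WorkstationName=KALI IpAddress=10.10.14.5",
    r"Time=2021-03-01T10:00:03 EventID=5145 ShareName=\\*\ADMIN$ RelativeTargetName=gHqTeRsw.exe AccessMask=0x2 IpAddress=10.10.14.5",
    r"Time=2021-03-01T10:00:05 EventID=7045 ServiceName=vDzR ImagePath=%SystemRoot%\gHqTeRsw.exe StartType=3",
]
KNOWN_HOSTS = {"DC01", "WS01"}  # assumed inventory of domain-joined machines
EVENTS = [parse_event(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    print("ADMIN$ writes:", admin_share_writes(EVENTS))
    for alert in correlate(EVENTS, KNOWN_HOSTS):
        print("ALERT", alert)
```

The correlation is deliberately loose (any qualifying logon within two minutes) because the 7045 record in the System log does not carry the source address. The legitimate Sysmon install in the sample is ignored because its name is a recognisable word with digits, which is also the weakness of the heuristic: an operator who names the dropped binary after a real product slips past it, so the NTLM-from-unknown-host rule and the ADMIN$ write rule should stand on their own as well.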
Flags
*** All flags can be found on the respective users' Desktop. The flags provided here are solely for
proof of completion and are covered to prevent flag sharing. ***