Recently we were on an internal network pentest whose end goal was to demonstrate the compromise of a Domain Admin account, or to become one ourselves.
Our first tool of choice was Responder in Analyze mode. This mode lets you see NBT-NS, BROWSER, LLMNR and DNS requests on the network without poisoning any responses; in simple words, it performs passive reconnaissance for you.
root@kali: python Responder.py -I eth1 -A
From the above output we could tell that the network looked vulnerable to LLMNR and NBT-NS poisoning: hosts were broadcasting name lookups that a poisoner could answer. Firing up Responder with the respective flags, we captured the NetNTLM challenge/response hashes of users over the network.
root@kali: python Responder.py -I eth1 -Pbv
We also got some cleartext credentials of users through Responder's WPAD handling (the -w flag; with -b the rogue server asks for HTTP Basic authentication instead of NTLM, so the password arrives in the clear). Most of them belonged to normal internal users, but by continuing to run Responder on the network we captured the hash of the Servicedesk account.
We then cracked the captured hash with Hashcat and a dictionary file. Now it was time to abuse the cracked Servicedesk credentials to dig deeper into the infrastructure. Using the trick explained in the article by @sixdb, we ran runas.exe with the /netonly flag. This launches cmd.exe so that everything it does over the network authenticates as the domain user (Servicedesk), while the local token stays that of our non-domain-joined system. One caveat: /netonly does not validate the password when the process starts; a wrong password only shows up as an access-denied error on the first request to a domain resource.
From that cmd.exe we could run various tools as an authenticated domain user; we used PowerSploit (its PowerView functions) to dump more information about the domain, enumerating the Domain Controllers and the members of the Domain Admins group.
Next we needed a path to a Domain Admin account, and for that we used BloodHound. It reveals hidden and often unintended relationships within an Active Directory environment, which in turn speeds up the escalation process.
The BloodHound ingestor generates three CSV files (group memberships, local admin rights and user sessions), which are imported into BloodHound's Neo4j database for visualization.
Using the visualization generated by BloodHound, we ran the "Shortest Path to Domain Admins" query.
The generated graph shows the number of hops required to reach a machine where a Domain Admin is logged in. With our cmd.exe access we could have run Invoke-Mimikatz.ps1 to dump credentials from that first-hop server, but nowadays practically every AV engine flags these scripts.
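To make the "hops" concrete, the following is an added example (not the original post's code and not BloodHound's own) that rebuilds the shortest-path query in plain Python over three small CSV snippets in the style of the old PowerShell ingestor's group-membership, local-admin and session output. The column names and every account, group and host name are assumptions constructed for the example. The edge semantics mirror BloodHound's: MemberOf (account to group), AdminTo (principal to computer) and HasSession (computer to the user logged in there).

```python
"""'Shortest Path to Domain Admins' rebuilt over the three ingestor CSVs.
All CSV content below is CONSTRUCTED; column names are an assumption in the
style of the old BloodHound PowerShell ingestor, not copied from the post."""
import csv
import io
from collections import deque
from typing import Dict, List, Optional, Tuple

GROUP_MEMBERSHIP_CSV = """GroupName,AccountName,AccountType
HELPDESK@CORP.LOCAL,servicedesk@CORP.LOCAL,user
DOMAIN ADMINS@CORP.LOCAL,da.admin@CORP.LOCAL,user
DOMAIN USERS@CORP.LOCAL,servicedesk@CORP.LOCAL,user
DOMAIN USERS@CORP.LOCAL,da.admin@CORP.LOCAL,user
"""

LOCAL_ADMINS_CSV = """ComputerName,AccountName,AccountType
SRV01.CORP.LOCAL,HELPDESK@CORP.LOCAL,group
WS07.CORP.LOCAL,DOMAIN USERS@CORP.LOCAL,group
"""

SESSIONS_CSV = """UserName,ComputerName
da.admin@CORP.LOCAL,SRV01.CORP.LOCAL
svc.backup@CORP.LOCAL,WS07.CORP.LOCAL
"""

Edge = Tuple[str, str]            # (relationship, target node)
Step = Tuple[str, str, str]       # (source, relationship, target)


def build_graph(groups: str, admins: str, sessions: str) -> Dict[str, List[Edge]]:
    """Directed graph with BloodHound's edge directions:
    MemberOf: account -> group; AdminTo: principal -> computer;
    HasSession: computer -> user (credentials of that user can be dumped there)."""
    g: Dict[str, List[Edge]] = {}

    def add(src: str, rel: str, dst: str) -> None:
        g.setdefault(src, []).append((rel, dst))
        g.setdefault(dst, [])

    for row in csv.DictReader(io.StringIO(groups)):
        add(row["AccountName"], "MemberOf", row["GroupName"])
    for row in csv.DictReader(io.StringIO(admins)):
        add(row["AccountName"], "AdminTo", row["ComputerName"])
    for row in csv.DictReader(io.StringIO(sessions)):
        add(row["ComputerName"], "HasSession", row["UserName"])
    return g


def shortest_path(g: Dict[str, List[Edge]], start: str, target: str) -> Optional[List[Step]]:
    """Breadth-first search: the first time the target is dequeued, the recorded
    parent chain is a path with the fewest hops. Returns None if unreachable."""
    parents: Dict[str, Optional[Tuple[str, str]]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            steps: List[Step] = []
            while parents[node] is not None:
                prev, rel = parents[node]
                steps.append((prev, rel, node))
                node = prev
            return steps[::-1]
        for rel, nxt in g.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, rel)
                queue.append(nxt)
    return None


def path_to_domain_admins(owned: str = "servicedesk@CORP.LOCAL") -> Optional[List[Step]]:
    g = build_graph(GROUP_MEMBERSHIP_CSV, LOCAL_ADMINS_CSV, SESSIONS_CSV)
    return shortest_path(g, owned, "DOMAIN ADMINS@CORP.LOCAL")


def first_hop_server(path: Optional[List[Step]]) -> Optional[str]:
    """The AdminTo target on the path is the host to dump credentials from."""
    if not path:
        return None
    return next((dst for _, rel, dst in path if rel == "AdminTo"), None)


if __name__ == "__main__":
    p = path_to_domain_admins()
    for src, rel, dst in p or []:
        print(f"{src} -[{rel}]-> {dst}")
    print("first hop:", first_hop_server(p))
```

On the constructed data the path is servicedesk to HELPDESK to SRV01 to da.admin to Domain Admins, and SRV01, the AdminTo target, is the "first hop" server against which the credential dump is run. Real BloodHound runs the equivalent query in Neo4j and, with later ingestors, adds many more edge types (GenericAll, WriteDacl, GPO links and so on) that this example does not model.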
So to bypass AV detection we used Lazykatz, an automation developed to extract credentials from remote targets protected by AV and/or application-whitelisting software, built on top of @subtee's work.
Running Lazykatz with the Servicedesk account against the first-hop server, we obtained cleartext credentials of a member of the Domain Admins group. Using those credentials we added our user to the Domain Admins group.
Finally, we are members of the Domain Admins group. Happy hunting.