[Book] Attack and Defense About Domain Penetration


Introduction

This article keeps my notes and summaries of the book “Attack and Defense About Domain Penetration”.
The content will be updated continuously as I read through the book.

Reflection

This book might be difficult for readers who are not familiar with Windows.
Chapter 1 (Windows Protocols) and Chapter 2 (Fundamentals of Domain) may be tedious, abstract, and confusing for beginners.

This book introduces many protocols and tools related to Active Directory penetration. It is not necessary to understand all the content in the book, such as the usage of tools or the detailed implementation of different protocols and exploitation techniques, because doing so would be time-consuming and difficult for beginners to Windows domains.

My suggestion is to first understand the terminology, and then grasp the fundamentals (DON’T GO TOO DEEP!). You will master this knowledge and these skills through hands-on practice.

LET’S GO!


Chapter.1 - Windows Protocols

1.1 - NTLM Protocol

NTLM(New Technology LAN Manager) protocol is a well-known authentication protocol introduced by Microsoft and used in Windows environments.

SSPI and SSP

  1. SSPI (Security Support Provider Interface) is a suite of interfaces provided by Microsoft Windows. Its functions include:
    • Authentication
    • Providing a session security mechanism for other protocols.
  2. An SSP (Security Support Provider) implements the SSPI interface. Microsoft has implemented multiple SSPs, including:
    • NTLM SSP
    • Kerberos SSP
    • Digest SSP
    • Negotiate SSP
    • CredSSP
    • Schannel SSP
    • PKU2U SSP

SSPI and SSP architecture

Source: https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/security-support-provider-interface-architecture

LM Hash Cryptographic Algorithm

  1. Convert the user’s plaintext password to uppercase.
  2. Encode the password using the OEM character set.
  3. Pad the password with null bytes (0x00) or truncate it to exactly 14 bytes.
  4. Split the 14-byte password into two 7-byte halves.
  5. Each 7-byte half is used as a 56-bit DES key material and expanded to a 64-bit DES key by inserting parity bits.
  6. Each DES key is used to encrypt the fixed ASCII string "KGS!@#$%".
  7. Concatenate the two 8-byte ciphertexts to produce the final 16-byte LM hash.

LM Hash Algorithm

Source: https://www.hackercoolmagazine.com/how-windows-authentication-works/?srsltid=AfmBOopVgjnW7fm4wUOG7pfkjyrq--TEYBE0ULgNVM02-XNCYUbeT7V1

NTLM Hash Cryptographic Algorithm

Table (from the book): default hash algorithm (LM vs. NTLM) by Windows version, Windows 2000 through Windows Server 2012. The table cells did not survive extraction; only the column headings (Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows Server 2012) and the row labels (LM, NTLM) are recoverable.
  1. NTLM Hash Encryption Procedure

    1. Convert the user’s password into hexadecimal.
      P@ss1234 -> Hex() = 5040535331323334
    2. Convert the ASCII bytes into Unicode (UTF-16LE).
    3. Compute the MD4 hash of the UTF-16LE encoded password.

    import hashlib
    import binascii

    # MD4 is only available through OpenSSL's "legacy" provider; on OpenSSL 3 builds
    # hashlib.new("md4") raises ValueError ("unsupported hash type") unless that provider is loaded.
    print("NTLM_Hash: " + binascii.hexlify(hashlib.new("md4", "P@ss1234".encode("utf-16le")).digest()).decode("utf-8"))
  2. How Windows Stores the NTLM Hash:
    Windows stores NTLM password hashes in the Security Account Manager (SAM) database, located at C:\Windows\System32\config\SAM. The hashes are stored in encrypted form and protected by the SYSTEM key.

    When a user attempts to log in, the Local Security Authority Subsystem Service (lsass.exe) is responsible for authentication. The user’s plaintext password is not stored on disk. Instead, LSASS computes the NTLM hash of the provided password and compares it against the encrypted NTLM hash stored in the SAM database.

    The winlogon.exe process is responsible for displaying the logon interface when a user signs out, restarts, or logs on. The entered credentials are passed to LSASS for authentication processing.

    During authentication, credential material such as NTLM hashes, Kerberos tickets, and, in some cases, plaintext passwords may temporarily reside in LSASS memory. Tools such as mimikatz can extract these credentials by reading the memory of lsass.exe with sufficient privileges.

NTLM Protocol Authentication

The NTLM protocol is based on Challenge/Response and consists of 3 message types:

  • Type 1: Negotiate
  • Type 2: Challenge
  • Type 3: Authentication

There are two versions, NTLMv1 and NTLMv2, and NTLMv2 is the most widely used. The most significant differences are the length of the Challenge and the algorithm applied to it. What they have in common is that both use the NTLM hash.

  1. Authentication In A Workgroup
    1. Negotiation (Type 1):
      The client initiates contact, sending a message to the server listing its supported NTLM features and capabilities.
    2. Challenge (Type 2):
      The server responds, acknowledging the client’s message and sending back a unique, random 16-byte number called a “challenge” (or nonce).
    3. Response (Type 3):
      The client takes the server’s challenge and encrypts it using a hash of the user’s password (not the password itself).
    4. Verification:
      The server receives the response and either verifies it directly or forwards the username, challenge, and response to the DC.
  2. Authentication In A Domain

    1. Negotiation:
      The user provides credentials (username, password, domain) to the client. The client computes the NTLM hash of the password, stores it locally, and sends the NTLMSSP_NEGOTIATE message created by the NTLM SSP. This Type 1 message carries only the username.

    2. Challenge:
      The server (or resource server) receives the username, then sends back a Challenge message (Type 2, aka NTLMSSP_CHALLENGE, created by the NTLM SSP) containing a random 16-byte number (nonce) and server flags.

  3. NTLMv1 v.s. NTLMv2

    1. Challenge
      • NTLMv1: 8-byte
      • NTLMv2: 16-byte
    2. Net-NTLM Hash Cryptography Algorithm:

      • NTLMv1: DES
      • NTLMv2: HMAC-MD5

      How NTLMv1 creates the Response message:

      1. Pad the 16-byte NTLM hash to 21 bytes.
      2. Divide it into 3 groups of 7 bytes each; each group is used as a DES key.
      3. Encrypt the Challenge received from the server with DES under each of the 3 keys.
      4. Concatenate the 3 ciphertexts.

      Format of Net-NTLMv1 Hash:

      username::hostname:LM response:NTLM response:challenge

      Extracting Net-NTLM v1 Hash:

      > InternalMonologue.exe
  4. LmCompatibilityLevel
    | Value | Description |
    | --- | --- |
    | 0 | |
    | 1 | |
    | 2 | |
    | 3 | |
    | 4 | |
    | 5 | |

    • HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel. Generally, the lmcompatibilitylevel value does not exist.

      Set lmcompatibilitylevel to 2:

      > reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ /v lmcompatibilitylevel /t REG_DWORD /d 2 /f

Security issues of NTLM Protocol

The client creates the Type 3 message (NTLMSSP_AUTH) from the hash of the user’s password. If the attacker does not have the user’s password but does have the hash, the attacker can perform a PTH (Pass The Hash) attack. Also, because the Type 3 message contains the Net-NTLM hash, an attacker can perform a MITM (Man In The Middle) attack and relay the Net-NTLM hash; this is known as an NTLM Relay attack.

  1. Pass The Hash (PTH):
    The attacker performs PTH when the hash cannot be cracked: the hash is passed to other machines and exploited through port 135 or 445.
  2. NTLM Relay:
    More specifically, Net-NTLM Relay.
  3. Net-NTLM v1 Hash Cracking
    A Net-NTLM v1 hash can be cracked regardless of the strength of the password.

    Enable NTLMv1:

    > reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ /v lmcompatibilitylevel /t REG_DWORD /d 2 /f

    To ensure NTLMv1 is enabled:

    > reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ /v NtlmMinClientSec /t REG_DWORD /d 536870912 /f
    > reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ /v RestrictSendingNTLMTraffic /t REG_DWORD /d 0 /f

1.2 - Kerberos Protocol

  • Operates on the DC.
  • krbtgt
  • KDC: Key Distribution Center
  • Ticket
  • ST: Service Ticket
  • TGT: Ticket Granting Ticket

A TGT is required to obtain an ST.

  • Port 88: Authentication.
  • Port 464: Password reset.

AS_REQ & AS_REP and TGS_REQ & TGS_REP.
S4U: used for delegation

  • S4U2Self, S4U2Proxy.
  • PAC

Kerberos Message Summary

Source: https://www.tarlogic.com/blog/how-kerberos-works/

PAC (Privilege Attribute Certificate)

typedef unsigned long ULONG;
typedef unsigned short USHORT;
typedef unsigned long long ULONG64;
typedef unsigned char UCHAR;

/* One entry of the buffer table: type, size and offset (from the start of PACTYPE) of a PAC buffer. */
typedef struct _PAC_INFO_BUFFER {
ULONG ulType;
ULONG cbBufferSize;
ULONG64 Offset;
} PAC_INFO_BUFFER;

/* PAC header: number of buffers, version (0), then the buffer table itself. */
typedef struct _PACTYPE {
ULONG cBuffers;
ULONG Version;
PAC_INFO_BUFFER Buffers[1];
} PACTYPE;
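A parser for the PACTYPE header and buffer table defined above, added here as an example (it is not code from the book). It builds a constructed PAC with three placeholder buffers, walks the PAC_INFO_BUFFER array, and bounds-checks every Offset/cbBufferSize pair before slicing, which is the check a consumer of an untrusted PAC must make. The ulType constants are the MS-PAC values for the logon info, client info and server checksum buffers; the payload bytes are constructed placeholders, not real KERB_VALIDATION_INFO or signature data, and the 8-byte alignment of buffer offsets follows MS-PAC.

```python
import struct

# PAC_INFO_BUFFER ulType values (MS-PAC) used in this example.
PAC_LOGON_INFO = 0x00000001       # KERB_VALIDATION_INFO
PAC_SERVER_CHECKSUM = 0x00000006  # signature over the PAC by the service key
PAC_CLIENT_INFO = 0x0000000A      # client name and authentication time

HEADER = struct.Struct("<II")        # cBuffers, Version
INFO_BUFFER = struct.Struct("<IIQ")  # ulType, cbBufferSize, Offset (little-endian, no padding)


def parse_pactype(blob: bytes) -> list:
    """Return [(ulType, payload_bytes), ...] for every buffer in the PACTYPE.
    Each Offset/cbBufferSize pair is validated against the blob before use, so a
    malformed PAC raises ValueError instead of causing an out-of-range read."""
    if len(blob) < HEADER.size:
        raise ValueError("PAC shorter than PACTYPE header")
    c_buffers, version = HEADER.unpack_from(blob, 0)
    if version != 0:
        raise ValueError(f"unsupported PAC version {version}")
    table_end = HEADER.size + c_buffers * INFO_BUFFER.size
    if table_end > len(blob):
        raise ValueError("PAC_INFO_BUFFER array overruns the PAC")
    entries = []
    for i in range(c_buffers):
        ul_type, size, offset = INFO_BUFFER.unpack_from(blob, HEADER.size + i * INFO_BUFFER.size)
        if offset < table_end or offset + size > len(blob):
            raise ValueError(f"buffer {i} (ulType {ul_type:#x}) points outside the PAC")
        entries.append((ul_type, blob[offset:offset + size]))
    return entries


def pac_is_well_formed(blob: bytes) -> bool:
    try:
        parse_pactype(blob)
        return True
    except ValueError:
        return False


def build_pactype(buffers: list) -> bytes:
    """Serialise [(ulType, payload), ...] as a PACTYPE: header, buffer table, then each
    payload placed at the next 8-byte-aligned offset from the start of the structure."""
    table_end = HEADER.size + len(buffers) * INFO_BUFFER.size
    table, body = bytearray(), bytearray()
    for ul_type, payload in buffers:
        while (table_end + len(body)) % 8:
            body.append(0)
        table += INFO_BUFFER.pack(ul_type, len(payload), table_end + len(body))
        body += payload
    return HEADER.pack(len(buffers), 0) + bytes(table) + bytes(body)


# Constructed sample PAC: payloads are placeholders, not real structures.
SAMPLE_PAC = build_pactype([
    (PAC_LOGON_INFO, b"\xAA" * 20),
    (PAC_CLIENT_INFO, b"\xBB" * 10),
    (PAC_SERVER_CHECKSUM, b"\x00" * 20),
])
# Same PAC with the tail cut off: the last buffer now points past the end of the data.
CORRUPT_PAC = SAMPLE_PAC[:-8]


if __name__ == "__main__":
    for ul_type, payload in parse_pactype(SAMPLE_PAC):
        print(f"ulType={ul_type:#x} size={len(payload)}")
    print("corrupt PAC accepted:", pac_is_well_formed(CORRUPT_PAC))
```

Parsing the table is only the first step: a service that trusts the buffers must still verify the PAC_SERVER_CHECKSUM (and, on a DC, the KDC checksum) before acting on the group SIDs in KERB_VALIDATION_INFO, since the silver ticket attack described later in this chapter works precisely by forging that content.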

PAC_VALIDATION_INFO

typedef struct _KERB_VALIDATION_INFO {
FILETIME LogonTime;
FILETIME LogoffTime;
FILETIME KickOffTime;
FILETIME PasswordLastSet;
FILETIME PasswordCanChange;
FILETIME PasswordMustChange;
RPC_UNICODE_STRING EffectiveName;
RPC_UNICODE_STRING FullName;
RPC_UNICODE_STRING LogonScript;
RPC_UNICODE_STRING ProfilePath;
RPC_UNICODE_STRING HomeDirectory;
RPC_UNICODE_STRING HomeDirectoryDrive;
USHORT LogonCount;
USHORT BadPasswordCount;
ULONG UserId;
ULONG PrimaryGroupId;
ULONG GroupCount;
[size_is(GroupCount)] PGROUP_MEMBERSHIP GroupIds;
ULONG UserFlags;
USER_SESSION_KEY UserSessionKey;
RPC_UNICODE_STRING LogonServer;
RPC_UNICODE_STRING LogonDomainName;
PISID LogonDomainId;
ULONG Reserved1[2];
ULONG UserAccountControl;
ULONG SubAuthStatus;
FILETIME LastSuccessfulILogon;
FILETIME LastFailedILogon;
ULONG FailedILogonCount;
ULONG Reserved3;
ULONG SidCount;
[size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
PISID ResourceGroupDomainSid;
ULONG ResourceGroupCount;
[size_is(ResourceGroupCount)] PGROUP_MEMBERSHIP ResourceGroupIds;
} KERB_VALIDATION_INFO;

AS-REQ & AS-REP

The TGT is generated by the KDC’s AS (Authentication Service).

The AS-REQ is the initial message a client sends to the KDC when requesting authentication. This message contains the username.

The AS-REP message contains the requested TGT, encrypted with a key derived from the user’s password hash. Under normal circumstances, this message is only sent after successful pre-authentication validation.

TGS-REQ & TGS-REP

AP-REQ & AP-REP Bidirectional Authentication

AP: Application Protocol

Security Issues of Kerberos Protocol

  • PTH: An attacker may perform PTH after obtaining the hash of the user’s password.
  • PTK: An attacker may perform PTK (Pass The Key) after obtaining the AES key derived from the user’s password.
  • Domain Account Enumeration
  • Password Spraying: fixed password, different usernames.
  • Golden Ticket Attack: Kerberos authentication relies on a KDC (Key Distribution Center), which issues TGTs (Ticket Granting Tickets) for user authentication. Attackers abuse this process by forging valid Kerberos tickets.
  • Silver Ticket Attack: To execute a silver ticket attack, an attacker must already have local administrator access on a compromised machine and obtain the NTLM hash of the targeted service account. Unlike a golden ticket attack, which grants full domain control, a silver ticket attack is more targeted, allowing adversaries to abuse a specific service account while bypassing certain security controls.
  • AS-REP Roasting: A Kerberos-based credential harvesting technique that targets accounts configured without Kerberos pre-authentication. An attacker can request an AS-REP for such an account, receive data encrypted with the account’s long-term key, and crack that encrypted blob offline to recover the plaintext password.

1.3 - LDAP

LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral protocol for accessing and managing distributed directory information services. Think of X.500 as the foundational standard for a vast, hierarchical phone book.

Fundamentals

  1. Fundamental Model
    1. Information Model: Defines how data is structured and stored.
    2. Naming Model: Defines how entries are named and organized. DN (Distinguished Name), RDN (Relative Distinguished Name).
      cn=John Doe,ou=Users,dc=example,dc=com
    3. Functional Model: Defines what operations LDAP can perform.
    4. Security Model: Defines how LDAP is protected.
  2. Application Factors
    1. Unique: Every LDAP entry has a unique Distinguished Name (DN).
    2. Inherited Characteristics: LDAP entries inherit characteristics from object classes.
    3. Replication: Directory data can be copied across multiple LDAP servers.
    4. Cross-Platform: LDAP is an open standard (RFC-based).
    5. Tree Hierarchy
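A small parser for the naming model, added as an example (not from the book): it splits a DN such as the one above into its RDNs from the leaf outward, honouring RFC 4514 backslash escapes so that a comma inside a value (`cn=Doe\, John`) does not split the entry, and shows the DC-to-DNS correspondence by rebuilding `example.com` from the `dc` components. Multi-valued RDNs joined with `+` and multi-byte `\XX` escapes are out of scope; the function names are this example's own.

```python
# Characters that RFC 4514 allows to be escaped with a single backslash.
_SPECIAL = ",=+<>#;\"\\ "


def parse_dn(dn: str) -> list:
    """Split a DN into [(attribute, value), ...], leaf RDN first.
    Escaped characters are unescaped; the attribute name is lower-cased."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in _SPECIAL:
                cur.append(nxt)
                i += 2
            else:
                # \XX hex escape; single byte treated as latin-1 (assumption of this example)
                cur.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))

    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        parsed.append((attr.strip().lower(), value))
    return parsed


def _escape(value: str) -> str:
    return "".join("\\" + c if c in _SPECIAL and c != " " else c for c in value)


def dn_parent(dn: str) -> str:
    """DN of the container one level up, re-escaped so it round-trips through parse_dn."""
    return ",".join(f"{a}={_escape(v)}" for a, v in parse_dn(dn)[1:])


def dn_domain(dn: str) -> str:
    """The DNS-style domain name implied by the dc= components (example.com for the DN above)."""
    return ".".join(v for a, v in parse_dn(dn) if a == "dc")


if __name__ == "__main__":
    dn = "cn=John Doe,ou=Users,dc=example,dc=com"
    print(parse_dn(dn))
    print(dn_parent(dn), "|", dn_domain(dn))
```

Escape handling is the part worth keeping: code that splits a DN on `,` without it will misplace any entry whose CN contains a comma (a common pattern for "Surname, Given name" display names), which matters whenever a DN is compared against an allow-list or used to decide which OU an object belongs to.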

Global Catalog

A Global Catalog is a special domain controller that stores:

  1. A full copy of all objects in its own domain.
  2. A partial copy of objects from all other domains in the forest.

Generally, the first domain controller (DC) in a new forest is configured as a Global Catalog (GC).
A Global Catalog stores a partial replica of all domains in the forest.
The GC listens on port 3268 for LDAP and 3269 for LDAP over SSL.

Chapter.2 - Domain Fundamentals

2.1 - Common Terminologies

  1. AD (Active Directory): stores information about network objects such as user accounts, computer accounts, and groups. Clients use LDAP to query and manage directory information in Active Directory, while Kerberos is used for authentication.
  2. ADDS: Active Directory Domain Services
  3. LDAP: Lightweight Directory Access Protocol
  4. DC: Domain Controller
  5. X.500 Standard
    1. DC: Domain Component (NOT Domain Controller); the concept is similar to DNS (Domain Name Resolution). For example: foo.com
    2. OU: Organizational Unit
    3. CN: Common Name
    4. DN: Distinguished Name
    5. RDN: Relative Distinguished Name
    6. UPN: User Principal Name
    7. Container:
    8. FQDN: Fully Qualified Domain Name

2.2 - Workgroup And Domain

Workgroup

Domain

  1. Types of Domain
    1. Single Domain
    2. Domain Tree
    3. Domain Forest
  2. Characteristics of Domain

Domain Functionality Level and Forest Functionality Level

  1. Domain Functionality Level

  2. Forest Functionality Level

2.3 - Domain Trust

Domain Trust enables resource sharing between multiple domains. Such access is available only when a trusted relationship exists. Domain Trust relies on the Kerberos Protocol for cross-domain authentication.

Trust Types

  1. One-Way Trust:
    In a one-way trust, domain A trusts domain B. This means users from domain B can access resources in domain A, but users from domain A cannot access resources in domain B. In other words, “I trust you, but you don’t trust me.”
  2. Two-Way Trust:
    Domain A trusts domain B and domain B trusts domain A. Since Windows Server 2003, two-way trust has been the default configuration for domains within the same forest. When a domain is added to a domain tree, a two-way transitive trust is automatically established.
  3. Shortcut Trust:
    A shortcut trust is a manually created two-way trust between two domains, typically used to improve authentication performance by shortening the trust path. It DOES NOT OCCUR AUTOMATICALLY and is commonly used in complex or large AD environments.

Internal Trust, External Trust And Forest Trust

Cross-Domain Access

2.4 - Configuration And Setting A Domain

2.5 - Local Account and AD Account

Local Account

Local accounts can only access resources on the local system and are isolated to a single machine. The default local accounts are built-in accounts (e.g. Administrator, Guest). They are created during Windows installation and cannot be deleted.

  1. Administrator:
    The Administrator account is created during Windows installation and has full control over the system. It cannot be deleted, but it can be renamed or disabled. For security reasons, this account is disabled by default in recent versions of Windows. Instead, Windows provides the Administrators group for privilege management.
    To enable the Administrator account:
    net user Administrator /active:yes
  2. Guest:
    The Guest account has a well-known RID of 501 (SID format: S-1-5-21-XX-501). It is disabled by default.
    This account allows users to log in with very limited privileges and is the only member of the Guests group.
    net localgroup Guests
  3. DefaultAccount:
    The DefaultAccount is also known as the DSMA (Default System Managed Account). It is a built-in account introduced in Windows 10 version 1607 and Windows Server. It is used to run multi-user-aware applications (MUMA apps), such as Xbox Shell.
    It is disabled by default on desktop Windows and Windows Server 2016. The account has a well-known RID of 503, and its SID format is S-1-5-21-XX-503.
    The DSMA is a member of the System Managed Accounts Group, which has the SID S-1-5-32-581.
    > net localgroup "System Managed Accounts Group"
    > wmic group get name,sid | findstr "System Managed Accounts Group"
  4. WDAGUtilityAccount:
    The WDAGUtilityAccount is an account used by Windows Defender Application Guard, introduced in Windows 10 version 1709 and Windows Server 2016.
    The account has a well-known RID of 504.

AD Account

An AD account (Active Directory account) refers to a security principal stored in Active Directory.

In Active Directory, accounts are mainly represented by different object types, such as User accounts and Computer accounts.
A Service Account is not a distinct account type in AD; it is usually implemented as a User account that is used to run services.

An SPN (Service Principal Name) is a Kerberos identifier for a service instance.
The presence of an SPN does not strictly indicate a service account, as SPNs can also be assigned to computer accounts.

To identify a computer account, properties such as objectClass or a sAMAccountName ending with $ are commonly used.

  1. User Account
    User Account represents a physical entity, such as a person.

    1. Local Account on DC(Domain Controller):
    2. Administrator:
    3. Guest:
    4. krbtgt:
    5. User account’s properties:

      | Property | Meaning |
      | --- | --- |
      | sn | Surname |
      | givenName | Given name |
      | initials | Initials |
      | displayName, cn and name | Name |
      | co | Country, region |
      | postalCode | Postal code |
      | st | State |
      | l | City |
      | streetAddress | Street address |
      | postOfficeBox | Post office box |
      | badPasswordTime | Date and time of the last failed logon. |

    6. User account’s options:

  2. Service Account
    A service account is a special user account.
  3. Computer Account
    A computer account is also a special user account, but users cannot log in.

    1. Create a computer account:
      1. Python
      2. PowerShell
    2. Computer Account’s Properties:
    3. Computer Account and system Account

2.6 - Local Group and Domain Group

Local Group

> net localgroup
> wmic group get name,sid
  1. Administrators
  2. Users
  3. Guests
  4. Backup Operators
  5. Remote Desktop Users
  6. Power Users
  7. Network Configuration Operators:
    Members of this group can configure TCP/IP settings and renew and release TCP/IP addresses.

Domain Group

  1. Types of Domain Group
    1. Security Group
    2. Distribution Group
  2. Scope of Domain Groups

    | Type | Members | Scope Conversion | Privilege Providence |
    | --- | --- | --- | --- |
    | Universal Group | | | |
    | Global Group | | | |
    | Domain Local Group | | | |

    1. Domain Local Group
    2. Global Group
    3. Universal Group
  3. Built-In Groups of AD
    1. Built-in domain local group
    2. Built-in global group
    3. Built-in universal group

2.7 - Directory Partition

Every Domain Controller (DC) running Active Directory Domain Services (AD DS) hosts replicas of one or more directory partitions.

A directory partition is also known as a Naming Context (NC).

In a typical Active Directory forest, the following directory partitions exist.

  1. Domain Directory Partition: contains domain-specific objects such as users, groups, and computers.
  2. Configuration Directory Partition: stores forest-wide configuration data, including sites and replication topology.
  3. Schema Directory Partition: defines all object classes and attributes used in Active Directory.
  4. Application Directory Partition: an optional partition used to store application-specific data and replicate it to selected DCs.

Domain Directory Partition

Configuration Directory Partition

Schema Directory Partition

Application Directory Partition

2.8 - SPN

2.9 - Group Policy of A Domain

Security Issues of Group Policy

2.10 - ACL

  1. Security Principals:
    A Security Principal is any entity that can be authenticated (e.g. a user account, a computer account, or a thread running in a security context).
  2. Security Identifiers (SID):
    A SID is the unique identifier of a Security Principal or Security Group.

Chapter.3 - Domain’s Tools

3.1 - BloodHound

BloodHound’s interface is based on Linkurious.

We use SharpHound to obtain information:

https://github.com/BloodHoundAD/SharpHound3
https://github.com/SpecterOps/SharpHound

> SharpHound3.exe -c all

We then import the *.zip from last step into BloodHound.

3.2 - Adfind

Adfind is a C++ based AD searching tool.

https://github.com/mai-lang-chai/AD-Penetration-Testing-Tools

> Adfind.exe /?
> Adfind.exe [switches] [-b basedn] [-f filter] [attr list]
> Adfind.exe -f objectclass=trusteddomain -dn

Querying DC

# Query name of DC (Domain Controller)
> Adfind.exe -sc dclist

# Query version of DC (Domain Controller)
> Adfind.exe -schema -s base objectversion

Querying Computer

# Query all computers, display DN only.
> Adfind.exe -f "objectcategory=computer" dn

# Query all computers, display name and operating system.
> Adfind.exe -f "objectcategory=computer" name operatingSystem

# Query active computers, display DN only.
> Adfind.exe -sc computers_active dn

# Query active computers, display name and OS.
> Adfind.exe -sc computers_active name operatingSystem

# Query the computer named "mail".
> Adfind.exe -f "&(objectcategory=computer)(name=mail)"

Querying Users

Querying Groups

Querying Delegation

3.3 - Admod

https://github.com/mai-lang-chai/AD-Penetration-Testing-Tools

Admod is a C++ based tool, used for AD modification.

3.4 - LDP

LDP is a Microsoft built-in tool, used for AD information querying. This tool is similar to ADExplorer, both of them are LDAP querying tool.

3.5 - Ldapsearch

This is a tool for Unix-like platforms. It is built into Kali Linux.

> ldapsearch -h

  | Parameter | Description |
  | --- | --- |
  | -H | LDAP URI |
  | -h | IP or resolvable hostname of the LDAP server; cannot be used with -H |
  | -p | LDAP port |
  | -x | Simple authentication |
  | -D | Bind DN (the user to bind as) |
  | -w | Bind password |
  | -W | Prompt for the bind password |

Usage

  1. Connection

    ldapsearch -H ldap://x.x.x.x:389 -D "hack@apt.com" -w P@ss1234
    ldapsearch -h x.x.x.x -p 389 -D "hack@apt.com" -w P@ss1234

    Important: -H and -h cannot be used together.

  2. Filtering

  3. Display

3.6 - PingCastle

PingCastle is a tool built by the CERT of ENGIE in France.

It is a free, open-source tool and methodology for assessing AD security.

  1. healthcheck
  2. conso
  3. carto
  4. scanner
  5. export
  6. advanced

3.7 - Kekeo

Kekeo is a tool for exploiting Kerberos. It is written by Benjamin, the author of mimikatz

https://github.com/gentilkiwi/kekeo

This tool has the following modules:

  1. standard(coffee…?)
  2. others(Significant parts!)

3.8 - Rubeus

Rubeus is a C# based tool. It is used for exploiting Kerberos Protocol.

https://github.com/GhostPack/Rubeus

3.9 - mimikatz

mimikatz is a powerful tool used for Windows security.

https://github.com/gentilkiwi/mimikatz

3.10 - Impacket

https://github.com/fortra/impacket/tree/master/examples

Chapter.4 - Penetration Methods In Domain

4.1 - Domain Account Enumeration

During the AS-REQ stage of Kerberos authentication, the cname (client principal name) field in the request corresponds to the user principal being authenticated.

The KDC responds differently depending on the state of the account, such as whether the user exists, is enabled, or does not exist.
These differences can be observed through distinct Kerberos responses or error codes.

As a result, it is possible to enumerate domain user accounts by analyzing the KDC responses to AS-REQ messages.

  | Users’ State | AS-REP information |
  | --- | --- |
  | User exists and is enabled | KDC_ERR_PREAUTH_REQUIRED |
  | User exists and is disabled | KDC_ERR_CLIENT_REVOKED (NT Status: STATUS_ACCOUNT_DISABLED, Unavailable) |
  | User does not exist | KDC_ERR_C_PRINCIPAL_UNKNOWN |

  1. Kerbrute
    > kerbrute_windows_amd64.exe userenum --dc x.x.x.x -d apt.com user.txt
  2. pyKerbrute
    # TCP mode
    > python EnumADUser.py x.x.x.x apt.com user.txt tcp

    # UDP mode
    > python EnumADUser.py x.x.x.x apt.com user.txt udp

4.2 - Password Spraying

Password spraying is usually performed after domain account enumeration.

During the AS-REQ stage of Kerberos authentication, the cname (client principal name) field corresponds to the target username.
This behavior allows attackers to enumerate valid domain accounts.

Password spraying involves testing a single common password against multiple usernames, rather than multiple passwords against a single account.
The goal of this technique is to reduce the likelihood of account lockouts enforced by domain lockout policies.

  1. Kerbrute
    > kerbrute_windows_amd64.exe passwordspray --dc x.x.x.x -d apt.com user.txt P@ssword
  2. pyKerbrute
    # Plain text password
    > python ADPwdSpray.py x.x.x.x apt.com user.txt clearpassword P@ssword tcp
    > python ADPwdSpray.py x.x.x.x apt.com user.txt clearpassword P@ssword udp

    # Hashed password
    > python ADPwdSpray.py x.x.x.x apt.com user.txt ntlmhash <Your NTLM Hash> tcp
    > python ADPwdSpray.py x.x.x.x apt.com user.txt ntlmhash <Your NTLM Hash> udp
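The KDC responses listed in 4.1 and the account-lockout-avoiding pattern of 4.2 are both visible on the DC side, so here is the detection view of both sections as an added example (not from the book): a source that receives KDC_ERR_C_PRINCIPAL_UNKNOWN for many distinct names in a short window is enumerating, and a source that receives KDC_ERR_PREAUTH_FAILED for many distinct existing accounts is spraying. The input is a constructed key=value rendering of Windows event 4768 (Kerberos authentication ticket requested); the field names TargetUserName, IpAddress and Status are the event's, the line format, thresholds and function names are this example's.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 4120 error codes as they appear in the Status field of event 4768.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x06  # user does not exist
KDC_ERR_CLIENT_REVOKED = 0x12       # user exists but is disabled or locked
KDC_ERR_PREAUTH_FAILED = 0x18       # user exists, wrong password supplied
KDC_ERR_PREAUTH_REQUIRED = 0x19     # user exists and is enabled (normal first reply)


def parse_4768(line: str) -> dict:
    """Parse one line of the constructed 'key=value|...' rendering used below.
    Real 4768 events are EVTX/XML; the field names match, the line format is this example's."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return {
        "time": datetime.fromisoformat(fields["time"]),
        "user": fields["TargetUserName"].lower(),
        "ip": fields["IpAddress"],
        "status": int(fields["Status"], 16),
    }


def detect(events: list, window: timedelta = timedelta(minutes=5), threshold: int = 20) -> list:
    """Per source IP, find the largest number of distinct account names inside any
    `window`-sized slice of failures with the given status code. Many distinct unknown
    names = enumeration; many distinct existing names failing pre-auth = spray.
    Returns [(label, ip, distinct_users), ...]."""
    rules = (("kerberos_user_enumeration", KDC_ERR_C_PRINCIPAL_UNKNOWN),
             ("kerberos_password_spray", KDC_ERR_PREAUTH_FAILED))
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for label, code in rules:
            hits = sorted((e for e in evs if e["status"] == code), key=lambda e: e["time"])
            best, start = 0, 0
            for end in range(len(hits)):
                while hits[end]["time"] - hits[start]["time"] > window:
                    start += 1  # slide the window forward
                best = max(best, len({e["user"] for e in hits[start:end + 1]}))
            if best >= threshold:
                alerts.append((label, ip, best))
    return alerts


def _line(t: datetime, user: str, ip: str, status: int) -> str:
    return f"time={t.isoformat()}|TargetUserName={user}|IpAddress={ip}|Status={status:#x}"


# Constructed sample log: 25 non-existent names probed from 10.0.0.5 (enumeration),
# 22 real users failing pre-auth from 10.0.0.9 (spray), and benign traffic from 10.0.0.7.
_T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_LOG = (
    [_line(_T0 + timedelta(seconds=i), f"guess{i:02d}", "10.0.0.5", KDC_ERR_C_PRINCIPAL_UNKNOWN) for i in range(25)]
    + [_line(_T0 + timedelta(seconds=2 * i), f"user{i:02d}", "10.0.0.9", KDC_ERR_PREAUTH_FAILED) for i in range(22)]
    + [_line(_T0 + timedelta(minutes=i), "alice", "10.0.0.7", KDC_ERR_PREAUTH_REQUIRED) for i in range(3)]
)


def run_detection(lines=SAMPLE_LOG, **kwargs) -> list:
    return detect([parse_4768(l) for l in lines], **kwargs)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

Counting distinct users rather than raw failures is what separates a spray from a single mistyped password: one user failing twenty times trips the lockout policy, whereas twenty users failing once each does not, and that second shape is exactly what a per-user lockout threshold cannot see.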

4.3 - AS-REP Roasting

AS-REP Roasting is an offline password cracking technique targeting user accounts. The method is limited because it requires Kerberos pre-authentication to be disabled on the target account.

  1. Extract AS-REP Hashes:

    1. Rubeus:
      If the compromised host is domain-joined:

      > Rubeus.exe asreproast /format:john /outfile:hash.txt
    2. ASREPRoast.ps1:
      If the compromised host is not domain-joined, AS-REP Roasting cannot be performed directly and requires alternative enumeration methods:

      PS> Import-Module .\ASREPRoast.ps1
      PS> Invoke-ASREPRoast | select -ExpandProperty Hash
    3. Computer is not in a domain

  2. Hash Cracking:
    John:

    > john --wordlist=/opt/pass.txt hash.txt

    hashcat:

    > hashcat -m 18200 hash.txt pass.txt --force

4.4 - Kerberoasting

Kerberoasting happens at the TGS-REP stage of Kerberos authentication. The TGS service of the KDC returns to the client an ST encrypted with the service account’s key. Once the ST has been received, the attacker can crack it offline.

In a nutshell, Kerberoasting relies on RC4_HMAC_MD5 being negotiated as the ticket encryption type.

SPN Discovery

  1. RiskySPN
  2. GetUserSPNs
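Because the technique hinges on RC4_HMAC_MD5 tickets for user-type service accounts, the corresponding detection is a filter on the DC's service-ticket events. This is an added example, not from the book: it reads a constructed key=value rendering of event 4769 (Kerberos service ticket requested), keeps only tickets with TicketEncryptionType 0x17 (etype 23, RC4) issued for accounts whose name does not end in `$` (machine accounts have long random passwords and are not worth cracking) and is not krbtgt, and reports any requester that collected such tickets for several distinct service accounts. The field names TargetUserName, ServiceName, TicketEncryptionType and IpAddress are the event's; the line format, threshold and function names are this example's.

```python
from collections import defaultdict

# Value of the 4769 TicketEncryptionType field for RC4_HMAC_MD5 (etype 23).
RC4_HMAC_MD5 = 0x17


def parse_4769(line: str) -> dict:
    """Parse one line of the constructed 'key=value|...' rendering used below
    (field names follow event 4769; the line format is this example's)."""
    f = dict(part.split("=", 1) for part in line.split("|"))
    return {
        "requester": f["TargetUserName"].lower(),
        "service": f["ServiceName"],
        "etype": int(f["TicketEncryptionType"], 16),
        "ip": f["IpAddress"],
    }


def kerberoast_candidates(events: list, min_services: int = 3) -> dict:
    """Return {requester: [service accounts]} for requesters that obtained RC4 tickets
    for at least `min_services` distinct user-type service accounts. Tickets for machine
    accounts (names ending in '$') and for krbtgt are ignored as normal traffic."""
    per_requester = defaultdict(set)
    for e in events:
        svc = e["service"]
        if e["etype"] != RC4_HMAC_MD5 or svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_requester[e["requester"]].add(svc)
    return {r: sorted(s) for r, s in per_requester.items() if len(s) >= min_services}


def _line(requester: str, service: str, etype: int, ip: str = "10.0.0.20") -> str:
    return f"TargetUserName={requester}|ServiceName={service}|TicketEncryptionType={etype:#x}|IpAddress={ip}"


# Constructed sample: bob pulls RC4 tickets for four SPN-bearing user accounts in a row;
# alice's traffic is one AES256 ticket (0x12) plus RC4 tickets for a machine account and krbtgt.
SAMPLE_LOG = [
    _line("bob@apt.com", "svc_sql", RC4_HMAC_MD5),
    _line("bob@apt.com", "svc_web", RC4_HMAC_MD5),
    _line("bob@apt.com", "svc_backup", RC4_HMAC_MD5),
    _line("bob@apt.com", "svc_mssql", RC4_HMAC_MD5),
    _line("bob@apt.com", "svc_sql", RC4_HMAC_MD5),        # repeat, counted once
    _line("alice@apt.com", "svc_sql", 0x12, ip="10.0.0.21"),
    _line("alice@apt.com", "FILESRV01$", RC4_HMAC_MD5, ip="10.0.0.21"),
    _line("alice@apt.com", "krbtgt", RC4_HMAC_MD5, ip="10.0.0.21"),
]


def run_detection(lines=SAMPLE_LOG, **kwargs) -> dict:
    return kerberoast_candidates([parse_4769(l) for l in lines], **kwargs)


if __name__ == "__main__":
    for requester, services in run_detection().items():
        print(requester, "->", services)
```

A single RC4 ticket for one service is not an alert on its own (legacy clients still negotiate it), which is why the rule counts distinct services per requester; the lasting fix is on the account side: long random passwords for SPN-bearing accounts, or gMSAs, and AES-only encryption types on those accounts so that an RC4 ticket for them is never issued in the first place.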

4.5 - Delegation

Types of Delegation

  • UD (Unconstrained Delegation)
  • CD (Constrained Delegation)
  • RBCD (Resource Based Constrained Delegation)
  1. Unconstrained Delegation
  2. Constrained Delegation
  3. Resource Based Constrained Delegation

4.6 - Kerberos Bronze Bit

4.7 - NTLM Relay

4.8 - Abusing DCSync

4.9 - PTH

4.10 - Locating Logged In Computer

4.11 - Domain Forest Penetration

Chapter.5 - Domain Exploitation

5.1 - MS14-068

5.2 - CVE-2019-1040 NTLM MIC

5.3 - CVE-2020-1472 NetLogon Privilege Escalation

5.4 - Windows Print Spooler Privilege Escalation

5.5 - ADCS Exploitation

5.6 - CVE-2021-42287 Privilege Escalation

5.7 - Exchange ProxyLogon Exploitation

5.8 - Exchange ProxyShell Kill Chain

Chapter.6 - Persistence And Post-Exploitation Password Extraction

THANKS FOR READING!