ok let's have some lab fun and see if I can remember what I'm doing... :P haha i forget stuff so easily, so we've found a DC... let's enum the shit out of this!
so let's nmap it... it's a modern OS so it doesn't respond to ICMP out of the box
ok so we can enum the name of the directory via LDAP (TCP 389... no shit i've seen too many servers with this port open on the internet!) - see pic from @shodanhq below
ok so we know it's a domain controller coz it's running LDAP, LDAPS, SMB, NETBIOS, it's got RDP on as well... let's do a full port scan coz it's probably got WINRM enabled
pew pew, @ZephrFish gave this cool tip before about not using -p- and using 0 coz some shit people do weird and run services on 0 :P
BANGING FUCKING TUNES! Tron LEGACY is one of the best soundtracks to pwn to! also run Nessus in the background when you start a test coz it's good in case u miss shit manually and this isn't a CTF 'try harder' game... u need to get the job done and have traceability
so here we go we have WINRM on 5895... oh yeah sysadmin and devs please stop leaving these open on ur cloud service provider VMS... it would make me sleep better ;) x
ok so let's update our attack map! since we don't have creds (yet) we are going to need to try some stuff.. let's do some more enum on DNS and see where we go from there! time to send to TCP + UDP 53
ok since i've not tool3d up we need some more goodies! we are gonna want to get evil WINRM, COVY or POSH etc.
ok let's check DNS :) first let's get some lists installed! such as sudo apt -y install seclists
ok so dnsrecon probably is a bit old lulz but hey so am I :p we can see here that we've found an SOA and NS records etc. we can see that we can't transfer the zone (that's good!)
so that's not showing a lot.. this domain is empty AF :P so let's look at what else we can do... now we've got a few options for attack... we've got SMB, WINRM and RDP....
so let's do some RDP brute coz no one monitors this shit anyway :P so we hit up hydra (it now has NLA support, before we had to use crowbar) what's funny is if u google hydra pwndefend comes up :P (see right!)
and we are in! super secret password of: Pa55w0rd1

now let's see what we can do!
now we could jump straight into RDP but.... if someone is logged in they might notice so we can jump into WINRM :) and we haz admin access!
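"no one monitors this" is exactly the gap a blue team should close. Below is an added example (mine, not from the thread or its author) of what that monitoring looks like: a sliding-window count of 4625 failures per source IP from the target's Security log, with the alert enriched if a 4624 logon type 10 (RemoteInteractive) from the same source follows, meaning the brute force actually landed. The events, hosts and IPs are constructed. One caveat worth knowing: with NLA enabled (the case hydra's NLA support is for), password failures are written as 4625 with logon type 3, not 10, because CredSSP authenticates before any interactive session exists, so the failure count deliberately ignores logon type.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(ts, event_id, user, src, logon_type):
    """Build a minimal Security-log event (constructed sample data)."""
    return {"time": ts, "id": event_id, "user": user, "src": src, "logon_type": logon_type}


# Constructed sample events: 12 password failures in 33 seconds from one
# source (a hydra-style run against an NLA-protected RDP listener, hence
# logon type 3), followed by the successful session; plus one benign typo.
SAMPLE_EVENTS = [
    _ev(f"2021-03-01T22:00:{s:02d}", 4625, "administrator", "10.0.0.50", 3)
    for s in range(0, 36, 3)
] + [
    _ev("2021-03-01T22:00:40", 4624, "administrator", "10.0.0.50", 3),   # NLA auth succeeded
    _ev("2021-03-01T22:00:41", 4624, "administrator", "10.0.0.50", 10),  # RDP session created
    _ev("2021-03-01T22:05:00", 4625, "bob", "10.0.0.7", 3),              # one typo, benign
    _ev("2021-03-01T22:05:10", 4624, "bob", "10.0.0.7", 10),
]

FAILURE_THRESHOLD = 10         # failures from one source ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window


def detect_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per source IP whose 4625 count inside `window` reaches
    `threshold`. If a 4624 with logon type 10 from the same source follows,
    `success_after` records the account that got in."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = {}                            # src -> alert dict (one per source)
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        src = e["src"]
        if e["id"] == 4625:
            q = recent_failures[src]
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()  # age out failures older than the window
            if src in alerts:
                alerts[src]["failures"] += 1  # keep counting after the alert fired
            elif len(q) >= threshold:
                alerts[src] = {
                    "src": src,
                    "first_failure": q[0].isoformat(),
                    "failures": len(q),
                    "success_after": None,
                }
        elif e["id"] == 4624 and e["logon_type"] == 10 and src in alerts:
            if alerts[src]["success_after"] is None:
                alerts[src]["success_after"] = e["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are the knobs to tune against your own baseline; a source that trips the threshold and then produces a type 10 success is the one to page on, the rest are a daily report. Feeding this from a real host means pulling the Security log (Get-WinEvent or a forwarder), which is precisely the forwarding the thread later says an attacker hopes you have not set up.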
and that is basically how 70%+ of orgs get pwn3d in ransomware attacks.. which is mental...
so now we can do evil via winrm, SMB/RPC or just RDP in and go wild :P
so shall we copy what an IRL TA would do.. so now we are on the box... let's check out some shizzle! what defences have we got?
great... protected... now IRL we would say.. hmm it's got defender on it.. let's check if it's also got ATP.. also can we find any event forwarders or things like filebeat/logstash etc. coz we don't wanna get caught..
now one way forward is to do this! but it's loud AF...........
so maybe... just do this, leave them on... but add an exception for err EVERYTHING :D
so another thing u need to do is disable smart screen coz logs :) you can do that via gpmc :)
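The "exception for everything" trick is quiet at the console but not in the event log: Defender writes a 5007 "Configuration has changed" event whose message carries the new registry value, and switching real-time protection off writes 5001. The following is an added example (my code, not the thread's) that triages those events, rating a whole-drive or wildcard path exclusion higher than a narrow one. The event messages are constructed approximations of the Microsoft-Windows-Windows Defender/Operational log text, so check the regex against a real 5007 from your own estate before relying on it.

```python
import re

# Constructed sample (event id, message) pairs approximating the
# Microsoft-Windows-Windows Defender/Operational log.
SAMPLE_DEFENDER_EVENTS = [
    (5007, "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected "
           "event you should review the settings as this may be the result of malware.\n"
           "Old value: \nNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ = 0x0"),
    (5007, "Microsoft Defender Antivirus Configuration has changed.\nOld value: \n"
           "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\SQL Server\\Data\\ = 0x0"),
    (5007, "Microsoft Defender Antivirus Configuration has changed.\nOld value: \n"
           "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x3"),
    (5001, "Microsoft Defender Antivirus Real-time Protection is disabled."),
    (1116, "Microsoft Defender Antivirus has detected malware or other potentially unwanted software."),
]

# Matches the "New value:" line of a 5007 event when the changed key is an exclusion.
EXCLUSION_RE = re.compile(
    r"New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Extensions|Processes)\\(.+?) = 0x[0-9a-fA-F]+",
    re.IGNORECASE,
)


def _is_broad_path(value):
    """A bare drive root (C:\\) or any wildcard effectively excludes everything."""
    return bool(re.fullmatch(r"[A-Za-z]:\\?", value)) or "*" in value


def triage_defender_events(events):
    """Return alert dicts for exclusion additions (5007) and real-time
    protection being switched off (5001). Other event ids are ignored."""
    alerts = []
    for event_id, message in events:
        if event_id == 5001:
            alerts.append({"event_id": 5001, "severity": "high",
                           "reason": "real-time protection disabled"})
            continue
        if event_id != 5007:
            continue
        m = EXCLUSION_RE.search(message)
        if not m:
            continue  # a config change, but not an exclusion (schedules etc.)
        kind, value = m.group(1), m.group(2)
        broad = kind.lower() == "paths" and _is_broad_path(value)
        # Process exclusions are rated high too: excluding an interpreter such as
        # a scripting host disables scanning for everything it runs.
        severity = "high" if broad or kind.lower() == "processes" else "medium"
        alerts.append({"event_id": 5007, "severity": severity, "exclusion_type": kind,
                       "value": value,
                       "reason": "whole drive or wildcard excluded" if broad else "exclusion added"})
    return alerts


if __name__ == "__main__":
    for alert in triage_defender_events(SAMPLE_DEFENDER_EVENTS):
        print(alert)
```

Any exclusion change on a domain controller deserves a ticket regardless of severity; the rating only decides who gets woken up. The same log is also where a tampered Defender shows up when "this" (turning it off) is chosen instead, which is the loud option the thread mentions.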
also ur not gonna want to use the off the shelf mimikatz but a lot of crims do ...
so we enable debug mode, we elevate our token to system and we dump lsa
now that's the local security db .. what we want is the active directory database :D
so we enable log and dump the creds into a file!
so now we can crack some hashes or steal tokens.. obvs i forgot i had designed this with a bit of privesc in but lol
so if u wanna just check for low hanging fruit crack station is good but remember ROE and OPSEC.. u might not be authorized to send to someone else's server, don't make assumptions with other peoples data!
so what do we do if we didn't want to log in to the DC.... coz that's not a great idea in all scenarios!
so what we can do is take a domain joined box (windows env. ) and run mimikatz there.... this means we aren't super noisy fucking with the DC's av etc.
so we can runas the administrator account and we can dcsync from the machine we own (domain joined) and steal all the hashes this way! you can see here the hashes are all the same coz i'm guessing i never completed this build :D right i'm off to sleep! hopefully that was useful
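DCSync from a domain-joined workstation avoids the DC's AV, but it cannot avoid the DC's Security log: every replication request is a 4662 "Control Access" (AccessMask 0x100) event whose Properties list the DS-Replication-Get-Changes rights, and the subject is whoever asked. The block below is an added example (my code, not the thread's) that flags 4662 events where those rights are exercised by any principal that is not a known DC machine account. The events and the LAB domain names are constructed. Two practical caveats: 4662 only exists if the "Directory Service Access" audit subcategory is enabled on the DCs, and the allowlist must include any sanctioned replicator such as a directory-sync service account, or that account will alert every sync cycle.

```python
# Control-access right GUIDs that appear in the Properties field of a 4662
# event when a principal requests directory changes (the rights DCSync uses).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"  # AccessMask for "Control Access" in 4662

# Constructed 4662 events as a DC would log them (subject, mask, property GUIDs).
SAMPLE_4662 = [
    {   # a second DC replicating: legitimate
        "subject": "LAB\\DC02$", "access_mask": "0x100",
        "properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                       "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"],
    },
    {   # a user account pulling changes from a workstation: this is the DCSync
        "subject": "LAB\\administrator", "access_mask": "0x100",
        "properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                       "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"],
    },
    {   # control access on some unrelated right (constructed GUID): ignored
        "subject": "LAB\\bob", "access_mask": "0x100",
        "properties": ["{00000000-1111-2222-3333-444444444444}"],
    },
    {   # a write (not control access) that happens to name a replication GUID: ignored
        "subject": "LAB\\bob", "access_mask": "0x20",
        "properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"],
    },
]

# Principals allowed to replicate: the DC machine accounts plus any sanctioned
# sync service account. Constructed for the example.
DC_ACCOUNTS = ["LAB\\DC01$", "LAB\\DC02$"]


def _replication_rights(properties):
    """Map the GUIDs in a 4662 Properties field to the replication rights they name."""
    guids = (p.strip("{}").lower() for p in properties)
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def detect_dcsync(events, allowlist):
    """Return an alert for each 4662 Control Access event in which a principal
    outside `allowlist` exercised a directory-replication right."""
    allowed = {a.upper() for a in allowlist}
    alerts = []
    for e in events:
        if e["access_mask"].lower() != CONTROL_ACCESS:
            continue
        rights = _replication_rights(e["properties"])
        if not rights or e["subject"].upper() in allowed:
            continue
        alerts.append({"subject": e["subject"], "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_4662, DC_ACCOUNTS):
        print(alert)
```

Pair this with a one-off audit of who actually holds the replication rights on the domain head (the ACL is the precondition the thread's "runas the administrator" step relies on); if only DCs and the sync account hold them, any alert from this rule is a compromise or a misconfiguration, both worth a call.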
ok so when i built this i configured the server with a username enumeration vuln in SMB, the idea was you enum users, then you would get access to a low priv account... then you could kerberoast the SVC_ accounts and get admin rights that way
You can follow @UK_Daniel_Card.