- \n
- Powerview – https:\/\/github.com\/PowerShellMafia\/PowerSploit\/blob\/dev\/Recon\/PowerView.ps1 (Archived, still useful however).<\/li>\n\n\n\n
- RSAT Active Directory DLL – https:\/\/github.com\/samratashok\/ADModule.git (DLL signed by Microsoft to manage an Active Directory environment from Powershell)<\/li>\n\n\n\n
- SharpHound – https:\/\/github.com\/BloodHoundAD\/BloodHound\/tree\/master\/Collectors (Bloodhound ingestor tool, automates the process of enumerating the internal domain)<\/li>\n<\/ul>\n\n\n\n
Linux:<\/strong><\/p>\n\n\n\n
- \n
- Ldapdomaindump – https:\/\/github.com\/dirkjanm\/ldapdomaindump.git (Previously used tool, Active Directory enumeration tool)<\/li>\n\n\n\n
- bloodhound-python – https:\/\/github.com\/fox-it\/BloodHound.py.git (python based bloodhound ingestor)<\/li>\n<\/ul>\n\n\n\n
For both cases, it’s necessary to have Bloodhound installed correctly, including the Neo4j database.<\/p>\n\n\n\n
NEO4J\/BLOODHOUND installation<\/h2>\n\n\n\n
Windows installation documentation:<\/p>\n\n\n\n
https:\/\/bloodhound.readthedocs.io\/en\/latest\/installation\/windows.html<\/a><\/p>\n\n\n\n
Linux installation documentation:
https:\/\/bloodhound.readthedocs.io\/en\/latest\/installation\/linux.html<\/a><\/p>\n\n\n\nFollowing the guides, we can start recollecting information with the ingestors and analyzing it through Bloodhound.<\/p>\n\n\n\n
AD CONFIGURATION TO EXPLORE MULTIPLE ATTACK VECTORS THROUGH BLOODHOUND<\/h2>\n\n\n\n
We’re going to add a couple of insecure configurations through the ADSI Edit <\/strong>option in the DC.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-1024x542.png\")
<\/figure>\n\n\n\nThe first time we start the console, we need to connect to our AD by clicking on Actions > Connect To<\/strong>.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-1.png\")
<\/figure>\n\n\n\nWe can leave the default values for this exercise.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-2.png\")
<\/figure>\n\n\n\nOnce the connection has been established, we expand our main tree until we identify the CN=Users<\/strong> folder, where we’ll see our domain groups and users.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-3.png\")
<\/figure>\n\n\n\nHere we can modify the DACL properties for any domain object, in this scenario, we’ll give the hank.scorpio<\/strong> user privileges over the admin<\/strong> user.<\/p>\n\n\n\n
Right click on the admin<\/strong> user object and we access to Properties<\/strong>.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-4.png\")
<\/figure>\n\n\n\nWe move to the Security<\/strong> tab and we click on Add<\/strong>.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-5.png\")
<\/figure>\n\n\n\nIn the new window, we write the desired username and click on Check Names<\/strong> so the object gets searched for within our Forest.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-6.png\")
<\/figure>\n\n\n\nWe click OK<\/strong> and then define which permissions we want to give the hank.scorpio<\/strong> over the admin<\/strong> user, for this post, we’re going to assign the Change Password<\/strong> privilege.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-7.png\")
<\/figure>\n\n\n\nWe apply the changes and switch to another user.<\/p>\n\n\n\n
Repeating previous steps, we’re going to give the user Service_BD<\/strong> privileges over the Administrators<\/strong> group.<\/p>\n\n\n\n
To identify the group, we move into the CN=Builtin <\/strong>folder on the main tree.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-8.png\")
<\/figure>\n\n\n\nModifying the group, we add the Service_BD<\/strong> user to the list.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-9.png\")
<\/figure>\n\n\n\nWe assign the Write<\/strong> privilege over the Administrators<\/strong> group.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-10-1024x638.png\")
<\/figure>\n\n\n\nThen, we can click on Update Schema Now<\/strong> to make sure the changes were applied.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-15.png\")
<\/figure>\n\n\n\nWith these configurations, we’ll proceed to extract information regarding possible attack paths using SharpHound\/bloodhound-python.<\/p>\n\n\n\n
SHARPHOUND EXECUTION<\/h2>\n\n\n\n
Sharphound comes both in exe and PS1, in this case, we’re going to use the Windows binary.<\/p>\n\n\n\n
We’re going to use the TECNOLOGIA01<\/strong> host to execute the ingestor since it’s a domain joined machine.<\/p>\n\n\n\n
For simplicity sake, we’ll disable the antivirus to execute the binary.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-17-1024x661.png\")
<\/figure>\n\n\n\nSince we’re logged in as a domain user, the CMD window runs under the domain user’s context, so we don’t need to specify credentials unless we want to use a different user to run the enumeration tasks. (We’re going to explore options on how to execute the tool using a non domain joined machine)<\/p>\n\n\n\n
We execute Sharphound with the flag “-c all”<\/strong> so it obtains as much information as possible (very noisy).<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-18-1024x631.png\")
<\/figure>\n\n\n\nOnce the extraction finishes, a compressed file is generated, which we can move into the host that has Bloodhound and Neo4j installed.<\/p>\n\n\n\n
Using bloodhound-python from Linux is pretty similar, the only notable difference is that we would need to specify the domain controller and the credentials, or establish the domain controller as a DNS server on our Linux host.<\/p>\n\n\n\n
We can edit the \/etc\/resolv.conf file to manually add a DNS server.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-25.png\")
<\/figure>\n\n\n\nExecuting bloodhound-python with the mentioned parameters, we start the enumeration process.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-26.png\")
<\/figure>\n\n\n\nOnce it finishes, we get 4 json files ready to be imported into Bloodhound.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-27.png\")
<\/figure>\n\n\n\nWe can drag and drop the files into the Bloodhound main window, where the data will start to get uploaded and analyzed.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-19-1024x626.png\")
<\/figure>\n\n\n\nOnce it’s done, we can use pre-existing queries to find possible attack paths.<\/p>\n\n\n\n
Find all Domain Admins<\/strong>.<\/p>\n\n\n\n
It identifies members of the Domain Admins<\/strong> group.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-20-1024x672.png\")
<\/figure>\n\n\n\nThere, we can observe multiple domain admins, including a machine account, indicating that if we get to compromise the TECNOLOGIA01<\/strong> host and obtain the machine account NTLM hash, we could perform a DCSync attack to compromise the domain.<\/p>\n\n\n\n
But this is a group membership problem, since we’re trying to explore ACL attack paths, we can use a different pre-built query in Bloodhound, Find Shortest Paths to Domain Admins<\/strong>, where we’ll see the following result.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-21-1024x455.png\")
<\/figure>\n\n\n\nAnalyzing all of this possible paths can be overwhelming, but by doing so, we can identify if there’s a direct path to compromise a Domain Admin.<\/p>\n\n\n\n
We observe that the PWNED, ADMIN, JSEC, ADMINISTRATOR <\/strong>users and the TECNOLOGIA01<\/strong> host belong to the Domain Admins group, however, if we focus on the upper part, we can identify a different path.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-23.png\")
<\/figure>\n\n\n\nWe see that SERVICE_BD<\/strong> has a GenericWrite<\/strong> link pointing to the ADMINISTRATORS<\/strong> group, meaning that by compromising this user, we can modify this group’s properties.<\/p>\n\n\n\n
Simplifying some Active Directory concepts, we can consider the existing users, groups, machines, group policies, organizational units and more as Objects<\/strong>, each with specific and different properties according to the type of object (a user object will have different properties than a group object), the identified link can be interpreted as a special privilege the Service_BD<\/strong> has over the ADMINISTRATORS<\/strong> group, even when the user is not a member of it, so we can use this privilege to add any domain user into this group.<\/p>\n\n\n\n
The pre-build query identified this path, but I always recommend to find valuable users and explore their Explicit Object Controllers, since we can identify other possible attack paths.<\/p>\n\n\n\n
Going back to Bloodhound, we explore all of the high privilege users, eventually reaching the admin<\/strong> user where we expand the Explicit Object Controllers property.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-24-1024x683.png\")
<\/figure>\n\n\n\nHere we can find a special privilege granted to the hank.scorpio<\/strong> user that allows it to forcefully reset the admin<\/strong> user password.<\/p>\n\n\n\n
This is how we can identify a previously unknown attack path, which is why it’s recommended to carefully analyze Bloodhound results.<\/p>\n\n\n\n
Now we can proceed with the exploitation.<\/p>\n\n\n\n
ACL EXPLOITATION<\/h2>\n\n\n\n
We can use Powerview to exploit these misconfigurations, however, the tool is widely known and detected by most Antivirus solutions. We could disable the antivirus to proceed with the exploitation, but personally, I like to use the Microsoft signed Active Directory management DLL over Powerview to maintain a certain level of stealthiness, and since a common scenario during these types of engagements involves access to domain joined hosts where we can’t simply disable the antivirus, knowing how to use these legitimate tools can be advantageful.<\/p>\n\n\n\n
We can download the DLL into the TECNOLOGIA01<\/strong> host and import it through Powershell.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-29-1024x458.png\")
<\/figure>\n\n\n\nSometimes we can get an error, but most of the time just importing again will work. We can proceed with the exploitation.<\/p>\n\n\n\n
Service_BD user account with writing privilege over Administrators group.<\/h2>\n\n\n\n
For this scenario, we’re going to create a new low privileged user.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-30.png\")
<\/figure>\n\n\n\nTo list the available commands of the imported module, we can use the Get-Command cmdlet.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-31.png\")
<\/figure>\n\n\n\nTo obtain information about the target group, we use the Get-ADGroupMember cmdlet.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-34.png\")
<\/figure>\n\n\n\nWe can see we have 6 members, legendario.esquilax<\/strong> and Service_BD <\/strong>are not.<\/p>\n\n\n\n
To keep things simple, we’re going to use the password for the Service_BD<\/strong> user we found before.<\/p>\n\n\n\n
Firstly, we define a credential type object to execute commands under the Service_BD<\/strong> user context, without the credential object, we would be running commands as cosme.fulanito<\/strong> user context, which is not useful given that Service_BD<\/strong> has the privileges we’ll exploit.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-35.png\")
<\/figure>\n\n\n\nThe $pass <\/strong>object stores the known password “P4ssw0rd123” as a secure string, which is required to use credential objects.<\/p>\n\n\n\n
The $cred<\/strong> object will store logon information for the account we define, in this case, Service_BD<\/strong> referencing the $pass<\/strong> object as its password, allowing us to use the object to impersonate the respective user.<\/p>\n\n\n\n
To exploit the ACL misconfiguration, we’ll use the Add-ADGroupMember<\/strong> cmdlet.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-36.png\")
<\/figure>\n\n\n\nIf we execute the command without parameters we’ll be prompted for the required information, however, we can also use a one-liner to execute the desired task.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-37.png\")
<\/figure>\n\n\n\nThe first line is adding the legendario.esquilax<\/strong>, defined by the parameter Members<\/strong>, into the Administrators<\/strong> group, defined by the Identity<\/strong> parameter, using the created credential object, defined by the parameter Credential<\/strong>.<\/p>\n\n\n\n
The second line is querying the group members again, this time showing the user we just added to the group, confirming the privilege abuse worked.<\/p>\n\n\n\n
We can easily confirm the validity of the user from our Kali host, successfully executing a DCSync and compromising the domain.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-38.png\")
<\/figure>\n\n\n\nHANK.SCORPIO WITH PASSWORD RESET PRIVILEGES OVER THE ADMIN USER<\/h2>\n\n\n\n
The second attack path involves the hank.scorpio<\/strong> user, given that it can forcefully change the admin<\/strong> user’s password. We’ll be using the Active Directory signed DLL for this task.<\/p>\n\n\n\n
Once again, we create the $pass<\/strong> and $cred<\/strong> objects in order to impersonate the hank.scorpio<\/strong> user.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-39.png\")
La credencial expiro, por lo que la actualice a ese valor.<\/figcaption><\/figure>\n\n\n\n Within our Kali host, we’ll try to login into the DC with the admin<\/strong> user and the password Test1234!!<\/strong>, the attempt fails.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-41-1024x208.png\")
<\/figure>\n\n\n\nTo change the user’s password, we’ll use the Set-ADAccountPassword<\/strong> cmdlet, by defining a second secure string object named $newpass<\/strong> and the desired value.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-40.png\")
<\/figure>\n\n\n\nThe second line is the password change command, defining the target account through the Identity<\/strong> parameter, the user context through the Credential<\/strong> parameter and the new password, defined by the NewPassword<\/strong> parameter.<\/p>\n\n\n\n
Once we execute the command, we don’t get any errors or output, however, if we try to authenticate to the domain once again with the set password, we obtain administrative access.<\/p>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/07\/image-42-1024x74.png\")
<\/figure>\n\n\n\nThis is the first part of misconfigured or permissive ACL privileges, we’ll delve further on future posts (Attacks such as Resource Based Constrained Delegation and arbitrary SPN tickets registration for Kerberoasting attacks).<\/p>\n\n\n\n
Also, we’re going to use a non-domain joined host to execute this attacks, through Powershell objects and running proceses under a different user context through runas<\/strong>.<\/p>\n\n\n\n
For Blue Team members, it’s recommended to search for this type of misconfigurations in your internal infrastructure, analyzing Bloodhound in depth, mostly because these type of attack paths are slightly more complicated to exploit, but are also stealthier.<\/p>\n","protected":false},"excerpt":{"rendered":"
In this post we will use different tools to analyze an Active Directory environment, both from Linux and Windows. This post is useful for both Pentesters and Blue Team members, as it identifies possible attack vectors and insecure configurations on a domain. Both to exploit from the attacker’s side, and Continue Reading<\/i><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19,22],"tags":[26,28,30],"class_list":["post-394","post","type-post","status-publish","format-standard","hentry","category-bt-en","category-p-rt-en","tag-bt","tag-english","tag-rt"],"_links":{"self":[{"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/posts\/394","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/comments?post=394"}],"version-history":[{"count":3,"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/posts\/394\/revisions"}],"predecessor-version":[{"id":424,"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/posts\/394\/revisions\/424"}],"wp:attachment":[{"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/media?parent=394"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/categories?post=394"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/tags?post=394"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}