IP | Name | Hostname | Domain |
---|---|---|---|
192.168.X.10 | dc01 | kingslanding | sevenkingdoms.local |
192.168.X.11 | dc02 | winterfell | north.sevenkingdoms.local |
192.168.X.12 | dc03 | meereen | essos.local |
192.168.X.22 | srv02 | castelblack | north.sevenkingdoms.local |
192.168.X.23 | srv03 | braavos | essos.local |
192.168.X.31 | ws01 | casterlyrock | sevenkingdoms.local |
To use Kerberos we need to add DNS entries to the /etc/hosts file; this is mandatory for Kerberos (FQDN resolution).
You can generate the hosts file with netexec.
User | Password | Host | Domain | Comments |
---|---|---|---|---|
samwell.tarly | Heartsbane | winterfell | north.sevenkingdoms.local | SMB Enumeration users on winterfell |
brandon.stark | iseedeadpeople | winterfell | north.sevenkingdoms.local | ASREP Roasting on north.sevenkingdoms.local |
hodor | hodor | winterfell | north.sevenkingdoms.local | Password spraying on winterfell |
jon.snow | iknownothing | winterfell | north.sevenkingdoms.local | Kerberoasting on north.sevenkingdoms.local |
robb.stark | sexywolfy | winterfell | north.sevenkingdoms.local | Poisoning and cracking hash |
By default, Microsoft enables SMB signing on Domain Controllers. In secure environments, SMB signing should be enforced network-wide to prevent NTLM relay attacks.
3 Domains found!!
Found credentials of Samwell Tarly in description field.
NORTH\samwell.tarly:Heartsbane
We were able to enumerate users and groups because WINTERFELL allows anonymous connections.
The GOT website contains the name and first name of all actors.
With the following command we obtain a list of FirstName + LastName extracted from the HTML aria-label attribute, strip the special characters, sort alphabetically without duplicates, and take into account that there may be actors without a last name.
The following code is a modification of the Namemash script so that it can also generate usernames from the first name alone, without a last name.
Found 7 users in the sevenkingdoms.local domain.
Found 5 users in the essos.local domain.
I create a north_users.txt file with all the usernames previously found.
Found NORTH\brandon.stark:iseedeadpeople credentials.
This technique can lock out users.
The password policy shows us that if we fail 5 times in 5 minutes, the account is locked for 5 minutes.
We need any user's credentials.
Found NORTH\hodor:hodor credentials.
We can request users from the sevenkingdoms.local domain because there is a trust present.
We have no credentials to list this domain at the moment. 😈
DO NOT USE bloodhound.py
Also enumerate the sevenkingdoms.local and essos.local domains.
Search for users with an SPN (Service Principal Name) set.
Found NORTH/jon.snow:iknownothing credentials.
In the lab, there are two bots that simulate LLMNR, mDNS and NBT-NS requests. One user has a weak password but no admin rights. Another user has admin rights but uses a strong password.
The bot tries to make an SMB connection to bravos instead of braavos. The DNS does not know bravos (spelled without two 'a'), so by default Windows sends a broadcast request to find the associated computer. With Responder we answer that broadcast query, claim that the server is us, and so we receive the connection from the user.
The NetNTLM hashes cannot be used for pass-the-hash, but you can crack them to retrieve the password.
Cracking with hashcat
Found credentials of Robb Stark when cracking hash.
NORTH\robb.stark:sexywolfy
With Robb Stark we pwned the NORTH domain: he is an Administrator of Winterfell (North DC).
Now we have a list of computers with signing:False.
Before starting Responder to poison the answers to LLMNR, mDNS and NBT-NS requests, we must stop Responder's SMB and HTTP servers, as we don't want to capture the hashes directly but relay them to NTLMRelayx.
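The hosts file mentioned earlier and the signing:False list both come from the same netexec SMB enumeration output. As an added example (not code from the original write-up), the script below parses constructed netexec-style lines (the IPs, names and build strings are assumptions) and produces the /etc/hosts entries Kerberos needs plus an audit of which hosts do not require SMB signing, i.e. the ones a defender should fix by enforcing signing.

```python
import re
from typing import Dict, List

# Constructed sample lines in the style of netexec's SMB output (not captured from the lab).
SAMPLE_OUTPUT = """\
SMB  192.168.56.10  445  KINGSLANDING  [*] Windows Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB  192.168.56.11  445  WINTERFELL    [*] Windows Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB  192.168.56.22  445  CASTELBLACK   [*] Windows Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB  192.168.56.23  445  BRAAVOS       [*] Windows Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
"""

# Pull the IP, NetBIOS name, domain and signing flag out of one output line.
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+\[\*\].*?"
    r"\(name:(?P<name>[^)]+)\)\s+\(domain:(?P<domain>[^)]+)\)\s+\(signing:(?P<signing>True|False)\)"
)


def parse_hosts(output: str) -> List[Dict[str, str]]:
    """Return one dict per parsed host; lines that do not match are ignored."""
    hosts = []
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if m:
            hosts.append(m.groupdict())
    return hosts


def hosts_file_lines(hosts: List[Dict[str, str]]) -> List[str]:
    """/etc/hosts entries: IP, FQDN, short name. Kerberos needs the FQDN to resolve."""
    return [
        f"{h['ip']} {h['name'].lower()}.{h['domain'].lower()} {h['name'].lower()}"
        for h in hosts
    ]


def signing_not_required(hosts: List[Dict[str, str]]) -> List[str]:
    """Hosts that do not require SMB signing: exposed to NTLM relay, enforce signing via GPO."""
    return [h["name"].lower() for h in hosts if h["signing"] == "False"]


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_OUTPUT)
    print("\n".join(hosts_file_lines(parsed)))
    print("SMB signing not required on:", ", ".join(signing_not_required(parsed)))
```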
Start Responder (check that HTTP and SMB are OFF).
Start NTLMRelayx:
- `-tf`: list of targets to relay the authentication to
- `-of`: output file; this keeps the captured SMB hashes, just like we did before with Responder, to crack them later
- `-smb2support`: support for SMB2
- `-socks`: start a SOCKS proxy to use the relayed authentication

If you get a jinja2 error, try:
`pip3 install Flask Jinja2 --upgrade`
The poisoned connections are relayed to castelblack (192.168.56.22) and braavos (192.168.56.23), and a SOCKS proxy is set up to use the connection.
As eddard.stark is a domain administrator of north.sevenkingdoms.local, he has administrator privileges on castelblack.
Now we can use this relay to get access to the computer as an administrator.
(Pending)
Check MachineAccountQuota (by default any user can create 10 machine accounts).
(Pending…)
nightmare.c
Compile
Download and execute exploit
Testing new user
The above exploit works but does not add the user to the admin group because it is caught by Windows Defender.
https://github.com/newsoft/adduser
adduser.c
Dumping all hashes
Connect RDP
You will find your DLLs inside:
C:\Windows\System32\spool\drivers\x64\3
C:\Windows\System32\spool\drivers\x64\3\Old\{id}\
https://github.com/topotam/PetitPotam
This attack does not work on an updated AD.