Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)

A Scary Thought: I've worked in the cyber security space for years, performing a wide breadth of penetration testing and red team services. Yes, it is still as easy to get Domain Admin "before lunch" as it was when I first started pen-testing.

Back in September of 2013, SpiderLabs wrote an article titled "Top Five Ways SpiderLabs Got Domain Admin on Your Internal Network". This article is written to complement that post and serves as an unofficial "Part 2" to the original SpiderLabs blog post.

1. NetBIOS and LLMNR Name Poisoning

I wish I could say that NetBIOS / LLMNR poisoning is not as prevalent as it was in 2013, but on the vast majority of assessments, assessors still obtain NTLMv1 and NTLMv2 hashes and recover usable credentials. To assist with cracking the intercepted hashes, there are now advanced frameworks for password brute forcing such as hate_crack.

Both man-in-the-middle tools are designed to assist penetration testers / red teamers who find themselves limited to a Windows system.
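The cheapest way for a defender to learn whether someone is answering LLMNR on a segment is to ask for a name that cannot exist and see whether anything replies. The script below is an added example (not code from the original post or from any of the tools it mentions): it builds an LLMNR query in the DNS-like wire format of RFC 4795, parses any reply, and reports the responder as a poisoner. The canary name `nosuchhost-c4n4ry` and the 10.0.0.66 address in the constructed sample reply are assumptions made for the example.

```python
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # LLMNR multicast group (RFC 4795)
LLMNR_PORT = 5355
# Hypothetical canary name: nothing on the network should ever resolve it,
# so any answer can only come from a poisoner.
CANARY_NAME = "nosuchhost-c4n4ry"


def encode_name(name):
    """Encode a host name in DNS/LLMNR label format."""
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_llmnr_query(txid, name, qtype=1):
    """Build an LLMNR query (same wire format as a DNS query) for one name."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            target, _ = decode_name(data, pointer)
            labels.append(target)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_llmnr_message(data):
    """Parse header, question and A/AAAA answers of an LLMNR message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    qname = None
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        offset += 4                      # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
        elif rtype == 28 and rdlen == 16:
            answers.append((name, socket.inet_ntop(socket.AF_INET6, rdata)))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "answers": answers}


def check_canary_reply(sent_txid, data, src_ip):
    """Return a finding if a reply answers our canary query, else None."""
    msg = parse_llmnr_message(data)
    if not msg["is_response"] or msg["txid"] != sent_txid:
        return None                      # unrelated traffic, ignore
    if msg["qname"] and msg["qname"].lower() != CANARY_NAME:
        return None
    if not msg["answers"]:
        return None
    return {"poisoner": src_ip, "answers": msg["answers"]}


# Constructed test input: a reply to the canary query claiming 10.0.0.66
# (TTL 30 s), with the answer name given as a pointer to the question name.
SAMPLE_POISONED_REPLY = (
    struct.pack("!HHHHHH", 0x1A2B, 0x8000, 1, 1, 0, 0)
    + encode_name(CANARY_NAME) + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton("10.0.0.66")
)


def probe_for_poisoner(timeout=2.0):
    """Send one canary query on the live network and report any responder."""
    txid = 0x1A2B
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(txid, CANARY_NAME), (LLMNR_GROUP, LLMNR_PORT))
    try:
        data, (src_ip, _port) = sock.recvfrom(4096)
    except socket.timeout:
        return None                      # silence is the healthy result
    finally:
        sock.close()
    return check_canary_reply(txid, data, src_ip)


if __name__ == "__main__":
    print(probe_for_poisoner())
```

Run it periodically from a sensor on each broadcast domain; a non-`None` result names the host answering for names it cannot own. The durable fix is still to disable LLMNR and NetBIOS name resolution by group policy, so that the hashes the post describes are never sent in the first place.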

2. Relay attacks

The newer MultiRelay tool is maintained by Laurent Gaffie and is designed for seamless integration with SMB relay attacks.

I personally prefer impacket's tools for relaying and other penetration testing needs. I have found them to be reliable and stable on most Unixes, and they run natively on macOS. Compared to other free open source tools, they leave a relatively small forensic footprint when executed on a host (if you're worried about noise, are trying to be evasive, or have to fend off the Blue Team).

To prepare for some DA pwnage, let's get impacket installed.

SMB Relaying explained:

smbrelayx.py

NTLM Relaying explained

ntlmrelayx.py

ntlmrelayx and a randomized selection of targets

Both the older SMB relay and the newer NTLM relay attacks take advantage of hosts that do not enforce SMB signing, so that a privileged user's SMB / NTLM authentication can be relayed to them.

  • It is important to note that the targets in this list were Windows hosts on different networks. A nice trick of mine is to build the target list of hosts without SMB signing in a randomized order.
  • The host below, which expedited my getting domain admin, allowed domain users local admin access to a SQL server that shared its local admin password with a Domain Controller.
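Whether a host is a viable relay target comes down to one field in its SMB2 NEGOTIATE response: the SecurityMode flags, where 0x0001 means signing is enabled and 0x0002 means it is required. The following added example (not code from the post or from impacket) parses that response from raw bytes and classifies the host; it is the same check a defender runs to find the hosts that still need "Digitally sign communications (always)" enforced. The two sample responses, the host names and the server GUID are constructed for the example.

```python
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001      # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002     # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
            0x0302: "3.0.2", 0x0311: "3.1.1"}

HEADER_FMT = "<4sHHIHHIIQIIQ16s"      # the 64-byte SMB2 header
BODY_FMT = "<HHHH16sIIIIQQHHI"        # fixed 64 bytes of the NEGOTIATE response


def parse_negotiate_response(data):
    """Extract dialect and SecurityMode from a raw SMB2 NEGOTIATE response."""
    if len(data) < 128 or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    (_magic, hdr_size, _cc, status, command, _credits, flags,
     *_rest) = struct.unpack(HEADER_FMT, data[:64])
    if hdr_size != 64 or command != 0 or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    (body_size, security_mode, dialect, _ctx_count, server_guid,
     *_rest) = struct.unpack(BODY_FMT, data[64:128])
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response size")
    return {"status": status,
            "dialect": DIALECTS.get(dialect, hex(dialect)),
            "server_guid": str(uuid.UUID(bytes_le=server_guid)),
            "signing_enabled": bool(security_mode & SIGNING_ENABLED),
            "signing_required": bool(security_mode & SIGNING_REQUIRED)}


def relay_exposure(host, data):
    """Classify one host: only 'required' defeats relayed authentication."""
    info = parse_negotiate_response(data)
    if info["signing_required"]:
        verdict = "signing required: relayed authentication is rejected"
    elif info["signing_enabled"]:
        verdict = "signing enabled but optional: fix by requiring it"
    else:
        verdict = "signing disabled: fix by requiring it"
    return {"host": host, "dialect": info["dialect"],
            "relay_target": not info["signing_required"], "verdict": verdict}


def build_sample_response(security_mode, dialect=0x0302):
    """Constructed NEGOTIATE response, for offline testing only."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, 0, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(BODY_FMT, 65, security_mode, dialect, 0,
                       uuid.UUID(int=0x1234).bytes_le, 0x2F, 0x800000, 0x800000,
                       0x800000, 0, 0, 128, 0, 0)
    return header + body + b"\x00"


# Constructed samples: a domain controller, where Windows policy requires
# signing by default, and a member server with the default "enabled only".
SAMPLES = {
    "dc01.example.test": build_sample_response(SIGNING_ENABLED | SIGNING_REQUIRED, 0x0311),
    "sql01.example.test": build_sample_response(SIGNING_ENABLED, 0x0302),
}


def audit(samples):
    """Run the classification over a {host: negotiate_response} mapping."""
    return [relay_exposure(host, data) for host, data in samples.items()]


if __name__ == "__main__":
    for result in audit(SAMPLES):
        print("%(host)s (SMB %(dialect)s): %(verdict)s" % result)
```

In practice the raw response comes from a scanner (nmap's smb2-security-mode script reports the same flags); the point of the parser is to show which bit matters. Every host that lands in the "relay_target" bucket is one the post's ntlmrelayx target list would contain, and the remediation is the same in all cases: require signing on servers and clients.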

By default, ntlmrelayx runs secretsdump if you do not specify a binary to execute.

Administrator hash

After a successful NTLM relay you'll find the file of hashes, named "IP_samhashes", in the directory from which you executed ntlmrelayx.

Using this administrator hash, I obtained DA with the infamous pass-the-hash technique using impacket's wmiexec.py.

Shell access to the Domain Controller
mitm6 + ntlmrelayx + pth = Domain Admin

In the scenario above, I was able to relay credentials from one network to another and retrieve an administrator hash that could be passed with wmiexec.py. This particular local administrator hash allowed me to gain Domain Admin without cracking the password, or even having a valid domain user account beforehand.

3. MS17-010

nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 <ip_netblock>

MS17-010 is 2018's "8067" (MS08-067).

4. Kerberoasting

The example below is from mubix's website:

root@wpad:~/impacket/examples# ./GetUserSPNs.py -dc-ip 192.168.168.10 sittingduck.info/notanadmin
Impacket v0.9.15-dev - Copyright 2002-2016 Core Security Technologies

Password:
ServicePrincipalName               Name       MemberOf                                         PasswordLastSet
---------------------------------- ---------- ------------------------------------------------ -------------------
http/win10.sittingduck.info        uberuser   CN=Domain Admins,CN=Users,DC=sittingduck,DC=info 2015-11-10 23:47:21
MSSQLSvc/WIN2K8R2.sittingduck.info sqladmin01                                                  2016-05-13 19:13:20
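The two rows above already contain everything a defender needs to rank the exposure: a service account in Domain Admins whose password is years old is the Kerberoast target that turns a crackable ticket into DA. The following added example (not part of mubix's post or of impacket) parses the GetUserSPNs output shown above and flags accounts that are members of a privileged group or whose password exceeds an assumed 365-day age limit; the group list and the threshold are assumptions for the example, and the sample text is the table from the post.

```python
import re
from datetime import datetime

# Sample input: the GetUserSPNs.py table shown above (from mubix's example).
SAMPLE_OUTPUT = """\
ServicePrincipalName               Name       MemberOf                                         PasswordLastSet
---------------------------------- ---------- ------------------------------------------------ -------------------
http/win10.sittingduck.info        uberuser   CN=Domain Admins,CN=Users,DC=sittingduck,DC=info 2015-11-10 23:47:21
MSSQLSvc/WIN2K8R2.sittingduck.info sqladmin01                                                  2016-05-13 19:13:20
"""

# SPN, account name, optional distinguished name, then the timestamp.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(CN=.*?)?\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")

# Hypothetical policy: groups whose members must never carry an SPN, and the
# maximum age of a service account password before it counts as a finding.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators", "Backup Operators"}
MAX_PASSWORD_AGE_DAYS = 365


def parse_spn_table(text):
    """Turn the textual table into a list of account dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                      # banner, header and separator lines
        spn, name, member_of, last_set = m.groups()
        rows.append({"spn": spn, "name": name, "member_of": member_of or "",
                     "password_last_set": datetime.strptime(last_set, "%Y-%m-%d %H:%M:%S")})
    return rows


def first_rdn(dn):
    """'CN=Domain Admins,CN=Users,...' -> 'Domain Admins'."""
    return dn.split(",")[0].split("=", 1)[1] if "=" in dn else ""


def audit_kerberoast_exposure(text, as_of):
    """Rank SPN accounts; as_of is an ISO date so results are reproducible."""
    reference = datetime.strptime(as_of, "%Y-%m-%d").date()
    findings = []
    for acct in parse_spn_table(text):
        age = (reference - acct["password_last_set"].date()).days
        reasons = []
        group = first_rdn(acct["member_of"])
        if group in PRIVILEGED_GROUPS:
            reasons.append("privileged group member: " + group)
        if age > MAX_PASSWORD_AGE_DAYS:
            reasons.append("password age %d days exceeds %d" % (age, MAX_PASSWORD_AGE_DAYS))
        findings.append({"name": acct["name"], "spn": acct["spn"],
                         "password_age_days": age, "reasons": reasons})
    # Worst first: most reasons, then oldest password.
    findings.sort(key=lambda f: (len(f["reasons"]), f["password_age_days"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in audit_kerberoast_exposure(SAMPLE_OUTPUT, "2018-01-01"):
        print(f["name"], f["spn"], f["password_age_days"], "; ".join(f["reasons"]) or "ok")
```

Against the sample, uberuser is reported first (Domain Admins member, password 783 days old) and sqladmin01 second (password 598 days old). The remediation for both is the same: move service accounts to group Managed Service Accounts or long random passwords, and never let a privileged account carry an SPN.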

5. mitm6

mitm6 is an incredibly powerful tool for obtaining and escalating privileges on your typical Windows broadcast network. When the other attacks above fail on their own, try chaining mitm6 with smbrelay or its default counterpart ntlmrelayx. Use your imagination, and harness the power of mitm6 to gain DA before lunch!

mitm6 spoofing

Usage with ntlmrelayx:
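mitm6 works because Windows hosts ask for DHCPv6 configuration even on networks that never deployed IPv6, and whoever answers gets to name the DNS server. That makes an unexpected DHCPv6 Advertise or Reply a high-signal event for a defender. The added example below (not code from mitm6 or from the post) parses DHCPv6 server messages captured by a sensor, and reports any server DUID or pushed DNS address that is not on an allow-list; the allow-lists, the DUIDs, the addresses and both sample messages are constructed assumptions.

```python
import socket
import struct

MSG_ADVERTISE, MSG_REPLY = 2, 7
OPT_SERVERID, OPT_DNS_SERVERS = 2, 23

# Hypothetical allow-lists. On a network with no IPv6 rollout (the situation
# mitm6 relies on) both would be empty, and every DHCPv6 server is a finding.
APPROVED_SERVER_DUIDS = {"00030001d4e5f6a7b8c9"}
APPROVED_DNS = {socket.inet_pton(socket.AF_INET6, "fd00:0:0:1::53")}


def parse_dhcpv6(data):
    """Return (msg_type, transaction_id, [(option_code, value), ...])."""
    if len(data) < 4:
        raise ValueError("truncated DHCPv6 message")
    msg_type = data[0]
    txid = int.from_bytes(data[1:4], "big")
    options, offset = [], 4
    while offset < len(data):
        if offset + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", data[offset:offset + 4])
        value = data[offset + 4:offset + 4 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options.append((code, value))
        offset += 4 + length
    return msg_type, txid, options


def audit_dhcpv6_server_message(data, src_ip):
    """Findings for one Advertise/Reply seen on the wire (e.g. by a sensor)."""
    msg_type, txid, options = parse_dhcpv6(data)
    if msg_type not in (MSG_ADVERTISE, MSG_REPLY):
        return []                                 # client messages are not audited
    findings = []
    duid = next((v.hex() for c, v in options if c == OPT_SERVERID), None)
    if duid not in APPROVED_SERVER_DUIDS:
        findings.append("unapproved DHCPv6 server %s (DUID %s, txid %06x)"
                        % (src_ip, duid, txid))
    for code, value in options:
        if code == OPT_DNS_SERVERS:                # one or more 16-byte addresses
            for i in range(0, len(value) - 15, 16):
                packed = value[i:i + 16]
                if packed not in APPROVED_DNS:
                    addr = socket.inet_ntop(socket.AF_INET6, packed)
                    findings.append("rogue DNS server %s pushed by %s" % (addr, src_ip))
    return findings


def build_sample_advertise(duid_hex, dns_addr, txid=0xABCDEF):
    """Constructed Advertise message, for offline testing only."""
    duid = bytes.fromhex(duid_hex)
    dns = socket.inet_pton(socket.AF_INET6, dns_addr)
    return (bytes([MSG_ADVERTISE]) + txid.to_bytes(3, "big")
            + struct.pack("!HH", OPT_SERVERID, len(duid)) + duid
            + struct.pack("!HH", OPT_DNS_SERVERS, len(dns)) + dns)


# Constructed samples: the approved server, and an unknown server on a
# link-local address that pushes itself as the only DNS resolver.
LEGIT = build_sample_advertise("00030001d4e5f6a7b8c9", "fd00:0:0:1::53")
ROGUE = build_sample_advertise("000300010a1b2c3d4e5f", "fe80::1")


if __name__ == "__main__":
    for name, msg, src in (("legit", LEGIT, "fe80::d6e5:f6ff:fea7:b8c9"),
                           ("rogue", ROGUE, "fe80::1")):
        print(name, audit_dhcpv6_server_message(msg, src) or ["no findings"])
```

A DNS server handed out on a link-local (fe80::/10) address is the tell-tale of an on-link machine answering for itself. Alerting on it is the detection side; the prevention side is DHCPv6 guard and RA guard on the switches, or disabling the DHCPv6 client on hosts that are not meant to use IPv6, together with the signing and WPAD hardening that removes the relay targets the chain depends on.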

References below: Many parts of this blog are directly cited and copied from the sources below. All credit goes to those whose amazing work I have either cited or used for obtaining Domain Admin in the realz.

Hack all things and be responsible !!!

https://isc.sans.edu/forums/diary/Using+nmap+to+scan+for+MS17010+CVE20170143+EternalBlue/22574

Adam is an offensive security engineer and red team operator with over 20 years of experience in IT

Adam Toscher