Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)

Adam Toscher
8 min readMar 9, 2018

--

A Scary Thought: I’ve worked in the Cyber ​​Security space performing a wide breadth of penetration and red team services for years. Yes it's still easy to get Domain Admin "before lunch" as it was when I first started pen-testing.

Back in September of 2013, Spider Labs wrote an article titled " Top Five Ways SpiderLabs Got Domain Admin on Your Internal Network " This article is written to compliment and serves as an unofficial “Part 2” to the original SpiderLabs Blog post.

  1. Netbios and LLMNR Name Poisoning

I wish I could say that Netbios / LLMNR is not as prevalent as it was in 2013; but a vast majority of assessments, result in assessors obtaining NTLMv1 &NTLMv2 hashes and recovering usable credentials. To assist you with cracking your intercepted hashes, there are now advanced frameworks to help with password brute forcing like hate_crack.

I personally had great success using a common word-list that can be obtained for a nominal fee: " uniqpass" and the out of box common hashcat ruleset "best64". But sometimes complex passwords are enforced, and you're left with no other option but to crack some hashes.

Responder, is arguably the go-to tool for all things related to mitm poisoning and spoofing. Its still actively maintained by Laurent Gaffie

Inveigh, is the native Windows .NET sibling of the Unix/Linux Python based Responder.

Inveigh its core is a .NET packet sniffer that listens for and responds to LLMNR / mDNS / NBNS requests while also capturing incoming NTLMv1 / NTLMv2 authentication attempts over the Windows SMB service.

Both man-in-the-middle tools are designed to assist penetration testers / red teamers that find themselves limited to a Windows system.

2. Relay attacks

The newer MultiRelay tool is maintained by: Laurent Gaffie, which is designed for seem-less integration with SMB relay attacks.

I personally prefer impacket's tools, for relaying and other penetration testing needs. Impacket's tools I found to be reliable and stable on most unixes and run natively on Mac OS. Comparatively to other free open source tools, they leave a relatively small forensic footprint when executed on a host (if you're worried about noise, are trying to be evasive, or have to fend off the Blue Team).

To prepare for some DA pwnage lets get impacket installed.

SMB Relaying explained:

smbrelayx.py

This module performs the SMB Relay attacks originally discovered by cDc. It receives the list of targets and for every connection received it will choose the next target and try to relay the credentials. Also, if specified, it will first authenticate against the client connecting to us.
It is implemented by invoking SMB and HTTP Server, hooking to a few functions and then using the smbclient portion. It is supposed to be working on any LM Compatibility level. The only way to stop this attack is to enforce the server SPN checks and or signing. If the authentication against the targets succeed, the client authentication success as well as a valid connection is set against the local smbserver. It's up to the user to set up the local smbserver functionality. One option is to set up shares with whatever files you want to the victim thinks it's connected to a valid SMB server. All that is done through the smb.conf file or programmatically.

NTLM Relaying explained

ntlmrelayx.py

NTLM Authentication is a challenge-response based protocol. Challenge-response protocols use a commonly shared secret, in this case the user password, to authenticate the client. The server sends a challenge, and the client replies with the response on this challenge. If the challenge matches the one calculated by the server, the authentication is accepted. The NTLM Authentication is a complex protocol, and how it is explained here is the simplification. A very good and detailed description can be found at http://davenport.sourceforge.net/ntlm.html

ntmlreayx and a randomized selection of targets

Both SMBRelay and the newer attacks take advantage of SMB signing, allowing a privileged user to authenticate via SMB / NTLM authentication mechanisms.

  • It is important to note that the targets contained in the list of Windows hosts on different networks. A nice trick of mine is to create your target lists of non smb signed hosts in a randomized fashion
  • The host below, which expedited me getting domain admin allowed domain users local admin access to a SQL server that shared the same local admin password with a Domain Controller

By default, ntlmrealyx runs secretsdumps if you do not specify a binary to execute.

Administrator hash

After a successful NTLM Relay you'll find the file with hashes named "IP_samhashes" in the directory where you executed ntmrelayx.

Using this administrator hash, I obtained DA with the infamous pass-the-hash technique 'using impacket's wmiexec.py

Shell access to the Domain Controller
mitm6 + ntlmrelayx + pth = Domain Amin

In the scenario above, I was able to relay credentials from one network to another and retrieve an administrator hash that could be passed with wmiexec.py. This particular local administrator hash allowed me to gain Domain administrator without cracking the password, or even having a valid Domain user account beforehand.

3. MS17-010

nmap -Pn -p445 - open - max-hostgroup 3 - smb-vuln-ms17-010 script <ip_netblock>

ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that uses seven Equation Group vulnerabilities. Petya is a ransomware program that first uses CVE-2017-0199, the vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.

2018's "8067"

4. Kerberoasting

I have had a lot of success with privilege escalation in an Active Directory domain environment using an attack called Kerberoasting. Tim Medin presented this technique at SANS Hackfest 2014 and since then there have been numerous awesome articles and conference talks on the details of the attack and tools written for different techniques to pull it off (reference links at the bottom of the post).

The Microsoft implementation of Kerberos can be a bit complicated, but the gist of the attack is that it takes advantage of legacy Active Directory support for older Windows clients and the type of encryption used and the key material used to encrypt and sign Kerberos tickets. Essentially, when a domain account is configured to run a service in the environment, such as MS SQL, the Service Principal Name (SPN) is used in the domain to associate the service with a login account. When a user wishes to use the specific resource they receive a Kerberos ticket signed with NTLM hash of the account that is running the service

Example below from mubix's website

root@wpad:~/impacket/examples# ./GetUserSPNs.py -dc-ip 192.168.168.10 sittingduck.info/notanadmin
Impacket v0.9.15-dev - Copyright 2002-2016 Core Security Technologies

Password:
ServicePrincipalName Name MemberOf PasswordLastSet
---------------------------------- ---------- ------------------------------------------------ -------------------
http/win10.sittingduck.info uberuser CN=Domain Admins,CN=Users,DC=sittingduck,DC=info 2015-11-10 23:47:21
MSSQLSvc/WIN2K8R2.sittingduck.info sqladmin01 2016-05-13 19:13:20

5. mitm6

Mitm6 is an incredibly powerful tool for obtaining and escalating privileges on your typical Windows broadcast network. When other attacks above fail on their own; try chaining smbrelay + mitm6 or it's default counterpart ntlmreayx. Use your imagination, and harness the power of mitm6 to gain DA before lunch!

mitm6 spoofing

Usage with ntlmrelayx:

mitm6 is designed to be used with ntlmrelayx. You should run the tools next to each other, in this scenario it will spoof the DNS, causing victims to connect to ntlmrelayx for HTTP and SMB connections. For this you have to make sure to run ntlmrelayx with the -6option, which will make it listen on both IPv4 and IPv6. To obtain credentials for WPAD, specify the WPAD hostname to spoof with -wh HOSTNAME(any non-existing hostname in the local domain will work since the DNS server is mitm6). Optionally you can also use the -wa Nparameter with a number of attempts to prompt for authentication for the WPAD file itself in case you suspect victims do not have the MS16-077 patch applied.

mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server. It does this by replying to DHCPv6 messages, providing victims with a link-local IPv6 address and setting the attackers host as default DNS server. The DNS server, mitm6 will selectively reply to DNS queries of the attackers choosing and redirect the victims traffic to the attacker machine instead of the legitimate server. For a full explanation of the attack, see our blog about mitm6 . Mitm6 is designed to work together with ntlmrelayx from impacket for WPAD spoofing and credential relaying.

Reference below: Many parts of this blog are directly cited and copied from the sources below. All credit goes to those, whose amazing work I have either cited or used for obtaining Domain Admin in the realz.

Hack all things and be responsible !!!

https://isc.sans.edu/forums/diary/Using+nmap+to+scan+for+MS17010+CVE20170143+EternalBlue/22574

--

--

Adam Toscher

Adam is a offensive security engineer and red team operator with over 20 years of experience in IT