The following blog post is nothing but a copy of an actual post by my friend on getting domain admin in an internal penetration test. It is very simple and easy to understand, so I thought of putting it on my website.
root@kali: python Responder.py -I eth1 -A
From the above screen we can see that the network looks vulnerable to LLMNR and NBT-NS poisoning. Firing up Responder with the respective flags, we captured the hashes of users over the network.
root@kali: python Responder.py -I eth1 -Pbv
Yay... we got some cleartext credentials of users using the WPAD flag (-w). But most of them were normal internal users; continuing to run Responder on the network, we captured the hash of a Servicedesk account.
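A defensive counterpart to the poisoning shown above, added here and not part of the original post: a canary probe that multicasts an LLMNR query for a random name that cannot exist on the segment, so any host that answers it is acting as a poisoner. It assumes only the LLMNR wire format (DNS-style messages sent over UDP 5355 to 224.0.0.252); the function names and the constructed sample reply are my own.

```python
import os
import socket
import struct

def build_llmnr_query(name, txid):
    # LLMNR reuses the DNS wire format: a 12-byte header plus one A/IN question.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
def _skip_name(data, off):
    # Offset just past a DNS name; labels are length-prefixed, 0xC0.. is a 2-byte pointer.
    while off < len(data) and 0 < data[off] < 0xC0:
        off += 1 + data[off]
    return off + (2 if off < len(data) and data[off] >= 0xC0 else 1)
def parse_llmnr_answers(data, txid):
    # IPv4 addresses a responder claims for our transaction; [] if this is not our reply.
    rid, flags, qd, an = struct.unpack("!HHHH", data[:8].ljust(8, b"\0"))  # pad short data
    if len(data) < 12 or rid != txid or not flags & 0x8000:  # our id + QR (response) bit
        return []
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # question = name + qtype + qclass
    for _ in range(an):
        off = _skip_name(data, off)
        if off + 10 > len(data):
            break  # truncated record: stop rather than raise
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off + 10:off + 14]))
        off += 10 + rdlen
    return addrs
def probe_for_poisoner(timeout=2.0):
    # Multicast a query for a random name that cannot exist: any answer is a poisoner.
    name, txid = "canary-" + os.urandom(4).hex(), int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), ("224.0.0.252", 5355))  # LLMNR group/port
    hits = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(512)
            if answers := parse_llmnr_answers(data, txid):
                hits.append((src, answers))  # (poisoner address, addresses it claimed)
    except socket.timeout:
        sock.close()
    return hits
# Constructed sample reply (not a real capture): a poisoner answers txid 0x1234 for
# "canary-deadbeef" with 10.0.0.66; the answer name is a pointer back to offset 12.
CONSTRUCTED_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0)
    + build_llmnr_query("canary-deadbeef", 0x1234)[12:]  # identical question section
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton("10.0.0.66"))
```

Run probe_for_poisoner() from a host on the segment under test; the lasting fix is still to disable LLMNR and NetBIOS name resolution through Group Policy so that the canary never gets an answer.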
Then we cracked the hash using Hashcat with the aid of a dictionary file. Now it's time to abuse the cracked Servicedesk credentials to dig deeper into the infrastructure. So, using the trick explained by @sixdb in his article, we used the /netonly flag with runas.exe. This allowed us to launch cmd.exe running in the context of the domain user (Servicedesk) from a non-domain-joined system.
Once connected, you can run various tools; we used PowerSploit to dump more information about the domain as an authenticated user. We enumerated information about the Domain Controllers and Domain Admins in the infrastructure.
Now we needed to find a path to compromise a Domain Admin account, and for this we used BloodHound. It helps reveal the hidden and often unintended relationships within an Active Directory environment, in turn expediting the escalation process.
BloodHound generates 3 CSV files for visualization.
Using the visualization generated by BloodHound, we found the “Shortest Path to Domain Admins”.
The generated graph shows the number of hops required to reach a machine where a Domain Admin is logged in. Hence, using our cmd.exe access, we can run Invoke-Mimikatz.ps1 to dump credentials from the first-hop server. But nowadays all AV engines flag these scripts.
So, in order to bypass AV detection, we used Lazykatz. It is an automation developed to extract credentials from remote targets protected with AV and/or application whitelisting software, built on top of @subtee's work.
Running Lazykatz with the Servicedesk account against the first-hop server, we got the cleartext credentials of one of the members of the Domain Admin group. Using those credentials, we added our user to the Domain Admin group.
Finally, we are a member of the Domain Admin group. Happy Hunting.