Active Recon

Goal: Enumerate the internal network, identifying hosts, critical services, and potential avenues for a foothold.

The key data points we are looking for here are:

AD Users

We are trying to enumerate valid user accounts we can target for password spraying.

AD Joined Computers

Key Computers include Domain Controllers, file servers, SQL servers, web servers, Exchange mail servers, database servers, etc.

Key Services

Kerberos, NetBIOS, LDAP, DNS

Vulnerable Hosts and Services

Anything that can be a quick win (a.k.a. an easy host to exploit and gain a foothold).

Traffic Analysis

We can start by capturing network traffic to get information on IP addresses, internal DNS servers, etc. We can use tools like Wireshark if there is a GUI; if not, we can use tcpdump, net-creds, and NetMiner. All recent Windows 10 versions have a built-in program, pktmon.exe, that we can also use. It's a good idea to save whatever we capture as a .pcap file for later analysis.

We can use Responder to analyze network traffic and determine whether anything else in the domain pops up. We can run it in Analyze mode:

sudo responder -I ens224 -A

We can perform a quick ICMP sweep of the subnet using fping. Here is an example:

fping -asgq 172.16.5.0/23

-a shows targets that are alive, -s prints stats at the end of the scan, -g generates the target list from the CIDR network, and -q suppresses per-target results.

Enumerate Services

Next, we want to look at which services each host is running and find critical hosts such as Domain Controllers, web servers, etc. We should look for the AD services they run, such as DNS, LDAP, SMB, Kerberos, etc. Here is an example nmap scan:

sudo nmap -v -A -iL hosts.txt -oN /home/htb-student/Documents/host-enum

The -A (aggressive scan options) flag performs several functions. One of the most important is a quick enumeration of well-known ports, including web services, domain services, etc.

Enumerate User Credentials

The next step would be finding users and user credentials. Kerbrute can be a stealthier option for domain account enumeration. It takes advantage of the fact that Kerberos pre-authentication failures often will not trigger logs or alerts. Here is how to install it:

sudo git clone https://github.com/ropnop/kerbrute.git

We can use a username list, for example from https://github.com/ropnop/kerbrute.

kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users.txt
awk -F'[: ]+' '/VALID USERNAME/ {split($NF, a, "@"); print a[1]}' valid_ad_users.txt > usernames.txt
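The "stealth" of kerbrute userenum depends on the DC's audit policy: when "Audit Kerberos Authentication Service" is enabled, every wordlist name that is not a real account produces a 4768 event with status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from the same client address. Below is an added Python example (not part of the original notes) that flags this pattern; the sample records, field layout, IPs and usernames are all constructed to resemble 4768 events and are not real log output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records modelled on Windows Security event 4768 (TGT
# requested). Status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN for a nonexistent
# name; 0x19 (pre-auth required) is the normal reply for an existing user.
SAMPLE_4768 = """\
2024-03-01T10:00:01 EventID=4768 TargetUserName=jsmith ClientAddress=::ffff:172.16.5.225 Status=0x19
2024-03-01T10:00:01 EventID=4768 TargetUserName=bjones ClientAddress=::ffff:172.16.5.225 Status=0x6
2024-03-01T10:00:02 EventID=4768 TargetUserName=tgreen ClientAddress=::ffff:172.16.5.225 Status=0x6
2024-03-01T10:00:02 EventID=4768 TargetUserName=mlee ClientAddress=::ffff:172.16.5.225 Status=0x6
2024-03-01T10:00:03 EventID=4768 TargetUserName=kwhite ClientAddress=::ffff:172.16.5.225 Status=0x6
2024-03-01T10:00:03 EventID=4768 TargetUserName=pdavis ClientAddress=::ffff:172.16.5.225 Status=0x6
2024-03-01T10:05:40 EventID=4768 TargetUserName=jsmtih ClientAddress=::ffff:172.16.5.130 Status=0x6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4768 TargetUserName=(?P<user>\S+) "
    r"ClientAddress=(?P<ip>\S+) Status=(?P<status>0x[0-9a-fA-F]+)$"
)

def parse_4768(text):
    """Parse 4768 records from the constructed format; non-matching lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "user": m["user"],
                           "ip": m["ip"].removeprefix("::ffff:"),
                           "status": int(m["status"], 16)})
    return events

def detect_userenum(events, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> sorted unknown usernames for any client that produced
    at least `threshold` status-0x6 results inside one sliding `window`."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["status"] == 0x6:
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1  # drop failures older than the window
            if end - start + 1 >= threshold:
                alerts[ip] = sorted({f["user"] for f in fails})
                break
    return alerts
```

A single typo from 172.16.5.130 stays below the threshold, while the burst of unknown principals from 172.16.5.225 is reported with the names that were tried.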

Note: The local system account NT AUTHORITY\SYSTEM is a built-in account in Windows operating systems. It has the highest level of access in the OS and is used to run most Windows services. It is also very common for third-party services to run in the context of this account by default. A SYSTEM account on a domain-joined host will be able to enumerate Active Directory by impersonating the computer account, which is essentially just another kind of user account. Having SYSTEM-level access within a domain environment is nearly equivalent to having a domain user account.

There are several ways to gain SYSTEM-level access on a host, including but not limited to:

  • Remote Windows exploits such as MS08-067, EternalBlue, or BlueKeep.

  • Abusing a service running in the context of the SYSTEM account, or abusing the service account's SeImpersonate privilege using Juicy Potato. This type of attack is possible on older Windows OS versions but not always possible with Windows Server 2019.

  • Local privilege escalation flaws in Windows operating systems such as the Windows 10 Task Scheduler 0-day.

  • Gaining admin access on a domain-joined host with a local account and using PsExec to launch a SYSTEM cmd window.

By gaining SYSTEM-level access on a domain-joined host, you will be able to perform actions such as, but not limited to:

  • Enumerate the domain using built-in tools or offensive tools such as BloodHound and PowerView.

  • Perform Kerberoasting / ASREPRoasting attacks within the same domain.

  • Run tools such as Inveigh to gather Net-NTLMv2 hashes or perform SMB relay attacks.

  • Perform token impersonation to hijack a privileged domain user account.

  • Carry out ACL attacks.
