Credentialed Enumeration - from Linux
We are interested in information about domain user and computer attributes, group membership, Group Policy Objects, permissions, ACLs, trusts, and more.
CrackMapExec
Using -h we can see that we can use the tool with MSSQL, SMB, SSH, and WinRM credentials. CME also offers a help menu for each protocol.
Some flags we might be interested in:
-u Username: the user whose credentials we will use to authenticate
-p Password: the user's password
Target (IP or FQDN): the target host to enumerate (in our case, the Domain Controller)
--users: enumerate domain users
--groups: enumerate domain groups
--loggedon-users: attempt to enumerate which users are logged on to a target, if any
For domain users enumeration:
sudo crackmapexec smb 172.16.5.5 -u $username -p $password --users
This provides user information, including data points such as the badPwdCount attribute. This is helpful when performing actions like targeted password spraying: we could build a target user list filtering out any users with a badPwdCount attribute above 0, to be extra careful not to lock any accounts out.
For domain group enumeration:
sudo crackmapexec smb 172.16.5.5 -u $username -p $password --groups
This lists the groups within the domain and the number of users in each. We can begin to note down groups of interest. Take note of key groups like Administrators, Domain Admins, Executives, any groups that may contain privileged IT admins, etc. These groups will likely contain users with elevated privileges worth targeting during our assessment.
Enumerating logged-on users:
sudo crackmapexec smb 172.16.5.130 -u $username -p $password --loggedon-users
If the current user is a local admin on the target, CME shows (Pwn3d!) beside the username.
Searching shares:
sudo crackmapexec smb 172.16.5.5 -u $username -p $password --shares
If this reveals that our current user has READ access to file shares, we can use the spider_plus module to dig through each readable share and its directories. For example:
sudo crackmapexec smb 172.16.5.5 -u $username -p $password -M spider_plus --share 'Department Shares'
When completed, CME writes the results to a JSON file located at /tmp/cme_spider_plus/<ip of host>.
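Reading the spider_plus result file by hand gets tedious on a large share, so here is an added example (not code from the notes or from the CME project) that summarises it per share and flags file names that deserve review. It assumes the JSON layout spider_plus writes: a top-level object keyed by share name whose values map each file path to a small dict of attributes (size, mtime_epoch, ...). The sample document is constructed in that assumed shape so the script runs offline; on an engagement, point summarise_file() at the real file under /tmp/cme_spider_plus/.

```python
"""Summarise a CrackMapExec spider_plus result file.

Added example; assumes the spider_plus JSON layout described in the lead-in.
"""
import json
import re
from collections import defaultdict

# Constructed sample in the assumed spider_plus shape (not real tool output).
SAMPLE_JSON = json.dumps({
    "Department Shares": {
        "IT/Private/Development/web.config": {"size": "2 KB", "mtime_epoch": "2022-01-10 09:12:00"},
        "HR/Private/salaries.xlsx": {"size": "41 KB", "mtime_epoch": "2022-02-02 15:30:00"},
        "Marketing/Public/logo.png": {"size": "120 KB", "mtime_epoch": "2021-11-20 11:00:00"},
        "IT/Private/passwords.txt": {"size": "1 KB", "mtime_epoch": "2022-03-01 08:00:00"},
    },
    "Public": {
        "readme.txt": {"size": "300 B", "mtime_epoch": "2020-05-05 10:00:00"},
    },
})

# File-name patterns that usually warrant a closer look in a share-permission audit.
SENSITIVE_PATTERNS = re.compile(
    r"(passw|secret|\.config$|\.xlsx$|\.kdbx$|\.pem$|\.key$)", re.IGNORECASE
)


def summarise(results: dict) -> dict:
    """Return, per share, the file count, a count per top-level directory,
    and the sorted list of paths matching SENSITIVE_PATTERNS."""
    summary = {}
    for share, files in results.items():
        flagged = sorted(p for p in files if SENSITIVE_PATTERNS.search(p))
        top_dirs = defaultdict(int)
        for path in files:
            # Files in the share root are grouped under "."
            top_dirs[path.split("/", 1)[0] if "/" in path else "."] += 1
        summary[share] = {
            "files": len(files),
            "by_top_dir": dict(top_dirs),
            "flagged": flagged,
        }
    return summary


def summarise_file(path: str) -> dict:
    """Load a spider_plus result file from disk and summarise it."""
    with open(path, encoding="utf-8") as fh:
        return summarise(json.load(fh))


if __name__ == "__main__":
    for share, info in summarise(json.loads(SAMPLE_JSON)).items():
        print(f"[{share}] {info['files']} files, by top-level dir: {info['by_top_dir']}")
        for p in info["flagged"]:
            print(f"    review: {p}")
```

The per-directory counts show where a low-privileged account's READ access actually reaches, which is what the share owners need when tightening permissions; the pattern list is a starting point and should be extended with the organisation's own naming conventions.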
SMBMap
SMBMap is great for enumerating SMB shares from a Linux attack host. It can be used to gather a listing of shares, permissions, and share contents if accessible. Once access is obtained, it can be used to download and upload files and execute remote commands.
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5
We can also do a recursive listing of a specific directory, showing only its sub-directories:
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R 'Department Shares' --dir-only
rpcclient
rpcclient is a handy tool created for use with the Samba protocol and to provide extra functionality via MS-RPC. It can enumerate, add, change, and even remove objects from AD.
As we did previously to leverage an SMB NULL session:
rpcclient -U "" -N 172.16.5.5
From here we can enumerate many different things.
To enumerate RIDs for all domain users:
enumdomusers
If we know the RID of an object such as a user, we can enumerate details about it with:
queryuser 0x457
Some objects have fixed, well-known RIDs: for example, the built-in domain Administrator always has RID 0x1f4 (500 in decimal).
Impacket Toolkit
Impacket is a versatile toolkit that provides us with many different ways to enumerate, interact, and exploit Windows protocols and find the information we need using Python.
One of the most useful tools in the Impacket suite is psexec.py. Psexec.py is a clone of the Sysinternals psexec executable, but works slightly differently from the original. The tool creates a remote service by uploading a randomly-named executable to the ADMIN$ share on the target host. It then registers the service via RPC and the Windows Service Control Manager. Once established, communication happens over a named pipe, providing an interactive remote shell as SYSTEM on the victim host.
Note: To connect to a host with psexec.py, we need credentials for a user with local administrator privileges.
psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125
This lands us in the system32 folder, and typing whoami shows that we are running as SYSTEM.
Wmiexec.py utilizes a semi-interactive shell where commands are executed through Windows Management Instrumentation. It does not drop any files or executables on the target host and generates fewer logs than other modules. After connecting, it runs as the local admin user we connected with (this can be less obvious to someone hunting for an intrusion than seeing SYSTEM executing many commands). This is a more stealthy approach to execution on hosts than other tools, but would still likely be caught by most modern anti-virus and EDR systems.
wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5
Note: The downside is that if a vigilant defender checks the event logs and looks at event ID 4688 (A new process has been created), they will see a new process created to spawn cmd.exe and issue a command. This isn't always malicious activity, since many organizations use WMI to administer computers, but it can be a tip-off in an investigation.
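The two host-side artefacts described above (psexec.py's randomly named service binary in ADMIN$, and wmiexec.py's cmd.exe spawned through WMI) are what a defender would look for. Here is an added example of that triage logic, not code from the notes or from Impacket; it runs over constructed sample events in a simplified dict form (field names follow the Windows event schema, but these are not real logs). It assumes psexec.py's service and binary names are short, letters-only random strings; legitimate services such as Sysinternals' own PSEXESVC or Sysmon do not fit that pattern, which is the point of the check.

```python
"""Flag psexec.py / wmiexec.py artefacts in Windows event data (added example).

Checks:
  * System 7045 (service installed): a service whose image path is a
    letters-only, randomly named .exe dropped straight into %SystemRoot%
    (what the ADMIN$ share maps to), as psexec.py creates.
  * Security 4688 (process created): cmd.exe whose parent is WmiPrvSE.exe,
    the WMI provider host that wmiexec.py drives.
"""
import re

# Constructed sample events, not real log export.
EVENTS = [
    {"EventID": 7045, "ServiceName": "fLkTpGcy",
     "ImagePath": r"%SystemRoot%\fLkTpGcy.exe", "Account": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe", "Account": "LocalSystem"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "SubjectUserName": "wley"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "SubjectUserName": "wley"},
]

# Assumed pattern: 4-8 random letters, .exe, directly under %SystemRoot% (no subfolder).
RANDOM_SVC_IMAGE = re.compile(
    r"^(?:%SystemRoot%|C:\\Windows)\\([A-Za-z]{4,8})\.exe$", re.IGNORECASE
)
RANDOM_SVC_NAME = re.compile(r"^[A-Za-z]{4,8}$")


def is_random_admin_share_service(ev: dict) -> bool:
    """7045 with a randomly named binary in ADMIN$ and a matching random service name."""
    if ev.get("EventID") != 7045:
        return False
    image_ok = RANDOM_SVC_IMAGE.match(ev.get("ImagePath", "")) is not None
    name_ok = RANDOM_SVC_NAME.match(ev.get("ServiceName", "")) is not None
    return image_ok and name_ok


def is_wmi_spawned_shell(ev: dict) -> bool:
    """4688 where the WMI provider host spawned cmd.exe."""
    if ev.get("EventID") != 4688:
        return False
    parent = ev.get("ParentProcessName", "").lower()
    child = ev.get("NewProcessName", "").lower()
    return parent.endswith("\\wmiprvse.exe") and child.endswith("\\cmd.exe")


def triage(events: list) -> list:
    """Return (index, label, detail) for every event that matches a check."""
    hits = []
    for i, ev in enumerate(events):
        if is_random_admin_share_service(ev):
            hits.append((i, "psexec-style service install", ev["ServiceName"]))
        elif is_wmi_spawned_shell(ev):
            hits.append((i, "WMI-spawned cmd.exe", ev["SubjectUserName"]))
    return hits


if __name__ == "__main__":
    for idx, label, detail in triage(EVENTS):
        print(f"event[{idx}]: {label} ({detail})")
```

Event 4688 is only written when Audit Process Creation is enabled, and the spawned command line is only recorded if "Include command line in process creation events" is turned on as well; without both, the 4688 check above has nothing to match. Baseline WMI usage by the organisation's management tooling first, otherwise the second check will page on routine administration.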
Windapsearch
Windapsearch is another handy Python script we can use to enumerate users, groups, and computers from a Windows domain by utilizing LDAP queries.
We have several options with Windapsearch to perform standard enumeration (dumping users, computers, and groups) and more detailed enumeration, such as the --da option (enumerate Domain Admins group members) and the -PU option (find privileged users). The -PU option is interesting because it performs a recursive search for users with nested group membership.
Searching domain admins:
python3 windapsearch.py --dc-ip 172.16.5.5 -u [email protected] -p password123 --da
Searching for privileged users:
python3 windapsearch.py --dc-ip 172.16.5.5 -u [email protected] -p password123 -PU
Bloodhound.py
The tool consists of two parts: a collector (also referred to as an ingestor), which is SharpHound, written in C#, on Windows systems, or for this section the BloodHound.py collector, and the BloodHound GUI, which allows us to upload the collected data in the form of JSON files. Once uploaded, we can run various pre-built queries or write custom queries using the Cypher language. The tool collects data from AD such as users, groups, computers, group membership, GPOs, ACLs, domain trusts, local admin access, user sessions, computer and user properties, RDP access, WinRM access, etc.
The tool accepts various collection methods via the -c or --collectionmethod flag. Here is an example of running bloodhound-python with the all option to collect as much data as possible:
sudo bloodhound-python -u 'username' -p 'password123' -ns 172.16.5.5 -d inlanefreight.local -c all
We can then run sudo neo4j start to start the neo4j service, firing up the database we'll load the data into and run Cypher queries against.
Once all of the above is done, we should have the BloodHound GUI tool loaded with a blank slate. Now we need to upload the data. We can either upload each JSON file one by one, or zip them first with a command such as zip -r ilfreight_bh.zip *.json and upload the zip file. We do this by clicking the Upload Data button on the right side of the window. When the file browser window pops up, choose the zip file (or each JSON file) and hit Open.
After that we can run queries that are pre-built on the left side such as Find Shortest Paths To Domain Admins.
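A collection that was interrupted (for example by a DNS or LDAP timeout against -ns) can leave a truncated JSON file that the GUI rejects at upload time, after the zip has been built. The following is an added example, not code from the notes or from the BloodHound project, that sanity-checks the collector output and builds the zip from Python. It assumes the layout bloodhound-python writes: each file holds {"data": [...], "meta": {"type": "<object type>", "count": N, "version": V, ...}}. A small set of files in that assumed layout is written to a temporary directory so the script runs offline; on an engagement, call check_collection() and zip_collection() on the directory holding the real output.

```python
"""Check bloodhound-python JSON output and zip it for upload (added example).

Assumes each output file has a "data" list and a "meta" object whose "count"
equals len(data); a file that violates that is reported instead of zipped.
"""
import json
import os
import tempfile
import zipfile


def check_collection(directory: str) -> dict:
    """Return {object_type: count} over every *.json file in the directory.
    Raise ValueError for a file whose meta.count does not match its data length."""
    found = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".json"):
            continue
        with open(os.path.join(directory, name), encoding="utf-8") as fh:
            doc = json.load(fh)
        meta = doc.get("meta", {})
        data = doc.get("data", [])
        if "type" not in meta or meta.get("count") != len(data):
            raise ValueError(
                f"{name}: meta/data mismatch (count={meta.get('count')}, data={len(data)})"
            )
        found[meta["type"]] = found.get(meta["type"], 0) + len(data)
    return found


def zip_collection(directory: str, out_name: str = "ilfreight_bh.zip") -> list:
    """Zip every *.json file in the directory (flat, like zip -r ... *.json)
    into directory/out_name and return the archived file names."""
    names = sorted(n for n in os.listdir(directory) if n.endswith(".json"))
    with zipfile.ZipFile(os.path.join(directory, out_name), "w", zipfile.ZIP_DEFLATED) as zf:
        for n in names:
            zf.write(os.path.join(directory, n), arcname=n)
    return names


def make_sample_dir() -> str:
    """Write constructed files in the assumed layout (not real collector output)."""
    d = tempfile.mkdtemp(prefix="bh_sample_")
    samples = {
        "20220101_users.json": {
            "data": [
                {"Properties": {"name": "WLEY@INLANEFREIGHT.LOCAL"}},
                {"Properties": {"name": "FOREND@INLANEFREIGHT.LOCAL"}},
            ],
            "meta": {"type": "users", "count": 2, "version": 5},
        },
        "20220101_groups.json": {
            "data": [{"Properties": {"name": "DOMAIN ADMINS@INLANEFREIGHT.LOCAL"}}],
            "meta": {"type": "groups", "count": 1, "version": 5},
        },
    }
    for name, doc in samples.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            json.dump(doc, fh)
    return d


if __name__ == "__main__":
    sample = make_sample_dir()
    print(check_collection(sample))
    print(zip_collection(sample))
```

Run check_collection() first and only zip when it returns; the returned per-type counts are also a quick plausibility check against what CME's --users and --groups output reported earlier, since a collection that saw far fewer objects than those commands usually means the collector was cut off.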