How I got domain admin?

Hi guys, I want to show you, step by step, how I got domain admin during an internal pentest. I will obfuscate most of the sensitive information. Note that I will not go into details on how to use the tools; if you want that, I can make a tutorial for each tool used in this post: leave a comment on Twitter or send some feedback. I'll call the company/victim XXX.

Arriving at the company, and properly positioned on their internal network (near a coffee machine =] and with the network cable working correctly =P), I did network reconnaissance using nmap. Right after confirming that the network was mostly Windows, I used the tool Responder (more info: https://github.com/lgandx/Responder) to obtain hashes from users of the internal network by poisoning LLMNR and NBT-NS requests, as in the image below:

[image]

After getting some user hashes, the next step was to use John the Ripper (more info: https://www.openwall.com/john/) to crack the hashes found; see the image below:

[image]

The next step was to obtain credentials with greater privileges. To accomplish this, I used the tool crackmapexec with the mimikatz module:

$ crackmapexec <ips> -u USER -p 'M' -M mimikatz

(more info: https://github.com/byt3bl33d3r/CrackMapExec) with the users and passwords recovered with John and Responder, as in the following image:

[image]

The next step was to authenticate to the 172.xx.xx.60 server via Remote Desktop with a user recovered with crackmapexec:

[image]

After searching for a while on the machine accessed via Remote Desktop, I was able to find a .vbs file containing credentials with administrative privileges on 80% of the network:

[image]
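A .vbs file with domain-wide admin credentials is exactly what a defender should find before a tester does. As an added example (not from the original post or any tool it mentions), here is a small Python scanner that flags hard-coded credentials in logon/admin scripts and masks the secret in its report; the sample script, account names and regex patterns are constructed for illustration.

```python
import re
from typing import List, Tuple

# Regexes for common ways logon/admin scripts embed a secret; group 1 is the
# secret so the report can mask it. Constructed for this example, extend for
# the script languages used in your own environment.
CREDENTIAL_PATTERNS = [
    ("password literal assigned to a variable",
     re.compile(r'\b\w*(?:pass|pwd)\w*\s*=\s*"([^"]+)"', re.I)),
    ("net use with inline password",
     re.compile(r'\bnet\s+use\b.*?/user:\S+\s+([^\s"\']+)', re.I)),
    ("MapNetworkDrive with literal user and password",
     re.compile(r'MapNetworkDrive\b.*,\s*"[^"]*"\s*,\s*"([^"]+)"\s*$', re.I)),
]

def find_hardcoded_credentials(script_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, finding, masked_line) for each line that embeds a secret."""
    findings = []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        for label, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group(1)
            if secret == "*":  # "net use ... /user:x *" prompts; no secret on disk
                continue
            # Mask the secret so the report itself does not become a credential store.
            masked = line.replace(secret, "*" * len(secret)).strip()
            findings.append((line_no, label, masked))
            break  # one finding per line is enough
    return findings

# Constructed sample logon script (hypothetical, not the file from the engagement).
SAMPLE_VBS = r'''
' mapdrives.vbs - deployed by GPO to every workstation
Set objNetwork = CreateObject("WScript.Network")
strUser = "XXX\svc_deploy"
strPassword = "Summer2019!"
objNetwork.MapNetworkDrive "H:", "\\fs01\home", False, strUser, strPassword
objNetwork.MapNetworkDrive "S:", "\\fs01\shared"
objNetwork.MapNetworkDrive "P:", "\\fs03\print", False, "XXX\svc_print", "Pr1nt3r!"
objShell.Run "cmd /c net use T: \\fs02\tools /user:XXX\helpdesk Welcome1", 0, True
objShell.Run "cmd /c net use U: \\fs02\users /user:XXX\helpdesk *", 0, True
'''

if __name__ == "__main__":
    for line_no, label, masked in find_hardcoded_credentials(SAMPLE_VBS):
        print(f"line {line_no}: {label}: {masked}")
```

Run it over a copy of the scripts on NETLOGON/SYSVOL and software-deployment shares; every hit is a credential to rotate and move into a vault or a managed service account.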

The next step was to use crackmapexec again with this username and password, and with that I was able to access a machine that had a session from a user in the DOMAIN ADMINS group. The following image shows access to the machine with the user recovered from the .vbs script:

[image]

The next step was to use Metasploit and its impersonate module to impersonate the user xxxxxes, who was part of the Domain Admins group:

[image]

After impersonating the user xxxxxxes, his session was used to create a user for me in the Domain Admins group:

[image]

That’s all, folks :)

Questions? Send them on Twitter to @incogbyte.

<3

Written on January 23, 2020