How I got domain admin?
Hi guys, I want to show you, step by step, how I got domain admin during an internal pentest. I will obfuscate most of the sensitive information. Note that I will not go into detail on how to use the tools; if you want that, I can make a tutorial for each tool used in this post, so leave a comment, reach out on Twitter, or leave some feedback. I'll call the company/victim XXX.
Arriving at the company and properly positioned on their internal network (near a coffee machine =] and with the network cable working correctly =P), I did network reconnaissance using nmap. Right after confirming that the network was mostly Windows, I used the tool called Responder (more info: https://github.com/lgandx/Responder) to obtain hashes from users on the internal network by poisoning LLMNR and NBT-NS requests, as in the image below:
After getting some user hashes, the next step was to use the John the Ripper tool (more info: https://www.openwall.com/john/) to crack the captured hashes; see the image below:
The next step was to obtain credentials with greater privilege. To accomplish this, I used the tool crackmapexec with the mimikatz module:
$ crackmapexec <ips> -u USER -p 'M' -M mimikatz
(more info: https://github.com/byt3bl33d3r/CrackMapExec), using the users and passwords recovered with John and Responder, as in the following image:
The next step was to authenticate to the 172.xx.xx.60 server over Remote Desktop with a user recovered with crackmapexec:
After searching for a while on the machine accessed via Remote Desktop, I was able to find a .vbs file containing credentials with administrative privileges on 80% of the network:
The next step was to use crackmapexec again with this username and password; with that, I was able to access a machine that had a session from a user in the DOMAIN ADMINS group. The following image shows the access to the machine with the user recovered from the .vbs script:
The next step was to use Metasploit and its impersonate module to impersonate the user xxxxxes, who was part of the Domain Admins group:
After impersonating the user xxxxxxes, his session was used to create a user for me in the Domain Admins group:
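One way a blue team can catch that last step, as an added example that is not part of the original post: correlate Windows Security events 4720 (account created) and 4728 (member added to a security-enabled global group) so that a brand-new account landing in Domain Admins within minutes of its creation raises a high-severity alert, while an existing account being promoted is reported at lower severity. The log lines, account names and the simplified field layout are constructed for this example, not raw Windows event XML.

```python
import re
from datetime import datetime, timedelta

# Windows Security event IDs: 4720 = user account created,
# 4728 = member added to a security-enabled global group.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
WINDOW = timedelta(hours=1)

# Constructed sample log lines (not from the post), reduced to the fields a SIEM
# would extract: timestamp, event id, acting account, target account, group.
SAMPLE_EVENTS = [
    r"2019-05-10T14:02:11 id=4720 actor=XXX\svc_backup target=XXX\newadmin",
    r"2019-05-10T14:02:40 id=4728 actor=XXX\svc_backup target=XXX\newadmin group=Domain Admins",
    r"2019-05-10T09:15:00 id=4720 actor=XXX\helpdesk target=XXX\jdoe",
    r"2019-05-11T08:00:00 id=4728 actor=XXX\helpdesk target=XXX\jdoe group=Domain Users",
    r"2019-05-10T16:30:00 id=4728 actor=XXX\dcadmin target=XXX\olduser group=Domain Admins",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) id=(?P<id>\d+) actor=(?P<actor>\S+) "
                     r"target=(?P<target>\S+)(?: group=(?P<group>.+))?$")

def parse(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["id"] = int(ev["id"])
    return ev

def find_fresh_privileged_accounts(lines, window=WINDOW):
    """One alert per addition to a privileged group: 'high' when the account was
    created within `window` beforehand (the footprint of the post's last step),
    'medium' for an existing account being promoted."""
    events = [e for e in (parse(l) for l in lines) if e]
    created = {e["target"]: e for e in events if e["id"] == 4720}
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] != 4728 or e["group"] not in PRIVILEGED_GROUPS:
            continue
        c = created.get(e["target"])
        fresh = c is not None and timedelta(0) <= e["ts"] - c["ts"] <= window
        alerts.append({
            "severity": "high" if fresh else "medium",
            "account": e["target"], "actor": e["actor"], "group": e["group"],
            "seconds_since_creation": int((e["ts"] - c["ts"]).total_seconds()) if fresh else None,
        })
    return alerts
```

Running `find_fresh_privileged_accounts(SAMPLE_EVENTS)` on the constructed lines yields a high-severity alert for the account created 29 seconds before joining Domain Admins and a medium one for the pre-existing account; the Domain Users addition is ignored.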
That’s all, folks :)
Questions? Send them on Twitter: @incogbyte