Continuing from our previous post, Defending Against Common Attacks, the next step was to utilize the newly created local administrator account, ripleye. With this project’s goal of compromising a domain administrator account.
First, we used Justin’s tool, Neko, to conduct local machine reconnaissance, which gave information about network configurations, processes running, local accounts, services and their permissions.
We found a service had been created on this machine, Backup Service, which had a domain service account tied to this process. This was our first high-value target, a domain account with privileges that were likely to be higher than a standard user.
Our next step was to dump the credentials of the backupsvc account using everyone’s favorite, Mimikatz. This was made easier because our local account was an administrator. For those not familiar with Mimikatz, Adsecurity has a great write-up on the tool, its usage, and protections for it. For this lab, we used the following commands:
- log notes.txt – The name of our output file
- privilege::debug – Gets debug rights, for Mimikatz this or System are required for most commands
- token::elevate – Impersonates a token, used to get SYSTEM on the machine
- sekurlsa::logonpasswods – Lists all provider credentials and recently logged on users and computers
We were able to get the NTLM hash for the backupsvc account and ran it through a password cracker, and found that the password for the account – Superman123.
Now that we had domain credentials, the next step for our attack was to use these credentials to conduct additional domain reconnaissance with the goal of moving laterally and elevating our privileges further. For this, we again used Neko and its LDAP recon functionality.
Viewing the results, we were looking for any user that was part of an administrators group and to confirm that, anything with an AdminCount of 1. Admin count is a great way to see accounts that are or may have previously been administrators, and if used on its own, can be a quiet way of determining high-value targets on the network. In this instance, we found Indiana Jones, a member of Domain Admins, an AdminCount of 1, and best of all, they hadn’t logged on to the domain for a couple of days.
Now it was time to figure out what machine(s) this domain administrator may have logged in to, we used Neko’s network IP scanning functionality, specifically on port 135, which also launches of a slew of WMI information gathering commands upon a successful connection. In this case, we found a 2012 Server machine that Indy had logged in to. It was now clear where we needed to move laterally to gain access to the credentials for this account.
Next, we used Neko’s LDAP Computer Recon to check when this target machine was last logged into, so that we could confirm no one was actively using it, in the chance that they might notice our presence.
As our target machine is a server, we decided to conduct another scan using Neko to see if 3389 or other common ports might be open, in this case, Remote Desktop was enabled on the server. We then downloaded NLBrute, a RDP brute forcing tool and specified the machine we wanted to target. Then, based off previous LDAP User Recon, we saw that the default administrator account was enabled on this machine, so that was specified as the user. Last, we gave NLBrute a password .txt file to use.
In short order, NLBrute was able to brute force the local administrator password (for our lab we just kept it the same for simplicity).
We then were able to open Remote Desktop and successfully authenticate to the target machine.
Upon successfully logging into the target machine, which we know Indy has logged into previously, we can then repeat our steps using Mimikatz on this machine, only now we will get the password hash for a domain admin account. There are significant portions of this attack that are preventable, however, this attack was done on in a test setting that replicates common real-world configurations that due to misconceptions about what privileges are required for fully-functional environments.