Domain Admin: Bloodhound, Mimikatz, Pass-The-Hash & Golden ticket.

Captions
I've been asked so many times to demonstrate Active Directory hacking, and now I've stumbled upon a lab that I was working on, and today I'm going to share with you the different techniques that we can use to abuse Active Directory. We're going to demonstrate three attacks in four attacking scenarios, and we're going to start off with domain enumeration to collect all the domain objects and their relationships. I'm connected to a workstation, so if I type hostname it's called ws04, and I'm using the account Paul Canon, who is part of the SB Cloud Lab domain. So if we do net user /domain we can see actually he's part of Domain Users and Information Security, so we don't have privileged groups, but we're going to perform domain enumeration even though we are using just this limited user, because we are part of the domain.

To do that I'm going to use BloodHound and its PowerShell ingester, so I'm going to import SharpHound.ps1 and I'm going to run my function. It is as simple as using Invoke-BloodHound -CollectionMethod; there are a bunch of them, we're going to use All, which covers most of them. I've just gone ahead and renamed Invoke-BloodHound to just ibh in an attempt to bypass AV. We're going to talk about AV evasion in potential next videos, but for now we're just going to run it and let it run in the background. It's going to generate a zip file for us, so it says here 30 1332 objects are collected, and here is our zip. So we will take this zip and import it into BloodHound. BloodHound is a desktop application that you can install; it's available open source on GitHub. I'm using version 3 of BloodHound, but you can use version 4. I'm going to upload the data using this button right here and then select the zip file. So it's processing the file, it's extracting its JSON files: users, computers, organizational units, GPOs, etc., and it's going to generate a beautiful graph for us to perform our domain enumeration.

While it's running I'm going to just open a PowerShell prompt and verify what are the local admins of this machine. If we are lucky, this current user could be a local admin. Yes, it is a local admin, which means that we can do many things, including dumping the hashes that are stored in the LSASS process. So let's go ahead and directly target the machine that we are connected to. I just want to see what are the sessions that are established on this machine, so if I click on sessions here I can see that there are two users who have a session on the box: the first one is Bony Scaly and the second one My Cray. So if I click on My Cray to look for his privileges, I can see that he is not local admin, doesn't have local admin rights, doesn't have SQL admin rights, and he doesn't have any outbound objects, meaning that he doesn't control anything. What about Bony Scaly? So if I take this one, oh, it jumped to 260. That's huge, and that's promising. He can also RDP into a machine, he has local admin rights, and he's a member of three groups. Let's click on those: he's a member of Domain Users, Information Technology and SP PAM Admins. What about the outbound object control? If we click on those 260, oh boy, we have a lot, so he controls pretty much all the objects with a WriteDacl, as you can see here. He also has GetChanges, I mean he can DCSync. So if we go to queries and look for the query that allows us to find accounts that can perform DCSync, Find Principals with DCSync Rights, if we click on that, as you can see we have two users: the first one is Bony Scaly and the second one is John. This means that with this user we can actually, oh, we have also two other users, Administrator and SP Admin. Okay, so we can control this user and hence we will control the domain as well.

Let's do that. So I'm going to first close this prompt and open a PowerShell prompt with local admin privileges, because remember our current user is local admin on this machine, and I'm going to load Mimikatz in order to dump the hashes from the LSASS process. Well, it's as simple as running Invoke-Mimikatz, and from there I'm just going to run the command Invoke-Mimikatz, give it some time, and we should see the golden output. This lab has been developed by Netflix Cloud Lab engineering and I've worked with them for an event, and they let me share how to hack this lab on this channel. So if I scroll up, oh, we already see that the user My Cray has the plain text password right here, but we're not after this one, we're actually after the Bony Scaly user. We also see another one, a super admin account with this password right here, but we want actually to use this one, Bony Scaly. So we will grab his hash. We don't have his plain text password, but Windows allows us to perform what we call pass-the-hash attacks. This essentially means that we just need the NTLM hash of Bony Scaly in order to impersonate him. So with that said, I'm going to just run pass-the-hash targeting Bony Scaly on this domain and using his NTLM hash, and I'm going to run a PowerShell prompt. Let's give it a try, and as you can see we have a new PowerShell prompt. Now if I run whoami I'm still Paul Canon, but I have the privilege to perform DCSync, so I can't, like, list the content of the domain controller, which means I'm not a domain admin, but let's try to grab the krbtgt hash of the domain.

So we're using once again Mimikatz, and I'm going to use the DCSync and I'm going to grab the user krbtgt. This is the most, um, let's say powerful account on the domain controller, or on the domain in general, because it allows us to persist our access and generate whatever tokens we want. So I'm just importing Mimikatz once again, because that's a new prompt, and I'm going to run it. So if everything goes well we should have the hash of krbtgt. From there we will generate a golden ticket to allow us to access anything on the domain as domain admin. Bear in mind that generating a golden ticket is a big red flag in the face of the blue team, so you might want to look for other ways to persist your access. Here we go, we'll take the krbtgt NTLM hash, this one right here, and we're going to use Mimikatz once again to generate a golden ticket, and I'm going to inject in this golden ticket the SID of my domain, the krbtgt hash and a user, which in this case I just named "I don't exist". It could be anything at all; it's going to be forged with our own values, whatever you put in them, because we have the hash of the krbtgt. All right, the ticket has been generated and saved into a file called ticket.kirbi, so I'm going to use that ticket in order to launch a PowerShell prompt with the domain admin privileges. So the command is kerberos::ptt and then the path to my newly generated ticket. Run it; we should be able to have, well, not to run a new PowerShell prompt, but to inject our ticket into our current session, and from there we will be able to list the content of the C drive on the domain controller. We can also connect to the domain controller, we can do pretty much whatever we want, because we would have just compromised the entire domain. Okay, the ticket has been injected, and now if we do, moment of truth, dc02 C drive and hit enter, we indeed have access to the C drive. All right, so that was how we could use Mimikatz to extract the hash of a user, perform DCSync and generate a golden ticket. In the next episode we're going to explore other attack paths and learn more techniques.
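The DCSync and golden-ticket steps narrated above are exactly what the blue team the speaker mentions watches for in the domain controller's Security log. As an added example that is not from the video or its lab, here is a small Python detector run over constructed 4662/4769 records: the account names, DC list and the LAB.LOCAL realm are assumed lab values, while the three replication-right GUIDs are the well-known Active Directory extended rights that any DCSync request exercises.

```python
import re
# Well-known AD extended-right GUIDs: every DCSync request exercises one of these.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})", re.I)

# Assumed lab inventory (constructed); in production these come from AD, not literals.
DOMAIN_CONTROLLERS = {"DC02$"}
KNOWN_ACCOUNTS = {"paul.canon", "bony.scaly", "my.cray", "administrator", "dc02$", "ws04$"}
# Constructed sample records in the shape of parsed Security-log events.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$",  # normal DC-to-DC replication
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "paul.canon",  # DCSync from a workstation user
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "paul.canon",  # ordinary read, no replication right
     "Properties": "%%7688 {bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4769, "TargetUserName": "idontexist@LAB.LOCAL", "ServiceName": "cifs/dc02"},
    {"EventID": 4769, "TargetUserName": "paul.canon@LAB.LOCAL", "ServiceName": "cifs/dc02"},
]

def replication_rights(properties):
    """Replication-right GUIDs present in a 4662 Properties field (case-insensitive)."""
    return {g.lower() for g in GUID_RE.findall(properties)} & REPLICATION_RIGHTS

def dcsync_suspects(events):
    """4662 events where a non-DC principal exercised a replication right."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if rights and ev["SubjectUserName"].upper() not in DOMAIN_CONTROLLERS:
            hits.append((ev["SubjectUserName"], sorted(rights)))
    return hits

def unknown_principal_tgs(events, known=KNOWN_ACCOUNTS):
    """4769 requests naming an account the directory lacks (a ticket forged for an invented user)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        name = ev["TargetUserName"].split("@", 1)[0].lower()
        if name not in known:
            hits.append((name, ev["ServiceName"]))
    return hits
```

A real deployment would feed these functions from the DC's forwarded Security log and allow-list the DC computer accounts, since replication between domain controllers legitimately triggers 4662 with the same rights.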
Info
Channel: thehackerish
Views: 7,194
Keywords: infosec, cybersecurity, bug bounty, appsec, ethical hacking, pentest, penetration testing, learn ethical hacking, red team lab, Certifications, active directory, hacking lab, free lab, free training, password, privesc, rce, file upload, owasp
Id: 3lBPEyQaptI
Length: 10min 41sec (641 seconds)
Published: Mon Aug 14 2023