intro: PowerSploit

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. https://github.com/PowerShellMafia/PowerSploit

In this study, we’ll take a particular look at PowerView:

PowerView

PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality. https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

Targeted Kerberoasting

If the subject (e.g. the attacker) has WriteProperty, GenericWrite or GenericAll rights over an object (e.g. a target user), they can write a ServicePrincipalName (SPN) onto that object and then Kerberoast it.

When asking the Key Distribution Center (KDC) for a Ticket Granting Service (TGS) ticket, the requester sends a valid Ticket Granting Ticket (TGT) and the Service Principal Name (SPN) of the intended service. If the TGT is valid and the SPN exists, the KDC returns the TGS to the requester. The TGS is encrypted with the requested service account's NT hash, so it can be taken away and cracked offline.

Set-DomainObject: Modifies a given property for a specified active directory object.

> Set-DomainObject -Identity <user-identity> -SET @{serviceprincipalname='asdfasdf/asdfasdf'}

Get-DomainSPNTicket: Requests the Kerberos ticket for a specified service principal name (SPN).

> Get-DomainSPNTicket -SPN asdfasdf/asdfasdf

# example output
SamAccountName       : UNKNOWN
DistinguishedName    : UNKNOWN
ServicePrincipalName : asdfasdf/asdfasdf
TicketByteHexStream  : 
Hash                 : $krb5tgs$23$*UNKNOWN$UNKNOWN$asdfasdf/asdfasdf*$.......$...

The resulting hash can be trimmed out of the output into a file and cracked with john:

> john hash --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt
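The defensive counterpart to the SPN write above is to watch for it on the domain controllers. The following is an added example, not part of the original notes or of PowerView: it parses Security event 5136 (Directory Service Changes) and reports servicePrincipalName writes on user objects; the event samples are constructed, and the function and field names are the author's assumptions.

```powershell
# Added example: detect the SPN write that targeted Kerberoasting relies on, using
# Security event 5136 (Directory Service Changes). Requires "Audit Directory Service
# Changes" and a Write-Property SACL on user objects; sample events are constructed.
function Get-SpnWriteAlert {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $e = [xml]$EventXml
        $d = @{}   # EventData <Data Name="..."> pairs
        foreach ($n in $e.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        # Computers update their own SPNs routinely; a user object receiving an SPN is the signal.
        if ($d['AttributeLDAPDisplayName'] -ne 'servicePrincipalName') { return }
        if ($d['ObjectClass'] -ne 'user') { return }
        # 5136 reports the change as %%14674 (value added) or %%14675 (value deleted).
        $op = switch ($d['OperationType']) { '%%14674' { 'ValueAdded' } '%%14675' { 'ValueDeleted' } default { $_ } }
        [pscustomobject]@{
            Time    = $e.Event.System.TimeCreated.SystemTime
            Subject = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Target  = $d['ObjectDN']
            Spn     = $d['AttributeValue']
            Change  = $op
        }
    }
}

# Constructed sample events (only the fields the function reads are included).
$userSpnWrite = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5136</EventID>
<TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System><EventData>
<Data Name="SubjectUserName">lowpriv</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="ObjectDN">CN=svc-sql,OU=Users,DC=corp,DC=local</Data><Data Name="ObjectClass">user</Data>
<Data Name="AttributeLDAPDisplayName">servicePrincipalName</Data>
<Data Name="AttributeValue">asdfasdf/asdfasdf</Data><Data Name="OperationType">%%14674</Data>
</EventData></Event>
'@
$computerSpnWrite = $userSpnWrite -replace '>user<', '>computer<' -replace 'CN=svc-sql', 'CN=WS01'

# Only the user-object write is reported; the computer one is ignored.
@($userSpnWrite, $computerSpnWrite) | Get-SpnWriteAlert | Format-List

# On a domain controller, feed live events instead of the samples:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} | ForEach-Object { $_.ToXml() } | Get-SpnWriteAlert
```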

Logon script for a domain user

Microsoft's article https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/assign-logon-script-profile-local-user describes how to assign a logon script to the profile of a local user account in Windows Server 2003. That logon script runs when the local user logs on locally to the computer; it does not run when the user logs on to the domain.

NOTE: If the logon script is stored in a subfolder of the default logon script path, put the relative path to that folder in front of the file name. For example, if the Startup.bat logon script is stored in \\ComputerName\Netlogon\FolderName, type FolderName\Startup.bat.

To look up an AD user and change its logon script path (the ScriptPath attribute):

Get-ADUser <user> | Set-ADUser -ScriptPath <value>

DCSync

The DCSync permission means holding these extended rights on the domain object itself: Replicating Directory Changes (DS-Replication-Get-Changes), Replicating Directory Changes All (DS-Replication-Get-Changes-All) and Replicating Directory Changes In Filtered Set (DS-Replication-Get-Changes-In-Filtered-Set).

  • The DCSync attack simulates the behavior of a Domain Controller and asks other Domain Controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled.
  • Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups have the required privileges by default.
  • If any account passwords are stored with reversible encryption, an option is available in Mimikatz to return the password in clear text.

If those rights are held, mimikatz can be used to perform the replication request (see also the mimikatz documentation):

mimikatz.exe "lsadump::dcsync /user:administrator \krbtgt" "exit"