Hacking Active Directory: Redux - Back to the Start.
If you've read earlier posts on this blog, you'll see this idea isn't new: it's a rehash of what I wanted to do when I started the blog. My goal here has been to post about things I've had success with as a way of helping others, but also to force myself to really understand and examine the concepts I'm writing about.
The goal for these posts was to run a "real life" small-scale pentest showing how you can enumerate and attack Windows hosts in an Active Directory network. When I first started on this idea, I quickly realized the problem with it: I was trying to blog about something I was still learning, which makes for a very slow and tedious process. Now that I've completed the TCM Security Practical Ethical Hacking course, along with the Windows and Linux Privilege Escalation courses, I'm at the stage of going back over my knowledge and notes before taking the PNPT, to find my weaknesses and strengths. It also helps that I have a bit of time to kill, since my life is in an in-between phase with a move coming up in a few weeks.
On to the lab! Here's the basic setup, and I'll throw in a bit of story for fun. This virtual lab is based on the lab from the PEH course material, and on my own time first getting into IT on a help desk, with no real knowledge and no one above me to help out. There was a lot of Google and trial and error. The lab itself runs on my ESXi home lab server, which is keeping all of my hoodies warm for the coming fall. My Kali Linux VM is dual-homed: one virtual ethernet port connects to my home network so I can reach it remotely, and the other connects to the isolated FunCo test lab network.
The FunCo Story
FunCo is a small company that handles medical data. The company started as a Mom and Pop type setup, working from home. Eventually they moved into a real office, and since their son was interested in computers and was the only person in the family who didn't need the Chrome browser icon renamed "Internet", he became the de facto IT person for the company. Having Googled and read about the wonders of Active Directory, the son, Bob Loblaw, has convinced his parents to invest in some licenses. Since the company is still small, they only have three devices set up, and Bob can't remember the IP addresses. What he's asking is for us to come in and check out their security stance, so he can be sure things are safe and sound before he leaves for college at the end of the summer. And that's what we'll do, and where we'll start.
Finding Hosts on the Network
With that out of the way, here's where we kick off. We take our computer into the FunCo offices, sit down at an open desk and plug into the nearest network port. We get an IP address immediately and make a note to talk to Bob about what kind of switches they have, and whether we could add some port protection... but that's a problem for the future.
We see that our Kali laptop is grabbing a 192.168.2.x address, so we go ahead and run an ARP (Address Resolution Protocol) command to see what other computers we can find. By running arp -i eth1 -a we specify that we want to listen on our ethernet 1 adapter (-i eth1) and that we want to scan for all devices listening (-a). (Side note: you probably wouldn't need to do this when plugging directly into a wall outlet, but since this is running on a VM that's dual-homed to my home network and the test lab, I wanted to specify the eth1 adapter to only get the test lab's network.) We get back a list of IP addresses that responded:
- -sC - This flag scans with default scripts. This may trigger alerts in a secure environment, but it's probably a safe bet that we're not in the most secure environment.
- -sV - This flag scans for "Service and Version" detection to try and determine what's running on open ports that are found.
- -A - This flag runs the "aggressive" scan, again, this may be too noisy for more tightly controlled and monitored networks, but from the sound of things, this network is pretty basic.
- 192.168.2.50,51,52,100 - This lets us specify which specific IP addresses we want to scan. If we aren't sure which machines are there, we could scan against 192.168.2.0/24 to scan the entire IP space, or we could scan a set range of IP addresses with something like 192.168.2.1-100.
- -o ./FunCo_nmap.txt - Lastly, this flag writes the results of our scan directly into a text file that we can read through more easily than scrolling through a Terminal window. Or, worse still, having to re-scan because you accidentally closed the window you had open. When possible, save all of your documentation and findings! It's easier to reference notes you made than to go back and scan all over again. It also lets you run the scan again later and check for changes.
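To tie the two steps above together, here is an added example (my own, not part of the original post) that turns the output of arp -i eth1 -a into a comma-separated target list and builds the nmap command from the flags listed above. The ARP output, hostnames, IPs and MAC addresses in SAMPLE_ARP are constructed for the example, and the interface name eth1 and output path ./FunCo_nmap.txt are assumed from the post. Two caveats worth knowing: arp -a prints the kernel's ARP cache, so a host only shows up once some traffic has reached it and entries marked <incomplete> never answered; and nmap's normal-output flag is spelled -oN, which is what the command below uses. The script only prints the command rather than running nmap, so it is safe to run anywhere.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.
# Assumptions: lab interface eth1, output file ./FunCo_nmap.txt.
# Nothing here runs nmap; build_nmap_cmd only returns the command string.

# Constructed sample of what "arp -i eth1 -a" prints on a Linux host.
# Every IP, MAC and hostname below is made up for this example.
SAMPLE_ARP='? (192.168.2.50) at 00:0c:29:aa:bb:01 [ether] on eth1
? (192.168.2.51) at 00:0c:29:aa:bb:02 [ether] on eth1
? (192.168.2.52) at 00:0c:29:aa:bb:03 [ether] on eth1
? (192.168.2.100) at 00:0c:29:aa:bb:04 [ether] on eth1
_gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.2.200) at <incomplete> on eth1'

# arp_hosts IFACE: read arp -a output on stdin and print one IPv4 per line,
# keeping only resolved entries seen on IFACE (so home-network entries on
# eth0 and <incomplete> entries that never answered are dropped).
# Sorted numerically by the last octet for a tidy target list.
arp_hosts() {
    iface="$1"
    grep " on ${iface}\$" | grep -v '<incomplete>' \
        | sed -n 's/^[^(]*(\([0-9.]*\)).*/\1/p' \
        | sort -t. -k4,4n
}

# join_targets: newline-separated hosts on stdin -> "a,b,c", the comma
# syntax nmap accepts for a list of targets.
join_targets() {
    paste -sd, -
}

# build_nmap_cmd TARGETS OUTFILE: the scan from the post, with -oN for a
# normal-format output file. -sC/-sV/-A are noisy; fine for a lab, but
# reconsider on a monitored production network.
build_nmap_cmd() {
    targets="$1"
    outfile="$2"
    printf 'nmap -sC -sV -A %s -oN %s' "$targets" "$outfile"
}

# Demonstration on the constructed sample. Against a real lab, replace the
# printf with:  arp -i eth1 -a | arp_hosts eth1 | join_targets
targets="$(printf '%s\n' "$SAMPLE_ARP" | arp_hosts eth1 | join_targets)"
echo "Targets found on eth1: $targets"
echo "Scan to run: $(build_nmap_cmd "$targets" ./FunCo_nmap.txt)"
```

Keeping the command in a function means the same scan can be re-run later against the saved target list and the two -oN files diffed to spot changes, which is the "check for changes" point made above.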