Hacking Active Directory: Redux - Back to the Start.

Look at banner, Michael!

This was an idea that if you're reading this blog and have looked at previous posts, you will see isn't new. It's a rehash of the thing I wanted to do when I started this blog. My goal here has been to post about things that I've had success with as a means to helping others, but also to force me to really understand and examine the concepts I'm posting about.

The goal for these posts was to have a "real life" small scale pentest to show how you can enumerate and attack Windows hosts in an Active Directory network. When I first started in on this idea, I quickly realized the problem with my idea...I was trying to blog about something I was still learning, which makes for a very slow and tedious process. Now that I've completed the wonderful TCM Security Practical Ethical Hacking course, along with the other Windows and Linux Privilege Escalation courses, I'm in the stage of going back and re-examining my knowledge and notes before taking the PNPT to find weaknesses and strengths. It also helps that I've got a bit of time to kill, since my life is in a bit of an in-between phase, with my moving in a few weeks.

On to the lab! Here's the basic setup, and I'll throw a bit of story in for fun. The setup of this virtual lab will be based around the lab in the PEH course material, and also my time when I first got into IT working as help desk, despite having no real knowledge and no one above me to help out. There was a lot of Google and trial and error. The lab itself is just running on my ESXi home lab server that's keeping all of my hoodies warm for the coming fall. My Kali Linux VM is dual-homed with a virtual ethernet port connecting to my home network, allowing me to remotely connect to it, and the other port connects to the isolated FunCo test lab network.

The FunCo Story

FunCo is a small company that handles medical data. The company started as a Mom and Pop type setup, just working from their home. Eventually, they moved into a real office and as their son was interested in computers and the only person of the family who didn't need the Chrome Browser icon renamed "Internet", the defacto IT person for the company. Having Googled and read about the wonders of Active Directory, the son, Bob Loblaw, has convinced his parents to invest in some licenses. Since the company is still small, they only have 3 devices setup, and Bob can't remember the IP addresses. What he's asking is for us to come in and check out their security stance, so he can be sure things are safe and sound before he leaves for college at the end of the summer. And that's what we'll do, and where we'll start.

Finding Hosts on the Network

With that out of the way, here's where we will kick off. We take our computer into the FunCo offices, sit down at an open desk and plug into the nearest network port. We get an IP address immediately and make a note to talk to Bob about what kind of switches they have, and if we could possibly incorporate some port protection...but that's a problem for the future.

We see that our Kali laptop is grabbing a 192.168.2.x address, so we go ahead and run an ARP (Address Resolution Protocol) command to see what other computers we can find. By running arp -i eth1 -a we can specify that we want to listen on our ethernet 1 adapter (-i eth1) and that we want to scan for all devices listening ( -a). (side note:You probably wouldn't need to do this just directly plugging into a wall outlet, but since this is running on a VM that's dual-homed to my home network and the test lab, I wanted to specify the eth1 adapter to only get the test lab's network). We get back a list of IP addresses that responded:

  • 192.168.2.50
  • 192.168.2.51
  • 192.168.2.52
  • 192.168.2.100
This is perfect to start with, and we can now scan these machines a little more to try and find out what we're seeing in the network. We're already pretty sure that everyone is running Windows, thanks to Bob talking about wanting to get Active Directory up and running, but we will want to scan using a tool like nmap anyway. 

Scanning with Nmap
Now that we've got some IP's to work with, we can dig a little deeper with nmap. Nmap will give us a clue as to what kind of operating systems we are working with, and more importantly, what ports are open and exposed. Our first order of business will be to cd to our Desktop and use mkdir to create a new directory that we can shove all of our findings and files in. Not wanting to run the same command multiple times, we can just run Nmap against multiple machines at once and see what we find. To do this, we will run nmap -sC -sV -A 192.168.2.50,51,52,100 -o ./FunCo_nmap.txt. This command specifies a few things we can make note of:
  • -sC - This flag scans with default scripts. This may trigger alerts in a secure environment, but it's probably a safe bet that we're not in the most secure environment.
  • -sV - This flag scans for "Service and Version" detection to try and determine what's running on open ports that are found.
  • -A - This flag runs the "aggressive" scan, again, this may be too noisy for more tightly controlled and monitored networks, but from the sound of things, this network is pretty basic.
  • 192.168.2.50,51,52,100 - This lets us specify which specific IP addresses we want to scan. If we aren't sure which machines are there, we could scan against 192.168.2.0/24 to scan the entire IP space, or we could scan a set range of IP addresses with something like 192.168.2.1-100
  • -o ./FunCo_nmap.txt - Lastly, this command will output the results of our scan directly into a text file that we can read through a bit more easily than having to scroll through a Terminal window. Or, worse still, having to re-scan because you accidentally close out of the window you had open. When possible, save all of your documentation and findings! It's easier to reference some notes you made than it is to go back and scan all over again. It also allows you to run the scan again later and check for changes. 
For the last part of this post, we'll check out our findings and see what we can learn from them. We'll take the results of our scan and start to build the foundation of our network map that we can then expand on later. 

Examining Our Findings
Here's the output we got from nmap:

Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-31 11:29 EDT
Nmap scan report for 192.168.2.50
Host is up (0.00041s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT    STATE SERVICE VERSION
135/tcp open  msrpc   Microsoft Windows RPC
MAC Address: 00:0C:29:71:31:46 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP (85%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.2.50

Nmap scan report for 192.168.2.51
Host is up (0.00041s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
MAC Address: 00:0C:29:34:9F:AB (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10|XP (91%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: Microsoft Windows Server 2019 (91%), Microsoft Windows 10 1909 (90%), Microsoft Windows XP SP3 (85%), Microsoft Windows XP SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: -26s
| smb2-time: 
|   date: 2023-08-31T15:29:39
|_  start_date: N/A
|_nbstat: NetBIOS name: FUNCO-IT-01, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:34:9f:ab (VMware)

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.2.51

Nmap scan report for 192.168.2.52
Host is up (0.00035s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT    STATE SERVICE VERSION
135/tcp open  msrpc   Microsoft Windows RPC
MAC Address: 00:0C:29:2B:66:4A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|2019 (89%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: Microsoft Windows XP SP3 (89%), Microsoft Windows Server 2019 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE
HOP RTT     ADDRESS
1   0.35 ms 192.168.2.52

Nmap scan report for 192.168.2.100
Host is up (0.00036s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-08-31 15:29:34Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: FunCo.org0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: FunCo.org0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-08-31T15:30:19+00:00; -25s from scanner time.
| ssl-cert: Subject: commonName=FunCo-DC-01.FunCo.org
| Not valid before: 2023-08-24T13:31:56
|_Not valid after:  2024-02-23T13:31:56
| rdp-ntlm-info: 
|   Target_Name: FUNCO
|   NetBIOS_Domain_Name: FUNCO
|   NetBIOS_Computer_Name: FUNCO-DC-01
|   DNS_Domain_Name: FunCo.org
|   DNS_Computer_Name: FunCo-DC-01.FunCo.org
|   DNS_Tree_Name: FunCo.org
|   Product_Version: 10.0.17763
|_  System_Time: 2023-08-31T15:29:39+00:00
MAC Address: 00:0C:29:82:A4:75 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (97%)
Aggressive OS guesses: Microsoft Windows Server 2019 (97%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: FUNCO-DC-01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_nbstat: NetBIOS name: FUNCO-DC-01, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:82:a4:75 (VMware)
|_clock-skew: mean: -25s, deviation: 0s, median: -25s
| smb2-time: 
|   date: 2023-08-31T15:29:40
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms 192.168.2.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 4 IP addresses (4 hosts up) scanned in 61.79 seconds

There's quite a bit there to look into more, but what we can pretty easily tell is that we definitely have an all Windows network, at least of machines that are online, and we can take an educated guess as to which machine is likely the Domain Controller (DC). We can tell by looking across the room that the OS guess of Windows XP on the hosts is definitely incorrect (RIP beautiful rolling green hills background) but they are all Windows machines. This takes care of our initial scan, and the first blog post on the topic. It's taken longer than I was hoping to get this post up, but it's finally up, at the very least.

The next post will be geared towards scanning the network and looking around the office for any clues that are left in the open. We have an idea what Bob's username is, since he emailed us, but we will still need to see if there's anything else in the network that's exposed, and that will give us a chance to use some new tools and have a little more fun than a simple network scan. 

Thanks for sticking around, and see you all next time!

(Full disclosure: the next post may take a few weeks. I'm currently about a week away from moving, and my home lab is about to get unplugged and packed into a truck. I guess I'll at least have Fiber internet at the new place to celebrate with.)

Comments

Popular posts from this blog

Small Life Update!

Hacking Windows Domains: Introduction