First things that stand out is all of the Active Directory services running as well as the Windows server version 2016. We also get the Domain that is used: htb.local

Picking our Axe!

So now that we have our bearings of what kind of server we are dealing with let's look for some tools to make our job easier. After some researching around I came across Impacket ( ) which is an amazing tool-set of python scripts used to work directly with different networking protocols. It just so happens that there are some scripts within this suite perfect for hitting Active Directory Domain Controllers. Be sure to spend some time reading about each script within impacket as it's possible that a few of these could come in handy later. Here is a great resource for your reading pleasure:

To kick it off (and with some trial & error) I decided to go with GetADUsers.py which is going to query the DC (Domain Controller) to get some basic user information.

[Figure: The forest hax trial]

NOICE! Now we have a list of users that the DC so graciously spit out for us. With this list I then peeked back at the impacket scripts to see if there was anything else there I could use before looking elsewhere…

This script is going to request the TGT (Ticket Granting Ticket) for each user we feed it and then spit out those results in an output nicely formatted for cracking! Now before I just fired this bad boy up I wanted to review the code to see exactly what this script is looking for and precisely why would the DC just hand over the TGT?

"This script will attempt to list and get TGTs for those users that have the property: 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH)."

Ah there it is, the UF_DONT_REQUIRE_PREAUTH flag. Which makes sense right? But what bothered me with this is why would any Active Directory admin ever legitimately use this setting? Doing some light googling the only thing you'll find is "HOW TO KERBEROAST" or "IMPACKET GETS TGTS". But it seemed impossible to actually find a legitimate use for this flag. So I took to some of my AD admin buddies and asked them what the setting would be used for. Even they didn't know what to tell me, just that they make sure it's not set… until finally after some #blackbelt #googlefoo I found the answer. The only time this flag should be set is when older systems which are unable to support kerberos need authentication to AD. FINALLY! Okay now that my compulsive itch has been scratched I can move on.

With the knowledge of how GetNPUsers.py works in the background I start firing it at our AD server with each user. Unfortunately there was no luck… until one specific service level account:

And again #boomski. If you are at all familiar with AD and kerberos security you probably have an idea of what's coming next… KERBEROASTING! #RoastinKerbs bruh

What is Kerberoasting? Kerberoasting is a method used to steal service account credentials. Part of the service ticket is encrypted with the NT hash of the user. Any domain account can request Kerberos service tickets. Service tickets can be used to crack passwords offline.

Which leads us to our next step, cracking our TGT! GetNPUsers gives you many different formatting options depending on which cracking suite you want to use. Since I am more familiar with Hashcat and it's been years since I've touched JTR that's what I went with. One thing you have to make sure you get right with hashcat is the "hash-type" (-m switch). I will neither confirm nor deny how much time I spent failing to crack this TGT because of an incorrect hash-type code #neededcaffine

[Figure: The forest hax crack]

HERE is a list of all the hashcat hash-types. Since you're stealing TGTs from kerberos the 18200 code is what you'll want to use.

[Figure: The forest hax code]

And of course you need a solid wordlist such as rockyou which comes by default on Kali.

As always #boomgoesthedynamite now we have our service account username AND password! svc-alfresco:s3rvice

Got Creds.

Now that we have credentials, how are you supposed to use them? This part took quite a bit of research on my part as again I'm not super familiar with #pwning windows servers. After some hardcore googling around remote services for windows I stumbled upon WinRM.

[Figure: The forest hax windows]

If you aren't super familiar with WinRM, it's a remote management tool designed to allow systems to access and exchange management information across an IT infrastructure.
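As an added example (this is not code from the original write-up, nor from Impacket), here is a defender-side Python script covering both ends of the UF_DONT_REQUIRE_PREAUTH problem described above: an audit that decodes userAccountControl bits to list enabled accounts with the flag set, so they can be fixed before anyone points GetNPUsers.py at them, and a check over Security event 4768 (TGT requested) records that flags tickets issued with Pre-Authentication Type 0, which is what a request for such an account looks like on the domain controller. The account records and the key=value log lines are constructed sample data and the key=value rendering is an assumption for readability; the flag values are the standard Windows userAccountControl bits, and the log field names (TargetUserName, PreAuthType, TicketEncryptionType, IpAddress, Status) follow the event's XML data fields.

```python
# Added example, not part of the original write-up or of Impacket: two
# defender-side checks for the UF_DONT_REQUIRE_PREAUTH setting that
# GetNPUsers.py hunts for.
#   1. preauth_disabled_accounts(): decode userAccountControl bits and list
#      enabled accounts carrying the flag (the thing to fix).
#   2. asrep_requests(): scan Security event 4768 records for TGTs issued
#      with Pre-Authentication Type 0, i.e. handed out without pre-auth
#      (the thing to alert on).
# The account records and log lines below are constructed sample data.
from collections import defaultdict

# userAccountControl bit flags (values from the Windows ADS_USER_FLAG_ENUM).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

_UAC_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}


def decode_uac(value):
    """Names of the known flag bits set in an integer userAccountControl value."""
    return [name for bit, name in _UAC_NAMES.items() if value & bit]


def preauth_disabled_accounts(records):
    """Enabled accounts whose userAccountControl has UF_DONT_REQUIRE_PREAUTH set.

    records: iterable of dicts with 'sAMAccountName' and an integer
    'userAccountControl', e.g. as exported from an LDAP query. Disabled
    accounts are skipped: the KDC will not issue them a TGT anyway.
    """
    hits = []
    for rec in records:
        uac = rec["userAccountControl"]
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE:
            hits.append(rec["sAMAccountName"])
    return sorted(hits)


def parse_event(line):
    """Parse one constructed key=value rendering of a Security event record."""
    return dict(tok.split("=", 1) for tok in line.split())


def asrep_requests(log_lines):
    """(TargetUserName, IpAddress, TicketEncryptionType) for every successful
    4768 (TGT requested) logged with PreAuthType 0. A TGT issued without
    pre-authentication is exactly what a run of GetNPUsers.py leaves behind."""
    hits = []
    for line in log_lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") == "0":
            hits.append((ev["TargetUserName"], ev["IpAddress"],
                         ev["TicketEncryptionType"]))
    return hits


def requesters_by_ip(log_lines):
    """Group the no-pre-auth TGT hits by source address, so one client
    collecting tickets for several accounts stands out."""
    by_ip = defaultdict(set)
    for user, ip, _etype in asrep_requests(log_lines):
        by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in by_ip.items()}


# Constructed sample data (not from any real directory or log).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-alfresco",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "jdoe", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "svc-legacy",  # flag set, but the account is disabled
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH},
]

SAMPLE_EVENTS = [
    # normal logon: pre-auth type 2 (encrypted timestamp), AES256 (0x12) ticket
    "EventID=4768 TargetUserName=jdoe PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.10.20 Status=0x0",
    # TGT issued with no pre-auth and an RC4 (0x17) ticket: the crackable AS-REP
    "EventID=4768 TargetUserName=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0",
    "EventID=4768 TargetUserName=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0",
    # a service ticket request (4769) is a different event and is ignored here
    "EventID=4769 TargetUserName=jdoe PreAuthType=- TicketEncryptionType=0x12 IpAddress=10.10.10.20 Status=0x0",
]

if __name__ == "__main__":
    print("enabled accounts with pre-auth disabled:", preauth_disabled_accounts(SAMPLE_ACCOUNTS))
    print("TGTs issued without pre-auth:", asrep_requests(SAMPLE_EVENTS))
    print("grouped by source IP:", requesters_by_ip(SAMPLE_EVENTS))
```

Running the audit against a real directory only needs the sAMAccountName and userAccountControl attributes of each user object; the disabled-account skip matters because GetNPUsers.py gets nothing for those either, so they are noise rather than exposure. On the log side, PreAuthType 0 is the decisive field: a ticket with that value was handed out with no proof of the password, and the encryption type only tells you how cheap the offline crack will be (0x17, RC4, being the cheapest).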