From brute-force user enumeration to obtaining all information in the domain

Posted by truschel at 2020-02-27

During internal network penetration we frequently encounter a Windows domain environment. When we obtain control of an intranet host, that host may not be joined to the domain, so we cannot directly retrieve domain information through it. How do we proceed with domain penetration in that case?

We can obtain the privileges of an ordinary domain user through phishing, spoofing, information gathering, password guessing and similar means. Let's first look at how to enumerate user names in the domain by brute force.

Brute force enumeration user name

If we know nothing about the domain, that is, we have neither a domain-joined host nor the credentials of any domain user, we can still enumerate the account names in the domain with a dictionary.

User name enumeration relies on the domain controller answering differently depending on whether the name exists: the KDC rejects a Kerberos AS-REQ for an unknown principal with KDC_ERR_C_PRINCIPAL_UNKNOWN, whereas an existing account yields KDC_ERR_PREAUTH_REQUIRED (or a ticket, if pre-authentication is disabled). A correct user name is therefore distinguished from an incorrect one according to the following error information:

Here are a few tools to do this.

Krbguess

Download address:

http://www.cqure.net/tools/krbguess-0.21-bin.tar.gz

The enumeration command is as follows:

java -jar kerbguess.jar -r [domain] -d [user list] -s [DC IP]

Nmap krb5-enum-users NSE Script

Usage:

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='[domain]',userdb=[user list] [DC IP]

Metasploit module

The module is:

auxiliary/gather/kerberos_enumusers

Using this module, we need to provide three parameters:

1. Domain name

2. Domain control IP (rhost)

3. User list

The result of `run` is shown in the figure:

After running, the results will be saved in the database of Metasploit, and the existing users can be viewed by entering the command creds.

creds

Enumerate user credentials

Metasploit's auxiliary/scanner/smb/smb_login module can be used to test the enumerated user names against candidate passwords. The module is:

auxiliary/scanner/smb/smb_login
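Both techniques above leave a characteristic trace on the domain controller: Kerberos user enumeration produces a burst of event 4768 (TGT requested) records with status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for many different user names from one source, and SMB login guessing produces a burst of event 4625 (account failed to log on, logon type 3) records for many different accounts from one source. The following added example, which is not part of the original post and not output of any of the tools it describes, runs two such detection rules over a constructed, simplified rendering of Security events (one event per line, key=value fields) and flags any source address that targets at least `threshold` distinct accounts inside a sliding time window. Field names follow the real event data (EventID, TargetUserName, IpAddress, Status, LogonType); the log lines, addresses and thresholds are constructed for the example.

```python
"""Detect Kerberos user enumeration (4768 / 0x6) and network logon password
guessing (4625 / logon type 3) from Windows Security event lines.
Added example; the sample log below is constructed, not real DC output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one legitimate client (192.168.5.20) and one
# enumerating/guessing client (192.168.5.50).
SAMPLE_LOG = """\
2020-02-27T10:00:01 EventID=4768 TargetUserName=ops IpAddress=192.168.5.20 Status=0x0
2020-02-27T10:00:05 EventID=4768 TargetUserName=opss IpAddress=192.168.5.20 Status=0x6
2020-02-27T10:01:00 EventID=4768 TargetUserName=administrator IpAddress=192.168.5.50 Status=0x0
2020-02-27T10:01:01 EventID=4768 TargetUserName=alice IpAddress=192.168.5.50 Status=0x6
2020-02-27T10:01:01 EventID=4768 TargetUserName=bob IpAddress=192.168.5.50 Status=0x6
2020-02-27T10:01:02 EventID=4768 TargetUserName=carol IpAddress=192.168.5.50 Status=0x6
2020-02-27T10:01:02 EventID=4768 TargetUserName=dave IpAddress=192.168.5.50 Status=0x6
2020-02-27T10:01:03 EventID=4768 TargetUserName=erin IpAddress=192.168.5.50 Status=0x6
2020-02-27T10:01:03 EventID=4768 TargetUserName=ops IpAddress=192.168.5.50 Status=0x0
2020-02-27T10:01:04 EventID=4768 TargetUserName=frank IpAddress=::ffff:192.168.5.50 Status=0x6
2020-02-27T10:01:04 EventID=4768 TargetUserName=Frank IpAddress=192.168.5.50 Status=0x6
2020-02-27T10:01:05 EventID=4768 TargetUserName=grace IpAddress=192.168.5.50 Status=0x6
2020-02-27T10:02:00 EventID=4625 TargetUserName=ops IpAddress=192.168.5.20 LogonType=3 Status=0xc000006d
2020-02-27T10:03:00 EventID=4625 TargetUserName=ops IpAddress=192.168.5.50 LogonType=3 Status=0xc000006d
2020-02-27T10:03:01 EventID=4625 TargetUserName=administrator IpAddress=192.168.5.50 LogonType=3 Status=0xc000006d
2020-02-27T10:03:02 EventID=4625 TargetUserName=backup IpAddress=192.168.5.50 LogonType=3 Status=0xc000006d
2020-02-27T10:03:03 EventID=4625 TargetUserName=svc_sql IpAddress=192.168.5.50 LogonType=3 Status=0xc000006d
2020-02-27T10:03:04 EventID=4625 TargetUserName=helpdesk IpAddress=192.168.5.50 LogonType=3 Status=0xc000006d
2020-02-27T10:03:05 EventID=4625 TargetUserName=jsmith IpAddress=192.168.5.50 LogonType=3 Status=0xc000006d
"""


def parse_events(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))
        fields["time"] = datetime.fromisoformat(ts)
        # Real events often record IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
        ip = fields.get("IpAddress", "")
        fields["IpAddress"] = ip[7:] if ip.startswith("::ffff:") else ip
        events.append(fields)
    return events


# Rule predicates: which events count as one "probe" for each rule.
RULES = {
    # TGT request for a principal the KDC does not know: user enumeration.
    "kerberos_user_enumeration": lambda e: e.get("EventID") == "4768" and e.get("Status") == "0x6",
    # Failed network logon (SMB and similar): password guessing / spraying.
    "network_logon_password_guessing": lambda e: e.get("EventID") == "4625" and e.get("LogonType") == "3",
}


def sliding_window_alerts(events, predicate, threshold, window):
    """Return {source_ip: max_distinct_accounts} for every source that probed
    at least `threshold` distinct accounts inside some window of length `window`."""
    by_src = defaultdict(list)
    for e in events:
        if predicate(e):
            by_src[e["IpAddress"]].append((e["time"], e["TargetUserName"].lower()))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({user for _, user in hits[start:end + 1]}))
        if best >= threshold:
            alerts[src] = best
    return alerts


def run_rules(text, threshold=5, window_seconds=300):
    """Apply every rule; thresholds here are assumed starting points, not tuned values."""
    events = parse_events(text)
    window = timedelta(seconds=window_seconds)
    return {name: sliding_window_alerts(events, pred, threshold, window) for name, pred in RULES.items()}


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_LOG).items():
        print(rule, hits or "no alert")
```

The single typo from 192.168.5.20 stays under the threshold, while 192.168.5.50 is reported by both rules (7 distinct unknown principals, then 6 distinct accounts failing network logon). Counting distinct target accounts rather than raw failures is what separates these patterns from one user mistyping a password; in production the events would come from the Security log of every domain controller, and the threshold and window would be tuned to the environment.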

Get user information in domain

After the above operations we may hold one or more domain user credentials. From here on we no longer need brute-force enumeration to obtain user information: with the identity of a domain user we can query the domain database for the data we want through ordinary, legitimate LDAP queries.

The following are our objectives:

1. Get user account

2. Get user privilege information (such as membership of the Domain Admins group or the Remote Desktop Users group)

3. Enumerate domain password policies

4. Get further attack path

Here are a few tools to meet the above requirements.

Windapsearch

Download address:

https://github.com/ropnop/windapsearch

This tool is written in Python and queries user, group and computer information through the domain controller's LDAP service. The general form of the command is:

windapsearch --dc-ip [IP_ADDRESS] -u [DOMAIN]\USERNAME -p [PASSWORD] -U

The -U parameter returns all users in the domain, for example:

windapsearch --dc-ip 192.168.5.1 -u mydomain\ops -p Pa55word -U | grep cn: | cut -d " " -f 2

We can use grep and cut to clean up some information. The results are as follows:

Use the --da parameter to get the members of the Domain Admins group:

windapsearch --dc-ip 192.168.5.1 -u mydomain\ops -p Pa55word --da | grep cn: | cut -d " " -f 2

Use the -m parameter to get the members of the Remote Desktop Users group:

windapsearch --dc-ip 192.168.5.1 -u mydomain\ops -p Pa55word -m "Remote Desktop Users" | grep CN=
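The `grep cn: | cut -d " " -f 2` pipelines above work for single-word names but silently truncate any cn containing spaces ("Remote Desktop Users" becomes "Remote"), and they ignore LDIF folding and base64-encoded (`attr::`) values. The following added example, which is not part of the original post or of windapsearch, parses the LDIF-style attribute: value output that such LDAP queries produce, extracts group membership properly, and shows the defensive use of the same data: comparing the members of a privileged group with an approved allow-list. The directory content, DNs and allow-list are constructed for the example.

```python
"""Parse LDIF-style LDAP output and audit privileged group membership.
Added example; SAMPLE_LDIF is a constructed directory excerpt, not a real dump."""
import base64

# Constructed output: two group entries and one user entry.  The third
# 'member' value is folded over two lines (LDIF continuation) and the
# description is base64-encoded ('attr:: value'), as LDIF allows.
SAMPLE_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=mydomain,DC=test
cn: Domain Admins
member: CN=Administrator,CN=Users,DC=mydomain,DC=test
member: CN=Ops Admin,OU=IT,DC=mydomain,DC=test
member: CN=svc_backup,OU=Service Accou
 nts,DC=mydomain,DC=test

dn: CN=Remote Desktop Users,CN=Builtin,DC=mydomain,DC=test
cn: Remote Desktop Users
member: CN=Help Desk,OU=Groups,DC=mydomain,DC=test

dn: CN=Ops Admin,OU=IT,DC=mydomain,DC=test
cn: Ops Admin
sAMAccountName: ops
description:: T3BzIHRlYW0gbGVhZA==
"""


def parse_ldif(text):
    """Return a list of entries, each a dict {attribute_lowercase: [values]}.
    Handles blank-line entry separators, folded continuation lines (leading
    space) and base64 values, none of which 'grep cn: | cut' understands."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # continuation: drop exactly one leading space
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def find_entry(entries, cn):
    """Entry whose cn matches (case-insensitive), or None."""
    for entry in entries:
        if cn.lower() in (v.lower() for v in entry.get("cn", [])):
            return entry
    return None


def rdn(dn):
    """First RDN value, e.g. 'Ops Admin' from 'CN=Ops Admin,OU=IT,DC=...'.
    Caveat: DNs with escaped commas (\\,) would need a real DN parser."""
    return dn.split(",")[0].split("=", 1)[1]


def group_members(entries, group_cn):
    """Names of the direct members of a group (empty if the group is absent)."""
    group = find_entry(entries, group_cn)
    return [rdn(m) for m in group.get("member", [])] if group else []


def unexpected_members(entries, group_cn, approved):
    """Defensive check: members of group_cn that are not on the approved allow-list."""
    approved_lc = {name.lower() for name in approved}
    return sorted(m for m in group_members(entries, group_cn) if m.lower() not in approved_lc)


def naive_cut_cn(text):
    """What the page's 'grep cn: | cut -d " " -f 2' pipeline yields: only the
    first word after 'cn:', so multi-word names are truncated."""
    return [line.split(" ")[1] for line in text.splitlines() if "cn:" in line]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("naive:", naive_cut_cn(SAMPLE_LDIF))
    print("Domain Admins:", group_members(entries, "Domain Admins"))
    print("unexpected:", unexpected_members(entries, "Domain Admins", ["Administrator", "Ops Admin"]))
```

Run against a real export, `unexpected_members` is the check a domain owner would schedule: any name it returns is either an undocumented administrator or a change that should have gone through review. Nested groups (a group that is itself a member) are returned by their name here and would need recursive expansion.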

PowerView

This tool needs no introduction and is very widely used. The author's blog:

http://www.harmj0y.net/blog

On a host that is not joined to the domain, we use runas with /netonly to start a PowerShell session that presents domain user credentials for network access:

runas /netonly /user:mydomain\ops powershell

We need to enter the password in the pop-up box:

PowerSploit is already installed; its path is:

C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-dev

We import the PowerSploit module (which contains PowerView):

Import-Module .\PowerSploit.psd1

We use the following command to export domain users:

Get-DomainUser -Domain mydomain.test -DomainController 192.168.5.1 | findstr samaccountname

Use the following command to export the members of the Domain Admins group:

Get-DomainGroupMember -identity "Domain Admins" -Domain mydomain.test -DomainController 192.168.5.1 | findstr MemberName

Use the following command to export the members of the Remote Desktop Users group:

Get-DomainGroupMember -identity "Remote Desktop Users" -Domain mydomain.test -DomainController 192.168.5.1 | findstr MemberName

We can also query, as the current user, the list of shares that this user can access:

Find-DomainShare -CheckShareAccess -Domain mydomain.test -DomainController 192.168.5.1

RSAT (Microsoft Remote Server Administration Tools)

Microsoft RSAT exists to let administrators manage Windows servers remotely, and it can be used like the tool above. First create a PowerShell session with ordinary domain user credentials, then run the following command to obtain the domain password policy:

Get-ADDefaultDomainPasswordPolicy -Server 192.168.5.1

We can also start the RSAT graphical console (mmc) with runas:

runas /netonly /user:mydomain\ops mmc
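The password policy returned by Get-ADDefaultDomainPasswordPolicy is the same object an administrator should be reviewing, since it decides how much password guessing of the kind shown earlier the domain tolerates. The following added example, which is not part of the original post and not RSAT code, parses the `Name : Value` list format that the cmdlet prints, converts the .NET TimeSpan strings, and evaluates the policy against a small baseline. The sample output reproduces the Windows defaults for the properties shown (lockout threshold 0, minimum length 7, 42-day maximum age, history 24); the baseline thresholds are assumptions for the example.

```python
"""Parse Get-ADDefaultDomainPasswordPolicy list output and audit it.
Added example; SAMPLE_POLICY is constructed output, not captured from a domain."""
from datetime import timedelta

# Constructed cmdlet output (Format-List style) showing default values.
SAMPLE_POLICY = """\
ComplexityEnabled           : True
DistinguishedName           : DC=mydomain,DC=test
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False
"""

# Assumed baseline for the example; adjust to the organisation's standard.
BASELINE = {
    "min_password_length": 12,
    "lockout_threshold_max": 10,        # guesses before lockout (0 means never)
    "lockout_window_min": timedelta(minutes=15),
    "history_min": 24,
}


def parse_policy(text):
    """'Name : Value' lines -> {Name: 'Value'} (values kept as strings)."""
    policy = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        name, _, value = line.partition(" : ")
        policy[name.strip()] = value.strip()
    return policy


def parse_timespan(value):
    """.NET TimeSpan text: 'hh:mm:ss' or 'd.hh:mm:ss' -> timedelta."""
    days = 0
    if "." in value:
        day_part, value = value.split(".", 1)
        days = int(day_part)
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def audit_policy(policy, baseline=BASELINE):
    """Return finding codes for settings weaker than the baseline, in a fixed order."""
    findings = []
    threshold = int(policy["LockoutThreshold"])
    if threshold == 0:
        findings.append("no-lockout")               # unlimited online guessing
    elif threshold > baseline["lockout_threshold_max"]:
        findings.append("high-lockout-threshold")
    if threshold != 0 and parse_timespan(policy["LockoutObservationWindow"]) < baseline["lockout_window_min"]:
        findings.append("short-lockout-window")     # counter resets too quickly
    if int(policy["MinPasswordLength"]) < baseline["min_password_length"]:
        findings.append("short-min-length")
    if policy["ComplexityEnabled"] != "True":
        findings.append("complexity-disabled")
    if policy["ReversibleEncryptionEnabled"] == "True":
        findings.append("reversible-encryption")   # passwords recoverable from the DC
    if int(policy["PasswordHistoryCount"]) < baseline["history_min"]:
        findings.append("short-history")
    return findings


if __name__ == "__main__":
    print(audit_policy(parse_policy(SAMPLE_POLICY)))
```

With the default values the audit reports `no-lockout` and `short-min-length`: a domain in that state gives the smb_login guessing shown earlier an unlimited number of attempts per account, which is exactly why the lockout threshold and observation window are the first two settings a defender checks after reading the policy. Fine-grained password policies (Get-ADFineGrainedPasswordPolicy) override the default for the users they apply to and would need the same review.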

Let's use this method to add hosts or users to the domain:

Change the domain controller instance to our target:

Let's take a look at the user information in the domain:

Reference link

https://www.offensive-security.com/metasploit-unleashed/smb-login-check/

https://www.attackdebris.com/?p=311

https://www.attackdebris.com/?p=470