Select Page

Let's say you've successfully phished a client, and now have an Empire agent on a victim computer. Congratulations! Establishing an initial foothold on a network, with either a .hta link or an office macro (excellent write-up using this method by @enigma0x3), is one of the hardest parts of pentesting, and most security practices are designed to prevent you from getting to this point. The next phase seems to be where a lot of new pentesters scratch their heads: post-exploitation. I know I sure did! Let's walk through one potential real-world path using Empire and the OpSec safe modules to obtain our ultimate goal: Domain Administrator privileges.

Once we're on a box, it's good to take a look at what you've got available to you. I tend to use the "situational_awareness" modules in Empire to discover what account I'm running under, who are the local administrators, domain administrators, network settings, mapped drives, and installed programs and patches. Even if you don't end up using a lot of this information for exploitation, it can be demonstrative of your access when writing the final report.

In this example, we're going from an initial beacon to domain administrator.

Once the beacon checks in, and its confirmed that you're in a domain environment on a managed computer let's check the Group Policy Preferences for stored credentials (courtesy @obscuresec http://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html).

GPP

And if the administrators have stored passwords in their group policy preferences, you'll see something like this:

5

Here we have a stored local administrator password in the scheduled tasks preferences.

With local administrator credentials, let's launch a new agent on the host with administrator privileges using "management/runas". The module "management/spawnas" will work as well, but is not OpSec safe. This may or may not make a difference in your engagement. Though an OpSec safe module is less clean up for you 🙂

2

Assuming that worked, you should now see that a new agent has checked in with local administrator privileges. With local administrator access, we can now run the PenTesters favorite tools such as Mimikatz to dump plaintext credentials from memory and Responder (known as Inveigh in Powershell, by @kevin_robertson) to poison NBNS and LLMNR queries on the wire. If you've done some initial recon, you'd have a list of potentially privileged users from groups in the domain. For instance, members of the obvious "Domain Administrators", and potentially "Local Administrators" are accounts you'd want to keep an eye out for while Inveigh does its thing.

3

Inveigh started at 2016-07-05T10:02:33
Listening IP Address = 192.168.1.8
LLMNR/NBNS Spoofer IP Address = 192.168.1.8
LLMNR Spoofing Enabled
LLMNR TTL = 30 Seconds
NBNS Spoofing Of Types 00,20 Enabled
NBNS TTL = 165 Seconds
SMB Capture Enabled
HTTP Capture Enabled
HTTPS Capture Disabled
HTTP/HTTPS Authentication = NTLM
WPAD Authentication = NTLM
Ignoring Machine Accounts
Real Time Console Output Enabled
Real Time File Output Disabled
2016-07-05T10:02:34 - NBNS request for WPAD received from 192.168.1.9 - spoofed response has been sent
2016-07-05T10:02:34 - HTTP request for /wpad.dat received from 192.168.1.9
2016-07-05T10:02:34 - HTTP request for /wpad.dat received from 192.168.1.9
2016-07-05T10:10:39 - HTTP request for /wpad.dat received from 192.168.1.9
2016-07-05T10:10:39 - LLMNR request for wpad received from 192.168.1.9 - spoofed response has been sent
2016-07-05T10:10:39 - HTTP NTLMv1 challenge/response captured from 192.168.1.9(VICTIM):
da_jsmith::ID:F7289113DB0D44BD00000000000001000000000000000000:AB1FA198699CEDEADCD16EA9A75A44E55D47777ABCD2DAA9:DEADBEEFC0DECABE

Once Inveigh has captured a hash, lets crack this with john, aka JTR.

root@kali:~/# john --wordlist=~/SecLists/Passwords/merged.txt --format=nt --rules Inveigh_Hashes.txt

And if we're lucky, and they have a poor or known password, we'll get a cracked password result:

da_jsmith:0th3rP@ssw0rd!!
1 password hashes cracked, 0 left

Finally, with a domain administrator account and password, we can use the lateral_movement/invoke_wmi module to spawn a new Empire agent on the Domain Controller. Or better yet as @bluescreenofjeff has pointed out to me: "use the dcsync module to pull the krbtgt from any computer, and then create the golden ticket without ever compromising the domain controller". The latter option being more OpSec safe and less likely to raise any alarms.

With Domain Administrator access, you can now create accounts, issue yourself a kerberos golden ticket, or use the "credentials/mimikatz/lsadump" module to extract all the password hashes from the DC. Of course, there are other paths to getting this access, and this is but one example.

tl;dr: Unpriv'd agent -> LA via GPP -> Inveigh -> Crack captured DA hash

bneg

Having worked in some capacity with computers for the past 16 years, in a whole host of industries and job titles, I sometimes think I've seen it all. Then I meet a new client, and realize there really are a million ways to skin a cat. And they're all horrible.

My aim here is to educate and hopefully cause some people to think about the broader implications of their actions and inactions. Whether you're white, grey, black, blue, purple, red, or something more rainbow colored, I hope you walk away learning something new.