Credentialed Enumeration - From Linux

CrackMapExec module

This section of the module starts by showcasing all options in CrackMapExec used to enumerate domain information. Since I already completed the entire CrackMapExec module from Hack The Box, I went quickly through this section.

SMBMap

SMBMap can be used on a Linux system to enumerate directories and files that may possibly contain useful information.

The following command enumerates permissions and access rights for the user forend on the 172.16.5.5 host:

smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5

The recursive option -R lists all files and folders within a directory. The --dir-only flag lists directories only.

smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R 'Department Shares' --dir-only

RPCClient

The rpcclient tool can be used to enumerate domain information from an unauthenticated or authenticated perspective. Details regarding enumeration with the rpcclient utility can be found here.

SID & RID

rpcclient allows fetching information based on the RID (Relative Identifier). In Active Directory, the RID is appended to the domain SID to represent a unique object in Windows.

For example, the domain SID of the INLANEFREIGHT.LOCAL domain might be S-1-5-21-3842939050-3880317879-2865463114. The htb-student user in the INLANEFREIGHT.LOCAL domain might have the RID 1111 (0x457 in hex). Combined, the htb-student user has the following SID: S-1-5-21-3842939050-3880317879-2865463114-1111.

Some RIDs are well-known and shared by common Windows objects. For instance, the built-in local Administrator account always has RID 500 (0x1f4).

Impacket Toolkit

The Impacket toolkit can be used to interact with Windows systems and AD objects in various ways. It is maintained by SecureAuth Corp. It is one of the most useful Swiss army knives during internal pentest engagements.

psexec.py

psexec.py is a handy script to get a SYSTEM shell on a remote host. It uploads an arbitrarily named executable to the ADMIN$ share on the target host. This executable starts a service that is registered via RPC and the Windows Service Control Manager. The service is interacted with over SMB through a named pipe, so the tool uses port 445.

To use this tool it is necessary to have at least local admin credentials, since the user needs write access to the ADMIN$ share.

The psexec.py tool is easily detected by AV and other defensive solutions.

Example of logging in with the wley credentials on the 172.16.5.5 target host:

psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125 

wmiexec.py

The wmiexec.py script gives a semi-interactive shell on the remote host, running as the administrative user we log in with. Unlike psexec.py, wmiexec.py does not create any service, which makes it a little stealthier. wmiexec.py works over Windows Management Instrumentation (WMI) and DCOM to create a new process; the connection is made via port 135. The command output is written to a file in an SMB share, by default ADMIN$, which is cleaned up automatically when the session completes. However, the use of wmiexec.py can still be detected quite easily. See this article from CrowdStrike.

wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5  

Semi-interactive means that each time a command is issued, a new cmd.exe process is spawned via WMI. Defenders can look for event ID 4688 (A new process has been created) to detect the use of wmiexec.py on the host.
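As an added example (not code from the HTB module or from Impacket), the following Python detection logic checks constructed 4688 events for the wmiexec pattern just described: cmd.exe spawned via WMI with its output redirected to the ADMIN$ share. The parent process name WmiPrvSE.exe and the flattened "key=value | ..." log layout are assumptions made for this example.

```python
import re
from typing import Dict, List

# wmiexec.py runs each command as:
#   cmd.exe /Q /c <command> 1> \\127.0.0.1\<share>\__<timestamp> 2>&1
# with ADMIN$ as the default share. The spawning parent is the WMI provider host
# (WmiPrvSE.exe); that parent name and the "key=value | ..." log layout below are
# assumptions made for this example.
WMIEXEC_REDIRECT = re.compile(
    r"\\\\127\.0\.0\.1\\(?P<share>[A-Za-z$]+)\\__\d+\.\d+", re.IGNORECASE
)

# Constructed 4688 events, flattened to one "key=value | ..." line each.
SAMPLE_EVENTS = [
    r"EventID=4688 | NewProcessName=C:\Windows\System32\cmd.exe"
    r" | ParentProcessName=C:\Windows\System32\wbem\WmiPrvSE.exe"
    r" | CommandLine=cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.1234 2>&1",
    # Benign: an operator opening cmd.exe from Explorer.
    r"EventID=4688 | NewProcessName=C:\Windows\System32\cmd.exe"
    r" | ParentProcessName=C:\Windows\explorer.exe | CommandLine=cmd.exe /c dir",
    # Benign: the WMI provider host running a script without the output redirect.
    r"EventID=4688 | NewProcessName=C:\Windows\System32\cscript.exe"
    r" | ParentProcessName=C:\Windows\System32\wbem\WmiPrvSE.exe"
    r" | CommandLine=cscript.exe C:\Scripts\inventory.vbs",
]

def parse_4688(line: str) -> Dict[str, str]:
    """Split a flattened event line into a field dictionary."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def is_wmiexec(event: Dict[str, str]) -> bool:
    """True when cmd.exe is spawned by WmiPrvSE.exe with the wmiexec output redirect."""
    child = event.get("NewProcessName", "").lower()
    parent = event.get("ParentProcessName", "").lower()
    if not (child.endswith("\\cmd.exe") and parent.endswith("\\wmiprvse.exe")):
        return False
    return WMIEXEC_REDIRECT.search(event.get("CommandLine", "")) is not None

def find_wmiexec(lines: List[str]) -> List[str]:
    """Return the command lines of all events matching the wmiexec pattern."""
    return [parse_4688(l)["CommandLine"] for l in lines if is_wmiexec(parse_4688(l))]
```

On a real host the same logic applies to the CommandLine field of 4688 events, which is only populated when command-line auditing is enabled in the audit policy.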

Windapsearch

This HTB section introduces us to windapsearch, which is a Python script that can be used to query domain information over the LDAP protocol.

The tool performs recursive searches within nested groups, which can be quite useful. Two flags are noteworthy: the --da flag enumerates Domain Admins group members, while the -PU option lists privileged users and performs a recursive search over nested groups.

# SEARCH FOR PRIVILEGED USERS
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 -PU

# SEARCH FOR DOMAINS ADMIN GROUP MEMBERS
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da

BloodHound

Finally, the section introduces the students to BloodHound. See details about the characteristics and abilities of BloodHound here.
