
Insider threat - The average insider threat attack scenario. How attackers can take over an entire domain in a few steps. Part 2.

DOMINIK ANTOŃCZAK

Have you ever wondered how little it takes to take over an Active Directory domain? Have you considered using some exploit? Nah, using exploits isn’t elegant and is easily detected; if anything, that option remains a last resort. As savvy “hackers”, we possess the right knowledge to navigate the network smoothly without making noise. Sometimes it takes a few steps, and just as Neil Armstrong said, it’s one small step for man…, but for us hackers, taking over one system is a small step towards taking over the entire network. In this scenario, I’ll demonstrate how the ability to analyze acquired information, coupled with a few subtle actions, was sufficient to take over the entire domain of a company consisting of 500-1000 users.

As an advanced attacker, I already have access to the “unhackable.corp” LAN, and I start by analyzing what’s on the local network. I always like to check what is in the shared directories because you can always find very, very interesting things there, just like in this case. The first thing that comes to mind on seeing a “dev” directory is “ah, the DEV directory: source code, access data, configuration files”, so I’ll probably be able to get some data from it.

Dev directory contents

In this directory, there are about 30 folders. The first one that caught my attention is AWS, and what I found in it I didn’t expect at all.

AWS directory

If you didn’t say, “Oh, here may be the passwords for some AD account”, then you need more practice ;).

And this time my intuition didn’t fail me - domain account credentials.

Domain credentials
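The “dev” share above was found by browsing it by hand. The same check is worth running from the defender’s side before anyone else does it: walk the share, skip binaries and oversized files, and flag lines that look like access keys or password assignments. The following is an added example, not code from the original post or from the author; the patterns, the file layout and every value in the sample share are constructed for this example (the AWS key pair is the documented example pair from AWS’s own docs, the password is made up), and the scanner is deliberately small, not a replacement for a full secret-scanning tool.

```python
"""Audit a file share for credential material (added defensive example, constructed data)."""
import re
import shutil
import tempfile
from pathlib import Path

# Detection patterns: assumptions for this example, not an exhaustive catalogue.
PATTERNS = {
    # AWS access key IDs are 20 characters and start with "AKIA".
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # AWS secret keys are 40 base64-ish characters behind the config key name.
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+]{40}"),
    # "password = ..." / "pwd: ..." style assignments in configs and notes.
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
}


def is_binary(path: Path, probe: int = 8192) -> bool:
    """Treat files whose first bytes contain a NUL as binary and skip them."""
    with path.open("rb") as fh:
        return b"\x00" in fh.read(probe)


def scan_share(root: Path, max_bytes: int = 1_000_000) -> list[tuple[str, int, str]]:
    """Return (relative path, line number, pattern name) for every hit under root."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes or is_binary(path):
            continue
        text = path.read_bytes().decode("utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern in PATTERNS.items():
                if pattern.search(line):
                    findings.append((path.relative_to(root).as_posix(), lineno, name))
    return findings


def build_sample_share(root: Path) -> None:
    """Constructed share contents for the demo; no real credentials involved."""
    (root / "AWS").mkdir(parents=True)
    (root / "AWS" / "config.txt").write_text(
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    )
    (root / "AWS" / "deploy_notes.txt").write_text(
        "Pipeline service account (constructed sample)\n"
        "user: UNHACKABLE\\svc_pipeline\n"
        "password: ConstructedExample1\n"
    )
    (root / "AWS" / "readme.txt").write_text("Deployment notes only, no secrets here.\n")
    (root / "build").mkdir()
    # Binary artifact: the NUL byte makes the scanner skip it even though it
    # carries a password-looking string, so binaries need a separate review.
    (root / "build" / "app.bin").write_bytes(b"MZ\x00\x01password=embedded\x00")


def demo_scan() -> list[tuple[str, int, str]]:
    """Create the sample share in a temp dir, scan it, clean up, return findings."""
    root = Path(tempfile.mkdtemp())
    try:
        build_sample_share(root)
        return scan_share(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel_path, lineno, name in demo_scan():
        print(f"{rel_path}:{lineno}: {name}")
```

Run it against a mounted share root instead of the temp directory to get the same triage list; anything it reports belongs in a vault or a CI secret store, and the account behind it should be rotated, since a file that is readable to the whole LAN has to be treated as already read.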

Time to see what the user “serverdeveloper” has to offer in the attacked AD. Ideally suited for this purpose is BloodHound, a graphical tool that reveals the relationships within Active Directory. Mmmm, and such links are more than welcome. Time to extract secrets from the A-SAP92 system.

BloodHound analysis

Oh, and there are credentials for another AD account. This time, the name suggests that I’m dealing with a user who can potentially cause quite a stir in the AD.

Backup admin credentials

I’ll tell you, when it comes to “stars”, only these will do:

Domain Admins group

The user backupadmin is in the Domain Admins group - how nice… :)

Now, just like in Mortal Kombat, it’s time to use the right combination to execute a fatality: a DCSync, which will dump all secrets from the domain controller:

DCSync execution
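A DCSync is a replication request, and the domain controller logs it like any other directory access: Security event 4662 with the “Control Access” bit in the access mask and the replication control-access rights listed in the Properties field. Since only domain controllers (and a directory-sync service account, if one exists) legitimately ask for those rights, the detection is a short allow-list check. The following is an added example, not code from the original post or from the author: the event records are constructed, the flat dictionary shape and the allow-list are assumptions for this example, and the GUIDs are the well-known DS-Replication-Get-Changes, -Get-Changes-All and -Get-Changes-In-Filtered-Set rights.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records."""
import re

# Control-access-right GUIDs that a replication request (and so a DCSync) needs.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}
CONTROL_ACCESS = 0x100  # "Control Access" bit of the 4662 AccessMask
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Accounts legitimately allowed to replicate: DC computer accounts plus a
# directory-sync service account. Constructed allow-list for this example.
ALLOWED_REPLICATORS = {"DC01$", "DC02$", "MSOL_sync"}

# Constructed 4662 records. Field names follow the event's own property names;
# the flat dict transport shape is an assumption, not a vendor schema.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "backupadmin", "ObjectType": "domainDNS",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # User-Change-Password right on a user object: control access, but not replication.
    {"EventID": 4662, "SubjectUserName": "serverdeveloper", "ObjectType": "user",
     "AccessMask": "0x100",
     "Properties": "{ab721a53-1e2f-11d0-9819-00aa0040529b}"},
    # Unrelated logon event, ignored by the rule.
    {"EventID": 4624, "SubjectUserName": "backupadmin", "AccessMask": "", "Properties": ""},
]


def is_dcsync_like(event: dict, allowed_replicators: set[str]) -> bool:
    """True when a 4662 asks for replication rights from a non-allow-listed account."""
    if event.get("EventID") != 4662:
        return False
    try:
        mask = int(str(event.get("AccessMask", "0")), 16)
    except ValueError:
        return False
    if not mask & CONTROL_ACCESS:
        return False
    requested = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    if not requested & REPLICATION_GUIDS:
        return False
    allowed = {a.lower() for a in allowed_replicators}
    return event.get("SubjectUserName", "").lower() not in allowed


def detect_dcsync(events: list[dict], allowed_replicators: set[str]) -> list[str]:
    """Return the subject account of every event that the rule flags, in log order."""
    return [e["SubjectUserName"] for e in events if is_dcsync_like(e, allowed_replicators)]


if __name__ == "__main__":
    for subject in detect_dcsync(SAMPLE_EVENTS, ALLOWED_REPLICATORS):
        print(f"possible DCSync by {subject}")
```

Two caveats matter in production: 4662 is only written when the “Directory Service Access” audit subcategory is enabled on the domain controllers, and the allow-list has to be kept in step with DC promotions and sync-account renames, otherwise a genuine DC shows up as a hit. A second signal worth correlating is the source host: a replication request from a workstation subnet is suspicious regardless of the account used.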

Great, in a few steps, I managed to take over the entire network of the unhackable.corp company. As an additional tidbit for the keen reader, I’ll mention that the percentage of cracked hashes was 15.08%, with 232 unique passwords out of 1538 available, granting access to 323 accounts. It may not be a lot, but considering that each of the 323 users can take over the entire AD in their own way, it’s quite an interesting result.
