We recently performed an internal network penetration test for a large enterprise with up to 3 domains and 2000+ hosts. We had zero knowledge of the target network (as an attacker would have) and were placed onto the user VLAN with unauthenticated access.

We decided to write a blog on it as we used several different techniques (simple and complex) to gain domain administrator across all three domains, plus an enterprise administrator J

OMG, it’s a BIG network

We ran a quick NMAP scan on limited ports to scan the full range of IP addresses to identify hosts with at least one service running and identified more than 2000 live hosts. Our instant pick was to use Metasploit Database for the assessment. This handy tool is too awesome that it helps not only to exploit the vulnerabilities directly from the Metasploit console but also saves plenty of time consolidating the scan results and specifying the target types; how to use and setup post is here.

No Nessus, straight to crackmapexec

We were focused on getting the highest privilege access in a short time; a vulnerability scanner would be time-consuming, noisy and stretch for such a big network. It can be run as an overnight scan. Let’s get onto the targeted attacks and identify if the live hosts are connected to the domain (and which domain) or standalone systems:

crackmapexec smb <hosts list>

The above command revealed three domains and different active directories.

Good old MS17-010 (EternalBlue)

During the initial foothold, we identified a host running Windows 2003 which was obsolete and vulnerable to MS17-010. That’s a quick hack, and we were able to gain administrative access to the host using the MS17-010 exploit available in the Metasploit Framework. But, this is not the main domain.‍

‍

With administrative access, we dumped the wdigest credentials using mimikatz and got the clear text password of the user belonging to the ‘Domain Admins’ group.

‍

We have Domain Administrative access on one domain, but this is not the main domain.

Dump hashes and pass-the-hash

Next, we extracted all the Local Administrator hash from the compromised domain using Metasploit hashdump and performed pass-the-hash on all the hosts in the network. Bummer, the administrator password is not used anywhere. We confirmed it again by dumping the ntds.dit file and checking if the user passwords were reused across domains, but no luck here too L

Keep it going, more techniques

We went hard on the targeted attacks such as Bluekeep, PetitPotam but still no luck getting the foothold of the main domain. We then tried the most common and popular way of getting the DA, i.e. LLMNR and NetBIOS Poisoning, relay attacks using responder, but still no luck here L

Until now, we tried LLMNR and NBT-NS poisoning, password-spraying, SMB relaying, redirecting LDAP on printers, Bluekeep, PetitPotam, etc.

There has to be a way for such a large network (IPv6 DHCP attack)

It’s no secret that the Windows network has IPv6 enabled by default and preferred over IPv4. We confirmed it by running the tshark tool and observed that multiple hosts transmitted the IPv6 DHCP traffic.

‍

We went on to spoof all traffic for the specified domain using mitm6 tool.

mitm6 -d <domain> //this will spoof traffic for specific domain

‍

Note that the mitm6 issues a DHCPv6 lease to clients that last for a period of 300 seconds. This means that several DNS queries will fail, resulting in clients not being able to access services that rely on DNS names.

Next is to relay credentials to systems that do not have SMB signing enabled. We used ntlmrelayx.py for this purpose.

python3 ntlmrelayx.py -6 -smb2support -tf <target list with smb signing disabled>

This would perform relay attacks and authenticate with the target credentials. We quickly got a privileged user authenticating on one of the hosts and further dumped the NTLM hashes from the system.

‍

We chained the above loot to pass-the-hash attack on all the hosts and found that many hosts were a part of the main domain. Yaay, booom!!!

We quickly used the crackmapexec lsassy module to extract the clear text passwords and dump passwords of multiple users belonging to the Domain Admins and Enterprise Admins group. Job done with 100% satisfaction.

Share this post