1. The document discusses various methods for gaining domain administrator privileges on a Windows domain, including exploiting the domain's architecture, abusing Active Directory services like Kerberos, and cracking Kerberos tickets. 2. It provides three attack scenarios: leveraging internal access and the BloodHound tool, performing an NTLM relay attack against WebDAV to setup delegation, and directly cracking Kerberos tickets by requesting tickets for service principal names. 3. The document recommends demonstrating these attacks against a test environment to gain hands-on experience compromising a Windows domain from different starting points.

1. Cracking the
domain
Please sign-in via QR Code or
https://goo.gl/U46rfU
But… gaining knowledge is fun
and we always profit from
knowledge...

2. Announcements
● Square CTF - Oct 10th
● Cambrian Cyber Group - October 21st
● Alkami - October 28th
● Firetalks - October 30th
● TI - November 4th
● Officer Applications!

3. What is a network domain?
● A network domain is an administrative grouping of multiple private
computer networks or hosts within the same infrastructure.
● A domain controller is a server that automates logins, user groups, and
architecture of the domain.
○ Typically on microsoft servers.
○ Makes it so you don't have to manual setup every host with all the
domain data individually.

4. What do I want out of this?
● In an ideal pentest you want to control the entire network because that’s what the
attackers want.
● The domain controller tells all the other systems how the domain works and how it
supposed to look.
○ Controller is managed by the domain admin.
● I.E. I want to be domain admin.

5. Okay, so how can I become the big daddy
admin?
● You could…
● Phish the admin.
● Break in through web stuff..
● Kidnap the admin.
● “Persuade” the admin.
● Physically connect to the domain
controller.
● Or you could..
● Abuse the domains architecture to
laterally move.
● Abuse active directory.
● Exploit Domain services like
Kerberos.

6. What’s an active directory?
● The Active Directory Domain Service is a service that authenticates and authorizes
all computers and users in a domain, assigning and enforcing security policies
(GPO) for all computers.
○ Runs on the Lightweight Directory Access Protocol (LDAP)
● Holds data about what users can access/allowed to do on specified systems.
Permissions can be given individually or through AD Groups.
● AD can have many more services like..
○ Certificate services.
○ Federation services.
○ Rights management.

8. 3 attack scenarios
1. Attacking the domain by exploiting it’s architecture. Starting from
comfortable shell access of a domain system.
2. Attacking a single machine by exploiting the domains kerberos system.
Starting from a more restricted shell access of a domain system.
3. Owning the whole domain by exploiting the domains kerberos system.
Starting from no shell access of a domain system.

9. Scenario 1: The Bloodhound
● You are inside the network and on a system that is flexible.
○ Allows you to download and run things without much fuss.
○ Currently a user on the system.
○ Currently not much on the immediate system that is exploitable.
● To take advantage of the domain architecture and user permissions you could use
a tool called bloodhound. (https://github.com/BloodHoundAD/BloodHound/wiki)
● Collects AD data through powershell to be examined on the attackers machine.
● We can now quickly identify attack vectors on the victim machine.

11. What’s this kerberos thing I keep hearing?
● Kerberos is a network authentication protocol that works on tickets that allow for
nodes over a network to prove their identity in a secure manner.
● Users are granted ticket granting tickets (TGT) which have a time limit after pre-
authentication. A TGT can be used to request access to a service to then gain a
ticket granting services (TGS).
● To get a TGS, a service has to be registered under a service principal name (SPN).

13. Kerberos delegation
● Sometimes a service may need to access another service on the users behalf.
● There are 3 main delegation features
○ Unconstrained Delegation - User gives its TGT to the service and the service
uses that ticket to obtain TGS for other services.
○ Constrained Delegation - The service uses the users TGS to acquire TGS for
other services.
○ Protocol Transition - Allows services to request TGS on behalf of users
arbitrary users. **It can impersonate users out of thin air!!**

14. NTLM Relay Attack
● NetNTLM is a challenge response
authentication protocol designed by
Microsoft.
1. The client sends a NEGOTIATE message
to request authentication and
“advertise capabilities”.
2. The server sends a CHALLENGE
message that contains a random 8-byte
nonce.
3. The client sends an AUTHENTICATE
message that contains a response to the
challenge. The response is calculated
using a cryptographic function with a
key derived from the user’s password
(the NTLM hash).

15. Scenario 2: Wagging the Dog
● Windows and Kerberos have some “features” that could prove useful and things we need
for an successful attack.
● Kerberos offers a resource-based constrained delegation which allows a node to
configure who is allowed to delegate (impersonate) them.
● This could allow for a possible NTLM relay attack to setup up this delegation on another
services behalf if there is no signing on the communication.
● Windows 10 has a webdav server installed by default that doesn’t do message signing.
● When you change your account picture the user SYSTEM opens the image as well to
inspect its properties.
Taken from: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html

16. Scenario 2: Wagging the Dog
Taken from: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html

17. Taken from: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html

18. Scenario 3: Roasting Kerberos
● Well I don’t want to impersonate other services I rather just be that service.
● Some more facts you may wanna know about kerberos
○ Need a TGT and a valid SPN to get a TGS.
○ The DC doesn’t track if it is used or if they even have access.
○ The TGS for the SPN is encrypted with the service account associated with
the SPN.
○ Kerberos uses RC4_HMAC_MD5 encryption. **It uses the service account’s
NTLM password hash to encrypt the ticket**
● So could we just generate NTLM hashes and see which one opens/decrypts the
ticket?

19. Scenario 3: Roasting Kerberos
The Kerberoast Attack
● What if you have an admin who gives a SPN to a domain admin and makes bad
passwords?
● Can request a TGS to the domain admin as a normal user.
● Crack the hash to get the domain admins password.
● Profit????
Ticket Hash:
05f50a70b856b624df5e723
15d9c9194
Domain Admin Pass:
texsaw{r3c0n_i5_my_m1ddl3
_n4me}

20. DEMOOOOOOOOOOOOOOOOOOO
Let’s hack em’ up.

21. References
https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/august/kerberos-resource-based-
constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/
https://adsecurity.org/?p=2362