📖
Building a Windows AD lab
  • Building a Windows AD lab
  • Lab-setup
    • Lab overview
    • Building the lab
      • Prerequisite
      • Creating images
        • Optional: Install software & Settings
      • Network setup
      • Cloning & Creating VM's
      • Creating bank.local
        • Creating Domain Controller - DC01
          • Enable RDP
        • Creating amsterdam.bank.local
          • Creating Domain Controller - DC02
            • Creating a AD structure
            • Create a CA
            • Configure LDAPS
          • Creating Fileserver - FILE01
            • File services
          • Creating W10 client - WS01
            • PSRemoting
          • Creating Webserver - WEB01
            • Web Services
            • SQL Server
              • Create database
      • Creating secure.local
        • Creating Domain Controller - DC03
        • Creating File/SQL Server - DATA01
          • SQL Server
            • Create database
    • Attack Paths
      • Attack path 1 (hard)
        • Configuring
        • Tasks
        • Manual
      • Attack path 2
        • Configuring
        • Task
        • Manual
    • Troubleshooting
    • To-Do
  • Vulnerabilities & Misconfigurations & Attacks
    • Initial Access Attacks
      • Username Enumeration
        • Password Spraying
        • AS-REP Roasting
        • Empty Password
      • SMB Relaying
      • SMB Null-Session (To-Do)
      • SQL Server default login
    • Active Directory Attacks
      • Password spraying
      • AS-REP Roasting
      • Empty password
      • Password in description
      • Kerberoasting
      • Delegation Attacks
        • Unconstrained Delegation
          • Printerbug
        • Constrained Delegation
        • Resource Based Constrained Delegation
          • Computeraccount Takeover
          • Change-LockScreen
          • Webclient Attack (todo)
      • DACL-Abuses
        • Write Owner
        • Owns
        • WriteDacl
        • GenericAll
        • GenericWrite (todo)
        • ForceChangePassword
        • Add user to group (todo)
        • Targeted Kerberoast (todo)
        • Get-Changes
      • Reused local administrator (todo)
      • SQL Server Attacks (todo)
        • Initial Access
          • SQL Server default login
          • Normal domain user access
        • Privilege Escalation
          • Impersonation
          • DB-Owner
          • Enumerate Logins
            • Weak passwords
        • Executing Commands
        • Database-Links
        • Capturing hashes & Relaying
      • Reading LAPS passwords (todo)
      • Priviliged Groups (todo)
        • DNS-Admins (todo)
        • Account Operators (todo)
        • Backup Operators
        • Server Operators (todo)
      • Hopping domains and forests
        • Child to parent domain
          • Krbtgt hash
          • Trust key
        • Cross forest Attacks (todo)
          • Foreign user
    • Misc
      • Reverse shell trick
      • Lateral Movement
        • PSRemoting
        • PsExec (todo)
      • Misconfigured Service (todo)
        • Unqouted Service Path
      • Discovering Shares
      • Password on shares
      • Different methods of dumping credentials
        • LSASS (todo)
        • Dumping DPAPI
          • Browser passwords
        • Scheduled tasks (todo)
        • Services (todo)
        • Vssadmin Shadow Copy
      • ms-ds-machineaccountquota (todo)
      • add DNS Records (todo)
      • Bypassing UAC
    • Template page
  • Defence
    • Detection
    • Hardening
      • LDAP
        • LDAP Signing
        • LDAPS Binding
      • Strong Password Policy
      • Change who can join computers to the domain
      • Protected users group
      • Account is sensitive and cannot be delegated
      • Powershell Execution Policy
      • Template page
Powered by GitBook
On this page
  • Configuring
  • Prerequisite
  • Configuring
  • Attacking
  • How it works
  • Tools
  • Executing the attack
  • Defending
  • Recommendations
Edit on GitHub
  1. Vulnerabilities & Misconfigurations & Attacks
  2. Misc

Password on shares

PreviousDiscovering SharesNextDifferent methods of dumping credentials

Last updated 2 years ago

Configuring

Prerequisite

Configuring

  1. Login on DC02 with the username Administrator and password Welcome01!.

  2. Open the "Active Directory Users and Computers" administration tool on DC02.

3. Right click on the "Users" directory and select "New" and then "User". Create a user with the name testreset.

4. Fill in the password Testing123Testing! and select "Password never expires" and make sure "User must change password at next logon" is not selected.

5. Login on FILE01 with the username Administrator and password Welcome01!.

6. Open "Windows Explorer" and browse to C:\Share\IT.

7. Create a directory "Scripts" and enter the Directory. Then create a new textdocument with the name Password-reset-transferuser-testscript.ps1 and place the following content inside it:

$password = 'Testing123Testing!'
$credentials = New-Object System.Management.Automation.PsCredential("amsterdam\testreset",$password)

Import-module ActiveDirectory
#Generate a 15-character random password.
$Password = -join ((33..126) | Get-Random -Count 15 | ForEach-Object { [char]$ })
$NewPwd = ConvertTo-SecureString $Password -AsPlainText -Force
$user = "sa_transfer_test"
Set-ADAccountPassword $user -NewPassword $NewPwd -Reset -Credential $credentials
#Display userid and new password on the console.
Write-Host $user, $Password

8. Download a couple bogus scripts to the server and place them in the same folder such as:

wget https://raw.githubusercontent.com/ruudmens/LazyAdmin/master/Windows%2010/CreateLocalAdminAcc.ps1
wget https://raw.githubusercontent.com/ruudmens/LazyAdmin/master/ActiveDirectory/Add-UsersToGroup.ps1
wget https://raw.githubusercontent.com/ruudmens/LazyAdmin/master/ActiveDirectory/CleanupDisabledUsers.ps1
wget https://raw.githubusercontent.com/ruudmens/LazyAdmin/master/ActiveDirectory/Get-ADUsers.ps1
wget https://raw.githubusercontent.com/ruudmens/LazyAdmin/master/ActiveDirectory/Get-ADComputers.ps1

Attacking

How it works

During our pentests I often find shares that are accessible for all users and often there are some credentials to be discovered in either configuration files, scripts or Microsoft documents(.doc, .xls) made to store passwords. Sometimes there even is a NAS that allows null session and read/write on all shares.

Tools

Executing the attack

The attack is executed from the perspective of already having discovered the IT Share on FILE01 and having access to it.

  1. For having easy access to look at the share login as noah with the password haoNHasAStrongPassword321!@ on WS01.

  2. Open File Explorer and browse to \\file01\Data.

3. Open the IT directory and then the Script directory.

4. While looking through the scripts we see that the script Password-reset-transferuser-testscript has login credentials saved in the script:

5. The password for the user testreset probably is Testing123Testing!. After reading through the code it seems that its a script to reset the credentials of the user sa_transfer_test with the credentials of testreset.

We can easily test this by starting a new PowerShell session as this user by opening powershell, then in the taskbar right click on it and shift right clicking on Window PowerShell and then selecting "Runas as different user".

6. Copy and paste the credentials and click on "OK". A PowerShell window opens, type whoami to check if we are running as the testreset user:

On the following page the ACL's this account has will be abused by resetting a password from another user:

Defending

Recommendations

  • Don't save credentials in readable files.

Discovering Shares
ForceChangePassword
Discovering Shares