Attacking Active Directory & NTDS.dit

pokolhaboru · January 25, 2023, 8:21pm

Hi guys,

Im stuck with this box: On an engagement you have gone on several social media sites and found the Inlanefreight employee names: John Marston IT Director, Carol Johnson Financial Controller and Jennifer Stapleton Logistics Manager. You decide to use these names to conduct your password attacks against the target domain controller. Submit John Marston’s credentials as the answer. (Format: username:password, Case-Sensitive)

Problem, i made wordlist with the users, and I use the wordlist’s fence, rockyou-10, and fasttrack… i dont know if the wordlist user that I made is correctly or if the pass file is not these…

Anybody can help me??

pokolhaboru · January 25, 2023, 10:57pm

I found, sorry guys…
using the wordlist with username-anarchy and de wordlist is fastrack…

hkcr · February 18, 2023, 1:41am

Hey there, can you share some more details on this:

I’m having trouble getting the method you described to work.

Thanks!

emdeh · February 26, 2023, 3:07am

What have you tried so far? DM me if you need assistance

ns1679 · February 27, 2023, 7:35pm

hey even I got stuck question @ 3rd although have found credentials for carlos and jessica but I can’t get onto evil-winrm with those since it throws an error of authentication failed and cannot get the ntds.dit file. Am I on the right track ??

emdeh · February 27, 2023, 11:15pm

You’re in the Attacking Active Directory & NTDS.dit section, right?

Have you looked at the hint? It tells you the potential username, but even without that, you could use the previous sections to create the possible usernames from the three people’s names. But to save time, have a guess about which role would have access to the DC and use the hint to gues the username format…

Then you want to attack the domain controller to obtain the credentials you need to steal the NTDS. Just use crackmapexec, don’t worry about winrm.

The command is below, but it is also explained in the section:

crackmapexec smb $IP -u /Username/or/path/to/list -p /usr/share/wordlists/fasttrack.txt

That will give you a username and password for question 3. Those credentials can then be used to steal the NTDS file. Again, use crackmapexec, it’s so much easier:

crackmapexec smb $IP -u $USERNAME -p $PASSWORD --ntds

The output of that last command will contain the hash to Jessica’s account that you need to crack. Let me know if you need help with that part - I’ll be online for a few hours.

ns1679 · February 28, 2023, 5:52am

I got both of them thank you.

AltesBesta69 · March 11, 2023, 7:59pm

Your post gave me a ton of ideas;) in how to tackle this problem;) I still struggle quite a lot to make this inferences, thank you;)

sakis17 · March 15, 2023, 9:06am

Hi guys,

After I created the shadow copy I couldn’t copy it to a different location. But with CME options worked fine. Also, after I created the username.list for cracking the username and password for the target CME didn’t go through the username.list… any advice to this?

Ps. I already complete this module but some options are still unclear.