How I Hacked a Domain Controller in 3 Easy Steps

Sometimes getting the keys to the kingdom is too easy, and it can have devastating consequences if they get into the hands of the wrong people. That's why ethical hackers exist: to make sure the keys to your kingdom are secure, or as secure as possible. In today's blog, I would like to share a short story on how I hacked a Domain Controller. It was scary and easy.

For this engagement, I was provided with a set of credentials. The environment I was working in was equipped with a well-known EDR (Endpoint Detection and Response) solution which failed to detect and stop the attack techniques used to gain access to the Domain Controller.

Step 1: Dumping the hashes

Initially, I did some light enumeration and noticed there was a local admin account. I was hoping I could get the hashes and crack them or pass them around to see where else I could get access.

With the credentials provided to me, I used secretsdump to dump the local user hashes and attempted to crack them with no luck. I moved on to the next step, passing the hash around.

Hash Dump Example:

secretsdump.py domain/user@10.x.x.x

Step 2: Passing the hash

When I passed the hash around using crackmapexec, it became apparent that the admin had the same password on multiple machines, including the Domain Controller. Next, I needed to gain access to the Domain Controller without being blocked.

Pass the Hash Example:

crackmapexec smb 10.x.x.x/24 -u admin -d domain -H <HASH>
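
From the defender's side, the sweep in Step 2 shows up as one source address making NTLM network logons with the same account against many hosts in a short time. The detection sketch below is an added example, not part of the original engagement or any tool's own code. It assumes Windows Security events 4624/4625 have been exported into simple tuples, and the sample events, the 5-minute window and the host threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not data from the engagement). Columns mirror Windows
# Security log fields: time, event ID (4624 logon success / 4625 failure),
# LogonType, AuthenticationPackageName, TargetUserName, IpAddress, target host.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", 4624, 3, "NTLM", "admin", "10.0.0.50", "WS01"),
    ("2024-01-10T09:00:02", 4624, 3, "NTLM", "admin", "10.0.0.50", "WS02"),
    ("2024-01-10T09:00:02", 4625, 3, "NTLM", "admin", "10.0.0.50", "WS03"),
    ("2024-01-10T09:00:03", 4624, 3, "NTLM", "admin", "10.0.0.50", "SRV01"),
    ("2024-01-10T09:00:04", 4624, 3, "NTLM", "admin", "10.0.0.50", "DC01"),
    ("2024-01-10T10:30:00", 4624, 3, "NTLM", "admin", "10.0.0.50", "WS09"),
    ("2024-01-10T09:01:00", 4624, 3, "Kerberos", "jsmith", "10.0.0.20", "FS01"),
    ("2024-01-10T09:02:00", 4624, 3, "NTLM", "admin", "10.0.0.21", "WS07"),
    ("2024-01-10T09:03:00", 4624, 10, "Negotiate", "jsmith", "10.0.0.20", "SRV01"),
]

def find_hash_spray(events, window=timedelta(minutes=5), min_hosts=4):
    """Flag (source IP, account) pairs that make NTLM network logons (type 3)
    to at least min_hosts distinct hosts inside one sliding time window."""
    by_pair = defaultdict(list)
    for ts, event_id, logon_type, pkg, account, src_ip, host in events:
        if event_id in (4624, 4625) and logon_type == 3 and pkg.upper() == "NTLM":
            by_pair[(src_ip, account.lower())].append(
                (datetime.fromisoformat(ts), host.upper(), event_id == 4624))
    alerts = []
    for (src_ip, account), hits in sorted(by_pair.items()):
        hits.sort()
        best, start = [], 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            if len({h for _, h, _ in span}) > len({h for _, h, _ in best}):
                best = span
        hosts = {h for _, h, _ in best}
        if len(hosts) >= min_hosts:
            alerts.append({
                "src_ip": src_ip, "account": account, "hosts": len(hosts),
                # Hosts that accepted the logon share this account's credential.
                "accepted_on": sorted({h for _, h, ok in best if ok}),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_hash_spray(SAMPLE_EVENTS):
        print(alert)
```

The `accepted_on` list is the part to act on: every host in it accepted the same credential for that account, which is the reuse problem this post describes.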

Step 3: Getting a shell on the Domain Controller

At this point, I was weighing my options as to how I could get a shell on the Domain Controller without being blocked by the EDR. A few of my attempts failed. There are multiple options, so I started researching and used one of my favourite cheat sheets (available here) to find what else I could do.

I was able to get a semi-interactive shell on the Domain Controller using smbexec without being blocked by the EDR. Now that I had a shell it was GAME OVER and it was time to reach out to the relevant people to take action in resolving the issue.

The bottom line is something we hear quite a bit: do not use the same password across multiple accounts, because if one is compromised, the others are at risk as well.

It is my goal to keep my blogs short and straight to the point, so I hope you enjoyed this one. Stay curious and see you next time.