Using Metasploit Express to own a Domain!

Wednesday

Sep222010

Wednesday, September 22, 2010 at 11:14AM

So you DLL Hijacked someone or they opened an Evil PDF that they found on the thumb drive in the bathroom! Is this a big deal? Yes! Today I will show you how to go from one of the client side attacks to owning a Domain Controller.

So when we last left our thumb drive in the bathroom, someone had taken it and we get a meterpreter session.

In this scenario, we are outside their firewall and we are able to have them connect back to us using reverse_tcp. If the firewall rules were blocking random ports, an attacker could try 443 :)

We have our connection but we are outside the firewall and they are inside. We can pivot. Click on Add Session Route. This will allow us to launch attacks from our new inside the firewall owned n00b who picked up our thumb drive and probably didn't wash their hands. Disguising!

Now that we have our route, let's go after the Gibson/Domian Controller.

I have a tool I like to use called JoeWare ADFind. ADFind allows one to query the LDAP server. Lets upload our adfind.exe to our Bathroom system.

Running ADFind from the target reveals the domain controller. You can also enumerate user groups such as the Domain Admins. We have the server name, IP address and list of Domain Admins.

We also have the IP address range to scan that the Gibson resides in. Using Discovery, we identified a SQL server that looks like a test instance.

Maybe the user who set up this test system didn't protect it with a strong password because it is "TEST/DEV." Let's Bruteforce this!

Successful login: "sa" with the password "sa." In this case "sa" stands for "stupid administrator."

With the user name and password, we can run Microsoft SQL Server Payload Execution. This module is awesome. From JDuck (Author of the CoolTYPE PDF Exploit we used on our USB Drive) and David ReL1K Kennedy (Author of Social Engineering Toolkit/FastTrack)

We get a meterpreter session! Time to kick it up a notch, BAM!

Since this is a TEST/DEV box, perhaps a Domain Admin has accessed this box. If we could capture the token, we could use their permission to add an account on the domain as a Domain Admin.

We click on Command Shell.

After reading this awesome write up at carnal0wnage, we load incognito.

We list the tokens on our captured system. Upon inspection, we identify a member of the Domain Admins group.

Now we commit some digital identify theft.

Now that we have assumed the identify of the Domain Admin, lets add ourselves into the Domain Admin group.

AngryBirds is an awesome game. I highly recommend it, now available on iPhone, iPad, and Droids.

Not only is the game awesome, the newly created domain account is awesome as well.

Using ADFind to verify, we now see AngryBirds is now a Domain Admin and we now have keys to the kingdom.

n00bz Network |

References (12)

References allow you to track sources for this article, as well as articles that were written in response to this article.

Response: indexing services

at indexing services on November 3, 2013

Good Web page, Stick to the useful job. Thanks a lot!
Response: twitter account hacker

at twitter account hacker on March 5, 2014

Using Metasploit Express to own a Domain! - Blog - n00bz Network
Response: biomedical science degree

by lfasoe at lafseo on July 2, 2014

The metasploit project is well known for its hostile to scientific and avoidance instruments, some of which are incorporated with the metasploit framework. Metasploit might be utilized to test the weakness of machine frameworks or to break into remote frameworks.
Response: online english tutoring

by Viatrophy at Viatrophy on August 5, 2014

Now I finally know how to properly administer the entire server without being distracted from work! Very grateful for your blog is so informative article!
Response: comment pirater snapchat sur iphone

at comment pirater snapchat sur iphone on September 24, 2018

Using Metasploit Express to own a
Response: Iphone XS

at Iphone XS on October 7, 2018

Using Metasploit Express to own a
Response: Hindi Songs Lyrics

by Sidhu Moose Wala at LyricsBell.com on September 13, 2019

LyricsBell.com is an online source of Hindi song lyrics from latest bollywood movies and albums. With lyrics we also provide audio and video of song.
Response: Manali Tour Package

by sulekhaholi99 at Sulekha Holidays on April 8, 2020
Response: Bhojpuri Song Lyrics 2020

by toplyrics22 at Top Lyrics Site on April 8, 2020
Response: bhojpuri mp3 songs download

by Ritesh Pandey at Gaana Bhojpuri on June 28, 2020
Response: Laundry Mississauga

by Jimmy at Laundry Mississauga on March 27, 2021
Response: Smart Contract Audit Services

by Manoj at Immunebytes on January 4, 2022

Hire a leading Smart Contract Audit Company that has hands-on experience on the various Blockchain frameworks like ETH, BSC, PolkaDot, and others.

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

Post a New Comment

Enter your information below to add a new comment.

My response is on my own website »

Author:

Author Email (optional):

Author URL (optional):

Post:

↓ | ↑

Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>

n00bz Network

NewServers:

Bare Metal Cloud