First I tried capturing and relaying hashes with Responder and NTLMRelayx, but the targets did not give local administrator access to the accounts I was relaying. (Boo!) I was able to crack some of the hashes, but that didn’t help right away. So I had to look for something else. Since I did have some working credentials, I could then fire up Metasploit and see what happens against GPP. Using the auxiliary/scanner/smb/smb_enum_gpp module, I set the RHOST for a domain controller, gave it the username and password that I had previously captured and fired away. It started listing out the policies, like Groups.xml and a nice little table popped up like:
USERNAME Administrator (built-in)
DOMAIN CONTROLLER 192.168.19.14
CHANGED 2017-01-08 16:49:50
Hooray!! So what do we do with that account? Spray it! That’s a local administrator account, so maybe it’ll have access elsewhere! How do we spray it? With CrackMapExec by byt3bl33d3r! Point that at all the hosts with SMB open and see what happens.
Run: cme smb IP -u Administrator -p SuperSecretPassword –local-auth
Hey, it worked! I know it worked because of that awesome “Pwn3d!” that CME shows. Next up, Mimikatz and see what’s in memory. So same command as above, but add the -M Mimikatz to it and see what comes up. Sure enough, there’s another set of credentials in clear text! Try that against the domain controller…NOW! Using CME again, with the new creds, against a DC and you know what? Pwn3d again! We are in! But as we know, DA is only the beginning and it’s time to find the data. So that’s what I learned this week, check the GPP for passwords!