Enterprise Security Breach Simulation: Red Team Engagement Analysis
SUMMARY
Inside a Red Team Engagement
By conducting a red team engagement with an assumed breach scenario, TrekShield enabled the client to identify and address critical vulnerabilities, enhance their detection and response capabilities, and significantly improve their overall security posture. The proactive approach and detailed recommendations provided by TrekShield ensured that the client could effectively defend against real-world attack scenarios.
BACKGROUND
The client is a leading provider of SaaS and server-based management solutions for transportation and logistics sectors. Their intelligent platform enhances operational efficiencies and reduces costs through automation and connectivity. Since 1996, they have been a trusted partner for various fleet operations, offering solutions for dispatch management, vehicle tracking, customer engagement, and billing systems. The company’s highly configurable products support task sharing, network collaboration, and advanced payment processing. With extensive R&D expertise, the client's platform serves over 5,500 users, processes over 1 million tasks weekly, and supports 15,000 vehicles and 1 million app users.
Industry: Software Development
Company Size: 201-500 employees
Headquarters: England, United Kingdom
TREKSHIELD'S SOLUTION
COMPREHENSIVE RED TEAM ENGAGEMENT
TrekShield's Enterprise Red Team Engagement provides a thorough evaluation of your organization's security posture through advanced adversary simulation. Our approach combines multiple attack vectors and techniques to test your defenses comprehensively. The engagement follows the full attack lifecycle:
- Initial Access & Foothold
- Persistence Establishment
- Privilege Escalation
- Lateral Movement
- Data Exfiltration Simulation
Our red team operates with OPSEC (Operational Security) in mind, employing custom tools and techniques to evade detection while documenting your security team's response capabilities. This provides a realistic assessment of your organization's ability to detect and respond to sophisticated attacks.
Attack Narrative
The attack narrative illustrates how specific vulnerabilities were exploited in sequence to escalate privileges from an unauthenticated network position to Domain Administrator. This advanced assumed-breach scenario provided a comprehensive evaluation that goes beyond a typical internal assessment.
Privilege Escalation Sequence:
Unauthenticated to Domain User via LLMNR/NBT-NS Poisoning & NTLM Relay Attacks:
To gain initial access to the domain, the team first started the ntlmrelayx tool to relay incoming authentication requests. The Responder tool was then used to intercept name resolution requests on the network. Whenever a victim system tried to resolve a hostname, Responder answered with a misleading reply that redirected the connection to an attacker-controlled system. The victim system then initiated an authentication attempt, transmitting its credentials in the process. Responder captured these credentials, which included the username and password hash, and passed them to ntlmrelayx. Using the captured authentication, ntlmrelayx conducted relay attacks, impersonating the victim to authenticate to other systems on the network that accepted unsigned SMB traffic. As a result, connections from both Domain Users and Domain Machines were captured, granting the attacker initial domain credentials and potentially enabling lateral movement within the network. In addition, successful password spraying granted access to the network as a Domain User.
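A defensive counterpart to the poisoning described above is a canary that asks the local segment to resolve a name that cannot exist: on a healthy network nobody answers, while a Responder-style poisoner replies, so any answer is an alert and names the poisoner's source address. The block below is an added example, not TrekShield's code or tooling; the multicast group, port and message layout come from RFC 4795, while the canary name prefix and timeout are my own choices.

```python
# LLMNR poisoner canary (added illustration, not TrekShield's tooling; RFC 4795 wire format):
# ask the segment to resolve a name that cannot exist. A clean network stays silent, a poisoner answers.
import secrets, socket, struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355

def build_query(name, txid):
    # Header: ID, flags=0 (query), QDCOUNT=1; question: DNS-encoded name, type A, class IN
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def read_name(buf, off):
    # Decode a DNS-style name at buf[off] (compression pointers supported); returns (name, next offset)
    n = buf[off]
    if n == 0:
        return "", off + 1
    if n & 0xC0 == 0xC0:  # pointer: the rest of the name lives at an earlier offset
        return read_name(buf, struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF)[0], off + 2
    rest, end = read_name(buf, off + 1 + n)
    label = buf[off + 1:off + 1 + n].decode()
    return (label + "." + rest if rest else label), end

def parse_answers(resp, txid):
    # Return [(name, ipv4)] for the A records in a response to our txid, [] otherwise
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction ID or not a response
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = read_name(resp, off)[1] + 4
    out = []
    for _ in range(an):
        name, off = read_name(resp, off)
        rtype, rdlen = struct.unpack("!H6xH", resp[off:off + 10])  # type, (class, ttl), rdlength
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append((name, socket.inet_ntoa(resp[off:off + 4])))
        off += rdlen
    return out

def probe(timeout=2.0):
    # Send one canary query; return [(name, ip, sender)] for the first answer, [] if the segment is silent
    name, txid = "canary-" + secrets.token_hex(4), secrets.randbelow(65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    try:
        data, addr = sock.recvfrom(512)
    except socket.timeout:
        return []
    return [(n, ip, addr[0]) for n, ip in parse_answers(data, txid)]
```

A positive result gives the poisoner's address as a pivot for incident response; disabling LLMNR and NBT-NS by group policy and requiring SMB signing removes the attack surface the narrative relied on.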
Domain User to Domain Administrator via Kerberoasting Attack:
The attack leveraged a technique known as Kerberoasting, which abuses the way the Kerberos authentication protocol issues service tickets. This method allows an attacker to request Kerberos Ticket Granting Service (TGS) tickets that are encrypted with service account credentials and attempt to decrypt them offline. By targeting accounts with Service Principal Names (SPNs), which were identified through LDAP queries, the attacker was able to request TGS tickets and extract crackable hashes.
- LDAP Enumeration: The attacker used the LDAP service to enumerate user accounts associated with Service Principal Names (SPNs). This step identified accounts that were susceptible to Kerberoasting.
- Kerberoasting Attack: Using the identified SPN accounts, the attacker requested TGS tickets from the Domain Controller. These tickets are encrypted with the service account's credentials.
- Hash Cracking: The attacker then employed offline cracking tools against the hashes extracted from the TGS tickets, aiming to recover the plaintext passwords of privileged service accounts.
- Escalation: Upon successfully obtaining plaintext passwords, the attacker escalated privileges to a Domain Administrator account. This elevation allowed unrestricted access to critical network resources and administrative controls within the domain.
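The four steps above leave a distinctive trace in the Domain Controller's Security log: one account requesting Ticket Granting Service tickets for many different SPNs in a short burst, typically with RC4 encryption. The following added example (not TrekShield's code or tooling) runs that check over constructed sample event 4769 records; the field names mirror the real event, while the account and service names, addresses and thresholds are assumptions.

```python
# Kerberoasting detection over Security Event 4769 (TGS request) records, added as an illustration
# (not TrekShield's tooling). Records are constructed samples in a simplified key=value form.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType that classic Kerberoasting tooling requests

# In 4769, TargetUserName is the account *requesting* the ticket and ServiceName is the SPN's account.
# jdoe pulls RC4 tickets for four services in 11 seconds (the burst); the other two requests are routine.
SAMPLE_4769 = """\
2024-05-01T09:00:01 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=MSSQLSvc/sql01.corp.local TicketEncryptionType=0x17 IpAddress=10.1.2.3
2024-05-01T09:00:04 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=HTTP/web01.corp.local TicketEncryptionType=0x17 IpAddress=10.1.2.3
2024-05-01T09:00:07 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sccm TicketEncryptionType=0x17 IpAddress=10.1.2.3
2024-05-01T09:00:12 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_reporting TicketEncryptionType=0x17 IpAddress=10.1.2.3
2024-05-01T09:01:00 EventID=4769 TargetUserName=svc_backup@CORP.LOCAL ServiceName=cifs/fs01.corp.local TicketEncryptionType=0x12 IpAddress=10.1.5.9
2024-05-01T09:02:00 EventID=4769 TargetUserName=WS01$@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.1.2.3
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events

def find_kerberoasting(events, window=timedelta(minutes=5), min_spns=4):
    # Map (requesting user, source IP) -> SPNs when a requester asked for RC4 tickets to >= min_spns services in one window
    requests = defaultdict(list)
    for ev in events:
        user, svc = ev["TargetUserName"], ev["ServiceName"]
        # Machine accounts and krbtgt (TGT renewals) are routine noise; skip them.
        if user.split("@")[0].endswith("$") or svc.lower() == "krbtgt":
            continue
        if int(ev["TicketEncryptionType"], 16) == RC4_HMAC:
            requests[(user, ev["IpAddress"])].append((ev["ts"], svc))
    alerts = {}
    for key, reqs in requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # sliding window anchored at each request
            spns = {s for ts, s in reqs[i:] if ts - start <= window}
            if len(spns) >= min_spns:
                alerts[key] = spns
                break
    return alerts

if __name__ == "__main__":
    for (user, ip), spns in find_kerberoasting(parse_events(SAMPLE_4769)).items():
        print(f"ALERT possible Kerberoasting by {user} from {ip}: {sorted(spns)}")
```

Kerberoasting tooling can also ask for AES tickets, so the encryption-type filter is only a heuristic; the per-requester burst of distinct SPNs is the stronger signal, and long random passwords or group Managed Service Accounts on SPN accounts make the cracked-hash step fail.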
Credential Dumping and Domain Controller Compromise:
With escalated privileges, the attacker gained access to administrative shares, SAM hashes, and LSA secrets on compromised workstations. Various indications suggested that Domain Admin accounts had been used on these workstations, and cached Domain Admin hashes were retrieved from LSA secrets, which store hashed credentials critical for authentication. This reconnaissance effort yielded important insights into the network's structure. Moreover, from the compromised Domain Controller the attacker extracted the NTDS (Active Directory database) file. This yielded plaintext passwords, including those of domain administrators, significantly expanding access throughout the domain.
Expanding Access and Compromising Accounts:
Finally, hashes obtained from the NTDS dump were cracked using the Hashcat tool, compromising additional domain user accounts. Within approximately 22 minutes, the attacker compromised an astonishing 80% of all domain user accounts in the organization, including every domain administrator.
Client Feedback
"The client appreciated TrekShield's comprehensive approach and the tangible improvements in their security posture. They noted that the red team engagement provided a realistic view of how an attacker could navigate their network, highlighting critical areas for improvement. The detailed findings and recommendations allowed the client to proactively address vulnerabilities and enhance their detection and response capabilities. Furthermore, TrekShield's expertise and ongoing support have been invaluable in continuously improving their overall security posture."