Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security
Uploaded by sofiane8394

AD PT project

advertisement 
Active Directory Penetration Testing
Description:
This project is about Active Directory Penetration Testing, through a LAB built on
three virtual machines, using Virtual Box, Windows Server 2016 and Windows 10.
Index:
❖
❖
❖
❖
Setting Up the lab
Initial Attack Vector
Post Compromise Enumeration
Post Compromise Attack
Author:
❖ Ruben Enkaoua – GL4DI4T0R
❖ Based on the “Practical Hacking” course – Heath Adam
2021
Summary
❖ Setting Up the lab
✓
✓
✓
✓
Installing Windows Server 2016
Installing Windows 10 machines
Setting the domain configuration
Setting the domain virtual network
❖ Initial Attack Vector
✓
✓
✓
✓
✓
✓
✓
✓
LLMNR Poisoning / Defense
Responder and credentials capture
SMB Relay Attack / Defense
Hosts discovery
Setting up LDAPS
IPv6 Attack Overview / Defense
IPv6 DNS Takeover – MITM6
Other Attack vectors and Strategies
❖ Post Compromise Enumeration
✓
✓
✓
✓
✓
Uploading Content
Domain Enumeration – PowerView
Bloodhound Setup
Grabbing data with Bloodhound
Enumerating Domain Data with Bloodhound
❖ Post Compromise Attack
✓
✓
✓
✓
✓
✓
✓
Pass The Hash / Pass The Password / Mitigation
Installing CrackMapExec
Dumping hashes with secretsdump
Token Impersonation – Incognito / Mitigation
Kerberoasting / Mitigation
Mimikatz – Credential dumping
Mimikatz – Golden Ticket Attacks
1 Setting Up the lab
This part is talking about how to set the lab, which includes one virtual machine for the Windows
Server, and two others for Windows 10 computers. We will join all computers to the domain, and set
Users with special permissions depending on its functions.
Network:
In order to start to build the lab, we need to set a network properly configured. Using the NAT network
option in Virtual Box, we make it possible. We will use the CIDR 10.20.10.0/24, and each address
will be distributed via DHCP, except the Domain Controller address (The domain controller address
will be static, because it is also the DNS server of attached machines).
The Network properties for each computer including the DC will be displayed under the next parts
of this chapter.
Installing Windows Server 2016:
To install a Windows 2016 Server in virtual box, we will use the following configuration:
✓
✓
✓
✓
2 Gb of RAM
50 Gb of Hard Drive
2 CPU cores
Nat Network
While starting the virtual machine, Virtual Box asks for an ISO. Once the Windows Server 2016 ISO
selected, we can start the installation.
As this project is about Active Directory penetration testing, I will not show the installation steps, but
you are invited to see it in the “Practical Ethical Hacking” course, of Heath Adam.
I choose the name NETSHARK-DC for the Domain Controller server, and netshark.local for the
domain name.
The network configuration, as mentioned before, will be relied to the Nat Network properties. The
Server static IP will be 10.20.10.12, and the mask 255.255.255.0.
For this lab, we build 4 user accounts. Two of them will be in the Administrator group, and two
others regular users.
As we can see, the SQL Service user is not a regular user, and we create it as a SPN user in order
to perform Kerberoasting later. To do so, we use the setspn command in the CMD, as shown below:
(Next Page – SPN user verification)
The SQL Service account is added in the Administrators group. According to the PEH course of
Heath Adam, it is a common mistake that when configuring the SPN accounts, they become a part
of the administrators group.
As we can see in the previous image, the password
for SQL Service account is displayed in clear in the
description tab. It is another mistake made by
administrators.
The purpose of the Lab is not about how to find an
unknow exploit in the Active Directory environment,
but how to enumerate and exploit bad domain
architecture and misconfigurations.
Obviously, it is highly recommended to search about
unknown exploits, but to do so it is necessary to know
about Active directory common attacks and exploits,
misconfigurations and architecture implementations.
For example, the zerologon exploit was discovered
after deep studying and understanding of the
NetServerAuthenticate3
method,
and
the
cryptography implementation (AES CFB8). For more
explanations see CVE-2020-1472.
The next Administrator user is tstark alias Tony Stark (I wanted to keep this one from the Heath
Adam domain example, as he picked the domain user names from marvel world).
This is the only user added to the administrators group.
The next step will be to add the computers COMPUTER1 and COMPUTER2 to the domain, to get
the following:
But before doing so, we must set a GPO (Group Policy) for every connected computer, to disable
the Windows Defender. Again, the purpose of the Lab is to learn, and AV evasion is an other subject,
and includes many different technics depending on the AV itself and the target architecture
configuration.
Now, we can pass to the computer’s configuration part.
Installing Windows 10 machines:
The Windows 10 machines are added to the domain following two steps. The first is to set the DC
IP as DNS server, and the second is to add the domain using the option “Access work or school”.
We can verify it using the following commands.
Both computers are joined to the domain. For more precision, I added the network configuration for
each computer using the ipconfig command.
The last information to know about the computers configuration, is the local administrators part. The
first computer, COMPUTER1, owned initially by fcastel, stays local admin in its machine, even using
its domain account.
The second computer, COMPUTER2, initially owned by vdupont, will also be local admin of its
computer from domain account, but fcastel will be too.
The first chapter is finished. The configuration is applied.
2 Initial Attack Vector
In this chapter, we will discover what is LLMNR Poisoning, how the Responder can handle the
attack, and how to crack the received hashes. Through disabled SMB signing, We will perform Host
Discovering, SMB Relay Attack, and gain shell access. We will perform also different IPv6 related
attacks, such as IPv6 DNS Takeover. Finally, we will talk about mitigations – defenses, and explore
other Attack vectors and strategies.
LLMNR poisoning:
First, we must understand what is LLMNR.
LLMNR stands for Link – Local Multicast Name Resolution. It is a protocol used to resolve names
in a local network when the machine is not registered manually in a DNS server or by a DHCP
server. It is used in current Windows Systems. The request is a multicast request, meaning that it is
received by any machine in the network, and not only those in the domain.
Since we know this, we can define what is LLMNR Poisoning.
LLMNR Poisoning occurs when after catching a LLMNR request, an attacker confirms that it’s
machine is exactly the requested location, and receives the username and the NTLMv2 hash of the
victim.
Using the Responder, we will observe how the attack occurs.
Responder and Credentials Capture:
The Responder is a tool used to perform LLMNR, NBT-NS, DNS and MDNS poisoning. Every
possibility enumerated here is used to resolve names. The responder is included by default in kali.
The first step here is to open the Responder, listening in interface eth0 for this case, and catching
incoming traffic.
As we can see, the responder opens the poisoners, and also different servers to catch traffic.
The next part is to simulate a request in the victim machine, using the attacker IP, to simulate a
LLMNR request. We don’t need especially the attacker IP, as LLMNR provides multicast message
so everyone can catch it.
Looking at the Responder, we received the hash.
The next step is to crack it using hashcat, as fcastel has a weak password.
But first, after a test, it seems that even the DC isn’t protected against LLMNR poisoning – by
default, as we can see here:
For the Hashcat command, we will use the NTLMv2 type, 5600.
And as expected, we get the password of fcastel:
The password is now cracked. It is important to add that NTLMv2 hashes cannot perform pass –
the – hash attack.
The next part is about mitigation and protection.
LLMNR poisoning defense:
The first way to defend against LLMNR and NBT – NS poisoning is to disable LLMNR and NBT –
NS protocols and services.
To do so, we can create a new GPO and disable both services.
Both services are under the DNS category because as mentioned before, when the DNS server
doesn’t recognize the requested name, the LLMNR or NBT-NS services are used with a multicast
request, which can lead to poisoning.
Now, we can edit the policy Turn off multicast name resolution.
To disable NBT – NS, it is necessary to disable NetBIOS over TCP in network connection
properties.
Since those attacks don’t support Pass the Hash and consist in cracking a hash, the second
protection, especially useful if LLMNR or NBT-NS can not be disabled, is to set a strong password
of 14 characters, without any signification, and including special chars and digits. Setting a Network
Access Control is another protection to prevent poisoning.
SMB Relay Attack:
In the precedent attack, we used the Responder to get the NTLMv2 hash sent by the victim. After
that, we cracked the victim hash and got the password. The SMB Relay attack uses the same
technic, but instead of cracking the hash the attacker relays it to the second victim computer, in
order to gain the victim hashes, or even an interactive SMB shell, using ntlmrelayx.py, an other
impacket tool.
The attack can be performed if two conditions are respected.
✓ SMB signing is disabled or enabled but not required, in order to relay the NTLMv2 hash
without the signing verification.
✓ The first victim, which sends the hash to the attacker, is an administrator in the second
victim machine.
In our case, SMB signing is not required for fcastel and vdupont both machines, and fcastel is an
administrator in the vdupont machine (C2).
In order to discovery users with disabled SMB signing, we can use nmap, with the smb2-securitymode script.
Hosts Discovery – SMB signing
This part is about enumeration, in order to perform a SMB Relay attack. I put it in another chapter
because enumeration is different than exploitation, and it requires a part for itself.
For the enumeration, we will directly enumerate the three IP’s, but it is important to know than
enumerating the domain using CIDR range is also a solution. For our case, the enumerated IP’s will
be: 10.20.10.11-13.
The first step will be to verify which ports are opened in the different machines.
For more fun, I scanned the IP’s using a special range (9-25) but it is also possible to enumerate
the domain using 10.20.10.0/24.
The output we get after the command is the following:
As we can see here, the port 445 is open for each computer. The DC computer I easily identifiable,
due to the high number of ports opened. The second part is the SMB signing enumeration part. The
previously mentioned script (smb2-security-mode) is used.
We call the script using the following command:
The DC seems to be secure:
But for both computers, we get the following result:
As we can see, message signing is enabled but not required, meaning that SMB Relay attack is
possible. We can now continue the SMB Relay attack part.
The SMB Relay attack works exactly like the LLMNR poisoning, using the responder, but instead of
getting a hash, we will relay it using the ntlmrelayx command. For this purpose, it is necessary to
set Off the HTTP and SMB values in the Responder.conf file.
We need to disable HTTP and SMB ports because they are necessary for another command, the
ntlmrelayx, in order to relay the hash. Otherwise, it can create conflicts between both processes.
The second necessary step is to indicate to the ntlmrelayx command which target we want to
challenge using the NTLMv2 hash. For this purpose, we will indicate the target IP in a file.
All conditions are respected. Let us start the responder first and then the ntlmrelayx.
As we can see, the ntlmrelayx process opens a HTTP and a SMB server.
We invoked the attacker IP. Now let us see the ntlmrelayx output.
By default, the purpose of the ntlmrelayx script is to dump the SAM file using the relayed NTLMv2
hash and to retrieve the local NTLM hashes. NTLM hashes aren’t salted.
But it is also possible to get an interactive SMB shell, or to start an executable, using the “-e”
option. For this case, we will use the “-i” option, which stands for “interactive shell”.
As well, the responder is still up, and the attacker IP is invoked.
Instead of getting a shell in the same terminal, we have to start a netcat listener in the localhost IP,
pointing to the indicated port (11002).
As mentioned before, this is a SMB shell, meaning that we can run specifics commands (help for
more details)
Using the C$ share, we can access to the computer files
The SMB shell allows to upload a file inside the machine and to execute it, by the “-e” option. From
now, it is possible to generate an executable payload using msfvenom, and to execute it. We won’t
do it here as the last step is to store in a file the dumped hashes for further analysis.
Now let us analyze the attack using wireshark for enhanced understanding.
The first step is to analyze the exported objects.
From here it is possible to identify a dangerous activity. The svcctl service is also known as MSSCMR (Service Control Manager Remote Protocol). It is used to control remotely windows
services. The winreg service is the Microsoft Windows Remote Registry Service, used here to
dump the SAM file, as we can see in the following stream:
The next step is to analyze where the NTLMv2 hash is intercepted, and how it is relayed.
For this purpose, it is important to understand that a Pass The Hash attack is impossible for a
NTLMv2 hash. However, it is impossible if the hash is captured and reused after a defined time, but
for this case, the hash is immediately used, as the ntlmrelayx process acts like an intermediary.
We can observe it in the following streams. We need to identify first where the hash is captured, and
immediately after how it is relayed, to get an access from the second victim machine. For this
investigation, identifying the hour, the IP’s and the protocols can help to find the hash and the relay.
Immediately after getting the hash, the responder and the ntlmrelayx processes interacted together
to relay the NTLMv2 hash in order to perform the attack.
10.20.10.11
10.20.10.13
10.20.10.9
SMB signing Defense:
The last step for this chapter is about defense strategies. To prevent SMB relay attack, we need first
as well to enable SMB signing on all devices. The main disadvantage after doing so is to face issues
with file copies.
Disabling NTLM authentication can also be a solution, and the disadvantage happens if the
Kerberos server doesn’t work. By default, windows machines use NTLM in this case.
Other defense strategies exist, but we will explain here about creating a GPO for SMB signing.
The first step is to create a GPO in our Windows Server.
Now, we can edit it. We need to access the following values:
Once the values are located, we enable “define
this policy settings”, and set the radio value to
“enable”.
The same step has to be done for both client or
server.
Setting Up LDAPS:
Now, in order to prepare the next chapters, we must install LDAPS. To do so, we have to follow
the following steps.
Under Manage, we select Roles and features.
We click next until we get the following screen, and select ADCS.
We can install the server after choosing to restart it after
After a successful installation, we close the box and select the following notification
Since LDAPS is a secured implementation of LDAP, we must configure the certificate.
We select the Certification Authority role.
After clicking next few times, we get the following screen:
As we can see here, and as TCM mentioned in his course, I settled the expiration of the certificate
to 99 years. The installation of LDAPS is finished, and we can now start the next chapter.
IPv6 Attack Overview:
An IPv6 Attack is similar to LLMNR, NBT-NS and DNS poisoning. The attacker replies to DHCPv6
messages while providing as a response its own address, to become the default DNS server. Once
the attacker machine acts like a DNS server, he can perform DNS spoofing for both IPv4 and IPv6.
Being the DNS server allows to get NTLM credentials, but also to perform relaying, using SMB or
LDAPS for example. The tools used to perform the attack are mitm6 and ntlmrelayx, from impacket.
To perform the attack, it is necessary to install mitm6.
Getting the following result, and we can pass to the practice, the next chapter.
IPv6 DNS Takeover – mitm6:
As i mentioned before, to perform an IPv6 DNS Takeover attack, it is necessary to launch mitm6
and ntlmrelayx. MITM6 will perform DNSv6 and then DNSv4 poisoning.
To relay the received credentials via LDAPS, we launch ntlmrelayx with the following options
We indicate that:
✓
✓
✓
✓
✓
the IP type is IPv6
the protocol to use for relaying is LDAPS
The IP of the DC is 10.20.10.12
The fake WPAD (Web Proxy Auto Discovery) is fakewpad.netshark.local
We set a loot to dump useful information in a directory called lootme
Once both commands are settled, we can reboot a user machine to get the following output:
As we can see here, we intercept the traffic via DNS spoofing, and relay the credentials via
LDAPS. The ntlmrelayx script also enumerates the domain, to generate a loot folder.
The directory includes the following juicy files:
Opening for example domain_users_by_group.html using a browser displays the collected
information in a well-ordered table:
Everything here is juicy to help an attacker to perform initial attack, pivoting, privilege escalation,
etc…
We can see here different users in each group, the last set password, last logon, Flags, SID, but
also the description.
In the first part, we talked about a description about SQL Service account. Let us discover here the
password for this service through the output.
We deduce from this amazing experience that description isn’t visible only for Administrators from
the DC. It can be visible by anyone.
Now, we will discover how the ntlmrelayx process acts after an Administrator login.
The following is displayed in the ntlmrelayx command output:
As we can see, using LDAPS, users are automatically created, using the relayed Administrator
credentials. We can confirm it by navigating in the Active Directory Domain Controller machine:
As a final POC step, we can boot using the created account and verify that everything works:
And we get the expected response:
IPv6 DNS Takeover Defense:
The final part about IPv6 attack is the Defense strategies & mitigations.
The first fact about this attack is that Windows executes a DHCPv6 request. If the domain network
doesn’t use IPv6 addresses, it is better to shut down DHCPv6 service requesting. As mentioned in
the official mitm6 blog, “Due to the preference of windows regarding IP protocols, the DNSv6 server
will be preferred to the DNSv4 server”.
As we can see here, the IPv6 address of the attacker machine is settled as the DNSv6 server
address in the victim machine.
As mentioned before, to prevent this attack, it is necessary to disable DHCPv6, via GPO.
But also, if WPAD is not used in the domain network, it is better to disable it via GPO. If the domain
has to use a proxy, it is better to use a PAC (Proxy Auto Configuration) file with a configured URL
than WPAD to relay it automatically. To prevent an attack through WPAD, disabling
WinHttpAutoProxySvc is necessary.
To prevent LDAP an LDAPS relaying, it is recommended to enable LDAP(S) signing and channel
binding.
The last chapter for the second part is about Other attack vectors and strategies.
Other Attack Vectors & Strategies:
While Infrastructure attacks depend on provided services, infrastructure architecture, configurations,
and many other vectors, it necessary to establish a strategy depending on the target.
To begin, enumeration is the key. Understanding what the target is, what are the sub-target, where
misconfigurations can be exploited, etc… can helps to lead a correct pentest.
Also, starting the day with mitm6 or a responder can be useful to collect credentials for further
actions or to perform previously mentioned attacks.
Being innovative, searching for misconfigurations, bad implementations or mistakes can also help,
as we saw about the SQL Service account, or about LDAPS configuration. Depending on the
provided services, different other ways can be found to enumerate or to attack the domain.
Attacking an Infrastructure is mostly based on configurations, on human activity. It is not the same
as searching for a vulnerability in a service. That’s the reason why starting to enumerate a domain
must be strategic and with an out-the-box spirit, to perform the most innovative and best attacks.
BloodHound and SharpHound will be good examples to illustrate it.
3 Post Compromise Enumeration
Through different attacks enumerated in the last part, we obtained different vectors for a postcompromise attack. Hashes, passwords, fake accounts, domain map, etc… But before performing
any attack using those credentials, it is possible and necessary to perform advanced enumeration,
based on the privileges of the obtained vectors, to prepare as well as possible the attack part.
Uploading Content:
For this part, we will directly integrate files, executables and payloads into the victim machine. In
order to learn how to upload malicious content in the victim device, I will simulate some possibilities.
The purpose of the simulations is to learn about uploading and downloading from an attacker
machine to a victim machine, and not to learn about AV bypassing.
First, it is important to know that sending a file to a victim can be done via well-known services
(HTTP/S, SMB, mail phishing…), but also via a malware (downloader, reverse-tcp client…), and
many other possibilities. We will simulate here some of them.
HTTP:
The first way can be done using a python3 HTTP server. This technic is commonly used since
commands as certutil or PowerShell modules as Invoke-WebRequest exist. Let us practice about
this technic:
The first step is to open a HTTP server using the following command:
Once the server started, executing certutil from the victim machine downloads the file “done.txt”:
As we can see, the file is transferred. We will use two PowerShell commands as an alternative to
certutil.
The Invoke-WebRequest module worked fine. The second to test is wget:
An other way to launch an attacker web server is to use the apache server integrated by default:
An other time, the file is successfully uploaded, but I find the python3 server more useful, especially
if the server is launched from a directory that contains a ready set of tools.
SMB:
The second is SMB. SMB allows to put and get files. Since we settled a share, we will perform an
upload. But to list or to perform any action here, we need the password of fcastel. We remember
that from precedent attack, we dumped the hash and cracked the password using hashcat. Post
Compromise Enumeration is now possible.
As we can see here, we used smbclient to upload a file in the “Share” directory, using fcastel
password. From the victim machine, it looks like this:
SMB file upload is possible if the attack is performed against a SMB server that allows anonymous
login with sufficient privileges, or if the attacker has the password of the server owner.
Reverse TCP file server:
A simple python TCP file server can act as a malware. For our example, I coded a reverse shell
that has the capability to upload or to download a file, simply by executing the virus executable.
Since the victim machine doesn’t support python3, I converted the executable to an exe.
Once the client executes the malware, we get a TCP reverse shell from the attacker machine:
The python script allows the attacker to upload or to download a file from his machine. Inside,
three functions are included, the shell function, which calls two other functions depending on the
command of the attacker - put or get.
We don’t need the client to execute an other time the script since we have a shell opened.
Let us see how an attacker can upload the script (we won’t talk about persistence here)
The transfer is completed. We can confirm it by looking at the client machine:
For more information about python for penetration testing, see the advanced python for
penetration testing course in Udemy.
Domain Enumeration – PowerView:
PowerView is a PowerShell tool used for Active Directory enumeration. Through this chapter we will
discover about how to install & how to use it.
We can find PowerView in Github, under PowerShellMafia tools.
To upload it in the victim machine, we can start a simple HTTP server from kali and download the
file using certutil.
It is important to shut down the Antivirus for this action, otherwise the access is denied.
The file is downloaded, as we can see here:
Now that the module is installed, Let us see how to use it. The first step is to load the script into
PowerShell.
While opening PowerShell, we use the “-ep” option. This option stands for Execution Policy, and the
parameter is “bypass”. We must use this option to load and run scripts.
The first enumeration is about the domain itself. We must enumerate the domain name, the DC
machine etc… The command is Get-NetDomain.
Once we have basics information about the Domain, we can use the Get-NetDomainController
module to enumerate the DC.
The first interesting information here is the OS version. But the IP address is more interesting, since
knowing it allows the attacker to know who the target is.
To know the Domain policy, we can use the Get-DomainPolicy command.
The output is very rich. To filter it, we can use the following command:
Knowing about password policy allows an attacker to perform password spreading, but other
categories such as KerberosPolicy are very useful, as we will see after.
The next step for PowerView enumeration is about Users enumeration. We will use the module
Get-NetUser to know about the users, the descriptions, etc…
The output is the following (it is a part of the output since the output is very rich)
The enumerated account here is the Administrator account. As we remember, we settled the
description of the SQL Service account to be a password reminder. We noticed that using ntlmrelayx
we can “loot” information, including the reminder. But using the Get-NetUser command we can read
the description too as well.
Using the cmdlet select, it is possible to display a category for each user.
As we can enumerate the CN names, it is also possible to display the SAM account names, to know
how to log-in to the different accounts.
The command to display the SAM account names is the following:
Using the select cmdlet it is possible to get information for a specific category. Example:
To get more information about user properties, we can use the command Get-UserProperties:
Setting a property as a parameter for the option -properties displays juicy information:
This command is very useful since we can display very juicy and useful information about the domain
security configuration and events. We will display here the log count for every user.
It is also possible to enumerate the failed logins.
The next useful and basic command is Get-NetComputer. Using this command, we can enumerate
the computers in the domain.
Using the option -FullData we can display all possible enumerated data.
To filter the output, we can use one more time the cmdlet select. Here we enumerate the OS.
Another useful command that we will not detail here is Get-NetGroup:
As we remember, we created shares for every computer, to make possible SMB attacks. Using the
command Invoke-ShareFinder it is possible to enumerate the shares:
The next useful command is Get-NetGPO. The created GPO’s can be enumerated using this
command.
An interesting GPO rule can be found here:
Discovering about the GPO rules allows to an attacker to discover about the protection strategy of
the Domain.
As well, it is possible to use the select cmdlet to display specific information.
We will display here the created GPO’s for the domain.
PowerShell is a very powerful tool, and the PowerView module as well. To know more about
PowerShell and PowerView, you can play the rooms “Hacking With PowerShell” and “PostExploitation Basics” in TryHackMe.
The next step is BloodHound.
BloodHound Setup:
BloodHound is a tool used to find relationships within an Active Directory domain, to map the
environment, to discover strategic paths to carry out an attack, and to perform elevation of privileges.
The tool uses the Neo4j backend / database. The data is collected using SharpHound, which can
be an executable or a PowerShell script. The output is a JSON file, which can be visualized by
Neo4j.
The first step is to install BloodHound.
As we can see here, we get the neo4j DB server, to support BloodHound.
The next step is to start Neo4j.
As we can see, we get a localhost address to perform interactions with the Database. We navigate
through the URL address to login using the default credentials (username: neo4j – password: neo4j)
and to change the Neo4j default password to a stronger one.
We finally get the Neo4j interface:
The next step is to launch BloodHound and to login using the Neo4j credentials.
We get an empty interface, and it is normal. Now we can start the next chapter.
Grabbing data with BloodHound:
Grabbing data with BloodHound can be done with the PowerShell script “SharpHound.ps1”. From
now we must understand what BloodHound is, SharpHound and Neo4j. So, BloodHound is the
name of the project. It is also the tool used to interact with Neo4j, the Data Base. SharpHound is the
script used to collect the data in the victim machine. To use it, the command Invoke-BloodHound is
used. The command generates a file that we can open with BloodHound from the attacker machine.
The first step is to download the SharpHound script.
Once the script is downloaded, we can send it to the victim using a simple HTTP server:
The next step is to start PowerShell with Execution Policy bypass, and to load the script.
From now, Invoke-BloodHound is loaded in PowerShell. We run it with the following options:
✓ CollectionMethod
✓ Domain
✓ ZipFileName
We want to collect as much information as possible.
To indicate which domain to analyze.
To choose to save the output in a zip file.
We verify that we got the zip file in the current directory:
To get the file, We can copy it in the Share directory to download it using SMB.
We can use smbclient command to download the file.
Enumerating Domain data with BloodHound:
To enumerate the data with BloodHound, we just need to upload the zip file into the Data Base:
Once the files are uploaded, we can visualize basic data from the symbol on top left.
A lot of indications can be provided by BloodHound, we will display the “Find Shortest Paths to
Domain Admins” result as an example.
Navigating through the different options can indicate about strategies to perform pivots and
escalation of privileges. BloodHound is a very powerful and rich tool, and I invite everyone to read
more about it, as enumeration is the key for Active Directory Penetration Testing.
4 Post Compromise Attack
The Post Compromise Attack part is the most important and significant part, as it is the targeted
step for every previous activity. Through IAV, we tried to get credentials and footholds to make an
attack possible. Through PCE, we enumerated the domain to make as effective as possible pivoting
and privilege escalation. The PCA part is the application and practice part.
Pass The hash / password:
Pass the hash and pass the password are common and dangerous attacks, as it is difficult to set a
protection against it (we talk only about mitigation). As it was mentioned before, in order to
authenticate, a user types the password. The password is hashed by the machine using the right
algorithm and sent through the network to the server. If the hash is verified and validated, the access
is accorded to the user that sent the request.
PTH attack can be done when a hash is captured by an attacker and sent for authentication. The
attacker don’t have to crack the captured hash, as getting the hash is enough to guarantee the
access to an attacker. Using a hash, it is possible to authenticate with the same account into different
machines, to dump the local SAM file for example. The attack is now more interesting, as it is very
useful for privilege escalation and lateral movement. Here is an example of a PTPWD attack.
Installing CrackMapExec:
In order to perform a PTH or a PTPWD attack, an attacker can use the post - exploitation tool
crackmapexec. According to the documentation, the tool “helps automate assessing the security
of large Active Directory networks”. In the current chapter we will install the tool and see how to use
it.
To install the tool, we simply use the command apt get.
We can run the command to verify that everything works:
We can now practice some PTPWD attacks using CrackMapExec. For the first command, we can
test if we can login with the fcastel credentials in the different domain machines. We only have to
indicate the protocol to use, and the CIDR. Indicating the CIDR is very useful for large domains.
As we can see, the COMPUTER1 and COMPUTER2 machines are pwned, meaning that using a
domain account we can connect to the physical machine. This attack can compromise local
administrator account, and can leads to password spraying. The password reuse problematic can
severely compromise a network in this situation. For example, CrackMapExec allows to dump the
SAM file using secretsdump.py, a command that we will cover in the next chapter.
We just dumped the SAM file from the different domain machines. SAM stands for Security Account
Manager. It is the credentials database file, queried by the LSASS process, for local authentication.
LSASS stands for Local Security Authority Subsystem Service.
The domain credentials are not displayed here, since they are stored in the DC, in the ntds.dit file.
If the DC can be pwned, it is possible to dump the ntds.dit file with CrackMapExec with the --ntds
option.
Using the password of a user from the domain in a pwned machine, an attacker can spawn a reverse
shell as a NT authority\system user with an impacket tool called psexec.
Using the same account and password, it is possible to spawn a NT authority shell in COMPUTER2.
In the next chapter, we will learn about the secretsdump.py tool, to perform further a PTH attack.
Dumping hashes with secretsdump:
According to the documentation, the secretsdump.py tool from impacket is used to “perform various
techniques to dump hashes from the remote machine without executing any agent there”. Using the
SAM file, the LSA subsystem and the registry, the gathered credentials are stored in the
%SYSTEMROOT%\\Temp directory, where the data is analyzed.
In an Active Directory environment, where the ntds.dit file is dumped, the script dumps the users,
the hashes and the Kerberos keys lists via the MS DRDS protocol and the DRSGetNCChanges()
functionality, and then it extracts the ntds.dit file using the vssadmin command over SMB with the
smbexec tool from impacket.
In order to understand what DRSGetNCChanges() is, we must know that when a DC wants to
update its data from another DC, it calls an API. The credentials used to connect in order to update
are the domain admin or the DC machine credentials. When an attacker abuse this functionality,
pretending to be a DC that requests an API through the DRSGetNCChanges() functionality, every
information can be transferred, including the ntds.dit file.
Let us run the script for both machines now, using the fcastel credentials.
The hashes are dumped thanks to secretsdump.py, and we can try to crack them using hashcat.
For this purpose, it is possible to copy all hashes into a file in order to run hashcat.
The next step is to start hashcat with the 1000 value, which stands for NTLM hash.
As we can see, the admin account is disabled, since the admin hash stands here for empty
password. The credentials of frank and valerie are retrieved, and it is important to notice that these
are weak passwords.
The last step of this series of Pass attacks is to perform a PTH. For this step, we will use
CrackMapExec another time to check if a target accepts the hash, and then psexec to check if the
target provides an access with the hash only.
We don’t get a pwned flag, but the green “[+]” flag still indicates to us that the target might be
vulnerable to a PTH attack. Let us try it with psexec.
We cannot spawn here a reverse shell using a hash. There can be several reasons for this, but the
first possible reason is that the share is not writeable for the indicated user, and the second reason
can be that remote UAC is enabled or doesn’t exists in the registry. To disable it in order to simulate
a PTH attack we go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
And then we change (or create) the DWORD value of LocalAccountTokenFilterPolicy to 1.
After rebooting the computer, we can run psexec and we get the following result:
We successfully performed a PTH attack, in an environment where remote UAC is disabled. For a
better understanding, we will explain what remote UAC is.
Remote UAC stands for Remote User Account Control. When a target has remote UAC enabled, it
will block any action performed by another actor through the network, if it requires elevated
privileges.
When the share is writable, and Remote UAC is still enabled, we get the following error:
“Unable to open SVCManager”. The error is directly related to an enabled Remote UAC policy, that
blocks the access to the SVCManager (the SVC manager here is the remcomsvc executable that
psexec from impacket uses to spawn a reverse shell from the victim machine).
Pass Attack Mitigations:
The first fact to know is that Pass attacks are very difficult to mitigate. But it is possible to make the
work difficult on an attacker.
The first issue is account and password reuse. Setting a different password for local and domain
accounts can prevent an attack. Also, account reuse can help an attacker to perform a PTPWD
attack, as fcastel is a local administrator in COMPUTER1 and in COMPUTER2. Disabling the local
Administrator and Guest account is necessary, since the SAM file contains all hashes including the
admin hash. Assigning only necessary privileges to the local administrator can also prevent abuses
on the machine.
The second issue is the hash cracking step. We already talked about mitigations against it in IAV.
The third dangerous feature is the disabled Remote UAC. We disabled it in order to perform the
PTH attack via psexec, but it is important to verify that the DWORD key is deleted or settled to 0.
The Remote UAC protocol caused a lot of issues at the beginning, when it was introduced with
Windows Vista. Also, when the share is used only for read purposes, disabling write privileges if
they are not necessary can prevent the attack.
But one of the best mitigations can be provided with the implementation of a strategy via a PAM.
PAM stands for Privileged Access Management. According to the Microsoft documentation, a PAM
is a solution that helps organizations restrict privileged access within an existing and isolated Active
Directory environment. An interesting goal of a PAM is to “isolate the use of privileged accounts to
reduce the risk of those credentials being stolen”. A PAM can:
✓ Generate automatically different credentials after a successful authentication.
✓ Assign limited authorizations and privileges depending on the needs.
It is important to notice that the remcomsvc.exe program used by psexec.py is also an
ADSelfService Plus component. ADSelfService Plus is a ManageEngine solution, and the provider
indicates that ADSSP still works if remcomsvc.exe is disabled by the antivirus. According to ME, in
order to use the solution without remcomsvc.exe, the GINA agent can be deployed through GPO or
SCCM. See the official website for more information. This is an example of an environment where
remcomsvc is used.
Token Impersonation:
Before talking about impersonation, it is important to know what a token is.
As TCM mentioned in his PEH course, you can think cookies for computers when you hear about
token in windows environment. As a cookie provides a session without to enter a password, a token
gives an access to restricted resources without a password.
For example, when a user wants to login from a machine, the credentials are passed through the
network to the DC. Once the DC authenticates the password, an interactive logon session is opened
for the user - but in the background, the LSA process generates an Access Token for the user.
According to the Microsoft documentation, the LSA creates the access token. The created token is
a primary access token. When the system verifies if whether or not a user has enough privileges to
perform an action, the token is consulted to determine the level of authorization.
There is two types of tokens.
✓ Primary token: it describes the security context of the user account associated with a process.
By default, when a process interacts with a limited and secure object, it uses the primary
token.
✓ Impersonation token: The impersonation token provides more privileges, as it impersonates
a client account. It is usually used in a client / server context.
We can analyze the content of a token using the TokenViewer tool. The tool was released by Project
Zero. The Google Project Zero is a team of security analysts tasked with finding zero days. The first
step to do is to install the executable.
Since i didn’t find the executable from github, I decided to download the archive through wget. From
here, we can extract everything with the 7z command:
We list everything in the directory and get the following:
I used the HTTP method to upload the exe and the dll’s into the victim machine.
From now, we can observe a primary token, I choose the cmd.exe token.
As we can see, the token stores a lot of
information.
✓
✓
✓
✓
✓
The SID stands for security identifier
The token type: primary / impersonate
The list of privileges
The Token Source
Etc…
According to the Microsoft resources and
documentation, the token describes the
security context of the user account
associated with the process. For this
example, the token describes the security
context for cmd.exe launched by the user
fcastel. As we can see above, the token
also contains groups, privileges Token
Sources, etc… We understand now why it
can be enough to act as a cookie for
privileges check when the system has top
determine if whether or not the user can
access to limited resources. Now we will display the different privileges of the user:
Using the cmd, it is also possible to check privileges using whoami /priv. The whoami command has
a lot of options that can help for enumeration.
The Groups tab indicates the listed groups for the thread.
In order to understand what an impersonate token is, we can think that as a process has a primary
token for a specific user with privileges and groups that define the security context, it is the same
for users. Users have different privileges and groups, and when a token is used to impersonate a
user, the whole security context changes. There is two types of tokens for users:
✓ Delegate:
When a user connects to a machine, an interactive token is created since
the user performs a physical action
✓ Impersonate:
When a machine needs to access to some resources for a user using it’s
security context, the machine impersonates the user token in order to access only authorized
objects, for example through the network.
Now, if an attacker can impersonate a user token, the security context changes depending on the
user privileges on the domain. In order to perform this action, the incognito module from Metasploit
can be used.
According to the Offensive Security Metasploit-Unleashed resources, the great thing to know about
tokens is that a delegate token becomes an impersonation token after a logoff, meaning that the
security context can be reused.
Let us perform the attack using the msfconsole.
The first step is to gain a reverse shell using the windows/smb/psexec module. We must set the
payload in a x64 format since the machine is an x64 based PC. It is important to set the target to
Native Upload, as the module will upload it to System32.
The meterpreter is ready. As we can see, we got a meterpreter shell as fcastel local user, with NT
AUTHORITY\SYSTEM privileges, since fcastel is a local administrator on the C1 machine.
Metasploit contains a lot of different modules that it is possible to load from the meterpreter. In order
to enumerate the impersonation tokens, we will use the incognito module, as we said before. To do
so, it is enough to type the following commands
load incognito
list_tokens -u
In the following example, we can observe how easy it is to impersonate a user with this module.
Token impersonation – Mitigations:
The MITRE ATT&CK id for token manipulation is T1134. Token impersonation is a sub-technic, with
the id T1134.001. Some mitigations are listed in order to prevent an attacker to abuse tokens.
The best mitigation is to avoid administrator log in. The best practice to run administrator tasks is to
log in as a regular user, and then to run tools with administrator privileges, such as runas.
Also, it is important to limit the user privileges only to the least privileges they require, in order to
avoid possible abuse. If fcastel wasn’t a local administrator, the attack would be more difficult for an
attacker.
Kerberoasting:
Kerberos is an authentication protocol, and grants an access to services and resources in a domain
environment to an authenticated user. The protocol is based on ticket authentication, and it is the
default authentication method in a domain environment.
1. When a user needs to authenticate, it requests a TGT ticket from the Domain Controller. The
request includes the NTLM hash of the user. (AS-REQ)
2. The KDC verifies the credentials, and if they are correct it sends an encrypted TGT to the
client. (AS-REP)
3. If the client wants to access to some resources, it has to request for a TGS ticket. In order to
get this ticket, the client sends the requested service name (SPN) with the TGT to the TGS
in a request. (TGS-REQ)
4. The KDC verifies the credentials, and the privileges of the user in order to access to the
requested service, and if it is correct it sends a TGS ticket to the user. (TGS-REP)
5. The user requests the service using the TGS ticket to authenticate. It is important to know
that the TGS ticket contains the hash of the requested service. (AP-REQ)
6. The service verifies the ticket, and validates it if the credentials are correct. The user has then
an access to the resources of the service. (AP-REP)
Kerberoasting allows an attacker to request a service ticket (TGS-REQ) and to crack the hash of
the requested SPN account. The GetuserSPNs.py tool from impacket can provides the hash of the
requested SPN to an attacker.
Once we get the hash, it is possible to crack it with hashcat. In order to enumerate the different
hashcat modes for Kerberos types, we can use the command hashcat --help | grep Kerberos.
Let us enumerate the possibilities
As we can see, the type can be identified by the request name (TGS-REP).
Let us crack the hash with hashcat now.
We told earlier in the LS part that SQLService is a domain admin. What if we run psexec.py from
impacket on the DC?
We pwned the DC and we get here NT AUTHORITY\SYSTEM privileges. This example can
demonstrate how dangerous it is to set a SPN account as an administrator.
Kerberoasting – Mitigations:
The best mitigation against Kerberoasting attacks are:
✓ Setting a strong and long password for service accounts. According to the PEH course from
TCM, 30 characters minimum.
✓ Limiting the privileges. The DC was pwned here because the SPN account was an
administrator. This is a dangerous mistake.
Mimikatz:
Mimikatz is a tool written in C. According to the github resources, it is well known to extract plaintexts
passwords, hash, PIN code and Kerberos tickets from memory. But it is also used to perform PTH,
Pass The Ticket, to build Golden Tickets etc…
In a machine, it is possible to dump local credentials, such as NTLM hashes, SAM file, LSASS
dump, etc… Mimikatz can do it.
But in an Active Directory environment, the first interesting part is the ntds.dit file. It is a database
that stores Active Directory data. The second interesting component is Kerberos.
Let us upload Mimikatz to the DC.
We can now execute it and get the following terminal.
The first command is privilege::debug. If the result is ‘20’ OK, we can continue. The command
verifies the debug privileges, in order to debug a service running as local system. To do so, it is
necessary to be administrator.
Let us now check logon passwords from the LSASS process with sekurlsa::logonpasswords .
From the output, we get the administrator NTLM hash (not salted as v2, so it makes PTH possible).
We successfully cracked it with hashcat. But it is also possible to dump the entire process with the
command lsadump::lsa /patch .
We can see that the NTLM hash of every account is displayed here. But the LSA process is used
locally, interacting with the SAM database. What about the ntds.dit file?
In order to dump the credentials from the ntds.dit database, we can use lsadump::dcsync .
It is necessary to type the domain name in /domain .
In the last chapter, we talked about the hash of SQLService. It was a TGS-REP hash. We get here
the NTLM hash of the service account, and we can crack it again with hashcat.
It is also possible, from the lsadump::dcsync command, to dump credentials from the ntds.dit
database for a specific user with the /user option.
From the attacker machine, it is also possible to retrieve machine or domain credentials from the file
or the database itself. In order to dump the SAM or the SYSTEM file, it is possible to use the following
commands:
reg save HKLM\SYSTEM system.hiv
reg save HKLM\SAM sam.hiv
Once the commands are executed from the cmd, the SAM and SYSTEM hives are located in the
current directory. We can retrieve the hashes from another machine with Mimikatz, but also from a
kali machine with samdump2 for example.
From here we can run Mimikatz with the command lsadump::sam /system: system /sam:sam
We retrieved the passwords from the dumped files.
Mimikatz – Golden Ticket attack:
In the Kerberos environment, even Kerberos itself has a TGT. Now imagine if a user can get the
ticket of the krbtgt account? It allows to an attacker to get an access to any resources in the domain
without any limit.
Let us practice the attack in our domain.
The first step, as shown above, is to perform the “injection”, in order to gain the credentials of the
krbtgt account, including the hash and the SID of the domain. The mentioned account here is the
Kerberos account, when the attack is only a Silver Ticket attack, the specified account is mentioned
in the parameter /user. The next step is to create the golden ticket for a specified user.
In order to generate the Golden ticket, we have to enter the values of the selected user (name and
id), the credentials of the krbtgt account, including the NTLM hash and the SID, and the /ptt option
for Pass The Ticket.
Once we get a successfully result, we can run the following command to get a shell with the received
ticket.
misc::cmd
We can verify from here that we get an access to different resources.
We can also run psexec from Sysinternals to spawn a reverse shell in the different computers.
Conclusion
This project was about basic active directory penetration testing. Through different attacks, we
learned about enumeration, exploitation, post exploitation, and more. But it is only the skeleton of
the field. Windows Privilege Escalation, AV evasion etc… the path is long.
However, from now, we understood what it is talking about, what stands behind every attack, and
more, and this is the most important.
I would like to thank the Cyber Mentor, and I encourage you to follow his courses from TCM security,
as this project was entirely based on his course.
I also want to thank my parents for their support.
Thanks for reading !
Ruben Enkaoua
GL4DI4T0R
Ruben.formation@gmail.com
Related documents
Learning to Live with an Advanced Persistent Threat PPT Only
Learning to Live with an Advanced Persistent Threat PPT Only
Mash
Mash
CIS 5371 Cryptography QUIZ 11 (5 minutes only)
CIS 5371 Cryptography QUIZ 11 (5 minutes only)
Hash table
Hash table
Download
advertisement