1 of 51

Active Directory Attacks

By Jaskaran & Mufaddal

2 of 51

Brief Introduction About us

  • Mufaddal Masalawala
  • B.E in Comp Science from Mumbai University
  • 4.5+ years of experience in Cyber Security
  • Working in Synopsys as Security Consultant
  • Certifications: CRTP / CEH / CASE.NET
  • Jaskaran Singh Nayyar
  • B.Tech in Comp Science from RGPV University (Bhopal)
  • 1+ years of experience in Cyber Security
  • Working in Synopsys as Associate Consultant
  • Certifications: eJPT / CRTP / CEHv11

3 of 51

Disclaimer

  • All opinions are our own, not a representation of the company we work for or the organizations we are affiliated with.
  • None of this material is original; it is a compilation of research done by awesome people.
  • Test all recommendations first, before implementing them. We take no liability if they mess up your environment.
  • Please always be cautious while performing attacks in an Active Directory environment.

4 of 51

Agenda

  • Introduction to Active Directory
  • Most Common AD Security Issues
  • Windows Authentication
  • Active Directory Attack Simulation
  • AD Enumeration Vectors
  • Privilege Escalation
  • Lateral Movement
  • Persistence

5 of 51

Introduction to Active Directory

What is Active Directory?

  • Active Directory (AD) is Microsoft's directory service. It runs on Windows Server and lets administrators manage permissions and access to network resources.
  • Stores information about objects on the network (computers, users, groups and more) and makes that information easy for administrators and users to find and use.
  • Authenticates using Kerberos tickets.

6 of 51

Why Active Directory?

  • Active Directory is the most commonly used identity management service in the world.
    • 95% of Fortune 1000 companies use Active Directory services in their networks.

  • Active Directory itself is hard to exploit directly; when it is compromised, it is usually through misconfigurations and abuse of its legitimate features.

7 of 51

Components of Active Directory

  • Microsoft’s Directory Service (AD DS) – A set of services to manage network resources
  • Domain Controller (DC) — Server running AD DS
  • Domain Admin (DA) — The User Group that has full control of network resources in the Domain
  • Local Administrators — The User Group that has full control for Local/Specific Machine

8 of 51

Active Directory - Structure

  • Forests, domains and organizational units (OUs) are the basic building blocks of any Active Directory structure.

  • A forest – which is a security boundary – may contain multiple domains and each domain may contain multiple OUs.

9 of 51

Most Common AD Security Issues

AD Admin Accounts Have Old Passwords

10 of 51

Weak Domain Password Policy

The minimum password length should be set to at least 12 characters, preferably 15, and Fine-Grained Password Policies should be used for admin and service accounts.
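The recommendation above in working form, as an added example (not code from the slides or their authors): check what the default domain policy enforces today, then create a stricter Fine-Grained Password Policy (PSO) and apply it to the privileged groups. It assumes the ActiveDirectory RSAT module on a domain-joined admin host; the PSO name, precedence, lockout values and the group name 'Service Accounts' are assumptions, as is the sample user 'svc_sql'.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Baseline check: what does the default domain policy enforce right now?
$default = Get-ADDefaultDomainPasswordPolicy
if ($default.MinPasswordLength -lt 12) {
    Write-Warning ("Default domain policy minimum length is {0}; raise it to at least 12." -f $default.MinPasswordLength)
}

# A stricter PSO for privileged and service accounts (name and precedence are assumptions;
# the lowest precedence number wins when several PSOs apply to one user).
$psoName = 'PSO-PrivilegedAccounts'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 15 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# PSOs apply to users and global security groups, not to OUs.
# 'Service Accounts' is an assumed group that holds the service accounts.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins', 'Service Accounts'

# Verify which policy actually wins for a given account ('svc_sql' is a sample name).
Get-ADUserResultantPasswordPolicy -Identity 'svc_sql' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

The resultant-policy check at the end is the part worth keeping in a recurring audit: a PSO that is created but never linked, or that loses on precedence to a weaker one, silently leaves the default domain policy in force for the account.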

11 of 51

Server GPOs Linked to Domain Controllers

12 of 51

Server GPOs Linked to Domain Controllers

Only use GPOs dedicated to Domain Controllers, don’t link GPOs already linked to other OUs.

13 of 51

Service Accounts in Domain Admins

  • Service Accounts rarely actually need Domain Admin rights.
  • Better to delegate the required rights for the accounts.

Mitigations:

  • Remove from Domain Admins
  • Delegate appropriate rights
  • Use separate accounts for different tiers:
    • Workstations
    • Servers
    • Domain Controllers

14 of 51

Default Domain Administrator Account SPN

  • There is no good reason for admin accounts to have Kerberos SPNs.
  • Attack: Kerberoast these accounts to own AD.

A Service Principal Name (SPN) is a name in Active Directory that a client uses to uniquely identify an instance of a service. An SPN combines a service name with a computer and user account to form a type of service ID. For Kerberos authentication (a protocol that authenticates client and server entities on a network) to function, an SPN must be registered for each SQL Server service account in Active Directory.
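An audit for the issues on the last three slides (service accounts sitting in Domain Admins, admin accounts that carry SPNs, and admin passwords that have not changed in a long time), as an added example that is not code from the slides or their authors. It assumes the ActiveDirectory RSAT module; the list of privileged groups, the use of "has an SPN" as the heuristic for a service account, and the 365-day staleness threshold are assumptions.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Groups whose members are treated as privileged (assumed scope; extend for your forest).
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'

$members = foreach ($g in $privilegedGroups) {
    $groupName = $g
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties ServicePrincipalName, PasswordLastSet, Enabled
            [pscustomobject]@{
                Group           = $groupName
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                PasswordLastSet = $u.PasswordLastSet
                SPNs            = @($u.ServicePrincipalName)
            }
        }
}

# Finding 1: privileged accounts carrying SPNs. These are both "service accounts in
# Domain Admins" (heuristic: an account with an SPN is a service account) and the
# Kerberoast targets the slides warn about.
$adminsWithSpn = $members | Where-Object { $_.SPNs.Count -gt 0 }

# Finding 2: admin passwords older than a year (threshold is an assumption).
$stalePasswords = $members | Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-365) }

$adminsWithSpn   | Select-Object Group, SamAccountName, @{n = 'SPNs'; e = { $_.SPNs -join '; ' } } | Format-Table -AutoSize
$stalePasswords  | Select-Object Group, SamAccountName, PasswordLastSet | Format-Table -AutoSize

# Remediation for finding 1: strip the SPNs from the admin account. Dry run only;
# remove -WhatIf after confirming the service has been moved to a dedicated account.
foreach ($a in $adminsWithSpn) {
    foreach ($spn in $a.SPNs) {
        Set-ADUser -Identity $a.SamAccountName -ServicePrincipalNames @{ Remove = $spn } -WhatIf
    }
}
```

The built-in Administrator account (RID 500) deserves a specific look in the first finding: a leftover MSSQLSvc or HTTP SPN on it is exactly the "Default Domain Administrator Account SPN" case, and the fix is to re-register the SPN on a dedicated, delegated service account before removing it here.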

15 of 51

AD Admin Accounts with SPNs

16 of 51

Domain Permission Delegation Issues

17 of 51

Windows Authentication

  • NTLM Authentication
  • Kerberos Authentication

18 of 51

NTLM Authentication

  1. User requests access. The user tries to log on to the client by providing user credentials. Before logon, the client computer caches the password hash and discards the password. The client sends a request to the server, which includes the user name along with the request in plain text.
  2. Server sends challenge message. The server generates a 16-byte random number, called the challenge or nonce, and sends it to the client.
  3. Client sends response message. The client uses a password hash generated from the user's password to encrypt the challenge sent by the server. It sends this encrypted challenge in the form of a response back to the server.
  4. Server sends challenge and response to domain controller. The server sends the user name, the original challenge, and the response from the client computer to the domain controller.
  5. Domain controller compares challenge and response to authenticate user. The domain controller obtains the password hash for the user, and then uses this hash to encrypt the original challenge. Next, the domain controller compares the encrypted challenge with the response from the client computer. If they match, the domain controller sends the server confirmation that the user is authenticated.
  6. Server sends response to the client. Assuming valid credentials, the server grants the client access to the requested service or resource.
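A three-party model of the exchange above (client, server, domain controller), as an added example that is not code from the slides or their authors. It uses the NTLMv2 response construction from MS-NLMP (HMAC-MD5 keyed by the NT hash) rather than the DES operations of the older NTLMv1, so the numbers differ from a real capture but the roles match steps 2 to 5: the server only relays, and the domain controller recomputes the response from its own copy of the hash and compares. Everything is constructed in-process; the NT hash is supplied as a placeholder constant because .NET ships no MD4 implementation, and the user and domain names are made up.

```powershell
# Added example, not from the slides. A simulation, not a client for real NTLM traffic.

function Get-HmacMd5 {
    param([byte[]]$Key, [byte[]]$Data)
    $h = [System.Security.Cryptography.HMACMD5]::new($Key)
    try { return ,$h.ComputeHash($Data) } finally { $h.Dispose() }
}

# NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))  (MS-NLMP 3.3.2)
function Get-NtOwfV2 {
    param([byte[]]$NtHash, [string]$User, [string]$Domain)
    $identity = [System.Text.Encoding]::Unicode.GetBytes($User.ToUpperInvariant() + $Domain)
    Get-HmacMd5 -Key $NtHash -Data $identity
}

# Step 3: the client proves it knows the hash by keying an HMAC over the server
# challenge plus its own blob (timestamp + client nonce). The password never leaves the client.
function New-NtlmV2Response {
    param([byte[]]$NtOwfV2, [byte[]]$ServerChallenge, [byte[]]$Blob)
    Get-HmacMd5 -Key $NtOwfV2 -Data ([byte[]]($ServerChallenge + $Blob))
}

# Step 5: the domain controller repeats the same computation with the hash it
# stores for the user and compares it with what the server forwarded.
function Test-NtlmV2Response {
    param([byte[]]$StoredNtHash, [string]$User, [string]$Domain,
          [byte[]]$ServerChallenge, [byte[]]$Blob, [byte[]]$ClientProof)
    $expected = New-NtlmV2Response -NtOwfV2 (Get-NtOwfV2 $StoredNtHash $User $Domain) `
                                   -ServerChallenge $ServerChallenge -Blob $Blob
    [BitConverter]::ToString($expected) -eq [BitConverter]::ToString($ClientProof)
}

# --- constructed scenario ---
$user = 'alice'; $domain = 'CORP'
$ntHash = [byte[]](1..16)      # placeholder for MD4(UTF-16LE(password)); not a real hash

$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$challenge = [byte[]]::new(8);   $rng.GetBytes($challenge)     # step 2 (MS-NLMP ServerChallenge is 8 bytes)
$clientNonce = [byte[]]::new(8); $rng.GetBytes($clientNonce)
$blob = [byte[]]([BitConverter]::GetBytes([DateTime]::UtcNow.ToFileTimeUtc()) + $clientNonce)

# Step 3: client builds the response from its cached hash.
$proof = New-NtlmV2Response -NtOwfV2 (Get-NtOwfV2 $ntHash $user $domain) -ServerChallenge $challenge -Blob $blob

# Step 4: the server forwards (user, challenge, response) unchanged; it cannot verify anything itself.
# Step 5: the DC verifies. A DC holding a different hash for 'alice' rejects the same response.
"DC verdict with the right hash:  $(Test-NtlmV2Response $ntHash $user $domain $challenge $blob $proof)"
"DC verdict with a wrong hash:    $(Test-NtlmV2Response ([byte[]](16..31)) $user $domain $challenge $blob $proof)"
```

Two things the model makes concrete: the server in the middle never learns the password or the hash, which is why step 4 has to go to a domain controller at all; and the only secret the client needs to produce a valid response is the NT hash itself, which is why step 1's "caches the password hash" matters to defenders and why the slides treat NTLM as the weaker of the two authentication protocols.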

19 of 51

Kerberos Authentication

20 of 51

Active Directory Attack Simulation

21 of 51

AD Enumeration Vectors

Manual Approach

  1. PowerView
  2. Active Directory Module

Automated Approach

  1. BloodHound

22 of 51

Domain Enumeration with Powerview

We will use PowerView for enumeration: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

23 of 51

Domain Enumeration with Powerview

24 of 51

Domain Enumeration with Powerview

25 of 51

User Enumeration with Powerview

Invoke-UserHunter:

  • Gets a list of hosts from AD
  • Gets a list of users of a specific domain group (Domain Admins / Local Administrators)
  • Runs NetSessionEnum (user sessions) and NetWkstaUserEnum (logged-on users) against the hosts gathered
  • Checks if the current user has Local Administrator rights on each host
  • Implicit trust relationship
  • Look at where the current user has Local Administrator rights
  • Look for where privileged users are logged on
  • Target machines with privileged users
  • Steal their tokens / credentials

26 of 51

User Enumeration with Powerview

27 of 51

BloodHound

  • Provides a GUI for AD entities and relationships from the data collected by its ingestors.
  • Uses graph theory to map the shortest path to interesting targets such as Domain Admins. https://github.com/BloodHoundAD/BloodHound
  • There are built-in queries for frequently used actions.
  • Simplifies admin hunting across the network to achieve derivative local admin.

28 of 51

BloodHound

An Example View of Enumeration Done with the help of BloodHound

29 of 51

Privilege Escalation

  • In an AD environment, there are multiple scenarios which lead to privilege escalation. We had a look at the following:

– Hunting for local admin access on other machines

– Hunting for high-privilege domain accounts (like a Domain Administrator)

There are various ways of locally escalating privileges on a Windows box:

– Missing patches

– Automated deployment and AutoLogon passwords in clear text

– AlwaysInstallElevated (any user can run an MSI as SYSTEM)

– Misconfigured services

– DLL hijacking and more

30 of 51

Privilege Escalation

  • These are some of the tools which are used for local privilege escalation

– PowerUp: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

– BeRoot: https://github.com/AlessandroZ/BeRoot

– Privesc: https://github.com/enjoiz/Privesc

We are using PowerUp for our demonstration

  • PowerUp:
    • Invoke-AllChecks

  • BeRoot is an executable:
    • .\beroot.exe

  • Privesc:
    • Invoke-PrivEsc

31 of 51

Privilege Escalation

32 of 51

Privilege Escalation

33 of 51

Privilege Escalation

34 of 51

Lateral Movement - Kerberoasting

  • A service ticket can be requested without actually using it.

  • A service ticket issued by the TGS is encrypted with the target service account’s secret key.

  • Service accounts are usually privileged accounts on the domain.

35 of 51

Lateral Movement - Kerberoasting

36 of 51

Lateral Movement - Kerberoasting

  • Why not just crack it?

    • The user requests a TGT from the Domain Controller/KDC by providing the NTLM hash (the credentials can be those of any known user account; it does not need to be a domain administrator account)

    • The DC sends a TGT encrypted with the krbtgt hash

    • The user requests a TGS for the server by presenting the TGT

    • The DC sends a TGS encrypted with the server’s account hash

    • The user now cracks the server account’s hash from the TGS using the hashcat tool
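Detection logic for the request pattern on this slide, as an added example that is not code from the slides or their authors. A Kerberoast run shows up on the domain controller as a burst of Event ID 4769 (service ticket requested) entries from one account for many different service accounts, usually asking for RC4 (encryption type 0x17) because RC4 tickets are far cheaper to crack than AES ones. The records below are constructed in-process to stand in for `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}` output; the thresholds, account names and addresses are assumptions.

```powershell
# Added example, not from the slides. Runs offline on constructed 4769-style records.

# Constructed records: who requested a ticket for which service, with which cipher.
# EncType 0x12 = AES256-CTS-HMAC-SHA1-96, 0x17 = RC4-HMAC. Status 0x0 = success.
$events = @(
    [pscustomobject]@{ Time = '2024-01-10T09:00:01'; Account = 'alice@CORP.LOCAL'; Service = 'CORPSQL01$'; EncType = '0x12'; Ip = '10.0.1.20'; Status = '0x0' }
    [pscustomobject]@{ Time = '2024-01-10T09:00:02'; Account = 'alice@CORP.LOCAL'; Service = 'CORPFS01$';  EncType = '0x12'; Ip = '10.0.1.20'; Status = '0x0' }
    [pscustomobject]@{ Time = '2024-01-10T09:15:10'; Account = 'bob@CORP.LOCAL';   Service = 'svc_sql';    EncType = '0x17'; Ip = '10.0.5.7';  Status = '0x0' }
    [pscustomobject]@{ Time = '2024-01-10T09:15:10'; Account = 'bob@CORP.LOCAL';   Service = 'svc_web';    EncType = '0x17'; Ip = '10.0.5.7';  Status = '0x0' }
    [pscustomobject]@{ Time = '2024-01-10T09:15:11'; Account = 'bob@CORP.LOCAL';   Service = 'svc_backup'; EncType = '0x17'; Ip = '10.0.5.7';  Status = '0x0' }
    [pscustomobject]@{ Time = '2024-01-10T09:15:11'; Account = 'bob@CORP.LOCAL';   Service = 'svc_sap';    EncType = '0x17'; Ip = '10.0.5.7';  Status = '0x0' }
    [pscustomobject]@{ Time = '2024-01-10T11:30:00'; Account = 'carol@CORP.LOCAL'; Service = 'svc_sql';    EncType = '0x17'; Ip = '10.0.2.9';  Status = '0x0' }
)

function Find-KerberoastCandidates {
    param(
        [object[]]$Events,
        [int]$MinDistinctServices = 3,   # assumed threshold: tune against your baseline
        [int]$WindowMinutes = 10
    )
    # Keep successful RC4 tickets for user-style service accounts; computer accounts
    # (names ending in '$') get AES tickets by default and are normal traffic.
    $rc4 = $Events | Where-Object { $_.EncType -eq '0x17' -and $_.Status -eq '0x0' -and $_.Service -notmatch '\$$' }

    $rc4 | Group-Object Account | ForEach-Object {
        $sorted   = @($_.Group | Sort-Object { [datetime]$_.Time })
        $first    = [datetime]$sorted[0].Time
        $last     = [datetime]$sorted[-1].Time
        $services = @($sorted.Service | Select-Object -Unique)
        if ($services.Count -ge $MinDistinctServices -and ($last - $first).TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                Account  = $_.Name
                Services = $services -join ','
                SourceIp = (@($sorted.Ip | Select-Object -Unique)) -join ','
                Span     = $last - $first
            }
        }
    }
}

Find-KerberoastCandidates -Events $events | Format-Table -AutoSize
```

With these records the rule flags only bob: four distinct RC4 service tickets inside one second. Alice's requests are AES tickets for computer accounts and carol's single RC4 ticket stays under the threshold, which is the point of combining the cipher, the distinct-service count and the time window rather than alerting on any RC4 ticket. On the prevention side, the same data shows the fix: set service accounts to AES-only (msDS-SupportedEncryptionTypes), give them long random passwords or use group Managed Service Accounts, and keep them out of privileged groups so a cracked ticket is worth less.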

37 of 51

Lateral Movement - Kerberoasting

38 of 51

Lateral Movement - Kerberoasting

39 of 51

Lateral Movement - Kerberoasting

40 of 51

Lateral Movement - Kerberoasting

41 of 51

Persistence

  • Golden Ticket

42 of 51

Persistence

  • Golden Ticket
  • A golden ticket is signed and encrypted with the hash of the krbtgt account, which makes it a valid TGT.

  • Since the Domain Controller (KDC service) does not validate the user account until the TGT is older than 20 minutes, even deleted/revoked accounts can be used.

  • The krbtgt hash can be used to impersonate any user with any privileges, even from a non-domain machine.

  • A user password change has no effect on this attack.

43 of 51

Persistence

  • Golden Ticket

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:scrm.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /ptt"'

44 of 51

Persistence

  • Golden Ticket

45 of 51

Persistence

  • Golden Ticket

46 of 51

Persistence

  • Golden Ticket

47 of 51

Persistence

  • Silver Ticket

48 of 51

Persistence

  • Silver Ticket
  • A silver ticket is a valid TGS (a golden ticket is a TGT).

  • Encrypted and signed with the NTLM hash of the account the service runs as (a golden ticket is signed with the krbtgt hash).

  • Services rarely check the PAC (Privilege Attribute Certificate).

  • Reasonable persistence period (default 30 days for computer accounts).
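An audit covering both persistence techniques in this section (golden ticket on slides 41 to 46, silver ticket on slides 47 and 48), as an added example that is not code from the slides or their authors. A forged TGT stays valid until the krbtgt key it was signed with is rotated, and a forged TGS for a computer account stays valid until that machine's password rotates (the 30-day default the slide mentions), so the two things to check are the age of the krbtgt password and which computers have stopped rotating theirs. It assumes the ActiveDirectory RSAT module; the 180-day and 45-day thresholds are assumptions, and the registry value read at the end reflects the host the script runs on.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Golden ticket: only rotating krbtgt invalidates tickets forged with the old key.
# Microsoft's guidance is to reset it twice, waiting for replication to complete
# (and for outstanding TGTs to expire) between the two resets. Here we only report the age.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$krbtgtAge = (Get-Date) - $krbtgt.PasswordLastSet
if ($krbtgtAge.TotalDays -gt 180) {   # 180 days is an assumed threshold
    Write-Warning ("krbtgt password last set {0:yyyy-MM-dd} ({1:N0} days ago); schedule a double reset." -f $krbtgt.PasswordLastSet, $krbtgtAge.TotalDays)
} else {
    "krbtgt password age: {0:N0} days" -f $krbtgtAge.TotalDays
}

# Silver ticket: a TGS forged with a computer account's key lives until that password
# rotates. Enabled computers whose password is older than 30 days plus slack are the
# ones where rotation has stopped (DisablePasswordChange set, or a long-offline host).
$limit = (Get-Date).AddDays(-45)      # 30-day default + 15 days slack (assumption)
$staleComputers = Get-ADComputer -Filter { Enabled -eq $true -and PasswordLastSet -lt $limit } `
                                 -Properties PasswordLastSet, OperatingSystem, LastLogonDate |
    Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet

"Computers that have not rotated their password since $($limit.ToString('yyyy-MM-dd')): $($staleComputers.Count)"
$staleComputers | Format-Table -AutoSize

# "Services rarely check the PAC": on a member server, KDC PAC validation is controlled by
# ValidateKdcPacSignature under the Kerberos parameters key (1 = validate). Absent means default.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$pac = Get-ItemProperty -Path $kerbParams -Name ValidateKdcPacSignature -ErrorAction SilentlyContinue
"ValidateKdcPacSignature on this host: " + $(if ($pac) { $pac.ValidateKdcPacSignature } else { 'not set' })
```

The krbtgt check is the one that answers the slide's "password change has no effect" point: changing the impersonated user's password does nothing, but rotating krbtgt (twice, with replication in between) does invalidate every outstanding golden ticket, which is why it belongs in an incident-response runbook and not only in a yearly hygiene task.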

49 of 51

References

  • Adversarial Tactics, Techniques & Common Knowledge: https://attack.mitre.org/wiki/Main_Page

  • Attack Methods for Gaining Domain Admin Rights in Active Directory: https://adsecurity.org/?p=2362

  • The Most Common Active Directory Security Issues and What You Can Do to Fix Them: https://adsecurity.org/?p=1684

50 of 51

References

51 of 51

Thank You for Listening! Please don’t ask questions that can hurt us ☺