I completed the Active Directory section on “Practical Ethical Hacking” by Heath Adams (aka The Cyber Mentor) and my brain was overwhelmed. He presented many great techniques and tools, but it wasn’t clear to me how a real attack to Active Directory (AD) looked like. This is the reason why I’m writing this blog post. This is my attempt to bring a bit of (chronological) order in an AD penetration test.
- Malware injection
- Post-compromise enumeration
- Credential theft
- Privilege escalation
- Data access & Exfiltration
- Persistence (Retaining access)
In this post, I will elaborate on points 2-4 based on my notes from the course. Here I will assume that we have access to a machine in the target domain already. In real life, a malicious actor could get control over such a machine with e.g., spear-phishing, which is a personalized campaign that targets single individuals within a company.
The first step after getting inside the target network is to perform reconnaissance in order to discover useful resources to e.g., escalate permissions. What was surprising for me is that this can be done by a domain user, that is, a regular user with no admin rights.
One of the most famous tools to enumerate a domain is called PowerView (now PowerSploit). With this tool we can gather information about the domain we are attacking. For example, we can get to know the IP address of the domain controller(s) or enumerate the domain password policy. The latter is interesting because it lists the enforced minimum password length for the domain (among other things). Such information is useful for tuning a password spraying attack.
The highlight of post-compromise recon was the enumeration of the attributes for each computer on the domain, as this list also includes the Service Principal Names (SPNs), such as SQL servers or Exchange servers. Apparently, administrators often save passwords in the field “description” and make these services domain administrators as well. In such instances, we will not only have access to sensitive data but also control over the domain controller. Sweet!
Once we are finished with the recon of the domain, we can proceed to steal the credentials of the domain user on the infected machine. This will be useful for lateral movement. Firstly, we get hold of the hash using LLMNR poisoning and crack it offline. The stolen credentials can be used for a pass-the-password attack. If we cannot decrypt the hash, we can use it for a pass-the-hash attack, or an SMB relay attack.
Until now we have worked with a domain user. In this section, we will learn how to do privilege escalation on AD by tackling the following three techniques: getting passwords from SYSVOL, exploiting the MS14-068 vulnerability, and Kerberoasting.
The first option does not require any hacking tool, as any authenticated user has read access to the SYSVOL share. In this share, XML files – such as Groups.xml – are generated anytime a new Group Policy Preference (GPP) is created. Such a file contains the relevant configuration for the new GPP and (if there is a password) a password in the field “cPassword” that is encrypted with AES-256. This is a solid encryption algorithm that cannot be cracked easily. However, the AES encryption key was leaked and now anyone can decrypt the passwords. This vulnerability has been patched with a Knowledge Base (KB) which prevents new credentials from being placed in GPP. However, administrators still have to remove all existing GPP xml files in SYSVOL that contain passwords. If they forget to do so, we can easily decrypt the password with gpp-decrypt on Kali. If we are lucky, we may find some administrator passwords in that share.
The second option to do privilege escalation on unpatched machines is MS14-068. This exploit enables an attacker to re-write a valid Kerberos TGT authentication ticket to make them a domain admin. The exploit process is shown on the screenshot below which was taken from adsecurity.org:
The third and last option to do privilege escalation presented in this blog post is called Kerberoasting. The goal of this attack is to crack a server account hash by misusing Kerberos, a network authentication protocol. This is possible because any domain user can get a service ticket without sending traffic to the target. In this exploit, the user first requests a TGT (ticket-granting ticket) to the domain controller by providing his/her NTLM hash. The domain controller sends back the TGT encrypted with the krbtgt hash. The user then sends a request for a TGS (ticket-granting service ticket) by presenting the new TGT. The domain controller sends back the TGS encrypted with the server account hash. Now we get hold of this hash and try to crack it with GetUserSPN.py. This attack is usually successful as service user accounts often have weak passwords.
Impersonate the administrator when only having local admin rights on an end-point machine
This section will briefly introduce a technique called token impersonation which only works if the user has local admin rights. In this attack, our goal is to find an administrator token – that is, a temporary key that allows a user to access to a machine or network without having to provide credentials each time – on an end-point machine and use it to impersonate the administrator. By using Incognito on Metasploit, we can list the delegate tokens – that is, tokens that are created anytime a user logs on a machine (either locally or via RDP) – on the victim machine. If there are no such tokens on the present machine, we can move laterally via e.g., SMB relay attacks, until we found one with such tokens. By impersonating the administrator, we can steal its credentials and then get access to the domain controller.
I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!