Active Directory Attacks
This unit will present several techniques (and associated Core Impact modules) commonly used in the context of Active Directory attacks, where domain accounts are harvested and leveraged to move through the network and try to retrieve more information, and accounts with additional privileges.
The demo environment contains a simplified Active Directory deployment, with a minimum number of hosts. The configuration of the environment is also simplified to illustrate several Core Impact modules. For example, password length/complexity of accounts is simple to allow for cracking in a limited time. Real-world environments would require performing these steps across multiple hosts, and cracking of passwords may require significant more time (or even be not feasible using a workstation).
Features
- Impersonate domain user
- Perfom domain information gathering
- Kerberoast attacks
- AS-REPRoasting attacks
- Ntds.dit Password Extraction
- Kerberos Golden Tickets
Highlighted Modules
- Network Information Gathering RPT
- Install Agent using SMB
- Install Agent using WMI
- Agent Process Injector
- Mimikatz
- PowerShell Shell
- Windows Domain IG Wizard
- Enumerate User Accounts with SPNs
- Enumerate User Accounts without Kerberos preauthentication
- Windows Secrets Dump (L)
- Create Kerberos Goldent Ticket
References
- Kerberoasting
- AS-REPRoasting
- stealthbits' Attack Catalog - Ntds.dit Password Extraction
- Kerberos Golden Tickets.
Hosts
- Active Directory Domain Controller
- Hostname:
WIN2019DC
- Hostname:
- Active Directory client
- Hostname:
WIN10VPN
- Hostname:
Initial OS Agent Deployment
In order to exercise this scenario, we'll deploy an Impact OS Agent through known credentials into the client host.
- Launch Network IG RPT to obtain information about the Active Directory client host.
- Click Next.
- Click Next.
- Click Next.
- Replace the network range with the address of the AD client host and click Next.
- Click Next.
- Click Finish.
- Wait for Network IG RPT to complete gathering information from the AD client host.
- In the Modules view, go to the Agents category, select the module
Install agent using SMB
and drag & drop it into the AD client host.
- Complete the following module parameters:
- USER:
impact
- PASSWORD:
EzPassword1234
- Click OK to launch the module.
- This should deploy an OS Agent on the host (with SYSTEM privileges).
- Right-click on the new OS Agent and select
Get Username
.
- Right-click on the deployed OS agent and launch
Mimikatz
to harvest credentials from the host.
- Mimikatz has captured credentials from a domain user logged in the host,
ruth.lane
. - This credential is stored as an identity entity in the workspace to be used as a parameter to additional modules. Go see Identities - Windows NTLM in the entity view.
Move to Logged on Domain User Process
- Right-click on the agent again and launch
Get Process List
.
- Look for the pid of the
explorer.exe
process, which would be running in the context of the logged on user. - Module log supports finding text through the
Ctrl-F
hot-key (select the pane first by clicking in any row in the log).
- With the OS Agent in the AD client host selected, go back to the Modules view, and from the Agents category double-click on the module
Agent Process Injector
.
Agent Process Injector
is a local module, that is, a module that runs on the currently selected OS Agent in the entities view, or the current source agent if no OS Agent is currently selected. Because we want to run the module on the AD client host, we must either select the associated agent or previously have configured it as the source agent in the workspace (right-clicking on the OS agent and selecting Set as source).
- Enter the PID of the
explorer.exe
process and click OK.
- A new (non-privileged) OS Agent will be deployed, running in the context of the logged on user.
- Right-click on the new OS Agent and select
Get Username
.
- We can capture a screenshot from the logged session, by right-clicking on the OS Agent again and selecting
Get screenshot
.
Information Gathering on Domain
- Let's now obtain the name of the domain to which the host is connected.
The domain name was also shown as part of the Mimikatz dump, but the goal is to show off some OS Agent capabilities like the PowerShell Shell
.
- Right-click on the agent and launch a
PowerShell Shell
. - Execute the command:
(Get-WmiObject Win32_ComputerSystem).Domain
The PowerShell Shell
loads .NET & PowerShell libraries in the context of the OS Agent process, which means that no PowerShell process (powershell.exe
) is spawned (which can be detected by some HIPS).
- Let's inspect the domain.
- Set the OS agent of the logged on user as source by right-clicking on the agent and selecting
Set as source
. - In the Modules view, go to the Information Gathering category and launch the module
Windows Domain IG Wizard
.
You can also search for the module using the Modules view's search bar. The walkthrough shows module discovery through the categories, so that the user can locate additional features/actions to perform in the future.
- Click Next.
- Enter the domain name (
acme.corp
) and click Next.
- Click Next.
- Use Integrated Windows Authentication will leverage the credentials of the logged on user (associated to the process where the OS Agent is running).
- Click Finish.
- The module will spawn several submodules to perform the tasks listed above. See results in the output/log of each submodule.
Kerberoast Attacks
- With the previously harvested domain identity (for
ruth.lane
), we can also try to find domain services that are using user accounts, which may be prone to a Kerberoast attack, where a potentially weak user accout's password could be cracked. - Launch the
Windows Domain IG Wizard
again.
- Click Next.
- Enter the domain name (
acme.corp
) and click Next.
- Select Use Validated Identities and click Next.
- Select the ellipsis button (…) in order to select the previously obtained identity.
- Go to the Identities - Windows NTLM group, select the identity for the domain user
ruth.lane
, and click OK. - Click Next.
- Uncheck all options and leave that of Enumerate User Accounts with SPNs and click Next.
- Click the ellipsis button (…) to provide the name of the file to output any retrieved ticket.
- Enter the name of file name to extract ticket info (for example,
ticket.tgt
) and click Save.
- Check the option to try to crack any retrieved ticket, and click Finish.
- The module
Enumerate User Accounts with SPNs
will find a user account with a SPN.
- Then, the module
Password cracking using John The Ripper
' will be launched to try to crack the password.
Depending on the password length and complexity this may take a long time, so this step is optional and can be launched manually at a later stage, referencing the retrieved ticket (.tgt
) file.
- The cracked user/pwd is stored as a new identity in the Identities - Others group.
The credential obtained through the Kerberoast attack is going to be leveraged later, in the Compromising Active Directory Domain Controller section.
AS-REPRoasting Attacks
- Similarly, you can also use the
Windows Domain IG Wizard
to enumerate users configured without Kerberos pre-authentication, to try and perform an AS-REPRoasting attack. - Launch the
Windows Domain IG Wizard
again.
- Click Next.
- Enter the domain name (
acme.corp
) and click Next.
- Select Use Validated Identities and click Next.
- Select the ellipsis button (…) in order to select the previously obtained identity.
- Go to the Identities - Windows NTLM group, select the identity for the domain user
ruth.lane
, and click OK. - Click Next.
- Uncheck all options and leave that of Enumerate User Accounts without Kerberos preauthentication and click Next.
Notice that enumeration of user accounts with SPNs and user accounts without Kerberos preauthentication could have been launched at the same time, though we've launched individually to show the associated attack separately.
- Click the ellipsis button (…) to provide the name of the file to output any retrieved ticket.
- Enter the name of file name to extract ticket info (for example,
preauth_ticket.tgt
) and click Save.
- Check the option to try to crack any retrieved ticket, and click Finish.
- The module
Enumerate User Accounts without Kerberos preauthentication
will find a user account without Kerberos preauthentication.
- Then, the module
Password cracking using John The Ripper
' will be launched to try to crack the password.
Depending on the password length and complexity this may take a long time, so this step is optional and can be launched manually at a later stage, referencing the retrieved ticket (.tgt
) file.
Compromising Active Directory Domain Controller
The service user account that we previously cracked through the Kerberoast attack, may be configured with additional privileges required by the associated application. In this reduced example environment, the account is configured with local admin privileges in the Active Directory server host. We can thus try to leverage the cracked user and password to deploy an OS Agent in that host.
- In the Network view, open the
localhost
entity, right-click onlocalagent
and set it as source, in order for the next steps to be executed from the local machine where Core Impact is running. - Repeat the steps to execute
Network Information Gathering
RPT (in section Initial OS Agent deployment), but now on the AD server host. - In the Modules view, look for the module:
Install Agent using WMI
on the Agents category, and drag & drop it on the discoveredADDC
host entity. - Select the IDENTITY parameter and then click on the ellipsis button (...) to select the identity of the
mssql_svc
, and click OK.
- Click OK to launch the module.
- In the Modules view, look for the module
Windows Secrets Dump (L)
and drag-and drop it on the newly deployed OS Agent on theADDC
host.
This module will retrieve and commit identities for all domain users, so make sure to consider whether to use the COMMIT IDENTITIES
parameter in a large Active Directory environment.
Kerberos Golden Tickets
Among the retrieved identities found in the ADDC
host, it's krbtgt
, which is the
Active Directory Key Distribution Service Account, and which can be used to forge valid Kerberos Ticket Granting Tickets (TGTs).
-
In order to create a Kerberos Golden Ticket we need the domain's SID, which is a required parameter for the module. We can obtain value through a
PowerShell Shell
on the OS Agent on theADDC
host, by executing:$domain = Get-ADDomain
$domain.DomainSID.value
- We can now right-click on the
krbtgt
identity and use it to create a Kerberos Golden Ticket to impersonate another domain account.
- Complete the following module parameters:
- USERNAME:
paul.compton
- DOMAIN:
acme.corp
(previously obtained in the Information gathering on domain section) - DOMAIN SID (complete with the value obtained above)
- Click OK.
The module will have created a new golden ticket identity entity for the domain user paul.compton
.
For the sake of illustration, let's assume that the user paul.compton
is a Domain Administrator account, this identity can now be used to authenticate and move around through the rest of the domain, by deploying and controlling OS Agents in other hosts in the network.