Skip to main content

Active Directory Attacks

This unit will present several techniques (and associated Core Impact modules) commonly used in the context of Active Directory attacks, where domain accounts are harvested and leveraged to move through the network and try to retrieve more information, and accounts with additional privileges.

note

The demo environment contains a simplified Active Directory deployment, with a minimum number of hosts. The configuration of the environment is also simplified to illustrate several Core Impact modules. For example, password length/complexity of accounts is simple to allow for cracking in a limited time. Real-world environments would require performing these steps across multiple hosts, and cracking of passwords may require significant more time (or even be not feasible using a workstation).

Features

  • Impersonate domain user
  • Perfom domain information gathering
  • Kerberoast attacks
  • AS-REPRoasting attacks
  • Ntds.dit Password Extraction
  • Kerberos Golden Tickets

Highlighted Modules

  • Network Information Gathering RPT
  • Install Agent using SMB
  • Install Agent using WMI
  • Agent Process Injector
  • Mimikatz
  • PowerShell Shell
  • Windows Domain IG Wizard
  • Enumerate User Accounts with SPNs
  • Enumerate User Accounts without Kerberos preauthentication
  • Windows Secrets Dump (L)
  • Create Kerberos Goldent Ticket

References

Hosts

  • Active Directory Domain Controller
    • Hostname: WIN2019DC
  • Active Directory client
    • Hostname: WIN10VPN

Initial OS Agent Deployment

In order to exercise this scenario, we'll deploy an Impact OS Agent through known credentials into the client host.

  1. Launch Network IG RPT to obtain information about the Active Directory client host.

Network IG RPT Welcome

  1. Click Next.

Network IG RPT Discovery Method

  1. Click Next.

Network IG RPT IP Version

  1. Click Next.

Network IG RPT IP Range Selection

  1. Replace the network range with the address of the AD client host and click Next.

Network IG RPT Scan Type

  1. Click Next.

Network IG RPT Additional Settings

  1. Click Finish.
  2. Wait for Network IG RPT to complete gathering information from the AD client host.
  3. In the Modules view, go to the Agents category, select the module Install agent using SMB and drag & drop it into the AD client host.

Install Agent Using SMB Parameters

  1. Complete the following module parameters:
  • USER: impact
  • PASSWORD: EzPassword1234
  1. Click OK to launch the module.
  • This should deploy an OS Agent on the host (with SYSTEM privileges).
  1. Right-click on the new OS Agent and select Get Username.

Get Current Username - SYSTEM

  1. Right-click on the deployed OS agent and launch Mimikatz to harvest credentials from the host.

Mimikatz

  • Mimikatz has captured credentials from a domain user logged in the host, ruth.lane.
  • This credential is stored as an identity entity in the workspace to be used as a parameter to additional modules. Go see Identities - Windows NTLM in the entity view.

Mimikatz Harvested Identities

Move to Logged on Domain User Process

  1. Right-click on the agent again and launch Get Process List.
  • Look for the pid of the explorer.exe process, which would be running in the context of the logged on user.
  • Module log supports finding text through the Ctrl-F hot-key (select the pane first by clicking in any row in the log).

Get Process List

  1. With the OS Agent in the AD client host selected, go back to the Modules view, and from the Agents category double-click on the module Agent Process Injector.
  • Agent Process Injector is a local module, that is, a module that runs on the currently selected OS Agent in the entities view, or the current source agent if no OS Agent is currently selected. Because we want to run the module on the AD client host, we must either select the associated agent or previously have configured it as the source agent in the workspace (right-clicking on the OS agent and selecting Set as source).

Agent Process Injector

  1. Enter the PID of the explorer.exe process and click OK.
  • A new (non-privileged) OS Agent will be deployed, running in the context of the logged on user.
  1. Right-click on the new OS Agent and select Get Username.

Get Current User Name - Logged on user

  1. We can capture a screenshot from the logged session, by right-clicking on the OS Agent again and selecting Get screenshot.

Get Screenshot

Information Gathering on Domain

  1. Let's now obtain the name of the domain to which the host is connected.
note

The domain name was also shown as part of the Mimikatz dump, but the goal is to show off some OS Agent capabilities like the PowerShell Shell.

  1. Right-click on the agent and launch a PowerShell Shell.
  2. Execute the command: (Get-WmiObject Win32_ComputerSystem).Domain
note

The PowerShell Shell loads .NET & PowerShell libraries in the context of the OS Agent process, which means that no PowerShell process (powershell.exe) is spawned (which can be detected by some HIPS).

PowerShell Shell - Get Domain

  1. Let's inspect the domain.
  2. Set the OS agent of the logged on user as source by right-clicking on the agent and selecting Set as source.
  3. In the Modules view, go to the Information Gathering category and launch the module Windows Domain IG Wizard.
note

You can also search for the module using the Modules view's search bar. The walkthrough shows module discovery through the categories, so that the user can locate additional features/actions to perform in the future.

Windows Domain IG Welcome

  1. Click Next.

Windows Domain IG Domain Name

  1. Enter the domain name (acme.corp) and click Next.

Windows Domain IG Authentication Type

  1. Click Next.
  • Use Integrated Windows Authentication will leverage the credentials of the logged on user (associated to the process where the OS Agent is running).

Windows Domain IG Modules Selection

  1. Click Finish.
  • The module will spawn several submodules to perform the tasks listed above. See results in the output/log of each submodule.

Windows Domain IG Results

Kerberoast Attacks

  1. With the previously harvested domain identity (for ruth.lane), we can also try to find domain services that are using user accounts, which may be prone to a Kerberoast attack, where a potentially weak user accout's password could be cracked.
  2. Launch the Windows Domain IG Wizard again.

Windows Domain IG Welcome

  1. Click Next.

Windows Domain IG Domain Name

  1. Enter the domain name (acme.corp) and click Next.

Windows Domain IG Authentication Type

  1. Select Use Validated Identities and click Next.

Windows Domain IG Identity Selection

  1. Select the ellipsis button () in order to select the previously obtained identity.

Windows Domain IG Select Validated Identity

  1. Go to the Identities - Windows NTLM group, select the identity for the domain user ruth.lane, and click OK.
  2. Click Next.

Windows Domain IG - Enumerate User Accounts with SPNs - Modules Selection

  1. Uncheck all options and leave that of Enumerate User Accounts with SPNs and click Next.

Windows Domain IG - Enumerate User Accounts with SPNs - Modules Parameters

  1. Click the ellipsis button () to provide the name of the file to output any retrieved ticket.

Windows Domain IG - Enumerate User Accounts with SPNs - TGT File Selection

  1. Enter the name of file name to extract ticket info (for example, ticket.tgt) and click Save.

Windows Domain IG - Enumerate User Accounts with SPNs - Modules Parameters

  1. Check the option to try to crack any retrieved ticket, and click Finish.
  2. The module Enumerate User Accounts with SPNs will find a user account with a SPN.

Windows Domain IG - Enumerate User Accounts with SPNs

  1. Then, the module Password cracking using John The Ripper' will be launched to try to crack the password.
caution

Depending on the password length and complexity this may take a long time, so this step is optional and can be launched manually at a later stage, referencing the retrieved ticket (.tgt) file.

Windows Domain IG - Enumerate User Accounts with SPNs - Password cracking

  1. The cracked user/pwd is stored as a new identity in the Identities - Others group.

Windows Domain IG - Enumerate User Accounts with SPNs - Cracked Password identity

note

The credential obtained through the Kerberoast attack is going to be leveraged later, in the Compromising Active Directory Domain Controller section.

AS-REPRoasting Attacks

  1. Similarly, you can also use the Windows Domain IG Wizard to enumerate users configured without Kerberos pre-authentication, to try and perform an AS-REPRoasting attack.
  2. Launch the Windows Domain IG Wizard again.

Windows Domain IG Welcome

  1. Click Next.

Windows Domain IG Domain Name

  1. Enter the domain name (acme.corp) and click Next.

Windows Domain IG Authentication Type

  1. Select Use Validated Identities and click Next.

Windows Domain IG Identity Selection

  1. Select the ellipsis button () in order to select the previously obtained identity.

Windows Domain IG Select Validated Identity

  1. Go to the Identities - Windows NTLM group, select the identity for the domain user ruth.lane, and click OK.
  2. Click Next.

Windows Domain IG - Enumerate User Accounts without Kerberos preauthentication - Modules Selection

  1. Uncheck all options and leave that of Enumerate User Accounts without Kerberos preauthentication and click Next.
note

Notice that enumeration of user accounts with SPNs and user accounts without Kerberos preauthentication could have been launched at the same time, though we've launched individually to show the associated attack separately.

Windows Domain IG - Enumerate User Accounts without Kerberos preauthentication - Modules Parameters

  1. Click the ellipsis button () to provide the name of the file to output any retrieved ticket.

Windows Domain IG - Enumerate User Accounts without Kerberos preauthentication - TGT File Selection

  1. Enter the name of file name to extract ticket info (for example, preauth_ticket.tgt) and click Save.

Windows Domain IG - Enumerate User Accounts without Kerberos preauthentication - Modules Parameters

  1. Check the option to try to crack any retrieved ticket, and click Finish.
  2. The module Enumerate User Accounts without Kerberos preauthentication will find a user account without Kerberos preauthentication.

Windows Domain IG - Enumerate User Accounts without Kerberos preauthentication

  1. Then, the module Password cracking using John The Ripper' will be launched to try to crack the password.
note

Depending on the password length and complexity this may take a long time, so this step is optional and can be launched manually at a later stage, referencing the retrieved ticket (.tgt) file.

Windows Domain IG - Enumerate User Accounts without Kerberos preauthentication - Password cracking

Compromising Active Directory Domain Controller

The service user account that we previously cracked through the Kerberoast attack, may be configured with additional privileges required by the associated application. In this reduced example environment, the account is configured with local admin privileges in the Active Directory server host. We can thus try to leverage the cracked user and password to deploy an OS Agent in that host.

  1. In the Network view, open the localhost entity, right-click on localagent and set it as source, in order for the next steps to be executed from the local machine where Core Impact is running.
  2. Repeat the steps to execute Network Information Gathering RPT (in section Initial OS Agent deployment), but now on the AD server host.
  3. In the Modules view, look for the module: Install Agent using WMI on the Agents category, and drag & drop it on the discovered ADDC host entity.
  4. Select the IDENTITY parameter and then click on the ellipsis button (...) to select the identity of the mssql_svc, and click OK.

Install Agent using WMI - Identity parameter selection

  1. Click OK to launch the module.

Install Agent using WMI Install Agent using WMI - Deployed OS Agent

  1. In the Modules view, look for the module Windows Secrets Dump (L) and drag-and drop it on the newly deployed OS Agent on the ADDC host.
note

This module will retrieve and commit identities for all domain users, so make sure to consider whether to use the COMMIT IDENTITIES parameter in a large Active Directory environment.

Windows Secrets Dump (L) Windows Secrets Dump (L) - Harvested Identities

Kerberos Golden Tickets

Among the retrieved identities found in the ADDC host, it's krbtgt, which is the Active Directory Key Distribution Service Account, and which can be used to forge valid Kerberos Ticket Granting Tickets (TGTs).

  1. In order to create a Kerberos Golden Ticket we need the domain's SID, which is a required parameter for the module. We can obtain value through a PowerShell Shell on the OS Agent on the ADDC host, by executing:

    $domain = Get-ADDomain
    $domain.DomainSID.value

PowerShell Shell - Get Domain SID

  1. We can now right-click on the krbtgt identity and use it to create a Kerberos Golden Ticket to impersonate another domain account.

Create Kerberos Golden Ticket

  1. Complete the following module parameters:
  • USERNAME: paul.compton
  • DOMAIN: acme.corp (previously obtained in the Information gathering on domain section)
  • DOMAIN SID (complete with the value obtained above)

Create Kerberos Golden Ticket - Module Parameters

  1. Click OK.

The module will have created a new golden ticket identity entity for the domain user paul.compton.

Create Kerberos Golden Ticket - New Identity

For the sake of illustration, let's assume that the user paul.compton is a Domain Administrator account, this identity can now be used to authenticate and move around through the rest of the domain, by deploying and controlling OS Agents in other hosts in the network.