Active Directory Attacks

Introduction

This unit presents several techniques (and the associated Core Impact modules) commonly used in Active Directory attacks, where domain accounts are harvested and leveraged to move through the network, retrieve more information, and obtain accounts with additional privileges.

note

The demo environment contains a simplified Active Directory deployment with a minimum number of hosts. The configuration of the environment is also simplified to illustrate several Core Impact modules. For example, account passwords are short and simple so that they can be cracked in a limited time. Real-world environments would require performing these steps across multiple hosts, and cracking passwords may require significantly more time (or may not even be feasible on a workstation).

Features

  • Impersonate domain user
  • Perform domain information gathering
  • Kerberoast attacks
  • AS-REPRoasting attacks
  • Ntds.dit Password Extraction
  • Kerberos Golden Tickets

Highlighted Modules

  • Network Information Gathering RPT
  • Install Agent using SMB
  • Install Agent using WMI
  • Agent Process Injector
  • Mimikatz
  • PowerShell Shell
  • Windows Domain IG Wizard
  • Enumerate User Accounts with SPNs
  • Enumerate User Accounts without Kerberos preauthentication
  • Windows Secrets Dump (L)
  • Create Kerberos Golden Ticket

Walkthrough

Introduction

This scenario assumes a breach of the Active Directory client, that is, we have somehow obtained a foothold in the domain's network (for example, through a remote exploit against the client host, a client-side attack targeting the user of the client host, credentials obtained from a previously compromised host, a dictionary attack on weak credentials through identity verifiers, etc.).

Hosts

  • Active Directory Domain Controller
    • Hostname: WIN2019DC
    • IP Address: 10.27.34.88
  • Active Directory client
    • Hostname: WIN10VPN
    • IP Address: 10.27.34.80

Initial OS Agent Deployment

In order to exercise this scenario, we'll deploy an Impact OS Agent on the client host using known credentials.

  1. Launch Network IG RPT to obtain information about the Active Directory client host.

Network IG RPT Welcome

  1. Click Next.

Network IG RPT Discovery Method

  1. Click Next.

Network IG RPT IP Version

  1. Click Next.

Network IG RPT IP Range Selection

  1. Replace the network range with the address of the AD client host: 10.27.34.80 and click Next.

Network IG RPT Scan Type

  1. Click Next.

Network IG RPT Additional Settings

  1. Click Finish.
  2. Wait for Network IG RPT to complete gathering information from the AD client host.
  3. In the Modules view, go to the 10-Post Exploitation > Agents folder, select the module Install agent using SMB and drag & drop it onto the AD client host.

Install Agent Using SMB Parameters

  1. Complete the following module parameters:
    • USER: impact
    • PASSWORD: EzPassword1234
  2. Click OK to launch the module.
    • This should deploy an OS Agent on the host (with SYSTEM privileges).
  3. Right-click on the new OS Agent and select Get Username.

Get Current Username - SYSTEM

  1. Right-click on the deployed OS agent and launch Mimikatz to harvest credentials from the host.

Mimikatz

  • Mimikatz has captured credentials of a domain user logged on to the host, ruth.lane.
  • This credential is stored as an identity entity in the workspace, to be used as a parameter to additional modules. See Identities - Windows NTLM in the entities view.

Mimikatz Harvested Identities

Move to Logged on Domain User Process

  1. Right-click on the agent again and launch Get Process List.
    • Look for the PID of the explorer.exe process, which runs in the context of the logged-on user.
    • The module log supports text search with the Ctrl-F hotkey (select the pane first by clicking on any row in the log).

Get Process List

  1. With the OS Agent in the AD client host selected, go back to the Modules view, and from the 10-Post Exploitation > Agents folder double-click on the module Agent Process Injector.
  • Agent Process Injector is a local module, that is, a module that runs on the currently selected OS Agent in the entities view, or the current source agent if no OS Agent is currently selected. Because we want to run the module on the AD client host, we must either select the associated agent or previously have configured it as the source agent in the workspace (right-clicking on the OS agent and selecting Set as source).

Agent Process Injector

  1. Enter the PID of the explorer.exe process and click OK.
    • A new (non-privileged) OS Agent will be deployed, running in the context of the logged-on user.
  2. Right-click on the new OS Agent and select Get Username.

Get Current User Name - Logged on user

  1. We can capture a screenshot of the logged-on session by right-clicking on the OS Agent again and selecting Get screenshot.

Get Screenshot

Information Gathering on Domain

  1. Let's now obtain the name of the domain to which the host is connected.
note

The domain name was also shown as part of the Mimikatz dump, but the goal is to show off some OS Agent capabilities like the PowerShell Shell.

  1. Right-click on the agent and launch a PowerShell Shell.
  2. Execute the command: (Get-WmiObject Win32_ComputerSystem).Domain
note

The PowerShell Shell loads .NET & PowerShell libraries in the context of the OS Agent process, which means that no PowerShell process (powershell.exe) is spawned (which can be detected by some HIPS).

PowerShell Shell - Get Domain

  1. Let's inspect the domain.
  2. Set the OS agent of the logged on user as source by right-clicking on the agent and selecting Set as source.
  3. In the Modules view, go to the Information Gathering category and launch the module Windows Domain IG Wizard.
note

You can also search for the module using the Modules view's search bar. The walkthrough shows module discovery through the categories, so that the user can locate additional features/actions to perform in the future.

Windows Domain IG Welcome

  1. Click Next.

Windows Domain IG Domain Name

  1. Enter the domain name (acme.corp) and click Next.

Windows Domain IG Authentication Type

  1. Click Next.
    • Use Integrated Windows Authentication will leverage the credentials of the logged-on user (associated with the process where the OS Agent is running).

Windows Domain IG Modules Selection

  1. Click Finish.
  • The module will spawn several submodules to perform the tasks listed above. See results in the output/log of each submodule.

Windows Domain IG Results

Kerberoast Attacks

  1. With the previously harvested domain identity (for ruth.lane), we can also try to find domain services that run under user accounts. These may be prone to a Kerberoast attack, where a potentially weak user account's password can be cracked offline from a service ticket.
  2. Launch the Windows Domain IG Wizard again.

Windows Domain IG Welcome

  1. Click Next.

Windows Domain IG Domain Name

  1. Enter the domain name (acme.corp) and click Next.

Windows Domain IG Authentication Type

  1. Select Use Validated Identities and click Next.

Windows Domain IG Identity Selection

  1. Click the ellipsis button (...) in order to select the previously obtained identity.

Windows Domain IG Select Validated Identity

  1. Go to the Identities - Windows NTLM group, select the identity for the domain user ruth.lane, and click OK.
  2. Click Next.

Windows Domain IG - Enumerate User Accounts with SPNs - Modules Selection

  1. Uncheck all options except Enumerate User Accounts with SPNs and click Next.

Windows Domain IG - Enumerate User Accounts with SPNs - Modules Parameters

  1. Click the ellipsis button (...) to provide the name of the file to which any retrieved ticket will be written.

Windows Domain IG - Enumerate User Accounts with SPNs - TGT File Selection

  1. Enter the file name to which the ticket info will be extracted (for example, ticket.tgt) and click Save.

Windows Domain IG - Enumerate User Accounts with SPNs - Modules Parameters

  1. Check the option to try to crack any retrieved ticket, and click Finish.
  2. The module Enumerate User Accounts with SPNs will find a user account with an SPN.

Windows Domain IG - Enumerate User Accounts with SPNs

  1. Then, the module Password cracking using John The Ripper will be launched to try to crack the password.
caution

Depending on the password length and complexity this may take a long time, so this step is optional and can be launched manually at a later stage, referencing the retrieved ticket (.tgt) file.

Windows Domain IG - Enumerate User Accounts with SPNs - Password cracking

  1. The cracked user/password is stored as a new identity in the Identities - Others group.

Windows Domain IG - Enumerate User Accounts with SPNs - Cracked Password identity

note

The credential obtained through the Kerberoast attack is going to be leveraged later, in the Compromising Active Directory Domain Controller section.

AS-REPRoasting Attacks

  1. Similarly, you can also use the Windows Domain IG Wizard to enumerate users configured without Kerberos pre-authentication, in order to try an AS-REPRoasting attack.
  2. Launch the Windows Domain IG Wizard again.

Windows Domain IG Welcome

  1. Click Next.

Windows Domain IG Domain Name

  1. Enter the domain name (acme.corp) and click Next.

Windows Domain IG Authentication Type

  1. Select Use Validated Identities and click Next.

Windows Domain IG Identity Selection

  1. Click the ellipsis button (...) in order to select the previously obtained identity.

Windows Domain IG Select Validated Identity

  1. Go to the Identities - Windows NTLM group, select the identity for the domain user ruth.lane, and click OK.
  2. Click Next.

Windows Domain IG - Enumerate User Accounts without Kerberos preauthentication - Modules Selection

  1. Uncheck all options except Enumerate User Accounts without Kerberos preauthentication and click Next.
note

Notice that the enumeration of user accounts with SPNs and of user accounts without Kerberos preauthentication could have been launched at the same time; we've launched them individually to show each associated attack separately.

Windows Domain IG - Enumerate User Accounts without Kerberos preauthentication - Modules Parameters

  1. Click the ellipsis button (...) to provide the name of the file to which any retrieved ticket will be written.

Windows Domain IG - Enumerate User Accounts without Kerberos preauthentication - TGT File Selection

  1. Enter the file name to which the ticket info will be extracted (for example, preauth_ticket.tgt) and click Save.

Windows Domain IG - Enumerate User Accounts without Kerberos preauthentication - Modules Parameters

  1. Check the option to try to crack any retrieved ticket, and click Finish.
  2. The module Enumerate User Accounts without Kerberos preauthentication will find a user account without Kerberos preauthentication.

Windows Domain IG - Enumerate User Accounts without Kerberos preauthentication

  1. Then, the module Password cracking using John The Ripper will be launched to try to crack the password.
note

Depending on the password length and complexity this may take a long time, so this step is optional and can be launched manually at a later stage, referencing the retrieved ticket (.tgt) file.

Windows Domain IG - Enumerate User Accounts without Kerberos preauthentication - Password cracking
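The two wizard runs above (Enumerate User Accounts with SPNs and Enumerate User Accounts without Kerberos preauthentication) look for the same conditions a defender should be auditing. The following script is an added example and is not part of the Core Impact walkthrough or product: it inventories the accounts exposed to Kerberoast and AS-REP roasting, and scans a domain controller's Security log for the ticket requests those attacks produce. It assumes the ActiveDirectory RSAT module is installed, that the caller can read the domain and the DC's Security log, and that the 365-day password-age and 5-request burst thresholds are tuned to local policy (both are assumed values).

```powershell
Import-Module ActiveDirectory   # RSAT module; assumed to be installed

function New-ExposureRow($User, $Exposure, $MaxAge) {
    # Turns one AD user object into a report row with the facts that decide how bad
    # the exposure is: password age, whether RC4 is still accepted, privileged membership.
    $age = if ($User.PasswordLastSet) { (New-TimeSpan -Start $User.PasswordLastSet -End (Get-Date)).Days } else { -1 }
    # msDS-SupportedEncryptionTypes unset (null/0) means the account falls back to RC4;
    # bit 0x4 is RC4_HMAC_MD5. RC4-encrypted tickets are the ones that crack cheaply offline.
    $enc = [int]$User.'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        Account     = $User.SamAccountName
        Exposure    = $Exposure
        PasswordAge = $age
        OldPassword = ($age -lt 0 -or $age -gt $MaxAge)
        AllowsRC4   = ($enc -eq 0 -or ($enc -band 0x4) -ne 0)
        # Direct membership only; nested membership needs a recursive group query.
        Privileged  = [bool]($User.MemberOf -match '^CN=(Domain Admins|Enterprise Admins|Administrators),')
        SPNs        = ($User.ServicePrincipalName -join '; ')
    }
}

function Get-RoastableAccounts {
    # Enabled user accounts that any authenticated domain user can "roast":
    #  - Kerberoast: the account has an SPN, so anyone can request a service ticket for it
    #  - AS-REP roast: Kerberos pre-authentication is disabled on the account
    param(
        [string]$Server = (Get-ADDomain).PDCEmulator,   # any DC works; PDC has the freshest PasswordLastSet
        [int]$MaxPasswordAgeDays = 365                   # assumed threshold, tune to policy
    )
    $props = 'ServicePrincipalName', 'PasswordLastSet', 'MemberOf', 'msDS-SupportedEncryptionTypes'
    $spn = Get-ADUser -Server $Server -Properties $props `
        -Filter { ServicePrincipalName -like "*" -and Enabled -eq $true }
    $noPreauth = Get-ADUser -Server $Server -Properties $props `
        -Filter { DoesNotRequirePreAuth -eq $true -and Enabled -eq $true }

    foreach ($u in $spn)       { New-ExposureRow $u 'Kerberoast'   $MaxPasswordAgeDays }
    foreach ($u in $noPreauth) { New-ExposureRow $u 'AS-REP roast' $MaxPasswordAgeDays }
}

function Find-RoastingRequests {
    # Security-log view of the same attacks, run on (or against) a domain controller.
    #  4769 with RC4 (0x17) for a user-account service     -> Kerberoast request
    #  4768 with PreAuthType 0 and RC4 for a user account  -> AS-REP roast request
    # Computer accounts (names ending in $) and krbtgt itself are skipped.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 5000)
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 }
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.TicketEncryptionType -ne '0x17') { continue }
        if ($e.Id -eq 4769 -and $data.ServiceName -notlike '*$' -and $data.ServiceName -ne 'krbtgt') {
            [pscustomobject]@{ Time = $e.TimeCreated; Type = 'Kerberoast'; Requester = $data.TargetUserName
                               Target = $data.ServiceName; Source = $data.IpAddress }
        }
        elseif ($e.Id -eq 4768 -and $data.PreAuthType -eq '0' -and $data.TargetUserName -notlike '*$') {
            [pscustomobject]@{ Time = $e.TimeCreated; Type = 'AS-REP roast'; Requester = '(unauthenticated)'
                               Target = $data.TargetUserName; Source = $data.IpAddress }
        }
    }
}

# Inventory, riskiest rows first: privileged accounts with old passwords that still allow RC4.
Get-RoastableAccounts | Sort-Object Privileged, OldPassword, AllowsRC4 -Descending | Format-Table -AutoSize

# A single RC4 ticket request can be legitimate (a service that only supports RC4); the attack
# signature is a burst of requests for many different accounts from one source address.
Find-RoastingRequests | Group-Object Source, Type | Where-Object Count -ge 5 |
    Select-Object Count, Name | Format-Table -AutoSize
```

The inventory is the remediation list: move services with SPNs to group Managed Service Accounts or long random passwords, set AES-only encryption types, and re-enable pre-authentication on every account the second query returns. The log scan is the detection side and should be fed from all domain controllers, since ticket requests are served by whichever DC the client reaches.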

Compromising Active Directory Domain Controller

The service user account that we previously cracked through the Kerberoast attack may be configured with additional privileges required by the associated application. In this reduced example environment, the account is configured with local admin privileges on the Active Directory server host. We can thus try to leverage the cracked user and password to deploy an OS Agent on that host.

  1. In the Network view, open the localhost entity, right-click on localagent and set it as source, in order for the next steps to be executed from the local machine where Core Impact is running.
  2. Repeat the steps to execute Network Information Gathering RPT (in section Initial OS Agent deployment), but now on the AD server host, with IP address: 10.27.34.88.
  3. In the Modules view, look for the module: Install Agent using WMI on the 10-Post Exploitation > Agents folder, and drag & drop it on the discovered ADDC host entity.
  4. Select the IDENTITY parameter and then click on the ellipsis button (...) to select the identity of the mssql_svc, and click OK.

Install Agent using WMI - Identity parameter selection

  1. Click OK to launch the module.

Install Agent using WMI - Deployed OS Agent

  1. In the Modules view, look for the module Windows Secrets Dump (L) and drag & drop it onto the newly deployed OS Agent on the ADDC host.
note

This module will retrieve and commit identities for all domain users, so make sure to consider whether to use the COMMIT IDENTITIES parameter in a large Active Directory environment.

Windows Secrets Dump (L) - Harvested Identities

Kerberos Golden Tickets

Among the identities retrieved from the ADDC host is krbtgt, the Active Directory Key Distribution Service account, whose secret can be used to forge valid Kerberos Ticket Granting Tickets (TGTs).

  1. In order to create a Kerberos Golden Ticket we need the domain's SID, which is a required parameter for the module. We can obtain this value through a PowerShell Shell on the OS Agent on the ADDC host, by executing:

    # Requires the ActiveDirectory module (present on a domain controller)
    $domain = Get-ADDomain
    # DomainSID is a SecurityIdentifier; .Value gives it as a string (S-1-5-21-...)
    $domain.DomainSID.value

PowerShell Shell - Get Domain SID

  1. We can now right-click on the krbtgt identity and use it to create a Kerberos Golden Ticket to impersonate another domain account.

Create Kerberos Golden Ticket

  1. Complete the following module parameters:
  • USERNAME: paul.compton
  • DOMAIN: acme.corp (previously obtained in the Information gathering on domain section)
  • DOMAIN SID (complete with the value obtained above)

Create Kerberos Golden Ticket - Module Parameters

  1. Click OK.

The module will have created a new golden ticket identity entity for the domain user paul.compton.

Create Kerberos Golden Ticket - New Identity

For the sake of illustration, let's assume that the user paul.compton is a Domain Administrator account. This identity can now be used to authenticate and move through the rest of the domain, by deploying and controlling OS Agents on other hosts in the network.
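The Golden Ticket above works because the KDC trusts any TGT encrypted with the krbtgt key, and it accepts both the current and the previous key. The following script is an added example, not part of the Core Impact walkthrough or product: it reports the same domain SID the module parameter uses together with the age of the krbtgt secret, which is the number that decides how long a forged ticket would keep working. It assumes the ActiveDirectory RSAT module is installed and that the 180-day rotation threshold is an assumed value to be tuned to local policy.

```powershell
Import-Module ActiveDirectory   # RSAT module; assumed to be installed

function Get-KrbtgtStatus {
    # Reports the krbtgt facts behind Golden Ticket risk. Because the KDC accepts both the
    # current and the previous krbtgt key, a TGT forged from a stolen hash keeps working until
    # the account has been rotated twice. Password age is therefore what matters here.
    param([int]$MaxAgeDays = 180)   # assumed threshold, tune to policy
    $domain = Get-ADDomain
    $pdc    = $domain.PDCEmulator
    # Query the PDC emulator: it holds the authoritative copy of password changes.
    $krbtgt = Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet
    $age    = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
    # Each read-only DC has its own krbtgt_<id> account with a separate key; track those too.
    $rodcKeys = Get-ADUser -Server $pdc -Filter { SamAccountName -like "krbtgt_*" } -Properties PasswordLastSet |
        ForEach-Object { "{0}: {1:yyyy-MM-dd}" -f $_.SamAccountName, $_.PasswordLastSet }
    [pscustomobject]@{
        Domain                = $domain.DNSRoot
        DomainSID             = $domain.DomainSID.Value   # same value the walkthrough reads for DOMAIN SID
        KrbtgtPasswordLastSet = $krbtgt.PasswordLastSet
        KrbtgtPasswordAgeDays = $age
        RotationOverdue       = ($age -gt $MaxAgeDays)
        RodcKrbtgtAccounts    = ($rodcKeys -join '; ')
    }
}

# When RotationOverdue is true (or after a suspected krbtgt compromise), reset the krbtgt
# password twice, waiting for replication plus the maximum TGT lifetime (10 hours by default)
# between the two resets so that legitimately issued tickets are not all invalidated at once.
Get-KrbtgtStatus | Format-List
```

Once the second reset has replicated, every TGT forged with the old hash is rejected and the holder has to start over from a fresh compromise of the domain controller, which is the event the Windows Secrets Dump (L) step above should already be alerting on.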