Attacking Active Directory Authentication:
Before moving to further, we must familiar with Active directory. For this, please check my previous blog .
It will give description about AD and if you want to know about authentication method go with this blog
There are three methods to bypass AD authentication, we will discuss one by one.
Cached Credentials Storage and Retrieval:
As in my previous blog I already discuss Kerberos, which store organizations hashed credentials somewhere to regenerate TGT request or in LSASS (Local Security Authority Subsystem Service).
So if anyhow we can get access of these hashes then we will further try to crack those hashes. Therefore, our initial aim to get access of these hashes. Nevertheless, to get something from LSASS we need at least local admin access.
Here we are going to use “Mimikatz” to extract the hashes from LSASS.
Note: Mimikatz work on previously defined signatures. It can work on PowerShell or can work as Task Manager.
a. Basic Approach:
i. First you have to download the mimkatz to the machine you can find it here
ii. After downloading unzip mimtakz and then open the exe file by double clicking on it, it will open a terminal.
iii. Then enter privilege::debug to check process owned by other account.
iv. Then run sekurlsa::logonpasswords to dump password hashes of all logged in users in current server, it will work for remote login sessions also.
In above screen shot we can clearly see NTLM, SHA1. It means we are using Windows Server 2008 or later because on those servers NTLM and SHA1 both are available only after Windows Server 2008. After dumping, the password’s hashes now we crack them in clear text so we can use the password for the privilege escalation.
Note: It shows all credentials information stored in LSASS but I am focusing on only one.
Manipulating TGT and service tickets:
Kerberos TGT and service tickets for currently logged in users are stored in local machine or in LSASS.
So to retrieve tickets of logged in users we will use sekurlsa::tickets on mimikartz, we will get below output.
Note: TGS will give permission to access only those ticket’s that are associated with it.
After executing this command, we can easily get the “session key” associated with TGT.
b. Service Account Attacks:
In Kerberos, authentication method service ticket which is generated by DC and encrypted by password hash of SPN, which is generally decrypted and validated by application server.
Exploit: So whenever legit user requests a service ticket from DC, no validation are performed at that point to check whether user has any permissions to access this service or not instead they usually grant them the ticket initally.
But in next step before accessing the service they validates whether the user have access to the service or not. Therefore, in initial step we can bypass service ticket validation if we know which SPN we want to target for that SPN we can request a service ticket from DC. As it is our ticket, we can save it to local memory.
How to exploit:
SPN for Internet Information Services exists in domain HTTP/example.com and to request service ticket form it, we can use KerberosRequestorSecurityToken class.
i. To load any code segment we use Add-Type cmdlet with the AssemblyName argument. So, here we are going to use System.IdentityModel namespace which is by default not loaded into a PowerShell. Now we are calling KerberosRequestorSecurityToken constructor by mentioning the SPN with argument list options.
a. Add-Type -AssemblyName System.IdentityModel
b. New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList ‘HTTP/CorpWebServer.corp.com’
After executing this, we got service ticket, generated by DC and saved in local memory of Window 10.
ii. Now we check if any cached Kerberos ticket exists or not? For it, we use klist command. We can also perform this with mimikartz also.
When we run klist command on terminal:
When we run klist command on mimikartz
iii. Now we have to download the service ticket by using mimikartz.
Command: Kerberos::list /export
This will tell us location where we are going to download the ticket.
iv. To decrypt service ticket we use brute forcing technique in Kerberos i.e. known as “Kerberoasting” which helps us to give clear text password services.
So to perform it first we install a wordlist and then install the kerberoast package(https://github.com/nidem/kerberoast). Then run tgsrepcrack.py with supplying a wordlist or we can use any password cracking tool like john the Ripper in the replacement of tgsrepcrack.py
Note: We do not need admin permissions for this step.
We have to perform this step on kali machine and command for this:
python tgsrepcrack.py wordlist.txt 0–40e00000-tony@krbtgt~example.local-example.local.kirbi
the characters after wordlist denotes the files we have exported.
After this step, we got all cracked service ticket and corresponding credentials in clear text.
c. Low and Slow Password Guessing:
In this technique, we focus on user accounts and the information we fetched from AD then apply advanced password guessing technique (brute force or word list based authentication attack) on it.
i. We mainly focus account lockout policy in how many failed attempt account will lock. Therefore, to check it we use net accounts command.
Command: net accounts
First, we will check the Lockout threshold of accounts. As in my case, I did not have any account lockout policies.
Let suppose Account Lockout threshold set to five. So on fifth wrong attempt my account was locked for 30 minutes and Lockout observation window means we are given an additional “free” login attempt every thirty minutes after the last login attempt.
So what the final analysis “We could try fifty-two logins in a twenty-four-hour span against every single one with these settings.
Without causing a lockout, the domain user hopes a login attempt does not fail for the real users.”
So mostly in this type, we compile short list of very commonly used passwords and use it lot of users.
ii. We are testing AD user login by using power shell script.
DirectoryEntry: We can provide 3 arguments (LDAP path, username, password) and then fetch the data of corresponding user.
I use same script as in my previous blog that is used to fetch LDAP path. Only last line I added to check whether credentials are true or false. I save this script on my AD account and execute on terminal.
If credentials are wrong we will get:
If credentials are right respective with username, this script will create the Object. If password is invalid, no object will create and got one exception.
So by creating these type of scripts we can enumerate all users and perform authentications by checking their account lockout policies.
So these all are the ways by which you can actually perform exploitation of credentials on the AD.