Active Directory
Introduction
Well, well well… Here we are. Doing an Active Directory introduction note. Lets start by defining what is Active directory
. Active Directory (AD), is the windows directory. It allows interconnection between computers and/or servers. The computers and servers in a domain (computer cluster) can have any distribution in it (Unix-like or windows).
I will not get into too much detail on how active directory works, what is a domain, forest… I will focus only on the different protocols and attacks on it. If you want to get more information about how an AD works, and want basic knowledge on it, I advise you the great post Attacking Active Directory: 0 to 0.9.
Protocols
Before talking about the attacks on AD, I will just talk about the basic protocols that we have on windows AD. First we will talk about the famous three headed dog… I mean Kerberos
protocol.
Kerberos
The Kerberos
protocol uses tickets. You ask tickets, you get tickets and you give tickets. But why do we need tickets ? Because you would, for example, access a service on the domain. For example, let’s say you would like to access a web server or a server that share files… You will have to authenticate to this service. In an AD environment, you will, most of the time, use the Kerberos
protocol for the authentication process (or NetNTLM but we will talk about it later).
Because an image is worth a big speech:
paloaltonetworks image |
Lets break this down. Lets say you want to access a server.
First, you have to connect to your workstation. When you enter your credentials, you request a
TGT
(Ticket Granting Ticket) to theAS
(Authentication Service). Then, theAS
check if you are who you pretend to be (username and hash of your password). If your credentials are valid, theAS
will provide you with the requestedTGT
.Now, when you try to connect to a server, it will check if the
Kerberos
protocol is available for this server. If so, you will request aST
(Service Ticket) to theTGS
(Ticket Granting Service). To be able to do that, the TGT is sent to the TGS so it can authenticate the client.With the
ST
, you just have to give it to the server that will check the validity of the ticket and authenticate you.
Be aware of the difference between
ST
andTGS
. TheTGS
is the SERVICE providing the TICKET, whereST
is the TICKET.
The KDC
(Key Distribution Center) is the fusion of an AS
and a TGS
. It is often the DC
(Domain Controller) that has the role of KDC
.
NTLM
There is often a bit of confusion when we talk about NTLM
. Do we speak about an authentication protocol or about a hash algorithm ? Well the authentication protocol is often called NTLM
but the full name is Net-NTLM
. There are different version of this protocol like Net-NTLMv1 or Net-NTLMv2. For now, only these 2 versions exist. And when we speak about a hash we just say NTLM hash
. This NTLM hash
is the response of the server challenge. It is the challenge + the response. But what people think of when we speak about NTLM hash
is the NT hash
or LM hash
. This NTLM hash
can be realayed or cracked offline.
Be aware that a lot of people make no distinction between the concatenation of
NT
andLM
hash (separated by a:
) and theNTLM "hash"/response
that isn’t really a hash. It is just a response to the challenge sent by the server. Sometimes, theLM/NT
hash is called NTLM hash
This
NTLM hash
can’t be passed. You can’t do a PtH (Pass the Hash) attack.
The client uses its NT
hash during the NTLM
authentication mechanism in order to calculate a response for the server.
NT
hash can be used to authenticate to several services (ex: RDP).
LDAP
LDAP
provides a standardized way to access and manage directory services, making it a fundamental component of many network infrastructure setups. For example, you can use LDAP
to list all the users of a domain.
Attacks
Now that we know more about how an AD is working, we are going to talk about the most basic attacks on it.
Kerberoasting
In Active Directory, a ST
can be requested by any user for any service that is registered in the domain database through an SPN
(Service Principal Names), regardless of whether the service is running or not. Only service account should have an SPN
but sometimes a regular user has an SPN
.
An
SPN
looks likeservice_class/machine_name[:port][/path]
The Kerberoast
attack consist on requests STs
for those services of regular user accounts and try to crack them to get the user passwords. Usually, the users that have services also have privileges, so these are juicy accounts.
Enumeration / Exploitation
First of all, we need a user of the domain to be able to launch this attack. Once you have that, you can use LDAP queries, Bloodhound or GetUsersSPN to find the potential vulnerable users. The basic command:
1
GetUserSPNs.py -dc-ip $DC_IP $DOMAIN.LOCAL/$USER
You can export the result with the same command by adding the
-outputfile
flag.
You can use
hashes
instead of the user password that you own by specifying the-hashes LM_HASH:NT_HASH
. This is calledPtH
(Pass the Hash)
For better visualization, you can use bloodhound-python to export all the necessary information from the domain using commands like:
1
bloodhound-python -u $USER -p $PASSWORD -ns $DC_IP -d $DOMAIN.local -c all --zip
Now that you exported the data with bloodhound-python
, you can use the default bloodhound
GUI program to see any information about the domain you are trying to exploit. There is an option to see all Kerberoastable
account in a graph format.
The same thing can be done using crackmapexec
:
1
cme ldap $DC_IP -u $USER -p "$PASSWORD" -d $DOMAIN.local --kerberoasting KERBEROASTING
You can now use tools like hashcat
to try cracking the recovered hash:
hashcat -m 13100 Kerberoastables.txt /usr/share/wordlists/rockyou.txt
Note that you can get
ST
for a service account. This won’t be able to crack it because it is generated automatically by the DC. It is a 120 random characters long passwords. Good luck cracking this XD.
AS-REPRoasting
Because some applications don’t support Kerberos preauthentication
, it is common to find users with Kerberos preauthentication disabled, hence allowing attackers to request TGTs
for these users and crack the session keys offline.
As for the Kerberoast
attack, you can also use Bloodhound GUI
to search AS-REPRoastable
users. But here we are going to look only for the command line exploit.
Enumeration / Exploitation
1
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip $DC_IP "$DOMAIN/$USER:$PASSWORD"
Here we just listed the potentially vulnerable users and exported their hash from the TGT
in a file called ASREProastables.txt
.
If this doesn’t work you can provide a user list like so:
Note that you can use the
-hashes "$LM_HASH:$NT_HASH"
to use the hash of the user you own instead of its password.
We can now try to crack them all using hashcat
:
hashcat -m 18200 -a 0 ASREProastables.txt /usr/share/wordlists/rockyou.txt
It may be worth mentioning that we can exploit AS-REProasting as an unauthenticated attacker. We just need to know the domain name (visible in crackmapexec output) and the username (that we can bruteforced with kerbrute or using a user list like we did earlier).
Golden / Silver Tickets
First of all, Golden and Silver tickets are used for persistence. This mean that you won’t use it on CTFs or pentest but it is a well known persistence method so it is good to know it.
Silver Tickets
Lets start with silver tickets. A Silver Ticket
grants us access to a specific service. It allows us to generate a ST (Service Ticket) for this service. To do that, we need to know the kerberos key of this service account. To recover this key you can, for example, dump the lsass
process. Tools like mimikatz (kerberos::golden
) or the impacket ticketer.py can be used to do that.
Golden Tickets
Golden Tikets
allows us to have unrestricted access to a whole domain by generating a TGT
for any user. To be able to do that, we need to have access to the krbtgt
keys and to get those, we need to be domain admin (DA).
Delegations
TODO