Notes | AD | AD Basics

Active Directory

Introduction

Well, well well… Here we are. Doing an Active Directory introduction note. Lets start by defining what is Active directory. Active Directory (AD), is the windows directory. It allows interconnection between computers and/or servers. The computers and servers in a domain (computer cluster) can have any distribution in it (Unix-like or windows).

I will not get into too much detail on how active directory works, what is a domain, forest… I will focus only on the different protocols and attacks on it. If you want to get more information about how an AD works, and want basic knowledge on it, I advise you the great post Attacking Active Directory: 0 to 0.9.

Protocols

Before talking about the attacks on AD, I will just talk about the basic protocols that we have on windows AD. First we will talk about the famous three headed dog… I mean Kerberos protocol.

Kerberos

The Kerberos protocol uses tickets. You ask tickets, you get tickets and you give tickets. But why do we need tickets ? Because you would, for example, access a service on the domain. For example, let’s say you would like to access a web server or a server that share files… You will have to authenticate to this service. In an AD environment, you will, most of the time, use the Kerberos protocol for the authentication process (or NetNTLM but we will talk about it later).

Because an image is worth a big speech:

paloaltonetworks image

Lets break this down. Lets say you want to access a server.

• First, you have to connect to your workstation. When you enter your credentials, you request a TGT (Ticket Granting Ticket) to the AS (Authentication Service). Then, the AS check if you are who you pretend to be (username and hash of your password). If your credentials are valid, the AS will provide you with the requested TGT.

• Now, when you try to connect to a server, it will check if the Kerberos protocol is available for this server. If so, you will request a ST (Service Ticket) to the TGS (Ticket Granting Service). To be able to do that, the TGT is sent to the TGS so it can authenticate the client.

• With the ST, you just have to give it to the server that will check the validity of the ticket and authenticate you.

Be aware of the difference between ST and TGS. The TGS is the SERVICE providing the TICKET, where ST is the TICKET.

The KDC (Key Distribution Center) is the fusion of an AS and a TGS. It is often the DC (Domain Controller) that has the role of KDC.

NTLM

There is often a bit of confusion when we talk about NTLM. Do we speak about an authentication protocol or about a hash algorithm ? Well the authentication protocol is often called NTLM but the full name is Net-NTLM. There are different version of this protocol like Net-NTLMv1 or Net-NTLMv2. For now, only these 2 versions exist. And when we speak about a hash we just say NTLM hash. This NTLM hash is the response of the server challenge. It is the challenge + the response. But what people think of when we speak about NTLM hash is the NT hash or LM hash. This NTLM hash can be realayed or cracked offline.

Be aware that a lot of people make no distinction between the concatenation of NT and LM hash (separated by a :) and the NTLM "hash"/response that isn’t really a hash. It is just a response to the challenge sent by the server. Sometimes, the LM/NT hash is called NTLM hash

This NTLM hash can’t be passed. You can’t do a PtH (Pass the Hash) attack.

The client uses its NT hash during the NTLM authentication mechanism in order to calculate a response for the server.

NT hash can be used to authenticate to several services (ex: RDP).

LDAP

LDAP provides a standardized way to access and manage directory services, making it a fundamental component of many network infrastructure setups. For example, you can use LDAP to list all the users of a domain.

Attacks

Now that we know more about how an AD is working, we are going to talk about the most basic attacks on it.

Kerberoasting

In Active Directory, a ST can be requested by any user for any service that is registered in the domain database through an SPN (Service Principal Names), regardless of whether the service is running or not. Only service account should have an SPN but sometimes a regular user has an SPN.

An SPN looks like service_class/machine_name[:port][/path]

The Kerberoast attack consist on requests STs for those services of regular user accounts and try to crack them to get the user passwords. Usually, the users that have services also have privileges, so these are juicy accounts.

Enumeration / Exploitation

First of all, we need a user of the domain to be able to launch this attack. Once you have that, you can use LDAP queries, Bloodhound or GetUsersSPN to find the potential vulnerable users. The basic command:

GetUserSPNs.py -dc-ip $DC_IP $DOMAIN.LOCAL/$USER

You can export the result with the same command by adding the -outputfile flag.

You can use hashes instead of the user password that you own by specifying the -hashes LM_HASH:NT_HASH. This is called PtH (Pass the Hash)

For better visualization, you can use bloodhound-python to export all the necessary information from the domain using commands like:

bloodhound-python -u $USER -p $PASSWORD -ns $DC_IP -d $DOMAIN.local -c all --zip

Now that you exported the data with bloodhound-python, you can use the default bloodhound GUI program to see any information about the domain you are trying to exploit. There is an option to see all Kerberoastable account in a graph format.

The same thing can be done using crackmapexec:

cme ldap $DC_IP -u $USER -p "$PASSWORD" -d $DOMAIN.local --kerberoasting KERBEROASTING

You can now use tools like hashcat to try cracking the recovered hash:

hashcat -m 13100 Kerberoastables.txt /usr/share/wordlists/rockyou.txt

Note that you can get ST for a service account. This won’t be able to crack it because it is generated automatically by the DC. It is a 120 random characters long passwords. Good luck cracking this XD.

AS-REPRoasting

Because some applications don’t support Kerberos preauthentication, it is common to find users with Kerberos preauthentication disabled, hence allowing attackers to request TGTs for these users and crack the session keys offline.

As for the Kerberoast attack, you can also use Bloodhound GUI to search AS-REPRoastable users. But here we are going to look only for the command line exploit.

Enumeration / Exploitation

GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip $DC_IP "$DOMAIN/$USER:$PASSWORD"

Here we just listed the potentially vulnerable users and exported their hash from the TGT in a file called ASREProastables.txt.

If this doesn’t work you can provide a user list like so:

Note that you can use the -hashes "$LM_HASH:$NT_HASH" to use the hash of the user you own instead of its password.

We can now try to crack them all using hashcat:

hashcat -m 18200 -a 0 ASREProastables.txt /usr/share/wordlists/rockyou.txt

It may be worth mentioning that we can exploit AS-REProasting as an unauthenticated attacker. We just need to know the domain name (visible in crackmapexec output) and the username (that we can bruteforced with kerbrute or using a user list like we did earlier).

Golden / Silver Tickets

First of all, Golden and Silver tickets are used for persistence. This mean that you won’t use it on CTFs or pentest but it is a well known persistence method so it is good to know it.

Silver Tickets

Lets start with silver tickets. A Silver Ticket grants us access to a specific service. It allows us to generate a ST (Service Ticket) for this service. To do that, we need to know the kerberos key of this service account. To recover this key you can, for example, dump the lsass process. Tools like mimikatz (kerberos::golden) or the impacket ticketer.py can be used to do that.

Golden Tickets

Golden Tikets allows us to have unrestricted access to a whole domain by generating a TGT for any user. To be able to do that, we need to have access to the krbtgt keys and to get those, we need to be domain admin (DA).

Delegations

TODO