Attacking and Defending
Active Directory
Hacks and Countermeasures
Andrei Pusoiu
Cyber Security Engineer
Table of contents
● Introduction to Active Directory
● Ways of attack
○ Ways of defence
● Conclusion
Andrei Pusoiu
● Cyber Security Engineer
● 6+ years in penetration testing
● Web, mobile, secure development
● Co-Founder of Cyber Threat Defense
● Email: andrei.pusoiu@ctdefense.com
Introduction
Active Directory
● Directory service installed on a Windows Server (Domain Controller, DC)
● Database: NTDS.dit
○ Users
○ Computers
○ Printers
○ File Shares
○ Security Groups
● Handles security authentication
● Centralized management of Windows networks
Most common tasks with AD
● Reset passwords
● Create / delete user accounts
● Set permissions (groups)
Attacking
Active Directory
● Goal
○ Domain admins
○ Enterprise admins
○ Built-in administrators
○ Backup Operators
○ ...
● Second Goal
○ Exchange email
○ Sharepoint documents
○ Skype messages
○ Azure apps
○ Secret data
○ ...
Attacking Kill Chain
Classic intrusion scheme
Next Steps
● Persistence
● Reconnaissance
● Privilege escalation
● Persistence (admin)
● Lateral and vertical movement
● Grab and exfiltrate
COMMON ATTACKS from Domain User to Domain Admin
● SMB Shares Mining
● Mimikatz attacks
● Passwords in SYSVOL & Group Policy Preferences
● Kerberos TGS Service Ticket Offline Cracking (Kerberoast)
● Other methods
SMB SHARES MINING
● Share scanning can be a pentester’s best friend
● Fruitful, but tedious
● Enumerate shares in the environment and look for data with hardcoded creds (scripts, config files), backups, documentation, dump files
● Tools:
○ shareenum
○ PowerView Find-DomainShare
○ smbmap
○ nmap
● We had 100% success
SMB SHARES MINING
● Different permissions: view, edit, delete
● Results differ based on the user you connect with
Mitigation:
No straightforward solution
● Configure the firewall to block access
● Scan for and find vulnerabilities in SMB share enumeration (OpenVAS)
● Periodic penetration testing
● It requires a certain level of manual inspection of each share
● Remove sensitive data from shares or close access
Mimikatz attacks
● There are actually multiple attacks with the same process:
○ Compromise a single workstation
○ Escalate privileges
○ Dump credentials
○ Laterally move to other workstations using dumped credentials
○ Escalate privileges
○ Dump more credentials
● Quickly results in Domain Admin credentials
● Mimikatz
○ Dumps passwords from memory, hashes, PINs and Kerberos tickets
○ Enables multiple lateral movement techniques
Mimikatz Attacks
● Why does this work?
○ AD admins log on to their workstation with a user account
○ then use RunAs -> admin credentials on the local workstation
○ or RDP to connect to a server -> credentials can be grabbed using a keylogger
○ Logging onto a computer with a Domain Admin account places the credentials in LSASS -> dump from memory
Mimikatz Attacks
● Compromise a single workstation
● Download and run Mimikatz to dump local credentials and recently logged-on credentials.
● Using the local Administrator credentials gathered, authenticate to other workstations
○ Dump credentials with Mimikatz
○ Until DC admin credentials are harvested
● Leverage to servers where there are lots of credentials (Exchange, MSSQL, etc.)
● Dump all credentials from AD
Other Credential Theft methods
● Also using Mimikatz
● Pass-the-Hash: grab the hash (usually NTLM) and use it to access the DC. The hash is valid until the user changes the account password.
Other Credential Theft methods
● Also using Mimikatz
● Pass-The-Ticket:
○ After a Kerberos ticket is found
○ Pass it to another system, simulating a logon without communicating with the DC
Other Credential Theft methods
● Also using Mimikatz
● Pass-The-Key:
○ This attack uses the user's NTLM hash to request Kerberos tickets
○ clears all existing Kerberos keys for the user
○ injects the acquired hash into memory for the Kerberos ticket request
○ the injected hash (now a Kerberos key in memory) is used to request the resource Kerberos ticket
Mimikatz Attacks Mitigation:
● Administrators should have separate admin workstations for administration activities
● Admin accounts should never be logged onto regular workstations where user activities such as email and web browsing are performed.
● All local Administrator account passwords on workstations and servers should be long, complex, and random, using a product like Microsoft LAPS.
● Configure Group Policy to prevent local Administrator accounts from authenticating over the network
Passwords in SYSVOL & Group Policy Preferences
● A bit old
● But still present in networks with low security maturity
● SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access.
● SYSVOL contains logon scripts, group policy data, and other domain-wide data
● Any group policy file that needs to set a local or domain password
○ stores the password in the XML file
○ stored under the SYSVOL path
○ usually \\DOMAIN\SYSVOL
○ Stored encrypted (AES-256), but...
○ the encryption key is public on Microsoft's website
Passwords in SYSVOL & Group Policy Preferences
● On any client, search for:
○ Groups.xml
○ Services.xml
○ Scheduledtasks.xml
○ DataSources.xml
○ Printers.xml
○ Drives.xml
dir \\DOMAIN\sysvol\*.xml /a-d /s
Passwords in SYSVOL & Group Policy Preferences
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" image="2"
        changed="2017-10-10 11:23:48" uid="{355F2024-75C3-4EB4-9A16-BE114035625F}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="1" subAuthority="RID_ADMIN"
                userName="Administrator (built-in)"/>
  </User>
</Groups>
Passwords in SYSVOL & Group Policy Preferences
https://gist.github.com/andreafortuna/6dc38f84f07fdadd1c90c41db7cd35e0
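An added example, not from the slides: a read-only Python scanner that walks a SYSVOL copy for the six GPP file names listed above and reports every item still carrying a non-empty cpassword, which is the input the "delete existing GPP XML files containing passwords" mitigation needs. The temporary directory, the GPO GUID placeholder and the cleaned Drives.xml are constructed; the Groups.xml is the one shown above.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP file names (from the slide) that may carry a cpassword attribute
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml", "datasources.xml", "printers.xml", "drives.xml"}

# Copy of the Groups.xml shown on the slide, reindented, used as sample input
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)"
        image="2" changed="2017-10-10 11:23:48" uid="{355F2024-75C3-4EB4-9A16-BE114035625F}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="1" subAuthority="RID_ADMIN"
                userName="Administrator (built-in)"/>
  </User>
</Groups>"""

def find_gpp_passwords(root_dir):
    """Walk root_dir (a mounted SYSVOL); return (path, element tag, item name) for every
    GPP item still carrying a non-empty cpassword. The value itself is not returned."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            if fn.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fn)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                findings.append((path, "<unparseable>", ""))  # inspect by hand
                continue
            for item in tree.iter():            # no parent links in ElementTree,
                for child in item:              # so walk parent -> child pairs
                    if child.get("cpassword"):  # "" means already cleaned
                        findings.append((path, item.tag, item.get("name", "")))
    return findings

def build_sample_sysvol():
    """Constructed stand-in for \\\\DOMAIN\\SYSVOL (placeholder GPO GUID): the slide's
    Groups.xml plus a Drives.xml whose cpassword was already blanked."""
    prefs = os.path.join(tempfile.mkdtemp(), "Policies", "{GPO-GUID-PLACEHOLDER}",
                         "Machine", "Preferences")
    cleaned = '<?xml version="1.0"?><Drives><Drive name="H:"><Properties cpassword="" userName=""/></Drive></Drives>'
    for sub, body in (("Groups", SAMPLE_GROUPS_XML), ("Drives", cleaned)):
        os.makedirs(os.path.join(prefs, sub))
        with open(os.path.join(prefs, sub, sub + ".xml"), "w", encoding="utf-8") as f:
            f.write(body)
    return prefs
```

Run it against a real SYSVOL mount instead of build_sample_sysvol() to get the list of files to clean up; unparseable files are listed too so they are not silently skipped.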
Group Policy Preference Exploitation Mitigation:
● Install KB2962486 on every computer used to manage GPOs; it prevents new credentials from being placed in Group Policy Preferences.
● Delete existing GPP XML files in SYSVOL containing passwords.
● Install endpoint protection software
● Deploy Microsoft Local Administrator Password Solution (LAPS)
Kerberos TGS Service Ticket Offline Cracking (Kerberoast)
● Offline brute force of the service account password contained in service tickets (TGS)
○ No risk of detection
○ No account lockouts
● Invoke-Kerberoast from PowerView (dev branch) to collect hashes
● Focus on user accounts: they have shorter passwords
● John the Ripper (magnumripper fork) to crack them
Kerberos TGS Service Ticket Offline Cracking Mitigation:
● Ensure service account passwords are longer than 25 characters.
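A defender-side check for the Kerberoast section above, added here and not part of the slides: Windows Security event 4769 records every service ticket request with its encryption type, and a burst of RC4 (0x17) tickets for several user-account SPNs from one requester is the shape this attack leaves in the logs. The field names and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPE = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769

def ev(time, user, service, etype, ip):
    """Build one constructed 4769 record (assumed, SIEM-style field names)."""
    return {"time": time, "user": user, "service": service, "etype": etype, "ip": ip}

# Constructed sample: jdoe pulls RC4 tickets for four user SPNs within seconds,
# asmith does normal AES (0x12) work, bjones's RC4 request is for krbtgt.
SAMPLE_4769 = [
    ev("2017-10-10T11:23:48", "jdoe@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.15"),
    ev("2017-10-10T11:23:49", "jdoe@CORP.LOCAL", "svc_web", "0x17", "10.0.0.15"),
    ev("2017-10-10T11:23:49", "jdoe@CORP.LOCAL", "svc_backup", "0x17", "10.0.0.15"),
    ev("2017-10-10T11:23:50", "jdoe@CORP.LOCAL", "svc_jenkins", "0x17", "10.0.0.15"),
    ev("2017-10-10T11:30:00", "asmith@CORP.LOCAL", "FS01$", "0x12", "10.0.0.22"),
    ev("2017-10-10T11:31:00", "asmith@CORP.LOCAL", "svc_sql", "0x12", "10.0.0.22"),
    ev("2017-10-10T12:00:00", "bjones@CORP.LOCAL", "krbtgt", "0x17", "10.0.0.30"),
]

def is_roastable_request(e):
    """RC4 service ticket for a user-account SPN: the shape of a Kerberoast request.
    Machine accounts ($) have long random passwords; krbtgt requests are TGT traffic."""
    svc = e["service"].lower()
    return e["etype"].lower() == RC4_ETYPE and not svc.endswith("$") and svc != "krbtgt"

def detect_kerberoast(events, window=timedelta(minutes=5), min_services=3):
    """Return {user: sorted services} for requesters that obtained RC4 tickets for at
    least min_services distinct user SPNs inside one sliding window."""
    per_user = defaultdict(list)
    for e in events:
        if is_roastable_request(e):
            per_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= min_services:
                alerts[user] = sorted(in_window)
                break
    return alerts
```

Legacy applications that only negotiate RC4 will also show up here, so baseline them and tune window and min_services before alerting on this rule.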
Other attacks:
● Hack applications that run with admin privileges: Jenkins
● Missing patches on the DC: MS14-068 Kerberos vulnerability on a Domain Controller
● Exploit vulnerable software
● Legacy systems: one-click exploits
Persistence
Golden Tickets
● The previous methods help us obtain admin on the DC
● A Kerberos Golden Ticket helps us persist that access
○ The Active Directory domain controller is responsible for handling Kerberos ticket requests
○ The KRBTGT account is used to encrypt and sign all Kerberos tickets
○ Domain controllers use the account password to decrypt Kerberos tickets for validation
○ This account's password never changes
○ and the account name is the same in every domain
Golden Tickets
● Using Mimikatz
● Golden tickets can be created for valid domain accounts, or for accounts that do not exist
● Passing the ticket
Golden Ticket Mitigation:
● Very difficult: they are perfectly valid TGTs
● They are created with lifespans of 10 years or more -> far exceeding the default
● Event logs do not record the TGT timestamps in the authentication logs
● You must reset the KRBTGT account password twice
Conclusion
Your AD is as secure as your weakest host.
Most vulnerabilities come from human error and technology limitations
BUSINESS RISK
● Compromise of just one Domain Admin account in the Active Directory exposes the entire organization to risk. The attacker would have unrestricted access to all resources managed by the domain: all users, servers, workstations and data.
● Moreover, the attacker could instantly establish persistence in the Active Directory environment, which is difficult to notice and cannot be efficiently remediated with guarantees.
“Once domain admin, always domain admin”