{"id":811,"date":"2020-03-09T07:20:35","date_gmt":"2020-03-09T06:20:35","guid":{"rendered":"https:\/\/privat.andreas-klingler.de\/itsec\/?p=811"},"modified":"2025-03-19T10:22:36","modified_gmt":"2025-03-19T09:22:36","slug":"enumerating-and-exploiting-active-directory-environments","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=811","title":{"rendered":"Active Directory notes"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Check\u00adlist<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check if the Repli\u00adca\u00adtion share is mount\u00adable. If yes, grep for ass\u00adword in Groups.xml, which can be recov\u00adered with <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1284\" data-type=\"post\" data-id=\"1284\">Pow\u00ader\u00adSploit\u2019s Get-GPPPassword.ps1<\/a>.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">A <strong>domain<\/strong> of a <span class=\"caps\">DC<\/span> con\u00adsists out of the fol\u00adlow\u00ading elements:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>users<\/li>\n\n\n\n<li>groups<\/li>\n\n\n\n<li>com\u00adput\u00aders<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">An object in <span class=\"caps\">AD<\/span> may have a set of <strong><span class=\"caps\">ACE<\/span> Access Con\u00adtrol Entries<\/strong> which is called <strong><span class=\"caps\">ACL<\/span> Access Con\u00adtrol List<\/strong>. An objec\u00adt\u2019s <span class=\"caps\">ACE<\/span> can be retrieved in <span class=\"caps\">PS<\/span> with <code>Get-ObjectAcl [-Identity| $object<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <span class=\"caps\">SCM<\/span> Ser\u00advice Con\u00adtrol Man\u00adag\u00ader con\u00adtains a data\u00adbase of installed ser\u00advices and dri\u00advers on Windows.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Authentication methods<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Authen\u00adti\u00adca\u00adtion is per\u00adformed main\u00adly via <span class=\"caps\">NTLM<\/span> and Kerberos<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"caps\">NTLM<\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Client cal\u00adcu\u00adlates a <span class=\"caps\">NTLM<\/span> hash from the user\u2019s password.<\/li>\n\n\n\n<li>Client sends to the Appli\u00adca\u00adtion Serv\u00ader <span class=\"caps\">AS<\/span> a username.<\/li>\n\n\n\n<li><span class=\"caps\">AS<\/span> sends to the Client a Nonce\/Challenge.<\/li>\n\n\n\n<li>Client encrypts the Nonce\/Challenge with the <span class=\"caps\">NTLM<\/span> hash (aka user pass\u00adword) and sends it to the&nbsp;<span class=\"caps\">AS<\/span>.<\/li>\n\n\n\n<li><span class=\"caps\">AS<\/span> sends this to the <span class=\"caps\">DC<\/span> togeth\u00ader with the user\u00adname and&nbsp;nonce.<\/li>\n\n\n\n<li>The <span class=\"caps\">DC<\/span> com\u00adpares it with the stored <span class=\"caps\">NTLM<\/span> hash from the user and when iden\u00adti\u00adcal, it sends a green light to the&nbsp;<span class=\"caps\">AS<\/span>.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Kerberos<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=641\">See the Ker\u00adberos article.<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <span class=\"caps\">DC<\/span> is the Key Dis\u00adtri\u00adb\u00adu\u00adtion Cen\u00adter. Because <span class=\"caps\">TGT<\/span> can only be used for a short time because of the aging time\u00adstamp, the sys\u00adtem has to been able to gen\u00ader\u00adate new <span class=\"caps\">TGT<\/span> for which is need the user\u2019s pass\u00adword. It is cached in the <em>Local Secu\u00adri\u00adty Author\u00adi\u00adty Sub\u00adsys\u00adtem Ser\u00advice <span class=\"caps\">LSASS<\/span><\/em>. To obtain the hash\u00ades, sys\u00adtem access is needed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Service Account attacks<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=641\">See Ker\u00adberos article<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Low and slow passwort guessing<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Check the pass\u00adword poli\u00adcies on a <span class=\"caps\">AD<\/span> system<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">net accounts<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Note the Lock\u00adout thresh\u00adold and the Lock\u00adout obser\u00adva\u00adtion win\u00addow. The idea is to try very few com\u00admon pass\u00adwords against a large set of&nbsp;users.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/ZilentJack\/Spray-Passwords\">The script Spray-Passwords.ps1<\/a> can be used for&nbsp;this.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">.\\Spray-Passwords.ps1 -Pass 'pw1,pw2,pw3' -Admin<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This script can be let on the vic\u00adtim\u2019s sys\u00adtem. It will per\u00adform n\u20111 pass\u00adword attempts in each time win\u00addows and maybe some\u00adwhen deliv\u00ader a pos\u00adi\u00adtive result.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Tools<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>respon\u00adder<\/strong>: <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1946\">See blog&nbsp;post<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>mitm6<\/strong>: Win\u00addows pref\u00aderes IPv6 over IPv4 for <span class=\"caps\">DNS<\/span> servers. mitm6 can announce itself as IPv6 <span class=\"caps\">DNS<\/span> serv\u00ader which would then be used by Win\u00addows sys\u00adtems. (<a href=\"https:\/\/hausec.com\/2019\/03\/05\/penetration-testing-active-directory-part-i\/\">Source<\/a>)<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>See also the source arti\u00adcle which describes how to catch <span class=\"caps\">DNS<\/span> requests and add pay\u00adload into requests.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">mitm6 -d lab.local<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>blood\u00adhound<\/strong>: <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1307\">See the article<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>GetUserSPNs.py<\/strong>: Retrieves an Ker\u00adberos tick\u00adet which can include a hash. (<a href=\"https:\/\/github.com\/SecureAuthCorp\/impacket\/blob\/master\/examples\/GetUserSPNs.py\">Down\u00adload<\/a>)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">GetUserSPNs.py -request -dc-ip $victim $domain\/$user<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>User\/Attributes<\/strong>: See <span class=\"caps\">OSCP<\/span> 630f for a Pow\u00ader\u00adShell script which enu\u00admer\u00adates through all users with their attributes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><span class=\"caps\">ADAPE<\/span><\/strong>: Please describe me: <a href=\"https:\/\/github.com\/hausec\/ADAPE-Script\">https:\/\/github.com\/hausec\/ADAPE-Script<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Death\u00adStar<\/strong>: Pease describe me: <a href=\"https:\/\/github.com\/byt3bl33d3r\/DeathStar\">https:\/\/github.com\/byt3bl33d3r\/DeathStar<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Get password hashes<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The <span class=\"caps\">DC<\/span> stores pass\u00adword hash\u00ades for all users in the whole domain in the <code>%systemroot%\\ntds\\ntds.dit<\/code> file. It can be parsed with Impack\u00adet\u2019s secretsdump.py.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=761\" data-type=\"post\" data-id=\"761\">See also Win\u00addows pass\u00adword files&nbsp;post.<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Secretsdump.py<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Required: Domain Admin user account and password.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Get the krbt\u00adgt cre\u00adden\u00adtials (e.g. to per\u00adform Gold\u00aden Tick\u00adet attacks afterwards):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">secretsdump.py domain.local\/svcsqlserver:$password@$dc-ip -just-dc-user krbtgt<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Skeleton Key (<em>Generalschl\u00fcssel<\/em>)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When hav\u00ading domain admin access to the <span class=\"caps\">DC<\/span>, a mal\u00adware can be inject\u00aded into the mem\u00ado\u00adry which patch\u00ades the authen\u00adti\u00adca\u00adtion to check against the nor\u00admal process\u00ades (<span class=\"caps\">NTLM<\/span>\/Kerberos) and a con\u00adstant string. An attack\u00ader can then use this con\u00adstant string as pass\u00adword to obtain any tick\u00adet. There is no need to crack a domain admin\u2019s pass\u00adword anymore.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Mimikatz has inte\u00adgrat\u00aded this patch. Exe\u00adcute the fol\u00adlow\u00ading on a <span class=\"caps\">DC<\/span> with domain admin access:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">privilege::debug<br>misc::skeleton<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">That\u2019s it. Now, the pass\u00adword <em>mimikatz<\/em> is valid for all users in the whole domain. Notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This does not affect the \u201creal\u201d cre\u00adden\u00adtials. All users can authen\u00adti\u00adcate as before.<\/li>\n\n\n\n<li>The patch is applied in the mem\u00ado\u00adry. After the <span class=\"caps\">DC<\/span> restarts, the skele\u00adton key is not longer avail\u00adable. (But hey, who ever restarts a&nbsp;<span class=\"caps\">DC<\/span>\u2026?)<\/li>\n\n\n\n<li><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">DCShadow<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">DCShad\u00adow makes anoth\u00ader sys\u00adtem to a pri\u00adma\u00adry <span class=\"caps\">DC<\/span>. On this tem\u00adpo\u00adrary <span class=\"caps\">DC<\/span>, actions can be per\u00adformed like pass\u00adword changes, which prop\u00ada\u00adgate to the \u201creal\u201d (now sec\u00adondary) <span class=\"caps\">DC<\/span> and all oth\u00ader sys\u00adtems but with\u00adout hav\u00ading log\u00adging events on these sys\u00adtems. The log\u00adging takes place on the \u201cfaked\u201d <span class=\"caps\">DC<\/span>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On an attack\u00ader (Win\u00addows Serv\u00ader-) sys\u00adtem, exe\u00adcute Mimikatz. Make all changes there and then make the \u201creal\u201d <span class=\"caps\">DC<\/span> again to the pri\u00adma\u00adry&nbsp;<span class=\"caps\">DC<\/span>.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Notes<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em><span class=\"caps\">SPN<\/span> Ser\u00advice Prin\u00adci\u00adpal Name<\/em> is used to deter\u00admine a spe\u00adcif\u00adic ser\u00advice with\u00adin a&nbsp;<span class=\"caps\">AD<\/span>.<\/li>\n\n\n\n<li><a href=\"https:\/\/hackmag.com\/security\/windows-ad-escalation\/\">Arti\u00adcle with attack techniques<\/a><\/li>\n\n\n\n<li>To pre\u00advent pass\u00adword reusage, the <span class=\"caps\">DC<\/span> nor\u00admal\u00adly stores the cur\u00adrent and the pre\u00advi\u00adous pass\u00adword (in Mimikatz ntlm\u20110 and ntlm\u20111). Maybe the old hash\/password can work somewhere\u2026?<\/li>\n\n\n\n<li><span class=\"caps\">DFSR<\/span> Dis\u00adtrib\u00aduted File Sys\u00adtem Repli\u00adca\u00adtion: A stan\u00addard <span class=\"caps\">AD<\/span> ser\u00advice which syn\u00adchro\u00adnizes direc\u00adto\u00adries on all AD-joined sys\u00adtems. Is used to repli\u00adcate small con\u00adfig\u00adu\u00adra\u00adtions on every device. (The oth\u00ader, for users vis\u00adi\u00adble way, is&nbsp;samba.)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Countermeasures<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check if there are tick\u00adets some\u00adwhere with a life-span which is too long. (Can be up to 10 years, which is used by most tools, but \u201cnor\u00admal\u201d tick\u00adets have a life\u00adtime only for some minutes\/hours.)<\/li>\n\n\n\n<li>Check peri\u00adod\u00adic on end-user sys\u00adtems (e.g. with klist) if there are tick\u00adets with a valid\u00adi\u00adty time which is too&nbsp;long.<\/li>\n\n\n\n<li>Mon\u00adi\u00adtor the DCs log for logs about new DCs\/replications.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Check\u00adlist A domain of a <span class=\"caps\">DC<\/span> con\u00adsists out of the fol\u00adlow\u00ading ele\u00adments: An object in <span class=\"caps\">AD<\/span> may have a set of <span class=\"caps\">ACE<\/span> Access Con\u00adtrol Entries which is called <span class=\"caps\">ACL<\/span> Access Con\u00adtrol List. An objec\u00adt\u2019s <span class=\"caps\">ACE<\/span> can be retrieved in <span class=\"caps\">PS<\/span> with Get-Objec\u00adtA\u00adcl [-Iden\u00adti\u00adty| $object. The <span class=\"caps\">SCM<\/span> Ser\u00advice Con\u00adtrol Man\u00adag\u00ader con\u00adtains a data\u00adbase of installed services&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[194,210,50,183,219,24],"class_list":["post-811","post","type-post","status-publish","format-standard","hentry","category-general","tag-active-directory","tag-ad","tag-enumeration","tag-powershell","tag-powersploit","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/811","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=811"}],"version-history":[{"count":48,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/811\/revisions"}],"predecessor-version":[{"id":4673,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/811\/revisions\/4673"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=811"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=811"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=811"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}