Practical AD Attacks and Protection Booklet
Contents
• Introduction
• LAB Prerequisites
• Building the LAB in 15 min
  • Deploying a new Microsoft Windows Server 2016 Domain Controller
    • Windows Server 2016 Installation
    • Disable IE enhanced security
    • Active Directory Domain Services role Installation
    • Active Directory Objects Creation Using BadBlood
  • Setting Up Victim Machine (Windows 10)
    • Setting Up Windows 10
    • Joining to Domain
    • Set the DNS IP configuration
  • Kali Machine (Attacker Machine)
    • BloodHound and bloodhound.py Installation
• Active Directory Enumeration
  • Finding the Active Directory Server using Windows commands
  • Finding the AD server using Nmap
  • Enumerating AD Usernames using Guessing technique
  • Enumeration Using BloodHound
    • What is BloodHound
    • What is BloodHound.py
    • Prerequisites
    • Enumeration
• Kerberos Explained
• Modern Active Directory Attacks
  • AS-REP Roasting
    • Attack prerequisites
    • Creating an explicitly vulnerable user account
    • Mitigations
    • Monitoring
  • Kerberoasting
    • What is Kerberoasting Attack
    • Creating an explicitly vulnerable user account
    • Kerberoasting Attack Using Windows PowerShell
    • Attack prerequisites
    • Identify accounts with registered SPNs
      • Using Bloodhound
Practical Active Directory Attacks and Protection
Introduction
In order to secure Active Directory, you must understand the techniques attackers use to attack AD. This article covers most of the modern AD attacks using known and built-in tools such as PowerShell, BloodHound, etc. This LAB is based on real attacks and red team activities. Some of the attacks that will be covered:
• Kerberos Attacks and Defense (Golden ticket, Silver ticket, Kerberoast and more)
• Persistence (DCShadow, WMI, GPO, Domain and Host ACLs and more)
LAB Prerequisites
• 180-day trial of Windows Server 2012
• Kali OS
• Windows 10 OS
After the restart, run the following using PowerShell ISE to create the domain:
• Open the “invoke-badblood” script found in the C:\badblood directory with PowerShell ISE and run it
The Domain Controller with the groups and users is now built and ready.
Joining to Domain
Join the device to the domain and try to log in with the domain user.
neo4j console
• Go to http://localhost:7474/ to set up the database user and password; you will need those credentials when launching BloodHound.
• Run BloodHound by typing “bloodhound” and log in with the credentials previously set.
gpresult /r
Let’s run Nmap over the subnet to search for hosts having these ports open.
More enumeration reveals the domain name and the OS version, which could be useful later.
Reply obtained: the user worker exists and does not require preauthentication.
Reply obtained with an error: the user Test exists but requires preauthentication.
What is BloodHound.py
BloodHound.py is a Python based ingestor for BloodHound, based on Impacket.
Prerequisites
You need a valid user and password (which can come from phishing, AS-REP roasting, …).
Enumeration
Go to the BloodHound.py-master repository and run the following command (-c All collects as much data as possible):
python3 bloodhound.py -u {user} -p {password} -ns {name server (DC IP)} -d {domain} -c All
NB: how did we get the user credentials? Through a successful phishing campaign that yielded the user’s credentials, by compromising the victim machine with a malicious file and then dumping the user’s password via Mimikatz, a keylogger, etc., or via a malicious internal user, etc.
Launch BloodHound
Import the data generated by bloodhound.py into BloodHound by dragging and dropping the generated JSON files.
NB: these queries run locally against the database we populated from the collected data, not as live Active Directory queries. Changes made to the domain after we gathered our data will not be reflected.
Kerberos Explained
Kerberos is an authentication protocol. It issues tickets to nodes to allow access to services/resources based on privilege level. It is used mainly in Active Directory and sometimes in Linux environments.
Kerberos Ticketing:
• Ticket Granting Ticket (TGT): ticket assigned to users to authenticate to the KDC and issue requests for a TGS.
• Ticket Granting Server (TGS): an authentication subset of the KDC that issues Service Tickets after verifying an end user’s TGT and whether they have access to the requested resource.
• Service Ticket (ST): ticket granted to you by the TGS for authentication against services.
Pre-Authentication is the first step in Kerberos authentication and its main role is to help prevent brute-force password guessing attacks.
If Pre-Authentication is disabled, an attacker can request a ticket for any user and the DC simply returns the TGT reply (AS-REP), whose encrypted part is keyed by the user’s password; similar to the Kerberoast attack, it can be cracked offline.
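The exchange described above, as an added example that is not part of the booklet: a pure-Python toy of the Kerberos AS exchange with a constructed two-account KDC, one account requiring pre-authentication and one with the “Do not require Kerberos preauthentication” flag set. The key derivation (PBKDF2), the “encryption” (an HMAC seal over JSON) and the message fields are deliberate simplifications of RFC 4120 and are assumptions of this example; the error names are the real Kerberos error codes, and the account names and passwords are constructed.

```python
"""Toy model of the Kerberos AS exchange showing what pre-authentication changes.

Added example (not code from the booklet). A KDC with a constructed account
database answers AS-REQs for an account that requires pre-authentication and
one with "Do not require Kerberos preauthentication" set. Key derivation,
"encryption" (an HMAC seal) and message layout are deliberate simplifications
of RFC 4120, chosen only to show which party can produce and verify each part.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Optional

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit, decimal 4194304
NORMAL_ACCOUNT = 0x200

# Constructed account database: sAMAccountName -> (password, userAccountControl)
ACCOUNTS = {
    "worker": ("Winter2019!", NORMAL_ACCOUNT | DONT_REQ_PREAUTH),  # misconfigured
    "test":   ("Summer2020!", NORMAL_ACCOUNT),                     # pre-auth required
}
KRBTGT_KEY = os.urandom(32)  # stands in for the krbtgt account key


def derive_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key: the client key depends on the password only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"toy-salt", 1000)


def seal(key: bytes, data: dict) -> str:
    """Stand-in for Kerberos encryption: serialized data plus an HMAC under `key`."""
    blob = json.dumps(data, sort_keys=True).encode()
    return blob.hex() + ":" + hmac.new(key, blob, hashlib.sha256).hexdigest()


def open_seal(key: bytes, sealed: str) -> Optional[dict]:
    """Return the sealed data if `key` is the key it was sealed with, else None."""
    blob_hex, tag = sealed.split(":")
    blob = bytes.fromhex(blob_hex)
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(blob)


def client_as_req(user: str, password: Optional[str] = None, nonce: int = 1) -> dict:
    """Client side: an AS-REQ, carrying an encrypted timestamp only when a password is supplied."""
    req = {"cname": user, "nonce": nonce}
    if password is not None:
        req["padata"] = seal(derive_key(password), {"timestamp": time.time()})
    return req


def kdc_as_exchange(as_req: dict) -> dict:
    """KDC side: returns {"error": ...} or an AS-REP {"ticket": ..., "enc_part": ...}."""
    user = as_req["cname"]
    if user not in ACCOUNTS:
        return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}   # "user does not exist"
    password, uac = ACCOUNTS[user]
    client_key = derive_key(password)
    if not uac & DONT_REQ_PREAUTH:
        # Pre-auth required: the client must prove knowledge of the key before any
        # reply keyed by that key is issued.
        padata = as_req.get("padata")
        if padata is None:
            return {"error": "KDC_ERR_PREAUTH_REQUIRED"}  # "user exists but requires preauth"
        ts = open_seal(client_key, padata)
        if ts is None or abs(time.time() - ts["timestamp"]) > 300:
            return {"error": "KDC_ERR_PREAUTH_FAILED"}
    # Either pre-auth succeeded or the account does not require it: issue the AS-REP.
    session_key = os.urandom(16).hex()
    ticket = seal(KRBTGT_KEY, {"cname": user, "session_key": session_key})   # the TGT
    enc_part = seal(client_key, {"session_key": session_key, "nonce": as_req["nonce"]})
    return {"ticket": ticket, "enc_part": enc_part}


if __name__ == "__main__":
    for name, pw in (("worker", None), ("test", None), ("nobody", None), ("test", "Summer2020!")):
        rep = kdc_as_exchange(client_as_req(name, pw))
        print(name, "with" if pw else "without", "pre-auth ->", list(rep))
```

Run as a script it prints which kind of reply each request gets. The three outcomes are exactly what the username-guessing replies earlier in the booklet distinguish: unknown principal, “requires preauthentication”, and a full reply. Note that the enc_part returned for worker without any proof of identity is sealed under a key derived from nothing but that account’s password, which is why it can be attacked offline and why the mitigations later concern the flag itself and password strength.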
AS-REP Roasting
Attack prerequisites
• A valid username
• “Do not require Kerberos preauthentication” must be enabled on the account (it is not enabled by default)
Import the data generated by bloodhound.py into BloodHound by dragging and dropping the generated JSON files.
Click on “Find AS-REP Roastable Users (DontReqPreAuth)” (found 2 AS-REP roastable users: WALIDTEST & WORKER).
Use python -m SimpleHTTPServer to host the bloodhound.exe collector on our Kali attacking machine.
Download bloodhound.exe to the Windows victim machine (use one of the 4 techniques highlighted).
Run SharpHound (manually entering credentials if you are not logged in with a domain account).
Download the generated zip file and import it into BloodHound (as we did previously).
1- You can create an upload page on your Kali machine, then request this page from the victim browser and upload the bloodhound.zip file.
2- You can upload the bloodhound.zip via an email service or to an online file-sharing website such as Mega.io, etc.
3- You can use the Metasploit download feature if you obtained a reverse shell with Metasploit (via a vulnerability, a reverse shell, etc.).
Using PowerShell (on the compromised Windows machine; it can also be done via PSRemoting or Metasploit)
Import the module in PowerShell and run the following command to extract the user hash from the AS-REP message.
Export the hashes, then copy them to your attacking machine and crack them using hashcat or John the Ripper.
You can also crack the hashes by downloading hashcat.exe to the victim machine.
Once we have cracked one user account, we can enumerate all the remaining users with the “preauthentication not required” misconfiguration.
Mitigations
1- Continuously monitor for and identify accounts that do not require preauthentication (you can use the techniques mentioned above).
2- Enforce strong password policy requirements such as complexity, length and lifetime in the organization, as it is the first line of defense against intruders.
3- It is also important to understand which users have privileges over your AD user accounts and can enable this UAC value, as it can be enabled just long enough to obtain the AS-REP hash and then turned off again. This query returns all access rights for each user account that does not require preauthentication:
PS> Get-ADUser -Filter 'useraccountcontrol -band 4194304' | ForEach-Object { (Get-Acl "AD:$($_.DistinguishedName)").Access }
Monitoring
1- Check event 4738 for changes to the User Account Control “Don’t Require Preauth” value.
2- Monitor event ID 5136 for changes to User Account Control.
Kerberoasting
What is Kerberoasting Attack
The Kerberoasting attack is an attack against service accounts (SPNs) in Active Directory. Kerberoasting is a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking. When you request a service ticket for a Service Principal Name (SPN), you get back a ticket that is encrypted with the NTLM hash of the account that has that SPN registered.
Attack prerequisites
• Domain user (the user need not have elevated or “administrator” privileges)
Identify accounts with registered SPNs
Using Bloodhound
Using GetUserSPNs.ps1
Results before creating the misconfigured user (optional)
The error below indicates that your PC cannot reach the AD (connection/DNS issue).
Running the PowerShell script “GetUserSPNs.ps1” after creating the misconfigured user, we identified the “webserver” service account.
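One way to do both identification steps from code, as an added example that is not the booklet’s own code: the AS-REP mitigation above asks for continuous identification of accounts that do not require preauthentication, and this section identifies user accounts with registered SPNs. The records below are constructed to look like the LDAP attributes an ingestor or Get-ADUser would return (in a real run they would come from the directory); the domain name lab.local, the SPN values and the olduser/AD-LAB$ entries are placeholders, while worker, walidtest and webserver follow the booklet’s lab. The userAccountControl bit values are the ones Windows defines.

```python
"""Audit of directory records for the two misconfigurations the booklet hunts for:
accounts with DONT_REQ_PREAUTH set (AS-REP roastable) and user accounts with a
registered SPN (Kerberoastable).

Added example, not the booklet's own code. RECORDS is constructed to look like
LDAP attributes; lab.local and the SPNs are placeholders.
"""
from typing import Dict, List

# userAccountControl bits (values from the Windows ADS_USER_FLAG enumeration)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000   # decimal 4194304, the bit the booklet's Get-ADUser filter tests
UAC_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}

# Constructed directory records
RECORDS = [
    {"sAMAccountName": "worker", "objectClass": "user", "servicePrincipalName": [],
     "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "walidtest", "objectClass": "user", "servicePrincipalName": [],
     "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "olduser", "objectClass": "user", "servicePrincipalName": [],
     "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
    {"sAMAccountName": "test", "objectClass": "user", "servicePrincipalName": [],
     "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "webserver", "objectClass": "user",
     "servicePrincipalName": ["HTTP/web01.lab.local"],
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "krbtgt", "objectClass": "user",
     "servicePrincipalName": ["kadmin/changepw"],
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"sAMAccountName": "AD-LAB$", "objectClass": "computer",
     "servicePrincipalName": ["HOST/ad-lab.lab.local", "LDAP/ad-lab.lab.local"],
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]


def decode_uac(value: int) -> List[str]:
    """Names of the flags set in a userAccountControl value (known bits only)."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if value & bit]


def is_enabled(record: dict) -> bool:
    return not record["userAccountControl"] & ACCOUNTDISABLE


def asrep_roastable(records: List[dict]) -> List[str]:
    """Enabled accounts with 'Do not require Kerberos preauthentication' set."""
    return sorted(r["sAMAccountName"] for r in records
                  if is_enabled(r) and r["userAccountControl"] & DONT_REQ_PREAUTH)


def kerberoastable(records: List[dict]) -> Dict[str, List[str]]:
    """Enabled user (not computer) accounts with at least one SPN, mapped to their SPNs.
    krbtgt is skipped: its SPN is expected and the account is disabled by default."""
    return {r["sAMAccountName"]: r["servicePrincipalName"] for r in records
            if r["objectClass"] == "user" and r["servicePrincipalName"]
            and is_enabled(r) and r["sAMAccountName"].lower() != "krbtgt"}


def audit(records: List[dict]) -> Dict[str, object]:
    """One report a scheduled job can diff against its previous run."""
    return {"asrep_roastable": asrep_roastable(records),
            "kerberoastable": kerberoastable(records)}


if __name__ == "__main__":
    for r in RECORDS:
        print(f"{r['sAMAccountName']:12} {', '.join(decode_uac(r['userAccountControl']))}")
    print(audit(RECORDS))
```

The disabled and computer accounts are deliberately in the sample: a disabled account with the flag set cannot be roasted, and computer accounts always carry SPNs but have long random passwords, so reporting them only adds noise. Diffing the audit output between runs catches the flag being switched on and off again, the case mitigation 3 above warns about.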
Request a ticket using PowerShell, passing the SPN in the ticket request and receiving the service ticket.
We can see in the DC server’s Event Viewer an event related to the credential validation of the user test4.
Or
Mitigations
- Enforce robust password policies for service accounts.
Monitoring (SIEM)
- Monitor domain user accounts requesting large numbers of service tickets (Event 4769).
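Detection logic for this monitoring item and for the AS-REP Roasting monitoring item earlier (event 4738 changes to “Don’t Require Preauth”), as an added example that is not the booklet’s own code. EVENTS is a constructed sample of the fields a SIEM extracts from the Security log; the EventData names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, SubjectUserName) are the ones Windows logs, while the timestamps, hosts, SPNs and IP addresses are placeholders, and the user test4 and the worker/lowpriv accounts follow the booklet’s lab. The thresholds (3 distinct SPNs within 5 minutes) are assumptions to tune per environment.

```python
"""Detection logic for the two monitoring items in the booklet: event 4738 changes
that enable "Don't Require Preauth", and event 4769 bursts of service-ticket
requests from one account (Kerberoasting).

Added example, not the booklet's own code. EVENTS is constructed; names and
timestamps are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

RC4_HMAC = "0x17"  # TicketEncryptionType of RC4 tickets, the kind cracked against NTLM hashes


def ev(t: str, **fields) -> dict:
    fields["TimeCreated"] = datetime.fromisoformat(t)
    return fields


EVENTS = [
    # 4738: lowpriv switches the flag on for worker; a benign 4738 on another flag
    ev("2021-03-01T09:00:00", EventID=4738, SubjectUserName="lowpriv", TargetUserName="worker",
       UserAccountControl="'Don't Require Preauth' - Enabled"),
    ev("2021-03-01T09:01:00", EventID=4738, SubjectUserName="helpdesk1", TargetUserName="test",
       UserAccountControl="'Password Not Required' - Disabled"),
    # test: two AES tickets hours apart, normal use
    ev("2021-03-01T09:05:00", EventID=4769, TargetUserName="test", ServiceName="CIFS/fs01",
       TicketEncryptionType="0x12", IpAddress="10.0.0.21"),
    ev("2021-03-01T14:05:00", EventID=4769, TargetUserName="test", ServiceName="HTTP/web01",
       TicketEncryptionType="0x12", IpAddress="10.0.0.21"),
    # test4: four distinct SPNs in two minutes, all RC4
    ev("2021-03-01T10:00:00", EventID=4769, TargetUserName="test4", ServiceName="HTTP/web01",
       TicketEncryptionType="0x17", IpAddress="10.0.0.33"),
    ev("2021-03-01T10:00:20", EventID=4769, TargetUserName="test4", ServiceName="MSSQLSvc/sql01",
       TicketEncryptionType="0x17", IpAddress="10.0.0.33"),
    ev("2021-03-01T10:00:40", EventID=4769, TargetUserName="test4", ServiceName="CIFS/fs01",
       TicketEncryptionType="0x17", IpAddress="10.0.0.33"),
    ev("2021-03-01T10:01:30", EventID=4769, TargetUserName="test4", ServiceName="exchangeMDB/mail01",
       TicketEncryptionType="0x17", IpAddress="10.0.0.33"),
    # svc_backup: the same SPN three times is volume, not breadth
    ev("2021-03-01T11:00:00", EventID=4769, TargetUserName="svc_backup", ServiceName="CIFS/fs01",
       TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    ev("2021-03-01T11:00:10", EventID=4769, TargetUserName="svc_backup", ServiceName="CIFS/fs01",
       TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    ev("2021-03-01T11:00:20", EventID=4769, TargetUserName="svc_backup", ServiceName="CIFS/fs01",
       TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
]


def preauth_enabled_changes(events: List[dict]) -> List[Tuple[str, str]]:
    """(who, whom) for every 4738 whose UAC change text enables Don't Require Preauth."""
    return [(e["SubjectUserName"], e["TargetUserName"]) for e in events
            if e["EventID"] == 4738 and "Don't Require Preauth' - Enabled" in e["UserAccountControl"]]


def kerberoast_bursts(events: List[dict], window: timedelta = timedelta(minutes=5),
                      min_services: int = 3, rc4_only: bool = True) -> Dict[str, List[str]]:
    """Accounts that requested tickets for >= min_services distinct SPNs within `window`.
    Sliding window per account; the largest distinct-SPN set seen is reported."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and (not rc4_only or e["TicketEncryptionType"] == RC4_HMAC):
            by_user[e["TargetUserName"]].append(e)
    hits: Dict[str, List[str]] = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end, e in enumerate(evs):
            while e["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            services = sorted({x["ServiceName"] for x in evs[start:end + 1]})
            if len(services) >= min_services and len(services) > len(hits.get(user, [])):
                hits[user] = services
    return hits


if __name__ == "__main__":
    print("pre-auth enabled by:", preauth_enabled_changes(EVENTS))
    print("kerberoast bursts:", kerberoast_bursts(EVENTS))
```

Counting distinct SPNs rather than raw 4769 volume is what separates a roasting sweep from a busy service account, and restricting to RC4 (0x17) keeps the alert focused on tickets that are actually crackable; set rc4_only=False in environments where the baseline etype is already AES and any burst is suspicious.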
Attack prerequisites
• Password of a service account
Cracking the password
Mitigations
- Enforce user least privilege.
- Ensure that local users, administrator and service accounts use strong, unique passwords.
- Make sure that your Kerberos deployment is leveraging the Privilege Attribute Certificate (PAC) and requires the TGS to be signed by the KDC using the krbtgt encryption key.
In this attack, we assume a Domain Controller compromise in which the KRBTGT account hash is extracted, which is a requirement for a successful Golden Ticket attack.
Attack prerequisites
• Compromised Domain Controller
• Compromised user with the following rights (Replicating Directory Changes, Replicating Directory Changes All, Replicating Directory Changes In Filtered Set), generally Domain Admins
• Domain name/SID
Using the Mimikatz kerberos::golden command to create the Golden Ticket and impersonate any user
Using the Mimikatz Kerberos pass-the-ticket command (the ticket is loaded into memory)
Accessing the NTDS folder and ntds.dit (the database that stores Active Directory data and passwords). Later you can dump the credential hashes from the ntds.dit file.
Pass-the-Hash (PTH)
What is Pass-the-Hash Attack
Pass the Hash is an attack that allows a malicious user to move laterally and elevate privileges. Once the account is compromised, the attacker can use its NTLM hash, or another user’s NTLM hash found in memory, and replay it against other machines in your environment.
Screenshot showing group memberships (the user “lowpriv” is a low-privilege user, only a local administrator).
Trying to run the psexec command against the domain controller, we get access denied since the user does not have enough access/privileges to log in to the Active Directory server.
Elevate privileges and get access to the Domain Controller (using Mimikatz)
NB: in this scenario the administrator has logged in with his credentials to this PC. (The command prompt should be run as administrator.)
Replay the “administrator” password hash to Active Directory using PsExec. We were able to use PsExec and log on to the AD server (pass-the-hash technique).
Pass-the-Ticket (PTT)
What is Pass-the-Ticket Attack
Similar to the Pass-the-Hash attack, where we can pass a user’s NTLM hash without cracking it and authenticate as them, we can pass stored Kerberos tickets to access other network resources.
We have two options here: dumping TGT or TGS tickets. If we dump a TGT (depending on the level of access) we can then request access to any service within the context of this user. If we dump a TGS ticket, we can pass the ticket to the respective service.
Cached tickets exported (we are interested in the highlighted one, the administrator ticket)
Reusing the domain admin cached ticket and checking the output of kerberos::list
Accessing the domain controller “AD-lab” using psexec with the admin ticket
Trying to execute psexec again on the AD after purging the tickets. We get access denied, which is expected.
Policy in detail
Get-NetGPO
Enumerate permissions on the test policy using icacls (we have rights to edit the GPO)
If we take the other side (search for the policy “test policy”, click on it and check how many objects are affected by this policy), these are the objects that will be affected if we modify the policy for malicious goals.
Edit GPO
We logged in to the AD server using the recently added local admin account.
Mitigations
- Routinely audit the permissions associated with your GPOs (use BloodHound).
Detection
- Enable the GPO setting “Audit Directory Service Changes”. This provides you with event ID 5136 when GPO policies are modified.
Abusing ACLs/ACEs
Access Control Entries allow or deny permissions on an object in AD. DACLs are lists made of ACEs that identify the users and groups that are allowed or denied access to an object. When misconfigured, they allow a malicious user to escalate privileges and move laterally on the network.
Let’s check whether our user “lowpriv” has “GenericAll” rights on the AD object of the user Administrator (as a result, we were able to change the Administrator password with the user lowpriv).
Mitigations
- Routinely inspect objects’ DACLs (you can use BloodHound, PowerView).
Mitigations
- It is not recommended to delegate permissions directly to specific users. Instead, create a new security group and add users to it.
- Avoid using Deny permissions; they take precedence over Allow ones.
- Periodically audit the delegated permissions in the domain (using PowerShell, BloodHound, etc.).
- Do not grant any user permissions to manage the OU that holds admin accounts.