Active Directory

PENTEST ACTIVE DIRECTORY FROM SCRATCH

  1. Finding logins/passwords from outside the network
    1. Brute-force attacks on the various services reachable from the internet:
      1. Email (Office365, OWA)
      2. Communication (Lync, XMPP, WebEx)
      3. Collaboration (JIRA, Slack, Teams, etc.)
      4. Other services (CMS, Support, Jenkins, etc.)

Tools: Spray from Spiderlabs, Ruler

  2. Finding logins/passwords inside the network
    1. Inside the network but without an account
      1. Responder:

Simplified explanation: when a user on the network makes a DNS request that fails (for example, they look for a shared folder that no longer exists), the protocol that is used next is LLMNR (Link-local Multicast Name Resolution).

So when the victim PC cannot complete the DNS lookup, it asks everyone on the network whether they know where that folder is (network broadcast).

We can then use Responder to make the victim believe that we are the "hostname" it is looking for, and force the victim to authenticate to us with NTLMv2.

On the attacker's side, what we recover is not the NTLMv2 hash itself but the NTLM challenge/response hash.

All that is left is to crack it, with hashcat for example.

Small tip: if we do not want to, or do not have time to, retrieve this hash, we can use Responder to display an authentication pop-up, and the victim will type their password into it in clear text (works in 95% of cases).
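LLMNR reuses the DNS message layout on UDP port 5355 (multicast 224.0.0.252). The decoder below is an added example, not part of the original notes, and shows what a defender can do with captured LLMNR payloads: inventory which hosts are still falling back to LLMNR for names DNS could not resolve (those are the hosts a poisoner would get to answer) before disabling LLMNR through Group Policy. The sample packets, host addresses and queried names are constructed; `build_query` exists only to produce that sample input.

```python
"""Decode LLMNR (RFC 4795) name queries and summarise them per source host.

Added example, not code from the original notes. LLMNR queries use the DNS
header and question layout; only the transport (UDP 5355, multicast) differs.
"""
import struct

LLMNR_PORT = 5355              # UDP port used by LLMNR
LLMNR_MULTICAST = "224.0.0.252"  # IPv4 multicast group for LLMNR queries


def _read_name(payload, offset):
    """Parse a DNS-style label sequence; LLMNR queries carry no compression pointers."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer unexpected in query name")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_llmnr_query(payload):
    """Return (transaction_id, name, qtype) for a query, or None for a response."""
    if len(payload) < 12:
        raise ValueError("truncated LLMNR header")
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qdcount != 1:   # QR bit set -> response, not a query
        return None
    name, offset = _read_name(payload, 12)
    qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
    return tid, name, qtype


def build_query(tid, name, qtype=1):
    """Construct an LLMNR query payload (used only to create sample input)."""
    header = struct.pack("!6H", tid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def summarize_queries(packets):
    """Map each source host to the (lower-cased) names it asked for over LLMNR.

    Every host listed here has fallen back to LLMNR, i.e. it would accept an
    answer from any host on the segment. Disabling LLMNR on these hosts
    (GPO: Computer Configuration > Administrative Templates > Network >
    DNS Client > Turn off multicast name resolution) removes the exposure.
    """
    by_host = {}
    for src, payload in packets:
        parsed = parse_llmnr_query(payload)
        if parsed is None:
            continue
        _, name, _ = parsed
        by_host.setdefault(src, set()).add(name.lower())
    return by_host


# Constructed sample traffic: two workstations looking up stale names.
SAMPLE = [
    ("10.0.0.21", build_query(0x1234, "FILESRV01")),
    ("10.0.0.21", build_query(0x1235, "filesrv01")),
    ("10.0.0.37", build_query(0x2001, "oldshare")),
]

if __name__ == "__main__":
    for host, names in sorted(summarize_queries(SAMPLE).items()):
        print(host, sorted(names))
```

In a real deployment the `(src, payload)` pairs would come from a packet capture filtered on `udp port 5355`; the summary tells you which hosts still need the LLMNR policy applied.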

      2. MultiRelay (Responder ++)
    2. Enumerating users without credentials
      1. Abuse Kerberos

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='DomainName',userdb='PathToUsersWordlist' <DomainControllerIp>

      2. CrackMapExec (CME)

cme smb <ip> -d "DomainName" -u "UsersWordlist" -p "PasswordWordlist"

  3. After compromising your first victim
    1. Enumeration
      1. Network Info
  • netstat -anop | findstr LISTEN
  • net group "Domain Admins" /domain
      2. Process List
  • tasklist /v
      3. System Info
  • systeminfo
  • Get-WmiObject -class win32_operatingsystem | select -property *
      4. Password Search
  • dir /s *password*
  • findstr /s /n /i /p foo *
  • findstr /si pass *.txt *.xml *.ini

Python script : RTFM.py

    2. Privilege Escalation
      1. Unquoted Service Path
      2. Web / Windows cred
      3. UserSPN

We see several different shares, which we will try to connect to one after the other over SMB (Samba).

Searching the NETLOGON share, we find a file containing a "cpassword". But what is that?

cpassword is the name of the attribute that stores passwords in a Group Policy Preference item (note: it is in the Preferences subfolder that we found the file containing the cpassword). Whenever a preference needs to be saved with a password, the password itself is saved in this attribute. The attribute is simply a value in the XML, stored in the SYSVOL folder of the Domain Controllers.

Here is what a cpassword looks like:

A few seconds of searching on the internet turns up a tool called gpp-decrypt (already present in Kali) that can decrypt the cpassword:

  • root@kali:~# gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw

In the nmap results we saw that port 88 was open with the Kerberos service, hence the interest in service principal names (SPNs) that are associated with regular user accounts. That is why we downloaded and installed impacket from GitHub to use its Python script GetUserSPNs.py

https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py

We end up with a Kerberos hash:

which we store in a file and submit to hashcat:

  • hashcat -m 13100 hash.txt -a 0 /usr/share/wordlists/rockyou.txt --force --show

And there we find the password of an admin account.
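The step above (requesting service tickets for SPN-bearing user accounts, then cracking them offline with hashcat mode 13100, which is the RC4-HMAC ticket format) leaves a trace on the domain controller: Event ID 4769 records every TGS request, including the encryption type (0x17 = RC4-HMAC, 0x12 = AES256) and the requesting client. The detector below is an added example, not part of the original notes; it runs over constructed, flattened 4769-style records and flags two signals: RC4 requested for a user service account, and one principal pulling many distinct service tickets within a short window. The `key=value;` line format, account names, addresses and timestamps are all constructed stand-ins for real event fields.

```python
"""Flag Kerberoasting-style TGS requests in constructed Event ID 4769 records.

Added example, not code from the original notes. Real events would be read
from the Security log (e.g. via a SIEM export); the field names below mirror
the 4769 fields but the line format itself is a constructed simplification.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # etype requested by classic Kerberoasting (hashcat -m 13100)
AES256 = 0x12     # what a healthy modern client normally requests


def parse_event(line):
    """Parse 'key=value' pairs separated by ';' into a dict (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";") if "=" in part)
    fields["Time"] = datetime.fromisoformat(fields["Time"])
    fields["Etype"] = int(fields["TicketEncryptionType"], 16)
    return fields


def is_user_service(service_name):
    """Machine accounts end with '$' and krbtgt is the TGT service; neither is a roast target."""
    name = service_name.strip()
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect(lines, burst_threshold=3, window=timedelta(minutes=5)):
    """Return (account, client_ip, reason) findings for suspicious TGS activity."""
    findings = []
    per_client = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if not is_user_service(ev["ServiceName"]):
            continue
        key = (ev["AccountName"], ev["ClientAddress"])
        if ev["Etype"] == RC4_HMAC:
            findings.append((*key, f"RC4 TGS for user SPN {ev['ServiceName']}"))
        per_client[key].append((ev["Time"], ev["ServiceName"]))
    # Burst check: many distinct user SPNs requested by one principal in one window.
    for (acct, ip), reqs in per_client.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= burst_threshold:
                findings.append((acct, ip, f"{len(in_window)} distinct service tickets within {window}"))
                break
    return findings


# Constructed sample: jdoe roasts three service accounts; alice and WS01$ are normal.
SAMPLE_EVENTS = [
    "EventID=4769;Time=2024-01-10T09:00:01;AccountName=jdoe@PENTESTLAB.LOCAL;ServiceName=svc_sql;ClientAddress=10.0.0.21;TicketEncryptionType=0x17",
    "EventID=4769;Time=2024-01-10T09:00:02;AccountName=jdoe@PENTESTLAB.LOCAL;ServiceName=svc_web;ClientAddress=10.0.0.21;TicketEncryptionType=0x17",
    "EventID=4769;Time=2024-01-10T09:00:03;AccountName=jdoe@PENTESTLAB.LOCAL;ServiceName=svc_backup;ClientAddress=10.0.0.21;TicketEncryptionType=0x17",
    "EventID=4769;Time=2024-01-10T09:05:00;AccountName=WS01$@PENTESTLAB.LOCAL;ServiceName=DC01$;ClientAddress=10.0.0.21;TicketEncryptionType=0x12",
    "EventID=4769;Time=2024-01-10T09:06:00;AccountName=alice@PENTESTLAB.LOCAL;ServiceName=krbtgt;ClientAddress=10.0.0.50;TicketEncryptionType=0x12",
    "EventID=4769;Time=2024-01-10T10:00:00;AccountName=alice@PENTESTLAB.LOCAL;ServiceName=svc_sql;ClientAddress=10.0.0.50;TicketEncryptionType=0x12",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The RC4 signal only works as a detection if service accounts are configured to support AES (msDS-SupportedEncryptionTypes), so that a legitimate client never needs to ask for RC4; that configuration, together with long random service-account passwords or group Managed Service Accounts, is also what makes the cracking step above fail.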

We will now use the Metasploit or impacket (as you wish) Psexec script. Psexec lets us run a command remotely on the victim and return the result.

From there you will have control of the victim with administrator rights. TADA!

    3. Dumping Clear-Text Credentials

Passwords stored in clear text on a Windows host allow penetration testers to perform lateral movement inside an internal network and eventually compromise it fully. Therefore, on a system that has been compromised with elevated access (Local Administrator or SYSTEM) and where persistence has been achieved, the hunt for clear-text passwords should be one of the first post-exploitation activities: it is the easiest and fastest way to reach domain administrator privileges while being less noisy.

The article contains Windows locations where passwords might exist and techniques to retrieve them.

LSA Secrets

LSA Secrets is a registry location that contains important data used by the Local Security Authority, such as authentication material, data for logging users on to the host, the local security policy, etc. This information is stored in the following registry key.

HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets

Because of the sensitivity of this information, Windows protects access to the Security key in the registry with permissions. By default only the SYSTEM account can access the LSA Secrets registry location.

LSA Secrets – Registry Permissions

Granting the appropriate permissions to the administrator account and re-opening the registry will reveal all the subkeys contained in the Security key.

LSA Secrets – Registry Location

This location contains the password of the logged-on account in an encrypted format. However, the key needed to decrypt the password is stored in the parent key: Policy.

HKEY_LOCAL_MACHINE\SECURITY\Policy

Apart from Security, the registry hives of interest are SAM and System, as they contain password hashes. From an elevated command prompt the hives can be saved with the reg utility.

reg save hklm\sam c:\temp\sam.save
reg save hklm\security c:\temp\security.save
reg save hklm\system c:\temp\system.save

Dump Registry Hives

The Impacket suite contains a Python script that can read the contents of these registry hives and decrypt the LSA Secrets password.

impacket – Registry Hives

Alternatively there is a post exploitation module in Metasploit that can be used from an existing Meterpreter session to retrieve the password in clear-text.

post/windows/gather/lsa_secrets

Metasploit – LSA Secrets

The same output can be achieved with the lsaSecretRead binary.

lsaSecretRead.exe DefaultPassword

lsaSecretRead – Read LSA Secret Password

LSASS Process

The Local Security Authority Subsystem Service (LSASS) handles the enforcement of security policy on a Windows host. In Windows environments from 2000 to Server 2008 the memory of the LSASS process stored passwords in clear text to support WDigest and SSP authentication. Therefore tools such as Mimikatz could retrieve the password easily.

procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1

Procdump – lsass process

Starting with Windows 8.1 and Windows Server 2012, Microsoft further hardened the system by preventing LSASS from storing passwords in clear text. However, on a system that has already been compromised with elevated credentials, a minor registry modification can instruct the LSASS process to store clear-text passwords in its memory at the user's next logon.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "UseLogonCredential" (DWORD)

Mimikatz – Registry Setting for Windows 2012 and 2016

Metasploit Framework has a post exploitation module which can be used to enable caching of Wdigest authentication by modifying the registry automatically.

post/windows/manage/wdigest_caching

Metasploit – WDigest Caching
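Because the registry change above is what re-enables clear-text caching, a defender can detect it by exporting the WDigest key on a schedule (`reg export` produces a text `.reg` file) and checking the value. The audit below is an added example, not part of the original notes or of any tool it names; it parses the `.reg` text format and reports a non-zero UseLogonCredential. The RunAsPPL check (LSA Protection, which stops unprotected processes from reading LSASS memory) is an extra hardening item I added for completeness and is not mentioned on the page. Both sample exports are constructed.

```python
"""Audit a .reg export for the WDigest UseLogonCredential value (and RunAsPPL).

Added example, not code from the original notes. Input is the text produced
by `reg export HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest out.reg`;
real exports are UTF-16LE with a BOM, so read them with encoding="utf-16".
"""
import re

WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for every DWORD value in a .reg file."""
    hives = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            hives.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            hives[current][m.group(1)] = int(m.group(2), 16)
    return hives


def audit(hives):
    """Return human-readable findings; an empty list means both settings are safe.

    UseLogonCredential is absent or 0 by default on Windows 8.1 / 2012 R2 and
    later, so only an explicit non-zero value is reported.
    """
    findings = []
    wdigest = hives.get(WDIGEST_KEY, {})
    if wdigest.get("UseLogonCredential", 0) != 0:
        findings.append("WDigest UseLogonCredential=1: LSASS will cache clear-text passwords at next logon")
    lsa = hives.get(LSA_KEY, {})
    if lsa.get("RunAsPPL", 0) == 0:
        findings.append("LSA RunAsPPL not set: LSASS is not running as a protected process")
    return findings


# Constructed export from a host where WDigest caching has been switched back on.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001
"""

# Constructed export from a hardened host.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(name, audit(parse_reg_export(text)) or ["OK"])
```

A value of 1 found by this audit on a host that should never have it is itself an indicator of compromise worth investigating, since it is exactly the change the wdigest_caching module makes.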

Mimikatz can be used offline in order to read the contents of the LSASS dump and especially sections that contain logon passwords.

mimikatz.exe "log" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" "exit"

Mimikatz – LSASS dump

The password of the John user was retrieved in plain-text through WDigest authentication protocol.

Mimikatz – ClearText Password in LSASS

Alternatively Mimikatz can be dropped into the target if the system doesn’t have an endpoint solution or if the binary has been modified to evade detection.

privilege::debug
sekurlsa::logonPasswords full

Mimikatz – Logon Passwords Command

Metasploit Framework has an extension which can be loaded to Meterpreter in order to execute Mimikatz commands directly from memory.

Mimikatz – Kiwi Meterpreter Extension

WDigest authentication credentials can be retrieved by executing the following command:

Mimikatz – wdigest credentials via Meterpreter Kiwi

Windows Credential Editor can also retrieve WDigest passwords in clear text from older Windows environments (XP to Windows 8). If the environment is Windows Server 2012, 2016, Windows 8.1 or Windows 10, the Mimikatz method is more reliable.

wce.exe -w

Windows Credential Editor

Running the PowerShell module of Mimikatz directly from the console, or executing it from memory, will also retrieve the password from the LSASS process.

Mimikatz – PowerSploit

Credential Manager

Windows uses Credential Manager to store various other credentials in an encrypted format by means of the Windows Data Protection API. Credentials that the user has used to access an internal system over the web or a network resource can be retrieved.

Running LaZagne on the target host can retrieve all the passwords stored on the system in various formats (not only plain text).

LaZagne

Browser-based passwords, however, will be retrieved in plain text. This could give the penetration tester the opportunity to expand their access to various other systems.

LaZagne – Browser Based Passwords

Nikhil Mittal developed a PowerShell script which is part of the Nishang framework that can be used to retrieve passwords from the Windows Vault similar to LaZagne tool.

Nishang – Get-WebCredentials PowerShell Script

Group Policy Preferences

Windows workstations that are joined to a domain have access to the Groups.xml file on the domain controller. Often this file is also cached locally on the workstation. The location of this file on the Domain Controller and on the host itself can be seen below:

\\DC.PENTESTLAB.LOCAL\SYSVOL\pentestlab.local\Policies\{xxx}\MACHINE\Preferences\Groups\Groups.xml
C:\ProgramData\Microsoft\Group Policy\History\{xxx}\Machine\Preferences\Groups\Groups.xml

This file contains the cPassword value in an encrypted format, but with a publicly known key. Various scripts can decrypt the cPassword value. Metasploit Framework can also automate the task with the post exploitation module below.

post/windows/gather/credentials/gpp

Metasploit – Decrypting GPP Passwords

Full details of decrypting GPP passwords can be found in the article Group Policy Preferences.
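Since the cPassword key is public, any preference file that still carries the attribute is effectively a clear-text credential sitting in SYSVOL (and in the local Group Policy History cache). The scanner below is an added example, not part of the original notes or of any tool named here; it serves both the NETLOGON cpassword discovery earlier in the page and the Groups.xml section here. It parses GPP XML files, reports every element that carries a cpassword attribute (Groups.xml is shown, but Services.xml, ScheduledTasks.xml, DataSources.xml and Drives.xml use the same Properties layout), and can walk a SYSVOL mirror to find them all so they can be removed. The sample XML, account names, dates and the placeholder cpassword string are constructed.

```python
"""Find cpassword attributes in Group Policy Preference XML files.

Added example, not code from the original notes. It only locates and
inventories the attribute; the remediation is to delete the preference
item (or reset the account) and rotate the exposed password.
"""
import xml.etree.ElementTree as ET
from pathlib import Path


def find_cpasswords(xml_text, source="<memory>"):
    """Return one dict per GPP element whose Properties child carries cpassword."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        props = elem.find("Properties")
        if props is not None and "cpassword" in props.attrib:
            hits.append({
                "file": source,
                "element": elem.tag,
                # Groups.xml uses userName; Services.xml uses accountName; tasks use runAs.
                "account": props.get("userName") or props.get("accountName") or props.get("runAs") or "",
                "changed": elem.get("changed", ""),
                "cpassword_len": len(props.get("cpassword")),
            })
    return hits


def scan_sysvol(root_dir):
    """Walk a SYSVOL\\<domain>\\Policies mirror (or the local History cache) for hits."""
    hits = []
    for path in Path(root_dir).rglob("*.xml"):
        if "Preferences" not in path.parts:
            continue
        try:
            hits.extend(find_cpasswords(path.read_text(encoding="utf-8"), str(path)))
        except (ET.ParseError, UnicodeDecodeError):
            continue   # not a GPP file; skip rather than abort the whole scan
    return hits


# Constructed Groups.xml: one user preference still carrying a cpassword, one clean.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator (built-in)" changed="2015-02-18 01:53:01">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED_CPASSWORD_PLACEHOLDER"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="Administrator (built-in)"/>
  </User>
  <User name="helpdesk" changed="2016-05-02 10:00:00">
    <Properties action="U" newName="" fullName="Helpdesk" description=""
                changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0"
                userName="helpdesk"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for hit in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(hit)
```

Run `scan_sysvol` against a read-only copy of `\\<dc>\SYSVOL\<domain>\Policies` from a domain-joined admin workstation; every hit is a credential to rotate, and the `changed` timestamp tells you how long it has been exposed.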