
Demystifying Common Active Directory Attacks | Venkatraman K | BSides Delhi 2020

BSides Delhi · 2020 · 48:49 · 469 views · Published 2020-11
About this talk
Demystifying Common Active Directory Attacks

Active Directory is used by more than 90% of Fortune 1000 companies; the all-pervasive AD is therefore a focal point for adversaries. This talk demonstrates the common attack scenarios in an Active Directory environment that can be witnessed in an infrastructure assessment. Some of the attacks are walked through alongside Wireshark captures to understand the packet flow. The presentation begins by briefing the basics of Kerberos authentication, such as the Key Distribution Center, Ticket Granting Ticket and Ticket Granting Service, and their role in the authentication flow. It then gives insights into the following Active Directory attacks:

- AS-REP Roasting attack
- Kerberoasting attack
- Kerberos Golden Ticket attack
- Kerberos Silver Ticket attack
- DCSync attack
- DCShadow attack

Slides: https://drive.google.com/file/d/1HyOjJVSjxxyAEmMMK6jCIdpb2sn_NtSw/view

Venkatraman K

Venkatraman K is a passionate information security enthusiast from India who is working as a Security Analyst in a cyber security startup. With over 3 years working in different subdomains of cyber security, he constantly finds himself engaged with learning, reading and discussing infosec, participating in CTF challenges, conducting workshops and webinars on cybersecurity, participating in bug bounty programs, writing blogs, and spending his weekend nights solving Hack The Box challenges. Follow his blog (https://r3dw0lfsec.in/) for awesome infosec articles.

I'm very pleased to bring on to the stage Venkatraman. Okay, hello Venkatraman, how are you?

Yeah, hello, how are you doing here? Hope you're safe.

Good, yes, all very good, thank you. And where are you calling in from today?

I'm at Chennai, which is in India.

Yes, yeah, absolutely, good to hear it. So you will be talking about demystifying common Active Directory attacks.

Yeah, that's the topic.

What made you interested in this in the first place?

Yeah, the thing I'm interested about is red teaming assessment, and when it comes to red teaming assessment the common environment you face is Windows, which is in most of the corporates, and I guess this is the basic stuff you need to know when you get to an engagement there.

Yeah, yeah, very good. So I'm sure plenty of audience members will be interested in this, so please bring up your slides and we will get those on the screen.

Sure, so I will be sharing my entire screen here, since I have the demos to show. If anything goes wrong, please be sure to tell me.

Absolutely, and we can all then pray to the demo gods.

Is my screen visible?

No... yes, it is. You want to bring up the screen? There we go. Okay, excellent. So, Demystifying Common Active Directory Attacks. Take it away, Venkatraman.

Yeah, sure. So the topic for today's session would be Demystifying Common Active Directory Attacks, so let's get to it. The agenda for today's topic would be the basics of Kerberos authentication; technical terms like KDC, TGT and TGS tickets will be explained. I will also show a demo along with the explanation of common Active Directory attacks like the AS-REP roasting attack, Kerberoasting attack, DCSync attack, DCShadow attack, and golden and silver ticket attacks. There are more when you dig deep into Active Directory attacks, but these are the things that I would be sharing with you today.

So this is just a small disclaimer here. All the demos and the explanations given here are to give you a basic insight into Active Directory attacks that you would face in CTFs and real-world engagements, and in order to understand each attack you need to dig deep into it. I have provided enough reference links in each attack; hope that would be helpful. I have configured my demo accounts in such a way that the password is set as Password@123 in order to reduce the password cracking time. And the last one is, I love memes; if the memes are too much, sorry, try to enjoy it. That's it.

So, who am I? My name is Venkatraman and I go by the cyber name Red Wolf. I'm working as a security analyst at Walt Infosec, chapter lead of OWASP. I hold a couple of hall of fames. I love playing CTFs; I have won a couple of Red Team Village CTFs. Technical member of Tamil Nadu Cyber Security Council. If you have any doubts or any queries, make sure you ping me over Instagram and Twitter; these are my handles.

So let's get to the session. What is Kerberos authentication? In simple terms, basically it's an authentication protocol which is used widely in Windows environments, and it is pretty advanced, and it is an alternative to NTLM, which is majorly used too. So the major technical terms here are KDC, which stands for Key Distribution Center; TGT, Ticket Granting Ticket; and TGS, Ticket Granting Service. So let's see what those are.

KDC stands for Key Distribution Center. This is the place where the user and the service tickets are generated upon verification of the request that is being sent from the client. This also has components like the password database, the authentication server and so on. I wouldn't be explaining much about that, since I don't want to stretch it along.

Next comes the Ticket Granting Ticket. It is the initial authentication where the user is verified and the KDC provides a ticket. This ticket is encrypted using the krbtgt account's password, which is a computer account which is handled by the domain controller itself. This TGT ticket is cached on the client machine, and the request to access any other service from the client machine uses this ticket, skipping the initial step of authentication.

So let's now move on to the TGS ticket. TGS stands for Ticket Granting Service. When the user has the TGT ticket and the session key, the user requests the KDC to get TGS tickets; once the TGT ticket provided by the client is verified, a ticket is generated which is encrypted using the service account's password, which is the TGS ticket.

So let's see the authentication flow here. The pre-logon or the initial authentication consists of two requests; one is the service request from the user to the KDC. In this authentication there are only three actors: one is the client, another one is the domain controller, which in turn means the KDC too, and another one is the service that the client is trying to access. The first step comes when a user generates a request to the KDC. This request is encrypted using the user's password; the request is the current timestamp, and this is sent to the KDC. Since the KDC has all the clients' passwords, all the users' passwords, the request sent from the client is decrypted and the timestamp is verified, and upon verification the KDC generates a ticket, which is the user ticket, and it is sent in the AS-REP response. This also has a session key, which is encrypted using the user's password. Once the client gets these two things from the KDC, the client or the user again sends a request for the SQL service to the KDC, and upon verification the KDC provides the TGS response. This TGS response consists of two parts: one is the TGS ticket, which is encrypted using the service account's password, and the new session key, which is always encrypted using the user's password. With these two the user can access the SQL service; the user basically sends the TGS ticket, the decryption takes place there, and the authenticity of the TGS ticket is verified.

So let's move on to our first attack. The first attack is the AS-REP roasting attack. Basically it focuses on the initial step of authentication. During the pre-authentication of the initial login phase, the user enters the password, and this is used to encrypt the current timestamp, and it is sent to the domain controller. Once the domain controller receives it, it verifies it by decrypting the key using the password, and the timestamp is verified in order to avoid replay attacks. Upon verification it generates a ticket, which is the TGT ticket, and as I mentioned earlier it is encrypted using the krbtgt account's password. It's not too long, but it's very complex; it's hard to crack. This krbtgt account's password is changed every 30 days by the domain controller itself; it's an automatic process, this happens for all the computer accounts in the domain controller. It also sends a session key, and this session key can be decrypted offline. So when pre-authentication is disabled on a user account, an attacker could request the TGT ticket, and in response the attacker would receive the TGT ticket along with the session key; from the session key the password can be extracted.

So in order to show the demo, I have set up my Windows machine. Let me just show you my things here.

Okay, yes. So is my screen visible?

Yep.

Okay, it's cool. So let's see, this is the Active Directory Administrative Center that I have configured. I just want to preview certain accounts that I have configured here. One is rastamouse, and another one is Brad Owen, and he is a part of domain admins, and he is a normal domain user. This SQL service account is also a part of the domain admins group; this account I have created in order to perform the Kerberoasting attack, which I would explain later. So let's now switch over to my attacker machine, which is the Kali. In order to perform the AS-REP roasting attack I will be using an Impacket script; you can also use PowerShell scripts here. There are many tools for it, but for the demo I will be using Impacket here. So the Impacket script that I will be using here is GetNPUsers. Let's see the structure of the Impacket script here. Almost all of the Impacket scripts have default arguments, which are the domain name and the username. If you have added the domain controller IP address in your virtual host list, you don't need to mention this; I mean you don't need to explicitly mention the domain controller's IP here. If you haven't, then you need to mention it explicitly. So let's try to get this done. My domain name is htb.local; I am going to retrieve the hash for rastamouse, who has Kerberos pre-authentication disabled. The IP of the domain controller is .102. Okay, so I have retrieved the response here, which is the Kerberos session key, and this can be decrypted offline. Before decrypting it, I just want to mention where this attack can be useful. This probably you won't be able to see in a real-world engagement, whereas in a CTF or in solving Hack The Box machines or in a red teaming thing you would be able to. When you have certain usernames or employee names, you can generate a list of possible usernames and you can add them using this flag, and it would check whether the usernames that you have added have Kerberos pre-authentication disabled. So let's try to crack it. Let me copy it; I will be saving it in asrep. So let's save it.

So I will be using hashcat to crack this hash. Of course you can use John too, but I feel comfortable using hashcat.

Hi there, can you zoom in on your screen somewhat, please?

Sure.

Of course, we can't see much.

Okay, okay, let me just... Okay, I'm not sure about... okay.

If it's not possible then so be it, but...

Yeah, let me just check it out once again. I'm not sure why this isn't applying. Okay. Sorry for that.

That's where it is. Okay, then, yeah, I guess we'll just have to carry on and everybody squint.

Sure. So, okay, here I have specified the domain name. So I know that... okay, this is a hashcat thing, so we'll see which module we would be using here. We know that this is an AS-REP response, and the encryption type is 23, so this is the module that we would be using here. Okay, and I would be using the common wordlist rockyou; hope you are familiar with it. Let's see. So in the interim let's switch over to our domain controller and let me show you that this has been misconfigured. Let's go to properties here, and in the properties we can see other options. In this, this has been explicitly set: "Do not require Kerberos preauthentication" is checked here. So this is the key thing which is responsible for retrieving the Kerberos hash on our attacker machine. So yes, I guess the hash is cracked. I have a client machine which is set up here; this is the client machine, this is connected to the AD, and this client machine's administrator is rastamouse, which is our rastamouse. So I will try to execute commands over it for this one time, and I wouldn't be cracking the hashes in all the attacks right now; this is just a quick demo. So I will be using psexec here; of course you can use Impacket tools like smbexec, or evil-winrm if the WinRM port is enabled on the target machine. So let's see.

So again this has a format here: domain name/username@the client machine which you are going to target here. So the IP address is .128 and the domain controller's IP address is 192.168.0.102. Let's fire it up, and this is asking for the password, and I have entered the password that we got earlier, and we have got it. So we have got the administrator of the system. This has happened only because the user rastamouse is a local administrator on the client machine, which is 192.168.0.178. So let's switch over to our presentation, and yep, this is the screenshot that I showed. The catch here is that it is nearly impossible to find this configuration in a real-world engagement, whereas you can find it in Hack The Box machines or Active Directory labs, which would be helpful. I guess it is one of the basic attacks that you need to know when it comes to red team assessments. So I have attached all the possible demos here; I mean, the attacks that I would be performing I have captured as a screen video and attached to my presentation here. The thing is, I am running three VMs here and I don't know when they would mess up, so in order to be safer I have added the videos here. When I share my presentation, hope you would check it out; you can ask questions too.

So this is the screenshot where I have Wireshark listening on my ethernet and firing the AS-REP roasting attack here. This is the request that is being sent to the KDC here. Without entering the password, the AS-REP response is generated, and this is the TGT ticket, and as I mentioned earlier this cannot be cracked since it's encrypted using the krbtgt account's password, and this is the session key which can be brute forced online. Kindly make a note that this attack possibly retrieves different hashes whenever you try it out; the thing here is that one of the things that is being encrypted is the current timestamp, so it's its nature that the hashes would vary. So when pre-authentication is enabled, it throws an error like "pre-auth is required" from the KDC; this is the error you would be seeing when you run that Impacket script. So these are some cool references, hope you check it out.

Let's now move on to the next attack, which is the Kerberoasting attack. The Kerberoasting attack comes into play when you have certain credentials of a domain user. Basically what it does is it harvests the password hashes of the accounts which have SPN values, or service principal name values, set on them. This misconfiguration usually takes place when a user account is configured as a service account through the domain administrator adding the SPN values. Generally what happens is that when an authenticated user in the DC requests to access a service, the TGS ticket is generated by the KDC and given to him. This TGS ticket is encrypted using the service account's password, and it comes along with the session key, which is encrypted using the user's password. When this is configured by an administrator or by a person, the password for the service account generally seems to be very weak and it can be brute forced, whereas when it's configured by the domain controller itself it's hard to crack. So that is the catch here. This is the image where the misconfiguration is: this is the user account sqlservice, this is the service principal name, and this is the service that has been configured here.

So let's see the demo here. Let's exit the shell. Again I will be using an Impacket script, which is GetUserSPNs. I am specifying the domain name here, htb.local. I know that rastamouse is the username whose credentials I have, and he is a part of domain users. I am specifying the password explicitly, and let me give the domain controller's IP address again, and I will be giving an extra thing called target IP, which is required to extract the service account's hash. .102. Okay, I guess it's not required. Yep, so this retrieves the SPN values whose accounts have been set, so we'll try to request the TGS ticket here. Okay, I guess there is some issue with my time. Okay, I expected this.

Let me just restart my VM here. I have attached the video here, so let's play it.

I said something might go wrong; this is the thing. So, yep.

Yeah, so this is the thing, and this is the video I've added. So let me just give this: I am giving the request option and I am entering the password here. In the previous condition I was not prompted to enter the password because I had explicitly mentioned it here, so this didn't come. Once this has been given, the krbtgt has been generated. The thing that was going wrong here is that the time difference between the domain controller and my Kali machine is too high, and the domain controller thinks that it's a replay attack; that's the thing. Probably if this issue is resolved, I will try to show this demo. Let's go back here. So this is the place where the misconfiguration has happened: the Services window. This is the place, Windows Services, and the SQL service has an authentication, or the logon, of the domain user sqlsvc of htb.local, and the password has been given here. So this service uses the domain user's account; this is the reason we were able to get the TGS ticket. So this would be the basic flow, again the Wireshark flow here, and this is the TGS response, the TGS ticket, and hope you could see it here: the hashes start with the same thing, and this is the session key, the new session key, and we don't need to bother with it, I guess.

These are some references. Let's try to fire the command again; I guess there won't be any issue now. Okay, the time has changed. Yep, I guess I won't be able to use my Kali machine here, at the time... okay, it looks good. Okay. I am specifying the password here itself so that I don't get a prompt. Yep. Okay, oh lol, I don't know what this thing is that's happening. Yeah, I have retrieved the hash successfully here, so let's copy this and let's crack it here. I haven't copied it completely. So again let's see the module which we would use in cracking the hash. This is a TGS response and we are going to crack a TGS ticket, so let's see. I guess this would be the module that we'll be using, 1300 I guess, and this is the password. Again I will be using the wordlist rockyou here. The note I need to mention here is that usually all the service accounts would be a part of domain admins; it's the most common scenario where a service account has domain administrator privilege so that they can access all the things in the service. So that's the thing here. We have retrieved the hash successfully now.

So let's move on to the next attack. This is called the DCSync attack. The DCSync attack is probably the last part of the engagement, or the last part of privilege escalation, usually. When you have the domain administrator credentials, or a user credential who is part of the domain admins or the enterprise admins, then you would have access or the permission which is Replicating Directory Changes All or Replicating Directory Changes. This attack basically is a credential dumping attack which simulates the behavior of replication of a domain controller. This is what the attack flow would be: the attacker, who has a compromised account which has the permission of Replicating Directory Changes All or Replicating Directory Changes, requests the domain controller for replication via GetNCChanges, and the domain controller responds with the replication process after verifying the request, and the credentials are dumped. I will be using secretsdump.py. When the replication process is initiated, secretsdump only requests the files or the credentials which are present in the credential database, which is the ntds.dit file, so the whole database. So let's move on to the demo now. I will be using secretsdump. Okay, let me... I guess I would be prompted to enter the password. Okay, I need to mention the target IP here since I'm using the service account. Okay, okay, yep, this usually happens here. So we are able to dump the NTLM hashes for all the accounts present in the domain controller; this includes the domain admins, the computer accounts. We are able to dump the hashes of accounts like our rastamouse NTLM, the SQL service NTLM; we also retrieve the krbtgt account's password NTLM. Let me just copy and note the entire hash of the user administrator and krbtgt, which I would be using later in generating the golden and silver tickets.

Let me just cross-verify it. Yep, okay. So this is all about the DCSync attack. Let's move on to my presentation here. So this is the thing, yep; here are the references, hope you check it out. So now let's move on to a similar attack, which is the DCShadow attack. When it comes to the DCShadow attack, the key difference between DCSync and DCShadow is that DCSync only dumps the credentials of the computer and user accounts present in the domain or the domain controller, whereas with the DCShadow attack you would be able to modify the objects and the attributes of the objects of the domain controller. We are leveraging the same replication process. The DCShadow attack basically sets up a rogue domain controller on the network and pushes the changes to the original domain controller, so you would make changes to the original domain controller via the rogue domain controller that you have set up. So let's see the process flow here. There are two requirements here: one is the credentials of a user who is a part of domain admins, and another one is SYSTEM privilege access to one of the machines present in the AD environment. I would be using Mimikatz to perform this attack. You can upload Mimikatz on the machine and start Mimikatz with administrator privilege in two shells: one is for creating the rogue domain controller and setting up the changes in it, and another one is for pushing these changes to the original domain controller. I have given the commands here, and this is the demo file, hope you check it out.

So let's now move on to my client machine. This is the client machine, and let me just open cmd. I have logged in as bowen, who is a part of domain admins, and this is the SID of bowen. So let's now fire up the Mimikatz thing here. Of course, in an engagement what you would do is you would compromise the client and you would use any tool like evil-winrm or smbexec or psexec here. So let me run this as an administrator; I will also have another shell here. Let's check whether the DLL files are imported here; we have the drivers imported successfully. Let's also check whether the token is SYSTEM. Yep. So let's generate the rogue domain controller here. The object that I would be changing here is rastamouse, and the attribute I would be changing here is description, and the value here would be "BSides"; I need to give it in quotes. So that's it, let's fire it up. Yep, so we have created it. This is waiting for the push command that we need to give. Before that, as I said earlier, we need to have domain admin access here, right? So we need to impersonate the token here. What we'll do is we'll do that impersonation first. Yep. So I would be using the sekurlsa module here, and I would be impersonating as administrator in order not to take any chance. The domain here is htb.local, and the NTLM hash for administrator I have copied; let me paste it, and we are going to impersonate it. Okay, I have misspelled it, I have added an extra character here, oh lol. Okay, so the token impersonation has been successful, I guess. Let's see by firing the command token::whoami. Yup. So we'll now do the push. Oh sure, yeah, this has been reflected, I guess. Let's go to the domain controller and see it. Yeah, this is the thing. So the key difference is that the DCShadow attack allows you to modify the domain objects and the attributes of the domain objects, which would be helpful in making a persistent connection or setting up a backdoor to your C2 framework. So this is the image, and yep, okay, these are some references.

Let's now move on to the golden ticket. The golden ticket attack, as the name says, basically provides you complete and unlimited access over the domain controller. An attacker who has the credentials of the krbtgt account, or the NTLM hash of the krbtgt account, can frame the TGT ticket and access any service in the AD. The possible ways of exploiting this are issuing tickets for users that don't exist, adding users to groups to which they don't belong, or issuing tickets with a lifetime... I mean, the expiry time of the TGT ticket can be set to 10 years or so. The requirements in order to perform this attack are the domain name, the domain SID, the krbtgt account's NTLM hash, and the user that you are going to impersonate. So again I will be using my client here, so let's close this.

Let's fire it up again; I will be running it as administrator. So we need the domain SID here, right? This is the SID of the user's account; one part of it, till this, is the SID of the domain, and this is the RID of the user account bowen. So what we'll do is we'll use the kerberos module here, golden, and we are going to impersonate our administrator, and we will be using the domain htb.local, and the SID is... and for krbtgt I have captured the hash here. So I will be generating a ticket with administrator privilege, which comes with ID 500, right? So let's... yeah, the ticket is saved here. This is the ticket, and we'll use this. In order to use this you need to import it, so I will be importing it using this command. Okay, so let's fire up a command from this. So this is the... I guess the ticket has been imported, I guess. Let's list the tickets that are present in this domain. Yeah, we have administrator here. So let's try to do an attack where the administrator has privilege. I will be trying to load the C directory of the domain controller to this client machine as a shared folder here. Let's give it, and so this is the thing here; I guess the command has been successful. Let's try to list it out. So these are the directories of the C drive of my domain controller. So this is the thing.

So let's now move on to... yeah, I have captured the demo here. I guess we lag behind the time, so let's quickly see what a silver ticket attack is. The silver ticket attack is similar to the golden ticket; the key difference is that the golden ticket provides you unlimited access, whereas a silver ticket provides you access to specific services. Once you have compromised the password for a service account, or the password hash for the service account, you would be able to generate TGS tickets for any user present in the domain in order to access the service. So its scope is limited, but it is very stealthy and more easily achievable than the golden ticket. The requirements to perform this attack are the SID of the user you are trying to generate, the domain name, the target service, the username and the NTLM hash for the service account. So let's go here. I will just kill all the Kerberos tickets here; klist purge would do it. I have deleted all the Kerberos tickets here. So let's try to generate the silver ticket here. I would be using the golden module itself, but instead of specifying the SID of the entire domain, I would specify the entire SID of the user, and I would specify the account's password along with the service name and the target here. So let's provide the SID here; I guess I have the SID here, yep. The domain is htb.local, and the user is bowen. bowen stands for Brad Owen; I have taken the initial letter of the first name and the complete last name. This is usually the naming convention present in your AD, I mean when it comes to Active Directory. So let's provide the target here, and let's provide the service here. Let's also provide the password hash. Since the password is the same for all the things, which is Password@123, the password hash wouldn't vary. So let's... yep, the ticket has been saved, I guess. Let's import it again using kerberos::ptt, and oh, I haven't specified the file. I have imported it successfully. Let's run a command here. So let's list the things. Yeah, hope you could see that the service ticket, I have got it for sqlsvc. So this is it, and this is the screenshot, the references. Yeah, this is it. Thank you. Let me stop presenting my screen.

Thank you very much, Venkatraman. You brought that in just in time, during extended play as well, so just in time. Looks like you didn't pray to the demo gods quite so hard as you needed to.

Yeah, I guess the timing got screwed up, so I had to restart my attacker machine here, so things messed up.

Ah, it's not a reason if it is... yeah, thank you for understanding.

No, but, no no, thank you very much indeed, and in the absence of a real applause
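The attacks walked through above that talk to the domain controller each leave a distinct footprint in the DC's Security log: an AS-REP roast shows up as a TGT request (event 4768) with pre-authentication type 0, Kerberoasting as a service ticket request (event 4769) for a user-account SPN with RC4 encryption, DCSync as a directory access (event 4662) exercising a replication extended right from something other than a DC, and a forged golden ticket as service ticket requests for an account the KDC never issued a TGT to. The script below is an added example, not code from the talk or its slides: it runs those four checks over a handful of constructed event records whose field names follow the Windows Security log. The account names, addresses, the DC allow-list and the single-window heuristic for the golden-ticket check are assumptions.

```python
"""Detection checks for the Kerberos and replication abuse discussed in the talk.

Added example (not from the talk). Event records are constructed to mimic parsed
Windows Security events 4768, 4769 and 4662; names, addresses and the DC
allow-list are assumptions.
"""
from typing import Dict, List, Set, Tuple

Event = Dict[str, str]

RC4_HMAC = "0x17"  # legacy ticket etype; AES is 0x11 / 0x12

# Extended rights used for DCSync-style replication (DS-Replication-Get-Changes,
# -All and -In-Filtered-Set) as they appear in the Properties field of 4662.
REPLICATION_RIGHTS: Set[str] = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}

# Machine accounts that legitimately replicate: the domain controllers (assumed).
DC_ACCOUNTS: Set[str] = {"DC01$"}

# Constructed sample log, roughly in the order the attacks were demonstrated.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "4768", "TargetUserName": "rastamouse", "PreAuthType": "0",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "192.168.0.50"},
    {"EventID": "4768", "TargetUserName": "bowen", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "192.168.0.178"},
    {"EventID": "4769", "TargetUserName": "rastamouse@HTB.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": RC4_HMAC,
     "IpAddress": "192.168.0.50"},
    {"EventID": "4769", "TargetUserName": "bowen@HTB.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12",
     "IpAddress": "192.168.0.178"},
    {"EventID": "4769", "TargetUserName": "administrator@HTB.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12",
     "IpAddress": "192.168.0.178"},
    {"EventID": "4662", "SubjectUserName": "bowen",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "SubjectUserName": "DC01$",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def _user(name: str) -> str:
    """Normalise 'user@REALM' / 'USER' to a bare lowercase account name."""
    return name.split("@", 1)[0].lower()


def asrep_roasting(events: List[Event]) -> List[Tuple[str, str]]:
    """4768 with Pre-Authentication Type 0: a TGT was issued without an
    encrypted timestamp, so the AS-REP for that account is crackable offline.
    Returns (account, requester IP)."""
    return [(_user(e["TargetUserName"]), e["IpAddress"])
            for e in events if e["EventID"] == "4768" and e["PreAuthType"] == "0"]


def kerberoasting(events: List[Event]) -> List[Tuple[str, str]]:
    """4769 requesting an RC4 service ticket for a user-account SPN. Machine
    accounts end in '$' and krbtgt is skipped. Returns (requester, service)."""
    hits = []
    for e in events:
        if e["EventID"] != "4769" or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        hits.append((_user(e["TargetUserName"]), svc))
    return hits


def dcsync(events: List[Event], dc_accounts: Set[str] = DC_ACCOUNTS) -> List[str]:
    """4662 exercising a replication right from a non-DC account."""
    hits = []
    for e in events:
        if e["EventID"] != "4662" or e["SubjectUserName"] in dc_accounts:
            continue
        if any(g in e["Properties"].lower() for g in REPLICATION_RIGHTS):
            hits.append(e["SubjectUserName"])
    return hits


def tgs_without_tgt(events: List[Event]) -> List[str]:
    """Accounts with service tickets (4769) but no TGT request (4768) in the
    window: a TGT the KDC never issued is the footprint of a forged ticket.
    Bounding the window by the TGT lifetime is left as an assumption."""
    tgt_users = {_user(e["TargetUserName"]) for e in events if e["EventID"] == "4768"}
    hits: List[str] = []
    for e in events:
        if e["EventID"] == "4769":
            u = _user(e["TargetUserName"])
            if u not in tgt_users and u not in hits:
                hits.append(u)
    return hits


def run(events: List[Event]) -> Dict[str, list]:
    return {"asrep_roasting": asrep_roasting(events),
            "kerberoasting": kerberoasting(events),
            "dcsync": dcsync(events),
            "tgs_without_tgt": tgs_without_tgt(events)}


if __name__ == "__main__":
    for name, hits in run(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

The silver ticket is deliberately absent from these checks: it is presented directly to the service and never touches the KDC, so it only shows up in the target host's own logon auditing, not in the domain controller's Security log. DCShadow likewise looks like replication, but from a host that was never promoted to a DC; flagging it means comparing the source of the replication traffic against the known DC inventory rather than inspecting a single event.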