Attacking Active Directory from Windows
Chronology
2013
The Responder tool was released by Laurent Gaffie. Responder is a tool used for poisoning LLMNR, NBT-NS, and MDNS on an Active Directory network. It can be used to obtain password hashes and also perform SMB Relay attacks (when combined with other tools) to move laterally and vertically in an AD environment. It has evolved considerably over the years and is still actively supported (with new features added) as of January 2022.
2014
Veil-PowerView was first released. This project later became part of the PowerSploit framework as the (no longer supported) PowerView.ps1 AD recon tool. The Kerberoasting attack was first presented at a conference by Tim Medin at SANS Hackfest 2014.
2015
2015 saw the release of some of the most impactful Active Directory tools of all time. The PowerShell Empire framework was released. PowerView 2.0 was released as part of the (now deprecated) PowerTools repository, which was part of the PowerShellEmpire GitHub account. The DCSync attack was first released by Benjamin Delpy and Vincent Le Toux as part of the mimikatz tool; it has since been included in other tools. The first stable release of CrackMapExec (v1.0.0) was introduced. Sean Metcalf gave a talk at Black Hat USA about the dangers of Kerberos Unconstrained Delegation and released an excellent blog post on the topic. The Impacket toolkit was also released in 2015. This is a collection of Python tools, many of which can be used to perform Active Directory attacks. It is still actively maintained as of January 2022 and is a key part of almost every penetration tester's toolkit.
2016
BloodHound was released at DEF CON 24 as a game-changing tool for visualizing attack paths in AD.
2017
The ASREPRoast technique was introduced for attacking user accounts that don't require Kerberos preauthentication. wald0 and harmj0y delivered the pivotal talk on Active Directory ACL attacks "ACE Up the Sleeve" at Black Hat and DEF CON. harmj0y released his "A Guide to Attacking Domain Trusts" blog post on enumerating and attacking domain trusts.
2018
The "Printer Bug" was discovered by Lee Christensen, and the SpoolSample PoC tool was released, which leverages this bug to coerce Windows hosts to authenticate to other machines via the MS-RPRN RPC interface. harmj0y released the Rubeus toolkit for attacking Kerberos. Late in 2018 harmj0y also released the blog post "Not A Security Boundary: Breaking Forest Trusts", which presented key research on performing attacks across forest trusts. The DCShadow attack technique was also released by Vincent Le Toux and Benjamin Delpy at the BlueHat IL 2018 conference. The Ping Castle tool was released by Vincent Le Toux for performing security audits of Active Directory: it looks for misconfigurations and other flaws that raise the risk level of a domain and produces a report that can be used to identify ways to further harden the environment.
2019
harmj0y delivered the talk "Kerberoasting Revisited" at DerbyCon which laid out new approaches to Kerberoasting. Elad Shamir released a blog post outlining techniques for abusing resource-based constrained delegation (RBCD) in Active Directory. The company BC Security released Empire 3.0 (now version 4) which was a re-release of the PowerShell Empire framework written in Python3 with many additions and changes.
2020
The ZeroLogon attack debuted late in 2020. This was a critical flaw that allowed an attacker to impersonate any unpatched domain controller in a network.
2021
The PrintNightmare vulnerability was released. This was a remote code execution flaw in the Windows Print Spooler that could be used to take over hosts in an AD environment. The Shadow Credentials attack was released, which allows low-privileged users to impersonate other user and computer accounts if the conditions are right, and can be used to escalate privileges in a domain. The noPac attack was released in mid-December of 2021, when much of the security world was focused on the Log4j vulnerabilities. This attack allows an attacker to gain full control over a domain from a standard domain user account if the right conditions exist.
⛓️ DCShadow
See https://blog.netwrix.com/2022/09/28/dcshadow_attack/
🤐 Group Policy Object Abuse
We can enumerate GPO information using many of the tools we've been using throughout this module such as PowerView and BloodHound. We can also use group3r, ADRecon, PingCastle, among others, to audit the security of GPOs in a domain.
Powershell
If Group Policy Management Tools are installed on the host we are working from, we can use various built-in GroupPolicy cmdlets such as Get-GPO to perform the same enumeration.
Powerview
Using the Get-DomainGPO function from PowerView, we can get a listing of GPOs by name.
Enumerating GPO Names with PowerView
Results:
Converting GPO GUID to Name:
Checking in BloodHound, we can see that the Domain Users group has several rights over the Disconnect Idle RDP GPO. If we select the GPO in BloodHound and scroll down to Affected Objects on the Node Info tab, we can see that this GPO is applied to one OU, which contains four computer objects.
We could use a tool such as SharpGPOAbuse to take advantage of this GPO misconfiguration by performing actions such as adding a user that we control to the local admins group on one of the affected hosts, creating an immediate scheduled task on one of the hosts to give us a reverse shell, or configuring a malicious computer startup script to provide us with a reverse shell or similar.
When using a tool like this, we need to be careful because commands can be run that affect every computer within the OU that the GPO is linked to.
👥 Group Policy Preferences (GPP) Passwords
When a new GPP is created, an .xml file is created in the SYSVOL share, which is also cached locally on the endpoints that the Group Policy applies to. These files include those used to:
- Map drives (drives.xml)
- Create local users
- Create printer config files (printers.xml)
- Create and update services (services.xml)
- Create scheduled tasks (scheduledtasks.xml)
- Change local admin passwords
These files can contain an array of configuration data and defined passwords. The cpassword attribute value is encrypted with AES-256, but Microsoft published the AES private key on MSDN, which can be used to decrypt the password. Any domain user can read these files because they are stored on the SYSVOL share, and all authenticated users in a domain have read access to this domain controller share by default.
This was patched in 2014 (MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege) to prevent administrators from setting passwords using GPP. The patch does not remove existing Groups.xml files with passwords from SYSVOL, and if you delete the GPP policy instead of unlinking it from the OU, the cached copy on the local computer remains.
In older Windows environments like Server 2003 and 2008, the XML file stores AES-encrypted passwords in the “cpassword” parameter, which can be decrypted with Microsoft’s published AES key (link). If you retrieve the cpassword value manually, the gpp-decrypt utility can be used to decrypt the password as follows:
Locating & Retrieving GPP Passwords with CrackMapExec
To access the GPP information and decrypt its stored password using CrackMapExec, we can use two modules: **gpp_password** and **gpp_autologin**. The **gpp_password** module decrypts passwords stored in the Groups.xml file, while **gpp_autologin** retrieves autologin information from the Registry.xml file in the Preferences folder.
Results:
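As an added example (not part of the original notes, and not CrackMapExec's own code), here is a small SYSVOL audit in Python that walks a copy of the share and lists every leftover cpassword, the check a defender runs after MS14-025 because the patch does not clean existing files. The domain name, GPO directory layout and the cpassword value are constructed placeholders; decryption itself is left to gpp-decrypt as described above.

```python
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of a pre-MS14-025 Groups.xml. The cpassword is an obviously fake placeholder:
# 32 zero bytes, base64-encoded with the trailing '=' stripped the way GPP stores it.
FAKE_CPASSWORD = base64.b64encode(bytes(32)).decode().rstrip("=")
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{PLACEHOLDER-CLSID}">
  <User clsid="{PLACEHOLDER-CLSID}" name="localadmin" changed="2013-05-10 08:21:00">
    <Properties action="U" userName="localadmin" cpassword="%s"/>
  </User>
</Groups>""" % FAKE_CPASSWORD

def restore_padding(cpassword):
    """GPP strips the trailing '=' from the base64 ciphertext; put it back before decoding."""
    return cpassword + "=" * (-len(cpassword) % 4)

def find_cpasswords(sysvol_root):
    """Walk a SYSVOL tree and report every element that still carries a cpassword attribute."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for fname in files:
            if not fname.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # not a well-formed preferences file
            for parent in root.iter():
                for child in parent:
                    cp = child.get("cpassword")
                    if cp:  # an empty cpassword="" means no stored password
                        ciphertext = base64.b64decode(restore_padding(cp))
                        findings.append({"file": os.path.relpath(path, sysvol_root),
                                         "user": child.get("userName") or child.get("runAs") or parent.get("name"),
                                         "changed": parent.get("changed"),
                                         "ciphertext_len": len(ciphertext)})  # AES-CBC: multiple of 16
    return findings

def demo():
    """Write the constructed sample into a temporary SYSVOL-shaped tree and scan it."""
    with tempfile.TemporaryDirectory() as sysvol:
        gpo_dir = os.path.join(sysvol, "inlanefreight.local", "Policies", "{PLACEHOLDER-GPO-GUID}",
                               "Machine", "Preferences", "Groups")
        os.makedirs(gpo_dir)
        with open(os.path.join(gpo_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return find_cpasswords(sysvol)
```

Point find_cpasswords at a mounted or copied SYSVOL to get the same report for a real domain.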
💌 LLMNR/NBT-NS Poisoning
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification that can be used when DNS fails.
If a machine attempts to resolve a host but DNS resolution fails, typically, the machine will try to ask all other machines on the local network for the correct host address via LLMNR. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts.
It uses port 5355 over UDP natively. If LLMNR fails, NBT-NS will be used. NBT-NS identifies systems on a local network by their NetBIOS name and utilizes port 137 over UDP.
The kicker here is that when LLMNR/NBT-NS are used for name resolution, ANY host on the network can reply. This is where we come in with Responder to poison these requests.
How does a typical attack work?
- A host attempts to connect to the print server at `\\print01.inlanefreight.local`, but accidentally types in `\\printer01.inlanefreight.local`.
- The DNS server responds, stating that this host is unknown.
- The host then broadcasts to the entire local network, asking if anyone knows the location of `\\printer01.inlanefreight.local`.
- The attacker (us, with Responder running) responds to the host, stating that it is the `\\printer01.inlanefreight.local` the host is looking for.
- The host believes this reply and sends an authentication request to the attacker with a username and NTLMv2 password hash.
- This hash can then be cracked offline or used in an SMB Relay attack if the right conditions exist.
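The exchange above in DNS wire format, as an added Python example that is not part of the original notes: it builds the multicast query for the mistyped name, the unsolicited answer that any host on the link can send, and a detector-side check that flags LLMNR responses for names the domain's DNS zone does not contain. The packets, IP addresses and zone list are constructed; LLMNR is assumed to be captured as raw UDP 5355 payloads.

```python
import ipaddress
import struct

def _encode_name(name):
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def _decode_name(data, off):
    labels = []
    while data[off]:
        labels.append(data[off + 1:off + 1 + data[off]].decode("ascii"))
        off += 1 + data[off]
    return ".".join(labels).lower(), off + 1

def build_query(txid, name):
    """What the mistyping host multicasts: a DNS-style header with one A/IN question."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)

def build_answer(txid, name, ip, ttl=30):
    """What any host on the link may send back: QR bit set, question echoed, one A record."""
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    record = _encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0) + question + record

def parse(data):
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = _decode_name(data, off)
        questions.append(name)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        name, off = _decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(data[off:off + 4]))))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions, "answers": answers}

def flag_poisoned(captured, dns_zone_names):
    """Detector view: in a domain every real host is in DNS, so an LLMNR response for a name the
    zone does not contain (a typo, or a planted honey name) is the poisoner's signature."""
    known = {n.lower() for n in dns_zone_names}
    hits = []
    for src, raw in captured:  # (source IP, raw UDP 5355 payload) pairs from a sensor
        msg = parse(raw)
        if msg["is_response"]:
            hits.extend((src, name, ip) for name, ip in msg["answers"] if name not in known)
    return hits
```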
Tools
Several tools can be used to attempt LLMNR & NBT-NS poisoning:
| Tool | Description |
|---|---|
| Responder | Responder is a purpose-built tool to poison LLMNR, NBT-NS, and MDNS, with many different functions. |
| Inveigh | Inveigh is a cross-platform MITM platform that can be used for spoofing and poisoning attacks. |
| Metasploit | Metasploit has several built-in scanners and spoofing modules made to deal with poisoning attacks. |
Inveigh
https://github.com/Kevin-Robertson/Inveigh
MITRE ATT&CK lists this technique as T1557.001, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay.
LLMNR & NBT-NS poisoning is possible from a Windows host as well.
Inveigh is a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers. The repo contains the primary C# version as well as the legacy PowerShell version.
Inveigh can listen on IPv4 and IPv6 and handles several protocols, including LLMNR, DNS, mDNS, NBNS, DHCPv6, ICMPv6, HTTP, HTTPS, SMB, LDAP, WebDAV, and Proxy Auth.
Powershell version
The PowerShell version of Inveigh is the original version and is no longer updated. The tool author maintains the C# version (see the section below). Configurable parameters in Inveigh: https://github.com/Kevin-Robertson/Inveigh/wiki/Parameters
C# Inveigh (InveighZero)
Before we can use the C# version of the tool, we have to compile the executable.
Results: in the startup output, [+] marks an option that is enabled by default and [ ] marks a disabled option.
Console access:
Press ESC to enter/exit interactive console. The console gives us access to captured credentials/hashes, allows us to stop Inveigh, and more.
🪤 NoPac (SamAccountName Spoofing)
Detailed explanations
This vulnerability encompasses two CVEs, CVE-2021-42278 and CVE-2021-42287, and allows intra-domain privilege escalation from any standard domain user to Domain Admin level access in a single command.
See more on NoPac (Sam account Spoofing).
🍥 Password spraying
DomainPasswordSpray
kerbrute
crackmapexec
Mitigation techniques against password spraying
- Multi-factor Authentication
- Restricting Access
- Reducing Impact of Successful Exploitation
- Password Hygiene
In the Domain Controller’s security log, many instances of event ID 4625: An account failed to log on over a short period may indicate a password spraying attack. Organizations should have rules to correlate many logon failures within a set time interval to trigger an alert. A more savvy attacker may avoid SMB password spraying and instead target LDAP. Organizations should also monitor event ID 4771: Kerberos pre-authentication failed, which may indicate an LDAP password spraying attempt. To do so, they will need to enable Kerberos logging. This post details research around detecting password spraying using Windows Security Event Logging.
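A correlation rule of the kind described above, as an added Python example that is not from the original notes: it groups 4625 and 4771 failures by source address in a sliding window and alerts on the spray shape (many distinct accounts, one or two tries each), while leaving a single account failing repeatedly to a separate lockout rule. The events are a constructed sample, and the window and thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_EVENTS = {4625, 4771}  # failed logon (SMB/NTLM path) and Kerberos pre-auth failure

# Constructed sample of DC Security-log failures: (timestamp, event id, account, source IP).
SAMPLE_EVENTS = [
    ("2024-12-27 09:00:05", 4625, "asmith", "10.10.14.3"),  # one source, many accounts, one try each
    ("2024-12-27 09:00:06", 4625, "bjones", "10.10.14.3"),
    ("2024-12-27 09:00:07", 4625, "cwong", "10.10.14.3"),
    ("2024-12-27 09:00:08", 4625, "dlee", "10.10.14.3"),
    ("2024-12-27 09:00:09", 4625, "ekhan", "10.10.14.3"),
    ("2024-12-27 09:03:12", 4625, "jdoe", "10.10.10.20"),   # one user mistyping a password: not a spray
    ("2024-12-27 09:03:40", 4625, "jdoe", "10.10.10.20"),
    ("2024-12-27 09:10:00", 4771, "gsilva", "10.10.14.7"),  # same shape seen as Kerberos pre-auth failures
    ("2024-12-27 09:10:01", 4771, "hpatel", "10.10.14.7"),
    ("2024-12-27 09:10:02", 4771, "iruiz", "10.10.14.7"),
    ("2024-12-27 09:10:03", 4771, "jkim", "10.10.14.7"),
    ("2024-12-27 09:10:04", 4771, "kosei", "10.10.14.7"),
]

def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Sliding window per source IP. The spray shape is many distinct accounts each failing only
    once or twice (kept under the lockout threshold); one account failing repeatedly is a
    different pattern and is left to a separate lockout/brute-force rule."""
    by_src = defaultdict(list)
    for ts, event_id, account, src in events:
        if event_id in FAILURE_EVENTS:
            by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, account.lower()))
    alerts = []
    for src, rows in by_src.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            per_account = defaultdict(int)
            for _, _, account in win:
                per_account[account] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                alerts.append({"src": src, "accounts": len(per_account),
                               "event_ids": sorted({row[1] for row in win}),
                               "first": win[0][0].isoformat(), "last": win[-1][0].isoformat()})
                break  # one alert per source; a SIEM would keep correlating beyond this
    return alerts
```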
🍟 PetitPotam (MS-EFSRPC)
!!! tip ""
    - NTLM relaying to AD CS
    - On certificates, printers and a little hippo
PetitPotam (CVE-2021-36942) is an LSA spoofing vulnerability that was patched in August of 2021. The flaw allows an unauthenticated attacker to coerce a Domain Controller to authenticate against another host using NTLM over port 445 via the Local Security Authority Remote Protocol (LSARPC) by abusing Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC).
This technique allows an unauthenticated attacker to take over a Windows domain where Active Directory Certificate Services (AD CS) is in use. In the attack, an authentication request from the targeted Domain Controller is relayed to the Certificate Authority (CA) host's Web Enrollment page and makes a Certificate Signing Request (CSR) for a new digital certificate.
This certificate can then be used with a tool such as Rubeus or gettgtpkinit.py from PKINITtools to request a TGT for the Domain Controller, which can then be used to achieve domain compromise via a DCSync attack.
First off, we need to start ntlmrelayx.py in one window on our attack host, specifying the Web Enrollment URL for the CA host and using either the KerberosAuthentication or DomainController AD CS template. If we didn't know the location of the CA, we could use a tool such as certi to attempt to locate it.
Step 1: capture the base64 certificate
In another terminal session on the attack host (for example over SSH), run PetitPotam.py.
In the terminal with ntlmrelayx.py running, we will see the base64-encoded certificate for the Domain Controller if the attack is successful.
Step 2: Request a TGT
Next, we can take this base64 certificate and use gettgtpkinit.py to request a Ticket-Granting Ticket (TGT) for the domain controller:
Set the KRB5CCNAME environment variable so our attack host uses the dc01.ccache file for Kerberos authentication attempts.
Step 3: Retrieve NTLM password hashes with DCSync attack
Use this TGT with secretsdump.py to perform a DCSync and retrieve one or all of the NTLM password hashes for the domain.
We can confirm the ticket is loaded by typing klist (using the klist command requires installation of the krb5-user package on our attack host).
Confirming Admin Access to the Domain Controller. Finally, we could use the NT hash for the built-in Administrator account to authenticate to the Domain Controller:
Optional path #1: Submit a TGS for ourselves
Submitting a TGS Request for Ourselves Using getnthash.py
We can also take an alternate route once we have the TGT for our target. Using the tool getnthash.py from PKINITtools, we could request the NT hash for our target host/user by using Kerberos U2U to submit a TGS request with the Privilege Attribute Certificate (PAC), which contains the NT hash for the target. This can be decrypted with the AS-REP encryption key we obtained when requesting the TGT earlier.
Optional path #2: rubeus to generate TGT and TGS
Once we obtain the base64 certificate via ntlmrelayx.py, we could use the certificate with the Rubeus tool on a Windows attack host to request a TGT and perform a pass-the-ticket (PTT) attack all at once.
Setting the KRB5CCNAME Environment Variable
We can then type klist to confirm that the ticket is in memory.
Since Domain Controllers have replication privileges in the domain, we can use pass-the-ticket to perform a DCSync attack using Mimikatz from our Windows attack host.
PetitPotam Mitigations
First off, the patch for CVE-2021-36942 should be applied to any affected hosts. Below are some further hardening steps that can be taken:
- Use Extended Protection for Authentication, together with Require SSL (HTTPS connections only), on the Certificate Authority Web Enrollment and Certificate Enrollment Web Service services, to prevent NTLM relay attacks.
- Disable NTLM authentication for Domain Controllers.
- Disable NTLM on AD CS servers using Group Policy.
- Disable NTLM for IIS on AD CS servers where the Certificate Authority Web Enrollment and Certificate Enrollment Web Service services are in use.
👃 Sniffing LDAP Credentials
Many applications and printers store LDAP credentials in their web admin console to connect to the domain. These consoles are often left with weak or default passwords. Sometimes, these credentials can be viewed in cleartext. Other times, the application has a test connection function that we can use to gather credentials by changing the LDAP IP address to that of our attack host and setting up a netcat listener on LDAP port 389. When the device attempts to test the LDAP connection, it will send the credentials to our machine, often in cleartext.
❌ Zerologon
See https://www.crowdstrike.com/en-us/blog/cve-2020-1472-zerologon-security-advisory/.
Last update: 2025-06-01 Created: December 27, 2024 22:00:41