Pentesting Active Directory and Windows-based Infrastructure

Product type Book
Published in Nov 2023
Publisher Packt
ISBN-13 9781804611364
Pages 360 pages
Edition 1st Edition
Author: Denis Isakov

Table of Contents (13 chapters)

Preface
1. Chapter 1: Getting the Lab Ready and Attacking Exchange Server
2. Chapter 2: Defense Evasion
3. Chapter 3: Domain Reconnaissance and Discovery
4. Chapter 4: Credential Access in Domain
5. Chapter 5: Lateral Movement in Domain and Across Forests
6. Chapter 6: Domain Privilege Escalation
7. Chapter 7: Persistence on Domain Level
8. Chapter 8: Abusing Active Directory Certificate Services
9. Chapter 9: Compromising Microsoft SQL Server
10. Chapter 10: Taking Over WSUS and SCCM
11. Index
12. Other Books You May Enjoy

Credential Access in Domain

It was difficult to choose the order of Chapters 4, 5, and 6, as they are all closely interconnected. We are not going to cover how to dump secrets from the host (LSASS, DPAPI, Credential Manager, etc.). Instead, we will keep our focus on Active Directory. This chapter starts by discussing ways to obtain clear-text credentials in the domain. Then, we will explore various techniques to capture the hash, such as forced authentication and poisoning. Relay will be covered later, in Chapter 5, Lateral Movement. After that comes an introduction to the Kerberos authentication protocol and the different styles of roasting the three-headed dog. Finally, we will discuss native security mechanisms for password management, such as Local Administrator Password Solution (LAPS) and Group Managed Service Accounts (gMSA), and ways to recover privileged credentials from them. As a final note, the DCSync attack together with ways to dump hashes from the ntds.dit domain controller...

Technical requirements

In this chapter, you will need to have access to the following:

  • VMware Workstation or Oracle VirtualBox with at least 16 GB of RAM, eight CPU cores, and at least 55 GB of total space (more if you take snapshots)
  • A Linux-based operating system is strongly recommended
  • Vagrant installed with the plugin for the corresponding virtualization platform and Ansible
  • From the GOADv2 project, we will use DC02, DC03, SRV02, and SRV03

Clear-text credentials in the domain

In this section, we will discuss different ways to obtain credentials in clear text. However, we will not touch on things such as a password.txt file left on a share, default credentials for some applications, or pushing the WDigest parameter so that a password can be dumped in clear text from memory. We also will not discuss the Internal Monologue attack[1], which allows credentials to be obtained without touching LSASS. Our focus is solely on Active Directory. We may find a very old pre-Windows 2000 computer in the domain, or the domain may be vulnerable to MS14-025, with the local administrator password encrypted in a Group Policy file. We can try our luck with password spraying or by searching for a password in an Active Directory user’s comment field.

Old, but still worth trying

Recently, I came across some intriguing research published by Oddvar Moe regarding pre-created computer accounts[2]. Apparently, checking the Assign this...

Capture the hash

This section will be focused on capturing the hash, the number-one step in a well-known attack: NTLM relay. As an introduction to this theme, I highly encourage you to read the most comprehensive guide about this attack[7].

First, we need to cover a bit of theory. The NTLM authentication protocol is used for network authentication and has two versions. It follows a zero-knowledge-proof idea, meaning that the credentials themselves are never transmitted over the network. Instead, it uses a challenge-response scheme: the server sends a random set of data, and the client responds with a value that is the result of hashing this data together with some extra parameters and the client’s secret key. As an attacker, we are interested in capturing this valid NTLM response from the client. Next, we can try to crack the hash or relay it.

NTLMv1 is deprecated and not considered secure. However, it is possible to see NTLMv1 in use in older environments. There are two techniques...
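The challenge-response computation described above, worked through for NTLMv2 as an added example (not code from the book): it reproduces the MS-NLMP specification's test values for user "User" in domain "Domain" with password "Password", and verify_response is the same check a domain controller performs on a response, which is what an offline guess against a captured exchange repeats. MD4 is implemented inline because hashlib frequently lacks it under OpenSSL 3; the sample exchange is constructed.

```python
import hashlib, hmac, struct

MASK = 0xFFFFFFFF

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320): hashlib's md4 is often unavailable under OpenSSL 3
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = _rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rol((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = _rol((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))  # NT hash = MD4(UTF-16LE(password)), unsalted
def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    # NTOWFv2 = HMAC_MD5(NT hash, UTF-16LE(UPPER(user) + domain)); the domain keeps its case
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
def av_pair(av_id: int, value: str) -> bytes:
    data = value.encode("utf-16le")
    return struct.pack("<HH", av_id, len(data)) + data
def nt_proof(ntowf: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    # NTProofStr = HMAC_MD5(NTOWFv2, ServerChallenge || temp): the 16 bytes seen on the wire
    return hmac.new(ntowf, server_challenge + blob, hashlib.md5).digest()
def verify_response(password, user, domain, server_challenge, blob, proof) -> bool:
    # The check a DC performs with the stored NT hash; every input except the password is visible
    # in a captured exchange, so the same check can be repeated offline against password guesses
    return hmac.compare_digest(nt_proof(ntowf_v2(password, user, domain), server_challenge, blob), proof)

# Constructed exchange reusing the MS-NLMP 4.2.4 example inputs (user "User", domain "Domain")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
TARGET_INFO = av_pair(0x0002, "Domain") + av_pair(0x0001, "Server") + b"\x00" * 4  # MsvAvEOL terminator
# "temp" per MS-NLMP 3.3.2: version 1/1, reserved, timestamp, client challenge, reserved, AV pairs, reserved
BLOB = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\xaa" * 8 + b"\x00" * 4 + TARGET_INFO + b"\x00" * 4
PROOF = nt_proof(ntowf_v2("Password", "User", "Domain"), SERVER_CHALLENGE, BLOB)
```

Because the server challenge and the whole blob are sent in the clear, only the password entropy protects a captured NTLMv2 response; NTLMv1 is weaker still because its response is a DES construction over the NT hash, which is why the book treats it as not secure.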

Forced authentication

We have covered MITM capabilities and now will discuss in detail various ways to force authentication. The idea is that a standard user can force the target machine account (usually a domain controller) to connect to an arbitrary target. This is made possible through an automatic authentication attempt. You can find a repository with 15 known methods in 5 protocols[10]. Now, let’s dive a bit deeper into each method.

MS-RPRN abuse (PrinterBug)

This is a won’t-fix bug, which is enabled by default in every Windows environment. The idea is that by using a domain username and password, the attacker can trigger the RpcRemoteFindFirstPrinterChangeNotificationEx method and force authentication over SMB. We will demonstrate this attack later when discussing Kerberos’s unconstrained delegation in Chapter 5. A go-to tool for this abuse is called SpoolSample[11] and can be found on GitHub.

MS-EFSR abuse (PetitPotam)

The Encrypting File System...

Roasting the three-headed dog

It was inevitable that we would reach a point where we must discuss and understand Kerberos. This authentication protocol was built to access services in the network by presenting a valid ticket.

Kerberos 101

We need a bit more of an understanding of how the protocol works before we can discuss the attack venues available to us. As a good starting point, I can recommend the blog post by hackndo[17].

We have three main subjects – the client, service, and Key Distribution Center (KDC), which is the domain controller. The following diagram[18], which was published on the Microsoft website, explains how it works:

Figure 4.8 – Kerberos in a nutshell

Now let’s follow the authentication process in more detail, step by step.

  1. KRB_AS_REQ (Kerberos Authentication Service Request) is sent by the client to KDC and contains various information, most importantly, a timestamp that is encrypted with the hashed...

Automatic password management in the domain

Some of the attacks discussed previously, for example, MS14-025 and Kerberoasting, contributed to the development of password management automation. To resolve the problem of local administrator password rotation, LAPS was created. To tackle Kerberoasting, gMSA was introduced a bit later by Microsoft.

LAPS

Now, we will deploy LAPS on braavos in the essos domain and discuss possible attack venues. I will follow this deployment guide[25]. The general steps include component installation, Active Directory schema extension, agent deployment on computers, and Group Policy configuration.

The installation is straightforward. Just download the .msi file and deploy it. After running the following command, your schema will be extended (run as schema admin):

Update-AdmPwdADSchema

The output should look like the following screenshot:

Figure 4.15 – Schema update was successful

The next step is...

NTDS secrets

We will cover NTDS secrets extraction here, as this attack applies only to domain controllers. The ntds.dit file is the database that stores Active Directory data, including password hashes. The file is located at %systemroot%\NTDS\ntds.dit and %systemroot%\System32\ntds.dit. It is constantly in use, so it can’t simply be copied like any other file. There are different ways that ntds.dit data can be dumped[31]:

  • ntdsutil.exe – Active Directory maintenance tool
  • VSSAdmin – volume shadow copy
  • vshadow
  • DiskShadow
  • esentutl.exe
  • NinjaCopy from PowerSploit
  • Copy-VSS from Nishang
  • windows/gather/credentials/domain_hashdump from Metasploit

For our example, on a domain controller, we will run ntdsutil.exe, which saves the ntds.dit file and the SYSTEM registry hive; we can then move them to our machine and extract the hashes using secretsdump:

ntdsutil "activate instance ntds" "ifm" "create full C:\Windows\Temp\NTDS"...

DCSync

DCSync uses the domain controller’s API to emulate the replication process from a remote domain controller. DCSync, in a nutshell, performs a DsGetNCChanges operation from a domain controller via an RPC request to the Directory Replication Service API (DRSUAPI). This attack requires extended privileges, DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, which are assigned by default only to the “Domain Controllers”, “Domain Admins”, “Administrators”, and “Enterprise Admins” groups in the domain.

If we have compromised a user with these extended privileges, we can run secretsdump to obtain all hashes in the domain:

/usr/bin/impacket-secretsdump -outputfile 'something' 'essos'/'daenerys.targaryen':'BurnThemAll!'@'192.168.56.12'

The output produced by the preceding command is shown in the following screenshot:

Figure...
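As an added detection example (not from the book), the script below flags Windows Security event 4662 records in which an account other than a domain controller exercises the replication control-access rights named above; the flat event format, the DC03$ computer account and the sample records are constructed, and such events are only logged when "Audit Directory Service Access" is enabled on the domain controllers.

```python
import re
from typing import Optional

# rightsGuid values of the control-access rights that replication, and therefore DCSync, requires
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

def parse_event(line: str) -> dict:
    # Constructed flat "key=value; key=value" rendering of the fields a real 4662 event carries
    return {k.strip(): v.strip() for k, v in (part.split("=", 1) for part in line.split(";"))}

def dcsync_alert(event: dict, dc_accounts: set) -> Optional[tuple]:
    """(actor, rights) for a 4662 event that looks like DCSync from a non-DC account, else None."""
    if event.get("EventID") != "4662":
        return None
    rights = [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(event.get("Properties", ""))
              if g.lower() in REPLICATION_RIGHTS]
    if not rights:
        return None  # some other directory object access, not replication
    actor = event.get("SubjectUserName", "")
    # DC-to-DC replication is the normal baseline: suppress it, alert on everyone else
    if actor.upper() in {a.upper() for a in dc_accounts}:
        return None
    return actor, rights

def scan(lines, dc_accounts):
    return [a for a in (dcsync_alert(parse_event(l), dc_accounts) for l in lines) if a]

# Constructed sample events for the essos domain; only the second one should fire
SAMPLE_EVENTS = [
    "EventID=4662; SubjectUserName=DC03$; SubjectDomainName=ESSOS; "
    "Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=daenerys.targaryen; SubjectDomainName=ESSOS; "
    "Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=khal.drogo; SubjectDomainName=ESSOS; "
    "Properties=%%7688 {00000000-0000-0000-0000-000000000000}",  # placeholder GUID, not a replication right
    "EventID=4624; SubjectUserName=daenerys.targaryen; SubjectDomainName=ESSOS; Properties=-",
]
DC_ACCOUNTS = {"DC03$"}  # every domain controller's computer account belongs in this allowlist
```

Even a legitimately privileged account such as daenerys.targaryen should fire here, because replication requests normally originate only from domain controller accounts; pair the rule with the source address of the request to spot replication coming from a workstation.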

Dumping user credentials in clear text via DPAPI

Let us go through a scenario. Following internal security policies and after security awareness training, users started using Credential Manager in Windows instead of password.txt files. Credential Manager is a built-in password manager in Windows that uses the Data Protection API (DPAPI). DPAPI allows programs, such as Chrome or RDP, to store sensitive data transparently. This data is stored in the user’s profile directory and is encrypted with a key derived from the user’s password. Our target user, khal.drogo, had credentials for the SQL system administrator (SA) account stored in their Credential Manager. An adversary has compromised the user with domain admin privileges and intends to pull the sa password in clear text. There are three attack scenarios:

  • Obtain khal.drogo’s master key and then decrypt
  • Extract all local master keys if you have local administrator privileges
  • Extract all backup master keys with...

Summary

This chapter was devoted to tools and techniques that can help you get access to credentials, either in clear-text or hashed form. Obtaining such sensitive data is a crucial step to progress further in attacking Active Directory. We have also discussed OpSec considerations and possible mitigation and detection options.

In the next chapter, we will cover lateral movement inside the domain and between forests. We will focus on relay and different types of pass-the-whatever attacks, finishing with Kerberos delegation abuse and lateral movement between forests.

Further reading

These resources for further study will help you dive deeper into the attacks covered in the chapter:
