What is LLMNR Poisoning Attack?
Link-Local Multicast Name Resolution (LLMNR) is a protocol used by Windows operating systems to resolve names on a local network when DNS resolution fails. LLMNR allows computers to perform name resolution for hosts on the same local network without needing a DNS server.
LLMNR poisoning is a type of attack where an attacker exploits this protocol to intercept and respond to LLMNR queries with malicious intent. By doing so, the attacker can trick a victim’s machine into sending sensitive information, such as NTLM hashes, to the attacker’s machine.
How LLMNR Poisoning Attack Works
- Network Monitoring:
- The attacker monitors the network for LLMNR queries. These queries are sent to the local multicast group by computers that cannot resolve a hostname through DNS, so anyone on the segment can see them.
- Sending Fake Responses:
- When an LLMNR query is detected, the attacker sends a fake response to the querying machine, pretending to be the requested host.
- Capturing NTLM Hashes:
- The victim machine believes it has resolved the hostname and attempts to authenticate to the attacker’s machine using NTLM authentication.
- The attacker captures the NTLM authentication material (typically a Net-NTLMv2 challenge/response rather than the raw NT hash) of the user’s credentials.
- Cracking the Hash:
- The attacker can then attempt to crack the captured NTLM hash offline to retrieve the plaintext password using tools like Hashcat.
Tools Commonly Used for LLMNR Poisoning
- Responder: A popular tool that listens for LLMNR (and NetBIOS) queries and responds to them, capturing authentication requests and NTLM hashes.
  sudo responder -I eth0
- Metasploit: Contains modules for LLMNR poisoning.
  use auxiliary/spoof/llmnr/llmnr_response
  The victim then tries to log in to the spoofed SMB service, and that authentication attempt is captured.
Impact of LLMNR Poisoning
- Credential Theft: Attackers can capture NTLM hashes, which can be cracked to obtain user passwords.
- Privilege Escalation: If the captured credentials belong to privileged users, attackers can gain elevated access to the network.
- Lateral Movement: Attackers can use the stolen credentials to move laterally within the network, accessing other systems and data.
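The mechanism described above gives defenders a cheap detection: a name that is never registered anywhere on the network should never get an LLMNR answer, so any reply to such a "canary" query identifies a host answering for names it does not own. The following is an added example, not code from the original post or from the Responder or Metasploit projects. It encodes an LLMNR query (the wire format is the DNS message format on UDP 5355 to 224.0.0.252), parses a response, and flags answers to the canary. The canary name "canary01", the transaction id and the sample response bytes are constructed for this example.

```python
"""Canary-based LLMNR poisoning detector (added example, not from the original post)."""
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # LLMNR IPv4 multicast group (RFC 4795)
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1     # record type/class used by the canary query


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Encode an LLMNR A-record query; the layout is the DNS message format."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0 (query), QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(data: bytes, off: int):
    """Decode a (possibly compressed) name starting at offset `off`."""
    labels = []
    while True:
        length = data[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(data[off + 1:off + 1 + length].decode())
        off += 1 + length


def parse_llmnr_response(data: bytes):
    """Return txid, queried name and A-record answers of an LLMNR response, else None."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        return None                                     # QR bit clear: a query, not a response
    qname, off = _read_name(data, 12)
    off += 4                                            # skip QTYPE/QCLASS of the question
    answers = []
    for _ in range(ancount):
        name, off = _read_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return {"txid": txid, "qname": qname, "answers": answers}


def canary_alert(canary_name: str, txid: int, data: bytes, sender_ip: str):
    """The canary name is registered nowhere, so any answer to it comes from a poisoner."""
    resp = parse_llmnr_response(data)
    if resp is None or resp["txid"] != txid:
        return None
    if resp["qname"].lower() != canary_name.lower() or not resp["answers"]:
        return None
    return {"poisoner": sender_ip, "claims": [ip for _, ip, _ in resp["answers"]]}


# Constructed sample of a spoofed reply to the canary "canary01" (txid 0x1234,
# one A record pointing at 10.0.0.55). Not a real capture.
SAMPLE_RESPONSE = bytes.fromhex(
    "123480000001000100000000"    # header: id 0x1234, flags=response, QDCOUNT=1, ANCOUNT=1
    "0863616e617279303100"        # question name "canary01"
    "00010001"                    # QTYPE A, QCLASS IN
    "c00c00010001"                # answer: name pointer to offset 12, type A, class IN
    "0000001e"                    # TTL 30
    "00040a000037"                # RDLENGTH 4, RDATA 10.0.0.55
)


def probe(canary_name: str = "canary01", timeout: float = 2.0):
    """Send one canary query to the LLMNR group and report every host that answers it."""
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(canary_name, txid), (LLMNR_GROUP, LLMNR_PORT))
    alerts = []
    try:
        while True:
            data, (ip, _) = sock.recvfrom(2048)
            alert = canary_alert(canary_name, txid, data, ip)
            if alert:
                alerts.append(alert)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return alerts


if __name__ == "__main__":
    print(probe())
```

The real fix is to stop the protocol altogether: the Group Policy setting "Turn off multicast name resolution" (Computer Configuration > Administrative Templates > Network > DNS Client) sets EnableMulticast to 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, and disabling NetBIOS over TCP/IP on the adapters closes the companion NBT-NS channel that Responder also answers. Run the canary probe periodically from a monitoring host to confirm that no segment still has something answering for unknown names.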
What is AS-REP Roasting?
AS-REP Roasting is an attack technique used against Active Directory environments, specifically targeting user accounts that do not require pre-authentication. This technique allows attackers to retrieve encrypted parts of authentication data (the AS-REP response) which can then be brute-forced offline to obtain the user’s password.
Key Concepts
- Kerberos Authentication:
- Kerberos is an authentication protocol used in Active Directory for secure authentication over a non-secure network.
- The process involves multiple steps, starting with the Authentication Service (AS) request and response.
- Pre-Authentication:
- By default, Kerberos requires users to pre-authenticate: the Authentication Service Request (AS-REQ) sent to the Key Distribution Center (KDC) must carry a timestamp encrypted with the user’s key.
- Pre-authentication prevents unauthorized entities from requesting tickets on behalf of other users without knowing their password.
- AS-REP Roasting:
- Some user accounts might be configured to not require pre-authentication (a setting in Active Directory).
- For these accounts, attackers can send an AS-REQ without needing valid credentials.
- The KDC responds with an AS-REP whose encrypted part is protected with a key derived from the user’s password.
- This encrypted data can be captured and then brute-forced offline to recover the password.
Steps in AS-REP Roasting
- Identify Accounts without Pre-Authentication:
- Search for user accounts with the property “Do not require Kerberos preauthentication” set.
- This property is stored in the userAccountControl attribute as the flag DONT_REQUIRE_PREAUTH.
- Request AS-REQ:
- Send an AS-REQ for the identified user accounts.
- Since pre-authentication is not required, the KDC responds with an AS-REP containing the encrypted data.
- Capture AS-REP:
- Extract the encrypted part of the AS-REP response (the enc-part returned alongside the Ticket Granting Ticket, or TGT, which is encrypted with the user’s key).
- Brute-Force Offline:
- Use tools to brute-force the encrypted part of the AS-REP offline.
- This process involves guessing passwords until the correct one is found, effectively cracking the user’s password.
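The first step above is also the defender's audit: every account with DONT_REQUIRE_PREAUTH set is roastable, and clearing the bit removes the exposure. The following is an added example, not code from the original post or from Impacket. It parses an LDIF-style export of users, decodes userAccountControl with the Microsoft-documented bit values, lists enabled accounts that skip pre-authentication, notes whether they sit in a privileged group, and computes the remediated attribute value. The accounts, DNs and numbers in SAMPLE_LDIF are constructed; the LDAP filter shown is the server-side equivalent of the same check.

```python
"""Find AS-REP-roastable accounts in an LDAP export (added example, not from the original post)."""

# userAccountControl bit values documented by Microsoft (subset relevant here)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQUIRE_PREAUTH = 0x400000     # "Do not require Kerberos preauthentication"

UAC_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

# Same question asked of the DC directly (1.2.840.113556.1.4.803 is the bitwise-AND rule).
LDAP_FILTER = ("(&(objectCategory=person)(objectClass=user)"
               "(userAccountControl:1.2.840.113556.1.4.803:=4194304))")

PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Administrators")

# Constructed LDIF-style export; every account and value here is made up.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512

dn: CN=svc_legacy,OU=Service,DC=example,DC=com
sAMAccountName: svc_legacy
userAccountControl: 4194816
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com

dn: CN=old_app,OU=Service,DC=example,DC=com
sAMAccountName: old_app
userAccountControl: 4194818

dn: CN=Bob,OU=Users,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 66048
"""


def parse_ldif(text: str):
    """Split blank-line separated records into dicts; repeated keys become lists."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key in cur:
            prev = cur[key]
            cur[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            cur[key] = value
    if cur:
        records.append(cur)
    return records


def decode_uac(value: int):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if value & bit]


def find_roastable(records):
    """Enabled accounts with DONT_REQUIRE_PREAUTH set, with a privileged-group marker."""
    findings = []
    for rec in records:
        uac = int(rec.get("userAccountControl", 0))
        if not uac & DONT_REQUIRE_PREAUTH or uac & ACCOUNTDISABLE:
            continue                       # disabled accounts cannot be roasted
        groups = rec.get("memberOf", [])
        groups = groups if isinstance(groups, list) else [groups]
        findings.append({
            "account": rec["sAMAccountName"],
            "flags": decode_uac(uac),
            "privileged": any(g.startswith(f"CN={p},") for g in groups for p in PRIVILEGED_GROUPS),
            "remediated_uac": uac & ~DONT_REQUIRE_PREAUTH,   # value to write back to clear the flag
        })
    return findings


if __name__ == "__main__":
    for f in find_roastable(parse_ldif(SAMPLE_LDIF)):
        print(f)
```

Where the flag is genuinely required by an old application, the compensating controls are a long random password (AES keys derived from it are still brute-forceable, but not in any useful time) and alerting on Event ID 4768 entries for those accounts whose Pre-Authentication Type is 0.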
Tools for AS-REP Roasting
- Impacket: A collection of Python classes for working with network protocols. Includes scripts for AS-REP roasting.
- Rubeus: A toolset for raw Kerberos interaction and abuse in C#.
- Hashcat: A popular password recovery tool that can be used to brute-force the encrypted AS-REP data.
Example Attack with Impacket
- Identify Users:
  - Use GetNPUsers.py from Impacket to list users without pre-authentication.
    # Impacket GetNPUsers.py
    python3 GetNPUsers.py -dc-ip <domain-controller-ip> example.com/userlist.txt
- Request AS-REQ and Capture AS-REP:
  - The output will include the AS-REP encrypted part for each user identified.
- Crack AS-REP:
  - Use a tool like hashcat to brute-force the captured AS-REP data.
    # hashcat
    hashcat -m 18200 <hash-file> <wordlist>
  - -m 18200 specifies the Kerberos 5 AS-REP etype 23 hash mode.
What is Kerberoasting?
Kerberoasting is a post-exploitation attack technique used by attackers to extract service account credentials in Active Directory (AD) environments. The attack exploits the Kerberos authentication protocol, specifically targeting service accounts that have associated Service Principal Names (SPNs).
How Kerberoasting Works
- Enumerate SPNs:
  - Attackers with a valid domain user account enumerate the SPNs in the domain. SPNs are unique identifiers for services running on servers.
  - Tools like setspn (native tool) or GetUserSPNs.py from the Impacket suite can be used to list SPNs.
    Example command using setspn:
    setspn -T <DomainName> -Q */*
    # GetUserSPNs.py (Impacket)
- Request Service Tickets (TGS):
  - The attacker requests a Ticket Granting Service (TGS) ticket for a specific service account. The Kerberos protocol allows any authenticated user to request a TGS for any service account.
  - These TGS tickets are encrypted with the service account’s key: for RC4 tickets that key is the account’s NTLM hash, while for AES tickets it is derived from the password and a salt and is far slower to crack.
- Extract TGS Tickets:
  - The requested TGS tickets are cached on the requesting machine. Tools like Rubeus or Mimikatz can be used to extract these tickets from memory.
    Example command using Rubeus:
    Rubeus.exe tgtdeleg
- Offline Cracking:
  - The attacker extracts the encrypted part of the TGS ticket, which is encrypted using the service account’s NTLM hash, and attempts to crack it offline using brute force or dictionary attacks.
  - Tools like Hashcat are commonly used for this purpose.
    Example command using Hashcat:
    hashcat -m 13100 <TGS_Hash> <Wordlist>
Why Kerberoasting is Effective
- Service Accounts: Service accounts often have elevated privileges and might use weak or reused passwords, making them attractive targets.
- No Elevated Privileges Required: The attacker does not need elevated privileges to request TGS tickets—any authenticated domain user can do this.
- Offline Cracking: The cracking process is done offline, avoiding detection by network monitoring tools.
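The cracking is offline, but the ticket requests are not: each one is logged on the domain controller as Security Event ID 4769, and hashcat mode 13100 ($krb5tgs$23$) only applies to tickets issued with encryption type 0x17 (RC4-HMAC). A single user pulling RC4 service tickets for many different service accounts in a short window is the classic Kerberoasting signature. The following is an added example, not code from the original post or from any of the tools it names. It runs that rule over constructed 4769 records (field names follow the Windows event XML; the accounts, times and addresses are made up) and also lists which services still receive RC4 tickets, which is the list to migrate to AES before RC4 can be disabled.

```python
"""Kerberoasting detection over Security event 4769 (added example, not from the original post)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17            # etype 23: the tickets hashcat mode 13100 cracks
AES_TYPES = {0x11, 0x12}   # AES128/AES256-CTS-HMAC-SHA1-96

# Constructed 4769 events; every value is made up for this example.
SAMPLE_4769 = [
    {"TimeCreated": "2024-05-01T10:00:01", "TargetUserName": "jdoe@EXAMPLE.COM",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.23"},
    {"TimeCreated": "2024-05-01T10:00:03", "TargetUserName": "jdoe@EXAMPLE.COM",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.23"},
    {"TimeCreated": "2024-05-01T10:00:05", "TargetUserName": "jdoe@EXAMPLE.COM",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.23"},
    {"TimeCreated": "2024-05-01T10:00:07", "TargetUserName": "jdoe@EXAMPLE.COM",
     "ServiceName": "svc_report", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.23"},
    # one legitimate RC4 ticket: a user opening one SQL connection
    {"TimeCreated": "2024-05-01T10:02:00", "TargetUserName": "asmith@EXAMPLE.COM",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.41"},
    # computer account to computer account, AES: ordinary domain noise
    {"TimeCreated": "2024-05-01T10:03:00", "TargetUserName": "WS01$@EXAMPLE.COM",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.50"},
    # a TGT renewal shows krbtgt as the service; never a roasting target
    {"TimeCreated": "2024-05-01T10:04:00", "TargetUserName": "jdoe@EXAMPLE.COM",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.23"},
]


def parse_event(ev):
    """Normalise one 4769 record: strip the realm, lower-case names, decode the etype."""
    return {
        "time": datetime.fromisoformat(ev["TimeCreated"]),
        "user": ev["TargetUserName"].split("@")[0].lower(),
        "service": ev["ServiceName"].lower(),
        "etype": int(ev["TicketEncryptionType"], 16),
        "ip": ev["IpAddress"],
    }


def is_roast_candidate(e):
    """RC4 service ticket for a user (not computer) service account."""
    return (e["etype"] == RC4_HMAC
            and not e["service"].endswith("$")      # computer accounts have random 120-char passwords
            and e["service"] != "krbtgt")


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Alert when one user obtains RC4 tickets for >= threshold distinct services in one window."""
    buckets = defaultdict(list)
    for e in map(parse_event, events):
        if is_roast_candidate(e):
            idx = int(e["time"].timestamp() // window.total_seconds())   # fixed time bucket
            buckets[(e["user"], idx)].append(e)
    alerts = []
    for (user, idx), evs in sorted(buckets.items()):
        services = sorted({e["service"] for e in evs})
        if len(services) >= threshold:
            alerts.append({"user": user, "services": services,
                           "ips": sorted({e["ip"] for e in evs}),
                           "first_seen": min(e["time"] for e in evs).isoformat()})
    return alerts


def rc4_services(events):
    """Service accounts still being issued RC4 tickets: candidates for AES-only migration."""
    return {e["service"] for e in map(parse_event, events) if is_roast_candidate(e)}


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_4769):
        print(a)
    print("still on RC4:", sorted(rc4_services(SAMPLE_4769)))
```

The threshold and window are tuning knobs; an attacker who requests one ticket an hour slips under them, which is why the structural fixes matter more: 25+ character random passwords or group Managed Service Accounts for anything with an SPN, msDS-SupportedEncryptionTypes set to AES only so 0x17 tickets stop being issued, and a planted honeypot SPN whose 4769 is alert-worthy on its own.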
What is the DCSync Attack?
A DCSync attack is a post-exploitation technique the attacker uses to obtain sensitive information, such as password hashes, from a Domain Controller in an Active Directory environment. Any member of the Administrators, Domain Admins, or Enterprise Admins groups, or any account that holds the directory replication privileges (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), can run this attack.
How a DCSync Attack Works
- Replication Right: In an Active Directory environment some user accounts or groups have permission to replicate directory data from the Domain Controller. These permissions are usually granted to accounts belonging to groups like Domain Admins and Enterprise Admins, or to accounts with specific replication rights.
- Mimikatz Tool: Attackers typically use tools like Mimikatz to perform DCSync attacks. Mimikatz has a specific module designed to request replication data from a DC.
  # Extract the hash of a single account (krbtgt) from the domain controller
  mimikatz # lsadump::dcsync /domain:htb.local /user:krbtgt
  # Extract the hashes of all domain users
  mimikatz # lsadump::dcsync /domain:htb.local /all /csv
The attacker can then use the obtained password hashes to crack them offline or directly authenticate to other services using techniques like Pass-the-Hash.
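Because DCSync is nothing more than a replication request, it leaves the same trace as real replication: with "Audit Directory Service Access" enabled and a SACL on the domain object, the DC logs Security Event ID 4662 whose Properties field carries the control-access-right GUIDs for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Real replication is only ever performed by domain controllers (and a few known sync accounts), so any other subject exercising those rights is the detection. The following is an added example, not code from the original post or from Mimikatz. It extracts the GUIDs from constructed 4662 records and raises an alert for subjects outside an allowlist; the DC names, the "msol_…" account and all event values are made up for the example, and the allowlist is an assumption to be replaced with the environment's own DCs.

```python
"""DCSync detection over Security event 4662 (added example, not from the original post)."""
import re

# Control-access-right GUIDs that directory replication requires (AD schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
CONTROL_ACCESS = 0x100            # AccessMask bit for "control access" (extended rights)

# Subjects allowed to replicate: DC computer accounts and the directory-sync
# service account. Constructed for this example; replace with the real list.
EXPECTED_REPLICATORS = {"dc01$", "dc02$", "msol_a1b2c3d4e5"}

# Constructed 4662 events; Properties is the multi-line field as the DC formats it.
SAMPLE_4662 = [
    {"TimeCreated": "2024-05-01T03:00:00", "SubjectUserName": "DC02$", "SubjectDomainName": "EXAMPLE",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"TimeCreated": "2024-05-01T11:42:10", "SubjectUserName": "jdoe", "SubjectDomainName": "EXAMPLE",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # same user reading an ordinary attribute: not replication, no alert
    {"TimeCreated": "2024-05-01T11:43:00", "SubjectUserName": "jdoe", "SubjectDomainName": "EXAMPLE",
     "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"TimeCreated": "2024-05-01T12:00:00", "SubjectUserName": "MSOL_a1b2c3d4e5", "SubjectDomainName": "EXAMPLE",
     "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
]


def replication_rights(properties: str):
    """Names of the replication rights referenced in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """Alert on replication rights exercised by any subject that is not a known replicator."""
    alerts = []
    for ev in events:
        if not int(ev["AccessMask"], 16) & CONTROL_ACCESS:
            continue
        rights = replication_rights(ev["Properties"])
        if not rights:
            continue
        if ev["SubjectUserName"].lower() in expected:
            continue
        alerts.append({
            "time": ev["TimeCreated"],
            "subject": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
            "rights": rights,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_4662):
        print(a)
```

Pair the log rule with a periodic ACL review of the domain object: every principal granted those two extended rights can DCSync at will, so the list should contain nothing but domain controllers and the accounts a directory-synchronisation product documents as needing them.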
What is the Golden Ticket Attack?
A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT). TGTs authenticate users with Kerberos and are presented when requesting Ticket Granting Service (TGS) tickets, so a forged TGT can obtain any TGS ticket, hence "golden".
Prerequisites:
- Domain Admin or KRBTGT Credentials: You need access to the krbtgt account hash or the hash of a Domain Admin account to create a Golden Ticket.
- Tool: Tools like Mimikatz are essential for extracting credentials and creating the Golden Ticket.
Steps for Performing a Golden Ticket Attack:
- Initial Access: The attacker gains initial access to a network, often through Kerberoasting, LLMNR poisoning, or stolen credentials.
- Privilege Escalation: After gaining initial access, the attacker escalates from a normal user to a local administrator or Domain Admin.
- Extract the hash of the KRBTGT account: With those privileges the KRBTGT hash can be extracted using Mimikatz.
  cd downloads && mimikatz.exe
  mimikatz # privilege::debug
  mimikatz # lsadump::lsa /inject /name:krbtgt
- Golden Ticket Generation: Using the KRBTGT hash, the attacker forges a TGT with any desired user privileges, often choosing high-privilege accounts like Domain Admins.
  # Syntax: kerberos::golden /user: /domain: /sid: /krbtgt: /id:
  mimikatz # kerberos::golden /user:krbtgt /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
  # check that the ticket was created
  klist
- Deploying the Golden Ticket: The forged TGT is deployed on the network, allowing the attacker to authenticate as any user and access any resource without raising alarms.
mimikatz # kerberos::ptt ticket.kirbi
Impact of a Golden Ticket:
- Impersonation of Any User
- Persistent Access
- Execution of Arbitrary Commands
- Lateral Movement and Further Compromise
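A forged TGT never passes through a domain controller, which is exactly what makes it detectable: every legitimate TGT is logged as Event ID 4768 (or 4770 on renewal) before the service-ticket requests it enables appear as 4769. A 4769 for an account with no 4768/4770 on any DC within the TGT maximum lifetime (10 hours by default policy) is therefore a hunting lead for a golden ticket. The following is an added example, not code from the original post or from Mimikatz. It correlates constructed 4768/4769/4770 records under that rule and adds the one preventive check that actually invalidates golden tickets: the age of the krbtgt password, which must be reset twice to retire the key a ticket was forged with. All account names, times and addresses are made up; the 180-day threshold is an assumption, not a policy setting.

```python
"""Golden-ticket hunting over 4768/4769/4770 plus krbtgt key age (added example, not from the original post)."""
from datetime import datetime, timedelta

MAX_TGT_LIFETIME = timedelta(hours=10)   # default "Maximum lifetime for user ticket" domain policy
KRBTGT_MAX_AGE = timedelta(days=180)      # assumed rotation interval for this example

# Constructed events; every value is made up.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TimeCreated": "2024-05-01T08:00:00", "TargetUserName": "alice",
     "IpAddress": "10.0.0.20"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:15:00", "TargetUserName": "alice@EXAMPLE.COM",
     "ServiceName": "FS01$", "IpAddress": "10.0.0.20"},
    # service ticket for Administrator with no TGT ever issued by a DC
    {"EventID": 4769, "TimeCreated": "2024-05-01T11:00:00", "TargetUserName": "Administrator@EXAMPLE.COM",
     "ServiceName": "DC01$", "IpAddress": "10.0.0.99"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T12:00:00", "TargetUserName": "bob@EXAMPLE.COM",
     "ServiceName": "FS01$", "IpAddress": "10.0.0.99"},
    # alice renews her TGT, then uses it again later the same day: legitimate
    {"EventID": 4770, "TimeCreated": "2024-05-01T17:00:00", "TargetUserName": "alice",
     "IpAddress": "10.0.0.20"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T19:30:00", "TargetUserName": "alice@EXAMPLE.COM",
     "ServiceName": "FS01$", "IpAddress": "10.0.0.20"},
]


def _account(name: str) -> str:
    """Strip the realm suffix and normalise case so 4768 and 4769 names compare equal."""
    return name.split("@")[0].lower()


def detect_tgs_without_tgt(events, max_lifetime=MAX_TGT_LIFETIME):
    """Flag 4769 records whose account has no 4768/4770 within max_lifetime before them."""
    last_tgt = {}                        # account -> time of the last TGT issue or renewal
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):   # ISO timestamps sort lexically
        t = datetime.fromisoformat(ev["TimeCreated"])
        user = _account(ev["TargetUserName"])
        if ev["EventID"] in (4768, 4770):
            last_tgt[user] = t
        elif ev["EventID"] == 4769:
            issued = last_tgt.get(user)
            if issued is None or t - issued > max_lifetime:
                alerts.append({
                    "user": user,
                    "time": ev["TimeCreated"],
                    "service": ev["ServiceName"],
                    "ip": ev["IpAddress"],
                    "reason": "no TGT issued by a DC" if issued is None
                              else "last TGT older than maximum lifetime",
                })
    return alerts


def krbtgt_rotation_overdue(pwd_last_set: datetime, now: datetime, max_age=KRBTGT_MAX_AGE) -> bool:
    """True when the krbtgt key is older than the rotation interval.

    A golden ticket stays valid until krbtgt has been reset twice (the KDC
    accepts the previous key as well), so a stale key extends an attacker's window.
    """
    return now - pwd_last_set > max_age


if __name__ == "__main__":
    for a in detect_tgs_without_tgt(SAMPLE_EVENTS):
        print(a)
    print("krbtgt rotation overdue:",
          krbtgt_rotation_overdue(datetime(2023, 1, 1), datetime(2024, 5, 1)))
```

The correlation only works when 4768, 4769 and 4770 from every domain controller are collected centrally and retained for at least one ticket lifetime; a TGT issued before the retention window, or by a DC whose logs are missing, will look forged. Treat a hit as a lead to check the ticket's lifetime and the requesting host, not as proof on its own.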
You can visit our website Untold Cyber to learn more about the latest updates, jobs, and blogs related to cyber security. It offers a wealth of information about the cybersecurity field, blogs and course material, bug bounty tricks, and updates on the industry’s latest job openings and careers in cybersecurity.
If you have any questions or concerns about the cyber security interview questions or preparation, please post comments and feedback. Your feedback and comments are important to us, so please let us know what you think!