Active Directory (AD) is the backbone of most enterprise networks, but it’s also a treasure trove for attackers. As a penetration tester, understanding how to exploit AD vulnerabilities can give you the keys to the kingdom—literally. In this guide, we’ll dive into common AD vulnerabilities, creative exploitation techniques, and advanced methods to escalate privileges and gain domain admin access. Let’s get started!
Ah, Active Directory—the digital equivalent of a medieval castle. It’s the heart of most enterprise networks, guarding the kingdom’s most precious treasures: user accounts, sensitive data, and, of course, the coveted domain admin privileges. But here’s the thing: even the most fortified castles have a secret passage or two, and AD is no exception.
As a penetration tester, I’ve spent more time poking around systems than I care to admit (AD included). And let me tell you, AD is a goldmine for attackers. Why? Because AD is like that one friend who leaves their Wi-Fi password on a sticky note—convenient, but not exactly secure. From credential dumping to golden tickets, there are countless ways to exploit AD vulnerabilities and go from zero to domain admin faster than you can say “password123.”
In this no-fluff (as always!) guide, we’ll dive into the dark arts of AD exploitation. We’ll cover everything from extracting passwords from memory to forging Kerberos tickets and even stealing password hashes directly from the domain controller. Think of it as a crash course in digital lock-picking, but with fewer lock picks and more PowerShell commands.
AD Exploitation Techniques
Let’s dive head-first into how each AD exploitation technique works, and pick up “how-to” hints for protecting your AD castle against it along the way. After all, the best way to protect a castle is to know where the secret passages are.
1. Credential Dumping: Extracting Passwords from Memory
What it is: Extracting plaintext passwords, hashes, or tickets from memory.
Why it works: The LSASS process keeps credential material (plaintext passwords for some authentication providers, NTLM hashes, and Kerberos tickets) in memory so users are not prompted again, which means anyone with enough privilege to read that memory can walk away with it.
How to exploit it:
- Mimikatz: The go-to tool for extracting credentials from memory. Use commands like `sekurlsa::logonpasswords` to dump plaintext passwords.
- Procdump: Use this tool to create a memory dump of the LSASS process, then analyze it with Mimikatz.
- LSASS Dumping via Task Manager: Manually create a memory dump of the LSASS process using Task Manager and analyze it offline.
Examples:
- Mimikatz in Action: Run Mimikatz on a compromised machine to extract plaintext passwords from memory.
- Procdump + Mimikatz: Use Procdump to create a memory dump, then transfer it to your machine for analysis with Mimikatz.
Tools to use:
- Mimikatz: For extracting credentials from memory.
- Procdump: For creating memory dumps.
- Task Manager: For manual LSASS dumping.
How to defend: Enable Credential Guard, restrict which processes may open LSASS, and monitor for processes opening handles to LSASS that have no business doing so.
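The defence above comes down to spotting who opens LSASS with memory-read rights. The following is an added example, not code from the original post: it runs a simple detection over Sysmon Event ID 10 (ProcessAccess) records. The records, the allow-list of Windows components that legitimately touch LSASS, and the paths are all constructed for illustration and would be tuned per environment.

```python
# Added example: flag processes that open LSASS with memory-read rights,
# based on Sysmon Event ID 10 (ProcessAccess) fields.
# All records and the allow-list below are constructed for illustration.

PROCESS_VM_READ = 0x0010               # the right needed to read LSASS memory
PROCESS_QUERY_LIMITED_INFO = 0x1000    # query-only handles are routine and benign

# Windows components that legitimately open LSASS (assumption; tune per environment).
KNOWN_GOOD_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsm.exe",
}

# Constructed Sysmon Event 10 records (SourceImage opened TargetImage with GrantedAccess).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\alice\Downloads\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Tools\dumper.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010"},
]


def is_suspicious_lsass_access(event):
    """True when an unexpected process opened lsass.exe with PROCESS_VM_READ."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    access = int(event["GrantedAccess"], 16)
    if not access & PROCESS_VM_READ:
        return False          # e.g. 0x1000: query-only, no memory read possible
    return event["SourceImage"].lower() not in KNOWN_GOOD_SOURCES


def find_lsass_readers(events):
    """Return the source images that should be investigated, in event order."""
    return [e["SourceImage"] for e in events if is_suspicious_lsass_access(e)]


if __name__ == "__main__":
    for image in find_lsass_readers(SAMPLE_EVENTS):
        print("investigate:", image)
```

Both the Procdump and the Task Manager paths from the list above light up here, because each needs `PROCESS_VM_READ` on LSASS; the svchost query-only handle and the allow-listed csrss handle do not. The mask check matters more than the exact value: the commonly cited masks (0x1010, 0x1410, 0x1FFFFF) all differ, but every working dump includes the 0x10 bit.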
2. Pass-the-Hash: Using Hashes to Authenticate
What it is: Using password hashes to authenticate without knowing the plaintext password.
Why it works: NTLM authentication proves possession of the password hash rather than the password itself, so a hash lifted from memory or intercepted on the wire is as good as the password it was derived from.
How to exploit it:
- Mimikatz: Use the `sekurlsa::pth` command to pass the hash and authenticate as the user.
- Impacket’s psexec.py: Use this Python script to authenticate with a hash and execute commands on a remote machine.
- CrackMapExec: Use this tool to pass the hash and execute commands across the network.
Examples:
- Mimikatz Pass-the-Hash: Use Mimikatz to pass a hash and gain access to a remote machine.
- Impacket psexec.py: Use Impacket to authenticate with a hash and execute commands on a remote machine.
Tools to use:
- Mimikatz: For passing the hash.
- Impacket: For executing commands with a hash.
- CrackMapExec: For network-wide hash passing.
How to defend: Disable NTLM authentication where you can, enforce strong passwords, and monitor logon events for pass-the-hash patterns.
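Two of those defensive steps, monitoring logon events and deciding where NTLM can be switched off, can be driven from Windows Security Event ID 4624 records. The example below is added here and is not part of the original post; the 4624 records and the list of privileged accounts are constructed, and the "seclogo" heuristic is the well-known local artifact of a logon session created with explicitly supplied credentials (which `runas /netonly` also produces, so it is a lead to triage rather than a verdict).

```python
# Added example: two checks over Windows Security Event ID 4624 (logon) records.
# Records and the privileged-account list below are constructed for illustration.

# Accounts that should never authenticate with NTLM (assumption; tune per environment).
PRIVILEGED_ACCOUNTS = {"administrator", "da-backup"}

SAMPLE_LOGONS = [
    {"TargetUserName": "alice", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "IpAddress": "10.0.0.15"},
    # Local artifact of a new logon session with injected credentials.
    {"TargetUserName": "administrator", "LogonType": 9, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "seclogo", "IpAddress": "::1"},
    # Privileged account authenticating over NTLM from the network.
    {"TargetUserName": "administrator", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "IpAddress": "10.0.0.99"},
    {"TargetUserName": "bob", "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "User32", "IpAddress": "-"},
]


def is_credential_injection_logon(ev):
    """LogonType 9 (NewCredentials) + LogonProcess 'seclogo' + Negotiate is the
    shape left behind when a session is started with explicit credentials, as
    Mimikatz's pth does; 'runas /netonly' looks the same, so treat it as a lead."""
    return (ev["LogonType"] == 9
            and ev["LogonProcessName"].lower() == "seclogo"
            and ev["AuthenticationPackageName"].lower() == "negotiate")


def is_privileged_ntlm_network_logon(ev):
    """Network logon (type 3) over NTLM by an account that should only use Kerberos."""
    return (ev["LogonType"] == 3
            and ev["AuthenticationPackageName"].upper() == "NTLM"
            and ev["TargetUserName"].lower() in PRIVILEGED_ACCOUNTS)


def triage_logons(events):
    """Return findings as tuples; the first element is the finding type."""
    findings = []
    for ev in events:
        if is_credential_injection_logon(ev):
            findings.append(("credential-injection", ev["TargetUserName"]))
        if is_privileged_ntlm_network_logon(ev):
            findings.append(("privileged-ntlm", ev["TargetUserName"], ev["IpAddress"]))
    return findings


if __name__ == "__main__":
    for finding in triage_logons(SAMPLE_LOGONS):
        print(finding)
```

The second check is also a cheap inventory: run it over a few weeks of 4624 events and the list of privileged accounts still relying on NTLM is exactly the list you need to clean up before NTLM can be disabled.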
3. Kerberoasting: Exploiting Service Accounts
What it is: Extracting service account hashes and cracking them offline.
Why it works: Any domain user can request a service ticket for any registered SPN, and that ticket is encrypted with the service account’s password hash. Service accounts often have weak, never-expiring passwords, so the ticket can be cracked offline without ever touching the service.
How to exploit it:
- Mimikatz: Use the `kerberos::list` command to export the requested service tickets, which carry the hash material for offline cracking.
- Impacket’s GetUserSPNs.py: Use this script to request service account tickets and extract hashes.
- Hashcat: Use this tool to crack the extracted hashes offline.
Examples:
- Mimikatz Kerberoasting: Use Mimikatz to extract service account hashes and crack them offline.
- Impacket GetUserSPNs.py: Use Impacket to request service account tickets and extract hashes.
Tools to use:
- Mimikatz: For extracting service account hashes.
- Impacket: For requesting service account tickets.
- Hashcat: For cracking hashes offline.
How to defend: Use strong passwords for service accounts, monitor for unusual ticket requests, and implement Kerberos armoring.
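"Monitor for unusual ticket requests" is concrete enough to script. The example below is added here and is not from the original post: it scans Windows Security Event ID 4769 (service ticket requested) records for the Kerberoasting shape, RC4-encrypted tickets for user-type service accounts, and groups them by requester. The records and the alert threshold are constructed assumptions.

```python
# Added example: detect Kerberoasting-shaped service ticket requests in
# Windows Security Event ID 4769 records. Records are constructed for illustration.
from collections import defaultdict

RC4_HMAC = 0x17          # TicketEncryptionType for RC4-HMAC; AES types are 0x11 / 0x12
RC4_THRESHOLD = 3        # distinct roastable SPNs per requester before alerting (assumption)

SAMPLE_4769 = [
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.15"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "FS02$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
]


def is_roastable_request(ev):
    """RC4 ticket for a user-type service account. Machine accounts ($) have random
    128-character passwords and krbtgt is never the target, so both are excluded."""
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return int(ev["TicketEncryptionType"], 16) == RC4_HMAC


def kerberoast_suspects(events, threshold=RC4_THRESHOLD):
    """Map (requester, source IP) -> sorted SPNs for requesters over the threshold."""
    spns_by_requester = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            spns_by_requester[key].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in spns_by_requester.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (user, ip), spns in kerberoast_suspects(SAMPLE_4769).items():
        print(f"{user} from {ip} requested RC4 tickets for: {', '.join(spns)}")
```

A single RC4 ticket is not evidence (alice above requested one and is not reported); a burst of them for many different service accounts from one host is the signature. The signal gets much stronger once service accounts are configured for AES, because then an RC4 request can only mean the client asked for the downgrade.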
4. Golden Ticket Attacks: Forging Kerberos Tickets
What it is: Creating forged Kerberos tickets to gain domain admin access.
Why it works: A TGT forged with the KRBTGT account’s password hash is indistinguishable from a real one to every domain controller, so the attacker can mint tickets for any user, domain admins included, without ever authenticating.
How to exploit it:
- Mimikatz: Use the `kerberos::golden` command to create a golden ticket.
- Impacket’s ticketer.py: Use this script to create forged Kerberos tickets.
Examples:
- Mimikatz Golden Ticket: Use Mimikatz to create a golden ticket and gain domain admin access.
- Impacket ticketer.py: Use Impacket to create a forged Kerberos ticket.
Tools to use:
- Mimikatz: For creating golden tickets.
- Impacket: For forging Kerberos tickets.
How to defend: Regularly rotate the KRBTGT account password (twice, because the KDC still honours the previous key until the second reset), monitor for unusual ticket usage, and implement strong authentication policies.
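The KRBTGT rotation is the one defence that actually invalidates an existing golden ticket, and the usual failure is doing it once and stopping. The example below is added here and is not part of the original post: it turns the account’s `pwdLastSet` attribute (a Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC) into a key age and, when the key is older than the chosen policy, produces the two-step reset plan. The policy interval and the sample timestamps are constructed assumptions; the 10-hour figure is AD’s default maximum TGT lifetime.

```python
# Added example: check KRBTGT key age from pwdLastSet and plan the double reset.
# Timestamps and the rotation interval below are constructed / policy assumptions.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # FILETIME unit is 100 ns
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND
MAX_KEY_AGE_DAYS = 180                   # rotation policy (assumption)
TGT_LIFETIME_HOURS = 10                  # AD default maximum TGT lifetime


def filetime_to_datetime(ft):
    """Integer FILETIME -> timezone-aware datetime (integer arithmetic, no float loss)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def krbtgt_key_age_days(pwd_last_set, now_filetime):
    return (now_filetime - pwd_last_set) // TICKS_PER_DAY


def rotation_plan(pwd_last_set, now_filetime, max_age_days=MAX_KEY_AGE_DAYS):
    """Empty when the key is within policy; otherwise the two resets, as
    (action, ISO-8601 time) pairs. One reset is not enough: the KDC accepts
    tickets under the previous key, so a golden ticket survives it. Wait at least
    the TGT lifetime (and for replication to converge) before the second reset so
    legitimately issued TGTs expire instead of failing."""
    if krbtgt_key_age_days(pwd_last_set, now_filetime) <= max_age_days:
        return []
    first = filetime_to_datetime(now_filetime)
    second = first + timedelta(hours=TGT_LIFETIME_HOURS)
    return [("reset krbtgt (previous key still honoured)", first.isoformat()),
            ("reset krbtgt again once outstanding TGTs have expired", second.isoformat())]


if __name__ == "__main__":
    # Constructed values: key last set at the Unix epoch, "now" 200 days later.
    unix_epoch_ft = 116_444_736_000_000_000
    now_ft = unix_epoch_ft + 200 * TICKS_PER_DAY
    print("key age (days):", krbtgt_key_age_days(unix_epoch_ft, now_ft))
    for step, when in rotation_plan(unix_epoch_ft, now_ft):
        print(when, step)
```

In a real run, `pwdLastSet` comes from an LDAP query against the krbtgt object; the conversion is the same. Keep in mind that rotating KRBTGT evicts the attacker only if the original theft path (DCSync, a DC backup, a dumped NTDS.dit) has been closed, or they will simply read the new hash.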
5. DCSync: Stealing Password Hashes from the Domain Controller
What it is: Mimicking a domain controller to request password hashes.
Why it works: DCSync uses the directory replication RPC interface that domain controllers use to synchronise with each other. Any principal holding the replication rights on the domain object (by default only domain controllers and domain/enterprise admins) can ask a DC to hand over any account’s secrets, including the KRBTGT hash, with no code ever running on the DC itself.
How to exploit it:
- Mimikatz: Use the `lsadump::dcsync` command to extract password hashes.
- Impacket’s secretsdump.py: Use this script to perform a DCSync attack and extract hashes.
Examples:
- Mimikatz DCSync: Use Mimikatz to perform a DCSync attack and extract password hashes.
- Impacket secretsdump.py: Use Impacket to perform a DCSync attack and extract hashes.
Tools to use:
- Mimikatz: For performing DCSync attacks.
- Impacket: For extracting password hashes.
How to defend: Restrict replication permissions on the domain object to domain controllers, monitor for replication requests coming from anything that is not a DC, and implement strong access controls.
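Replication requests show up as Windows Security Event ID 4662 (an operation was performed on an object) once "Audit Directory Service Access" and a SACL on the domain object for the replication rights are in place. The example below is added here and is not part of the original post: it pulls the control-access GUIDs out of 4662 records and reports replication rights exercised by any account that is not a domain controller. The records and the DC account list are constructed; the three GUIDs are the real schema identifiers of the replication extended rights.

```python
# Added example: flag directory-replication access (Event ID 4662) requested by
# anything other than a domain controller account. Records are constructed.
import re

# rightsGuid values of the replication extended rights (real schema identifiers).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100    # AccessMask bit meaning "control access" (extended right)
DC_ACCOUNTS = {"dc01$", "dc02$"}   # domain controller computer accounts (assumption)

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "alice", "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Constructed, unrelated property read (placeholder GUID, not a real schema id).
    {"SubjectUserName": "alice", "ObjectType": "user", "AccessMask": "0x10",
     "Properties": "{deadbeef-0000-4000-8000-000000000001}"},
]


def replication_rights_in(event):
    """Names of replication rights exercised by this event (empty if none)."""
    if not int(event["AccessMask"], 16) & CONTROL_ACCESS:
        return []
    guids = GUID_RE.findall(event["Properties"].lower())
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]


def dcsync_suspects(events, dc_accounts=DC_ACCOUNTS):
    """(subject, rights) for replication requests not made by a domain controller."""
    hits = []
    for ev in events:
        rights = replication_rights_in(ev)
        if rights and ev["SubjectUserName"].lower() not in dc_accounts:
            hits.append((ev["SubjectUserName"], rights))
    return hits


if __name__ == "__main__":
    for subject, rights in dcsync_suspects(SAMPLE_4662):
        print(f"{subject} exercised {', '.join(rights)} on the domain object")
```

The same DC allow-list is the audit you want on the ACL side: anything else holding Get-Changes plus Get-Changes-All on the domain head can run DCSync, whether or not it ever has.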
6. ACL Abuse: Exploiting Misconfigured Permissions
What it is: Exploiting misconfigured access control lists (ACLs) to escalate privileges.
Why it works: A misconfigured ACL (for example, write access on a privileged group or user object granted to a broad group) lets an attacker change group membership, reset passwords, or rewrite the ACL itself, climbing one object at a time until they reach domain admin.
How to exploit it:
- BloodHound: Use this tool to identify misconfigured ACLs and potential attack paths.
- PowerView: Use this PowerShell script to enumerate and exploit misconfigured ACLs.
Examples:
- BloodHound ACL Abuse: Use BloodHound to identify misconfigured ACLs and escalate privileges.
- PowerView ACL Abuse: Use PowerView to enumerate and exploit misconfigured ACLs.
Tools to use:
- BloodHound: For identifying misconfigured ACLs.
- PowerView: For enumerating and exploiting ACLs.
How to defend: Regularly audit ACLs on privileged objects, implement least privilege, and monitor for unusual permission changes.
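An ACL audit is only useful if it also follows the chains, because the dangerous finding is rarely a single ACE but "helpdesk can write group X, and group X owns Domain Admins". The example below is added here and is not code from the original post or from BloodHound or PowerView: it takes ACE rows as an ACL export might list them, flags takeover-class rights held by principals outside the expected admin set, and runs a breadth-first search over the resulting "principal controls object" edges. The rows, the expected-holder set, and the naming of objects by account name are constructed simplifications; the two extended-right GUIDs are real schema identifiers.

```python
# Added example: audit directory ACEs and walk control paths toward a high-value
# target. ACE rows and the expected-holder set are constructed for illustration.
from collections import deque

# Rights that let the holder take over the object outright.
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}
# Extended rights worth flagging, keyed by rightsGuid (real schema identifiers).
FLAGGED_EXTENDED = {
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Principals expected to hold such rights; everything else is reviewed (assumption).
EXPECTED_HOLDERS = {"Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM"}

# Constructed ACE rows; objects and principals are named by account for brevity.
SAMPLE_ACES = [
    {"Object": "Domain Admins", "Principal": "Domain Admins", "Right": "GenericAll", "ObjectType": ""},
    {"Object": "Domain Admins", "Principal": "IT-Ops", "Right": "WriteOwner", "ObjectType": ""},
    {"Object": "IT-Ops", "Principal": "helpdesk", "Right": "GenericWrite", "ObjectType": ""},
    {"Object": "svc_sql", "Principal": "helpdesk", "Right": "ExtendedRight",
     "ObjectType": "00299570-246d-11d0-a768-00aa006e0529"},
    # Constructed placeholder GUID standing in for a harmless extended right.
    {"Object": "svc_sql", "Principal": "helpdesk", "Right": "ExtendedRight",
     "ObjectType": "deadbeef-0000-4000-8000-000000000001"},
    {"Object": "bob", "Principal": "helpdesk", "Right": "ReadProperty", "ObjectType": ""},
]


def ace_risk(ace):
    """Label when this ACE grants a takeover-class right to an unexpected principal."""
    if ace["Principal"] in EXPECTED_HOLDERS:
        return None
    if ace["Right"] in TAKEOVER_RIGHTS:
        return ace["Right"]
    if ace["Right"] == "ExtendedRight":
        return FLAGGED_EXTENDED.get(ace["ObjectType"].lower())
    return None


def risky_aces(aces):
    """(principal, object, right-label) for every ACE that needs review."""
    findings = []
    for ace in aces:
        label = ace_risk(ace)
        if label:
            findings.append((ace["Principal"], ace["Object"], label))
    return findings


def build_graph(aces):
    """Directed edges principal -> object for each risky ACE."""
    graph = {}
    for principal, obj, _ in risky_aces(aces):
        graph.setdefault(principal, set()).add(obj)
    return graph


def find_path(graph, start, target):
    """Breadth-first search; a returned path means start can take over target."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    graph = build_graph(SAMPLE_ACES)
    for finding in risky_aces(SAMPLE_ACES):
        print("review:", finding)
    print("path:", find_path(graph, "helpdesk", "Domain Admins"))
```

The single WriteOwner ACE on Domain Admins is the one to fix first; removing it breaks every chain that ends there, which is the least-privilege step the defence above calls for. Rerunning the search after each ACL change confirms the path is actually gone rather than merely longer.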
Conclusion
Active Directory is a complex and powerful system, but it’s also a prime target for attackers. By understanding and exploiting these vulnerabilities, you can help organizations strengthen their defenses and protect their most critical assets. Remember, the goal isn’t just to break in—it’s to make the system more secure.
TL;DR
- Credential Dumping: Extract passwords from memory using Mimikatz or Procdump.
- Pass-the-Hash: Use hashes to authenticate with Mimikatz or Impacket.
- Kerberoasting: Extract and crack service account hashes with Mimikatz or Impacket.
- Golden Ticket: Forge Kerberos tickets to gain domain admin access.
- DCSync: Steal password hashes from the domain controller.
- ACL Abuse: Exploit misconfigured permissions to escalate privileges.