Attacking Active Directory and NTDS.dit
Dictionary attacks against AD accounts using NetExec
Username convention
Practical example for Jane Jill Doe
firstinitiallastname
jdoe
firstinitialmiddleinitiallastname
jjdoe
firstnamelastname
janedoe
firstname.lastname
jane.doe
lastname.firstname
doe.jane
nickname
doedoehacksstuff
Often, an email address's structure will give us the employee's username (structure: username@domain). For example, from the email address jdoe@inlanefreight.com, we can infer that jdoe is the username.
Creating a custom list of usernames
Let's say we have done our research and gathered a list of names based on publicly available information. We will keep the list relatively short for the sake of this lesson because organizations can have a huge number of employees. Example list of names:
Ben Williamson
Bob Burgerstien
Jim Stevenson
Jill Johnson
Jane Doe
We can create a custom list on our attack host using the names above. We can use a command line-based text editor like Vim or a graphical text editor to create our list. Our list may look something like this:
Of course, this is just an example and doesn't include all of the names, but notice how we can include a different naming convention for each name if we do not already know the naming convention used by the target organization.
We can manually create our list(s) or use an automated list generator such as the Ruby-based tool Username Anarchy to convert a list of real names into common username formats. Once the tool has been cloned to our local attack host using Git, we can run it against a list of real names as shown in the example output below:
Enumerating valid usernames with Kerbrute
In this example, NetExec is using SMB to attempt to logon as user (-u) bwilliamson using a password (-p) list containing a list of commonly used passwords (/usr/share/wordlists/fasttrack.txt). If the admins configured an account lockout policy, this attack could lock out the account that we are targeting. At the time of this writing (January 2022), an account lockout policy is not enforced by default with the default group policies that apply to a Windows domain, meaning it is possible that we will come across environments vulnerable to this exact attack we are practicing.
Once we have our list(s) prepared or discover the naming convention and some employee names, we can launch a brute-force attack against the target domain controller using a tool such as NetExec. We can use it in conjunction with the SMB protocol to send logon requests to the target Domain Controller. Here is the command to do so:
Launching a brute-force attack with NetExec
Event logs from the attack
On any Windows operating system, an admin can navigate to Event Viewer and view the Security events to see the exact actions that were logged.
Capturing NTDS.dit
NT Directory Services (NTDS) is the directory service used with AD to find & organize network resources. Recall that NTDS.dit file is stored at %systemroot%/ntds on the domain controllers in a forest. The .dit stands for directory information tree. This is the primary database file associated with AD and stores all domain usernames, password hashes, and other critical schema information. If this file can be captured, we could potentially compromise every account on the domain similar to the technique we covered in this module's Attacking SAM, SYSTEM, and SECURITY section. As we practice this technique, consider the importance of protecting AD and brainstorm a few ways to stop this attack from happening.
Connecting to a DC with Evil-WinRM
We can connect to a target DC using the credentials we captured.
Attacking Active Directory and NTDS.dit
Evil-WinRM connects to a target using the Windows Remote Management service combined with the PowerShell Remoting Protocol to establish a PowerShell session with the target.
Checking local group membership
Once connected, we can check to see what privileges bwilliamson has. We can start with looking at the local group membership using the command:
We are looking to see if the account has local admin rights. To make a copy of the NTDS.dit file, we need local admin (Administrators group) or Domain Admin (Domain Admins group) (or equivalent) rights. We also will want to check what domain privileges we have.
Checking user account privileges including domain
This account has both Administrators and Domain Administrator rights which means we can do just about anything we want, including making a copy of the NTDS.dit file.
Creating shadow copy of C:
We can use vssadmin to create a Volume Shadow Copy (VSS) of the C: drive or whatever volume the admin chose when initially installing AD. It is very likely that NTDS will be stored on C: as that is the default location selected at install, but it is possible to change the location. We use VSS for this because it is designed to make copies of volumes that may be read & written to actively without needing to bring a particular application or system down. VSS is used by many different backup and disaster recovery software to perform operations.
Copying NTDS.dit from the VSS
We can then copy the NTDS.dit file from the volume shadow copy of C: onto another location on the drive to prepare to move NTDS.dit to our attack host.
Before copying NTDS.dit to our attack host, we may want to use the technique we learned earlier to create an SMB share on our attack host. Feel free to go back to the Attacking SAM, SYSTEM, and SECURITY section to review that method if needed.
Note: As was the case with
SAM, the hashes stored inNTDS.ditare encrypted with a key stored inSYSTEM. In order to successfully extract the hashes, one must download both files.
Transferring NTDS.dit to attack host
Now cmd.exe /c move can be used to move the file from the target DC to the share on our attack host.
Extracting hashes from NTDS.dit
With a copy of NTDS.dit on our attack host, we can go ahead and dump the hashes. One way to do this is with Impacket's secretsdump:
A faster method: Using NetExec to capture NTDS.dit
Alternatively, we may benefit from using NetExec to accomplish the same steps shown above, all with one command. This command allows us to utilize VSS to quickly capture and dump the contents of the NTDS.dit file conveniently within our terminal session.
Cracking a single hash with Hashcat
In many of the techniques we have covered so far, we have had success in cracking hashes we've obtained.
What if we are unsuccessful in cracking a hash?
Pass the Hash (PtH) considerations
We can still use hashes to attempt to authenticate with a system using a type of attack called Pass-the-Hash (PtH). A PtH attack takes advantage of the NTLM authentication protocol to authenticate a user using a password hash. Instead of username:clear-text password as the format for login, we can instead use username:password hash. Here is an example of how this would work:
Pass the Hash (PtH) with Evil-WinRM Example
We can attempt to use this attack when needing to move laterally across a network after the initial compromise of a target. More on PtH will be covered in the module AD Enumeration and Attacks.
Lab - Questions
What is the name of the file stored on a domain controller that contains the password hashes of all domain accounts? (Format: **.*)
NTDS.dit
Submit the NT hash associated with the Administrator user from the example output in the section reading.
64f12cddaa88057e06a81b54e73b949b
On an engagement you have gone on several social media sites and found the Inlanefreight employee names: John Marston IT Director, Carol Johnson Financial Controller and Jennifer Stapleton Logistics Manager. You decide to use these names to conduct your password attacks against the target domain controller. Submit John Marston's credentials as the answer. (Format: username:password, Case-Sensitive)
Info -> People; John Marston IT Director | Carol Johnson Financial Controller | Jennifer Stapleton Logistics Manager
Fristly, save into a file the three names obtanided -->
Before that, git clone the user anarquie repositori and generame usernames -->
Once we have it, try to bruteforce via SMB and using rocku to password diccitionarie -->
Take a long time
So... try using use kerbrute to know the specific username -->
Gitclone the kerbrute repo and do 'male all'
Once we know the real user, try to bruteforce smb -->
Capture the NTDS.dit file and dump the hashes. Use the techniques taught in this section to crack Jennifer Stapleton's password. Submit her clear-text password as the answer. (Format: Case-Sensitive)
We know see that jmarston is the admin of this pc, so... we connect via winrm to it -->
Now Iโll check the local group membership to check if I have Administrator privileges:
Yes I have, so Iโll also check my Domain Privileges:
As I also have them, I will now try to capture the NTDS.dit using netexec (FAST way)
We need get the password of ILF.local\jstapleton:1108:aad3b435b51404eeaad3b435b51404ee:92fd67fd2f49d0e83744aa82363f021b::: so.... get the NT hash and crack it --->
92fd67fd2f49d0e83744aa82363f021b
Last updated