Attacking Active Directory & NTDS.dit
Here we will learn how credentials can be extracted through a dictionary attack against AD accounts and by dumping hashes from the NTDS.dit file.
For either technique, our target must be reachable over the network. This means it is highly likely that we will need a foothold established on the internal network to which the target is connected.
Here is how authentication changes once a Windows system has been joined to a domain. A domain-joined system no longer defaults to the local SAM database to validate logon requests; instead it sends all authentication requests to the domain controller for validation before allowing a user to log on.
To attempt a dictionary attack against the domain, we need to know the patterns organisations commonly use when creating employee usernames:

| Username Convention | Practical Example for Jane Jill Doe |
|---|---|
| first initial + last name | jdoe |
| first initial + middle initial + last name | jjdoe |
| first name + last name | janedoe |
| first name . last name | jane.doe |
| last name . first name | doe.jane |
| nickname | doedoehacksstuff |

The same conventions usually apply to the email address, e.g. jdoe@inlanefreight.com.
Let's say we have discovered some employee names:
Ben Williamson
Bob Burgerstien
Jim Stevenson
Using the tool Username Anarchy, we can convert a list of real names into the common username formats above.
Once we have our list(s) prepared or discover the naming convention and some employee names, we can launch our attack against the target domain controller using a tool such as CrackMapExec.
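From the defender's side, this kind of dictionary attack leaves a trail of 4625 (failed logon) events on the domain controller: one source, many distinct accounts, few attempts each. The following is an added Python example, not part of the original notes, that flags that "wide and shallow" spray shape over constructed sample records; the record format, IP addresses and threshold values are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed simplified 4625 records (not real logs): "<ISO time> <event id> <source ip> <account>"
SAMPLE_LOG = """\
2024-03-01T09:00:05 4625 10.10.14.5 jmarston
2024-03-01T09:00:07 4625 10.10.14.5 cjohnson
2024-03-01T09:00:09 4625 10.10.14.5 jstapleton
2024-03-01T09:00:11 4625 10.10.14.5 bwilliamson
2024-03-01T09:00:13 4625 10.10.14.5 jstevenson
2024-03-01T09:01:00 4625 10.10.14.9 jdoe
2024-03-01T09:01:02 4625 10.10.14.9 jdoe
2024-03-01T09:01:04 4625 10.10.14.9 jdoe
2024-03-01T09:01:06 4625 10.10.14.9 jdoe
"""

def parse_events(text):
    """Parse the simplified record format into dicts, one per non-blank line."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, eid, ip, user = line.split()
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                       "source_ip": ip, "target_user": user.lower()})
    return events

def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=3):
    """Return [(source_ip, sorted accounts)] for each source whose failed logons
    hit >= min_accounts distinct accounts inside one window with <= max_per_account
    failures each. A burst against a single account (plain brute force) does not match."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            by_source[ev["source_ip"]].append(ev)
    alerts = []
    for ip, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):  # sliding time window over this source's failures
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            per_account = Counter(e["target_user"] for e in evs[start:end + 1])
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                alerts.append((ip, sorted(per_account)))
                break  # one alert per source is enough
    return alerts
```

Run against `SAMPLE_LOG`, only 10.10.14.5 is flagged; the repeated failures from 10.10.14.9 against a single account are a different pattern (and one that account-lockout policy already handles).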
Capturing NTDS.dit
NT Directory Services (NTDS) is the directory service used with AD to find and organize network resources. Recall that the NTDS.dit file is stored at %systemroot%/ntds on the domain controllers in a forest. The .dit stands for directory information tree. This is the primary database file associated with AD and stores all domain usernames, password hashes, and other critical schema information.
Connecting to a DC with Evil-WinRM
Once we have a set of credentials, we can try to connect to the DC with Evil-WinRM.
Once connected, we can check what privileges bwilliamson has.
To make a copy of the NTDS.dit file, we need local admin (Administrators group) or Domain Admin (Domain Admins group) rights, or equivalent.
Checking User Account Privileges including Domain
This account has both Administrators and Domain Admins rights, which means it can do just about anything on the DC.
We can use vssadmin to create a Volume Shadow Copy (VSS) of the C: drive, because NTDS.dit is stored on C: by default (that is the location selected at install), though it is possible to change the location.
Then, to copy the file, we need to create an SMB share on our attack host.
We can then copy the NTDS.dit file from the volume shadow copy of C: onto another location on the drive to prepare to move NTDS.dit to our attack host.
Now cmd.exe /c move can be used to move the file from the target DC to the share on our attack host.
Using cme to Capture NTDS.dit
This is much faster than the manual shadow-copy method.
Cracking Hashes
Now we can copy the output of the attack, put every NT hash in a txt file, and launch hashcat against it.
What if we are unsuccessful in cracking a hash?
We can still use hashes to attempt to authenticate to a system using a type of attack called Pass-the-Hash (PtH). A PtH attack takes advantage of the NTLM authentication protocol to authenticate a user using a password hash. Instead of username:clear-text password as the format for login, we can instead use username:password hash.
Pass-the-Hash with Evil-WinRM Example
On an engagement you have gone on several social media sites and found the Inlanefreight employee names: John Marston IT Director, Carol Johnson Financial Controller and Jennifer Stapleton Logistics Manager. You decide to use these names to conduct your password attacks against the target domain controller. Submit John Marston's credentials as the answer. (Format: username:password, Case-Sensitive)
Did not manage to finish this; will come back later ->