This article showcases various attacks and tasks that can be performed on a compromised Windows machine joined to a domain, using the Mimikatz modules built into PowerShell Empire.
Table of Contents
· Introduction
· DC Sync Attack
· DC Sync Hash Dump
· Golden Ticket
· Extracting Tickets
· Domain Cache
· Mimikatz Commands
· Extracting Certificates
· Mimitokens
· Crypto Keys
· Purging Tickets
· Logon Passwords
· Local Security Authority (LSA|LSASS.EXE)
· SAM
· Conclusion
Introduction
PowerShell Empire is one of those tools that has kept on giving to the penetration-testing community ever since it was first introduced. The other tool we can think of with that much utility is Mimikatz. It has been years since both were released, but their ability to consistently attack Windows machines is unmatched. We know that neither PowerShell Empire nor Mimikatz is being used in the wild currently, because their signatures have been added to almost all anti-virus software and across VirusTotal. This has made them less usable compared to Cobalt Strike and other alternatives, but when it comes to understanding the basics of Windows authentication systems such as SAM and LSASS, attacking them and extracting credentials, no tool works as efficiently as Mimikatz.
We covered various forms of credential dumping with Mimikatz in our Credential Dumping series, but we didn't present a consolidated guide to using Mimikatz with PowerShell Empire. Hence, we created this resource.
DC Sync Attack
The Mimikatz DCSync function allows an attacker to replicate Domain Controller (DC) behaviour. It impersonates a domain controller and requests user credential data from other DCs via GetNCChanges. The compromised account must be a member of the Administrators, Domain Admins or Enterprise Admins group to retrieve account password hashes from the other domain controllers. As a result, the intruder can build forged Kerberos tickets using a retrieved hash to obtain any of the Active Directory resources. Here we have compromised a machine and a user who is a member of a privileged group (Administrators, Domain Admins or Enterprise Admins).
usemodule credentials/mimikatz/dcsync
set user krbtgt
execute
Loading the dcsync module invokes the Mimikatz PowerShell script to execute the DCSync attack, obtaining the credential by requesting it from another domain controller in the domain. Here we are requesting the KRBTGT account hashes, and as a result it retrieves the KRBTGT NTLM hash.
Learn More: Credential Dumping: DCSync Attack
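From the defender's side, the DCSync request described above is a directory replication request, which Windows audits as Security event 4662 carrying the replication control-access-right GUIDs in its Properties field (when directory service access auditing is enabled). The following detection logic is an added example, not code from the original article or from Empire; the domain name, DC name, user names and the sample events are constructed for illustration.

```python
# Added example: flag 4662 events that request replication rights
# from a principal that is not a domain controller computer account.
import re

# Well-known control access right GUIDs for directory replication.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

def dcsync_candidates(events, dc_accounts):
    """Return (SubjectUserName, [right names]) for every 4662 event that
    requests replication rights from a principal not in dc_accounts."""
    dcs = {a.upper() for a in dc_accounts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = [REPLICATION_GUIDS[g.lower()]
                  for g in GUID_RE.findall(ev.get("Properties", ""))
                  if g.lower() in REPLICATION_GUIDS]
        if not rights:
            continue  # some other directory object access
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in dcs:
            continue  # a domain controller replicating normally
        hits.append((subject, sorted(set(rights))))
    return hits

# Constructed sample events (hypothetical domain with a DC named DC1).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC1$",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "pavan",
     "Properties": "Control Access {1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "pavan",  # constructed non-replication GUID
     "Properties": "Write Property {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},
    {"EventID": 4624, "SubjectUserName": "pavan", "Properties": ""},
]

if __name__ == "__main__":
    for user, rights in dcsync_candidates(SAMPLE_EVENTS, ["DC1$"]):
        print(f"possible DCSync by {user}: {', '.join(rights)}")
```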
DC Sync Hash Dump
The DCSync attack we just performed targeted a particular user, so the NTLM hash returned was for that user only. If the attacker wants to extract the hashes of all the users created on the Domain Controller, the hashdump module comes into action. It performs the DCSync attack for each and every user and then presents the hashes for all of them in a consolidated view, as shown in the image below.
usemodule credentials/mimikatz/dcsync_hashdump
execute
Golden Ticket
The Golden Ticket attack is a famous technique for impersonating users on an AD domain by abusing Kerberos authentication.
Default local accounts are built-in accounts that are created automatically when a Windows Server domain controller is installed and the domain is created. These default local accounts have counterparts in Active Directory. The default local accounts in the Users container include Administrator, Guest and KRBTGT. In an Active Directory domain, every domain controller runs a KDC (Key Distribution Center) service that processes all requests for Kerberos tickets. For Kerberos tickets, AD uses the KRBTGT account in the AD domain. A legitimate user begins the communication with a service request to the application server. The KRBTGT account acts as the service account for the Key Distribution Center (KDC), which is separated into three parts: Database (db), Authentication Server (AS) and Ticket Granting Server (TGS). The Authentication Server (AS) verifies client authentication. If the logged-on user is authenticated successfully, the AS issues a ticket called a TGT, which confirms to other servers that the user has been authenticated. Then the user requests a TGS from the KDC, which is used to access the service on the application server.
Forging Kerberos tickets depends on the password hash available to the attacker. Golden Tickets require the KRBTGT password hash. Golden Tickets are forged Ticket-Granting Tickets (TGTs), also called authentication tickets; the attacker bypasses authentication and initiates communication with the KDC directly. Since a Golden Ticket is a forged TGT, it is sent to the Domain Controller as part of the TGS-REQ to get a service ticket. The TGT is used mainly to inform the KDC on a domain controller that another domain controller has authenticated the user. In reality, the TGT is encrypted with the KRBTGT password hash, and any KDC service inside the domain can decrypt it to prove it is valid.
If an intruder has access to an Active Directory forest/domain administrator or local administrator account, he/she can exploit Kerberos tickets for identity theft. In a Golden Ticket attack, he/she creates a Kerberos ticket that is valid for 10 years. Even if any other user changes their password, the attacker can still use the KRBTGT account to stay on the network. The attacker may also create usable user/computer/service tickets from Kerberos for a non-existent Active Directory account. As we know, there are some basic requirements to create a forged TGT, i.e., extracting the domain name, SID and krbtgt hash. Once an attacker has admin access to a Domain Controller, the KRBTGT account password hashes can be extracted using Mimikatz.
Once we have compromised a victim machine that is a member of the AD domain, we can use the following module directly, without an admin-privileged session.
usemodule credentials/mimikatz/golden_ticket
set domain <Domain_name>
set sid <SID>
set group 500
set user pavan
set krbtgt_hash <ntlm_hash>
set id 500
execute
kerberos::golden /user:pavan /domain:ignite.local /sid:<SID>
back
shell dir \\DC1.ignite.local\c$
This is a dynamic way to generate a ticket, because this module can be run without an admin-privileged session; it injects the ticket into the current session and the attacker gets direct access to the server.
Learn More: Domain Persistence: Golden Ticket Attack
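Two properties of a Golden Ticket described above give a defender something to check: a forged TGT is never issued by the KDC, so the service-ticket request (event 4769, TGS-REQ) has no preceding TGT request (event 4768, AS-REQ) from that client and the account may not even exist in the directory; and the forged ticket is valid for years, far beyond the domain's maximum TGT lifetime. The following is an added example, not code from the original article or from Empire or Mimikatz; the account names, client IPs, service names and the 10-hour maximum ticket lifetime (the Windows default policy, assumed here) are illustrative.

```python
# Added example: correlate constructed 4768/4769 events and check cached
# ticket lifetimes for the anomalies a forged TGT produces.
from datetime import datetime, timedelta

def tgs_without_as(events, known_accounts, window=timedelta(hours=10)):
    """Flag 4769 events whose account is unknown to the directory, or that
    have no 4768 for the same account and client IP within `window`."""
    tgts = {}  # (account, ip) -> time of the latest 4768
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["account"].lower(), ev["ip"])
        if ev["id"] == 4768:
            tgts[key] = ev["time"]
        elif ev["id"] == 4769:
            if ev["account"].lower() not in known_accounts:
                alerts.append((ev["account"], ev["service"], "unknown account"))
                continue
            issued = tgts.get(key)
            if issued is None or ev["time"] - issued > window:
                alerts.append((ev["account"], ev["service"], "no recent AS-REQ"))
    return alerts

def overlong_tickets(tickets, max_life=timedelta(hours=10)):
    """Return clients whose cached ticket validity exceeds max_life."""
    return [t["client"] for t in tickets if t["end"] - t["start"] > max_life]

T0 = datetime(2020, 1, 1, 9, 0)
# Constructed sample events (hypothetical domain ignite.local, DC named DC1).
SAMPLE_EVENTS = [
    {"id": 4768, "time": T0, "account": "aarti", "ip": "10.0.0.5", "service": "krbtgt"},
    {"id": 4769, "time": T0 + timedelta(minutes=1), "account": "aarti", "ip": "10.0.0.5",
     "service": "cifs/DC1.ignite.local"},
    {"id": 4769, "time": T0 + timedelta(minutes=2), "account": "pavan", "ip": "10.0.0.9",
     "service": "cifs/DC1.ignite.local"},
    {"id": 4769, "time": T0 + timedelta(minutes=3), "account": "ghost", "ip": "10.0.0.9",
     "service": "ldap/DC1.ignite.local"},
]
# Constructed ticket cache entries: one normal, one with a 10-year validity.
SAMPLE_TICKETS = [
    {"client": "aarti@IGNITE.LOCAL", "start": T0, "end": T0 + timedelta(hours=10)},
    {"client": "pavan@IGNITE.LOCAL", "start": T0, "end": T0 + timedelta(days=3650)},
]

if __name__ == "__main__":
    for account, service, reason in tgs_without_as(SAMPLE_EVENTS, {"aarti", "pavan", "yashika"}):
        print(f"suspicious TGS-REQ by {account} for {service}: {reason}")
    print("over-long tickets:", overlong_tickets(SAMPLE_TICKETS))
```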
Extracting Tickets
We saw how to forge tickets. Tickets last longer than normal persistence; Golden Tickets can last up to 10 years. Hence, we should be able to extract those tickets for usage down the road.
usemodule credentials/mimikatz/extract_tickets
execute
Learn More: Deep Dive into Kerberoasting Attack
Domain Cache
Microsoft Windows stores previous users' logon information locally so that they can log on if a logon server is unreachable during later logon attempts. This is known as Domain Cached Credentials (DCC), but it is also known as the MSCACHE or MSCASH hash. It stores a hash of the user's password, and you can't perform pass-the-hash attacks with this type of hash. It uses the MSCACHE algorithm to generate the password hashes, which are stored locally in the Windows registry; by default the last 10 hashes are kept.
There are two versions of MSCASH/MSCACHE or DCC:
· MSCACHEv1 or DCC1, used before Vista and Server 2003
· MSCACHEv2 or DCC2, used after Vista and Server 2003
PowerShell Empire has a module that extracts the MSCACHEv2 hashes from the registry of the compromised machine.
usemodule credentials/mimikatz/cache
execute
And again, you will get the MSCACHEv2 hashes on your screen.
Learn More: Credential Dumping: Domain Cache Credential
Mimikatz Commands
As we have seen, there is no shortage of Mimikatz modules in PowerShell Empire, but Mimikatz is still a big tool with many more attack methods than the Empire team can keep up with. So, if you are at the point where you don't remember any module but you do know the Mimikatz command to run, Empire has you covered. Use the mimikatz/command module to run manual commands directly on the compromised target. To demonstrate, we will run lsadump::lsa /patch on the target machine. When run, Mimikatz patches the samsrv.dll loaded inside the lsass.exe process to dump the NTLM hashes.
usemodule credentials/mimikatz/command
set Command lsadump::lsa /patch
execute
Extracting Certificates
A root SSL certificate is a certificate issued by a trusted certificate authority (CA). In the SSL ecosystem, anyone can generate a signing key and use it to sign a new certificate. However, that certificate isn't considered valid unless it has been directly or indirectly signed by a trusted CA. Signed certificates can be used to mount man-in-the-middle or phishing attacks on the target or the target's network. To extract the certificates from a compromised machine, use this module.
usemodule credentials/mimikatz/certs
execute
The list goes on: on a rough estimate, any system in use might contain around 400 certificates, and this number increases with user activity on the system. The details extracted by Mimikatz are of significant value.
Mimitokens
The token impersonation technique can be used as a local administrator to impersonate another user logged on to a system. If we have compromised a local admin on the target machine, we can use it to impersonate another logged-on user, e.g., a domain controller, using Mimitokens.
usemodule credentials/mimikatz/mimitokens
execute
Crypto Keys
The keys module of PowerShell Empire works on the back of the crypto module of Mimikatz; it is one of the oldest modules that still works in the wild. It targets the CryptoAPI functions on the target. In a general sense its usability is like that of the certutil binary present on a Windows machine by default. It uses token impersonation to its advantage and then patches the legacy CryptoAPI functions and the CNG key isolation service so that the keys become exportable. After that it exports those keys to PVK files.
usemodule credentials/mimikatz/keys
execute
Purging Tickets
While working with tokens and tickets, there will be a time when the number of tickets is too large to work with. This scenario will arise sooner or later, and that's when the purge module helps you. It purges all the tickets in the current session.
Logon Passwords
Mimikatz has the ability to retrieve clear-text passwords as well as hashes. This is done by exploiting the Local Security Authority Subsystem Service on Windows. After a machine is compromised, the attacker can use PowerShell Empire to load the logonpasswords module to extract the clear-text passwords. These passwords can be used to create Golden Tickets, for account takeover, or just as a preliminary step to another attack. As we can see in the image shown, we have successfully extracted the passwords for the Yashika and Aarti users.
usemodule credentials/mimikatz/logonpasswords
execute
Learn More: Understanding Guide to Mimikatz
Local Security Authority (LSA|LSASS.EXE)
LSA and LSASS stand for “Local Security Authority” and “Local Security Authority Subsystem (Server) Service”, respectively. The LSA is a protected system process that authenticates and logs users on to the local computer. Domain credentials are used by the operating system and authenticated by the LSA. The LSA can validate user information by checking the SAM database located on the same computer. LSASS manages the local system policy, user authentication and auditing while handling sensitive security data such as password hashes and Kerberos keys. The passwords are protected by the operating system: only code running in-process with the LSA can read and write domain credentials. LSASS can store credentials in multiple forms, including reversibly encrypted plaintext, Kerberos tickets (ticket-granting tickets (TGTs) and service tickets), NT hashes and LAN Manager (LM) hashes.
After compromising the target, we can use PowerShell Empire to extract the user hashes from the machine with the help of the lsadump module, as shown in the image.
usemodule credentials/mimikatz/lsadump
execute
Learn More: Credential Dumping: Local Security Authority (LSA|LSASS.EXE)
SAM
SAM is short for Security Account Manager, which manages all the user accounts and their passwords. It acts as a database. All the passwords are hashed and then stored in the SAM. It is the responsibility of the LSA (Local Security Authority) to verify user logins by matching the passwords against the database maintained in the SAM. The SAM starts running in the background as soon as Windows boots up. The sam module of PowerShell Empire can be used to extract the SAM file and the associated password hashes.
usemodule credentials/mimikatz/sam
execute
After the target has been compromised by other methods, the attacker can use the PowerShell Empire sam module to target the SAM file and read the password hashes, as shown in the image below.
Learn More: Credential Dumping: SAM
Conclusion
After the Credential Dumping series, which covered different tools that can be used against specific weaknesses, it felt like there was a gap for a guide that could help a person trying to get the reins of PowerShell Empire, and that could showcase the ability of Mimikatz to target the wide range of Windows authentication systems while integrating with different frameworks such as Metasploit, PowerShell Empire, Koadic, etc.