Thank you for your interest in Decoding the Attacker Mindset: Pen Testing Revelations!

Experienced attackers know that even disabled accounts can be useful, especially given the common practice of certain employees having multiple Domain User accounts. For example, an IT team member may get both a regular user account and a privileged account. 

While this is theoretically a security measurement so that the employee is only using the account with the least amount of privilege needed to accomplish a task, it can also be a security weakness. Naming conventions for usernames can be easily guessed and it is not unusual for employees to make the mistake of using the same password for all of their different accounts.

Image

Such was the case for this engagement. The password for John Doe’s disabled domain account worked for his regular user account login, which was still enabled. The testers were able to use this account, conduct a password spray attack, and obtain local administrator privileges on seven different hosts. 

After the successful password spray attack, the team accessed the Security Account Manager (SAM) databases and Local Security Authority (LSA) secrets of the discovered hosts. Nothing of interest came from these efforts, so the team attempted to access the host’s process memory to try and pull credentials that would hopefully have more extensive privileges. However, before they were able to complete this task, their account was disabled by the defense team. 

Despite this, the team was far enough along in the process that they had other options. Having previously retrieved the contents within the SAM databases of the hosts, they decided to test all of the RID 500 default admin account NTLM password hash against all of the hosts in the domain, resulting in local administrator privileges on four new hosts. 

After repeating the process of retrieving SAM databases and LSA secrets, the team was once again caught. One host, which seemed to be a file server, was put into network isolation to restrict access to it. Since file servers often have privileged user credentials in memory, the team decided to wait for it to come back online. Since file servers are so essential to complete regular organizational activities, this typically only takes a few hours. 

The isolation was indeed temporary, but the security team had changed the RID 500 user account password and also disabled it. Despite basic security controls being in place, the initial security weaknesses exploited provided enough information to keep moving forward. 

The team was still in control of the NTLM password hashes since they had previously retrieved all the information from the SAM database in the second set of hosts—including the file server they no longer had access to. 

They used the file server computer account NTLM password hash to handcraft a Kerberos Service Ticket for accessing any service as any user, allowing a domain administrator to gain access to the SMB service.

Image

This forged ticket allowed the team to get to the LSASS memory to pull domain and administrator credentials. Using these credentials, they could log into the domain controller and execute operating system commands.

The pen testing team exploited weak passwords on network printers to gain initial access, conducted a password spray attack to escalate privileges, and ultimately gained domain admin control using a Kerberos service ticket attack. 

If it’s connected to the network, it’s a potential attack vector.

First, the team noted that any domain account, regardless of its privileges, would be able to query not only its domain, but all the domains for which trust relationships have been defined, to collect valuable information. Additionally, the devices in the network may still have had some remnants of old vulnerabilities, which were likely fixed but not Decoding the Attacker Mindset: Pen Testing Revelations correctly cleaned up. 

No matter how outdated, all it takes is one unpatched vulnerability to provide an opening. An attacker would be especially interested in user groups and computers. Any domain account could also use and abuse the Kerberos protocol, which can introduce some interesting attack avenues.

The team started by gathering all the information possible from the user domain, querying LDAP to obtain a list of the assets in the domain, as well as the IP addresses of the domain controllers. 

Looking over the list of assets, the team discovered a Group Policy Object (GPO) that was affected by an ancient vulnerability, commonly known as the group password policy vulnerability. This vulnerability is directly linked to a flawed use of domain GPOs, which distributes local administrator passwords to the rest of the machines. Passwords would be found encrypted in XML files stored in the SYSVOL share of domain controllers, which is by default accessible by any domain account. Additionally, the encryption key is a well-known value, which is even disclosed in the Microsoft documentation, giving attackers the chance of decrypting any password they find. As this is a simple test, only requiring them to mount the SYSVOL share and perform a find string operation, most attackers will check to see if this vulnerability is still active. 

With this GPO vulnerability, the team was able to easily decrypt the password. However, this password was not currently used by the local admin of any machine in the domain, which could be interpreted as an indicator that this vulnerability had already been f ixed in the past by the company.

Since the password had been changed, the testers instead leveraged their domain account to abuse Kerberos by requesting service tickets to the key distribution center. Using a technique known as Kerberoast, an attacker can request service tickets for each service owner account in the domain, forcing them to be encrypted with the weak RC4 encryption algorithm. Since these tickets are encrypted using the password set by the service owner, the tickets can then be submitted to an offline cracking process.

 With this information in mind, the team designed their attack path. Though the password they found through the group password policy vulnerability was no longer being used by local admins, they were able to repurpose it as the basis of an internal password spray, in case it hadn’t been changed elsewhere. Cracking Kerberos tickets is a slow exercise compared with cracking netNTLM or NTLM hashes, so the team established a well-defined approach using the known password. For example, the password Organization_Name5 could indicate that the next password may be Organization_Name6. 

Despite not being used for any high privilege account, the password was valid for five additional domain accounts, allowing the team to diversify their interactions with internal devices. This password continued to prove useful, as its structure contained the name of the organization and showed the pattern that could be used to guess the passwords for other domain accounts. The team used this information to graph an intelligent cracking attack against the Kerberos tickets through the Kerberoast. 

They followed the structure of the password to create a hybrid cracking approach, testing each case variation of the client’s Decoding the Attacker Mindset: Pen Testing Revelations organization name, followed by a series of one to six characters, including letters, numbers, and special characters. This approach proved effective, as they were able to access two high privilege service accounts in less than 48 hours.

After obtaining the password for the first service owner, they tested it in the server register, in the service principal name (SPN) f ield, as they believed that the account was a local admin for this server. With these new privileges, it was possible to dump the password hash of the default local administrator account for a pass-the-hash attack, allowing them to gain administrative access to all the servers in the network. 

The second service account they obtained was a domain administrator. Domain admins often use their own accounts to quickly run services, as was found in this scenario. It’s worth noting that this is never a good identity management practice, since the administrative account can then be exposed and compromised through a Kerberoast attack. 

Though they had obtained this password, it was expired and there was no way to reset its value from the internal network.

With no way to reset the value internally, the team moved into the external sphere, and attempted to log in to the company’s SharePoint through federated services. After seeing the alert that the password was expired, they were redirected to a password self-reset portal, on Windows Azure. This portal allowed users to reset their passwords after providing a one-time password (OTP) received in the recovery phone number. 

In this case, a recovery phone number was never designated, allowing the tea to simply plug in their own phone number. After validating the OTP, they successfully reset the account’s password.

Finally, they moved back into the internal sphere and attempted logging in using the newly reset password. Leveraging the administrative privileges, they dumped the password domain table for the non-PCI domain, effectively compromising it. 

They then moved to PCI environment, where not even a single low privilege domain account had been compromised. Since the two environments were separated, the only known information was the IP address of the PCI domain controller. The team thought that there was a chance one of the IT administrators in charge of both domains was using the same credentials between domains. As they already had the password hashes for all the users in the non-PCI domain, there was no impediment to attempt a massive interdomain password hash attack against the PCI domain. 

Fortunately for the team (and unfortunately for this organization’s PCI compliance status), the theory about password reuse was correct. They immediately discovered that a group of users, including a domain administrator, were using the same passwords on both domains.

Testers exploited a very old vulner-ability to gain initial access, used Kerberoasting and password spray attacks and password resets to elevate privileges, and used shared passwords to gain access to the domain controller. 

Patch. Validate. Repeat.