The threat landscape is ever changing and, in this deeply technical webinar, we are going to show you the state of the art in attacking Active Directory and what you can do to detect these attacks.
- Extracting Passwords through the Active Directory database (NTDS.dit)
With so much attention paid to detecting credential-based attacks such as Pass-the-Hash (PtH) and Pass-the-Ticket (PtT), other serious and effective attacks are often overlooked. One such attack is focused on exfiltrating the NTDS.dit file from Active Directory Domain Controllers. We’ll show you what this threat entails and how it can be performed. Then we can review some mitigating controls to be sure you are protecting your own environment from such attacks. The NTDS.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.
By extracting these hashes, it is possible to use tools such as Mimikatz to perform pass-the-hash attacks, or tools like Hashcat to crack these passwords. The extraction and cracking of these passwords can be performed offline, so they will be undetectable. Once an attacker has extracted these hashes, they are able to act as any user on the domain, including Domain Administrators.
Of course, before you can do that, you need a copy of NTDS.dit and I’ll show you 4 ways to do that.
- Kerberoasting
Kerberoasting takes advantage of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs). Kerberoasting allows us to crack passwords for those SPN-based service accounts. By logging into an Active Directory domain as any authenticated user, we are able to request service tickets (TGS) for service accounts by specifying their SPN value. Active Directory will return an encrypted ticket, which is encrypted using the NTLM hash of the account that is associated with that SPN. You can then brute force these service tickets until successfully cracked, with no risk of detection or account lockouts. Once cracked, you have the service account password in plain text.
We’ll start by explaining SPNs and also quickly reviewing the fundamentals of Kerberos. Then we’ll take you through the 4-step process and follow-up with prevention and detection techniques. One method includes setting up a honey pot SPN and then monitoring the Windows Security Log for event IDs 4768/4771 for that account.
- DCSync
We’ve all heard of using Mimikatz for pass-the-hash but one of the most useful and scary ways is using the DCSync command. This attack simulates the behavior of a domain controller and asks other domain controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Basically, it lets you pretend to be a domain controller and ask for user password data. Most importantly, this can be done without running any code on a domain controller as opposed to the other ways Mimikatz will extract password data. This can be used by attackers to get any account’s NTLM hash including the KRBTGT account, which enables attackers to create Golden Tickets. The trickiest part of this attack is that it takes advantage of a valid and necessary function of Active Directory, so it cannot be turned off or disabled.
The cool thing is that there are ways to detect this kind of attack with event ID 4662, and possibly other events, which I’m researching right now.
I think this will be one of the best webinars this year for folks that want to learn about advanced attack techniques and how to detect them. Jeff Warren from STEALTHbits is helping me put this real training for free session together and Jeff will briefly show you how STEALTHbits can help you detect and mitigate these attacks.