After gaining access to a business network, prioritize: know what your goal is, or better, what is most critical to the business. If the company runs Active Directory, one of your goals will be to take control of it. In an Active Directory environment there are at least two important targets:
- Domain controller: the server that answers authentication requests within a Windows domain. It holds the directory database (NTDS.dit) with the NTLM hashes of every user in the domain.
- The group with rights to modify Active Directory (usually Domain Admins): its members have full control of the domain.
There are other important groups in Active Directory, such as Enterprise Admins, but this post focuses on those two targets. To follow the rest of the explanation, you need to know what an NTLM hash is.
On systems or services using NTLM authentication, the user's password is never sent in clear text over the wire. It is not even the hash that travels: the client uses the NT hash as a key to answer a challenge sent by the server (validated by the domain controller for domain accounts) in a challenge-response scheme. The NT hash itself, MD4 over the UTF-16LE encoded password and commonly called the NTLM hash, is how Windows stores passwords: it can be obtained by dumping the SAM database for local accounts, or the NTDS.dit file on a domain controller for domain accounts.
On Windows, when a user logs on to a computer with a domain account, the NT hash is cached in memory by lsass.exe (Local Security Authority Subsystem Service), the process that enforces the system security policy and handles authentication, and it can be retrieved by reading that process's memory. If WDigest credential caching is enabled, the clear-text password is kept in memory too; since Windows 8.1 and Server 2012 R2 it is disabled by default (the UseLogonCredential registry value under the WDigest security provider), but older systems, or systems where it has been re-enabled, still expose it.
How can we retrieve those hashes?
There are several methods, all of which require high privileges (local administrator, which grants SeDebugPrivilege); we will explain three of them:
- Invoke-Mimikatz.ps1 or mimikatz.exe: reads the memory of lsass.exe directly and extracts the hashes (its sekurlsa module).
- Procdump.exe: a signed Sysinternals tool that writes a memory dump of lsass.exe to a file. Ask for a full dump (its -ma switch); a partial dump lacks the credential structures.
- Rundll32.exe with comsvcs.dll: comsvcs.dll is a signed Windows DLL that exports a MiniDump function, so simple allow-listing or signature checks will not block it; calling that export through rundll32 writes a dump of lsass.exe to disk. Modern EDR products know this technique, so do not count on it going unnoticed.
The last two methods write the contents to a file. To read it you use mimikatz offline: load the dump with its sekurlsa::minidump command and then run sekurlsa::logonpasswords as usual. The file is in the Windows minidump format; searching for "minidump" will tell you more about it.
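As an added example (not part of the original post, and not mimikatz's or procdump's code), here is a small Python parser for the minidump header and stream directory, the format that both dump-to-file methods produce. Run it over a dump before carrying it off the host to check that the file is not truncated, that it was taken as a full-memory dump and that it contains the system-info and full-memory streams; the constants and layout follow minidumpapiset.h, and the sample minidump it builds is constructed inline, not a real LSASS dump.

```python
import struct

MINIDUMP_SIGNATURE = 0x504D444D          # the bytes b"MDMP" read as a little-endian uint32
MINIDUMP_VERSION = 0xA793                # low word of MINIDUMP_HEADER.Version
MINIDUMP_WITH_FULL_MEMORY = 0x00000002   # MINIDUMP_TYPE flag set by a full dump (procdump -ma, comsvcs "full")

# MINIDUMP_STREAM_TYPE values (subset relevant to credential dumps)
STREAM_TYPES = {
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
    12: "HandleDataStream", 15: "MiscInfoStream", 16: "MemoryInfoListStream",
    17: "ThreadInfoListStream",
}


def parse_minidump(blob: bytes) -> dict:
    """Parse the 32-byte MINIDUMP_HEADER and the stream directory it points to.

    Returns the header flags and a list of (stream name, rva, size). Raises
    ValueError when the blob is not a minidump or a stream runs past the end
    of the file, which is what a dump cut short during exfiltration looks like."""
    if len(blob) < 32:
        raise ValueError("too short for a MINIDUMP_HEADER")
    # Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
    sig, _version, n_streams, dir_rva, _checksum, _timestamp, flags = struct.unpack_from("<IIIIIIQ", blob, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError("bad signature: not a minidump")
    if dir_rva + 12 * n_streams > len(blob):
        raise ValueError("stream directory runs past end of file (truncated dump?)")
    streams = []
    for i in range(n_streams):
        # MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva
        stype, size, rva = struct.unpack_from("<III", blob, dir_rva + 12 * i)
        if rva + size > len(blob):
            raise ValueError(f"stream type {stype} at rva {rva:#x} is truncated")
        streams.append((STREAM_TYPES.get(stype, f"Unknown({stype})"), rva, size))
    return {"flags": flags, "streams": streams}


def usable_for_credential_extraction(blob: bytes) -> bool:
    """Heuristic sanity check: a full-memory dump with OS info and the 64-bit memory list."""
    info = parse_minidump(blob)
    names = {name for name, _, _ in info["streams"]}
    return bool(info["flags"] & MINIDUMP_WITH_FULL_MEMORY) and {"SystemInfoStream", "Memory64ListStream"} <= names


def build_sample_minidump(full: bool = True) -> bytes:
    """Constructed sample: a syntactically valid minidump skeleton with dummy stream bodies.
    Not a real LSASS dump; it exists so the parser can be exercised offline."""
    stream_ids = [7, 3, 4] + ([9] if full else [5])      # a partial dump carries MemoryListStream instead
    header_len, dir_len = 32, 12 * len(stream_ids)
    bodies, directory, offset = b"", b"", header_len + dir_len
    for stype in stream_ids:
        body = bytes([stype]) * 16                          # placeholder payload
        directory += struct.pack("<III", stype, len(body), offset)
        bodies += body
        offset += len(body)
    flags = MINIDUMP_WITH_FULL_MEMORY if full else 0
    header = struct.pack("<IIIIIIQ", MINIDUMP_SIGNATURE, MINIDUMP_VERSION, len(stream_ids), header_len, 0, 0, flags)
    return header + directory + bodies


if __name__ == "__main__":
    for name, rva, size in parse_minidump(build_sample_minidump())["streams"]:
        print(f"{name:<22} rva={rva:#06x} size={size}")
    print("usable:", usable_for_credential_extraction(build_sample_minidump()))
```

To check a real file, read it with `open(path, "rb").read()` and pass it to `usable_for_credential_extraction`; a `ValueError` on a dump you just copied usually means the transfer was cut short, not that the dump itself failed.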
Some antivirus and EDR products monitor lsass.exe and block attempts to read its memory. That is good news for defenders, but what if we clone the process first? Will the product still monitor the cloned process? I will leave that question here without an answer so you can test whether it works.
What can we do once we have the NTLM hash?
There is a Python library called impacket that ships with many tools able to authenticate with an NT hash instead of a password (pass-the-hash): remote command execution over SMB (psexec.py, smbexec.py), execution through WMI (wmiexec.py), credential dumping (secretsdump.py) and more.
If you can execute commands on another server this way, you can repeat the same steps there with high privileges: dump lsass.exe, collect the NT hashes and move on to the next server. Done blindly, this quickly becomes chaotic and noisy; you need more information about the domain first.
How can I retrieve information about the domain and organize it?
There are several ways to gather information about a domain, but the one I like most is BloodHound.
BloodHound is a project that builds a visual graph of the domain from data gathered by its collectors (SharpHound).
The collector comes as an executable (SharpHound.exe) or a PowerShell script (SharpHound.ps1); it enumerates the domain and writes the results as JSON files inside a ZIP archive.
After retrieving the ZIP file, import it into the BloodHound application and you will see a graph of all the domains. The collector's collection-method options gather more detailed information than the default collection; check its help output (or the script source) to see them.
In BloodHound you can then see the Domain Admins group with its members, which computers they are logged on to, and the path you need to follow to reach a domain admin session and retrieve its NTLM hash.
What can I do with a NTLM hash of a domain admin?
You can do many things with this NTLM hash, until the domain admin changes the password. If you want to make your privileges persistent (and it is within the agreed scope of the engagement), forge a golden ticket with the krbtgt account's hash and give it a long lifetime: it keeps working after the admin's password change and is only invalidated once the krbtgt password has been reset twice. Some protocols do not accept a hash: RDP, for example, only works with pass-the-hash when Restricted Admin mode is enabled on the target (it is off by default), so for a normal RDP session you will need the clear-text password. Remember to try cracking the domain admin's NTLM hash. Some things to check during a penetration test once you have domain admin:
- Dump the NTDS.dit file (together with the SYSTEM hive, whose boot key is needed to decrypt it) from the domain controller and try to crack the company's hashes with a dictionary plus a rule set, for example in hashcat (NTLM is mode 1000).
- Make some noise without impacting the business, to check whether anyone is monitoring and detects you, and then recommend what the company can implement to improve its detection.
- If the company has services whose authentication is tied to Active Directory, access them with the compromised accounts, review them for vulnerabilities and assess the risk of information being stolen.
You need the permission of the company you are auditing before performing anything explained in this post. And remember to recommend that the company change the passwords that were cracked.
Author: Mario Sala