Christian's Docs
  • Welcome to my Docs!
  • Deep-dive
    • The Active Directory Notebook
      • AD DS: Domain Services
      • AD CS: Certificate Services
      • AD FS: Federation Services
      • AD LDS: Lightweight Directory Services
    • Attacking AD environments
    • Kerberos Authentication Protocol
    • NTML Authentication
    • LDAP Bind Authentication
    • TLS and Ciphers Suites
    • OAuth2 and OIDC
      • Authorization Code Flow
    • HTTP Security Checklist
  • In progress ...
    • SAML
    • PKI and X.509v3 Certificates
    • SAML 2.0
    • IETF RFC geekery
    • HTTP compression and BREACH-attacks
    • iOS Encryption & Data Protection
  • Archive
    • Brotli for NGINX
    • Don't touch PHP again
  • Portfolio
  • Github
  • Linkedin
  • Medium
Powered by GitBook
On this page
  • (Over) Pass the Hash
  • Golden Ticket Attacks
  • Security Measures
  • Todo
  1. Deep-dive

Attacking AD environments

PreviousAD LDS: Lightweight Directory ServicesNextKerberos Authentication Protocol

Last updated 1 year ago

(Over) Pass the Hash

Based on blogposts from Microsoft (), adsecurity and other blogs (, , , , , ).

Link:

In a Windows-environment, NTLM, NTLMv2, and Kerberos all use the NT-hash (usually called NTLM-hash).

There are actually several types of pass the hash attacks:

  • Pass the Hash: Performing NTLM authentication with stolen NT-hash (e.g. by dumping LSASS memory and exec mimikatz offline)

  • Over-pass the Hash: Use NT-hash to retrieve a Kerberos TGT

  • Pass the ticket: Stealing Kerberos tickets from host

.... Lorem Ipsum .....

Golden Ticket Attacks

Based on a .

When an adversary has infiltrated the network and become admin of the domain controllers, they essentially own the Windows environment. However, in increase the level of persistence, the adversary could issue Golden Tickets with virtually infinite lifetime to any account.

In a Windows environment, the authentication is based on Kerberos tickets which are issued by KDC running on domain controllers. The has a separate page in this docs but the important aspects are that Kerberos has two ticket types:

  • Ticket-granting Ticket (TGT): Acts a as a proof-of-authentication and is used to retrieve Service Tickets.

  • Service Tickets: Authenticates the user towards the service in question.

The KDC runs on domain controllers as the KRBTGT system account. The password hash of the KRBTGT account is the key for encrypting/signing the issued TGTs.

So, a Golden Ticket is a custom-forged TGT using the password hash of the KRBTGT account. Since the KDC trusts all TGTs which it has issued, regardless of set policies in the AD, the TGT can contain custom attributes, including Username, Domain and Group Membership.

In order to mitigate this, the KRBTGT password must be changed twice. This will invalidate all existing TGTs in the domain, any Golden Tickets included.

Security Measures

Todo

  • Dump LSASS -> NTLM hash

  • Dump SAM file

: Mitigates kernel-based attacks (by multiple virtualized kernels) Default in Windows 11. This activates .

a
1
2
3
4
5
6
https://www.netwrix.com/pass_the_hash_attack_explained.html
blogpost from adsecurity
Kerberos Authentication Protocol
Windows Virtualization-based Security (VBS)
Credential Guard