RedTeam
5.Machine
3.Active-Directory
General
Exploitation
6.Persistence-AD
1.persistence through Credentials

General

Large organizations use multiple Domain Controllers (DCs) for efficient authentication across multiple locations through domain replication. The Knowledge Consistency Checker (KCC) process generates a replication topology and syncs information via Remote Procedure Calls (RPC). This includes updates such as new passwords and new user objects. The process is called DC Synchronization and can be initiated by accounts such as Domain Admins for legitimate purposes like creating new DCs.

A popular attack to perform is a DC Sync attack. If we have access to an account that has domain replication permissions, we can stage a DC Sync attack to harvest credentials from a DC.

DCsync Attack

A DCSync attack is a type of attack that allows an attacker to simulate the behavior of a Domain Controller (DC) and request account password data from the targeted DC. This allows the attacker to obtain the hashed passwords of all accounts in the targeted Active Directory domain without needing to log in or having access to an account with sufficient privileges. The command "lsadump::dcsync" specifically is used to dump the password hashes of all the accounts in the targeted domain controller.

Requirements 1. Access to a domain-joined machine: The attacker needs to have access to a machine that is joined to the domain in order to execute the DCSync attack. This can be achieved by compromising a user's machine or by gaining access to a machine with a privileged account. 2. Authentication to the domain: The attacker needs to have valid credentials in order to authenticate to the domain in order to execute the DCSync attack. This can be achieved by stealing a user's credentials or by compromising an account with privileged access. 3. The right permissions: The attacker needs to have the right permissions to perform the DCSync attack, typically a domain user or domain admin. 4. Knowledge of the target domain controller: The attacker needs to know the name or IP address of the target domain controller in order to execute the DCSync attack. 5. Knowing the name of the target user: The attacker needs to know the name of the target user in order to execute the DCSync attack. 6. Tools: The attacker needs to use specific tools like Mimikatz or other similar tools that can perform the DCSync attack.

Credential Targeted

In a DC Sync attack, the goal is to persist with near-privileged credentials, instead of just privileged credentials, as these are more likely to be rotated by the blue team. We should target credentials such as local administrator rights on multiple machines, service accounts with delegation permissions, and accounts used for privileged AD services to gain a privileged foothold and persist in the network.

As such, we should attempt to persist through credentials such as the following:

  • Credentials that have local administrator rights on several machines. Usually, organisations have a group or two with local admin rights on almost all computers. These groups are typically divided into one for workstations and one for servers. By harvesting the credentials of members of these groups, we would still have access to most of the computers in the estate.
  • Service accounts that have delegation permissions. With these accounts, we would be able to force golden and silver tickets to perform Kerberos delegation attacks.
  • Accounts used for privileged AD services. If we compromise accounts of privileged services such as Exchange, Windows Server Update Services (WSUS), or System Center Configuration Manager (SCCM), we could leverage AD exploitation to once again gain a privileged foothold.

Commands

DCSync All

We will be using Mimikatz to harvest credentials.

Single Account

Lauch Mimikatz

C:\Users\Administrator.SUB> mimikatz.exe

Let's start by performing a DC Sync of a single account, LOW ACCESS Account (User)

mimikatz # lsadump::dcsync /domain:AD_DOMAIN /user:<Your low-privilege AD Username>

All Accounts

Lauch Mimikatz

C:\Users\Administrator.SUB> mimikatz.exe

Enable logging (Logs) on Mimikatz (Save the output of the dcdump module)

mimikatz # log <username>_dcdump.txt

Generate the lsadump information in the log file (<username>_dcdump.txt)

mimikatz # lsadump::dcsync /domain:za.tryhackme.loc /all

Inspect the contents of the dcdump.txt file on the attacking machine using a tool such as Sublime Text, where you can search for specific elements within the file.