The end of the year is a good time to sit back and reflect for a moment on the past year. So let us take a look at the ten most common ways I got Domain Admin privileges in our Active Directory penetration tests in 2021.
1 – Sensitive Data on Shares
It may sound unbelievable to find a network share that contains scripts and files including highly privileged service account credentials. But in reality this happens quite often. Sometimes I even find backups of domain controllers.
Readable files are not the only problem. In some cases tools and applications are executed directly from the network share. More often than not the Domain Users have write permissions on the executables, allowing everyone to replace files that will then be executed by other users. Obviously a bad idea.
I highly recommend scanning all shares from time to time. Tools like Snaffler or PingCastle can help you with that. Also good old AccessChk can be used to check for wrong file permissions.
2 – Kerberoasting
Kerberoasting still works very well although the attack has been known since 2014. Kerberoasting leverages accounts with a defined service principal name (SPN). If the password of such an account is weak, an attacker might be able to crack the password and use it to gain further privileges.
Strangely enough, this year I encountered many service accounts with high privileges and a weak password that our Compass Cracker was able to break; using only standard wordlists usually works like a charm.
I recommend that you check all your accounts for SPN entries. If an account does not need its SPN, remove it. For all other accounts with an SPN entry a strong and unique password should be set. You can use PowerShell to easily search for accounts with SPN entries. You might as well want to use Group Managed Service Accounts to handle such accounts.
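Here is an added example of such a PowerShell search (not code from the original post): it lists every user account with an SPN, flags old passwords and accounts that SDProp has marked as protected-group members, and counts how many managed service accounts already exist for comparison. It assumes the ActiveDirectory RSAT module on a domain-joined machine; the 365-day threshold is an assumption you should align with your own policy.

```powershell
# Added example: inventory accounts with an SPN and flag the ones that deserve a
# password change or a move to a (group) managed service account.
Import-Module ActiveDirectory

$maxPasswordAgeDays = 365    # assumption: adjust to your policy
$cutoff = (Get-Date).AddDays(-$maxPasswordAgeDays)

# User accounts with at least one SPN; krbtgt always has one and is excluded
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, AdminCount, Enabled, MemberOf |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }

$findings = foreach ($u in $spnUsers) {
    [PSCustomObject]@{
        Account         = $u.SamAccountName
        Enabled         = $u.Enabled
        SPNs            = (@($u.ServicePrincipalName) -join '; ')
        PasswordLastSet = $u.PasswordLastSet
        # An old password on a roastable account gives an attacker plenty of time for offline cracking
        PasswordOlderThanPolicy = ($null -eq $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $cutoff)
        # AdminCount=1 is set by SDProp on members of protected groups (and stays set after removal)
        ProtectedGroupHistory   = ($u.AdminCount -eq 1)
        DirectGroupCount        = @($u.MemberOf).Count
    }
}

# Accounts already migrated to a (g)MSA have a different object class and do not
# appear above; count them so you can track migration progress.
$msaCount = (Get-ADServiceAccount -Filter * -ErrorAction SilentlyContinue | Measure-Object).Count

$findings | Sort-Object ProtectedGroupHistory, PasswordOlderThanPolicy -Descending |
    Format-Table Account, Enabled, ProtectedGroupHistory, PasswordOlderThanPolicy, PasswordLastSet, SPNs -AutoSize

"{0} user accounts with SPNs, {1} managed service accounts in the domain" -f @($findings).Count, $msaCount
```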
3 – NetNTLMv1
Even though NetNTLMv1 is quite old, I encountered it this year more than I thought I would. The problem with NetNTLMv1 is that it uses DES encryption and can easily be cracked. The rainbow tables at crack.sh can be used to crack such hashes in seconds for free.
Using NetNTLMv1 is therefore quite dangerous. I highly (yes again highly…) recommend that you turn off NetNTLMv1 in your Windows network.
4 – No SMB Signing Required
Without enforcing SMB signing, an attacker in the network can most likely relay SMB sessions to his heart’s desire. Often I find Microsoft SCCM installations where one SCCM machine is local admin to another machine. If SMB signing is not enforced on the machines, it is possible for an attacker to relay an SMB session from one machine to the other and gain local admin privileges on the target. Check out our Blog if you want to know more about NTLM relaying.
SMB signing should be required and enforced on all clients and servers to counter such relaying attacks inside the network.
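To check both of the last two points at once, here is an added example (not code from the original post) that reads the NTLM compatibility level and the SMB signing settings from a list of hosts over WinRM. The host names are constructed placeholders, and it assumes you have local admin rights on the targets and WinRM enabled.

```powershell
# Added example: audit NetNTLMv1 (section 3) and SMB signing (section 4) settings on several hosts.
$targets = @('dc01', 'sccm01', 'fileserver01')    # constructed placeholder host names

$report = Invoke-Command -ComputerName $targets -ErrorAction Continue -ScriptBlock {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $wks = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' -ErrorAction SilentlyContinue

    # LmCompatibilityLevel: 0-2 still send LM/NTLMv1 responses; 3-4 send NTLMv2 only but
    # still accept NTLMv1 when acting as the server; 5 refuses LM and NTLMv1 entirely.
    # When the value is absent, current Windows versions behave like level 3.
    $lm = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 3 }

    [PSCustomObject]@{
        Host                  = $env:COMPUTERNAME
        LmCompatibilityLevel  = $lm
        SendsNetNTLMv1        = ($lm -lt 3)
        AcceptsNetNTLMv1      = ($lm -lt 5)    # matters most on domain controllers
        # RequireSecuritySignature = 1 means signing is enforced; absent defaults to 0 except on DCs
        ServerSigningRequired = ([int]$srv.RequireSecuritySignature -eq 1)
        ClientSigningRequired = ([int]$wks.RequireSecuritySignature -eq 1)
    }
}

$report | Format-Table Host, LmCompatibilityLevel, SendsNetNTLMv1, AcceptsNetNTLMv1, ServerSigningRequired, ClientSigningRequired -AutoSize

# Hosts that still leave room for NTLMv1 cracking or SMB relaying inside the network
$report | Where-Object { $_.SendsNetNTLMv1 -or $_.AcceptsNetNTLMv1 -or -not $_.ServerSigningRequired -or -not $_.ClientSigningRequired } |
    Select-Object Host
```

Before raising LmCompatibilityLevel on the domain controllers, the 4624 logon events there tell you which clients still send NTLMv1 (the "Package Name (NTLM only)" field reads "NTLM V1"), so you can fix those clients first instead of breaking them.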
5 – Misconfigured Certificate Authority (CA) Enrollment Endpoint
During the year SpecterOps published an amazing paper on Active Directory Certificate Services (AD CS) security. One of my favorite attacks is the relaying of an NTLM authentication to the HTTP enrollment endpoint of the CA. If one relays a session from a domain controller (heard of PetitPotam?), the CA will sign arbitrary certificates for the domain controller. The valid certificate and private key can be used to take over the world, or at least the domain.
Microsoft released a whitepaper on how to secure HTTP enrollment endpoints from this attack.
6 – Misconfigured Certificate Template
Another attack from the SpecterOps paper that keeps on giving is misconfigured certificate templates. In the last quarter of the year this was an almost guaranteed way to gain Domain Admin privileges in a matter of minutes!
Various tools have sprung to life to check the configuration of certificate templates. I like Certify from SpecterOps and PingCastle, which both offer a convenient way to check for misconfigured certificate templates.
7 – Reuse of Local Administrator Password
One of the first questions that I will ask the customer in an engagement is:
Do you use Microsoft LAPS?
Depending on the reaction I gain a certain feeling about the state of the AD security. Unfortunately only a small number of my customers this year use LAPS (or a similar tool). As soon as you gain local admin privileges on one client it’s most likely trivial to escalate the privileges further.
Every Windows system should have a unique local Administrator password. If an attacker can compromise one machine, he is not automatically local Administrator on all other systems with the same password. Use LAPS to manage the passwords. It’s free.
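If you already run LAPS, coverage is the next question. Here is an added example (not code from the original post) that lists enabled, recently active computers with no LAPS-managed password or an expired one; it assumes the legacy Microsoft LAPS, which stores the expiry in the ms-Mcs-AdmPwdExpirationTime attribute, and the 60-day activity window is an assumption.

```powershell
# Added example: measure LAPS coverage from the computer objects in AD.
Import-Module ActiveDirectory

$activeWithinDays = 60    # assumption: ignore computers that have not logged on recently
$activeCutoff = (Get-Date).AddDays(-$activeWithinDays)
$nowUtc = (Get-Date).ToUniversalTime()

$computers = Get-ADComputer -Filter { Enabled -eq $true } `
    -Properties 'ms-Mcs-AdmPwdExpirationTime', OperatingSystem, LastLogonDate |
    Where-Object { $_.LastLogonDate -gt $activeCutoff }    # skip stale objects

$status = foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    if ($null -eq $raw) {
        # No expiry at all: the LAPS client side extension has never run on this machine
        $state = 'NotManaged'; $expires = $null
    } else {
        # Stored as a Windows FILETIME (100 ns ticks since 1601-01-01, UTC)
        $expires = [DateTime]::FromFileTimeUtc([long]$raw)
        $state = if ($expires -lt $nowUtc) { 'Expired' } else { 'Managed' }
    }
    [PSCustomObject]@{
        Computer        = $c.Name
        OS              = $c.OperatingSystem
        LastLogon       = $c.LastLogonDate
        LapsState       = $state
        PasswordExpires = $expires
    }
}

# Summary first, then the machines that need attention
$status | Group-Object LapsState | Select-Object Name, Count
$status | Where-Object LapsState -ne 'Managed' | Sort-Object OS, Computer | Format-Table -AutoSize
```

Who is allowed to read the passwords matters just as much as coverage: Find-AdmPwdExtendedRights from the AdmPwd.PS module that ships with LAPS lists the principals holding that right on a given OU.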
8 – Service Accounts
Sometimes I encounter the situation where an account tries to connect to my own system via SMB out of the blue. I specifically remember two cases in 2021:
- The first one was a firewall service performing IP to user mapping. The incoming connection occurred every 15 minutes and was quite easy to detect.
- In the second case, it was a hardware and software inventory solution. The connection occurred only once every Tuesday and it was pure luck that I detected the connection attempt.
Unfortunately both accounts were members of the Domain Admins group and I could perform relaying attacks and escalate privileges.
Sadly it’s very common that service accounts have far too many privileges. You should verify all your service accounts and adhere to the least privilege principle.
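One way to start that verification, as an added example (not code from the original post): enumerate the nested members of the privileged groups, flag the ones that look like service accounts rather than humans, and then check a few hosts for Windows services that actually run under one of those accounts. Group names, host names and the name pattern are assumptions to adapt to your environment.

```powershell
# Added example: find service-like accounts in privileged groups and services running under them.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Backup Operators')
$targets = @('sccm01', 'inventory01')    # constructed placeholder host names

# Resolve nested membership once; keep user objects only
$members = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [PSCustomObject]@{ Group = $g; Sam = $_.SamAccountName } }
}
$privilegedSams = @($members.Sam | Sort-Object -Unique)

$suspects = foreach ($sam in $privilegedSams) {
    $u = Get-ADUser -Identity $sam -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet, LastLogonDate
    $hints = @()
    if ($u.ServicePrincipalName) { $hints += 'SPN' }
    if ($u.PasswordNeverExpires) { $hints += 'PasswordNeverExpires' }
    # Naming convention is an assumption; extend it with your own prefixes
    if ($sam -match '^(svc|srv|sa)[-_.]|service|scan|backup|sccm|inventory|firewall') { $hints += 'NamePattern' }
    if ($hints.Count -gt 0) {
        [PSCustomObject]@{
            Account         = $sam
            Groups          = (@($members | Where-Object Sam -eq $sam).Group -join ', ')
            Hints           = ($hints -join ', ')
            PasswordLastSet = $u.PasswordLastSet
            LastLogon       = $u.LastLogonDate
        }
    }
}
$suspects | Format-Table -AutoSize

# Services on the target hosts that run as DOMAIN\account where the account is in a privileged group
# (only the NetBIOS "DOMAIN\user" form is matched; UPN-style service logons are not covered here)
$domain = [regex]::Escape((Get-ADDomain).NetBIOSName)
Get-CimInstance -ClassName Win32_Service -ComputerName $targets -ErrorAction Continue |
    Where-Object { $_.StartName -match "^(?i)$domain\\" } |
    ForEach-Object {
        $runAs = ($_.StartName -split '\\')[-1]
        if ($privilegedSams -contains $runAs) {
            [PSCustomObject]@{ Host = $_.PSComputerName; Service = $_.Name; RunsAs = $_.StartName }
        }
    }
```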
9 – The Struggle with Patches
PrintNightmare, HiveNightmare, noPAC and other attacks have been released this year. For me as a pentester this is what keeps me going and interested in what I do.
From a system administrator perspective it’s probably just annoying! Especially when patching can have side effects on the environment (PrintNightmare) or patching alone does not resolve the issue (HiveNightmare). So throughout the year I encountered multiple environments where these vulnerabilities either were not patched or patched but still exploitable.
I often heard from those responsible for patching that they lack the time to fully comprehend the attacks, mitigations and side effects. So please ensure that your system administrators get enough time to deal with such issues. Patching is important!
10 – Easy to Guess Passwords
This is something that I mostly do on the side during the engagement. I compile a list of all user accounts and try some common passwords. Tools like kerbrute allow you to quickly spray passwords across all users in the AD, and I always have to slow myself down in order not to lock out all accounts in the company.
Still widely used are season names or simply the company name. A newer trend is “corona” in combination with the current or past year. Also, the number of accounts with an actually empty password is higher than you might think.
Unfortunately Microsoft does not do a great job for on-prem ADs when it comes to checking for easy-to-guess passwords, so you’re left with educating users or implementing defense in depth!
With these good memories in mind, we wish you safe holidays and a happy new year!