Active Directory Password Attacks
So far in our travels through Active Directory security, we’ve looked at attacks against permissions, credentials, service accounts, and many of the open-source toolkits available for getting more hands-on exposure to these techniques. Inside each scenario, an attacker is attempting to increase their privileges and compromise sensitive information. Some techniques like Pass-the-Hash and Golden Tickets are designed to compromise accounts without ever knowing their actual password. However, Active Directory can be compromised much more quickly if an attacker can obtain the password of the account they are targeting, without all the fancy forged tickets. In many cases, Active Directory Password Attacks may be easier than you think. 
In a study released by Praetorian in which 100 real-world penetration tests were analyzed, the #1 attack vector was weak domain user passwords. Sixty-six percent of the penetration tests used weak user passwords to compromise the environment.
The Verizon 2017 Data Breach Investigations Report supports this finding and identifies that 81 percent of hacking-related breaches leveraged either stolen and/or weak credentials.
Why use complex exploits and low-and-slow privilege escalation techniques, when you can just use somebody’s actual password? It sounds easy—and, unfortunately, in most cases it is!
In this Active Directory Password Attacks series, we are going to look at some of the common techniques in which attackers can obtain your passwords and what you can do to protect against them. Here are some of the vulnerabilities that these attacks exploit.
Weak Passwords
Active Directory lets you enforce basic password age, length and complexity settings but these alone are not nearly enough. They can’t stop common password patterns from being used like Winter2017, or other common conventions, which are easy to remember (and easy to guess). This leaves the door wide open for attackers to quickly compromise a handful of accounts with weak passwords, giving them a solid foothold in an attack.
Password Reuse
Most users are guilty of re-using a password across multiple sites. When a site is breached, attackers gain access to usernames, emails and their associated passwords. Often users will utilize their work emails, making it very easy to associate the leaked account with an Active Directory user account. With breaches to Yahoo, LinkedIn, and Twitter exposing over 3 billion accounts, it’s safe to assume a large amount of every company’s AD users have been exposed. If your users are reusing passwords, which you should assume they are, your work passwords could be easier to attack than you may think.
Beyond using the same password for AD accounts that you use on social media, many companies also reuse passwords across multiple AD accounts (like service accounts or local Administrator accounts). All it takes is one account to be compromised for an attacker to quickly take over the rest of the accounts.
Plain Text Password Extraction
We’ve looked at ways you can use tools like Mimikatz to extract credential artifacts from memory on Windows, but we’ve focused on NTLM hashes and Kerberos tickets. However, there are ways in which you can extract plain text passwords just as easily. This approach doesn’t require any guessing and is effective against even very long and complex passwords.
How to Protect Yourself from Password Attacks
Traditionally, companies have turned to multifactor authentication and privileged access management solutions to secure their user passwords; but, these alone are not enough. There is a reason Microsoft identified multifactor authentication as a minimally effective solution for stopping Pass-the-Hash attacks. In this series, we’ll go deeper into password security and show additional mitigations to keep your users and their passwords safe. Here’s the lineup:
- Post #1 – Compromising Plain Text Passwords
- Post #2 – Finding Weak Passwords
- Post #3 – Attacking Weak Passwords
- Post #4 – Attacking Local Account Passwords
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Jeff Warren is Stealthbits’ General Manager of Products. Jeff has held multiple roles within the Technical Product Management group since joining the organization in 2010, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits – now part of Netwrix, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering Stealthbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.
Related Posts
- SERVER (UN)TRUST ACCOUNT
- Setup, Configuration, and Task Execution with Covenant: The Complete Guide
- Protecting Against DCShadow
- Detecting Persistence through Active Directory Extended Rights
- Resource-Based Constrained Delegation Abuse
- Honey Token Threat Detection with StealthDEFEND
- Domain Persistence with Subauthentication Packages
- What is DCSync? An Introduction
- How to Detect Pass-the-Hash Attacks
- New Exchange Authentication Vulnerability uses AD Admin to Gain Privileges
Leave a Reply