
Attacking Weak Passwords in Active Directory

By Jeff Warren

In our last post, we learned about password spraying and how effective this can be to compromise AD accounts with weak and commonly used passwords.  Now let’s take a look at how an attacker could take this approach and put it into practice to compromise your domain.  For that, we are going to use BloodHound, a very useful open-source application for penetration testing AD security and planning attack paths to compromise high value accounts.  We’ve covered BloodHound in our permission attack series and AD attacks series, but today we’re going to look at a fork of BloodHound created by Tom Porter called BloodHound-Owned.

BloodHound-Owned brings new features to BloodHound which we can use as part of our attack against weak AD passwords.  Some of the features we will take advantage of include:

  • Password Reuse – BloodHound-Owned adds the ability of tracking shared passwords across AD user accounts and local Administrator passwords on computer accounts.
  • Tracking Compromised Accounts – You can now track an account or other AD objects as “owned” so you know which accounts you’ve compromised. This gives visual indications of which accounts you have found the passwords for, and offers other practical applications like planning attack paths from the accounts you have already compromised.

With that in mind, let’s look at an attack scenario where we attack AD accounts with password spraying, like we did with CrackMapExec in our last post.

Step 1 – Password Spray

During the password spraying attack we will hope to compromise one or more accounts by guessing their passwords, all without triggering the AD lockout policy on any accounts.  Once successful, we can import the compromised passwords into BloodHound-Owned using the provided Ruby script.

ruby .\bh-owned.rb -a .\wave1.txt

Where wave1.txt contains a list of compromised accounts with a description of how they were compromised.  You can see the results of this command below, including some useful information about what additional accounts we now have access to as a result of this compromise.

Importing compromised accounts into BloodHound-Owned

We can now visualize these compromised accounts and relationships within BloodHound-Owned to start planning our attack path.  BloodHound-Owned adds several new queries to BloodHound to make this easy such as Show Wave and Show Owned Nodes.

Viewing Wave of Owned accounts in BloodHound-Owned

Step 2 – Looking for Password Reuse

Okay, so now we’ve compromised a couple of accounts with password spraying, but we haven’t compromised the domain yet so let’s keep going.  Let’s see if any of the accounts that we’ve compromised share passwords with other accounts in AD.  To do that we are going to import our DSInternals output we looked at in the last post.

By issuing this command we can import them into BloodHound-Owned:

ruby .\bh-owned.rb -s .\SharedPasswords.txt

Where SharedPasswords.txt is the DSInternals output listing the groups of accounts that share a password.  After issuing that command you can see that the shared-password relationships have been created.

Importing shared passwords with BloodHound-Owned

Once imported, we can visualize these shared passwords with BloodHound-Owned using the Find Clusters of Password Reuse query.

Viewing shared passwords in BloodHound-Owned

And we can see that our compromised account is shown on the left, so we know it shares a password with all of the other accounts.

Step 3 – Own the Shared Password Accounts

Now that we know about the shared passwords, we will consider those accounts owned.  The following command will mark them as owned nodes in BloodHound-Owned.

ruby .\bh-owned.rb -a .\SharedPasswords.txt

Once imported as owned, we can see in my environment this gives us access to 90 additional nodes.

Importing shared password accounts with BloodHound-Owned

We can now visualize our new attack path with this second wave of compromised accounts.  By using the Find Shortest Path from owned node to Domain Admins query, we can also see that we now have an attack path which leads to compromise of the entire domain!

Find Shortest Path from owned node to Domain Admin
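The second and third steps above boil down to one computation: take the accounts already owned, follow the shared-password groups, and see which additional accounts (and which privileged ones) fall out. The following is an added example, not code from the post or from BloodHound-Owned, that does that computation on a constructed shared-password report so a defender can rank password resets from their own DSInternals audit; the blank-line-separated group format and the account names are assumptions.

```python
"""Blast radius of password reuse (added example, not from the post).

Given groups of accounts that share a password (as a DSInternals audit
reports them) and the accounts already known to be compromised, compute
the accounts that fall with them and flag the privileged ones to reset
first. This mirrors what the Find Clusters of Password Reuse query shows.
"""
from typing import Dict, List, Set

# Constructed sample report (assumed format: one group per block,
# groups separated by a blank line). Not real accounts.
SHARED_PASSWORDS = """\
CORP\\jsmith
CORP\\svc_backup
CORP\\hr-admin

CORP\\kpatel
CORP\\kpatel-adm
"""

# Constructed: accounts found by the password spray ("wave 1").
WAVE1 = {"CORP\\jsmith"}
# Constructed: accounts the defender considers privileged.
PRIVILEGED = {"CORP\\hr-admin", "CORP\\kpatel-adm"}


def parse_groups(text: str) -> List[Set[str]]:
    """Split the report into sets of accounts sharing one password."""
    groups: List[Set[str]] = []
    current: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line closes a group
            if current:
                groups.append(current)
                current = set()
            continue
        current.add(line)
    if current:                           # report may lack a final blank line
        groups.append(current)
    return groups


def blast_radius(groups: List[Set[str]], owned: Set[str],
                 privileged: Set[str]) -> Dict[str, Set[str]]:
    """Accounts reachable from 'owned' via a shared password ("wave 2"),
    plus the subset that are privileged and should be reset first."""
    wave2: Set[str] = set()
    for group in groups:
        if group & owned:                 # any owned member exposes the group
            wave2 |= group - owned
    return {"wave2": wave2, "privileged_hit": wave2 & privileged}
```

Running `blast_radius(parse_groups(SHARED_PASSWORDS), WAVE1, PRIVILEGED)` on the sample shows that one sprayed account exposes a service account and a privileged account, while the second group is untouched.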

So now we can see how an attacker can take concepts like password spraying and other attacks against passwords and build them into an attack plan.  In our next post, we will look deeper at risks associated with local account passwords.

© 2022 Stealthbits Technologies, Inc.