In our last post, we learned about password spraying and how effective this can be to compromise AD accounts with weak and commonly used passwords. Now let’s take a look at how an attacker could take this approach and put it into practice to compromise your domain. For that, we are going to use BloodHound, a very useful open-source application for penetration testing AD security and planning attack paths to compromise high value accounts. We’ve covered BloodHound in our permission attack series and AD attacks series, but today we’re going to look at a fork of BloodHound created by Tom Porter called BloodHound-Owned.
BloodHound-Owned brings new features to BloodHound which we can use as part of our attack against weak AD passwords. Some of the features we will take advantage of include:
With that in mind, let’s look at an attack scenario where we attack AD accounts with password spraying, like we did with CrackMapExec in our last post.
During the password spraying attack we will hope to compromise one or more accounts by guessing their passwords, all without triggering the AD lockout policy on any accounts. Once successful, we can import the compromised passwords into BloodHound-Owned using the provided Ruby script.
Ruby .bh-owned.rb –a .wave1.txt
Where wave1.txt contains a list of compromised accounts with a description of how they were compromised. You can see the results of this command below, including some useful information about what additional accounts we now have access to as a result of this compromise.
We can now visualize these compromised accounts and relationships within BloodHound-Owned to start planning our attack path. BloodHound-Owned adds several new queries to BloodHound to make this easy such as Show Wave and Show Owned Nodes.
Okay, so now we’ve compromised a couple of accounts with password spraying, but we haven’t compromised the domain yet so let’s keep going. Let’s see if any of the accounts that we’ve compromised share passwords with other accounts in AD. To do that we are going to import our DSInternals output we looked at in the last post.
By issuing this command we can import them into BloodHound-Owned:
Ruby .bh-owned.rb –s .SharedPasswords.txt
Where SharedPasswords.txt is the output of a group of accounts with shared passwords. After issuing that command you can see the relationships are created.
Once imported, we can visualize these shared passwords with BloodHound-Owned using the Find Clusters of Password Reuse query.
And we can see that our compromised account is shown on the left, so we know it shares a password with all of the other accounts.
Now that we know about the shared passwords, we will consider those accounts owned. The following command will mark them as owned nodes in BloodHound-Owned.
Ruby .bh-owned.rb –a .SharedPasswords.txt
Once imported as owned, we can see in my environment this gives us access to 90 additional nodes.
We can now visualize our new attack path with this second wave of compromised accounts. By using the Find Shortest Path from owned node to Domain Admins, we can also see we now have an attack path which leads us to a compromise the entire domain!
So now we can see how an attacker can take concepts like password spraying and other attacks against passwords and build them into an attack plan. In our next post, we will look deeper at risks associated with local account passwords.
Blog posts in the series:
Sign up for the full blog series to be notified when each new installment posts, here.
Register for the 4 AD Password Attacks webinar, here.
Jeff Warren is Stealthbits’ General Manager of Products. Jeff has held multiple roles within the Technical Product Management group since joining the organization in 2010, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits – now part of Netwrix, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering Stealthbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.Read more