Compromising Plain Text Passwords in Active Directory

A lot of attention gets paid to preventing pass-the-hash and pass-the-ticket attacks, but imagine what an attacker could do with the actual passwords of privileged user accounts rather than just the hashes. Pass-the-hash gives attackers access to what can be performed from a command line, but plain text passwords give an attacker unlimited access to an account.  This may include access to web applications, VPN, and email.  If you need a primer on the difference between plain text passwords and password hashes, check out our training video here.

We looked briefly at one way to extract plain text passwords in the Kerberoasting post, which relied on brute-force attacking a password. That is effective but takes a lot of time and patience.  There are quicker and easier ways attackers can extract plain text passwords, which we’ll explore in this post.

Group Policy Preferences

In Windows Server 2008, Microsoft introduced Group Policy Preferences (GPPs). One of the common use cases for GPPs is to create and manage local accounts on servers and workstations, such as the Administrator account.  As part of this, an administrator can push out a password for these accounts.

The password is stored inside the group policy XML file within SYSVOL and is encrypted using an AES key. However, Microsoft published the AES key, which can be used to decrypt these passwords making them effectively plain text.

Because the SYSVOL share is open to Authenticated Users, anybody within the organization can read the files stored here. Therefore, any user account can find and decrypt these files and gain access to plain text passwords for Administrator accounts. PowerSploit offers a simple command Get-GPPPassword, which will find and decrypt these passwords for you.

For a more detailed write-up on this, check out Sean Metcalf’s post here and Microsoft’s post here.  Also, Microsoft provides a useful script for scanning for GPPs that contain passwords as part of the security bulletin they issued.

Mimikatz and LSASS Minidumps

Typically, Mimikatz is used to extract NTLM password hashes or Kerberos tickets from memory. However, one of the lesser-known capabilities of Mimikatz is the ability to extract plain text passwords from process dumps created for the LSASS process. This means that an attacker can compromise passwords in plain text without running any nefarious code on domain controllers. Dump files can be created interactively or using ProcDump, and in either case, it is unlikely to be flagged by anti-virus software. Once the dumps are created, they can be copied off the domain controller (DC) and the plain text credentials can be harvested using Mimikatz offline.

Here you can see the creation of the process dump on a domain controller using ProcDump. This, in essence, creates a snapshot of the LSASS process, which contains plain text password information. 

Once created, the file can be copied to another host for offline password extraction using Mimikatz. By using the sekurlsa::minidump command, you can switch the context of Mimikatz to the extracted dump file and issue the sekurlsa::logonpasswords command. 

And that’s all it takes.  Now you can see plain text passwords for privileged accounts. 

WDigest

Digest authentication was introduced in Windows XP, which is used for HTTP and SASL. Most importantly, this authentication provider, if enabled, will store plaintext credentials for locally authenticated accounts.  In 2014, Microsoft released a patch that allows you to disable this using the UseLogonCredential registry value.  However, many organizations still run many servers and workstations with WDigest enabled.

With WDigest enabled, you can see how easily Mimikatz can extract plain text credentials with the sekurlsa::logonpasswords command. 

Reversible Encryption

Active Directory enables the storing of user passwords with reversible encryption, which is essentially the same as storing them in plain text. This was introduced in Windows Server 2000, but still exists in even the most recent versions.  According to Microsoft, this was introduced to provide “support for applications that use protocols that require the user’s password for authentication”.

By default, this option is off; but, when enabled, it allows user passwords to be easily extracted in clear text using approaches such as DCSync. 

Which will return a plain text password: 

This setting can be enabled through Group Policy Objects, User Account Control settings, and through fine-grained password policies. An attacker may be able to maliciously create a fine-grained password policy that links to Domain Admins to enable their passwords to be stored with reversible encryption, giving them access to the plaintext password for privileged accounts.

As you can see, there is no shortage of ways for an interested attacker to obtain plaintext passwords for Active Directory accounts.  However, there are several other attacks against AD passwords, which we will explore in the coming posts.

Blog posts in the series:

• Post #1 – Compromising Plain Text Passwords
• Post #2 – Finding Weak Passwords
• Post #3 – Attacking Weak Passwords
• Post #4 – Attacking Local Account Passwords

Sign up for the full blog series to be notified when each new installment posts, here. 

Register for the 4 AD Password Attacks webinar, here. 

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Name

Email*