So far in this series we’ve looked at how plain text passwords can be exposed within Active Directory, which represents a major vulnerability for most AD environments. However, even if you have proper controls to prevent plain text passwords in your network, attackers can still get them pretty efficiently. How do they do this? They guess. And you’d be surprised how well guessing works at cracking passwords.
As we covered in the introductory post for this series, guessing can be very effective when your users are creating weak passwords. Unfortunately, there isn’t a whole lot you can do to stop users from doing this. This explains why in a study released by Praetorian in which 100 real-world penetration tests were analyzed, the #1 attack vector was weak domain user passwords.
What is a Weak Password?
The password policy within Active Directory enforces password length, complexity, and history. This does not in any way control what the password is, just how long it is and what characters are inside of it. Many people will use easily guessable passwords like Winter2017 or Password!@# because they technically meet the standards but are easy for them to remember.
Password Spraying
To prevent bad guys from constantly guessing the passwords of user accounts, AD supports account lockout policies. This will lock an account after a certain number of bad passwords are guessed for a particular user. But if you were to take a single password and try it against every single account in an organization, it would not trigger any lockouts. Let’s take a look at how you can do this using CrackMapExec (which we’ve explored in previous posts).
One of the cool features of CME is to enumerate the Active Directory password policy and lockout policy. This will let an attacker know how many bad passwords he can guess per account to avoid a lockout. Here is what the command outputs:
So you can see in my environment I can guess up to 10 passwords for an account before triggering a lockout. I also see I have a minimum password length of 5 characters and complex passwords is enabled. This can be used to craft a custom dictionary of passwords to guess against all accounts. Alternatively you can use any number of existing password lists which are readily available on GitHub and built based on analyzing password dumps from data breaches.
Now we have our list of passwords, we just need a list of users to attack. We can easily extract all users with an LDAP query. Alternatively, CME has a nice feature rid-brute which will enumerate all accounts:
Now that we have our list of passwords and users, we just need to specify the right command to guess the passwords across all users until we find a hit.
This command will attempt to run commands against a domain controller and cycle through the list of passwords for every user account in the users list. Here you can see this running until it finds a hit:
This is a very effective way for attackers with no access rights to compromise AD accounts and have access to their plain text passwords.
Discovering Your Weak Passwords
After reading this you may be wondering just how vulnerable you are to these attacks. Luckily DSInternals provides a great command Test-PasswordQuality which can be used to do just that. Using DSInternals you can extract all password hashes, then provide a dictionary of “weak” passwords which it will hash and compare to your account hashes. It then provides very useful output to identify the biggest weaknesses.
Here is the command you can issue to run the analysis. This can actually be run remotely and will extract password hashes using DC replication similar to the DCSync Mimikatz attack.
The first thing the report identifies is accounts stored with reversible encryption, a topic we covered in our last post.
Then it will find which accounts were found with matches in the dictionary. The ShowPlainTextPasswords flag controls whether you show the matching password or not.
Now we understand how important it is to set strong, and not easily guessable passwords. STEALTHbits offers products not only to assess this problem but to prevent users from using weak AD passwords going forward. In our next post, we will look at how an attacker can use this information to plan an attack path to compromise an AD domain.
Blog posts in the series:
- Post #1 – Compromising Plain Text Passwords
- Post #2 – Finding Weak Passwords
- Post #3 – Attacking Weak Passwords
- Post #4 – Attacking Local Account Passwords
Sign up for the full blog series to be notified when each new installment posts, here.
Register for the 4 AD Password Attacks webinar, here.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Jeff Warren is Stealthbits’ General Manager of Products. Jeff has held multiple roles within the Technical Product Management group since joining the organization in 2010, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits – now part of Netwrix, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering Stealthbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.
Related Posts
- SERVER (UN)TRUST ACCOUNT
- Setup, Configuration, and Task Execution with Covenant: The Complete Guide
- Protecting Against DCShadow
- Detecting Persistence through Active Directory Extended Rights
- Resource-Based Constrained Delegation Abuse
- Honey Token Threat Detection with StealthDEFEND
- Domain Persistence with Subauthentication Packages
- What is DCSync? An Introduction
- How to Detect Pass-the-Hash Attacks
- New Exchange Authentication Vulnerability uses AD Admin to Gain Privileges
Leave a Reply