Unveiling Active Directory Secrets
Uncommon Tricks for Enhanced Security

Vincent LE TOUX (VINCI, France)

C0 - VINCI Public
About

VINCI: global player in concessions, energy and construction. French group, 250 000 employees.
(Slide map: a concession with a 40% participation from VINCI Airports; end of contract (year): 2060.)
About us

4th presentation by the VINCI-CERT at the annual conference.

Vincent LE TOUX, Head of VINCI-CERT (@mysmartlogon). Vincent has already spoken at many conferences (FIRST, BlackHat US&EU, BlueHatIL, RomHack, HackinParis, …), mostly on Active Directory topics (PingCastle & Mimikatz).
Tanguy LE BRETTON, VINCI-CERT analyst
Marc VILLAIN, Security Project Manager
Ewen FERTIL, VINCI-CERT analyst

https://www.vinci.com/cert
Introduction

12 tips to be presented, each rated by level of difficulty / understanding / impact (Easy, Medium, Advanced).

Format of each tip, "#X: Title", then a 3 step explanation:
- What is this?
- Why is it a problem?
- How to fix it / detect it / mitigate it?

! I'm using Windows 2008 for the presentation because I own a license. But all the items presented work on newer OS.
In Summary

Unusual Config
  #1: user vs inetOrgPerson classes (Easy)
  #2: Backup files of GPO are not replicated (Easy)
  #3: forgotten Ownership of AD Objects (Easy)
Stay Silent
  #4: Anonymous Bind Usage (Easy)
  #5: NT4 API Abuse (Advanced, Demo!)
  #6: Dynamic Objects for Stealth (Medium)
  #7: AV Detection via SID Resolution (Advanced, Demo!)
  #8: Abuse network auth to get password (Advanced, Demo!)
Admin tricks
  #9: Smart card logon for dummies (Medium, Demo!)
  #10: AD Denial of Service (Easy, Demo!)
Investigate
  #11: Replication Data and Timeline (Easy, Demo!)
  #12: DPAPI Key Vulnerability Reminder (Easy)

Unusual configuration
#1: user vs inetOrgPerson classes (Easy)

What is this?
InetOrgPerson is the standard LDAP « user » class. However, Microsoft uses its own « user » class by default. InetOrgPerson inherits from user, so the classes can be switched easily:

Set-ADUser SaraDavis -Add @{objectClass='inetOrgPerson'}
Set-ADUser SaraDavis -Remove @{objectClass='inetOrgPerson'}

Why is it a problem?
PowerShell filtering on the class isn't working correctly: compare the LDAP filter (which works correctly) with the Where clause in PowerShell shown on the slide.

How to fix it / detect it / mitigate it?
Just search and replace the class InetOrgPerson by User.
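
The filter mismatch above, as an added example that is not part of the original slides: the same accounts queried with an LDAP filter and with the PowerShell Where clause, followed by the audit listing of every inetOrgPerson account. It assumes the ActiveDirectory module on a domain-joined machine; SaraDavis is the sample account name taken from the slide.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module on a
# domain-joined machine; SaraDavis is the sample account name used on the slide.
Import-Module ActiveDirectory

# LDAP filter: objectClass is multi-valued on the server side, so
# (objectClass=user) matches plain users AND inetOrgPerson objects,
# because inetOrgPerson inherits from user.
$allPersons = Get-ADObject -LDAPFilter '(&(objectClass=user)(objectCategory=person))' `
    -Properties sAMAccountName

# The ObjectClass property handed to PowerShell holds only the most specific
# class ('user' or 'inetOrgPerson'), so this Where clause silently drops
# every inetOrgPerson account: the bug the slide warns about.
$seenByWhere = $allPersons | Where-Object { $_.ObjectClass -eq 'user' }

# Audit view: the accounts a script written with that Where clause never sees.
$inetOrgPersons = Get-ADObject -LDAPFilter '(objectClass=inetOrgPerson)' -Properties sAMAccountName

"Person objects (LDAP filter) : {0}" -f @($allPersons).Count
"Matched by Where ObjectClass : {0}" -f @($seenByWhere).Count
"inetOrgPerson objects missed : {0}" -f @($inetOrgPersons).Count
$inetOrgPersons | Select-Object sAMAccountName, DistinguishedName | Format-Table -AutoSize

# Remediation from the slide: convert one account back to a plain user.
# Set-ADUser -Identity SaraDavis -Remove @{objectClass='inetOrgPerson'}
```

The difference between the first two counters is the number of accounts an audit script built on the Where clause never inspects.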
#2: Backup files of GPO are not replicated (Easy)

What is this?
The SYSVOL folder is published through DFSR. As a reminder, DFSR does not replicate .bak and .tmp files.

Why is it a problem?
That means backup files of:
- login scripts
- group policies containing obfuscated passwords (groups.xml, services.xml, scheduledtasks.xml, datasources.xml, printers.xml, drives.xml)
are not checked by AD audit tools looking at a single DC.

How to fix it / detect it / mitigate it?
Iterate the SYSVOL on each DC to find .bak files.
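
How to run the check above on every DC, as an added example (not code from the slides): it walks each DC's own SYSVOL share for .bak and .tmp files and flags those that still carry a Group Policy Preferences cpassword value. It assumes the ActiveDirectory module and read access to \\<DC>\SYSVOL.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module and
# read access to the SYSVOL share of every DC.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

$findings = foreach ($dc in Get-ADDomainController -Filter *) {
    # Walk the DC's own share, not the domain DFS path \\domain\SYSVOL:
    # a file DFSR never replicated exists on a single DC only.
    $roots = "\\$($dc.HostName)\SYSVOL\$domain\Policies",
             "\\$($dc.HostName)\SYSVOL\$domain\scripts"
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { Write-Warning "Cannot reach $root"; continue }
        Get-ChildItem -Path $root -Recurse -File -Include '*.bak', '*.tmp' -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    DC           = $dc.HostName
                    File         = $_.FullName
                    LastWrite    = $_.LastWriteTime
                    # Group Policy Preferences store the obfuscated password as cpassword="...".
                    HasCpassword = [bool](Select-String -LiteralPath $_.FullName -Pattern 'cpassword=' -Quiet)
                }
            }
    }
}

# A leftover .bak of a preferences file that still holds a cpassword is the case to fix first.
$findings | Sort-Object HasCpassword, LastWrite -Descending | Format-Table -AutoSize
```

Scanning \\<domain>\SYSVOL instead would reach a single DC through DFS and miss exactly the files this slide is about.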
#3: forgotten Ownership of AD Objects (Easy)

What is this?
Users / computers may create AD objects (ex: when 'ms-DS-MachineAccountQuota' is not zero). They become the owner of the object, and can overwrite the permissions (in some cases, mS-DS-CreatorSID is set).
Other: when a server is promoted as DC: who added it in the AD?

Why is it a problem?
The owner can overwrite permissions, even without any write access.
1) Reset the domain controller account password and you become the DC.
2) Secrets are stored in some attributes: you can become local admin by reading the LAPS password.

How to fix it / detect it / mitigate it?
Audit the AD object owners. Use Get-ADUser with the property ntSecurityDescriptor.Owner.
See link: https://blog.piservices.fr/post/2021/03/29/powershell-who-s-owner-of-my-ad-object

Example: the owner grants itself GenericAll on the object:

$adObject = Get-ADUser -Identity 'username'
$acl = Get-Acl -Path "AD:\$($adObject.DistinguishedName)"
$rule = New-Object System.Security.AccessControl.ActiveDirectoryAccessRule `
    -ArgumentList @(
        [System.Security.Principal.NTAccount]'username', # Identity (the owner)
        'GenericAll',        # Active Directory rights
        'Allow',             # Type of access rule
        [guid]::Empty,       # Object type (empty GUID = all attributes)
        'None',              # Inheritance type
        [guid]::Empty        # Inherited object type
    )
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$($adObject.DistinguishedName)" -AclObject $acl
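
The owner audit recommended above, as an added example (not the slides' code): it lists every user and computer object whose owner is not one of the expected administrative principals, together with mS-DS-CreatorSID when it is set. It assumes the ActiveDirectory module; the allow-list of owners is an assumption to adapt to the forest being audited.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module; the
# allow-list of expected owners is an assumption to adapt to your forest.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
$expectedOwners = @(
    "$domainSid-512",   # Domain Admins
    "$domainSid-519",   # Enterprise Admins (forest root SID in a multi-domain forest)
    'S-1-5-32-544',     # BUILTIN\Administrators
    'S-1-5-18'          # SYSTEM
)

# Computers and users are what a MachineAccountQuota abuse or a delegated
# creator leaves behind; widen the LDAP filter to audit other classes.
$objects = Get-ADObject -LDAPFilter '(|(objectClass=computer)(objectClass=user))' `
    -Properties ntSecurityDescriptor, 'mS-DS-CreatorSID', whenCreated

$unexpected = foreach ($obj in $objects) {
    $owner = $obj.ntSecurityDescriptor.Owner          # 'DOMAIN\name' form
    try {
        $ownerSid = ([System.Security.Principal.NTAccount]$owner).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $ownerSid = $owner   # deleted or foreign principal: keep the raw value
    }
    if ($expectedOwners -notcontains $ownerSid) {
        # mS-DS-CreatorSID is only present when a non-admin created the object.
        $raw = $obj.'mS-DS-CreatorSID'
        $creatorSid = if ($raw -is [byte[]]) {
            (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
        } elseif ($raw) { "$raw" } else { $null }
        [pscustomobject]@{
            Object     = $obj.DistinguishedName
            Class      = $obj.ObjectClass
            Owner      = $owner
            OwnerSid   = $ownerSid
            CreatorSid = $creatorSid
            Created    = $obj.whenCreated
        }
    }
}

# Every line here is a principal that can rewrite the object's ACL at will.
$unexpected | Sort-Object Created | Format-Table -AutoSize
```

Resolving the owner to a SID before comparing avoids the usual false negatives from renamed groups and localized names.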
Stay silent

#4: Anonymous Bind Usage (Easy)

What is this?
« Anonymous bind » can be used on every DC to get basic information about the server: FQDN, OS type, …

Why is it a problem?
Sadly, not a vulnerability.

How to fix it / detect it / mitigate it?
Can be disabled only starting with Windows Server 2019 (DenyUnauthenticatedBind).
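
An added example, not code from the slides, for the anonymous bind and the DenyUnauthenticatedBind setting above: it reads what a DC returns to an anonymous bind through the rootDSE, then reads and sets DenyUnauthenticatedBind on the Directory Service object of the configuration partition. It assumes the ActiveDirectory module and write access on that object. The setting rejects unauthenticated simple binds (a DN presented with an empty password); the rootDSE read shown first stays available, since the rootDSE is readable without credentials by design.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module and
# rights to write the Directory Service object in the configuration partition.
Import-Module ActiveDirectory

$dc = (Get-ADDomainController -Discover).HostName[0]

# 1) What an anonymous bind sees: the rootDSE is readable without credentials.
$rootDse = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$dc/RootDSE", $null, $null,
    [System.DirectoryServices.AuthenticationTypes]::Anonymous)
[pscustomobject]@{
    DnsHostName    = $rootDse.Properties['dnsHostName'].Value
    ServerName     = $rootDse.Properties['serverName'].Value
    DomainFunction = $rootDse.Properties['domainFunctionality'].Value
    Capabilities   = ($rootDse.Properties['supportedCapabilities'] -join ' ')
}

# 2) The forest-wide setting is one value of the multi-valued attribute
#    msDS-Other-Settings on the Directory Service object.
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$settings = (Get-ADObject -Identity $dsObject -Properties 'msDS-Other-Settings').'msDS-Other-Settings'
$current  = $settings | Where-Object { $_ -like 'DenyUnauthenticatedBind=*' }
"Current value: $(if ($current) { $current } else { '<not set>' })"

# 3) Enable it. Remove any stale value first, because the attribute is
#    multi-valued and would otherwise keep both entries.
if ($current) {
    Set-ADObject -Identity $dsObject -Remove @{'msDS-Other-Settings' = $current}
}
Set-ADObject -Identity $dsObject -Add @{'msDS-Other-Settings' = 'DenyUnauthenticatedBind=1'}
```

The setting is only honoured by DCs running Windows Server 2019 or later, as the slide says; older DCs in the same forest keep accepting unauthenticated binds.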
#5: NT4 API Abuse (Advanced)

What is this?
Classic way to change the password (slide diagram): the client sends the new password in CLEAR TEXT ("PASSXORD"), the DC updates the hash if the password changed, and the complexity check answers: DENIED! PASSWORD NOT COMPLEX ENOUGH.
NT4 way to change the password (slide diagram): the client sends the NTLM HASH of "PASSXORD" (01011 11001 …) instead of the clear text, and the DC answers: DONE!
You can set your password without the password in clear text.

Why is it a problem?
No password complexity checks.

How to fix it / detect it / mitigate it?
RPC firewall can block SamrChangePasswordUser. The other call, SamrSetInformationUser, is used for genuine purposes.
No solution for the moment.

#5 Demo!
https://github.com/vletoux/NTLMInjector

Limits:
• Change password to zero char ✗
• Usable for Kerberos AES256 ✗ (immediate password change proposed at login time)
#6: Dynamic Objects for Stealth (Medium)

What is this?
A special class that adds an end of life to objects at a specific date. Minimum lifetime: 1h. Needs to be specified at creation time; cannot be granted later.

[int]$intDynTTL = 15              # requested lifetime in minutes
$intDynTTL = $intDynTTL * 60      # entryTTL is expressed in seconds
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://OU=Accounts,DC=contoso,DC=com")
$objName = "DYNUSER1"
$objDyn = $objDomain.Create("user", "CN=" + $objName)
$objDyn.Put("objectClass", @("dynamicObject", "user"))   # dynamicObject must be set at creation
$objDyn.Put("entryTTL", $intDynTTL)
$objDyn.Put("sAMAccountName", $objName)
$objDyn.SetInfo()

Why is it a problem?
Leaves no traces, even in the recycle bin. No replication logs at deletion.
Normal account -> Recycle bin -> Marked as deleted
Dynamic account -> No data for forensic analysis

How to fix it / detect it / mitigate it?
Track object creation and add a filter on objectClass.
https://itpro-tips.com/detect-the-creation-of-ad-dynamic-objects/
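
The detection side of the slide above, as an added example (not from the slides): it enumerates the dynamic objects still alive in the domain, shows when each one expires, and snapshots them to a file, since once they are gone no tombstone remains. It assumes the ActiveDirectory module; the snapshot path is a sample.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module;
# the snapshot path is a sample.
Import-Module ActiveDirectory

function Get-DynamicObject {
    $now = Get-Date
    # Filtering on the auxiliary class is the "filter on objectclass" of the slide.
    Get-ADObject -LDAPFilter '(objectClass=dynamicObject)' `
        -Properties 'msDS-Entry-Time-To-Die', entryTTL, whenCreated |
        ForEach-Object {
            $ttd = $_.'msDS-Entry-Time-To-Die'     # absolute expiry stored on the object
            [pscustomobject]@{
                Object        = $_.DistinguishedName
                Class         = $_.ObjectClass
                Created       = $_.whenCreated
                TimeToDie     = $ttd
                RemainingMins = if ($ttd) { [math]::Round(($ttd - $now).TotalMinutes, 1) } else { $null }
            }
        }
}

$dynamic = Get-DynamicObject | Sort-Object TimeToDie
$dynamic | Format-Table -AutoSize

# A dynamic object leaves nothing behind once it expires, so keep your own
# copy now rather than hoping for a tombstone or recycle bin entry later.
if ($dynamic) {
    $dynamic | Export-Clixml -Path ".\dynamic-objects-$(Get-Date -Format yyyyMMdd-HHmm).xml"
}
```

Scheduling this query more often than the shortest lifetime allowed in the forest is what turns it into a detection rather than a one-off inventory.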
#7: AV Detection via SID Resolution (Advanced)

What is this?
(Slide diagram: the client asks to resolve a SERVICE NAME; the answer is USER NOT FOUND when the service is absent, HERE IS THE SID when it is installed.)
You can use SID resolution (no permissions) to check if a service (aka antivirus) is installed.

Why is it a problem?
To be differentiated from SYSTEM, each service has a local service name: NT SERVICE\<Service name>. Thus, it needs an SID to set permissions.
SID = S-1-5-80-XXXX-XXXXX-XXXX (aka hash(<Service Name>))

How to fix it / detect it / mitigate it?
No solution for the moment.

Demo
https://github.com/vletoux/TestAntivirus
Or
https://www.pingcastle.com/download
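
An added example, not the slides' code, illustrating the hash(<Service Name>) formula above: it derives the NT SERVICE SID from the name exactly as Windows does and checks the result against the local resolver. EventLog is a sample service name; the resolver only answers for services present on the machine, which is why the slide says the check needs no permissions and has no fix: the SID is a pure function of the name.

```powershell
# Added example, not from the slides. Pure .NET, nothing to install; the
# service name is a sample and must be an installed service for the
# resolver check to succeed.
function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    # Windows derives the SID from the name alone: SHA-1 of the upper-cased
    # UTF-16LE name, split into five little-endian DWORD sub-authorities
    # under the NT SERVICE authority S-1-5-80.
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $hash  = $sha1.ComputeHash($bytes)
    $subAuthorities = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    'S-1-5-80-' + ($subAuthorities -join '-')
}

function Test-ServiceSidDerivation {
    param([string]$ServiceName = 'EventLog')
    $computed = Get-ServiceSid -ServiceName $ServiceName
    # The resolver only answers for a service that actually exists on the
    # host: that difference ("user not found" vs a SID) is what the probe
    # described on the slide relies on.
    try {
        $resolved = ([System.Security.Principal.NTAccount]"NT SERVICE\$ServiceName").Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $resolved = $null }
    [pscustomobject]@{
        Service  = $ServiceName
        Computed = $computed
        Resolved = $resolved
        Match    = ($computed -eq $resolved)
    }
}

Test-ServiceSidDerivation
# The built-in tool gives the same answer, for comparison: sc.exe showsid EventLog
```

Because nothing secret enters the derivation, renaming or hiding a security product's service does not change what a resolver reveals; only the resolver's answer ("not found" vs a SID) leaks, and that behaviour is part of the platform.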
#8: Abuse network auth to get password (Advanced)

What is this? Why is it a problem?
(Slide diagrams: Interactive login: CLEAR TEXT PASSWORD -> NTLM HASH -> DONE! Network login: a lot of data exchanged -> DONE!)
You can authenticate yourself with a service you host. You can see the packets exchanged.
If you want to test a password, you can check if the crypto matches.
!!! There is a local "optimization" to disable password hashing. It has to be disabled !!!

How to fix it / detect it / mitigate it?
Search for event 4624 with Logon Type: 3
(https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624)

Demo!
https://github.com/vletoux/DetectPasswordViaNTLMInFlow
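
The detection line above (event 4624, logon type 3), as an added example that is not the slides' code: it pulls network logons from the Security log, reads the event fields by name, and summarises them per account, authentication package and source, so a burst of NTLM network logons hitting a service from an unexpected workstation stands out. Run it on the host offering the service (or on a DC for domain accounts); it needs read access to the Security log, and the 24h window is an assumption.

```powershell
# Added example, not from the slides. Needs read access to the Security log of
# the target host; the 24h window and the grouping are assumptions to adapt.
function Get-NetworkLogons {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    # Let the event log service do the filtering: 4624 with LogonType 3 only.
    $xpath = "*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='3']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $Since } |
        ForEach-Object {
            # Read fields by name from the event XML rather than by position.
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                AuthPackage = $data['AuthenticationPackageName']   # NTLM vs Kerberos
                LmPackage   = $data['LmPackageName']               # NTLM V1 / V2 when NTLM
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
            }
        }
}

# Summary: who logged on over the network, with which package, from where.
Get-NetworkLogons |
    Group-Object Account, AuthPackage, SourceIp |
    Select-Object Count, @{ n = 'Account / Package / Source'; e = { $_.Name } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

A service used to test candidate passwords shows up as many 4624 type 3 events for the same account and source in a short window, with the NTLM package; the same account logging on interactively to that host would be type 2 and never appear here.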
Admin trick

#9: Smart card logon for dummies (Medium)

What is this? How to use it?

Step 1: Get a card
A) Buy a PKI smart card on smart card focus
B) Or enable the PKI feature (aka: PIV applet with a Yubikey)
C) Or build it yourself:
   1) Get a javacard with RSA support (1$!)
   2) Install a PKI applet on it (GIDSApplet, IsoApplet, …)
   Same chip as a SIM card (phone) or an EMV credit card = CHEAP

Step 2: Use it
Linux: use OpenSC.
Windows: if the applet is GIDS or PIV, nothing to do. Else, install a "CSP" or "minidriver".
Run "certutil -scinfo" to check the installation.
Then ADCS => request certificate => use the CSP.

Why is it NOT a problem?
No password anymore.

Demo! (length: 2:30)
#1: insert an empty card (0:00 -> 0:11)
#2: install GIDS applet (0:11 -> 1:00)
#3: personalize applet (set PIN) (1:00 -> 1:24)
#4: request CERT (1:24 -> 2:15)
#5: login demo (2:15 -> 2:30)
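
As an added example (not from the slides), a readiness check for step 2: after certutil -scinfo has confirmed the card and its CSP/minidriver, verify that the certificate propagated into the user's personal store is actually usable for domain logon (Smart Card Logon EKU, a UPN in the Subject Alternative Name, a private key bound to the card, a chain that builds). The 'Principal Name=' text match assumes an English Windows locale.

```powershell
# Added example, not from the slides. Pure .NET; assumes the card's certificate
# was propagated to Cert:\CurrentUser\My (Windows does this on card insertion)
# and an English locale for the SAN text match.
$smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU

function Test-SmartCardLogonCert {
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasLogonEku = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $smartCardLogonOid })

        # Subject Alternative Name (2.5.29.17): the UPN is what the DC maps to the account.
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            SmartCardEku = $hasLogonEku
            HasUpnInSan  = ($sanText -match 'Principal Name=')
            PrivateKey   = $cert.HasPrivateKey      # true when the key is reachable through the card's CSP
            ChainOk      = $cert.Verify()           # the DC must build the same chain to a trusted CA
            Expires      = $cert.NotAfter
        }
    }
}

# Run "certutil -scinfo" first to confirm the reader, card and CSP; then:
Test-SmartCardLogonCert | Where-Object SmartCardEku | Format-Table -AutoSize
```

A row with SmartCardEku, HasUpnInSan, PrivateKey and ChainOk all true is what the login demo needs; any false column points at the step (template, enrollment, CSP, or CA trust on the DC) to revisit.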
#10: AD Denial of Service (Easy)

What is this? Why is it a problem?
(Slide diagram: the DC holds an LdapIpDenyList attribute; for each incoming connection it checks: is the incoming IP in the LDAP IP deny list?)
https://medium.com/@nannnu/the-f-c-urious-case-of-the-ldapipdenylist-8e5799cd9ce

How to fix it / detect it / mitigate it?
I don't know! Except using IPv6.

#10 AD Denial of Service - Demo
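
The deny list above, as an added example (not from the slides): it dumps the lDAPIPDenyList of every LDAP query policy in the forest so that any entry, expected or not, is visible. It assumes the ActiveDirectory module; the decoding assumes each value is 8 bytes, an IPv4 address followed by its mask, so verify it against an entry you created yourself before trusting the output.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module.
# Decoding assumption: one value = 8 bytes, IPv4 address then mask.
Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext
$policies = Get-ADObject -SearchBase "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
    -LDAPFilter '(objectClass=queryPolicy)' -Properties lDAPIPDenyList, whenChanged

foreach ($policy in $policies) {
    # Skip nulls so a policy without a list reports zero entries.
    $entries = @($policy.lDAPIPDenyList | Where-Object { $_ })
    "{0}: {1} deny entries (last changed {2})" -f $policy.Name, $entries.Count, $policy.whenChanged
    foreach ($raw in $entries) {
        if ($raw.Length -eq 8) {
            $ip   = (New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$raw[0..3])).ToString()
            $mask = (New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$raw[4..7])).ToString()
            "  deny $ip mask $mask"
        } else {
            "  unrecognised entry ({0} bytes): {1}" -f $raw.Length, (($raw | ForEach-Object { $_.ToString('x2') }) -join '')
        }
    }
}
# Anyone who can write this attribute can cut every IPv4 client off the DCs
# using the policy, so review who holds write access on these objects and
# alert on a change of whenChanged that nobody planned.
```

An empty list on every policy is the normal state; the value of the check is a baseline, so that a later entry (or a change to the object) is noticed before clients start failing.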
Investigate

#11: Replication Data and LDAP notifications (Easy)

What is this?
A) Information in public access to debug replication issues:
   repadmin /showobjmeta * "CN=…"
B) A flag in LDAP to see changes in realtime (with a 15 minutes delay if replicated).

Why is it NOT a problem? How to use it?
A) Used in IR to know when data has been changed: created users, modified groups, password resets.
   https://github.com/ANSSI-FR/ADTimeline
B) Put in place a monitoring during IR in 2 minutes.
   https://pingcastle.com/download
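
Part A above in PowerShell, as an added example that is not from the slides: Get-ADReplicationAttributeMetadata returns the same metadata as repadmin /showobjmeta, and with -ShowAllLinkedValues also one row per linked value (each group member) with its own timestamps. It assumes the ActiveDirectory module; 'Domain Admins' is a sample object to replace with the one under investigation.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module;
# 'Domain Admins' is a sample object to replace with the one under investigation.
Import-Module ActiveDirectory

function Get-ObjectTimeline {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server = (Get-ADDomainController -Discover).HostName[0]
    )
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Server $Server
    if (-not $obj) { throw "No object with sAMAccountName '$SamAccountName' on $Server" }

    # Same data as "repadmin /showobjmeta": one row per attribute, plus one row
    # per linked value (e.g. each group member) thanks to -ShowAllLinkedValues.
    Get-ADReplicationAttributeMetadata -Object $obj.DistinguishedName -Server $Server -ShowAllLinkedValues |
        Sort-Object LastOriginatingChangeTime |
        Select-Object LastOriginatingChangeTime, AttributeName, AttributeValue, Version,
                      LastOriginatingChangeDirectoryServerIdentity, LastOriginatingDeleteTime
}

# Typical IR questions this answers without any event log:
#  - when was pwdLastSet last written, and through which DC (password reset)?
#  - when was each member added to, or removed from, the group (a removed
#    linked value keeps its LastOriginatingDeleteTime)?
#  - when did userAccountControl change (enable/disable)?
Get-ObjectTimeline -SamAccountName 'Domain Admins' | Format-Table -AutoSize
```

The originating DC identity in each row tells you where the change was made, which is often the first pivot when the change itself was not expected.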
#12: DPAPI Key Vulnerability Reminder (Easy)

What is this?
(Slide diagram: user password -> DPAPI master key (with the AD master key) -> DPAPI -> passwords -> password database.)
DPAPI is used to encrypt sensitive stuff, such as secrets. Used every day to prevent the admin from eavesdropping on your saved passwords.

Why is it a problem?
Compromise checklist, reset:
- the krbtgt ✓
- service accounts ✓
- the admin passwords ✓
- the user passwords ✓
- the AD DPAPI master key ✗
https://learn.microsoft.com/en-us/windows/win32/seccng/cng-dpapi-backup-keys-on-ad-domain-controllers

How to fix it / detect it / mitigate it?
Hunting: investigate event 4662 with object bckupkey.
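
The hunting step above, as an added example (not from the slides): it collects the 4662 events of each DC whose object name contains BCKUPKEY and shows who touched the DPAPI backup key and when. It assumes the ActiveDirectory module, read access to the DCs' Security logs, and that Audit Directory Service Access is enabled with a SACL on the object, without which 4662 is never written; the 24h window is an assumption.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module, read
# access to each DC's Security log, and directory service access auditing
# enabled; the 24h window is an assumption.
Import-Module ActiveDirectory

function Get-DpapiBackupKeyAccess {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName,
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since } `
            -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Read the event fields by name instead of by position.
                $data = @{}
                ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
                if ($data['ObjectName'] -match 'BCKUPKEY') {
                    [pscustomobject]@{
                        DC         = $dc
                        Time       = $_.TimeCreated
                        Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                        ObjectName = $data['ObjectName']
                        AccessMask = $data['AccessMask']
                        Properties = ($data['Properties'] -replace '\s+', ' ').Trim()
                    }
                }
            }
    }
}

# Reads of the backup key are rare and almost never come from a user account.
Get-DpapiBackupKeyAccess | Sort-Object Time | Format-Table -AutoSize
```

Any subject other than the DCs themselves appearing in this list is worth an immediate look, because, as the checklist above shows, the key it reads is the one item a standard password reset never rotates.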
Conclusion

6/14/2024
Direction des Systèmes d'Information Groupe - CONFIDENTIAL

In Summary
Questions?

EMAIL: vincent.letoux@vinci.com
Twitter / X: @mysmartlogon
Recommended tool for AD audit: PingCastle