Lab: Lateral Movement – Step 11 – Abusing Domain Admin
Teamwork – Team DaMa
Description
In the last challenge, we were able to acquire the NTLM hash of the user ffast. If we check again in BloodHound, we see that this user is a member of the Domain Admins group and therefore has full control over the whole domain.
Questions to Answer
Q1:
What can we do with the hash retrieved from the domain controller using DCSync?
A1:
With DCSync and the retrieved hash it is possible to get the NTDS.dit.
Q2:
What happens “under-the-hood” when we perform a DCSync attack against the domain controller?
A2:
The DCSync tool requests a domain replication from the DC. In other words, the DCSync tool behaves like another domain controller. In the end, the DCSync tool has the NTDS.dit information.

Q3:
What kind of privileges are required to perform this attack?
A3:
The following rights are required:
- Replicating Directory Changes
- Replicating Directory Changes All
- Replicating Directory Changes In Filtered Set
Reference:
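The three replication rights listed above are exactly what a defender can watch for: when a directory object is accessed with one of these control-access rights, a domain controller with "Audit Directory Service Access" enabled logs Security event 4662 whose Properties field carries the right's GUID. The script below is an added example (not part of the lab or of any tool named here) that runs over a constructed, flattened sample of such events and flags replication requests coming from a non-computer account, which is how a DCSync by a user such as ffast stands out from the normal DC-to-DC replication; the event lines, host and user names are constructed for the example.

```python
import re

# Well-known control-access-right GUIDs for directory replication, i.e. the
# three "Replicating Directory Changes" rights, as they appear in event 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "Replicating Directory Changes In Filtered Set",
}

# Constructed sample events, one per line (hypothetical names). DC02$ is a
# domain controller's computer account; ffast and jdoe are user accounts.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC02$ SubjectDomainName=LAB ObjectType=domainDNS "
    "Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=ffast SubjectDomainName=LAB ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe SubjectDomainName=LAB ObjectType=user "
    "Properties={bf967a86-0de6-11d0-a285-00aa003049e2}",  # some unrelated property GUID
    "EventID=4624 SubjectUserName=ffast LogonType=3",      # not a 4662 event at all
]

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def parse_event(line):
    """Turn a flattened 'key=value' event line into a dict.

    Everything after 'Properties=' is kept verbatim, because that field can
    hold several brace-wrapped GUIDs separated by spaces.
    """
    head, sep, props = line.partition(" Properties=")
    fields = dict(re.findall(r"(\w+)=(\S+)", head))
    fields["Properties"] = props if sep else ""
    return fields


def find_dcsync_candidates(lines):
    """Return (user, [right names]) for 4662 events that exercise a replication
    right from an account that is not a computer account (name ending in '$').
    Computer accounts of other domain controllers are the expected source of
    replication traffic; a user account doing it is worth an alert."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = [REPLICATION_RIGHTS[g.lower()]
                  for g in GUID_RE.findall(ev["Properties"])
                  if g.lower() in REPLICATION_RIGHTS]
        if rights and not ev.get("SubjectUserName", "").endswith("$"):
            hits.append((ev["SubjectUserName"], rights))
    return hits
```

On a real DC the 4662 events are only generated when the "Audit Directory Service Access" subcategory is enabled and the domain object has a SACL for these rights; without that, the only trace of a DCSync is the replication traffic itself.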
Q4:
How can Mimikatz make the RDP client use Ffast’s credentials, without knowing the plaintext password?
A4:
Mimikatz starts mstsc.exe with the parameter /restrictedadmin to prevent authentication with username and password.

Mimikatz uses the NTLM hash of ffast to authenticate the mstsc process on the target system.
Q5:
Why was it still not possible to log in to the domain controller using RDP and the NTLM hash of Ffast?
A5:
If Restricted Admin Mode is enabled on the DC, then Mimikatz is able/allowed to perform the authentication with the NTLM hash only.
Q6:
How did we bypass this RDP security feature?
A6:
The RDP service performs a network logon to the remote device to ensure the user is allowed access, but it doesn't require any further input, because the NTLM hash that was created during the initial login can be used for authentication (if Restricted Admin Mode is enabled).
Reference:
Q7:
How could this bypass be prevented?
A7:
The option Restricted Admin Mode has advantages and disadvantages. It prevents credentials from being stored on the remote machine; on the other hand, it allows connecting to a remote system with the NT hash or Kerberos ticket of the user.
RDP Restricted Admin Mode builds upon Kerberos. Taking a look at the network traffic, one can see that the RDP client requests a ticket on behalf of the impersonated user, which is no problem since the hash is all we need to authenticate against Kerberos.

Reference:
Prevention/Best Practice:
If you follow basic security best practices, you shouldn’t need to use Restricted Admin Mode in most situations. Protect administrator credentials by starting with the following best practices:
- Domain administrator accounts should only be used to log in to domain controllers (DCs), and never for administering member servers, supporting end-users’ PCs or joining servers or workstations to the domain.
- Every device in your organization should be configured with a unique administrator username and password, for management purposes and remote support. This account should not be the built-in administrator account.
- All administrative tasks should be performed from dedicated, secure workstations.
- Log in with a standard user account.
Reference: