4 Active Directory Password Attacks and How to Protect Against Them

Active Directory Password Attacks

So far in our travels through Active Directory security, we have looked at attacks against permissions, credentials, and service accounts, and at many of the open-source toolkits available for getting hands-on exposure to these techniques. In each scenario, an attacker is trying to increase their privileges and reach sensitive information. Some techniques, like Pass-the-Hash and Golden Tickets, are designed to compromise accounts without ever learning the account's actual password. However, Active Directory can be compromised much more quickly if an attacker obtains the password of the account they are targeting; no forged tickets required. In many cases, Active Directory password attacks are easier than you think.

In a study released by Praetorian that analyzed 100 real-world penetration tests, the #1 attack vector was weak domain user passwords: sixty-six percent of the penetration tests used weak user passwords to compromise the environment.

The Verizon 2017 Data Breach Investigations Report supports this finding: 81 percent of hacking-related breaches leveraged stolen and/or weak passwords.

Why use complex exploits and low-and-slow privilege escalation techniques, when you can just use somebody’s actual password? It sounds easy—and, unfortunately, in most cases it is!

In this Active Directory Password Attacks series, we are going to look at some of the common techniques in which attackers can obtain your passwords and what you can do to protect against them. Here are some of the vulnerabilities that these attacks exploit.

Weak Passwords

Active Directory lets you enforce basic password age, length, history and complexity settings, but these alone are not nearly enough. The built-in complexity rule only checks that a password is at least six characters, draws from three of five character categories, and does not contain the user's account name or display name. It knows nothing about patterns, so a password like Winter2017 (uppercase, lowercase, digits, ten characters) passes every check while remaining one of the first guesses an attacker tries. The same goes for other common conventions, such as a company name plus the current year, that are easy to remember and easy to guess. Blocking these requires something the default policy does not provide, such as a custom password filter or a banned-password list. This leaves the door wide open for attackers to quickly compromise a handful of accounts with weak passwords, giving them a solid foothold in an attack.
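To make the gap concrete, here is an added example (not code from the original post) that implements the documented AD complexity rule beside a pattern check the policy does not perform. The season/month regex, the leet-speak normalisation and the banned-word list are assumptions chosen for illustration; the complexity logic follows Microsoft's published description of the "Password must meet complexity requirements" setting, with the minimum length assumed to be 8.

```python
import re
from typing import Optional

# Added example, not from the original post. The complexity function mirrors
# the documented AD rule; the pattern check is what that rule lacks.

MIN_LENGTH = 8  # assumed value of the domain's "Minimum password length" setting

SEASONS = "spring|summer|autumn|fall|winter"
MONTHS = ("january|february|march|april|may|june|july|august|"
          "september|october|november|december")

# Words an organisation would typically ban (assumed for the example).
DENYLIST = ("password", "welcome", "letmein", "changeme")
# Undo common substitutions before the denylist check, so P@ssw0rd -> password.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})

_WEAK_PATTERNS = [
    ("season or month followed by a year",
     re.compile(rf"^(?:{SEASONS}|{MONTHS})\d{{2,4}}[!@#$%^&*.]*$", re.I)),
    ("keyboard walk", re.compile(r"^(?:qwerty|asdf|zxcv|1234|abcd)", re.I)),
    ("single word plus digits", re.compile(r"^[A-Za-z]{3,}\d{1,4}[!@#$%^&*.]?$")),
]


def meets_complexity(password: str, sam_account_name: str, display_name: str) -> bool:
    """True if `password` satisfies AD's complexity rule (and MIN_LENGTH).

    Documented rule: at least six characters; characters from at least three
    of five categories (upper, lower, digit, non-alphanumeric, other alphabetic
    such as CJK); must not contain the samAccountName (when 3+ chars) or any
    3+ character token of the display name, compared case-insensitively.
    """
    if len(password) < max(6, MIN_LENGTH):
        return False
    lowered = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    # Display-name tokens are split on commas, periods, dashes, underscores,
    # spaces, pound signs and tabs, as the documentation describes.
    for token in re.split(r"[,.\-_ #\t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    )
    return sum(categories) >= 3


def weak_pattern(password: str) -> Optional[str]:
    """Return why `password` is guessable even though complexity accepts it, or None."""
    normalised = password.lower().translate(LEET)
    for word in DENYLIST:
        if word in normalised:
            return f"contains banned word '{word}'"
    for reason, pattern in _WEAK_PATTERNS:
        if pattern.search(password):
            return reason
    return None


def evaluate(password: str, sam_account_name: str, display_name: str) -> dict:
    """Combine both checks; a password is only acceptable if it passes both."""
    return {
        "meets_complexity": meets_complexity(password, sam_account_name, display_name),
        "weak_pattern": weak_pattern(password),
    }


if __name__ == "__main__":
    # Constructed sample account and candidate passwords.
    for pw in ("Winter2017", "Winter2017!", "P@ssw0rd", "jsmith2017", "Tr0ub4dor&3"):
        print(f"{pw:14} {evaluate(pw, 'jsmith', 'John Smith')}")
```

Winter2017 and P@ssw0rd both pass `meets_complexity` and are rejected only by `weak_pattern`; that second check is the part a custom password filter or banned-password list has to supply.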

Password Reuse

Most users re-use a password across multiple sites. When a site is breached, attackers gain access to usernames, email addresses and their associated passwords. Users often register with their work email, which makes it easy to associate the leaked account with an Active Directory user account. With breaches at Yahoo, LinkedIn, and Twitter exposing over 3 billion accounts between them, it is safe to assume that a large share of every company's AD users have been exposed. If your users are reusing passwords, and you should assume they are, your work passwords could be easier to attack than you think.

Beyond users reusing their social-media password for AD, many companies also reuse passwords across multiple AD accounts (for example service accounts, or the local Administrator account on every workstation). All it takes is one account to be compromised for an attacker to quickly take over the rest. Reuse is also easy for an attacker to spot: the NT hash is unsalted, so two accounts with the same password have identical hashes, and cracking one of them cracks all of them. The same property lets a defender detect reuse in a hash dump without knowing any of the passwords.

Plain Text Password Extraction

We have looked at ways to use tools like Mimikatz to extract credential artifacts from memory on Windows, but we focused on NTLM hashes and Kerberos tickets. There are also ways to extract plain text passwords just as easily: when the WDigest security provider caches logon credentials, LSASS holds the clear-text password of every logged-on user, and Mimikatz reads it straight out of memory. This approach requires no guessing and is effective against even very long and complex passwords. Caching is off by default on Windows 8.1 and Server 2012 R2 and later, and can be turned off on older systems after installing KB2871997, by setting the DWORD UseLogonCredential to 0 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. Keep in mind that an attacker who already has local administrator rights can set it back to 1 and collect passwords from the next logon, so that registry value is worth monitoring as well as setting.

How to Protect Yourself from Password Attacks

Traditionally, companies have turned to multifactor authentication and privileged access management solutions to secure their user passwords, but these alone are not enough. There is a reason Microsoft rated multifactor authentication as only minimally effective against Pass-the-Hash attacks: the hash or ticket an attacker replays is created after the user has already completed the second factor, so the extra factor never comes into play. In this series, we will go deeper into password security and show additional mitigations to keep your users and their passwords safe. Here's the lineup:
