In our last post, we learned about password spraying and how effective this can be to compromise AD accounts with weak and commonly used passwords. Now let’s take a look at how an attacker could take this approach and put it into practice to compromise your domain. For that, we are going to use BloodHound, a very useful open-source application for penetration testing AD security and planning attack paths to compromise high value accounts. We’ve covered BloodHound in our permission attack series and AD attacks series, but today we’re going to look at a fork of BloodHound created by Tom Porter called BloodHound-Owned.
BloodHound-Owned brings new features to BloodHound which we can use as part of our attack against weak AD passwords. Some of the features we will take advantage of include:
- Password Reuse – BloodHound-Owned adds the ability to track shared passwords across AD user accounts and local Administrator passwords on computer accounts.
- Tracking Compromised Accounts – You can now track an account or other AD objects as “owned” so you know which accounts you’ve compromised. This gives visual indications of which accounts you have found the passwords for, and offers other practical applications like planning attack paths from the accounts you have already compromised.
With that in mind, let’s look at an attack scenario where we attack AD accounts with password spraying, like we did with CrackMapExec in our last post.
Step 1 – Password Spray
During the password spraying attack we will hope to compromise one or more accounts by guessing their passwords, all without triggering the AD lockout policy on any accounts. Once successful, we can import the compromised passwords into BloodHound-Owned using the provided Ruby script.
Where wave1.txt contains a list of compromised accounts with a description of how they were compromised. You can see the results of this command below, including some useful information about what additional accounts we now have access to as a result of this compromise.
We can now visualize these compromised accounts and relationships within BloodHound-Owned to start planning our attack path. BloodHound-Owned adds several new queries to BloodHound to make this easy such as Show Wave and Show Owned Nodes.
Step 2 – Looking for Password Reuse
Okay, so now we’ve compromised a couple of accounts with password spraying, but we haven’t compromised the domain yet, so let’s keep going. Let’s see if any of the accounts we’ve compromised share passwords with other accounts in AD. To do that we are going to import the DSInternals output we looked at in the last post.
By issuing this command we can import them into BloodHound-Owned:
Where SharedPasswords.txt contains the DSInternals output for a group of accounts that share a password. After issuing that command you can see that the relationships are created.
Once imported, we can visualize these shared passwords with BloodHound-Owned using the Find Clusters of Password Reuse query.
And we can see that our compromised account is shown on the left, so we know it shares a password with all of the other accounts.
Step 3 – Own the Shared Password Accounts
Now that we know about the shared passwords, we will consider those accounts owned. The following command will mark them as owned nodes in BloodHound-Owned.
Once imported as owned, we can see that in my environment this gives us access to 90 additional nodes.
We can now visualize our new attack path with this second wave of compromised accounts. By using the Find Shortest Path from owned node to Domain Admins query, we can also see that we now have an attack path which leads to a compromise of the entire domain!
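To make the wave logic of Steps 1 to 3 concrete from the defender's side, here is an added Python example (not from the original post and not BloodHound-Owned's own code) that takes a constructed list of spray-compromised accounts and constructed shared-password clusters, expands them transitively into the set of accounts that must be treated as owned and reset, and flags any that sit in a privileged group. The file formats, account names and group membership are assumptions, not the real wave1.txt or SharedPasswords.txt layouts.

```python
# Scope a password-spray incident the way BloodHound-Owned's wave import does:
# wave 1 = accounts known to be compromised; follow shared-password clusters to
# get wave 2 = every account that must now be treated as owned and reset.
# All data and line formats below are constructed/assumed, not the real files.
from collections import deque

WAVE1 = """\
CORP\\jsmith,password spray (Summer2018)
CORP\\kbrown,password spray (Summer2018)
"""  # constructed: account,reason (assumed wave1.txt format)

SHARED = """\
CORP\\jsmith;CORP\\svc_backup;CORP\\tlee
CORP\\svc_backup;CORP\\adm_tlee
CORP\\rdoe;CORP\\mwong
"""  # constructed: one cluster per line, ';'-separated (stands in for DSInternals output)

DOMAIN_ADMINS = {"CORP\\adm_tlee", "CORP\\admin01"}  # constructed group membership

def parse_wave(text):
    """Return {account: reason} from 'account,reason' lines."""
    owned = {}
    for line in text.splitlines():
        if line.strip():
            acct, _, reason = line.partition(",")
            owned[acct.strip()] = reason.strip()
    return owned

def parse_clusters(text):
    """Undirected SharesPasswordWith graph: {account: set(peers)}."""
    graph = {}
    for line in text.splitlines():
        members = [m.strip() for m in line.split(";") if m.strip()]
        for m in members:
            graph.setdefault(m, set()).update(x for x in members if x != m)
    return graph

def expand_owned(owned, graph):
    """BFS: any account sharing a password with an owned one is owned too.
    Clusters chain (jsmith -> svc_backup -> adm_tlee), so one hop is not enough."""
    result, queue = dict(owned), deque(owned)
    while queue:
        acct = queue.popleft()
        for peer in graph.get(acct, ()):
            if peer not in result:
                result[peer] = f"shares password with {acct}"
                queue.append(peer)
    return result

def privileged_exposure(owned, admins=DOMAIN_ADMINS):
    """Owned accounts that sit in the privileged group: reset these first."""
    return sorted(set(owned) & admins)
```

Running `expand_owned(parse_wave(WAVE1), parse_clusters(SHARED))` on the constructed data pulls svc_backup, tlee and adm_tlee into scope while rdoe and mwong stay out, and `privileged_exposure` reports adm_tlee as the account to reset first.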
So now we can see how an attacker can take concepts like password spraying and other attacks against passwords and build them into an attack plan. In our next post, we will look deeper at risks associated with local account passwords.
Blog posts in the series:
- Post #1 – Compromising Plain Text Passwords
- Post #2 – Finding Weak Passwords
- Post #3 – Attacking Weak Passwords
- Post #4 – Attacking Local Account Passwords
Jeff Warren is Stealthbits’ General Manager, Products. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product, and project management, Jeff and his teams are responsible for designing and delivering Stealthbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.