Attacking Weak Passwords in Active Directory

In our last post, we learned about password spraying and how effective it can be at compromising AD accounts with weak and commonly used passwords. Now let’s look at how an attacker could put this approach into practice to compromise your domain. For that, we are going to use BloodHound, a very useful open-source application for penetration testing AD security and planning attack paths to compromise high value accounts. We’ve covered BloodHound in our permission attack series and AD attacks series, but today we’re going to look at a fork of BloodHound created by Tom Porter called BloodHound-Owned.

BloodHound-Owned adds new features to BloodHound that we can use as part of our attack against weak AD passwords. The features we will take advantage of include:

  • Password Reuse – BloodHound-Owned adds the ability to track shared passwords across AD user accounts and local Administrator passwords on computer accounts.
  • Tracking Compromised Accounts – You can now mark an account or other AD object as “owned” so you know which accounts you’ve compromised. This gives a visual indication of which accounts you have found the passwords for, and has other practical applications such as planning attack paths from the accounts you have already compromised.

With that in mind, let’s look at an attack scenario where we attack AD accounts with password spraying, like we did with CrackMapExec in our last post.

Step 1 – Password Spray

During the password spraying attack we hope to compromise one or more accounts by guessing their passwords, all without triggering the AD lockout policy on any account. Once successful, we can import the compromised accounts into BloodHound-Owned using the provided Ruby script.

ruby .\bh-owned.rb -a .\wave1.txt

Here wave1.txt contains a list of compromised accounts, each with a description of how it was compromised. You can see the results of this command below, including some useful information about which additional accounts we now have access to as a result of this compromise.

Importing compromised accounts into BloodHound-Owned

We can now visualize these compromised accounts and their relationships within BloodHound-Owned to start planning our attack path. BloodHound-Owned adds several new queries to BloodHound to make this easy, such as Show Wave and Show Owned Nodes.

Viewing Wave of Owned accounts in BloodHound-Owned

Step 2 – Looking for Password Reuse

Okay, so now we’ve compromised a couple of accounts with password spraying, but we haven’t compromised the domain yet, so let’s keep going. Let’s see if any of the accounts we’ve compromised share passwords with other accounts in AD. To do that we are going to import the DSInternals output we looked at in the last post.

This command imports it into BloodHound-Owned:

ruby .\bh-owned.rb -s .\SharedPasswords.txt

Here SharedPasswords.txt is the output listing groups of accounts with shared passwords. After issuing that command you can see the relationships are created.

Importing shared passwords with BloodHound-Owned

Once imported, we can visualize these shared passwords with BloodHound-Owned using the Find Clusters of Password Reuse query.

Viewing shared passwords in BloodHound-Owned

And we can see that our compromised account is shown on the left, so we know it shares a password with all of the other accounts.

Step 3 – Own the Shared Password Accounts

Now that we know about the shared passwords, we will consider those accounts owned.  The following command will mark them as owned nodes in BloodHound-Owned.

ruby .\bh-owned.rb -a .\SharedPasswords.txt

Once these are imported as owned, we can see that in my environment this gives us access to 90 additional nodes.

Importing shared password accounts with BloodHound-Owned
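Steps 2 and 3 together are a small piece of set logic: group accounts by password hash to find reuse clusters, then extend the owned set to every account whose hash matches an owned one. The block below is an added example, not code from this post, from BloodHound-Owned or from DSInternals; it works the way DSInternals does, by comparing NT hashes rather than recovering passwords, but the account names and hash values are constructed placeholders, not real hashes, and the function names are my own.

```python
"""Added example (not from the original post, BloodHound-Owned or DSInternals):
find clusters of accounts sharing a password hash and expand an "owned" set
through that reuse, which is what Steps 2 and 3 do with SharedPasswords.txt.

Reuse is found by comparing NT hashes, never by recovering passwords, so the
hashes here are constructed placeholder strings, not real hash values."""
from collections import defaultdict

# Constructed account -> NT hash map covering domain users and the local
# Administrator account on two workstations (placeholder hashes, not real).
ACCOUNT_HASHES = {
    "jsmith":               "nthash-A",
    "mjones":               "nthash-A",
    "svc_backup":           "nthash-A",
    "rlee":                 "nthash-B",
    "akhan":                "nthash-C",
    "tbrown":               "nthash-C",
    "WKS01\\Administrator": "nthash-C",   # local admin shares a domain user's password
    "WKS02\\Administrator": "nthash-C",
    "da_admin":             "nthash-D",
}


def password_reuse_clusters(account_hashes, min_size=2):
    """Group accounts by hash and return clusters of at least `min_size`
    members, largest first: the 'Find Clusters of Password Reuse' result."""
    by_hash = defaultdict(set)
    for account, nthash in account_hashes.items():
        by_hash[nthash].add(account)
    clusters = [sorted(members) for members in by_hash.values() if len(members) >= min_size]
    return sorted(clusters, key=lambda c: (-len(c), c[0]))


def newly_exposed(owned, account_hashes):
    """Accounts not yet owned whose hash matches an owned account's hash:
    the accounts Step 3 marks as owned in the next wave."""
    owned = set(owned)
    owned_hashes = {account_hashes[a] for a in owned if a in account_hashes}
    return sorted(a for a, h in account_hashes.items()
                  if h in owned_hashes and a not in owned)


def expand_owned(owned, account_hashes):
    """The full owned set after one round of reuse expansion."""
    return sorted(set(owned) | set(newly_exposed(owned, account_hashes)))


if __name__ == "__main__":
    for cluster in password_reuse_clusters(ACCOUNT_HASHES):
        print("shared password:", ", ".join(cluster))
    first_wave = ["jsmith"]
    print("exposed by reuse:", newly_exposed(first_wave, ACCOUNT_HASHES))
    print("owned after wave 2:", expand_owned(first_wave, ACCOUNT_HASHES))
```

The same clustering run by a defender over a DSInternals export is the audit that catches this before an attacker does: every cluster that mixes a privileged account, a service account or a local Administrator with ordinary user accounts is a password reset waiting to happen.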

We can now visualize our new attack path with this second wave of compromised accounts. By using the Find Shortest Path from owned node to Domain Admins query, we can also see that we now have an attack path which leads to compromise of the entire domain!

Find Shortest Path from owned node to Domain Admin
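The Find Shortest Path from owned node to Domain Admins query is a multi-source breadth-first search over the relationship graph. The block below is an added example, not code from this post or from BloodHound, that runs that search over a small constructed graph and then checks whether a proposed fix (clearing a Domain Admin's workstation session) actually closes every path from the owned set rather than only the one on screen. Relationship names follow BloodHound's MemberOf, AdminTo and HasSession; the nodes, edges and function names are assumptions made for the example.

```python
"""Added example (not from the original post or BloodHound): a shortest path
from any owned node to Domain Admins over a small constructed graph, plus a
check that a proposed remediation closes every such path.

Relationship names follow BloodHound (MemberOf, AdminTo, HasSession); the
nodes and edges are constructed, not data from the post's environment."""
from collections import defaultdict, deque

# Constructed graph: (source, relationship, destination).
EDGES = [
    ("jsmith",   "MemberOf",   "Helpdesk"),
    ("Helpdesk", "AdminTo",    "WKS01"),
    ("WKS01",    "HasSession", "da_admin"),      # a Domain Admin logged on to a workstation
    ("mjones",   "MemberOf",   "Finance"),
    ("Finance",  "AdminTo",    "FS01"),
    ("FS01",     "HasSession", "da_admin"),      # and on to a file server
    ("da_admin", "MemberOf",   "Domain Admins"),
    ("rlee",     "MemberOf",   "Domain Users"),  # dead end
]


def shortest_path(edges, owned, target="Domain Admins"):
    """Breadth-first search from all owned nodes at once; returns the edge
    list of one shortest path to `target`, or None if nothing owned reaches it."""
    adjacency = defaultdict(list)
    for src, rel, dst in edges:
        adjacency[src].append((rel, dst))
    previous = {node: None for node in owned}   # node -> (predecessor, relationship)
    queue = deque(owned)
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while previous[node] is not None:
                src, rel = previous[node]
                path.append((src, rel, node))
                node = src
            return path[::-1]
        for rel, dst in adjacency[node]:
            if dst not in previous:
                previous[dst] = (node, rel)
                queue.append(dst)
    return None


def fix_closes_all_paths(edges, owned, removed, target="Domain Admins"):
    """True if deleting the edges in `removed` leaves no path from any owned
    node to `target`; use it to confirm a remediation before calling it done."""
    gone = set(removed)
    remaining = [e for e in edges if e not in gone]
    return shortest_path(remaining, owned, target) is None


if __name__ == "__main__":
    owned = ["jsmith", "mjones"]
    for src, rel, dst in shortest_path(EDGES, owned):
        print(f"{src} -[{rel}]-> {dst}")
    one_fix = [("WKS01", "HasSession", "da_admin")]
    both_fixes = one_fix + [("FS01", "HasSession", "da_admin")]
    print("clearing the WKS01 session alone closes the path:", fix_closes_all_paths(EDGES, owned, one_fix))
    print("clearing both sessions closes the path:", fix_closes_all_paths(EDGES, owned, both_fixes))
```

The point of the second function is the one the screenshot hides: the displayed path is only the shortest one, and the second wave of owned accounts usually brings parallel paths with it, so a fix has to be tested against the whole owned set, not against the single path that was drawn.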

So now we can see how an attacker can take concepts like password spraying and other attacks against passwords and build them into an attack plan.  In our next post, we will look deeper at risks associated with local account passwords.

Jeff Warren is STEALTHbits’ Vice President of Product Management. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.

With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering STEALTHbits’ high quality, innovative solutions.

Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.