Credential Dumping – Active Directory Reversible Encryption
Introduction
According to MITRE, an adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default, this property is disabled (instead of storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software requires it.
- MITRE TACTIC: Credential Dumping (ID: TA0006)
- MITRE Technique Modify Authentication Process (T1556)
- MITRE SUB ID: Reversible Encryption (T1556.005)
In Domain Controller user account reversible encryption is enabled, which means the encrypted data can be reversed back to the user’s password. The password stored with a reversible encryption policy is not a hash since a function can be called to get back to the original clear-text password.
Do you know?
As per Microsoft: If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet Information Services (IIS) also requires that you enable this policy setting.
Table of Content
- Lab Setup
- DC-Sync Attack-Dump Plain text Password
- Mitigation
- Conclusion
Lab Setup
Enabling Reversible encryption in Active Directory Users
There are multiple methods to enable Reversible encryption property:
- User Account Property
Enable the Reversible encryption by modifying the account property for the Domain User account.
Powershell Command
set-ADUser – AllowReversiblePasswordEncryption $true
Group Policy Management
Enable the store password using reversible encryption with Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\
Validate the property through User’s property-Attribute Editor for UserAccountControl.
NOTE: Now if the system Administrator reset the password for the user account, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled.
Enumeration
PowerShell Command to find user enabled with allow reversible password encryption.
Get-ADUser -Filter {AllowReversiblePasswordEncryption -eq "true"} | Select Name, sAMAccountName
Attack: DC-Sync
In our Previous article, we described the DCsync attack, read more from here. You can download the DC Sync Script tool here.
Commands to execute in the domain controller to check the user’s clear text password.
powershell.exe -ep bypass Import-Module .\Invoke-DCSync.ps1 Invoke-DCSync -AllData
DCSync shows the clear-text password of the target user.
Mitigation
- Ensure that Allow Reversible Password Encryption property is set to disabled.
- Group policy store password using reversible encryption is set to disable.
Conclusion
In this article, we were able to decrypt the password of active directory user accounts. This article can serve as a reference for Red Team activists for Credential Dumping – Active Directory Plain Text Password.
Author: Faisal Khan security analyst and expert in infrastructure Security Contact him on LinkedIn