The basics - Part 1
Notes from TryHackMe Room - Active Directory Basics
Active Directory accounts
Machine accounts --> represent a machine in the domain (recognizable by the $ at the end of the name).
Service accounts --> used to run a service.
User accounts --> regular users such as employees.
Vocabulary
Delegation: Granting a user some permissions over an object or an OU.
Security groups vs Organizational Units
Organizational Units exist to apply policies, while security groups exist to grant users permissions and access over resources.
Users can be members of only one Organizational Unit, but of multiple security groups.
Authentication methods
Two main authentication mechanisms are used within Windows domains. The TryHackMe room explains both of them very clearly.
Kerberos
This authentication method is used by default on recent Windows Server versions.
Step 1: Requesting the Ticket Granting Ticket (TGT)
The first step of Kerberos authentication is to authenticate to the Key Distribution Center (KDC) in order to request a TGT, by sending the KDC our username and a timestamp encrypted with a key derived from the user's password hash. This TGT will later allow us to request Ticket Granting Service (TGS) tickets, which are the tickets users present to access services. The TGT returned by the KDC is encrypted with the krbtgt hash. A session key, encrypted with the user's hash, is also returned by the KDC.
The TGT acts like our identity card and allows the user to request TGS tickets to access services over the network.
Step 2: Requesting a Ticket Granting Service (TGS)
Now that the user has the TGT in hand, they have to request a TGS to access a specific service. In order to do so, the user needs to provide the KDC with the following:
A combination of the username and a timestamp encrypted with the session key obtained earlier from the KDC.
The Ticket Granting Ticket.
The Service Principal Name (SPN), which is used to identify the server hosting the service we want to access.
The KDC responds with:
The TGS, containing a copy of the SVC session key, encrypted using a key derived from the service owner's hash.
A service (SVC) session key.
Step 3: Accessing the service
Having the TGS in hand, the user can access the targeted service by providing the server with their username and a timestamp encrypted with the SVC session key, along with the TGS. The server uses its own hash to decrypt the TGS presented by the user and grants access to the requested service.
NetNTLMv1/v2 Authentication protocols
While old Windows systems used the NetNTLMv1 authentication protocol by default, recent Windows systems use the more secure NetNTLMv2 protocol. Both NetNTLMv1 and NetNTLMv2 are challenge/response protocols. The main differences between the two versions are the length of the challenge sent by the server and the way the client encrypts that challenge. The Net-NTLM protocol is used to authenticate to many internal services, but can also be used on internet-facing applications or Remote Desktop Protocol interfaces.
The NTLM authentication mechanism is based on a challenge and a response exchanged between the parties. This way, the user's password never leaves the client system.
The authentication process starts when the client sends an authentication request to the server.
The server returns a challenge (a nonce) to the client.
The client uses its own NTLM hash to encrypt the challenge sent by the server, producing an encrypted response that is returned to the server.
The server sends the Domain Controller the challenge (that was sent to the client) and the encrypted response (returned by the client).
The Domain Controller recalculates the response using the client's NTLM hash stored in the NTDS.dit database and the challenge received. If the recalculated response matches the response received, the user is successfully authenticated.
NT Hash vs NetNTLMv1 vs NetNTLMv2
Note that the NTLM hash, or NT hash, should not be confused with the NetNTLMv1 or NetNTLMv2 hashes, which are the hashes generated when a user tries to authenticate with the NetNTLM protocol.
NTLM Hash/ NT Hash
The NTLM hash, also referred to as the NT hash, is the way passwords are stored on Windows systems. NT hashes are stored locally in the SAM database, or in the NTDS.dit database in an Active Directory domain.
NT hashes can be used to pass the hash
NT hashes can be cracked
NT hashes can be obtained using Mimikatz
Here is the anatomy of an NT Hash:
As seen above, the first part of the NT hash as dumped is the LM part. Before Windows Vista/Windows Server 2008, LM was the way passwords were stored, but it was deemed insecure and has been replaced by the NT hash. When the LM part is empty, the first part of the dumped hash is the string 'aad3b435b51404eeaad3b435b51404ee', meaning "no password". Simply put, this means that no LM hash exists for that user.
Net-NTLMv1
Net-NTLMv1 is an authentication protocol deemed insecure. It was the authentication protocol enabled by default on old Windows systems. When a user authenticates to a server, a Net-NTLMv1 hash is generated. The security issue with Net-NTLMv1 lies in the fact that the hash is easy to crack, since the client uses the weak DES algorithm to encrypt the challenge. Knowing the challenge and the computed value of that challenge, we can retrieve the NT hash and then the clear-text password.
The format of the NTLMv1 Hash is as below:
Net-NTLMv2
Net-NTLMv2 is the more secure version of its predecessor. The challenge/response workflow is pretty much the same. However, Net-NTLMv2 is more secure because of its use of the HMAC-MD5 algorithm. Moreover, information such as the username, the domain name and a timestamp is added when the client computes the response from the challenge.
Example of a Net-NTLMv2 hash:
NetNTLMv1/v2 hashes:
cannot be used to perform pass-the-hash attacks
can be cracked using Hashcat
can be obtained using tools such as Responder
Unlike Net-NTLMv1, Net-NTLMv2 cannot be relayed offline, but can be relayed online.
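The NetNTLM challenge/response steps above and the NT hash vs Net-NTLMv2 distinction, as an added Python example (not code from the TryHackMe room or these notes): it derives the static NT hash that SAM/NTDS.dit store, computes a Net-NTLMv2 response bound to a server challenge, username, domain and timestamp, and shows the DC-side recomputation. A pure-Python MD4 is included because hashlib's md4 is often disabled; the user, domain, password, challenge, timestamp and nonce values are constructed.

```python
import hashlib, hmac, struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    rl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = [(f, 0, list(range(16)), (3, 7, 11, 19)),
              (g, 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
              (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15))]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a, b, c, d = d, rl((a + fn(b, c, d) + x[j] + k) & 0xFFFFFFFF, shifts[i % 4]), b, c
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this static value is what SAM/NTDS.dit store."""
    return md4(password.encode("utf-16-le"))

def ntlmv2_response(nthash, user, domain, server_challenge, blob):
    """Net-NTLMv2: key = HMAC-MD5(NT hash, upper(user)+domain); NTProofStr = HMAC-MD5(key, challenge||blob)."""
    key = hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()

def make_blob(timestamp: int, client_nonce: bytes, target_info: bytes = b"\x00" * 4) -> bytes:
    """Client blob: type 0x0101, reserved, FILETIME timestamp, client nonce, reserved, AV pairs, reserved."""
    return b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4

def dc_verify(stored_nthash, user, domain, server_challenge, blob, nt_proof) -> bool:
    # Step 5 on the page: the DC recomputes the response from its stored NT hash and compares.
    return hmac.compare_digest(ntlmv2_response(stored_nthash, user, domain, server_challenge, blob), nt_proof)

def responder_line(user, domain, server_challenge, nt_proof, blob) -> str:
    """Net-NTLMv2 as Responder records it for Hashcat mode 5600: user::domain:challenge:NTProofStr:blob."""
    return f"{user}::{domain}:{server_challenge.hex()}:{nt_proof.hex()}:{blob.hex()}"

if __name__ == "__main__":
    # Constructed demo values: user, domain, password, challenge, timestamp and nonce are all made up.
    user, domain, nthash = "alice", "CORP", nt_hash("password")
    challenge, blob = bytes.fromhex("0123456789abcdef"), make_blob(132000000000000000, b"\xaa" * 8)
    proof = ntlmv2_response(nthash, user, domain, challenge, blob)
    print("NT hash:", nthash.hex(), "| Net-NTLMv2:", responder_line(user, domain, challenge, proof, blob))
```

The NT hash is the same on every run (hence pass-the-hash), while the Net-NTLMv2 value changes with every challenge and timestamp, which is why it can only be cracked or relayed, not reused as a credential.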
Resources:
Byt3bl33d3r. 2017. NTLM vs. NTLMv1/v2 vs. Net-NTLMv1/v2.
Crosser, Adam. 2022. NTLMv1 vs NTLMv2: Digging into an NTLM Downgrade Attack.
Gombos, Péter. 2018. LM, NTLM, Net-NTLMv2, oh my!