Advanced Active Directory attacks: Simulating domain controller behavior

There was a time when cyberattacks on identity and authentication infrastructures [like Active Directory (AD)] were immensely challenging to perform. A lot of forethought had to be put into devising a plan for the careful execution of attacks, and advanced technical knowledge of domains and networks was a requisite. Over time, with the advent of open-source pen testing tools, the knowledge gap and the complexities involved to carry out a full-scale cyberattack have narrowed drastically.

AD attacks: Understanding the intent

The objective of AD attacks, or attacks on any identity administration infrastructure, is pretty simple: to gain the highest access in the shortest time possible. Regardless of the source of the attack or the point of intrusion, attackers are always looking to escalate privileges. And the highest level of access in AD is access to a domain controller (DC), because then attackers gain instant administrative access to every critical resource in the network. 

AD attack kill chain 

AD attacks are performed in multiple phases; attackers typically infect an end-user workstation (since they have less stringent security controls), scan the domain for vulnerabilities or misconfigured permissions, and exploit them to move laterally and gain access to a server higher up in the network hierarchy, like a business-critical file server or a DC.

But what if we told you that an attacker could impersonate the role of a DC and stealthily extract sensitive domain information?

Replication between DCs in AD 

An organization’s IT infrastructure often needs more than one DC for their AD. To keep information between the DCs consistent, the AD objects must be replicated through those DCs.

Most of the replication-related tasks are specified on the Microsoft Directory Replication Service Remote Protocol (MS-DRSR). The Microsoft API that implements the protocol is called DRSUAPI.

DSGetNCChanges function:

The client DC sends a DSGetNCChanges request when it wants to get AD object updates from the second DC. The response contains a set of updates from the second DC that the client DC has to apply to the NC replica (a structure that stores replication information).

Let’s see how attackers take advantage of the replication function in AD, which cannot be turned off or disabled.

 Exploiting replication privileges to access sensitive domain data 

Offensive open-source tools can utilize specific commands within MS-DRSR to simulate the behavior of a DC and fetch domain user password hashes.

 Such attacks are known as post-exploitation attacks, because attackers need access to a user account that has replication privileges in AD. Administrators, Domain Admins, and Enterprise Admins generally have the rights required. But more specifically, the following rights are required:

Once the access is acquired, the steps to perform the attack are fairly straightforward.

• The attacker discovers a DC to request replication.

• • A simple one-line command, such as NLTEST  /dclist:[ Domainname], can help determine DC names, including details such as the Primary DC and the DCs’ site names.

• Replication changes are requested using the GetNCChanges function.

• The DC returns the replication data, including password hashes, to the requester.

Check out this short video to see how the attack is executed.