
DCShadow Attack

On January 24, 2018, Benjamin Delpy (author of Mimikatz) and Vincent Le Toux unveiled a new attack technique against Active Directory domains, called DCShadow, at the BlueHat IL conference.

With domain administrator privileges, an attacker can create a fake domain controller and push prepared objects or object attributes into the running domain controllers.

DCSync copies data out of a domain controller; DCShadow copies data into the domain controller.

Luc Delsalle verified and described this technique in detail, and discussed its weaknesses and the countermeasures against it from both the red-team and the blue-team perspective.

Judging from the functionality DCShadow currently exposes, it can only serve as a covert backdoor in red-versus-blue exercises. But DCShadow is the first to clarify and implement the minimal set of requirements for faking a DC, which is a major contribution. Many earlier attack methods were stuck because they could not forge a domain controller, for example MS15-011 and MS15-014. With the foundation laid by DCShadow, I believe many new attack methods will appear in the future.

Process

According to Luc Delsalle's description, a DCShadow attack consists of 3 main steps:

1. Register a forged DC in the Active Directory of the target domain;

2. Have the forged DC recognized by the other DCs so that it can participate in domain replication;

3. Force replication to be triggered, so that the specified new object or modified object attributes are synchronized to the other DCs.

Registering a Forged DC

For a machine to register as a DC in the domain, an object of class nTDSDSA (NTDS-DSA) must be registered in the domain's Active Directory. The registration location is CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=adsec,DC=com


The adsec.com domain has 3 domain controllers, namely LABDC01, RESDC01 and WIN2016-DC01. The one marked in red is the DC of our lab environment. The machine we test from is Win7X86cn04. If the test succeeds, a new nTDSDSA (NTDS-DSA) object will be created.


Look at the security descriptor of CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=adsec,DC=com: write permission on it requires domain administrator privileges.

Therefore, launching a DCShadow attack requires domain administrator permissions. In the lab, however, we can cheat a little to make things easier: for example, if full control is granted to an ordinary user, that ordinary user can modify the container as well.


DCShadow source code (screenshot):

The Registered DC Is Recognized by Other DCs and Can Participate in Domain Replication

For a newly registered DC to be recognized by the other DCs in the domain and to participate in domain replication, the following must be satisfied:

1. The forged DC has credentials and can authenticate to the domain, that is, it has an account in the domain; a machine account can be used. In the lab environment this is WIN7X86CN04$;

2. The forged DC's account can be authenticated and accessed by the other DCs. This is achieved by adding SPNs to WIN7X86CN04$. The key question is which SPNs need to be added. One of the major contributions of DCShadow is finding the minimal set of SPNs, which requires only 2: the DRS service (GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) and the GC (Global Catalog) service.


3. When running the DRS service, at least four RPC interfaces must be implemented: IDL_DRSBind, IDL_DRSUnbind, IDL_DRSGetNCChanges and IDL_DRSUpdateRefs, so that the other DCs can fetch the data to be replicated over RPC. The latest version of Mimikatz has integrated these 4 interfaces.
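As an added example (not from the original post and not Mimikatz code), the Python script below turns the two registration artifacts described in this section into defender-side checks: it scans a constructed in-memory snapshot of directory objects for computer accounts that advertise the DRS SPN GUID together with a GC SPN without being a genuine DC, and for nTDSDSA objects under the Servers container whose server is not a genuine DC. Attribute names follow the AD schema; the domain, machine names and SPN instance GUIDs in the snapshot are assumed sample values.

```python
import re

# DRS service class GUID from the post; it is one half of the minimal SPN pair.
DRS_SPN_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"
SERVERS_DN = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=adsec,DC=com"
UF_SERVER_TRUST_ACCOUNT = 0x2000  # userAccountControl bit set on genuine DC machine accounts

# Constructed snapshot (not real export data): one genuine DC, the lab workstation
# with the DCShadow SPN pair added, and the nTDSDSA object registered for each.
SNAPSHOT = [
    {"dn": "CN=LABDC01,OU=Domain Controllers,DC=adsec,DC=com", "objectClass": ["computer"],
     "sAMAccountName": "LABDC01$", "userAccountControl": 0x82000,
     "servicePrincipalName": [DRS_SPN_GUID + "/11111111-2222-3333-4444-555555555555/adsec.com",
                              "GC/LABDC01.adsec.com/adsec.com", "HOST/LABDC01"]},
    {"dn": "CN=WIN7X86CN04,CN=Computers,DC=adsec,DC=com", "objectClass": ["computer"],
     "sAMAccountName": "WIN7X86CN04$", "userAccountControl": 0x1000,
     "servicePrincipalName": [DRS_SPN_GUID + "/66666666-7777-8888-9999-000000000000/adsec.com",
                              "GC/WIN7X86CN04.adsec.com/adsec.com", "HOST/WIN7X86CN04"]},
    {"dn": "CN=NTDS Settings,CN=LABDC01," + SERVERS_DN, "objectClass": ["nTDSDSA"]},
    {"dn": "CN=NTDS Settings,CN=WIN7X86CN04," + SERVERS_DN, "objectClass": ["nTDSDSA"]},
]

def has_dc_spn_pair(obj):
    """True if the account advertises both the DRS and the GC SPN (the DCShadow minimum)."""
    spns = [s.upper() for s in obj.get("servicePrincipalName", [])]
    return (any(s.startswith(DRS_SPN_GUID + "/") for s in spns)
            and any(s.startswith("GC/") for s in spns))

def genuine_dcs(snapshot):
    """Machine names whose account carries the server-trust bit, i.e. real DCs."""
    return [o["sAMAccountName"].rstrip("$") for o in snapshot
            if "computer" in o["objectClass"]
            and o["userAccountControl"] & UF_SERVER_TRUST_ACCOUNT]

def rogue_dc_accounts(snapshot):
    """Computer accounts with the DC SPN pair but without the server-trust bit."""
    return [o["sAMAccountName"] for o in snapshot
            if "computer" in o["objectClass"] and has_dc_spn_pair(o)
            and not o["userAccountControl"] & UF_SERVER_TRUST_ACCOUNT]

def unexpected_ntdsdsa(snapshot):
    """nTDSDSA objects under the Servers container whose server is not a genuine DC."""
    known = {name.upper() for name in genuine_dcs(snapshot)}
    pattern = re.compile(r"^CN=NTDS Settings,CN=([^,]+)," + re.escape(SERVERS_DN) + "$", re.I)
    matches = [pattern.match(o["dn"]) for o in snapshot if "nTDSDSA" in o["objectClass"]]
    return [m.group(1) for m in matches if m and m.group(1).upper() not in known]
```

Because DCShadow removes the registered objects again once replication has completed, a point-in-time scan like this only catches an attack in progress; run it against periodic directory exports or alert on the creation of these objects instead.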

Forcing Domain Replication Immediately

The component normally responsible for domain replication and synchronization is the KCC. By default it checks every 15 minutes and initiates replication if any is required. You can also use repadmin, the system tool that ships with Windows domain controllers, which calls the DRSReplicaAdd interface to force replication to start immediately. DCShadow forces immediate domain replication in the same way, by calling DRSReplicaAdd.


Reproducing the Attack


Pay attention to the firewall settings during the attack.
