
Credential Dumping

Introduction

MITRE has reported that attackers may modify Active Directory authentication encryption properties to gain access to credentials on systems. The AllowReversiblePasswordEncryption property determines whether reversible password encryption for an account is turned on or off. By default, this property is disabled, and user credentials are stored as one-way hashes. This property should only be enabled if legacy or other software requires it.

MITRE Tactic: Credential Dumping (ID: TA0006)

MITRE Technique: Modify Authentication Process (T1556)

MITRE Sub-technique: Reversible Encryption (T1556.005)

When reversible encryption is enabled on a domain user account, the stored credential can be reversed back to the user's password. A password stored under a reversible encryption policy is not a hash, since a function can return it to clear text.

Did you know?

According to , you must enable a policy setting if you use the Challenge Handshake Authentication Protocol (CHAP) for remote access or Internet Authentication Services (IAS). CHAP is an authentication protocol used for remote access and network connections. Digest Authentication in Internet Information Services (IIS) also requires this policy setting to be enabled.

Lab Setup

Enabling reversible encryption for an Active Directory user involves modifying the account property of the domain user account. Multiple methods exist for setting this property, including PowerShell commands, Group Policy Management, and changing the UserAccountControl attribute through the Attribute Editor tab of the user's properties. It is important to note that enabling reversible encryption means an adversary may be able to obtain the plaintext of passwords created or changed after the property was enabled, for example when the system administrator resets the password for the user account.

Enumeration

Use this PowerShell command to find users enabled with reversible password encryption: 

Get-ADUser -Filter 'AllowReversiblePasswordEncryption -eq $true' -Properties AllowReversiblePasswordEncryption
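The following script is an added example, not code from the original post. It extends the one-line enumeration above into a review-and-remediate workflow for the lab described under Lab Setup: it finds every account whose userAccountControl carries the ENCRYPTED_TEXT_PWD_ALLOWED bit (0x80, the bit behind AllowReversiblePasswordEncryption), lists the Default Domain Policy and any fine-grained password policies that would turn the flag on domain-wide, and clears the flag in preview mode. It assumes the ActiveDirectory (RSAT) module and rights to read and modify the accounts; the search base (whole domain) is an assumption to adjust for your environment.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# ENCRYPTED_TEXT_PWD_ALLOWED is bit 0x80 (128) of userAccountControl; the
# AllowReversiblePasswordEncryption extended property is derived from it.
$EncryptedTextPwdAllowed = 0x80
$SearchBase = (Get-ADDomain).DistinguishedName   # assumption: search the whole domain

function Get-ReversibleEncryptionUser {
    # Filter on the raw bit so the query also works where the extended
    # property is not exposed; decode the bit again client-side for the report.
    param([string]$SearchBase)
    Get-ADUser -SearchBase $SearchBase `
               -Filter 'userAccountControl -band 128' `
               -Properties userAccountControl, PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet,
            @{Name = 'UserAccountControl'; Expression = { '0x{0:X}' -f $_.userAccountControl }},
            @{Name = 'ReversibleFlagSet';  Expression = { ($_.userAccountControl -band $EncryptedTextPwdAllowed) -ne 0 }}
}

function Get-ReversibleEncryptionPolicy {
    # The domain default and any fine-grained policy can also enable the
    # setting for every password change they govern, so check both.
    $default = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{ Policy = 'Default Domain Policy'; ReversibleEncryptionEnabled = $default.ReversibleEncryptionEnabled }
    Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
        [pscustomobject]@{ Policy = $_.Name; ReversibleEncryptionEnabled = $_.ReversibleEncryptionEnabled }
    }
}

function Disable-ReversibleEncryption {
    # Runs with -WhatIf unless -Apply is given, so the list can be reviewed first.
    param(
        [Parameter(ValueFromPipeline)] $User,
        [switch] $Apply
    )
    process {
        Set-ADUser -Identity $User.SamAccountName `
                   -AllowReversiblePasswordEncryption $false `
                   -WhatIf:(-not $Apply)
    }
}

# Usage: report, then preview the fix.
$flagged = Get-ReversibleEncryptionUser -SearchBase $SearchBase
$flagged | Format-Table -AutoSize
Get-ReversibleEncryptionPolicy | Format-Table -AutoSize

# Clearing the flag only affects passwords stored from now on; a password that
# was stored reversibly stays that way until it is changed, so force a reset
# for each flagged account after clearing the flag.
$flagged | Disable-ReversibleEncryption            # preview (WhatIf)
# $flagged | Disable-ReversibleEncryption -Apply   # commit the change
```

PasswordLastSet is included in the report because, as noted in the Lab Setup section, only passwords set after the flag was enabled are stored reversibly; an account whose password predates the change is not yet exposed, but a reset while the flag is on would expose it.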

Deitasoft © 2024. All Rights Reserved.