
Targeted Plaintext Downgrades with PowerView

Following my pattern of weaponizing Sean Metcalf's work in PowerView, I'm here with another update. Sean recently released a post titled "Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync". He describes a legacy feature for Active Directory user accounts called 'reversible encryption'. According to Microsoft, "This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS)". There's a more detailed explanation of its workings here and here.

Sean describes a cool way to set this policy for classes of users on domains with a functional level of 2008 and above using something called "Fine-Grained Password Policy". Check out his article for more information, as I won't be covering that method in this post.

But long story short, if reversible encryption is enabled for a user account, you can recover the user's plaintext password using a method like Mimikatz's DCSync. One caveat that Sean mentions: if this policy is set for a particular user through whatever method, the current password is not magically turned into a reversible form; the password only becomes recoverable after the user next changes it.

UserAccountControl and PowerView

I recently started building in more functionality to handle AD object manipulation, specifically "using UserAccountControl flags to manipulate user account properties". This property is a bitmask: each flag has its own binary value, the active flags are ORed together, and the result is displayed as a single decimal value:

https://support.microsoft.com/en-us/kb/305144

So a value of 514 would mean that 512 (NORMAL_ACCOUNT) and 2 (ACCOUNTDISABLE) are currently applied. PowerView now has a ConvertFrom-UACValue function, which will display these values in a human-readable format (also passable on the pipeline):

[Screenshot: ConvertFrom-UACValue output, with the value passed on the pipeline]

If you want to see the complete table of UAC values, you can pass the -ShowAll flag, which marks any value that's currently active:

[Screenshot: ConvertFrom-UACValue -ShowAll output]

The other new(ish) function is Set-ADObject, which accepts a SID/Name/SamAccountName specification for the target to modify, a -PropertyName to manipulate, and either a -PropertyValue or a -PropertyXorValue. PropertyValue sets the supplied value for the property directly, while PropertyXorValue XORs the supplied value into the property's current value, which is useful for bitmask properties like UserAccountControl. For example, if you wanted to unlock a specific account, you could execute:

[Screenshot: Set-ADObject used to unlock an account]

Targeted Reversible Encryption

With all these pieces, we can now build a series of operations that will set an account to use reversible encryption, and then force the user to change their password on next login. This will allow us to DCSync the password as soon as the pwdlastset date changes for the user, giving us their newly set plaintext credentials. You will obviously need admin/user modification rights to modify these properties.

First, if DONT_EXPIRE_PASSWORD is set, we need to flip that with Set-ADObject -SamAccountName USER -PropertyName useraccountcontrol -PropertyXorValue 65536.

Then we can set ENCRYPTED_TEXT_PWD_ALLOWED with Set-ADObject -SamAccountName USER -PropertyName useraccountcontrol -PropertyXorValue 128.

We can then manually set pwdlastset to 0, which forces the user to change their password on next login: Set-ADObject -SamAccountName USER -PropertyName pwdlastset -PropertyValue 0.

This has all been wrapped up into a new function in PowerView, Invoke-DowngradeAccount:
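The UAC bitmask described above and the three-step downgrade in this section share the same flag arithmetic, so here is one added example, written from the auditing side, that covers both. It is not PowerView code and not from Sean's post: the flag table is the one in Microsoft KB 305144, the function names (Get-UacFlagNames, Compare-UacChange, Find-DowngradeIndicators) are my own, and the account records at the bottom are constructed sample data, not real directory output. Get-UacFlagNames decomposes a decimal userAccountControl value into flag names the way ConvertFrom-UACValue does; Compare-UacChange takes an old and new value (as you would read them from a "user account was changed" audit event) and reports which flags flipped; Find-DowngradeIndicators looks for the exact combination the downgrade leaves behind: ENCRYPTED_TEXT_PWD_ALLOWED turned on, DONT_EXPIRE_PASSWORD turned off, and pwdLastSet zeroed.

```powershell
# Added example, not PowerView code. Flag values from Microsoft KB 305144.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

# Decompose a decimal userAccountControl value into the names of the set bits.
function Get-UacFlagNames {
    param([Parameter(Mandatory)][int]$Value)
    foreach ($entry in $UacFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
}

# Report every flag that differs between an old and a new UAC value,
# and whether it ended up enabled or disabled.
function Compare-UacChange {
    param([Parameter(Mandatory)][int]$OldValue,
          [Parameter(Mandatory)][int]$NewValue)
    $changed = $OldValue -bxor $NewValue
    foreach ($entry in $UacFlags.GetEnumerator()) {
        if (($changed -band $entry.Value) -ne 0) {
            [pscustomobject]@{
                Flag    = $entry.Key
                Enabled = (($NewValue -band $entry.Value) -ne 0)
            }
        }
    }
}

# Records are hypothetical objects with SamAccountName, OldUac, NewUac, PwdLastSet
# (the shape you would build from audit events plus a directory lookup).
function Find-DowngradeIndicators {
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($r in $Records) {
        $changes = @(Compare-UacChange -OldValue $r.OldUac -NewValue $r.NewUac)
        $reasons = @()
        if ($changes | Where-Object { $_.Flag -eq 'ENCRYPTED_TEXT_PWD_ALLOWED' -and $_.Enabled }) {
            $reasons += 'reversible encryption enabled'
        }
        if ($changes | Where-Object { $_.Flag -eq 'DONT_EXPIRE_PASSWORD' -and -not $_.Enabled }) {
            $reasons += 'password expiry re-enabled'
        }
        # pwdLastSet = 0 alone is also what a helpdesk reset looks like; it is
        # the combination with the flag changes above that is suspicious.
        if ($r.PwdLastSet -eq 0) { $reasons += 'pwdLastSet forced to 0' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $r.SamAccountName
                Indicators     = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records (not real directory data).
$SampleRecords = @(
    # 66048 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD; 640 = NORMAL_ACCOUNT + ENCRYPTED_TEXT_PWD_ALLOWED
    [pscustomobject]@{ SamAccountName = 'alice'; OldUac = 66048; NewUac = 640;   PwdLastSet = 0 }
    # plain disable: 512 -> 514
    [pscustomobject]@{ SamAccountName = 'bob';   OldUac = 512;   NewUac = 514;   PwdLastSet = 131041000000000000 }
    # ordinary "must change at next logon" reset, no flag changes
    [pscustomobject]@{ SamAccountName = 'carol'; OldUac = 66048; NewUac = 66048; PwdLastSet = 0 }
)

Get-UacFlagNames -Value 514
Compare-UacChange -OldValue 66048 -NewValue 640 | Format-Table -AutoSize
Find-DowngradeIndicators -Records $SampleRecords | Format-Table -AutoSize
```

Two checks worth running on a real domain alongside this: the domain controllers' Security log records userAccountControl changes with the old and new values in "A user account was changed" events, which is where the OldUac/NewUac pairs above would come from; and an LDAP query using the bitwise-AND matching rule, `(userAccountControl:1.2.840.113556.1.4.803:=128)`, lists every account that currently has reversible encryption allowed, which is the state you want to be empty (or at least fully accounted for) before any of those users next change their password.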

[Screenshot: Invoke-DowngradeAccount run against a target user]

[Screenshot: the user being prompted to change their password at next logon]

[Screenshot: DCSync recovering the plaintext password after the change]

Once you’re done with your mischief, you can set values back to their original state with the -Repair flag:

[Screenshot: Invoke-DowngradeAccount -Repair restoring the original values]

Have fun :D
