DCShadow – The New Technique Of Attack On Active Directory
On January 24, 2018, at the Microsoft BlueHat security conference, researchers Benjamin Delpy and Vincent Le Toux demonstrated a new attack technology against the Active Directory infrastructure.
The name of the new attack technique is DCShadow. Such an attack allows an attacker to create a fake domain controller in an Active Directory environment for replicating malicious objects in the Active Directory work infrastructure.
- First of all, the attack is noteworthy because its author is the author of the utility mimikatz, one of the most popular utilities for filtering passwords in Windows environment. It is based on many utilities and frameworks for post-operation in Windows environment. In its time, it made a lot of noise, allowing to receive Windows passwords of users in the clear.
In the DCShadow attack, the DrsReplicaAdd trigger (DRSR 220.127.116.11) is used to start replication. This allows you to change the reply attribute of the domain controller and perform immediate replication.
The main attack vector of DCShadow is to create a new server and nTDSDSA objects in the Configuration section. The technique of attack is well represented in the following scheme:
With DCShadow, you no longer need to attempt to replicate data, you must register new domain controllers in the target infrastructure to implement Active Directory objects or modify existing ones (by replacing the contents of attributes).
In order for the server to be a domain controller, it must perform the following functions:
- Use a data warehouse that can replicate its information using LDAP protocols, meet the specifications of MS-DRSR and MS-ADTS;
- It has to be the source of authentication available through Kerberos, NTLM, Netlogon or WDigest;
- It must use the Group Policy Management System;
DNS provider (optional role).
In addition to hosting these services, the domain controller during the creation process must be registered in the directory infrastructure that must be received by the other domain controller as the replication source.
The main function of KCC is to create and maintain a replication topology. By default, KCC initiates replication every 15 minutes to ensure consistent and regular updates.
Authors of DCShadow technology defined the minimum set of changes needed to implement a new server in the replication topology.
- To achieve this, the DCShadow attack must modify the target Active Directory infrastructure database to allow the spoofed server to be part of the replication process.
According to the MS-ADTS specification, the domain controller is represented in the Active Directory database by an object of the nTDSDSA class, which is always in the context of the domain configuration naming context. NTDS-DSA objects can only be created as child server objects, which, in turn, can only be part of the organization or server objects. Thus, the goal of the DCShadow attack is to create a new server and nTDSDSA objects in the “Configuration” section of the schema.
However, it’s not enough just to add an object to allow the spoofed server to initiate replication.
To be part of the replication process, you must meet two requirements:
- Trust other servers;
- Provide authentication support for connecting other servers to the forged server in order to replicate the data.
Using a valid account, a spoofed server can be considered a trusted Active Directory server. Kerberos SPN attributes will provide authentication support for other domain controllers.
- This requirement is fulfilled using Kerberos (SPN). SPNs are used by the Kerberos (KDC) service to encrypt the Kerberos ticket with the computer account associated with the SPN. The DCShadow technique allows you to add an SPN used for authentication.
The authors of the attack technique identified a minimum set of SNPs required for the replication process to pass.
The results of their research show that two SPNs require that another domain controller connects to the forged server:
- Class DRS (GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2);
- Global catalog class (GC).
DCShadow allows you to install these two SPNs on the attacking computer using the DRSAddEntryc RPC function. Now it is possible to register a forged domain controller to participate in the replication process and to authenticate with another domain controller.
The last step of the DCShadow attack is to start the replication process. To do this:
- Wait for the KCC process of another domain controller to start the replication process (15 minutes);
- Make a replication by calling the DRSReplicaAdd RPC function, which will name the contents of the repsTo attribute, which will begin the immediate replication of the data.
Forced replication using IDL_DRSReplicaAdd RPC is the last step of the DCShadow attack. This will allow you to enter arbitrary data into the target AD infrastructure. It becomes possible to add new users to the administrative group, etc.
It should be noted that DCShadow is not a vulnerability, it is rather an innovative way of entering illegitimate data into the Active Directory infrastructure. This can allow an attacker to use new methods of secretly locking in successfully attacked systems.