Unmasking Active Directory’s Hidden Secret: How Attackers Dump Your Plain Text Passwords


Introduction:

Active Directory Reversible Encryption, a legacy feature often enabled by mistake, stores passwords in a weakly encrypted format equivalent to plain text. This critical misconfiguration allows attackers to easily extract and decrypt user credentials, leading to rapid domain compromise. Understanding this technique is essential for both red teamers testing defenses and blue teams fortifying their enterprise environments.

Learning Objectives:

  • Understand the mechanism and critical danger of Active Directory Reversible Encryption.
  • Learn to perform a DC-Sync attack to dump and decrypt passwords using reversible encryption.
  • Implement robust mitigation strategies and detection mechanisms to protect your domain.

You Should Know:

1. Identifying Users with Reversible Encryption Enabled

The first step for an attacker is to enumerate which user accounts have this dangerous setting enabled. This can be done from a domain-joined machine without elevated privileges.

Command (PowerShell – Active Directory Module):

Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl | Select-Object Name, SamAccountName

Step-by-step guide:

This PowerShell command queries Active Directory for all users whose `userAccountControl` attribute has the `UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED` bit (value 128) set. The `-band` operator in the filter performs a bitwise AND; if the result is 128, the setting is enabled. The command then displays the name and SAM account name of the vulnerable users, providing a target list for the subsequent attack.

2. Performing a DC-Sync Attack for Credential Dumping

With a target identified, an attacker with appropriate permissions (often gained through earlier compromise) can perform a DCSync operation to retrieve the user’s password hash, which in this case is reversibly encrypted.

Command (Mimikatz):

mimikatz # lsadump::dcsync /user:<TargetUsername> /domain:<DomainFQDN>

Step-by-step guide:

Launch Mimikatz with administrative privileges. The `lsadump::dcsync` module impersonates a Domain Controller and requests replication data for a specific user from a real DC. For accounts with reversible encryption enabled, the retrieved `NTLM` hash is actually the product of a reversible cipher. This “hash” is the primary artifact that can be decrypted back to the plain text password.

3. Decrypting the Reversibly Encrypted Hash

The data retrieved via DCSync is not a standard NTLM hash but a ciphertext. Mimikatz can automatically detect and decrypt this if the appropriate encryption keys are available from the domain.

Command (Mimikatz):

mimikatz # lsadump::dcsync /user:<TargetUsername> /domain:<DomainFQDN>

Note: Mimikatz will automatically display the plaintext password in the output if it detects and successfully decrypts reversible encryption.

Step-by-step guide:

When you execute the DCSync command for a vulnerable account, Mimikatz’s output will include a section titled `Supplied Credentials` or similar, which reveals the plaintext password directly. This automation occurs because the Domain Controller uses a shared, domain-wide key to perform the reversible encryption, which Mimikatz can leverage.

4. Alternative Dump Method with SecretsDump.py

For penetration testers operating from a Linux platform, the Impacket suite’s `secretsdump.py` script is a powerful alternative that can perform the same DCSync operation and handle reversible encryption.

Command (Linux – Impacket):

python3 secretsdump.py '<Domain>/<User>:<Password>@<DomainController_IP>' -just-dc-user <TargetUsername>

Step-by-step guide:

This command authenticates to the Domain Controller using a compromised domain account. The `-just-dc-user` flag focuses the dump on a specific user. When this user has reversible encryption enabled, `secretsdump.py` will output the plaintext password in the results, clearly labeled. It’s a cross-platform tool essential for any offensive security toolkit.

5. Enabling Audit Policies for Detection

Blue teams must detect DCSync attacks. The first step is enabling detailed audit policies to log directory service access attempts.

Command (Windows Command Prompt – via GPO or local policy):

auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

Step-by-step guide:

This command configures the system to audit both successful and failed attempts to access directory service objects. You can apply this via Group Policy Object (GPO) across the domain for centralized management. Once enabled, Event ID 4662 will be generated in the Windows Security log for DCSync replication requests, providing crucial forensic data.

6. Hunting for DCSync Attack Events

After enabling auditing, security analysts need to proactively hunt for the specific events generated by a DCSync attack within their SIEM or Windows Event Logs.

Query (Splunk-like SIEM Query):

index=windows EventCode=4662 AttributeLDAPDisplayName="msDS-ReplAttributeMetaData" NOT SubjectUserName="*$"

Step-by-step guide:

This query searches for Event ID 4662, which logs detailed directory service access. It filters for events where the attribute being accessed is related to replication metadata (msDS-ReplAttributeMetaData). The final part excludes accounts whose name ends with ‘$’ (computer accounts, which replicate with each other legitimately) to reduce noise and focus on potentially malicious user-initiated replication requests.
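To run the same hunt directly against a domain controller's Security log rather than a SIEM, here is an added PowerShell example (not code from the original post). It assumes only the built-in Get-WinEvent cmdlet and looks for the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights in the event's Properties field; the sample event at the end is constructed for offline testing.

```powershell
# Added example (not from the original post): hunt Event ID 4662 for
# DCSync-style replication requests made by user accounts. DCSync needs the
# DS-Replication-Get-Changes(-All) rights; their GUIDs appear in Properties.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Test-DcSyncEvent {
    # Takes one 4662 event as [xml] (from $event.ToXml()) and returns a finding,
    # or $null when it is not a replication request by a non-computer account.
    param([Parameter(Mandatory)][xml]$EventXml)

    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    # Computer accounts end with '$' (DC-to-DC replication); skip them.
    if ($data['SubjectUserName'] -like '*$') { return $null }

    $hits = @($ReplicationRights.Keys | Where-Object { $data['Properties'] -match $_ })
    if ($hits.Count -eq 0) { return $null }

    [pscustomobject]@{
        Time   = $EventXml.Event.System.TimeCreated.SystemTime
        User   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Object = $data['ObjectName']
        Rights = ($hits | ForEach-Object { $ReplicationRights[$_] }) -join ', '
    }
}

# Live use on a domain controller (needs the audit policy from step 5):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } |
#     ForEach-Object { Test-DcSyncEvent ([xml]$_.ToXml()) } | Where-Object { $_ }

# Constructed sample event for offline testing; not a real log entry.
$sample = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectName">DC=corp,DC=example</Data>
    <Data Name="Properties">%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data>
  </EventData>
</Event>
"@
Test-DcSyncEvent ([xml]$sample)
```

The constructed event yields one finding for CORP\jdoe with the DS-Replication-Get-Changes-All right; a computer account or an event without the replication GUIDs returns nothing.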

7. The Ultimate Mitigation: Disabling Reversible Encryption

The most critical and definitive mitigation is to disable reversible encryption for all accounts via Group Policy. This prevents new passwords from being stored using this method.

Command (Group Policy Management Console – GPMC):

Navigate to: `Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy`

Step-by-step guide:

1. Open the Group Policy Management Console.
2. Edit the Domain Policy or a policy linked to the domain.
3. Navigate to the path specified above.
4. Double-click the “Store passwords using reversible encryption” policy setting.
5. Select “Define this policy setting” and set it to Disabled.
6. Apply the GPO and force a group policy update (`gpupdate /force`) on the domain controllers. After this change, a user’s password will no longer be stored with reversible encryption once the user next changes it.
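One way to verify the change and find accounts that still carry the flag is the added PowerShell script below (example code, not from the original post). It goes beyond the single enumeration command in step 1 by also reading the default domain password policy and any fine-grained password policies, and it assumes the RSAT ActiveDirectory module on a domain-joined host; the remediation function runs in WhatIf mode unless -Apply is given.

```powershell
# Added example (not from the original post): audit and remediate reversible
# encryption exposure. Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

function Get-ReversibleEncryptionExposure {
    # Reports the policy state plus every account whose userAccountControl still
    # carries UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED (0x80 = 128).
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    $psos = @(Get-ADFineGrainedPasswordPolicy -Filter * |
        Where-Object { $_.ReversibleEncryptionEnabled })

    $accounts = @(Get-ADUser -Filter 'userAccountControl -band 128' `
        -SearchBase $SearchBase -Properties userAccountControl, PasswordLastSet |
        Select-Object Name, SamAccountName, Enabled, PasswordLastSet)

    [pscustomobject]@{
        DomainPolicyReversible = [bool]$domainPolicy.ReversibleEncryptionEnabled
        PSOsStillReversible    = $psos.Name
        AccountsWithBitSet     = $accounts
    }
}

function Clear-ReversibleEncryptionBit {
    # Clears the per-account flag. Dry run (-WhatIf) unless -Apply is given; the
    # stored clear text is only gone after the user next changes the password.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$SamAccountName,
        [switch]$Apply
    )
    process {
        Set-ADUser -Identity $SamAccountName -AllowReversiblePasswordEncryption $false `
            -WhatIf:(-not $Apply)
    }
}

$report = Get-ReversibleEncryptionExposure
if ($report.DomainPolicyReversible) {
    Write-Warning 'The Default Domain Policy still allows reversible encryption.'
}
foreach ($pso in $report.PSOsStillReversible) {
    Write-Warning "Fine-grained password policy '$pso' still allows reversible encryption."
}
$report.AccountsWithBitSet | Format-Table -AutoSize

# Dry run; add -Apply to clear the flag on every listed account.
$report.AccountsWithBitSet | Select-Object -ExpandProperty SamAccountName | Clear-ReversibleEncryptionBit
```

Accounts listed with a PasswordLastSet earlier than the GPO change still have a reversibly encrypted password stored until they change it, so the report doubles as a list of password resets to schedule.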

What Undercode Says:

  • The existence of even a single service account with reversible encryption enabled creates a critical path for total domain compromise, rendering other complex security controls moot.
  • DCSync is not an exploit in itself; it is a legitimate replication function. The vulnerability is the misconfiguration that makes this function lethal.

The real danger of Active Directory Reversible Encryption lies in its deceptive nature. It’s not a software bug but an administrative misstep, often enabled for legacy compatibility with specific applications like CHAP authentication. This makes it a silent killer in otherwise mature environments. Attackers prize this finding because it provides a direct, low-noise method to obtain plaintext credentials, which are far more valuable than standard NTLM hashes. For defenders, hunting for and eliminating this setting is a non-negotiable hardening step. The fact that tools like Mimikatz and Impacket automate the entire process—from enumeration to plaintext extraction—demonstrates the urgent need for proactive configuration management over reactive threat hunting in this specific case.

Prediction:

The abuse of reversible encryption will remain a staple in enterprise attacks as long as legacy systems persist in complex AD environments. However, we predict a shift in how this technique is leveraged. As core detection for DCSync improves, advanced threat actors will increasingly use “living off the land” techniques, such as abusing built-in PowerShell modules or third-party management tools with AD replication permissions, to perform the sync operation, thereby blending in with legitimate administrative traffic and evading signature-based alerts. The mitigation, however, remains constant and effective: comprehensive policy enforcement to disable the feature entirely.

Reported By: Ashray Gupta – Hackers Feeds