Searching for Active Directory and password encryption I found a very interesting statement regarding encryption settings at rest:
With Windows Server 2016 TP4 the RC4 encryption has been replaced with AES encryption (AES256 in CBC with IV and zero padding).
Within the Active Directory database NTDS.DIT we have encrypted fields protected against offline data extraction:
- Password Encryption Key (ntds.dit field ATTk590689, attribute pekList)
- LM Hash (field ATTk589879, attribute dBCSPwd)
- LM Hash History (field ATTk589984)
- NT Hash (field ATTk589914, attribute unicodePwd)
- NT Hash History (field ATTk589918)
- Supplemental Credentials (field ATTr589949, attribute supplementalCredentials)
While the LM hash has been disabled with Windows Server 2008, the NT hash is still a MD4 hash of the password (and the key for Kerberos RC4_HMAC_MD5). AES keys and other password hash formats are stored as „KeyPackages“ in the supplementalCredentials attribute. Michael Grafnetter analyzed the supplementalCredentials with his great DSInternals tool and posted some examples on TechNet:
- DES_CBC_MD5 – Salted with user logon name and hashed 4096 times using MD5. Used for Kerberos authentication.
- AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96 – Used for Kerberos authentication since Windows Server 2008. Salted with user logon name and hashed 4096 times using HMAC-SHA1.
- 29 MD5 hashes, each using a different combination of login and domain name. Used for WDigest authentication
- Reversibly encrypted cleartext password – Disabled by default. Required by MS-CHAPv1 RADIUS authentication.
According to Csaba Barta there are 3 layers of encryption:
- Password Encryption Key (PEK) encryption with RC4
- Hash encryption with DES
- Hash encryption with RC4
The PEK or Password Encryption Key is used to encrypt data stored in NTDS.DIT. This key is the same across the whole domain, which means that it is the same on all the domain controllers. The PEK itself is also stored in the NTDS.DIT in an encrypted form. The PEK is encrypted with the BOOTKEY which is different on all domain controllers (and in fact on all computers in the domain).
Csaba Barta’s code example shows that the PEK is encrypted using RC4 with the MD5 hash of the bootkey as key. But a post by GuyTe on http://www.activedir.org says that in case of Windows Server 2016 the pekList is encrypted using AES.
GuyTe describes the new encryption process of hashes as followed:
- Each hash is encrypted using DES, while the RID of the security principal is used as salt for the encryption function (SystemFunction026 in AdvApi32.dll). The result is a partially encrypted hash. In the case of password history attributes, the partially encrypted hashes are concatenated into a single blob.
- The resultant blob is encrypted:
- Pre-W2K16. In this case RC4 is used
- Generate random salt of 16 bytes
- RC4key = MD5(Pek, random salt)
- EncryptUsingRC4(partially encrypted blob, rc4key) (SystemFunction033 in AdvApi32.dll)
- W2K16 uses AES
- Generate random salt of 16 bytes
- EncryptWithAES, while the salt is used as IV (initialization vector) and PEK as the encryption key
Another blog post from the Industrial Security Research Group by tijl also states that Microsoft decided to remove RC4 encryption in favor of AES encryption (AES-128-CBC with an IV) for NTLM hashes with Windows 10 Anniversary Update (10.0.14393 or v1607).
I haven’t found any official document for this new way of encryption. If it’s true, a password change will not only remove RC4 but also MD5 for data at rest. When it comes to Kerberos you still have to disable RC4 for your domain but this is another story.
Microsoft Open Specifications (2019): [MS-SAMR]: supplementalCredentials (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/0705f888-62e1-4a4c-bac0-b4d427f396f8)
Michael Grafnetter (20.10.2015): Dumping the contents of ntds.dit files using PowerShell (https://www.dsinternals.com/en/dumping-ntds-dit-files-using-powershell/)
Michael Grafnetter (25.10.2015): Forum FAQ: How is user password of user objects stored in Active Directory? Can I view it? Can I modify it? (https://social.technet.microsoft.com/Forums/windowsserver/en-US/034a0e33-a8ab-474e-ba6c-3371724d0be1/forum-faq-how-is-user-password-of-user-objects-stored-in-active-directory-can-i-view-it-can-i?forum=winserverDS)
Microsoft Open Specifications (2019): Active Directory Schema Attributes (https://docs.microsoft.com/de-de/openspecs/windows_protocols/ms-winprotlp/e36c976a-6263-42a8-b119-7a3cc41ddd2a)
Csaba Barta (07.2011): Active Directory Offline Hash Dump and Forensic Analysis (https://www.exploit-db.com/docs/english/18244-active-domain-offline-hash-dump-&-forensic-analysis.pdf)
gentilkiwi (05.09.2013): Croyptographie rapide sous Windows (http://blog.gentilkiwi.com/cryptographie/api-systemfunction-windows)
gdedrouas (2014): GitHub AD-permissions / esent_dump (https://github.com/ANSSI-FR/AD-permissions/tree/master/esent_dump)
Industrial Security Research Group (2018): Retrieving NTLM Hashes and what changed in Windows 10 (http://www.insecurity.be/blog/2018/01/21/retrieving-ntlm-hashes-and-what-changed-technical-writeup/)
Sean Metcalf (03.01.2016): How Attackers Dump Active Directory Database Credentials (https://adsecurity.org/?p=2398)