Breaking Down Breach Logic

Summary

Sensitive data such as plaintext passwords is sometimes stored in the easily overlooked “info” attribute of Active Directory user and group objects. The usual tools can dump that attribute only with valid domain credentials, but a small modification to ntlmrelayx lets an attacker read it through an NTLM relay to LDAP, using a victim's relayed authentication instead of credentials of their own. The article walks through adding a custom “--dump-userinfo” option that queries the attribute and saves the hits in several formats, then uses network poisoning to capture and relay an authentication and recover the stored secrets. It highlights the risk of leaving sensitive information in domain attributes and stresses that attackers routinely adapt their tools for deeper access, while defenders should regularly audit these fields and avoid storing confidential data in them.

In several engagements, I have found plaintext credentials stored in the “info” attribute of user and group domain objects. Tools such as NetExec can dump this attribute automatically, but they require valid domain user credentials. You can also run a raw LDAP query with any of the available tools, but again, you need valid domain user credentials. However, offensive tools can perform raw LDAP queries through an NTLM/Kerberos authentication relay, using a victim's relayed session instead of credentials of your own. There are a couple of prerequisites for this to work (notably, a relayable authentication has to be captured and the target domain controller must not require LDAP signing), but those are out of scope for now.

One of my favorite tools for relay attacks is the “ntlmrelayx.py” script from Impacket’s suite. It uses “ldapdomaindump” in the background to enumerate all the domain objects and retrieve the contents of certain attributes, such as “description,” which sometimes contains interesting information, but it doesn’t retrieve the contents of the “info” attribute. So, let’s implement it. 

The custom “ntlmrelayx” can be found here

The Solution

After reviewing the “ntlmrelayx.py” script, I found that two of the implemented options already perform raw LDAP queries: “--dump-laps” and “--dump-gmsa.” So the skeleton code for what I wanted was already in place. The code lives in “impacket/examples/ntlmrelayx/attacks/ldapattack.py”.

Figure 1: LAPS password read LDAP query. 

Based on that code, I wrote an LDAP query that returns the user and group domain objects whose “info” attribute contains a value. I also added code to save the results in three formats, HTML, JSON, and greppable, mirroring the files “ldapdomaindump” produces. The results are written to the loot directory given by the “--lootdir” ntlmrelayx option, and the functionality is enabled by passing the “--dump-userinfo” option to “ntlmrelayx.py.”
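To make the lookup concrete, here is an added example (not the author's patch or impacket's own code) that shows the two halves of such an option: the LDAP filter that selects user and group objects with a populated “info” attribute, and the writers that turn the hits into JSON, greppable and HTML files. The search results are constructed inline so the script runs offline; the filter string, the file names and the column layout are my own choices, not those of the custom ntlmrelayx. The HTML writer escapes every cell, because the attribute text comes from the directory and an operator will open the report in a browser.

```python
"""Added example: dump populated 'info' attributes to JSON, greppable and HTML.

Not the author's code and not impacket's. The search results below are
constructed so the example runs without a domain controller.
"""
import html
import json
import os
from typing import Dict, List

# LDAP filter for the lookup. objectCategory=person keeps computer accounts
# (also objectClass=user) out of the user branch; (info=*) asks the server for
# objects whose info attribute has a value.
USERINFO_FILTER = "(&(|(&(objectCategory=person)(objectClass=user))(objectClass=group))(info=*))"
USERINFO_ATTRIBUTES = ["sAMAccountName", "objectClass", "info"]

# Constructed search results, shaped like the (dn, attributes) entries an LDAP
# search returns. Not real data.
SAMPLE_RESULTS = [
    {"dn": "CN=jdoe,CN=Users,DC=lab,DC=local",
     "attributes": {"sAMAccountName": "jdoe",
                    "objectClass": ["top", "person", "organizationalPerson", "user"],
                    "info": "VPN login: jdoe / Summer2024!"}},
    {"dn": "CN=Helpdesk,CN=Users,DC=lab,DC=local",
     "attributes": {"sAMAccountName": "Helpdesk",
                    "objectClass": ["top", "group"],
                    "info": "New starters get Welcome1\r\nchange on first logon"}},
    {"dn": "CN=svc_backup,OU=Service,DC=lab,DC=local",
     "attributes": {"sAMAccountName": "svc_backup",
                    "objectClass": ["top", "person", "organizationalPerson", "user"],
                    "info": None}},  # no value: must be skipped by the client too
]


def object_kind(object_classes: List[str]) -> str:
    """Classify an entry as 'group' or 'user' from its objectClass values."""
    classes = {c.lower() for c in object_classes}
    return "group" if "group" in classes else "user"


def collect_userinfo(results: List[Dict]) -> List[Dict[str, str]]:
    """Keep entries with a non-empty info value and flatten them to records."""
    records = []
    for entry in results:
        attrs = entry["attributes"]
        info = attrs.get("info")
        if isinstance(info, list):  # some LDAP libraries return lists for every attribute
            info = "\n".join(info)
        if not info or not str(info).strip():
            continue
        records.append({
            "kind": object_kind(attrs.get("objectClass", [])),
            "sAMAccountName": attrs.get("sAMAccountName", ""),
            "dn": entry["dn"],
            "info": str(info),
        })
    return records


def to_json(records: List[Dict[str, str]]) -> str:
    return json.dumps(records, indent=2)


def to_greppable(records: List[Dict[str, str]]) -> str:
    """One record per line, tab-separated; embedded line breaks and tabs in the
    info text are flattened so grep and cut work on the file."""
    lines = ["kind\tsAMAccountName\tdn\tinfo"]
    for r in records:
        flat = r["info"].replace("\r", "").replace("\n", " | ").replace("\t", " ")
        lines.append("\t".join([r["kind"], r["sAMAccountName"], r["dn"], flat]))
    return "\n".join(lines) + "\n"


def to_html(records: List[Dict[str, str]]) -> str:
    """HTML table with every cell escaped, so directory data cannot inject
    markup into the report the operator opens in a browser."""
    columns = ("kind", "sAMAccountName", "dn", "info")
    rows = "".join(
        "<tr>" + "".join(f"<td>{html.escape(r[c]).replace(chr(10), '<br>')}</td>"
                         for c in columns) + "</tr>"
        for r in records)
    header = "".join(f"<th>{c}</th>" for c in columns)
    return f"<html><body><table><tr>{header}</tr>{rows}</table></body></html>"


def write_loot(records: List[Dict[str, str]], lootdir: str) -> Dict[str, str]:
    """Write the three report files into lootdir and return their paths.
    File names are this example's choice, not the custom tool's."""
    os.makedirs(lootdir, exist_ok=True)
    paths = {}
    for ext, render in (("json", to_json), ("grep", to_greppable), ("html", to_html)):
        path = os.path.join(lootdir, f"domain_userinfo.{ext}")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(render(records))
        paths[ext] = path
    return paths


if __name__ == "__main__":
    found = collect_userinfo(SAMPLE_RESULTS)
    print(to_greppable(found))
    print(write_loot(found, "loot"))
```

The same filter is what a defender would run to audit the attribute with whatever LDAP client they have; only the credentials differ. Because the server already applies `(info=*)`, the client-side check in `collect_userinfo` only matters for entries that come back with an empty value, but it keeps the writers from emitting blank rows.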

Figure 2: Info attribute lookup. 

Demo

In the AD lab, let's first add text to the “info” attribute of a user and of a group object. Unlike “description,” which has a field of the same name in the object properties window, the “info” attribute is not exposed under its own name. For user objects, it maps to the “Notes” field on the “Telephones” tab.

Figure 3: Notes field in user objects. 

For the group objects, the “info” attribute maps to the “Notes” field on the “General” tab.  

Figure 4: Notes field in group objects. 


Now we can run my custom “ntlmrelayx.py” and pass the “--lootdir” (“-l”) and “--dump-userinfo” options to trigger the query and retrieve the expected information.

Figure 5: Ntlmrelayx options. 

Then we use “mitm6” to poison the network, wait for a client to authenticate over HTTP with NTLM, and let ntlmrelayx relay that authentication to LDAP on the domain controller.

Figure 6: Info attribute dump. 

And if we take a look at the HTML file that was created, we can see that someone has stored a user's plaintext password and added a comment to a group. 

Figure 7: HTML file created. 

To summarize, we obtained a plaintext password and a potential default password without needing valid domain user credentials. 

Key Takeaways

For the offensive folks: It’s important to know your tools and how they work. Adapt them to your needs, and improve them. 

For the defensive folks and domain administrators: avoid storing any sensitive information in domain objects' attributes, because many of them, “description” and “info” included, are readable by any authenticated domain user, and through a relay, by anyone who can capture an authentication. Audit these fields regularly.
