Logo
RSS Feed

๐Ÿบ Active Directory

Created: 28.07.2022

Moving accounts and auth policies to the server side. Azure Active Directory is when instead of having a physical server, you have a server in the cloud โ›…๏ธ. Defines a set of rules to restrict users’ access to resources. PCs that are part of AD usually don’t have full access to the systems.

AD DS store contains db files and processes that manage directory information for users, services and applications. Consists of Ntds.dit file, at %SystemRoot%\ NTDS folder on all DC. Is only accessible thtough the DC’s processes and protocols.

Class objects. What objects can be created in the dir (User, Computer).

Attribute objects. Info attached to an object (Display name).

Forests. Share common schema, config partition, global catalog, trusts between domains in the forest, Enterprise Admins and Schema Admins groups.

OU. Organisational Units. Containers with users, groups, computers or other OUs. Represent the org hierarchy and logically, manage objects in consistent way, delegate permissions and apply policies.

Trust. Directional (peer to peer) and Transitive (the friend of my friend is my friend).

๐Ÿบ NTDS.DIT

๐Ÿบ \%SystemRoot%\NTDS. If the file is not here, check ๐Ÿ”‘ HKLM\SYSTEM\CurrecntControlSet\Services\NTDS\Parameters to see where it’s stored. To access this key, use ntdsutil or another tool to get raw access to the disk or get Volume Shadow copy with ๐Ÿ› ๏ธ VSSAdmin.

You need ๐Ÿ‘‘ to load a drive to access the raw disk or use Volume Shadow copy. Active Directory database stored encrypted passwords for all the domain accounts along with the password history. NTDS.DIT is in ESE format.

๐Ÿ› ๏ธ VSSAdmin (to get Volume Shadow copy), ๐Ÿ› ๏ธ NTDSXtract, ๐Ÿ› ๏ธ Metasploit, ๐Ÿ› ๏ธ PowerShell, ๐Ÿ› ๏ธ secretsdump.py (impacket), ๐Ÿ› ๏ธ Bloodhound (looks a lot like a threat modelling tool). ๐Ÿ› ๏ธ Bloodhound uses LDAP and is quite stealthy. ๐Ÿ› ๏ธ GoFetch uses Bloodhound to create a graph and then uses Invoke-Mimikatz and Invoke-Psexec and ๐Ÿ› ๏ธ DeathStar, which uses ๐Ÿ› ๏ธ PowerShell Empire to achieve pretty much the same result.

Attacks & Investigation

LLMNR Poisoning. NBT-NS (former name). Used when DNS screws up. Uses NTLMv2 hash and username. โš”๏ธ Disable LLMNR (Turn off multicast name resolution) and NBT-NS. If these are needed: require network access control, strong user passwords (14+ chars).

SMB Relay. Resend the stolen hashes to the machines that can use them instead of cracking them. Pass the hash? SMB must be disabled for the attack to work, relayed creds are admin for the machine. nmap --script=smb2-security-mode.nse -p445 <IP range> to check for SMB with signing off. Use the tool ntlmrelayx.py tf targets.txt -smb2support -i (i for Interactive shell) along with the responder (HTTP and SMB off). Use nc <IP> <port> to connect to the open connection. โš”๏ธ Enable SMB signing, disable NTLM auth over network, local admin restriction ()

Default accounts

Administrator account.

Guest account.

HelpAssistant Account.

KRBTGT account. More like a system account.

Protecting Domain Accounts

First of all, separate admin accs from user accs. For admin accs follow the least priv principle.

Privileged account:

Minimum. Several levels of admins with separate accounts: domain, enterprise admins and other types of admins. They have various levels of access. This one ๐Ÿ‘ฎโ€โ™‚๏ธ has most access, this one ๐Ÿ‘จโ€๐Ÿซ a little more and this one ๐Ÿ‘จโ€๐ŸŽจ has not so much access as he would like to.

Better. Separate accounts with different right for different admins roles (admin that only set up the PCs, admins that manage AD etc). Some of them have reduced rights. Usually, segregated by OU (org unit, i.e. department). For example, there is a marketing unit and they have their own admins, that support their daily activity.

Ideal. Different accs for different trust levels. So, for example, one administrator ๐Ÿ‘จโ€๐Ÿซ will have several accounts: main admin account for managing resources, another admin account for adding users. Also, standard account for his daily routine and say personal, for something that’s not related to work.

Standard user accountย ๐Ÿคช:

E-mail ๐Ÿ“ฌ, browsing the Internet ๐ŸŒŽ, using business applications.

It’s also a good practice to create dedicated workstations that don’t have network and email access:

Minimum. Build dedicated worstations ๐Ÿ–ฅ that don’t have internet access.

Better. Don’t grant local admin rights for the machine to the admins that are using these machines.

Ideal. No network ๐ŸŒŽ๐Ÿšซ access, only access to domains and servers that this admin manages.

Restrict admin logon to servers and workstations.

Minimum. Identify all machines that admins cannot login to. Then restrict access appropriately.

Better. Don’t let domain admins login to non-domain controller servers and worstations.

Ideal. Restrict server admins logging into workstations in addition to domain admins.

โž•Disable the account delegation for admins. Account delegation lets servers and PCs impersonate certain accounts and perform actions with these rights. For admin accs that should be disabled.

Group Policy

Allows system administrators to define and enforce settings and configurations for user accounts and computers in a Windows domain

Attacks

Active Directory. Did you know that 95% of the Fortune 1000 companies run Active Directory in their environments? Due to this, Active Directory penetration testing is one of the most important topics you should learn and one of the least taught. The Active Directory portion of the course focuses on several topics. You will build out your own Active Directory lab and learn how to exploit it. Attacks include, but are not limited to: LLMNR poisoning, SMB relays, IPv6 DNS takeovers, pass-the-hash/pass-the-password, token impersonation, kerberoasting, GPP attacks, golden ticket attacks, and much more. You’ll also learn important tools like mimikatz, Bloodhound, and PowerView. This is not a section to miss!

References

Expand… Something here