# Active Directory

Service that allows sys admin to update and manage OS, apps, users and data access from a centralised system on a large scale.

## Content

1. Theory
2. Enumeration
3. Authentication
4. Lateral Movement Techniques

## AD Theory

#### What is it?

* For on-prem Microsoft environments (Cloud uses Azure AD)
* Centralized User, devices and rights management
* Users can authenticate once and access any resource in their authorized domain (SSO)
* Files stored in central repository for sharing

## Infrastructure of AD

* 3 tiers:
  * Domain (management boundary: a group of related users, computers and objects)
  * Tree (security boundary: multiple domains)
    * Domains within one tree can communicate with different levels of trust
    * Share directory configuration, schema and logical structure
  * Forest (multiple trees; forest-level trust is needed for intercommunication)

#### Schema

* Blueprint for the type and format of information stored in the database

#### Domain Controller (DC)

* A server with Active Directory Domain Services (ADDS) installed --> stores information about how a specific instance of AD is configured
* Enforces rules about how objects in AD interact
* Changes made to the directory on one DC are replicated to all DCs

### AD Protocols (LDAP/Kerberos)

1. LDAP (Lightweight Directory Access Protocol)
   1. Used to update and query Active Directory; access objects in AD
   2. Authentication for accessing server resources over the internet/intranet
2. Kerberos
   * Default protocol for authentication service requests between trusted hosts across an untrusted network
   * Provides AAA: Authentication, Authorization, Accounting

   Components

   * 3 parties: Client, Network resource (application server), Key Distribution Center (KDC)
     * **KDC (Key Distribution Center)** grants tickets (limited-lifetime key; a ticket allows one-time authentication)
     * **Kerberos database** - identities of clients and their access rights
     * **KAS (Authentication Server)** - grants the TGT (Ticket Granting Ticket)
     * **KTGS (Ticket Granting Server)** - authenticates based on the TGT, issues a ticket for a service

Mechanism:

1. Client sends its ID and requests a TGT from the AS (in plain text)
2. KDC verifies the client ID against the database and generates the client secret key (from the user's password hash)
3. AS computes:
   * TGS secret key
   * Session key (SK1), encrypted with the client secret key
   * TGT = (SK1 + client data), encrypted with the TGS secret key

   Client decrypts with its client secret key and now holds SK1 and the TGT
4. Client sends the TGT and an authenticator

Kerberos attacks:

1. Pass the key - impersonate clients by using their creds
2. Pass the ticket - use the ticket when the KDC sends the session ticket
3. Golden ticket attack - use the Windows DC to create client creds
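As an added illustration of the AS exchange described above (not part of the original notes), a Python simulation of the three parties: the client sends its ID in clear, the AS returns SK1 sealed under the client key and a TGT sealed under the TGS key, and only the holder of the right key can open each blob. The cipher, key derivation, account name, password and TGS key are toy stand-ins constructed for this example, not real Kerberos encryption types.

```python
import hashlib, hmac, json, os, time

# Toy stand-in for Kerberos encryption: HMAC-SHA256 keystream XORed over JSON. Real
# Kerberos uses AES/RC4 encryption types; this only models who can open which blob.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, obj: dict) -> bytes:
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def unseal(key: bytes, blob: bytes):
    nonce, body = blob[:16], blob[16:]
    plain = bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))
    try:
        return json.loads(plain)
    except ValueError:          # wrong key: the XOR output is not valid JSON
        return None

def long_term_key(secret: str) -> bytes:
    # Stand-in for the client secret key the KDC derives from the password hash.
    return hashlib.sha256(secret.encode()).digest()

# Constructed KDC state: Kerberos database of client keys and the TGS (krbtgt) key.
KDC_DB = {"alice": long_term_key("CorrectHorse1!")}
TGS_KEY = long_term_key("krbtgt-secret-placeholder")

def as_exchange(client_id: str) -> dict:
    # Steps 1-3: client ID arrives in clear; the AS looks it up, generates SK1 and
    # returns SK1 sealed under the client key plus the TGT sealed under the TGS key.
    client_key = KDC_DB[client_id]
    sk1 = os.urandom(16).hex()
    tgt = seal(TGS_KEY, {"client": client_id, "sk1": sk1, "expires": time.time() + 600})
    return {"enc_sk1": seal(client_key, {"sk1": sk1}), "tgt": tgt}

def client_decrypt(password: str, reply: dict):
    # The client recovers SK1 with its own key; the TGT is opaque to it (returns None).
    key = long_term_key(password)
    part = unseal(key, reply["enc_sk1"])
    return (part["sk1"] if part else None, unseal(key, reply["tgt"]))

def tgs_open(reply: dict) -> dict:
    # Step 4 precondition: only the TGS can open the TGT and learn SK1 to check the
    # authenticator the client sends alongside it.
    return unseal(TGS_KEY, reply["tgt"])
```

A wrong password yields a different client key, so `client_decrypt` returns `None` for SK1: the password is never sent, only proven by the ability to decrypt.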

### AD Attack Vectors

* LLMNR Poisoning (Link-Local Multicast Name Resolution: name resolution for hosts on the same local link)
  * LLMNR is used to identify hosts when DNS fails
  * The service uses the user's username and NTLM hash (hashed form of user passwords on Windows systems, stored in the SAM)
  * MITM attack: wait for and intercept requests, capture NTLM hashes (Responder.py)
    * When a user enters a wrong network drive → DNS failure → intercept NTLMv2 hash, IP and username
    * Hashcat mode 5600 (`-m 5600`) with rockyou.txt or SecLists → crack password (if weak)
  * Defense:
    * Strong password policy - no reuse, expiry, complexity, clean desk
    * Disable LLMNR and NBT-NS
    * Enable NAC (Network Access Control) - MAC address needed to authenticate
* SMB Relay Attacks
  * Relay captured hashes to specific machines > gain access > dump the SAM file (username/password hashes of local users)
  * Required:
    * SMB signing disabled → the system does not verify the sender, only recognises the hash → grants access
    * The user must have admin privileges on both machines
  * Defense:
    * Enable SMB signing on all devices (decreases file transfer speed)
    * Account tiering: limit Domain Admins to specific tasks (can't log in to user accounts)
    * Local admin restriction (no local admin > limits lateral movement)
* IPv6 Attacks
  * IPv4 is predominantly used but IPv6 is enabled, usually with no one responsible for DNS over IPv6
  * Impersonate a legitimate DNS server > redirect the victim's IPv6 traffic
    * Authenticate via LDAP or SMB protocols > initiate reboot > gain access to Domain Controller (admin privileges not needed) > create new account
  * Defence:
    * Disable IPv6 / block rules in the firewall via Group Policy (DHCPv6)
    * Add users to a protected group (blocks delegation)


### Securing AD/Best Practices

* Secure the Domain Administrator account
  * Only use Domain Admin for domain setup or disaster recovery (DRP for AD)
  * Deny access to this computer from the network
  * Deny log on as a batch job, as a service or via RDP
* Use 2 accounts (normal and admin)
  * Normal account (no admin rights) for BAU
* Disable the local admin account on all devices
  * The SID stays the same even if the admin account is renamed
* LAPS (Local Administrator Password Solution)
  * Sets a random password for the local admin account on each computer
* Monitor AD for signs of compromise
  * Log analyzer
    * Bad password attempts
    * Account lockouts
    * Privileged account activities
    * Logon/logoff events
    * Use of local admin accounts
    * Changes to privileged groups - Domain, Enterprise, Schema Admins
* Identify and delete inactive users
* Remove users from the local Administrators group
* Patch management and vulnerability scanning
  * Regular automated scans of all systems
  * Patch known vulnerabilities
  * Automate software updates
  * Identify out-of-date or no-longer-supported software and patch it
* Enable 2FA
* Lock down service accounts - they launch executables, tasks or services and authenticate with AD
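The "Monitor AD for signs of compromise" item above, as an added example that is not part of the original notes: detection logic run over constructed Windows Security event records that flags the indicators listed there. The `EventID key=value` layout, account names and addresses are a simplified stand-in constructed for this example, not a real log export; the event IDs are the standard Windows ones.

```python
import re
from collections import Counter

# Constructed sample events (not real captures) in a compact "EventID key=value ..." form
# standing in for Windows Security log records on a domain controller.
SAMPLE_LOG = """\
4625 user=jsmith src=10.0.0.21 status=0xC000006A
4625 user=jsmith src=10.0.0.21 status=0xC000006A
4625 user=jsmith src=10.0.0.21 status=0xC000006A
4625 user=jsmith src=10.0.0.21 status=0xC000006A
4625 user=jsmith src=10.0.0.21 status=0xC000006A
4740 user=jsmith src=10.0.0.21
4624 user=Administrator src=10.0.0.21 logon_type=3
4728 member=jsmith group="Domain Admins" actor=svc-backup
4672 user=svc-backup src=10.0.0.5
4624 user=mjones src=10.0.0.33 logon_type=2
"""

# Event IDs: 4625 failed logon, 4740 lockout, 4624 logon, 4672 special privileges
# assigned, 4728/4732/4756 member added to a global/local/universal group.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
BAD_PASSWORD_THRESHOLD = 5
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line: str) -> dict:
    event_id, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["id"] = event_id
    return fields

def find_alerts(log_text: str) -> list:
    bad_pw = Counter()
    alerts = []
    for ev in (parse(l) for l in log_text.splitlines() if l.strip()):
        eid = ev["id"]
        if eid == "4625":
            bad_pw[ev["user"]] += 1
            if bad_pw[ev["user"]] == BAD_PASSWORD_THRESHOLD:   # alert once per user
                alerts.append(("repeated-bad-password", ev["user"]))
        elif eid == "4740":
            alerts.append(("account-lockout", ev["user"]))
        elif eid == "4672":
            alerts.append(("privileged-logon", ev["user"]))
        elif eid in {"4728", "4732", "4756"} and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("privileged-group-change", f'{ev["member"]} -> {ev["group"]}'))
        elif (eid == "4624" and ev["user"].lower() == "administrator"
              and ev.get("logon_type") == "3"):   # built-in admin used over the network
            alerts.append(("local-admin-network-logon", ev["user"]))
    return alerts
```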

