Active Directory

Service that allows sys admins to update and manage OSes, apps, users and data access from a centralised system on a large scale.

Content

  1. Theory

  2. Enumeration

  3. Authentication

  4. Lateral Movement Techniques

AD Theory

What is it?

  • For on-prem Microsoft environments (Cloud uses Azure AD)

  • Centralized User, devices and rights management

  • Users can authenticate once and access any resource in their authorized domain (SSO)

  • Files stored in central repository for sharing

Infrastructure of AD

  • 3 tiers:

    • Domain (management boundary - group of related users, computers and objects)

    • Tree (security boundary - multiple domains)

      • Domains within 1 tree can communicate with different levels of trust

      • Share directory configuration, schema, logical structure

    • Forest (forest-level trust needed to inter-communicate)

Schema

  • Blueprint for type and format of information to be stored in the database

Domain Controller (DC)

  • Domain controller (DC) with Active Directory Domain Services (ADDS) installed --> stores information about how a specific instance of AD is configured

  • Enforces rules about how objects in the AD interact

  • Changes made to the directory on 1 DC are replicated to all DCs

AD Protocols (LDAP/Kerberos)

  1. LDAP (Lightweight Directory Access Protocol)

    1. Used to update and query Active Directory; access objects in AD

    2. Authentication for accessing server resources over internet/intranet

  2. Kerberos

    • Default protocol for authentication service requests between trusted hosts across untrusted network

    • Provides AAA: Authentication, Authorization, Accounting

    Components

    • 3 Parties: Client, Network resource (App server), Key Distribution Center (KDC)

Mechanism:

  1. Client sends ID; requests TGT from AS (plain text)

  2. KDC verifies client ID; checks database, generates client secret key (using user password hash)

  3. AS computes SK1 (session key) and TGT; client decrypts with client secret key

  4. Client sends TGT and authenticator
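A toy walk-through of steps 1-4 in Python, added here as an illustration and not part of the original notes: the account "alice", its password, the krbtgt secret and the HMAC-SHA256 sealing are all constructed stand-ins, whereas real Kerberos uses AES/RC4 encryption types and ASN.1 messages.

```python
# Toy model of the Kerberos AS exchange in the steps above. Constructed example:
# real Kerberos uses AES/RC4 etypes and ASN.1, not this HMAC-SHA256 keystream.
import hashlib, hmac, json, os, time

def derive_key(secret: str) -> bytes:
    # Stand-in for a key derived from a password hash (client) or the krbtgt secret
    return hashlib.sha256(secret.encode()).digest()

def seal(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption: nonce || (data XOR HMAC keystream) || HMAC tag
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    stream = b"".join(hmac.new(key, nonce + bytes([i]), "sha256").digest()
                      for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key: cannot decrypt")  # wrong password or forged blob
    stream = b"".join(hmac.new(key, nonce + bytes([i]), "sha256").digest()
                      for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))

KRBTGT_KEY = derive_key("krbtgt-secret-constructed")      # known only to the KDC
USER_DB = {"alice": derive_key("Winter2024!")}            # constructed account entry

def as_exchange(client_id: str) -> dict:
    # Steps 1-2: client ID arrives in plain text; KDC looks up the client key in its DB
    client_key = USER_DB[client_id]
    sk1, exp = os.urandom(16).hex(), int(time.time()) + 600
    # Step 3: SK1 sealed under the client key, TGT sealed under the krbtgt key
    return {"enc_part": seal(client_key, {"sk1": sk1, "exp": exp}),
            "tgt": seal(KRBTGT_KEY, {"client": client_id, "sk1": sk1, "exp": exp})}

def client_recover_sk1(password: str, rep: dict) -> str:
    # Step 3 (client side): only the right password opens SK1; the TGT stays opaque
    return unseal(derive_key(password), rep["enc_part"])["sk1"]

def make_authenticator(client_id: str, sk1: str) -> bytes:
    # Step 4 (client side): authenticator sealed with SK1 proves possession of SK1
    return seal(bytes.fromhex(sk1), {"client": client_id, "ts": int(time.time())})

def tgs_check(rep: dict, authenticator: bytes) -> str:
    # Step 4 (KDC side): open the TGT with the krbtgt key, then the authenticator with SK1
    tgt = unseal(KRBTGT_KEY, rep["tgt"])
    auth = unseal(bytes.fromhex(tgt["sk1"]), authenticator)
    if auth["client"] != tgt["client"] or auth["ts"] > tgt["exp"]:
        raise ValueError("authenticator does not match TGT")
    return tgt["client"]
```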

Kerberos Attacks:

  1. Pass the key - impersonate clients by using their creds

  2. Pass the ticket - use the ticket when the KDC sends the session ticket

  3. Golden ticket attack - use Windows DC to create client creds

AD Attack Vectors

  • LLMNR Poisoning (Name resolution for hosts on same local-link)

    • LLMNR used to identify hosts when DNS fails

    • This service utilizes the user’s username and NTLM hash (crypto format of user passwords in Windows systems, stored in SAM)

    • MITM attack; awaits and intercepts requests, captures NTLM hashes (Responder.py)

      • When user enters wrong network drive → DNS failure → intercept NTLMv2 hash, IP, username

      • hashcat -m 5600 (NetNTLMv2) with rockyou.txt or SecLists → crack password (if weak)

    • Defense:

      • Strong password policy - no reuse/expiry/complexity/clean desk

      • Disable LLMNR & NBT-NS

      • Enable NAC (Network access control) - need MAC address to authenticate

  • SMB Relay Attacks

    • Relay hashes to specific machines > gain access > dump SAM file (user/password hashes of local users)

    • Required:

      • SMB signing disabled → system does not verify, only recognises the hash → grants access

      • User must have admin privileges on both machines

    • Defense:

      • Enable SMB signing on all devices (decrease in file transfer speeds)

      • Account Tiering: Limit Domain Admins to specific tasks (can’t log in to user Acc)

      • Local Admin Restriction (no local admin > limit lateral movement)

  • IPv6 Attacks

    • IPv4 predominantly used, IPv6 enabled, usually no one responsible for DNS in IPv6

    • Impersonate a legitimate DNS server > redirect victim’s IPv6 traffic

      • Authenticate via LDAP or SMB protocols > initiate reboot > gain access to Domain Controller (no admin privileges needed) > create new account

    • Defence: Disable IPv6 / block rules in firewall via Group Policy (DHCPv6) / add user to Protected Users group (blocks delegation)

Securing AD/Best Practices

  • Secure Domain administrator account

    • Only use Domain Admin for domain setup OR disaster recovery (DRP for AD)

    • Deny access to this computer from the network

    • No log on as batch job/service/RDP

  • Use 2 Accounts (Normal and admin)

    • Normal acc (no admin rights) for BAU (business as usual)

  • Disable local admin acc on all devices

    • SID remains the same even if the admin acc is renamed

  • LAPS (Local Administrator Password Solution)

    • Sets a random password for the local admin acc on each computer using LAPS

  • Monitor AD for signs of compromise

    • Log analyzer

      • Bad password attempts

      • Account lockouts

      • Privileged account activities

      • Logon/Logoff events

      • Use of Local admin accounts

      • Changes to Privileged groups - Domain, enterprise, Schema admins

  • Identify and Delete inactive users

  • Remove Users from Local Admin Group

  • Patch Management & Vuln Scanning

    • Regular automated scans of all systems

    • Patch known vulnerabilities

    • Automate software updates

    • Identify out-of-date / no longer supported software and patch

  • Enable 2FA

  • Lock down service accounts - launch executables, tasks or service, authenticate with AD
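Added example (not the notes' own code) for the "Monitor AD for signs of compromise" list above: rule logic for bad password attempts, lockouts, privileged group changes, local admin logons and privileged logons, run over constructed Security-log events. The event IDs (4625, 4740, 4728/4756, 4624, 4672) are the real Windows ones; hosts, account names, SIDs and the thresholds are made up, and the RID-500 check is what makes the local Administrator detectable even after a rename.

```python
# Added example: rule logic for the indicators in the notes above, run over
# constructed Security-log events. Event IDs are the real Windows ones; hosts,
# names, SIDs and thresholds are made up. Not the notes' own code.
from collections import defaultdict

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
FAILED_LOGON_THRESHOLD = 5   # 4625 events for one account inside WINDOW seconds
WINDOW = 300

# Constructed events; keys mirror the Security log's EventData field names
EVENTS = [{"t": 10 * i, "id": 4625, "TargetUserName": "bob"} for i in range(1, 6)] + [
    {"t": 60, "id": 4740, "TargetUserName": "bob"},
    {"t": 70, "id": 4624, "TargetUserName": "alice",
     "TargetUserSid": "S-1-5-21-1-2-3-1105", "Computer": "WS01"},
    {"t": 80, "id": 4624, "TargetUserName": "Administrator",
     "TargetUserSid": "S-1-5-21-1-2-3-500", "Computer": "WS02"},
    {"t": 90, "id": 4728, "TargetUserName": "Sales",
     "MemberName": "CN=dave,OU=Users,DC=corp,DC=local"},
    {"t": 95, "id": 4728, "TargetUserName": "Domain Admins",
     "MemberName": "CN=eve,OU=Users,DC=corp,DC=local"},
    {"t": 99, "id": 4672, "SubjectUserName": "svc_backup"},
]

def analyze(events):
    """Return (rule, detail...) tuples for events matching the monitoring list."""
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        eid = e["id"]
        if eid == 4625:                      # failed logon (bad password attempts)
            q = failures[e["TargetUserName"]]
            q.append(e["t"])
            while q[0] < e["t"] - WINDOW:    # drop attempts older than the window
                q.pop(0)
            if len(q) == FAILED_LOGON_THRESHOLD:
                alerts.append(("brute_force", e["TargetUserName"]))
        elif eid == 4740:                    # account lockout
            alerts.append(("lockout", e["TargetUserName"]))
        elif eid in (4728, 4756) and e["TargetUserName"] in PRIVILEGED_GROUPS:
            # member added to a security-enabled global/universal group
            alerts.append(("privileged_group_change", e["MemberName"], e["TargetUserName"]))
        elif eid == 4624 and e["TargetUserSid"].endswith("-500"):
            # built-in local Administrator: RID 500 survives a rename
            alerts.append(("local_admin_logon", e["Computer"]))
        elif eid == 4672:                    # special privileges assigned at logon
            alerts.append(("privileged_logon", e["SubjectUserName"]))
    return alerts
```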
