Active Directory Penetration Testing
Active Directory Methodology
Basic overview
Active Directory allows network administrators to create and manage domains, users, and
objects within a network. For example, an admin can create a group of users and give them
specific access privileges to certain directories on the server. As a network grows, Active
Directory provides a way to organize a large number of users into logical groups and
subgroups, while providing access control at each level.
The Active Directory structure includes three main tiers: 1) domains, 2) trees, and 3) forests.
Several objects (users or devices) that all use the same database may be grouped into a
single domain. Multiple domains can be combined into a single group called a tree. Multiple
trees may be grouped into a collection called a forest. Each one of these levels can be
assigned specific access rights and communication privileges.
Main concepts of an Active Directory:
1. Directory - Contains all the information about the objects of the Active Directory
2. Object - An object references almost anything inside the directory (a user, group, shared
folder...)
3. Domain - The objects of the directory are contained inside the domain. Inside a "forest"
more than one domain can exist and each of them will have their own objects collection.
4. Tree - Group of domains with the same root. Example: dom.local, email.dom.local,
www.dom.local
5. Forest - The forest is the highest level of the organization hierarchy and is composed by
a group of trees. The trees are connected by trust relationships.
Active Directory provides several different services, which fall under the umbrella of "Active
Directory Domain Services," or AD DS. These services include:
1. Domain Services - stores centralized data and manages communication between users
and domains; includes login authentication and search functionality
2. Certificate Services - creates, distributes, and manages secure certificates
3. Lightweight Directory Services - supports directory-enabled applications using the
open (LDAP) protocol
4. Directory Federation Services - provides single-sign-on (SSO) to authenticate a user in
multiple web applications in a single session
5. Rights Management - protects copyrighted information by preventing unauthorized use
and distribution of digital content
6. DNS Service - Used to resolve domain names
AD DS is included with Windows Server (including Windows Server 10) and is designed to
manage client systems. While systems running the regular version of Windows do not have
the administrative features of AD DS, they do support Active Directory. This means any
Windows computer can connect to a Windows workgroup, provided the user has the correct
login credentials.
From: https://techterms.com/definition/active_directory
Kerberos Authentication
To learn how to attack an AD you need to understand the Kerberos
authentication process really well.
Read this page if you still don't know how it works.
Cheat Sheet
You can take a look at https://wadcoms.github.io/ to have a quick view of which commands
you can run to enumerate/exploit an AD.
Recon Active Directory (No creds/sessions)
If you just have access to an AD environment but you don't have any credentials/sessions you
could:
Pentest the network:
Scan the network, find machines and open ports and try to exploit vulnerabilities or
extract credentials from them (for example, printers could be very interesting targets).
Enumerating DNS could give information about key servers in the domain such as web,
printers, shares, vpn, media, etc.
gobuster dns -d domain.local -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txt
Take a look at the General Pentesting Methodology to find more information about
how to do this.
Check for null and Guest access on smb services (this won't work on modern Windows
versions):
enum4linux -a -u "" -p "" <IP> && enum4linux -a -u "guest" -p "" <IP>
smbmap -u "" -p "" -P 445 -H <IP> && smbmap -u "guest" -p "" -P 445 -H <IP>
smbclient -U '%' -L //<IP> && smbclient -U 'guest%' -L //<IP>
A more detailed guide on how to enumerate an SMB server can be found here:
139,445 - Pentesting SMB
Enumerate LDAP
nmap -sV --script "ldap* and not brute" -p 389 <IP>
A more detailed guide on how to enumerate LDAP can be found here (pay special
attention to the anonymous access):
389, 636, 3268, 3269 - Pentesting LDAP
Poison the network
Gather credentials impersonating services with Responder
Access host by abusing the relay attack
Gather credentials exposing fake UPnP services with evil-SSDP
OSINT:
Extract usernames/names from internal documents, social media, services (mainly
web) inside the domain environments and also from the publicly available.
If you find the complete names of company workers, you could try different AD
username conventions (read this). The most common conventions are:
NameSurname, Name.Surname, NamSur (3 letters of each), Nam.Sur, NSurname,
N.Surname, SurnameName, Surname.Name, SurnameN, Surname.N, 3 random letters
and 3 random numbers (abc123)
Tools:
w0Tx/generate-ad-username
urbanadventurer/username-anarchy
User enumeration
Anonymous SMB/LDAP enum: Check the pentesting SMB and pentesting LDAP pages.
Kerbrute enum: When an invalid username is requested the server will respond using
the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to
determine that the username was invalid. Valid usernames will elicit either the TGT in an
AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, indicating that the
user is required to perform pre-authentication.
./kerbrute_linux_amd64 userenum -d lab.ropnop.com --dc 10.10.19.10 usernames.txt
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP>
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>' <IP>
msf> use auxiliary/gather/kerberos_enumusers
crackmapexec smb dominio.es -u '' -p '' --users | awk '{print $4}' | uniq
OWA (Outlook Web Access) Server
If you found one of these servers in the network you can also perform user enumeration
against it. For example, you could use the tool MailSniper:
ipmo C:\Tools\Mailsniper\Mailsniper.ps1
# Get info about the domain
Invoke-DomainHarvestOWA -ExchHostname [ip]
# Enumerate valid users from a list of potential usernames
Invoke-UsernameHarvestOWA -ExchHostname [ip] -Domain [domain] -UserList .\possib
# Password spraying
Invoke-PasswordSprayOWA -ExchHostname [ip] -UserList .\valid.txt -Password Summe1
# Get addresses list from the compromised mail
You can find lists of usernames in this github repo and this one (statistically-
likely-usernames).
However, you should have the names of the people working at the company from
the recon step you should have performed before this. With the name and surname
you could use the script namemash.py to generate potential valid usernames.
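Seen from the domain controller, the enumeration described under "Kerbrute enum" shows up as a burst of TGT requests for non-existent accounts coming from one source. The detection below is an added example, not part of the original page: it assumes Security-log event 4768 records (result code 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN) exported oldest-first in a constructed CSV layout, and the function names, window and threshold are illustrative choices.

```python
"""Flag Kerberos username enumeration in exported DC Security-log events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event 4768 = "A Kerberos authentication ticket (TGT) was requested".
# Result code 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (requested user does not exist).
TGT_REQUEST = 4768
PRINCIPAL_UNKNOWN = "0x6"

# Constructed sample export, oldest first (assumed layout, not a real log):
# timestamp,event_id,client_ip,account,result_code
SAMPLE_EVENTS = """\
2024-03-01T10:00:01,4768,10.0.5.23,jsmith,0x0
2024-03-01T10:00:02,4624,10.0.5.23,jsmith,0x0
2024-03-01T10:00:03,4768,10.0.5.23,jsmiht,0x6
2024-03-01T10:01:00,4768,10.0.9.77,admin,0x6
2024-03-01T10:01:00,4768,10.0.9.77,backup,0x6
2024-03-01T10:01:01,4768,10.0.9.77,helpdesk,0x6
2024-03-01T10:01:01,4768,10.0.7.40,svc_old,0x6
2024-03-01T10:01:02,4768,10.0.9.77,scanner,0x6
2024-03-01T10:01:02,4768,10.0.9.77,svc_sql,0x6
2024-03-01T10:01:03,4768,10.0.7.40,svc_old,0x6
2024-03-01T10:01:05,4768,10.0.7.40,svc_old,0x6
2024-03-01T10:01:07,4768,10.0.7.40,svc_old,0x6
2024-03-01T10:01:09,4768,10.0.7.40,svc_old,0x6
2024-03-01T10:03:00,4768,10.0.8.15,tmp1,0x6
2024-03-01T10:06:00,4768,10.0.8.15,tmp2,0x6
2024-03-01T10:09:00,4768,10.0.8.15,tmp3,0x6
2024-03-01T10:12:00,4768,10.0.8.15,tmp4,0x6
2024-03-01T10:15:00,4768,10.0.8.15,tmp5,0x6
"""


def parse_event(line):
    """Split one CSV record into typed fields."""
    ts, event_id, client_ip, account, code = line.strip().split(",")
    return (datetime.fromisoformat(ts), int(event_id), client_ip,
            account.lower(), code.lower())


def find_user_enumeration(lines, window=timedelta(seconds=60), threshold=5):
    """Return {client_ip: [unknown usernames]} for every source that requested
    TGTs for at least `threshold` distinct non-existent accounts within `window`.
    Records must be in chronological order."""
    recent = defaultdict(deque)   # client_ip -> (timestamp, account) inside the window
    flagged = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, client_ip, account, code = parse_event(line)
        if event_id != TGT_REQUEST or code != PRINCIPAL_UNKNOWN:
            continue
        queue = recent[client_ip]
        queue.append((ts, account))
        while ts - queue[0][0] > window:      # drop requests older than the window
            queue.popleft()
        # Count distinct names: one stale service retrying a single deleted
        # account is noise, many different unknown names is enumeration.
        distinct = {name for _, name in queue}
        if len(distinct) >= threshold:
            flagged[client_ip] |= distinct
    return {ip: sorted(names) for ip, names in flagged.items()}


if __name__ == "__main__":
    for ip, names in find_user_enumeration(SAMPLE_EVENTS.splitlines()).items():
        print(f"possible Kerberos user enumeration from {ip}: {', '.join(names)}")
```

In the sample only 10.0.9.77 is flagged: 10.0.7.40 retries one stale account name, 10.0.8.15 spreads its misses over minutes, and 10.0.5.23 is a single typo.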
Knowing one or several usernames
Ok, so you know you have already a valid username but no passwords... Then try:
ASREPRoast: If a user doesn't have the attribute DONT_REQ_PREAUTH you can request
an AS_REP message for that user that will contain some data encrypted by a derivation of
the password of the user.
Password Spraying: Let's try the most common passwords with each of the discovered
users, maybe some user is using a bad password (keep in mind the password policy!)
Note that you can also spray OWA servers to try to get access to the users mail
servers.
Password Spraying
LLMNR/NBT-NS Poisoning
You might be able to obtain some challenge hashes to crack by poisoning some protocols of
the network:
Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
Relay
If you have managed to enumerate the active directory you will have more emails and a
better understanding of the network. You might be able to force NTLM relay attacks
to get access to the AD env.
Steal NTLM Creds
If you can access other PCs or shares with the null or guest user you could place files (like
a SCF file) that if somehow accessed will trigger an NTLM authentication against you so you
can steal the NTLM challenge to crack it:
Places to steal NTLM creds
Enumerating Active Directory WITH credentials/session
For this phase you need to have compromised the credentials or a session of a valid domain
account. If you have some valid credentials or a shell as a domain user, you should
remember that the options given before are still options to compromise other users.
Before starting the authenticated enumeration you should know what the Kerberos double
hop problem is.
Kerberos Double Hop Problem
Enumeration
Having compromised an account is a big step to start compromising the whole domain,
because you are going to be able to start the Active Directory Enumeration:
Regarding ASREPRoast you can now find every possible vulnerable user, and regarding
Password Spraying you can get a list of all the usernames and try the password of the
compromised account, empty passwords and new promising passwords.
You could use the CMD to perform a basic recon
You can also use powershell for recon which will be stealthier
You can also use powerview to extract more detailed information
Another amazing tool for recon in an active directory is BloodHound. It is not very
stealthy (depending on the collection methods you use), but if you don't care about that,
you should totally give it a try. Find where users can RDP, find path to other groups, etc.
Other automated AD enumeration tools are: AD Explorer, ADRecon, Group3r,
PingCastle.
DNS records of the AD, as they might contain interesting information.
A tool with GUI that you can use to enumerate the directory is AdExplorer.exe from
Sysinternal Suite
You can also search in the LDAP database with ldapsearch to look for credentials in fields
userPassword & unixUserPassword, or even for Description. cf. Password in AD User
comment on PayloadsAllTheThings for other methods.
If you are using Linux, you could also enumerate the domain using pywerview.
You could also try automated tools as:
tomcarver16/ADSearch
61106960/adPEAS
Extracting all domain users
It's very easy to obtain all the domain usernames from Windows (net user /domain,
Get-DomainUser or wmic useraccount get name,sid). In Linux, you can use:
GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username or
enum4linux -a -u "user" -p "password"
Even if this Enumeration section looks small this is the most important part of all. Access
the links (mainly the one of cmd, powershell, powerview and BloodHound), learn how to
enumerate a domain and practice until you feel comfortable. During an assessment, this
will be the key moment to find your way to DA or to decide that nothing can be done.
Kerberoast
The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of
domain user accounts. Part of these TGS tickets are encrypted with keys derived from user
passwords. As a consequence, their credentials could be cracked offline.
More about this in: Kerberoast
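Both Kerberoast and the ASREPRoast technique mentioned earlier depend on account settings an administrator can find first: user accounts carrying an SPN, and accounts whose userAccountControl has the DONT_REQ_PREAUTH bit (4194304) set. The audit below is an added example, not code from the original page; the input records are a constructed sample of an LDAP export and the function names are illustrative.

```python
"""Audit exported AD user objects for Kerberoast / AS-REP roast exposure."""

# userAccountControl bits (Microsoft-documented values)
ACCOUNTDISABLE = 0x2
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000           # 4194304
# msDS-SupportedEncryptionTypes bits
AES128, AES256 = 0x8, 0x10

KERBEROASTABLE = "Kerberoastable: user account with an SPN"
NO_AES = "AES not enabled on the account"
ASREP = "AS-REP roastable: Kerberos pre-authentication not required"
NEVER_EXPIRES = "password never expires"

# Constructed sample of an LDAP export of user objects (not real accounts).
USERS = [
    {"sAMAccountName": "svc_sql",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "svc_web",
     "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": ["HTTP/intranet.corp.example"],
     "msDS-SupportedEncryptionTypes": AES128 | AES256},
    {"sAMAccountName": "legacy_app",
     "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,
     "servicePrincipalName": []},
    {"sAMAccountName": "krbtgt",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "jdoe",
     "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": []},
]


def audit_user(user):
    """Return the list of findings for one exported user object."""
    uac = user["userAccountControl"]
    if uac & ACCOUNTDISABLE:
        return []                      # disabled accounts are skipped in this audit
    findings = []
    if uac & DONT_REQ_PREAUTH:
        findings.append(ASREP)
    if user.get("servicePrincipalName"):
        findings.append(KERBEROASTABLE)
        enc_types = user.get("msDS-SupportedEncryptionTypes", 0)
        if not enc_types & (AES128 | AES256):
            findings.append(NO_AES)
    # A password that never rotates keeps an offline-cracked secret usable.
    if findings and uac & DONT_EXPIRE_PASSWORD:
        findings.append(NEVER_EXPIRES)
    return findings


def audit_users(users):
    """Return {sAMAccountName: findings} for every account with a finding."""
    report = {}
    for user in users:
        findings = audit_user(user)
        if findings:
            report[user["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_users(USERS).items():
        print(f"{name}: {'; '.join(findings)}")
```

Typical remediation for the flagged accounts is a long random password or a gMSA for service accounts, enabling AES, and clearing DONT_REQ_PREAUTH where nothing depends on it.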
Remote connection (RDP, SSH, FTP, Win-RM, etc)
Once you have obtained some credentials you could check if you have access to any
machine. For that matter, you could use CrackMapExec to attempt connecting on several
servers with different protocols, according to your port scans.
Local Privilege Escalation
If you have compromised credentials or a session as a regular domain user and you have
access with this user to any machine in the domain you should try to find your way to
escalate privileges locally and loot for credentials. This is because only with local
administrator privileges you will be able to dump hashes of other users in memory (LSASS)
and locally (SAM).
There is a complete page in this book about local privilege escalation in Windows and a
checklist. Also, don't forget to use WinPEAS.
Current Session Tickets
It's very unlikely that you will find tickets in the current user giving you permission to
access unexpected resources, but you could check:
## List all tickets (if not admin, only current user tickets)
.\Rubeus.exe triage
## Dump the interesting one by luid
.\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("
-Set @{serviceprincipalname="fake/NOTHING
Make users vulnerable to ASREPRoast
Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}
Grant DCSync privileges to a user
Add-DomainObjectAcl -TargetIdentity "DC=SUB,DC=DOMAIN,DC=LOCAL" -Principalident
Silver Ticket
The Silver ticket attack is based on crafting a valid TGS for a service once the NTLM hash of
service is owned (like the PC account hash). Thus, it is possible to gain access to that
service by forging a custom TGS as any user (like privileged access to a computer).
Silver Ticket
Golden Ticket
A valid TGT as any user can be created using the NTLM hash of the krbtgt AD account. The
advantage of forging a TGT instead of TGS is being able to access any service (or machine)
in the domain as the impersonated user.
Golden Ticket
Diamond Ticket
These are like golden tickets forged in a way that bypasses common golden tickets
detection mechanisms.
Diamond Ticket
Certificates Account Persistence
Having certificates of an account or being able to request them is a very good way to be
able to persist in the user's account (even if he changes the password):
AD CS Account Persistence
Certificates Domain Persistence
Using certificates, it is also possible to persist with high privileges inside the domain:
AD CS Domain Persistence
AdminSDHolder Group
The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy
permissions to all “protected groups” in Active Directory and their members. Protected
groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins,
and Schema Admins, Backup Operators and krbtgt.
By default, the ACL of this group is copied inside all the "protected groups". This is done to
avoid intentional or accidental changes to these critical groups. However, if an attacker
modifies the ACL of the group AdminSDHolder for example, giving full permissions to a
regular user, this user will have full permissions on all the groups inside the protected group
(in an hour).
And if someone tries to delete this user from the Domain Admins (for example) in an hour or
less, the user will be back in the group.
More information about AdminSDHolder Group here.
DSRM Credentials
There is a local administrator account inside each DC. Having admin privileges in this
machine, you can use mimikatz to dump the local Administrator hash. Then, by modifying a
registry to activate this password, you can remotely access this local Administrator
user.
DSRM Credentials
ACL Persistence
You could give some special permissions to a user over some specific domain objects that
Abusing Active Directory ACLs/ACEs
Security Descriptors
The security descriptors are used to store the permissions an object has over an object.
If you can just make a little change in the security descriptor of an object, you can obtain
very interesting privileges over that object without needing to be member of a privileged
group.
Security Descriptors
Skeleton Key
Modify LSASS in memory to create a master password that will work for any account in the
domain.
Skeleton Key
Custom SSP
Learn what a SSP (Security Support Provider) is here.
You can create your own SSP to capture in clear text the credentials used to access the
machine.
Custom SSP
DCShadow
It registers a new Domain Controller in the AD and uses it to push attributes (SIDHistory,
SPNs...) on specified objects without leaving any logs regarding the modifications. You need
DA privileges and be inside the root domain.
Note that if you use wrong data, pretty ugly logs will appear.
DCShadow
LAPS Persistence
Previously we discussed how to escalate privileges if you have enough
permission to read LAPS passwords. However, these passwords can also be used to
maintain persistence.
Check:
LAPS
Forest Privilege Escalation - Domain Trusts
Microsoft considers that the domain isn't a Security Boundary, the Forest is the security
Boundary. This means that if you compromise a domain inside a Forest you might be able
to compromise the entire Forest.
Basic Information
At a high level, a domain trust establishes the ability for users in one domain to authenticate
to resources or act as a security principal in another domain.
Essentially, all a trust does is link up the authentication systems of two domains and
allow authentication traffic to flow between them through a system of referrals.
When 2 domains trust each other they exchange keys. These keys are going to be saved in
the DCs of each domain (2 keys per trust direction, latest and previous) and the keys will
be the base of the trust.
When a user tries to access a service on the trusting domain it will request an inter-realm
TGT from the DC of its domain. The DC will serve the client this TGT, which would be
encrypted/signed with the inter-realm key (the key both domains exchanged). Then, the
client will access the DC of the other domain and will request a TGS for the service using
the inter-realm TGT. The DC of the trusting domain will check the key used and, if it's ok, it will
trust everything in that ticket and will serve the TGS to the client.
Different trusts
It's important to notice that a trust can be 1 way or 2 ways. In the 2 ways options, both
domains will trust each other, but in the 1 way trust relation one of the domains will be the
trusted and the other the trusting domain. In the last case, you will only be able to access
resources inside the trusting domain from the trusted one.
If Domain A trusts Domain B, A is the trusting domain and B is the trusted one. Moreover, in
Domain A, this would be an Outbound trust; and in Domain B, this would be an Inbound
trust.
Different trusting relationships
Parent-Child — part of the same forest - a child domain retains an implicit two-way
transitive trust with its parent. This is probably the most common type of trust that you'll
encounter.
Cross-link — aka a “shortcut trust” between child domains to improve referral times.
Normally referrals in a complex forest have to filter up to the forest root and then back
down to the target domain, so for a geographically spread out scenario, cross-links can
make sense to cut down on authentication times.
External - an implicitly non-transitive trust created between disparate domains. "External
trusts provide access to resources in a domain outside of the forest that is not already
joined by a forest trust.” External trusts enforce SID filtering, a security protection covered
later in this post.
Tree-root - an implicit two-way transitive trust between the forest root domain and the
new tree root you're adding. I haven't encountered tree-root trusts too often, but from the
Microsoft documentation, they're created when you create a new domain tree in a forest.
These are intra-forest trusts, and they preserve two-way transitivity while allowing the
tree to have a separate domain name (instead of child.parent.com).
Forest — a transitive trust between two forest root domains. Forest trusts also enforce SID
filtering.
MIT - a trust with a non-Windows RFC4120-compliant Kerberos domain. I hope to dive
more into MIT trusts in the future.
Other differences in trusting relationships
A trust relationship can also be transitive (A trusts B, B trusts C, then A trusts C) or non-
transitive.
A trust relationship can be set up as bidirectional trust (both trust each other) or as one-
way trust (only one of them trusts the other).
Attack Path
1. Enumerate the trusting relationships
2. Check if any security principal (user/group/computer) has access to resources of the
other domain, maybe by ACE entries or by being in groups of the other domain. Look for
relationships across domains (the trust was created for this probably)
   1. kerberoast in this case could be another option
3. Compromise the accounts which can pivot through domains.
There are three main ways that security principals (users/groups/computer) from one domain
can have access into resources in another foreign/trusting domain:
They can be added to local groups on individual machines, i.e. the local “Administrators”
group on a server.
They can be added to groups in the foreign domain. There are some caveats depending
on trust type and group scope, described shortly.
They can be added as principals in an access control list, most interesting for us as
principals in ACEs in a DACL. For more background on ACLs/DACLs/ACEs, check out the
“An ACE Up The Sleeve” whitepaper.
Child-to-Parent forest privilege escalation
Get-DomainTrust
SourceName      : sub.domain.local    --> current domain
TargetName      : domain.local        --> foreign domain
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST       --> WITHIN_FOREST: Both in the same forest
TrustDirection  : Bidirectional       --> Trust direction (2ways in this case)
WhenCreated     : 2/19/2021 00 PM
WhenChanged     : 2/19/2021 100 PM
There are 2 trusted keys, one for Child --> Parent and another one for Parent -->
Child.
You can get the one used by the current domain with:
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName de.my.dor
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'
SID-History Injection
Escalate as Enterprise admin to the child/parent domain abusing the trust with SID-History
injection:
SID-History Injection
Exploit writeable Configuration NC
The Configuration NC is the primary repository for configuration information for a forest and
is replicated to every DC in the forest. Additionally, every writable DC (not read-only DCs) in
the forest holds a writable copy of the Configuration NC. Exploiting this requires running as
SYSTEM on a (child) DC. It is possible to compromise the root domain in various ways covered below.
Link GPO to root DC site
The Sites container in Configuration NC contains all sites of the domain-joined computers in
the AD forest. It is possible to link GPOs to sites when running as SYSTEM on any DC in the
forest, including the site(s) of the forest root DCs, and thereby compromise these.
More details can be read here Bypass SID filtering research.
Compromise any gMSA in the forest
The attack depends on privileged gMSAs in the targeted domain.
The KDS Root key, which is used to calculate the password of gMSAs in the forest, is stored
in the Configuration NC. When running as SYSTEM on any DC in the forest, one can read out
the KDS Root key and calculate the password of any gMSA in the forest.
More details can be read here: Golden gMSA trust attack from child to parent.
Schema change attack
The attack requires the attacker to wait for new privileged AD objects to be created.
When running as SYSTEM on any DC in the forest, one can grant any user full control over all
classes in the AD Schema. That control can be abused to create an ACE in the default
security descriptor of any AD object that grants full control to a compromised principal. All
new instances of the modified AD object types will have this ACE.
More details can be read here: Schema change trust attack from child to parent.
From DA to EA with ADCS ESC5
The ADCS ESC5 (Vulnerable PKI Object Access Control) attacks abuse control over PKI
objects to create a vulnerable certificate template that can be abused to authenticate as any
user in the forest. Since all the PKI objects are stored in the Configuration NC, one can
execute ESC5 if they have compromised any writable (child) DC in the forest.
More details can be read here: From DA to EA with ESC5.
In case the AD forest does not have ADCS, the attacker can create the necessary
components as described here: Escalating from child domain's admins to enterprise admins in
5 minutes by abusing AD CS, a follow up.
External Forest Domain - One-Way (Inbound) or bidirectional
Get-DomainTrust
SourceName      : a.domain.local    --> Current domain
TargetName      : domain.external   --> Destination domain
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes :
TrustDirection  : Inbound           --> Inbound trust
WhenCreated     : 2/19/2021 10:50:56 PM
WhenChanged     : 2/19/2021 10:50:56 PM
In this scenario your domain is trusted by an external one giving you undetermined
permissions over it. You will need to find which principals of your domain have which
access over the external domain and then try to exploit it:
External Forest Domain - One-Way (Inbound) or bidirectional
External Forest Domain - One-Way (Outbound)
Get-DomainTrust -Domain current.local
SourceName      : current.local     --> Current domain
TargetName      : external.local    --> Destination domain
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection  : Outbound          --> Outbound trust
WhenCreated     : 2/19/2021 10:15:24 PM
WhenChanged     : 2/19/2021 10:15:24 PM
In this scenario your domain is trusting some privileges to principals from a different
domain.
However, when a domain is trusted by the trusting domain, the trusted domain creates a
user with a predictable name that uses as password the trusted password. Which means
that it's possible to access a user from the trusting domain to get inside the trusted one to
enumerate it and try to escalate more privileges:
External Forest Domain - One-Way (Outbound)
Another way to compromise the trusted domain is to find a SQL trusted link created in the
opposite direction of the domain trust (which isn't very common).
Another way to compromise the trusted domain is to wait in a machine where a user from the
trusted domain can access to login via RDP. Then, the attacker could inject code in the RDP
session process and access the origin domain of the victim from there
Moreover, if the victim mounted his hard drive, from the RDP session process the attacker
could store backdoors in the startup folder of the hard drive. This technique is called
RDPInception.
RDP Sessions Abuse
Domain trust abuse mitigation
SID Filtering:
Avoids attacks which abuse the SID history attribute across forest trusts.
Enabled by default on all inter-forest trusts. Intra-forest trusts are assumed secured by
default (MS considers the forest and not the domain to be a security boundary).
But, since SID filtering has potential to break applications and user access, it is often
disabled.
Selective Authentication:
In an inter-forest trust, if Selective Authentication is configured, users between the
trusts will not be automatically authenticated. Individual access to domains and
servers in the trusting domain/forest should be given.
Does not prevent writeable Configuration NC exploitation and trust account attack.
More information about domain trusts in ired.team.
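Both mitigations are recorded as bits of the trustAttributes value stored on each trust object, which is also where the TrustAttributes names in the Get-DomainTrust outputs on this page come from. The audit below is an added example, not code from the original page: the bit values are the ones Microsoft documents for trustAttributes and trustDirection, the trust list is constructed (its first three entries mirror the outputs shown earlier), and the findings encode one reading of the mitigation list rather than an official rule set.

```python
"""Audit domain trusts for SID filtering and selective authentication."""

# trustAttributes bit flags as documented by Microsoft (MS-ADTS).
TRUST_ATTRIBUTES = {
    0x01: "NON_TRANSITIVE",
    0x02: "UPLEVEL_ONLY",
    0x04: "QUARANTINED_DOMAIN",    # SID filtering (quarantine) enabled
    0x08: "FOREST_TRANSITIVE",     # forest trust
    0x10: "CROSS_ORGANIZATION",    # selective authentication enabled
    0x20: "WITHIN_FOREST",         # parent-child, tree-root or cross-link trust
    0x40: "TREAT_AS_EXTERNAL",     # forest trust filtered only like an external one
    0x80: "USES_RC4_ENCRYPTION",
}
QUARANTINED, FOREST, SELECTIVE, WITHIN, AS_EXTERNAL = 0x04, 0x08, 0x10, 0x20, 0x40
OUTBOUND = 0x2   # trustDirection: 1 = inbound, 2 = outbound, 3 = bidirectional

INTRA_FOREST = "intra-forest trust: not a security boundary"
FILTER_RELAXED = "forest trust with TREAT_AS_EXTERNAL: SID filtering relaxed"
FILTER_OFF = "external trust without QUARANTINED_DOMAIN: SID filtering disabled"
NO_SELECTIVE = "selective authentication not enabled"


def decode_attributes(value):
    """Translate a trustAttributes integer into flag names."""
    return [name for bit, name in TRUST_ATTRIBUTES.items() if value & bit]


def audit_trust(direction, attributes):
    """Return findings for one trust, judged from the local (auditing) domain."""
    if attributes & WITHIN:
        return [INTRA_FOREST]
    if not direction & OUTBOUND:
        # Inbound only: the other side trusts us, so filtering and selective
        # authentication are settings on their trust object, not ours.
        return []
    findings = []
    if attributes & FOREST:
        if attributes & AS_EXTERNAL:
            findings.append(FILTER_RELAXED)
    elif not attributes & QUARANTINED:
        findings.append(FILTER_OFF)
    if not attributes & SELECTIVE:
        findings.append(NO_SELECTIVE)
    return findings


# Constructed sample: (trusted domain, trustDirection, trustAttributes).
TRUSTS = [
    ("domain.local", 3, 0x20),      # bidirectional, WITHIN_FOREST
    ("domain.external", 1, 0x00),   # inbound, no attributes
    ("external.local", 2, 0x08),    # outbound, FOREST_TRANSITIVE
    ("partner.example", 3, 0x48),   # forest trust with TREAT_AS_EXTERNAL
    ("legacy.example", 2, 0x00),    # outbound external trust, quarantine off
    ("vendor.example", 2, 0x14),    # external, quarantined, selective auth
]


def audit_all(trusts):
    """Return {domain: findings} for every trust with at least one finding."""
    report = {}
    for name, direction, attributes in trusts:
        findings = audit_trust(direction, attributes)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, direction, attributes in TRUSTS:
        flags = ", ".join(decode_attributes(attributes)) or "none"
        issues = "; ".join(audit_trust(direction, attributes)) or "ok"
        print(f"{name:16} [{flags}] -> {issues}")
```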
AD -> Cloud & Cloud -> AD
Azure AD Connect - Hybrid identity
Some General Defenses
Learn more about how to protect credentials here.
Please, find some mitigations against each technique in the description of the technique.
Do not allow Domain Admins to log in on any other hosts apart from Domain Controllers
Never run a service with DA privileges
If you need domain admin privileges, limit the time:
Add-ADGroupMember -Identity 'Domain Admins' -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)
Deception
Password does not expire
Trusted for Delegation
Users with SPN
Password in description
Users who are members of high privilege groups
Users with ACL rights over other users, groups or containers
Computer objects
https://github.com/samratashok/Deploy-Deception
Create-DecoyUser -UserFirstName user -UserLastName manager-uncommon -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
How to identify deception
For user objects:
ObjectSID (different from the domain)
lastLogon, lastlogontimestamp
Logoncount (very low number is suspicious)
whenCreated
Badpwdcount (very low number is suspicious)
General:
DC. Or users against the RID 500 (default admin).
Check if something is too good to be true
https://github.com/JavelinNetworks/HoneypotBuster
Bypassing Microsoft ATA detection
User enumeration
ATA only complains when you try to enumerate sessions in the DC, so if you don't look for
sessions in the DC but in the rest of the hosts, you probably won't get detected.
Tickets impersonation creation (Over pass the hash, golden ticket...)
Always create the tickets using the aes keys also because what ATA identifies as malicious is
the degradation to NTLM.
DCSync
If you don’t execute this from a Domain Controller, ATA is going to catch you, sorry.
More Tools
Powershell script to do domain auditing automation
Python script to enumerate active directory
Python script to enumerate active directory
References
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/