Active Directory (AD) is a critical component of the infrastructure of many organizations, used to manage resources and users in Windows environments. Auditing Active Directory is essential to guarantee network security and data integrity. Below, starting from an assumed-compromise scenario in which one domain user has already been breached, we will go through the main attack vectors that we must identify:
1. Privilege Escalation
Although it is not always necessary, it is highly recommended to start by obtaining administrative permissions on the attacking machine, as this makes using the tools much more comfortable. To do this you can use tools such as PowerUp, WinPEAS or Seatbelt, among others, to identify paths that allow escalation to local administrator.
2. Password Policies
A weak password policy can be useful for carrying out password spraying attacks (this must be done carefully so as not to lock out accounts) or for the later cracking of identified hashes. Furthermore, if there is no lockout policy after failed attempts, it would be possible to brute force against the entire domain without fear of locking user accounts. The domain policy (lockout threshold, observation window, minimum length) can be read with net accounts /domain or from the lockoutThreshold and lockoutObservationWindow attributes of the domain object; fine-grained password policies can override it for specific users, so also check msDS-ResultantPSO on the accounts you intend to spray.
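The "carefully" in the point above is a scheduling problem: never let any one account accumulate more failures inside one observation window than the lockout threshold allows. The following planner is an added example (not code from the original article); the policy values, users and password list are constructed, and bad_pwd_count is a stand-in for the badPwdCount attribute you would read from the PDC emulator, since that counter is not replicated between domain controllers.

```python
import datetime as dt
from dataclasses import dataclass

# Constructed policy values, shaped like what "net accounts /domain" or the domain
# object's lockoutThreshold / lockoutObservationWindow attributes report.
@dataclass
class LockoutPolicy:
    threshold: int                    # failed logons before lockout; 0 = accounts never lock
    observation_window: dt.timedelta  # badPwdCount resets after this long without failures

def attempts_per_window(policy, safety_margin=2):
    """Guesses we allow per user per window; None means the domain has no lockout."""
    if policy.threshold == 0:
        return None
    budget = policy.threshold - safety_margin
    if budget < 1:
        raise ValueError("lockout threshold too low to spray without locking accounts")
    return budget

def plan_spray(policy, users, passwords, start, bad_pwd_count=None, safety_margin=2):
    """Return (when, user, password) attempts so that no user receives more than
    threshold - safety_margin failures inside any single observation window.
    bad_pwd_count: failures already recorded against a user (read from the PDC
    emulator; badPwdCount is not replicated between DCs) -- they eat into window 0."""
    bad_pwd_count = bad_pwd_count or {}
    budget = attempts_per_window(policy, safety_margin)
    schedule = []
    for user in users:
        remaining = list(passwords)
        window = 0
        while remaining:
            if budget is None:
                slot = len(remaining)                       # no lockout: everything at once
            else:
                slot = budget - (bad_pwd_count.get(user, 0) if window == 0 else 0)
            batch, remaining = remaining[:max(slot, 0)], remaining[max(slot, 0):]
            when = start + window * policy.observation_window
            schedule.extend((when, user, pw) for pw in batch)
            window += 1
    # Classic spray order: one password across all users before the next password.
    order = {pw: i for i, pw in enumerate(passwords)}
    schedule.sort(key=lambda item: (item[0], order[item[2]], item[1]))
    return schedule

def max_attempts_in_window(schedule, policy):
    """Sanity check before running: largest number of attempts any user gets in one window."""
    counts = {}
    for when, user, _ in schedule:
        counts[(user, when)] = counts.get((user, when), 0) + 1
    return max(counts.values())

# Constructed sample data.
POLICY = LockoutPolicy(threshold=5, observation_window=dt.timedelta(minutes=30))
USERS = ["alice", "bob", "carol"]
PASSWORDS = ["Winter2023!", "Password1", "Welcome1", "Summer2023!",
             "Company123", "Qwerty123", "Spring2024!"]
START = dt.datetime(2024, 1, 15, 9, 0)

if __name__ == "__main__":
    # bob already has two failed logons in the current window, so he gets fewer guesses now.
    plan = plan_spray(POLICY, USERS, PASSWORDS, START, bad_pwd_count={"bob": 2})
    for when, user, pw in plan:
        print(when.strftime("%H:%M"), user, pw)
    print("max attempts per user per window:", max_attempts_in_window(plan, POLICY))
```

With a threshold of 5 and a margin of 2, seven passwords take three windows (ninety minutes) for everyone, and bob's first window holds a single guess. A threshold of 2 or less makes the planner refuse rather than silently lock people out.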
3. Identify secrets in shared folders
If you have a domain user, it is recommended to list the shared folders you have access to (for example, with smbclient). Occasionally, documents can be identified that contain some type of credential, which may be valid or serve as a starting point for guessing other passwords.
4. Identification of outdated systems
Verify that out-of-support and/or outdated operating systems are not in use. This type of equipment can be very useful, since it is highly likely to have vulnerabilities with public exploits. Even if they are not relevant targets in themselves, accessing them can be interesting in order to obtain the credentials they have stored. It is very important to notify the IT manager that you are going to use exploits, in case these could cause an outage of the company's services.
5. Account identification
It is interesting to carry out an initial enumeration process in which the target accounts that would allow the entire domain to be compromised are identified. During this enumeration phase, not only the Domain Admin accounts but also accounts with special permissions that allow movement within the domain should be identified. In the following points we will see why this is important.
6. Identification and abuse of accounts with Constrained Delegation
In an earlier point it was noted that accounts with high permissions had to be identified; this is one specific type of privileged account. These accounts can be delegated the power to impersonate any domain user against a specific list of services (the SPNs listed in their msDS-AllowedToDelegateTo attribute). Thanks to this, if an account with constrained delegation is compromised, it is possible to impersonate any user against the delegated services on those hosts, such as host, RPCSS, http, wsman, cifs or ldap (WinRM access goes through the http and wsman SPNs). Two caveats: impersonating arbitrary users without first obtaining a ticket from them requires protocol transition (the TRUSTED_TO_AUTH_FOR_DELEGATION flag in userAccountControl), otherwise the compromised account can only delegate users that have already authenticated to it with a forwardable ticket; and because the service name in a service ticket is not integrity-protected, a ticket obtained for one SPN on a host (for example cifs/FILE01) can be rewritten for any other service on that same host.
8. Identification and abuse of accounts with Unconstrained Delegation
This is another type of high-interest privileged account. These accounts (TRUSTED_FOR_DELEGATION in userAccountControl; domain controllers have it by default) are authorized to receive and store the Kerberos TGT of any account that authenticates to them. That is why, by accessing them, it would be possible to extract the tickets stored in their memory. On the other hand, it is also possible to carry out forced authentication attacks against this machine, that is, forcing any domain machine to authenticate to the compromised unconstrained machine (for example via the print spooler RPC coercion known as the printer bug). In this way, the new victim (the domain controller, for example) would send a copy of its TGT to the unconstrained machine, being
9. Identification and abuse of accounts with DCSync permissions
We continue with interesting privileged accounts. In this case it is necessary to identify accounts with DCSync permissions, that is, accounts that hold the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object. If we manage to compromise a credential with these permissions, we can carry out a DCSync attack, or in other words, pretend to be a domain controller that wants to synchronize its database (ntds.dit) with that of the real domain controller. In this way all domain hashes would be obtained, including those of the Domain Admins and the krbtgt account.
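The replication rights live in the DACL of the domain object, and the usual way to get at them offline is the SDDL string returned by tools such as dsacls or Get-ACL. The checker below is an added example, not code from the original article: it parses a constructed SDDL DACL, honours deny ACEs, treats GenericAll and an unscoped control-access ACE as covering every extended right, and reports which SIDs hold both replication rights that a DCSync needs. The domain SID and RIDs are made up; the extended-right GUIDs are the real, well-known ones.

```python
import re

# Extended-right GUIDs involved in directory replication (DCSync needs the first two).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPL_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL,
               DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET}

ADS_RIGHT_DS_CONTROL_ACCESS = 0x100       # "CR" in SDDL
ADS_RIGHT_GENERIC_ALL = 0x10000000        # "GA" in SDDL
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_rights(field):
    """SDDL rights are either a hex mask or concatenated two-letter codes."""
    if field.startswith("0x"):
        mask = int(field, 16)
        codes = set()
        if mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            codes.add("CR")
        if mask & ADS_RIGHT_GENERIC_ALL:
            codes.add("GA")
        return codes
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def replication_rights(sddl):
    """{sid: set of replication-right GUIDs} after subtracting deny ACEs."""
    dacl = DACL_RE.search(sddl).group(1)
    allowed, denied = {}, {}
    for ace in ACE_RE.findall(dacl):
        ace_type, _flags, rights, obj_guid, _inherit_guid, sid = ace.split(";")[:6]
        codes = parse_rights(rights)
        obj_guid = obj_guid.lower()
        if "GA" in codes:
            granted = set(REPL_RIGHTS)                    # GenericAll covers every extended right
        elif "CR" in codes:
            granted = set(REPL_RIGHTS) if obj_guid == "" else {obj_guid} & REPL_RIGHTS
        else:
            granted = set()
        if not granted:
            continue
        bucket = allowed if ace_type in ("A", "OA") else denied if ace_type in ("D", "OD") else None
        if bucket is not None:
            bucket.setdefault(sid, set()).update(granted)
    return {sid: g - denied.get(sid, set()) for sid, g in allowed.items()}

def dcsync_capable(sddl):
    """SIDs holding both Get-Changes and Get-Changes-All (what lsadump::dcsync or secretsdump need)."""
    needed = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
    return sorted(sid for sid, g in replication_rights(sddl).items() if needed <= g)

# Constructed DACL for a domain object; the domain SID is made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;GA;;;%s-512)" % DOM +                                                  # Domain Admins: GenericAll
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-9)" +                # Enterprise Domain Controllers
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-9)" +
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;%s-1104)" % DOM +          # backdoor user: both rights
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;%s-1104)" % DOM +
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;%s-1105)" % DOM +          # only Get-Changes: not enough
    "(OA;;CR;;;%s-1106)" % DOM +                                                # all extended rights ...
    "(OD;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;%s-1106)" % DOM +          # ... but -All explicitly denied
    "(A;;RPLCLORC;;;AU)"
)

if __name__ == "__main__":
    for sid in dcsync_capable(DOMAIN_SDDL):
        print("DCSync-capable:", sid)
```

Anything in the output that is not Domain Admins, Enterprise Admins, the domain controller groups or a known replication service account (Azure AD Connect's MSOL_ account is the classic legitimate exception) is a finding.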
10. Identification and abuse of Resource-Based Constrained Delegation
If attackers can identify an account with GenericWrite or GenericAll rights over a computer object (more precisely, write access to its msDS-AllowedToActOnBehalfOfOtherIdentity attribute), that account has the ability to configure resource-based constrained delegation on that computer, authorizing any domain principal it chooses to delegate to it. This means that, if we compromise this account, we can indicate that a principal we control (for example a computer account we created ourselves, if the machine account quota allows it) may request service tickets (TGS, Ticket Granting Service) on behalf of any user for services on that machine; if the writable computer object happens to be the domain controller's, that includes our main target.
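Points 6, 8 and 10 all come down to reading a handful of attributes on user and computer objects, so one classifier serves the three of them. The code below is an added example and not part of the original article: the account records are constructed to look like LDAP results, the userAccountControl bit values are the real ones, and writable_by is a made-up summary of who holds GenericWrite/GenericAll over each object (what BloodHound or a DACL dump would tell you), not a real LDAP attribute.

```python
# userAccountControl bits that matter for delegation (real values).
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # constrained delegation with protocol transition (S4U2Self)
SERVER_TRUST_ACCOUNT = 0x00002000            # domain controller computer account
WORKSTATION_TRUST_ACCOUNT = 0x00001000
NORMAL_ACCOUNT = 0x00000200

# Constructed LDAP-shaped records. "writable_by" is NOT an LDAP attribute: it summarises
# the principals holding GenericWrite/GenericAll over the object, as a DACL dump would show.
ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": [], "writable_by": ["Domain Admins"]},
    {"sAMAccountName": "BACKUP01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": [], "writable_by": ["Domain Admins"]},
    {"sAMAccountName": "WEB01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/FILE01.corp.local", "cifs/FILE01"], "writable_by": ["Domain Admins"]},
    {"sAMAccountName": "svc_report", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/SQL01.corp.local:1433"], "writable_by": ["Domain Admins"]},
    {"sAMAccountName": "FILE02$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": [], "writable_by": ["Domain Admins", "helpdesk"]},
]

def spn_host(spn):
    """'MSSQLSvc/SQL01.corp.local:1433' -> 'sql01.corp.local'."""
    return spn.split("/", 1)[1].split(":", 1)[0].split("/")[0].lower()

def classify_delegation(accounts, controlled_principals):
    """controlled_principals: groups/users the attacker already holds.
    Returns a list of findings; one account can appear more than once."""
    controlled = set(controlled_principals)
    findings = []
    for acct in accounts:
        name, uac = acct["sAMAccountName"], acct["userAccountControl"]
        targets = acct.get("msDS-AllowedToDelegateTo") or []
        if uac & TRUSTED_FOR_DELEGATION:
            findings.append({"account": name, "kind": "unconstrained",
                             "expected": bool(uac & SERVER_TRUST_ACCOUNT),   # DCs have this by default
                             "note": "TGTs of everyone who authenticates here are cached; coerce the DC to connect"})
        elif targets:
            transition = bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
            findings.append({"account": name, "kind": "constrained", "protocol_transition": transition,
                             "hosts": sorted({spn_host(s) for s in targets}),
                             "note": ("S4U2Self+S4U2Proxy: impersonate anyone to any service on these hosts"
                                      if transition else
                                      "no protocol transition: needs a forwardable ticket from a victim first")})
        writers = set(acct.get("writable_by", [])) & controlled
        if writers:
            findings.append({"account": name, "kind": "rbcd-candidate", "via": sorted(writers),
                             "note": "write msDS-AllowedToActOnBehalfOfOtherIdentity, then S4U from a "
                                     "principal with an SPN to get a ticket as any user to this host"})
    return findings

if __name__ == "__main__":
    for f in classify_delegation(ACCOUNTS, ["Domain Users", "helpdesk"]):
        print(f)
```

The "expected" flag is there so the domain controllers (which are unconstrained by design) do not drown out the one backup server somebody ticked "Trust this computer for delegation to any service" on. The "hosts" list for constrained delegation is deliberately host-level rather than SPN-level because of the service-name rewrite mentioned in point 6.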
11. Identification and abuse of Vulnerable Certificate Templates
This type of attack is based on using tools like Certify or Certipy to identify vulnerable certificate templates in the corporate CA (Active Directory Certificate Services). There are a number of possible vulnerable scenarios (catalogued as ESC1, ESC2 and so on) which allow an attacker to request certificates on behalf of other users, for example a Domain Admin or any privileged account, and then authenticate with them through PKINIT.
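What Certify and Certipy actually test for ESC1 and ESC2 is a conjunction of template attributes, and it is worth seeing it written out. This is an added example, not code from those tools or from the original article: the templates are constructed, simplified versions of the objects under CN=Certificate Templates in the Configuration partition (enrollment rights are summarised as a list of principal names), while the flag bits and EKU OIDs are the real ones.

```python
# Template attribute bits (real values).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # in msPKI-Enrollment-Flag: manager approval required

# EKU OIDs (real values).
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
EKU_ANY_PURPOSE = "2.5.29.37.0"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_PKINIT_CLIENT_AUTH, EKU_ANY_PURPOSE}

LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed templates. "enroll" summarises who has the Enroll right; "published" means the
# template is listed in a CA's certificateTemplates attribute; "ra_signatures" is msPKI-RA-Signature.
TEMPLATES = [
    {"name": "WebServer", "published": True, "enroll": ["Domain Admins"], "ekus": [EKU_SERVER_AUTH],
     "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "enrollment_flag": 0, "ra_signatures": 0},
    {"name": "VPNUsers", "published": True, "enroll": ["Domain Users"], "ekus": [EKU_CLIENT_AUTH],
     "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "enrollment_flag": 0, "ra_signatures": 0},
    {"name": "LegacyAnyPurpose", "published": True, "enroll": ["Authenticated Users"], "ekus": [EKU_ANY_PURPOSE],
     "name_flag": 0, "enrollment_flag": 0, "ra_signatures": 0},
    {"name": "Approved", "published": True, "enroll": ["Domain Users"], "ekus": [EKU_CLIENT_AUTH],
     "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS,
     "ra_signatures": 0},
    {"name": "Unpublished", "published": False, "enroll": ["Domain Users"], "ekus": [EKU_CLIENT_AUTH],
     "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "enrollment_flag": 0, "ra_signatures": 0},
]

def template_issues(t):
    """Return the ESC classes (ESC1/ESC2 only) a template falls into."""
    ekus = set(t["ekus"])
    low_priv_enroll = bool(set(t["enroll"]) & LOW_PRIV_PRINCIPALS)
    no_manager_approval = not (t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    no_ra_signature = t.get("ra_signatures", 0) == 0
    # All four preconditions are shared: otherwise a low-priv user cannot get the cert issued at all.
    if not (t["published"] and low_priv_enroll and no_manager_approval and no_ra_signature):
        return []
    usable_for_logon = bool(ekus & AUTH_EKUS) or not ekus   # no EKU at all also works for client auth
    issues = []
    if t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and usable_for_logon:
        issues.append("ESC1")   # requester chooses the SAN: ask for a cert with a Domain Admin's UPN
    if EKU_ANY_PURPOSE in ekus or not ekus:
        issues.append("ESC2")   # any-purpose / no EKU: logon-capable and usable as an enrollment agent
    return issues

def vulnerable_templates(templates):
    return {t["name"]: template_issues(t) for t in templates if template_issues(t)}

if __name__ == "__main__":
    for name, issues in vulnerable_templates(TEMPLATES).items():
        print(name, issues)
```

Note how the same subject-supplied template is harmless when only Domain Admins can enroll in it, when it requires manager approval, or when it is not published on any CA; a flag in isolation is not a finding.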
12. Identify Services
It is possible that in Active Directory environments there are machines with services deployed other than those of Active Directory itself (although it is not good practice), for example Jenkins or SQL Server. It is important to identify these services and check whether they are vulnerable, since in many cases they can serve as an entry point to the machine they run on. The ideal situation for an attacker would be to identify a service they can exploit that is being run by a user who is a local administrator of the machine. In this way, by achieving remote code execution through the exploitable service, it would be possible to compromise the entire machine.
13. Kerberoasting
This is an attack based on the exploitation of service accounts that have associated Service Principal Names (SPNs). These SPNs are records that associate a specific service or application with a service account in the domain. The objective of Kerberoasting is to request service tickets for these service accounts and then crack them offline to recover the original passwords. This is possible because part of the requested ticket is encrypted with a key derived from the service account's password: any authenticated domain user can request the ticket, and each password guess can then be checked locally without touching the domain again. Tickets issued with RC4 (etype 23) crack far faster than AES ones, so accounts whose msDS-SupportedEncryptionTypes still allows RC4 are the first targets.
14. Credential Extraction
Once any machine has been compromised, the procedure to follow is to extract from it any stored credentials. Tools like Mimikatz can be used for this (LSASS memory, the SAM database, LSA secrets and cached domain logons). These credentials can be useful for lateral movement across the domain, compromising the machines on which the collected users are local administrators.
We have just seen only a few of the most used techniques during an audit, but attackers discover new techniques every day, each one more innovative. For this reason we invite you to investigate and discover your own paths to controllers of