Active Directory (AD) lies at the heart of your organization’s Windows network, silently orchestrating user access, authentication, and security. But do you truly understand its workings? This blog peels back the layers of AD, revealing its core components and how they empower centralized control. Explore how AD streamlines administration, enhances security, and ensures seamless network operations.
What is Active Directory?
Active Directory is a service developed by Microsoft for Windows domain networks. It offers a centralized location for network administration and security and is present in the majority of Windows Server operating systems. AD manages user authorization and authentication, giving network administrators centralized control over users, PCs, printers, and other devices.
AD can be perceived as a phone book that contains all kinds of information, such as computers, users, printers, and other devices. Active Directory allows a user to use single credentials to authenticate throughout the network.
- Components of AD
- Domains:
- Basic units of organization within AD.
- Domains hold collections of objects (such as users, computers, and groups) that share a common database.
- Each domain has its own security policies and authentication mechanisms.
- Trees:
- A collection of one or more domains grouped together in a hierarchical structure.
- Domains within a tree share a contiguous namespace (e.g., example.com, sub.example.com).
- Forests:
- The topmost logical container in AD.
- A forest can contain multiple domain trees.
- Domains within a forest share a common schema and global catalog but may not have a contiguous namespace.
- Organizational Units (OUs):
- Containers used to organize objects (users, groups, computers) within a domain.
- OUs help manage and delegate administrative tasks by logically grouping related objects.
- Group Policy Objects (GPOs):
- Tools for defining and enforcing settings (policies) for users and computers.
- GPOs can be linked to domains, OUs, and sites to control security, software installation, and other configurations across the network.
- Domains:
- Key Terminology
- Users: These are individual accounts created for people who need access to the network. Each user account has a unique username and password for authentication and authorization.
- Groups: Groups are collections of user accounts, computer accounts, or other groups. They simplify administration by allowing permissions and policies to be applied collectively rather than individually.
- Computers: These represent physical or virtual machines within the network. Computer accounts are used to manage and authenticate machines as part of the domain.
- Trusts: Trusts are relationships established between different domains, allowing users in one domain to access resources in another domain. Trusts can be one-way or two-way and facilitate resource sharing and collaboration across different parts of the network.
- Importance of AD Security
- Central Control Point: Active Directory (AD) functions as the central hub for managing user access, authentication, and permissions. If compromised, attackers can gain control over the entire network.
- Data Protection: AD stores sensitive information about users, computers, and devices. Strengthening AD security is crucial to safeguard this critical data from unauthorized access and breaches.
- Mitigation of Attacks: AD is a common target for cyberattacks, including phishing, ransomware, and insider threats. Enhancing AD security helps prevent these attacks and reduces the risk of successful breaches.
Active Directory Attacks
Active directory attacks are divided into three different phases which are mentioned below.
- Initial Attack Vector on AD.
- Post-compromise Enumeration
- Post-compromise Attacks.
1. Initial Attack Vector on AD
Let’s suppose, We have established a foothold in an Active Directory (AD) environment by gaining access to a Windows machine within the organization. The following bypasses and attacks are some of the initial steps, we can take to further bypass the security mechanism that would allow us to execute the malicious scripts in the AD environment.
- Bypasses
- AMSI Bypass
- DLP Bypass
- Powershell attacks – Downgrading, Policy bypass
- AV and Monitoring bypass
- Attacks
- LLMNR Poisoning
- Capturing NTLMv2 Hashes
- Cracking the hashes
- SMB Relay Attacks
- LDAP Relay Attacks
- IPv6 MiTM Attacks
- Enumerating Kerberos for usernames
- Enumerating usernames using rpclient
- AS-Rep Roasting
- Enumerating SMB Shares
2. Post-compromise Enumeration
Now that We’ve obtained access and gathered data from the initial attacks, it’s time to perform enumeration on the Active Directory (AD) environment. This process involves gathering additional information to better understand the AD structure and identify potential vulnerabilities or attack paths. Let’s explore the steps for enumeration:
- Powerview Enumeration: Utilize Powerview, a powerful PowerShell script, to query AD objects, discover group memberships, and uncover potential attack vectors.
- BloodHound/SharpHound Enumeration: BloodHound is a visualization tool that relies on data collected by SharpHound. SharpHound gathers information about users, groups, ACLs, and more. Analyzing this data helps identify privilege escalation opportunities.
- Enumeration with Server Manager: Consider using Server Manager (available on Windows Server) to explore AD-related components, such as domain controllers, DNS servers, and group policies.
3. Post-compromise Attacks
We’ve gathered the necessary data, let’s discuss some targeted attack strategies for other systems and components within the Active Directory (AD) environment:
- Dump Hashes w/ Mimikatz: Mimikatz is an open-source hacking tool that extracts credential information from compromised Windows machines. It highlights vulnerabilities in Microsoft authentication protocols, such as Windows New Technology LAN Manager (NTLM). Over time, Mimikatz has become a standard tool for penetration testing and red team engagements.
- Extract credential data from memory or on-disk password stores (including plaintext passwords, pin codes, Kerberos tickets, and NTLM password hashes).
- Perform lateral movement by authenticating to other machines within the local network using stolen credentials (e.g., creating golden tickets or using pass-the-hash techniques).
- ACL Enumeration: Access Control Lists (ACLs) regulate access to objects like user accounts, groups, and organizational units. Each object has a security descriptor containing its ACL, which outlines permissions granted by the Discretionary Access Control List (DACL). The DACL specifies who can perform actions on the object.
This information helps the attacker to escalate privileges, maintain persistence, or further exploit the compromised environment. - Pass the hash/password: Pass-the-Hash is an attack technique where attackers use hashed passwords to authenticate to a remote server or service without knowing the actual plaintext password. This can allow attackers to move laterally within a network and gain higher levels of access.
If an attacker can obtain a hashed password, they can use it to access other systems and escalate their privileges without needing to crack the hash. - Sensitive file dumping: Attackers often seek to extract sensitive files that can provide valuable information for further exploitation. Key targets include unattend.xml, files in the SYSVOL directory, SAM and SYSTEM files, and the NTDS.dit file
- unattend.xml: This file contains configuration settings used during Windows installation. Attackers may extract it to discover system details, such as domain names, usernames, and passwords.
- SYSVOL Directory Files: The SYSVOL directory stores Group Policy objects and scripts. Attackers might seek sensitive files within this directory, such as login scripts or Group Policy preferences, which could reveal credentials or other critical information.
- SAM and SYSTEM Files: The Security Account Manager (SAM) database stores local user account information, including password hashes. The SYSTEM file contains system-specific data. By extracting these files, attackers can attempt offline password cracking or pass-the-hash attacks.
- NTDS.dit File: The NTDS.dit file is part of Active Directory (AD) and contains user account information, including password hashes. Extracting this file allows attackers to perform offline attacks against AD accounts.
- TGT Harvesting: TGT harvesting refers to the process of extracting Ticket Granting Tickets (TGTs) from memory or network traffic. By doing so, attackers can gain access to network resources without requiring the user’s password. Essentially, it’s a technique used to exploit authentication mechanisms.
- Pass the Ticket w/ mimikatz : Pass-the-Ticket is an attack technique where attackers use stolen Kerberos tickets (TGTs or service tickets) to authenticate to services within the network. This can allow attackers to move laterally and escalate their privileges.
Kerberos tickets can grant access to various resources within the network. If an attacker obtains a ticket, they can impersonate the ticket holder and access sensitive data and systems. - Golden / Silver Ticket Attack: Kerberos is an authentication protocol commonly used in Active Directory (AD) environments to verify user identities. The process involves the issuance of tickets by a Key Distribution Center (KDC) , which includes the Ticket Granting Ticket (TGT) and Service Tickets (TGS).
- Golden Ticket: An attacker can create a forged TGT by gaining access to the KRBTGT account hash. With a Golden Ticket, the attacker gains indefinite access to any service within the domain, bypassing normal authentication.
- Silver Ticket: Similarly, an attacker can create a forged TGS by accessing the service account’s hash. A Silver Ticket provides access to specific services without requiring a valid TGT.
- Kerberoasting: Kerberoasting is an attack technique that exploits the Kerberos authentication protocol in AD. Attackers request service tickets for service accounts, and then attempt to crack the ticket offline to retrieve the plaintext password.
Service accounts often have elevated privileges. If an attacker successfully cracks the ticket, they can gain access to critical systems and data. - Skeleton Key: A Skeleton Key is a type of malware that infiltrates the memory of a Domain Controller (DC). It alters the authentication process to accept a “master” password alongside the legitimate user password. As a result, an attacker can log in as any user using the master password, effectively bypassing normal authentication mechanisms.
- DCsync attack: DCsync is a type of attack where the attacker uses the Directory Replication Service Remote Protocol (MS-DRSR) to mimic the behavior of a domain controller. By doing so, the attacker can request replication of user account credentials, including password hashes, from other domain controllers.
- Man-in-the-Middle (MITM) Attack: An MITM attack occurs when an attacker intercepts and potentially alters communication between two parties who believe they are directly communicating with each other. This can compromise sensitive AD communications, such as authentication processes and data exchanges.
Final Words
As organizations continue to depend on Active Directory for managing network resources and user access, a thorough grasp of its functionalities and security considerations is indispensable. Vigilant management and continuous improvement of AD security practices will help safeguard against emerging threats and maintain a secure network infrastructure. Embrace a proactive approach to ensure your AD environment remains secure and operational.
Authors
Raushan:
He is an avid security enthusiast with experience over Active Directory, Linux Environments and Application security. He has extensive interest and contributes in breaking security restrictions in applications on internet and windows environments. He is a certified OSCP.
Prakash:
He is an experienced professional skilled in Cloud Security, Active Directory Exploitations, Compliance and Application Security. He contributes to open source community projects and is certified OSCP, CISA, AWS/Azure Security.
Shubham:
He is a skilled security professional with expertise in Active Directory , Linux Environments, network service and device exploitations. He also has extensive interest in breaking security in internet devices over VoIP, Active Directory etc. He is CEH, CHFI and CRTO Trained professional.