08 Feb, 2023

ACTIVE DIRECTORY PENETRATION TESTING

What is Active Directory (AD)?

Imagine you have a Windows-based network in your company that has various network objects: servers, domains, computers, printers and other services. All the information about these resources needs to be organized in a hierarchy and stored somewhere so that you can manage your business network effectively and give users access to the resources they need.

AD is a Microsoft technology that solves these challenges. It is presented as a database, or directory, that stores all the information about organizational units and their credentials and defines their permissions and authorization. More than 2 billion objects can be created in AD, which makes it usable in companies with hundreds of thousands of computers and users. This makes AD a critical component of business infrastructure, and vulnerabilities such as Broken Access Control, Identification and Authentication Failures, and Sensitive Data Exposure from the OWASP Top 10 can have destructive consequences for the company and its users.

Let's dive deeper. How is AD structured, and how does it store information?

First of all, we are not talking about just any device that runs Windows, but about one that also runs Active Directory Domain Services, which define specific roles and functions for it with their own protocols. This article covers only local AD, but be aware that there is another technology for cloud environments: Azure AD.

AD consists of domains, which are parts of domain trees and forests (or groups) with their root domain; Windows servers with the domain controller role, which store a copy of the directory for the entire domain; and finally the directory itself, whose structure partitions the information about objects. Partitioning is needed to structure and store different types of information in different places. The design of the data organization is called a schema. One of the partitions is Domain data, which holds all the critical information about network objects (usernames, emails, passwords) and changes to their state (password change, user deletion, user creation, etc.).

When changes are saved to one domain controller (or Windows server), they are copied to other domain controllers. This process is called replication. So how do users and applications find information about a specific object among all of the information stored in different places?

Suppose you want to find a printer in the system. The printer has its own ID number, which is stored not only in its own directory in the domain controller, but also in the Global Catalog. Global Catalog is a domain controller that keeps a full copy of all objects in its domain directory and a partial copy of all objects of all other domains in its domain forest. So you will find information about the printer faster thanks to it. But remember, the information about the printer will remain within the boundaries of a certain domain forest. This object cannot interact with objects from other domain forests. However, this can be configured by administrators. This is done for security reasons, and only administrators can set permissions for such interactions.

What happens if the Global Catalog stops working?

The entire database is stored on this domain controller, so if it fails, the entire system will be unavailable. To prevent this, one or more duplicate domain controllers are kept through replication, ideally automatically. If one replica fails, it will not disrupt the entire system, as the others will continue to work.

Speaking from a security perspective, AD is all about authorization to the network, and its effectiveness as a security asset depends on how up to date its services, patches and security protocols are. The default protocols used in AD are LDAP (Lightweight Directory Access Protocol) and DNS (Domain Name System). The most basic requirement for the authentication services is this: when a user, device or app tries to use a network object (PC, server, printer), these services allow the action if the necessary rights are present and block it otherwise.

It all starts small

It all starts with compromising parts of the infrastructure. The entry points for the hacker are the weakest and most vulnerable places in the system: most often they are unpatched, run outdated software versions, have weak policies and gaps in antivirus and antimalware deployment, and lack up-to-date security.

On the other side of the coin is the increase in the complexity of the system and its oversaturation with services, technologies, and security solutions. The main enemy of security is complexity. The more complex the system is, the more resources are needed to maintain it, the more difficult it is to understand and monitor, and the more entry points arise for the hacker.

The most attractive targets for the hacker are the accounts of highly privileged users. It is not just about default, easy-to-guess usernames and passwords. Sometimes such users expose their credentials to theft (logging in on an insecure computer, browsing the Internet with a highly privileged account and saving credentials in the browser, opening phishing emails). Without administrative monitoring of anomalous actions by users with access to sensitive data, a hacker can freely change system configurations without being noticed. In addition, if the system does not explicitly restrict the rights of administrators, the hacker can cover as wide an attack area as possible.

It is also worth paying attention to the fact that AD backups are not always sanitized: if there are any backups at all! Information about most network objects or even all of AD schema may remain in the backups. As soon as a user logs into the domain controller he or she has access to almost all the information in the network.

Listen to Statistics

Back in 2015, Microsoft estimated that 95 million AD accounts were under attack every day. Fast forward to today: COVID-19 and, later, the war in Ukraine have dramatically changed the workplace. In our cloud- and mobile-centric world, the reliance on AD is skyrocketing, as is the attack surface.

In Ukraine, 4 cases of serious attacks on AD have been recorded since the beginning of the war: HermeticWiper, CaddyWiper, RansomBoggs, Prestige. And these are just the most famous cases of 2022. The actual number of attacks is much higher. These are not the only and certainly not the last cases of attacks. And this once again confirms the need for reliable protection, timely response to an attack and rapid remediation of its consequences. 

The consequences of such attacks hit the budget hard. In most cases, hackers use ransomware. Ransom payments encourage new attacks, fund terrorism, and offer no guarantees. But the alternative is often even more expensive, with global ransomware damages projected to reach $20 billion USD by 2021.

Organizations are woefully unprepared: in a widespread outage, you must recover AD before you can recover your business. But according to a poll by the SANS Institute, only one in five organizations has a tested plan in place for recovering AD after a cyberattack.

More than 50% of respondents have never actually tested their AD cyber disaster recovery process, or have no plan in place at all. Good news for the hackers!

The most common AD attacks with exploits

Pass the Ticket 

The attacker gains unauthorized access to a network by using stolen credentials. He or she uses a valid authentication ticket (a type of password) to gain access to the network. This allows the attacker to move laterally within the network, compromising multiple systems and potentially stealing sensitive information.

! Use Kerberos Pre-Authentication tool for exploiting a vulnerability in the Kerberos authentication protocol to gain access to AD resources.

! Use Mimikatz to extract sensitive information from Windows systems (memory), including usernames and passwords.

Pass-the-Hash

The attacker is able to steal a user's password hash (a type of encrypted password) and use it to gain unauthorized access to a network. Instead of cracking the hash to determine the actual password, the attacker can simply pass the hash to the network, bypassing the need to enter the password (because the hash changes only when the password itself is changed), and gain access as the compromised user.

! Use Responder tool for capturing and exploiting the NTLM hashes of AD users.

Password Spraying

Password spraying is a type of attack that targets multiple user accounts with a few commonly used passwords, instead of using a large number of passwords for each individual account. The idea is that, even if a large percentage of users have strong passwords, a small percentage may use easily guessable passwords, such as "123456" or "password". The attacker will spray these weak passwords across many accounts, hoping to find a match and gain access to the network. This type of attack is particularly effective against organizations with a large number of users, as the attacker can potentially compromise a significant number of accounts with a relatively small number of password attempts.
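
The following Python detector is an added example, not code from the original article. It flags a source that fails to log on to many distinct accounts with only a few attempts each inside a sliding time window; the event records, the thresholds and the name detect_spray are assumptions constructed for illustration (4625 and 4771 are the Windows failed-logon and Kerberos pre-authentication failure event IDs).

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILURE_EVENT_IDS = {4625, 4771}  # failed logon, Kerberos pre-auth failed

# Constructed sample records: (timestamp, event ID, source IP, target account).
SAMPLE_EVENTS = (
    # One source, six accounts, one failure each within minutes: spray pattern.
    [(f"2023-02-08T09:0{i}:00", 4771, "10.0.5.23", name)
     for i, name in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # One user mistyping a password: many failures, single account.
    + [(f"2023-02-08T10:0{i}:00", 4625, "10.0.7.8", "jsmith") for i in range(6)]
    # Five accounts from one source, but spread over five hours.
    + [(f"2023-02-08T1{i}:00:00", 4625, "10.0.9.40", f"svc{i}") for i in range(5)]
    # Successful logon, ignored by the detector.
    + [("2023-02-08T09:10:00", 4624, "10.0.5.23", "alice")]
)


def detect_spray(events, window=timedelta(minutes=30),
                 min_accounts=5, max_per_account=2):
    """Map source IP -> accounts for sources that fail against at least
    min_accounts distinct accounts, each tried at most max_per_account
    times, inside one sliding time window."""
    by_source = defaultdict(list)
    for ts, event_id, source, account in events:
        if event_id in FAILURE_EVENT_IDS:
            by_source[source].append((datetime.fromisoformat(ts), account.lower()))

    findings = {}
    for source, failures in by_source.items():
        failures.sort()
        start = 0
        for end in range(len(failures)):
            # Advance the left edge until the span fits inside `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            counts = Counter(acct for _, acct in failures[start:end + 1])
            low_volume = sorted(a for a, n in counts.items() if n <= max_per_account)
            best = findings.get(source, [])
            # Keep the widest set of accounts seen in any single window.
            if len(low_volume) >= min_accounts and len(low_volume) > len(best):
                findings[source] = low_volume
    return findings


if __name__ == "__main__":
    for source, accounts in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {source}: {', '.join(accounts)}")
```

The per-account ceiling is what separates a spray from a single user repeatedly mistyping a password, so it should sit at or below the domain's account lockout threshold.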

Golden Ticket

The attacker creates a fake authentication ticket, known as a "Golden Ticket" (think of Willy Wonka's chocolate factory), that can be used to gain unauthorized access to the whole AD network. The attacker can use the Golden Ticket to impersonate any user in the network, including privileged users. This type of attack is particularly dangerous as it can bypass traditional security measures and can remain undetected for a long period of time.

DCShadow

The attacker creates fake AD objects, such as user accounts or groups, and modifies existing objects, such as password policies in the shadow copy of the AD database. Changes made to the shadow copy do not appear in the actual AD database. The attacker can then use the fake objects to gain unauthorized access to the network and then compromise the security of the entire network by targeting the domain controllers, the central repository of all AD information.

! Use Mimikatz to perform DCShadow attack. 

! Use Metasploit for developing and executing exploits.

CWE References

CWE-532 Information Exposure Through Directory Listing: If Directory Listing is allowed on the host (this option can be configured), then the contents of the directory can be easily enumerated by the attacker. This can provide the attacker with valuable information, such as the names of configuration files or sensitive data, which can then be used to carry out further attacks.

CWE-255 Credentials Management: Weaknesses in the way that credentials are stored, managed, and protected, leading to the risk of theft or unauthorized access.

CWE-306 Missing Authentication for Critical Function: Weaknesses in the way that AD applications implement authentication controls, leading to the risk of unauthorized access to sensitive information.

CWE-306 Authentication Bypass by Alternate Name: Weaknesses in the way that AD applications handle alternative names for users, leading to the risk of unauthorized access.

CWE-311 Missing Encryption of Sensitive Data: Weaknesses in the way that AD applications encrypt sensitive information, leading to the risk of data theft or exposure.

CWE-522 Insufficiently Protected Credentials: Weaknesses in the way that AD applications store and manage sensitive information, such as credentials, leading to the risk of theft or exposure.

Pentesting process: Reconnaissance

Use WADComs as a cheat sheet, along with the HackTricks AD testing methodology and the little mindmap for AD pentesting. In this article we will focus in detail on the Recon phase.

Collect all the information about the network architecture, the types of resources used and stored in AD, and the types of organizational units and groups and their privileges for accessing the network. Collect IP addresses, domains and hostnames. Explore the company docs, websites, social media profiles, job postings, and other publicly accessible sources. Scan all ports with the automated tool Nmap and its scripts to determine which services are running on each host, and identify potential vulnerabilities in the target network or its entry points.

! Use Bloodhound or ADEnum for visualizing and analyzing the relationships between users, computers, and other objects in an AD environment.

To collect information about open ports and services on them, use these nmap techniques:

     nmap -sP <ip>                                  # ping scan
     nmap -PN -sV --top-ports 50 --open <ip>        # quick scan
     nmap -PN -sC -sV <ip>                          # classic scan
     nmap -PN -sC -sV -p- <ip>                      # full scan
     nmap -sU -sC -sV <ip>                          # udp scan
     nmap -PN --script "smb-vuln*" -p139,445 <ip>   # search smb vulns

Nmap also can be used to run custom scripts, known as NSE (Nmap Scripting Engine) scripts, to perform specific tasks.  

     nmap --script ldap-search.nse <ip>

Perform an LDAP search of the target environment and gather information about the AD structure.

     nmap --script msrpc-enum.nse <ip>

Gather information about the target environment’s Microsoft Remote Procedure Call (RPC) services, including the names of users and groups.

     nmap --script smb-enum-domains.nse <ip>

Enumerate the domains in the target environment and gather information about the domain structure.

     nmap --script smb-enum-groups.nse <ip>

Enumerate the groups in the target environment and gather information about the group structure.

     nmap --script smb-enum-users.nse <ip>

Enumerate the users in the target environment and gather information about the user structure.

Enumerate LDAP (Lightweight Directory Access Protocol)

LDAP enumeration involves querying the LDAP directory service with tools such as ad-ldap-enum and Nmap scripts.

     nmap -n -sV --script "ldap* and not brute" -p 389 <dc-ip>

Enumerate AD IP

     nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>

List guest access on SMB share

     enum4linux -a -u "" -p "" <dc-ip> &&
     enum4linux -a -u "guest" -p "" <dc-ip>
     smbmap -u "" -p "" -P 445 -H <dc-ip> &&
     smbmap -u "guest" -p "" -P 445 -H <dc-ip>
     smbclient -U '%' -L //<dc-ip>
     smbclient -U 'guest%' -L //<dc-ip>
     cme smb <ip> -u '' -p ''
     cme smb <ip> -u 'a' -p ''

Enumerate users 

     enum4linux -U <dc-ip> | grep 'user:'
     crackmapexec smb <ip> -u <user> -p '<password>' --users
     nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='<domain>',userdb=<users_list_file>" <ip>

Additional Tools for Recon

CrackMapExec for executing post-exploitation modules in an AD environment.

Aclpwn for exploiting misconfigured ACLs in AD environments.

ADExplorer for exploring and editing AD objects and attributes.

Conclusion

Active Directory is a centralized database in Microsoft's Windows server environment used by organizations to manage user and computer accounts and access to network resources. It is important to know how it needs to be designed, deployed, managed, monitored and secured to successfully test it for known vulnerabilities. Remember that the strength of AD security is determined by how well its smallest, weakest points are secured.

Cryeye has dozens of different audits aimed at identifying weaknesses in Active Directory. And the number of audits is growing every day. It includes vulnerability audits, collecting information about users, hardware used, password hashes, domains, administrators, and domain controllers. All information is visualized and displayed so that even a user without deep technical knowledge can easily understand it and, subsequently, eliminate weaknesses. 

Thanks for reading! 