
Active Directory

active directory concepts and main attack paths

Active Directory

AD is based on the X.500 and LDAP protocols that came before it and still uses them in some form today. AD provides authentication, accounting, and authorization functions within a Windows enterprise environment.

It is designed to be backward-compatible, many of its features are arguably not "secure by default," and it is easily misconfigured. These weaknesses can be leveraged to move laterally and vertically within a network and gain unauthorized access. AD is essentially a sizeable read-only database accessible to all users within the domain, regardless of their privilege level.

Table of Contents

Fundamentals:

AD History

AD Trusts and structure

AD Terminology

AD Objects

AD Functionality

AD Accounts and Groups

Protocols:

Kerberos, DNS, LDAP, MSRPC

NTLM Authentication

Methodology:

AD PT Methodology

AD Password Spraying

BloodHound

Tools

Common tools

Main Attack Path

The types of keys are defined in the Kerberos section.

Kerberoast

  • Target: user/service/security principal account with a human-defined password
  • Require: user access to AD
  • Scope: collect a ST and crack the weak service key to retrieve credentials

Asreproast

  • Target: user/service/security principal with Kerberos pre-authentication disabled
  • Require: user access to AD
  • Scope: collect a TGT and crack the weak user session key to retrieve credentials

PTK

  • Target: user/service/security principal
  • Require: access to the AD infrastructure and knowledge of the user's key or password
  • Scope: impersonate the target by obtaining the user's TGT and use it to access different services

DCSync

  • Target: Domain Controller
  • Require: Domain Admin privileges (specifically the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights)
  • Scope: retrieve Domain Controller data by simulating the replication behaviour of a domain controller; the data typically obtained are
    • LM and NT password hashes
    • Passwords stored using reversible encryption
    • Kerberos keys (DES, AES128 and AES256)
    • Domain controller’s SAM secrets
    • Domain controller’s LSA secrets
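
Detection-side view of the Kerberoast and DCSync paths above, as an added example that is not part of the original post: it triages constructed Windows Security event records (Event ID 4769 service-ticket requests using RC4 and Event ID 4662 uses of the replication rights named above) and flags the ones a defender would want to review. The field names, the machine-account heuristic and the sample records are assumptions.

```python
# Triage of constructed Windows Security events for DCSync (Event ID 4662
# with replication rights) and Kerberoast (Event ID 4769 with RC4, 0x17).
# Added example, not from the original post; all records are constructed.

# Well-known control-access right GUIDs used by directory replication.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC

# Constructed sample events; field names follow the 4662/4769 EventData names.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12"},
]

def is_machine_account(name: str) -> bool:
    """Machine accounts end in '$'; DCs replicate legitimately. Assumption:
    a real deployment compares against its actual list of DC accounts."""
    return name.endswith("$")

def dcsync_candidates(events):
    """Non-DC principals exercising replication rights (possible DCSync)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662 or is_machine_account(ev["SubjectUserName"]):
            continue
        guids = [tok.strip("{}").lower() for tok in ev["Properties"].split()]
        rights = [REPL_GUIDS[g] for g in guids if g in REPL_GUIDS]
        if rights:
            hits.append((ev["SubjectUserName"], rights))
    return hits

def kerberoast_candidates(events):
    """RC4 service tickets for non-machine SPN accounts (possible Kerberoast)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        if (ev["TicketEncryptionType"].lower() == RC4_HMAC
                and not is_machine_account(ev["ServiceName"])):
            hits.append((ev["TargetUserName"], ev["ServiceName"]))
    return hits
```

Running both functions over SAMPLE_EVENTS flags only the non-DC account using DS-Replication-Get-Changes-All and the RC4 ticket for the svc_sql account; the DC's own replication and the AES ticket for a machine account are left alone.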

Golden ticket

  • Target: KDC
  • Require: Domain admin privileges or krbtgt key
  • Scope: forge a TGT with a PAC, used for lateral movement

Silver ticket

  • Target: Service
  • Require: service key
  • Scope: forge a ST with a PAC to access the target service

Group Policy

  • Target: GPOs
  • Require:
    • WriteProperty on the GPC-File-Sys-Path property of a GPO (specific GUID specified)
    • GenericAll / GenericWrite / WriteProperty on any property (no GUID specified)
    • WriteDacl / WriteOwner
  • Scope: perform malicious actions by editing existing GPOs

[TODO]

https://www.thehacker.recipes/ad/movement/trusts/

https://www.thehacker.recipes/ad/movement/kerberos/delegations/unconstrained

https://www.thehacker.recipes/ad/movement/kerberos/delegations/constrained

[Useful resources]

https://github.com/Orange-Cyberdefense/ocd-mindmaps

https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet

This post is licensed under CC BY 4.0 by the author.