Active Directory
Introduction and Exploitation
Active Directory is a topic that most learners find difficult to understand, and with its growing presence in the industry, aspiring pen-testers are keen to exploit it in practice labs. Therefore I decided to write a blog post on it so that learners could find it easier to understand.
What is Active Directory and why to use it?
Active Directory, commonly known as AD, is a proprietary directory service developed by Microsoft that runs on Windows Server. It is a collection of machines and servers that are connected internally as a single domain. The key function of AD is to allow administrators to manage and control access to network resources for each internal machine or server.
Data inside AD is stored in the form of objects. By objects we mean users, groups, applications and devices, which are categorized according to their names and attributes.
The main service in Active Directory is Domain Services, which stores information related to the directory and handles user interaction with the domain. This is one reason to use AD: it allows a single user to log in from any computer joined to the domain and access their files as well as the local files available on that computer. This lets an organization use any computer it owns instead of creating multiple user accounts on a single computer.
Components of Active Directory
To become familiar with Active Directory, one should have an idea of its components. I'll cover each component briefly, in a way that is easy to understand.
Domain Controllers
A domain controller is a server responsible for the authentication and authorization services that allow us to access the data held in the Domain Services data store.
Forest, Trees and Domains
The forest is the container that holds everything together, making it the highest level of the organization's control. A forest is a collection of trees, and a tree is a collection of domains arranged in a logical hierarchy. A domain, in turn, represents a group of objects in the AD database.
Users and Groups
Users are the core of Active Directory; a user can be a human or an automated program interacting with AD for a particular task.
There are four types of users:
- Domain Admins: They are the rulers of the AD and the only user type that can access the Domain Controller.
- Service Accounts: Windows requires these users so that services can be paired with a service account. They can be used for most things except maintenance.
- Local Admins: These users are allowed to make changes on their local machines and can control normal users. They have no access to the domain controller.
- Domain Users: They are the normal users who interact with AD on a daily basis.
Coming to groups: a group is a collection of users, which lets admins assign permissions to all the users in a particular group efficiently.
There are two types of groups:
- Security Groups: They are used to specify permissions for a large number of users.
- Distribution Groups: They are used to specify email distribution lists.
Trusts
Trusts in AD enable a user to access other resources in the domain with proper authorization.
Policies
We can define policies as the set of rules according to which the AD server operates and reacts to incoming requests. They can be applied to the complete AD, to particular domains, to users and even to groups.
Domain Services
Domain Services is the core function of Active Directory, as it allows admins to manage the users and devices connected to the server and to organize the data into logical hierarchies. Along with this, it provides security certificates, SSO, LDAP and rights-management features.
Benefits of Active Directory
- Centralized resources, resulting in better management.
- Better security due to role-based access controls.
- Simplicity.
- SSO for global resource access.
- Redundancy support.
What is Kerberos?
We have talked a lot about the authorization and authentication system in Windows domain services, but what actually handles this process? It is Kerberos, the default authentication system in Windows domain servers.
It is made more secure by using a ticket-based authorization system and strong encryption instead of the standard NTLM hashes.
How does Kerberos Work?
Kerberos uses symmetric encryption and a Key Distribution Center (KDC), which is a trusted third-party service.
When authentication is initiated, a ticket request is made to the KDC, which returns a login ticket along with a session key. Another ticket request is then made, together with that authentication, for the required resource or service, and the server sends the authorization for the resource once the request is validated.
Common Terminologies
- Ticket Granting Ticket (TGT): It acts as an authentication ticket that can be used to request service tickets from the TGS for a specific resource in the domain.
- Key Distribution Center (KDC): It is the service that issues the TGTs and service tickets. It is a combination of the Authentication Service and the Ticket Granting Service.
- Authentication Service (AS): As the name says, this service issues the TGTs, which are then presented to the TGS to make a resource or service request in the domain.
- Ticket Granting Service (TGS): This service takes a TGT as input and returns a ticket to a resource in the given domain.
- Service Principal Name (SPN): It is an identifier given to each service instance to associate it with the domain service account.
- Session Key: This is like a normal login session key, used to check whether the user is authenticated. It is generated by the KDC when the user requests a TGT.
- Privilege Attribute Certificate (PAC): The PAC stores all of the user's required data, which is sent when the user requests a service in order to validate him.
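To make the two exchanges and the terms above concrete, here is a simplified simulation of the AS and TGS flow, added as an example and not code from the original post or from any real KDC implementation. The cipher, the key derivation, the krbtgt secret and the principal names are constructed stand-ins; real Kerberos uses AES/RC4 ticket encryption and ASN.1-encoded messages.

```python
import hashlib, hmac, json, os

def kdf(secret: str) -> bytes:  # long-term key from a password (toy stand-in for Kerberos key derivation)
    return hashlib.sha256(secret.encode()).digest()

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (SHA-256 keystream + HMAC tag); illustration only, not Kerberos crypto."""
    data, nonce = json.dumps(obj).encode(), os.urandom(8)
    stream = hashlib.sha256(key + nonce).digest() * (len(data) // 32 + 1)
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + hmac.new(key, nonce + ct, "sha256").digest() + ct

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, tag, ct = blob[:8], blob[8:40], blob[40:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    stream = hashlib.sha256(key + nonce).digest() * (len(ct) // 32 + 1)
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))

class KDC:
    """Authentication Service and Ticket Granting Service in one object; self.keys plays the AD database."""
    def __init__(self, principals: dict):
        self.keys = {p: kdf(pw) for p, pw in principals.items()}
        self.krbtgt = kdf("krbtgt-secret-constructed")  # key that seals every TGT

    def as_exchange(self, user: str, pre_auth: bytes) -> tuple:
        """AS-REQ -> AS-REP. pre_auth is a timestamp sealed with the user's key (pre-authentication)."""
        if user not in self.keys:
            raise KeyError("KDC_ERR_C_PRINCIPAL_UNKNOWN")  # unknown user and bad password are distinguishable
        unseal(self.keys[user], pre_auth)  # wrong password -> ValueError (KDC_ERR_PREAUTH_FAILED)
        sk = os.urandom(16).hex()  # session key shared between the user and the TGS
        tgt = seal(self.krbtgt, {"user": user, "sk": sk})  # opaque to the client
        return seal(self.keys[user], {"sk": sk}), tgt

    def tgs_exchange(self, tgt: bytes, spn: str, authenticator: bytes) -> bytes:
        """TGS-REQ -> TGS-REP: the service ticket is sealed with the SERVICE account's key."""
        t = unseal(self.krbtgt, tgt)
        unseal(bytes.fromhex(t["sk"]), authenticator)  # client proves it holds the session key
        return seal(self.keys[spn], {"user": t["user"], "sk": os.urandom(16).hex()})

def client_get_service_ticket(kdc: KDC, user: str, password: str, spn: str) -> bytes:
    """Client side of both exchanges; the password itself is never sent to the KDC."""
    k = kdf(password)
    enc_part, tgt = kdc.as_exchange(user, seal(k, {"ts": 1700000000}))
    sk = bytes.fromhex(unseal(k, enc_part)["sk"])
    return kdc.tgs_exchange(tgt, spn, seal(sk, {"user": user}))

def service_accepts(service_password: str, ticket: bytes) -> str:
    """AP-REQ at the service: validated with the service's own key, without contacting the KDC."""
    return unseal(kdf(service_password), ticket)["user"]
```

Because the service ticket is sealed only with the service account's key, any authenticated account can obtain one and test candidate passwords against it offline, which is what the Kerberoasting attack described later in this post relies on and why SPN-bearing service accounts need long, random passwords.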
Attacking Kerberos
Here I will not be explaining the complete attack process; instead I'll talk about the methodology and the tools that can be used at each phase.
Enumeration
Enumeration is the very first phase of the standard hacking methodology, and to enumerate Kerberos you can use the popular tool Kerbrute. It is very useful for brute-forcing and enumerating valid directory users by abusing the Kerberos pre-authentication system.
Ticket Harvesting and Kerberoasting
We have a tool named Rubeus, which can be used to harvest the tickets that are being transferred to the KDC, save them and then use them for other attacks. The same tool can also perform Kerberoasting, another popular attack, in which a user requests a service ticket for any service registered with an SPN and then uses that ticket to crack the service account's password.
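From the defender's side, the two techniques just described leave characteristic traces in the domain controller's Security log. The following added example (not from the original post or from any of the tools linked) runs simple detection logic over constructed sample events: bursts of "client principal unknown" failures (event 4768, status 0x6) for the username guessing Kerbrute performs, and one account requesting RC4 service tickets for many service accounts (event 4769, encryption type 0x17) for Kerberoasting. The field names, IPs, account names and thresholds are constructed assumptions, not any product's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, eid, user, ip, **extra):
    return {"time": time, "id": eid, "user": user, "ip": ip, **extra}

# Constructed sample events in the shape of a flattened Security log export
# (4768 = TGT requested, 4769 = service ticket requested). Not real logs.
EVENTS = [ev(f"2024-05-01T09:00:{i:02d}", 4768, u, "10.0.5.23", status="0x6")
          for i, u in enumerate(["jdoe", "asmith", "mlee", "rkhan", "tbrown", "pwang"])]
EVENTS += [
    ev("2024-05-01T09:30:00", 4768, "alic", "10.0.7.4", status="0x6"),  # a single typo, benign
    ev("2024-05-01T10:00:00", 4769, "alice", "10.0.7.4", service="svc_sql", enc="0x17"),
    ev("2024-05-01T10:00:00", 4769, "alice", "10.0.7.4", service="svc_web", enc="0x17"),
    ev("2024-05-01T10:00:01", 4769, "alice", "10.0.7.4", service="svc_backup", enc="0x17"),
    ev("2024-05-01T10:00:02", 4769, "alice", "10.0.7.4", service="DC01$", enc="0x12"),  # normal AES
    ev("2024-05-01T10:05:00", 4769, "bob", "10.0.7.9", service="svc_sql", enc="0x12"),
]

def detect_user_enumeration(events, threshold=5, window=timedelta(seconds=60)):
    """Source IPs that receive 'client principal unknown' (status 0x6) replies for
    >= threshold distinct names inside one window: the footprint of wordlist-driven
    username guessing against the KDC. Returns {ip: distinct_names}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4768 and e["status"] == "0x6":
            by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    alerts = {}
    for ip, tries in by_ip.items():
        tries.sort()
        for i, (t0, _) in enumerate(tries):
            names = {u for t, u in tries[i:] if t - t0 <= window}
            if len(names) >= threshold:
                alerts[ip] = len(names)
                break
    return alerts

def detect_kerberoast_candidates(events, threshold=3):
    """Accounts requesting RC4-HMAC (0x17) service tickets for >= threshold distinct
    service accounts. Domain-joined Windows clients negotiate AES (0x12/0x11), so bulk
    RC4 requests stand out. Computer accounts (name$) and krbtgt are skipped."""
    spns = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["enc"] == "0x17":
            if e["service"].endswith("$") or e["service"] == "krbtgt":
                continue
            spns[e["user"]].add(e["service"])
    return {u: sorted(s) for u, s in spns.items() if len(s) >= threshold}
```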
Attacking using the Ticket
Once we have harvested a ticket, we can use it for post-exploitation. For this we have the popular tool mimikatz, most commonly used for dumping sensitive data inside the AD network, but it can also be used for other attacks such as Pass the Ticket, the Golden Ticket attack and even placing a backdoor in Kerberos.
The tools mentioned above are not restricted to these attacks; they are very broad and have a number of modules that could be useful. What I described is the approach I use while exploring any Active Directory network.
Below are links to all the tools mentioned above.
Kerbrute: https://github.com/ropnop/kerbrute/releases
Rubeus: https://github.com/GhostPack/Rubeus
Mimikatz: https://github.com/gentilkiwi/mimikatz/wiki
Impacket (Tool worth mentioning): https://github.com/SecureAuthCorp/impacket/releases/tag/impacket_0_9_19
Recommended Practice Labs
There are a number of publicly available pen-testing labs for everything, but a few I would recommend are as follows:
Active Directory Basics and Attacking Kerberos on TryHackMe (subscription required): I have recommended this one first as these two rooms are a guided approach towards the basics as well as exploitation. They cover almost everything you have read above and give hands-on experience with the tools mentioned.
Attacking and Defending Active Directory Lab on Pentester Academy (subscription required): I have never done this lab but have heard that it's a great lab for those who want to learn the attacking part as well as the defending part. I would recommend it only if you can spend the money; otherwise the next option could be better in all ways.
Building your own Red Teaming Active Directory lab: I would suggest this is the best option because it will help you learn the Active Directory setup, which could help you understand the vulnerabilities and how to fix them in a better way. Some resources for this are:
Conclusion
I have tried to cover almost everything we need to understand and exploit an Active Directory, though I have not covered the attacks in detail as that would make the article too long.
If you still have any queries regarding AD, you can ping me on Twitter.