I had several clients come to me before a pentest and say they think they’re in a good shape because their vulnerability scan shows no critical vulnerabilities and that they’re ready for a pentest, which then leads me to getting domain administrator in few hours by just exploiting misconfigurations in AD.
The goal of a penetration test is to identify any possible attack vector an adversary would use in order to compromise a network. It is not to get domain administrator.
Now that we have a goal, there’s several steps we follow in order to accomplish it, below
What is AD?
Active Directory is a service from Microsoft which are being used to manage the services run by the Windows Server, in order to provide permissions and access to network resources. Active Directory is used over 90% of the Fortune Companies in order to manage the resources efficiently.
Active Directory is just like a phone book where we treat information as objects. In Active Directory we have objects like Computers, Users, Printers, etc. Following are some of the components of Active Directory.
Domain Controller is generally the Admin of the Active Directory that is used to set up the whole directory. The role of Domain Controller is to provide Authentication and Authorization to different services and users. Domain Controller also allows administrative access to manage user account and network resources. In Active Directory the Domain Controller has the topmost priority and has most Authority/privileges.
Active Directory Data Store
An Active Directory Data Store contains Database files and process that store and manages directory information for users, services, and applications. The active Directory Data Store contains “NTDS.DIT” file which the most critical file of the whole AD.
It is stored in the “%SystemRoot%\NTDS” folder on all domain controllers. This NTDS.DIT file is only accessible only through DC Process and Protocols.
Logical Active Directory Components
The following are the components that an Active Directory Data Store contains that defines rules to create an object in an AD environment.
A Domain is used to group objects together and manage them. The domain provides an Authentication and Authorization boundary that provides a way to limit the scope of access to the resources of that domain. Consider redteamlabs.com as a domain.
Trees are generally groups of the Domains in the Active Directory environment. Trees are used to share the contiguous namespace with the parent domain. Trees can additionally have child domains. By default, Trees create Transitive trust with other domains.
Here in the image above redteamlabs is the main domain and us. redteamlabs.com, ca.abc.com and au. redteamlabs.com represent the trees from different locations. Ca is for Canada, us is for united states.
Forest is said to be the collection of the Trees. Forest shares the common schema between its branches. The configuration remains the same in the partition of the branches of Forest. Trust between all domains is maintained in the forest. They are likely to share the Enterprise Admin and Schema Admin Concepts.
Organizational Units are often referred to as OU. Organizational Units are Active Directory containers that generally contain user groups, Computers, and other OU. OU represents your computer organization in a hierarchically and logically way. OU is used to manage a collection of the object in a consistent way. Organizational Units are being bound to delegate the permissions to the Administrator Group of Object.
Trust can be defined as access between the resources in order to gain permission/access to resources in another domain. Trust in Active Directory are generally of two types:
Lab set up
Setup an Active Directory (small) lab for penetration testing. I will go through step-by-step procedure to build an Active Directory lab for testing purposes.
$ Install-ADDSForest -CreateDnsDelegation:$false ` -DatabasePath “C:\Windows\NTDS” ` -DomainMode “Win2012R2” ` -DomainName “server1.hacklab.local” ` -DomainNetbiosName “server1” ` -ForestMode “Win2012R2” ` -InstallDns:$true ` -LogPath “C:\Windows\NTDS” ` -NoRebootOnCompletion:$false ` -SysvolPath “C:\Windows\SYSVOL” ` -Force:$true
In this section, we have some levels, the first level is reconnaissance your network. every user can enter a domain by having an account in the domain controller (DC).
All this information is just gathered by the user that is an AD user. In the username, there are two parts that first is the domain name and the second part is your username.