1. ACTIVE DIRECTORY SECURITY
HOW NOT TO
Mendsaikhan Amarjargal
Security Researcher
https://www.linkedin.com/in/mendsaih4n/
2. ABOUT ME
Red team member
Blue team member
Purple team member
No experience as domain admin
First time presenting
Speaking on MNSEC stage
3. FIRST THINGS FIRST
What is Active directory?
What are the components?
What protocols are used?
4. AD COMPONENTS
Logical
Forest
Tree
Domain
Network
LDAP (like Open LDAP)
Kerberos
DNS
Structure
Active Directory sites (physical subnets)
Domain controllers
11. ACTIVE DIRECTORY SECURITY CONCERNS
Deploying systems with default settings.
Too many Domain Admins.
Not tracking/monitoring/documenting delegated access to Active Directory.
Unpatched systems (servers & workstations & even DC’s)
Not monitoring admin group membership
Keeping legacy authentication active on the network (LM/NTLMv1).
Opportunities Risks/Threats
23. SUMMARY
AD makes it easy to manage/configure for admins
At the same time, it enables other risks
Lateral movement/centralized hacking source
AD contains replica of whole domain
The power of domain admin privilege is underrated
Prevention is ideal, but detection is a must.
However, detection without response has minimal value.
- Eric Cole
Active Directory (AD) is a directory service that Microsoft developed for the Windows domain networks.
It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. Starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based identity-related services.
AD is a service that manages the objects of a Windows domain network in a centralized way.
Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace.
A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.
A tree is a collection of one or more domains and domain trees in a contiguous namespace, and is linked in a transitive trust hierarchy.
At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.
Everything that you see in Active Directory is an object.
Some objects are containers, which can contain other objects.
Several of the default containers are just called containers, and they serve as default locations for certain types of objects. Another type of container is called an organizational unit, or OU.
LDAP is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
Domain controllers provide several services on the network. They host a replica of the Active Directory database and group policy objects. DCs also serve as DNS servers to provide name resolution and service discovery to clients. They provide central authentication through a network security protocol called Kerberos.
The objects held within a domain can be grouped into Organizational Units (OUs). OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization's structure in managerial or geographical terms.
It also becomes the central repository of group policy objects, or GPOs, which are ways to manage the configuration of Windows machines.
Through admin console
Everyday Admin tasks
Helpdesk
Group policy management
We start with the attacker having a foothold inside the enterprise, since this is often not difficult in modern networks.
Advanced Threat Analytics (ATA) is an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyber attacks and insider threats.
ATA leverages a proprietary network parsing engine to capture and parse network traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM, and others) for authentication, authorization, and information gathering.
ATA takes information from multiple data-sources, such as logs and events in your network, to learn the behavior of users and other entities in the organization, and builds a behavioral profile about them. ATA can receive events and logs from:
With SYSTEM access to a host, the LSA secrets often allow trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets. When services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well.
Obtaining the hash of the KRBTGT account gives the right to grant tickets; using that, a user was created. Because a privileged operation is performed at that moment, it can be detected.
Event 4624 (successful logon) is created with the authentication package, the process name and the security ID of the account.
A big challenge for administrators has been ensuring that the local Administrator account (RID 500) on all Windows computers. The traditional method for doing this (other than buying a product) has been to use a custom script to change the local administrator password. The issue with this is that frequently the password is stored in clear text within the script (such as a .vbs file), which is often in SYSVOL.
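Two of the points above, legacy LM/NTLMv1 authentication and the fields carried by event 4624, can be checked together. The following Python pass is an added example, not code from the talk: it parses constructed, flattened 4624 records (the field names are the event's real EventData fields; the accounts, SIDs and hosts are made up) and flags logons negotiated with LM or NTLM V1, marking the RID 500 built-in Administrator separately.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample records in a flattened key=value shape (not real logs).
# Field names are real 4624 EventData fields; all values are made up.
SAMPLE_4624 = [
    "EventID=4624 LogonType=3 TargetUserName=svc_backup TargetUserSid=S-1-5-21-1111-2222-3333-1105 "
    "AuthenticationPackageName=NTLM LmPackageName=NTLM V1 WorkstationName=FILESRV01 ProcessName=-",
    "EventID=4624 LogonType=3 TargetUserName=alice TargetUserSid=S-1-5-21-1111-2222-3333-1204 "
    "AuthenticationPackageName=Kerberos LmPackageName=- WorkstationName=- ProcessName=-",
    "EventID=4624 LogonType=2 TargetUserName=bob TargetUserSid=S-1-5-21-1111-2222-3333-1301 "
    "AuthenticationPackageName=Negotiate LmPackageName=NTLM V2 WorkstationName=WS-BOB "
    "ProcessName=C:\\Windows\\System32\\winlogon.exe",
    "EventID=4624 LogonType=10 TargetUserName=Administrator TargetUserSid=S-1-5-21-1111-2222-3333-500 "
    "AuthenticationPackageName=NTLM LmPackageName=LM WorkstationName=OLDAPP ProcessName=-",
]

# LmPackageName values that mean the legacy LM or NTLMv1 response was used.
LEGACY_LM_PACKAGES = {"LM", "NTLM V1"}

# key=value pairs; the lazy value runs until the next " key=" or end of line,
# so values containing spaces ("NTLM V1") are kept whole.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened record into a field dictionary."""
    return {k: v for k, v in KV_RE.findall(line)}


def legacy_auth_findings(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per 4624 logon that negotiated LM or NTLMv1."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        lm = ev.get("LmPackageName", "-")
        if lm not in LEGACY_LM_PACKAGES:
            continue
        sid = ev.get("TargetUserSid", "")
        findings.append({
            "user": ev.get("TargetUserName", "?"),
            "package": lm,
            "logon_type": ev.get("LogonType", "?"),
            "workstation": ev.get("WorkstationName", "?"),
            "builtin_admin": sid.endswith("-500"),  # RID 500 = built-in Administrator
        })
    return findings


if __name__ == "__main__":
    for finding in legacy_auth_findings(SAMPLE_4624):
        print(finding)
```

Each finding names the account, the source workstation and the logon type, which is what is needed to track down the host or application still sending legacy responses before NTLMv1 is disabled by policy.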
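An added audit check for the SYSVOL problem just described, not the speaker's code: it scans constructed script contents of the kind left in SYSVOL for lines that embed a local administrator password and reports where they are, with the value redacted. The paths, the rule names and the sample scripts are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed script contents (not from any real SYSVOL); paths and values are hypothetical.
SAMPLE_SCRIPTS: Dict[str, str] = {
    r"\\corp.example\SYSVOL\corp.example\scripts\setlocaladmin.vbs":
        'Set sh = CreateObject("WScript.Shell")\n'
        'sh.Run "net user Administrator Summer2017!"\n',
    r"\\corp.example\SYSVOL\corp.example\scripts\logon.bat":
        "@echo off\nnet use H: \\\\fs01\\home\nnet user alice /domain\n",
    r"\\corp.example\SYSVOL\corp.example\scripts\reset.ps1":
        "$p = ConvertTo-SecureString 'P@ssw0rd1' -AsPlainText -Force\n"
        "Set-LocalUser -Name Administrator -Password $p\n",
}

# Each rule captures the secret in group 1 so the report can redact it.
# "net user <name> /switch" is excluded: a switch is not a password.
RULES = [
    ("net user <account> <password>",
     re.compile(r"\bnet\s+user\s+\S+\s+(?!/)([^\s\"']+)", re.I)),
    ("ConvertTo-SecureString with a literal",
     re.compile(r"ConvertTo-SecureString\s+['\"]([^'\"]+)['\"]", re.I)),
    ("password=<literal>",
     re.compile(r"\bpassword\s*[:=]\s*['\"]?([^'\"\s]+)", re.I)),
]


def redact(secret: str) -> str:
    """Keep the first character only, so the report never repeats the password."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


def audit_scripts(scripts: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (path, line number, rule name, redacted secret) for every hit."""
    hits: List[Tuple[str, int, str, str]] = []
    for path, text in scripts.items():
        for n, line in enumerate(text.splitlines(), start=1):
            for name, rx in RULES:
                m = rx.search(line)
                if m:
                    hits.append((path, n, name, redact(m.group(1))))
    return hits


if __name__ == "__main__":
    for hit in audit_scripts(SAMPLE_SCRIPTS):
        print(hit)
```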
PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
Empire is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and a flexible architecture.
mimikittenz is a post-exploitation PowerShell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes. It targets the memory address space of running processes: once a process is killed, its memory 'should' be cleaned up and inaccessible, but there are some edge cases in which this does not happen.
Mimikatz is well known for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.