Active Directory

Introduction

Active Directory enables centralized, secure management of an entire network, which might span a building, a city, or multiple locations throughout the world.

Active Directory Introduction

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780036(v=ws.10)

Components

Structure

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759186(v%3dws.10)

Component	Description
Organizational Units	Container object Used to arrange other objects Easier to locate and manage Can delegate the authority to manage Can be nested in other organizational units
Domains	Container object Collection of administratively defined objects that share a common directory database, security policies, and trust relationships with other domains Each domain is an administrative boundary for objects. A single domain can span multiple physical locations or sites
Domain Trees	Collections of domains that are grouped together in hierarchical structures When you add a domain to a tree, it becomes a child of the tree root domain The domain to which a child domain is attached is called the parent domain. A child domain might in turn have its own child domain. The name of a child domain is combined with the name of its parent domain to form its own unique Domain Name System (DNS) name such as Corp.nwtraders.msft. .:. a tree has a contiguous namespace.
Forests	Instance of Active Directory Each forest acts as a top-level container in that it houses all domain containers for that particular Active Directory instance A forest can contain one or more domain container objects, all of which share a common logical structure, global catalog, directory schema, and directory configuration, as well as automatic two-way transitive trust relationships. The first domain in the forest is called the `forest root domain`. The name of that domain refers to the forest, such as Nwtraders.msft. By default, information in Active Directory is shared only within the forest. .:. the forest is a security boundary for the information that is contained in that instance of Active Directory
Site Objects	Leaf and container objects Topmost object in the hierarchy of objects that are used to manage and implement Active Directory replication Stores the hierarchy of objects that are used by the `Knowledge Consistency Checker (KCC)` to effect the replication topology Some of the objects located in: `NTDS Site Settings objects`, `subnet objects`, `connection objects`, `server objects`, and `site objects` (one site object for each site in the forest) Hierarchy is displayed as the contents of the Sites container, which is a child of the Configuration container

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759073(v%3dws.10)

Schema - Defines objects and attributes
Query and index mechanism - Ability to search and publish objects and properties
Global Catalog - Contains info about every object in directory
Replication Service - Distributes information across domain controller

Detect Firewall Blocking AD

PortQryUI - http://www.microsoft.com/download/en/details.aspx?id=24009 * Run the “Domains & Trusts” option between DCs, or between DCs and any machine * “NOTLISTENING,” 0x00000001, and 0x00000002, that means there is a port block * Can ignore UDP 389 and UDP 88 messages * TCP 42 errors, that just means WINS is not running on the target server

https://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/

Implementing Least Privilege Model

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models

Scanning

pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD> --advanced-live --nullsession

Automating AD Enumeration (Bloodhound, PowerUp, Responder, CrackMapExec): https://medium.com/bugbountywriteup/automating-ad-enumeration-with-frameworks-f8c7449563be

Tools

ldapsearch

Query the Domain Controller for Active Directory
UserAccountControl attributes of active accounts
Other specific configurations
Possible UserAccountControl values: https://support.microsoft.com/en-gb/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro

Active users (2 == disabled account status)

ldapsearch -x -h $ip -p 389 -D 'SVC_TGS' -w $password -b  "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))" samaccountname

Impacket’s GetADUsers.py

Enumerate domain user accounts

GetADUsers.py -all active.htb/svc_tgs -dc-ip $ip

Attack Patterns

Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
Escalating privileges with ACLs in Active Directory: https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/

Defense

Active Directory Core Security Principles & Best Practices: https://ernw.de/download/AD_Summit_2018/01_AD_Summit_CoreSecPrinciples_fk_hw_v.1.2_signed.pdf
Active Directory Kill Chain Attack & Defense: https://github.com/infosecn1nja/AD-Attack-Defense
Microsoft-Blue-Forest: https://github.com/rootsecdev/Microsoft-Blue-Forest
Welcome to building your first domain controller!: https://github.com/rootsecdev/Microsoft-Blue-Forest/blob/master/FirstDomainControllerInstall.md
Pwn and Defend - Active Directory Domain Enumeration: https://www.youtube.com/watch?v=YxeXfHkHAUI&feature=youtu.be