Active Directory Through an Attacker's Lens

    Say you work as the sole IT personnel in a small newly formed company. This company currently has five computers which could be easy for you to manage, but as the company grows, the computers you are tasked to handle will grow with it. This can quickly lead to there being too much for a single person to oversee, causing the company to look for solutions for easier management of the company's ever-growing computer arsenal. This is where Active Directory can step in and take some significant load off the IT Department's shoulders. 

 

What is Active Directory

    Active Directory is Microsoft's directory service that can be implemented into company networks for more accessible and efficient management of their resources. This will allow the administrators to set up groups, users, Organizational Units, Computers, etc., and manage all the differing policies and access each person has to the network more easily. This is an extensive system with many different features that allow administrators to tailor the domain to their company's needs. 

    Active Directory Domain Services is the primary feature that helps store domain objects and manage the interaction of the users within the domain. This will help delegate each user's access as they attempt to connect to each of the network's resources. This will also contain Group Policies, which are implemented to delegate permissions, enforce security, customize the user experience, and maintain network consistency. These are implemented onto Organizational Units, which will be comprised of different objects in the domain. [1]

    Active Directory uses a tiered layout consisting of domains, trees, and forests. The first domain will create the forest and be part of a tree in said forest. This tree can then have additional domains added to it, which would include the original domains name, called subdomains. When a new domain is created apart from this initial domain, this will create another tree. All these trees will be under the initial forest. [2]

    This hierarchy of domains will use trusts to manage the access that each of the domains has with each other. There are many different types of trusts, including one-way, two-way, trusted domain, transitive, intransitive, explicit, forest, etc. One-way trusts are when one domain has access privileges to a second domain but not the other direction. A two-way trust occurs when both domains have access privileges to each other. [3]

 

The Attacker's POV

    Over 90% of Fortune 1000 companies have Active Directory in their environment. [4] If an attacker targets one of these companies, they are highly likely to come across an Active Directory in the network. These Active Directory systems have significant control over the company's network, primarily managing their resources, including databases. These databases can have valuable information, allowing the attacker to sell what they could exfiltrate to the dark web. On top of this, these organizations often rely on their systems to generate income, and if this system goes down, it can cause the company to lose money that they would otherwise be generating. If an attacker can gain privileged access to the domain, they could hold the company's network ransom, preventing it from conducting daily operations. Today, the average ransomware payment is up to $1.5 million. [5] This is why attackers study Active Directory. It is the crutch of many companies' systems, and with one fell swoop, an attacker can bring even the most prominent companies to their knees, forcing them to lose millions or even billions of dollars in revenue. 



Resources

[1] https://www.techtarget.com/searchwindowsserver/definition/Active-Directory

[2] https://www.oreilly.com/library/view/dns-on-windows/0596005628/ch08s01s01.html

[3]https://www.windows-active-directory.com/active-directory-trusts.html

[4] https://www.securitymagazine.com/articles/96245-how-to-convince-the-c-suite-to-buy-in-to-active-directory-security

[5] https://www.theguardian.com/technology/2023/may/10/ransomware-payments-nearly-double-in-one-year

 

Popular posts from this blog

VHL002 - Setting up the Domain Controller and Workstations

Image
For the initial creation, I'm going to create 5 machines in total. 1 Microsoft Windows Server 2016 3 Windows 10 Enterprise Workstations 1 Kali Linux Machine      To create the virtual machines of the Windows Server and Enterprise, you will need the ISO files of these systems. These can be found at the following links. You may be required to fill out a form of information, however, this has no checking on it so you can use completely fake information. Windows Server 2016 Windows 10 Enterprise Kali Linux      You might be wondering why I chose a 2016 server. In company networks, the most common servers you are going to come across are 2012 and 2016, there will be minimal 2019. Outside of those, it is rare to find other Active Directory server years, so I chose the more recent of the two most common.      I will get into how to set up the Kali Linux machine in the next post where I will cover the installation of the system and tools that you...
Read more

VHL005 - Own the Workstations, Local Admin Password Re-use

Image
     From the last attack that we accomplished; we were able to gain a user’s credentials. This opens more attacks for us to attempt on the network. The first that I’m going to attempt is an attack dumping the SAM and LSA Secrets files to get the accounts associated with the workstation and possibly search for local admin password re-use. The program that we will be doing this with is secretsdump.py in the impacket’s repository. This is a large repository of applications that are great for attacks against an Active Directory environment. You can access the repository from this link. impacket In your kali, type in “git clone https://github.com/fortra/impacket” and this will download the impacket’s repository with all the applications in it.
Read more

VHL004 - LLMNR Poisoning

Image
     In an active directory environment, attackers can use the mistakes of the users to their advantage to gain information that they should otherwise not have access to. One such attack is exploiting LLMNR and using it to gather user credentials. The LLMNR, Link-Local Multicast Name Resolution, protocol is used to locate host in a local network without the need of DNS. It will do so by contacting every machine in its network asking for a specific hostname in hopes to find it. As an attacker, this can be very beneficial. If we are on that network, that query will be sent to us as well, which we can respond to. Attackers can use the program Responder to answer this query and request the machine to give their username and hash to authenticate. It will in turn hand over their credentials to the attacker who can use that credential to further their attacks. [1]
Read more

VHL003 - Kali Linux Setup

Image
     The first attacker machine that we are going to set up is a Kali Linux machine. This is a popular operating system for attackers as it has many of the tools that they need come pre-installed. We will be creating another attacker virtual machine much later on using the Windows operating system.  To install this operating system, go to the Kali Linux website and scroll down till you see the virtual machine tab and select your virtual machine application that you are using. You can use the link provided as well. 
Read more

VHL001 - In the Beginning

     This post is the beginning of my Virtual Home Lab series. This series will go into how I set up my home lab and act as a guide to help anyone attempting to create their own Active Directory lab environment. These blog posts will go into my thought process, guide to creating the environment, and demonstrating attacks you can simulate in this Active Directory environment.      I want to start by laying out some plans before flying in blind into this project. I want to have a base understanding of where I want this project to go, and where I might want this project to possibly end if at all. To start I'm going to lay out the components that I know I want this lab to eventually include.  2 Active Directory Domain Controllers  1 Active Directory Certificate Services Server 2+ Windows Workstations Multiple Organizational Units Many Domain Users I would like this lab to allow me to simulate the following attacks.  Responder Bloodhound Enumerati...
Read more