Active Directory Exploitation Part 1 - First, The Basics
Today, I'm going to start writing a quick blog series that explores Active Directory, implementation, and most importantly, how it is most commonly exploited in the wild. Why? Active Directory is the most common method of managing Windows computers and other devices on large networks. It's difficult to find an exact number, but most private and government organizations utilize Active Directory. It allows users to authenticate onto domains, which can be closely managed and monitored by administrators. However, like any other technology, it is prone to flaws and misconfigurations. As a result, if a potential attack vector is discovered within Active Directory, countless organizations may be vulnerable due to Active Directory's extremely wide use. It is for this reason that Active Directory is always an initial target evaluated by ethical hackers/penetration testers and, more often than not, it allows these would-be attackers to escalate privileges and pivot to different networks and domains using multiple techniques and tools, most of which we will discuss later.
If you're not familiar with Active Directory, that may have been a bit overwhelming at first, so I will utilize Part 1 as an introduction to Active Directory components. I may mention common attacks/vulnerabilities along the way, but we will explore those further in later parts. For now, let's focus on Active Directory components and implementation; the basics!
Active Directory (AD) 101 - What is AD?
Active Directory (commonly referred to as AD) is not exactly a single program, but rather a structure/service that has been around since 2000. Today, a conservative estimate would be that 90% of companies use Active Directory for authentication. Active Directory contains a number of services, including Certificate Services and Rights Management Services, but for the purposes of this article, and to explain AD to someone totally new, we will focus on AD DS or Active Directory Domain Services.
Without AD DS, it would be incredibly difficult for administrators of large networks to find devices actually connected to that network, let alone manage what those devices can and cannot do. AD enables just that; the widespread management of devices (objects) through policies, as well as account management, account policies, user information, and more. Through AD, and administrator could, for example, for a password policy across all users that requires a 10 character minimum. AD can also store all of this user's information, which is tied to their account, providing accountability for all of the user's actions on that network, or 'domain.' This and more is all achieved through a carefully configured "forest" of domain controllers, objects, users, organizational units (OUs), trusts, schema, and policies. These devices all communicate to each other over LDAP/LDAPS (Secure Lightweight Directory Access Protocol) and support Kerberos authentication - however, for now, just remember LDAP is essentially the language used to communicate in an AD environment, while Kerberos handles the mighty task of secure authentication and access to resources on the network. Keep in mind that, also, AD implementation is going to vary from use case to use case.
I've said a lot of strange words here - domains, forests, policies, OUs - and now we will dig into these definitions to help you hopefully better understand AD before we begin to talk about exploitation. There are many, many incredible learning resources out there for further understanding Active Directory, and one of my personal favorites was The Cyber Mentor's Practical Ethical Hacking course, which requires zero previous knowledge (outside of the basics of using a computer) and explores Active Directory and exploitation in-depth. This is an incredible course and sometimes it goes on sale for as low as $10 - if you're new to the security world, I couldn't recommend this enough.
Physical Structure of Active Directory
The physical structure is best defined as the components that allow management of all combined network traffic. This consists primarily of the domain controller(s), and the Active Directory Data Store. The actual, physical layout/implementation of AD is going to vary between every use case as I stated earlier (some companies use 'sites' to connect domains that are separated geographically), but every single implementation will contain domain controllers and the data store, so that is what we will focus on.
Domain Controllers (DCs) - A domain controller is a server with the AD DS server role and is the highest role within a domain. There may be multiple domains, and multiple domain controllers, but these DCs set at the very top. They store all directory data, manage authentication for all clients on the domain, manages and copies directory changes to other domain controllers in the domain/forest, handles trusts, and enforces security policy. It is important to note that is also contains all relevant credentials for ALL devices connected to the network/domain. The domain controller is an extremely valuable piece of equipment - if the DC is compromised, the entire domain is compromised. We will, in later blogs, explore how DCs may indeed be easily compromised, even today.
Active Directory Data Store - The data store contains database files and processes that store and manage all directory information. On a high level, the data store manages the storage and retrieval of all data. The data store, importantly, consists of the ntds.dit file, which consists of absolutely everything stored within Active Directory - password hashes for ALL users, objects, user profiles and information themselves, and everything else.
Logical Structure of Active Directory
It is important to state that there is no relationship between the physical structure and the logical structure of the AD network - the logical components all ensure that the physical components act coherently and efficiently as one. We will now define the primary defining logical factors of every Active Directory implementation.
Schema - The schema is an important logical component of AD that contains the rules for object creation and the types of objects that can be stored within the forest. This is essentially a list of rules and information about objects.
Domains - Domains are used to limit the scope of access to resources within forests. The term "domain" is used to refer to that administrative, authentication, and authorization boundary that is used to manage and control objects within an organization. An example would be "company.com." So, as an example, if Bob Jones worked for Company, his AD username may be BobJones@company.com.
Trees - A domain "tree" is a hierarchy of domains within Active Directory, which means there can be multiple domains in a tree. All domains in this tree will share similar naming conventions to the parent domain. For example, a child domain for the above example could be "sc.company.com" or "va.company.com." The parent domain in that case would be "company.com."
Forests - This is probably the easiest concept to grasp - trees make up forests! An AD forest contains common schema, configuration, naming conventions (ideally), trusts, and a global catalog for searching between domains in the forest.
Organizational Units (OUs) - OUs are simply containers that are used to organize users, computers, groups, and even other OUs. These, for example, may be sorted by departments, and provide additional control and organization through the hierarchy of AD. This is simply a lower-level logical component and, like the higher levels, objects within OUs contain common names, policies, and etc.
Trusts - Trusts are important if a user in one domain needs to access resources from another domain. Trusts are universal to domains within forests, meaning that all domains within a forest "trust" each other. Trusts may even extend outside the forest depending on the implementation. Directional trusts flow from one domain to the other, while transitive trusts extend beyond a simple two-way trust.
Objects - Objects are essentially the lowest level of this hierarchy, and they are simply "things" in the domain that access resources. They can be users, computers, printers, shared folders, and etc.
I hope this summary of Active Directory allows you to better understand what we're going to be talking about later. There are other protocols and communications to take into consideration such as NTLM in addition to LDAP, but we will get into those later. If you understand the above information, then congrats, you have passed Active Directory 101! It may not be very exciting, but that changes when we learn how easy it can be to exploit misconfigurations even within the most modern of environments. Ultimately, the security of AD implementations will boil down to the administrators. I have been an AD admin myself, and while I'm certainly not a seasoned veteran, perhaps may later parts to this series could serve as a checklist for security purposes.
For more in-depth reading, check out the articles below, and as always, thank you so much for reading.