-
Notifications
You must be signed in to change notification settings - Fork 0
Review of AD
Make new user and join it to all group: Domain admin, guests, schema admins, domain users, domain guests, domain controllers and enterprise admin
- Domain Admins: • Role and Permissions: Domain Admins have the highest level of administrative access within a domain. Members of this group can make changes to the domain, add or remove users, and modify domain-wide policies. They essentially have full control over the domain.
- Guests: • Role and Permissions: The Guests group in Active Directory is a built-in group with limited access. Members of this group have minimal rights and are typically used for providing temporary or restricted access to resources.
- Schema Admins: • Role and Permissions: Schema Admins have the authority to make changes to the Active Directory schema. Modifying the schema is a sensitive operation as it affects the structure of the entire directory. This group is restricted to a small number of trusted administrators.
- Domain Users: • Role and Permissions: Domain Users is a default group that includes all user accounts created in the domain. Members of this group have basic user rights and permissions. They can log in, change their passwords, and access resources for which they have been granted permission.
- Domain Guests: • Role and Permissions: Domain Guests is a built-in group similar to the Guests group. Members have limited access rights and are typically used to provide temporary access to guests within the domain.
- Domain Controllers: • Role and Permissions: Domain Controllers are servers that host a copy of the Active Directory database and handle authentication requests within a domain. The Domain Controllers group includes all domain controller objects. Members of this group have specific permissions and responsibilities related to the replication and management of the Active Directory database.
- Enterprise Admins: • Role and Permissions: Enterprise Admins have the highest level of administrative access across all domains in a forest. Members of this group can make changes to the entire forest, including adding or removing domains and managing trust relationships. This group is crucial for overarching forest-wide administration.
let's organize the mentioned groups by their access level in ascending order:
- Domain Guests: • Access Level: Limited access rights. Typically used for providing temporary or restricted access to resources.
- Domain Users: • Access Level: Basic user rights and permissions. Can log in, change passwords, and access resources for which they have been granted permission.
- Domain Controllers: • Access Level: Specific permissions and responsibilities related to the replication and management of the Active Directory database. Handles authentication requests within a domain.
- Domain Admins: • Access Level: Highest level of administrative access within a domain. Full control over the domain, including the ability to make changes, add or remove users, and modify domain-wide policies.
- Schema Admins: • Access Level: Authority to make changes to the Active Directory schema. Restricted to a small number of trusted administrators due to the sensitivity of schema modifications.
- Guests: • Access Level: Limited access rights. Typically used for providing temporary or restricted access to resources.
- Enterprise Admins: • Access Level: Highest level of administrative access across all domains in a forest. Can make changes to the entire forest, including adding or removing domains and managing trust relationships. Crucial for overarching forest-wide administration.
A Security Identifier (SID) is a unique alphanumeric identifier that is assigned to each security principal (such as a user, group, or computer) in a Windows operating system. SIDs are used internally by Windows to identify and manage security principals, and they play a crucial role in access control and security. Here are key points about SIDs:
- Uniqueness: • SIDs are designed to be globally unique. Every security principal in a Windows domain has a unique SID, and this uniqueness extends across different domains and forests.
- Composition: • SIDs are composed of a variable-length binary identifier along with a fixed-length authority value that identifies the authority or issuer of the SID. The combination of these elements creates a unique identifier for each security principal.
- Format: • SIDs are typically represented as a string in the following format: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-rid. Here, "rid" represents the Relative Identifier, which is unique within the scope of the authority.
- Checking the SID of a User: • You can check the SID of a user in several ways: • Command Line (PowerShell): powershellCopy code $username = "username" $user = New-Object System.Security.Principal.NTAccount($username) $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value Write-Host "SID for $username: $sid" • Command Line (Command Prompt): batchCopy code whoami /user • Graphical User Interface (GUI): • Open the "Computer Management" console. • Navigate to "System Tools" > "Local Users and Groups" > "Users." • Right-click on the user and select "Properties." • In the "General" tab, you will find the user's ObjectSID. • Active Directory Users and Computers (ADUC): • Open Active Directory Users and Computers. • Locate the user, right-click, and select "Properties." • In the "Object" tab, you will find the ObjectSID. Remember to replace "username" with the actual username of the user you want to check.
The whoami command is a built-in utility in Windows that displays information about the current user. When used with the /? option, it provides information about the available command-line options. Here is the output of whoami /?: plaintextCopy code WHOAMI [/UPN | /FQDN | /LOGONID] [/USER | /GROUPS | /PRIV | /ALL] /UPN Display the user name in User Principal Name (UPN) format. /FQDN Display the user name in Fully Qualified Domain Name (FQDN) format. /LOGONID Display the logon ID of the current user. /USER Display the user name and security identifier (SID). /GROUPS Display the groups to which the current user belongs. /PRIV Display the security privileges of the current user. /ALL Display all information. Examples: WHOAMI /? WHOAMI WHOAMI /USER WHOAMI /USER /UPN WHOAMI /USER /FQDN WHOAMI /GROUPS WHOAMI /PRIV WHOAMI /ALL Here's a brief explanation of some of the commonly used options: • /UPN: Displays the user name in User Principal Name (UPN) format. • /FQDN: Displays the user name in Fully Qualified Domain Name (FQDN) format. • /LOGONID: Displays the logon ID of the current user. • /USER: Displays the user name and security identifier (SID). • /GROUPS: Displays the groups to which the current user belongs. • /PRIV: Displays the security privileges of the current user. • /ALL: Displays all available information.
Impacket: Description: Impacket is a collection of Python classes focused on providing low-level programmatic access to network protocols. It's commonly used for crafting and manipulating network packets and protocols. Reference: Impacket GitHub Repository
Responder: Description: Responder is a tool designed for LLMNR, NBT-NS, and MDNS poisoning. It is used to capture credentials by tricking network hosts into sending authentication requests. Reference: Responder GitHub Repository
InveighZero: Description: InveighZero is a Windows C# LLMNR, NBT-NS, and MDNS responder with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP, and Basic HTTP authentication. Reference: InveighZero GitHub Repository
Mimikatz: Description: Mimikatz is a powerful post-exploitation tool that can extract plaintext passwords, hashes, PIN codes, and kerberos tickets from memory. It is commonly used for credential harvesting and pass-the-hash attacks. Reference: Mimikatz GitHub Repository
Ranger: Description: Ranger is an open-source, cross-platform file manager with a focus on providing a minimalistic and efficient interface. It is not primarily a security tool but can be used in various contexts, including security assessments. Reference: Ranger GitHub Repository
AdExplorer: Description: Active Directory Explorer (AdExplorer) is a tool from Sysinternals (now a part of Microsoft) that allows users to view and navigate the Active Directory database. It provides a graphical interface for exploring AD objects and their properties. Reference: Sysinternals Suite
• CrackMapExec (CME): Description: CrackMapExec is a post-exploitation tool that automates the assessment of large Active Directory networks. It can be used for various tasks, including lateral movement, execution of commands on remote systems, and gathering information about the network. Reference: CrackMapExec GitHub Repository root@payload$ wget https://tinyurl.com/2yajgbrm/releases/download/v5.0.1dev/c
root@payload$ cme smb -L root@payload$ cme smb -M name_module -o VAR=DATA root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b root@payload$ cme smb 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f29 root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f29 root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f29 root@payload$ cme smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mim root@payload$ cme mimikatz --server http --server-port 80
• Description: Mitm6 is a penetration testing tool designed to perform Man-in-the-Middle (MitM) attacks against IPv4 networks by leveraging IPv6. It was developed to exploit the transition challenges organizations face when moving to IPv6. By intercepting and manipulating IPv6 traffic, Mitm6 can facilitate various attacks, including capturing sensitive information and executing network reconnaissance.
• Key Features: • IPv6 Man-in-the-Middle Attacks: Mitm6 specializes in intercepting and manipulating IPv6 traffic, allowing attackers to insert themselves between communication endpoints. • Packet Sniffing and Spoofing: The tool enables packet sniffing and spoofing, allowing attackers to capture and alter network traffic, leading to potential security vulnerabilities. • Network Reconnaissance: Mitm6 can be used for reconnaissance activities, gaining insights into the target network's structure, devices, and potential vulnerabilities. • Usage Scenarios: • IPv6 Transition Attacks: Mitm6 is particularly useful in scenarios where networks are transitioning from IPv4 to IPv6, taking advantage of the challenges and potential security gaps during this process. • Man-in-the-Middle Assessments: Security professionals and penetration testers use Mitm6 to assess the security posture of networks by simulating MitM attacks. • Reference: • Mitm6 GitHub Repository
• Description: ADRecon is an open-source tool designed for Active Directory (AD) enumeration and reconnaissance during penetration testing, red teaming, and security assessments. Developed in PowerShell, ADRecon automates the collection of information about an Active Directory environment, providing insights into its structure, users, groups, permissions, and potential vulnerabilities. • Key Features: • Comprehensive Enumeration: ADRecon comprehensively enumerates Active Directory objects, including users, groups, computers, trusts, trusts, ACLs (Access Control Lists), and other relevant information. • Low and Slow Approach: The tool adopts a "low and slow" approach to avoid detection, making it suitable for stealthy information gathering in environments where noise must be minimized. • Output in Multiple Formats: ADRecon generates output in various formats, such as CSV, JSON, and HTML, facilitating easy analysis and reporting. • Usage Scenarios: • Security Assessments: ADRecon is employed by security professionals, penetration testers, and red teamers to assess the security posture of Active Directory environments. • Enumeration and Discovery: The tool is used to discover, enumerate, and document AD objects, permissions, and configurations, aiding in identifying potential attack vectors. • Sample Command: • This command generates a CSV report of Active Directory information and saves it to the specified folder. • Reference: • ADRecon GitHub Repository
.\ADRecon.ps1 -CSV -FolderPath C:\ADReconOutput • Active Directory Assessment and Privilege Escalation Script powershell.exe -ExecutionPolicy Bypass ./ADAPE.ps1
While there isn't a specific tool or script universally referred to as "Active Directory Assessment and Privilege Escalation Script," security professionals often use a combination of tools and scripts to assess and identify potential security vulnerabilities within Active Directory (AD) environments, including those related to privilege escalation. Let me provide you with a general overview: Active Directory Assessment:
• Description: BloodHound is a powerful tool for analyzing Active Directory environments. It visualizes the relationships and attack paths that users, computers, and groups have within an AD environment, helping identify potential security risks. • Reference: BloodHound GitHub Repository 2. PowerView: • Description: PowerView is a PowerShell tool for situational awareness and post-exploitation on Windows networks. It is part of the PowerSploit project and can be used to gather information about AD users, groups, trusts, and more. • Reference: PowerSploit GitHub Repository
• Description: As mentioned earlier, ADRecon is a PowerShell script designed for Active Directory enumeration during security assessments. It provides detailed information about AD objects and configurations. • Reference: ADRecon GitHub Repository Privilege Escalation:
- PowerUp: • Description: PowerUp is a PowerShell tool designed to assist with local privilege escalation on Windows systems. It automates various checks and common privilege escalation techniques. • Reference: PowerUp GitHub Repository
- Windows-Exploit-Suggester: • Description: This tool suggests potential exploits based on the version of Windows running on the target system. While not specific to AD, it can be useful for identifying potential vulnerabilities that might lead to privilege escalation. • Reference: Windows Exploit Suggester GitHub Repository
• Description: As mentioned earlier, Mimikatz is a powerful post-exploitation tool that can extract plaintext passwords, hashes, and other credentials from memory, potentially aiding in privilege escalation. • Reference: Mimikatz GitHub Repository • Ping Castle PingCastle is a security tool designed for Active Directory security assessments. It focuses on analyzing and assessing the security of Active Directory environments, providing insights into potential vulnerabilities, misconfigurations, and security risks. PingCastle is particularly known for its ability to assess the security posture of large and complex Active Directory infrastructures. pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME pingcastle.exe --healthcheck --server domain.local pingcastle.exe --graph --server domain.local pingcastle.exe --scanner scanner_name --server domain.local available scanners are:aclcheck,antivirus,computerversion,foreignusers,laps_b • Key Features: • Risk Scoring: PingCastle assigns risk scores to various aspects of the Active Directory environment, helping organizations prioritize and address critical security issues. • Security Assessment Reports: The tool generates detailed reports that highlight security findings, potential risks, and recommendations for improving the overall security of the Active Directory infrastructure. • Attack Path Analysis: PingCastle assesses the attack paths within Active Directory, identifying potential avenues for lateral movement and privilege escalation. • Capabilities: • Health Check: PingCastle performs health checks on various components of Active Directory, including trusts, permissions, configurations, and more. • Mitigations and Recommendations: The tool provides actionable recommendations and mitigations to address identified security issues, empowering organizations to enhance their security posture. • Graphical Interface: PingCastle offers a user-friendly graphical interface, making it accessible to security professionals with varying levels of expertise. • Usage Scenarios: • Security Assessments: Security professionals use PingCastle for security assessments, penetration testing, and red teaming to identify and address security vulnerabilities within Active Directory environments. • Risk Management: Organizations leverage PingCastle to assess and manage the risks associated with their Active Directory infrastructure. • Reference: • PingCastle Official Website
./kerbrute passwordspray -d <USERS.TXT> • Description: Kerbrute is an open-source tool designed for performing Kerberos-based attacks, particularly focused on password spraying and brute-force attacks against Active Directory services. Developed in Go, Kerbrute is used by security professionals, penetration testers, and red teamers to test the strength of user passwords and identify potential weak points in Kerberos authentication. • Key Features: • Password Spraying: Kerbrute facilitates password spraying attacks, where a limited set of passwords is systematically tested against multiple user accounts to avoid account lockouts. • Brute-Force Attacks: The tool supports traditional brute-force attacks, attempting all possible password combinations to gain unauthorized access. • Kerberos Authentication Testing: Kerbrute is specifically designed for testing the security of Kerberos authentication in Windows environments. • Capabilities: • User Enumeration: Kerbrute can be used to enumerate valid usernames, aiding attackers in identifying valid accounts for subsequent attacks. • Password Guessing: The tool allows attackers to guess passwords by trying different combinations, making it effective in scenarios where weak or easily guessable passwords may exist. • Usage Scenarios: • Penetration Testing: Security professionals use Kerbrute during penetration testing engagements to assess the strength of Kerberos-based authentication and identify potential weaknesses. • Red Teaming: Red teamers leverage Kerbrute to simulate real-world attack scenarios, helping organizations understand and mitigate risks associated with Kerberos. • Sample Command: kerbrute userenum --dc <domain_controller_ip> -d <domain_name> usernames.txt Reference: • Kerbrute GitHub Repository
Rubeus Rubeus.exe asktgt /user:USER </password:PASSWORD [/enctype:DES|RC4|AES128|AES Rubeus.exe dump [/service:SERVICE] [/luid:LOGINID] Rubeus.exe klist [/luid:LOGINID] Rubeus.exe kerberoast [/spn:"blah/blah"] [/user:USER] [/domain:DOMAIN] [/dc:D
• Rubeus is a powerful post-exploitation tool developed in C# and designed for Kerberos ticket manipulation in Windows environments. It is widely used by penetration testers, red teamers, and security professionals to interact with Kerberos tickets, perform Kerberos-related attacks, and gain unauthorized access to systems. • Key Features: • Ticket Extraction: Rubeus can be used to extract and display Kerberos tickets (TGTs and TGSs) from memory, facilitating the retrieval of credential information. • Ticket Renewal and Renewal TGTs: The tool supports ticket renewal and the creation of renewal TGTs, which can extend the validity of Kerberos tickets. • Pass-the-Ticket (PTT) Attacks: Rubeus enables attackers to perform Pass-the-Ticket attacks, allowing them to reuse Kerberos tickets to gain access to network resources without knowing the account password. • Kerberoasting: The tool supports Kerberoasting attacks, which involve requesting and cracking service tickets for service accounts. • Capabilities: • Ticket Renewal and Ticket Purge: Rubeus provides features for renewing tickets and purging tickets from memory, contributing to post-exploitation activities. • Ticket Request and TGT Renewal: The tool allows users to request TGTs and renew TGTs, providing flexibility in manipulating Kerberos authentication. • Usage Scenarios: • Post-Exploitation: Rubeus is often used in post-exploitation scenarios to interact with Kerberos tickets obtained during an attack. • Credential Theft: Security professionals leverage Rubeus to extract and manipulate Kerberos tickets, leading to potential credential theft and unauthorized access. • Red Team Operations: Red teamers use Rubeus to simulate and test Kerberos-related attacks, helping organizations identify and remediate vulnerabilities. • Sample Command: Rubeus.exe asktgt /user: /rc4: /domain: /service:
• This command requests a TGT (Ticket Granting Ticket) for the specified user, encrypting it with the provided RC4 hash. • Reference: • Rubeus GitHub Repository AutomatedLab New-LabDefinition -Name GettingStarted -DefaultVirtualizationEngine HyperV Add-LabMachineDefinition -Name FirstServer -OperatingSystem 'Windows Server 2 Install-Lab Show-LabDeploymentSummary • AutomatedLab is a framework and set of scripts designed to automate the process of creating, configuring, and managing complex lab environments for testing and learning purposes. It is particularly useful for creating test environments that replicate real-world scenarios, including Active Directory (AD) setups, networking configurations, and other infrastructure components. • Key Features: • Automated Environment Creation: AutomatedLab automates the creation of lab environments, including the deployment of virtual machines, networking, and configurations. • Support for Hyper-V and Azure: The framework supports both on-premises Hyper-V environments and cloud-based setups in Microsoft Azure. • Reusable Configurations: Users can define reusable configurations for lab environments, allowing for easy replication of specific setups. • Extensibility: AutomatedLab is extensible and customizable, enabling users to add their own scripts, configurations, and components to meet specific requirements. • Capabilities: • Active Directory Labs: AutomatedLab can be used to create and configure AD environments, allowing users to simulate various AD scenarios for testing and learning. • Networking Configurations: The framework supports the creation of complex networking configurations, including routers, switches, and subnets, to replicate diverse network environments. • Integration with Desired State Configuration (DSC): AutomatedLab integrates with PowerShell Desired State Configuration, enabling users to define and enforce the desired state of lab environments. • Usage Scenarios: • Test Environments: Security professionals and IT administrators use AutomatedLab to quickly create test environments for software testing, security assessments, and training. • Learning and Certification: Individuals studying for certifications or learning new technologies can use AutomatedLab to create hands-on lab environments for practical exercises. • Sample Command: Install-Lab -ConfigurationFilePath .\MyLabConfiguration.ps1 -Verbose • This command installs a lab environment based on the configuration defined in the specified PowerShell script. • Reference: • AutomatedLab GitHub Repository
Info about AD are (it can gather by tools such as ADRecon): • Forest; • Domain; • Trusts; • Sites; • Subnets; • Schema History; • Default and Fine Grained Password Policy (if implemented); • Domain Controllers, SMB versions, whether SMB Signing is supported and FSMO roles; • Users and their attributes; • Service Principal Names (SPNs); • Groups, memberships and changes; • Organizational Units (OUs); • GroupPolicy objects and gPLink details; • DNS Zones and Records; • Printers; • Computers and their attributes; • PasswordAttributes (Experimental); • LAPS passwords (if implemented); • BitLocker Recovery Keys (if implemented); • ACLs (DACLs and SACLs) for the Domain, OUs, Root Containers, GPO, Users, Computers and Groups objects (not included in the default collection method); • GPOReport (requires RSAT); • Kerberoast (not included in the default collection method); and • Domain accounts used for service accounts (requires privileged account and not included in the default collection method). Note: use RSAT to gather info Remote Server Administration Tools (RSAT) Remote Server Administration Tools (RSAT) is a set of tools provided by Microsoft that allows IT administrators to manage Windows Server roles and features from a remote computer. These tools are especially useful when administrators need to manage servers that are not physically nearby or accessible. RSAT includes a variety of management tools, snap-ins, and command-line utilities that cover a wide range of administrative tasks. Some of the key features and tools included in RSAT are:
- Server Manager: • Server Manager provides a centralized console for installing, managing, and removing server roles and features on remote servers. It allows administrators to view the status of multiple servers in one interface.
- Active Directory Tools: • RSAT includes various tools for managing Active Directory, such as Active Directory Users and Computers (ADUC), Active Directory Sites and Services (ADSS), Active Directory Domains and Trusts (ADDT), and Active Directory Administrative Center (ADAC).
- Group Policy Management Console (GPMC): • GPMC allows administrators to manage Group Policy settings across the domain, including creating, editing, and managing Group Policy Objects (GPOs).
- Hyper-V Management Tools: • Tools for managing Hyper-V, Microsoft's virtualization platform. This includes Hyper-V Manager for managing virtual machines and the Hyper-V PowerShell module.
- DHCP Management Console: • RSAT provides tools for managing the DHCP server, allowing administrators to configure and monitor DHCP scopes and settings.
- DNS Management Console: • Tools for managing DNS servers, enabling administrators to create and modify DNS records and configurations.
- Remote Desktop Services Tools: • Tools for managing Remote Desktop Services, including Remote Desktop Gateway Manager and RemoteApp Manager.
- File Services Tools: • Tools for managing file services, including Distributed File System (DFS) tools and File Server Resource Manager (FSRM).
- Network Policy and Access Services Tools: • Tools for managing Network Policy Server (NPS) and Routing and Remote Access Services (RRAS).