Active Directory for penetration testers — Part 2 [Active Directory Attacks, Risks, and Mitigation]

Mohammed Barakat
15 min read · Nov 16, 2023


Hello mates!
In the last article I talked about “What is the meaning of Active Directory?”; today I will talk about Active Directory attacks, risks, and mitigations.

An Active Directory attack is when an unauthorized individual tries to take advantage of the weak spots in an AD system. They might be after usernames and passwords, want to sneak in through badly set up access rights, or they could use other methods to get into the network when they’re not supposed to.

So… what are the most common Active Directory attacks you need to know?

It is imperative to be aware of the most common ways attackers compromise Active Directory, which are explained below:

1. Kerberoasting:

Kerberoasting is a type of cyberattack that targets the Kerberos authentication protocol, which Windows networks use to authenticate users and devices. In a Kerberoasting attack, an attacker requests encrypted Kerberos service tickets (something any authenticated domain user may do) and then attempts to crack their encryption offline to recover the service account's password and access network resources.

  • Risks of Kerberoasting Attack:
  1. Unauthorized Access: A Kerberoasting attack allows the attacker to impersonate the compromised account and gain unauthorized access to systems, assets, or networks associated with that account.
  2. Data Theft: Once the attacker has access to the compromised account, they can steal sensitive data, such as intellectual property, customer information, or financial records.
  3. Privilege Escalation: The attacker may attempt to elevate their account privileges and move laterally throughout the network, collecting other account credentials and gaining access to higher-level systems or sensitive information.
  4. Backdoor Creation: Attackers can set up backdoors in the network to ensure future access, making it easier for them to carry out further attacks or maintain persistence within the compromised network.
  • How to defend against a Kerberoasting attack?
  1. Strong Password Policies
  2. Service Account Hardening: Review and secure service accounts in Active Directory. Limit the privileges of service accounts to only what is necessary for their intended purpose. Regularly review and remove unnecessary service accounts.
  3. The Least Privilege Principle: Implement the principle of least privilege by assigning users and service accounts with the minimum level of privileges required to perform their tasks. Avoid granting unnecessary administrative privileges.
  4. Privileged Access Management (PAM): Implement a privileged access management solution to tightly control and monitor privileged account access. This includes implementing just-in-time access, session monitoring, and strong authentication for privileged accounts.
  5. Disable Kerberos Pre-Authentication: Disable pre-authentication for service accounts that do not require it. This can reduce the risk of Kerberoasting attacks by making it more difficult for attackers to obtain the necessary information to crack the Kerberos tickets.
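The mitigations above boil down to knowing which accounts carry SPNs and how exposed each one is. The audit below is an added example written for this article, not code from the original post or from any product: it walks over account records shaped like an LDAP export (attribute names are the real AD ones; the records in SAMPLE_ACCOUNTS, the group names, and the 365-day password-age policy are constructed for the demo) and reports accounts whose service tickets would be issued with RC4, whose passwords are old, or which sit in privileged groups. It also flags accounts with Kerberos pre-authentication disabled, because that flag exposes the account's AS-REP to the same offline cracking (AS-REP roasting), so it is worth reviewing alongside the SPN findings.

```python
"""Audit Active Directory accounts for Kerberoasting exposure.

Added example, not code from the original article. It works on plain dicts
carrying the LDAP attributes an export (ldapsearch, Get-ADUser, ...) would
return; pwdLastSet is assumed to be pre-converted to a datetime. The records
in SAMPLE_ACCOUNTS are constructed for the demonstration.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (documented Microsoft values)
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_REQ_PREAUTH = 0x400000
# msDS-SupportedEncryptionTypes bits
ETYPE_RC4_HMAC = 0x04
ETYPE_AES128 = 0x08
ETYPE_AES256 = 0x10

# Group names simplified to CNs; a real export returns distinguished names.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_SERVICE_PASSWORD_AGE = timedelta(days=365)   # assumed policy for the demo

NOW = datetime(2023, 11, 16, tzinfo=timezone.utc)

SAMPLE_ACCOUNTS = [   # constructed sample data
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": NOW - timedelta(days=3 * 365), "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/web01.corp.example"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": ETYPE_AES128 | ETYPE_AES256,
     "pwdLastSet": NOW - timedelta(days=30), "memberOf": []},
    {"sAMAccountName": "legacy_app", "servicePrincipalName": ["legacy/app01.corp.example"],
     "userAccountControl": 0x10200 | UAC_DONT_REQ_PREAUTH,
     "msDS-SupportedEncryptionTypes": ETYPE_RC4_HMAC | ETYPE_AES128 | ETYPE_AES256,
     "pwdLastSet": NOW - timedelta(days=30), "memberOf": []},
    {"sAMAccountName": "old_svc", "servicePrincipalName": ["CIFS/old.corp.example"],
     "userAccountControl": 0x10200 | UAC_ACCOUNTDISABLE, "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": NOW - timedelta(days=2000), "memberOf": []},
    {"sAMAccountName": "jdoe", "servicePrincipalName": [], "userAccountControl": 0x10200,
     "pwdLastSet": NOW - timedelta(days=10), "memberOf": []},
]


def audit_account(acct, now=NOW):
    """Return the list of findings for one account (empty list = nothing to fix)."""
    findings = []
    name = acct["sAMAccountName"]
    uac = acct.get("userAccountControl", 0)
    if uac & UAC_ACCOUNTDISABLE or name.endswith("$"):
        return findings            # disabled accounts and computer accounts are out of scope

    if acct.get("servicePrincipalName"):      # any SPN makes the account roastable
        etypes = acct.get("msDS-SupportedEncryptionTypes", 0)
        if not etypes & (ETYPE_AES128 | ETYPE_AES256):
            # unset/0 means the DC falls back to RC4, the cheapest ticket to crack
            findings.append("SPN set and no AES support: service tickets issued with RC4")
        elif etypes & ETYPE_RC4_HMAC:
            findings.append("SPN set and RC4 still allowed next to AES")
        age = now - acct["pwdLastSet"]
        if age > MAX_SERVICE_PASSWORD_AGE:
            findings.append(f"SPN set and password {age.days} days old")
        privileged = PRIVILEGED_GROUPS & set(acct.get("memberOf", []))
        if privileged:
            findings.append("SPN set on privileged account: " + ", ".join(sorted(privileged)))

    if uac & UAC_DONT_REQ_PREAUTH:
        findings.append("Kerberos pre-authentication disabled (AS-REP roastable)")
    return findings


def audit(accounts, now=NOW):
    """Map sAMAccountName -> findings, for accounts that have at least one."""
    result = {}
    for acct in accounts:
        findings = audit_account(acct, now)
        if findings:
            result[acct["sAMAccountName"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On the sample data the script reports svc_sql (RC4 tickets, a three-year-old password, and Domain Admins membership, the worst combination) and legacy_app (RC4 still enabled, pre-authentication disabled), while svc_web, with AES-only tickets and a fresh password, passes. The usual fixes are group Managed Service Accounts or long random passwords for anything with an SPN, AES-only encryption types, and no SPNs on privileged accounts.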

2. Password Spraying:

  • Password spraying is a type of cyberattack where an attacker attempts to gain unauthorized access to user accounts by systematically trying a few commonly used passwords or a list of previously compromised passwords against multiple user accounts. Unlike traditional brute-force attacks that target a single account with multiple password attempts, password spraying involves trying a few passwords against many accounts.
  • The goal of password spraying is to avoid detection by avoiding multiple failed login attempts on a single account, which could trigger account lockouts or alert security systems. By using a few attempts per account, the attacker can fly under the radar and increase their chances of success.
  • Here’s how a typical password spraying attack works:
    1. Target Selection: The attacker identifies a target organization or network and selects a list of user accounts to target. This can be done through reconnaissance, social engineering, or by obtaining leaked or publicly available user credentials.
    2. Password Selection: The attacker chooses a small set of commonly used passwords or a list of previously compromised passwords. These passwords are often selected based on their popularity or the likelihood that users might select them.
    3. Attack Execution: The attacker uses automated tools or scripts to systematically try each password against multiple user accounts. They typically use a slow and steady approach to avoid detection, spacing out the login attempts over an extended period of time.
    4. Account Compromise: If the attacker successfully guesses a password for a user account, they gain unauthorized access to that account. They can then use the compromised account to further their attack, such as escalating privileges, accessing sensitive data, or launching additional attacks within the network.
  • How to defend against password spraying attacks?
  1. Strong Password Policies: Enforce strong password requirements, including complexity, length, and regular password changes. Discourage the use of easily guessable passwords.
  2. Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security. Even if an attacker manages to guess a password, they would still need the second factor (e.g., a code from a mobile app) to gain access.
  3. Account Lockout Policies: Implement account lockout policies that temporarily lock user accounts after a certain number of failed login attempts. This can help prevent brute-force and password spraying attacks.
  4. User Awareness and Training: Educate users about the importance of using strong, unique passwords and the risks associated with password reuse. Encourage them to enable MFA and report any suspicious login attempts.
  5. Monitoring and Detection: Implement security monitoring and detection systems that can identify patterns of suspicious login activity, such as multiple failed login attempts from different accounts or unusual login locations.

3. Pass-the-hash with Mimikatz:

  • A pass-the-hash attack with Mimikatz is a type of cyberattack in which an attacker steals a user's hashed credentials and uses them to gain unauthorized access to a system or network. Mimikatz is a popular tool for extracting passwords and hashes from memory, which enables attackers to perform pass-the-hash attacks.
  • The risks associated with pass-the-hash with Mimikatz attacks are significant. Once an attacker has obtained the hashed credentials, they can use Mimikatz to impersonate the user and gain access to sensitive resources, escalate privileges, and perform malicious activities. This can lead to data breaches, unauthorized access to critical systems, and the ability to move laterally within a network.
  • How to defend against pass-the-hash attacks:
  1. Implement strong password policies: Enforce the use of complex and unique passwords to make it harder for attackers to crack or guess the passwords associated with the hashed credentials.
  2. Implement multifactor authentication (MFA): Require users to provide additional verification, such as a one-time password or biometric authentication, in addition to their password. This adds an extra layer of security and makes it more difficult for attackers to gain unauthorized access.
  3. Logon restrictions: Use logon restrictions to ensure that your privileged account hashes are never stored in a place where they can be extracted.
  4. Implement privileged access management (PAM): Use PAM solutions to manage and control privileged accounts. This includes regularly reviewing and revoking unnecessary privileges, implementing just-in-time access, and monitoring privileged account activity.
  5. Additional hardening: Consider enabling LSA Protection, leveraging the Protected Users security group, and using Restricted Admin mode for Remote Desktop.

4. Default Credentials:

  • Yes!… Default credentials count as an Active Directory attack!
    A Default Credentials attack is a type of cybersecurity attack where an attacker exploits the use of default usernames and passwords that are commonly set by manufacturers or vendors for their systems, devices, or applications. These default credentials are often publicly known or easily discoverable, making it easier for attackers to gain unauthorized access to these systems.
  • The risks associated with Default Credentials attacks:
  1. Unauthorized access: Attackers can gain access to systems, devices, or applications using default credentials, allowing them to view, modify, or steal sensitive information.
  2. Privilege escalation: Default credentials may provide administrative or privileged access to systems, enabling attackers to escalate their privileges and gain control over critical resources.
  3. Data breaches: Default credentials can be used to access databases or web applications, potentially leading to the exposure or theft of sensitive data.
  4. Network compromise: Attackers can exploit default credentials on network equipment such as routers, switches, or firewalls, compromising the entire network infrastructure.
  • How to defend against the Default Credentials attacks:
    Simply change the default credentials ^__^

5. Access Control List (ACL):

  • Access Control List (ACL) attacks refer to malicious activities aimed at exploiting vulnerabilities in ACL configurations to gain unauthorized access to network resources or bypass security measures. These attacks can pose significant risks to the security and integrity of a network. However, there are several mitigation strategies that can help protect against ACL attacks.
  • The Risks of Access Control List Attacks:
  1. Unauthorized Access: Attackers may exploit ACL misconfigurations to gain unauthorized access to sensitive network resources, compromising the confidentiality and integrity of data.
  2. Network Service Disruption: ACL attacks can disrupt network services by blocking legitimate traffic or allowing malicious traffic to pass through, leading to service outages and potential loss of productivity.
  3. Data Exfiltration: Attackers may exploit ACL weaknesses to exfiltrate sensitive data from the network, leading to potential data breaches and financial losses.
  4. Elevation of Privileges: ACL attacks can enable attackers to escalate their privileges within the network, granting them unauthorized control over critical systems and resources.
  • How to defend against Access Control List Attacks:
  1. Principle of the Least Privilege: Apply the principle of least privilege by granting only the necessary access permissions to users and systems. Restrict access to sensitive resources and limit the scope of ACL rules to minimize the attack surface.
  2. Network Segmentation: Implement network segmentation to divide the network into smaller, isolated segments. This helps contain the impact of ACL attacks by limiting the attacker’s ability to move laterally within the network.
  3. Intrusion Detection and Prevention Systems: Deploy intrusion detection and prevention systems (IDPS) to monitor network traffic and detect any suspicious or malicious activities. IDPS can help identify and block ACL attacks in real-time.
  4. Security Awareness and Training: Educate network administrators and users about ACL best practices, potential risks, and common attack techniques. Regular security awareness training can help mitigate human errors and improve overall security awareness.
  • Read more about Access Control List Attacks:
  1. how-to-exploit-active-directory-acl-attack-paths-through-ldap-relaying-attacks
  2. active directory access control list attacks-and-defense
  3. from-botnets-to-dacl-backdoors-a-journey-through-modern-active-directory-attacks-part-i/
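The first mitigation (least privilege on ACLs) is only enforceable if you can find the ACEs that grant more than they should. The reviewer below is an added example written for this article, not code from the original post or from BloodHound: it models ACEs as dicts with the fields a DACL export would provide and reports non-trusted principals holding rights that translate into control of an object (GenericAll, WriteDacl, WriteOwner, writing the member attribute, the force-change-password right, and the two replication rights on the domain head). The access-mask bits and GUIDs are Microsoft's documented values; the TRUSTED_PRINCIPALS set, the object names and the ACE list are constructed for the demo.

```python
"""Find dangerous ACEs in Active Directory object DACLs.

Added example, not code from the original article. ACEs are modelled as dicts
with the fields a directory export or collector would provide; the access-mask
bits and extended-right/attribute GUIDs are Microsoft's documented values. The
objects, principals and ACE list in SAMPLE_DACLS are constructed for the demo.
"""
from collections import defaultdict

# Access-mask bits (ADS_RIGHTS_ENUM)
GENERIC_ALL = 0x10000000
GENERIC_WRITE = 0x40000000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
WRITE_PROP = 0x00000020
CONTROL_ACCESS = 0x00000100      # an extended right; which one is in object_type

# Extended-right and attribute GUIDs as stored in AD (lower-case)
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
MEMBER_ATTRIBUTE = "bf9679c0-0de6-11d0-a285-00aa003049e2"

EXTENDED_RIGHT_NAMES = {
    FORCE_CHANGE_PASSWORD: "ForceChangePassword",
    DS_REPL_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPL_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
}

# Principals that legitimately hold broad rights; everything else is reviewed.
# Constructed for the example; tailor to the forest being audited.
TRUSTED_PRINCIPALS = {"S-1-5-18", "BUILTIN\\Administrators", "CORP\\Domain Admins",
                      "CORP\\Enterprise Admins", "CORP\\Enterprise Domain Controllers"}

DOMAIN_DN = "DC=corp,DC=example"
SAMPLE_DACLS = {   # constructed sample data: {object DN: [ACE, ...]}
    DOMAIN_DN: [
        {"trustee": "CORP\\Domain Admins", "type": "allow", "mask": GENERIC_ALL, "object_type": None},
        {"trustee": "CORP\\backup-svc", "type": "allow", "mask": CONTROL_ACCESS, "object_type": DS_REPL_GET_CHANGES},
        {"trustee": "CORP\\backup-svc", "type": "allow", "mask": CONTROL_ACCESS, "object_type": DS_REPL_GET_CHANGES_ALL},
        {"trustee": "CORP\\helpdesk", "type": "allow", "mask": CONTROL_ACCESS, "object_type": DS_REPL_GET_CHANGES},
    ],
    "CN=Domain Admins,CN=Users," + DOMAIN_DN: [
        {"trustee": "CORP\\helpdesk", "type": "allow", "mask": WRITE_PROP, "object_type": MEMBER_ATTRIBUTE},
        # READ_CONTROL | READ_PROP | LIST | LIST_OBJECT: read-only, benign
        {"trustee": "CORP\\Authenticated Users", "type": "allow", "mask": 0x20094, "object_type": None},
    ],
    "CN=jdoe,CN=Users," + DOMAIN_DN: [
        {"trustee": "CORP\\helpdesk", "type": "allow", "mask": CONTROL_ACCESS, "object_type": FORCE_CHANGE_PASSWORD},
        {"trustee": "CORP\\legacy-app", "type": "deny", "mask": GENERIC_ALL, "object_type": None},
    ],
}


def classify(ace):
    """Map one ACE to the list of control-relevant rights it grants (empty = benign)."""
    if ace["type"] != "allow" or ace["trustee"] in TRUSTED_PRINCIPALS:
        return []
    mask = ace["mask"]
    obj = (ace.get("object_type") or "").lower()
    rights = []
    if mask & GENERIC_ALL:
        rights.append("GenericAll")
    if mask & GENERIC_WRITE:
        rights.append("GenericWrite")
    if mask & WRITE_DAC:
        rights.append("WriteDacl")
    if mask & WRITE_OWNER:
        rights.append("WriteOwner")
    if mask & WRITE_PROP and obj == "":
        rights.append("WriteAllProperties")
    elif mask & WRITE_PROP and obj == MEMBER_ATTRIBUTE:
        rights.append("AddMember")
    if mask & CONTROL_ACCESS:
        if obj == "":
            rights.append("AllExtendedRights")   # no object type = every extended right, replication included
        else:
            rights.append(EXTENDED_RIGHT_NAMES.get(obj, "ExtendedRight:" + obj))
    return rights


def review(dacls):
    """Return sorted (trustee, right, object DN) triples for every finding."""
    return sorted((ace["trustee"], right, dn)
                  for dn, aces in dacls.items()
                  for ace in aces for right in classify(ace))


def replication_holders(dacls, domain_dn):
    """Non-trusted principals that can replicate secrets from the domain head:
    both replication rights, or a right that implies them."""
    rights = defaultdict(set)
    for ace in dacls.get(domain_dn, []):
        rights[ace["trustee"]].update(classify(ace))
    both = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
    return sorted(trustee for trustee, held in rights.items()
                  if both <= held or held & {"AllExtendedRights", "GenericAll"})


if __name__ == "__main__":
    for trustee, right, dn in review(SAMPLE_DACLS):
        print(f"{trustee:28} {right:32} {dn}")
    print("can replicate secrets:", replication_holders(SAMPLE_DACLS, DOMAIN_DN))
```

On the sample DACLs the review surfaces helpdesk's ability to add members to Domain Admins and reset jdoe's password, and backup-svc holding both replication rights on the domain head; the deny ACE and the read-only ACE are correctly ignored. Each finding is a candidate for removal under the least-privilege rule, or at least for a documented justification.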

6. NTDS.dit Extraction:

All data in Active Directory is stored in the file ntds.dit (“the dit”) on every domain controller (in C:\Windows\NTDS\ by default). Attackers can use the password hashes directly from the dit to advance objectives. Cracking user passwords is beneficial even if an adversary has already obtained domain dominance, as users frequently re-use passwords across domain-joined and non-domain-joined systems and applications.

To gain access to the ntds.dit file on a domain controller, an adversary must have already gained administrator access to Active Directory. Alternatively, an adversary could compromise the enterprise backup solution responsible for backing up domain controllers and copy ntds.dit from a backup. Most organizations do not frequently rotate the krbtgt secret (see the Golden Ticket attack) so even older backups can be useful.

  • Risks of NTDS.dit Extraction Attack:
  1. Unauthorized Access: With access to the NTDS.dit file, an attacker can crack user passwords and log in using valid credentials without being detected.
  2. Privilege Escalation: By compromising user accounts, the attacker can escalate their privileges and gain access to sensitive resources and systems within the network.
  3. Data Breach: The stolen user credentials can be used to access sensitive data, leading to a potential data breach and exposure of confidential information.
  4. Disruption of Services: If the attacker successfully extracts the NTDS.dit file, they can disrupt the Active Directory services, causing downtime and impacting business operations.
  • How to defend against NTDS.dit Extraction Attack?
  1. Implement Strong Access Controls: Limit access to domain controllers and ensure that only authorized personnel have administrative privileges.
  2. Microsoft best practices recommend using a tiered administrative model for Active Directory to strictly control access rights, which can minimize attack paths in Active Directory. In addition, keeping an eye out for anomalous authentication and login activity can help uncover attempts to exploit attack paths.
  • Read more about NTDS.dit extraction attack:
  1. extracting-password-hashes-from-the-ntds-dit-file
  2. https://www.tenable.com/indicators/ioa/I-NtdsExtraction

7. BloodHound Reconnaissance:

A BloodHound reconnaissance attack is an attack that uses the BloodHound tool to gather information about an organization’s Active Directory (AD) environment. The tool visualizes the relationships, permissions, and attack paths within AD, allowing attackers to identify vulnerabilities and potential paths to elevated privileges, such as membership in the Domain Admins group.

  • Risks of BloodHound Reconnaissance Attack:
  1. Unauthorized Access: By identifying hidden relationships and vulnerabilities, attackers can gain unauthorized access to sensitive data and systems within the AD environment.
  2. Lateral Movement: BloodHound helps attackers identify attack paths that allow them to move laterally within the network, potentially compromising multiple systems and escalating their privileges.
  3. Privilege Escalation: BloodHound can reveal chains of permissions that, if exploited, can enable attackers to elevate their privileges and gain control over critical resources.
  • How to defend against a BloodHound reconnaissance attack: there is no direct way to prevent BloodHound reconnaissance, but the following best practices reduce the risk it poses:
  1. Regular Permissions Review: Conduct regular reviews of Active Directory permissions to identify and remove unnecessary or excessive privileges. This helps reduce the attack surface and minimize the potential impact of BloodHound reconnaissance.
  2. Principle of Least Privilege (PoLP): Implement the principle of least privilege by granting users only the permissions necessary to perform their tasks. This reduces the potential for attackers to exploit excessive privileges.
  3. User Training and Awareness: Educate users about the risks of social engineering and phishing attacks, as these are common entry points for BloodHound reconnaissance. Encourage users to report suspicious activities and maintain strong password hygiene.
  4. Network Segmentation: Implement network segmentation to limit lateral movement within the network. By separating critical systems and resources, you can minimize the impact of a BloodHound reconnaissance attack.
  5. Monitoring and Detection: Implement robust monitoring and detection systems to identify suspicious activities and potential BloodHound reconnaissance attempts. This includes monitoring for unusual access patterns, privilege escalation attempts, and abnormal user behavior.

8. LDAP Reconnaissance:

This is a technique used by attackers to gather information about an Active Directory (AD) environment using LDAP queries. LDAP (Lightweight Directory Access Protocol) is a protocol used for authentication and communication with directory services, including AD.
Adversaries who have already gained access to your Active Directory environment can use LDAP queries to gather further information about the environment. Using this method, they can discover users, groups, and computers, which will help them plan their next move.

9. Golden Ticket & Silver Ticket attack:

Golden Ticket and Silver Ticket attacks are two types of privilege escalation attacks that exploit vulnerabilities in the Kerberos authentication protocol to gain unauthorized access to Active Directory domains.

What is the difference between Golden Ticket and Silver Ticket attack?

  • A Golden Ticket attack: is a type of credential theft attack in which an attacker obtains a forged Kerberos ticket-granting ticket (TGT) that allows them to impersonate any user in the domain. This is done by extracting the hash of the domain controller’s Kerberos service account, which is typically stored in the SYSVOL directory. Once the attacker has the hash, they can use it to create a forged TGT that will be accepted by all domain controllers.
  • A Silver Ticket attack: is a type of credential theft attack in which an attacker obtains a forged Kerberos service ticket (ST) that allows them to request service tickets on behalf of other users. This is done by forging the client name and service principal name (SPN) in the Kerberos authentication request. Once the attacker has a forged ST, they can use it to request service tickets for any service in the domain, including services that the attacker does not have access to.
  • Risks of Golden Ticket & Silver Ticket Attack:
  1. Data theft: Attackers can use their stolen credentials to access sensitive data stored in Active Directory, such as passwords, email addresses, and financial information.
  2. Unauthorized access to systems: Attackers can use their stolen credentials to gain unauthorized access to systems throughout the domain, including servers, workstations, and network devices.
  3. Installation of malware: Attackers can use their stolen credentials to install malware on systems throughout the domain.
  4. Disruption of operations: Attackers can use their stolen credentials to disrupt operations throughout the domain, such as by shutting down servers or denying access to critical resources.
  • How to defend against Golden Ticket and Silver Ticket Attacks?
  1. Enable Kerberos AES encryption: Kerberos AES encryption can help to protect Kerberos tickets from being forged.
  2. Monitor Active Directory for suspicious activity: Organizations should monitor Active Directory for suspicious activity, such as failed login attempts and unauthorized access to sensitive data.
  3. Implement a least privilege policy: A least privilege policy ensures that users only have access to the resources they need to do their jobs.
  4. Install endpoint protection to block attackers from loading modules like mimikatz.
  5. Create a choke point for access to your DCs, adding another layer of protection.
  6. Create a terminal server that can only talk to the DCs, and configure the DCs to only accept administrative connections from that terminal server.
  7. Set all admin and service accounts to “Sensitive and cannot be delegated”.
  8. In addition, hunt for malformed or blank fields in Windows logon/logoff events (Event IDs 4624, 4634, 4672).
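Item 8 deserves a concrete shape. A forged ticket is built outside the KDC, so the fields the domain controller copies out of it can differ from what a genuine logon produces: an empty Account Domain, the DNS-style domain name where the NetBIOS name is expected, or an account name the directory does not know at all. The hunt below is an added example written for this article, not code from the original post; EXPECTED_NETBIOS and KNOWN_ACCOUNTS are assumptions that would come from the real domain, and the event lines are constructed in a simplified key=value form rather than real Windows log output.

```python
"""Hunt for malformed fields in logon events (4624/4634/4672) that can betray forged tickets.

Added example, not code from the original article. EXPECTED_NETBIOS and
KNOWN_ACCOUNTS are assumed for the demo (in practice: the domain's NetBIOS
name and an account list pulled from the directory); SAMPLE_EVENTS is
constructed in a simplified key=value form.
"""
EXPECTED_NETBIOS = "CORP"
KNOWN_ACCOUNTS = {"jdoe", "administrator", "svc_sql", "DC01$"}

SAMPLE_EVENTS = [   # constructed sample data
    "id=4624 type=3 user=jdoe domain=CORP src=10.0.1.15 auth=Kerberos",
    "id=4624 type=3 user=DC01$ domain=CORP src=10.0.0.2 auth=Kerberos",
    "id=4634 type=3 user=jdoe domain=CORP",
    # DNS-style domain where the NetBIOS name is expected
    "id=4624 type=3 user=administrator domain=corp.example src=10.0.1.77 auth=Kerberos",
    # blank domain and an account that does not exist, yet it logs on and is assigned special privileges
    "id=4624 type=3 user=ghost domain= src=10.0.1.77 auth=Kerberos",
    "id=4672 user=ghost domain=",
]


def parse(line):
    """Turn one constructed key=value line into a dict (empty values are kept as '')."""
    return dict(kv.split("=", 1) for kv in line.split())


def anomalies(ev):
    """Reasons this logon/logoff event looks malformed (empty list = looks normal)."""
    reasons = []
    if ev.get("id") not in ("4624", "4634", "4672"):
        return reasons
    domain = ev.get("domain", "")
    if domain == "":
        reasons.append("blank account domain")
    elif "." in domain:
        reasons.append(f"DNS-style domain '{domain}' where NetBIOS '{EXPECTED_NETBIOS}' is expected")
    if ev.get("user") not in KNOWN_ACCOUNTS:
        reasons.append(f"account '{ev.get('user')}' not found in the directory")
    return reasons


def hunt(lines):
    """Return (event id, user, reason) triples for every anomaly found."""
    return [(ev["id"], ev["user"], reason)
            for ev in map(parse, lines) for reason in anomalies(ev)]


def suspicious_users(lines):
    """Distinct account names that appeared in at least one anomalous event."""
    return sorted({user for _, user, _ in hunt(lines)})


if __name__ == "__main__":
    for event_id, user, reason in hunt(SAMPLE_EVENTS):
        print(f"{event_id} {user:15} {reason}")
```

Logons from trusted forests legitimately carry a different domain name, so the domain check needs the trust list as an allowlist before it goes into production. A hit on a non-existent account, especially one that also triggers 4672, is the strongest signal in this set and should be treated as a possible forged ticket, with the krbtgt password rotation from the mitigation list as the response.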

10. DCSync attacks:

A Directory Replication Service (DRS) replication attack, also known as a DCSync attack, is a technique used by attackers to steal the entire Active Directory database from a domain controller. This can be done by exploiting a vulnerability in the DRS replication protocol or by compromising a domain controller and using its credentials to replicate the database.

  • Risks of DCSync Attack:
  1. Data theft: Attackers can use their stolen credentials to access sensitive data stored in Active Directory, such as passwords, email addresses, and financial information.
  2. Unauthorized access to systems: Attackers can use their stolen credentials to gain unauthorized access to systems throughout the domain, including servers, workstations, and network devices.
  3. Installation of malware: Attackers can use their stolen credentials to install malware on systems throughout the domain.
  4. Disruption of operations: Attackers can use their stolen credentials to disrupt operations throughout the domain, such as by shutting down servers or denying access to critical resources.
  • How to defend against DCSync Attacks:
  1. Limit the number of security principals with replication rights to only those that absolutely require those rights.
  2. Restrict replication traffic to specific networks.
  3. Monitor for and investigate unauthorized replication requests.
  4. Use privileged access management (PAM) solutions to manage and control access to sensitive systems.
  5. Implement a data loss prevention (DLP) solution to prevent the unauthorized copying or transfer of sensitive data.
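Mitigation 3 (monitor for unauthorized replication requests) can be implemented on top of Event ID 4662. With auditing of directory service access enabled, a replication request generates a 4662 whose Properties field carries the GUIDs of the control-access rights used, and the right that actually returns secrets is DS-Replication-Get-Changes-All. The detector below is an added example written for this article, not code from the original post; the GUIDs are Microsoft's documented values, while DOMAIN_CONTROLLERS, ALLOWLISTED_SYNC_ACCOUNTS and the event lines (simplified key=value form, GUIDs joined with ';') are constructed for the demo.

```python
"""Flag directory replication requests (Event ID 4662) from non-DC principals.

Added example, not code from the original article. DOMAIN_CONTROLLERS and
ALLOWLISTED_SYNC_ACCOUNTS are assumed for the demo; SAMPLE_EVENTS is constructed
in a simplified key=value form with the Properties GUIDs joined by ';'.
"""
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
CONTROL_ACCESS = 0x100                          # access-mask bit for extended rights

DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}          # assumed: computer accounts of the DCs
ALLOWLISTED_SYNC_ACCOUNTS = {"MSOL_sync"}        # assumed: e.g. a directory-sync connector account

BOTH = DS_REPL_GET_CHANGES + ";" + DS_REPL_GET_CHANGES_ALL
SAMPLE_EVENTS = [   # constructed sample data
    # normal DC-to-DC replication
    "id=4662 subject=DC02$ object=DC=corp,DC=example mask=0x100 props=" + BOTH,
    # expected sync connector: keep on a dashboard, do not page anyone
    "id=4662 subject=MSOL_sync object=DC=corp,DC=example mask=0x100 props=" + BOTH,
    # an ordinary user pulling secrets through replication
    "id=4662 subject=jdoe object=DC=corp,DC=example mask=0x100 props=" + BOTH,
    # replication without the secrets right: still unusual for a non-DC
    "id=4662 subject=svc_backup object=DC=corp,DC=example mask=0x100 props=" + DS_REPL_GET_CHANGES,
    # a property read on a user object: not replication
    "id=4662 subject=jdoe object=CN=jdoe,CN=Users,DC=corp,DC=example mask=0x10 props=bf967a86-0de6-11d0-a285-00aa003049e2",
    "id=4624 subject=jdoe src=10.0.1.15",
]


def parse(line):
    """Turn one constructed key=value line into a dict (values may contain '=')."""
    return dict(kv.split("=", 1) for kv in line.split())


def classify(ev):
    """None if the event is not a replication request worth noting; else (subject, severity)."""
    if ev.get("id") != "4662" or not int(ev.get("mask", "0"), 16) & CONTROL_ACCESS:
        return None
    props = set(ev.get("props", "").split(";"))
    if not props & {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}:
        return None
    subject = ev["subject"]
    if subject in DOMAIN_CONTROLLERS:
        return None                                # DCs replicate with each other all day
    if subject in ALLOWLISTED_SYNC_ACCOUNTS:
        return (subject, "info")
    # Get-Changes-All is the right that returns secrets (password hashes)
    return (subject, "high" if DS_REPL_GET_CHANGES_ALL in props else "medium")


def detect_dcsync(lines):
    """Return (subject, severity) pairs in event order for every flagged request."""
    return [hit for hit in map(classify, map(parse, lines)) if hit]


if __name__ == "__main__":
    for subject, severity in detect_dcsync(SAMPLE_EVENTS):
        print(f"{severity:6} replication request by {subject}")
```

The allowlist is the part that needs care: every account placed there is, by definition, one whose compromise yields the whole domain's secrets, so it should be short, reviewed, and cross-checked against the replication rights actually present on the domain object.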

11. LDAP injection:

An LDAP injection attack is a type of attack that exploits vulnerabilities in the Lightweight Directory Access Protocol (LDAP) to gain unauthorized access to information or resources. LDAP is a protocol used to access and manage information in directory services, such as Active Directory and OpenLDAP.

How do LDAP injection attacks work?
LDAP injection attacks typically occur when an attacker is able to inject malicious code into an LDAP query. This can be done through a variety of methods, such as:

  1. User input: Attackers can exploit vulnerabilities in web applications that use LDAP to authenticate users or query directory services. If an attacker is able to control the input that is passed to an LDAP query, they may be able to inject malicious code into the query.
  2. Network traffic: Attackers can intercept and modify LDAP traffic that is being transmitted between a client and a server. This can be done by using a network sniffer or by exploiting vulnerabilities in the network infrastructure.

Once an attacker is able to inject malicious code into an LDAP query, they can use it to:

  1. Read or modify data in the directory: Attackers can use malicious LDAP queries to read or modify data that is stored in the directory, such as user passwords or access control lists.
  2. Execute arbitrary code: In some cases, attackers may be able to execute arbitrary code on the LDAP server. This can give them complete control over the server.
  • Risks of LDAP Injection Attacks:
  1. Data breaches: Attackers can use LDAP injection attacks to steal sensitive data from directory services, such as passwords, email addresses, and credit card numbers.
  2. Unauthorized access to systems: Attackers can use LDAP injection attacks to gain unauthorized access to systems that are connected to the directory service.
  3. Denial of service (DoS) attacks: Attackers can use LDAP injection attacks to overload LDAP servers and cause them to crash or become unavailable.
  • How to defend against LDAP Injection Attacks:
  1. Input validation: Organizations should validate all user input before it is used in an LDAP query. This can help to prevent attackers from injecting malicious code into the query.
  2. Monitoring and logging: Organizations should monitor LDAP traffic for suspicious activity and log all LDAP queries. This can help to detect and investigate LDAP injection attacks.
  3. Use a web application firewall (WAF): A WAF can be used to block malicious LDAP queries before they reach the LDAP server.
  4. Use a network intrusion detection system (IDS) or intrusion prevention system (IPS): An IDS or IPS can be used to detect and block malicious LDAP traffic.
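Input validation is the mitigation the application itself controls, and it is worth seeing exactly what it changes. The snippet below is an added example written for this article, not code from the original post: it shows the vulnerable string-built login filter beside a hardened version that escapes the RFC 4515 special characters, plus an allowlist check that rejects implausible account names before any query is built. Function names and the sample payload are constructed for the demo.

```python
"""Build LDAP search filters from user input without injection.

Added example, not code from the original article. Function names and the
sample payload are constructed for the demo.
"""
import re

# RFC 4515 section 3: these characters must be encoded as \XX inside a filter value
_FILTER_SPECIALS = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}
# Allowlist for account names; adjust to the naming convention actually in use
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    # Vulnerable: the user name is pasted straight into the filter grammar,
    # so metacharacters in it become part of the query structure.
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_login_filter_safe(username: str) -> str:
    # Hardened: metacharacters are escaped, so the input can only ever match literally.
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def validate_username(username: str) -> bool:
    """Allowlist check: reject anything that is not a plausible account name before querying."""
    return USERNAME_RE.fullmatch(username) is not None


def assertion_count(ldap_filter: str) -> int:
    """Count attribute assertions '(attr=value)' in a filter; a login filter should have exactly two."""
    return len(re.findall(r"\([A-Za-z][A-Za-z0-9-]*[~<>]?=", ldap_filter))


if __name__ == "__main__":
    payload = "*)(objectClass=*"            # constructed: closes the assertion and adds a wildcard one
    for builder in (build_login_filter_unsafe, build_login_filter_safe):
        f = builder(payload)
        print(f"{builder.__name__:26} assertions={assertion_count(f)}  {f}")
    print("validate_username(payload):", validate_username(payload))
```

Run on the sample payload, the unsafe builder produces a filter with three assertions, one of them `(objectClass=*)`, which matches every object; the safe builder produces two assertions and a sAMAccountName value that can only match the literal string. Libraries ship the same escaping (for example `escape_filter_chars` in `ldap3.utils.conv`); use the library routine when there is one, and remember that values placed in a distinguished name follow a different escaping rule (RFC 4514), so a filter escaper must not be reused for DNs.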

See you in the next article…😁
Best Regards.


Mohammed Barakat

network & web-application penetration tester| Bugbounty Hunter | CTF player