Understanding AD
Enumeration
ATTL4S & ElephantSe4l
# ATTL4S
• Daniel López Jiménez (a.k.a. ATTL4S)
• Twitter: @DaniLJ94
• GitHub: @ATTL4S
• Youtube: ATTL4S
• Loves Windows and Active Directory security
• Senior Security Consultant at NCC Group
• Associate Teacher at Universidad Castilla-La Mancha (MCSI)
Confs: NavajaNegra, No cON Name, h-c0n, Hack&Beers
Posts: Crummie5, NCC Group’s blog, Hackplayers
Certs: CRTO, PACES, OSCP, CRTE
[Link]
# ElephantSe4l
• Godlike Programmer and Elephant Seal
• Twitter: @ElephantSe4l
• GitHub: @ElephantSe4l
• Very curious, he enjoys understanding complex and weird things
• Mind behind all the low-level contents of my talks
This has been written by ATTL4S
The goal of this talk is to understand, from an offensive perspective, where the
relevant information in Active Directory environments is, how to access that
information and, lastly, why that information is relevant
Agenda
1. Introduction
2. Offensive Enumeration
• Local Privileges
• Logons and Network Sessions
• LDAP
Introduction
[Diagram: an internal network hosting the domain]
We will focus on having domain creds
However, a lot of information can be enumerated without them
(exposed services, open shares, network traffic, unauth information…)
Credentials
By default, authenticated accounts can access a lot of information in AD
But Domain Credentials are not only user accounts
• Computer accounts also work
• NT AUTHORITY\SYSTEM authenticates on the network as the host's domain computer account
• Domain Service Accounts are essentially user accounts
Enumeration approach?
[Diagram: CAP\Goku on HostA querying LDAP (backed by NTDS) on the Domain Controller]
Simplifying it
• Local Privileges
• Who is a local admin, and where?
• Logons and Network Sessions
• Where are the Domain Admins logged on?
• LDAP
• What objects are there, and how do they relate to each other?
REMEMBER
As long as you have visibility to a Domain Controller and domain
credentials, you can access tons of GOODIES
Offensive AD Enumeration
Local Privileges
Who… and where?
• Who is a local admin and where?
• Who can RDP and where?
• Who can use PS Remoting and where?
• …
Privileged Local Groups
Members of the following local groups for each system of the domain?
• Administrators
• Remote Desktop Users
• Distributed COM Users
• Remote Management Users
• …
We mostly care about:
• Local privileged accounts sharing the same password across systems
(watch out: UAC remote restrictions hand non-RID-500 local admins a filtered,
non-admin token over the network unless LocalAccountTokenFilterPolicy is set)
• Domain users/groups that are members of local privileged groups
[Diagram: two ways to answer it: (1) query the SAM of each host remotely, (2) enumerate local group membership from the GPOs held on the Domain Controller]
Remote SAM
• Win32 API (PowerView)
• NetLocalGroupGetMembers
• NetLocalGroupEnum
• NetUserEnum
• ADSI WinNT Provider (PowerView)
• MS-RPC (Impacket)
Restrictions – Remote SAM
• Older systems allow any Domain User by default
• By default newer systems only allow Administrators (beginning with Windows 10
version 1607 and Windows Server 2016)
Restrictions – Remote SAM
• Controlled by the following policy:
• Network access: Restrict clients allowed to make remote calls to SAM
• An administrator can edit the policy to enforce or relax restrictions
• Manually or with SAMRi10
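Added example, not code from the original slides: remote SAM enumeration through the ADSI WinNT provider (the route PowerView's Get-NetLocalGroupMember takes by default), followed by a read of the policy value that gates it. The host name, the CAP domain and the group list are assumptions.

```powershell
# Added example; not code from the original slides. Host names are assumptions.

function Get-RemoteLocalGroupMember {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string[]]$GroupName = @('Administrators', 'Remote Desktop Users',
                                 'Distributed COM Users', 'Remote Management Users')
    )
    foreach ($g in $GroupName) {
        try {
            $group = [ADSI]"WinNT://$ComputerName/$g,group"
            foreach ($m in $group.psbase.Invoke('Members')) {
                $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
                $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
                # WinNT://CAP/Goku is a domain principal; WinNT://HostA/Administrator is a local one
                $parts = ($path -replace '^WinNT://', '') -split '/'
                [pscustomobject]@{
                    ComputerName = $ComputerName
                    LocalGroup   = $g
                    Member       = "$($parts[-2])\$($parts[-1])"
                    Class        = $class          # User or Group
                    IsDomain     = ($parts[-2] -ne $ComputerName)
                }
            }
        } catch {
            # "Access is denied" here is what the RestrictRemoteSAM default looks like from the outside
            Write-Warning "$ComputerName/$g : $($_.Exception.Message)"
        }
    }
}

# Reads the SDDL behind "Network access: Restrict clients allowed to make remote calls to SAM".
# Needs Remote Registry access (admin). When unset, the OS default applies, which on
# Windows 10 1607+ / Server 2016+ is O:BAG:BAD:(A;;RC;;;BA), i.e. Administrators only.
function Get-RestrictRemoteSamPolicy {
    param([Parameter(Mandatory)][string]$ComputerName)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $sddl = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa').GetValue('RestrictRemoteSAM')
        if (-not $sddl) { return 'RestrictRemoteSAM not set: OS default applies' }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            [pscustomobject]@{ Sddl = $sddl; Sid = $ace.SecurityIdentifier.Value; AceType = $ace.AceType; AccessMask = $ace.AccessMask }
        }
    } finally { $hive.Close() }
}

Get-RemoteLocalGroupMember -ComputerName 'HostA' | Format-Table -AutoSize
Get-RestrictRemoteSamPolicy -ComputerName 'HostA'
```

As a low-privileged domain user, the policy read will itself be denied on a hardened host; the practical test is simply whether the first function returns members or an access-denied warning.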
Restricted Groups (and the old GPP)
Logons and Network Sessions
[Diagram: CAP\Goku on HostA asking each host, and the Domain Controller, who is logged on]
Logons
• Querying for the users logged on to a system is useful for hunting purposes
• where are the Domain Admins?
• These techniques require Local Admin privileges on the target
• Can be enumerated using:
• MS-RPC (e.g. MS-WKST)
• Win32 API (e.g. NetWkstaUserEnum)
• Remote Registry (e.g. the loaded profile hives under HKEY_USERS)
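Added example, not code from the original slides: the Remote Registry route to logons. Every interactively logged-on user has a profile hive loaded under HKEY_USERS keyed by SID, so listing those keys remotely gives the logon list. It needs the Remote Registry service and admin rights on the target; host names, the CAP domain and the admin list are assumptions.

```powershell
# Added example; not code from the original slides. Hosts, domain and names are assumptions.

function Get-RemoteLoggedOn {
    param([Parameter(Mandatory)][string]$ComputerName)
    $users = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $ComputerName)
    try {
        foreach ($sid in $users.GetSubKeyNames()) {
            # Keep only real account SIDs (S-1-5-21-<domain>-<rid>); this drops .DEFAULT, S-1-5-18/19/20
            # (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) and the *_Classes twin keys
            if ($sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }
            $account = try {
                (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $null }   # unresolvable: a local account of that host, or a domain we cannot reach
            [pscustomobject]@{ ComputerName = $ComputerName; Sid = $sid; Account = $account }
        }
    } finally { $users.Close() }
}

# Hunt: which hosts have a Domain Admin profile loaded right now?
$targets      = 'HostA', 'HostB'              # constructed list
$domainAdmins = 'CAP\vegeta', 'CAP\bulma'     # assumption; take this from your group enumeration
foreach ($t in $targets) {
    Get-RemoteLoggedOn -ComputerName $t | Where-Object { $_.Account -in $domainAdmins }
}
```

A loaded hive means the profile is in use (interactive, RDP or a service running as that user), which is exactly the case where credentials are worth looking for in LSASS; a hive left loaded after a logoff is the usual false positive.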
• Get-NetLoggedon from PowerView uses NetWkstaUserEnum
• PsLoggedOn from Sysinternals uses the Registry remotely
Is there a way to identify logons as a low privileged user?
YES
Network Sessions
• Although commonly called “sessions”, what is meant here is network sessions
• A network session is created – on the target – when a resource is accessed
through the network (e.g. a shared folder)
• A network session does not usually leave credentials in memory on the target;
an interactive logon does
• Can be enumerated using:
• MS-RPC (e.g. MS-SRVS)
• Win32 API (e.g. NetSessionEnum)
• The network session output tells us from what IP each user is connected
• The system that originated the network session probably has an interactive
logon for that user: that is the host to go after
• The best places to check network sessions are servers (DCs, file servers…)
Restrictions – Network Sessions
• Older systems allow any Authenticated User!
• By default newer systems only allow Administrators (beginning with Windows 10
version 1607 and Windows Server 2016)
Restrictions – Network Sessions
• Controlled by the following registry value (a binary security descriptor)
• HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\SrvsvcSessionInfo
• An administrator can edit the registry value to enforce or relax restrictions
• Manually or using Net Cease
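Added example, not code from the original slides: the NetSessionEnum call (MS-SRVS on the wire, what PowerView's Get-NetSession wraps) done through P/Invoke, followed by a parse of the SrvsvcSessionInfo descriptor so you can see who is allowed to ask. Host names are assumptions.

```powershell
# Added example; not code from the original slides. Host names are assumptions.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NetApi32
{
    [StructLayout(LayoutKind.Sequential)]
    public struct SESSION_INFO_10
    {
        [MarshalAs(UnmanagedType.LPWStr)] public string sesi10_cname;    // client, e.g. "\\10.0.0.5"
        [MarshalAs(UnmanagedType.LPWStr)] public string sesi10_username;
        public uint sesi10_time;
        public uint sesi10_idle_time;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetSessionEnum(string ServerName, string UncClientName, string UserName,
        int Level, out IntPtr bufptr, int prefmaxlen, out int entriesread, out int totalentries,
        ref int resume_handle);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr Buffer);
}
'@

function Get-RemoteNetSession {
    param([Parameter(Mandatory)][string]$ComputerName)
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    # Level 10 = client name + user name + times; MAX_PREFERRED_LENGTH (-1) lets the server size the buffer
    $rc = [NetApi32]::NetSessionEnum($ComputerName, $null, $null, 10, [ref]$buf, -1, [ref]$read, [ref]$total, [ref]$resume)
    if ($rc -eq 5) { throw "$ComputerName : access denied (SrvsvcSessionInfo does not grant this principal)" }
    if ($rc -ne 0) { throw "$ComputerName : NetSessionEnum failed, Win32 error $rc" }
    try {
        $t    = [NetApi32+SESSION_INFO_10]
        $size = [System.Runtime.InteropServices.Marshal]::SizeOf([type]$t)
        for ($i = 0; $i -lt $read; $i++) {
            $ptr = [IntPtr]($buf.ToInt64() + $i * $size)
            $s   = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [type]$t)
            [pscustomobject]@{
                Server   = $ComputerName
                ClientIP = $s.sesi10_cname.TrimStart('\')   # the host that probably holds an interactive logon
                UserName = $s.sesi10_username
                IdleSec  = $s.sesi10_idle_time
            }
        }
    } finally { [void][NetApi32]::NetApiBufferFree($buf) }
}

# Who may call it: parse the binary security descriptor under LanmanServer\DefaultSecurity
# (needs Remote Registry access). Pre-1607 defaults include Authenticated Users (S-1-5-11);
# Net Cease removes that ACE.
function Get-SrvsvcSessionInfoAcl {
    param([Parameter(Mandatory)][string]$ComputerName)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $bytes = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity').GetValue('SrvsvcSessionInfo')
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
        foreach ($ace in $sd.DiscretionaryAcl) {
            [pscustomobject]@{
                Sid                  = $ace.SecurityIdentifier.Value
                IsAuthenticatedUsers = ($ace.SecurityIdentifier.Value -eq 'S-1-5-11')
                AceType              = $ace.AceType
                AccessMask           = ('0x{0:X}' -f $ace.AccessMask)
            }
        }
    } finally { $hive.Close() }
}

Get-RemoteNetSession -ComputerName 'DC01' | Format-Table -AutoSize
```

Run the first function against DCs and file servers as a plain domain user; an access-denied result is itself the finding that Net Cease or the 1607+ default is in place.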
LDAP
LDAP
• By default, any low privileged domain account can query information about
almost anything through LDAP
• You just need something to interact with LDAP!
General Offensive Approaches
• Builtin or developed tools that leverage Win32 API ([Link])
• LDAP tools (ldapsearch, JxExplorer, dsquery)
• .NET (PowerView, SharpView, AD module)
• .NET DirectorySearcher class [adsisearcher]
• .NET DirectoryEntry class [adsi]
• .NET RPC classes
Pentest Recommendation
• Install RSAT and feel at home
• If we are already joined to the domain, we are ready to go
What if we are not part of the domain?
[Diagram: a host that is not joined to the domain reaching the domain's LDAP service over the internal network]
1. Take care of DNS!
(the hosts file also works)
2. Impersonate!
(password, hash, ticket…)
3. Enumerate!
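Added example, not code from the original slides: the three steps above from a host that is not joined to the domain, using .NET's DirectoryEntry/DirectorySearcher with explicit credentials (step 1, name resolution, is assumed done via DNS or the hosts file). The DC address, naming context and credentials are assumptions.

```powershell
# Added example; not code from the original slides. DC, naming context and creds are assumptions.

function New-LdapSearcher {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # 'dc01.capsule.corp' or an IP (needs the hosts file / DNS)
        [Parameter(Mandatory)][string]$SearchBase,         # 'DC=capsule,DC=corp'
        [System.Management.Automation.PSCredential]$Credential
    )
    $path = "LDAP://$DomainController/$SearchBase"
    if ($Credential) {
        # Step 2, impersonate: explicit creds. Secure = sign/seal; SSPI negotiates Kerberos if the DC
        # name resolves to a KDC, NTLM if you bound by IP
        $root = New-Object System.DirectoryServices.DirectoryEntry(
            $path, $Credential.UserName, $Credential.GetNetworkCredential().Password,
            [System.DirectoryServices.AuthenticationTypes]::Secure)
    } else {
        $root = New-Object System.DirectoryServices.DirectoryEntry($path)   # current token: the domain-joined case
    }
    $s = New-Object System.DirectoryServices.DirectorySearcher($root)
    $s.PageSize = 1000      # paged results; without it the DC stops at MaxPageSize (1000 entries)
    return $s
}

function Find-LdapObject {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.DirectorySearcher]$Searcher,
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('distinguishedName', 'sAMAccountName', 'objectClass')
    )
    $Searcher.Filter = $Filter
    $Searcher.PropertiesToLoad.Clear()
    $Properties | ForEach-Object { [void]$Searcher.PropertiesToLoad.Add($_) }
    foreach ($r in $Searcher.FindAll()) {
        $o = [ordered]@{}
        # result property names come back lower-cased
        foreach ($p in $Properties) { $o[$p] = @($r.Properties[$p.ToLower()]) -join '; ' }
        [pscustomobject]$o
    }
}

# Step 3, enumerate: start with the DCs themselves (SERVER_TRUST_ACCOUNT = 0x2000 in userAccountControl)
$cred = Get-Credential 'CAP\goku'
$ldap = New-LdapSearcher -DomainController '10.0.0.10' -SearchBase 'DC=capsule,DC=corp' -Credential $cred
Find-LdapObject -Searcher $ldap -Filter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' `
                -Properties dNSHostName, operatingSystem, distinguishedName
```

Binding by IP forces NTLM; if the engagement requires Kerberos (or you are working from a ticket rather than a password), resolve the DC by FQDN and bind to that name instead.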
What should I look at?
• Domain Users
• Domain Computers
• Domain Groups
• OUs / GPOs
• Forest / Domain Trusts
• Relationships (ACLs)
Domain Users
User Account Control
• Password never expires
→ same password for years
• Account is sensitive and cannot be delegated
→ its credentials are never delegated, even to services trusted for delegation
• Do not require Kerberos Preauthentication
→ can be AS-REP roasted
• Store password using reversible encryption
→ password recoverable in plaintext from NTDS
• Kerberos Delegation
→ TRUSTED_FOR_DELEGATION = Unconstrained
→ TRUSTED_TO_AUTH_FOR_DELEGATION = Constrained with Protocol Transition
• …
Attributes
• servicePrincipalName not null
→ can be Kerberoasted
• adminCount = 1
→ is (or once was) a member of one of the administrative groups protected by AdminSDHolder
• lastLogon / logonCount …
→ logon information
• msDS-AllowedToActOnBehalfOfOtherIdentity / msDS-AllowedToDelegateTo
→ Kerberos Delegation related (resource-based constrained / constrained)
• userPassword / unixUserPassword / unicodePwd
→ sometimes plaintext passwords (unicodePwd itself is never returned over LDAP)
• …
Checks
✓ Check out group memberships
• Domain Admin? Local admin somewhere? …
✓ Check out User Account Control settings
• Kerberos Delegation? AS-REP roastable? …
✓ Check out those attributes
• Passwords? Kerberoastable? …
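Added example, not code from the original slides: the user checks above written as LDAP filters. The userAccountControl flags are tested with the bitwise-AND matching rule (1.2.840.113556.1.4.803), which is how a single query finds AS-REP roastable, delegation-enabled or reversible-encryption accounts without pulling every user. The search root is an assumption.

```powershell
# Added example; not code from the original slides. Search root is an assumption.

$UacFlag = @{
    PasswordNeverExpires = 0x10000
    NotDelegated         = 0x100000    # "Account is sensitive and cannot be delegated"
    DontReqPreauth       = 0x400000    # AS-REP roastable
    ReversibleEncryption = 0x80        # ENCRYPTED_TEXT_PWD_ALLOWED
    Unconstrained        = 0x80000     # TRUSTED_FOR_DELEGATION
    ProtocolTransition   = 0x1000000   # TRUSTED_TO_AUTH_FOR_DELEGATION
}
$UserClass = '(samAccountType=805306368)'   # SAM_NORMAL_USER_ACCOUNT, cheaper than (&(objectCategory=person)(objectClass=user))
$Bitwise   = 'userAccountControl:1.2.840.113556.1.4.803:='

function Invoke-UserCheck {
    param([string]$SearchRoot = 'LDAP://DC=capsule,DC=corp')
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchRoot)
    $s.PageSize = 1000
    foreach ($p in 'sAMAccountName', 'userAccountControl', 'servicePrincipalName', 'adminCount',
                   'msDS-AllowedToDelegateTo', 'pwdLastSet', 'description') { [void]$s.PropertiesToLoad.Add($p) }

    $checks = [ordered]@{
        'AS-REP roastable'              = "(&$UserClass($Bitwise$($UacFlag.DontReqPreauth)))"
        'Kerberoastable'                = "(&$UserClass(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))"
        'Unconstrained delegation'      = "(&$UserClass($Bitwise$($UacFlag.Unconstrained)))"
        'Constrained + prot. transition'= "(&$UserClass($Bitwise$($UacFlag.ProtocolTransition)))"
        'Constrained (any)'             = "(&$UserClass(msDS-AllowedToDelegateTo=*))"
        'Reversible encryption'         = "(&$UserClass($Bitwise$($UacFlag.ReversibleEncryption)))"
        'Password never expires'        = "(&$UserClass($Bitwise$($UacFlag.PasswordNeverExpires)))"
        'adminCount=1'                  = "(&$UserClass(adminCount=1))"
        'Password-looking attributes'   = "(&$UserClass(|(userPassword=*)(unixUserPassword=*)(description=*pass*)))"
    }
    foreach ($name in $checks.Keys) {
        $s.Filter = $checks[$name]
        foreach ($r in $s.FindAll()) {
            $uac = [int]$r.Properties['useraccountcontrol'][0]
            $pwd = if ($r.Properties['pwdlastset'].Count) { [datetime]::FromFileTime([long]$r.Properties['pwdlastset'][0]) }
            [pscustomobject]@{
                Check      = $name
                Account    = [string]$r.Properties['samaccountname'][0]
                UAC        = ('0x{0:X}' -f $uac)
                PwdLastSet = $pwd
                Detail     = (@($r.Properties['serviceprincipalname']) + @($r.Properties['msds-allowedtodelegateto']) +
                              @($r.Properties['description'])) -join '; '
            }
        }
    }
}

Invoke-UserCheck | Sort-Object Check, Account | Format-Table -AutoSize
```

PwdLastSet is what makes "password never expires" actionable: a service account whose password was set years ago is the one whose Kerberoast hash is worth the cracking time.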
Domain Computers
User Account Control
• Trust this computer for delegation to any service
→ TRUSTED_FOR_DELEGATION = Unconstrained
• Trust this computer for delegation to specific services only – use any authentication protocol
→ TRUSTED_TO_AUTH_FOR_DELEGATION = Constrained with Protocol Transition
Attributes
• servicePrincipalName
→ enumerate Kerberos services on the machine! (a.k.a. SPN scanning)
• adminCount = 1
→ member of one of the administrative groups
• msDS-AllowedToActOnBehalfOfOtherIdentity / msDS-AllowedToDelegateTo
→ Kerberos Delegation related
• ms-Mcs-AdmPwd
→ LAPS password (only returned if your principal can read it)
• operatingSystem
• …
SPN Scanning
Checks (same as users)
✓ Check out group memberships
• Domain Admin? Any interesting group? …
✓ Check out User Account Control settings
• Kerberos Delegation? …
✓ Check out those attributes
• Operating system? SPN scanning? LAPS? …
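Added example, not code from the original slides: SPN scanning over LDAP (service discovery from servicePrincipalName, no port scan) and a LAPS readability check against ms-Mcs-AdmPwd. The search root and the SYSVOL-style naming are assumptions.

```powershell
# Added example; not code from the original slides. Search root is an assumption.

function Get-ComputerSpn {
    param([string]$SearchRoot = 'LDAP://DC=capsule,DC=corp')
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchRoot)
    $s.PageSize = 1000
    $s.Filter = '(&(objectCategory=computer)(servicePrincipalName=*))'
    foreach ($p in 'dNSHostName', 'operatingSystem', 'servicePrincipalName') { [void]$s.PropertiesToLoad.Add($p) }
    foreach ($r in $s.FindAll()) {
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            # SPN grammar: <service class>/<host>[:<port or instance>][/<service name>]
            if ($spn -notmatch '^(?<class>[^/]+)/(?<host>[^:/]+)(?::(?<port>[^/]+))?(?:/(?<name>.+))?$') { continue }
            [pscustomobject]@{
                Computer     = [string]$r.Properties['dnshostname'][0]
                OS           = [string]$r.Properties['operatingsystem'][0]
                ServiceClass = $Matches['class']
                ServiceHost  = $Matches['host']
                Port         = $Matches['port']
                Spn          = $spn
            }
        }
    }
}

# Every machine account carries HOST/, RestrictedKrbHost/, TERMSRV/, WSMAN/…; the signal is in the rest
$noise = 'HOST', 'RestrictedKrbHost', 'TERMSRV', 'WSMAN', 'ldap', 'GC', 'DNS', 'Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04'
$services = Get-ComputerSpn | Where-Object { $_.ServiceClass -notin $noise }
$services | Group-Object ServiceClass | Sort-Object Count -Descending |
    Select-Object Name, Count, @{ n = 'Hosts'; e = { ($_.Group.Computer | Select-Object -Unique) -join ', ' } }

# Legacy LAPS: ms-Mcs-AdmPwd is a confidential attribute, so a computer only comes back from this
# filter when the principal running the query has been delegated read access to it.
function Get-ReadableLapsPassword {
    param([string]$SearchRoot = 'LDAP://DC=capsule,DC=corp')
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchRoot)
    $s.Filter = '(&(objectCategory=computer)(ms-Mcs-AdmPwd=*))'
    foreach ($p in 'dNSHostName', 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') { [void]$s.PropertiesToLoad.Add($p) }
    foreach ($r in $s.FindAll()) {
        [pscustomobject]@{
            Computer = [string]$r.Properties['dnshostname'][0]
            Password = [string]$r.Properties['ms-mcs-admpwd'][0]
            Expires  = [datetime]::FromFileTime([long]$r.Properties['ms-mcs-admpwdexpirationtime'][0])
        }
    }
}
Get-ReadableLapsPassword
```

An empty LAPS result does not mean LAPS is absent: query `(ms-Mcs-AdmPwdExpirationTime=*)` (not confidential) to see which hosts are managed, then work out who has been delegated the read. Windows LAPS uses the msLAPS-* attributes instead of ms-Mcs-AdmPwd.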
Interesting Links
• Sean Metcalf - SPN Scanning – Service Discovery without Network Port Scanning
• [Link]
• Sean Metcalf - Cracking Kerberos TGS Tickets Using Kerberoast
• [Link]
• Will Schroeder - Kerberoasting Revisited
• [Link]
• Will Schroeder - Roasting AS-REPs
• [Link]
• Sean Metcalf - Active Directory Security Risk #101: Kerberos Unconstrained Delegation
• [Link]
• Elad Shamir - Wagging the Dog: Abusing Resource-Based Constrained Delegation
• [Link]
• Will Schroeder – Another Word on Delegation
• [Link]
Domain Groups
Not Only Domain Admins
• Server Operators: sensitive actions on DCs (rights granted via the Default Domain Controllers Policy GPO)
• Backup Operators: sensitive actions on DCs (rights granted via the Default Domain Controllers Policy GPO)
• Account Operators: modify most accounts and groups in the domain (log on to DCs via the Default Domain Controllers Policy GPO)
• Schema Admins: modify the forest's AD schema
• Print Operators: manage printers and sensitive actions on DCs
• DNSAdmins: privilege escalation opportunities on DCs (the DNS service runs there)
• Group Policy Creator Owners: playing with GPOs
Nested Groups
1. Group1 is a member of Domain Admins
2. Group2 is a member of Group1
3. Puar is a member of Group2
4. Puar is a Domain Admin
Checks
✓ Find the explicitly privileged groups and their members
• DAs, EAs, Schema Admins, DNSAdmins…
✓ Find those nested groups
• Group1 is a member of Group2, which is a member of… DOMAIN ADMINS!
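Added example, not code from the original slides: flattening nested membership server-side with LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) for the privileged groups listed above, so Puar shows up under Domain Admins even though he is only in Group2. The search root and group list are assumptions.

```powershell
# Added example; not code from the original slides. Search root is an assumption.

function Get-PrivilegedGroupMember {
    param(
        [string]$SearchRoot = 'LDAP://DC=capsule,DC=corp',
        [string[]]$GroupName = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                                 'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators',
                                 'DnsAdmins', 'Group Policy Creator Owners')
    )
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchRoot)
    $s.PageSize = 1000
    foreach ($g in $GroupName) {
        # 1. resolve the group DN (Builtin groups live under CN=Builtin, the others under CN=Users by default);
        #    Enterprise/Schema Admins only exist in the forest root, so they return nothing from a child domain
        $s.Filter = "(&(objectCategory=group)(sAMAccountName=$g))"
        $hit = $s.FindOne()
        if (-not $hit) { continue }
        $groupDn = [string]$hit.Properties['distinguishedname'][0]

        # 2. the chained matching rule makes the DC walk memberOf transitively, so Group2 -> Group1 -> Domain Admins
        #    is resolved in one query instead of a client-side recursion
        $s.Filter = "(&(|(objectCategory=person)(objectCategory=computer))(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
        foreach ($m in $s.FindAll()) {
            [pscustomobject]@{
                Group       = $g
                Member      = [string]$m.Properties['samaccountname'][0]
                ObjectClass = [string]$m.Properties['objectclass'][-1]          # most specific class (user / computer)
                Direct      = (@($m.Properties['memberof']) -contains $groupDn) # $false means it came through nesting
                Enabled     = -not ([int]$m.Properties['useraccountcontrol'][0] -band 0x2)
            }
        }
    }
}

Get-PrivilegedGroupMember | Sort-Object Group, Direct -Descending | Format-Table -AutoSize
```

Membership via primaryGroupID (the default Domain Users, or an account whose primary group was set to Domain Admins) is not in memberOf and is missed by this query; check `(primaryGroupID=512)` separately.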
Interesting Links
• Will Schroeder - A Pentester’s Guide to Group Scoping
• [Link]
• SS64 - Understand the different types of Active Directory group
• [Link]
OUs & GPOs
• By default any domain user can read all the GPO settings stored in SYSVOL
• Local group memberships (Restricted Groups, GPP)
• User rights assignment (SeDebugPrivilege, SeEnableDelegationPrivilege…)
• Local admin passwords (GPP!!)
• LAPS settings
• Registry entries
• Scheduled tasks
• Scripts
• …
Checks
✓ Check out all the GPOs and their settings
• Firewall, local admin configurations…
✓ Find where they are applied!!
• Computers, users, OUs, sites…
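Added example, not code from the original slides: both checks above in one script. It lists every GPO, resolves the gPLink attribute to find where each one applies (the domain head and OUs), and then sweeps SYSVOL for Group Policy Preferences cpassword values and decrypts them with the AES key Microsoft published in MS-GPPREF 2.2.1.1.4. The search root and SYSVOL path are assumptions.

```powershell
# Added example; not code from the original slides. Search root and SYSVOL path are assumptions.

function Get-GpoLinkMap {
    param([string]$SearchRoot = 'LDAP://DC=capsule,DC=corp')
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchRoot)
    $s.PageSize = 1000
    # 1. every GPO container (CN={GUID},CN=Policies,CN=System,...) with its display name and SYSVOL folder
    $s.Filter = '(objectCategory=groupPolicyContainer)'
    $gpo = @{}   # hashtable keys are case-insensitive, which matters: gPLink DNs come back lower-cased
    foreach ($r in $s.FindAll()) {
        $gpo[[string]$r.Properties['distinguishedname'][0]] = [pscustomobject]@{
            Name = [string]$r.Properties['displayname'][0]
            Path = [string]$r.Properties['gpcfilesyspath'][0]
        }
    }
    # 2. every container with a gPLink: domain head and OUs (sites live in the Configuration NC, search it separately)
    $s.Filter = '(gPLink=*)'
    foreach ($r in $s.FindAll()) {
        $scope = [string]$r.Properties['distinguishedname'][0]
        # gPLink = "[LDAP://cn={GUID},cn=policies,cn=system,DC=…;<flags>][…]"   flags: 1 = link disabled, 2 = enforced
        foreach ($m in [regex]::Matches([string]$r.Properties['gplink'][0], '\[LDAP://([^;\]]+);(\d)\]')) {
            $dn = $m.Groups[1].Value; $flags = [int]$m.Groups[2].Value
            [pscustomobject]@{
                AppliedTo  = $scope
                Gpo        = if ($gpo[$dn]) { $gpo[$dn].Name } else { $dn }
                SysvolPath = if ($gpo[$dn]) { $gpo[$dn].Path } else { $null }
                Disabled   = [bool]($flags -band 1)
                Enforced   = [bool]($flags -band 2)
            }
        }
    }
}

function Find-GppPassword {
    param([Parameter(Mandatory)][string]$PoliciesPath)   # e.g. \\capsule.corp\SYSVOL\capsule.corp\Policies
    # AES-256 key from MS-GPPREF 2.2.1.1.4; every GPP cpassword in every domain is encrypted with it
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
    $files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
    Get-ChildItem -Path $PoliciesPath -Recurse -Include $files -ErrorAction SilentlyContinue | ForEach-Object {
        [xml]$xml = Get-Content -Path $_.FullName -Raw
        foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
            $cp = [string]$node.GetAttribute('cpassword')
            if (-not $cp) { continue }
            $bytes = [Convert]::FromBase64String($cp + ('=' * ((4 - $cp.Length % 4) % 4)))   # GPP strips base64 padding
            $aes = [System.Security.Cryptography.Aes]::Create()
            $aes.Key = $key; $aes.IV = New-Object byte[] 16                                  # CBC, zero IV, PKCS7 (the defaults)
            $plain = $aes.CreateDecryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
            [pscustomobject]@{
                File     = $_.FullName
                Account  = ($node.GetAttribute('userName'), $node.GetAttribute('accountName'), $node.GetAttribute('runAs') | Where-Object { $_ })[0]
                Password = [System.Text.Encoding]::Unicode.GetString($plain)
            }
        }
    }
}

Get-GpoLinkMap | Sort-Object AppliedTo | Format-Table -AutoSize
Find-GppPassword -PoliciesPath '\\capsule.corp\SYSVOL\capsule.corp\Policies'
```

The link map is what turns a "local admin" GPO from a curiosity into a target list: the computers under the OU it is linked to are where that group membership or password is in effect.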
Interesting Links
• Andrew Robbins - A Red Teamer’s Guide to GPOs and OUs
• [Link]
• Rastamouse - GPO Abuse
• [Link]
• [Link]
• Will Schroeder - Where My Admins At? (GPO Edition)
• [Link]
Forest/Domain Trusts
• Compromising one domain is just the start of the journey
• One forest can have multiple domains
• One root domain (Enterprise Admins live here)
• Probably multiple child domains
• One forest may have trust relationships with other forests
Mapping Trusts
[Diagram: trust types: External, Child/Parent, Forest]
Child/Parent Trusts
If you compromise [Link], you can compromise [Link]
• Domains inside a forest trust each other (transitively)
• SID filtering is not enforced on intra-forest trusts, so once a single domain is
compromised, any domain in the forest is vulnerable to the SIDHistory attack
Forest/External Trusts
• When a domain in another forest trusts you, you can query information about it
• A Forest/External trust does not by itself imply any kind of privilege in the trusting
domain (by default)
• Privileges across trusts must be configured by administrators
• This user from DomainA can access this resource in DomainB
• This user from DomainA is a member of this group in DomainB
Foreign Principals
• TWIN\DCooper from [Link] is a member of the Satriales group in [Link]
• In that domain, TWIN\DCooper is represented by a Foreign Security Principal object
• We want to identify this kind of object, which could allow us to hop between forests
Checks
✓ Find the relationships between your domain and other domains
• Am I in a child domain? The root domain?
✓ Find out whether there are external relationships
• Forest trusts? External trusts?
✓ Look for accounts that can potentially jump from your forest to another
• ForestA\Paco has sysadmin privileges on ForestB\Sqlserver01
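Added example, not code from the original slides: the trust checks above read straight from the trustedDomain objects (what nltest /domain_trusts and PowerView's Get-DomainTrust render), plus the foreignSecurityPrincipal objects that mark principals from other forests holding group membership here. The search root is an assumption.

```powershell
# Added example; not code from the original slides. Search root is an assumption.

$TrustDirection = @{ 0 = 'Disabled'; 1 = 'Inbound (they trust us)'; 2 = 'Outbound (we trust them)'; 3 = 'Bidirectional' }
$TrustAttribute = [ordered]@{
    0x1  = 'NON_TRANSITIVE'
    0x2  = 'UPLEVEL_ONLY'
    0x4  = 'QUARANTINED_DOMAIN (SID filtering explicitly on)'
    0x8  = 'FOREST_TRANSITIVE'
    0x10 = 'CROSS_ORGANIZATION (selective authentication)'
    0x20 = 'WITHIN_FOREST'
    0x40 = 'TREAT_AS_EXTERNAL'
    0x80 = 'USES_RC4_ENCRYPTION'
}

function Get-TrustMap {
    param([string]$SearchRoot = 'LDAP://DC=capsule,DC=corp')
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchRoot)
    $s.Filter = '(objectClass=trustedDomain)'      # one object per trust, under CN=System
    foreach ($r in $s.FindAll()) {
        $attr = [int]$r.Properties['trustattributes'][0]
        $kind = if ($attr -band 0x20) { 'Child/Parent (intra-forest, no SID filtering)' }
                elseif ($attr -band 0x8) { 'Forest' }
                else { 'External' }
        [pscustomobject]@{
            Domain     = [string]$r.Properties['name'][0]
            NetBIOS    = [string]$r.Properties['flatname'][0]
            Kind       = $kind
            Direction  = $TrustDirection[[int]$r.Properties['trustdirection'][0]]
            Attributes = ($TrustAttribute.Keys | Where-Object { $attr -band $_ } | ForEach-Object { $TrustAttribute[$_] }) -join ', '
            Sid        = (New-Object System.Security.Principal.SecurityIdentifier($r.Properties['securityidentifier'][0], 0)).Value
        }
    }
}

function Get-ForeignPrincipal {
    param([string]$SearchRoot = 'LDAP://DC=capsule,DC=corp')
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchRoot)
    # CN=ForeignSecurityPrincipals holds a stub per foreign SID; memberOf says which local groups it got into
    $s.Filter = '(&(objectClass=foreignSecurityPrincipal)(memberOf=*))'
    foreach ($r in $s.FindAll()) {
        $sid  = [string]$r.Properties['name'][0]
        $acct = try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
        [pscustomobject]@{
            Sid      = $sid
            Account  = $acct     # resolves only while the trust, and a DC of that forest, are reachable
            MemberOf = @($r.Properties['memberof']) -join '; '
        }
    }
}

Get-TrustMap | Format-Table -AutoSize
# Well-known SIDs (S-1-5-4 Interactive, S-1-5-11 Authenticated Users…) also live here; real foreign accounts start with S-1-5-21-
Get-ForeignPrincipal | Where-Object { $_.Sid -like 'S-1-5-21-*' }
```

Run Get-ForeignPrincipal in the trusting domain (the one whose groups you want), because the stub object lives where the membership is; run Get-TrustMap in every domain you hold, since each side only lists its own view of the trust.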
Interesting Links
• Sean Metcalf - Security Considerations for Active Directory (AD) Trusts
• [Link]
• Sean Metcalf - Kerberos Golden Tickets are Now More Golden
• [Link]
• Will Schroeder - A Guide to Attacking Domain Trusts
• [Link]
• Will Schroeder - The Trustpocalypse
• [Link]
• Dirk-jan Mollema - Active Directory forest trusts part 1 - How does SID filtering work?
• [Link]
• Will Schroeder – Not a Security Boundary: Breaking Forest Trusts
• [Link]
• Carlos García – Pentesting Active Directory Forests
• [Link]
ACLs
• Access control in Active Directory is mostly managed through ACLs (Access Control Lists)
• Each object has its own ACL (Users, Groups, Computers, OUs, GPOs, Domains…)
• An ACL consists of a list of entries (ACEs) that grant or deny rights to a user/group
over the object that holds the ACL
If you check the Domain Admins' ACL, you will see which principals have rights over the
Domain Admins group
Depending on the Rights…
Over Users
→ Reset password
→ Write attributes (e.g. add an SPN and Kerberoast)
→ Write UAC (e.g. disable preauthentication and AS-REP roast)
Over Groups
→ Add new members
Over Computers
→ Set Kerberos RBCD (msDS-AllowedToActOnBehalfOfOtherIdentity)
→ Read/modify the LAPS password
Over GPOs
→ Edit GPO settings
Over OUs
→ Link GPOs
Over Domains
→ DCSync
Checks
✓ Check the ACLs of interesting objects
▪ Does anyone have DCSync rights on the domain? Reset password on user OUs?
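Added example, not code from the original slides: pulling an object's DACL over LDAP (what PowerView's Get-DomainObjectAcl and Find-InterestingDomainAcl do) and flagging the ACEs behind the abuses listed above, with the DCSync rights on the domain head as the worked case. The DN, the CAP domain name and the list of "expected" principals are assumptions.

```powershell
# Added example; not code from the original slides. DN, domain name and the Expected list are assumptions.

$KnownGuid = @{
    '00000000-0000-0000-0000-000000000000' = 'All'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member'
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'gPLink'
}
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

function Get-InterestingAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # principals expected to be powerful here; every other Allow ACE with abusable rights is a finding
        [string[]]$Expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CAP\Domain Admins', 'CAP\Enterprise Admins')
    )
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -in $Expected) { continue }
        $r   = $ace.ActiveDirectoryRights
        $obj = $KnownGuid[$ace.ObjectType.ToString()]            # Guid.Empty = the ACE is not limited to one right/attribute
        if (-not $obj) { $obj = $ace.ObjectType.ToString() }     # other attribute/class GUIDs: resolve via the schema if needed
        $abuse = $null
        if     ($r.HasFlag($ADR::GenericAll))         { $abuse = 'Full control' }
        elseif (($r -band $ADR::WriteDacl) -ne 0)     { $abuse = 'Rewrite the DACL, then anything' }
        elseif (($r -band $ADR::WriteOwner) -ne 0)    { $abuse = 'Take ownership, then rewrite the DACL' }
        elseif (($r -band $ADR::GenericWrite) -ne 0)  { $abuse = 'Write any attribute (SPN, UAC, RBCD, gPLink)' }
        elseif (($r -band $ADR::ExtendedRight) -ne 0) {
            switch ($obj) {
                'All'                            { $abuse = 'All extended rights (DCSync on a domain, reset password on a user)' }
                'DS-Replication-Get-Changes'     { $abuse = 'DCSync half: needs Get-Changes-All as well' }
                'DS-Replication-Get-Changes-All' { $abuse = 'DCSync half: needs Get-Changes as well' }
                'User-Force-Change-Password'     { $abuse = 'Reset password' }
            }
        }
        elseif (($r -band $ADR::WriteProperty) -ne 0) {
            switch ($obj) {
                'All'    { $abuse = 'Write any attribute (SPN, UAC, RBCD, gPLink)' }
                'member' { $abuse = 'Add members to the group' }
                'gPLink' { $abuse = 'Link a GPO to the OU/domain' }
            }
        }
        if (-not $abuse) { continue }
        [pscustomobject]@{
            Object     = $DistinguishedName
            Principal  = $ace.IdentityReference.Value
            Rights     = $r
            ObjectType = $obj
            Inherited  = $ace.IsInherited
            AppliesTo  = $ace.InheritanceType     # Descendents/All on an OU means it flows down to the users in it
            Abuse      = $abuse
        }
    }
}

# Anyone besides the expected admins with DCSync-grade rights on the domain head?
Get-InterestingAce -DistinguishedName 'DC=capsule,DC=corp' | Format-Table Principal, ObjectType, Abuse -AutoSize
# The "reset password on user OUs" question: same function, pointed at the OU
Get-InterestingAce -DistinguishedName 'OU=Users,DC=capsule,DC=corp' | Where-Object Abuse -like '*password*'
```

Two DCSync "half" rows for the same principal add up to a full DCSync; a single one is still worth noting, since the missing half is often granted elsewhere through a group.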
Interesting Links
• Andrew Robbins / Will Schroeder – An ACE Up the Sleeve
• [Link]
• Will Schroeder - Abusing Active Directory Permissions with PowerView
• [Link]
• Will Schroeder – The Unintended Risks of Trusting Active Directory
• [Link]
MANY THANKS!
Any Question?
Is anybody awake?