Posts

Showing posts from May, 2024

Active Directory (Part 11.2)

  Lateral Movement and Pivoting These are the general techniques used by attackers within a network or domain. Penetration testers should make themselves familiar with these tactics. WMI Lateral Movement WMI enables administrators to perform various management tasks on Windows systems. It is based on the WBEM standard, an enterprise standard for management information across devices. It can be very useful for performing tasks like accessing system information, starting and stopping services, and executing processes remotely. However, it can also be abused by attackers to move from one system to another within a network. The penetration tester can connect to WMI via PowerShell commands. WMI sessions can be established with the help of the DCOM (Distributed Component Object Model) or WSMan (Web Services Management) protocols to perform various management tasks on Windows systems. PowerShell and WMI together make it possible to remotely spawn a process on a Windows system. Once the WMI re

Active Directory (Part 11.1)

  Lateral Movement and Pivoting These are the general techniques used by attackers within a network or domain. Penetration testers should make themselves familiar with these tactics. Pivoting Through the Network Lateral movement is a tactic used by attackers to move within a network. Although it is typically considered an additional step in a linear process, it is actually part of a continuous cycle. In this cycle, the attacker uses any available credentials to move from one system to another within the network, gaining access to new machines and attempting to elevate their privileges and extract additional credentials. The process is then repeated with the newly obtained credentials. There are many methods that an attacker can use to move laterally. One simple method is to use standard administrative protocols like WinRM, RDP, VNC, or SSH to connect to other systems. This method can mimic the behavior of regular users as long as the connections are not suspicious. Recently, attack

Active Directory (Part 10.2)

  Enumeration Some of the methods that can be used to enumerate AD are as follows: Command Prompt: Many situations require quick information gathering in an AD environment via the Command Prompt. This may be because RDP access to a system is not available, because PowerShell use is being monitored by defenders, or because the penetration tester is using a Remote Access Trojan (RAT) for access. The Command Prompt (CMD) tool contains a built-in command called net. This command is used to gather information about the local system and AD. It can also be useful for quick enumeration of AD information, or even be included in phishing payloads to help gather information to stage a final attack. Hence, it allows the gathering of a variety of information on an AD environment. Information gathered via the net command can be used in planning additional password spraying attacks against other enumerated user accounts. The only problem a tester might face is that the net com

Active Directory (Part 10.1)

  Enumeration After obtaining a valid set of credentials for an AD environment, they can be used to authenticate to the network as well as to gather more information on the AD setup and structure. This generally leads to lateral movement or privilege escalation, gaining access to other systems or resources within the network. The processes of enumeration and exploitation are closely connected: the information gathered during the enumeration phase can be used to identify and exploit vulnerabilities in the system. Hence, some of the methods that can be used to enumerate AD are as follows: Credential Injection- These types of attacks involve inserting false or altered login credentials into an AD environment to gain unauthorized access to sensitive information or resources. It can be done by manipulating the authentication process or by changing the login credentials stored within the AD environment. This allows an attacker to potentially gain full access to the systems or resources normally re

Active Directory (Part 9)

  Microsoft Deployment Toolkit The Microsoft Deployment Toolkit (MDT) is a Microsoft service that can automate the deployment of Microsoft operating systems (OS) in large organizations. It helps organizations efficiently deploy new images across their IT infrastructure, as the base images can be stored and maintained in a central location. It streamlines the deployment process and ensures that the most up-to-date versions of the OS are running. Generally, MDT is used with Microsoft's SCCM, which is a tool for managing updates for all Microsoft applications, services, and operating systems. MDT is designed so that it can easily deploy new images, allowing IT staff to preconfigure and manage boot images. Hence, even when a new device is added to the network, it will be automatically configured with the necessary software settings simply by connecting it to the network. SCCM is like an extension of MDT. However, SCCM is responsible for managing updates

Active Directory (Part 8)

  LDAP Bind Credentials Lightweight Directory Access Protocol (LDAP) authentication is another way used by applications to authenticate with AD. Although LDAP is similar to NTLM, the application directly verifies user credentials: it uses a pair of AD credentials to query LDAP and then verifies the AD user's credentials, instead of operating as a challenge-response protocol like NTLM. LDAP authentication is a popular mechanism with third-party applications that integrate with AD, like GitLab, Jenkins, and different kinds of VPNs. Every authentication protocol and security system has weaknesses that can be exploited. Similarly, some of the LDAP authentication attack methods that a penetration tester can utilize are: LDAP injection- In this attack, the tester injects malicious LDAP statements into an application's LDAP queries, allowing them to gain unauthorized access to network resources or manipulate data stored in AD. LDAP authentication bypass- In this one, the test

Active Directory (Part 7)

  Foothold Gaining initial access through valid AD credentials is a must for gaining unauthorized access to an AD domain. There are various ways to obtain these credentials. However, it is not necessary for these credentials to have high privileges, as they are only required to authenticate to AD and perform further enumeration. OSINT and Phishing OSINT (Open Source Intelligence) and phishing are the two most popular methods among penetration testers and attackers for gaining access to AD credentials. OSINT is the process of collecting and analyzing publicly available information from various sources, like social media, news websites, and public databases. It helps in gathering information about a target organization or individual. It can help a penetration tester gain information about an organization's AD environment, such as the names and titles of employees, the technologies and software they use, and any information that can prove useful in a targeted phishing attack. Metho

Active Directory (Part 6)

  Basics Authentication Methods There are many authentication methods in an AD environment to verify the identity of a user or a computer. The most common is password authentication, and every penetration tester must have knowledge of these methods to take advantage of their features and pivot through the network. Kerberos authentication is the default protocol in the latest Windows versions. If a user logs in to a service via Kerberos, they get a ticket as proof of their previous authentication. After that, the ticket can be shown to a service, as proof of authentication, to allow further access. Hence, the tester can attack Kerberos to gain unauthorized access. Some of the most common types of attacks are: Brute force attack- Here, the attacker tries to guess the password of a user account or a service account in the AD domain and uses it to authenticate to the domain using Kerberos. It can be done with the help of an automated tool that allows the trying of different password co

Active Directory (Part 5)

  Basics Group Policies Group Policy Objects (GPOs) can centrally manage and configure settings for users and computers. They help administrators apply policies, configurations, and settings to specific users or groups of users in an Active Directory domain. It is one of the many powerful tools for system administrators that automate and synchronize a process. These policies can be used to configure a wide range of settings, some of which are: security settings, such as password policy, account lockout policy, and auditing policy; software deployment and updates; network and connectivity settings; desktop and taskbar settings; Internet Explorer settings; folder redirection and roaming profiles; and remote access and VPN settings. GPOs are very useful and can save time and reduce the risk of errors, because administrators do not have to manually configure each individual computer or user. They also allow easy rollback of changes or application of updates to all affected compute

Active Directory (Part 4)

  Basics Trees, Forests, and Trusts There are built-in logical structures within Active Directory, called trees and forests, that organize and manage the resources and users in a domain. A tree is a hierarchical structure consisting of a root domain and one or more child domains organized in a hierarchy. All domains in a tree share a common namespace, meaning they have the same naming conventions and naming structure. A forest is a collection of one or more trees that are connected by trust relationships. Trust relationships help users in one tree access the resources of another tree, if they have the required permissions. Forests often represent different business units or organizations that need to share resources but maintain separate identities and namespaces. All trees have trust connections with each other. Trusts that can be established in AD are: External Trusts- They allow the users of one domain to access the resources of a domain in another forest. These tr

Active Directory (Part 3)

  Basics Management of Users and Computers Active Directory (AD) management of users and computers is the process of creating, modifying, and deleting user and computer accounts in AD, as well as managing group membership and permissions. AD management of users and computers is important because: Security- AD provides a way to manage user accounts and permissions and helps secure the network. It can also be used to create a unique user account for each person requiring access and to assign them specific permissions that control what they can do on the network. This helps prevent unauthorized access and ensures that only authorized users have access to the required resources. Productivity- Via AD, it is easier to manage user accounts and permissions. This can help improve productivity because it allows users to easily and quickly access the resources they need. Centralization- AD offers a centralized location for managing users and computers on the network. This will ma