Active Directory (Part 10.1)

 







Enumeration

After obtaining the valid set of credentials for an AD environment, they can be used to authenticate the network as well as gather more information on AD setup and structure. It may generally lead to lateral movement or privilege escalation, gaining access to other systems or resources within the network. The process of enumeration and exploitation are closely connected. The information gathered during enumeration phase can be used to identify and exploit vulnerabilities in the system. Hence, some of the methods that can be used to enumerate AD are as follows:

  • Credential Injection- These type of attacks involves inserting false or altered login credentials into an AD environment to gain unauthorized access to sensitive information or resources. It can be easily done by manipulating the authentication process or by changing the login credentials stored within the AD environment. This allows an attacker to potentially gain full access to the systems or resources normally restricted to the authorized users. Therefore, it is important to implement security measures to prevent such attacks and protect sensitive information and resources. 

An attacker can carry out Credential Injection attack via:

  1. Injecting fake login credentials into authentication process to gain access. This includes manipulating the authentication request or response.
  2. Modifying stored login credentials of an AD environment to gain access. It includes modifying existing credentials or adding new fake credentials. 
  3. Using stolen or compromised login credentials to gain access. It involves the use of credentials obtained through phishing attacks, password cracking, or via other means.

The "Run As" feature might also be an effective way to gain unauthorized access. It allows a user to run a program or command with privileges of a different user, helping them in performing tasks or access the resources normally restricted to the higher-privileged user. 

  • Microsoft Management Console (MMC)- It is a very familiar tool. A penetration tester must be familiar with this main management tool of AD. The tester can follow these steps to enumerate AD via MMC:

  1. To open MMC, click the start button and type "mmc" into the search field. Then, press enter to launch.
  2. Now, in MMC, click "File" and the click "Add/Remove Snap-in." Then choose "Active Directory Users and Computers" within "Add/Remove Snap-ins" window list and click "Add." Now, click "OK" to close the window. 
  3. In MMC window, expand  "Active Directory Users and Computers" tree and select the desired domain. Right-click the domain and select "Connect to Domain." After that, enter the credentials with sufficient privileges to view and manage AD objects. 
  4. Now browse the AD structure by expanding the tree in the MMC window. The users, groups, and computers can be viewed and managed, along with the configuration and viewing of security and access settings.

Some of its advantages includes- the Graphical User Interface (GUI) allows the penetration tester a good method to fully understand the structure of the environment, it is a faster way of searching, viewing, and updating different AD objects, and with sufficient privileges, the tester can easily update the existing AD objects or add new ones.

However, the GUI requires RDP access to the machine  where it is executed. It causes many issues because usually DC have RDP disabled. Also, although searching is fast, but gathering AD wide properties or attributes cannot be done.

Conclusion

This one talks about some of the Active Directory enumeration methods.



























Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)