Active Directory (Part 6)

 






Basics

Authentication Methods

There are many authentication methods in an AD environment to verify the identity of a user or a computer. The most common method is password authentication method and every penetration tester must have knowledge of them to take advantage of their features and pivot through the network.

Kerberos authentication is a default protocol in the latest Windows versions. If a user logs in to a service via Kerberos, they get a ticket as a proof of their previous authentication. After that, the tickets can be shown to a service, as an authentication proof, to allow further access. Hence, the tester can attack Kerberos to gain unauthorized access. Some of the most common types of attacks are:

  • Brute force attack- Here, the attacker tries to guess the password of a user account or a service account in the AD domain and use it to authenticate to the domain using Kerberos. It can be done with the help of an automatic tool that allows the trying of different password combinations.

  • Ticket forging- An attacker can also try to forge a Kerberos ticket, in order to gain access the AD domain resources. It can be achieved by either modifying a ticket or using a tool to generate a fake ticket.

  • Golden ticket attack- A stolen Kerberos ticket-granting ticket (TGT) can be used to create a "golden ticket." This ticket will allow them to authenticate many users in AD domain. This thing can achieved via tools like Mimikatz. 

  • Kerberoasting- The attacker may try to exploit weak or default passwords of the service accounts in AD domain. It is done to obtain the service account's Kerberos ticket-granting service (TGS) ticket. This helps in gaining access to the resources or services that the service account has access to. 

NTLM is another way of gaining access in an AD domain. However, it supports different but equally devastating types of attacks, in regard to Kerberos. Penetration tester can attempt following NTLM attacks:

  • Brute force attack- Same as Kerberos.

  • Pass-the-hash attack- A stolen NTLM hash is a cryptographic representation of a password that can be used for authentication in AD domain without knowing the actual password. An attacker can use it with the help of tools like Mimikatz. 

  • NTLM relay attack- A compromised system in the AD domain can be exploited by an attacker to relay NTLM authentication requests to other systems, allowing potential access to the attacker in those systems. Tools like Responder can be used to achieve this.

  • NTLM downgrade attack- A system can be forced to use NTLM instead of a more secure authentication method, such as Kerberos, by manipulating the system's network configuration or using a tool like Mimikatz.

It is highly important to properly secure and manage both Kerberos and NTLM authentication protocols in an AD domain to prevent such attacks. This can be done setting strong passwords for all accounts, regularly rotating and reviewing passwords, and monitoring suspicious activities for Kerberos. For NTLM, administrators should disable it completely when not in use and monitor suspicious activities. However, using more secure authentication protocol, like Kerberos, is strongly recommended. 

Conclusion

This part concludes the basics of Active directory and talks about various authentication methods, attacks, and prevention methods. 






















Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)