Posts

Showing posts from June, 2024

Vulnerable Active Directory Scripts (Part 3)

Resource Based Constrained Attack: The purpose of this script is to set up a low-privilege AD account for a "Resource Based Constrained" attack. With this kind of attack, an attacker can gain access to a target resource by using a low-privilege user account to authenticate as a different account, typically a service account with more privileges. Using the names assigned to the $domain, $lowPrivilegeAccount, and $targetResource variables, respectively, the script first sets the domain to be used for the attack, then the low-privilege account and the target resource to be used in the attack. SID History Injection: The purpose of this script is to carry out a "SID History Injection Attack." In this kind of attack, an attacker adds a user's Security Identifier to another user's SID History property in Active Directory and thereby obtains the same access privileges as the user whose SID was added. The script begins by specifying the domain to be used i

Vulnerable Active Directory Scripts (Part 2)

Constrained Delegation: This script is used to create new user accounts in AD and set up authentication delegation for one of them. The first three lines add new AD user accounts. To create new user accounts, use the New-ADUser cmdlet and supply the required parameters, such as the account's name, path, and password. The parameters -Name, -Path, and -AccountPassword specify the user's name, location in the AD hierarchy, and account password, respectively. The ConvertTo-SecureString cmdlet converts the supplied plaintext password into a secure string. The script's final line allows user 1 to delegate authentication to user 2. The Set-ADUser cmdlet is used to change an AD user's attributes in order to do this. The users or groups that are permitted to delegate to this account are specified with the -PrincipalsAllowedToDelegateToAccount parameter. Using the wildcard (*) character here allows any user to delegate to this account. GPO Abuse: This script is used in a Windows e

Vulnerable Active Directory Scripts (Part 1)

About: There are different types of Vulnerable Active Directory Scripts that make an AD environment vulnerable to various kinds of attacks. Every script is written in PowerShell. ACL: In Active Directory, this script is used to create an Organizational Unit and configure Access Control Lists (ACLs). The script's first two lines import the Active Directory module, which provides the cmdlets required to work with AD, and set the current location to the AD drive. The script then defines the "SetAcl" function, which has four parameters: $right, $inheritance, $for, and $to. The $for parameter is the username of the user for whom the ACL is being set, the $to parameter is the name of the OU to which the ACL is being applied, and the $right parameter is the right being granted to the user. The $inheritance parameter indicates whether the access rule should be inherited by child objects. Additionally, the function contains an extr

Credential Harvesting (Part 3)

Domain Controller: New Technologies Directory Services (NTDS) is a database that contains all Active Directory data, including objects, attributes, credentials, etc. The NTDS.DIT data consists of the following three tables: the Schema Table contains the types of objects and their relationships; the Link Table contains the objects' attributes and their values; the Data Table contains users and groups. Ntdsutil is a Windows utility for managing and maintaining Active Directory configurations. It can be used to: restore deleted objects in AD; perform maintenance on the AD database; manage AD snapshots; set Directory Services Restore Mode (DSRM) administrative passwords. Local dumping is usually done when no credentials are available but there is administrator access to the domain controller. Alternatively, the popular DC Sync attack can be used to dump credentials remotely. The penetration tester can leverage these configurations to perform domain replication. Local Administrator Password Solution (LAPS)

Credential Harvesting (Part 2)

Local Security Authority Subsystem Service (LSASS): The Windows process known as the Local Security Authority Subsystem Service (LSASS) manages and enforces the operating system's security policies on a machine. It verifies passwords, hashes, and Kerberos tickets and validates the accounts that are currently logged in. To save users from having to enter credentials each time they connect, Windows caches credentials in the LSASS process. This allows users to access network resources such as file shares, SharePoint sites, and other network services. However, because it holds sensitive data about user accounts, penetration testers consider the LSASS process an attractive target. Credential dumps from LSASS are frequently used to elevate privileges, steal data, or move laterally. Dumping LSASS process memory requires administrator access. The Windows operating system permits the creation of dump files and snapshots of certain processes. To prevent LSASS from being accessed and

Credential Harvesting (Part 1)

Overview: Credential Harvesting is the process of obtaining sensitive information such as login credentials, hashes, authentication tickets, and any other information that can be useful for logging into a system. The extracted information is used to gain unauthorized access to systems, networks, or applications. There are two types of credential harvesting: external and internal. External credential harvesting generally includes phishing emails and other techniques that trick a user into disclosing their username and password. Different approaches are used to obtain credentials on internal networks. Credential Access: Credential access describes how attackers find compromised systems and obtain their login credentials. This can enable them to assume the identity of legitimate users and move laterally across a network to gain access to additional resources such as systems and applications. Attackers consider using legitimate credentials a more desirable strategy than exploiting vulnerabilities. Sensi

Persistence (Part 3)

Overview: Deploying persistence is an important part of a penetration testing assessment. By implementing persistence throughout the AD compromise process, the tester can ensure that their access cannot easily be revoked by the blue team. ACLs: The AdminSDHolder container exists in every AD domain, and its Access Control List (ACL) is used as a template whose permissions are copied to all protected groups. A process known as SDProp takes the ACL of the AdminSDHolder container and applies it to all protected groups every 60 minutes. If the blue team is unaware of this persistence, then every time they remove the inappropriate permission from the protected object or group, it will reappear within an hour. Since this reconstruction occurs via a normal AD process, it does not raise any alert, making it more difficult to pinpoint the source of the persistence. GPOs: GPOs are also excellent for deploying persistence. A penetration tester can hide a GPO in a way that makes it almost imp

Persistence (Part 2)

Overview: Deploying persistence is an important part of a penetration testing assessment. By implementing persistence throughout the AD compromise process, the tester can ensure that their access cannot easily be revoked by the blue team. SID History: A Security Identifier (SID) is a unique value assigned by the Windows operating system to security principals such as users and groups. A penetration tester can try to exploit it to achieve persistence by attempting to take control of a SID assigned to a high-privilege security principal such as a domain administrator. SIDs are used to track the security principal and the account's access when connecting to resources. However, accounts have another attribute called the SID History. The main use of SID History is to allow the access of one account to effectively be cloned to another. Although it is useful for migrations, the penetration tester can still take advantage of this feature and use it for persistence. This

Persistence (Part 1)

Overview: Deploying persistence is an important part of a penetration testing assessment. By implementing persistence throughout the AD compromise process, the tester can ensure that their access cannot easily be revoked by the blue team. Credentials: This is one of the most common but least reliable persistence techniques. DC sync is the process by which AD domain controllers exchange updates and replicate data with each other. Each DC runs a Knowledge Consistency Checker (KCC) that generates a replication topology for the AD forest. It also automatically connects to other domain controllers via Remote Procedure Calls (RPC) to synchronize information. This information includes updates such as a user's new password and new objects such as a newly created user. The DC Sync attack is very popular. If the penetration tester has access to an account that has domain replication permissions, they can stage a DC Sync attack to harvest credentials from a DC. Tickets: Golden Ticket: AD environ

Active Directory (Part 12.3)

Exploitation: Several methods can be used to exploit misconfigurations in an Active Directory environment. Such methods include AD delegation, forcing authentication relays, targeting AD users, domain trusts, and using Group Policy Objects or Silver and Golden Tickets. Other methods can also be used depending on the AD environment. Certificates: AD Certificate Services (AD CS) is Microsoft's Public Key Infrastructure (PKI) implementation. AD CS is used for many things, such as encrypting file systems, creating and verifying digital signatures, and user authentication, making it a promising avenue for attackers. It is a privileged function and generally runs on selected domain controllers, so normal users cannot really interact with the service directly. Administrators of AD CS can create several templates that allow any user with the relevant permissions to request a certificate themselves. Hence, to find a vulnerable template, the penetration tester must enumerate the available ones and

Active Directory (Part 12.2)

Exploitation: Several methods can be used to exploit misconfigurations in an Active Directory environment. Such methods include AD delegation, forcing authentication relays, targeting AD users, domain trusts, and using Group Policy Objects or Silver and Golden Tickets. Other methods can also be used depending on the AD environment. Automated Relays: These allow authentication credentials to be forwarded or "relayed" from one system to another. Such relays can be established via various protocols and techniques, such as SMB, NTLM, Kerberos, and others. A penetration tester can use automated relays to capture and use credentials to gain unauthorized access to sensitive information or resources within the AD environment. The Printer bug is a vulnerability that affects certain versions of the Microsoft Windows operating system. It allows an attacker to remotely execute arbitrary code on a system by sending a specially crafted print job to a printer that is shared on the network. So, i

Active Directory (Part 12.1)

Exploitation: Several methods can be used to exploit misconfigurations in an Active Directory environment. Such methods include AD delegation, forcing authentication relays, targeting AD users, domain trusts, and using Group Policy Objects or Silver and Golden Tickets. Other methods can also be used depending on the AD environment. Permission Delegation: This feature allows administrators to assign specific permissions to other users or groups. It is useful in larger organizations, where it is not feasible for a small group of users to handle all requests (such as password resets). However, the principle of least privilege must be followed when using permission delegation. A penetration tester may exploit misconfigured permission delegation in AD to move laterally and gain unauthorized access to information. Permission Delegation exploits are often called ACL-based attacks because AD allows administrators to configure Access Control Entries (ACEs) that populate Discretionary Access Control Li