Active Directory (Part 12.3)

Exploitation

Several methods can be used to exploit misconfigurations in an Active Directory environment. Such methods include abusing AD delegation, forcing and relaying authentication, targeting AD users, abusing domain trusts, and using Group Policy Objects or Silver and Golden Tickets. Other methods may also apply, depending on the AD environment.

Certificates- AD Certificate Services (AD CS) is Microsoft's Public Key Infrastructure (PKI) implementation. AD CS is used for many purposes, such as encrypting file systems, creating and verifying digital signatures, and authenticating users, which makes it a promising avenue for attackers.

AD CS is a privileged function that generally runs on selected domain controllers, so normal users cannot interact with the service directly. However, AD CS administrators can create certificate templates that grant any user the permissions needed to request a certificate themselves. Hence, to find a vulnerable template, the penetration tester must enumerate the available templates and check them for certain characteristics that indicate a vulnerability.

A vulnerable template is one whose settings make it easy to attack and exploit. Some of these characteristics include:
  • Allowing key archival- key archival allows the private key associated with the certificate to be backed up and restored, which is a potential vulnerability if the archived key is not secured.

  • Allowing private key export- this may allow an attacker to extract the private key associated with the certificate and use it to impersonate the certificate's owner.

  • Allowing key recovery- key recovery allows the private key linked with the certificate to be recovered if it is lost, which is a potential vulnerability if the recovery process is not properly secured.
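The characteristics above map onto bits in a template's msPKI-Private-Key-Flag attribute, so an administrator can audit them offline from an LDAP export. The following is an added example (not code from the original post): the flag bit values are the ones documented in Microsoft's MS-CRTD specification, while the template records, the BROAD_PRINCIPALS set and the simplified "enroll" field (which in real data is derived from the template's security descriptor) are constructed for this example.

```python
# Added example: audit AD CS certificate templates for risky private-key settings.
# Flag values are from MS-CRTD; the template records below are constructed.

# msPKI-Private-Key-Flag bits (MS-CRTD)
CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001  # CA archives the private key
CT_FLAG_EXPORTABLE_KEY = 0x00000010                # private key may be exported

# Enrollment principals that effectively mean "any user can request this template"
# (constructed for the example; extend with your own environment's broad groups).
BROAD_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone"}

# Constructed template records. In a real audit these come from the objects under
# CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...
# and the enrollment principals are read from each template's security descriptor.
TEMPLATES = [
    {"cn": "UserArchive-Constructed", "msPKI-Private-Key-Flag": 0x11,
     "enroll": ["Domain Users"]},
    {"cn": "WebServer-Constructed", "msPKI-Private-Key-Flag": 0x10,
     "enroll": ["Domain Admins"]},
    {"cn": "Machine-Constructed", "msPKI-Private-Key-Flag": 0x00,
     "enroll": ["Domain Computers"]},
]


def template_findings(template):
    """Return the risky private-key settings present on one template."""
    flags = template["msPKI-Private-Key-Flag"]
    findings = []
    if flags & CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL:
        findings.append("key archival: the private key is stored at the CA")
    if flags & CT_FLAG_EXPORTABLE_KEY:
        findings.append("exportable private key")
    # Key recovery itself is configured on the CA (Key Recovery Agents), not as a
    # template bit, so it has to be reviewed on the CA rather than here.
    return findings


def audit_templates(templates):
    """Map template name -> {'findings': [...], 'severity': ...} for risky templates."""
    report = {}
    for template in templates:
        findings = template_findings(template)
        if not findings:
            continue
        broad = bool(BROAD_PRINCIPALS.intersection(template["enroll"]))
        report[template["cn"]] = {
            "findings": findings,
            # Broad enrollment rights turn a weak template into a reachable one.
            "severity": "high" if broad else "medium",
        }
    return report


if __name__ == "__main__":
    for name, entry in audit_templates(TEMPLATES).items():
        print(f"{name}: {entry['severity']}")
        for finding in entry["findings"]:
            print(f"  - {finding}")
```

The severity logic is the defender's version of the enumeration step described above: a template is only a practical problem when a risky key setting coincides with enrollment rights granted to a broad group, so the audit reports both together.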

Domain Trusts- Trusts allow users of one domain to access resources in another domain. They establish a connection between domains in an AD network and define how those domains can communicate with each other. Some of the different types of domain trusts are:
  • Parent-child trusts- These trusts are established between a parent domain and a child domain that is a subdomain of the parent.

  • Shortcut trusts- These trusts are established between two domains in the same forest so that users of one domain can access resources in the other domain more quickly.

  • External trusts- These trusts are established between two domains in different forests to allow users in one domain access to resources in the other domain.

  • Forest trusts- These trusts are established between two forests to allow users in one forest access to resources in the other forest.

The two main types of trust that can be configured between domains are:

  1. Directional- The trust flows from a trusting domain to a trusted domain.
  2. Transitive- The trust relationship extends beyond the two domains to include other domains they trust.
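Direction and transitivity are stored on each trustedDomain object as the trustDirection and trustAttributes attributes, so they can be decoded from an LDAP export when reviewing trusts. The following is an added example (not code from the original post): the constant values are the ones documented in Microsoft's MS-ADTS specification, and the trust records are constructed. It also goes one step beyond the text by listing outbound external trusts that do not carry the quarantined-domain bit, which is how SID filtering is enforced on such trusts.

```python
# Added example: classify trustedDomain objects by direction, transitivity and kind,
# and flag outbound external trusts without SID filtering. Constants are from
# MS-ADTS; the trust records below are constructed for this example.

# trustDirection values: bit 1 = inbound, bit 2 = outbound (3 = both).
TRUST_DIRECTION_INBOUND = 1    # the remote domain trusts this domain
TRUST_DIRECTION_OUTBOUND = 2   # this domain trusts the remote domain

# trustAttributes bits
TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x01
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filtering enforced
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x08    # forest trust
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20        # parent-child or shortcut trust

DIRECTION_NAMES = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

# Constructed trustedDomain records (real ones live under CN=System,DC=...).
TRUSTS = [
    {"name": "child.corp.example", "trustDirection": 3, "trustAttributes": 0x20},
    {"name": "partner.example", "trustDirection": 2, "trustAttributes": 0x05},
    {"name": "legacy.example", "trustDirection": 3, "trustAttributes": 0x01},
    {"name": "other-forest.example", "trustDirection": 1, "trustAttributes": 0x08},
]


def describe_trust(trust):
    """Decode one trustedDomain record into the categories used in the text."""
    attrs = trust["trustAttributes"]
    if attrs & TRUST_ATTRIBUTE_WITHIN_FOREST:
        kind = "intra-forest (parent-child or shortcut)"
    elif attrs & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        kind = "forest"
    else:
        kind = "external"
    return {
        "name": trust["name"],
        "direction": DIRECTION_NAMES[trust["trustDirection"]],
        "transitive": not (attrs & TRUST_ATTRIBUTE_NON_TRANSITIVE),
        "kind": kind,
        "sid_filtering": bool(attrs & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN),
    }


def external_trusts_without_sid_filtering(trusts):
    """Outbound external trusts on which foreign SIDs would be accepted unfiltered."""
    flagged = []
    for trust in trusts:
        info = describe_trust(trust)
        outbound = trust["trustDirection"] & TRUST_DIRECTION_OUTBOUND
        if info["kind"] == "external" and outbound and not info["sid_filtering"]:
            flagged.append(trust["name"])
    return flagged


if __name__ == "__main__":
    for trust in TRUSTS:
        info = describe_trust(trust)
        print(f"{info['name']}: {info['direction']}, {info['kind']}, "
              f"transitive={info['transitive']}, sid_filtering={info['sid_filtering']}")
    print("external trusts without SID filtering:",
          external_trusts_without_sid_filtering(TRUSTS))
```

The check only looks at the outbound component of a trust because SID filtering is applied by the trusting domain to the SIDs it receives from the trusted domain; an inbound-only trust never consumes foreign SIDs, so there is nothing for this domain to filter.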

However, domain trusts can be vulnerable to various types of attacks, including:

  • Trust spoofing- In this type of attack, an attacker creates a fake trust between two domains to gain access to resources that are normally restricted to users in the trusted domain.

  • Trust hijacking- In this attack, an attacker takes control of an existing trust between two domains to gain access to resources that are normally restricted to users in the trusted domain.

  • Trust elevation- This attack involves an attacker using a trust relationship to gain higher privileges than they would normally have in a domain.

Conclusion:

This part discusses the remaining exploitation methods for Active Directory. With this, the Active Directory topic and its related subtopics are complete.