Active Directory Penetration Testing


Basic Understanding of Computer Networking

  • Knowledge of IP addresses, subnetting, routing, and network devices (switches, routers, firewalls).
  • Familiarity with common network protocols (TCP, UDP, HTTP, DNS, etc.).

Fundamentals of Operating Systems

  • Basic knowledge of Windows and Linux operating systems, including their command-line interfaces.
  • Understanding of system processes, file systems, and user permissions.

Experience with Exploitation and Post-Exploitation

  • Knowledge and experience in exploitation and post-exploitation on Windows.
  • Ability to target Windows-specific ports, protocols and services (SMB, RDP, WinRM, etc.).
  • Ability to identify and exploit vulnerabilities/misconfigurations in Windows systems.

Experience with Penetration Testing Tools

  • Some experience using common penetration testing tools (e.g., Metasploit, Nmap, Wireshark).
  • Knowledge and understanding of the penetration testing methodology and lifecycle.


Learning Objectives:

  1. Active Directory Fundamentals
    • Understand Active Directory Architecture: Gain a comprehensive understanding of Active Directory components, including domains, domain controllers, forests, trust relationships, OUs, and Group Policy Objects (GPOs).
  2. Active Directory Penetration Testing Methodology & Process
    • Gain a comprehensive understanding of the Active Directory penetration testing methodology, including the systematic approach to assessing and exploiting vulnerabilities within AD environments.
  3. Active Directory Enumeration
    • Conduct reconnaissance and enumeration of Active Directory environments using tools like PowerView and BloodHound to gather information about users, groups, permissions, and trust relationships.
  4. Active Directory Privilege Escalation
    • Demonstrate proficiency in leveraging Active Directory privilege escalation techniques like Kerberoasting and AS-REP roasting to escalate privileges and gain unauthorized access to sensitive resources.
  5. Active Directory Lateral Movement
    • Demonstrate proficiency in moving laterally within AD environments by leveraging techniques like Pass-the-Hash and Pass-the-Ticket attacks.
  6. Active Directory Persistence
    • Demonstrate proficiency in leveraging persistence techniques like Silver Ticket and Golden Ticket attacks in order to maintain access to compromised systems within Active Directory environments.

Users, Groups & Computers

Domain Users

  • Security principals refer to entities in the Windows security infrastructure that can be assigned permissions to access various resources within a Windows environment.
  • These entities can represent users, groups, computers, or services, and they play a central role in controlling access to resources through security descriptors.
  • Users represent individuals who interact with the network. Each user has a unique account within Active Directory, identified by a username and associated with a password. Users use their credentials to log in to computers, access network resources, and perform various tasks.
  • User accounts in Active Directory can store information such as full name, email address, phone number, job title, and department. This information can be used for authentication, authorization, and management purposes.
  • Administrators can manage user accounts by creating, modifying, or deleting them using Active Directory management tools. They can also assign permissions, group memberships, and other settings to control user access to network resources.

Groups

  • Groups are collections of user accounts, computer accounts, or other groups within Active Directory. They provide a convenient way to manage access permissions and apply settings to multiple users or computers simultaneously.
  • There are two main types of groups in Active Directory:
    • Security Groups: Security groups are used to manage access permissions to network resources. Users can be added to security groups, and permissions can be assigned to these groups to control resource access.
    • Distribution Groups: Distribution groups are used for sending email messages to a group of recipients. They do not have security-related permissions and are primarily used for email distribution purposes.
  • Group membership allows administrators to apply settings, permissions, and policies to a group of users or computers collectively, rather than individually managing each account.

Security Groups

| Security Group | Function |
| --- | --- |
| Domain Admins | Domain Admins is one of the most powerful security groups in Active Directory. It is automatically created when the domain is first installed and is granted full administrative control over the entire domain. |
| Enterprise Admins | Enterprise Admins is a forest-wide security group that holds administrative privileges over all domains within the Active Directory forest. |
| Server Operators | Server Operators is a security group with permissions to manage domain controllers and member servers within the domain. |
| Backup Operators | Backup Operators is a security group with permissions to perform backup and restore operations on domain controllers and member servers. |
| Account Operators | Account Operators is a security group with permissions to manage user accounts, groups, and computer accounts within the domain. |
| Domain Users | Domain users are individual accounts created within the Active Directory domain to represent people who interact with the network. Each user is assigned a unique username and password, which they use to log in to domain-joined computers and access network resources. |
| Domain Computers | Domain computers are devices, including workstations, laptops, servers, and other networked devices, that are joined to the Active Directory domain. When a computer is joined to the domain, it establishes a trust relationship with the domain and becomes a member of the domain. |
| Domain Controllers | A Domain Controller (DC) is a server that operates within the Active Directory (AD) environment and is responsible for authenticating users, authorizing access to resources, and maintaining the directory database. |
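
Because groups can contain other groups, the accounts that effectively hold a privileged group such as Domain Admins are not all visible in its direct member list. The following is an added example, not part of the original page: it resolves nested membership for the privileged groups in the table over a constructed directory snapshot. All object names and the corp.example domain are made up; member and groupType are real AD attributes, and the 0x80000000 bit of groupType marks a security group.

```python
# Constructed directory snapshot keyed by DN. member and groupType are real AD
# attribute names; every object and name below is made up for this example.
SECURITY_ENABLED = 0x80000000  # groupType bit that marks a security group
PRIVILEGED = ("Domain Admins", "Enterprise Admins", "Server Operators",
              "Backup Operators", "Account Operators")

def dn(name, container="Users"):
    return f"CN={name},CN={container},DC=corp,DC=example"

def cn(name):
    return name.split(",", 1)[0][3:]  # "CN=alice,CN=Users,..." -> "alice"

DIRECTORY = {
    # -2147483646 is 0x80000002 as a signed 32-bit value: global security group
    dn("Domain Admins"): {"groupType": -2147483646,
                          "member": [dn("alice"), dn("Tier0 Ops")]},
    dn("Tier0 Ops"): {"groupType": -2147483646,
                      "member": [dn("bob"), dn("Helpdesk")]},
    dn("Helpdesk"): {"groupType": -2147483646,  # nests Tier0 Ops back: a loop
                     "member": [dn("carol"), dn("Tier0 Ops")]},
    # -2147483643 is 0x80000005: built-in local security group
    dn("Backup Operators", "Builtin"): {"groupType": -2147483643,
                                        "member": [dn("svc-backup")]},
    dn("All Staff"): {"groupType": 2, "member": [dn("alice"), dn("dave")]},
    **{dn(u): {} for u in ("alice", "bob", "carol", "dave", "svc-backup")},
}

def is_security_group(entry):
    """True when the security-enabled bit is set; False for distribution groups."""
    return bool(entry.get("groupType", 0) & SECURITY_ENABLED)

def effective_members(directory, group_dn, path=(), seen=None):
    """Map each non-group member to the chain of groups that grants membership."""
    seen = set() if seen is None else seen
    if group_dn in seen:  # already expanded; this is what stops nesting loops
        return {}
    seen.add(group_dn)
    path = path + (cn(group_dn),)
    found = {}
    for member in directory[group_dn].get("member", []):
        if "groupType" in directory.get(member, {}):  # nested group: recurse
            for user, chain in effective_members(directory, member, path, seen).items():
                found.setdefault(user, chain)
        else:
            found.setdefault(cn(member), " > ".join(path))
    return found

def audit(directory, names=PRIVILEGED):
    """Effective membership of each privileged security group in the snapshot."""
    return {cn(g): effective_members(directory, g) for g, e in directory.items()
            if cn(g) in names and is_security_group(e)}
```

In this snapshot, bob and carol hold Domain Admins only through nesting, which a review of the group's direct members would miss.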

Computers

  • Computers represent physical or virtual devices that are joined to the Active Directory domain. This includes workstations, servers, laptops, and other network devices.
  • Each computer within the domain has a corresponding computer account in Active Directory, identified by a unique name. When a computer joins the domain, a secure trust relationship is established between the computer and the domain, allowing the computer to authenticate users and access network resources.
  • Computer accounts in Active Directory store information such as the computer name, domain membership status, operating system version, and last login time. Administrators can manage computer accounts by adding, removing, or modifying them using Active Directory management tools.
