For authentication and authorization on the Windows platform, Microsoft itself provides a directory service known as Active Directory (AD). It is a centralized repository for user credentials.
It is a directory service, distributed in structure, used for securing, updating, managing and organizing Windows-based computers at very large scale. It divides the whole Windows-based infrastructure into groups, users and network devices. AD stores data as objects; each object is an individual entity such as a group, a device or a service.
Example: an organization has 100 employees, and these 100 employees are associated with different user groups. Using AD we can apply a policy to each group, and within a short span of time the policy is in place for all 100 employees. We do not need to set it up on every computer in the organization; we set it once in AD and it is applied to every computer in the organization.
Note: AD is mostly implemented at large scale, so it also presents a large attack surface.
i. Implementing any policy on a group basis becomes very easy from the centrally managed AD server.
ii. Easier to administer and more secure; there is no need to maintain user accounts on each resource.
iii. Provides SSO (single sign-on), meaning one login gives access to all integrated Windows services, so there is no need to enter credentials multiple times for different services.
iv. Easy to push any configuration settings such as registry changes, software upgrades or any installation.
v. Provides distributed administration, as different group admins can implement different policies.
vi. Provides scalability through organizational units.
i. It requires skilled professionals to set up the whole environment, so it can be costly.
ii. It is not so effective in cloud environments.
Components of Active Directory
i. Domain Services (DS): the framework for domain management. It mediates between users and the domain because it holds the directory information. Whenever a user tries to sign in to a device, this service validates the access. It provides security services, SSO, domain services and LDAP. DS can be managed from any computer.
a. In case of a DC failure, it provides replication, so service continues from another DC until the failed one is back up.
b. It can be customized as needed.
c. It handles multi-domain trusts.
ii. Domain Controller (DC): the server that provides the AD service on your Windows network. The computers used by users reach AD through a DC, and an AD must have at least one DC. AD uses many services (more than one) that are provided by the DC. With its help, users and servers can work simultaneously in a distributed network. The DC also hosts a DNS server for authorization purposes.
a. Their work includes checking your username, password and other credentials, and on top of that they have the right to allow or deny any user.
b. A vast variety of rules and policies is configured inside them, through which they perform all their functionality.
Understanding it is a little tricky, as it has a complex rule-set configuration. During a cyber-attack the DC is a top target for hackers because it contains juicy information like credentials. Therefore, securing the DC is necessary in order to secure the user information.
Note: the DC authenticates your authority whereas AD handles your identity and security; or we can understand it like this: AD is the domain, and the DC is the precious server in that domain.
iii. Instance/AD Forest: whenever an instance is created/configured in AD, generally a domain is created as <org_name>.com, where “org_name” can be the name of the organization. Inside this instance we can add various objects such as computers or users, and the domains are joined by trust relationships.
iv. Organizational Units (OU): to manage an instance we need OUs; here “manage” means deciding which policy to assign to that particular instance. From here, we cannot assign common permissions.
v. User Objects and Domain Objects: user objects (user instances) represent employees in the organization, while computer objects represent servers and workstations that are domain-joined. These objects contain attributes, and those attributes vary according to the type of object.
Note: some computers are not domain-joined; they may be connected through an internet-facing machine.
Penetration testing on AD starts with AD enumeration. In AD we have multiple users, some with admin privileges and some with low privileges. As I already said, hackers always focus on the DC first. So initially we will try to enumerate the domain users and explore those users further.
i. Traditional approach: here we use net.exe, which is incorporated in the Windows OS at installation.
a. (i) To enumerate all groups of a domain, we can use the command given below:
Command: net group /domain
In the above image we can see there is one group named “blessgroup”. To check the members and the information of the group we can use the command given below.
Command: net group <Group name> /domain
A group may be found inside another group; this is known as a nested group, but net.exe cannot enumerate nested groups.
(ii) To enumerate individual users, we can use the command below:
Command: net user
Type the net user command in cmd; it will show all the available users from the particular account.
In the above screenshot we can see there are five users in my DC. Due to privacy, I have hidden some of them.
b. Command: net user /domain
As I added “/domain” to the previous command, it will enumerate the users in the DC for a particular domain. That domain may have lots of users, and we can query each individual user.
c. To check the full information of a particular user, you can use this command.
Command: net user <user_name> /domain
The output of the above command shows lots of information, such as the account status (active/expired), when the password was last set, and whether the password has an expiration policy or not.
ii. Modern approach: nowadays many tools are available, such as cmdlets and PowerShell. We will discuss them one by one. But they
a. Cmdlets: they work well if installed on the DC. If installed on a Windows workstation, they need admin privileges to be used. A cmdlet is a lightweight utility used in the context of running automated scripts in PowerShell.
b. PowerShell: here we are going to use a PowerShell script, with admin rights on the DC, so that we can execute it to enumerate users on the DC or gather information about a particular DC.
We need the domain name and the primary DC name (the one from which we are going to fetch our records).
I. $dobj: stores the entire domain object.
II. $PDC: simply stores the name of the primary DC.
III. $SString: the provider path for the output.
IV. $DNAME: takes the individual parts of the domain name.
When we run the above script, we get the whole LDAP path of the DC, on which we can perform further enumeration (as per our needs). We save the above script as abc.ps1.
Now we initialize the DirectorySearcher class on the basis of the LDAP path. Inside it we have to provide the path from which we want to start our AD search.
Note: if we do not specify any path in DirectorySearcher, it will start searching from the root and return results from the entire AD.
The updated script:
I have added the last 3 lines to the previous script.
When I ran this script, I got the details of all the users inside my AD account, as we got with the manual process.
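The enumeration script described above, reconstructed as an added example (this is not the article's own abc.ps1): it builds the LDAP path from $dobj, $PDC, $SString and $DNAME, lists user accounts with the same fields net user reports, and also expands the nested membership of “blessgroup”, which net.exe cannot. It assumes a domain-joined Windows host and an account allowed to read the directory; the function names and the sample domain in the comment are my own.

```powershell
# Added example, not the article's own abc.ps1. Builds the LDAP path from the
# variables the article names, then runs DirectorySearcher queries on it.
# Assumes a domain-joined Windows host and an account allowed to read the directory.
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainSearchRoot {
    $dobj    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()  # entire domain object
    $PDC     = $dobj.PdcRoleOwner.Name                      # name of the primary DC
    $SString = "LDAP://"                                    # provider prefix for the path
    $DNAME   = "DC=" + ($dobj.Name -replace '\.', ',DC=')   # e.g. example.local -> DC=example,DC=local
    return "$SString$PDC/$DNAME"
}

function Search-Ad {
    param([string]$Root, [string]$Filter, [string[]]$Props)
    $entry    = New-Object System.DirectoryServices.DirectoryEntry($Root)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.Filter   = $Filter
    $searcher.PageSize = 500   # paged results, so large domains are returned completely
    $Props | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    return $searcher.FindAll()
}

$root = Get-DomainSearchRoot
Write-Host "Search root: $root"

# 1. All user accounts, with the same fields 'net user <name> /domain' reports.
$users = Search-Ad -Root $root -Filter '(samAccountType=805306368)' `
                   -Props 'samaccountname', 'pwdlastset', 'useraccountcontrol'
foreach ($u in $users) {
    $uac = [int]$u.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        Name            = $u.Properties['samaccountname'][0]
        Disabled        = [bool]($uac -band 0x2)       # ACCOUNTDISABLE flag
        PasswordNoExp   = [bool]($uac -band 0x10000)   # DONT_EXPIRE_PASSWORD flag
        PasswordLastSet = [datetime]::FromFileTime([int64]$u.Properties['pwdlastset'][0])
    }
}

# 2. Members of "blessgroup" (the group from the article) including nested groups,
#    which net.exe cannot expand. The matching-rule-in-chain OID makes the DC walk
#    the membership chain server-side.
$grp = Search-Ad -Root $root -Filter '(&(objectClass=group)(samAccountName=blessgroup))' `
                 -Props 'distinguishedname'
if ($grp.Count -gt 0) {
    $dn = $grp[0].Properties['distinguishedname'][0]
    Search-Ad -Root $root -Filter "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$dn))" `
              -Props 'samaccountname' | ForEach-Object { $_.Properties['samaccountname'][0] }
}
```

For auditing, the Disabled and PasswordNoExp columns are the ones to review: accounts with a never-expiring password are the same finding the manual net user output exposes one account at a time.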