Active Directory Security - Reconnaissance

Huriye Özdemir
Mar 14, 2022

Hi security enthusiasts! I created this article from my active directory study notes. Following this post, I plan to publish a series of articles covering active directory attack types.

Active Directory Basics

Important notes about some components of Active Directory:

Active Directory data store : C:\Windows\NTDS\ntds.dit

Domain Controllers:

  • Every DC hosts NTDS.dit and runs the LDAP, KDC and other directory services.
  • Multiple DCs are deployed for redundancy.
  • Every DC holds a writable copy of the AD database (changes are replicated to the other DCs).

Forest: One or more domains. These domains can also have child domains.

Organizational Units (OU) : It’s like folders in a file system.

Sites : A Site lets you place multiple DC machines so that traffic is reduced and fault tolerance is gained. If one DC machine fails, the others remain available. Each region uses the nearest DC, so the traffic decreases.

Group Policy:

  • GPs are managed from a central console.
  • GPs are applied as registry keys on the target computer.
  • Every Windows computer runs a Group Policy Client that checks for changes.
  • SYSVOL contains the GPs (readable by all domain users) : \\DOMAINNAME\SYSVOL\DOMAINNAME\Policies

Replication: Synchronization of DC machines within a Site and between different Sites. It is implemented with RPC over IP.

Active Directory Lab Setup

I used cfalta's adsec repository to set up my Active Directory domain on premises (on my own laptop).

Many thanks to cfalta for this impressive repository:

Repository : https://github.com/cfalta/adsec

Lab Setup Guide : https://github.com/cfalta/adsec/tree/main/lab-setup

After the installation, you should have the following virtual machines:

Then complete the following steps mentioned in the guide:

2. Prepare domain

3. Prepare member server

4. Prepare attacker vm

If you are ready, let’s start with the first exercise!

Reconnaissance

Tool:

PowerView: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

Get-Domain : General information about the domain.

Get-DomainController : General information about the domain controller.

Other commands that retrieve specific information from the domain:

Get-DomainComputer | select samaccountname, dnshostname, whencreated | Format-Table

Get-DomainUser | ? {$_.memberof -like "*Domain Admins*"}

Get-DomainUser | ? {$_.memberof -like "*Domain Admins*"} | select samaccountname

Get-DomainGroup | ? { $_.distinguishedname -notlike "*CN=Users*" -and $_.distinguishedname -notlike "*CN=Builtin*"} | select samaccountname,description

Reconnaissance Exercises

https://github.com/cfalta/adsec/blob/main/exercises/1-Reconnaissance.md

How many computers are in the domain and what OS are they running on?

2 — Windows

How many user objects are in the domain? Write a PowerShell query to list all users in table form showing only the attributes samaccountname, displayname, description and last password change.

Get-DomainUser | select samaccountname, displayname, description, pwdlastset | Format-Table

Can you identify any custom admin groups? Change the PowerShell query above in a generic way so it only returns custom admin groups.

Helpdesk Admins

Get-DomainGroup | ? {$_.memberof -like "*Domain Admins*"} | select samaccountname,description

Who is a member of the custom admin group you found and when was his password last set?

bwillis — 12/23/2021

# memberof holds distinguished names, so the pattern needs wildcards to match "CN=Helpdesk Admins,..."
Get-DomainUser | ? {$_.memberof -like "*Helpdesk Admins*"} | select samaccountname, pwdlastset | Format-Table

Think of simple ways to identify service accounts in the domain. Write a PowerShell query that lists all service accounts based on the pattern you came up with.

# the OU name is only part of the distinguished name, so wildcards are required here too
Get-DomainUser | ? {$_.distinguishedname -like "*OU=ServiceAccounts*"}
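The three exercise queries above can be combined into one audit pass over the domain. The following script is an added example, not code from the article or from the adsec repository; it assumes PowerView.ps1 is already dot-sourced in the session, and the group name filters (`*admin*`, `Domain Admins`), the OU name `ServiceAccounts` and the `svc` prefix are assumptions taken from the lab, to be adjusted for your own naming conventions.

```powershell
# Added example (not from the article or the adsec repo). Assumes PowerView.ps1 is
# dot-sourced and that you are auditing a domain you administer.
# Generalizes the exercises: find custom admin groups, resolve their members
# (including nested groups) with password age, and flag service-account candidates.

# 1. Custom admin groups: created outside the default Users/Builtin containers and
#    either named like an admin group or nested inside Domain Admins (assumed pattern).
$customAdminGroups = Get-DomainGroup | Where-Object {
    $_.distinguishedname -notlike '*CN=Users,*' -and
    $_.distinguishedname -notlike '*CN=Builtin,*' -and
    ($_.samaccountname -like '*admin*' -or $_.memberof -like '*CN=Domain Admins,*')
}

# 2. Members of each custom admin group, recursing through nested groups, with
#    pwdlastset. PowerView returns pwdlastset already converted to a DateTime.
$report = foreach ($group in $customAdminGroups) {
    Get-DomainGroupMember -Identity $group.samaccountname -Recurse |
        Where-Object { $_.MemberObjectClass -eq 'user' } |
        ForEach-Object {
            $user = Get-DomainUser -Identity $_.MemberName -Properties samaccountname,pwdlastset
            [PSCustomObject]@{
                Group      = $group.samaccountname
                Member     = $user.samaccountname
                PwdLastSet = $user.pwdlastset
                PwdAgeDays = [int]((Get-Date) - $user.pwdlastset).TotalDays
            }
        }
}
# Oldest passwords first: these are the admin accounts to review for rotation.
$report | Sort-Object PwdAgeDays -Descending | Format-Table -AutoSize

# 3. Service-account candidates: an SPN is registered, the account lives in an OU whose
#    name contains "ServiceAccounts", or its sAMAccountName starts with "svc" (assumed).
Get-DomainUser | Where-Object {
    $_.serviceprincipalname -or
    $_.distinguishedname -like '*OU=ServiceAccounts*' -or
    $_.samaccountname -like 'svc*'
} | Select-Object samaccountname, distinguishedname, pwdlastset,
                  @{n='SPNs'; e={ ($_.serviceprincipalname) -join ';' }} | Format-Table -AutoSize
```

Accounts that appear in both reports (a service account that is also a member of a custom admin group) deserve the closest review, since a long-unrotated password on such an account combines the two weaknesses the exercises are meant to surface.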
