Active Directory Misconfigurations: Exploits & Attack Vectors

Active Directory (AD) is often described as the heart of enterprise IT infrastructure. It governs authentication, authorisation, and resource management for users and systems. However, its complexity and default configurations make it a frequent target for attackers. This guide delves into common AD misconfigurations, their exploitation techniques, and tools used during penetration testing or red team operations.

Exchange Server Misconfigurations

Microsoft Exchange's integration with AD introduces significant attack surface because of the elevated privileges its groups hold over the domain. Understanding these weaknesses is critical for both offensive and defensive security professionals.

Exchange Windows Permissions Group

  • Members of this group can modify Discretionary Access Control Lists (DACLs) on domain objects.
  • Attackers can exploit this to grant themselves DCSync privileges, enabling the extraction of password hashes from the domain.
  • Accounts in this group often include power users or support staff in remote offices, making them prime targets.

Organisation Management Group

  • This group wields administrative control over Exchange and can access all user mailboxes.
  • Compromising an Exchange server often yields cached credentials from Outlook Web Access (OWA), including clear-text passwords or NTLM hashes.

PrivExchange Attack

  • Exploits the PushSubscription feature in Exchange Server.
  • Allows any authenticated user to force the server (running as SYSTEM) to authenticate to an attacker-controlled host via HTTP.
  • Before the 2019 Exchange updates, these credentials could be relayed to LDAP and used to dump the NTDS database, potentially leading to Domain Admin privileges.

Tools and Techniques:

  • Use PowerShell scripts or BloodHound to enumerate Exchange-related groups.
  • Tools like PrivExchange automate the exploitation of Exchange vulnerabilities.

Printer Bug (MS-RPRN Protocol)

The Printer Bug leverages a flaw in the MS-RPRN protocol, allowing attackers to:

  • Trigger authentication requests from a print server running as SYSTEM to an attacker-controlled SMB share.
  • Relay these credentials to LDAP for obtaining DCSync privileges or enabling Resource-Based Constrained Delegation (RBCD).

This attack is particularly effective across forest trusts with unconstrained delegation enabled.

Steps to Exploit:

  1. Enumerate vulnerable systems using tools like Get-SpoolStatus.
  2. Relay captured credentials using NTLM relay tools, such as Impacket.

Defensive Measures:

  • Disable the spooler service on non-essential systems.
  • Apply security patches addressing MS-RPRN vulnerabilities.

Kerberos Exploits

Kerberos, while robust, has known vulnerabilities that attackers can exploit for privilege escalation.

MS14-068 (Kerberos PAC Forgery)

This vulnerability allows attackers to forge Privilege Attribute Certificates (PACs) in Kerberos tickets:

  • Attackers can impersonate privileged accounts like Domain Admins by crafting fake PACs.
  • Tools like PyKEK and Impacket simplify this attack.

ASREPRoasting

  • Targets accounts with “Do not require Kerberos pre-authentication” enabled.
  • Attackers request an AS-REP whose encrypted part is keyed by the user's password hash, then crack it offline.
  • Enumerate vulnerable accounts using PowerView or Impacket’s GetNPUsers.py.

Example Workflow:

  1. Use PowerView to list accounts that do not require pre-authentication:
Get-DomainUser -PreauthNotRequired
  2. Crack the AS-REP hash offline using Hashcat:
hashcat -m 18200 hash.txt wordlist.txt

Credential Harvesting

LDAP Credentials

Applications often store LDAP credentials insecurely:

  1. Redirect LDAP test connections to an attacker-controlled machine using Netcat (nc -lvp 389).
  2. Extract clear-text credentials during test connections.

SYSVOL Share

The SYSVOL directory frequently contains sensitive scripts or plaintext credentials in Group Policy Preferences (GPP) files:

  1. Use PowerShell scripts like Get-GPPPassword.ps1 to locate GPP files.
  2. Decrypt passwords using tools such as gpp-decrypt.
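As an added defensive example (not code from the original post), the following script audits a copy of SYSVOL for Group Policy Preference files that still carry a cpassword attribute, which is the marker that a credential was embedded in the policy. The SYSVOL path and the sample Groups.xml are constructed placeholders; nothing is decrypted.

```python
"""Report GPP XML elements that still embed a cpassword attribute."""
import os
import xml.etree.ElementTree as ET

# GPP file names that may embed credentials when cpassword is set.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def find_cpassword(xml_text, source="<inline>"):
    """Return (source, tag, account) for every element in one GPP XML
    document whose cpassword attribute is present and non-empty."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.get("cpassword"):  # empty string = field present but unused
            # The account name sits under different attributes per GPP type.
            name = (elem.get("userName") or elem.get("accountName")
                    or elem.get("runAs") or "?")
            findings.append((source, elem.tag, name))
    return findings


def audit_sysvol(sysvol_root):
    """Walk a SYSVOL tree (path is an assumption) and collect all findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname in GPP_FILES:
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpassword(fh.read(), path))
    return findings


# Constructed sample in the Groups.xml layout; the cpassword value is a
# placeholder, not a real encrypted credential.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="localadmin">
    <Properties action="U" cpassword="PLACEHOLDER_BASE64" changeLogon="0"
      noChange="1" neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    for src, tag, acct in find_cpassword(SAMPLE_GROUPS_XML):
        print(f"{src}: <{tag}> embeds a cpassword for account '{acct}'")
```

Run audit_sysvol against a copy of \\domain\SYSVOL to list every policy that should be migrated away from GPP passwords (MS14-025 removed the ability to set them but did not remove existing ones).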

DNS Enumeration

DNS records within AD can reveal critical infrastructure details:

  1. Use tools like adidnsdump to enumerate DNS zones.
  2. Discover hidden records pointing to high-value targets like Jenkins servers or database hosts.

Example Command:

adidnsdump -u domain\\user ldap://dc-ip -r

Group Policy Object (GPO) Abuse

Misconfigured GPOs provide attackers with opportunities for privilege escalation and persistence:

  1. Assign rights such as SeDebugPrivilege or add users to local admin groups.
  2. Deploy malicious startup scripts or scheduled tasks.

Enumeration:

  • Use PowerView:
Get-DomainGPO | Select DisplayName
  • Check ACLs on GPOs:
Get-DomainGPO | Get-ObjectAcl

Exploitation Tools:

  • SharpGPOAbuse automates GPO abuse scenarios.

Password Mismanagement

Passwords in Description Fields

Sensitive information may be stored in user account description fields:

Get-DomainUser * | Select samaccountname, description

PASSWD_NOTREQD Flag

Accounts with this flag bypass password policies, allowing weak or blank passwords:

Get-DomainUser -UACFilter PASSWD_NOTREQD
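The PowerView one-liners above and in the ASREPRoasting section each test one userAccountControl bit. As an added defensive example (not from the original post), the script below performs the same checks, plus the description-field check, over an exported list of user attributes; the records are a constructed stand-in for an LDAP export, and the bit values are the documented userAccountControl flags.

```python
"""Audit exported AD user records for pre-auth disabled, PASSWD_NOTREQD,
and credential-looking text in description fields."""
import re

# userAccountControl bit values from the AD schema.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

# Loose pattern for credential-looking text ("pass: X", "pwd=Y", ...).
SECRET_HINT = re.compile(r"\b(pass(word|wd)?|pwd|pw)\b\s*[:=]?\s*\S+",
                         re.IGNORECASE)


def audit_users(records):
    """records: dicts with samAccountName, userAccountControl (int), description.
    Returns {samAccountName: [finding, ...]} for enabled accounts only."""
    report = {}
    for rec in records:
        uac = int(rec["userAccountControl"])
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts are not live exposure
        issues = []
        if uac & DONT_REQ_PREAUTH:
            issues.append("ASREPRoastable: pre-authentication not required")
        if uac & PASSWD_NOTREQD:
            issues.append("PASSWD_NOTREQD: blank or weak password permitted")
        if SECRET_HINT.search(rec.get("description") or ""):
            issues.append("description field appears to hold a credential")
        if issues:
            report[rec["samAccountName"]] = issues
    return report


# Constructed sample records; names and values are placeholders.
SAMPLE_USERS = [
    {"samAccountName": "svc_backup", "description": "Backup service",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH},
    {"samAccountName": "kiosk01", "description": "",
     "userAccountControl": NORMAL_ACCOUNT | PASSWD_NOTREQD},
    {"samAccountName": "jsmith", "description": "Temp pass: Welcome123!",
     "userAccountControl": NORMAL_ACCOUNT},
    {"samAccountName": "old_admin", "description": "",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH},
    {"samAccountName": "alice", "description": "Finance team",
     "userAccountControl": NORMAL_ACCOUNT},
]

if __name__ == "__main__":
    for user, issues in audit_users(SAMPLE_USERS).items():
        print(user, "->", "; ".join(issues))
```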

Advanced Persistence Techniques

Attackers often seek long-term access through persistence mechanisms:

  1. Abuse Resource-Based Constrained Delegation (RBCD).
  2. Exploit trust relationships between forests/domains.

Key Tools:

  • BloodHound for mapping trust relationships.
  • Impacket for executing RBCD attacks.

Conclusion

Active Directory misconfigurations pose significant risks but also offer opportunities for defenders to strengthen their environments through proactive assessments and remediation efforts. By understanding these vulnerabilities and leveraging tools like BloodHound, PowerView, and Impacket, security professionals can uncover weaknesses before attackers do.

For more insightful and engaging write-ups, visit kosokoking.com and stay ahead in the world of cybersecurity!
