Active Directory is a Microsoft solution for managing IT environments in companies of all sizes. You can find it everywhere. Virtually all companies use this solution to manage their users, workstations, servers, and more, making it essential for administrators and attackers to master. Since Active Directory is used everywhere, attackers have become experts at tracking down vulnerabilities that allow them to take control of the information system. That’s because compromising Active Directory equates to compromising virtually the entire information system. Definitely worth a closer look, don’t you think?
Together, we’ll identify the vulnerabilities of an Active Directory environment and how they can be exploited so that we can protect and monitor the environment. In the field of penetration testing, this is known as an internal penetration test.
In this exercise, you’ll play the role of a company administrator looking to secure their environment. This will provide you with enough information to allow you to thoroughly research the subject, along with the necessary skills to secure and monitor your environment.
However, before you can secure and monitor an environment, you need to put yourself in the shoes of an attacker to observe, identify, and exploit vulnerabilities. Understanding how attack techniques are used will provide you with everything you need to improve your Active Directory security.
In this chapter, you’ll learn how to properly equip and organize yourself for the various steps. It’s a bit like preparing for a speech. You don’t just walk up to the microphone with your hands in your pockets and start talking - you prepare yourself in advance. The same principle applies here. This phase is crucial in ensuring that you approach the problem efficiently rather than heading off in all directions.
Ready? Let’s go!
Organize Your Notes
Firstly, bear in mind that during the attacks, you’re going to be overwhelmed with information that was gathered earlier through various methods. This could be machine names, users, IP addresses, network flows, service versions, and vulnerabilities. Most of this information is important enough for you to investigate as thoroughly as possible.
However, as you progress through your penetration test, listing one attack after the other will waste a lot of time and become less relevant to the goal of assessing the level of security of the Active Directory environment. Without a clear strategy, you’re likely to forget certain aspects.
I clearly remember my first audits, when I would repeat the same actions at least ten times, because I didn’t take detailed notes and didn’t keep all the information that the tools collected. What a waste of time!
Trust me, taking notes is essential for organizing all the collected information and deciphering the data.
The first thing you should do is list the types of information that are useful. For example, you know that the names of the machines on the network are relevant information, but the floor number of each printer is much less so.
To attack an Active Directory environment, you will most likely need to collect the following information:
- Machine names:
  - Target machines
  - IP addresses (or ranges)
- Open services:
  - Service versions
- Usernames:
  - Interesting privileges
- Specific configuration settings:
  - Active Directory
  - Other
This list is obviously not exhaustive, but preparing a document with this information will be very helpful. You’ll complete this list as the attack progresses.
To further improve your notes, you could organize them into categories corresponding to the various steps of your testing. These steps correspond to your kill chain, in other words your intrusion methodology. For example, you could use the following categories:
Initial Reconnaissance
First Compromise
Lateral Movement
Privilege Escalation
Persistence
Having the right tools allows you to be much more efficient, but like a chef in the kitchen, just because you have the right tools doesn’t mean you’re a good chef! There are numerous note-taking programs available (e.g., Evernote, Microsoft OneNote, TreeNote, and many more), but my favorite is Joplin. After several hundred penetration tests, I haven’t found a better way of organizing my notes. It’s a free, open-source tool that runs on all platforms (Linux, Windows, macOS, Android, and iOS).
Is this the only tool we can use? If I want to organize my notes differently, will I be banished forever?
No, of course not! I’ve given you an example of a tool that I find practical and fully featured, but if you prefer to organize your notes differently or with another tool, go for it! The most important factor is that you are familiar with the program, so you can be efficient and organized. 😉
Finally, most of the tools we’ll be using in this course have the ability to export the results of commands to one or more files. This feature can be very useful, especially when the procedure takes a long time. So, wherever possible, I recommend that you record the output from each tool so that you can revisit it later to find a specific piece of information.
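As an added example (not part of the course material), the following POSIX shell helper puts the two recommendations above into practice: it creates one folder per phase of the intrusion methodology and wraps each tool run so that its full output, the exact command line, and a timestamp are saved to a log file while still being displayed on the terminal. The directory name NOTES_DIR, the phase folder names, and the function names are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the course. Records every tool run to a
# timestamped log file organized by phase of the intrusion methodology.

# Root folder for all notes (assumed name; override with NOTES_DIR=...).
NOTES_DIR="${NOTES_DIR:-$HOME/pentest-notes}"

# Path of the log written by the most recent record_run call.
LAST_LOG=""

# Create one folder per phase so the log files follow the kill chain.
init_notes() {
    for phase in 01-initial-reconnaissance 02-first-compromise \
                 03-lateral-movement 04-privilege-escalation 05-persistence; do
        mkdir -p "$NOTES_DIR/$phase"
    done
}

# Usage: record_run <phase-folder> <label> <command> [args...]
# Runs the command, shows its output (stdout and stderr) on the terminal,
# and appends a copy to a timestamped file under the phase folder. The
# file starts with a header holding the exact command line and the start
# time, so the result can be found and reproduced later.
# Note: the pipeline's exit status is tee's, not the tool's; use bash's
# "set -o pipefail" if the tool's exit code matters to you.
record_run() {
    phase="$1"; label="$2"; shift 2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$NOTES_DIR/$phase/${stamp}_${label}.log"
    mkdir -p "$NOTES_DIR/$phase"
    {
        echo "# command: $*"
        echo "# started: $stamp"
        echo
    } > "$out"
    "$@" 2>&1 | tee -a "$out"
    LAST_LOG="$out"
    printf 'saved to: %s\n' "$out" >&2
}

# Example usage with a harmless command (a constructed demonstration):
#   init_notes
#   record_run 01-initial-reconnaissance hostname-check uname -a
```

Each log file name starts with a UTC timestamp, so listing a phase folder gives you the chronological order of what you ran, and the header line lets you copy the exact command back into your notes.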
Now that you’re equipped to organize your information, it’s time to structure your work environment.
Structure Your Work Environment
Now that you’re a note-taking pro, it’s time to prepare your arsenal for attacking an Active Directory environment. You’ll be using several tools, but often they are only compatible with specific operating systems. For this reason, it’s important to have the ability to switch between various test environments so you can use the right tool for the right situation.
Choose Your Virtual Machines
To handle any type of situation, it’s important to have the ability to launch tools from either Linux or Windows. Therefore, it is best practice to have at least two machines when attacking an Active Directory environment.
A Linux machine with any distribution you like. If you don’t want to install attack tools one at a time, the Kali Linux distribution can simplify things for you because it was developed specifically for attackers. It can also be beneficial to have control over your chosen distribution, so you can start with a clean Debian and only install what you need. It’s up to you—I promise I won’t judge you!
A Windows machine—ideally a recent Windows Server. A Windows Server simplifies the installation of the Active Directory administration tools used by administrators, and they are also very useful for an attacker.
Tools
Now that you have established your environment, you need to select the tools you want to use. In this course, we’ll try to select tools that can be used for both attack and defense. You’ll realize that the goals of both sides are often similar, and the same paths and tools are used to get there.
We use tools that are exclusive to either Linux or Windows, along with other tools that can run on any platform. That’s why it’s important to be able to switch between these systems. It’s often possible to only use one or the other, but this makes the task much more complicated. Why complicate things when they can be simplified? 😉
Once the essentials for proper organization are in place, all that’s left to do is to define the attack methodology so you can begin testing.
Before moving on, I suggest that you listen to Charlie Bromberg explaining how to structure your work environment:
Use the Penetration Testing Cycle
You’re almost ready to start your attack with the tools you’ve selected. I say almost, because an attack has to be methodical. Rest assured, I’m not going to ask you to invent a methodology. There is a proven sequence in attack methodology, which consists of the following:
Watch the video to learn more about each of these steps.
Let’s Recap!
Note-taking is essential for structuring the information you collect and giving it value.
Having both a Linux and Windows work environment covers all attack requirements.
Attacking a system is a continuous cycle that switches between information gathering and exfiltration.
You’re now equipped and organized to get down to business and begin your search for vulnerable workstations and servers.