
Practical Active Directory Attacks and Protection

Building a LAB environment in 15 minutes
Testing modern AD attacks and mitigating them
Prevention, Detection and Mitigation

Prepared by: Walid Haddad
v1.0, July 5, 2021



Contents
Introduction
LAB Prerequisites
Building the LAB in 15 min
  Deploying a new Microsoft Windows Server 2016 Domain Controller
    Windows Server 2016 Installation
    Disable IE enhanced security
    Active Directory Domain Services role Installation
    Active Directory Objects Creation Using BadBlood
  Setting UP Victim Machine (Windows 10)
    Setting Up windows 10
    Joining to Domain
    Set the DNS IP configuration
  Kali Machine (Attacker Machine)
    BloodHound and bloodhound.py Installation
Active Directory Enumeration
  Finding the Active Directory Server using windows commands
  Finding the AD server using Nmap
  Enumerating AD Usernames using Guessing technique
  Enumeration Using BloodHound
    What is BloodHound
    What is BloodHound.py
    Prerequisites
    Enumeration
Kerberos Explained
Modern Active Directory Attacks
  AS-REP Roasting
    Attack prerequisites
    Creating an explicitly vulnerable user account
    Discover AS-REP Roastable users
      Using Bloodhound and Bloodhound.py (Kali)
      Using Bloodhound and Sharphound.exe (Compromised Windows machine)
      Using Powershell (Compromised Windows machine, it can be also using PSREMOTING or Metasploit)
      Using Impacket (from kali)
      Using ASREPROAST.ps1 (Windows)
    AS-Rep Roasting Attack using ASREPRoast.ps1 (from windows)
    AS-Rep Roasting Attack using impacket (GetNPUsers.py) (from kali)
    AS-Rep Roasting Attack using Rubeus (from windows)
    Mitigations
    Monitoring
  Kerberoasting
    What is Kerberoasting Attack
    Creating an explicitly vulnerable user account
    Kerberoasting Attack Using Windows PowerShell
    Attack prerequisites
    Identify accounts with registered SPNs
      Using Bloodhound
      Using GetUserSPNs.ps1
    Dump the ticket using Mimikatz
    Crack the Ticket Offline
    Kerberoasting Using Impacket
    Identify accounts with registered SPNs
    Cracking TGS using hashcat
    Kerberoasting using Rubeus
    Mitigations
    Monitoring (SIEM)
  Silver Ticket (Escalate Privileges)
    What is Silver Ticket Attack
    Attack prerequisites
    Getting Service Account password through Kerberoasting
    Getting User SID
    Silver Ticket Attack using Impacket (ticketer.py)
    Silver Ticket Attack using Mimikatz
    Convert password to NTLM Hash
    Installing DSInternals
  Golden Ticket (Gain Persistence)
    What is Golden Ticket Attack
    Attack prerequisites
    Getting domain name and SID
    Golden Ticket Attack using Mimikatz DCSync
  Pass-the-Hash (PTH)
    What is Pass-the-Hash Attack
    Elevate Privileges and get access to the Domain Controller (using Mimikatz)
  Pass-the-Ticket (PTT)
    What is Pass-the-Ticket Attack
    Pass The Ticket Attack Using Mimikatz
  Abusing GPO Permissions
    Creating a Vulnerable GPO
    Enumerating GPOs with Powerview
    Enumerating GPOs with Bloodhound
    Abusing GPO Control
    Abusing GPO to add a local admin on all company devices
    Mitigations
    Detection
  Abusing ACLs/ACEs
    Mitigations
  Abusing AD Delegation of Privileges and Permissions
    What is Delegation of Privileges
    Mitigations

Introduction
In order to secure Active Directory, you must understand the techniques attackers use against AD.
This article covers most of the modern AD attacks using known and built-in tools like PowerShell,
BloodHound, etc. This LAB is based on real attacks and Red Team activities. Some of the attacks that will
be covered:

• Privilege Escalation (User Hunting, Delegation issues and more)

• Kerberos Attacks and Defense (Golden, Silver ticket, Kerberoast and more)

• Credentials Replay Attacks

• Persistence (DCShadow, WMI, GPO, Domain and Host ACLs and more)

LAB Prerequisites
• 180-day trial of Windows Server 2012

• Kali OS

• Windows 10 OS

• Virtual Box/VMWare Workstation

• Computer with 12 GB of RAM (recommended)

• General Knowledge of Active Directory Administration



Building the LAB in 15 min

Deploying a new Microsoft Windows Server 2016 Domain Controller


Windows Server 2016 Installation
Windows Server 2016 can be downloaded from microsoft.com and installed (installation details are not
covered here).

Disable IE enhanced security


Copy and paste the code below and run it in PowerShell ISE:

function Disable-InternetExplorerESC {
    $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
    $UserKey  = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
    Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
    Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0
    Stop-Process -Name Explorer
    Write-Host "IE Enhanced Security Configuration (ESC) has been disabled." -ForegroundColor Green
}
Disable-InternetExplorerESC

Active Directory Domain Services role Installation


Copy and paste the code below and run it in PowerShell ISE:

Enable-PSRemoting -Force
# Allow RDP (with Network Level Authentication) and open its firewall rules
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1
Rename-Computer -ComputerName (hostname) -NewName "AD-LAB"
#netsh winhttp set proxy 1.3.5.2:8080   #removed
Set-TimeZone -Name "Eastern Standard Time"
Import-Module ServerManager
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-WindowsFeature -Name GPMC
shutdown /f /r /t 1

After the restart, run the following code in PowerShell ISE to create the domain:

$domainname = "badblood.com"
$NTDPath = "C:\Windows\ntds"
$logPath = "C:\Windows\ntds"
$sysvolPath = "C:\Windows\Sysvol"
$domainmode = "win2012R2"
$forestmode = "win2012R2"
Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath $NTDPath -DomainMode $domainmode -DomainName $domainname -ForestMode $forestmode -InstallDns:$true -LogPath $logPath -NoRebootOnCompletion:$false -SysvolPath $sysvolPath -Force:$true

Active Directory Objects Creation Using BadBlood


BadBlood is a group of scripts that help us build a complete, realistic Active Directory environment
(domain, Organizational Units, users, groups, permissions, etc.) without creating any AD object manually.

You can download BadBlood from https://github.com/davidprowe/badblood

• Extract the zip file to C:\badblood

• Open the "invoke-badblood" script found in the C:\badblood directory with PowerShell ISE and run it

The Domain Controller with its groups and users is now built and ready.

Setting UP Victim Machine (Windows 10)


Setting Up windows 10

Joining to Domain
Join the device to the domain and try to log in with a domain user.

Set the DNS IP configuration


Set the DNS server IP to the Domain Controller's IP.

Kali Machine (Attacker Machine)


BloodHound and bloodhound.py Installation
• Use the command below to install BloodHound

apt-get install bloodhound

• Use the command below to start Neo4j

neo4j console

• Go to http://localhost:7474/ to set up a database user and password; you will need those
credentials when launching BloodHound.

• Run BloodHound by typing "bloodhound" and log in with the credentials previously set

• Download and extract BloodHound.py from https://github.com/fox-it/BloodHound.py

Active Directory Enumeration


Finding the Active Directory Server using windows commands

echo %logonserver%

gpresult /r

Finding the AD server using Nmap


In order to discover the Active Directory server on the network, we need to check for open ports related
to Active Directory services.

Port 88 (Microsoft Kerberos)

Port 3268 (Microsoft LDAP Service)



Let's run Nmap over the subnet to search for hosts having these ports open.

Further enumeration reveals the domain name and the OS version, which could be useful later.

Enumerating AD Usernames using Guessing technique


AD user enumeration using Nmap

Quick dive into what's happening under the hood using Wireshark

AS-REQ requests with the users requested from LDAP

Reply obtained: user worker exists and does not require preauthentication

Reply obtained with an error: user Test exists but requires preauthentication

User does not exist

Enumerating users with preauthentication disabled



Enumeration Using BloodHound


What is BloodHound
BloodHound is a tool used to visualize and enumerate an Active Directory environment and its object
relationships along with their permissions, allowing attackers to visualize and plan their attacks.

What is BloodHound.py
BloodHound.py is a Python-based ingestor for BloodHound, based on Impacket.

Prerequisites
You need a valid username and password (obtained, for example, from phishing, AS-REP roasting, ...).

Enumeration
Go to the BloodHound.py-master repository and run the following command:

python3 bloodhound.py -u {user} -p {password} -ns {name server (DC IP)} -d {domain} -c All

(-c All collects as much data as possible.)

NB: how did we get the user credentials? Through a successful phishing campaign that yielded the
user's credentials, by compromising the victim machine with a malicious file and then dumping the user's
password via Mimikatz, a keylogger, etc., or via a malicious internal user, etc.

Launch BloodHound

Import the data generated by bloodhound.py into BloodHound by dragging and dropping the generated JSON files.

NB: these queries run locally against the database we imported, not live Active Directory
queries. Changes made to the domain after we gathered our data will not be reflected.

Kerberos Explained
Kerberos is an authentication protocol. It issues tickets to nodes to allow access to services/resources
based on privilege level. It is used mainly in Active Directory and sometimes in Linux environments.

Kerberos Ticketing:

Ticket Granting Ticket (TGT): ticket issued to a user after authenticating to the KDC; it is presented
when requesting service tickets from the TGS.

Ticket Granting Server (TGS): the part of the KDC that issues Service Tickets after verifying an end
user's TGT and whether they have access to the requested resource.

Service Ticket (ST): ticket granted to you by the TGS for authenticating against services.

Modern Active Directory Attacks


AS-REP Roasting
AS-REP roasting is an attack that exploits the "Do not require Kerberos preauthentication" misconfiguration. It is
not common to find this setting unless the environment has some old devices that do not support
Kerberos pre-authentication.

Pre-authentication is the first step in Kerberos authentication, and its main role is to protect against
brute-force password guessing attacks.

If pre-authentication is disabled, an attacker can request a ticket for that user without knowing the
password, and the DC simply returns a TGT along with data encrypted with a key derived from the user's
password; similar to the Kerberoast attack, this can be cracked offline.

Attack prerequisites
• A valid username

• "Do not require Kerberos preauthentication" must be enabled on the account (it is not enabled by
default)

• The account's password should not be hard to crack (e.g. 123456789)

• The attacking machine does not need to be joined to the domain



Creating an explicitly vulnerable user account



Discover AS-REP Roastable users


Using Bloodhound and Bloodhound.py (Kali)
Go to the BloodHound.py-master repository and run the following command (-c All collects as much data as possible):

python3 bloodhound.py -u {user} -p {password} -ns {name server (DC IP)} -d {domain} -c All

Import the data generated by bloodhound.py into BloodHound by dragging and dropping the generated JSON files.

Click on "Find AS-REP Roastable Users (DontReqPreAuth)" (found 2 AS-REP roastable users: WALIDTEST and WORKER).

Using Bloodhound and Sharphound.exe (Compromised Windows machine)

Use python -m SimpleHTTPServer to host the SharpHound collector (bloodhound.exe) on our Kali attacking machine.

Download bloodhound.exe to the Windows victim machine (use one of the transfer techniques highlighted below).

Running Sharphound (with a domain account)



Run SharpHound (manually entering credentials if you are not logged in with a domain account)

Download the generated zip file and import it into BloodHound (same as we did previously)

You can export it using the techniques below:

1- Create an upload page on your Kali machine, then request this page from the victim's browser and
upload the bloodhound.zip file

2- Upload the bloodhound.zip via an email service or to an online file-sharing website like
Mega.io, etc.

3- Use the Metasploit download feature if you obtained a reverse shell with Metasploit
(via a vulnerability, a reverse shell, etc.)

4- Create a shared folder on your Kali machine and copy the file to it

5- Create a shared folder on Windows and access it from your Kali machine



Using PowerShell (compromised Windows machine; it can also be done via PSRemoting or Metasploit)

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name

Using Impacket (from kali)


Download Impacket from https://www.github.com/SecureAuthCorp/impacket and navigate to the examples
directory.

We will use GetNPUsers.py (AS-REP roastable users: walidtest and worker)



Using ASREPROAST.ps1 (Windows)


Download ASREPRoast.ps1 from https://github.com/Harm0y/ASREPRoast/blob/master/ASREPRoast.ps1

Import the module in PowerShell and run the following command to extract the user hash from the AS-REP message

AS-Rep Roasting Attack using ASREPRoast.ps1 (from windows)


Dump the user hashes with the following command

Then you can copy the hashes to your attacking machine and crack them using hashcat or John the
Ripper.

AS-Rep Roasting Attack using impacket (GetNPUsers.py) (from kali)


Get the encrypted TGT data for the users worker and walidtest

Copy the encrypted TGT data and save it to a file

Brute force the TGT offline using hashcat (user: worker)



Brute force the TGT offline using hashcat (user: walidtest)

AS-Rep Roasting Attack using Rubeus (from windows)


Upload Rubeus.exe to the victim machine and run the following command: Rubeus.exe asreproast

Export the hashes, then copy them to your attacking machine and crack them using
hashcat or John the Ripper.

You can also crack the hashes by downloading hashcat.exe to the victim machine:

Hashcat64.exe -m 18200 hash.txt passlist.txt

Once we have cracked one account's password, we can use it to enumerate all the remaining users with
the "preauthentication not required" misconfiguration.

Mitigations
1- Continuously monitor for and identify accounts that do not require pre-authentication (you can use the
techniques mentioned above).
2- Enforce strong password policy requirements such as complexity, length and lifetime across the organization, as it is the first
line of defense against intruders.
3- It is also important to understand which users have privileges over your AD user accounts and can enable this UAC value, as
it can be enabled just long enough to obtain the AS-REP hash and then turned off again. This query returns
all access rights for user accounts which do not require pre-authentication:
PS> (Get-ACL "AD:$((Get-ADUser -Filter 'useraccountcontrol -band 4194304').distinguishedname)").access

Monitoring
1- Check event 4738 (a user account was changed) for changes to the User Account Control "Don't Require Preauth" value.
2- Monitor event ID 5136 (a directory service object was modified) for changes to userAccountControl.

Kerberoasting
What is Kerberoasting Attack
Kerberoasting is an attack against service accounts (accounts with SPNs) in Active Directory. It is a
post-exploitation attack that extracts service account credential hashes from Active Directory for offline
cracking. When you request a service ticket for a Service Principal Name (SPN), you get back a ticket that
is encrypted with the NTLM hash of the account that has that SPN registered.

Creating an explicitly vulnerable user account


Creating an SPN attribute for an AD account

Adding the account to the Administrators group (optional)

Kerberoasting Attack Using Windows PowerShell


Attack prerequisites
• Kerberoast toolkit from github.com/nidem/kerberoast

• The account's password should not be hard to crack (e.g. 123456789)

• An account in AD that has an SPN registered

• A domain user (the user does not need elevated or "administrator" privileges)

Identify accounts with registered SPNs


Identify all accounts in Active Directory that have SPNs registered using "GetUserSPNs.ps1"

Using Bloodhound

Using GetUserSPNs.ps1
Results before creating the misconfigured user (optional)

The error below indicates that your PC cannot reach the AD (connection/DNS issue).

Running the PowerShell script "GetUserSPNs.ps1" after creating the misconfigured user. We identified
the "webserver" account, which is the web server's service account.

Request a ticket using PowerShell, passing the SPN in the ticket request and getting a service ticket back

Dump the ticket using Mimikatz


Using Mimikatz to dump the ticket to disk. We are interested in the webserver account.

Encrypted ticket with NTLM hash of the webserver service account

Crack the Ticket Offline


Brute-force and crack the ticket offline to obtain the clear-text password using "tgsrepcrack.py"

Kerberoasting Using Impacket


Identify accounts with registered SPNs
Identify all accounts in Active Directory that have SPNs registered using Impacket's "GetUserSPNs.py"

We can see in the DC's Event Viewer an event related to the credential validation of the user test4

Or

Cracking TGS using hashcat



Kerberoasting using Rubeus


Hashes extracted for all kerberoastable users

Crack the hashes using hashcat same as we did above

Mitigations
- Enforce robust password policies for service accounts.

- Rotate service account passwords frequently.

- Apply least privilege when adding service accounts to groups.

Monitoring (SIEM)
- Monitor domain user accounts requesting large numbers of service tickets (Event 4769).
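As an added example (not part of the original guide), the Python below runs the hunts described in this guide's Monitoring sections over constructed Security-log records: bursts of 4768 failures with result 0x6 from one address (the username guessing shown in the Wireshark section), 4768 successes with Pre-Authentication Type 0 together with 4738 changes that enable "Don't Require Preauth" (AS-REP roasting), and one requester pulling RC4 service tickets (4769) for many distinct service accounts (Kerberoasting). Account names, addresses and thresholds are assumptions.

```python
"""Hunt for Kerberos abuse indicators in Windows Security log records.

  * user enumeration: many 4768 failures, result 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), one source IP
  * AS-REP roasting: 4768 success with Pre-Authentication Type 0; 4738 enabling "Don't Require Preauth"
  * Kerberoasting: one requester obtaining RC4 (0x17) service tickets (4769) for many service accounts
"""
from collections import defaultdict

# Constructed sample records (not real logs). Only the fields the checks use are
# kept; the keys mirror the event XML data names (EventID, TargetUserName, ...).
SAMPLE_EVENTS = [
    # Username guessing from 10.0.0.50: two principals the KDC does not know
    {"EventID": 4768, "TargetUserName": "admin", "IpAddress": "10.0.0.50", "Status": "0x6", "PreAuthType": "-"},
    {"EventID": 4768, "TargetUserName": "backup", "IpAddress": "10.0.0.50", "Status": "0x6", "PreAuthType": "-"},
    # A helpdesk account flips "Don't Require Preauth" on for walidtest
    {"EventID": 4738, "SubjectUserName": "helpdesk1", "TargetUserName": "walidtest",
     "UserAccountControl": "'Don't Require Preauth' - Enabled"},
    # TGTs issued without pre-authentication (AS-REP roastable accounts)
    {"EventID": 4768, "TargetUserName": "worker", "IpAddress": "10.0.0.50", "Status": "0x0", "PreAuthType": "0"},
    {"EventID": 4768, "TargetUserName": "walidtest", "IpAddress": "10.0.0.50", "Status": "0x0", "PreAuthType": "0"},
    # Normal logon: pre-authentication type 2 (encrypted timestamp)
    {"EventID": 4768, "TargetUserName": "lowpriv", "IpAddress": "10.0.0.20", "Status": "0x0", "PreAuthType": "2"},
    # test4 requests RC4 service tickets for three different service accounts
    {"EventID": 4769, "TargetUserName": "test4@BADBLOOD.COM", "ServiceName": "webserver",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "test4@BADBLOOD.COM", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "test4@BADBLOOD.COM", "ServiceName": "httpsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    # Benign: lowpriv gets an AES ticket for a workstation and a TGT renewal
    {"EventID": 4769, "TargetUserName": "lowpriv@BADBLOOD.COM", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.20"},
    {"EventID": 4769, "TargetUserName": "lowpriv@BADBLOOD.COM", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.20"},
]


def find_user_enumeration(events, threshold=2):
    """Source IPs with >= threshold distinct unknown principals (4768, result 0x6)."""
    unknown = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768 and e.get("Status") == "0x6":
            unknown[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(names) for ip, names in unknown.items() if len(names) >= threshold}


def find_asrep_without_preauth(events):
    """Accounts that were issued a TGT with Pre-Authentication Type 0 (roastable)."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e.get("Status") == "0x0"
                   and e.get("PreAuthType") == "0"})


def find_preauth_disabled_changes(events):
    """(who, whom) pairs where a 4738 shows 'Don't Require Preauth' being enabled."""
    return [(e["SubjectUserName"], e["TargetUserName"]) for e in events
            if e["EventID"] == 4738
            and "'Don't Require Preauth' - Enabled" in e.get("UserAccountControl", "")]


def find_kerberoast_suspects(events, threshold=3):
    """Requesters with >= threshold distinct RC4-encrypted service tickets (4769).

    krbtgt (TGT renewals) and machine accounts (name ending in '$') are skipped:
    they make up most normal 4769 volume and are not typical roasting targets."""
    per_user = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e.get("TicketEncryptionType") != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        per_user[e["TargetUserName"]].add(svc)
    return {user: sorted(svcs) for user, svcs in per_user.items() if len(svcs) >= threshold}


if __name__ == "__main__":
    print("Username enumeration :", find_user_enumeration(SAMPLE_EVENTS))
    print("TGTs without preauth :", find_asrep_without_preauth(SAMPLE_EVENTS))
    print("Preauth disabled by  :", find_preauth_disabled_changes(SAMPLE_EVENTS))
    print("Kerberoast suspects  :", find_kerberoast_suspects(SAMPLE_EVENTS))
```

Tune the thresholds to your baseline: a single account legitimately touching many SPNs (monitoring agents, backup jobs) is the usual false positive for the 4769 check.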

Silver Ticket (Escalate Privileges)


What is Silver Ticket Attack
The Silver Ticket attack allows an attacker to create a forged Kerberos TGS ticket that gives them access to
a particular service running on a particular host. Silver tickets require no privileges to create; all you
need is the password of a service account. They do not interact with Domain Controllers directly: they
bypass the DC and talk only to the server hosting the service they are impersonating.

Attack prerequisites
• Password of a service account

Getting Service Account password through Kerberoasting


Enumerating users and getting hashes

Cracking password

Convert password to NTLM hash

Or it can be done also using Powershell

Getting User SID

Silver Ticket Attack using Impacket (ticketer.py)



Silver Ticket Attack using Mimikatz


We assume that we obtained the password of a service account previously (via phishing attack,
Kerberoasting attack, etc…)

Convert password to NTLM Hash


Installing DSInternals
You can install the DSInternals module directly from the official PowerShell Gallery by running the
following command:

Install-Module DSInternals -Force



Set PowerShell Setting to use TLS 1.2

Converting password to NTLM Hash

Getting Domain SID

Creating Silver Ticket using Mimikatz



Launch a command prompt

Ticket from the fake account



Mitigations
- Enforce user least privilege
- Ensure that local users, administrators and service accounts use strong, unique passwords

- Make sure that your Kerberos deployment leverages the Privilege Attribute Certificate (PAC) and requires the TGS to be
signed by the KDC using the krbtgt encryption key

Golden Ticket (GainPersistence)


What is Golden Ticket Attack
A Golden Ticket attack is an attack on Active Directory Kerberos authentication. It is considered a
persistence attack (you already have access to the domain and have compromised it, and you want to keep
persistent access to that domain, so that if the administrator account password is changed you will not
lose access). The goal of the Golden Ticket attack is to compromise the KRBTGT account (the Kerberos
Ticket Granting Ticket service account) after compromising Active Directory, then forge Kerberos Ticket
Granting Tickets (TGTs) that will be used to authenticate users with Kerberos. TGTs are used when requesting
Ticket Granting Service (TGS) tickets, which means a forged TGT can get us any TGS ticket - hence it's
golden.

In this attack, we assume a Domain Controller compromise from which the KRBTGT account hash will be
extracted, which is a requirement for a successful Golden Ticket attack.

Attack prerequisites
• Compromised Domain Controller

• Compromised user with the following rights (Replicating Directory Changes, Replicating Directory
Changes All, Replicating Directory Changes In Filtered Set), generally a Domain Admin

• Domain name/SID

• KRBTGT password hash



Getting domain name and SID


Getting Domain SID (whoami /user)

Getting Domain name (echo %USERDOMAIN% or systeminfo | findstr /B /C:"Domain")



Golden Ticket Attack using Mimikatz DCSync


Using mimikatz DCSync command to obtain the KRBTGT password hash

Using Mimikatz Kerberos golden to create the Golden ticket and impersonate any user

Using Mimikatz Kerberos pass the ticket command (ticket will be loaded into memory)

Whoami command prior to loading the ticket into memory

Whoami command after loading the ticket into memory



Accessing the NTDS folder and ntds.dit (the database that stores Active Directory data and passwords).
Later you can dump the credential hashes from the NTDS.dit file.

Pass-the-Hash (PTH)
What is Pass-the-Hash Attack
Pass the Hash is an attack that allows a malicious user to move laterally and elevate privileges. Once an account is
compromised, the attacker can use its NTLM hash, or another user's NTLM hash found in memory, to replay it against other
machines in your environment.

Screenshot showing the logged in user “lowpriv”

Screenshot showing group memberships (the user "lowpriv" is a low-privilege user, only a local administrator)

Trying to run the psexec command against the domain controller, we get access denied since the user does not have enough
access/privileges to log in to the Active Directory server.

Elevate Privileges and get access to the Domain Controller (using Mimikatz)

NB: in this scenario the administrator has logged in with his credentials to this PC. (The command prompt should be run as
administrator.)

Dumping passwords stored in Memory using Mimikatz



We have found the administrator account NTLM hash

Replay the "administrator" password hash to Active Directory using PsExec. We were able to use PsExec and log on to the
AD server (pass the hash technique)

Pass-the-Ticket (PTT)
What is Pass-the-Ticket Attack
Similar to the Pass-the-Hash attack, where we can pass a user's NTLM hash without cracking it
and authenticate as them, we can pass stored Kerberos tickets to access other network
resources.

We have two options here: dump a TGT or dump TGS tickets. If we dump a TGT (which depends on our
level of access) we can then request access to any service within the context of that user. If we
dump a TGS ticket, then we can pass the ticket to the respective service only.

Pass The Ticket Attack Using Mimikatz

Get cached tickets using Mimikatz.


NB: in this case the administrator has logged in before on this machine (victim1)

Cached tickets exported (we are interested in the highlighted one, the administrator ticket)

Reusing the domain admin cached ticket and checking the output of Kerberos::list

This can also be checked with the klist command

Accessing the domain controller "AD-lab" using psexec with the admin ticket

Purging cached tickets and trying to execute psexec on the AD server

Trying again to execute psexec on the AD server after purging the tickets. We get access denied, which is expected.

Abusing GPO Permissions


GPOs can be misconfigured, and such a misconfiguration opens the door to many attack possibilities, especially if the GPO can be
edited by a normal user other than a domain admin.

Creating a Vulnerable GPO


Create a new policy and link it to the domain object

Making the policy vulnerable by allowing Authenticated users to modify it



Enumerating GPOs with Powerview


Download and run PowerView with the command below (we can see the policy that we created)

Policy in details

Get the policy applied on a computer



Get-NetGPO

Enumerate permissions on the test policy using icacls (we have rights to edit the GPO)

Enumerate permissions with PowerView


Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}

Enumerating GPOs with Bloodhound


Search for the user "lowpriv" and click on the user node; you will see detailed information about the user on the left.
Click on the number next to "Effective Inbound GPOs" and you will see the below.

The GPO “test policy” is applied to user “lowpriv”.

Looking at it from the other side, search for the policy "test policy", click on it and check how many objects are affected by
this policy. (This means that if we modify the policy for malicious goals, these are the objects that will be affected.)

Abusing GPO Control


We can do anything with the computers and users inheriting the policy "test policy".
For example: add a new local admin account, schedule a malicious task, create malicious services, spread a virus, update specific
registry keys, deploy a malicious shortcut, deploy a malicious MSI file, deploy a malicious startup script, modify the local audit
policy to evade detection, grant rights, alter DACLs, configure Windows Firewall, etc…

You have 2 options to do that:


1- Install the Group Policy Management Console and modify the GPO
2- Manually craft the GPO files and modify the GPO and its gpt.ini file

Abusing GPO to add a local admin on all company devices


We will use the first option:

Edit GPO

Adding a group (lowpriv is a member of the normal users group)


https://thesysadminchannel.com/add-local-administrators-via-gpo-group-policy/

Normal users group added to the local Administrators group

The group is also added on the AD server



We logged in to the AD server using the recently added local admin account

Mitigations
- Routinely audit the permissions associated with your GPOs (use BloodHound)
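One way to run that audit from a PowerShell prompt, as an added example that is not part of the original document: it lists every GPO that broad groups such as Authenticated Users can edit, together with where the GPO is linked. It assumes the RSAT GroupPolicy module is installed and the account has read access to all GPOs; the group names in $BroadGroups are an assumption you should adjust to your domain.

```powershell
# Added example (not from the original document): report GPOs editable by
# broad groups, and the OUs/domain they are linked to.
# Assumes the RSAT GroupPolicy module; edit $BroadGroups for your environment.
Import-Module GroupPolicy

# Principals that should never hold edit rights on a GPO (assumption)
$BroadGroups = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'

# Permission levels that allow changing the policy's content
$EditLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Get-WeakGpoPermission {
    foreach ($gpo in Get-GPO -All) {
        # Linked scope comes from the XML report (LinksTo/SOMPath)
        $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        $links  = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })

        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            if ($perm.Permission -notin $EditLevels) { continue }
            if ($perm.Trustee.Name -notin $BroadGroups) { continue }

            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = $perm.Trustee.Name
                Permission = $perm.Permission
                LinkedTo   = if ($links) { $links -join '; ' } else { '<not linked>' }
                Modified   = $gpo.ModificationTime
            }
        }
    }
}

# A GPO linked at the domain root (e.g. "lab.local") with Authenticated Users
# holding GpoEdit is exactly the "test policy" scenario described above.
Get-WeakGpoPermission | Sort-Object GPO | Format-Table -AutoSize
```

Run it on a schedule and compare against the previous run; any new row, or a change in ModificationTime on a GPO that appears in the output, deserves a look at who made the change.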

Detection
- Enable the GPO setting "Audit Directory Service Changes". This provides you with event ID 5136 when GPOs are
modified
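A short collector for that detection, added here as an example and not part of the original document: it reads event ID 5136 from a Domain Controller's Security log and keeps only changes to groupPolicyContainer objects. It assumes "Audit Directory Service Changes" is enabled and that the script runs with rights to read the Security log on the DC named in $ComputerName (an assumption; defaults to the local machine).

```powershell
# Added example (not from the original document): list GPO object changes
# recorded as event ID 5136 within the last $Hours hours.
# Assumes Directory Service Changes auditing is on and the DC's Security log is readable.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumption: running on a DC
    [int]$Hours = 24
)

function Get-GpoChangeEvent {
    param([string]$Computer, [int]$SinceHours)

    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$SinceHours) }

    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Named fields are easiest to read from the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # 5136 encodes the operation as a resource string id (assumption on the ids)
            $op = switch ($data.OperationType) {
                '%%14674' { 'Value Added' }
                '%%14675' { 'Value Deleted' }
                default   { $data.OperationType }
            }

            [pscustomobject]@{
                Time      = $_.TimeCreated
                Who       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Class     = $data.ObjectClass
                ObjectDN  = $data.ObjectDN
                Attribute = $data.AttributeLDAPDisplayName
                Value     = $data.AttributeValue
                Operation = $op
            }
        } |
        # Only changes to GPO objects; a versionNumber change means the GPO was edited,
        # an nTSecurityDescriptor change means its permissions were altered
        Where-Object { $_.Class -eq 'groupPolicyContainer' }
}

Get-GpoChangeEvent -Computer $ComputerName -SinceHours $Hours |
    Sort-Object Time | Format-Table Time, Who, Attribute, Operation, ObjectDN -AutoSize
```

In the scenario above, the edit made by "lowpriv" shows up as a versionNumber change on the "test policy" container with Who set to that low-privilege account, which is the row a reviewer should be alerted on.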

Abusing ACLs/ACEs
Access Control Entries (ACEs) allow or deny permissions on an object in AD. DACLs are lists of ACEs that identify the users
and groups that are allowed or denied access to an object. When a DACL is misconfigured, it allows a malicious user to escalate
privileges and move laterally on the network.

Some AD object permissions and types that we are interested in are:


- GenericAll (allows you to add users to groups or reset passwords)
- GenericWrite (update an object's attributes, e.g. the logon script)
- WriteOwner (change the object owner to an attacker-controlled user and take over the object)
- WriteDACL (modify the object's ACEs and give the attacker full control over the object)
- AllExtendedRights (allows you to add a user to a group or reset a password)
- ForceChangePassword (ability to change a user's password)
- Self (ability to add yourself to a group)

Let's check whether our user "lowpriv" has "GenericAll" rights on the AD object of the user
Administrator. (As a result, we were able to change the Administrator password with the user
lowpriv.)

Mitigations
- Routinely inspect objects' DACLs (you can use BloodHound or PowerView)
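An added example of that inspection, written here and not part of the original document: it walks the DACL of every Domain Admins member (plus the built-in Administrator) and reports any principal outside an expected admin set that holds one of the rights listed above, which would catch the "lowpriv has GenericAll on Administrator" case. It assumes the RSAT ActiveDirectory module, read access to the domain, and that $Expected (built from $env:USERDOMAIN) matches your domain's NetBIOS name.

```powershell
# Added example (not from the original document): find non-admin principals holding
# dangerous rights on privileged user objects. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known GUID of the User-Force-Change-Password extended right; an all-zero
# ObjectType on an ExtendedRight ACE means "all extended rights"
$ForceChangePwdGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$AllRightsGuid      = [guid]'00000000-0000-0000-0000-000000000000'

# Principals expected to hold broad rights (assumption: adjust to your domain)
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

function Get-DangerousAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Expected -contains $ace.IdentityReference.Value) { continue }
        $r   = $ace.ActiveDirectoryRights
        $hit = @()
        # GenericAll contains every other flag, so report it alone when present
        if (($r -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) { $hit += 'GenericAll' }
        else {
            foreach ($name in 'GenericWrite', 'WriteOwner', 'WriteDacl', 'Self') {
                $flag = [System.DirectoryServices.ActiveDirectoryRights]::$name
                if (($r -band $flag) -eq $flag) { $hit += $name }
            }
            if (($r -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) {
                if     ($ace.ObjectType -eq $AllRightsGuid)      { $hit += 'AllExtendedRights' }
                elseif ($ace.ObjectType -eq $ForceChangePwdGuid) { $hit += 'ForceChangePassword' }
            }
        }
        if ($hit) {
            [pscustomobject]@{ Object = $DistinguishedName; Principal = $ace.IdentityReference.Value
                               Rights = $hit -join ','; Inherited = $ace.IsInherited }
        }
    }
}

# Check every Domain Admins member and the built-in Administrator account
$targets  = @(Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object -ExpandProperty distinguishedName)
$targets += (Get-ADUser Administrator).DistinguishedName
$targets | Sort-Object -Unique | ForEach-Object { Get-DangerousAce -DistinguishedName $_ } | Format-Table -AutoSize
```

Inherited rows usually point at an OU-level ACE rather than the user object itself, so the fix belongs on the container that granted them.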

Abusing AD Delegation of Privileges and Permissions


What is Delegation of Privileges
Delegation of privileges is when you delegate specific Active Directory management tasks to other people.
Misconfiguring delegation of privileges in Active Directory can lead to exposure and potential compromise of your Active
Directory.

Mitigations
- It is not recommended to delegate permissions directly to specific users. Instead, create a new security group and add
users to it.
- Avoid using Deny permissions; they take precedence over Allow permissions
- Periodically audit the delegated permissions in the domain (using PowerShell, BloodHound, etc.)
- Do not grant any user permissions to manage the OU that contains admin accounts
