10 Active Directory Misconfigurations That Lead to Total Compromise Austin, TX 201 W 5th St.

Transcription

1 10 Active Directory Misconfigurations That Lead to Total Compromise Austin, TX 201 W 5th St.

2 1. Group Policy Preferences Visible Passwords Group Policy Preferences allow an administrator to configure local administrator accounts, schedule tasks, and mount network drives with specified credentials when a user logs in. GPPs are written to the SYSVOL share of the domain controllers. An attacker can gain access to the GPP xml files inside the SYSVOL share and extract the specified credentials that were stored in the GPP. An attacker can gain the same privileges of the accounts it extracts from the GPPs. Accounts being used for the GPPs typically have local admin user rights for every machine. 2. Hidden Security Identifier (SID) Abuse of an Active Directory SID History object enables an attacker to inherit permissions from other high-privileged SID accounts (or groups) without any trace of additional group membership for the user. Using a SID attribute could indicate that the attacker is trying to hide high-privileged group membership, e.g. Domain Admins, in a low-privileged account to conceal a post-exploitation domain backdoor.

3 3. Golden Ticket If an attacker has the long-term key for the krbtgt account, he can forge a logon ticket (TGT) with any user rights. The ticket can contain a fictitious username with domain admin membership (or any other membership the attacker chooses). An attacker can gain any privileges for any service or machine in the network and can use it everywhere. These privileges can last as long as the krbtgt account is not reset. 4. Domain Replication Backdoor If a low-privileged user was added to the domain replication object, then the attacker would be able to access all the domain-sensitive data, e.g. user hashes in the domain, without being a high-privileged user. Because some domain services require domain replication capabilities, replication permissions must be assigned to Active Directory objects. Full access to the entire domain user s database.

4 5. Unprivileged Admin Holder ACL Abuse of AdminSDHolder ACLs such as adding an unprivileged user to the AdminSDHolder security object with full control or write permissions gives that unprivileged user the ability to add himself or other users to powerful groups, such as Domain Admins, without having high-privileges. Enabling and modifying this feature would allow an attacker to leave hidden administrator privileges on the DC without using domain accounts. 6. Power User Enumeration Authenticated users can enumerate any object in the domain. Enumerating users whose passwords never expire could reveal high-privileged users in the domain. These credentials will allow an attacker to gain access to high privileges in the network that can last indefinitely.

5 7. Silver Ticket A user can request service tickets to any service in the domain. Since the service ticket is encrypted with the service account s long-term key, an attacker can gather service tickets and attempt local brute-force attacks on the long-term key. This attack could allow the attacker to obtain fully privileged access to the machines running the service account. 8. Anonymous LDAP Allowed Unmanaged endpoints can query the Active Directory and gather information on the domain environment without authentication. Attackers can view the entire directory structure and permissions from an unauthenticated user and computer with a network connection.

6 9. DSRM Login Enabled DSRM is a special boot mode for repairing or recovering Active Directory when the Directory Services are down. Enabling and modifying this feature would allow an attacker to leave hidden administrator privileges via a backdoor on the DC without using any domain accounts. Full control of and access to the organization s Domain Controllers. 10. Local Admin Traversal Since many companies use imaging software, the local administrator password is frequently the same across the entire enterprise. An attacker stealing local administrator credentials from a local computer in the network can pass the local admin long-term key to a remote machine to authenticate itself. Once an attacker obtains local admin credentials on one machine, he can move laterally and obtain access to every machine in the network with the same local admin password.

7 Attackers exploit misconfigurations and utilize backdoors to compromise your entire domain. Find them first with AD Assess. AD ASSESS All Domain and Active Directory Assessment Attack simulation to find misconfigurations and backdoors in AD and the domain network that lead to total compromise. GET ASSESSMENT