Understanding Active Directory Authentication and Security

1. Active Directory (AD) Authentication

Active Directory (AD) Authentication is a Windows-based system that manages who can access the network (authentication) and what they can do once they are in (authorization).

Centralized Management: AD provides centralized control over user and device settings, and streamlines user and rights management using Group Policy.

Single Sign-On (SSO): With AD, users log in once and then can access all authorized resources within the network without needing to log in again.

2. Authentication Protocols

Kerberos Protocol:

  • Secure Logins: Users log in once and get a “ticket” instead of sending passwords over the network.
  • Key Distribution Center (KDC): It has two parts – an Authentication Server (AS) and a Ticket Granting Server (TGS). The AS verifies the user and issues a Ticket Granting Ticket (TGT). The user then presents the TGT to the TGS to obtain service tickets for the individual services they want to use.
  • Session Keys: Temporary symmetric keys that the KDC issues for each session and shares between the client and a service. They secure that session's traffic, so the user's long-term (password-derived) key is only ever used to decrypt the KDC's reply and never travels over the network.

Lightweight Directory Access Protocol (LDAP):

  • Open Standard Protocol: LDAP is a vendor-neutral directory protocol; AD implements it so that clients can query the directory and authenticate (bind) against it.
  • Simple Authentication: A simple bind sends the username and password directly, so it is only safe when the connection is protected by TLS (LDAPS or StartTLS).
  • SASL (Simple Authentication and Security Layer): Lets the bind use other authentication methods, such as Kerberos via GSSAPI, for added security.

3. Older and Less Secure Protocols

LAN Manager (LM) Hash:

  • Weak Security: It uppercases the password, pads it to 14 characters, splits it into two 7-character halves and hashes each half separately, so each half can be cracked on its own.
  • Outdated: Modern Windows versions don’t store LM hashes by default, but they may still be present on legacy systems or where the default policy has been changed.

NT LAN Manager (NTLM) Hash:

  • Improved Security: Supports longer, case-sensitive passwords. The NT hash is unsalted, so identical passwords always produce identical hashes.
  • Pass-the-Hash Attack: Because authentication is computed from the hash rather than the password, an attacker who obtains the hash can impersonate the user without ever learning the actual password. Hashes therefore need the same protection as passwords.

NTLMv1 and NTLMv2:

  • Challenge-Response Mechanism: The server sends a random challenge, and the client responds with a value computed from that challenge under a key derived from its password hash; the password itself never crosses the network.
  • NTLMv2: More secure, because the response also covers a client-generated challenge and a timestamp, but still less secure than Kerberos, which adds mutual authentication.
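The following is an added example, not code from the original page, that models the challenge-response shapes of NTLMv1 and NTLMv2 in Python. It substitutes SHA-256/HMAC-SHA256 and Unix time for the NT hash (MD4), HMAC-MD5 and FILETIME of the real protocol, so it is a model rather than an NTLM implementation; the domain CORP, the user alice and the password are constructed values. It illustrates three points a defender cares about: the verifier stores and works with only the hash, which is why a hash must be guarded like a password; the v2 client challenge and timestamp let a server reject replays and stale responses; and a response built from the wrong hash fails the check.

```python
"""Simplified NTLM-style challenge-response (added illustration, not a real NTLM
implementation). Real NTLM keys off the NT hash (MD4 of the UTF-16LE password)
and uses HMAC-MD5 with a FILETIME timestamp; SHA-256/HMAC-SHA256 and Unix time
stand in here so the script runs on the standard library alone."""
import hashlib, hmac, os, struct, time

def nt_hash_stand_in(password: str) -> bytes:
    """Unsalted and deterministic: every computation below needs only this
    value, never the password, which is exactly why a stolen hash is dangerous."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def v1_response(pw_hash: bytes, server_challenge: bytes) -> bytes:
    """NTLMv1 shape: the only fresh input is the server's 8-byte challenge."""
    return hmac.new(pw_hash, server_challenge, hashlib.sha256).digest()

def v2_response(pw_hash, user, domain, server_challenge, client_challenge, timestamp):
    """NTLMv2 shape: identity is folded into the key, and the response covers the
    server challenge plus a client-supplied blob (timestamp || client challenge)."""
    v2_key = hmac.new(pw_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.sha256).digest()
    blob = struct.pack("<Q", int(timestamp)) + client_challenge
    return hmac.new(v2_key, server_challenge + blob, hashlib.sha256).digest(), blob

class Verifier:
    """A server or DC that stores only hashes and checks NTLMv2-style responses."""
    MAX_SKEW = 300  # seconds; responses with a timestamp outside this window are rejected

    def __init__(self, domain, accounts, now=time.time):
        self.domain, self.accounts, self.now = domain, accounts, now
        self.pending = {}  # user -> outstanding challenge (single use)

    def challenge(self, user):
        self.pending[user] = os.urandom(8)
        return self.pending[user]

    def check_v2(self, user, response, blob):
        server_challenge = self.pending.pop(user, None)  # consumed on first use
        pw_hash = self.accounts.get(user)
        if server_challenge is None or pw_hash is None or len(blob) < 16:
            return False
        ts = struct.unpack("<Q", blob[:8])[0]
        if abs(self.now() - ts) > self.MAX_SKEW:
            return False  # stale: a captured response replayed later fails here
        expected, _ = v2_response(pw_hash, user, self.domain, server_challenge, blob[8:], ts)
        return hmac.compare_digest(expected, response)

def demo(now=1_700_000_000):
    accounts = {"alice": nt_hash_stand_in("Correct-Horse-42")}  # constructed sample account
    v = Verifier("CORP", accounts, now=lambda: now)
    # Legitimate logon: the client derives the hash from the typed password and
    # answers the challenge; the password bytes never reach the server.
    sc = v.challenge("alice")
    resp, blob = v2_response(accounts["alice"], "alice", "CORP", sc, os.urandom(8), now)
    first = v.check_v2("alice", resp, blob)
    replay = v.check_v2("alice", resp, blob)  # same response again: challenge already consumed
    sc = v.challenge("alice")
    old, old_blob = v2_response(accounts["alice"], "alice", "CORP", sc, os.urandom(8), now - 3600)
    stale = v.check_v2("alice", old, old_blob)  # timestamp outside the allowed window
    sc = v.challenge("alice")
    bad, bad_blob = v2_response(nt_hash_stand_in("wrong"), "alice", "CORP", sc, os.urandom(8), now)
    wrong_pw = v.check_v2("alice", bad, bad_blob)
    return {"first": first, "replay": replay, "stale": stale, "wrong_password": wrong_pw}
```

demo() returns the four outcomes: the fresh response is accepted, the replayed one, the stale one and the one built from the wrong hash are all refused. Note that nothing in check_v2 ever touches a password, which is the property the pass-the-hash bullet above describes.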

4. AD Domain Users and the KRBTGT Account

Domain Users:

  • Access Resources: Domain users can access shared resources like file servers and printers.
  • Log in Anywhere: They can log in to any computer within the domain.

KRBTGT Account:

  • Special Account: The KDC's own service account; its key encrypts every Ticket Granting Ticket, so the whole Kerberos authentication process depends on it staying secret.
  • Target for Attackers: If it is compromised, it can be used to forge “Golden Tickets” that give attackers effectively unlimited access to the domain.

5. Golden Ticket Attack

Step-by-Step Attack:

  1. Initial Compromise: Attackers get into the network, often using phishing.
  2. Privilege Escalation: They gain higher access, targeting admin accounts.
  3. Extract KRBTGT Hash: Using tools, they extract the hash from the AD database.
  4. Create Golden Tickets: With the KRBTGT hash, they forge tickets that give them unrestricted access to the domain.
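The following added example (my own illustration, not code from the original page) models the Kerberos AS/TGS exchange from section 2 and shows why the KRBTGT key discussed in sections 4 and 5 matters: the TGS can only validate a TGT by opening it with that key, and rotating the key invalidates every ticket sealed under the old one, which is the defensive response to a suspected Golden Ticket. Real Kerberos uses AES encryption and ASN.1-encoded tickets; the HMAC-based cipher, the realm CORP.LOCAL, the user alice and the service cifs/fs01 are assumptions made for the demo.

```python
"""Toy Kerberos AS/TGS exchange (added illustration, not real Kerberos or AD code).
Real Kerberos uses AES and ASN.1 tickets; an HMAC-based authenticated cipher and
JSON stand in here so that only the Python standard library is needed."""
import hashlib, hmac, json, os

def derive_key(password: str, salt: str) -> bytes:
    # Password-derived long-term key (PBKDF2, salt = realm + principal, as AES Kerberos does).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC of a JSON object: nonce || ciphertext || tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one object."""
    TGT_LIFETIME = 10 * 3600

    def __init__(self, realm, user_passwords, service_keys):
        self.realm = realm
        # The KDC stores derived keys, never passwords; "krbtgt" is the TGS's own key.
        self.user_keys = {u: derive_key(p, realm + u) for u, p in user_passwords.items()}
        self.service_keys = dict(service_keys)

    def as_exchange(self, user, now):
        """AS-REP: session key under the user's key, plus a TGT under the krbtgt key."""
        sk, exp = os.urandom(32).hex(), now + self.TGT_LIFETIME
        tgt = seal(self.service_keys["krbtgt"], {"user": user, "sk": sk, "exp": exp})
        return seal(self.user_keys[user], {"sk": sk, "exp": exp}), tgt

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REP: the TGT is trusted only because the krbtgt key never leaves the KDC."""
        claims = unseal(self.service_keys["krbtgt"], tgt)
        if claims["exp"] < now:
            raise ValueError("TGT expired")
        sk = bytes.fromhex(claims["sk"])
        auth = unseal(sk, authenticator)  # proves the caller holds the session key
        if auth["user"] != claims["user"] or abs(auth["time"] - now) > 300:
            raise ValueError("bad authenticator")
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.service_keys[service], {"user": claims["user"], "sk": svc_sk, "exp": now + 3600})
        return seal(sk, {"sk": svc_sk}), ticket

    def rotate_krbtgt(self):
        """Mitigation: a new krbtgt key invalidates every TGT sealed with the old one."""
        self.service_keys["krbtgt"] = os.urandom(32)

def login(kdc, user, password, now):
    """Client side of the AS exchange; a wrong password cannot open the reply."""
    enc_part, tgt = kdc.as_exchange(user, now)
    session_key = unseal(derive_key(password, kdc.realm + user), enc_part)["sk"]
    return bytes.fromhex(session_key), tgt

def get_service_ticket(kdc, user, session_key, tgt, service, now):
    """Client side of the TGS exchange: returns (service session key, ticket)."""
    authenticator = seal(session_key, {"user": user, "time": now})
    enc_part, ticket = kdc.tgs_exchange(tgt, authenticator, service, now)
    return bytes.fromhex(unseal(session_key, enc_part)["sk"]), ticket

def service_accept(service_key, ticket, now):
    """The service opens the ticket with its own key and learns who the client is."""
    claims = unseal(service_key, ticket)
    if claims["exp"] < now:
        raise ValueError("service ticket expired")
    return claims["user"]

def _rejected(action):
    try:
        action()
        return False
    except ValueError:
        return True

def demo(now=1_700_000_000):
    keys = {"krbtgt": os.urandom(32), "cifs/fs01": os.urandom(32)}  # constructed sample keys
    kdc = KDC("CORP.LOCAL", {"alice": "Correct-Horse-42"}, keys)
    result = {"wrong_password_rejected": _rejected(lambda: login(kdc, "alice", "wrong", now))}
    sk, tgt = login(kdc, "alice", "Correct-Horse-42", now)
    _, ticket = get_service_ticket(kdc, "alice", sk, tgt, "cifs/fs01", now)
    result["user_seen_by_service"] = service_accept(keys["cifs/fs01"], ticket, now)
    kdc.rotate_krbtgt()  # the old TGT can no longer be opened by the TGS
    result["old_tgt_rejected_after_rotation"] = _rejected(
        lambda: get_service_ticket(kdc, "alice", sk, tgt, "cifs/fs01", now + 1))
    return result
```

demo() walks through a logon, a service ticket request and the service accepting the ticket, then rotates the krbtgt key and shows the existing TGT being refused. In a real domain this is why resetting the KRBTGT password is the standard response to a suspected Golden Ticket: AD keeps both the current and the previous krbtgt key, so the reset has to be performed twice, with time for replication in between, before tickets issued under the old key stop validating.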

6. Local Accounts

Types of Local Accounts:

  1. Administrator: Has full control over the system.
  2. Guest: Disabled by default, provides temporary access.
  3. SYSTEM: Used by the OS for internal functions.
  4. Network Service: Used by services that need to access network resources.
  5. Local Service: Used by services that need minimal privileges.

Summary

  • Authentication: Verifies who you are.
  • Authorization: Determines what you can do.
  • Access Control: Manages permissions.
  • Users: Individuals with access to the network.
  • KRBTGT: Key account in Kerberos authentication.
  • Golden Ticket Attack: A major security threat that exploits the KRBTGT account to gain full domain access.

By understanding these elements, you can better grasp how Active Directory helps secure a Windows-based network and why it’s crucial to protect against specific threats like the Golden Ticket attack.

Active Directory (AD): The Key to Network Security

Introduction to Active Directory (AD)

Active Directory (AD) is a service used in Windows-based networks to manage an organisation’s resources such as users, computers, groups, and network devices. It allows centralised management, making it easier to handle all these resources from one place. AD’s structure is hierarchical and distributed, which means it can grow with the organisation, supporting millions of objects and allowing the creation of new domains as needed.

However, because AD centralises so much important information, it is a prime target for cyber attackers. It’s estimated that 95% of Fortune 500 companies use AD, making it a crucial target for attackers aiming to breach networks. If an attacker gains access to AD through phishing or other methods, they can map out the network and find vulnerabilities.

AD is a key target because it handles both authentication (verifying identity) and authorisation (granting access) within a Windows domain. Although AD is designed to be compatible with older systems, this backward compatibility often means it has security weaknesses. A basic user in AD can see a lot of the network’s structure, making it essential to secure AD properly.

Recently, AD has been under increased attack, especially by ransomware operators. For example, Conti Ransomware has been used in over 400 attacks, exploiting AD vulnerabilities like PrintNightmare and Zerologon to gain control and spread within networks.

Components of Active Directory

  1. Domain Controller: This is the main server that manages AD. It handles user authentication and authorisation, making it a critical component with high administrative power.

  2. Active Directory Data Store: This is a collection of database files that store information about users, services, and applications. The most important file is “NTDS.DIT,” located on all domain controllers.

  3. Logical Active Directory Components: These elements, defined in the AD Data Store (the schema together with the domain, tree, forest and OU structures described below), set the rules for how objects are created, organised and managed in AD.

  4. Domain: A domain groups objects (users, computers, etc.) and manages access to resources within that group. For example, “abc.com” can be a domain.

  5. Trees: Trees are collections of domains that share a common name and trust relationships, forming a hierarchy. For example, “abc.com” can have child domains like “ca.abc.com” (Canada) and “au.abc.com” (Australia).

  6. Forest: A forest is a collection of trees that share a common schema and trust each other. This allows for a unified configuration across multiple domains.

  7. Organizational Units (OUs): OUs are containers that group objects like users and computers within a domain, allowing for organized management and policy application.

  8. Trusts: Trusts are relationships between domains that allow users in one domain to access resources in another. There are two types:

    • Directional Trust: Access flows in one direction only (a trust can also be configured as two-way, in which case each domain trusts the other).
    • Transitive Trust: Trust extends beyond the two domains involved to include the other domains that each of them trusts.

Enumerating AD with Bloodhound

BloodHound is a tool that models the relationships in an AD environment (group membership, logged-on sessions, local administrator rights, ACLs) as a graph so that privilege-escalation paths can be found and fixed. Here’s a simple step-by-step process to use BloodHound:

  1. Download and Install BloodHound and Neo4j: Download BloodHound and Neo4j Community Edition from their respective websites and install them.

  2. Run BloodHound: Open BloodHound and connect it to the Neo4j database with the Neo4j username (neo4j by default) and the password you set when you first started Neo4j.

  3. Collect Data with SharpHound: Download SharpHound and run it in the domain you are assessing to collect AD data; the results are saved as a ZIP file.

  4. Import Data into BloodHound: Upload the ZIP file to BloodHound to import the collected data.

  5. Analyze Results: Use BloodHound’s interface to explore the data, identify potential vulnerabilities, and map out attack paths within the AD environment.

By following these steps, you can effectively analyze your AD setup and find areas that need better security.
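The following is an added example, not BloodHound's own code, that shows in Python what the "map out attack paths" step amounts to: the relationships SharpHound collects are stored as directed edges, and finding a path from a user to Domain Admins is a breadth-first search over them. BloodHound does this with Cypher queries against Neo4j; the graph here is a constructed sample (corp.local, alice, bob, HELPDESK and the other names are invented) so the script runs offline. Beyond the shortest path, it also computes the set of principals from which Domain Admins is reachable and the edges whose single removal breaks the path, which is the information a defender needs to decide what to fix first.

```python
"""Attack-path analysis over a constructed AD relationship graph (added
illustration; BloodHound itself does this with Cypher queries in Neo4j, and
none of the data below comes from a real environment)."""
from collections import deque

# (source, edge type, target) triples in the shape BloodHound uses for its graph.
SAMPLE_EDGES = [
    ("alice@corp.local",      "MemberOf",   "HELPDESK@corp.local"),
    ("HELPDESK@corp.local",   "AdminTo",    "WS01.corp.local"),
    ("WS01.corp.local",       "HasSession", "bob@corp.local"),
    ("bob@corp.local",        "MemberOf",   "SERVER-OPS@corp.local"),
    ("SERVER-OPS@corp.local", "AdminTo",    "SRV02.corp.local"),
    ("SRV02.corp.local",      "HasSession", "dadmin@corp.local"),
    ("dadmin@corp.local",     "MemberOf",   "DOMAIN ADMINS@corp.local"),
    ("alice@corp.local",      "AdminTo",    "SRV02.corp.local"),  # a shortcut edge
    ("carol@corp.local",      "MemberOf",   "FINANCE@corp.local"),
    ("FINANCE@corp.local",    "CanRDP",     "SRV03.corp.local"),
]
DOMAIN_ADMINS = "DOMAIN ADMINS@corp.local"

def build_graph(edges):
    """Adjacency list: node -> [(edge type, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph

def shortest_path(graph, start, target):
    """Breadth-first search; returns the path as (node, edge, node) hops, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while prev[node] is not None:
                parent, rel = prev[node]
                hops.append((parent, rel, node))
                node = parent
            return hops[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None

def exposure_set(graph, target):
    """Every node from which target is reachable (BFS over reversed edges): the
    principals and machines whose compromise leads to the target."""
    reverse = {}
    for src, outs in graph.items():
        for _, dst in outs:
            reverse.setdefault(dst, []).append(src)
    seen, queue = {target}, deque([target])
    while queue:
        for src in reverse.get(queue.popleft(), []):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    seen.discard(target)
    return seen

def choke_points(edges, start, target):
    """Edges whose single removal disconnects start from target. Only hops on the
    shortest path can qualify (a cut edge lies on every path), so each of them is
    tested by removing it and searching again."""
    hops = shortest_path(build_graph(edges), start, target) or []
    return [hop for hop in hops
            if shortest_path(build_graph([e for e in edges if e != hop]), start, target) is None]

if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    for parent, rel, node in shortest_path(g, "alice@corp.local", DOMAIN_ADMINS):
        print(f"{parent} --{rel}--> {node}")
    print("exposed:", sorted(exposure_set(g, DOMAIN_ADMINS)))
    print("fix first:", choke_points(SAMPLE_EDGES, "alice@corp.local", DOMAIN_ADMINS))
```

On the sample data the shortest route from alice to Domain Admins is three hops through the shortcut edge, seven nodes can reach Domain Admins while carol cannot, and the two edges that every path depends on are the privileged session on SRV02 and dadmin's group membership; removing either one (for example by keeping privileged accounts off ordinary servers) breaks the path for everyone upstream.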
