Active Directory (AD): The Key to Network Security

Introduction to Active Directory (AD)

Active Directory (AD) is a service used in Windows-based networks to manage an organisation’s resources such as users, computers, groups, and network devices. It allows centralised management, making it easier to handle all these resources from one place. AD’s structure is hierarchical and distributed, which means it can grow with the organisation, supporting millions of objects and allowing the creation of new domains as needed.

However, because AD centralises so much important information, it is a prime target for cyber attackers. It’s estimated that 95% of Fortune 500 companies use AD, so attackers aiming to breach networks routinely focus on it. If an attacker gains access to AD through phishing or other methods, they can map out the network and find vulnerabilities.

AD is a key target because it handles both authentication (verifying identity) and authorisation (granting access) within a Windows domain. Although AD is designed to be compatible with older systems, this backward compatibility often means it has security weaknesses. A basic user in AD can see a lot of the network’s structure, making it essential to secure AD properly.

Recently, AD has been under increased attack, especially by ransomware operators. For example, Conti Ransomware has been used in over 400 attacks, exploiting AD vulnerabilities like PrintNightmare and Zerologon to gain control and spread within networks.


Components of Active Directory

  1. Domain Controller: This is the main server that manages AD. It handles user authentication and authorisation, making it a critical component with high administrative power.

  2. Active Directory Data Store: This is a collection of database files that store information about users, services, and applications. The most important file is “NTDS.DIT,” located on all domain controllers.

  3. Logical Active Directory Components: These elements within the AD Data Store set the rules for creating and managing objects in AD, ensuring smooth operation.

  4. Domain: A domain groups objects (users, computers, etc.) and manages access to resources within that group. For example, “abc.com” can be a domain.

  5. Trees: Trees are collections of domains that share a common name and trust relationships, forming a hierarchy. For example, “abc.com” can have child domains like “ca.abc.com” (Canada) and “au.abc.com” (Australia).

  6. Forest: A forest is a collection of trees that share a common schema and trust each other. This allows for a unified configuration across multiple domains.

  7. Organizational Units (OUs): OUs are containers that group objects like users and computers within a domain, allowing for organised management and policy application.

  8. Trusts: Trusts are relationships between domains that allow users in one domain to access resources in another. There are two types:

    • Directional Trust: One-way access between domains.
    • Transitive Trust: Trust extends beyond two domains to include other trusted domains.
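
The forest, tree, domain and trust structure described above can be read straight out of a live directory. The following PowerShell is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module is installed and that the session is joined to the forest being audited, and the column names in the output are my own.

```powershell
# Added example: walk the forest -> tree -> domain hierarchy and list every trust
# with its direction and transitivity, the two properties the article distinguishes.
Import-Module ActiveDirectory

function Get-ForestHierarchy {
    # One row per domain. ParentDomain is empty for a tree root, so the rows show the trees.
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $parent = if ($domain.ParentDomain) { $domain.ParentDomain } else { '(tree root)' }
        [pscustomobject]@{
            Forest       = $forest.Name
            Domain       = $domain.DNSRoot
            Parent       = $parent
            IsForestRoot = ($domain.DNSRoot -eq $forest.RootDomain)
            DCs          = @($domain.ReplicaDirectoryServers).Count
        }
    }
}

function Get-ForestTrustReport {
    # Trust objects are stored per domain, so query each domain of the forest in turn.
    foreach ($domainName in (Get-ADForest).Domains) {
        foreach ($trust in Get-ADTrust -Filter * -Server $domainName) {
            [pscustomobject]@{
                Source        = $domainName
                Target        = $trust.Target
                Direction     = $trust.Direction               # Inbound, Outbound or BiDirectional
                Transitive    = -not $trust.DisallowTransivity  # the module really spells it this way
                ForestWide    = $trust.ForestTransitive
                SIDFiltering  = $trust.SIDFilteringQuarantined  # review: SID filtering state for the trust
                SelectiveAuth = $trust.SelectiveAuthentication  # review: limits which accounts may cross it
                TrustType     = $trust.TrustType
            }
        }
    }
}

Get-ForestHierarchy   | Format-Table -AutoSize
Get-ForestTrustReport | Format-Table -AutoSize
```

Run it from an account that can read the directory; no administrative rights are needed to list domains and trusts, which is exactly why these relationships should be reviewed regularly.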

Enumerating AD with Bloodhound

BloodHound is a tool used to analyze AD environments and identify vulnerabilities. Here’s a simple step-by-step process to use BloodHound:

  1. Download and Install BloodHound and Neo4j: Download BloodHound and Neo4j Community Edition from their respective websites and install them.

  2. Run BloodHound: Open BloodHound and connect it to the Neo4j database using the default username and your password.

  3. Collect Data with SharpHound: Download SharpHound and run it in the target domain to collect AD data; the results are saved as a ZIP file.

  4. Import Data into BloodHound: Upload the ZIP file to BloodHound to import the collected data.

  5. Analyze Results: Use BloodHound’s interface to explore the data, identify potential vulnerabilities, and map out attack paths within the AD environment.

By following these steps, you can effectively analyze your AD setup and find areas that need better security.
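
Before uploading the ZIP from step 3 into BloodHound (step 4), it is worth checking what was actually collected. The PowerShell below is an added example, not part of the article or the BloodHound project; it assumes SharpHound's JSON layout of a `data` array of objects with a `Properties` block plus a `meta` block carrying `type`, `count` and `version`, and the user property names `enabled`, `dontreqpreauth`, `pwdneverexpires` and `admincount`. The ZIP path is a placeholder.

```powershell
# Added example: summarise a SharpHound ZIP per object type and flag enabled accounts
# whose settings weaken Kerberos or password hygiene, so the import is checked, not blind.
function Get-SharpHoundSummary {
    param([Parameter(Mandatory)][string]$ZipPath)

    $workDir = Join-Path ([System.IO.Path]::GetTempPath()) ("sharphound_" + [guid]::NewGuid())
    Expand-Archive -LiteralPath $ZipPath -DestinationPath $workDir -Force
    $collections = @()
    $findings    = @()
    try {
        foreach ($file in Get-ChildItem -LiteralPath $workDir -Filter '*.json') {
            $json = Get-Content -LiteralPath $file.FullName -Raw | ConvertFrom-Json

            # One summary row per collected file (users, computers, groups, domains, ...).
            $collections += [pscustomobject]@{
                File    = $file.Name
                Type    = $json.meta.type      # assumed meta field names
                Count   = $json.meta.count
                Version = $json.meta.version
            }

            # For the users file, list enabled accounts with pre-authentication disabled
            # or a never-expiring password; these are remediation items for the domain team.
            if ($json.meta.type -eq 'users') {
                foreach ($u in $json.data) {
                    $p = $u.Properties   # assumed property block and attribute names
                    if ($p.enabled -and ($p.dontreqpreauth -or $p.pwdneverexpires)) {
                        $findings += [pscustomobject]@{
                            Account         = $p.name
                            NoPreAuth       = [bool]$p.dontreqpreauth
                            PwdNeverExpires = [bool]$p.pwdneverexpires
                            AdminCount      = [bool]$p.admincount   # privileged accounts first
                        }
                    }
                }
            }
        }
    }
    finally {
        Remove-Item -LiteralPath $workDir -Recurse -Force -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{ Collections = $collections; UserFindings = $findings }
}

$report = Get-SharpHoundSummary -ZipPath 'C:\Temp\PLACEHOLDER_collection.zip'
$report.Collections  | Format-Table -AutoSize
$report.UserFindings | Sort-Object AdminCount -Descending | Format-Table -AutoSize
```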
