Intro to Windows & Active Directory
Adam Hassan / October 2024 (1091 Words, 7 Minutes)
This is part 1/3 of my Windows Week series that I did for UFSIT
Transcript:
Windows & Active Directory
Schedule
Intro to Windows & Active Directory, TODAY (10/17): Filesystem & Registry; Hashes & Credentials; Protocols & Services; Domains & Objects
Intro to Windows & AD Hacking, MONDAY (10/21): Service Enumeration; Common misconfigurations; Exploits; …
Intro to Windows & AD Defense, TUESDAY (10/22): Common attacks; Common defenses; Tool fingerprinting; …
Why do I care about AD?
Most enterprise networks run Windows (~88% of the operating system market share is Windows, according to a random stat I pulled from a random site in 2020)
The standard for managing major enterprise networks is Active Directory
Why this talk?
There are a ton of automated tools for all things Windows
To be an effective Windows researcher, pentester, or defender, you need to understand the underlying technologies. ropnop (Ronnie Flathers)
The basics - Windows
File System
Is similar to Linux
Directories use backslashes (\) instead though
Root of the filesystem is C:
Paths are case-insensitive and (kinda) don’t require quotes
Important paths (>= Vista):
  C:\Users
  C:\Program Files
  C:\System32
  C:\Program Files (x86)
Registry
A large collection of configurations and environment variables
Includes keys, subkeys, and values
HKEY: Handle to Keys
  HKCU: Handle Key Current User
  HKLM: Handle Key Local Machine
Value Types:
  DWORD/QWORD: 32 / 64 bit numbers (double word / quad word)
  *_SZ: a string
Edit with regedit.exe
Command-line shells
cmd.exe: Original MS-DOS CLI. Almost everything is an executable (whoami.exe, …); some internal commands
powershell.exe: More modern. Has a scripting language. Uses “Cmdlets”, which typically call .NET
Terminal: Nice and clean. Lets you have multiple tabs with different shells
PowerShell.exe
Commands are called “cmdlets”
Supported on many operating systems
Verb-Noun syntax: Get-ChildItem (ls), Get-Content (cat), Invoke-Expression, Start-VM
Integrated with the Windows API
Can manage pretty much anything with it: Users, Services, Apps, Registry Keys
Learn Powershell
https://underthewire.tech/
TryHackMe
https://tryhackme.com/module/windows-fundamentals
The basics - Active Directory
Active Directory
Microsoft’s “Directory Service” for use in Windows domain networks
Also works with Linux and MacOS (just not as well)
Usually AD refers to AD DS: Active Directory Domain Services
Provides centralized and standard management of network “objects”: Users, Groups, Computers, Policies, etc.
Active Directory
Active Directory concepts
Forest: Logical collection of AD domain(s). Shares Schema, Global Catalog, Configurations, etc.
Domain: Logical grouping of resources (users, machines, OUs, Containers, etc.)
Domain Controller: Server that handles security authentication requests within a domain.
Users: Accounts within the domain.
Groups: Groups of users. Groups can be used to delegate permissions to multiple users rather than having to give each user permission.
Policies: Rules that can apply to objects in the domain
TryHackMe
https://tryhackme.com/room/winadbasics
Local vs Domain Accounts
Every Windows machine has a local admin and local users
If an account is on AD, it will also have a domain account
This is often associated with a specific machine account
Sometimes passwords are re-used
Local System and NT AUTHORITY\SYSTEM: the same thing
Local Admin
SYSTEM: also local admin, but slightly different
Domain Admin: admin of all accounts on the domain
Windows Credentials I
LM: Old, extremely weak hashing from Windows. Mostly unused.
  AAD3B435B51404EEAAD3B435B51404EE
NT: The equivalent of a password in Windows. Not as weak, but still a weak hash.
  ufsit ⇔ 272AEA395D8D6B05F1BC78E1A7213AEF
NTLM: LM hash + NT hash
  AAD3B435B51404EEAAD3B435B51404EE:272AEA395D8D6B05F1BC78E1A7213AEF
For Network Auth:
  NetNTLMv1: Reversible hash
  NetNTLMv2: Crackable hash
  Kerberos …
Windows Credentials II
SAM: Security Access Manager
  Stored in Registry (HKLM\SAM); HKLM means this stores local passwords
  Stored in file (C:\Windows\System32\config\SAM)
LSASS: Local Security Subsystem Service
  Handles and stores logon information in memory
  This happens at boot and stores hashes and Kerberos tickets
  Crucial for SSO to work
NTDS: NT Directory Services
  AD database that includes hashes of all domain accounts (also has user info, group info, security descriptors…)
  On the domain controller: C:\Windows\NTDS\ntds.dit
LAPS: Local Administrator Password Solution
  Basically a password manager for accounts on a domain (AD)
  Can be cloud or not cloud
Services Background processes
Usually run as SYSTEM
Windows Identifiers
SID: Security Identifier
  S-1-5-21-2574976019-2108132042-3243833284: Domain SID
  S-1-5-21-2574976019-2108132042-3243833284-512: Group SID
RID: Relative Identifier
  Last part of the SID.
  500-1000 is built-in users and groups
  1000+ is users
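An added example (mine, not from the slides) that takes the SID strings on the slide apart into domain part and RID, applies the RID ranges the slide gives, and checks whether a principal belongs to a given domain. Function names are my own; the -1105 and S-1-5-18 values in the demo are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not from the slides: SID parsing and a domain-membership check.
@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple[int, ...]

    def __str__(self) -> str:
        return "-".join(map(str, ("S", self.revision, self.authority, *self.subauthorities)))

def parse_sid(text: str) -> Sid:
    parts = text.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {text!r}")
    nums = [int(p) for p in parts[1:]]
    return Sid(nums[0], nums[1], tuple(nums[2:]))

def domain_and_rid(text: str) -> tuple[str | None, int | None]:
    """S-1-5-21-A-B-C is a domain (or local machine) SID and has no RID;
    S-1-5-21-A-B-C-512 is the object with RID 512 inside that domain.
    Other SIDs (e.g. S-1-5-18, Local System) have no domain part."""
    sid = parse_sid(text)
    sub = sid.subauthorities
    if sid.authority == 5 and sub[:1] == (21,):
        if len(sub) not in (4, 5):
            raise ValueError(f"malformed domain SID: {text!r}")
        domain = str(Sid(sid.revision, 5, sub[:4]))
        return domain, (sub[4] if len(sub) == 5 else None)
    return None, (sub[-1] if sub else None)

def rid_kind(rid: int) -> str:
    # Ranges as stated on the slide.
    if rid >= 1000:
        return "created in the domain (users, groups, computers)"
    if rid >= 500:
        return "built-in user or group"
    return "reserved / well-known"

def belongs_to(text: str, domain_sid: str) -> bool:
    """Detection-style check: is this principal from our domain? A foreign S-1-5-21
    prefix in a logon event or an ACL (another domain, a stale machine) deserves a look."""
    return domain_and_rid(text)[0] == str(parse_sid(domain_sid))

if __name__ == "__main__":
    dom = "S-1-5-21-2574976019-2108132042-3243833284"          # domain SID from the slide
    for s in (dom, dom + "-512", dom + "-1105", "S-1-5-18"):  # -1105 and S-1-5-18 are constructed
        d, rid = domain_and_rid(s)
        print(f"{s:50} domain={d} rid={rid} {rid_kind(rid) if rid is not None else ''}")
```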
Protocols
Windows Protocols
There are a lot… Read the Windows protocol overview here: [MS-WPO]
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wpo/c5f54a77-65be-40a0-bb82-9e4181d8ab67
Too Many!!
Windows Protocols
We’ll cover the important ones: IIS, SMB, Kerberos, DNS, LDAP, MSSQL, RDP, WMI/RPC
IIS - 80/443 TCP
IIS: Internet Information Services
Webserver
Usually has .aspx, .asp, .php files
SMB - 445 TCP
SMB: Server Message Block
For sharing files over the network
Also for IPC, SYSVOL, NETLOGON
Example file: \IT\adam\notes.txt
  File share is IT
  Folder is adam
  File is notes.txt
SYSVOL stores a domain’s public files, which are replicated to each domain controller
NETLOGON contains logon scripts and group policies that can be used by computers deployed to a domain
Null Authentication: No username and no password
Anonymous (Guest) Authentication: Any username and no password
Kerberos - 88/464 TCP
Kerberos: Authentication protocol
Almost like SSO
Based on MIT’s implementation, but modified
Most secure authentication protocol on Windows
Still has a lot of problems
Kerberos - Terms
KDC: Key Distribution Center
  What everyone has to talk to to authenticate to stuff
  Usually on the Domain Controller
KRBTGT: Service account that handles Kerberos
TGT: Ticket Granting Ticket
  This is given to a client once you’ve authenticated
TGS: Ticket Granting Service
  The service on the KDC that allows you to access other services
ST: Service Ticket
  This is used to gain access to services (SMB, MSSQL, LDAP…)
PAC: Privilege Attribute Certificate
  Inside the TGT and ST. Has information about groups and permissions
Kerberos Authentication (diagram: TGT Response)
Kerberos Simplified
When you go to a carnival, you get a wristband to prove you paid
  The ticket stand is the KDC
  The wristband is the TGT
When you want to play a game, you show the wristband and get tickets
  The tickets you get for the game are the ST
DNS - 53 UDP/TCP
DNS: Domain Name System
Resolves domain names to IP addresses
Is required for Kerberos to work
DC01.UFSIT.LOCAL -> 10.10.0.1
SRV1.UFSIT.CLUB -> 10.10.0.2
Everything in Windows has a domain; “WORKGROUP” for local machines
UF’s domain is ufl.edu
This is different from a website domain
LDAP - 389/636/3268/3269
LDAP: Lightweight Directory Access Protocol
Kinda like a database of objects in AD
LDAP is a tree. The root is the domain (DC=LAB,DC=LOCAL)
The above identifier (DC=LAB,DC=LOCAL) is the distinguished name for the domain. This defines where you can find an object in the tree
https://github.com/bradleypeabody/godap
https://github.com/adamkadaban/ldapfilters
DON’T BE DUMB!!! THIS IS EASY TO MESS UP
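An added example (mine, not from the slides or the linked projects) for the two LDAP points above: splitting a distinguished name like DC=LAB,DC=LOCAL into its parts, and building a search filter with RFC 4515 escaping so that a name containing `*` or `)(` cannot change the filter's shape. Function names are my own and the odd input is constructed.

```python
from __future__ import annotations
import re

# Added example, not from the slides: DN parsing and safe LDAP filter construction.
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """'CN=Adam,OU=Staff,DC=LAB,DC=LOCAL' -> [('CN','Adam'), ('OU','Staff'), ('DC','LAB'), ('DC','LOCAL')]"""
    parts = []
    for rdn in _UNESCAPED_COMMA.split(dn):
        attr, sep, value = rdn.strip().partition("=")
        if not attr or not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((attr.upper(), value))
    return parts

def domain_dn_to_fqdn(dn: str) -> str:
    """The DC= components at the root of the tree spell the DNS domain: DC=LAB,DC=LOCAL -> lab.local"""
    return ".".join(v.lower() for a, v in parse_dn(dn) if a == "DC")

# RFC 4515 escaping for a value placed inside a filter; backslash is escaped as well.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_filter_unsafe(name: str) -> str:
    """Pasting input straight into the filter: a '*' or ')(' in the name rewrites the query."""
    return f"(&(objectClass=user)(sAMAccountName={name}))"

def user_filter(name: str) -> str:
    """Escaped form: the input can only ever be compared as a literal value."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(name)}))"

def filter_clause_count(flt: str) -> int:
    """Counts '(attr=' clauses; a lookup by one name must always have exactly two."""
    return len(re.findall(r"\([A-Za-z][\w-]*[~<>]?=", flt))

if __name__ == "__main__":
    print(domain_dn_to_fqdn("CN=Adam,OU=Staff,DC=LAB,DC=LOCAL"))  # lab.local
    odd = "*)(objectClass=*"  # constructed input, not a real account name
    for build in (user_filter_unsafe, user_filter):
        flt = build(odd)
        print(filter_clause_count(flt), flt)
```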
MSSQL - 1433 TCP
MSSQL: Microsoft Structured Query Language. SQL, but make it Bill Gates
Mostly the same as other SQL, but if you’re an admin, you can get code execution
Two types of authentication:
  Windows Authentication: using a domain account
  SQL Authentication: using an account that only works on the SQL database (on the local computer)
RDP - 3389 TCP
RDP: Remote Desktop Protocol
WinRM - 5985 TCP
WinRM: Windows Remote Management
PowerShell remote management
Enabled by default on users that are local admin
Think of it like SSH but for PowerShell
RPC - 135/139/593
RPC: Remote Procedure Call
You can remotely call procedures
The backbone of all things in Windows: SMB, Printer, DCOM, …
Questions