
Active Directory: a look back at the Hall of Shame conference


September 3, 2025

On June 27 and 28, Paris hosted Le Hack, a security convention dedicated to hacking. Every year, this event brings together numerous experts in the field from all over France and even around the world.

Over these two days, the event is organized around three main areas: workshops, OSINT, and conference talks given by experts from various fields.
Among the conferences held during my visit to the show on Friday, I stopped by the conference entitled "Active Directory: Hall of Shame" led by Nicolas Aunay (aka joker2a).
During this talk, he presented various ways of compromising an Active Directory domain.

But first, why is Active Directory such a popular target for attackers?

Active Directory is the heart of the IT system: whoever controls AD controls everything that relies on it for authentication and authorization, which in most companies means every server, workstation and application.
What makes it so sensitive is what it holds: every user, computer and group, their secrets (password hashes and Kerberos keys), and the security policies and access rights that decide who may do what.
Unfortunately, escalating from a simple user to domain administrator is often possible in a short amount of time, and mostly because of poor configuration rather than software vulnerabilities.
Approximately 50% of companies are attacked through their AD, and more than 40% of those attacks end with information and credentials being stolen.
To reduce this exposure, the recommendations are to audit the domain regularly, apply the principle of least privilege, and disable legacy protocols that are known to be weak.
I will now summarize the various attack vectors that were presented.

DCSync

DCSync abuses the replication rights that are normally reserved for domain controllers: any account holding the "Replicating Directory Changes" and "Replicating Directory Changes All" extended rights on the domain object can pose as a domain controller and ask a real one to replicate directory data, including the password hashes of every account in the domain.
To protect yourself, audit which principals hold these rights on the domain object and remove them from anyone that is not a domain controller or a component that legitimately replicates the directory (the Entra Connect synchronization account, for example); in practice they are sometimes granted to whole user groups by mistake.

Password policies that are too weak

Strong password policies are the cornerstone of protection against attacks. Without one, you end up with accounts whose password is the username, passwords reused across accounts, or very weak passwords that give an attacker easy access to the account, whether by guessing online or by cracking a captured hash offline.
It is therefore necessary to define a strong password policy (length first, then complexity, history and lockout, with no exceptions for privileged accounts) in order to avoid this kind of easily preventable problem.

User account descriptions

Another recurring problem is the presence of passwords in user attributes such as the description field. Support staff often enter the initial password in the description in order to pass it on to the user, who does not necessarily change it; yet the description is readable by every authenticated user in the domain.
To avoid this, support staff must be made aware of this bad practice, users must be forced to change their password at first logon, and existing descriptions should be scanned for leftovers.
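The following script is an added example, not code from the talk or from this article, and covers both the password-policy and the description-field points above: it shows what the default domain policy enforces, lists the accounts that escape it, scans attributes readable by every user for password-like strings, and applies a stricter fine-grained policy to privileged groups. It assumes the RSAT ActiveDirectory module; the regular expression, the PSO name and its values are assumptions to tune for your domain.

```powershell
# Added example, not code from the talk or this article: audit password hygiene in the domain.
# Assumes the RSAT ActiveDirectory module and an account allowed to read user attributes;
# the PSO name and values at the end are assumptions.
Import-Module ActiveDirectory

# 1. What the default domain policy really enforces (length matters more than complexity).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge,
                  LockoutThreshold, LockoutDuration, ReversibleEncryptionEnabled

# 2. Accounts that escape the policy. PasswordNotRequired (userAccountControl 0x20) lets an
#    empty password through whatever the policy says; PasswordNeverExpires defeats rotation;
#    a null PasswordLastSet means the password was never set and is reported too.
$escapees = Get-ADUser -Filter { Enabled -eq $true } `
        -Properties PasswordNotRequired, PasswordNeverExpires, PasswordLastSet |
    Where-Object { $_.PasswordNotRequired -or $_.PasswordNeverExpires -or
                   $_.PasswordLastSet -lt (Get-Date).AddYears(-1) }
$escapees | Select-Object SamAccountName, PasswordNotRequired, PasswordNeverExpires, PasswordLastSet |
    Format-Table -AutoSize

# 3. Credentials left in attributes that every authenticated user can read.
#    The regex is a constructed heuristic; add the wording your support team actually uses.
$pattern = '(?i)\b(pass(word|wd)?|pwd|mdp|mot de passe)\b\s*[:=]?\s*\S+'
$attrs   = 'Description', 'Info', 'Comment'
$leaks   = Get-ADUser -Filter * -Properties $attrs |
    Where-Object { ($_.Description, $_.Info, $_.Comment) -match $pattern }

foreach ($u in $leaks) {
    Write-Warning ("{0}: description='{1}' info='{2}' comment='{3}'" -f
        $u.SamAccountName, $u.Description, $u.Info, $u.Comment)
}

# 4. Remediation for the leaks (drop -WhatIf once the list has been reviewed): wipe only the
#    attributes that matched and force a change at next logon, so the exposed value dies.
foreach ($u in $leaks) {
    $dirty = $attrs | Where-Object { $u.$_ -match $pattern }
    Set-ADUser -Identity $u -Clear $dirty -ChangePasswordAtLogon $true -WhatIf
}

# 5. A stricter fine-grained policy for privileged accounts, applied through a PSO.
#    Precedence decides which PSO wins when several apply to one user; the lower value wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter { Name -eq 'PSO-PrivilegedAccounts' })) {
    New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Domain Admins', 'Enterprise Admins'
}
```

Step 3 is the check that finds the support-desk habit described above; step 4 matters because clearing the description is not enough if the password it contained is still valid.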

So-called "weak" protocols

Among the protocols considered weak, one is still used far too often: NTLMv1.
Its challenge-response is computed from the NT hash with DES in three independent pieces, so a captured response can be turned back into the NT hash itself (under a day by exhaustive DES search, minutes with precomputed tables when the attacker controls the challenge); that hash can then be used directly for pass-the-hash whatever the password strength, or cracked to the clear-text password, which for an 8-character password takes less than a day.
It is therefore important to disable this protocol (LAN Manager authentication level set to "Send NTLMv2 response only. Refuse LM & NTLM") and use NTLMv2 instead, whose HMAC-MD5 response includes a client nonce and cannot be converted back into the NT hash; NTLMv2 can still be brute-forced offline if the password is weak, which is another reason the password policy matters.
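Refusing NTLMv1 breaks every client that still depends on it, so the practical sequence is to find those clients first. The script below is an added example, not code from the talk or from this article: it collects successful logons that used NTLMv1 from the Security logs of a constructed list of hosts, then shows the registry setting that enforces NTLMv2 only (which in a domain you deploy through the GPO named in the comment). Host names and the 7-day window are assumptions.

```powershell
# Added example, not code from the talk or this article: find who still authenticates with
# NTLMv1 before refusing it, then set the LAN Manager authentication level.
# Assumes read access to the Security log of the listed hosts; the host list is constructed.
# Event 4624 is written on the machine that accepted the logon (a DC only sees logons to
# itself), so include file and application servers, or query the SIEM that collects 4624.
$servers = 'DC01', 'FS01'
$lookbackMs = 7 * 24 * 3600 * 1000

# LmPackageName is '-' for Kerberos, 'NTLM V2' or 'NTLM V1' for NTLM logons.
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $lookbackMs]]] and " +
         "*[EventData[Data[@Name='LmPackageName']='NTLM V1']]"

$hits = foreach ($srv in $servers) {
    Get-WinEvent -ComputerName $srv -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Server      = $srv
                Time        = $_.TimeCreated
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Workstation = $d.WorkstationName
                SourceIP    = $d.IpAddress
                LogonType   = $d.LogonType
            }
        }
}

# One line per (server, user, workstation, source): these are the clients to fix before enforcing.
$hits | Group-Object Server, User, Workstation, SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Enforcement: LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM".
# Deploy it domain-wide with the GPO "Network security: LAN Manager authentication level";
# the registry write below is the per-machine equivalent, kept on -WhatIf here.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { $level = 'not set (OS default)' }
Write-Host "Local LmCompatibilityLevel: $level"

if ($hits.Count -eq 0) {
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord -WhatIf
} else {
    Write-Warning "$($hits.Count) NTLMv1 logon(s) in the last 7 days; fix those clients first or they will break."
}
```

The grouping output is the work list: each (user, workstation) pair is an application or device whose configuration must change before the policy is enforced.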

Poorly managed service accounts

A service account is a user account created in AD so that an application or scheduled task can run with specific access rights.
Two problems come up again and again: these accounts often have weak passwords that are never rotated, and above all rights far too high for the task at hand, up to membership of Domain Admins. Because a service account registers a Service Principal Name, any domain user can request a Kerberos service ticket for it and try to crack the password offline; if the account is also over-privileged, that crack gives access to critical resources.
When using this type of account, always apply the principle of least privilege and set long random passwords that are changed regularly, or better, use a group Managed Service Account (gMSA), whose password AD generates and rotates itself.
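The script below is an added example, not code from the talk or from this article: it lists every user account carrying an SPN and, for each, the three things that decide how bad a crack would be (privileged group membership, password age, and whether the KDC may still issue RC4 service tickets, which crack far faster than AES), then sketches the gMSA replacement. It assumes the RSAT ActiveDirectory module; the group list is the default built-ins, and the gMSA name and host are assumptions.

```powershell
# Added example, not code from the talk or this article: review service accounts for weak or
# stale passwords and excessive privilege. Any user account with an SPN can be kerberoasted
# (a domain user asks for a service ticket and cracks it offline), so password age and ticket
# encryption type matter as much as group membership. Assumes the RSAT ActiveDirectory module;
# the gMSA name and host at the end are assumptions.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
$privilegedSids = foreach ($g in $privilegedGroups) {
    (Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue).SID.Value
}

$svc = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, AdminCount,
                'msDS-SupportedEncryptionTypes', Enabled

$report = foreach ($a in $svc) {
    # msDS-SupportedEncryptionTypes: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256. Unset, RC4 set, or
    # no AES bit means the KDC may issue RC4 service tickets for this account.
    $et  = $a.'msDS-SupportedEncryptionTypes'
    $age = if ($a.PasswordLastSet) { [int]((Get-Date) - $a.PasswordLastSet).TotalDays } else { $null }
    [pscustomobject]@{
        Account         = $a.SamAccountName
        Enabled         = $a.Enabled
        PasswordAgeDays = $age
        NeverExpires    = $a.PasswordNeverExpires
        Rc4Tickets      = ($null -eq $et) -or (($et -band 0x4) -ne 0) -or (($et -band 0x18) -eq 0)
        Privileged      = ($a.SID.Value -in $privilegedSids) -or ($a.AdminCount -eq 1)
        SPNs            = ($a.ServicePrincipalName -join ' ')
    }
}

# Worst first: privileged, RC4-crackable, old password.
$report | Sort-Object @{Expression='Privileged';Descending=$true}, @{Expression='Rc4Tickets';Descending=$true},
                      @{Expression='PasswordAgeDays';Descending=$true} |
    Format-Table Account, Enabled, Privileged, Rc4Tickets, PasswordAgeDays, NeverExpires -AutoSize

# Remediation sketch: replace the plain account by a group Managed Service Account. AD
# generates its 240-character password and rotates it (30 days by default); only the listed
# hosts may retrieve it, and it can carry the same SPNs.
# Add-KdsRootKey -EffectiveImmediately        # once per forest; the key is usable after 10 h
# New-ADServiceAccount -Name 'gmsa-app01' -DNSHostName 'gmsa-app01.corp.example' `
#     -PrincipalsAllowedToRetrieveManagedPassword 'APP01$' `
#     -ServicePrincipalNames 'HTTP/app01.corp.example'
# Set-ADUser -Identity 'svc-app01' -Enabled $false   # once the application runs under the gMSA
```

An account that is both Privileged and Rc4Tickets with a password several years old is the case the talk's title is about: one crackable ticket away from domain admin.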

Problems with delegation of rights

Every object in AD and on Windows (accounts, groups, OUs, files, folders, etc.) carries an access control list. When delegation is done carelessly, overly broad rights end up on certain objects: for example full control, the right to rewrite the ACL or take ownership, or the right to reset another account's password, granted to a wide group on a user, a group or a whole OU.
In that case, taking control of one account that holds rights over other objects gives access to those objects in turn, and such rights can be chained from object to object.
It is therefore wise to review the rights on each object and restrict them as much as possible, to prevent lateral movement and privilege escalation.
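One pass over the domain's ACLs answers both the DCSync question above and the delegation question here, so the script below is an added example serving both sections; it is not code from the talk or from this article. It reports the replication rights held on the domain object (and who therefore can DCSync) and the dangerous explicit rights held on users, groups, computers and OUs by anyone outside an allow-list. It assumes the RSAT ActiveDirectory module; the allow-list is an assumption built from the default holders and must be tuned (add the Entra Connect account, for instance). The GUIDs are the schema constants for the extended rights named in the comments.

```powershell
# Added example, not code from the talk or this article, serving both the DCSync and the
# delegation sections: one pass over the domain's ACLs that reports replication rights on the
# domain object and dangerous explicit rights on users, groups, computers and OUs.
# Assumes the RSAT ActiveDirectory module; $expected is an assumption to tune per domain.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$nb = $domain.NetBIOSName
$AR = [System.DirectoryServices.ActiveDirectoryRights]

# Extended rights worth reporting, by schema GUID.
$rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}
$expected = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            'NT AUTHORITY\ENTERPRISE READ-ONLY DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
            "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Domain Controllers"

function Get-AceRisk($ace) {
    if ($ace.AccessControlType -ne 'Allow') { return $null }
    $r = $ace.ActiveDirectoryRights
    $guid = $ace.ObjectType.ToString()
    $allAttributes = $guid -eq '00000000-0000-0000-0000-000000000000'
    if ($r.HasFlag($AR::GenericAll))  { return 'GenericAll' }
    if ($r.HasFlag($AR::WriteDacl))   { return 'WriteDacl' }
    if ($r.HasFlag($AR::WriteOwner))  { return 'WriteOwner' }
    if ($r.HasFlag($AR::WriteProperty) -and $allAttributes) { return 'WriteProperty (all attributes)' }
    if ($r.HasFlag($AR::ExtendedRight) -and $rights.ContainsKey($guid)) { return $rights[$guid] }
    return $null
}

# Domain head first (DCSync lives there), then every object a delegation is usually put on.
# Scope -SearchBase to an OU on very large domains.
$targets = @($domain.DistinguishedName) + (Get-ADObject -SearchBase $domain.DistinguishedName `
    -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=computer)(objectClass=organizationalUnit))').DistinguishedName

$findings = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn" -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        # Inherited ACEs are reported once, on the object where they are explicit.
        if ($ace.IsInherited -and $dn -ne $domain.DistinguishedName) { continue }
        $risk = Get-AceRisk $ace
        $who  = $ace.IdentityReference.Value
        if (-not $risk -or $who -in $expected) { continue }
        [pscustomobject]@{ Object = $dn; Principal = $who; Risk = $risk; Inherited = $ace.IsInherited }
    }
}

# DCSync needs Get-Changes plus Get-Changes-All on the domain head; anyone with all extended
# rights, GenericAll, WriteDacl or WriteOwner there can simply grant them to themselves.
$dcsync = $findings | Where-Object { $_.Object -eq $domain.DistinguishedName } | Group-Object Principal |
    Where-Object {
        $r = $_.Group.Risk
        ('DS-Replication-Get-Changes' -in $r -and 'DS-Replication-Get-Changes-All' -in $r) -or
        ($r -match 'All extended|GenericAll|WriteDacl|WriteOwner')
    }
"`nPrincipals able to DCSync (besides the expected ones):"
$dcsync | Select-Object Name, @{n='Rights';e={ $_.Group.Risk -join ', ' }} | Format-Table -AutoSize

"`nDangerous explicit rights on other objects:"
$findings | Where-Object { $_.Object -ne $domain.DistinguishedName } |
    Sort-Object Principal, Object | Format-Table Principal, Risk, Object -AutoSize -Wrap
```

Built-in operator groups (Account Operators and the like) will appear in the second list by default; whether they still need those rights is exactly the question the review should settle.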

Incorrect AD CS configuration

AD CS (Active Directory Certificate Services) is the role that issues and manages certificates in the domain. Because a certificate issued for client authentication lets its holder log on as the account named in it, a misconfigured role can hand an attacker the identity of any account.
The best-known attack, ESC1, targets certificate templates, the objects that define what the CA puts into the certificates it issues. A template is vulnerable when low-privileged users are allowed to enroll, it lets the requester supply the subject name (the "Supply in the request" option), it carries an EKU usable for client authentication, and no manager approval or signature is required. After spotting such a template, the attacker requests a certificate naming a high-privilege account in the subject alternative name, then authenticates with it (Kerberos PKINIT) as that account.
To remedy this, review each template: whether it is published and still needed, who holds enrollment rights, whether the requester may supply the subject, and whether manager approval or signatures are required, so that not everyone can obtain a certificate for someone else.
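The check below is an added example, not code from the talk or from this article: it reads the templates from the Configuration partition (readable by any domain user, which is why an attacker enumerates exactly the same data), keeps those meeting every ESC1 condition with enrollment open to low-privileged principals, and says on which CA each is published. It assumes the RSAT ActiveDirectory module; the flag values, EKU OIDs and enrollment-right GUID are the documented constants, while the list of "low-privileged" group names is an assumption.

```powershell
# Added example, not code from the talk or this article: list certificate templates that meet the
# ESC1 conditions (requester supplies the subject, an authentication EKU, no manager approval,
# no signature required, enrollment open to low-privileged principals) and where they are
# published. Assumes the RSAT ActiveDirectory module; $lowPriv is an assumption.
Import-Module ActiveDirectory
$AR  = [System.DirectoryServices.ActiveDirectoryRights]
$pks = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Templates are exploitable only once a CA publishes them: map template name -> CA(s).
$published = @{}
Get-ADObject -SearchBase "CN=Enrollment Services,$pks" -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties certificateTemplates, dNSHostName |
    ForEach-Object { $ca = $_; foreach ($t in $ca.certificateTemplates) { $published[$t] += @("$($ca.dNSHostName)\$($ca.Name)") } }

$authEku = '1.3.6.1.5.5.7.3.2',      # Client Authentication
           '1.3.6.1.5.2.3.4',        # PKINIT Client Authentication
           '1.3.6.1.4.1.311.20.2.2', # Smart Card Logon
           '2.5.29.37.0'             # Any Purpose
$enrollGuids = '0e10c968-78fb-11d2-90d4-00c04f79dc55', '00000000-0000-0000-0000-000000000000'  # Certificate-Enrollment, all extended rights
$lowPriv = 'Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Users'

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pks" -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', pKIExtendedKeyUsage

$esc1 = foreach ($t in $templates) {
    $supplySubject   = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $managerApproval = ($t.'msPKI-Enrollment-Flag' -band 0x2) -ne 0         # CT_FLAG_PEND_ALL_REQUESTS
    $signatures      = [int]$t.'msPKI-RA-Signature'
    $ekus = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    $authUsable = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $_ -in $authEku }).Count -gt 0)  # no EKU = any purpose
    if (-not ($supplySubject -and $authUsable -and -not $managerApproval -and $signatures -eq 0)) { continue }

    # Who may enroll: Certificate-Enrollment (or all extended rights) or GenericAll on the template.
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $enrollers = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = $ace.ActiveDirectoryRights
        if ($r.HasFlag($AR::GenericAll) -or
            ($r.HasFlag($AR::ExtendedRight) -and $ace.ObjectType.ToString() -in $enrollGuids)) {
            $ace.IdentityReference.Value
        }
    }
    $weak = @($enrollers | Where-Object { ($_ -split '\\')[-1] -in $lowPriv })
    if ($weak.Count -eq 0) { continue }

    [pscustomobject]@{
        Template    = $t.Name
        PublishedOn = ($published[$t.Name] -join ', ')   # empty: dormant until someone publishes it
        Enrollers   = ($weak -join ', ')
        EKU         = ($ekus -join ' ')
    }
}
$esc1 | Format-Table -AutoSize -Wrap

# Fix, per template: untick "Supply in the request" (or require manager approval / a signature),
# restrict Enroll to the principals that need it, and unpublish templates nobody uses.
```

A template that passes every test but has an empty PublishedOn column is not exploitable today, yet it is one careless publish away from being so, which is why the review covers unpublished templates too.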

Accessible network shares

Network shares are among the most common things found on a network.
Unfortunately, they are often poorly configured and readable by far more people than intended (Everyone, Authenticated Users or Domain Users). The first problem is the confidentiality of the data, which becomes very accessible. The second is that their content is not always controlled: you may find scripts, configuration files or spreadsheets containing usernames and passwords for high-privilege accounts.
It is therefore important to regularly review network shares and their permissions, both at share level and on the NTFS folder behind them, and to implement content checks for stored credentials.
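The script below is an added example, not code from the talk or from this article: it inventories the shares on a constructed list of servers, keeps those where both the share ACL and the NTFS ACL grant access to a broad group, then walks those shares looking for files whose name or content looks like credential material. It assumes PowerShell remoting to the servers and a scanning account that can read the shares; server names, the broad-group list and the regular expressions are assumptions to adapt.

```powershell
# Added example, not code from the talk or this article: inventory shares on a set of servers,
# flag those readable by broad groups, and look inside for credential material.
# Assumes PowerShell remoting to the servers and that the scanning account can read the shares.
$servers = 'FS01', 'APP01'                         # constructed list
$broad   = 'Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Users'
$skip    = 'ADMIN$', 'C$', 'IPC$', 'print$', 'SYSVOL', 'NETLOGON'   # default shares, reviewed separately

# 1. Share-level and NTFS ACLs. Effective access is the intersection of the two, so a share
#    open to Everyone with tight NTFS permissions is fine; both layers are collected.
$shares = Invoke-Command -ComputerName $servers -ScriptBlock {
    $skip  = $using:skip
    $broad = $using:broad
    foreach ($s in Get-SmbShare | Where-Object { $_.Name -notin $skip }) {
        $access = Get-SmbShareAccess -Name $s.Name | Where-Object { $_.AccessControlType -eq 'Allow' }
        $ntfs   = (Get-Acl -Path $s.Path -ErrorAction SilentlyContinue).Access |
                      Where-Object { $_.AccessControlType -eq 'Allow' }
        [pscustomobject]@{
            Server    = $env:COMPUTERNAME
            Share     = $s.Name
            Path      = $s.Path
            ShareOpen = @($access | Where-Object { ($_.AccountName -split '\\')[-1] -in $broad }).AccountName
            NtfsOpen  = @($ntfs | Where-Object { ($_.IdentityReference.Value -split '\\')[-1] -in $broad }).IdentityReference.Value
        }
    }
}

$exposed = $shares | Where-Object { $_.ShareOpen -and $_.NtfsOpen }
$exposed | Format-Table Server, Share, ShareOpen, NtfsOpen -AutoSize

# 2. Content check on the exposed shares: files whose name or content smells like credentials.
#    Patterns are a constructed starting point; extend them with your own secret formats.
$namePattern    = '(?i)(pass|mdp|cred|secret|\.kdbx$|unattend\.xml$|web\.config$|\.rdg$|\.ppk$|id_rsa$)'
$contentPattern = '(?i)(password|passwd|pwd|mot de passe)\s*[:=]\s*\S{4,}'
$textExt = '.txt', '.ini', '.cfg', '.conf', '.config', '.xml', '.json', '.ps1', '.bat', '.cmd', '.vbs', '.sql', '.csv'

$findings = foreach ($x in $exposed) {
    $unc = "\\$($x.Server)\$($x.Share)"
    Get-ChildItem -Path $unc -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Name -match $namePattern) {
            [pscustomobject]@{ Path = $_.FullName; Reason = 'filename'; Line = '' }
        }
        if ($_.Extension -in $textExt -and $_.Length -lt 5MB) {
            Select-String -Path $_.FullName -Pattern $contentPattern -List -ErrorAction SilentlyContinue |
                ForEach-Object { [pscustomobject]@{ Path = $_.Path; Reason = 'content'; Line = $_.Line.Trim() } }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

Run from an ordinary domain user account rather than an administrator: what that account can read is what any compromised workstation can read, which is the exposure the section describes.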

Conclusion

In conclusion, most of the attack vectors presented here could have been avoided, since they stem mainly from administrator errors rather than from flaws in the software itself. It is therefore important to train administrators properly on these issues and to put procedures in place: regular audits of rights, passwords, service accounts, templates and shares, and detection of the abuses described above.
