Active Directory Definition, Forest, Authentication
By: Mohamed Ashraf
October 21, 2024, 3 p.m.
Introduction
Active Directory is a service developed by Microsoft to manage and organize resources such as computers, users, and services within a network. It allows admins to grant access rights to the available services in the network.
Still not quite clear? Let’s clarify with an example…
Imagine I have a company where employees don’t have a fixed desk and move between branches. Would I need to create a user account for each employee on every device they use and assign their permissions every time they use a different device?
Definitely not.
Now, let’s say an employee resigns or retires. Would I have to go to every device they used and remove their user account? Again, no. This is where Active Directory comes in. Each employee is registered with their profile information, including permissions and settings. As soon as they log in to a device connected to the company network, their profile is automatically loaded.
Moreover, Active Directory can deploy software to multiple machines from a central point. This level of control helps maintain a secure and compliant environment.
Active Directory also supports services like Single Sign-On (SSO), allowing users to authenticate once and gain access to multiple applications without needing to log in repeatedly.
This is just a summary of many other tasks that Active Directory performs.
So, what is it made up of?
- Domain:
A domain is a collection of objects (like users, computers, and others) that share the same Active Directory database. It acts as a boundary for security policies and administrative tasks.
- Domain Controllers:
These are responsible for storing the database and managing the authentication process between users and the server.
- Organizational Units (OUs):
For example, if my company has departments like HR and IT, OUs represent them. We use OUs to organize all users, computers, and groups specific to each department, and I can also apply policies to them.
- Schema:
The schema defines the types of objects that can exist, such as first name, last name, and email.
- Forest and Tree:
Let’s assume I have a large company with branches in different regions. Their domains are grouped under a structure called a “Tree,” for example NorthAmerica.Example.com and Europe.Example.com.
Under each domain, there are subdomains, such as Sales.Europe.Example.com.
Now, the Forest is a collection of these trees.
Each tree represents a specific geographic area with its own domain structure, but they share the same overall schema as part of the forest. Trees allow for separate management of regions while ensuring that the entire organization operates under a unified framework, which simplifies the management of users and resources across different areas.
Kerberos Authentication
Kerberos is the authentication protocol responsible for verifying the identity of users in Active Directory (AD) so they can log in and use the services available in AD. This process consists of operations carried out by the Domain Controller, which include:
AS, TGT, KDC, TGS
Authentication Server (AS):
The purpose of the AS is to verify the user’s identity and check if they exist in the database. If the user is found, it informs the KDC that the user exists and requests a Ticket Granting Ticket (TGT).
This is the first operation that occurs in the authentication process.
Hmm, what are the KDC and TGT?
Key Distribution Center (KDC):
This is a part of the authentication service located on the Domain Controller. It is responsible for the authentication processes and sends the TGT, which allows the user to access the requested service, such as logging in. The KDC also stores user information and hashes in the database used by the AS.
Ticket Granting Ticket (TGT):
This ticket is issued after your identity is verified by the AS and is the second step in the authentication process.
The ticket contains:
- User Information: for example, “Administrator.”
- Session Key: a secret key used to encrypt communications between the user and the Ticket Granting Service (TGS).
- Flags: indicators that define the properties of the ticket, such as whether it can be forwarded or if it requires pre-authentication.
- Validity Period:
  - Start Time: when the TGT becomes valid.
  - End Time: when the TGT expires, indicating how long it can be used to request service tickets.
- Renewal Information: details about whether the TGT can be renewed, including renewal timings.
Ticket Granting Service (TGS):
This is the final step, where the TGS checks if the TGT is valid and sends a service ticket to the user, allowing them to access the desired service.
How are Tickets Encrypted and Decrypted?
This process involves a component known as KRBTGT.
Kerberos Ticket-Granting Ticket Account (KRBTGT):
This is an account automatically created during the installation of Active Directory. Its purpose is to generate the session key used for encrypting and decrypting TGTs.
Example:
When a user requests a TGT to access a service, the KDC uses the same secret key (KRBTGT) established during the initial setup to encrypt and decrypt the ticket. This ensures that only authorized users can access specific services, maintaining the security of the network.
As we know, everything has vulnerabilities.
Kerberoasting
Kerberoasting is a specific attack that targets Service Principal Names (SPNs) in a Kerberos authentication environment.
SPNs??
Service Principal Name (SPN):
SPN is a unique identifier for a service instance in a network. It allows clients to authenticate to the service using Kerberos. SPNs are typically associated with service accounts, which are often used to run applications or services.
So how does it work?
In this attack, the attacker needs to be an authenticated domain user to request the Kerberos ticket for the service. The ticket they get is encrypted with the password hash of the service account linked to that service. The attacker then takes this hash and tries to crack the password offline using brute-force methods.
This attack does not require admin privileges. Any authenticated user in the domain can initiate the attack by requesting a Kerberos ticket for a service account, making it a serious security concern.
Once the attacker gets the service account’s password, they can pretend to be that account. This lets them access any systems, assets, or networks that the compromised account can access.
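Because every request for a service ticket is logged by the Domain Controller as Security Event ID 4769, the pattern described above (one authenticated user pulling tickets for many user-account SPNs, often downgraded to RC4) is visible to defenders. The following is an added example, not code from the original post: it runs two simple heuristics over constructed 4769-style records (the field names and sample values are assumptions, not real logs).

```python
"""Detect likely Kerberoasting in Windows Security Event ID 4769 (TGS request) records.

Heuristics (defender side):
  1. a service ticket for a user-run service (SPN on a user account, not a
     computer account) issued with RC4-HMAC (Ticket Encryption Type 0x17);
  2. one account requesting tickets for many distinct services in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # Ticket Encryption Type value for RC4-HMAC; 0x11/0x12 are AES
SUCCESS = "0x0"     # Failure Code 0x0 means the ticket was actually issued

# Constructed sample records (NOT real logs); keys mirror 4769 fields.
SAMPLE_4769 = [
    {"time": "2024-10-21T15:00:01", "account": "jdoe",   "service": "WS01$",   "etype": "0x12", "status": "0x0"},
    {"time": "2024-10-21T15:00:03", "account": "jdoe",   "service": "svc_sql", "etype": "0x17", "status": "0x0"},
    {"time": "2024-10-21T15:00:04", "account": "jdoe",   "service": "svc_web", "etype": "0x17", "status": "0x0"},
    {"time": "2024-10-21T15:00:05", "account": "jdoe",   "service": "svc_bak", "etype": "0x17", "status": "0x0"},
    {"time": "2024-10-21T15:20:00", "account": "asmith", "service": "svc_sql", "etype": "0x12", "status": "0x0"},
    {"time": "2024-10-21T15:21:00", "account": "asmith", "service": "svc_web", "etype": "0x12", "status": "0x1f"},
]


def is_user_service(service):
    """Computer accounts end in '$' and krbtgt is the KDC itself; neither is a roasting target."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(seconds=60), burst=3):
    """Return alert tuples: ('rc4_ticket', account, service) or ('spn_burst', account, count)."""
    alerts = []
    per_account = defaultdict(list)  # account -> [(time, service)] for successful user-SPN requests
    for ev in events:
        if ev["status"] != SUCCESS or not is_user_service(ev["service"]):
            continue  # failed requests and tickets for computer accounts are normal noise
        when = datetime.fromisoformat(ev["time"])
        if ev["etype"] == RC4_HMAC:
            alerts.append(("rc4_ticket", ev["account"], ev["service"]))
        per_account[ev["account"]].append((when, ev["service"]))
    # Sliding window: count distinct services one account asked for within `window`.
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            seen = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(seen) >= burst:
                alerts.append(("spn_burst", account, len(seen)))
                break  # one burst alert per account is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(alert)
```

In the sample, jdoe triggers both heuristics while asmith (AES tickets, one of them failed) stays quiet; in a real environment the thresholds and the list of expected RC4-only services need tuning per domain.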
Tools
Tools for cracking the password: Hashcat or JohnTheRipper.
Rubeus: Tool for interacting with Kerberos Tickets
GetUserSPNs.py: This script retrieves and displays the SPNs associated with accounts in the domain.
Example output from Rubeus (screenshot): the requested service ticket hash.
We got the hash! 😀
Let’s crack it offline using Hashcat (screenshot).
Common Attacks on Active Directory
- Phishing Attacks:
Phishing attacks attempt to trick users into clicking on malicious links or opening attachments.
Solution:
- User education and awareness: Conduct regular security awareness training to educate users about phishing threats and how to recognize and avoid phishing attempts.
- Email filtering: Implement robust email filtering and spam protection solutions to block phishing emails before they reach users’ inboxes.
- Phishing simulations: test users’ ability to identify and report phishing attempts. This can help identify training gaps and improve user awareness.
- Privilege Escalation:
Attackers exploit vulnerabilities in AD or other systems to gain higher privileges.
Solution:
- Least privilege principle: Grant users only the necessary permissions to perform their job functions.
- Application whitelisting: Restrict the execution of unauthorized applications to prevent malicious code from running.
- DNS Spoofing:
Attackers can use DNS spoofing to redirect users to malicious websites that attempt to steal credentials or distribute malware.
Solution:
- DNSSEC: Deploy DNSSEC (Domain Name System Security Extensions) to verify the authenticity of DNS responses.
- Firewall rules: Configure firewall rules to restrict DNS traffic to trusted sources and prevent unauthorized access.
- Kerberoasting:
A technique that attackers use to extract password hashes from Kerberos tickets.
Solution:
- Disable unneeded services: Disable unnecessary services that don’t require Kerberos authentication to reduce the attack surface.
- Use strong service account passwords: Implement strong password policies for service accounts that are used for Kerberos authentication.
Conclusion:
Active Directory and Kerberos authentication play a crucial role in modern network environments. Active Directory provides a centralized platform for managing users, devices, and services, while Kerberos ensures secure access to resources through a robust authentication process. By understanding the key concepts and best practices, organizations can effectively leverage these technologies to improve security, efficiency, and overall network management.