
PENTESTING METHODOLOGY TOWARDS AN ACTIVE DIRECTORY. RESULTS AND CONCLUSIONS (PART 10) (EN)

Hello everybody,

This is the final post about the Pentesting Methodology towards an Active Directory, where I will present some results obtained after the monitoring of the project and a short conclusion about it.

Results

The result of this project is the integrated management of an AD from its deployment, through the assessment and exploitation of vulnerabilities, to the possible mitigations offered to protect against them. This is the outcome of the work process followed, which can be divided into several activities, of which the planning and configuration of the AD system and the development of the attack methodology using different techniques should be highlighted.

On the one hand, the knowledge obtained about the different aspects of cybersecurity, as well as about AD, virtualisation and the current state of pentesting, has been presented in a general way, building on the subjects taken during the degree, seeking further information and detailing different alternatives in order to obtain a good final result.

An overview has been given of all the essential aspects surrounding an AD, the protocols it uses and the different risks to which it is exposed, taking as a reference works and articles that covered only part of the result obtained and did not go into topics such as the deployment or defence of the AD.

The platform used as a test environment, composed of the different machines administered by an AD, is offered in a compressed file. It has been breached using tools and exploits against the protocols exposed to the attacker, so that the attacks can be replicated in future studies. This environment is a controlled space in which certain attack vectors have been deliberately introduced so that the tests succeed. However, this work and its outcome can help any pentester to deploy an AD environment, to execute and learn about the vulnerabilities and attack methodologies of an AD, and to defend against these vulnerabilities.

On the other hand, due to the nature of the work, it has not been possible to go into detail on certain aspects closely related to essential security concepts, such as hardware elements that can establish a barrier against the attacks shown, or the implementation of further attack vectors through third-party services. However, it has made it possible to establish an effective and efficient working mechanism, designed so that a pentester can follow a sound working methodology when attempting to breach an AD, either with the tools explained or with other services.

Finally, the results of this project point towards a more complex development of the platform, with more users, groups and machines, stronger passwords and a higher level of attacks, in order to prepare the pentester to exploit targets successfully. Although the defensive systems of the machines improve, the pentester must know the attack vectors that should always be tried against an AD, and thanks to the methodology presented they will be able to do so.

Conclusions and possible future work

One of the main reasons why organisations that run services such as AD are attacked is that they do not have much knowledge or infrastructure in terms of security. This allows an attacker to hijack the service and demand money for it. By this I mean that most SMEs in the Spanish market are not aware of cybersecurity, which allows any attacker with some basic knowledge, such as that shown in this series, to compromise the systems of an organisation. Currently, cybercrime follows a business model in which criminals take full control of an organisation's systems and ask for money to "free" these resources. The vast majority of these attacks are based on the well-known ransomware families; this type of malware is usually executed through user interaction, and when adequate protection measures such as a good antivirus or firewalls are missing to contain the spread of the malware, the attacker can take full control of the network.

On the other hand, in terms of cybersecurity knowledge, many of the system administrators who manage enterprise environments have not been specifically trained in cybersecurity, so the knowledge they have acquired is very general. This means that after different environments are deployed, the appropriate security measures to prevent attacks by cybercriminals are not implemented. There is a widespread misconception that one will never be targeted by a cybercriminal, when in fact such people work for organisations that seek only their own profit, regardless of whether the target is large or small.

I would also like to comment that, although user awareness of cybersecurity is currently quite "poor", great efforts are being made by different agencies, such as INCIBE or Hack By Security, to provide employee-oriented security courses, which will allow a user to think twice before interacting with malware.

As we have seen, the attacker often does not need advanced scripts or improved tools: configuration flaws or incorrectly established defences alone are enough to carry out the attack and obtain high privileges within a network, although this is not considered something simple.

This project has presented an effective methodology for assessing the security measures in place in an AD, analysing the most common vulnerabilities and exploiting them in detail, allowing a pentester to know precisely the next step in their work.

This work has presented several challenges, from the continuous failure of the platforms to the actual understanding of the protocols used in order to breach them. However, the main challenge encountered, under this main objective, has been to follow the current pentesting procedure accurately, as this methodology has been practised for a long time and is the usual one in pentesting environments; if this procedure were not followed, a valid security standard would be modified, so we have tried to avoid altering it excessively, in order to detail this work process as much as possible so that it can be used to carry out penetration tests on other services.

The basic concepts of pentesting and cybersecurity were explained; it was also possible to install a virtualisation solution and configure it properly; the tools and techniques for AD pentesting were studied, as well as the tools and techniques for elevating privileges in AD. On the other hand, the definition of persistence in different environments was explained, post-exploitation tools in computer systems were studied and executed, and finally, defence techniques against different attack vectors were studied. The only objective that could not be fulfilled was the presentation of tools for the deployment of platforms to be breached, since, due to problems in the tools, it was not possible to use them.

As the main design platform, Detection-Lab, could not be deployed, the configuration and deployment of the AD was developed more superficially, since the VMs were already deployed and configured. However, this has allowed us to manage and elaborate a more detailed platform, with the configurations and processes we wanted to develop; these changes in the deployment of the vulnerable AD platform had to be made in order to achieve its success.

With regard to the failures found in the first platform, after attempting to resolve the problems caused by the automatic updates of the machines, which prevented their correct configuration, we tried to introduce old releases without the expected result, and several issues were opened in the repository that maintains the tool so that it is aware of these failures.

In conclusion, a satisfactory result was obtained for the methodology to be used when attempting to breach an AD. The results are adequate, but not the expected ones, since, after the failure of the first deployment option, the development of the work and the main part devoted to the deployment had to be modified, changing the expected results.

Finally, some lines of exploration following the results of this work could be attacking the AD with Windows Defender active, using tools such as Invoke-SharpLoader, which decrypts and loads a sample in memory, or Salsa Tools, which is used to evade the latest detection techniques (AMSI, the Antimalware Scan Interface). On the other hand, more ambitious results could be sought with a more advanced configuration of the platform, including new users or security teams.


I hope you have enjoyed this series of posts and see you in the next ones.

Best regards.

This post is licensed under CC BY 4.0 by the author.