Pentesting Active Directory and Windows-based Infrastructure

Book description

Enhance your skill set to pentest against real-world Microsoft infrastructure with hands-on exercises and by following attack/detect guidelines with OpSec considerations

Key Features

  • Find out how to attack real-life Microsoft infrastructure
  • Discover how to detect adversary activities and remediate your environment
  • Apply the knowledge you’ve gained by working on hands-on exercises
  • Purchase of the print or Kindle book includes a free PDF eBook

Book Description

This book teaches you the tactics and techniques used to attack a Windows-based environment, along with showing you how to detect malicious activities and remediate misconfigurations and vulnerabilities.

You’ll begin by deploying your lab, where every technique can be replicated. The chapters help you master every step of the attack kill chain and put new knowledge into practice. You’ll discover how to evade defense of common built-in security mechanisms, such as AMSI, AppLocker, and Sysmon; perform reconnaissance and discovery activities in the domain environment by using common protocols and tools; and harvest domain-wide credentials. You’ll also learn how to move laterally by blending into the environment’s traffic to stay under radar, escalate privileges inside the domain and across the forest, and achieve persistence at the domain level and on the domain controller. Every chapter discusses OpSec considerations for each technique, and you’ll apply this kill chain to perform the security assessment of other Microsoft products and services, such as Exchange, SQL Server, and SCCM.

By the end of this book, you'll be able to perform a full-fledged security assessment of the Microsoft environment, detect malicious activity in your network, and guide IT engineers on remediation steps to improve the security posture of the company.

What you will learn

  • Understand and adopt the Microsoft infrastructure kill chain methodology
  • Attack Windows services, such as Active Directory, Exchange, WSUS, SCCM, AD CS, and SQL Server
  • Disappear from the defender's eyesight by tampering with defensive capabilities
  • Upskill yourself in offensive OpSec to stay under the radar
  • Find out how to detect adversary activities in your Windows environment
  • Get to grips with the steps needed to remediate misconfigurations
  • Prepare yourself for real-life scenarios by getting hands-on experience with exercises

Who this book is for

This book is for pentesters and red teamers, security and IT engineers, as well as blue teamers and incident responders interested in Windows infrastructure security. The book is packed with practical examples, tooling, and attack-defense guidelines to help you assess and improve the security of your real-life environments. To get the most out of this book, you should have basic knowledge of Windows services and Active Directory.

Table of contents

  1. Pentesting Active Directory and Windows-based Infrastructure
  2. Contributors
  3. About the author
  4. About the reviewers
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Conventions used
    5. Get in touch
    6. Share Your Thoughts
    7. Download a free PDF copy of this book
  6. Chapter 1: Getting the Lab Ready and Attacking Exchange Server
    1. Technical requirements
    2. Lab architecture and deployment
    3. Active Directory kill chain
    4. Why we will not cover initial access and host-related topics
    5. Attacking Exchange Server
      1. User enumeration and password spraying
      2. Dumping and exfiltrating
      3. Zero2Hero exploits
      4. Gaining a foothold
    6. Summary
    7. Further reading
  7. Chapter 2: Defense Evasion
    1. Technical requirements
    2. AMSI, PowerShell CLM, and AppLocker
      1. Antimalware Scan Interface
      2. Way 1 – Error forcing
      3. Way 2 – Obfuscation
      4. Way 3 – Memory patch
      5. AppLocker and PowerShell CLM
    3. PowerShell Enhanced Logging and Sysmon
    4. Event Tracing for Windows (ETW)
    5. Summary
    6. References
    7. Further reading
  8. Chapter 3: Domain Reconnaissance and Discovery
    1. Technical requirements
    2. Enumeration using built-in capabilities
      1. PowerShell cmdlet
      2. WMI
      3. net.exe
      4. LDAP
    3. Enumeration tools
      1. SharpView/PowerView
      2. BloodHound
    4. Enumerating services and hunting for users
      1. SPN
      2. The file server
      3. User hunting
    5. Enumeration detection evasion
      1. Microsoft ATA
      2. Honey tokens
    6. Summary
    7. References
    8. Further reading
  9. Chapter 4: Credential Access in Domain
    1. Technical requirements
    2. Clear-text credentials in the domain
      1. Old, but still worth trying
      2. Password in the description field
      3. Password spray
    3. Capture the hash
    4. Forced authentication
      1. MS-RPRN abuse (PrinterBug)
      2. MS-EFSR abuse (PetitPotam)
      3. WebDAV abuse
      4. MS-FSRVP abuse (ShadowCoerce)
      5. MS-DFSNM abuse (DFSCoerce)
    5. Roasting the three-headed dog
      1. Kerberos 101
      2. ASREQRoast
      3. KRB_AS_REP roasting (ASREPRoast)
      4. Kerberoasting
    6. Automatic password management in the domain
      1. LAPS
      2. gMSA
    7. NTDS secrets
    8. DCSync
    9. Dumping user credentials in clear text via DPAPI
    10. Summary
    11. References
    12. Further reading
  10. Chapter 5: Lateral Movement in Domain and Across Forests
    1. Technical requirements
    2. Usage of administration protocols in the domain
      1. PSRemoting and JEA
      2. RDP
      3. Other protocols with Impacket
    3. Relaying the hash
    4. Pass-the-whatever
      1. Pass-the-hash
      2. Pass-the-key and overpass-the-hash
      3. Pass-the-ticket
    5. Kerberos delegation
      1. Unconstrained delegation
      2. Resource-based constrained delegation
      3. Constrained delegation
      4. Bronze Bit attack aka CVE-2020-17049
    6. Abusing trust for lateral movement
    7. Summary
    8. References
    9. Further reading
  11. Chapter 6: Domain Privilege Escalation
    1. Technical requirements
    2. Zero2Hero exploits
      1. MS14-068
      2. Zerologon (CVE-2020-1472)
      3. PrintNightmare (CVE-2021-1675 & CVE-2021-34527)
      4. sAMAccountName Spoofing and noPac (CVE-2021-42278/CVE-2021-42287)
      5. RemotePotato0
    3. ACL abuse
      1. Group
      2. Computer
      3. User
      4. DCSync
    4. Group Policy abuse
    5. Other privilege escalation vectors
      1. Built-in security groups
      2. DNSAdmins abuse (CVE-2021-40469)
      3. Child/parent domain escalation
      4. Privileged Access Management
    6. Summary
    7. References
    8. Further reading
  12. Chapter 7: Persistence on Domain Level
    1. Technical requirements
    2. Domain persistence
      1. Forged tickets
      2. A domain object’s ACL and attribute manipulations
      3. DCShadow
      4. Golden gMSA
    3. Domain controller persistence
      1. Skeleton Key
      2. A malicious SSP
      3. DSRM
      4. Security descriptor alteration
    4. Summary
    5. References
  13. Chapter 8: Abusing Active Directory Certificate Services
    1. Technical requirements
    2. PKI theory
    3. Certificate theft
      1. THEFT1 – Exporting certificates using the CryptoAPI
      2. THEFT2 – User certificate theft via DPAPI
      3. THEFT3 – Machine certificate theft via DPAPI
      4. THEFT4 – Harvest for certificate files
      5. THEFT5 – NTLM credential theft via PKINIT (nPAC-the-hash)
    4. Account persistence
      1. PERSIST1 – Active user credential theft via certificates
      2. PERSIST2 – Machine persistence via certificates
      3. PERSIST3 – Account persistence via certificate renewal
      4. Shadow credentials
    5. Domain privilege escalation
      1. Certifried (CVE-2022-26923)
      2. Template and extension misconfigurations
      3. Improper access controls
      4. CA misconfiguration
      5. Relay attacks
    6. Domain persistence
      1. DPERSIST1 – Forge certificates with stolen CA certificate
      2. DPERSIST2 – Trusting rogue CA certificates
      3. DPERSIST3 – Malicious misconfiguration
    7. Summary
    8. References
  14. Chapter 9: Compromising Microsoft SQL Server
    1. Technical requirements
    2. Introduction, discovery, and enumeration
      1. SQL Server introduction
      2. Discovery
      3. Brute force
      4. Database enumeration
    3. Privilege escalation
      1. Impersonation
      2. TRUSTWORTHY misconfiguration
      3. UNC path injection
      4. From a service account to SYSTEM
      5. From a local administrator to sysadmin
    4. OS command execution
      1. xp_cmdshell
      2. A custom extended stored procedure
      3. Custom CLR assemblies
      4. OLE automation procedures
      5. Agent jobs
      6. External scripts
    5. Lateral movement
      1. Shared service accounts
      2. Database links
    6. Persistence
      1. File and registry autoruns
      2. Startup stored procedures
      3. Malicious triggers
    7. Summary
    8. Further reading
  15. Chapter 10: Taking Over WSUS and SCCM
    1. Technical requirements
    2. Abusing WSUS
    3. Introduction to MECM/SCCM
      1. Deployment
    4. Reconnaissance
    5. Privilege escalation
      1. Client push authentication coercion
      2. Credential harvesting
    6. Lateral movement
      1. Client push authentication relay attack
      2. Site takeover
      3. Abuse of Microsoft SQL Server
      4. Deploying an application
    7. Defensive recommendations
    8. Summary
    9. References
    10. Further reading
  16. Index
    1. Why subscribe?
  17. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts
    3. Download a free PDF copy of this book

Product information

  • Title: Pentesting Active Directory and Windows-based Infrastructure
  • Author(s): Denis Isakov
  • Release date: November 2023
  • Publisher(s): Packt Publishing
  • ISBN: 9781804611364