
Active Directory Hardening - Recon & Initial Access

Mini-Module

Active Directory (AD) presents a vast attack surface and can be challenging to secure and control. Small changes can have a cascading effect, introducing further issues into the environment. Novel attacks are released periodically, taking advantage of vulnerabilities and abusing default configurations. This module covers remediating common AD findings uncovered during penetration tests and best practices for AD hardening and ongoing maintenance, logging, and detection.

Created by mrb3n

Medium Defensive

Summary

This module covers strategies for remediating flaws discovered in Active Directory environments during penetration tests related to unauthenticated recon/enumeration and initial access. We will cover legacy settings, misconfigurations, and hardening steps that are disabled by default, with the goal of preventing an unauthenticated attacker from being able to perform enumeration or gain an unprivileged or privileged foothold in the domain.

In this module, we will cover:

  • Remediating and hardening weaknesses used for recon and enumeration, and initial access
  • Initial access vectors via network traffic response spoofing
  • Post-response spoofing hardening considerations
  • Various other common initial access vectors in Active Directory
  • Hardening considerations for administrators
  • A hands-on skills assessment to remediate and validate flaws

This module is broken down into sections with accompanying hands-on exercises to practice each of the tools, tactics, and techniques we cover. The module includes several guided and non-guided labs to reinforce the techniques covered throughout.

As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many examples as possible to reinforce the concepts presented in each section further. You can do this in the Pwnbox in the interactive sections or on your virtual machine.

You can start and stop the module anytime and pick up where you left off. There is no time limit or "grading," but you must complete all the exercises and the skills assessments to receive the maximum number of cubes and have this module marked as complete in any chosen paths.

The module is classified as "Medium" but assumes a working knowledge of Active Directory, Windows and Linux command line, PowerShell, and an understanding of common security risks posed to Active Directory environments. Completing the Active Directory Enumeration & Attacks module will give you a leg up with a strong base in many of the vulnerabilities and misconfigurations we will cover from the attacker's perspective.

A firm grasp of the following modules can be considered prerequisites for the successful completion of this module:

  • Introduction To Active Directory
  • Active Directory Enumeration & Attacks

Introduction & Scenario


Hardening Active Directory (AD), remediating findings from third-party penetration tests and internal assessments, applying patches for newly disclosed vulnerabilities, and performing ongoing security maintenance frequently fall to systems administrators, who are often simultaneously tasked with numerous operational duties. Active Directory is notoriously vulnerable: legacy configurations, abuse of built-in functionality, misconfigurations introduced during routine setup and configuration changes, and significant vulnerabilities with working public exploits all contribute. There is a lot to manage and unpack, a lot that can go wrong, and a change in one place can introduce a vulnerability in another. Dealing with Active Directory security in on-premises environments can feel like playing whack-a-mole or patching holes in a leaky boat only to have another leak spring up. Whatever the analogy, Active Directory security is not for the faint of heart. A firm grasp of the issues seen throughout the penetration testing cycle is imperative for maintaining a well-hardened environment that still supports day-to-day operations.

Every penetration test or compromise starts with reconnaissance/enumeration. By cleaning up issues that allow for unauthenticated AD enumeration, we can slow an attacker down, but we must also deal with flaws that allow an unauthenticated attacker to gain initial access. The more difficult it is for an attacker to enumerate the environment or gain initial access, the noisier they will have to become, which increases their chances of being caught. Ideally, however, no initial access vectors exist at all. We will focus on the most common flaws seen across enterprises of all sizes that are exploitable by an unauthenticated attacker who has gained internal network access.


Scenario

This module, and the others to follow in this path, will simulate a systems administrator at Wyrmwood Mining Co., a mining and logistics company that has just undergone its first internal penetration test. Until now, the focus has been on perimeter security with an annual external penetration test and quarterly vulnerability scans. Due to recent changes in IT leadership, including bringing in a more technical CISO, there is a renewed focus on internal network security, namely related to Active Directory and how far an attacker or malicious insider could go in the network.

For now, we will focus on findings discovered in the primary corporate HQ domain, wyrmwood.local, which is used by departments such as core IT, HR, finance, logistics, and the executive teams. There are additional child domains: ops.wyrmwood.local, used by field personnel, on-site operators, and some legacy equipment, and labs.wyrmwood.local, used by the R&D division, which is developing next-gen geological sensors, mineral detection algorithms, and drone automation for underground mapping. There is also an external forest trust between ops.wyrmwood.local and steelridge.industries, the domain of SteelRidge Industrial Solutions, a heavy equipment and maintenance contractor for remote mining operations. These will be evaluated in later modules.

The results of this first internal penetration test were expected but still sobering. The consultant uncovered many weaknesses that allowed for unauthenticated enumeration and an initial foothold in the domain. Multiple legacy configurations were in place that allowed for the enumeration of data, such as a complete list of AD users and the password policy. The consultant used these two key pieces of data for a successful password spraying attack. Various attack vectors were present for gaining initial access and kicking off attack chains that led to domain compromise. Some of these weaknesses include network traffic response spoofing attacks, coercion attacks, vulnerable applications and services, weak/default credentials, overly permissive file shares, and more.
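The spraying chain described above works because an attacker who has the user list and the password policy knows exactly how many guesses per account fit under the lockout threshold. As an added example that is not part of the module's own content, the following PowerShell reads the effective domain password policy and flags the settings that make spraying cheap. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the domain; the numeric baselines in the checks are this example's assumptions, not thresholds taken from the module.

```powershell
# Added example, not module content. Assumes RSAT ActiveDirectory module is installed
# and the session can read the domain (any authenticated domain user can).
Import-Module ActiveDirectory

function Test-DomainSprayExposure {
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    # Lockout threshold is the single setting that bounds password spraying.
    # 0 means accounts never lock out, so guesses per account are unlimited.
    if ($policy.LockoutThreshold -eq 0) {
        $findings += "LockoutThreshold is 0: accounts never lock out, spraying is unconstrained."
    }
    elseif ($policy.LockoutThreshold -gt 10) {   # assumed baseline: 10 or fewer
        $findings += "LockoutThreshold is $($policy.LockoutThreshold): several guesses per user per window."
    }

    # The observation window is how long the attacker must wait between rounds
    # before the bad-password counter resets. A short window makes rounds cheap.
    if ($policy.LockoutObservationWindow.TotalMinutes -lt 15) {   # assumed baseline: 15 min
        $findings += "LockoutObservationWindow is $($policy.LockoutObservationWindow.TotalMinutes) min: counter resets quickly."
    }

    # Short or non-complex passwords raise the hit rate of seasonal/common-word sprays.
    if ($policy.MinPasswordLength -lt 14) {   # assumed baseline: 14 characters
        $findings += "MinPasswordLength is $($policy.MinPasswordLength): short passwords are permitted."
    }
    if (-not $policy.ComplexityEnabled) {
        $findings += "ComplexityEnabled is false: trivial passwords are permitted."
    }

    # Fine-grained password policies (PSOs) override the default for the users/groups
    # they apply to, so a strict default can be undercut by a weak PSO.
    $psos = Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object Name, Precedence, LockoutThreshold, MinPasswordLength, AppliesTo
    foreach ($pso in $psos) {
        if ($pso.LockoutThreshold -eq 0) {
            $findings += "PSO '$($pso.Name)' sets LockoutThreshold 0 for: $($pso.AppliesTo -join ', ')"
        }
    }

    [pscustomobject]@{
        DefaultPolicy = $policy | Select-Object MinPasswordLength, ComplexityEnabled,
                            LockoutThreshold, LockoutObservationWindow, LockoutDuration, MaxPasswordAge
        FineGrained   = $psos
        Findings      = $findings
    }
}

$result = Test-DomainSprayExposure
$result.DefaultPolicy | Format-List
$result.FineGrained   | Format-Table -AutoSize
$result.Findings
```

Run it before and after applying a fix so that the "after" state is verified rather than assumed; the same read-only query an attacker uses to size a spray is the one that confirms the lockout threshold now constrains them.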


Module Layout

To provide a structured approach to learning how to address Active Directory security concerns, the module is divided into sections that will examine a specific issue, beginning with background context, followed by validation techniques, remediation procedures, and recommended hardening practices. The module will then conclude with a practical, hands-on skills assessment, where students will apply their knowledge to remediate a set of vulnerabilities and verify whether the applied fixes have resolved the issues effectively.

Note: Domain Admin credentials (htb-student user) are provided in sections 2-6 to follow along with the content and practice applying the fixes. We encourage you to practice each example while working through the sections to properly prepare for the Skills Assessment lab.
