Blog

Informative, up-to-date and exciting – the Oneconsult Cybersecurity Blog.

Improve the Security of Your Own Active Directory (AD)
Georg Bube
Georg Bube
|
13.09.2023
(updated on: 09.09.2024)

The vast majority of companies nowadays use Windows and therefore Active Directory. The default settings are often designed for functionality rather than security. Also, when an environment has grown over the years, misconfigurations can easily creep in. In addition, weak passwords also compromise its security. All this can make it easy for attackers once initial access to the Active Directory is gained.

How can you protect yourself? Find such misconfigurations and weak passwords yourself with appropriate tools in your Active Directory before attackers do!

Die Sicherheit des eigenen Active Directory (AD) verbessern

Trust vs. Control: The Dilemma of Using Online Tools

If you want to examine your own infrastructure, you should have an offline backup of all relevant data – just in case. Besides, sooner or later you will face the question whether a tool or code from the internet is trustworthy and can be executed on the internal network. Trust is good, but control is better in this case. If, for example, the source code is available, a review can verify that only the promised functionality is included.

Presumably, defensive measures such as Microsoft Defender or PowerShell execution policies will interfere with the execution of appropriate tools and code. These should be temporarily deactivated in consultation with the system administrators for the self-audit of one’s own Active Directory.

Increasing the Security of Active Directory With Pingcastle

There are several tools, such as PingCastle and Purple Knight, that can help you identify misconfigurations and other vulnerabilities in your own Active Directory (AD). In the following, we will take a look at PingCastle as an example.

PingCastle is developed by Vincent Le Touc and has been available since 2017. It is licensed under both a proprietary license and the Non-Profit Open Software License 3.0 – so organizations can use PingCastle against their own AD environment for free. The current version of PingCastle is available for download from the website. A clear documentation of the various functionalities can also be found there.

PingCastle’s standard Healthcheck runs through relatively quickly, even in large, complex AD environments:

PS > .\PingCastle.exe --healthcheck --no-enum-limit

PingCastle delivers the results as an interactive HTML file and can be viewed in the web browser. The risk level of the scanned domain is given as a numerical value between 0 and 100, where 100 describes the highest risk level. The risk level is the maximum of the risk levels of the four indicators used by PingCastle: operations related to user and computer objects (Stale Objects), trust relationships between different Active Directories (Trusts), Privileged Accounts, and all security aspects that do not fit into any of the previous categories (Anomalies).

Healthcheck - Assessment of the Risk Level of the Domain and Individual Indicators
Figure 1: Healthcheck – Assessment of the Risk Level of the Domain and Individual Indicators

Below this is a tabular overview of the risks per indicator, the Risk Model. The color coding helps you with the prioritization. However, the risks should also be evaluated in the context of your own environment, which may result in changes in prioritization.

Risk Model - An Initial (Color-Coded) Overview of Detected Vulnerabilities
Figure 2: Risk Model – An Initial (Color-Coded) Overview of Detected Vulnerabilities

Clicking on individual entries in the table displays brief information about the risk, including a link to the raw data further down in the report. Below the Risk Model is the Maturity Level section, which lists the detected vulnerabilities. The vulnerabilities of the different maturity levels can be displayed by selecting the appropriate tab. Clicking on individual vulnerabilities in the list displays technical details of the vulnerability as well as recommended measures and links to further information.

Maturity Level - Listing of Detected Vulnerabilities Including Their Score (In Points)
Figure 3: Maturity Level – Listing of Detected Vulnerabilities Including Their Score (In Points)

Somewhat hidden in the control path analysis table, there are links that open analyses in the form of graphs. In these graphs, the relationships of various objects of the Active Directory are shown, and details about the relationships are displayed when hovering over the connection with the mouse.

Control Path Analysis - Graphs to Illustrate Relationships Between Ad Objects
Figure 4: Control Path Analysis – Graphs to Illustrate Relationships Between Ad Objects

These graphs can be used to identify possible attack paths that may lead to, for example, privilege escalation in the AD environment. They are similar to the graphs that can be generated with BloodHound. BloodHound is often used to look for potential attack paths in AD environments. An example of such attack paths are paths to the domain administrator’s account or other privileged user accounts.

Password Check With “Have I Been Pwned?”

A crucial building block for Active Directory security is strong passwords. You should not just look at highly privileged accounts – any device connected to the Active Directory can serve as a gateway for attackers. Strong passwords protect against various attacks such as kerberoasting, password spraying, and brute-force attacks on intercepted password hashes (this is the form in which passwords are stored). Recommendations on password policies for strong passwords can be found in our blog article “Passwords: Common Mistakes, Best Practices & Tips”. To check password security in your own Active Directory, password hashes can be checked against known password hashes from data leaks.

The Australian security expert Troy Hunt operates the services “Have I Been Pwned” and “Pwned Passwords”. The latter is a collection of known compromised passwords or rather their hashes. This treasure trove of data can be downloaded for offline use. The PwnedPasswordsDownloader has meanwhile become available for this purpose – it requires .NET 6.0. The PwnedPasswordsDownload can be installed via PowerShell as follows:

PS > dotnet tool install --global haveibeenpwned-downloader

If the package is not found, adding the following package source will help:

PS > dotnet nuget add source https://api.nuget.org/v3/index.json -n nuget.org

The password hashes (SHA1, NTLM) can then be downloaded and saved as a text file using the following commands:

PS > haveibeenpwned-downloader.exe pwnedpasswords_sha1.txt
PS > haveibeenpwned-downloader.exe -n pwnedpasswords_ntlm.txt

The download takes a while because the download works via the HTTP requests to an API. By summer 2023, both files are between 30 and 40 GBytes in size.

Password Check With DSInternals

The cmdlet “Test-PasswordQuality” of the framework DSInternals allows to check the passwords in the own Active Directory for leaked passwords. The installation of DSInternals via PowerShell works as follows:

# Enable TLS1.2 on older versions of Windows
PS > [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Download the NuGet package manager binary.
PS > Install-PackageProvider -Name NuGet -Force

# Install DSInternals
PS > Install-Module -Name DSInternals -Force

The “Test-PasswordQuality” cmdlet checks all AD passwords for weak entries, duplicates, default passwords or passwords that have not been set. The analysis can be performed online (DCSync) or offline (ntds.dit).

For the online option, the privileges of a domain administrator (or comparable) are required:

# Perform password quality test (DCSync)
PS > Get-ADReplAccount -All -Server DC -NamingContext "dc=windomain,dc=local" |
Test-PasswordQuality -WeakPasswordHashesFile E:\pwnedpasswords_ntlm.txt -
IncludeDisabledAccounts

Running the "Test-Passwordquality" Cmdlet
Figure 5: Running the “Test-Passwordquality” Cmdlet

For the offline option, a copy of the ntds.dit file must first be created, which contains the NT Hashes of the passwords. Since it is used continuously by the Active Directory, it is locked and cannot be copied in the conventional way. In the following, this is done via command line using a shadow copy:

C:\Windows\system32>vssadmin create shadow /for=C:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Successfully created shadow copy for 'C:\'
Shadow Copy ID: {e776fc8c-8b9d-424e-a558-11db177a56f4}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1I

C:\Windows\system32>copy

\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\tmp\ntds.dit
1 file(s) copied.

C:\Windows\system32>reg SAVE HKLM\SYSTEM C:\tmp\SYS
The operation completed successfully.

C:\Windows\system32>vssadmin delete shadows /shadow={e776fc8c-8b9d-424e-a558-11db177a56f4}
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Do you really want to delete 1 shadow copies (Y/N): [N]? y

Successfully deleted 1 shadow copies.

This also created a copy of the registry entry “HKLM/SYSTEM”, since this contains the boot key for decrypting the copied ntds.dit. The password check with the PowerShell cmdlet “Test-PasswordQuality” then works as follows:

PS > $key = Get-BootKey -SystemHivePath C:\tmp\SYS
PS > Get-ADDBAccount -All -BootKey $key -DBPath C:\tmp\ntds.dit | Test-PasswordQuality -
WeakPasswordHashesFile E:\pwnedpasswords_ntlm.txt

If the error message “The database is not in a clean state.” is returned, ntds.dit must be repaired first:

# Repairing ntds.dit in case the error message “The database is not in a clean state.” is returned
PS > ESENTUTL /p C:\tmp\ntds.dit /!10240 /8 /o

Conclusion

The tools presented here are a good way of identifying basic misconfigurations in Active Directory yourself. iX’s “Hacking Yourself” series of tutorials presents even more ways to take a close look at your own IT environment (published so far: external network, web applications, internal network). Simple misconfigurations and weak passwords can thus be easily dealt with.

To identify more complex vulnerabilities and attack vectors, we recommend a detailed penetration test by our experts.

Awareness training by the Cyber Security Academy on the handling of passwords can serve as a contribution to sustainably secure passwords. We are happy to help you with these and all other cyber security topics. We look forward to hearing from you:

Georg Bube

Author

Georg Bube is a Senior Penetration Tester at Oneconsult Deutschland AG. He is a Certified Red Team Operator (CRTO) und Offensive Security Certified Professional (OSCP).

Don’t miss anything! Subscribe to our free newsletter.

Your security is our top priority – our specialists provide you with professional support.

Availability Monday to Friday 8:00 a.m. – 6:00 p.m (exception: customers with SLA – please call the 24/7 IRR emergency number).

Private individuals please contact your trusted IT service provider or the local police station.

For more information about our DFIR services here:

QR_CSIRT_2022_EN@2x
Add CSIRT to contacts