Make it Harder for ATTACKERS! | TryHackMe - Active Directory Hardening

Captions
Hey everybody, welcome back to WireDogSec. I'm back with another video for you guys. Hopefully you're all having an awesome day today and ready to learn something. In today's video we're going to be covering this room called Active Directory Hardening, to learn basic concepts regarding Active Directory attacks and mitigation measures. Let's go ahead and hop into it. [Music]

All right y'all, as usual there's a lot of text to read through here, so I'm just going to skim through a lot of it, but be sure to pause the video or go and check out the room yourself and read the material all the way through.

All right, Task 1: Introduction. AD is widely used by almost every big organization to manage, control and govern a network of computers, servers and other devices. The room aims to teach basic concepts for hardening AD in line with cyber security best practices. Learning objectives: topics that we will cover in this room include secure authentication methods, securing hosts through group policies, implementing least privileged models, protection against known AD attacks, and a recovery plan for a post-compromise scenario. Prerequisites: be sure to check out these rooms beforehand if you haven't done so already, and then continue on with this room. Connect to the machine. All right, I'm already connected as you can see there, so we're going to continue on to Task 2.

Task 2 is Understanding General Active Directory Concepts. Domain: the domain acts as the core unit regarding the logical structure of Active Directory. It initially stores all the critical information about the objects that belong to the domain only. Domain controller: an Active Directory server that serves as the brain for a Windows Server domain. It supervises the entire network within the domain; it acts as a gatekeeper for users' authentication to IT resources. Got a little flowchart here that explains that: user tries to access the domain, first sends a request to the DC, the domain controller validates the request, grants access if valid, user then gets access, otherwise not. And as a defender, the domain controller is very important, right? So if that gets compromised the attacker has pretty much owned your network, and as a penetration tester you want to get to the domain controller, right, so you can own their entire network. So you want to protect this; this is like a golden goose egg pretty much.

Let's continue on. Trees and forests: it's got a little picture here. Trees: a tree is a set of domains. Forest: a forest is a set of trees. Let's go on here. Trees are responsible for sharing resources between the domains. Communication between the domains inside a tree is possible through either a one-way or two-way trust. When a domain is added to the tree, it becomes the offspring domain of that particular domain to which it is added, now a parent domain. Forests: when the sharing of the standard Global Catalog, directory schema, logical structure and directory configuration between the collections of trees is made successfully, it is called a forest. Communication between two forests becomes possible once a forest-level trust is created.

Right, and then it goes on to explain trust in Active Directory. It's basically a bridge of communication so you can talk to each other, right? When we say one domain trusts another in an AD network, it means its resources can be shared with another domain. Right, and then it says down here: the AD trusts are of two categories, which are classified based on their characteristics or their direction. And it's got another picture here: AD trust based on characteristics, transitive trust and non-transitive trust; and AD trust based on direction, one-way trust and two-way trust. And it goes on to explain even further here. AD trusts categorized based on characteristics are known as transitive and non-transitive trust. Transitive trust reflects a two-way relationship between domains: if there are three domains, domain A trusts domain B, and domain B has a transitive trust with domain C, consequently domain A will automatically trust domain C for sharing resources. Again, AD trusts are of two types when classified on the direction: one-way and two-way trust. You can access the AD trusts through the following: Server Manager, Tools, Active Directory Domains and Trusts. And it's got the picture here if you want to take a look at that.

Right, and it says Containers and Leaves: for those familiar, each network part is treated as an object in AD. Anything from resources, users, services or part of the network can be an object. The hierarchical structure of AD defines that an object may or may not contain other objects based on the scenario. When an object holds another object, it is termed a container; otherwise it's called a leaf object.

It says: what is the root domain in the attached machine? So let's go and check that out. We're going to take a look at that Server Manager and see if we can find it. Here we go, Server Manager just loading up, and let's see what it has for us. This machine is kind of slow today. Okay, looks like we're finally getting somewhere, and it wants us to go to Tools here. I'm going to go to Active Directory Domains and Trusts; we got it right there. Okay, as soon as this loads up. As I stated before, the domain controller is very important, right? If that gets compromised then your network gets owned; the attacker can do pretty much whatever they want. They can get in there and start dumping all the usernames and passwords from the AD and then get to cracking them offline, et cetera, et cetera. And that's going to be this: tryhackme.loc looks like the root domain here, so we're going to type that in there and it should be correct. tryhackme.loc, bam, okay.

Let's continue on here. Securing... let's go back up. Securing Authentication Methods, Task 3. In this task we will briefly learn various security authentication methods that can be used for secure communication and ensuring data integrity from one machine to another in an Active Directory environment. We will use the built-in Microsoft tool Group Policy Management Editor, available in the attached AD machine, to configure various security policies. The instructions to access the tool are below.

And it talks about LAN Manager hashes. The user account password for Windows isn't stored in clear text; instead, it stores passwords with two types of hash representation. When the password for any user is changed and set with fewer than 15 characters, both the LM hash (LAN Manager hash) and the NT hash (Windows NT hash) are generated by Windows and can be stored in AD. The LM hash is relatively weaker than NT and is prone to a fast brute-force attack. The best recommendation is to prevent Windows from storing the password's LM hash. You can access it through the following. All right, so we're going to go through here and then take a look. But yes, as I said, you want to get rid of that; you want to go in and disable those LAN Manager hashes. They're just garbage, right? You can crack them quickly these days with just a computer you can buy at Walmart. I mean, it's crazy. All right, let's continue on here. It's got a little screenshot of where to go to, right, so GPO editor; you can see it there, or you can do it yourself on your machine.

SMB signing. SMB stands for Server Message Block. Generally, Microsoft-based networks utilize this protocol for file and print communication. Moreover, it allows secure transmission over the network. Configuring SMB signing through group policy is crucial to detect man-in-the-middle attacks that may result in modification of SMB traffic in transit. SMB signing ensures the integrity of data for both client and server. All supported Windows versions have an SMB packet signing option. And yes, you would want to enable this as well on your network; that's the best practice. Sometimes, well, I've heard stories that sometimes if you enable SMB signing some older technologies may or may not work, so be sure to properly test everything in here before implementing it in a production environment. You know, just have a test group of computers or something like that and then go forward with that.

LDAP signing. Lightweight Directory Access Protocol (LDAP) enables locating and authenticating resources on the network. Hackers may introduce relay, or sorry, replay or man-in-the-middle attacks to launch custom LDAP requests. Therefore LDAP signing is a Simple Authentication and Security Layer (SASL) property that only accepts signed LDAP requests and ignores other requests (plain text or non-SSL). We can enable LDAP signing through the following; it tells you how to do it here through GPO. As you can see, you can do all kinds of stuff with GPO. If you're managing an entire network of computers, right, you don't want to just go to each and every computer and start enabling these different settings. Why do that? We just do it through GPO, right? It's a lot easier. Anyway, continue on. And that's true: a lot of times when it comes to pen tests, they'll use like relay attacks, right, and then end up compromising an account or your entire network or something like that.

Continue on here. It's going to talk about password rotation. Active Directory password security is critical to address because of security breaches in past reviews; it becomes challenging for any organization to reset accounts or update them everywhere, so they prefer not to do it. The scenario could have a few alternative approaches, and each method has pros and cons. First, you need to create a script to update passwords automatically and schedule tasks with the help of PowerShell. Second technique: add an MFA solution to AD and choose not to change the password often. Third technique: Microsoft provides a solution for service account password rotation through group Managed Service Accounts, which resets the passwords after every 30 days. You can learn more about it here. So be sure to check these out if you haven't done so already, right? You might come across this in your career.

And password policies. Attackers use various corporate password compromise techniques, including brute force, dictionary, password spraying, credential attacks, etc. All organizations must have a strict policy to defend against all such attacks. Password policies mean different rules for creating passwords, and yada yada; you can read the rest there. And GPO: it tells you how to do it and shows you a little screenshot of what it looks like. And that's absolutely true: you want to use best practices when it comes to a password. Like it says from NIST, the latest NIST documentation says the longer the password is, the stronger it will be, right? So they don't have to really be nearly as complex as past guidance was, right, as long as the password is long. I recommend at least, you know, 15 or 16 characters minimum, right? So that's going to take a long time to compromise if they're using best practices when creating passwords. And of course you want to use MFA wherever possible, right? That's another security measure in place that will slow down attackers or even prevent them from getting access to your network.

Understanding password policy settings. Enforce password history: prevent at least 10 to 15 old passwords from being set as new ones. Minimum password length: it says 10 to 14 characters long; like I said, I recommend at least 15 to 16 characters minimum. Complexity requirements: must not contain the name of the user's account; ensure the password has uppercase letters, lowercase letters, digits or special characters. Like I said, the most important thing here is length, right? You want the password to be as long as the user can remember, and then maybe throw in a couple of digits or special characters.

It says: change the group policy setting in the VM so that it does not store the LAN Manager hash on the next password change. What is the default minimum password length (number of characters) in the attached machine? So be sure to pause the video and go ahead and answer these questions and then come back to the video once you're done.

Continuing on with Task 3 here, and these are the correct answers to the questions below, right? It's going to be 7 for "what is the default minimum password length (number of characters) in the attached VM", right? We can open up Group Policy Management, right, and you're going to go down to Group Policy Objects, Default Domain Policy. You can go through and scroll down to get to this section here, and there's Security Settings / Account Policy / Password Policy, and you can see that here: minimum password length, 7 characters.

Now let's continue on to Task 4, Implementing Least Privileged Model. Implementing the least privileged model requires limiting the user or application access to minimize security risk and attack surfaces. When the application or the users are allowed to operate with administrative privileges, they're granted complete access to modify, alter, create other resources on the system and perform any action with administrative rights. Contrary to this, the least privileged model grants limited and authorized access per current conditions. Advantages of implementing the least privileged model: prevent malware spread, minimize cyber attack chances, improve productivity, demonstrate compliance, aid with data classification. This is another important concept here, so make sure you understand the least privileged model; I'm sure you'll come across it in your career.

Creating the right type of accounts. Implementing the least privilege model requires setting up different account types for diverse purposes. It includes the following account types: user accounts, privileged accounts, shared accounts. So be sure to read through these and understand the differences between them.

Role-based access control on hosts. As a sysadmin, it is of utmost importance to grant rights to resources while keeping the principle of least privilege in mind, which states that, per Wikipedia, the principle of minimum privilege or the principle of least authority requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose. Role-based access control allows you to indicate access privilege at different levels, including DNS zone, server and resource record levels.

Tiered access model. The Active Directory Tiered Access Model (TAM) comprises plenty of technical tools that reduce the privilege escalation risk. It consists of a logical structure that separates Active Directory's assets by creating boundaries for security purposes. The primary goal is protection of AD's top-value identities. You've got tier 0, tier 1, tier 2, etc.; it goes on to explain those different ones. Tier 0: top level, all admin accounts, et cetera, et cetera. Tier 1: domain member application servers. Tier 2: end user devices, HR, sales staff, non-IT personnel. It's got a picture here for easy review.

Implementation of the tiered access model. The critical implementation of this model is based on the principle of prevention of privileged credentials from crossing boundaries, either accidentally or intentionally. Implementing technical controls via Group Policy Objects is crucial to avoid such scenarios. These GPOs put together the security rights that can deny access or grant permission. You can read more about the tiered, or yeah, the Enterprise Access Model (EAM) here, so be sure to check that out if you're unfamiliar with it. Get some of that good knowledge in your head.

Auditing accounts. Account audits are a crucial task mainly carried out by setting up the correct account, assigning privileges and applying restrictions. Three audit types related to accounts must be done periodically: usage, privilege and change audits. It goes on to explain everything here. Usage audits allow monitoring of each account's specific task and validating their access rights; privilege, yada yada. So be sure to read through this and understand it.

And down to the questions here. Computers and printers must be added to tier 0, yay or nay? So if you don't remember what it was, be sure to go back up there and review. Suppose a vendor arrives at your facility for a two-week duration task; being a system administrator, you should create a high-privilege account for him, yay or nay? So be sure to answer these questions and come back to the video.

Back to business. The first question here: computers and printers must be added to tier 0. Well, that's going to be nay. Why do you need a computer or printer in tier 0? Tier 0 is pretty much God mode, right? That's for admins and such, as explained up above here: top level, and includes all admin accounts, domain controllers and groups. So there's no reason why those should be in there. And it says a vendor is going to be there for two weeks doing a task, and should you make them a high-privilege account, and that's going to be no. Why would vendors need to have that level of access, right? A lot of times you'll see conflicting viewpoints, or maybe the organization you're at or the organization that you're assessing doesn't follow all these best practices, right? Well, you're there to help them out; you're there to solve problems, right? You need to inform them that this is not the right way to do it and then give them recommendations on what the right way is.

Now let's continue on to Task 5 here, and this one is going to be about the Microsoft Security Compliance Toolkit. The Microsoft Security Compliance Toolkit (MSCT) is an official toolkit provided by Microsoft to implement and manage local and domain-level policies. You don't have to worry about complex policy syntaxes and scripts, as Microsoft will provide pre-developed security baselines per the end user environment. Sounds pretty nifty, right? So be sure to check that out. You can download it through this link here, and it says go to the Desktop scripts folder on the VM, so we're going to do that in a second.

Installing security baselines. It just goes through here and tells you how to install it, right? It's pretty easy: go in here, you're going to download it, it's like click-through, that's what it looked like, then you've got to run it with PowerShell here; you're going to run that PowerShell script. And then I'm going to go down to Policy Analyzer. One of the Security Compliance Toolkit's features is the Policy Analyzer, which allows comparison of group policies to quickly check inconsistencies, redundant settings and the alterations that need to be made between them. Consider a scenario where plenty of GPOs are applied at diverse levels; there will be conflicting and redundant settings and many more avenues that can be quickly resolved with the Policy Analyzer. So this sounds pretty freaking useful if you ask me, right? You go through and then launch this particular tool here; it'll go through and compare things and you can see what's jacked up in your environment, what needs to be fixed, right? And it tells you how to do it here: once you download it, run PolicyAnalyzer.exe to add and manage local and domain-level policies. Be careful while downloading security baselines, as they should only be downloaded from the official Microsoft store. That's correct: make sure you get it from here, not from Tom and Jerry's security website or whatever.

Answer the questions below. Find and open the Baseline-LocalInstall script in the PowerShell editor; can you find the flag? So we're going to do that here. Find and open the Merge-PolicyRules script in Policy Analyzer in the PowerShell editor; can you find the flag? So pause the video, be sure to do this on your own on this machine, and come back to the video.

For this first question here, it wants us to look at the Baseline-LocalInstall script, and that's going to be located in this Windows Server 2019 Security Baseline folder. I'm going to go to Local Script, and there's the script right there, and I already have it open inside of PowerShell ISE. For the next question we're going to locate that Merge-PolicyRules one in the Policy Analyzer folder, right? So you're going to go here and then we're going to open it up inside of ISE or any text editor that you choose. So let's go and take a look at this first one here. Once you scroll down you'll see the flag here, THM yada yada, and then for that Merge-PolicyRules, scroll down a little bit, you'll see it here. There you go.

Now let's continue on to Task 6. It says Protecting Against Known Attacks. If an intruder successfully gains domain admin access, you may consider that the game is over. No one is ready to disclose the company's confidential data or for financial loss. Before we discuss some known attacks, it is crucial to think like an attacker and develop a mindset wearing their shoes. Here are some already developed interesting rooms on THM to get you going through the possibilities and swath of attack vectors for an adversary. So be sure to check these out: you've got Zero Logon, Breaching AD, Exploiting AD and Post-Exploitation. These are awesome rooms, so I highly recommend checking these out if you haven't done so already.

Let's review a few methods for Active Directory protection against known attacks. Kerberoasting. Kerberoasting is a common and successful post-exploitation technique for attackers to get privileged access to AD. The attacker exploits the Kerberos Ticket Granting Service (TGS) to request an encrypted password, and then the attacker cracks it offline through various brute-force attacks. And I've done this before on exams and such like that, so be sure to read through this and understand it, or even create your own VM environment and try that out yourself and see.

Weak and easy-to-guess passwords. The easiest target for intruders to breach security is the weak and easy-to-guess old passwords. The best recommendation is to use strong passwords and avoid already known ones. A strong password consists of a combination of uppercase and lowercase letters, yada yada yada. You can learn more about password strength by clicking here, so be sure to check the link out. And it says we already have a report on this machine here, PassReport.png on the desktop, so we're going to take a look at that in a second.

Brute forcing Remote Desktop Protocol, that's RDP. The intruders or attackers use scanning tools to brute force the weak credentials. Once the brute force is successful, they quickly access the compromised systems and try to do privilege escalation along with a persistent foothold into the target's environment. The best recommendation is to never expose RDP without additional controls to the public internet. And that's absolutely true, but you see this all the time in the news. Just go ahead and Google RDP brute forcing attacks; you'll see a bunch of articles about this, right? Some organizations out there don't follow best practices and then they end up getting breached and they have that surprise Pikachu face, like, oh, what happened, how did this happen? Well, there you go.

Publicly accessible shares. During AD configuration, some shared folders are publicly accessible or left unauthenticated, providing an initial foothold for attackers for lateral movement. You can use the Get-SmbOpenFile cmdlet in PowerShell to look for any undesired share on the network and configure access accordingly. So that's very helpful; I didn't even know about this cmdlet, so be sure to check this cmdlet out in your environment and see if you have anything interesting that you find.

So your questions: does Kerberoasting utilize an offline attack scheme for cracking encrypted passwords, yay or nay? As per the generated report, how many users have the same password as Aaron dot to boot? So be sure to go through and answer these questions and then come back to the video.

Back to the questions. Does Kerberoasting utilize an offline attack scheme for cracking encrypted passwords? And yes, it does, because once you have that ticket you can go out there and you can crack it offline with like Hashcat or something like that, right? And it explains it up above here; if you read through here you can see that it says the attacker exploits the Kerberos Ticket Granting Service (TGS) to request an encrypted password, and then the attacker cracks it offline through various brute-force techniques, and they're difficult to attack, yada yada yada. Next question here is: as per the generated report, how many users have the same password as Aaron's? Well, let's go and take a look at that. All right, Aaron's entry is right here; it says number of accounts with same password, and that's going to be 186. That's quite a bit of accounts with the same password.

All right, so let's continue on to Task 7, and it says Windows Active Directory Hardening Cheat Sheet. Are you sure your AD is secure from all types of attacks? I believe we're done here, so I'm just going to close this out of split view. All right, hardening of an AD is a continuous process and demands collective efforts by system administrators and end users. There have been various system hardening standards, and we discussed a few of them in this room. Below is a quick summary of the hardening techniques that will enable securing and managing AD quickly, and it has a fancy little graphic here: Hardening Active Directory cheat sheet. It goes through and explains everything here, so be sure to review this.

This is simple, isn't it? The room was a basic introduction; we are planning to develop a few detailed AD hardening rooms to discuss in depth how to protect an AD through group policies and implement the least privileged model. Stay tuned. Awesome, so I'm looking forward to seeing more and more of this hardening of Active Directory, because as explained before, most organizations are using some form of AD, whether that be on-prem, in the cloud or a hybrid, you know, a combination of the two. So you may come across this in your career; more than likely you'll come across this in your career. So you need to understand these different types of attacks against Active Directory and how to defend against those attacks, how to properly secure Active Directory. You want to cause a big headache for the bad guys, you know; you don't want to make it easy for them to get in there, compromise your domain controller, get access to domain admins, enterprise admins, any other type of privileged accounts and just own your entire network, right? You want to do as much as you possibly can to secure your organization from attackers.

All right guys, if you enjoyed this video you know what to do: hit the subscribe button if you're new here, hit the like button, comment below your thoughts and opinions on the information shared, and have an awesome day. See you later.
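As an added example (not code from the video or the TryHackMe room), here is a read-only PowerShell audit of the settings the walkthrough covers: LM hash storage, SMB and LDAP signing, RDP Network Level Authentication, minimum password length, shares open to Everyone, and SPN-bearing user accounts whose passwords have not rotated in 30 days. It assumes it runs on a domain controller with the ActiveDirectory and SmbShare modules available; the registry paths are the ones the corresponding Group Policy settings write, and the 15-character floor is the presenter's recommendation rather than the room's 10-14.

```powershell
# Added audit script (hypothetical, not the room's own). Read-only: it reports
# drift from the hardening settings discussed, it does not change anything.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value means the policy was never applied
}

# Registry locations written by the GPO settings covered in Task 3 and Task 6.
$checks = @(
    @{ Name = 'LM hash storage disabled (NoLMHash)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'NoLMHash'; Expected = 1 },
    @{ Name = 'SMB server signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB client signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Key  = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'LDAP server signing required (2 = Require signing)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Key  = 'LDAPServerIntegrity'; Expected = 2 },
    @{ Name = 'RDP requires Network Level Authentication'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Key  = 'UserAuthentication'; Expected = 1 }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Key
    [pscustomobject]@{
        Check    = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Pass     = ($actual -eq $c.Expected)
    }
}

# Password policy: the room's VM defaults to 7 characters; 15 is the floor the
# presenter recommends, so anything shorter is flagged.
$pp = Get-ADDefaultDomainPasswordPolicy
$results += [pscustomobject]@{
    Check    = 'Minimum password length >= 15'
    Expected = 15
    Actual   = $pp.MinPasswordLength
    Pass     = ($pp.MinPasswordLength -ge 15)
}

$results | Format-Table -AutoSize

# Publicly accessible shares: any non-administrative share granting 'Everyone'
# a right is worth reviewing. Get-SmbShareAccess is used here; the video points
# at Get-SmbOpenFile for the same hunt.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name |
        Where-Object { $_.AccountName -eq 'Everyone' } |
        Select-Object Name, AccountName, AccessControlType, AccessRight
}

# Kerberoasting exposure: enabled user accounts carrying an SPN whose password
# has not rotated within the 30-day gMSA interval the room cites. gMSAs are
# computer-class objects, so they do not appear in this list.
$stale = (Get-Date).AddDays(-30)
Get-ADUser -Filter { ServicePrincipalName -like '*' -and Enabled -eq $true } `
           -Properties ServicePrincipalName, PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt $stale } |
    Select-Object SamAccountName, PasswordLastSet,
                  @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join '; ' } }
```

Rows with Pass = False map directly to the GPO locations the video walks through, which makes the output a handy checklist before and after applying the Default Domain Policy changes.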
Info
Channel: WireDogSec
Views: 1,298
Keywords: #wiredogsec, #infosec, #informationsecurity, #cybersecurity
Id: bWn5VSXnE2U
Length: 25min 34sec (1534 seconds)
Published: Fri Aug 04 2023