Why your Active Directory is compromising penetration tests

Phone directory

Microsoft’s Active Directory (AD) is the most used enterprise system globally. The combination of Domain Controllers (DC) and Group Policies makes administering large numbers of users a simple process. The technology is good: strong authentication methods work seamlessly for users, promote productivity and keep the business rolling. So why do I end up compromising the AD on most penetration tests?

The good, the bad and the ugly

The attack surface of an Active Directory environment can, quite frankly, be huge: large numbers of users, servers, production machines, control systems, mail servers, certificate servers, and so on. With so many devices on a company network, all joined to Active Directory, a large attack surface seems to be an acceptable risk, right?

Well, the main weakness behind all the common attack methods is simple: old hardware, whether virtualised or on-premises. Maintaining older systems and running older operating systems is the primary enabler that opens up the internal attack surface. You could be running a brand new, fully patched DC, but if there are older systems on your network the DC is at risk. For me that means yet another opportunity to obtain Domain Admin rights; for the client it results in another report explaining the same attack chains.

The problem behind using older systems is simple and twofold. Firstly, the systems themselves will most likely have well-known and simple exploits available to hackers. These exploits tend to be what we call “point and shoot”, which normally means that when executed they give instant SYSTEM level privileges on the targeted system. This can then be leveraged to compromise domain credentials on that host, either by reading what is cached in memory or by waiting for a user (hopefully an admin) to log into it and capturing their credentials as they sign in. This gives a foothold from which to move laterally within the domain using valid credentials.
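The first step in dealing with this is knowing which legacy systems are still live in the domain. The following PowerShell report is an added example (not code from the original post or from norm.): it lists enabled, recently active computer objects whose operating system matches an assumed list of legacy names, using the ActiveDirectory RSAT module. The `$legacyPatterns` list and the 90-day activity window are assumptions to adjust for your estate.

```powershell
# Added example (not from the original post): inventory of enabled domain computers
# that have authenticated recently and run a legacy operating system.
# Requires the ActiveDirectory RSAT module and read access to the domain.

Import-Module ActiveDirectory

# Assumed set of OS name fragments treated as legacy; extend to match your estate.
$legacyPatterns = @(
    'Windows XP', 'Windows Vista', 'Windows 7', 'Windows 8',
    'Windows Server 2003', 'Windows Server 2008', 'Windows Server 2012'
)

function Get-LegacyDomainComputers {
    param(
        # Only report machines whose account logged on within this many days,
        # so stale objects do not drown out hosts that are actually on the wire.
        [int]$ActiveWithinDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$ActiveWithinDays)

    Get-ADComputer -Filter 'Enabled -eq $true' `
        -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
        Where-Object {
            $computer = $_
            $os = $computer.OperatingSystem
            $isLegacy = $os -and ($legacyPatterns | Where-Object { $os -like "*$_*" })
            $isActive = $computer.LastLogonDate -and $computer.LastLogonDate -ge $cutoff
            $isLegacy -and $isActive
        } |
        Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate, DistinguishedName
}

# Usage: a per-OS count first, then the full list for the remediation ticket.
$legacy = Get-LegacyDomainComputers -ActiveWithinDays 90
$legacy | Group-Object OperatingSystem | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
$legacy | Format-Table Name, OperatingSystem, LastLogonDate -AutoSize
```

LastLogonDate is replicated only approximately (it is derived from lastLogonTimestamp), so treat the window as a coarse filter rather than an exact audit; anything this report returns is a host the DC is still trusting and administering.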

The second problem with older systems is legacy protocols. In a nutshell, legacy protocols are the main attack surface leveraged on most penetration tests, and here’s why. Older operating systems may not be compatible with newer authentication methods or encryption, so when they are kept on a network with a new, fully patched DC, the DC that must administer them has to allow older, less secure protocols in order to communicate and authenticate users. If you have seen LLMNR/NetBIOS mentioned on your pen test reports, this is precisely why.

LLMNR is the most common of these and can be leveraged by pen testers on an internal network assessment. Realistically it no longer needs to run within the AD. I won’t bore you with the details of LLMNR, how it works, or the specific attack methods used; just know it isn’t required if you are using up-to-date operating systems.
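Turning LLMNR and NetBIOS over TCP/IP off is the corresponding fix. The script below is an added example (not code from the original post or from norm.) that audits the local host and, with `-Remediate`, disables both. It relies on the documented registry locations: the DNS client policy value `EnableMulticast` (the same setting that the Group Policy “Turn off multicast name resolution” under Computer Configuration > Administrative Templates > Network > DNS Client writes) and the per-interface `NetbiosOptions` value under the NetBT service. Run it elevated; domain-wide, apply the LLMNR setting through that GPO rather than per host.

```powershell
# Added example (not from the original post): audit and optionally disable
# LLMNR and NetBIOS over TCP/IP on the local machine. Run from an elevated shell.
[CmdletBinding()]
param(
    [switch]$Remediate
)

# LLMNR: EnableMulticast = 0 under the DNS client policy key turns it off.
$llmnrKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnrName = 'EnableMulticast'

function Get-LlmnrState {
    $value = Get-ItemProperty -Path $llmnrKey -Name $llmnrName -ErrorAction SilentlyContinue
    if ($null -eq $value) { return 'Enabled (no policy set; Windows default)' }
    if ($value.$llmnrName -eq 0) { return 'Disabled' }
    return "Enabled (policy value $($value.$llmnrName))"
}

function Disable-Llmnr {
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    New-ItemProperty -Path $llmnrKey -Name $llmnrName -PropertyType DWord -Value 0 -Force | Out-Null
}

# NetBIOS over TCP/IP is set per interface:
# NetbiosOptions 0 = follow DHCP, 1 = enabled, 2 = disabled.
$netbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-NetbiosState {
    Get-ChildItem -Path $netbtKey | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = $opt
            State          = $(switch ($opt) {
                                  2       { 'Disabled' }
                                  1       { 'Enabled' }
                                  default { 'Enabled (DHCP default)' }
                              })
        }
    }
}

function Disable-Netbios {
    Get-ChildItem -Path $netbtKey | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
    }
}

Write-Host "LLMNR: $(Get-LlmnrState)"
Get-NetbiosState | Format-Table -AutoSize

if ($Remediate) {
    Disable-Llmnr
    Disable-Netbios
    Write-Host "LLMNR after change: $(Get-LlmnrState)"
    Write-Host 'NetBIOS over TCP/IP set to disabled on all interfaces; changes apply after an adapter reset or reboot.'
}
```

Run it without `-Remediate` first to see the current state; the NetBIOS table shows one row per `Tcpip_{GUID}` interface subkey. Before rolling this out broadly, confirm that nothing still depends on NetBIOS name resolution (the older hosts from the first problem above are the usual suspects), since that dependency is exactly the downgrade the post describes.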

No bang for your buck?

In a word, yes. Older operating systems are one of the biggest risks to network security in enterprise AD environments. They are the weakest link because they do not support newer secure protocols, and they force a downgrade on your newer systems, negating the point of running that brand new and shiny, fully patched DC.

The flip side to this is that, from the perspective of a penetration tester like me, constantly seeing the same attack methods and leveraging them for DA can stifle the industry. Because we see them there, we must use them, as they are the realistic method an attacker would use to compromise the network. But this removes the time to experiment with other methods and to find new misconfigurations and vulnerabilities that would further enhance network security. Penetration tests instead become routine and repetitive. With clients not remediating the issues that come up almost every time, they are not receiving the best value from a penetration test, as the report is almost identical to the previous one.

Want to discover the vulnerabilities existing within your network? Get started by taking a look at norm.‘s Penetration Testing services.

Written by Gyles Saunders
Gyles is an experienced security professional and pen tester, having worked across multiple areas of the physical security and information security industries. He has a proven track record in the corporate intelligence and cyber security market and is integral to the Red Team’s service delivery at NormCyber. As well as implementing new processes and enhancements to the service itself, he also takes an active interest in onboarding and mentoring new team members.