Question


21. What is a Domain Controller, what purpose does it serve in an enterprise environment, what software/hardware combination does it run on, and why would an attacker be interested in compromising a Domain Controller? Additionally, what is the name of the file that stores the user credentials and associations and where is it located on the system? What ways could an attack acquire the file or its content and what dependencies, tools, and techniques would be required?
22. Kerberos is the primary system used for authorization and authentication in Windows Domains. Explain how Kerberos works, which information security services does it provide, and any limitations/security considerations/vulnerabilities associated with Kerberos, the way it issues tickets, or the tickets themselves that an attacker could exploit? Provide the names of the different types of attacks and a short explanation of how they work and what the attacker achieves by performing them.
23. Explain how a user’s password is stored on a local Windows system, how it is stored on a domain, the location for both, and then the authentication process for each to log a user onto the system. If an attacker is able to acquire the stored passwords, identify what an attacker would need to do to use them to move laterally in the network. Provide the specific name for each of the two attacks.
24. Explain the role of Group Policy, how it works, what purpose it serves in an enterprise environment, and why we would want to use it. Assuming we wanted to push an update to the client machines on a network immediately, explain the process for doing so using Group Policy on both the server and client machines.

Solutions

Expert Solution

21.) A Domain Controller is a server that responds to security authentication requests within a Windows Server domain. It is a Windows server that is responsible for allowing hosts access to Windows domain resources. We can consider it as a gatekeeper for user authentication and authorization. You require a PC with the Windows Server operating system running on it, or it can also be run in a virtual machine. The Domain Controller holds the data that determines and validates access to your network, including any group policies and all computer names. Everything an attacker could possibly need to cause massive damage to your data and network is on the DC, which makes it a primary target. When you store credentials on a Windows computer, they are stored in C:\Users\UserName\AppData\Roaming\Microsoft\Credentials. The files that store the credentials are encrypted. However, when credentials are entered as Windows Credentials, they are also stored in C:\Users\UserName\AppData\Local\Microsoft\Vault.

The attacker can steal Windows login credentials by abusing the Server Message Block (SMB) protocol, by accessing shared folders, or by exploiting a Microsoft Outlook flaw. Attackers also use tools like Mimikatz and Metasploit to obtain the credentials.

22) Rather than authentication occurring between each client machine and each server, Kerberos uses symmetric encryption and a trusted third party — known as the Key Distribution Center or KDC — to authenticate users on a network to a suite of services on that network. Once authenticated, Kerberos stores a ticket specific to that session on the user's machine, and any kerberized service will look for this ticket rather than asking the user to authenticate using a password. The Kerberos system can be compromised any time a user on the network authenticates against a non-kerberized service by sending a password in plain text. Therefore the use of non-kerberized services should be discouraged. Such services include telnet and ftp. Use of other secure protocols such as SSH or SSL-secured services is acceptable.

  • Biggest loss: the assumption of a secure time system and the resolution of synchronization required. Could be fixed by a challenge-response protocol during the auth handshake.
  • Password guessing: no authentication is required to request a ticket, hence an attacker can gather the equivalent of /etc/passwd by requesting many tickets. Could be fixed by D-H key exchange.
  • Chosen plaintext: in CBC, the prefix of encryption is encryption of a prefix, so an attacker can disassemble messages and use just part of a message. (Is this true for PCBC?) Doesn't work in Kerberos IV, since the data block begins with a length byte and a string, destroying the prefix attack.
  • Limitation: Not a host-to-host protocol. (Kerberos 5 is user-to-user; Kerberos 4 is only user-to-server)

Different types of attacks are:

  • Kerberos brute-force
  • ASREPRoast
  • Kerberoasting
  • Pass the key
  • Pass the ticket
  • Silver ticket
  • Golden ticket

These attacks are sorted by the privileges needed to perform them, in ascending order. Thus, to perform the first attacks only connectivity with the DC (Domain Controller) is required, which is the KDC (Key Distribution Center) for the AD (Active Directory) network. Whereas, the last attack requires a user being a Domain Administrator or having similar privileges.

Furthermore, each attack will be introduced from the pentesting perspective of 2 common scenarios:

  • Linux machine: A computer external to the domain, owned by the auditor (Kali in this case), but with network connectivity to the DC (directly, VPN, Socks, does not really matter). It must be taken into account that the local time of the machine has to be synchronized with the DC.
  • Windows machine: A compromised Windows machine in the domain, with a domain account if needed but with no administrator privileges, neither local nor domain.
  • The Golden Ticket: It is the Kerberos authentication token for the KRBTGT account, a special hidden account with the job of encrypting all the authentication tokens for the DC. That Golden Ticket can then be used with a pass-the-hash technique to log into any account, allowing attackers to move around unnoticed inside the network.

23) Passwords are hashed and stored in the Windows SAM file (Security Account Manager file). The file is located on your system in the path C:\Windows\System32\Config. Domain account passwords are stored in AD and are authenticated by DCs.

After a user provides built-in Windows user account information, the data is transmitted to the web server. Once IIS receives the authentication data, it attempts to authenticate the user with the corresponding Windows account. This password is encoded using Base64 and sent to the server. It is important to note that Base64 encoding is not encryption. So the drawback of this mechanism is that the user name and password are sent in clear text (unencrypted) during communication. Unlike Basic Authentication, the user name and password are not transmitted in cleartext. Instead, a cryptographically secure hash of this information is sent.

There are different methods for an attacker to acquire hashed passwords:

  1) Boot your target machine to an alternate OS like NTFSDOS or Linux and just copy the SAM from the %systemroot%\system32\config folder.
  2) Get the file by using pwdump2. It uses DLL injection in order to use the system account to view and get the credentials from the registry, and stores them in a handy text file that you can use.

Attackers need password cracking tools to crack the passwords. They can also use some websites to convert hashed credentials to a simple text file.

24) Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. Group Policy objects are applied in a hierarchical manner, and often multiple Group Policy objects are combined together to form the effective policy. Local Group Policy objects are applied first, followed by site level, domain level, and organizational unit level Group Policy objects.

In part, controls what users can and cannot do on a computer system: for example, to enforce a password complexity policy that prevents users from choosing an overly simple password, to allow or prevent unidentified users from remote computers to connect to a network share, to block access to them or to restrict access to certain folders. A set of such configurations is called a Group Policy Object (GPO).

As part of Microsoft's IntelliMirror technologies, Group Policy aims to reduce the cost of supporting users. IntelliMirror technologies relate to the management of disconnected machines or roaming users and include roaming user profiles, folder redirection, and offline files.

This step-by-step article describes how to use Group Policy to automatically distribute programs to client computers or users. You can use Group Policy to distribute computer programs by using the following methods:

  • Assigning Software
    You can assign a program distribution to users or computers. If you assign the program to a user, it is installed when the user logs on to the computer. When the user first runs the program, the installation is completed. If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is completed.
  • Publishing Software
    You can publish a program distribution to users. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialogue box, and it can be installed from there.
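Added example, not part of the answer above: defender-side detection logic for two of the Kerberos attacks named in answer 22, Kerberoasting (a burst of RC4-encrypted service ticket requests, event 4769 with encryption type 0x17) and ASREPRoast (TGT requests for accounts that do not require pre-authentication, event 4768 with pre-authentication type 0). The event records are constructed for illustration; the field names and values are assumptions modelled on the Windows Security log, not captured output.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on Windows Security events 4769
# (service ticket requested) and 4768 (TGT requested). Synthetic, not real.
SAMPLE_EVENTS = [
    "EventID=4769 Account=alice@CORP.LOCAL Service=MSSQLSvc/db01 TicketEncryptionType=0x12 ClientAddress=10.0.0.5",
    "EventID=4769 Account=alice@CORP.LOCAL Service=HTTP/web01 TicketEncryptionType=0x17 ClientAddress=10.0.0.5",
    "EventID=4769 Account=alice@CORP.LOCAL Service=MSSQLSvc/db02 TicketEncryptionType=0x17 ClientAddress=10.0.0.5",
    "EventID=4769 Account=alice@CORP.LOCAL Service=CIFS/fs01 TicketEncryptionType=0x17 ClientAddress=10.0.0.5",
    "EventID=4769 Account=bob@CORP.LOCAL Service=HOST/ws02 TicketEncryptionType=0x12 ClientAddress=10.0.0.9",
    "EventID=4768 Account=svc_backup@CORP.LOCAL PreAuthType=0 TicketEncryptionType=0x17 ClientAddress=10.0.0.5",
    "EventID=4768 Account=bob@CORP.LOCAL PreAuthType=2 TicketEncryptionType=0x12 ClientAddress=10.0.0.9",
]

RC4_ETYPE = "0x17"           # RC4-HMAC: the ticket is encrypted with the NT hash, hence crackable offline
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'key=value key=value' record into a dict."""
    return dict(FIELD.findall(line))


def find_kerberoast_candidates(events, threshold=3):
    """Return {client_address: [services]} for clients that requested
    RC4 service tickets for at least `threshold` distinct SPNs.
    A normal workstation rarely needs RC4 tickets for many services."""
    rc4_by_client = defaultdict(set)
    for e in map(parse_event, events):
        if e.get("EventID") == "4769" and e.get("TicketEncryptionType") == RC4_ETYPE:
            rc4_by_client[e["ClientAddress"]].add(e["Service"])
    return {c: sorted(s) for c, s in rc4_by_client.items() if len(s) >= threshold}


def find_asrep_roast_candidates(events):
    """Return accounts whose TGT was issued without pre-authentication
    (PreAuthType 0); such accounts are the targets of ASREPRoast and should
    have 'Do not require Kerberos preauthentication' cleared."""
    return sorted(e["Account"] for e in map(parse_event, events)
                  if e.get("EventID") == "4768" and e.get("PreAuthType") == "0")


if __name__ == "__main__":
    print("Kerberoast candidates:", find_kerberoast_candidates(SAMPLE_EVENTS))
    print("ASREPRoast candidates:", find_asrep_roast_candidates(SAMPLE_EVENTS))
```

In production, the same logic would be fed by Security log exports from every DC, and the mitigation is to enforce AES on service accounts and to clear the no-preauth flag on user accounts.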
