Hacking and exploiting Active Directory Permissions

Share this…

Hacking and exploiting Active Directory Permissions

PowerView is a PowerShell tool to achieve network information on Windows domains for cyber security services and ethical hacking training professionals. It implements diverse practical meta-functions, including some user-hunting functions which will discover where in the network explicit users are logged in. It can also find which machines in the domain network the user has local administrator access. It also includes a number of functions for the enumeration and abuse of domain trusts. You can easily find function descriptions for suitable usage and accessible options mentions ethical hacking training professor.

It also includes a set of PowerShell replacements for diverse windows “net *” commands, which employ PowerShell AD hooks and essential Win32 API functions to execute useful Windows domain functionality as per cyber security services researchers. To run on a machine, start PowerShell with “powershell -exec bypass” and then load the PowerView component with: PS> Import-Module .\powerview.psm1 or load the PowerView script by itself: PS> Import-Module .\powerview.ps1

For comprehensive output of original functionality, add the -Debug flag to the functions. For functions that enumerate several machines, add the -Verbose flag to obtain a progress status as each host is enumerated. Most of the “meta” functions acknowledge an array of hosts.

How to use PowerView to exploit Active directory

AdminSDHolder is a unique Active Directory object positioned at “CN=AdminSDHolder,CN=System,DC=domain,DC=com“. The declared intention of this object is to protect certain privileged accounts from unintentional alteration.  Every one hour, a unique process called SDProp recursively enumerates association for a specific set of protected groups, revises the access control lists for all accounts found, and clones the ACLs of the AdminSDHolder object to any protected objects with a different ACL mentions ethical hacking training professor. If we alter the permissions of AdminSDHolder, that permission template will be removed from all protected accounts automatically by SDProp. So we can add an unprivileged user even with no group membership to the ACL of AdminSDHolder, and have a backdoor mechanism implemented that allow us to alter the membership of groups like Domain and network admin.

Any account/group which is or was a part of a protected group has their AdminCount property set to 1, even if the object is not any more in that protected group. With PowerView, we can effortlessly enumerate all users and groups with AdminCount=1 with Get-UserUser -AdminCount and Get-NetGroup -AdminCount, respectively. Thus it lets us speedily find all high value accounts, even if those accounts are not a part of a protected group. With Invoke-UserHunter we can use AdminCount flag, to effortlessly hunt for all high valued users in the domain.

Active Directory access rights are a somewhat unexplored area from an offensive cyber security perspective. Network admins should start auditing and monitoring the access rights of all privileged domain objects, particularly the domain root and AdminSDHolder. You can this manually, through PowerView’s Get-ObjectACL, or through help of cyber security services and ethical hacking training professionals.