Attacking and Defending Active Directory Part I

Introduction

Microsoft Active Directory is one of the most interesting services to attack: if the server is misconfigured, simply checking for that misconfiguration lets us enumerate a treasure trove of information such as domain users, administrative shares, password policies and much more.

In this series, I will be separating this into three parts. The first part will include the introduction of Active Directory and its components.

The second part will cover the different types of attacks against Active Directory and demonstrate how these attacks are executed.

And lastly, we’ll cover different approaches to defending Active Directory and reducing its attack surface.

What is Active Directory?

Active Directory or AD is a centralized Windows OS directory service that stores information about objects on the network and automates the management of user data, security, and distributed resources.

Active Directory Components

To give you an overview, Active Directory consists of the following components:

  • Domains
  • Forests
  • Sites
  • Domain Controllers
  • Organizational Units (OU)

Each of these components has its own purpose that enables Active Directory to function within an organization.

I will just summarize the meaning and function of each component, but you can read more about Active Directory in Microsoft’s official documentation.

Domains

Active Directory domains are where the users and computers are located. Each domain holds a database that contains the information of an object’s identity.

For example, I have an AD domain called internal.anotsodev.org. This domain contains all the information of users and computers joined in this domain.

Forests

Active Directory forests are the topmost logical containers of the hierarchy. The illustration below shows the organizational domain forest model of internal.anotsodev.org.

Sites

Active Directory Sites enable users to authenticate with the nearest domain controller and provide domain preference, either administrative or least privilege, to the currently logged-in user.

Sites are organized as one or more IP subnets based on the geographic location of the users joined to the domain.

Domain Controllers

Active Directory Domain Controllers handle authentication requests and verify whether users have access to domain resources. Domain users’ preferences and permissions are defined via group policy applied through the Domain Controller.

Organizational Unit (OU)

An organizational unit (OU) is a subdivision within an Active Directory into which you can place users, groups, computers, and other organizational units. You can create organizational units to mirror your organization’s functional or business structure. Each domain can implement its own organizational unit hierarchy. If your organization contains several domains, you can create organizational unit structures in each domain that are independent of the structures in the other domains.


So that ends the first part of the “Attacking and Defending Active Directory” series.

I will be posting the second part of this series, covering the actual attacks used against Active Directory, next week.

Stay tuned and be safe!


How to identify phishing emails

This blog post will help you identify phishing emails and learn which tools are used to check whether the sender and the links are legitimate.

The scenario in the next section walks through an example of a phishing email attack and its consequences.

So let’s say you have received an email that looks very similar to one from a service you use frequently. For example, from PayPal saying that someone logged in to your account, or from coins.ph (a digital wallet used in the Philippines) saying that you have an unclaimed reward because you and your friends are verified.

Since it has gotten your attention and you are convinced that you have a reward waiting to be claimed, you unknowingly ignore the red flags such as the sender’s email address and the inconsistencies in the email format. So you click the button and it redirects you to a familiar site, but with an unfamiliar URL. You enter your credentials and click the login button, but instead of prompting you for the authentication code from your 2FA device, it redirects you to the real site of the service you are using.

Now you are wondering, what happened? Let me tell you…

You just got phished!

The fake site where you entered your credentials has already gotten your login information. Your email address, your username, and password. Everything.

So if you are using similar credentials to other services, you are basically f’d up.

Now, to protect you and help you stay vigilant, take your time to read this post and familiarize yourself with the characteristics of an email that indicate it could be a phishing email.

This post will cover the basic approach to identify phishing emails.

Just to give you the overview, here’s the outline of this post.

  • Identify phishing emails by Internet Headers analysis and Email Reputation Lookup
  • Containment Approaches
  • Summary

Identify phishing emails by Internet Headers analysis and Email Reputation Lookup

In this section, you will learn how to analyze headers and identify the source IP of the sender or the relay server that they have used to send the phishing email.

We’ll be using this tool called MxToolbox. You may read the brief description from their site to learn more.

ABOUT EMAIL HEADERS

This tool will make email headers human readable by parsing them according to RFC 822. Email headers are present on every email you receive via the Internet and can provide valuable diagnostic information like hop delays, anti-spam results and more.
MxToolbox Email Header Analyzer

So before we use this tool, let’s first get the internet headers from the suspected phishing email. I will be using the internet headers of the email that was sent to my Protonmail address.

Coins.ph phishing email sent to Protonmail
Example email sent to Gmail

You may view the internet headers of your email on Protonmail by clicking the dropdown button then View Headers. On Gmail, click the ‘kebab’ (three vertical dots) button then Show original.

After clicking the View Headers or Show original button, copy all of the content, paste it into the email header analyzer tool, then click the Analyze Header button.

After you submit the internet headers for analysis, you’ll see this page which contains the summary of the analysis.

Header Analysis Summary

On this email, you may notice that the sender used Gmail to send his/her phishing email.

Since we know that Gmail IPs are reputable and not dangerous in themselves, let’s use the internet headers of another phishing email to demonstrate how to identify a dangerous sender’s source IP.

Email sent from blacklisted/spammer IP

So you may notice that the sender’s IP is 185.234.219.119. We can copy the IP address and check its reputation using open-source intelligence services such as Talos Intelligence by Cisco.

IP Reputation Lookup result

By using this tool, you can see details such as the location, reputation, owner, content, and blacklists that help you assess how dangerous the sender is.

Now, let’s move back to the MxToolbox analysis result to get more details about the email.

Headers Found

You may notice that the sender’s display name is not consistent with his/her email address. This hints that the email is not really legitimate.

Header names starting with “X-” are custom, proprietary headers set by relay servers or mail gateways.
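To show what an analyzer like MxToolbox does under the hood, here is an added Python example (not part of this post or of MxToolbox) that walks a constructed header block: it orders the Received hops to find the originating IP you would look up on a reputation service, flags a From display name that does not match the sender’s domain, and lists the X- headers. The headers and addresses in it are made up for the demonstration.

```python
import re
from email import policy
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample (not a real message): two Received hops, a display
# name unrelated to the sender's domain, and two X- headers. IPs are from
# the documentation ranges, so they belong to no real host.
SAMPLE_HEADERS = """\
Received: from mail-xx.relay.example (mail-xx.relay.example [203.0.113.45])
  by mx.protonmail.example (Postfix) with ESMTPS id ABC123
  for <victim@example.org>; Mon, 10 Aug 2020 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
  by mail-xx.relay.example with ESMTPA id XYZ789
  for <victim@example.org>; Mon, 10 Aug 2020 09:59:58 +0000
From: "Coins.ph Rewards" <promo-team@mail-giveaway.example>
To: victim@example.org
Subject: You have an unclaimed reward!
X-Mailer: PHPMailer 6.0
X-Spam-Status: Yes, score=7.2
"""

IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def parse_headers(raw):
    """Parse a raw header block (RFC 822 style) into a message object."""
    return HeaderParser(policy=policy.default).parsestr(raw)

def received_chain(msg):
    """Received hops oldest-first. Each server prepends its own Received
    line, so the last one in the block is the one closest to the origin."""
    return list(reversed(msg.get_all("Received", [])))

def origin_ip(msg):
    """First IPv4 literal of the earliest hop: the address to check on a
    reputation service such as Talos Intelligence."""
    chain = received_chain(msg)
    match = IPV4_RE.search(chain[0]) if chain else None
    return match.group(1) if match else None

def display_name_mismatch(msg):
    """Heuristic: the brand word in the display name does not appear in
    the sender's address domain (e.g. 'Coins.ph' vs mail-giveaway.example)."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower().replace(".", "")
    brand = re.sub(r"[^a-z0-9]", "", name.lower().split()[0]) if name else ""
    return bool(brand) and brand not in domain

def custom_headers(msg):
    """X- headers are set by relays/gateways and are not proof of anything."""
    return {k: v for k, v in msg.items() if k.lower().startswith("x-")}
```

For a real message, paste the copied headers into SAMPLE_HEADERS and look up the returned origin IP the same way the post does with 185.234.219.119.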

Let’s now move on to the next section, which is the containment approaches if you unknowingly entered your credentials to the phishing site.

Containment Approaches

Let’s say you entered your credentials on the phishing site and it redirected you to the official site, and you kept wondering why it did not prompt you for your 2FA code. You checked the email again and saw that the sender’s details are inconsistent, and you realized that you had entered your credentials on a phishing site; you did not notice the URL because you were using your phone when you clicked the link embedded in the email.

So what should you do about this incident?

These are the steps that you MUST take to contain the incident and prevent the attacker from abusing your credentials:

  1. Install a password manager (1Password, Enpass, or Bitwarden), generate a hard-to-guess password, then change your password immediately
  2. Log out of all sessions of your account
  3. If you are using similar login details on other services, change their passwords immediately
  4. Install antivirus software and run a full scan in case malicious executables were downloaded to your device
  5. Delete the email from your inbox

After doing these steps, you have ensured that your account is safe again and won’t be abused by the attacker.

Summary

Just to summarize the topics that I’ve discussed here, we tackled how to spot phishing emails by checking the internet headers and using tools such as MxToolbox and Talos Intelligence to aid us with our analysis. Lastly, we tackled the necessary steps in securing your account again after being a victim of phishing.

So that’s it! I hope you have learned about new technologies and tools by reading this blog post. I will be posting more guides and tutorials again soon whenever I have time.

May the force be with you.

Featured Image created by katemangostar – www.freepik.com