Active Directory makes administration and information access in an organization fast and simple, but can also pose security risks. Over 90% of Fortune 500 companies use Active Directory, giving it the highest market share of any domain service by far. The proprietary system designed by Microsoft is often riddled with vulnerabilities that attackers can exploit. These attacks can be especially dangerous since the internal network will often be where the most sensitive information is stored.
Within Active Directory, or AD, internal domains can quickly get extremely complicated. This is a good thing and a bad thing. The ability for systems administrators to configure anything to their exact needs can make work within the company much simpler. The problem is that without the proper configurations, it can be easy for attackers to abuse normal AD features to get dangerous levels of access.
Abusing Intended Functionality
Hacking is often thought of as bad guys exploiting poorly written software to get access to information, but this is not always the case. When looking at an internal network, the most likely avenue of attack will be simple misconfigurations. Some intended features of AD can give attackers easy paths through the network. Blue Goat can help you identify these paths with an Internal Penetration Test.
A good example of this is the Kerberos protocol. Kerberos allows users to securely request access to certain resources in the domain. The previous implementation involved users passing their credentials across the domain, which could be intercepted by hackers. Kerberos solves this problem, but is still prone to problems of its own.
Kerberoasting is an attack that abuses the way that the Kerberos service handles requests to access network resources. Within Active Directory, any account can request access to network services, which involves asking for a Kerberos “ticket”. These tickets are encrypted with the password hash of service accounts in the domain. Since any user can request these tickets, any user can obtain data encrypted with the password hash of the associated accounts.
These hashes can then be cracked offline, which will give the attacker access to the service account. These accounts often have elevated privileges compared to normal accounts. This can give attackers easy ways to move higher up in the internal network. Kerberoasting is just one example of ways attackers can move through a domain.
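Because every ticket request is logged on the Domain Controller, defenders can look for this pattern. The sketch below is an added example, not code from the original article: it scans constructed Windows Event ID 4769 records (Kerberos service ticket requested) for one account asking for RC4-encrypted tickets to several user-backed services in a short burst. The window, threshold, account names and sample records are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # legacy etype whose key is the account's NT hash
WINDOW = timedelta(minutes=5)   # assumed tuning value
THRESHOLD = 3                   # distinct services per window (assumed)

# Constructed 4769 records: (time, requester, ServiceName, TicketEncryptionType, Status)
EVENTS = [
    ("2024-01-10T09:00:01", "alice@CORP.EXAMPLE", "svc-sql", "0x12", "0x0"),
    ("2024-01-10T09:02:10", "bob@CORP.EXAMPLE", "svc-sql", "0x17", "0x0"),
    ("2024-01-10T09:02:11", "bob@CORP.EXAMPLE", "svc-web", "0x17", "0x0"),
    ("2024-01-10T09:02:13", "bob@CORP.EXAMPLE", "svc-backup", "0x17", "0x0"),
    ("2024-01-10T09:02:14", "bob@CORP.EXAMPLE", "FILE01$", "0x17", "0x0"),
    ("2024-01-10T09:05:00", "carol@CORP.EXAMPLE", "svc-sql", "0x17", "0x0"),
    ("2024-01-10T10:05:00", "carol@CORP.EXAMPLE", "svc-web", "0x17", "0x0"),
    ("2024-01-10T11:05:00", "carol@CORP.EXAMPLE", "svc-backup", "0x17", "0x0"),
]

def parse(rows):
    for ts, user, service, etype, status in rows:
        yield {"time": datetime.fromisoformat(ts), "user": user.lower(),
               "service": service.lower(), "etype": etype.lower(), "status": status.lower()}

def is_candidate(ev):
    """Successful RC4 ticket for a user-backed service (not machine$ or krbtgt)."""
    return (ev["status"] == "0x0" and ev["etype"] == RC4_HMAC
            and not ev["service"].endswith("$") and ev["service"] != "krbtgt")

def find_roasting(rows, window=WINDOW, threshold=THRESHOLD):
    """Map each suspicious requester to the services it asked for in a burst."""
    by_user = defaultdict(list)
    for ev in filter(is_candidate, parse(rows)):
        by_user[ev["user"]].append(ev)
    alerts = defaultdict(set)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["time"] - evs[start]["time"] > window:
                start += 1          # slide the window forward
            services = {e["service"] for e in evs[start:end + 1]}
            if len(services) >= threshold:
                alerts[user] |= services
    return {user: sorted(s) for user, s in alerts.items()}

if __name__ == "__main__":
    for user, services in find_roasting(EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

In the sample, only the account that requests three service tickets within seconds is flagged; the same three requests spread over hours, the AES ticket and the machine-account ticket are not.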
In Active Directory, there is typically a machine called the Domain Controller that has absolute power over any resource in the domain. Accessing this machine, or accessing a user account that has administrative powers over that machine, is often the objective of attackers. This allows them access to pretty much anything stored on the domain, and often can allow them to branch off into other domains to further their reach.
AD can be a prime target for ransomware for this reason. Attackers that can compromise the Domain Controller can push out changes to any machine on the network. This can allow the malicious hackers to reach out across the internal network and push out encryption software to many machines at once, largely circumventing the need to individually compromise each machine on the network.
Active Directory will also often contain vast amounts of sensitive information about an organization. In the modern digital age, it is common for companies to keep massive amounts of data on their internal machines. Attackers being able to completely compromise the domain will give them unrestricted access to data stored on any connected machines.
The average data breach in 2023 cost 9.48 million USD (https://www.statista.com/statistics/273575/us-average-cost-incurred-by-a-data-breach/). A breach of sensitive data can not only cause massive financial damage to an organization but can also greatly weaken public trust. This makes it vital to harden internal networks and ensure the safety of sensitive information.
Test Your Active Directory Security with Blue Goat Cyber
Our team of skilled penetration testers uses cutting-edge techniques to fully test the security of your internal network. The complexity of Active Directory makes it difficult to properly secure, and even harder to secure while remaining simple and functional. At Blue Goat, we strive to work with our customers to find solutions that ensure security against cybercrime while reducing the impact on the normal business flow as much as possible. Contact us to find out more.