Movement
This is a work-in-progress
Below is a checklist to go through when conducting a pentest. Order is irrelevant and many tests require authenticated or admin access. This checklist answers "what to audit on AD?" rather than "how to pwn AD?". A mindmap is in the works for that matter
😉
.

NTLM configuration

  • Obsolete versions of this protocol (LM, LMv2 and NTLM(v1)) are disabled and NTLM (all versions) is disabled when possible. This allows to stay safe from NTLM relay, NTLM capture and cracking and pass-the-hash attacks.

Kerberos configuration

  • krbtgt's password has been changed in the last 6 months to prevent Golden Ticket persistence attacks. From UNIX-like systems, this can be checked with Impacket's Get-ADUsers.py script.
  • The RC4 etype is disabled for Kerberos to prevent overpass-the-hash and NTLMv1 capture and cracking to Silver Ticket attacks. This can be checked by attempting to obtain a TGT with an NT hash.
  • No account is configured with Do not require Kerberos Pre-Authentication allowing for ASREProast attacks, or make sure those account have strong password resistant to cracking.
  • User accounts that have at least one ServicePrincipalName, hence vulnerable to Kerberoast, have a strong password, resistant to cracking.​

Security patches

  • Domain Controllers are patched against ZeroLogon.
  • ​MS14-068 is patched, preventing forging of powerful Kerberos tickets.
  • ​PrivExchange patches are applied, protecting Exchange servers from authentication coercion attacks relying on the PushSubscription API, and ACE abuse attacks relying on the EXCHANGE WINDOWS PERMISSION group having WriteDacl permissions against the domain object allowing for DCSync.
  • Patches for NTLM tampering vulnerabilities (e.g. CVE-2019-1040, CVE-2019-1019, CVE-2019-1166) are applied to limit NTLM relay attacks.
  • Latest security patched are applied (e.g. for ProxyLogon, ProxyShell, PrintNightmare, ...).

Access Management (IAM/PAM)

  • Local administrators have a unique, random, complex and rotating password on every server/workstation (e.g. use of LAPS). This can be checked by dumping a local admin password or hash and attempting credential stuffing (i.e. trying to log in on other resources with that password/hash).
  • Strong password and lockout policies exist and are applied (complexity enabled, at least 12 chars, 16 for admins, must change every 6 months) and users know not to use simple and guessable passwords (e.g. password == username) limiting credential bruteforcing, guessing, stuffing and cracking attacks.
  • Tier Model is applied (administrative personnel have multiple accounts, one for each tier, with different passwords and security requirements for each one) and a "least requirement" policy is followed (i.e. service accounts don't have domain admin (or equivalent) privileges, ACEs are carefully set) limiting credential bruteforcing, guessing, stuffing and cracking attacks.
  • Sensitive network shares are not readable by all users. A "need to know" policy is followed, preventing data leak and other credential-based attacks.
  • No account is configured with Kerberos Unconstrained Delegation capabilities.
  • No computer account has admin privileges over another one. This limits NTLM relay attacks.

Credentials Management

Domain-level configuration and best-practices

  • The Machine Account Quota domain-level attribute is set to 0, preventing domain users from creating domain-joined computer accounts.
  • Default special groups are empty, limiting, among other things, out-of-box ACE abuses.

Networking, protocols and services

  • SMB is required when possible, especially on sensitive servers, preventing NTLM relay attacks.
  • LDAP signing is required on Domain Controllers, preventing NTLM relay attacks.
  • Extended Protection for Authentication (EPA) is required, especially for Domain Controllers supporting LDAPS, preventing NTLM relay attacks.
  • IPv6 is either fully configured and used or disabled, preventing DHCPv6 spoofing with DNS poisoning attacks.
  • ​LLMNR, NBT-NS and mDNS are disabled, preventing MITM attacks relying on those multicast/broadcast domain name resolution protocols.
  • WPAD is disabled, preventing WPAD spoofing.
  • A record exists in ADIDNS for the * (wildcard) preventing powerful ADIDNS poisoning attacks. Preferably, this is a TXT record.
  • The print spooler is disabled on Domain Controllers and sensitive servers to prevent the PrinterBug authentication coercion attack.
  • The WSUS server (if any) is configured with HTTPS, to prevent ARP poisoning with WSUS spoofing attacks.
  • Set-up packet filtering & inspection and enable port security on network switched to prevent ARP poisoning attacks and network secrets dumping.
  • Set-up VLANs, 802.1X, NAC (Network Access Control) to limit the attackers progress within the network.

Active Directory Certificate Services

​
​
⚒
Things to add
  • Use of physical tokens (U2F, access cards, ...)
  • Avoiding the use of plaintext protocols (limit ARP poisoning results)
  • Forest and domain trusts
  • sidfilter, sidhistory, etc.
​
Last modified 7d ago