Hacking

Ok, you need to do some AD security auditing or security testing/exploitation, great. Let's look at some of the common misconfigurations and some tools to help you. A list of things will obviously not be the answer: you will need a method and process to go through from recon/enumeration through to exploitation and impact (effects), but that's what Google is for (and CTFs/labs)! This post is just me jotting down some notes; hopefully they help defenders think about improving their posture.

Common Misconfigurations

  1. Anonymous (NULL) bind to LDAP allowed
  2. Weak passwords
  3. Passwords in scripts
  4. Users have local administrator access
  5. Standard users can join machines to the domain (ms-DS-MachineAccountQuota left at its default of 10)
  6. Passwords in Group Policy (Group Policy Preferences cpassword)
  7. Insecure Group Policy permissions
  8. Vulnerable to Kerberoasting (user accounts with SPNs and weak passwords)
  9. Vulnerable to AS-REP roasting (accounts with Kerberos pre-authentication disabled)
  10. Lateral movement via RDP/WinRM/SMB
  11. Domain-joined backup servers
  12. Unpatched domain controllers
  13. Unpatched servers
  14. PrintNightmare (Print Spooler running on domain controllers and servers)
  15. Unpatched Exchange servers
  16. Overly permissive accounts
  17. Lack of dedicated admin workstations (PAWs)
  18. LLMNR/mDNS not disabled
  19. Overly permissive firewalls
  20. Lack of AV on domain controllers
  21. Lack of proactive security monitoring
  22. Credentials in SMB shares
  23. Credentials in SharePoint
  24. Insecure backups/AD backups in SMB shares
  25. LAPS is not deployed
  26. Local administrator passwords are the same on servers/workstations, so pass-the-hash (PtH) attacks work
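As an added example (not from the original post), here is a read-only PowerShell check for a few of the items above (5, 8, 9, 12 and 25) using the RSAT ActiveDirectory module. It assumes the module is installed and that the account running it can read the domain; it makes no changes.

```powershell
# Added example, not the original post's code. Read-only audit of a handful of
# the common misconfigurations above. Assumes the RSAT ActiveDirectory module
# is installed and the current account can read the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 5. Standard users can join machines to the domain.
#    Default ms-DS-MachineAccountQuota is 10; 0 means only delegated accounts can join.
$maq = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($maq -gt 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $maq: any authenticated user can join $maq machines to the domain."
}

# 8. Kerberoasting: enabled user accounts with an SPN. Any domain user can request a
#    service ticket for these and crack it offline, so check PasswordLastSet and group membership.
Write-Host '--- Kerberoastable user accounts ---'
Get-ADUser -Filter { servicePrincipalName -like '*' -and Enabled -eq $true } -Properties servicePrincipalName, PasswordLastSet, memberOf |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName, PasswordLastSet, @{ n = 'SPN'; e = { $_.servicePrincipalName -join ';' } }

# 9. AS-REP roasting: enabled accounts with "Do not require Kerberos preauthentication" set.
Write-Host '--- AS-REP roastable accounts ---'
Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true -and Enabled -eq $true } |
    Select-Object SamAccountName, DistinguishedName

# 12. Domain controllers: list OS/version so patch level can be checked against your patch tooling.
Write-Host '--- Domain controllers ---'
Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem, OperatingSystemVersion

# 25. LAPS: is the legacy LAPS schema extension present, and which enabled computers
#     have never had a managed password set? (Windows LAPS uses msLAPS-* attributes instead.)
$schema   = (Get-ADRootDSE).schemaNamingContext
$lapsAttr = Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)'
if (-not $lapsAttr) {
    Write-Warning 'Legacy LAPS attribute ms-Mcs-AdmPwd not in schema; check Windows LAPS (msLAPS-PasswordExpirationTime) separately.'
} else {
    Write-Host '--- Enabled computers with no LAPS password set ---'
    Get-ADComputer -Filter { Enabled -eq $true } -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' } |
        Select-Object Name, DistinguishedName
}
```

Run it from a domain-joined host as an ordinary domain user first: everything it reads is readable by default, which is exactly why an attacker can enumerate the same things.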

Toolbox

There's a shed load of tools; I'm not going to list them all, but here are some useful ones.

  • Adalanche
  • PingCastle
  • BloodHound
  • Mimikatz
  • PrintNightmare exploit
  • EternalBlue (MS17-010)
  • BlueKeep (realistically this is a very low-likelihood method to use)
  • Sysinternals
    • ADExplorer
  • Responder/Inveigh
  • Impacket
  • CrackMapExec
  • ldapsearch
  • AdFind
  • PowerShell AD modules/Exchange modules
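As an added example of what the PowerShell route looks like in practice (not from the original post), this script finds Group Policy Preferences files in SYSVOL that still carry a cpassword attribute (item 6 above) and decrypts them. The 32-byte AES key is the one Microsoft published in the MS-GPPREF specification, and SYSVOL is readable by every domain user by default, which is why these passwords are recoverable by anyone in the domain. It assumes the host is domain-joined and the ActiveDirectory module is available to resolve the domain name.

```powershell
# Added example, not the original post's code. Locate and decrypt GPP cpassword
# values in SYSVOL. Assumes a domain-joined host with the ActiveDirectory module;
# the AES key below is the public one from MS-GPPREF, not a secret.
Import-Module ActiveDirectory

$domainName = (Get-ADDomain).DNSRoot
$sysvol     = "\\$domainName\SYSVOL\$domainName\Policies"

$aesKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function ConvertFrom-GPPPassword {
    param([string]$CPassword)
    # cpassword is base64 with the '=' padding stripped; restore it before decoding.
    $padLen = (4 - ($CPassword.Length % 4)) % 4
    $cipher = [Convert]::FromBase64String($CPassword + ('=' * $padLen))

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = 'CBC'
    $aes.Padding = 'PKCS7'
    $aes.Key     = $aesKey
    $aes.IV      = New-Object byte[] 16      # all-zero IV, per MS-GPPREF
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.Text.Encoding]::Unicode.GetString($plain)   # plaintext is UTF-16LE
}

# The preference files that can carry credentials.
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

Get-ChildItem -Path $sysvol -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        [xml]$xml = Get-Content -Path $file -Raw
        $xml.SelectNodes('//*[@cpassword]') | ForEach-Object {
            # Different preference types name the account attribute differently.
            $account = $_.userName
            if (-not $account) { $account = $_.accountName }
            if (-not $account) { $account = $_.runAs }
            [pscustomobject]@{
                File     = $file
                Account  = $account
                Password = ConvertFrom-GPPPassword $_.cpassword
            }
        }
    }
```

Any hit is a finding in its own right: Microsoft removed the ability to set these passwords in MS14-025, but existing XML files with a cpassword attribute stay in SYSVOL until someone deletes them, and the account named in the file should be treated as compromised.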

Member Servers

  • Cached Credentials
  • Insecure Credential Storage
  • Lack of Least Privilege Access
  • Unpatched Software Vulnerabilities
  • Insecure applications

Active Directory Certificate Services

https://github.com/TrimarcJake/Locksmith

Networking

This is a huge subject so I’m going to just touch on some common areas I find in the field:

  • Overly permissive egress (e.g., egress via NAT on any port to the internet)
  • Lack of DNS Monitoring
  • Lack of segmentation
  • Management interfaces reachable from user/device networks
  • Lack of Centralised Logging/Security Monitoring
  • Weak DMZ ACLs
  • Unpatched Known Software Vulnerabilities
  • Insecurely Stored Configuration Backups
  • Insecure Protocols (e.g. TELNET)

Summary

This is just a few notes; there's loads of material out there, including a nice new blog from MS DART.