Active Directory Penetration Testing

I had several clients come to me before a pentest and say they think they’re in a good shape because their vulnerability scan shows no critical vulnerabilities and that they’re ready for a pentest, which then leads me to getting domain administrator in few hours by just exploiting misconfigurations in AD.

The goal of a penetration test is to identify any possible attack vector an adversary would use in order to compromise a network. It is not to get domain administrator.

Now that we have a goal, there’s several steps we follow in order to accomplish it, below

What is AD?

Active Directory is a service from Microsoft which are being used to manage the services run by the Windows Server, in order to provide permissions and access to network resources. Active Directory is used over 90% of the Fortune Companies in order to manage the resources efficiently.

Active Directory is just like a phone book where we treat information as objects. In Active Directory we have objects like Computers, Users, Printers, etc. Following are some of the components of Active Directory.

Domain Controller

Domain Controller is generally the Admin of the Active Directory that is used to set up the whole directory. The role of Domain Controller is to provide Authentication and Authorization to different services and users. Domain Controller also allows administrative access to manage user account and network resources. In Active Directory the Domain Controller has the topmost priority and has most Authority/privileges.

Active Directory Data Store

An Active Directory Data Store contains Database files and process that store and manages directory information for users, services, and applications. The active Directory Data Store contains “NTDS.DIT” file which the most critical file of the whole AD.

 It is stored in the “%SystemRoot%\NTDS” folder on all domain controllers. This NTDS.DIT file is only accessible only through DC Process and Protocols.

Logical Active Directory Components

The following are the components that an Active Directory Data Store contains that defines rules to create an object in an AD environment.

Domain

A Domain is used to group objects together and manage them. The domain provides an Authentication and Authorization boundary that provides a way to limit the scope of access to the resources of that domain. Consider redteamlabs.com as a domain.

Trees

Trees are generally groups of the Domains in the Active Directory environment. Trees are used to share the contiguous namespace with the parent domain. Trees can additionally have child domains. By default, Trees create Transitive trust with other domains.

 

Here in the image above redteamlabs is the main domain and us. redteamlabs.com, ca.abc.com and au. redteamlabs.com represent the trees from different locations. Ca is for Canada, us is for united states.

Forest

Forest is said to be the collection of the Trees. Forest shares the common schema between its branches. The configuration remains the same in the partition of the branches of Forest. Trust between all domains is maintained in the forest. They are likely to share the Enterprise Admin and Schema Admin Concepts.

Organizational Units

Organizational Units are often referred to as OU. Organizational Units are Active Directory containers that generally contain user groups, Computers, and other OU. OU represents your computer organization in a hierarchically and logically way. OU is used to manage a collection of the object in a consistent way. Organizational Units are being bound to delegate the permissions to the Administrator Group of Object.

Trusts

Trust can be defined as access between the resources in order to gain permission/access to resources in another domain. Trust in Active Directory are generally of two types:

Lab set up

Setup an Active Directory (small) lab for penetration testing. I will go through step-by-step procedure to build an Active Directory lab for testing purposes.

$ Install-ADDSForest -CreateDnsDelegation:$false ` -DatabasePath “C:\Windows\NTDS” ` -DomainMode “Win2012R2” ` -DomainName “server1.hacklab.local” ` -DomainNetbiosName “server1” `  -ForestMode “Win2012R2” `  -InstallDns:$true `  -LogPath “C:\Windows\NTDS” `  -NoRebootOnCompletion:$false `  -SysvolPath “C:\Windows\SYSVOL” `  -Force:$true

In this section, we have some levels, the first level is reconnaissance your network. every user can enter a domain by having an account in the domain controller (DC).

All this information is just gathered by the user that is an AD user. In the username, there are two parts that first is the domain name and the second part is your username.

Introduction to Android Penetration Testing

The write-up will be covering the basics about android and how to set up an android pentesting lab also will be coming across the two vulnerabilities that are common in all android applications.

Android

Android is an open-source mobile operating system. As it is open-source, android is the first choice for developers as well as consumers.

Android Architecture

The Android Operating System is divided into 4 layers.

Application Layer

As shown above, the first layer is the application layer, In which all the applications are being installed on the mobile phone. It runs within the Android run time with the help of the classes and services provided by the application framework.

Application Framework

The Application Framework layer provides many higher-level services to applications in the form of Java classes. Application developers are allowed to make use of these services in their applications. Content providers and activity managers are examples.

Dalvik Virtual Machine | Android Run Time

Libraries

These are external libraries which are used for additional features or additional functions.

Linux Kernel

This layer is responsible for allocating hardware for the applications. And this layer contain all the drivers.It provides Android with several key security features, like

Security Architecture

Android security architecture consists of two models. They are:

Linux Security Model

The Linux security model is were each app runs through a unique Linux user ID. Linux helps in isolating applications from each other.

Here you can witness that it’s inside the package folder of the application diva that is installed on the virtual device. The system has formed a user id (u0_a74) for every resource that is inside the package.  So if there is any malicious application in the device they can’t affect or access other applications.

Android Security Model

In the android security model, the user’s privacy is protected by means of permissions. We all are familiar with the image shown above, we allow some of the permission that the application asking for. The permission is required by the application id declared in the AndroidManifest.xml file.

So, what is AndroidManifest.xml?

What is an APK?

AndroidManifest.xml

The AndroidManifest.xml file is the control file that tells the system what to do with all the top-level components (specifically activities, services, broadcast receivers, and content providers described below) in an application. This also specifies which permissions are required. This file may be in Android binary XML that can be converted into human-readable plaintext XML with tools such as android apktool.

META-INF directory

classes.dex

The classes are compiled in the dex file format understandable by the Dalvik virtual machine.

lib

The directory containing the compiled code that is specific to a software layer of a processor, the directory is split into more directories within it:

res

The directory containing resources not compiled into resources.arsc.

assets

A directory containing application’s assets, which can be retrieved by AssetManager.

resources.arsc

A file containing precompiled resources, such as binary XML, for example.

Setting up a lab

Prerequisites:

First we have to download Genymotion. So goto this link .

If you have already installed virtualbox on your pc then download Genymotion from the second option or if you have not installed virtualbox then download genymotion with virtualbox.

After completing the installation you have to download any virtual device.  We choose to download Google Nexus 6. After that click the install button.

It’s time to customize your device. You can set the Network mode and other settings as you wish or you can follow the same settings shown in the above image. After completing, click install and wait until the installation to be completed.

We have almost gone across the processes for the completed setting up of the virtual device. The next step is to install Google Play Store on your virtual device, to do that click on the “OpenGapps” icon and the download will be started. After the installation is completed you can reboot the device.

If you have any issue in downloading “OpenGapps”, you can manually download this. All you have to do is go to this link and download the compatible file. 

Configuring virtual device with Burp suite

So firstly you have to configure the proxy settings of the virtual device .

Now you completed the configuration in the Burp Suite.

The last step is to add a cacert to the virtual device.

Perfect! We successfully captured the requests from the virtual device.

Practical Time 🙂

Let’s discuss two vulnerabilities that have a high chance to be found in real world applications.

1. Hardcoding Issues

Hard-coding issues means developers hard-code some sensitive strings inside the source code. Hardcoded data might be password, access token etc..

Now we are going to connect to the device using adb.

adb connect [ip address : port]

You have successfully connected with the device. Next thing is to get the shell of the device. In order to do that run the following command:

adb shell

We are going to practice the testing on the application named DIVA (Damn Insecure and Vulnerable Application).

As you can see, diva is already installed in my device.

You can install apk using adb, for that use the following command:

adb install diva.apk

Now open diva app and click on the challenge named Hardcoding Issue Part 1.

So it is asking for a key for the users to access. When you type any value and click access it shows access denied.

So now you have to inspect the source code of the activity.

First, you need to unzip the apk.

unzip diva-beta.apk

As the next step, you have to read the contents inside the file “classes. dex”  but it is not in a human-readable format. The next step is to convert the dex file to jar format, to do that you can use the d2j-dex2jar tool.

d2j-dex2jar classes.dex

After executing this command there will be a new file in .jar format.

After executing this command there will be a new file in .jar format.

jd-gui classes-dex2jar.jar

Here you can find the source code of every activity that is in the application. You are here  to inspect the source code of the Hardcoded Issue, so open the corresponding file:

Here you can see that the developer hardcoded a sensitive string in the source code. So when the user enters any value in the box it validates with this key.

Now let’s enter this key in the box and see what happens.

These types of security vulnerabilities are known as Hard-coding Issues. That’s all about Hard-coding issues. Now you have to move to another vulnerability.

2. Insecure Data Storage

Insecure data storage means sometimes developers store sensitive information without encryption. Here the issue is storing user’s data like passwords, tokens in plain text cause any other application reads those sensitive data. 

Let’s practice this on the diva.

We have opened the Insecure Data Storage challenge in diva.

Now we can save our credentials. For that, we entered a username and password and click save.

It says that credentials are saved successfully. Now let’s inspect the source code of the activity. To do that repeat the process we did the last challenge. That is open the .jar file using jd-gui.

We can see that the credentials are stored in the SharedPreferences folder.

So let’s navigate to that folder.

Now we are inside the package folder of the application diva. Inside this folder, there is the folder that we are looking for that is “SharedPreferences”. The source code of this application says that the credentials are stored inside this folder.

The next step is inspecting the contents of this folder.

We can see that there is one xml file. Let’s read the contents of this file

cat jakhar.aseem.diva_preferences.xml

Here we can see that the credentials that are entered are stored in plain text and also in insecure locations.