Resources:

• Virtualbox

• Attacker Host: Kali VM

• Vulnerable VMs: (Retrieved from Vulnyx)

  • Observer

  • Admin

  • Experience

  • Lower2

Setting up the Laboratory:

1. After downloading each virtual machine .ova file from Vulnyx/Kali, set them up on Virtualbox using the import utility. Repeate this step for every vm using their corresponding .ova file.

   • On Virtualbox, follow the following steps:

     • Source: Local File System

     • File: (add vm .ova file using file explorer)

     • Click on Finish

       

       

2. Creating network interfaces

   • On Virtualbox, follow these steps to create the DMZ network.

     • Tools > Network manager > NAT Networks > Create

       • Name: DMZ_Network

       • IPv4 Prefix: 10.0.2.0/24

       • Apply the Changes

         

         

   • On Virtualbox, follow these steps to create the Internal network.

     • Tools > Network Manager > NAT Networks > Create

       • Name: Internal_Network

       • IPv4 Prefix: 192.168.100.0/24

       • Apply the Changes

3. Assigning Network Interfaces to each VM

   • First, set DMZ_Network interface for Kali, Observer, & Admin:

     • Settings > Network > Adapter 1

       • Attached to: NAT Network

       • Name: DMZ_Network

       • Click OK

• Following that, set DMZ_Network interface on adapter 1 and Internal_Network interface on adapter 2 for the pivot system, in my case, Experience.

  • Settings > Network > Adapter 1

    • Attached to: NAT Network

    • Name: DMZ_Network

    • Click OK

  • Settings > Network > Adapter 2

    • Attached to: NAT Network

    • Name: Internal_Network

    • Click OK

• Finally, set the Internal_Network interface for the end target system located in the internal network, in my case, Lower2.

  • Settings > Network > Adapter 1

    • Attached to: NAT Network

    • Name: Internal_Network

    • Click OK

Summary

This lab can be used for many purposes, be it to try a specific attack or test a new tool, practicing pivoting and privilege escalation, or even simulating a full penetration test and creating a sample report to improve your skills. The standalone machines can always be switched at your liking, and other network interfaces could be created to practice double pivoting scenarios. I’ve created this lab to prepare for the Junior Penetration Tester (eJPTv2) certification exam from INE. If you are preparing for a similar exam or evaluation, most likely pivoting will be required in order to compromise internal systems. Building an environment similar to the setup presented above can be of great benefit. Pivoting can be somewhat confusing at first, and by creating your own laboratory you will be able to truly understand and interpret the tooling, commands, and actions being performed to make it happen, including the how’s, what’s and why’s.

Note: Non-Windows devices, such as Linux machines, can also authenticate to Active Directory via RADIUS (Remote Authentication Dial-In Service) or LDAP (Lightweight Directory Access Protocol).

Active Directory Services

• Domain Services (AD DS): AD DS manages and organizes directory information about network objects such as users, groups, and devices. Basically, it’s job is to distribute information about network objects such as users, groups, and devices across the network while enforcing the policies set by network administrators. For example, if an administrator creates a network share for the HR team, AD DS ensures that only users in the HR group can access that share by applying specific permissions and access controls. Additionally, AD DS manages user privileges, authentication, and authorization, ensuring that security policies are consistently enforced across the network.

• Certificate Services (AD CS): AD CS manages digital certificates for users, devices, and services within the network. These certificates can be used for authentication, encryption, and digital signatures. Also, AD CS is in charge of creating the Public Key Infrastructure (PKI), which supports the use of public and private keys for secure communications. Think of it as a digital ID card system, each time a user tries to communicate with another user or service, AD CS scans their digital ID card to verify their identity, making sure that they are who they claim to be.

• Federation Services (AD FS): AD FS helps users to access multiple applications using a single account, and it supports single sign-on (SSO). AD FS is used in resource sharing situations, for example, if I want to access a specific service from a partner company, AD FS helps to securely share a digital identity in order to access that service without using multiple credentials.

• Lightweight Directory Services (AD LDS): AD LDS provides a lighter, and more flexible alternative to the full AD DS environment. AD LDS is designed to support directory enabled applications without requiring the overhead of a full AD domain. It allows organizations to store and manage directory data in a way that is similar to AD DS, but without the need to deploy domain controllers, manage AD domains, or join systems to a domain.

• Rights Management Services (AD RMS): Manages and protects sensitive information through encryption, rights management, and policy enforcement using information rights management (IRM). Helps organizations safeguard their property and confidential data by restricting the amount of access and actions users can take with protected data.

Active Directory is composed of both physical and logical components.

Physical:

• Data Store (NTDS.DIT): The AD DS data store contains the database files and processes that store and manage directory information for users, services, and applications.

  • Serves as the principal database file within AD DS, it stores and organizes all information related to objects in the domain, including users, groups, computers, account details, password hashes, and more.

• Domain Controllers: The most important component. Provides administrative access, the ability to setup group policies, change user passwords, etc. Think of the DC as the main base of a domain, it’s from where you control and mange everything under its tree.

• Global Catalog Server: Stores a catalog of every object in the directory. Serves to look up directory information regardless of the object’s location.

• Read-Only Domain Controller (RODC): Type of domain controller that holds a read-only copy of the AD database. Unlike a regular DC, which can both read and write to the database, an RODC only allows read operations. This means that it cannot make changes to the database, such as adding or modifying user accounts, groups, or other objects.

Logical:

• Schema: The Schema defines every type of object that can be stored in the directory, think about it as a rule book or a blueprint that enforces rules regarding object creation and configuration.

• Domains: Used to group and manage objects in an organization. It serves as an administrative boundary for applying policies to groups of objects, allowing administrators to manage users, systems, and other resources together. It is also a replication boundary, ensuring that directory data is replicated between domain controllers within the domain.

• Domain Trees: A hierarchy or chain of domains in AD DS. When we have multiple domains, they are controlled in a hierarchy, just like a tree. Shares a contiguous namespace with the parent domain (ex: domain’.’com), and can have additional child domains (ex: dev.domain’.’com and hr.domain’.’com)

• Forests: A collection of one or more domain trees. Think of forests as a group made of other groups of domains. As a family, if the forest is made of domain trees, which represent a group of domains in a parent/child style hierarchy, then the forests can be seen as the overall family, including different groups. Forests serve to share a common schema, configuration, and global searching catalog. It enables trusts between all domains in the forest and shares the enterprise admin and schema admin groups.

• Sites: They define the physical layout of the network. Each site includes one or more subnets and is linked to other sites via site links, which represent the network connections between them.

• Organization units (OUs): Active Directory containers that can contain users, groups, computers, and other OUs. Represents the organization hierarchically and logically, manages a collection of objects in a consistent way, applies policies, and delegates permissions to administer groups of objects.

Things to know

Trust relationships: Trusts provide a mechanism for users to gain access to resources in another domain.

• Directional → The trust direction flows from trusting domain to the trusted domain.

• Transitive → The trust relationship is extended beyond a two-domain trust to include other trusted domains.

Objects: An object is an element, such as a user, group, application, device, etc.

Understanding Kerberos

Kerberos: The network authentication protocol used in Active Directory (AD) that verifies user and service identities without transmitting passwords over the network. It utilizes tickets for authentication and relies on the Key Distribution Center (KDC) to manage secret keys and tickets used by clients and services.

• Authentication Service (AS): When a user attempts to log in, the AS verifies the user’s credentials and issues a Ticket Granting Ticket (TGT). This ticket allows the user to request access to other services without needing to re-enter their password.

• Ticket-Granting Service (TGS): Service used by Kerberos to grant a ticket to a user in order to access a certain service or server.

Overview of Kerberos:

1. When a user logs on to the Active Directory environment, the user authenticates to the Domain controller using the user’s password which of course the Domain Controller knows.

2. The Domain Controller sends the user a Ticket Granting Ticket (TGT) Kerberos Ticket. The TGT is presented to any Domain Controller to prove authentication for Kerberos service tickets.

3. The user opens up the application it’s attempting to access, and that causes the user’s workstation to lookup the Service Principal Name (SPN) for the user’s exchange server.

4. Once the SPN is identified, the computer communicated with the Domain Controller again and presents the user’s TGT as well as the SPN for the resource to which the user needs to communicate.

5. The Domain Controller replies with the Ticket Granting Service (TGS) Kerberos service ticket.

   • The TGS is encrypted with the server’s account hash.

6. The user’s workstation presents the TGS to the exchange server for access.

   • Server will decrypt the TGS and check if the user actually has the authority to access the server and proceed to authenticate.

7. If the user is authorized, the application connects successfully.

Tor stands for “The Onion Router”, it's an open-source browser that allows anonymity and privacy online by redirecting internet traffic through a series of servers known as nodes, or relays, which are hosted by volunteers all over the world. Thanks to its distributed network, users are allowed to browse the internet anonymously. The name itself, is a reference to the different layers of cypher, and encryption.

Who and why?

Tor is used by many types of people that perform different types of activities online, going from journalists, and whistleblowers to a group of folks that care about their online privacy. Activists in countries with tight controls also use Tor to get around censorship, or to maintain hidden in the shadows, away from the governmental agencies’ eyes. Even researchers and security geeks use it to explore online security without being tracked.

The main purpose is to maintain browsing activity anonymous and private but can also be used to access certain websites which might impose strict rules by your country of residence, or to visit .onion sites, which are a more secretive and private than the clear net.

Although, we also need to be conscious about the bad content we might be exposed to in Tor’s .onion services. While many .onion sites serve legitimate purposes, some are notorious for illegal activities, which can overshadow the positive uses of Tor. It’s crucial to note that Tor doesn’t inherently imply illicit activity. Anyways, as long as you are using the browser for the good, you don’t have to worry. Just like any other browser, or application, don’t click on random links, or try to go into sketchy places.

What are .onion sites?

A .onion domain is only accessible through the Tor browser, which means that in order to access it we are forced to navigate through the Tor relays. Onion services do not use traditional IP addresses, since the service itself acts as an overlay on top of the TCP/IP infrastructure.

We connect to domains in the clear net using IP addresses, that look something like this “https://172.16.254.1" , made of 32 bits (1’s and 0’s). Although, we don’t always see this thanks to the Domain Name System (DNS) service which takes the load of remembering all of those numbers for each site that we want to access. Onion sites look more like this “vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion", see the difference? There’s no IP addresses or names, just a bunch of random characters. These random characters are actually a base32-encoded version of the public key associated with the Tor hidden service. The .onion address serves as the identity public key of the service, allowing users to connect to it through the Tor network. Unlike regular domains that rely on DNS, .onion addresses provide a level of anonymity and security by directly using cryptographic keys.

How does Tor Work?

To understand how Tor works, we must understand how the internet works first. Normally, when you attempt to connect to a website, your device makes a request to the server where the target domain is hosted. This process is efficient, and fast, but not secure, because it reveals the recipient’s IP address, approximate location, and identity to the webserver and anyone snooping the traffic.

By accessing the tor network, your traffic is rerouted through 3 different relays before reaching the internet. Between those 3 relays, our traffic is encrypted, the only time where our traffic is not encrypted is when it’s going through the exit node. By the time traffic exits the exit node, it will be very hard to find the original source of your requests.

1. Entry Node: Your traffic first enters the Tor network through an entry node. Here, your data is encrypted, but the entry node can see your original IP address.

2. Middle Node: The encrypted data is then sent to a middle node, which further anonymizes your traffic by encrypting it again. The middle node cannot see your IP address or the final destination of the data.

3. Exit Node: Finally, your traffic exits the Tor network through an exit node, where the encryption is removed. This is the only point at which your data is decrypted and sent to the final destination. Note that If the website you’re accessing is not using HTTPS, the exit node can see the content of your traffic, potentially exposing sensitive information. However, the exit node cannot trace the traffic back to your original IP address.