# Movement

{% hint style="danger" %}
**This is a work-in-progress**
{% endhint %}

Below is a checklist to go through when conducting a pentest. Order is irrelevant, and many tests require authenticated or admin access. This checklist answers "what to audit on AD?" rather than "how to pwn AD?". A mindmap is in the works for that matter :wink:.

### NTLM configuration

* [ ] Obsolete versions of this protocol (LM, LMv2 and NTLM(v1)) are disabled, and NTLM (all versions) is disabled when possible. This protects against [NTLM relay](https://red.infiltr8.io/ad/broken-reference), [NTLM capture](https://red.infiltr8.io/ad/movement/ntlm/capture) and [cracking](https://red.infiltr8.io/ad/credentials/cracking#tips-and-tricks), and [pass-the-hash](https://red.infiltr8.io/ad/broken-reference) attacks.

### Kerberos configuration

* [ ] `krbtgt`'s password has been changed in the last 6 months to prevent [Golden Ticket](https://red.infiltr8.io/ad/persistence/kerberos/forged-tickets) persistence attacks. From UNIX-like systems, this can be checked with [Impacket](https://github.com/SecureAuthCorp/impacket/)'s [GetADUsers.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetADUsers.py) script.
* [ ] The RC4 `etype` is disabled for Kerberos, preventing [overpass-the-hash](https://red.infiltr8.io/ad/movement/kerberos/opth) attacks as well as [NTLMv1 capture](https://red.infiltr8.io/ad/movement/ntlm/capture) and [cracking](https://red.infiltr8.io/ad/credentials/cracking#tips-and-tricks) leading to [Silver Ticket](https://red.infiltr8.io/ad/persistence/kerberos/forged-tickets) attacks. This can be checked by attempting to obtain a TGT with an NT hash.
* [ ] No account is configured with `Do not require Kerberos Pre-Authentication`, which would allow [ASREProast](https://red.infiltr8.io/ad/broken-reference) attacks; where such accounts exist, they have a strong password resistant to [cracking](https://red.infiltr8.io/ad/movement/credentials/cracking).
* [ ] User accounts that have at least one `ServicePrincipalName`, and are hence vulnerable to [Kerberoast](https://red.infiltr8.io/ad/broken-reference), have a strong password resistant to [cracking](https://red.infiltr8.io/ad/movement/credentials/cracking).

### Patch management

* [ ] Domain Controllers are patched against [ZeroLogon](https://red.infiltr8.io/ad/broken-reference).
* [ ] Domain Controllers are patched against [Kerberos sAMAccountName spoofing](https://red.infiltr8.io/ad/broken-reference).
* [ ] [MS14-068](https://red.infiltr8.io/ad/kerberos/forged-tickets#ms-14-068-cve-2014-6324) is patched, preventing forging of powerful Kerberos tickets.
* [ ] [PrivExchange](https://red.infiltr8.io/ad/movement/exchange-services/privexchange) patches are applied, protecting Exchange servers from [authentication coercion attacks relying on the PushSubscription API](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/pushsubscription-abuse), and [ACE abuse](https://red.infiltr8.io/ad/broken-reference) attacks relying on the `EXCHANGE WINDOWS PERMISSION` group having `WriteDacl` permissions against the domain object allowing for [DCSync](https://red.infiltr8.io/redteam/credentials/os-credentials/windows-and-active-directory/dcsync).
* [ ] Patches for NTLM tampering vulnerabilities (e.g. CVE-2019-1040, CVE-2019-1019, CVE-2019-1166) are applied to limit [NTLM relay](https://red.infiltr8.io/ad/broken-reference) attacks.
* [ ] The latest security patches are applied (e.g. for ProxyLogon, ProxyShell, PrintNightmare, ...).

### Access Management (IAM/PAM)

* [ ] Local administrators have a unique, random, complex and rotating password on every server/workstation (e.g. use of LAPS). This can be checked by dumping a local admin password or hash and attempting [credential stuffing](https://red.infiltr8.io/ad/movement/credentials/bruteforcing/stuffing) (i.e. trying to log in on other resources with that password/hash).
* [ ] Strong [password and lockout policies](https://red.infiltr8.io/ad/broken-reference) exist and are applied (complexity enabled, at least 12 chars, 16 for admins, must change every 6 months) and users know not to use simple and guessable passwords (e.g. password == username) limiting credential [bruteforcing](https://red.infiltr8.io/ad/movement/credentials/bruteforcing), [guessing](https://red.infiltr8.io/ad/broken-reference), [stuffing](https://red.infiltr8.io/ad/movement/credentials/bruteforcing/stuffing) and [cracking](https://red.infiltr8.io/ad/movement/credentials/cracking) attacks.
* [ ] Tier Model is applied (administrative personnel have multiple accounts, one for each tier, with different passwords and security requirements for each one) and a "least requirement" policy is followed (i.e. service accounts don't have domain admin (or equivalent) privileges, ACEs are carefully set) limiting credential [bruteforcing](https://red.infiltr8.io/ad/movement/credentials/bruteforcing), [guessing](https://red.infiltr8.io/ad/broken-reference), [stuffing](https://red.infiltr8.io/ad/movement/credentials/bruteforcing/stuffing) and [cracking](https://red.infiltr8.io/ad/movement/credentials/cracking) attacks.
* [ ] Sensitive network shares are not readable by all users. A "need to know" policy is followed, preventing data leak and other [credential-based attacks](https://red.infiltr8.io/ad/movement/credentials).
* [ ] No account is configured with [Kerberos Unconstrained Delegation](https://red.infiltr8.io/ad/kerberos/delegations#unconstrained-delegations) capabilities.
* [ ] No computer account has admin privileges over another one. This limits [NTLM relay](https://red.infiltr8.io/ad/broken-reference) attacks.
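The Kerberos configuration checks above (krbtgt password age, RC4 `etype`, pre-authentication not required, SPN-bearing user accounts) and the unconstrained delegation check share the same work: decoding `pwdLastSet`, `userAccountControl` and `msDS-SupportedEncryptionTypes` values pulled from LDAP. The following is an added example, not code from this page or from Impacket: it evaluates those checks over a constructed set of LDAP-entry-like dicts (the `corp.local` domain, account names and values are made up), so it runs offline; with a real directory, feed it the same attributes from an LDAP search.

```python
from datetime import datetime, timedelta, timezone

# Microsoft-documented bit values: userAccountControl flags and msDS-SupportedEncryptionTypes bits.
DONT_REQ_PREAUTH = 0x400000
TRUSTED_FOR_DELEGATION = 0x80000
RC4_HMAC = 0x4
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """pwdLastSet is a FILETIME: 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def audit(entries, now, dc_accounts=(), max_krbtgt_age_days=180):
    f = {"krbtgt_stale": False, "preauth_not_required": [], "kerberoastable": [],
         "unconstrained_delegation": [], "rc4_allowed": []}
    for e in entries:
        name, uac = e["sAMAccountName"], e.get("userAccountControl", 0)
        if name == "krbtgt":
            age = now - filetime_to_datetime(e["pwdLastSet"])
            f["krbtgt_stale"] = age > timedelta(days=max_krbtgt_age_days)
        if uac & DONT_REQ_PREAUTH:
            f["preauth_not_required"].append(name)
        # user accounts (not machine accounts, not krbtgt) carrying an SPN can be Kerberoasted
        if e.get("servicePrincipalName") and not name.endswith("$") and name != "krbtgt":
            f["kerberoastable"].append(name)
        # Domain Controllers legitimately carry the flag; any other account is a finding
        if uac & TRUSTED_FOR_DELEGATION and name not in dc_accounts:
            f["unconstrained_delegation"].append(name)
        # assumption of this example: a missing attribute is treated as RC4-capable (legacy default)
        if e.get("msDS-SupportedEncryptionTypes", RC4_HMAC) & RC4_HMAC:
            f["rc4_allowed"].append(name)
    return f

# Constructed sample directory (not real data); corp.local is a placeholder domain.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,
     "pwdLastSet": 132985152000000000,  # FILETIME for 2022-06-01 00:00:00 UTC
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"], "msDS-SupportedEncryptionTypes": 0x4},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x400200},
    {"sAMAccountName": "alice", "userAccountControl": 0x200},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000, "msDS-SupportedEncryptionTypes": 0x18},
]

FINDINGS = audit(SAMPLE, NOW, dc_accounts={"DC01$"})
```

On the sample, `FINDINGS` reports the stale krbtgt password, `legacy_app` without pre-authentication, `svc_sql` as Kerberoastable, `WEB01$` with unconstrained delegation, and the four accounts still accepting RC4.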

### Credentials Management

* [ ] Caching of domain user credentials is limited on workstations and avoided on servers to prevent [credential dumping](https://red.infiltr8.io/ad/movement/credentials/dumping) of LSA secrets from the registry.
* [ ] [Group Policy Preferences Passwords](https://red.infiltr8.io/redteam/credentials/os-credentials/windows-and-active-directory/group-policies-preferences) are not used.
* [ ] LSA protection is enabled to prevent [LSASS dumping](https://red.infiltr8.io/ad/broken-reference).
* [ ] Network shares readable by all domain users don't contain sensitive data like passwords or certificates limiting [credential dumping](https://red.infiltr8.io/redteam/credentials/unsecured-credentials/network-shares).

### Domain-level configuration and best-practices

* [ ] The [Machine Account Quota](https://red.infiltr8.io/ad/broken-reference) domain-level attribute is set to 0, preventing domain users from creating domain-joined computer accounts.
* [ ] Default [special groups](https://red.infiltr8.io/ad/broken-reference) are empty, limiting, among other things, out-of-box ACE abuses.

### Networking, protocols and services

* [ ] SMB signing is required when possible, especially on sensitive servers, preventing [NTLM relay](https://red.infiltr8.io/ad/broken-reference) attacks.
* [ ] LDAP signing is required on Domain Controllers, preventing [NTLM relay](https://red.infiltr8.io/ad/broken-reference) attacks.
* [ ] Extended Protection for Authentication (EPA) is required, especially for Domain Controllers supporting LDAPS, preventing [NTLM relay](https://red.infiltr8.io/ad/broken-reference) attacks.
* [ ] IPv6 is either fully configured and used or disabled, preventing [DHCPv6 spoofing with DNS poisoning](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/dhcpv6-spoofing) attacks.
* [ ] [LLMNR, NBT-NS and mDNS](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/llmnr-nbtns-mdns-spoofing) are disabled, preventing MITM attacks relying on those multicast/broadcast domain name resolution protocols.
* [ ] WPAD is disabled, preventing [WPAD spoofing](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/wpad-spoofing).
* [ ] A wildcard (`*`) record exists in ADIDNS, preventing powerful [ADIDNS poisoning](https://red.infiltr8.io/ad/mitm-and-coerced-authentications/adidns-spoofing#wildcard-records) attacks. Preferably, this is a `TXT` record.
* [ ] The print spooler is disabled on Domain Controllers and sensitive servers to prevent the [PrinterBug](https://red.infiltr8.io/ad/movement/print-spooler-service/printerbug) authentication coercion attack.
* [ ] The WSUS server (if any) is configured with HTTPS, preventing [WSUS spoofing](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/wsus-spoofing) attacks carried out through ARP poisoning.
* [ ] Packet filtering and inspection are set up, and port security is enabled on network switches, to prevent [ARP poisoning](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/arp-poisoning) attacks and [network secrets dumping](https://red.infiltr8.io/redteam/credentials/unsecured-credentials/network-protocols).
* [ ] VLANs, 802.1X or other [NAC (Network Access Control)](https://github.com/v4resk/red-book/blob/main/physical/networking/network-access-control.md) controls are set up to limit an attacker's progress within the network.
* [ ] Plaintext protocols (HTTP, FTP, ...) are avoided when credentials are used, in order to minimize the risk of [capture of credentials transiting on the network](https://red.infiltr8.io/redteam/credentials/unsecured-credentials/network-protocols).

### Active Directory Certificate Services

* [ ] The CA is configured correctly (the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag is not set). This prevents [the corresponding domain escalation attack](https://red.infiltr8.io/ad/broken-reference).
* [ ] There are no certificate templates that are badly configured. This prevents [the corresponding domain escalation attack](https://red.infiltr8.io/ad/movement/ad-cs/certificate-templates).
* [ ] AD-CS web endpoints are secured against [AD-CS NTLM relay attacks](https://red.infiltr8.io/ad/movement/ad-cs/unsigned-endpoints) (HTTPS and EPA (Extended Protection for Authentication) enforced).
