| With the turbulence of the current international network environment, China is paying more and more attention to the network security of national assets. As an important measure to deal with the network security problem, network protection actions are vigorously carried out in enterprises and institutions. A network protection action involves two teams. The attacking team launches cyber attacks on the defense side to detect and exploit security vulnerabilities in the protected assets. The defense team is responsible for sorting out assets and checking exposed surfaces to resist attack. With the normalization and deepening of network protection actions in recent years, the security of the Active Directory domain environment, with its high authority and centralized management characteristics, receives more and more attention from both sides. The security of the Active Directory domain environment is closely related to the security of national infrastructure and the data security of the people, so it is urgent to study the security of the Active Directory domain environment. Based on this, the different offensive schemes and the corresponding defense schemes in the Active Directory domain environment need to be studied. NTLM, Kerberos, and LDAP are the three most important protocols in the domain environment. They are used to authenticate communication in a network environment full of threats and have a great impact on the overall security of an Active Directory domain. Focusing on this problem, the different attack schemes and corresponding defense schemes of the three network authentication protocols in the current Active Directory domain environment are verified and improved in this paper. Specifically, the main work of this paper includes the following:

1) The attack schemes of the three representative protocols in the domain environment are completely replicated and analyzed in detail in the experimental environment set up in this paper, to verify the effectiveness of the existing attack schemes in the latest domain environment. The typical attack schemes covered in this paper are: the Pass The Hash attack, the NTLM Relay attack and the CVE-2021-1675 printer vulnerability for NTLM; the Golden Ticket attack, the Silver Ticket attack, the Resource-Based Constrained Delegation attack, the Skeleton Key attack, and the CVE-2021-42287 NoPac attack for Kerberos; and the LDAP information collection attack and the LDAP Relay attack for LDAP.

2) Based on the implementation and analysis of the different attack schemes, the defense schemes of the different protocols are completely verified by experiments in this paper. Meanwhile, the effectiveness of the different defense methods is analyzed in depth, and the defense schemes that are invalid on Windows 9 Pro are excluded. After that, in view of the shortcomings of the existing defense schemes, improved schemes are conceived and designed, and the effectiveness of the improved defense plan is evaluated. The result shows that the improved defense schemes can provide an effective reference for the defense and operation personnel of enterprises and public institutions.

3) Finally, the attack schemes and the improved defense schemes are evaluated according to five parameters: attack method, attack stage, attack tool, attack difficulty and defense difficulty. By evaluating these parameters for the attack schemes and the improved defense schemes, the preconditions, detailed process and limits of the attack schemes can be understood by attack researchers, while the attacker's current stage in the exploitation chain and their next steps can be understood and predicted by defense researchers, and the necessary changes can be made to the victim systems to ensure that the attacker cannot reuse the previous attack path to regain access.

At the same time, an Active Directory intra-domain experimental environment is set up in this paper, with the latest Windows Server 2019 system as the domain controller, Windows 10 systems as intra-domain members and Exchange Server as the intra-domain auxiliary controller. During this process, the challenges of promoting Exchange Server to a secondary domain controller and of validating the different types of attack and defense schemes are solved. In view of the scalability and practicability of attack and defense solutions developed in the old environment, the research of this paper makes up for the current lack of Active Directory domain attack and defense schemes in the latest domain environment with Windows Server 2019 as the domain controller. It is expected to provide a reference for emergency response, intrusion detection and security reinforcement in the Active Directory domain environments of large enterprises and institutions in China. |