Today I am writing about Active Directory penetration Testing methodology, this is part of my study for CRTP by Pentester Academy.

Active Directory is a service to manage corporate domains it can handle all types of Microsoft services and objects applying for permissions while handling all accounting centralized.

My goal in this article is to describe how AD works and identify what should be enumerated on each AD service inside a single Domain Controller.

active directory diagram4 1024x515 1
Active Directory Penetration Testing: Methodology 4

Microsoft Permissions can be checked here: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference.

Active Directory Port Numbers

PortProtocolDescription
53/TCPDNS Server
88/TCPkerberos-sec
135/tcpMSRPC
139/tcpNetBIOS SSN
389/tcpLDAP
445/tcpSamba
636/tcpLDAP SSL
3389/tcp

Basic AD Functions

Tools Arsenal

Steps

  • Scan Network
  • Scan Host
  • Detect Public Shares
  • Detect Users
  • Extract Hashes
  • Crack Passwords
  • Escalate Privileges
  • Escalate to Domain Admin

Scanning an Active Directory

Finding Hosts Running Windows clients or Active Directory Servers

What information do I need to collect?

Windows client machines, windows server machines, and respective IPs, how the authentication is managed, public available shares, DNS domain records, usernames, and passwords.

Ping Scan

The ping scan functionality in Nmap is a way to determine which hosts on a network are active and reachable.

nmap -sn -Pn 192.168.10.1

Classic Scan

nmap -sP -sC -sV -oG nmap.output 192.168.10.1 -Pn

Full Scan

nmap -PN -sC -sV -p- -oG nmap.output 192.168.10.1 -Pn

UDP Scan

nmap -sU -sC -sV -oG nmap.output 192.168.10.1

How to Find Domain Control IP?

Ask the network

nslookup -type=SRV _ldap.tcp_.dc._msdcs.domain.test

Verify in your machine:

nmcli dev show tun0

Enumerating Active Directory

Is Port 53 Open?

dig @$DOMAIN -x  $TARGET

DNS Zone Transfer

dig axfr donain.test @nameserver

How to Find Usernames?

Null Sessions

LDAP

SMB

Kerberos

How to find Passwords?

Password Hashes?

Crack Active Directory Hashes

HashHashcat Command
LMhashcat -m 3000 -a 3 hash.txt
NTLMhashcat -m 1000 -a 3 hash.txt
NetNTLMv1hashcat -m 5500 -a 3 hash.txt
NetNTLMv2hashcat -m 5600 -a 3 hash.txt rockyou.txt
Kerberos 5 TGShashcat -m 13100 -a 3 hash.txt rockyou.txt
Kerberos 5 TGS AES128hashcat -m 19600 -a 0 spn.txt hash.txt rockyou.txt
Kerberos 5 TGS AES256hashcat -m 19700 -a 0 spn.txt hash.txt rockyou.txt
Kerberos ADREPhashcat -m 18200 -a 0 spn.txt hash.txt rockyou.txt
MsCache 2hashcat -m 2100-a 0 mscache-hash.txt hash.txt rockyou.txt
Hash to crack Windows Hashes

Active Directory Penetration Testing

LLMNR/NBT-NS Poisoning

Vulnerabilities Scanning

Discover SMB Vulnerabilities using Nmap

nmap -PN --script smb-vuln* -p139,445 192.168.10.1

ZeroLogon AD Attack

BloodHound

image
https://raw.githubusercontent.com/SadProcessor/HandsOnBloodHound/master/BH21/BH4_SharpHound_Cheat.pdf
Avatar of RFS

RFS (40)

Offshore NetworkTrain on real enterprise infrastructures with Hack The Box.

Offshore is a real-world enterprise environment that features a wide range of modern Active Directory flaws and misconfigurations.