Active Directory Penetration Testing
Posted in: Active Directory

Active Directory Penetration Testing: Methodology

Written by RFS Leave a Comment on Active Directory Penetration Testing: Methodology

Today I am writing about Active Directory penetration Testing methodology, this is part of my study for eCPPTv2 by eLearningSecurity and CRTP by Pentester Academy.

Active Directory is a service to manage corporate domains it can handle all types of Microsoft services and objects applying for permissions while handling all accounting centralized.

My goal in this article is to describe how AD works and identify what should be enumerated on each AD service

active directory architecture

Microsoft Permissions can be checked here: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

Active Directory Port Numbers

PortProtocolDescription
53/TCPDNS Server
88/TCPkerberos-sec
135/tcpMSRPC
139/tcpNetBIOS SSN
389/tcpLDAP
445/tcpSamba
636/tcpLDAP SSL
3389/tcp

Basic AD Functions

Tools Arsenal

Steps

  • Scan Network
  • Scan Host
  • Detect Public Shares
  • Detect Users
  • Extract Hashes
  • Crack Passwords
  • Escalate Privileges
  • Escalate to Domain Admin

Scanning an Active Directory

Finding Hosts Running Windows clients or Active Directory Servers

What information do I need to collect?

Windows client machines, windows server machines, and respective IPs, how the authentication is managed, public available shares, DNS domain records, usernames, and passwords.

Ping Scan

nmap -sP -p 192.168.10.1

Classic Scan

nmap -sP -sC -sV -oG nmap.output 192.168.10.1 -Pn

Full Scan

nmap -PN -sC -sV -p- -oG nmap.output 192.168.10.1 -Pn

UDP Scan

nmap -sU -sC -sV -oG nmap.output 192.168.10.1

How to Find Domain Control IP?

nslookup -type=SRV _ldap.tcp_.dc._msdcs.domain.test
nmcli dev show tun0

Enumerating Active Directory

Is Port 53 Open?

dig @$DOMAIN -x  $TARGET

DNS Zone Transfer

dig axfr donain.test @nameserver

How to Find Usernames?

Null Sessions

LDAP

SMB

Kerberos

How to find Passwords?

Password Hashes?

Crack Active Directory Hashes

HashHashcat Command
LMhashcat -m 3000 -a 3 hash.txt
NTLMhashcat -m 1000 -a 3 hash.txt
NetNTLMv1hashcat -m 5500 -a 3 hash.txt
NetNTLMv2hashcat -m 5600 -a 3 hash.txt rockyou.txt
Kerberos 5 TGShashcat -m 13100 -a 3 hash.txt rockyou.txt
Kerberos 5 TGS AES128hashcat -m 19600 -a 0 spn.txt hash.txt rockyou.txt
Kerberos 5 TGS AES256hashcat -m 19700 -a 0 spn.txt hash.txt rockyou.txt
Kerberos ADREPhashcat -m 18200 -a 0 spn.txt hash.txt rockyou.txt
MsCache 2hashcat -m 2100-a 0 mscache-hash.txt hash.txt rockyou.txt
Hash to crack Windows Hashes

Active Directory Attacks

  • Zerologon
  • Petitepotam
  • Poisoning
  • Replay Attacks
  • MiTM

LLMNR/NBT-NS Poisoning

Vulnerabilities Scanning

Discover SMB Vulnerabilities using Nmap

nmap -PN --script smb-vuln* -p139,445 192.168.10.1

ZeroLogon AD Attack

BloodHound

https://raw.githubusercontent.com/SadProcessor/HandsOnBloodHound/master/BH21/BH4_SharpHound_Cheat.pdf

Leave a Reply Cancel reply

Back to Top

Table of Contents

Index