Active Directory Penetration Testing
Posted in: Active Directory

Active Directory Penetration Testing: Methodology

Today I am writing about the Active Directory penetration testing methodology; this is part of my study for the eCPPTv2 by eLearnSecurity. Active Directory is the service used to manage corporate domains.

Figure: Active Directory architecture

Active Directory Port Numbers

Port        Service
53/tcp      DNS server
88/tcp      Kerberos (kerberos-sec)
135/tcp     MSRPC
139/tcp     NetBIOS session service
389/tcp     LDAP
445/tcp     SMB (Samba)
636/tcp     LDAP over SSL
3389/tcp    RDP

Tools Arsenal

Steps

  • Scan Network
  • Scan Host
  • Detect Public Shares
  • Detect Users
  • Extract Hashes
  • Crack Passwords
  • Escalate Privileges
  • Escalate to Domain Admin

Scanning an Active Directory

Finding Hosts Running Windows clients or Active Directory Servers

What information do I need to collect?

Windows client machines, Windows server machines and their IPs, how authentication is managed, publicly available shares, DNS domain records, usernames, and passwords.

Ping Scan

nmap -sn 192.168.10.1

Classic Scan

nmap -Pn -sC -sV -oG nmap.output 192.168.10.1

Full Scan

nmap -Pn -sC -sV -p- -oG nmap.output 192.168.10.1

UDP Scan

nmap -sU -sC -sV -oG nmap.output 192.168.10.1
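Added example, not part of the original post: a small Python parser for the grepable output (-oG nmap.output) written by the scans above. It maps open ports back to the services in the port table and flags hosts exposing both Kerberos and LDAP as probable domain controllers. The scan lines embedded below are constructed, not real results.

```python
import re
from typing import Dict, List, Set

# Ports from the table above; the Kerberos + LDAP pair is what separates a
# domain controller from an ordinary Windows client.
AD_PORTS = {53: "DNS", 88: "Kerberos", 135: "MSRPC", 139: "NetBIOS",
            389: "LDAP", 445: "SMB", 636: "LDAPS", 3389: "RDP"}
DC_MARKERS = {88, 389}

# Constructed sample in nmap grepable (-oG) format; not real scan output.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -Pn -sC -sV -oG nmap.output 192.168.10.0/24
Host: 192.168.10.1 ()\tStatus: Up
Host: 192.168.10.1 ()\tPorts: 53/open/tcp//domain//, 88/open/tcp//kerberos-sec//, 389/open/tcp//ldap//, 445/open/tcp//microsoft-ds//, 636/open/tcp//ssl|ldap//\tIgnored State: closed (995)
Host: 192.168.10.50 ()\tStatus: Up
Host: 192.168.10.50 ()\tPorts: 135/open/tcp//msrpc//, 139/open/tcp//netbios-ssn//, 445/open/tcp//microsoft-ds//, 3389/open/tcp//ms-wbt-server//\tIgnored State: closed (996)
Host: 192.168.10.77 ()\tPorts: 22/open/tcp//ssh//, 80/open/tcp//http//
# Nmap done
"""

PORT_RE = re.compile(r"(\d+)/open/tcp")


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Return {host: set of open TCP ports} from nmap -oG text."""
    hosts: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        hosts.setdefault(ip, set()).update(int(p) for p in PORT_RE.findall(ports_field))
    return hosts


def classify(ports: Set[int]) -> str:
    """Label a host by which table ports it exposes."""
    if DC_MARKERS <= ports:
        return "likely domain controller"
    if ports & {135, 139, 445, 3389}:
        return "windows host"
    return "other"


def ad_inventory(text: str) -> List[tuple]:
    """(ip, role, [service names]) for every host with a Ports: line."""
    rows = []
    for ip, ports in sorted(parse_grepable(text).items()):
        names = [AD_PORTS[p] for p in sorted(ports) if p in AD_PORTS]
        rows.append((ip, classify(ports), names))
    return rows


if __name__ == "__main__":
    for ip, role, names in ad_inventory(SAMPLE_OG):
        print(f"{ip:<16} {role:<26} {', '.join(names)}")
```

Point it at a real nmap.output file by reading the file into the text argument; the same parser works for the full-port scan above because it only keys on the `Ports:` field.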

How to Find the Domain Controller IP?

nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.test
nmcli dev show tun0

Enumerating Active Directory

Is Port 53 Open?

dig @$DOMAIN -x $TARGET

DNS Zone Transfer

dig axfr domain.test @nameserver

How to Find Usernames?

Null Sessions

LDAP

SMB

Kerberos

How to find Passwords?

Password Hashes?

Crack Active Directory Hashes

Hash                        Hashcat command
LM                          hashcat -m 3000 -a 3 hash.txt
NTLM                        hashcat -m 1000 -a 3 hash.txt
NetNTLMv1                   hashcat -m 5500 -a 3 hash.txt
NetNTLMv2                   hashcat -m 5600 -a 0 hash.txt rockyou.txt
Kerberos 5 TGS-REP (RC4)    hashcat -m 13100 -a 0 hash.txt rockyou.txt
Kerberos 5 TGS-REP AES128   hashcat -m 19600 -a 0 hash.txt rockyou.txt
Kerberos 5 TGS-REP AES256   hashcat -m 19700 -a 0 hash.txt rockyou.txt
Kerberos 5 AS-REP           hashcat -m 18200 -a 0 hash.txt rockyou.txt
MS Cache 2 (DCC2)           hashcat -m 2100 -a 0 hash.txt rockyou.txt

-a 3 with no mask given runs hashcat's built-in default mask; -a 0 is a wordlist attack, so rockyou.txt only belongs after the hash file in the -a 0 rows.

Active Directory Attacks

  • Zerologon
  • PetitPotam
  • Poisoning
  • Replay Attacks
  • MiTM

LLMNR/NBT-NS Poisoning

Vulnerabilities Scanning

Discover SMB Vulnerabilities using Nmap

nmap -Pn --script "smb-vuln*" -p139,445 192.168.10.1

ZeroLogon AD Attack

BloodHound

https://raw.githubusercontent.com/SadProcessor/HandsOnBloodHound/master/BH21/BH4_SharpHound_Cheat.pdf
