Today I am writing about Active Directory penetration Testing methodology, this is part of my study for CRTP by Pentester Academy.

Active Directory is a service to manage corporate domains it can handle all types of Microsoft services and objects applying for permissions while handling all accounting centralized.

My goal in this article is to describe how AD works and identify what should be enumerated on each AD service inside a single Domain Controller.

active directory architecture
active directory architecture

Microsoft Permissions can be checked here: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

Active Directory Port Numbers

PortProtocolDescription
53/TCPDNS Server
88/TCPkerberos-sec
135/tcpMSRPC
139/tcpNetBIOS SSN
389/tcpLDAP
445/tcpSamba
636/tcpLDAP SSL
3389/tcp

Basic AD Functions

Tools Arsenal

Steps

  • Scan Network
  • Scan Host
  • Detect Public Shares
  • Detect Users
  • Extract Hashes
  • Crack Passwords
  • Escalate Privileges
  • Escalate to Domain Admin

Scanning an Active Directory

Finding Hosts Running Windows clients or Active Directory Servers

What information do I need to collect?

Windows client machines, windows server machines, and respective IPs, how the authentication is managed, public available shares, DNS domain records, usernames, and passwords.

Ping Scan

The ping scan functionality in Nmap is a way to determine which hosts on a network are active and reachable.

nmap -sn -Pn 192.168.10.1

Classic Scan

nmap -sP -sC -sV -oG nmap.output 192.168.10.1 -Pn

Full Scan

nmap -PN -sC -sV -p- -oG nmap.output 192.168.10.1 -Pn

UDP Scan

nmap -sU -sC -sV -oG nmap.output 192.168.10.1

How to Find Domain Control IP?

Ask the network

nslookup -type=SRV _ldap.tcp_.dc._msdcs.domain.test

Verify in your machine:

nmcli dev show tun0

Enumerating Active Directory

Is Port 53 Open?

dig @$DOMAIN -x  $TARGET 

DNS Zone Transfer

dig axfr donain.test @nameserver

How to Find Usernames?

Null Sessions

LDAP

SMB

Kerberos

How to find Passwords?

Password Hashes?

Crack Active Directory Hashes

HashHashcat Command
LMhashcat -m 3000 -a 3 hash.txt
NTLMhashcat -m 1000 -a 3 hash.txt
NetNTLMv1hashcat -m 5500 -a 3 hash.txt
NetNTLMv2hashcat -m 5600 -a 3 hash.txt rockyou.txt
Kerberos 5 TGShashcat -m 13100 -a 3 hash.txt rockyou.txt
Kerberos 5 TGS AES128hashcat -m 19600 -a 0 spn.txt hash.txt rockyou.txt
Kerberos 5 TGS AES256hashcat -m 19700 -a 0 spn.txt hash.txt rockyou.txt
Kerberos ADREPhashcat -m 18200 -a 0 spn.txt hash.txt rockyou.txt
MsCache 2hashcat -m 2100-a 0 mscache-hash.txt hash.txt rockyou.txt
Hash to crack Windows Hashes

Active Directory Penetration Testing

LLMNR/NBT-NS Poisoning

Vulnerabilities Scanning

Discover SMB Vulnerabilities using Nmap

nmap -PN --script smb-vuln* -p139,445 192.168.10.1

ZeroLogon AD Attack

BloodHound

Active Directory Penetration Testing
https://raw.githubusercontent.com/SadProcessor/HandsOnBloodHound/master/BH21/BH4_SharpHound_Cheat.pdf

Oh hi there 👋 It’s nice to meet you.

Sign up to receive awesome content in your inbox, every month.

Read our privacy policy for more info.

PopLAbSec_Logo

Hacking tips!

We don’t spam! Read our privacy policy for more info.