Today I am writing about Active Directory penetration Testing methodology, this is part of my study for CRTP by Pentester Academy.
Active Directory is a service to manage corporate domains it can handle all types of Microsoft services and objects applying for permissions while handling all accounting centralized.
My goal in this article is to describe how AD works and identify what should be enumerated on each AD service inside a single Domain Controller.
Microsoft Permissions can be checked here: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
Table of Contents
Active Directory Port Numbers
| Port | Protocol | Description |
|---|---|---|
| 53/TCP | DNS Server | |
| 88/TCP | kerberos-sec | |
| 135/tcp | MSRPC | |
| 139/tcp | NetBIOS SSN | |
| 389/tcp | LDAP | |
| 445/tcp | Samba | |
| 636/tcp | LDAP SSL | |
| 3389/tcp | ||
Basic AD Functions
Tools Arsenal
- Nmap
- CrackMapExec
- Enum4Linux
- Covenant
- Impacket
- BloodHound
- EvilWinRM
- Empire
- Deathstar
- Rubeus
- Certutil.exe
- Cobalt Strike
Steps
- Scan Network
- Scan Host
- Detect Public Shares
- Detect Users
- Extract Hashes
- Crack Passwords
- Escalate Privileges
- Escalate to Domain Admin
Scanning an Active Directory
Finding Hosts Running Windows clients or Active Directory Servers
What information do I need to collect?
Windows client machines, windows server machines, and respective IPs, how the authentication is managed, public available shares, DNS domain records, usernames, and passwords.
Ping Scan
The ping scan functionality in Nmap is a way to determine which hosts on a network are active and reachable.
nmap -sn -Pn 192.168.10.1Classic Scan
nmap -sP -sC -sV -oG nmap.output 192.168.10.1 -PnFull Scan
nmap -PN -sC -sV -p- -oG nmap.output 192.168.10.1 -PnUDP Scan
nmap -sU -sC -sV -oG nmap.output 192.168.10.1How to Find Domain Control IP?
Ask the network
nslookup -type=SRV _ldap.tcp_.dc._msdcs.domain.testVerify in your machine:
nmcli dev show tun0Enumerating Active Directory
Is Port 53 Open?
dig @$DOMAIN -x $TARGET DNS Zone Transfer
dig axfr donain.test @nameserverHow to Find Usernames?
Null Sessions
LDAP
SMB
Kerberos
How to find Passwords?
Password Hashes?
Crack Active Directory Hashes
| Hash | Hashcat Command |
| LM | hashcat -m 3000 -a 3 hash.txt |
| NTLM | hashcat -m 1000 -a 3 hash.txt |
| NetNTLMv1 | hashcat -m 5500 -a 3 hash.txt |
| NetNTLMv2 | hashcat -m 5600 -a 3 hash.txt rockyou.txt |
| Kerberos 5 TGS | hashcat -m 13100 -a 3 hash.txt rockyou.txt |
| Kerberos 5 TGS AES128 | hashcat -m 19600 -a 0 spn.txt hash.txt rockyou.txt |
| Kerberos 5 TGS AES256 | hashcat -m 19700 -a 0 spn.txt hash.txt rockyou.txt |
| Kerberos ADREP | hashcat -m 18200 -a 0 spn.txt hash.txt rockyou.txt |
| MsCache 2 | hashcat -m 2100-a 0 mscache-hash.txt hash.txt rockyou.txt |
Active Directory Penetration Testing
- Zerologon
- Petitepotam
- Poisoning
- Replay Attacks
- MiTM
LLMNR/NBT-NS Poisoning
Vulnerabilities Scanning
Discover SMB Vulnerabilities using Nmap
nmap -PN --script smb-vuln* -p139,445 192.168.10.1ZeroLogon AD Attack
BloodHound
