Active Directory Penetration Testing Methodology


Today I am writing about Active Directory penetration testing methodology; this is part of my study for the CRTP certification by Pentester Academy.

Active Directory is a service for managing corporate domains: it handles all types of Microsoft services and objects, applies permissions to them, and keeps accounting centralized.

My goal in this article is to describe how AD works and to identify what should be enumerated on each AD service inside a single Domain Controller.

[Figure: Active Directory diagram]

Microsoft's permissions reference can be checked here: learn.microsoft.com/en-us/azure/active-dire...

Active Directory Port Numbers

Port        Protocol / Service
53/tcp      DNS server
88/tcp      kerberos-sec (Kerberos authentication)
135/tcp     MSRPC
139/tcp     NetBIOS SSN
445/tcp     SMB
389/tcp     LDAP
636/tcp     LDAPS (LDAP over SSL)
3389/tcp    RDP (Remote Desktop; not AD-specific, but common on Windows hosts)

Basic AD Functions

Tools Arsenal

Steps

  • Scan Network

  • Scan Host

  • Detect Public Shares

  • Detect Users

  • Extract Hashes

  • Crack Passwords

  • Escalate Privileges

  • Escalate to Domain Admin

Scanning an Active Directory

Finding hosts running Windows clients or Active Directory servers

What information do I need to collect?

Windows client machines, Windows server machines and their IP addresses; how authentication is managed; publicly available shares; DNS domain records; usernames and passwords.

Ping Scan

The ping scan functionality in Nmap (-sn, no port scan) is a way to determine which hosts on a network are active and reachable. Do not combine it with -Pn: that flag skips host discovery and would simply report every address as up.

nmap -sn 192.168.10.1

Classic Scan

nmap -Pn -sC -sV -oG nmap.output 192.168.10.1

Full Scan

nmap -Pn -sC -sV -p- -oG nmap.output 192.168.10.1

UDP Scan

nmap -sU -sC -sV -oG nmap.output 192.168.10.1
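As an added example (not part of the original post), here is a small Python parser for the grepable -oG output written by the scans above; it applies the port table from earlier to label each host as a likely domain controller, a plain Windows host, or something else. The scan output it reads is a constructed sample, and the hostnames and addresses in it are invented.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `nmap -oG` (grepable) output; not captured from a real network.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 192.168.10.1 (dc01.domain.test)\tStatus: Up\n"
    "Host: 192.168.10.1 (dc01.domain.test)\tPorts: 53/open/tcp//domain//, "
    "88/open/tcp//kerberos-sec//, 135/open/tcp//msrpc//, 139/open/tcp//netbios-ssn//, "
    "389/open/tcp//ldap//, 445/open/tcp//microsoft-ds//, 636/open/tcp//ssl|ldap//, "
    "3389/open/tcp//ms-wbt-server//\tIgnored State: closed (992)\n"
    "Host: 192.168.10.25 (ws07.domain.test)\tPorts: 135/open/tcp//msrpc//, "
    "139/open/tcp//netbios-ssn//, 445/open/tcp//microsoft-ds//, "
    "3389/open/tcp//ms-wbt-server//\tIgnored State: closed (996)\n"
    "Host: 192.168.10.40 ()\tPorts: 22/open/tcp//ssh//, 80/open/tcp//http//\tIgnored State: closed (998)\n"
    "# Nmap done\n"
)

# A -oG host line looks like: Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<ver>/, ...
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")
OPEN_TCP_RE = re.compile(r"(\d+)/open/tcp/")


def parse_gnmap(text: str) -> Dict[str, Set[int]]:
    """Map each scanned IP to its set of open TCP ports."""
    hosts: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and 'Status: Up' lines carry no port data
        ip, _hostname, ports_field = m.groups()
        hosts.setdefault(ip, set()).update(int(p) for p in OPEN_TCP_RE.findall(ports_field))
    return hosts


def classify(open_ports: Set[int]) -> str:
    """Label a host using the AD port table: Kerberos + LDAP together mark a DC."""
    if {88, 389} <= open_ports:
        return "domain controller"
    if open_ports & {139, 445}:  # SMB/NetBIOS without Kerberos: client or member server
        return "windows host"
    return "other"


def find_domain_controllers(text: str) -> List[str]:
    """Return the IPs in a -oG scan that look like domain controllers."""
    return sorted(ip for ip, ports in parse_gnmap(text).items() if classify(ports) == "domain controller")


if __name__ == "__main__":
    for ip, ports in sorted(parse_gnmap(SAMPLE_GNMAP).items()):
        print(f"{ip:15} {classify(ports):18} open tcp: {sorted(ports)}")
```

Any host classified as a domain controller here should also be confirmed against the SRV record lookup in the next section, since a host can expose LDAP and Kerberos without being a DC.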

How to Find the Domain Controller IP?

Ask the network (the domain controllers are published as an SRV record in DNS):

nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.test

Verify on your machine which DNS server the VPN interface is using:

nmcli dev show tun0

Enumerating Active Directory

Is port 53 open? Try a reverse lookup against the domain's DNS server:

dig @$DOMAIN -x $TARGET

DNS Zone Transfer

dig axfr domain.test @nameserver

How to Find Usernames?

  • Null Sessions

  • LDAP

  • SMB

  • Kerberos

How to find Passwords?

Password Hashes?

Crack Active Directory Hashes

Hash                        Hashcat Command
LM                          hashcat -m 3000 -a 3 hash.txt
NTLM                        hashcat -m 1000 -a 3 hash.txt
NetNTLMv1                   hashcat -m 5500 -a 3 hash.txt
NetNTLMv2                   hashcat -m 5600 -a 0 hash.txt rockyou.txt
Kerberos 5 TGS              hashcat -m 13100 -a 0 hash.txt rockyou.txt
Kerberos 5 TGS AES128       hashcat -m 19600 -a 0 hash.txt rockyou.txt
Kerberos 5 TGS AES256       hashcat -m 19700 -a 0 hash.txt rockyou.txt
Kerberos 5 AS-REP           hashcat -m 18200 -a 0 hash.txt rockyou.txt
MsCache 2                   hashcat -m 2100 -a 0 hash.txt rockyou.txt

Hashcat modes to crack Windows hashes. Note the attack modes: -a 3 is mask (brute-force) mode and falls back to hashcat's built-in default mask when none is given; -a 0 is wordlist mode and takes the hash file first, followed by one or more wordlists.

Active Directory Penetration Testing

LLMNR/NBT-NS Poisoning

Vulnerabilities Scanning

Discover SMB Vulnerabilities using Nmap

nmap -Pn --script "smb-vuln*" -p139,445 192.168.10.1

ZeroLogon AD Attack

BloodHound

raw.githubusercontent.com/SadProcessor/Hand..