Windows Active directory

internal pentesting “all the things” notes

Tools

Attack Vectors

• LLMNR POISONING
  • This is a quick view
  • Attack tool “Responder”
• SMB Relay Attacks
  • This guide is a little bit better than the other one
• Pass the hash
• Password attacks & Cracking
• IPv6 AD Attack (mitm)
• Passback attacks
• Attacking LSASS
• others that i didn’t take notes yet

Quick notes

Initial internal pentest attack strategy

1. mitm6 or responder
2. run scans to generate traffic
3. if scans are taking too long, look for websites in scope (http_version)
4. Look for default credentials on web logins
   • Printers
   • Jenkins
   • Etc
5. enumerate all

Enumerations commands

• net user /domain
• net user $USER /domain
• net group /domain

Post-Compromise AD enumeration

• Bloudhound
  • sudo bloodhound-python -d DOMAIN.local -u $USERNAME -p $PASSWORD -ns $IP -c all
• Plumhound
• Ldapdomaindump
  • sudo ldapdomaindump ldaps://$IP -u 'DOMAIN\username' -p $PASSWORD
  • Caso hipotetico de uso: LLMNR => conseguimos un hash => lo crackeamos => probamos la contraseña en otras maquinas => encontramos nuevo login => secrets dump those logins => local admin hashes => re-spray network with local accs
• PingCastle
• etc
• Trevor Spray tool
• SeatBelt Tool

Post compromise attacks

Now we own the domain what’s next?

• Provide as much value to the client as possible
  • Put your blinders on and do it again
  • Dump the NTDS.dit and crack passwords
  • Enumarate shares for sensitive information
• Persistence can be important
  • What happens if our DA access is lost?
  • Creating a DA account can be useful (remember we have to delete it)
  • creating a golden ticket can be useful too

NTDS.dit

• What is it?
  • A DB used to store AD data.
    • User info.
    • Group info.
    • Security descriptors
    • Password hashes
• Golden Ticket attack
  • When we compromise the krbtgt (kerberos target) account, we own the domain
  • We can request access to any resource or system on the domain
  • Golden tickets = complete access to every machine

Lateral movement notes

• Tools:
  • Psexec => internal tool
  • WinRM

Persistence

• Persistence Scripts
  • run persistence -h
  • exploit/windows/local/persistence
  • exploit/windows/local/registry_persistence
• Scheduled Tasks
  • run scheduleme
  • run schtaskabuse
• Add a user
  • net user hacker password123 /add