Pentesting Windows Active Directory
MITRE ATT&CK Mapping
nmap 10.10.43.224 -vv -Pn
nmap -sV 10.10.43.224 -vv -Pn
SMB share enumeration
smbclient -L \\\\10.10.84.141\\
We now grab all the text files
smbmap -H 10.10.84.141 -u guest -p ' '
Because the IPC$ share is readable, we can enumerate valid domain users via impacket's
We can check the files (usernames can be extracted from the text files, but they can also be obtained in a different way).
We can enumerate the users' SIDs (because IPC$ is set to READ) using the impacket tool
The adversary is trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that…
Performing AS-REP Roasting
If Kerberos pre-authentication is disabled on any of the above accounts, we can use impacket's GetNPUsers to send an authentication request to the KDC without a password; the KDC answers with a TGT response whose encrypted part is derived from the user's password, which can then be cracked offline.
Steal or Forge Kerberos Tickets: AS-REP Roasting
Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by Password Cracking…
GetNPUsers.py -dc-ip 10.10.208.82 -usersfile /home/mic/Desktop/roasted/users.txt -no-pass vulnnet-rst.local/
Kerberos pre-authentication is disabled for the user t-skid, and we have the hash, so let's crack it using hashcat.
Cracking the KRB5 AS-REP hash using hashcat
hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt
- username: t-skid
- password: tj072889*
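Two defender-side checks for the AS-REP roasting step above, as an added example that is not part of the original writeup: an audit of which accounts have the "Do not require Kerberos preauthentication" flag set (userAccountControl bit 0x400000, the same property GetNPUsers looks for), and a detector over Security event 4768 records that flags TGT requests made without pre-authentication (PreAuthType 0) using RC4 (TicketEncryptionType 0x17), which is what a roastable hash looks like in the log. The account list and event records are constructed for the example.

```python
"""Audit AS-REP roasting exposure and detect it in Security event 4768.
Added example with constructed data; field names follow the Windows
Security event 4768 schema (TargetUserName, PreAuthType,
TicketEncryptionType, IpAddress)."""
from typing import Dict, List

# userAccountControl bit: "Do not require Kerberos preauthentication"
DONT_REQ_PREAUTH = 0x400000
# TicketEncryptionType for RC4-HMAC; the etype behind crackable $krb5asrep$23$ hashes
RC4_HMAC = "0x17"


def accounts_without_preauth(accounts: List[Dict[str, object]]) -> List[str]:
    """Return sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set.
    This is the defender's version of the attacker's user list: any account
    here hands out an offline-crackable blob to anyone who knows its name."""
    return [str(a["sAMAccountName"]) for a in accounts
            if int(a["userAccountControl"]) & DONT_REQ_PREAUTH]


def asrep_roasting_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag 4768 (TGT requested) events where no pre-authentication was done
    (PreAuthType 0) and the reply used RC4. A normal client performs pre-auth
    and negotiates AES, so this combination is rare outside roasting."""
    hits = []
    for e in events:
        if e.get("EventID") != "4768":
            continue
        if e.get("PreAuthType") == "0" and \
                e.get("TicketEncryptionType", "").lower() == RC4_HMAC:
            hits.append(e)
    return hits


# Constructed sample data (hypothetical accounts, not from the original page).
# 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "t-skid", "userAccountControl": 0x10200 | DONT_REQ_PREAUTH},
    {"sAMAccountName": "j-doe", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x10200},
]
SAMPLE_EVENTS = [
    # ordinary logon: pre-auth done (PA-ENC-TIMESTAMP = 2), AES256 (0x12)
    {"EventID": "4768", "TargetUserName": "j-doe", "IpAddress": "10.0.0.5",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # roasting signature: no pre-auth, RC4 reply
    {"EventID": "4768", "TargetUserName": "t-skid", "IpAddress": "10.0.0.99",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # unrelated service-ticket event, ignored by the 4768 filter
    {"EventID": "4769", "TargetUserName": "j-doe", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12"},
]

if __name__ == "__main__":
    print("Accounts exposed to AS-REP roasting:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    for hit in asrep_roasting_events(SAMPLE_EVENTS):
        print(f"ALERT AS-REP roasting: {hit['TargetUserName']} from {hit['IpAddress']}")
```

In a real deployment the account list comes from an LDAP query on userAccountControl and the events from the domain controllers' Security logs; the detector is a good candidate for a SIEM rule because a PreAuthType of 0 with RC4 is rare for legitimate clients on a current domain.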
Performing Kerberoasting with t-skid’s credentials
Steal or Forge Kerberos Tickets: Kerberoasting
Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a…
Because we have a valid credential, we can perform Kerberoasting to retrieve a KRB5 TGS hash.
Cracking the KRB5 TGS hash using hashcat
- password: ry=ibfkfv,s6h,
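A detection for the Kerberoasting step above, as an added example that is not part of the original writeup: it scans Security event 4769 (service ticket requested) records and reports any account that requested RC4-encrypted (0x17) service tickets for several distinct service accounts within a short window, which is the pattern a tool that roasts every SPN-bearing account at once leaves behind. krbtgt and machine accounts (names ending in `$`) are excluded because their tickets are routine and their keys are random. The threshold, window and all sample events are constructed assumptions.

```python
"""Detect Kerberoasting from Windows Security event 4769 records.
Added example with constructed events; field names follow the 4769 schema
(TargetUserName = requesting account, ServiceName = account the ticket is
for, TicketEncryptionType, Status). 'Time' is an ISO-8601 timestamp."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = "0x17"  # etype behind crackable $krb5tgs$23$ hashes


def kerberoast_suspects(events: List[Dict[str, str]],
                        window_minutes: int = 5,
                        min_services: int = 3) -> Dict[str, List[str]]:
    """Return {requesting account: sorted service names} for accounts that
    obtained RC4 service tickets for at least min_services distinct service
    accounts inside any window_minutes window."""
    per_user = defaultdict(list)  # user -> [(time, service account)]
    for e in events:
        if e.get("EventID") != "4769":
            continue
        if e.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        if e.get("Status", "0x0") != "0x0":  # only successful requests
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue  # TGT renewals and machine accounts are not roastable
        per_user[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["Time"]), svc))

    window = timedelta(minutes=window_minutes)
    suspects: Dict[str, List[str]] = {}
    for user, reqs in per_user.items():
        reqs.sort()
        # slide a window starting at each request and count distinct services
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                suspects[user] = sorted(services)
                break
    return suspects


# Constructed sample events (hypothetical accounts and realm).
def _ev(time: str, user: str, svc: str, etype: str) -> Dict[str, str]:
    return {"EventID": "4769", "Time": time, "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype, "Status": "0x0"}


SAMPLE_EVENTS = [
    _ev("2024-01-01T09:00:00", "j-doe@EXAMPLE.LOCAL", "DC01$", "0x12"),
    _ev("2024-01-01T09:00:05", "t-skid@EXAMPLE.LOCAL", "krbtgt", "0x17"),
    # one account pulling RC4 tickets for three service accounts in 3 seconds
    _ev("2024-01-01T09:00:06", "t-skid@EXAMPLE.LOCAL", "svc-sql", "0x17"),
    _ev("2024-01-01T09:00:07", "t-skid@EXAMPLE.LOCAL", "svc-web", "0x17"),
    _ev("2024-01-01T09:00:08", "t-skid@EXAMPLE.LOCAL", "svc-backup", "0x17"),
    # legitimate-looking use: two RC4 tickets, far apart
    _ev("2024-01-01T10:30:00", "j-doe@EXAMPLE.LOCAL", "svc-web", "0x17"),
    _ev("2024-01-01T11:00:00", "j-doe@EXAMPLE.LOCAL", "svc-sql", "0x17"),
]

if __name__ == "__main__":
    for user, services in kerberoast_suspects(SAMPLE_EVENTS).items():
        print(f"ALERT possible Kerberoasting by {user}: {', '.join(services)}")
```

The RC4 filter is the strongest signal: a domain whose service accounts support AES will only issue RC4 tickets when the requester asks for them, which is exactly what roasting tools do to get a hash that a wordlist can crack. Rotating service-account passwords to long random values and enabling AES on them removes most of the value of a captured TGS hash.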
We can log in now via evil-winrm.
Credentials hardcoded in a Visual Basic script
Performing a DC Sync attack to get the Administrator hash (Privilege Escalation)
OS Credential Dumping: DCSync
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's…
We can perform a DCSync attack to get the Administrator hash and log in via evil-winrm.
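A detection for the DCSync step above, as an added example that is not part of the original writeup. A DCSync asks the domain controller to replicate directory secrets, and with object-access auditing enabled the DC records this as Security event 4662 with AccessMask 0x100 (Control Access) and the replication control-access right GUIDs in the Properties field. Only domain controllers (and any explicitly sanctioned sync service) should ever exercise these rights, so any other principal triggering them is an alert. The allow-list of DC accounts and all sample events are constructed assumptions.

```python
"""Detect DCSync from Windows Security event 4662 records.
Added example with constructed events; field names follow the 4662 schema
(SubjectUserName, ObjectName, AccessMask, Properties)."""
from typing import Dict, Iterable, List, Set

# Control access rights needed to pull secrets via directory replication.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"  # AccessMask value for control-access rights


def dcsync_alerts(events: Iterable[Dict[str, str]],
                  dc_accounts: Set[str]) -> List[Dict[str, str]]:
    """Return one alert per 4662 event in which a principal outside
    dc_accounts exercised a replication right on a directory object."""
    allowed = {a.upper() for a in dc_accounts}
    alerts = []
    for e in events:
        if e.get("EventID") != "4662" or e.get("AccessMask") != CONTROL_ACCESS:
            continue
        props = e.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_GUIDS.items() if guid in props]
        if not rights:
            continue  # control access on something unrelated to replication
        subject = e["SubjectUserName"]
        if subject.upper() in allowed:
            continue  # a domain controller replicating is normal
        alerts.append({"user": subject,
                       "object": e.get("ObjectName", ""),
                       "rights": ", ".join(sorted(rights))})
    return alerts


# Constructed sample events (hypothetical accounts and domain).
REPL_PROPS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    # normal DC-to-DC replication
    {"EventID": "4662", "SubjectUserName": "DC02$", "ObjectName": "DC=example,DC=local",
     "AccessMask": "0x100", "Properties": REPL_PROPS},
    # a user account pulling replication data: DCSync signature
    {"EventID": "4662", "SubjectUserName": "svc-backup", "ObjectName": "DC=example,DC=local",
     "AccessMask": "0x100", "Properties": REPL_PROPS},
    # unrelated object access with a non-replication property GUID
    {"EventID": "4662", "SubjectUserName": "j-doe",
     "ObjectName": "CN=j-doe,CN=Users,DC=example,DC=local",
     "AccessMask": "0x20", "Properties": "{00000000-0000-0000-0000-000000000000}"},
]
DC_ACCOUNTS = {"DC01$", "DC02$"}

if __name__ == "__main__":
    for a in dcsync_alerts(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"ALERT DCSync-style replication by {a['user']} on {a['object']} ({a['rights']})")
```

Generating 4662 for the domain naming context requires a SACL auditing "Replicating Directory Changes" on the domain head, and the allow-list should be kept to real DC computer accounts plus known replicators such as Azure AD Connect, since granting those rights to anything else is what makes DCSync possible in the first place.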
- SMB Null Session: Null sessions should be disabled, restricted, and monitored.
- Kerberos pre-authentication should be enabled for all the user accounts.
- Weak authentication credentials: both passwords were recovered from a wordlist, so a stronger password policy is needed.
Finally, you can try something on your own here