Pentesting Windows Active Directory


MITRE ATT&CK mapping


nmap -vv -Pn

nmap scan

nmap -sV -vv -Pn

SMB share enumeration

smbclient -L \\\\\\

We now grab all the text files.

smb share enumeration

smbclient -\\\\\\VulnNet-Business-Anonymous


mget *

smb share enumeration

smbclient -\\\\\\VulnNet-Enterprise-Anonymous


mget *

SMB share enumeration

smbmap -H -u guest -p ' '

Because the IPC$ share is readable, we can enumerate valid domain users via impacket's

We can check the files (usernames can be extracted from the text files, but we can also obtain usernames a different way).

users enumeration results

We can enumerate the users' SIDs (because IPC$ is set to READ) using the impacket tool guest@

Performing AS-REP Roasting

If Kerberos pre-authentication is disabled on any of the above accounts, we can use GetNPUsers from impacket to send an authentication request to the KDC, which returns an AS-REP (containing a TGT) whose encrypted part is derived from the user's password.

-dc-ip -usersfile /home/mic/Desktop/roasted/users.txt -no-pass vulnnet-rst.local/


Kerberos pre-authentication is disabled for the user t-skid and we have the hash, so let's crack it using hashcat.

Cracking the KRB5 AS-REP hash using hashcat


hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt

Identified creds:

  • username: t-skid
  • password: tj072889*

Performing Kerberoasting with t-skid’s credentials

Because we have a valid credential, we can perform Kerberoasting to retrieve a KRB5 TGS hash.


Cracking the KRB5 TGS hash using hashcat


Identified creds:

  • username: enterprise-core-vn
  • password: ry=ibfkfv,s6h,

We can log in now via evil-winrm.

evil winrm
net user enumeration
smbmap scan
smb shares enumeration

Creds hardcoded in a Visual Basic script

hardcoded creds
a-whitehat is a domain admin

Performing a DCSync attack to get the Administrator hash (Privilege Escalation)

We can perform a DCSync attack to get the Administrator hash and log in via evil-winrm.

admin access

Vulnerabilities identified

  • SMB Null Session: Null sessions should be disabled, restricted, and monitored.
  • Kerberos pre-authentication should be enabled for all the user accounts.
  • Weak authentication credentials.
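The AS-REP roasting and Kerberoasting steps above both leave a footprint in the domain controller's Security log, and the pre-authentication finding maps to a single userAccountControl bit. As an added example (not code from the original writeup), the following Python flags both techniques over constructed, flattened log records and checks that bit; the key=value record layout, the IP addresses, and the names j-doe and DC01$ are assumptions.

```python
import re

# Constructed sample records (not real telemetry from the lab): one Security-log event per line,
# flattened to key=value fields. 4768 = TGT request, 4769 = service ticket request.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=t-skid PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.50 Status=0x0
EventID=4768 TargetUserName=j-doe PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.7 Status=0x0
EventID=4769 TargetUserName=t-skid@VULNNET-RST.LOCAL ServiceName=enterprise-core-vn TicketEncryptionType=0x17 IpAddress=10.0.0.50 Status=0x0
EventID=4769 TargetUserName=t-skid@VULNNET-RST.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.50 Status=0x0
EventID=4769 TargetUserName=j-doe@VULNNET-RST.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.0.0.7 Status=0x0
"""

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit behind "Do not require Kerberos preauthentication"


def preauth_disabled(user_account_control):
    """True when an AD account is AS-REP roastable (the bit the remediation above says to clear)."""
    return bool(user_account_control & DONT_REQ_PREAUTH)


def parse_event(line):
    """Turn one flattened 'Key=Value Key=Value' record into a dict (assumed export format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def detect_roasting(log_text):
    """Return (technique, account-or-service, source IP) for each suspicious Kerberos event.

    AS-REP roasting: a successful 4768 with PreAuthType 0 means the KDC issued an AS-REP to an
    account that skipped pre-authentication, which is exactly what GetNPUsers requests.
    Kerberoasting: a 4769 for a user-owned SPN with RC4 (0x17) ticket encryption; machine
    accounts ($) and krbtgt are excluded because their keys are not crackable passwords.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        if ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0" and ev.get("Status") == "0x0":
            findings.append(("asrep-roast", ev["TargetUserName"], ev["IpAddress"]))
        elif ev.get("EventID") == "4769" and ev.get("TicketEncryptionType") == "0x17":
            svc = ev.get("ServiceName", "")
            if svc.lower() != "krbtgt" and not svc.endswith("$"):
                findings.append(("kerberoast", svc, ev["IpAddress"]))
    return findings


if __name__ == "__main__":
    for hit in detect_roasting(SAMPLE_EVENTS):
        print(hit)
```

A single RC4 service-ticket request is weak evidence on its own; in production, count distinct SPNs per source within a short window and alert on the burst.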

Finally, you can try something on your own here



Digital Resident
