Trojent


Active Directory Pentest

What is Active Directory?

Active Directory (AD) is a directory service developed by Microsoft that acts as a centralized database for managing a network's users, computers, and security policies. It is the "brain" of a Windows network, allowing IT admins to control who can access which files, applications, and printers from a single location.

AD Importance

Active Directory (AD) is critical because it functions as the centralized "source of truth" for an organization's identity and security infrastructure. Even as organizations shift to the cloud in 2025, AD remains the backbone for managing on-premises resources and serves as the foundation for hybrid cloud environments.

AD Security

Active Directory (AD) must be secured because it contains the "keys to the kingdom." Since it manages virtually every user, device, and permission in a network, a single compromise can lead to a total domain takeover.

AD Hygiene

Identity hygiene in Active Directory refers to the continuous process of auditing, cleaning, and managing user accounts and permissions to minimize an organization's attack surface.

Think of it as digital housekeeping: by removing clutter such as old accounts and excessive permissions, you leave fewer "open doors" for attackers to exploit.
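As an added illustration of that housekeeping (example code, not part of this page or of Trojent's own tooling), a small Python audit over a constructed account export that flags the problems this section describes: enabled accounts with Kerberos pre-authentication switched off, passwords that never expire, and accounts that have not logged on in 90 days. The userAccountControl bit values and the FILETIME epoch are Microsoft's documented ones; the account names and timestamps are made up.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits used below (values as Microsoft documents the attribute)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

def filetime_to_datetime(filetime):
    """AD stores lastLogonTimestamp as 100-ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)

def audit_accounts(accounts, now, stale_days=90):
    """Return {sAMAccountName: [findings]} for enabled accounts that need cleanup."""
    report = {}
    for acct in accounts:
        uac = acct["userAccountControl"]
        if uac & ACCOUNTDISABLE:
            continue  # already disabled, so not part of the reachable attack surface
        findings = []
        if uac & DONT_REQ_PREAUTH:
            findings.append("Kerberos pre-authentication disabled (AS-REP roastable)")
        if uac & DONT_EXPIRE_PASSWORD:
            findings.append("password never expires")
        last = acct["lastLogonTimestamp"]
        if last == 0:
            findings.append("never logged on")
        elif now - filetime_to_datetime(last) > timedelta(days=stale_days):
            findings.append(f"no logon for more than {stale_days} days")
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report

def sample_filetime(days_ago):
    """FILETIME for a logon days_ago days before NOW; used only to build the sample export."""
    return ((NOW - timedelta(days=days_ago) - EPOCH_1601) // timedelta(microseconds=1)) * 10

# Constructed sample export (made-up names, not real directory data)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-legacy", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH, "lastLogonTimestamp": sample_filetime(3)},
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT, "lastLogonTimestamp": sample_filetime(1)},
    {"sAMAccountName": "old-contractor", "userAccountControl": NORMAL_ACCOUNT, "lastLogonTimestamp": sample_filetime(200)},
    {"sAMAccountName": "retired", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE, "lastLogonTimestamp": 0},
]
if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{name}: {'; '.join(findings)}")
```

In a real domain the export would come from an LDAP query of userAccountControl and lastLogonTimestamp; note that lastLogonTimestamp is only replicated every 9 to 14 days, so it is suitable for staleness checks, not for exact last-logon times.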

A black-box demonstration of attacking Active Directory and achieving full domain compromise

In the next section, I will walk you through the full process of attacking Active Directory, starting from a "black-box" position with no prior knowledge, moving to an initial foothold such as a valid user account, and finishing with the most important domain account, "Administrator", which gives us full control over everything.


The Active Directory environment is a machine called "Forest" from the platform "HackTheBox" that I personally finished, and I believe it conveys the idea of weak permissions and their devastating effect on an Active Directory environment, which could happen within any organization.

Attacking Active Directory

1. We start our scan with the very popular tool Nmap. It shows many open ports and services, but only two stand out for now.

2. Port 88 "KERBEROS" and port 389 "LDAP" indicate that we are dealing with an Active Directory environment managed by Kerberos, the authentication protocol used within AD.

Also, port 445 "SMB" is open, which means we can try to query information or even log in as a guest if the service allows it.

3. We query users through the aforementioned "SMB" port, since the service allows guest access -- something very common that is easily overlooked.

4. Next we carry out what is known as an "AS-REP roasting" attack: we ask the domain controller for a ticket for each of the user names we found before.

A Kerberos account option called "No Pre-Authentication Required" exists; if it is enabled for a user, we can send a request and get back a reply containing data encrypted with that user's password hash.

5. Getting the user's hash in the reply allows us to try to crack it offline with tools such as Hashcat and John the Ripper.

If the password is weak, it is likely to be cracked.

6. Having cracked the password for the user "svc-alfresco", we can proceed to log in with that user's account.

We now have a foothold inside the Active Directory environment.

7. Being inside AD allows us to "map" the environment visually using a very robust tool called BloodHound.

It collects the relationships in the domain, visualizes them, and presents them in a very easy-to-read and understandable graph.

8. We can see our user "svc-alfresco" at the far left in green; our goal is to reach the "Administrator" account at the very top. I drew lines to visualize my path.

Simply put, the yellow nodes are groups within the domain that we have to move through or "hop" from. Luckily for us, our user inherits permissions from all the groups shown, so we can shorten our path to the top.

9. The yellow group "Exchange Windows Permissions" holds an entry in an Access Control List (ACL) called "WriteDacl", which means that if you join this group, you can grant yourself any permission you want within Active Directory.

You see where this is going, right?

10. When we first set foot inside the environment and mapped it, our very first group had the "GenericAll" permission over the group we are targeting, "Exchange Windows Permissions".

That means we can add ourselves to that group and therefore inherit its permissions. So we added ourselves, and you can see we are now a part of it.

11. Everything we have done so far, from group hopping to granting permissions, sets the stage for our final attack, which needs the DCSync permission.

A DCSync attack is a powerful technique in which we contact the domain controller as if we were another domain controller replicating with it, and it hands over every user's encrypted password hash.

12. With the newly added DCSync permission, we are able to get or "dump" the encrypted password hashes of all domain users.

Moreover, there is no need to crack these hashes.

We will simply move laterally and vertically within the environment using a "Pass the Hash" attack and authenticate anywhere we want.

13. Using the Administrator hash, we can confirm that we have access to the domain controller as that account, with the highest privileges, indicated by the orange "Pwn3d!" message.

14. Armed with the new permissions, the access, and the Administrator hash, we can proceed to log in as this domain admin account and compromise pretty much everything, since we have total control!

15. Key Takeaways:

- A single overlooked password or account can pave the way to something big that would damage your infrastructure.

- Microsoft Active Directory security is not the best if left unchecked or misconfigured.

- Permissions and Access Control Lists can be daunting and prone to errors, especially when the human element is involved.

- Such an environment needs constant checks and periodical 
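Seen from the defender's side, as an added example that is not part of the original walkthrough, here is one such check in Python: a detector run over constructed Windows Security event records for the two loudest steps in the chain above, the pre-authentication-free ticket request behind step 4 (Event ID 4768 with PreAuthType 0) and the replication rights behind the DCSync in step 12 (Event ID 4662 naming the DS-Replication-Get-Changes control-access GUIDs). Field names follow the event's EventData; the account names and addresses are made up.

```python
import re

# Control-access right GUIDs that a DCSync exercises (from the AD schema). Real domain
# controllers replicate with the same rights, so the account using them is what matters.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def detect(events, domain_controllers):
    """Return (rule, account, detail) alerts from parsed Security-log events.

    events: dicts with 'EventID' (int) plus the event's EventData fields as strings.
    domain_controllers: machine-account names of the real DCs, e.g. {'DC01$'}."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 4768 and ev.get("PreAuthType") == "0":
            # A TGT handed out without pre-authentication: the reply can be attacked
            # offline, which is what the AS-REP roasting step above relies on.
            alerts.append(("asrep_roasting", ev["TargetUserName"],
                           f"from {ev['IpAddress']}, etype {ev['TicketEncryptionType']}"))
        elif ev["EventID"] == 4662:
            used = set(GUID_RE.findall(ev.get("Properties", "").lower())) & REPLICATION_GUIDS
            if used and ev["SubjectUserName"] not in domain_controllers:
                # Replication rights used by something that is not a known DC.
                alerts.append(("dcsync", ev["SubjectUserName"], "rights " + ", ".join(sorted(used))))
    return alerts

# Constructed sample records (made-up names and addresses, not captured from a real domain)
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"EventID": 4768, "TargetUserName": "svc-legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc-legacy",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]
KNOWN_DCS = {"DC01$", "DC02$"}

if __name__ == "__main__":
    for rule, account, detail in detect(SAMPLE_EVENTS, KNOWN_DCS):
        print(rule, account, detail)
```

Event 4662 is only generated when an auditing SACL for directory-service access is in place on the domain object, so confirm that audit policy before relying on the second rule. Accounts that legitimately replicate, such as the directory-synchronization service account used in hybrid setups, belong in the allow-list alongside the domain controllers or they will show up as alerts.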


Copyright © 2026 Trojent - All Rights Reserved.

