Active Directory Pentesting Methodology

Active Directory pentesting is the proactive evaluation of an organization's AD environment to identify and mitigate security vulnerabilities, including weak passwords and misconfigurations, before attackers can exploit them.


Insha

Active Directory pentesting involves testing the security of an organization's Active Directory environment to find weaknesses. Security professionals explore potential vulnerabilities like weak passwords, misconfigured permissions, and unauthorized access points. The goal is to identify and fix these security gaps before attackers exploit them.

This blog walks through Active Directory pentesting techniques with a step-by-step methodology for identifying and mitigating network vulnerabilities effectively.

What is Active Directory Pentesting?

Active Directory pentesting is the proactive assessment of Active Directory (AD) environments to uncover vulnerabilities and security flaws. This process involves simulating real-world attack scenarios to identify weaknesses that malicious individuals could exploit.

Pentesters employ various tools and techniques to enumerate AD objects, identify misconfigurations, and exploit vulnerabilities such as weak passwords, insecure group policies, or inadequate access controls.

Why Is Pentesting Active Directory Crucial?

Pen testing Active Directory (AD) is crucial because AD is often the central point of authentication and authorization within an organization's network.

Since AD manages access to critical resources, including servers, applications, and sensitive data, it becomes a prime target for attackers seeking to escalate privileges or move laterally across the network.

By actively testing the security of AD, organizations can identify potential vulnerabilities and misconfigurations that may allow unauthorized access or privilege escalation.

Testing helps uncover weak passwords, inadequate access controls, and improperly configured permissions, which attackers can exploit to gain control over user accounts, including those with administrative rights.

Pen testing also highlights potential paths for lateral movement, enabling organizations to address gaps that might allow attackers to compromise other parts of the network. Moreover, assessing AD's security ensures that organizations identify and mitigate common attack techniques, such as Pass-the-Hash, Kerberoasting, and Golden Ticket attacks.

By proactively testing Active Directory, organizations strengthen their defense against cyberattacks, ensuring the secure management of user accounts and access within the network.

Types of Attacks on Active Directory

Active Directory (AD) faces various types of attacks, each targeting different vulnerabilities to compromise the system’s security. Here are some common attack types on AD:

1. Pass-the-Hash (PtH) Attacks

Attackers exploit stolen password hashes to authenticate as users without needing their plaintext password. By obtaining and passing these hashes, they can gain access to privileged accounts, move laterally across the network, and compromise other systems within the domain.

2. Kerberoasting

Attackers request service tickets for accounts that have a Service Principal Name (SPN). Because these tickets are encrypted with the target account's password, attackers can crack them offline to obtain the plaintext password. This attack targets service accounts, which often have elevated privileges and weak password policies.

3. Golden Ticket Attacks

By compromising the KRBTGT account (the Kerberos service account in AD), attackers create Golden Tickets. These forged Kerberos tickets provide unrestricted access to the domain, allowing attackers to impersonate any user, including domain administrators, and maintain persistent control over the network.

4. DCShadow Attacks

Attackers register a rogue domain controller within the AD environment, which allows them to inject or manipulate directory data, such as adding backdoor accounts or modifying security settings. This attack exploits the AD replication process to spread malicious changes throughout the domain.

5. DCSync Attacks

Attackers use tools like Mimikatz to impersonate a domain controller and extract credentials from AD without directly accessing the domain controller. By performing a DCSync attack, they can retrieve password hashes for any account, including domain admins, which they can then use for further attacks.

6. NTLM Relay Attacks

Attackers exploit the NTLM authentication protocol by intercepting and relaying NTLM authentication attempts to another system. This allows them to gain unauthorized access or execute malicious actions without needing valid credentials, taking advantage of systems that accept NTLM authentication.

Active Directory Methodology

Active Directory pentesting follows a structured methodology to systematically identify and exploit vulnerabilities within an organization's network infrastructure.

Reconnaissance

Reconnaissance is the first phase that focuses on identifying weaknesses in a target network's defenses. This includes finding outdated software, misconfigured services, or unpatched systems. The primary goal is to gather enough information to plan an effective attack strategy based on the network's layout and infrastructure, increasing the chances of successful penetration. By conducting thorough reconnaissance, security teams can also minimize risks by avoiding unexpected obstacles, reducing the likelihood of detection or failure in later stages.

During reconnaissance, security teams use various tools to gather information about the network. For example, tools like nmap are used to identify the target's network range, while DNS records can be enumerated with commands like nslookup or dig to discover domain names and subdomains. Additional information about the network infrastructure, such as IP addresses, open ports, and running services, is gathered to understand the network better.

An essential command used is:

nmap -sT -Pn -n --open <target_ip>

The command nmap -sT -Pn -n --open <target_ip> uses several flags to perform an efficient scan of a target IP. The -sT flag initiates a TCP connect scan, fully establishing a TCP connection to identify open ports.

The -Pn flag bypasses the host discovery step, assuming the host is up even if it doesn't respond to ping requests. By using -n, DNS resolution is disabled, speeding up the scan by not attempting to map IP addresses to hostnames. Finally, the --open flag filters the output to display only open ports, hiding closed or filtered ones, which helps testers focus on active services available on the target host.

For instance, running this command on 192.168.73.20 could produce output like:

[screenshot in the original post: nmap output for 192.168.73.20]

After running the command successfully, it reveals open ports and their corresponding services, which are critical for identifying potential vulnerabilities in the network.

Analyzing Ports

Analyzing open ports is crucial for discovering entry points into a target network. Each open port represents a potential vulnerability, and by understanding which services are exposed, security teams can focus on exploiting the weaknesses of those services. The process also allows them to assess the network's overall security posture and identify potential weak spots that may be targeted.

After scanning for open ports, the next step is to analyze the services running on those ports and understand their potential vulnerabilities. Security teams use commands like:

nmap -sT -Pn -n --open 192.168.73.20 -sV -p53

This command runs service version detection (-sV) against the specified ports (here only port 53), providing deeper insight into the types of applications running and their versions. Another useful command is:

netstat -an

netstat -an is used to check listening ports on a local system, which helps to understand which ports are open and what services can be accessed. This analysis helps prioritize which targets to focus on based on their vulnerabilities and potential exploitability.
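As an added example (not code from the original post), a small parser for nmap's normal output that classifies the open ports from the scan and port-analysis steps above by their Active Directory role, so a reviewer can tell a likely domain controller apart from an ordinary member server. The scan text is constructed for this example; the port-to-role mapping uses the standard AD service ports.

```python
import re
from typing import Dict

# Constructed nmap normal-output excerpt for this example (not the post's screenshot).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.73.20
Host is up (0.00042s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
"""

# Ports characteristic of a domain controller, with the role each one plays.
DC_PORT_ROLES = {
    53: "DNS (AD-integrated zones)",
    88: "Kerberos KDC",
    389: "LDAP",
    464: "Kerberos password change",
    636: "LDAPS",
    3268: "Global Catalog LDAP",
    3269: "Global Catalog LDAPS",
}

# Exposed services that map to the attack classes discussed in this post.
RISK_NOTES = {
    445: "SMB: null sessions, password spraying, NTLM relay",
    389: "LDAP: cleartext binds unless signing and channel binding are enforced",
    3389: "RDP: exposed interactive logon surface",
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_open_ports(nmap_text: str) -> Dict[int, str]:
    """Return {port: service} for every port nmap reports as open."""
    return {int(m.group(1)): m.group(4)
            for m in PORT_LINE.finditer(nmap_text) if m.group(3) == "open"}


def assess_host(nmap_text: str) -> dict:
    """Summarise what the open ports say about the host's AD role and exposure."""
    open_ports = parse_open_ports(nmap_text)
    dc_hits = sorted(p for p in open_ports if p in DC_PORT_ROLES)
    # Kerberos plus LDAP on the same host is the strongest signal of a DC;
    # the Global Catalog ports confirm it.
    likely_dc = 88 in open_ports and (389 in open_ports or 636 in open_ports)
    return {
        "open_ports": open_ports,
        "dc_indicators": {p: DC_PORT_ROLES[p] for p in dc_hits},
        "likely_domain_controller": likely_dc,
        "global_catalog": 3268 in open_ports or 3269 in open_ports,
        "risk_notes": {p: RISK_NOTES[p] for p in sorted(open_ports) if p in RISK_NOTES},
    }


if __name__ == "__main__":
    for key, value in assess_host(SAMPLE_NMAP_OUTPUT).items():
        print(f"{key}: {value}")
```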

LDAP Enumeration

LDAP (Lightweight Directory Access Protocol) enumeration focuses on gathering detailed information about LDAP services to identify vulnerabilities or misconfigurations that can be exploited. When the ldap service is found on a port (e.g., 3268/tcp), it usually indicates that the system is a domain controller within a network. Consider the following command:

[screenshot in the original post: nmap output showing ldap open on 3268/tcp]

This finding reveals that ldap is open and that the system runs Microsoft Windows Active Directory. Tools like Nmap can extract more information about the domain. For instance, the following command enumerates key details:

nmap -sT -Pn -n --open 192.168.73.20 -p389 --script

An example of the response might appear as:

[screenshot in the original post: example LDAP script response]

The response provides comprehensive information, such as subschemaSubentry, naming contexts, and supported LDAP policies. It also reveals key details about domain controllers, directory configurations, and schema attributes, which are crucial for further enumeration and exploitation.

Another tool for LDAP enumeration is:

ldapsearch -x -h

The ldapsearch command queries LDAP services for directory information, helping to uncover details about users, groups, and other domain entities, which can be critical for mapping the network and finding potential security gaps.

SMB Enumeration

SMB enumeration involves identifying file and printer shares on a target network, which can reveal sensitive information or potential entry points into systems. By enumerating these SMB shares, security teams may find misconfigurations or security gaps that can be exploited for unauthorized access or privilege escalation. This enumeration process provides valuable insights into the network layout, helping to understand relationships between systems and potential targets for further attacks.

To perform SMB enumeration, tools like Nmap or SMBMap are commonly used. Running scans and analyzing their outputs can reveal open shares, user details, and possible vulnerabilities.

For example, the following command enumerates SMB shares and users:

nmap -p445 --script

This Nmap command targets port 445 and uses scripts to uncover available SMB shares and their associated users, providing a starting point for further exploration and exploitation.

Enumerate Users

User enumeration can be performed using the Metasploit module scanner/smb/smb_lookupsid. This module scans the SMB service on a target to extract information about user accounts and group memberships. Here is the output from running the module against 192.168.73.20:

msf5 auxiliary(scanner/smb/smb_lookupsid) > run 

[*] 192.168.73.20:445 - PIPE(LSARPC) LOCAL(ICHILD1 - 5-21-3578234567-448745970-1525302398) DOMAIN(ICHILD1 - 5-21-3578234567-448745970-1525302398)
[*] 192.168.73.20:445 - USER=Administrator RID=500 
[*] 192.168.73.20:445 - USER=Guest RID=501 
[*] 192.168.73.20:445 - USER=krbtgt RID=502 
[*] 192.168.73.20:445 - USER=DefaultAccount RID=503 
[*] 192.168.73.20:445 - GROUP=Domain Admins RID=512 
[*] 192.168.73.20:445 - GROUP=Domain Users RID=513 
[*] 192.168.73.20:445 - GROUP=Domain Guests RID=514 
[*] 192.168.73.20:445 - GROUP=Domain Computers RID=515 
[*] 192.168.73.20:445 - GROUP=Domain Controllers RID=516 
[*] 192.168.73.20:445 - TYPE=4 NAME=Cert Publishers rid=517 
[*] 192.168.73.20:445 - GROUP=Group Policy Creator Owners RID=520 
[*] 192.168.73.20:445 - GROUP=Read-only Domain Controllers RID=521 
[*] 192.168.73.20:445 - GROUP=Cloneable Domain Controllers RID=522 
[*] 192.168.73.20:445 - GROUP=Protected Users RID=525 
[*] 192.168.73.20:445 - GROUP=Key Admins RID=526 
[*] 192.168.73.20:445 - TYPE=4 NAME=RAS and IAS Servers rid=553 
[*] 192.168.73.20:445 - TYPE=4 NAME=Allowed RODC Password Replication Group rid=571 
[*] 192.168.73.20:445 - TYPE=4 NAME=Denied RODC Password Replication Group rid=572 
[*] 192.168.73.20:445 - USER=IC1DC1$ RID=1000 
[*] 192.168.73.20:445 - TYPE=4 NAME=DnsAdmins rid=1101 
[*] 192.168.73.20:445 - GROUP=DnsUpdateProxy RID=1102 
[*] 192.168.73.20:445 - USER=INTERNAL$ RID=1103 
[*] 192.168.73.20:445 - USER=child.user RID=1104 
[*] 192.168.73.20:445 - USER=child.admin RID=1105 
[*] 192.168.73.20:445 - USER=client1testspn$ RID=1106 
[*] 192.168.73.20:445 - USER=child.local RID=1107 
[*] 192.168.73.20:445 - USER=ChildTestSPN$ RID=1109 
[*] 192.168.73.20:445 - USER=WIN10TEST$ RID=1110 
[*] 192.168.73.20:445 - ICHILD1 [Administrator, Guest, krbtgt, DefaultAccount, IC1DC1$, INTERNAL$, child.user, child.admin, client1testspn$, child.local, ChildTestSPN$, WIN10TEST$ ]
[*] 192.168.73.20: - Scanned 1 of 1

The output reveals a variety of users and groups within the domain ICHILD1. Each user is associated with a RID (Relative Identifier), which uniquely identifies them in the domain. Standard accounts like Administrator, Guest, and krbtgt are listed, as well as machine accounts indicated by a $ at the end (e.g., IC1DC1$).

The module also identifies groups such as Domain Admins, Domain Users, Domain Controllers, and other special groups like Key Admins and Protected Users. Some entries, like Cert Publishers, have a TYPE=4, indicating they are non-user entities, such as service accounts or groups with specific roles.

In the end, all discovered usernames are summarized in a list, showing the overall user landscape within the target domain. This enumeration can help pinpoint high-value accounts or identify targets for further attacks.
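As an added example (not code from the original post), a parser for the smb_lookupsid output above that separates users, machine accounts and groups and flags the well-known RIDs a defender should review first. The sample input reuses lines from the module output above; the WELL_KNOWN_RIDS table uses Microsoft's documented values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample taken from the smb_lookupsid output shown in this post.
LOOKUPSID_OUTPUT = """\
[*] 192.168.73.20:445 - PIPE(LSARPC) LOCAL(ICHILD1 - 5-21-3578234567-448745970-1525302398) DOMAIN(ICHILD1 - 5-21-3578234567-448745970-1525302398)
[*] 192.168.73.20:445 - USER=Administrator RID=500
[*] 192.168.73.20:445 - USER=Guest RID=501
[*] 192.168.73.20:445 - USER=krbtgt RID=502
[*] 192.168.73.20:445 - USER=DefaultAccount RID=503
[*] 192.168.73.20:445 - GROUP=Domain Admins RID=512
[*] 192.168.73.20:445 - GROUP=Domain Users RID=513
[*] 192.168.73.20:445 - GROUP=Domain Controllers RID=516
[*] 192.168.73.20:445 - TYPE=4 NAME=Cert Publishers rid=517
[*] 192.168.73.20:445 - GROUP=Protected Users RID=525
[*] 192.168.73.20:445 - USER=IC1DC1$ RID=1000
[*] 192.168.73.20:445 - TYPE=4 NAME=DnsAdmins rid=1101
[*] 192.168.73.20:445 - USER=child.user RID=1104
[*] 192.168.73.20:445 - USER=child.admin RID=1105
[*] 192.168.73.20:445 - USER=WIN10TEST$ RID=1110
"""

# Well-known RIDs that deserve attention during review (Microsoft-documented values).
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    502: "krbtgt (key material for Golden Tickets)",
    512: "Domain Admins",
    516: "Domain Controllers",
    519: "Enterprise Admins",
}

# Matches both "USER=x RID=n" / "GROUP=x RID=n" and the "TYPE=t NAME=x rid=n" form.
ENTRY = re.compile(
    r"-\s+(?:(USER|GROUP)=(.+?)\s+RID=(\d+)|TYPE=(\d+)\s+NAME=(.+?)\s+rid=(\d+))\s*$")


@dataclass
class SidEntry:
    name: str
    rid: int
    kind: str  # "user", "group", "machine", or "type-N" for untyped entries

    @property
    def high_value(self) -> bool:
        return self.rid in WELL_KNOWN_RIDS


def parse_lookupsid(text: str) -> List[SidEntry]:
    entries: List[SidEntry] = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # banner / PIPE line
        if m.group(1):
            kind, name, rid = m.group(1).lower(), m.group(2), int(m.group(3))
            if kind == "user" and name.endswith("$"):
                kind = "machine"  # computer accounts end in '$'
        else:
            kind, name, rid = f"type-{m.group(4)}", m.group(5), int(m.group(6))
        entries.append(SidEntry(name, rid, kind))
    return entries


def summarize(entries: List[SidEntry]) -> dict:
    by_kind: Dict[str, List[str]] = {}
    for e in entries:
        by_kind.setdefault(e.kind, []).append(e.name)
    return {
        "by_kind": by_kind,
        "high_value": {e.name: WELL_KNOWN_RIDS[e.rid] for e in entries if e.high_value},
        # Ordinary user accounts (RID >= 1000, not machines) are the usual spraying
        # targets, so their password policy is what a defender should verify first.
        "human_users": [e.name for e in entries if e.kind == "user" and e.rid >= 1000],
    }
```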

Null Authentication

Null authentication is an attempt to access network resources without providing credentials, such as a username or password. In the context of Active Directory pentesting, establishing a null session allows security teams to gather sensitive information about the domain or network, including users, groups, and shared resources. This provides an understanding of the network's structure and configuration and can highlight potential unprotected access points.

To conduct null authentication, tools like Nmap, rpcclient, or Metasploit can be utilized. If security teams establish a null session, it is possible to enumerate network resources and identify vulnerabilities.

One common command to attempt a null session is:

rpcclient -U "" -N

This command uses rpcclient to connect to the target system without any credentials. If successful, it allows access to various rpcclient commands that can enumerate users, groups, and shared resources.

Alternatively, using a Metasploit module can assist in testing for null authentication:

[screenshot in the original post: Metasploit module output listing the accessible SMB pipes]

This output indicates the SMB pipes that are accessible without requiring a username and password. While it's rare to find domain controllers allowing such access today, it may still be encountered in some corporate networks, revealing possible weak points in their security configurations.

Service Exploitation

Service exploitation involves leveraging information from reconnaissance to carry out specific attacks on services. One common technique is a password spraying attack, which targets multiple user accounts with a few commonly used passwords.

The advantage of password spraying is that it avoids triggering account lockouts, as it tries common passwords across many accounts instead of repeatedly guessing passwords for a single account.

When attackers identify a weak password, they gain unauthorized access to the network and resources associated with the compromised account.

Password Spraying Process

The primary goal of password spraying is to identify users with weak or commonly used passwords to gain access to the network. To achieve this, security teams first compile a list of usernames to target.

Security teams can gather these usernames through various enumeration techniques. Once the security team compiles the list, they use tools like CrackMapExec, Metasploit, or Hydra to perform the password spraying attack by testing the list of common passwords or a dictionary file across all user accounts.

Commands and Tools for Password Spraying

CrackMapExec is one of the tools that can execute a password-spraying attack. The command format typically looks like:

crackmapexec smb <target_ip> -u <username_file> -p

For example:

[screenshot in the original post: CrackMapExec output for Password4 against users.txt]

In this instance, CrackMapExec tests the password Password4 against all usernames listed in users.txt. The results show that attempts to log in as Administrator, IC1DC1$, and INTERNAL$ failed, marked by STATUS_LOGON_FAILURE. However, the tool successfully authenticates as child.user with Password4, revealing that this account has a weak password.

An alternative tool for password spraying is Hydra. The command for Hydra looks like:

hydra -L <username_file> -p

Hydra runs against the specified target, testing each username in the file with the provided common password on the SMB service.
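From the defender's side, the STATUS_LOGON_FAILURE pattern above shows up on the domain controller as a burst of Event ID 4625 failures for many different accounts from one source. The detector below is an added example, not code from the original post; it runs over constructed, simplified 4625/4624 records and separates a spray (wide and shallow) from a single user mistyping a password.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed, simplified Windows Security events (4625 = failed logon,
# 4624 = successful logon). Real events carry many more fields; only the
# ones a spray detector needs are kept here.
EVENTS = [
    {"ts": "2024-05-01 09:00:01", "id": 4625, "user": "Administrator", "src": "192.168.73.50"},
    {"ts": "2024-05-01 09:00:02", "id": 4625, "user": "IC1DC1$",       "src": "192.168.73.50"},
    {"ts": "2024-05-01 09:00:03", "id": 4625, "user": "INTERNAL$",     "src": "192.168.73.50"},
    {"ts": "2024-05-01 09:00:04", "id": 4624, "user": "child.user",    "src": "192.168.73.50"},
    {"ts": "2024-05-01 09:00:05", "id": 4625, "user": "child.admin",   "src": "192.168.73.50"},
    {"ts": "2024-05-01 09:00:06", "id": 4625, "user": "child.local",   "src": "192.168.73.50"},
    # A forgotten password on one workstation: many failures, one account. Not a spray.
    {"ts": "2024-05-01 09:10:00", "id": 4625, "user": "child.user",    "src": "192.168.73.77"},
    {"ts": "2024-05-01 09:10:20", "id": 4625, "user": "child.user",    "src": "192.168.73.77"},
    {"ts": "2024-05-01 09:10:40", "id": 4625, "user": "child.user",    "src": "192.168.73.77"},
    {"ts": "2024-05-01 09:11:00", "id": 4625, "user": "child.user",    "src": "192.168.73.77"},
    {"ts": "2024-05-01 09:11:20", "id": 4625, "user": "child.user",    "src": "192.168.73.77"},
]

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5   # "wide": many accounts touched from one source
MAX_TRIES_PER_USER = 2   # "shallow": few tries per account, so lockout never fires


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect_password_spray(events: List[dict]) -> List[dict]:
    """Flag sources that fail logons for many distinct accounts with few attempts
    each inside WINDOW, and record any success from the same source in that window."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(failures):
            window_end = _parse(first["ts"]) + WINDOW
            in_window = [e for e in failures[i:] if _parse(e["ts"]) <= window_end]
            per_user: Dict[str, int] = defaultdict(int)
            for e in in_window:
                per_user[e["user"]] += 1
            if (len(per_user) >= MIN_DISTINCT_USERS
                    and max(per_user.values()) <= MAX_TRIES_PER_USER):
                successes = [e["user"] for e in evs if e["id"] == 4624
                             and _parse(first["ts"]) <= _parse(e["ts"]) <= window_end]
                alerts.append({"src": src, "start": first["ts"],
                               "accounts_tried": sorted(per_user),
                               "succeeded_as": successes})
                break  # one alert per source; later windows would repeat it
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(EVENTS):
        print(alert)
```

An account listed under succeeded_as is the one to reset and review first; the source address is the one to isolate.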

Initial Access

The goal of gaining initial access is to establish a foothold within the target network, allowing security teams to start their operations. This first entry point is crucial as it provides security teams the ability to further explore the network and execute malicious activities.

Once inside, teams lay the groundwork for deeper infiltration, including privilege escalation, lateral movement, and data exfiltration. To ensure they maintain access, they often create backdoors or install malware, allowing them to re-enter the network even if defenders discover and close the original vulnerability.

Tools and Commands for Initial Access

One of the most effective tools for maintaining post-exploitation access is the meterpreter shell in Metasploit. It provides a versatile and powerful environment for executing commands, transferring files, and running further exploits. Another tool commonly used is netcat (or nc), which can be leveraged to create reverse shells, providing remote access to the attacker.

For example, a meterpreter session in Metasploit allows comprehensive control over a compromised machine, while netcat can be used like this:

nc -lvp <port> -e

This netcat command sets up a reverse shell by listening on a specified port and executing a shell (/bin/bash).

Post-Exploitation

In the post-exploitation phase, security teams focus on leveraging their access to achieve specific goals within the environment, such as stealing data, disrupting operations, or causing financial damage. During this stage, they also cover their tracks to minimize evidence of the intrusion, making it difficult for network defenders or forensic investigators to detect the attack.

Post-Exploitation Activities

After gaining initial access to the Active Directory (AD) environment, security teams engage in post-exploitation activities to solidify their control and pursue their objectives. Key activities include:

Kerberoasting

Kerberoasting is a technique targeting service accounts that have Kerberos Service Principal Names (SPNs). Security teams request and obtain the corresponding Ticket-Granting Service (TGS) tickets associated with these accounts.

Security teams commonly use tools like BloodHound or PowerView to identify vulnerable service accounts. Once security teams identify them, tools such as Rubeus or Mimikatz are used to request and extract TGS tickets from the domain controller.

The extracted TGS tickets are then subjected to offline brute-force attacks, typically using Hashcat, to recover the plaintext passwords of the service accounts.

Successfully retrieving these passwords provides further access, privilege escalation opportunities, and control over the AD environment.
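Kerberoasting leaves a distinctive trace on the domain controller: Event ID 4769 service-ticket requests, usually with RC4 encryption (TicketEncryptionType 0x17), for several SPN accounts from one requester in a short time. The detector below is an added example, not code from the original post; the event records are constructed and simplified, and the service account names not taken from the enumeration output above (svc_sql, svc_web) are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed, simplified Event ID 4769 records. Keys mirror the event's fields:
# TargetUserName (requester), ServiceName (SPN account), TicketEncryptionType, IpAddress.
TGS_EVENTS = [
    {"ts": "2024-05-01 10:00:00", "user": "child.user",  "service": "ChildTestSPN$",   "etype": "0x17", "src": "192.168.73.50"},
    {"ts": "2024-05-01 10:00:01", "user": "child.user",  "service": "client1testspn$", "etype": "0x17", "src": "192.168.73.50"},
    {"ts": "2024-05-01 10:00:01", "user": "child.user",  "service": "svc_sql",         "etype": "0x17", "src": "192.168.73.50"},
    {"ts": "2024-05-01 10:00:02", "user": "child.user",  "service": "svc_web",         "etype": "0x17", "src": "192.168.73.50"},
    # Normal traffic: an admin workstation requesting AES tickets for services it really uses.
    {"ts": "2024-05-01 10:05:00", "user": "child.admin", "service": "IC1DC1$",         "etype": "0x12", "src": "192.168.73.60"},
    {"ts": "2024-05-01 10:05:30", "user": "child.admin", "service": "svc_web",         "etype": "0x12", "src": "192.168.73.60"},
]

WINDOW = timedelta(minutes=5)
MIN_DISTINCT_SERVICES = 3
# Encryption types that are cheap to crack offline; AES (0x11, 0x12) is deliberately absent.
WEAK_ETYPES = {"0x17": "RC4-HMAC", "0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5"}


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect_kerberoasting(events: List[dict]) -> List[dict]:
    """Alert when one requester obtains weak-etype TGS tickets for several
    distinct service accounts inside WINDOW."""
    weak_by_user: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["etype"] in WEAK_ETYPES:
            weak_by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in weak_by_user.items():
        for i, first in enumerate(evs):
            deadline = _parse(first["ts"]) + WINDOW
            window = [e for e in evs[i:] if _parse(e["ts"]) <= deadline]
            services = sorted({e["service"] for e in window})
            if len(services) >= MIN_DISTINCT_SERVICES:
                alerts.append({
                    "requester": user,
                    "src": sorted({e["src"] for e in window}),
                    "start": first["ts"],
                    "services": services,
                    "etypes": sorted({WEAK_ETYPES[e["etype"]] for e in window}),
                })
                break  # one alert per requester
    return alerts


def weak_etype_services(events: List[dict]) -> List[str]:
    """Service accounts that ever issued a weak-etype ticket: candidates for
    AES-only keys (msDS-SupportedEncryptionTypes) and long random passwords or gMSAs."""
    return sorted({e["service"] for e in events if e["etype"] in WEAK_ETYPES})
```

Cutting the roast off at the source means removing RC4 from the service accounts' supported encryption types and giving them passwords that cannot be cracked offline; the second function lists where to start.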

Tools for Active Directory Pentesting

Active Directory penetration testing requires a diverse set of specialized tools to effectively probe and analyze network vulnerabilities. The following are some of the most crucial tools used in AD pentesting.

BloodHound

BloodHound is a tool that maps out hidden and often unintended relationships within an Active Directory environment. It uses graph theory to analyze and visualize paths for privilege escalation and lateral movement. Attackers and defenders use it to identify weak points in the AD security posture. It helps provide insights into AD structure and potential attack paths.

Mimikatz

Mimikatz is a well-known tool for extracting credentials from Windows systems. It allows security teams to dump passwords, PINs, and Kerberos tickets directly from memory. Security engineers use Mimikatz to test the robustness of the organization system's credential storage and protection mechanisms. It's often employed for privilege escalation and lateral movement within a network.

PowerSploit

PowerSploit is a collection of Microsoft PowerShell scripts designed for penetration testing and post-exploitation tasks. It includes modules for reconnaissance, code execution, and credential gathering. This tool leverages the power of PowerShell to automate common attack scenarios. Security testers often use it to simulate attacks and test defense mechanisms.

Nmap

Nmap is a network scanning tool used to discover hosts, open ports, and running services in a network. It's essential for identifying entry points and understanding the organization network's structure. With its wide array of scanning options, Nmap helps attackers and defenders map networks comprehensively. It's often the first tool used for reconnaissance in a penetration test.

PingCastle

PingCastle is a tool for auditing the risk level of Active Directory infrastructures. It analyzes the AD setup to find vulnerable practices and potential weaknesses. The tool generates detailed reports to highlight risk areas, allowing organizations to strengthen their AD security. It's valuable for assessing the overall health and compliance of the AD environment.

ADRecon

ADRecon is a tool that gathers extensive information about an Active Directory environment and generates a comprehensive report. This report provides a clear overview of users, groups, permissions, and other critical aspects of the AD. The tool aids in identifying potential security gaps and configuration issues. It's often used for both red and blue team activities to gain insights into AD security.

Best Practices for Active Directory Pentesting

Implementing these best practices will help ensure a thorough and effective Active Directory penetration test, enhancing the organization's security posture. These include:

1. Understand the Environment

Start by gathering information on how Active Directory is structured, including its domains, users, and groups. This knowledge helps security teams know where to focus the testing efforts. Understanding the environment also aids in recognizing any security gaps. Proper context ensures more effective and efficient testing.

2. Identify and Enumerate Accounts

List out all user, admin, and service accounts in the AD environment. Pay close attention to accounts with higher privileges, as they are key targets for attackers. Look for weak or default passwords that can be easily exploited. Knowing who has what access is vital for finding vulnerabilities.

3. Look for Misconfigurations

Search for misconfigurations, such as weak permissions, over-privileged accounts, and unsecured default settings. Attackers often exploit these flaws as entry points to escalate their access. Ensure that critical objects have strict access controls. Correcting misconfigurations is essential for AD security.

4. Check for Weak Authentication

Test authentication mechanisms to find flaws, such as weak passwords, insecure protocols, or unencrypted data transfers. Security professionals can use tools like Mimikatz to exploit these weaknesses.

Strong authentication is key to protecting AD from unauthorized access. Enforce strong password policies and secure authentication methods.

5. Examine Group Policies

Review Group Policy Objects (GPOs) for any insecure or unnecessary settings. Attackers often exploit GPOs to push malicious configurations or gain control over user settings. Keep GPOs clean, only implementing policies that are necessary. Regularly reviewing policies helps to prevent security risks.

6. Analyze Network Traffic

Monitor and analyze network traffic for insecure protocols and sensitive data transfers. Tools like Wireshark can help detect plaintext credentials, weak encryption, or other signs of vulnerabilities. Securing network traffic reduces the risk of sensitive information exposure. Use encrypted protocols like LDAPS to enhance security.

Final Thoughts

Active Directory pentesting is a critical process for ensuring the security of an organization's networks. It allows security engineers to identify vulnerabilities and weak points in the organization's network configurations that attackers could potentially exploit.

The usage of tools like BloodHound, Mimikatz, PowerSploit, Nmap, PingCastle, and ADRecon can greatly enhance the ability to detect potential threats and secure the organization’s systems. However, it's important to remember that these tools and techniques should only be used responsibly and ethically.
