Active Directory & Windows

Active Directory Penetration Testing

Active Directory penetration testing is a proactive approach to discover potential vulnerabilities in an AD environment. By simulating cyber-attacks in a controlled setting, organizations can identify weak points and rectify them before malicious actors exploit them.

Key Areas to Focus On:

  • Pre-Engagement Interaction:

    • Understand the scope of the test.

    • Establish communication protocols.

    • Ensure necessary permissions are in place.

  • Information Gathering:

    • Enumerate domain information.

    • Extract user details, group memberships, and trusts.

    • Identify domain controllers and their roles.

  • Enumeration:

    • Utilize tools like PowerView and BloodHound to gather detailed AD data.

    • Enumerate sessions, shares, and group policies.

  • Credential Assessment:

    • Extract NTLM hashes and Kerberos tickets.

    • Perform pass-the-hash or pass-the-ticket attacks.

    • Use tools like Mimikatz for credential dumping.

  • Lateral Movement:

    • Exploit weak service configurations.

    • Utilize tools like CrackMapExec and PowerUpSQL for lateral traversal.

  • Privilege Escalation:

    • Identify misconfigurations using tools like PowerUp.

    • Exploit Kerberos vulnerabilities, such as Kerberoasting.

  • Domain Dominance:

    • Extract the NTDS.dit file for offline extraction.

    • Create a Golden Ticket using a Kerberos Ticket Granting Ticket (TGT).

  • Data Exfiltration:

    • Identify sensitive data.

    • Use tools like Rclone or SMB shares to transfer data securely.

  • Post Exploitation:

    • Maintain persistence using tools like Empire or Metasploit.

    • Deploy backdoors and monitor for ongoing access.

  • Reporting:

    • Document findings, methodologies, and tools used.

    • Provide a detailed risk assessment.

    • Offer actionable recommendations to bolster security.

Resources and Tools