🔴Active Directory

Definition

Active Directory is a centralized directory service used to manage Windows networks. It stores information about objects on the network and make it easy to configure what is needed.

Intro

Active Directory attacks is a huge topic, a lot of the scenarios depend on the situation of attacker and network infrastructure. this section of the book is about the known active directory attacks and tips/tricks.

Most of the attacks in this section (in real world scenarios as well) are based on the assumption that you already have a low-privilege access to a system inside the internal network or have physically attached your system and you are pass the firewall. normally, you wont see a domain controller out in the open or directly accessible from the internet, so most of the active directory attacks are part of an internal pentest or red team engagement.

The Process

Typically the process of Active Directory penetration testing ( aka internal pentesting ) is like this:

1. Initial Domain Access ( through a low-privileged user account )

2. Local Privilege Escalation

3. Internal Domain Recon

4. Poisoning / MITM

5. Domain Admin Access

6. Domain Dominance ( fancy name for " full compromise " )

7. Domain Persistence

8. Asset Access

9. Exfiltration

Active Directory Kill Chain

Build your own lab

Creating Active Directory Labs for Blue and Red TeamsSEC Consult

Resources

Attacking Active Directory: 0 to 0.9 | zer1t0

Domain ACLsBufu-Sec Wiki

PowerSploit

MicrosoftWontFixList/README.md at main · cfalta/MicrosoftWontFixListGitHub

PayloadsAllTheThings/Active Directory Attack.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

Attack Defense & DetectionActive Directory Security

GitHub - Integration-IT/Active-Directory-Exploitation-Cheat-Sheet: A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.GitHub

GitHub - S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet: A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.GitHub

Tools

GitHub - SecureAuthCorp/impacket: Impacket is a collection of Python classes for working with network protocols.GitHub

GitHub - maaaaz/impacket-examples-windows: The great impacket example scripts compiled for WindowsGitHub

GitHub - lgandx/Responder: Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.GitHub

GitHub - S3cur3Th1sSh1t/PowerSharpPackGitHub

GitHub - S3cur3Th1sSh1t/WinPwn: Automation for internal Windows Penetrationtest / AD-SecurityGitHub

GitHub - Kevin-Robertson/InveighZero: .NET IPv4/IPv6 machine-in-the-middle tool for penetration testersGitHub

GitHub - gentilkiwi/mimikatz: A little tool to play with Windows securityGitHub

GitHub - funkandwagnalls/ranger: A tool for security professionals to access and interact with remote Microsoft Windows based systems.GitHub

AD Explorer - Windows Sysinternalsdocsmsft

GitHub - byt3bl33d3r/CrackMapExec: A swiss army knife for pentesting networksGitHub

GitHub - dirkjanm/mitm6: pwning IPv4 via IPv6GitHub

GitHub - sense-of-security/ADRecon: ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.GitHub

GitHub - hausec/ADAPE-Script: Active Directory Assessment and Privilege Escalation ScriptGitHub

GitHub - vletoux/pingcastle: PingCastle - Get Active Directory Security at 80% in 20% of the timeGitHub

GitHub - ropnop/kerbrute: A tool to perform Kerberos pre-auth bruteforcingGitHub

GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.GitHub

https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350posts.specterops.io

GitHub - BloodHoundAD/BloodHound: Six Degrees of Domain AdminGitHub

GitHub - NetSPI/PowerUpSQL: PowerUpSQL: A PowerShell Toolkit for Attacking SQL ServerGitHub

GitHub - Kevin-Robertson/Powermad: PowerShell MachineAccountQuota and DNS exploit toolsGitHub