Scenario
In this scenario it is assumed you do not have credentials, but you do have either adjacent or routable access to an Active Directory Domain Controller and can access common ports/services such as: LDAP, LDAPS, SMB, NETBIOS, KERBEROS, DNS
Stage 1 – Recon & Enumeration
This assumes we have routable access to LDAP on a domain controller and well as DNS (likely on a private network (but don’t rule out someone not exposing this to the internet, that occurs sometimes!)
Stage 1 Goals
The primary goal of this stage is to:
- Obtain a list of valid users (and ideally all other domain objects)
- Attempt to gain at least one valid authentication to Active Directory Domain Services (via LDAP at minimum)
- Once authenticated use AD Explorer (and other tools) to take a “snapshot” of the domain.
- You will attempt to take an offline copy of SYSVOL
Process
Try and start with a stealthy approach, use “normal” system calls where possible. The primary target will be Domain Controllers, but we also must consider that we can target member servers for enumeration and exploitation (via RDP, SMB, WINRM etc.) (sorry the formatting broke here I will fix later it’s choccy egg day so much to do!)
- Enumerate DNS
- Find domain name.
- Find domain controllers (via dns)
- Enumerate Domain Services
- Connect to LDAP and enumerate the ROOTDSE
- Conduct OSINT and Recon on corporate internet assets and social media.
- Look at breach data for usernames and passwords.
- Use LDAPPing to enumerate valid usernames (LDAPNOMNOM)
- .\ldapnomnom-windows-amd64.exe -server 172.22.110.52 -input .\users.txt
- Attempt an LDAP NULL BIND (Be warned this is possibly going to trigger an alert)
- Another method of username enumeration is to use exchange to enumerate valid mailboxes (this may not be opsec safe)
- You can also try enumerating via Kerberos
- You can also try RID Enumeration (NULL SESSIONS)
- You can also try enumerating users via SMB (LSA or SAMR)
- Try crackmapexec –users
- Lastly, we can try common usernames:
- Administrator (SID500)
- Itsupport
- Backup
- Svc_backup
- Printer
- Scanner
- Ldad
- Find users via other network services (e.g., RDP with NLA disabled)
- You may also find user credentials in devices such as Multi-Function Devices (like printers) where admin interfaces are not protected.
- Authenticate
- NULL Bind (see above)
- Credential Spray
- Breached credentials
- Company name
- Industry words
- Seasons/days etc.,
- Common weak passwords
- Password guess
- Dictionary attack
- If you are adjacent to domain members attempt to poison LLLMNR/mDNS and obtain both usernames and password hashes
- If you are adjacent, you may be able to relay (SMBRelay/MITMv6 etc.)
- SMB
- HTTP (WPAD/WEBDAV)
- Relay to ADCS (Relay to ADCS HTTP Endpoints)
- Relay to create a machine account (thanks Justin!)
- You may be able to coerce an authentication (phish someone with a link to your responder server etc.)
- You may be able to coerce authentication using petitpotam
- You may be able to use a known software vulnerability such as:
- ZeroLogon (CVE-2020-1472) (risky by default)
- Bluekeep (risky)
- EternalBlue (MS17-010) (May BSOD so I would say this is risky, I ask people before I run this, if you wanna skip forward you can always elevate to system on the target and run a shell back somewhere 😉 )
- Snapshot
- Now that we (hopefully) have either NULL BIND to LDAP or a valid set of credentials we want to take a snapshot of the directory service by using ADEXPLORER (or other similar tools).
- You will also want to consider taking a copy of SYSVOL
Tools
- NSLOOKUP, DNSRECON or DIG
- LDAPNOMNOM – https://github.com/lkarlslund/ldapnomnom
- NMAP – https://nmap.org/
- ADFIND – https://www.joeware.net/freetools/tools/adfind/
- ADRECON – https://github.com/sense-of-security/ADRecon
- LDAPSEARCH – https://docs.ldap.com/ldap-sdk/docs/tool-usages/ldapsearch.html
- CRACKMAPEXEC – https://github.com/Porchetta-Industries/CrackMapExec
- KERBRUTE – https://github.com/ropnop/kerbrute
- pyKerbrute – https://github.com/3gstudent/pyKerbrute
- SMARTBRUTE – https://github.com/3gstudent/pyKerbrute
- IMPACKET – https://github.com/fortra/impacket
- SMBCLIENT
- ENUM4LINUX – https://www.kali.org/tools/enum4linux/#:~:text=Enum4linux%20is%20a%20tool%20for,from%20www.bindview.com.
- RESPONDER – https://github.com/lgandx/Responder
- INVEIGH – https://github.com/Kevin-Robertson/Inveigh
- RUBEUS – https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
- MITMv6 – https://github.com/dirkjanm/mitm6
- NTLMRELAYX – https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py
- COERCER (by P0dalirus) – https://github.com/p0dalirius/Coercer
- DFCoerce – https://github.com/Wh04m1001/DFSCoerce
- PKINTtools – https://github.com/dirkjanm/PKINITtools
- Certipy – https://github.com/ly4k/Certipy
- ETTERCAP/BETTERCAP – https://www.ettercap-project.org/
- TCPDUMP/WIRESHARK – https://www.wireshark.org/
More to follow but I thought I would start here, writing all this stuff is hard, but easier to post some rather than wait for me to complete essays! Thanks to Justin for sanity checking.
Remember the number of variables with this stuff is HIGH. Not every network has a clear path, not every scope allows every method (e.g. lots exclude phishing) and that you can use assumed breach and fast forwards to make simulated progress to change the test perspective (these are all normal things).