🔴Active Directory

Definition

Active Directory is a centralized directory service used to manage Windows networks. It stores information about objects on the network and make it easy to configure what is needed.

Intro

Active Directory attacks is a huge topic, a lot of the scenarios depend on the situation of attacker and network infrastructure. this section of the book is about the known active directory attacks and tips/tricks.

The Process

Typically the process of Active Directory penetration testing ( aka internal pentesting ) is like this:

1. Initial Domain Access ( through a low-privileged user account )

2. Local Privilege Escalation

3. Internal Domain Recon

4. Poisoning / MITM

5. Domain Admin Access

6. Domain Dominance ( fancy name for " full compromise " )

7. Domain Persistence

8. Asset Access

9. Exfiltration

Active Directory Kill Chain

Build your own lab

Creating Active Directory Labs for Blue and Red TeamsSEC Consult

Resources

Attacking Active Directory: 0 to 0.9 | zer1t0

Domain ACLsBufu-Sec Wiki

PowerSploit

MicrosoftWontFixList/README.md at main · cfalta/MicrosoftWontFixListGitHub

PayloadsAllTheThings/Active Directory Attack.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

GitHub - Integration-IT/Active-Directory-Exploitation-Cheat-Sheet: A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.GitHub

GitHub - S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet: A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.GitHub

Tools

GitHub - SecureAuthCorp/impacket: Impacket is a collection of Python classes for working with network protocols.GitHub

GitHub - maaaaz/impacket-examples-windows: The great impacket example scripts compiled for WindowsGitHub

GitHub - lgandx/Responder: Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.GitHub

GitHub - S3cur3Th1sSh1t/PowerSharpPackGitHub

GitHub - S3cur3Th1sSh1t/WinPwn: Automation for internal Windows Penetrationtest / AD-SecurityGitHub

GitHub - Kevin-Robertson/InveighZero: .NET IPv4/IPv6 machine-in-the-middle tool for penetration testersGitHub

GitHub - gentilkiwi/mimikatz: A little tool to play with Windows securityGitHub

GitHub - funkandwagnalls/ranger: A tool for security professionals to access and interact with remote Microsoft Windows based systems.GitHub

AD Explorer - Windows Sysinternalsdocsmsft

GitHub - byt3bl33d3r/CrackMapExec: A swiss army knife for pentesting networksGitHub

GitHub - dirkjanm/mitm6: pwning IPv4 via IPv6GitHub

GitHub - sense-of-security/ADRecon: ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.GitHub

GitHub - hausec/ADAPE-Script: Active Directory Assessment and Privilege Escalation ScriptGitHub

GitHub - vletoux/pingcastle: PingCastle - Get Active Directory Security at 80% in 20% of the timeGitHub

GitHub - ropnop/kerbrute: A tool to perform Kerberos pre-auth bruteforcingGitHub

GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.GitHub

GitHub - BloodHoundAD/BloodHound: Six Degrees of Domain AdminGitHub

GitHub - NetSPI/PowerUpSQL: PowerUpSQL: A PowerShell Toolkit for Attacking SQL ServerGitHub

GitHub - Kevin-Robertson/Powermad: PowerShell MachineAccountQuota and DNS exploit toolsGitHub