{"id":5001,"date":"2024-12-22T11:51:05","date_gmt":"2024-12-22T03:51:05","guid":{"rendered":"https:\/\/mayanknauni.com\/?p=5001"},"modified":"2024-12-22T12:23:11","modified_gmt":"2024-12-22T04:23:11","slug":"decrypting-defenses-advanced-techniques-to-penetrate-active-directory-systems","status":"publish","type":"post","link":"https:\/\/mayanknauni.com\/?p=5001","title":{"rendered":"Decrypting Defenses: Basic Techniques to Penetrate Active Directory Systems"},"content":{"rendered":"

Introduction<\/strong><\/p>\n

In this exploration, I aim to demonstrate a basic penetration test against a Active Directory (AD) setup, showcasing how even robust systems can exhibit exploitable vulnerabilities. The journey starts with initial reconnaissance using nmap<\/code>, a cornerstone tool in network scanning, progressing through more sophisticated tools and tactics. Let’s delve into the details of each tool and its role in unveiling system weaknesses.<\/p>\n

\n

Step 1: Initial Network Scanning with Nmap<\/strong><\/p>\n

Tool Used: Nmap (Network Mapper)<\/strong><\/p>\n

Nmap is a powerful network scanning tool that provides comprehensive information about network environments, including open ports, services, and, crucially for this exercise, details about networked systems such as the AD domain name.<\/p>\n

Command:<\/strong><\/p>\n

nmap -sV -p 139,445 target_IP\r\n<\/code><\/pre>\n
    \n
  • -sV<\/code>: Probe open ports to determine service\/version info.<\/li>\n
  • -p 139,445<\/code>: Specifically scan SMB ports which are critical in AD environments.<\/li>\n<\/ul>\n
    Key Outcomes:<\/strong><\/p>\n
      \n
    • Identified the AD domain name “MYSTIC-AD,” crucial for subsequent targeted attacks.<\/li>\n
    • Verified open SMB ports (139 and 445), confirming potential entry points for exploitation.<\/li>\n<\/ul>\n
      \n
      Step 2: Enumerating SMB with Enum4Linux<\/strong><\/p>\n
      Following the network mapping, enum4linux<\/code> was used to perform a deeper enumeration of SMB services, targeting specific vulnerabilities related to Windows networking and Active Directory services.<\/p>\n
      Tool Used: Enum4Linux<\/strong><\/p>\n
      Command:<\/strong><\/p>\n
      enum4linux -a target_IP\r\n<\/code><\/pre>\n
        \n
      • -a<\/code>: Automates all basic enumeration functions to gather extensive details about users, groups, and more.<\/li>\n<\/ul>\n
        Significant Findings:<\/strong><\/p>\n
          \n
        • Detailed listings of user accounts and SMB shares, notably identifying svc-elite<\/code> and backup-pro<\/code> accounts.<\/li>\n<\/ul>\n
          \n
          Step 3: Exploiting Kerberos with ASREPRoasting<\/strong><\/p>\n
          Kerberos, the default authentication service for Windows domains, was targeted next. Misconfigurations here, such as disabled pre-authentication, can lead to vulnerabilities such as ASREPRoasting.<\/p>\n
          Tool Used: GetNPUsers from Impacket Suite<\/strong><\/p>\n
          Command:<\/strong><\/p>\n
          GetNPUsers.py -no-pass -dc-ip target_IP domain\/svc-elite\r\n<\/code><\/pre>\n
            \n
          • -no-pass<\/code>: Attempts to retrieve the TGT for accounts configured without pre-authentication.<\/li>\n<\/ul>\n
            Outcome:<\/strong><\/p>\n
              \n
            • Successfully extracted the TGT for svc-elite<\/code>, which provided a hash to be cracked.<\/li>\n<\/ul>\n
              \n
              Step 4: Cracking Hashes with Hashcat<\/strong><\/p>\n
              Upon obtaining the Kerberos hash, hashcat<\/code> was employed to decrypt the hash, potentially revealing the user’s password.<\/p>\n
              Tool Used: Hashcat<\/strong><\/p>\n
              Command:<\/strong><\/p>\n
              hashcat -m 18200 -a 0 hash.txt wordlist.txt\r\n<\/code><\/pre>\n
                \n
              • -m 18200<\/code>: Specifies the mode for Kerberos 5 TGT-REP etype 23 hashes.<\/li>\n
              • -a 0<\/code>: Straight attack mode using a predefined wordlist.<\/li>\n<\/ul>\n
                Cracked Password:<\/strong><\/p>\n
                  \n
                • “Vanguard123”, highlighting the need for stronger password policies.<\/li>\n<\/ul>\n
                  \n
                  Step 5: Accessing SMB Shares with Smbclient<\/strong><\/p>\n
                  With valid credentials in hand, smbclient<\/code> was utilized to explore and manipulate SMB shares directly, searching for sensitive information or further network access points.<\/p>\n
                  Tool Used: Smbclient<\/strong><\/p>\n
                  Command:<\/strong><\/p>\n
                  smbclient -L \\\\target_IP\\ -U svc-elite\r\n<\/code><\/pre>\n
                    \n
                  • -L<\/code>: List available shares on the target machine.<\/li>\n
                  • -U<\/code>: Use the cracked credentials to authenticate.<\/li>\n<\/ul>\n
                    Key Discovery:<\/strong><\/p>\n
                      \n
                    • Accessed critical files within the backup-pro<\/code> share, potentially leading to further network compromise.<\/li>\n<\/ul>\n
                      \n
                      Step 6: Full Domain Control with Secretsdump.py<\/strong><\/p>\n
                      Achieving full domain control was the final goal, accomplished by dumping critical data from the domain controller using secretsdump.py<\/code>.<\/p>\n
                      Tool Used: Secretsdump.py from Impacket Suite<\/strong><\/p>\n
                      Command:<\/strong><\/p>\n
                      secretsdump.py -just-dc-user admin target_IP\r\n<\/code><\/pre>\n
                        \n
                      • -just-dc-user<\/code>: Targets a specific domain controller account for credential extraction.<\/li>\n<\/ul>\n
                        \n
                        Conclusion<\/strong><\/p>\n
                        This exercise illustrated how various tools can be systematically used to expose and exploit vulnerabilities in a hardened AD environment. Each tool brought us closer to understanding the security posture and necessary defenses required to protect such critical systems.<\/p>\n
                        \n
                        Mayank Nauni,\u00a0<\/strong> Cybersecurity Researcher<\/p>\n
                        \n
                        Join the discussion on effective strategies for securing AD environments. Reach out with your insights or queries, and let\u2019s enhance our collective cybersecurity knowledge together!<\/p>\n","protected":false},"excerpt":{"rendered":"
                        Introduction In this exploration, I aim to demonstrate a basic penetration test against a Active Directory (AD) setup, showcasing how even robust systems can exhibit exploitable vulnerabilities. The journey starts with initial reconnaissance using nmap, a cornerstone tool in network...<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[53],"tags":[157,58,50],"class_list":["post-5001","post","type-post","status-publish","format-standard","hentry","category-cyber-security","tag-active-directory","tag-cybersecurity","tag-red-team"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/posts\/5001","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5001"}],"version-history":[{"count":2,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/posts\/5001\/revisions"}],"predecessor-version":[{"id":5003,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/posts\/5001\/revisions\/5003"}],"wp:attachment":[{"href":"https:\/\/mayanknauni.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5001"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5001"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5001"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}