“Active Directory”, known as “AD”, is a directory service that Microsoft developed for Windows domain networks. With it you can control the domain computers and services running on every node of your domain.
This article covers Active Directory penetration testing, which can help penetration testers and security specialists who want to secure their network.
Active Directory Penetration Testing
This process has several stages; the first is reconnaissance of your network. Every user can log in to a domain by having an account on the domain controller (DC).
All of this information can be collected by any user who is an AD user. The username has two parts: the first is the domain name and the second is your username, as listed below:
Reconnaissance Commands:
+ c:\> net user
+ c:\> net user /domain
C:\Windows\NTDS
It is a mechanism that protects your network's users from password-guessing attacks. You can also see the “Password Policy”. A password policy is a set of rules designed to enhance computer system security by encouraging users to use strong passwords and to use them properly.
If you try incorrect passwords more times than the Account Lockout Policy allows, you see the message “Account Has Been Locked out”.
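The defender's view of the lockout behaviour described above, as an added example that is not part of the original article: it scans failed-logon and lockout events for accounts that reach the lockout threshold and, going slightly beyond the text, for a single source that fails against many different accounts. Event IDs 4625 (failed logon) and 4740 (account locked out) are the Windows Security log IDs; the one-line event format, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625  # Windows Security event: an account failed to log on
LOCKED_OUT = 4740    # Windows Security event: a user account was locked out

# Constructed sample (assumed format): time, event ID, account, source address
SAMPLE = """\
2024-01-10T09:00:01 4625 alice 10.0.0.50
2024-01-10T09:00:03 4625 alice 10.0.0.50
2024-01-10T09:00:05 4625 alice 10.0.0.50
2024-01-10T09:00:06 4740 alice 10.0.0.50
2024-01-10T09:05:00 4625 bob 10.0.0.77
2024-01-10T09:05:02 4625 carol 10.0.0.77
2024-01-10T09:05:04 4625 dave 10.0.0.77
2024-01-10T09:05:06 4625 erin 10.0.0.77
2024-01-10T11:30:00 4625 frank 10.0.0.12
"""

def parse(text):
    for line in text.splitlines():
        ts, eid, account, src = line.split()
        yield datetime.fromisoformat(ts), int(eid), account, src

def detect_guessing(events, lockout_threshold=3, spray_accounts=4,
                    window=timedelta(minutes=10)):
    per_account = defaultdict(deque)  # account -> failure times inside window
    per_source = defaultdict(deque)   # source -> (time, account) inside window
    findings = {"brute_force": set(), "spray": set(), "locked": set()}
    for ts, eid, account, src in sorted(events):
        if eid == LOCKED_OUT:
            findings["locked"].add(account)
        if eid != FAILED_LOGON:
            continue
        fails = per_account[account]
        fails.append(ts)
        while ts - fails[0] > window:      # drop failures older than window
            fails.popleft()
        if len(fails) >= lockout_threshold:
            findings["brute_force"].add(account)
        seen = per_source[src]
        seen.append((ts, account))
        while ts - seen[0][0] > window:
            seen.popleft()
        if len({a for _, a in seen}) >= spray_accounts:  # distinct accounts
            findings["spray"].add(src)
    return findings

if __name__ == "__main__":
    print(detect_guessing(parse(SAMPLE)))
```

Set `lockout_threshold` to the value in your own Account Lockout Policy so the alert fires at the same point the domain locks the account.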
Active Directory penetration testing is needed for any company; nowadays APT groups actively target Active Directory using various methods.
Once you have all the information you need, you can carry out different attacks on users, such as:
Brute Force Active Directory
All of this information can be collected by any user who is an AD user. Once you have all AD users, you should take a look at the group policy. Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. It is a mechanism that protects your network's users from password-guessing attacks. A password policy is a set of rules designed to enhance computer security by encouraging users to use strong passwords and to use them properly.
+ c:\> whoami /groups
Once you have all AD users, you should take a look at the group policy. Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. In the group policy, you can see environment policies such as the “Account Lockout Policy”.
If you attempt it on all accounts, all users will be disabled and you will see the effect on the network. Based on what you see in the Password Policy, you can set up your password list for brute-forcing.
To brute-force Active Directory, you can use Metasploit Framework auxiliaries. You can use the auxiliary listed below:
+ c:\> whoami
Picture 2 – List of AD Groups
msf > use auxiliary/scanner/smb/smb_login
It helps server administrators manage devices connected to the network, and it includes a variety of services such as Domain, Certificate Services, Lightweight Directory Services, Directory Federation and Rights Management.
The Article Prepared by Omid Shojaei. All the Content of this Article Belongs to above Original Author. This article is only for educational purposes.
+ c:\> net user [username] /domain
You can run this auxiliary by entering the “run” command.
In the options of this auxiliary you can set a username file and a password file, and set an IP that has the SMB service open.
You can see the hashes and the password (if the password can be discovered).
You can extract hashes from this file by using mimikatz. mimikatz has a feature that leverages the Directory Replication Service (DRS) to retrieve the password hashes from the NTDS.DIT file. You can run it as shown below:
mimikatz # lsadump::dcsync /domain:pentestlab.local /all /csv
To get a better look, you can use the “AD Recon” script. AD Recon is a script written by “Sense of Security”.
This command shows you the current group.
Picture 3 – List of DNS Record Zones
You can download this script from GitHub: https://github.com/sense-of-security/ADRecon
Screenshots of this tool's report:
By running this command in CMD (Command Prompt) you can easily see the local users on your PC.
Source & Credits
This command helps you see the current user associated with Active Directory who is logged in.
It uses about 12 thousand lines of PowerShell script and gives you a good look at AD and all the information you will need.
This command shows you all users from any group in Active Directory. Also, you can see every user's groups by running this command:
Active Directory consists of several services that run on Windows servers; it includes user groups, applications, printers, and other resources.
All hashes are stored in a file named “NTDS.dit” in this location: