Introduction

Active Directory (AD) is the cornerstone of identity and access management in many organizations, especially in environments relying on Microsoft-based networks. It stores critical information such as user credentials, group memberships, system policies, and network resources. Due to its significance, AD is a frequent target for penetration testers (pentesters) and attackers alike. In this post, we will dive into an effective Active Directory pentesting methodology—an approach that simulates the steps an adversary might take to gain unauthorized access to the network while providing useful guidance to red teams and pentesters.

The Importance of Active Directory in Penetration Testing

Active Directory (AD) is often described as the "keys to the kingdom" in enterprise environments because it holds sensitive data and provides access control over the entire network. Compromising an AD infrastructure often leads to high-value assets, including:
I. Domain Administrator (DA) privileges
II. Access to critical network services and applications
III. Lateral movement across the network
IV. Sensitive data, including credentials and personal information

Understanding how AD operates is critical for penetration testers, as it allows them to identify vulnerabilities that could be exploited to escalate privileges, exfiltrate data, or disrupt operations.

Key Phases of Active Directory Pentesting

I. Information Gathering & Reconnaissance

Before attempting to exploit vulnerabilities in AD, pentesters need to gather as much information as possible about the target environment. This can be achieved through both passive and active methods.
I. Passive Reconnaissance: This involves gathering publicly available information (like IP addresses, domain names, etc.). Tools like Google Dorking, WHOIS lookups, and social media analysis can be useful here.
II. Active Reconnaissance:

1. DNS Enumeration: Query DNS records to uncover domain names, subdomains, and server configurations. Tools like nslookup and dnsrecon are helpful here.

2. Netview & SMB Enumeration: Use tools such as nmap with SMB scripts or enum4linux to gather information about the target domain controllers, file shares, and network services.

3. Active Directory Enumeration: Leverage tools like BloodHound, Rubeus, or LDAP enumeration scripts to gather detailed information about AD objects, including users, groups, and permissions.

Tools:
I. Nmap
II. Enum4Linux
III. BloodHound
IV. DNSRecon
V. SNMPWalk

II. Identifying Weaknesses in Active Directory Configuration

Once initial reconnaissance is complete, pentesters begin identifying misconfigurations or vulnerabilities that could be exploited. Common weaknesses in AD configurations include:
I. Weak Password Policies: If the organization has weak password policies (such as allowing short or simple passwords), it opens the door for password spraying or brute-force attacks.
II. Unsecured Service Accounts: Many environments have service accounts with poor security hygiene, such as no strong password or a password that hasn’t been rotated in years.
III. Kerberos Misconfigurations: Vulnerabilities like the "Kerberos Golden Ticket" attack occur when there are weaknesses in the way tickets are granted and validated in the AD environment.
IV. Excessive Privileges: Some users may have excessive permissions for their role, creating an opportunity for privilege escalation.

Tools:
I. Mimikatz
II. PowerView
III. Kerberos Exploitation Tools

III. Credential Harvesting and Initial Exploitation

In the initial exploitation phase, attackers attempt to harvest credentials or exploit weak authentication mechanisms. This could involve:
I. Password Spraying: Attempting to log in to multiple accounts using a single password across multiple services (e.g., RDP, SMB, web apps). Tools like Hydra or CrackMapExec can be useful here.
II. Kerberos Ticket Harvesting: By exploiting Kerberos misconfigurations, pentesters can extract service tickets and attempt to impersonate other users using tools like Rubeus.
III. NTLM Relay Attacks: Exploiting weaknesses in the authentication process, especially in SMB, to capture NTLM hashes and relay them to other services.

Tools:
I. Mimikatz
II. CrackMapExec
III. Impacket
IV. Rubeus

IV. Lateral Movement

Once initial access is gained, attackers will attempt to move laterally across the network, gaining additional privileges and access to other systems. In the case of AD, lateral movement often involves:
I. Pass-the-Hash: Using stolen NTLM hashes to authenticate to other systems without needing to know the actual password.
II. Pass-the-Ticket (Kerberos): Using a stolen Kerberos ticket to impersonate a user.
III. AD Replication: Exploiting vulnerabilities in AD replication mechanisms to escalate privileges or move across domains.

Tools:
I. PsExec
II. Mimikatz (Pass-the-Hash, Pass-the-Ticket)
III. BloodHound
IV. Impacket
V. CrackMapExec

V. Privilege Escalation

Privilege escalation in Active Directory environments can happen in various ways, often depending on misconfigurations in AD or within the local machine settings:
I. Abuse of Group Memberships: Elevating access through groups such as "Enterprise Admins" or "Domain Admins."
II. Delegated Permissions Misconfigurations: Exploiting delegated administrative rights to gain higher access.
III. Kerberos Golden Ticket: If an attacker has valid Service Principal Names (SPNs) and access to the Ticket Granting Ticket (TGT), they can create a "Golden Ticket" to impersonate any user in the domain, including Domain Admins.

Tools:
I. Mimikatz
II. BloodHound
III. Impacket
IV. Kerberos Exploitation Tools

VI. Data Exfiltration & Impact

Once an attacker has escalated privileges, they may attempt to exfiltrate sensitive data or cause damage to the network. Common tactics include:
I. Dumping Password Hashes: Using tools like Mimikatz or Impacket to extract password hashes for offline cracking.
II. Data Theft: Using PowerShell or SMB to steal sensitive files from file shares or user directories.
III. Destruction or Alteration: Deleting important domain objects or altering configurations to disrupt services, often as part of a ransomware attack or advanced persistent threat (APT).

Tools:
I. Mimikatz
II. PowerShell Empire
III. BloodHound

Conclusion

Active Directory penetration testing is a critical skill for red teams and penetration testers alike. By following a structured methodology, pentesters can identify and exploit misconfigurations and weaknesses in the AD infrastructure, potentially gaining access to highly sensitive assets. Understanding AD's role in enterprise security and the tools available to exploit it is key to detecting and mitigating potential risks.

The tools and techniques discussed in this post are only a starting point. As AD environments evolve, new attack vectors and defensive measures will continue to emerge, making ongoing education and adaptation essential for effective pentesting.