DISCLAIMER: This is an honest review from my personal experience and knowledge. There is no affiliation with, or sponsorship from, any organization for publishing this blog.
Active Directory, or AD, has by far been the most interesting research topic of the last few years in terms of exploitation. As Microsoft keeps releasing new patches and updates it becomes quite difficult to breach an AD environment, but if you stick to the basics you can conquer it.
For the past few weeks I have also been brushing up my Active Directory exploitation skills and have improved to a good extent. I'll be sharing some resources and the pathway I took to understand AD and its exploitation. Some of them are free and some are paid, but they are worth paying for.
A key question for many new researchers is where they should start. For this, I'd suggest starting with TryHackMe's Windows Fundamentals module.
URL: TryHackMe Windows Fundamentals
This module has 3 rooms and covers everything from the basic Windows desktop, file system and UAC to configuration and basic security measures. With this you will have a good knowledge of the Windows environment and how things work, and may be able to identify some potential targets.
Once you are done with Windows Fundamentals, it's time to get an overview of Active Directory. For this as well, TryHackMe has us covered: there is a complete module for learning and compromising Active Directory.
URL: TryHackMe Compromising Active Directory
Here, I suggest doing just the initial room first, i.e. Active Directory Basics.
This room is a great option for an initial start on Active Directory learning, as it covers the following topics:
Once you are well familiar with these topics, try to set up your own Active Directory lab as well and explore more features of Active Directory. I would highly suggest setting up your own lab, as it will help you understand common security misconfigurations which you might have made yourself and how they can be exploited.
This is a paid course offered by TCM Security; it is optional, but if you have it then it is worth checking out and going through. The mentor, Heath Adams, explains how you can set up your own AD lab and then also goes through exploitation, from initial access to taking over the complete domain, in the same lab you have built.
He starts by building a lab environment, then moves to initial attack vectors like LLMNR poisoning and SMB relay attacks. Here you learn about a nice tool called Responder, which just responds: it captures every interesting event happening on the selected network interface and protocols. You are also introduced to an amazing collection of tools for AD exploitation, i.e. impacket.
Once you have initial access, you will be taught about two tools for enumerating an Active Directory environment, i.e. PowerView and BloodHound. These two are very interesting and useful tools when enumerating an AD environment, as they give you a bird's-eye view of the environment, and BloodHound suggests some exploitation pathways as well.
Now that you have enumerated the target, you need to move to the exploitation part. Heath explains the following attack methods in an amazing way which helps you understand the tools very well. He covers the following topics:
Many terms might be unfamiliar, but once you have gone through the course you will understand them well, and even how these attacks are performed.
The course is an amazing option to learn AD and other hacking methodologies with a practical approach.
Course URL: TCM PEH
Next, we are back to TryHackMe resources.
Once you are done with the PEH course, you are familiar with a lot of attack methods and terms. But learning never ends, and when you are learning AD there is always a lot left.
To cover some of what is left, you can take the room Breaching Active Directory by TryHackMe. This room covers some more options for gaining initial access to an AD environment.
You will learn about Open Source Intelligence and phishing in a theoretical way. Next, you will learn how to exploit an authentication service running NTLM-based authentication, which can also be leveraged to get a list of available users in the domain.
Next, you will learn about exploiting an LDAP server and how to host a rogue one.
The most interesting method you will learn is Microsoft Deployment Toolkit (MDT). It is a service that assists you with deploying a Microsoft OS with automation.
It is an amazing topic, teaching you about the Preboot Execution Environment, or PXE boot.
Now that you have breached the AD environment and are on a domain-joined machine, it is time to enumerate it.
This room will teach you some key methods to enumerate AD, depending upon the type of access you have. By access type, I mean you could have RDP access or a normal SSH access.
With RDP access you can use the Microsoft Management Console (MMC) to enumerate and view the AD structure. You can view the users, groups, connected computers and OUs. With such access, you can easily check the permission level of various users and groups.
If you have SSH or CLI access, you can use Command Prompt or PowerShell to enumerate. CMD has a built-in command, net, which can be used to get detailed information about users and groups. Similarly, for PowerShell we have the Get-ADUser and Get-ADGroup cmdlets, which perform similar or rather better enumeration.
Some examples below (the PowerShell cmdlets come from the ActiveDirectory module; Get-ADUser and Get-ADGroup need either -Filter or -Identity to return anything):

```
# Command Prompt
List Users      -> net user /domain
Single User     -> net user [USERNAME] /domain
List Groups     -> net group /domain
Single Group    -> net group "[GROUP_NAME]" /domain
Password Policy -> net accounts /domain

# PowerShell (ActiveDirectory module)
Users           -> Get-ADUser -Filter *
Single User     -> Get-ADUser -Identity [USER_NAME]
Groups          -> Get-ADGroup -Filter *
Single Group    -> Get-ADGroup -Identity [GROUP_NAME]
```
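The `net accounts /domain` output above is the quickest way to see the domain password policy; as an added example (my own code, not from the post or from TryHackMe) the script below parses that output and flags the settings a defender would want to tighten. The sample output and the thresholds are constructed assumptions, not Microsoft or TryHackMe guidance.

```python
import re

# Constructed sample of `net accounts /domain` output (not captured from a real domain).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

def parse_net_accounts(output: str) -> dict:
    """Turn the 'Label:   value' lines of `net accounts` into a dict of strings."""
    policy = {}
    for line in output.splitlines():
        m = re.match(r"^(.*?):\s{2,}(\S.*)$", line)
        if m:
            policy[m.group(1).strip()] = m.group(2).strip()
    return policy

def _as_int(value: str):
    """'Never' / 'Unlimited' / 'None' carry no number; return None for them."""
    return int(value) if value.isdigit() else None

def weak_policy_findings(policy: dict) -> list:
    """Flag settings worth tightening. Thresholds are assumptions loosely based on
    common hardening baselines, not a vendor recommendation."""
    findings = []
    min_len = _as_int(policy.get("Minimum password length", "0"))
    if min_len is None or min_len < 14:
        findings.append(f"minimum password length {min_len} is below 14")
    lockout = _as_int(policy.get("Lockout threshold", "Never"))
    if lockout is None:
        findings.append("no account lockout threshold: online guessing is unthrottled")
    history = _as_int(policy.get("Length of password history maintained", "0"))
    if history is None or history < 24:
        findings.append(f"password history {history} allows quick reuse")
    return findings

if __name__ == "__main__":
    for finding in weak_policy_findings(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print("[!]", finding)
```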
Again here, you will learn about BloodHound. As said, it is an amazing tool which allows attackers to visualize the AD environment as a graph of interconnected nodes.
It has a collector called SharpHound which gathers the information and writes it out as a zip archive.
Now that you have enumerated a lot and might also know about other computers connected to the network, you need to pivot to gain access to them.
Lateral movement is a group of techniques used by attackers to move around a network. Once you have access to the initial machine, you can use it to establish additional points of entry, or just to create confusion and avoid detection.
Before going further, we need to understand the two types of administrators:
The key difference is that local admins are not allowed to remotely connect to a machine and perform admin tasks unless the connection is interactive, i.e. an RDP session.
Now you need to understand the process of spawning a process remotely, and for this we have a few methods and protocols to exploit.
| Tool   | Protocol                                  | Required Membership     |
|--------|-------------------------------------------|-------------------------|
| PsExec | Port 445/TCP - SMB                        | Administrators          |
| WinRM  | Port 5985/TCP or 5986/TCP - WinRM HTTP(S) | Remote Management Users |
Other than this, you can use any of the following processes explained in the room:
Another method to move laterally is to use Windows Management Instrumentation (WMI). It is the Windows implementation of Web-Based Enterprise Management (WBEM), used for accessing management information across devices.
Other than these, we also have some interesting mechanisms:
And at last, you will learn about port forwarding, which is the most important topic if you want to pivot through machines in the network.
After pivoting through the network, it is time to exploit AD itself and gain access to the Domain Controller.
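Each of the remote-spawning methods from the table and the WMI paragraph leaves a distinct trace on the target: PsExec installs a service (System log event 7045, service name PSEXESVC), while WinRM and WMI start the new process under a characteristic parent (wsmprovhost.exe and WmiPrvSE.exe, visible in Sysmon event 1). As an added example, not part of the room or the post, this is the matching logic a detection engineer would run over such events; the event records are constructed samples, not real telemetry.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    """Minimal view of a Windows/Sysmon event; a SIEM would supply these fields."""
    event_id: int
    host: str
    fields: dict = field(default_factory=dict)

# Constructed sample events (not real telemetry).
# 7045 = System log service install, 1 = Sysmon process creation.
SAMPLE_EVENTS = [
    Event(7045, "WS01", {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    Event(1, "WS02", {"ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
                      "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jsmith"}),
    Event(1, "WS03", {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                      "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      "User": r"CORP\svc_backup"}),
    Event(1, "WS04", {"ParentImage": r"C:\Windows\explorer.exe",
                      "Image": r"C:\Windows\System32\notepad.exe", "User": r"CORP\alice"}),
]

# Parent processes that host remotely spawned commands, keyed by lower-case file name.
REMOTE_PARENTS = {
    "wsmprovhost.exe": "WinRM (5985/5986)",
    "wmiprvse.exe": "WMI",
}

def classify(ev: Event):
    """Return (technique, detail) when an event looks like remote process spawning, else None."""
    if ev.event_id == 7045:
        name = ev.fields.get("ServiceName", "")
        path = ev.fields.get("ImagePath", "")
        if name.upper() == "PSEXESVC" or "psexesvc" in path.lower():
            return ("PsExec over SMB (445)", f"service {name} installed from {path}")
    if ev.event_id == 1:
        parent = ev.fields.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if parent in REMOTE_PARENTS:
            detail = f"{ev.fields.get('Image')} spawned by {parent} as {ev.fields.get('User')}"
            return (REMOTE_PARENTS[parent], detail)
    return None

def find_lateral_movement(events):
    """List (host, technique, detail) for every event that classify() flags."""
    return [(ev.host, *hit) for ev in events if (hit := classify(ev))]

if __name__ == "__main__":
    for host, technique, detail in find_lateral_movement(SAMPLE_EVENTS):
        print(f"[!] {host}: {technique}: {detail}")
```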
This room first explains exploiting permission delegation. These exploits are often referred to as ACL-based attacks. AD allows administrators to configure Access Control Entries (ACEs).
With these, you can force password changes, add members to a group, grant complete control over an object and much more.
Then we move further with Kerberos delegation exploitation. Delegation enables an application to access a resource hosted on a different server. Without delegation we need to use an AD service account to access the resource.
Here we use two important tools, i.e. mimikatz and kekeo. With mimikatz we dump the passwords and then use them in kekeo to generate a TGT and use it to get a TGS. Once we have the TGS, we again use mimikatz to import that ticket into our session, gaining access to the target machine.
Along with this, you will also get to know how we can use BloodHound to find an exploitation path.
We also get to know about exploiting domain trusts, which usually involves the Golden Ticket method.
This is an amazing room and one of my favourites, as we learn a lot of techniques here, some of which I might even have forgotten to mention.
And now we are in the endgame. As we have access to the Domain Controller, we have now compromised the complete network. But if we need to access the DC again we would have to perform all the steps of pivoting and exploiting again; instead, why not just create persistent access to the DC? The last room in the series explains such techniques.
To gain persistence, the very first thought we all have is to just create our own set of credentials to gain access, or just use any of the compromised ones.
Another thing we could do to gain access to AD is by performing a DCSync attack. A DCSync is just a synchronization between the various AD forests an organization has built.
But we need to understand that not all credentials are equal.
These could be identified by the Blue Team and removed.
A stealthier way is to use a Golden Ticket, as these are forged TGTs, and having a valid TGT for a privileged account lets us gain access to almost any service we want.
Other than these there are some other interesting ways as well, which are explained well in the room and are a must.
After having persistent access we can access the Domain Controller anytime we want, making us the owner of that domain.
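From the defender's side, the persistence techniques above are exactly what the Blue Team hunts for. A DCSync exercises the directory replication control-access rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which Windows records as Security event 4662 with those rights' GUIDs in the Properties field, so an account other than a domain controller using them is the classic alert. As an added example (my own code, not from the room or the post), the script below runs that check over constructed 4662 records; the DC allow-list is an assumption that would normally come from an inventory.

```python
import re

# Microsoft's published control-access right GUIDs for directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Constructed sample 4662 records (not real logs). Domain controller computer accounts
# end in '$' and replicate legitimately; AccessMask 0x100 = control access right used.
SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "jsmith", "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "alice", "SubjectDomainName": "CORP", "AccessMask": "0x10",
     "Properties": "{bf967a9c-0de6-11d0-a285-00aa003049e2}"},
]

GUID_RE = re.compile(r"\{?([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}?", re.I)

def is_domain_controller(account: str, dc_accounts) -> bool:
    """Allow-list check; dc_accounts is assumed to come from an inventory (constructed here)."""
    return account.upper() in {a.upper() for a in dc_accounts}

def detect_dcsync(events, dc_accounts):
    """Return (account, [rights]) for 4662 events where a non-DC principal used replication rights."""
    alerts = []
    for ev in events:
        if ev.get("AccessMask") != "0x100":
            continue
        used = [REPLICATION_RIGHTS[g.lower()]
                for g in GUID_RE.findall(ev["Properties"]) if g.lower() in REPLICATION_RIGHTS]
        if not used or is_domain_controller(ev["SubjectUserName"], dc_accounts):
            continue
        alerts.append((f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}", used))
    return alerts

if __name__ == "__main__":
    for who, rights in detect_dcsync(SAMPLE_4662, {"DC01$", "DC02$"}):
        print(f"[!] possible DCSync by {who}: {', '.join(rights)}")
```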
At the end, I would just like to recommend some labs from TryHackMe again which you should take if you want to enhance your AD exploitation skills; these labs are also on my todo/redo list:
I would suggest doing them in the same order as above because of their difficulty levels.
Another recommendation is none other than HackTheBox machines. There are many related to AD, and they are amazing. Some which I have done and would suggest are:
There is a lot more content on the internet; you can try and practise as much as you want.
But if you are already familiar with these concepts and TryHackMe seems basic or introductory to you, then you can check out some advanced learning resources.
When we start talking about advanced resources, we cannot skip the HackTheBox advanced labs.
My very first suggestion would be to take the HackTheBox Pro Labs. They are paid, but are really worth it. These labs contain real-world-like scenarios, not CTF-ish ones, and they require a good level of knowledge to be cracked.
I once got an opportunity to go through Dante and it was an amazing lab. I was not able to complete it, but the initial access and pivoting were quite tricky.
Once you are done with the HackTheBox labs, you can move on to the OffSec Academy and even Pentester Academy. These two contain some amazing resources for learning not only AD but other domains of hacking as well.
Obviously they are paid and a bit expensive, but they are highly recognized in the industry and add a lot of value to your resume too. OffSec has some extremely high-level content and labs which will give you the "Try Harder" mindset.
Along with this, Pentester Academy has a complete course focused on AD, and its content also teaches some defence measures, which are really helpful, as you get to know how you could be detected and the ways to bypass that.
Course Link: Pentester Academy AD
Done enough courses and want some certifications? Let's go through some amazing certifications as well.
The very first one I would recommend is the Practical Network Penetration Tester (PNPT) offered by TCM Security. This is a new and amazing certification, as it is completely focused on Active Directory. It teaches you everything from OSINT to internal pentesting, letting you gain access to the domain. A must-do for beginners!
Next is none other than the famous Offensive Security Certified Professional (OSCP), or PEN-200. This certification needs no introduction; it is by far the most famous and highly recognized industry certification. And it is a bit tough, as there are some restrictions on the toolset you can use.
If you are already done with OSCP then you can go for the next one on Offensive Security's list, that is Offensive Security Experienced Penetration Tester (OSEP), or PEN-300. This builds upon the knowledge you have from OSCP and covers some more advanced topics as well.
But if you want something more advanced then you should definitely check the Certified Red Team Operator (CRTO) exam provided by Zero-Point Security. From what I have heard, this is a completely red-team-focused certification, so it is very advanced and teaches you how to be less noisy while doing a pentest, giving you a real-world scenario.
There are a lot of certifications offered by various providers which are good, but the above are what I have read about and are highly recognized in the industry as well.
Best of Luck in your Journey!
Happy Hacking :)