This article combines theoretical concepts with practical examples demonstrated in videos.
Table of contents
2 - Active Directory enumeration
3 - Enumerating users, groups, and computers
4 - Enumerating logged-in users and active sessions
5 - Dumping password hashes
6 - Privilege escalation and lateral movement with the pass-the-hash technique
7 - Establishing persistence and maintaining access with Kerberos golden tickets
Active Directory is mostly installed on Windows Server and consists of several components, among which is the domain controller, which can be thought of as the administrator's workstation.
When you first install Active Directory, you are prompted to create a domain for your organization, for example company.com, and all computers in the organization then join this domain to become part of the Active Directory structure. In the end you have a domain and, under it, users, computers, and groups.
Administrators group users according to their organizational unit, for example IT, HR, Finance, Sales, and so on.
Active Directory Enumeration
Active Directory enumeration starts with gaining knowledge about the existing users, groups, and computers in order to locate high-value groups such as Domain Admins and find out which members belong to them.
Most of the time during a penetration test you will already have gained access to a machine that is joined to the domain, and from this machine you will use different tools and scripts to perform your enumeration.
In the following scenarios we have two machines: the Windows workstation we have just compromised and the Windows Server 2012 domain controller that we need to target.
Enumerating users, groups, and computers
In the video below, we used a PowerShell script to enumerate users, groups, memberships, and their associated permissions. This gave us a complete map of the Active Directory hierarchy and paved the road for deciding on our next target.
One important note: for the method explained in the video to work, you need to understand how LDAP provider paths and DirectorySearcher work, so that you can modify the script as needed to enumerate different aspects of the directory.
Enumerating logged-in users, active sessions, and service principal names
The next step in the process is to locate the users who are logged on to the compromised workstation. If we do so, we will be able to dump the password hashes of these users and use them for privilege escalation on the current Windows machine, which is joined to the domain.
We can also enumerate the currently logged-in users and active sessions on the domain controller, which lets us determine which of the domain admins we can target.
Enumerating the above relies on two Windows APIs: NetSessionEnum and NetWkstaUserEnum. NetWkstaUserEnum requires administrative privileges and returns a list of logged-on users on a target workstation, whereas NetSessionEnum returns the active sessions on existing servers such as file servers and domain controllers.
To accomplish this we use the PowerView script.
Now we come to service principal names. Service principal names (SPNs) are the association between a specific server and a service account. Think of them as identifiers that tie a service account to a service running on a server, such as an HTTP, DNS, or FTP server.
We can enumerate SPNs on a server to find out the IP address and port numbers associated with the service being used, for example to discover an IIS server running on the domain controller.
Watch the video below for the practical part of this section.
Dumping password hashes
Since Windows keeps a copy of password hashes in an in-memory cache, we can use mimikatz to dump all the password hashes on the workstation we have compromised. We can then crack these hashes to obtain the clear-text password or reuse them for other purposes.
However, since password hashes are handled by the LSASS process, which runs as SYSTEM, we need SYSTEM permissions to access them, so it makes sense to elevate our privileges before any password dump attempt.
Mimikatz has many modules for dumping password hashes, among them sekurlsa::logonpasswords.
The video below illustrates this.
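From the defender's side, the dump described above needs a handle to LSASS with memory-read rights, which Sysmon records as Event ID 10 (ProcessAccess). The following is an added example, not code from the article: it checks the GrantedAccess bitmask of constructed Sysmon records against an assumed site-specific allowlist of processes that legitimately read LSASS.

```python
"""Flag suspicious handle opens on lsass.exe in Sysmon ProcessAccess (Event ID 10) records.

Added example, not from the article. Reading LSASS memory requires at least
PROCESS_VM_READ in the granted access mask; requests for PROCESS_ALL_ACCESS
are treated the same way. Sample events and the allowlist are constructed.
"""

PROCESS_VM_READ = 0x0010            # read the target's memory
PROCESS_QUERY_INFORMATION = 0x0400  # 0x1010 = VM_READ | QUERY_INFORMATION, a common dumping mask
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed site-specific allowlist: agents that legitimately open LSASS.
ALLOWED_SOURCES = {r"C:\Program Files\Windows Defender\MsMpEng.exe"}

# Constructed Sysmon Event ID 10 records, field names as Sysmon emits them.
SYSMON_EVENTS = [
    {"EventId": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventId": 10, "SourceImage": r"C:\Users\bob\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventId": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventId": 10, "SourceImage": r"C:\Users\bob\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]


def reads_memory(granted_access):
    """True when the hex access mask includes PROCESS_VM_READ or is PROCESS_ALL_ACCESS."""
    mask = int(granted_access, 16)
    return bool(mask & PROCESS_VM_READ) or mask == PROCESS_ALL_ACCESS


def suspicious_lsass_access(events):
    """Return (SourceImage, GrantedAccess) for non-allowlisted memory reads of lsass.exe."""
    hits = []
    for e in events:
        if e["EventId"] != 10 or not e["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue  # only handle opens on LSASS matter here
        if e["SourceImage"] in ALLOWED_SOURCES:
            continue  # known-good agent
        if reads_memory(e["GrantedAccess"]):
            hits.append((e["SourceImage"], e["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, access in suspicious_lsass_access(SYSMON_EVENTS):
        print(f"suspicious LSASS access: {source} ({access})")
```

Query-only opens such as 0x1400 are routine and are ignored; enabling LSA protection (RunAsPPL) or Credential Guard limits what a flagged handle can actually read.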
Privilege escalation and lateral movement with the pass-the-hash technique
So far we have learned how to enumerate Active Directory, gained knowledge about logged-in users and active sessions, and dumped the password hashes of the workstation. The next step is to use all we have gathered to gain privileged access to the domain controller.
We do that with a technique called overpass the hash.
This technique relies on abusing the user's NTLM hash and converting it into an authenticated Kerberos ticket, which grants us access to the target machine, in our case the domain controller.
One condition for this attack to work is that the administrator of the domain controller must have their NTLM hash stored in the memory cache of the Windows machine we have compromised, which means they must have logged into that machine in the past.
Assuming they did, we can dump their hash and use mimikatz to convert it into a Kerberos ticket, creating a PowerShell process in the context of the domain controller's admin user.
We then use PsExec.exe to gain command prompt access to the domain controller as the administrator.
The video below demonstrates this.
Establishing persistence and maintaining access with Kerberos golden tickets
Golden tickets are self-made tickets that we forge after gaining administrative access or an administrative cmd on the domain controller, in order to establish a new fake user and maintain our access.
Golden tickets use the domain identifier and the NTLM hash of krbtgt, the account whose key is used to encrypt the TGT during Kerberos authentication.
The video below demonstrates this.
I hope this was helpful, and don't forget to subscribe to my channel for more content.
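Both the overpass-the-hash step and the golden ticket described above leave traces in the Security log that a defender can correlate. The following is an added example, not code from the article: it scans constructed 4624/4768/4769 records for a NewCredentials logon through the seclogo logon process followed by an RC4 TGT request (the NTLM hash is the only key material available), and for service ticket requests from a principal the domain controller never issued a TGT to (a forged TGT). Field names follow the Windows Security log; "time" is simplified to epoch seconds.

```python
"""Flag overpass-the-hash and golden-ticket indicators in Windows Security events.

Added example, not from the article. Sample events are constructed; field
names mirror the Security log (4624 logon, 4768 TGT request, 4769 TGS request).
"""
from collections import defaultdict

RC4_HMAC = "0x17"         # Ticket Encryption Type for RC4-HMAC, the NTLM-derived key
NEWCREDENTIALS = 9        # Logon Type used by runas /netonly and pass-the-hash tooling
TGT_LIFETIME = 10 * 3600  # default TGT lifetime: a genuine TGS request needs a TGT this recent

# Constructed sample events, oldest first is not assumed (they are sorted below).
EVENTS = [
    {"id": 4768, "time": 100, "user": "alice", "host": "WS01", "etype": "0x12"},
    {"id": 4769, "time": 105, "user": "alice", "host": "WS01", "service": "cifs/FS01"},
    {"id": 4624, "time": 200, "user": "da_admin", "host": "WS02", "logon_type": 9,
     "logon_process": "seclogo", "auth_package": "Negotiate"},
    {"id": 4768, "time": 201, "user": "da_admin", "host": "WS02", "etype": "0x17"},
    {"id": 4769, "time": 300, "user": "ghost", "host": "WS02", "service": "cifs/DC01"},
]


def find_indicators(events):
    """Return (event_id, user, reason) for each suspicious event, in time order."""
    hits = []
    tgt_times = defaultdict(list)  # user -> times the DC actually issued a TGT
    for e in sorted(events, key=lambda x: x["time"]):
        if e["id"] == 4768:
            tgt_times[e["user"]].append(e["time"])
            # Only meaningful where AES is the norm for the account; RC4-only domains are noisy.
            if e["etype"] == RC4_HMAC:
                hits.append((4768, e["user"], "rc4-tgt-request"))
        elif (e["id"] == 4624 and e.get("logon_type") == NEWCREDENTIALS
              and e.get("logon_process") == "seclogo"):
            # A legitimate runas /netonly looks identical; correlate with the 4768 above.
            hits.append((4624, e["user"], "newcredentials-seclogo-logon"))
        elif e["id"] == 4769:
            # Requires events from every DC; TGT renewals (4770) are not tracked here.
            recent = [t for t in tgt_times[e["user"]] if 0 <= e["time"] - t <= TGT_LIFETIME]
            if not recent:
                hits.append((4769, e["user"], "tgs-without-tgt"))
    return hits


if __name__ == "__main__":
    for hit in find_indicators(EVENTS):
        print(hit)
```

The krbtgt-based ticket remains valid until the krbtgt password is changed twice, so the tgs-without-tgt check matters even after the compromised workstation is cleaned.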