We demonstrated the steps taken to perform a penetration test against a Windows machine with Active Directory installed. We escalated our privileges with Mimikatz and WinRM. This was part of the Cyberseclabs Secret walkthrough.
Windows Active Directory Penetration Testing Study Notes
Introduction to Active Directory Penetration Testing
The video focuses on testing an Active Directory (AD) box in a Windows environment, a common scenario in real-world penetration tests since most businesses use AD. The goal is to enumerate the system, find vulnerabilities, and escalate privileges.
Initial Enumeration
An Nmap scan reveals several open ports, such as:
- Port 53 (DNS)
- Port 88 (Kerberos)
- Ports 139 and 445 (SMB for file shares)
- Port 3268 (Global Catalog, indicating Active Directory)
From this, the tester concludes that the machine likely hosts Active Directory and could be a domain controller.
Enumerating SMB Shares
SMB enumeration is where we begin, and it yields a cleartext password. Using a list of potential users, we identify which domain user the password belongs to. From there, autologon credentials were found in the registry; they were valid for a different user who, because of an overly liberal nested group membership, held replication privileges over the domain object.
Using the Password to Attack Active Directory
After obtaining the plaintext password, the tester deduces that it could belong to one of the employees. They create a username list based on the names of employees discovered in the SMB shares. The tester uses CrackMapExec, a tool for testing SMB credentials, to check which username/password combination works. They find that the password belongs to jcakes.
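From the defender's side, the single-password-against-many-users check described above leaves a distinctive trace in the domain controller's Security log: one source produces 4625 logon failures for many different accounts in a short span, often followed by a 4624 success for the account that matched. The following detection logic is an added example, not code from the walkthrough; the event records, IP addresses and usernames are constructed for the example.

```python
"""Flag password-spray behaviour in Windows Security events (4625 failures, 4624 success).

A spray tries one password across many accounts, so the signature is a single source
address failing logons for many distinct usernames inside a short window. A normal
user mistyping their own password repeatedly does not match, because the username count
stays at one. The event tuples below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

STATUS_LOGON_FAILURE = "0xC000006D"  # NTSTATUS: unknown user or bad password

# Constructed records: (event_id, timestamp, target user, source IP, NTSTATUS)
EVENTS = [
    (4625, "2024-05-01T09:00:01", "abaker", "10.10.14.5", STATUS_LOGON_FAILURE),
    (4625, "2024-05-01T09:00:02", "cdavis", "10.10.14.5", STATUS_LOGON_FAILURE),
    (4625, "2024-05-01T09:00:03", "efoster", "10.10.14.5", STATUS_LOGON_FAILURE),
    (4625, "2024-05-01T09:00:04", "ghall", "10.10.14.5", STATUS_LOGON_FAILURE),
    (4625, "2024-05-01T09:00:05", "ijones", "10.10.14.5", STATUS_LOGON_FAILURE),
    (4624, "2024-05-01T09:00:06", "jcakes", "10.10.14.5", "0x0"),
    # One user repeatedly mistyping their own password is not a spray.
    (4625, "2024-05-01T09:30:00", "mlee", "10.10.20.7", STATUS_LOGON_FAILURE),
    (4625, "2024-05-01T09:30:20", "mlee", "10.10.20.7", STATUS_LOGON_FAILURE),
    (4625, "2024-05-01T09:30:40", "mlee", "10.10.20.7", STATUS_LOGON_FAILURE),
]


def detect_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return {source_ip: {"sprayed": [users], "succeeded": [users]}} for every
    source whose failures cover at least min_users distinct accounts inside any
    window-length span. "succeeded" lists 4624 logons from that source at or after
    the spray started: those accounts are the ones to triage and reset first."""
    failures, successes = defaultdict(list), defaultdict(list)
    for eid, ts, user, src, status in events:
        t = datetime.fromisoformat(ts)
        if eid == 4625 and status == STATUS_LOGON_FAILURE:
            failures[src].append((t, user.lower()))
        elif eid == 4624:
            successes[src].append((t, user.lower()))
    hits = {}
    for src, attempts in failures.items():
        attempts.sort()  # chronological, so each index can open a window
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                later = sorted({u for t, u in successes[src] if t >= start})
                hits[src] = {"sprayed": sorted(users), "succeeded": later}
                break
    return hits


if __name__ == "__main__":
    for src, info in detect_spray(EVENTS).items():
        print(f"{src}: sprayed {len(info['sprayed'])} accounts, success for {info['succeeded']}")
```

On a real domain controller the same tuples come from Get-WinEvent or a SIEM export of the Security log; lowering min_users or widening the window trades false positives for sensitivity to slower sprays.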
Gaining Initial Access with Evil-WinRM
With the credentials jcakes/Secret!, the tester logs into the Active Directory system using Evil-WinRM, a tool for remote management. This grants them initial non-privileged access to the Active Directory environment.
Privilege Escalation
Once inside the system, the tester begins the process of privilege escalation. The next steps include enumerating users, groups, and organizational units (OUs) within the Active Directory to target sensitive accounts or the domain controller. The tester uses a custom PowerShell script to enumerate all users in the Active Directory.