I am sure there are more than one ways of performing a penetration test on windows active directory. In this article, I am listing some of the tricks that I would generally use when I will encounter a windows domain.
The aim of performing a pen test on windows active directory could vary, however, I believe gaining administrative level privileges on the “Domain Controller” is the ultimate challenge for a pen tester. Here are some scenarios you may encounter:-
Case 1: You are allowed to plug your laptop to the internal network and all you have been given is the target range:
This is the most common scenario. I would usually proceed in the following manner:
1. Identify the vulnerabilities:
Use nmap to identify the open ports and then run Nessus. Nessus will give u a very good idea as to how good/bad is the overall security. Hopefully, nessus will come back with certain high risk issues
2. Exploit the vulnerability:
Fire metasploit and verify if the nessus findings are not false positives. If the exploit is successful, you will now have a remote shell on that box.
3. Add a dummy account :
The first thing to do now is to add a localuser with admin privileges to that box:
Net user pentest p3nt3st /add
Net localgroup administrators pentest /add Sometimes you need to do this too:
net group “domain admins” pentest /add
PS: Make sure that this account is removed after the test is over.
4. Get Hashes from the Box you owned:
Now its time to fire cain. Go to the quick list section, add the ip address of the box you have just owned, and supply the credentials for the account that you have just created.(pentest/pentest). Go to services section right click, install abel disconnect connect again with the same credentials.
Now you will see a new section called abel which will have a sub section to dump all users and another subsection to dump the hashes. After you dump the hashes, send them to the inbuilt cain cracker and start cracking. Also it’s worth mentioning about ‘fgdump’ which can be used for similar purposes. It’s a modern tool that can evade AV and avoid crashing fully patched systems.
5. Lets focus on the Domain Now
Hopefully at this point in time, you will have the usernames and passwords for all users on the box which you have just owned. Remember, the entire aim of cracking the hashes is to try if the same passwords work on other boxes as well. If you are lucky, you may be surprised to find the same admin password which you just cracked works for all the local admin accounts. Now, lets see if the same password works on the domain controller as well.
Question: How do I find out if the box I owned is a part of domain or not?
Answer: the following the command will tell you the domain name as well as the domain controller as well as the groups present on the domain:
Net localgroup /domain
You can also get a list of all the ‘domain users’ with this command’ Net users /doman
6. Owning the Domain Controller
Now then since you know the domain controller, try the same admin password on this box, and it could be game over.
If the same password does not work on the domain controller, things to try are:
You can obtain the domain users either by issuing a “net users /domain” command on the box you owned or you obtain this information through nessus provided the null
1 session settings are enabled on any of the test boxes. As you already have the list of domain users now, identify the domain admin accounts and try to crack the passwords for these accounts against services like smb, rdp etc. If you succeed, you can go home early. Tools to use THCHydra, ntenum3.3, tsgrinder
It could be possible that the box which you owned in step 2 could have been used by a domain admin to log into some service, so try cache dump and also dumping the LSA secrets to gain all the passwords you could possibly gain. A cached domain admin password will again imply game over. I would quote someone here, “lsadump is a really important thing to try. It gives the clear text passwords for all service accounts. Some of which might be of ‘domain admins’. Not so common on 2k3 networks, but common enough.”
Of course, you will be running nessus against all the boxes including the domain controller and you will have the list of vulnerabilities against every box. Try exploiting the domain controller directly using metasploit modules. One of the things which has a very
1 Null session can give out a vast amount of information to an attacker. The recommended registry settings to disable a null session and the related security issues in windows 2003 server are :
Name: RestrictAnonymous-1 (set it to 2 on windows 2000)
high probability to succeed is the ms07-029 issue which exploits a flaw in the MS DNS RPC interface. This service is enabled by default on the ‘Domain Controllers’.
7. Get the Domain Users Hashes
Repeat the step 4 to connect to the domain controller as an admin user and get the hash of all the domain users. Should we crack the domain users’ hash? Well, not really, but, just do it. ?
Case2: You are not allowed to plug your laptop to the target network. You have been given access to a workstation and a standard domain account.
Things to try:
Search milw0rm for local windows exploit against that particular OS and the service pack, and try to gain local ‘system’ level access on the workstation and repeat the processes 1-6 mentioned above.
Try to gain access to command prompt. It is a common practise to not allow access to cmd.exe. However, in most of the cases it is not very difficult to break this protection. After you have access to cmd.exe run the net users and the net localgroup command to identify the admin domain users and try cracking a domain admin password against services like smb, rdp etc. However, this may/may not work as you will not have admin access to run these tools.
If the BIOS password is not enabled, you make the workstation book from the CD released by eeye sysrq2 to gain system level privileges on the workstation and then repeat process 1-7.
Hopefully, you know now something about pen testing an active directory.
• Nmap –port scanner command line:-
Nmap –sV –sS –O –oA myreport –vvv -iL targets.txt –p 1-65535 –P0 www.insecure.org
• Nessus Use the GUI
Both command line and web interface available.
Command line:- nbtenum3.3.exe –s ips.txt mydictionary.txt
• Cain (www.oxid.it )
• Pwdump • Nltest
• SYSrq2 (http://research.eeye.com/html/tools/RT20060801-8.html )