🖥️ Active Directory Hacking Course for Beginners

Jul 7, 2024

Introduction

  • Instructor: Heath Adams
  • Course: Addition to Practical Ethical Hacking Course (25-hour comprehensive course)
  • Access: Available on YouTube and all-access plan with up-to-date materials
  • Content: 5 hours of free material on Active Directory (AD) Hacking
  • Prerequisites: Linux machine setup, basic knowledge of computers and networks

Setting up a Virtual Machine

Virtual Machine (VM) Basics

  • VM: Machine inside a machine; e.g., running Windows 10 inside Windows 10
  • Software Needed: VMware Workstation Player (for Windows/Linux) or Oracle VirtualBox (for Mac)

Steps to Install VM Software

  1. Download VMware: From VMware Workstation Player official page
  2. Download VirtualBox: From Oracle’s VirtualBox download page
  3. Installation: Follow the installation wizard, set preferences
  4. Restart System: Necessary to apply configurations

Installing Kali Linux

  1. Download Kali Linux: Get the appropriate version for a VM
  2. Extract & Open: Open the Kali Linux image in your VM software
  3. Configure Settings: Allocate RAM (preferably >2GB), set to NAT Network
  4. First Run: Default credentials (username: kali, password: kali)

Additional Configurations (VirtualBox)

  • Install Extension Pack: Needed for additional features
  • NAT Network Setup: Ensure VMs can communicate within the same network subnet

Final Configuration and Tools

  • Set Up Pimp My Kali: Install necessary tools for AD hacking
  • Ensure Stability: 16GB of RAM, 60GB disk space recommended

Active Directory Basics

Understanding Active Directory

  • Definition: Directory service for managing users, computers, and other resources
  • Common Uses: Centralized login, Kerberos authentication
  • Relevance: Widely used (95% of Fortune 1000 companies)

AD Components

Physical Components

  • Domain Controller (DC): Main server managing AD, hosts directory services
    • Functions: Authentication, Authorization, Replication, Administrative Access
    • Key File: ntds.dit holds all directory data, including password hashes

Logical Components

  • Schema: Rule book; enforces object creation rules
  • Domain: Logical grouping of objects (users, computers)
  • Trees: Hierarchical group of domains sharing a contiguous namespace
  • Forest: Collection of trees (independent AD installations)
  • OU (Organizational Units): Containers for organizing users, groups, computers
  • Trusts: Relationships allowing resource access between domains
  • Objects: Users, groups, computers, etc.

Implementing a Lab Environment

Setting up the Lab

  • Components Needed:
    • 1 x Windows Server 2019 (DC)
    • 2 x Windows 10 Enterprise machines
  • Resources: Minimum 16GB RAM, 60GB+ disk space

Installation and Configuration

  • Windows Server: Domain Controller setup, essential features (ADDS, Group Policies)
  • Client Machines: Basic installation, domain join, enabling shared directories

Attacking Active Directory

Initial Attack Vectors

  1. LLMNR Poisoning

    • Tool: Responder (Impacket toolkit)
    • Goal: Capture password hashes by impersonating DNS responses
    • Steps:
      • Run Responder
      • Force DNS failure to trigger LLMNR
      • Capture NTLMv2 hash
      • Crack with Hashcat (Module 5600)
  2. SMB Relay

    • Requirement: SMB Signing disabled
    • Goal: Use captured hashes to gain access to other machines
    • Steps:
      • Configure Responder to not respond on SMB/HTTP
      • Use NTLMRelayX to relay captured credentials
      • Gain access, dump SAM hashes
  3. IPv6 Attacks

    • Tool: MITM6, NTLMRelayX
    • Goal: Spoof DNS via IPv6, capture, and relay LDAP credentials
    • Steps:
      • Set up MITM6 to spoof IPv6 DNS
      • Use NTLMRelayX to relay credentials to LDAP
      • Gain access, manipulate AD objects

Post-Compromise Enumeration

  1. PowerView

    • Usage: Enumerate users, groups, policies, computers within AD
    • Commands:
      • Get-NetDomain: Domain information
      • Get-NetUser: User details
      • Get-NetComputer: List computers
      • Get-NetGroup: List and query groups
  2. BloodHound

    • Usage: Visualize domain relationships and attack paths
    • Setup: Install via apt, run Neo4j, upload AD data via SharpHound
    • Queries: Find shortest path to domain admins, analyze trust relationships

Post-Compromise Attacks

Pass-the-Hash/Password

  • Tool: CrackMapExec
  • Steps:
    • Use valid password/hashes to authenticate across the network
    • CrackMapExec to locate accessible machines

Token Impersonation

  • Tool: Incognito in Meterpreter
  • Steps:
    • Identify tokens (sessions)
    • Impersonate tokens
    • Gain higher privileges via impersonation

Kerberoasting

  • Concept: Abuse Kerberos service tickets for offline cracking
  • Steps:
    • Request TGS from DC using valid SPN
    • Crack returned hash via Hashcat (Module 13100)

GPP cPassword Attack

  • Vulnerability: Pre-2014 group policies with embedded credentials
  • Steps:
    • Access Groups.xml in SYSVOL
    • Decrypt the cPassword value using the gpp-decrypt tool

Mimikatz Usage

  • Function: Extract credentials, manipulate Kerberos tickets
  • Key Commands:
    • privilege::debug: Enable debug mode
    • sekurlsa::logonpasswords: Dump logged-on credentials
    • lsadump::dcsync: Dump credentials from DC

Golden Ticket Attack

  • Concept: Create Kerberos tickets granting full domain access
  • Key Elements: Extract krbtgt hash, craft TGTs
  • Steps:
    • Use Mimikatz to extract krbtgt hash
    • Generate TGT, pass ticket

Mitigations

  • LLMNR/SMB Relay:
    • Disable LLMNR/NetBIOS, enable SMB signing
  • IPv6 Attacks:
    • Disable IPv6 if not needed
    • Enable LDAP signing and LDAP channel binding
  • Pass-the-Hash: Strong unique passwords, limit local admins
  • Token Impersonation: Implement account tiering
  • Kerberoasting: Use strong, complex SPN account passwords
  • GPP/Vulnerabilities: Remove old policies, monitor SYSVOL changes
  • Golden Ticket: Monitor logs for unauthorized ticket creation, reset the krbtgt account password periodically
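The following audit script is an added example, not material from the course: it reads the registry values behind the LLMNR, NetBIOS, SMB signing and LDAP signing/channel binding mitigations listed above and reports which are enforced on the host it runs on. It assumes an elevated PowerShell session; the LDAP checks are skipped on non-DC machines.

```powershell
# Added hardening audit (not part of the course). Run elevated on a domain-joined host.
# A missing key or value is reported as "not set", which means the insecure default applies.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Format-Result($control, $actual, $expect) {
    $status = if ($actual -eq $expect) { 'PASS' } else { 'FAIL' }
    $shown  = if ($null -eq $actual) { 'not set' } else { $actual }
    '{0,-4} {1,-36} actual={2} required={3}' -f $status, $control, $shown, $expect
}

# Registry settings behind the mitigations; Scope 'dc' only applies on a domain controller.
$checks = @(
    @{ Control='LLMNR disabled';                Scope='all'; Expect=0
       Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';         Name='EnableMulticast' }
    @{ Control='SMB signing required (server)'; Scope='all'; Expect=1
       Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';     Name='RequireSecuritySignature' }
    @{ Control='SMB signing required (client)'; Scope='all'; Expect=1
       Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name='RequireSecuritySignature' }
    @{ Control='LDAP signing required';         Scope='dc';  Expect=2
       Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';             Name='LDAPServerIntegrity' }
    @{ Control='LDAP channel binding enforced'; Scope='dc';  Expect=2
       Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';             Name='LdapEnforceChannelBinding' }
)

# DomainRole 4 = backup DC, 5 = primary DC; anything lower is a member/standalone machine.
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

foreach ($c in $checks) {
    if ($c.Scope -eq 'dc' -and -not $isDc) { continue }
    Format-Result $c.Control (Get-RegValue -Path $c.Path -Name $c.Name) $c.Expect
}

# NetBIOS over TCP/IP is configured per network adapter: NetbiosOptions 2 = disabled.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $ifRoot | ForEach-Object {
    $opt = Get-RegValue -Path $_.PSPath -Name 'NetbiosOptions'
    Format-Result ("NetBIOS disabled on " + $_.PSChildName) $opt 2
}
```

Deploy the corresponding settings through Group Policy rather than editing the registry by hand; the script is only a read-only check that the policy actually landed on each host.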

Conclusion

Next Steps: Advanced penetration testing courses, obtaining certifications like PJPT and PMPT, hands-on labs

Resources: Further reading materials, SpecterOps team blogs

Practice: Hack the Box, other CTF platforms

Thank you for participating in this course!