Scribd
Upload
25 views

PENTEST Sur AD

The document discusses reconnaissance commands for Active Directory including commands to view local users, current user, current groups, and all domain users. It then discusses using the AD Recon script to gather more information from Active Directory such as users, groups, and DNS records. It also discusses techniques for brute forcing credentials and dumping password hashes from the NTDS.dit file.

Uploaded by

Sébastien Hommais
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
25 views

PENTEST Sur AD

The document discusses reconnaissance commands for Active Directory including commands to view local users, current user, current groups, and all domain users. It then discusses using the AD Recon script to gather more information from Active Directory such as users, groups, and DNS records. It also discusses techniques for brute forcing credentials and dumping password hashes from the NTDS.dit file.

Uploaded by

Sébastien Hommais
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 2

https://gbhackers.

com/amp/

Reconnaissance Commands:
+ c:\ > net user

By running this command in CMD (Command Prompt) you can easily see local users on your PC.

+ c:\ >whoami

This command can help you to see the current user associated with Active Directory logged in.

+ c:\ >whoami /groups

This command helps you to show you the current group

+ c:\ > net user \domain

This command shows you all users from any group in the active directory.
also, you can see every user’s group by running this command :

+ c:\ > net user [username] domain.

To have a better look, you can user “AD Recon” script. AD Recon is a script written by “Sense of
Security“.

It uses about 12 thousand lines of PowerShell script that gives you a good look to AD and all info that
you will need it.

You can download this script from GitHub: https://github.com/sense-of-security/ADRecon screenshots


of the report of this app:

active directory penetration Testing

active directory penetration Testing


Picture2 – List of AD Groups

active directory penetration Testing


Picture3 – List of DNS Record Zones
When you get all AD users, now you should take a look at the group policy. The group policy is a
feature of Microsoft Windows NT family of operating systems that controls the working environment of
user accounts and computer accounts. in the group policy, you can see environment policy such
as”Account Lockout Policy“.

It is a method that provides you networks users to be secure from password-guessing attacks. Also,
you can see “Password Policy“. A password policy is a set of rules designed to enhance computer
security by encouraging users to employ strong passwords and use them properly.

When you get all the data that you need, now you can execute different attacks on users like :

Brute Force Active Directory


To brute force attack on active directory, you can use Metasploit Framework auxiliaries. You can use
below auxiliary:

msf > use auxiliary/scanner/smb/smb_login

The options of this auxiliary you can set username file and password file. and set an IP that has SMB
service open.

then you can run this auxiliary by entering “run” command.

If you try false passwords more than Account Lockout Policy, you can see this message “Account
Has Been Locked out“.

If you try it on all accounts, all users will be disabled and you can see disorder in the network. As you
can see in Password Policy, you can set your password list to brute-force.

All hashes are stored in a file named “NTDS.dit” in this location :

C:\Windows\NTDS

You will extract hashes from this file by using mimikatz. mimikatz has a feature which utilities the
Directory Replication Service (DRS) to retrieve the password hashes from NTDS.DIT file. you can run
it as you can see below :
mimikatz # lsadump::dcsync /domain:pentestlab.local /all /csv

Then you can see hashes and password (if the password can be found).

The active directory includes several services that run on Windows servers, it includes user groups,
applications, printers, and other resources.

It helps server administrators to manage devices connected with the network and it includes a
number of services such as Domain, Certificate Services, Lightweight Directory Services, Directory
Federation and rights management.

Active directory penetration testing is required for any organization, nowaday APT groups actively
targeting Active Directories using different techniques.

You might also like