Active Directory Pentest

Introduction to Active Directory Pentesting

Active Directory (AD) Pentesting is a critical skill for cybersecurity professionals aiming to secure enterprise environments or identify potential vulnerabilities. This blog is designed to guide you through the fundamental concepts and advanced techniques involved in testing and securing Active Directory setups.

You will delve into topics like AD enumeration, identifying misconfigurations, exploiting common vulnerabilities, and simulating real-world attack scenarios. The techniques discussed are not only useful for offensive security practitioners but also invaluable for strengthening defenses against AD-based attacks.

By the end of this blog, you will gain a comprehensive understanding of Active Directory pentesting methodologies, equipping you to assess and enhance the security posture of AD environments effectively. Whether you’re a penetration tester or a defender, this resource is an essential step toward mastering Active Directory security.

Introduction

This PowerShell script is designed for penetration testers to perform comprehensive Active Directory (AD) enumeration using LDAP. It scans for potential attack vectors such as Kerberoasting, AESRoasting, password policy violations, and identifies workstation administrators. The script provides a detailed overview of the AD environment and actionable insights for exploitation.

PowerShell Script

<#
Author: Mohamed Haytham (0xdragon)
Purpose: Comprehensive AD enumeration and attack surface analysis using LDAP.
#>

# Parameters
param (
    [string]$Domain = "example.com",
    [string]$Username = "administrator",
    [string]$Password = "password123",
    [string]$LDAPServer = "ldap.example.com"
)

# The Get-AD* cmdlets used below come from the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory -ErrorAction Stop

# Establish LDAP Connection
try {
    $UPN = "$Username@$Domain"
    $SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
    $Credential = New-Object System.Management.Automation.PSCredential ($UPN, $SecurePassword)

    Write-Host "[+] Connecting to LDAP server..." -ForegroundColor Green
    # Bind with the supplied credential rather than the caller's session.
    # LDAP://<server> without a DN resolves to the domain's default naming context.
    $LDAPConnection = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$LDAPServer", $UPN, $Password)
    # DirectoryEntry binds lazily; reading NativeObject forces the bind so a bad
    # server name or credential fails here instead of in a later section.
    $null = $LDAPConnection.NativeObject
    Write-Host "[+] Successfully connected to $LDAPServer" -ForegroundColor Green
} catch {
    Write-Host "[-] Failed to connect to LDAP server: $_" -ForegroundColor Red
    exit
}

# Common parameters for every ActiveDirectory cmdlet call (target server and credential)
$ADParams = @{ Server = $LDAPServer; Credential = $Credential }

# Enumerate Domain Details
Write-Host "`n[Domain Details]" -ForegroundColor Cyan
try {
    $DomainRoot = $LDAPConnection.distinguishedName
    Write-Host "Domain Root: $DomainRoot"
} catch {
    Write-Host "[-] Error enumerating domain details: $_" -ForegroundColor Red
}

# Enumerate Users
Write-Host "`n[Users]" -ForegroundColor Cyan
try {
    $Users = Get-ADUser -Filter * -Properties DisplayName, MemberOf, Description @ADParams
    foreach ($User in $Users) {
        Write-Host "User: $($User.SamAccountName), Groups: $($User.MemberOf)"
    }
} catch {
    Write-Host "[-] Error enumerating users: $_" -ForegroundColor Red
}

# Enumerate Groups
Write-Host "`n[Groups]" -ForegroundColor Cyan
try {
    $Groups = Get-ADGroup -Filter * -Properties Members @ADParams
    foreach ($Group in $Groups) {
        Write-Host "Group: $($Group.Name), Members: $($Group.Members)"
    }
} catch {
    Write-Host "[-] Error enumerating groups: $_" -ForegroundColor Red
}

# Enumerate Organizational Units (OUs)
Write-Host "`n[Organizational Units]" -ForegroundColor Cyan
try {
    $OUs = Get-ADOrganizationalUnit -Filter * @ADParams
    foreach ($OU in $OUs) {
        Write-Host "OU: $($OU.Name), DistinguishedName: $($OU.DistinguishedName)"
    }
} catch {
    Write-Host "[-] Error enumerating OUs: $_" -ForegroundColor Red
}

# Kerberoasting Candidates
Write-Host "`n[Kerberoasting Candidates]" -ForegroundColor Cyan
try {
    # Any account with an SPN can have a service ticket requested for it; if the
    # account password is weak, that ticket can be cracked offline.
    $SPNUsers = Get-ADUser -Filter { ServicePrincipalName -like "*" } -Properties ServicePrincipalName @ADParams
    foreach ($User in $SPNUsers) {
        Write-Host "User: $($User.SamAccountName), SPN: $($User.ServicePrincipalName)"
    }
} catch {
    Write-Host "[-] Error finding Kerberoasting candidates: $_" -ForegroundColor Red
}

# AESRoasting Candidates
Write-Host "`n[AESRoasting Candidates]" -ForegroundColor Cyan
try {
    # AD filters do not support comparisons with $null; -like "*" matches any
    # account where the attribute is set. The value is a bitmask of the Kerberos
    # encryption types the account supports (RC4 = 0x4, AES128 = 0x8, AES256 = 0x10).
    $AESUsers = Get-ADUser -Filter 'msDS-SupportedEncryptionTypes -like "*"' -Properties 'msDS-SupportedEncryptionTypes' @ADParams
    foreach ($User in $AESUsers) {
        Write-Host "User: $($User.SamAccountName), Encryption Types: $($User.'msDS-SupportedEncryptionTypes')"
    }
} catch {
    Write-Host "[-] Error finding AESRoasting candidates: $_" -ForegroundColor Red
}

# Password Policy Violations
Write-Host "`n[Password Policy Violations]" -ForegroundColor Cyan
try {
    # PasswordNotRequired allows an empty password; disabled accounts are listed
    # as well because their passwords are rarely rotated.
    $WeakAccounts = Get-ADUser -Filter { PasswordNotRequired -eq $true -or Enabled -eq $false } -Properties PasswordNotRequired @ADParams
    foreach ($Account in $WeakAccounts) {
        $Reason = if ($Account.PasswordNotRequired) { "password not required" } else { "account disabled" }
        Write-Host "User: $($Account.SamAccountName), Status: Weak Configuration ($Reason)"
    }
} catch {
    Write-Host "[-] Error finding password policy violations: $_" -ForegroundColor Red
}

# Workstation Admins
Write-Host "`n[Workstation Admins]" -ForegroundColor Cyan
try {
    # Matches every group with "Admins" in its name, so built-in groups such as
    # Domain Admins appear alongside delegated workstation admin groups.
    $AdminGroups = Get-ADGroup -Filter { Name -like "*Admins*" } -Properties Members @ADParams
    foreach ($Group in $AdminGroups) {
        Write-Host "Group: $($Group.Name), Members: $($Group.Members)"
    }
} catch {
    Write-Host "[-] Error enumerating workstation admins: $_" -ForegroundColor Red
}

Write-Host "`n[+] Enumeration and attack surface analysis completed successfully!" -ForegroundColor Green

Usage

  1. Open PowerShell as Administrator.
  2. Save the script as AD_Enum.ps1.
  3. Run the script with the required parameters:

     .\AD_Enum.ps1 -Domain "example.com" -Username "administrator" -Password "password123" -LDAPServer "ldap.example.com"

  4. Review the output for actionable insights and potential attack vectors.

Key Features

  • Enumerates domain details, users, groups, and OUs.
  • Identifies Kerberoasting and AESRoasting candidates.
  • Detects weak password policies and disabled accounts.
  • Lists workstation admins and privileged groups.

This script provides a comprehensive overview of an AD environment for penetration testers, leveraging LDAP queries to extract critical information for exploitation.
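The Kerberoasting and AESRoasting sections of the script print msDS-SupportedEncryptionTypes as a raw integer. The following added example (not part of the author's script) decodes that bitmask and joins it with the SPN check, so the reviewer can see which service accounts still permit RC4 and should be moved to AES-only first. It assumes the ActiveDirectory module is loaded and reuses the $LDAPServer and $Credential values from the script above.

```powershell
# Added example, not part of the author's script: decode msDS-SupportedEncryptionTypes
# and report which SPN-bearing accounts still permit RC4. Assumes the ActiveDirectory
# module is loaded and reuses $LDAPServer and $Credential from the script above.

# Bit values of msDS-SupportedEncryptionTypes as documented in MS-KILE.
$EncTypeFlags = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128-CTS'  = 0x08
    'AES256-CTS'  = 0x10
}

function ConvertTo-EncTypeName {
    param([Nullable[int]]$Value)
    # Unset or zero means the KDC falls back to the domain default, which on
    # most domains still includes RC4.
    if (-not $Value) { return 'not set (domain default)' }
    $Names = foreach ($Entry in $EncTypeFlags.GetEnumerator()) {
        if (($Value -band $Entry.Value) -ne 0) { $Entry.Key }
    }
    return ($Names -join ', ')
}

function Get-SpnAccountEncTypes {
    param([string]$Server, [pscredential]$Credential)
    $ADParams = @{ Server = $Server; Credential = $Credential }
    $Accounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes' @ADParams
    foreach ($Account in $Accounts) {
        $Raw = $Account.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            SPNCount       = @($Account.ServicePrincipalName).Count
            EncTypes       = ConvertTo-EncTypeName $Raw
            # RC4 is allowed when its bit is set or when the attribute is unset/zero.
            AllowsRC4      = (-not $Raw) -or (($Raw -band 0x04) -ne 0)
        }
    }
}

# Rows with AllowsRC4 = True are the accounts to move to AES-only (or to a group
# managed service account) first; they are the SPN accounts whose service tickets
# are issued with the weakest encryption.
Get-SpnAccountEncTypes -Server $LDAPServer -Credential $Credential |
    Sort-Object AllowsRC4 -Descending | Format-Table -AutoSize
```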

How to Automate Active Directory Enumeration Using PowerView

Introduction

PowerView is a powerful PowerShell script for enumerating Active Directory environments. It’s part of the PowerSploit framework and is widely used in penetration testing and red team operations to gather information about domains, users, groups, and more.

🔗 Download PowerView: PowerSploit GitHub Repository (https://github.com/PowerShellMafia/PowerSploit)

Basic Setup

  1. Clone the PowerSploit repository:

     git clone https://github.com/PowerShellMafia/PowerSploit.git
     cd PowerSploit/Recon

  2. Load the PowerView.ps1 script in PowerShell:

     Import-Module .\PowerView.ps1


Examples

1. Domain Enumeration

  • Get domain information (the output shows the domain name, SID, and other details):

      Get-NetDomain

2. User Enumeration

  • List all domain users:

      Get-NetUser

  • Find users with specific attributes (e.g., admin accounts; -AdminCount is a switch):

      Get-NetUser -AdminCount

3. Group Enumeration

  • Get all domain groups:

      Get-NetGroup

  • Find members of a specific group:

      Get-NetGroupMember -GroupName "Domain Admins"

4. Computer Enumeration

  • List all computers in the domain:

      Get-NetComputer

  • Filter by operating system:

      Get-NetComputer -OperatingSystem "*Server*"

5. Organizational Units (OUs)

  • Enumerate OUs:

      Get-NetOU

6. Trust Relationships

  • Check domain trust relationships:

      Get-NetDomainTrust

7. Service Principal Names (SPNs)

  • Identify accounts with SPNs (useful for Kerberoasting):

      Get-NetUser -SPN

8. Group Policy Objects (GPOs)

  • List GPOs in the domain:

      Get-NetGPO

  • List the GPOs applied to a specific computer:

      Get-NetGPO -ComputerName "TargetComputer"

9. Access Control Lists (ACLs)

  • Identify interesting ACLs in the domain:

      Find-InterestingDomainAcl


This post is licensed under CC BY 4.0 by the author.