Windows Active Directory Penetration Testing Study Notes
3 min read, Jun 18, 2024
Table of Contents
AD Basics
- Windows Domain
- Active Directory
- Domain Controller
- Trees
- Forests
- AD Trust
- Security Groups vs OUs
- Group Policy
- Authentication Protocols in AD
Enumeration
- Users, Groups and Machines Enumeration
- Enumerating Defences and Security Settings
- Enumeration with Automated Scripts
- Enumeration with Powerview.ps1
- Enumeration with Metasploit and Powersploit
- AD Enumeration with DSquery
- Enumerating Services and Processes
Exploitation and Privilege Escalation
- BloodHound
- Data Interpretation in BloodHound
- Exploiting ACEs and Permission Delegations
- Exploiting Active Directory using DCOM with Macro-Enabled MS Excel
- Performing DCSync Attack
- Exploiting SeBackupPrivilege
- Using the Diskshadow method and Powershell
- By copying the SAM and SYSTEM Registry hives
- Exploiting PAC in Kerberos
- Exploiting Server Operators Group
- Exploiting DNS Admin Group
- Exploiting Group Policy Preferences
- Manual Methods
- Exploitation with Powersploit
- Token Impersonation
- Kerberos Delegation Exploitation
- Exploiting Delegation With Powerview.ps1
Credential Harvesting & Persistence Attacks
- Kerberos Attacks
- Password Spraying Attack
- ASREP ROASTING
- Brute forcing usernames and passwords with Kerberos
- Kerberoasting using cracked credentials
- Brute forcing a user hash given a list of users and hashes by performing TGTs retrieval
- Kerberos Golden and Silver Tickets
- Cracking ntds.dit and registry file system
- LDAP Pass-back attack
- Harvesting Credentials from Config Files
- Harvesting Credentials From SAM
- Harvesting From Credential Manager
- Harvesting using Local Administrator Password Solution (LAPS)
- Persistence through SID History
- Persistence Through Group Policy
- Persistence through Nested Groups
- Persistence Through Logon Script Deployment
Post Exploitation
- Credential Harvesting
- Dumping certificates from target machine with powershell and Mimikatz in memory
- Infecting other domain joined machines using WMI method from Powerview
- Downloading and executing a powershell script in memory (Mimikatz.ps1) to harvest the admin password on the targeted domain controller.
- Powershell script that Downloads Mimikatz and executes it on multiple defined machines using WMI.
- Credential Harvesting Using LDAP Queries
- Accessing the netlogon share on DC
Lateral Movement
- Definition
- With PsExec
- With WINRM
- With Service Management Tools SC
- With Scheduled Tasks
- With WMI
- Using PassTheHash
- Using Pass The Ticket
- Using Overpass-the-hash / Pass-the-Key
- Using Port Forwarding
- SSH Tunneling
- With Socat
- Dynamic Forwarding with SOCKS
Who is this study guide for?
- Penetration Testers
- Aspiring learners who are looking to learn Windows Active Directory Penetration Testing
Format:
- Markup
Page count: 174