Active Directory Penetration Testing: A Pro’s Guide


Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is widely used by organizations to manage their network resources and user accounts. As such, it is a prime target for attackers. Therefore, penetration testing of Active Directory is an essential aspect of securing any IT infrastructure.

Reconnaissance

The first stage of Active Directory penetration testing is reconnaissance of the network. Every user joins the domain through an account held on the domain controller (DC), and any authenticated AD user can read this account information. A domain account name has two parts: the domain name followed by the username.

Several commands can be used for reconnaissance:

  • net user: run in CMD (Command Prompt), this lists the local user accounts on your PC.
  • whoami: shows the currently logged-in user as domain\username.
  • whoami /groups: shows the groups the current user belongs to.
  • net user /domain: lists all user accounts in the domain. You can also see a single user’s group memberships by running net user [username] /domain.

For a more comprehensive look, you can use ADRecon, a PowerShell script that produces a detailed report of the domain and most of the information you will need. The script can be downloaded from GitHub.

Group Policy

Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. It includes security settings such as the “Account Lockout Policy” and the “Password Policy”. The former limits password-guessing attacks by locking an account after a set number of failed logons, while the latter requires users to choose strong passwords and to change them regularly.
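As an added example (not code from the original article), the following Python snippet parses the output of the `net accounts` command, which reports the effective Account Lockout Policy and Password Policy on a Windows host, and audits it against a baseline. The sample output, the baseline thresholds and the finding text are constructed for illustration; the audit captures the trade-off the next section relies on: no lockout threshold leaves password guessing unconstrained, while a very low one lets a brute-force run lock out every account.

```python
"""Audit the lockout and password policy reported by `net accounts`.
Added example, not from the original article. SAMPLE_NET_ACCOUNTS is
constructed to mirror the two-column layout `net accounts` prints."""

SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
"""


def parse_net_accounts(text):
    """Turn the two-column output into a dict.
    Numeric values become ints; 'Never'/'Unlimited' become None ("no limit");
    anything else (e.g. the computer role) is kept as a string."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # first ':' separates label and value
        value = value.strip()
        if value.isdigit():
            policy[key.strip()] = int(value)
        elif value in ("Never", "Unlimited"):
            policy[key.strip()] = None
        else:
            policy[key.strip()] = value
    return policy


def audit_policy(policy, min_length=12, min_threshold=5, max_threshold=20,
                 min_duration=15, min_history=24):
    """Return a list of findings (empty list means the baseline is met).
    The baseline numbers are assumptions for this example, not a standard."""
    findings = []
    threshold = policy.get("Lockout threshold")
    if threshold is None:
        findings.append("lockout threshold is Never: accounts never lock, so "
                        "password guessing is limited only by network speed")
    elif threshold < min_threshold:
        findings.append(f"lockout threshold {threshold} is very low: a handful of "
                        "bad guesses per account can lock out the whole domain")
    elif threshold > max_threshold:
        findings.append(f"lockout threshold {threshold} allows many guesses per "
                        "account before the lock engages")

    length = policy.get("Minimum password length") or 0
    if length < min_length:
        findings.append(f"minimum password length {length} is below {min_length}")

    duration = policy.get("Lockout duration (minutes)")
    if threshold is not None and duration is not None and duration < min_duration:
        findings.append(f"lockout duration {duration} min is shorter than "
                        f"{min_duration} min, so a lock barely slows guessing")

    history = policy.get("Length of password history maintained") or 0
    if history < min_history:
        findings.append(f"password history {history} lets users cycle back to "
                        "old passwords quickly")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print("FINDING:", finding)
```

On a real host, feed the function the captured text of `net accounts` (or `net accounts /domain` for the domain policy) instead of the constructed sample.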

Brute Force Active Directory

Active Directory logons can be brute forced with Metasploit Framework auxiliary modules. If you try more wrong passwords than the Account Lockout Policy allows, you will see the message “Account has been locked out”. If you do this against every account, all users end up locked out and the network is disrupted.

Extracting Hashes

All domain password hashes are stored in the file NTDS.dit, located in C:\Windows\NTDS on a domain controller. Hashes can be extracted with mimikatz, which has a feature that uses the Directory Replication Service (DRS) to request the password hashes held in NTDS.dit rather than reading the file directly.
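The two activities described in this and the previous section both leave a footprint in the Windows Security log on the domain controller, and the following Python block, an added example rather than code from the original article, shows the detection logic a defender would run over those events: a password spray (event 4625, one source address failing against many accounts in a short window), the lockout storm that follows (event 4740), and DRS replication requests from an account that is not a domain controller (event 4662 carrying the DS-Replication-Get-Changes control-access GUIDs, which is how the mimikatz DRS feature obtains hashes). The events, the IP addresses and account names are constructed; the GUID values are the real AD control-access rights. It assumes the events have already been parsed into dicts keyed by the event's XML data names, with the 4662 `Properties` field split into a list of GUIDs.

```python
"""Detect password spraying, lockout storms and DRS replication (DCSync-style)
hash extraction in Windows Security events. Added example; SAMPLE_EVENTS is
constructed telemetry, not a real log. Field names follow the EventData
names of the Windows events (TargetUserName, IpAddress, SubjectUserName...)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access rights that permit replicating directory data. A principal
# that is not a DC exercising them is the signature of DRS-based hash pulls.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}


def _ts(s):
    return datetime.fromisoformat(s)


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """4625 (failed logon): one source failing against many distinct accounts
    inside `window`. A single user mistyping a password never trips this."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_source[e["IpAddress"]].append((_ts(e["Time"]), e["TargetUserName"]))
    findings = []
    for ip, attempts in by_source.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):      # sliding window start
            accounts = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                findings.append({"rule": "password_spray", "source": ip,
                                 "accounts": len(accounts)})
                break
    return findings


def detect_lockout_storm(events, window=timedelta(minutes=10), min_lockouts=3):
    """4740 (account locked out): several lockouts in a short window is the
    mass-lockout disruption the text warns about, whatever the source."""
    times = sorted(_ts(e["Time"]) for e in events if e["EventID"] == 4740)
    for i, t0 in enumerate(times):
        n = sum(1 for t in times[i:] if t - t0 <= window)
        if n >= min_lockouts:
            return [{"rule": "lockout_storm", "lockouts": n}]
    return []


def detect_dcsync(events, dc_accounts):
    """4662 (operation performed on an object) whose Properties include a
    replication GUID, requested by a principal that is not a DC computer
    account. `dc_accounts` is the allowlist of legitimate replicators."""
    findings = []
    for e in events:
        if e["EventID"] != 4662 or not REPLICATION_GUIDS & set(e["Properties"]):
            continue
        if e["SubjectUserName"] in dc_accounts:
            continue
        findings.append({"rule": "dcsync", "subject": e["SubjectUserName"]})
    return findings


def run_all(events, dc_accounts=frozenset({"DC01$"})):
    return (detect_spray(events) + detect_lockout_storm(events)
            + detect_dcsync(events, dc_accounts))


# Constructed sample: one host sprays six accounts, three of them lock, the DC
# replicates legitimately, and then an ordinary user asks for replication.
SAMPLE_EVENTS = [
    *[{"EventID": 4625, "Time": f"2024-05-01T09:00:{s:02d}",
       "IpAddress": "10.0.0.50", "TargetUserName": u}
      for s, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    {"EventID": 4625, "Time": "2024-05-01T09:30:00",
     "IpAddress": "10.0.0.7", "TargetUserName": "alice"},  # benign typo
    {"EventID": 4740, "Time": "2024-05-01T09:01:00", "TargetUserName": "alice"},
    {"EventID": 4740, "Time": "2024-05-01T09:01:05", "TargetUserName": "bob"},
    {"EventID": 4740, "Time": "2024-05-01T09:01:09", "TargetUserName": "carol"},
    {"EventID": 4662, "Time": "2024-05-01T10:00:00", "SubjectUserName": "DC01$",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "Time": "2024-05-01T10:05:00", "SubjectUserName": "jdoe",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
]

if __name__ == "__main__":
    for finding in run_all(SAMPLE_EVENTS):
        print(finding)
```

In production the 4662 rule needs the "Audit Directory Service Access" subcategory enabled on the DCs and the `Properties` text split into GUIDs before it reaches the function; the allowlist should be built from the domain's actual DC computer accounts rather than the constructed `DC01$`.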

Active Directory runs as a set of services on Windows servers and manages objects such as user accounts and groups, applications, printers and other resources, helping administrators manage the devices joined to the network. Active Directory penetration testing is required for any organization, because APT groups actively target it using a range of techniques.