Posted on 2022-09-23 by Alexei Doudkine in Tools of the Trade
On Saturday 24th of September, I gave a presentation at CSECcon titled, “Active Directory Hacking Speedrun! 14 attacks in 30 minutes.” This post is here to provide some post-talk resources to those wanting to learn about any of these attacks, how they work and recreate them.
Firstly, here’s a pre-recorded video of all the attacks I was planning to demo:
The AD Lab
For the lab, I used Game of Active Directory by the talented Mayfly. It takes a bit of effort to get going, which is kind of outside the scope of this post, but here are a few suggestions:
- Use a spare laptop with at least 32GB of RAM.
- Install a Linux distro as the host OS and use VirtualBox.
- Take a snapshot once everything is setup.
Mayfly has also written an amazing multi-part guide for pwning the lab: https://mayfly277.github.io/posts/GOADv2/. I strongly recommend going through their entire guide and doing the attacks yourself.
The attacks
This is by no means a comprehensive list. I’ve tried to choose the most common and impactful attacks that we use in almost every internal pentest. My intention is to simply show you that they exist and encourage you to learn about each one on your own.
Keep in mind that each attack is often just a piece of the puzzle, so try mixing and matching different attacks to achieve the results you want.
Here we go!
1. Null session enumeration
| Tools used | CrackMapExec |
| Additional reading | https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/ |
2. Password in description
| Tools used | CrackMapExec LDAPDomainDump |
3. Password spray
| Tools used | CrackMapExec |
| Additional reading | https://www.ired.team/offensive-security-experiments/active-dir…ectory-kerberos-abuse/active-directo… |
4. Name Resolution Poisoning
| Tools used | Responder mitm6 |
| Additional reading | https://g-laurent.blogspot.com/ |
5. Coerced Authentication (creds & no creds)
6. Pass-the-Hash
| Tools used | CrackMapExec impacket |
| Additional reading | https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4 |
7. Kerberoasting
| Tools used | GetUserSPN.py (impacket) |
| Additional reading | https://adsecurity.org/?p=2293 |
8. LSASS dump
| Tools used | lsassy |
| Additional reading | https://book.hacktricks.xyz/windows-hardening/stealing-credentials |
9. Machine account quota
| Tools used | addcomputer.py (impacket) |
| Additional reading | https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-is-useful-sometimes/ |
10. NTLM Relay (to SMB)
| Tools used | RidRelay |
| Additional reading | https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/ |
11. Active Directory Certificate Services (ADCS) ESC8
| Tools used | Certipy |
| Additional reading | https://posts.specterops.io/certified-pre-owned-d95910965cd2 |
12. NTLM Relay (to HTTP)
| Tools used | Certipy |
| Additional reading | https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/ |
13. Resource-Base Constrained Delegation attack
14. NTLM Relay (to LDAP)
| Tools used | ntlmrelayx.py (impacket) |
| Additional reading | https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/ |
There are so, so many more attacks you can do in an AD environment. Just to hint at a few:
- Constrained/Unconstrained delegation abuse
- Writeable web root shares
- GPP Passwords
- Token Impersonation
Have fun exploring and playing with these until you feel comfortable! 🙂
As always, hit me up on the socials if you ever want to talk hacking.
About the author
Alexei Doudkine is Co-Founder and Offensive Director at Volkis. Hacker, tinkerer, car modder and dog person, Alexei has been in the infosec game for over 10 years focusing on the “attack” side of security. You can catch him on Twitter and LinkedIn.
If you need help with your security,
get in touch with Volkis.
Follow us on Twitter and
LinkedIn