Active Directory

Discovering your domain

  • ipconfig /all

  • crackmapexec smb 10.10.10.0/24 # your subnet

Discovering the domain controller

  • nslookup <domain>

  • If logged into a domain-joined computer, run "echo %logonserver%"

  • If logged into a domain-joined computer, run nltest /dclist:yourdomain.com

  • crackmapexec smb 192.168.12.0/24 (your subnet). This also reports per-host SMB settings that indicate weaknesses: (signing:False) means SMB signing is not required, so you can do an NTLM relay; (SMBv1:True) means you can do pass the hash.

  • After completing a port scan, look for servers that have TCP port 389 (LDAP), 636 (LDAPS), 3268 (LDAP Global Catalog), or 3269 (LDAPS Global Catalog). Ports 3268 and 3269 are especially indicative of a domain controller, since only a DC can fulfill Global Catalog roles.
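The two triage rules above (Global Catalog ports 3268/3269 mark a domain controller; the crackmapexec signing/SMBv1 flags mark hosts that need hardening) can be applied to scan output automatically. The script below is an added example, not code from the page or from the nmap or crackmapexec projects: it parses nmap grepable (-oG) output and crackmapexec-style SMB lines, both constructed samples here, and reports likely DCs plus hosts where SMB signing is not enforced or SMBv1 is still on. The remediation text names the Windows policy "Microsoft network server: Digitally sign communications (always)"; the host names and addresses are made up.

```python
import re

# Constructed sample in nmap grepable (-oG) format. Fields on a Host line are
# tab-separated, and each port entry is port/state/protocol/.../service/...
NMAP_GREPABLE = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 10.10.10.5 (dc01.corp.local)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 636/open/tcp//ldapssl///, 3268/open/tcp//globalcatLDAP///, 3269/open/tcp//globalcatLDAPssl///\tIgnored State: closed (993)
Host: 10.10.10.20 (fs01.corp.local)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 10.10.10.30 (app01.corp.local)\tPorts: 389/open/tcp//ldap///, 443/open/tcp//https///\tIgnored State: closed (998)
"""

# Constructed sample approximating crackmapexec's "smb" host banner lines.
CME_OUTPUT = """\
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Standard 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.20     445    FS01             [*] Windows Server 2016 Standard 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
"""

GC_PORTS = {3268, 3269}    # Global Catalog: only a domain controller serves these
LDAP_PORTS = {389, 636}    # LDAP/LDAPS: a DC, but possibly another directory service

HOST_LINE = re.compile(r"Host: (?P<ip>\S+) \([^)]*\)\tPorts: (?P<ports>[^\t]*)")
CME_LINE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<name>\S+).*?"
    r"\(signing:(?P<signing>True|False)\).*?\(SMBv1:(?P<smbv1>True|False)\)"
)


def parse_grepable(text):
    """Return {ip: set of open TCP ports} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and Status-only lines carry no ports
        open_ports = set()
        for entry in m["ports"].split(", "):
            parts = entry.split("/")
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                open_ports.add(int(parts[0]))
        hosts[m["ip"]] = open_ports
    return hosts


def classify_host(open_ports):
    """Apply the port heuristic from the notes: GC ports are decisive, LDAP alone is not."""
    if open_ports & GC_PORTS:
        return "likely domain controller"
    if open_ports & LDAP_PORTS:
        return "LDAP service (verify: could be a DC or another directory)"
    return None


def find_domain_controllers(grepable_text):
    """Map each host with a directory-related role to its classification."""
    roles = {}
    for ip, ports in parse_grepable(grepable_text).items():
        role = classify_host(ports)
        if role:
            roles[ip] = role
    return roles


def smb_hardening_findings(cme_text):
    """Map each SMB host to the list of configuration issues crackmapexec flagged."""
    findings = {}
    for line in cme_text.splitlines():
        m = CME_LINE.match(line)
        if not m:
            continue
        issues = []
        if m["signing"] == "False":
            issues.append("SMB signing not required (NTLM relay exposure): enforce "
                          "'Microsoft network server: Digitally sign communications (always)'")
        if m["smbv1"] == "True":
            issues.append("SMBv1 enabled: disable the legacy dialect")
        findings[m["ip"]] = issues
    return findings


if __name__ == "__main__":
    for ip, role in find_domain_controllers(NMAP_GREPABLE).items():
        print(f"{ip}: {role}")
    for ip, issues in smb_hardening_findings(CME_OUTPUT).items():
        print(f"{ip}: {'; '.join(issues) or 'no SMB findings'}")
```

Feed it real `nmap -oG` and crackmapexec output from your own environment to get a first-pass list of DCs to protect and of member servers where signing should be enforced before an attacker uses them for relay.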

https://medium.com/@benichmt1/secretsdump-demystified-bfd0f933dd9b

https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/

Checklist:

  • Run Responder to collect hashes traversing the network
