💾
kurare
  • 🤸Welcome!
  • 🔤Alphabet Soup
  • Training
    • CTFs & Labs
  • Directory Traver
  • Reporting
  • Toolbox
  • Rando Links
  • GRC (The box-checkers)
  • Common Software Repository
  • Social Networking
  • Penetration Testing Frameworks
  • Playbooks
    • Playbook: Figuring out software versions
    • Playbook: web applications
    • Playbook: Finding exploits
    • Playbook: Cloud Environments
  • Testing out credentials
  • Active Directory
  • Checklists
    • Pretest phase
    • Host Discovery
    • Website (external)
    • Black-box External Test
    • Host Enumeration
    • SMB enumeration
    • Page
  • Reporting
  • Services
    • VOIP / SIP
Powered by GitBook
On this page

Active Directory

PreviousTesting out credentialsNextPretest phase

Last updated 1 year ago

Discovering your domain

  • ipconfig /all

  • crackmapexec smb 10.10.10.0/24 # your subnet

Discovering the domain controller

  • nslookup <domain>

  • If logged into a domain-joined computer, run "echo %logonserver%"

  • If logged into a domain-joined computer, run nltest /dclist:yourdomain.com

  • crackmapexec smb 192.168.12.0/24 This also identifies server vulnerabilities (signing: False) means you can do an NLTM relay. (SMBv1:True) means you can do pass the hash

  • After completing a port scan, look for servers that have TCP port 389 (LDAP), 636 (LDAPS), 3268 (LDAP Global Catalog), or 3269 (LDAPS Global Catalog). Ports 3268 and 3269 are especially indicative of a domain controller, since only a DC can fulfill Global Catalog roles.

Checklist:

  • Run Responder to collect hashes traversing the network

https://medium.com/@benichmt1/secretsdump-demystified-bfd0f933dd9b
https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/
Logo🖥AD Lab: External Pentesting 🔐Medium
LogoActive Directory Penetration TestingMedium
LogoActive directory pentesting: Cheatsheet and beginner guideHack The Box