Introduction
In this project, I conducted a full-scope Active Directory penetration test against a simulated enterprise environment to emulate a real-world attacker. The objective was to identify and exploit common AD misconfigurations, privilege escalation paths, and authentication flaws that could lead to full domain compromise.
Read the report here
Assessment Overview
The penetration test simulated an attacker who gains initial access to an internal Windows workstation. From there, I used various techniques to pivot through the network and escalate privileges within the domain.
Key techniques used:
- Credential dumping via Mimikatz
- Pass-the-Hash (PtH) and Kerberoasting
- AS-REP roasting
- Abuse of DCSync rights
- Golden Ticket attack using the compromised krbtgt hash
Key Attack Paths Discovered
1. Credential Dumping + Pass-the-Hash
After gaining local admin on a Windows 10 workstation, I used Mimikatz to dump the NT hashes of the accounts logged on to that host from LSASS, then passed a Domain Admin's hash to authenticate as that account without ever knowing its password.
Recommendation: Deploy the Local Administrator Password Solution (LAPS) so every host has a unique, automatically rotated local admin password, remove local admin rights that are not needed, and keep Domain Admin credentials off workstations (tiered administration), so that there is no DA hash in a workstation's LSASS to dump in the first place.
2. AS-REP Roasting
I identified user accounts with "Do not require Kerberos pre-authentication" enabled. For such accounts the KDC returns an AS-REP without any proof that the requester knows the password, so I could request the AS-REP for each account and crack its encrypted part offline to recover the plaintext password.
Recommendation: Remove the pre-auth exemption from every account that does not genuinely need it. With the ActiveDirectory PowerShell module, enumerate the affected accounts and clear the flag in one pipeline (review the list first, since the Get-ADUser half on its own only reports, it does not change anything):
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} | Set-ADAccountControl -DoesNotRequirePreAuth $false
3. Kerberoasting
Using an ordinary domain user account, I requested service tickets (TGS) for accounts with SPNs registered and cracked the tickets' encrypted part offline with John the Ripper and rockyou.txt. Any authenticated domain user can request these tickets, so the service account's password is the only thing protecting it.
Recommendation: Use long, randomly generated passwords for service accounts, especially those tied to SPNs; prefer group Managed Service Accounts (gMSA), which rotate such passwords automatically, and restrict service accounts to AES (msDS-SupportedEncryptionTypes) so the KDC stops issuing RC4 tickets, which crack at NTLM speed.
4. Golden Ticket Attack
With the krbtgt NT hash obtained via DCSync, I forged a TGT (Golden Ticket) and used it to authenticate to the domain controller as any user I chose, since the KDC trusts whatever a ticket encrypted under the krbtgt key says.
Recommendation: Reset the krbtgt password twice, waiting for replication between the two resets, because the KDC keeps honouring tickets encrypted under the previous key until the second reset pushes it out; then monitor the Security log for Kerberos anomalies such as service ticket requests (Event ID 4769) for accounts that do not exist, or RC4-encrypted tickets in a domain that should only be issuing AES.
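The monitoring recommendation above, together with the two roasting findings, can be turned into concrete detections over the Security log. The Python below is an added example, not part of the original report and not a vendor rule; it triages Event ID 4768 (TGT request) and 4769 (service ticket request) records for three indicators: a TGT issued with Pre-Authentication Type 0 (an AS-REP roastable account being used), a burst of RC4-encrypted service tickets for distinct SPNs from one source, and a service ticket for an account the domain does not have, which is one of the few log-visible traces of a forged TGT. The event records, IP addresses, account names and the account inventory are constructed to mirror the event fields, and the window and threshold are assumptions to tune per domain.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"    # TicketEncryptionType: 0x17 = RC4-HMAC, 0x12 = AES256, 0x11 = AES128
NO_PREAUTH = "0"     # PreAuthType 0 = logon without pre-authentication

# Constructed sample events, not real telemetry. Field names mirror the Security
# event XML for 4768 (TGT request) and 4769 (service ticket request); TargetUserName
# in 4769 carries the realm, as it does in the real event.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:01", "id": 4768, "user": "jdoe", "ip": "10.0.5.20",
     "etype": "0x12", "preauth": "2", "status": "0x0"},
    {"time": "2024-03-01T09:00:03", "id": 4768, "user": "svc_backup", "ip": "10.0.5.77",
     "etype": RC4_HMAC, "preauth": NO_PREAUTH, "status": "0x0"},
    {"time": "2024-03-01T09:05:10", "id": 4769, "user": "jdoe@CORP.LOCAL", "ip": "10.0.5.77",
     "etype": RC4_HMAC, "service": "MSSQLSvc/sql01.corp.local:1433", "status": "0x0"},
    {"time": "2024-03-01T09:05:12", "id": 4769, "user": "jdoe@CORP.LOCAL", "ip": "10.0.5.77",
     "etype": RC4_HMAC, "service": "HTTP/intranet.corp.local", "status": "0x0"},
    {"time": "2024-03-01T09:05:25", "id": 4769, "user": "jdoe@CORP.LOCAL", "ip": "10.0.5.77",
     "etype": RC4_HMAC, "service": "CIFS/files01.corp.local", "status": "0x0"},
    {"time": "2024-03-01T09:05:30", "id": 4769, "user": "jdoe@CORP.LOCAL", "ip": "10.0.5.77",
     "etype": RC4_HMAC, "service": "krbtgt", "status": "0x0"},
    {"time": "2024-03-01T09:06:00", "id": 4769, "user": "asmith@CORP.LOCAL", "ip": "10.0.5.21",
     "etype": "0x12", "service": "HTTP/intranet.corp.local", "status": "0x0"},
    {"time": "2024-03-01T09:10:00", "id": 4769, "user": "ghostadmin@CORP.LOCAL", "ip": "10.0.5.77",
     "etype": RC4_HMAC, "service": "CIFS/dc01.corp.local", "status": "0x0"},
]

# Constructed account inventory; in practice pull it from AD or the SIEM's asset data.
KNOWN_ACCOUNTS = {"jdoe", "asmith", "svc_backup", "svc_sql", "krbtgt"}


def detect(events, known_accounts, window_s=60, min_services=3):
    """Return alerts for AS-REP roasting, Kerberoasting and forged-ticket indicators."""
    window = timedelta(seconds=window_s)
    alerts = []
    rc4_tgs = defaultdict(list)   # (source ip, user) -> [(time, service), ...]
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        user = ev["user"].split("@")[0]
        if ev["id"] == 4768 and ev["preauth"] == NO_PREAUTH and ev["status"] == "0x0":
            # A TGT issued with no pre-authentication: an AS-REP roastable account in use.
            alerts.append({"rule": "asrep_roast", "user": user, "ip": ev["ip"], "etype": ev["etype"]})
        elif ev["id"] == 4769 and ev["status"] == "0x0":
            if user not in known_accounts:
                # The KDC never issued a TGT for an account it does not have, so this
                # ticket came from a forged TGT (or the inventory is stale; check both).
                alerts.append({"rule": "forged_ticket", "user": user, "ip": ev["ip"], "service": ev["service"]})
            if ev["etype"] == RC4_HMAC and ev["service"] != "krbtgt":
                # RC4 service tickets are what Kerberoasting tools request; TGT
                # renewals (service krbtgt) are ordinary noise and are excluded.
                rc4_tgs[(ev["ip"], user)].append((when, ev["service"]))
    for (ip, user), reqs in rc4_tgs.items():
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts.append({"rule": "kerberoast", "user": user, "ip": ip, "services": sorted(services)})
                break   # one alert per source is enough; the burst is the signal
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(alert)
```

Two caveats a practitioner should expect: if the domain still issues RC4 tickets by default, the Kerberoast rule needs a stricter threshold or an AES baseline to stay quiet; and a Golden Ticket forged for a real account looks like an ordinary 4769 to the KDC, so the forged-ticket rule complements the double krbtgt reset rather than replacing it.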
Tools Used
- Mimikatz
- Impacket
- BloodHound
- Responder
- John the Ripper
- CrackMapExec
- SharpHound
- hashcat
What I Learned
This project sharpened my hands-on skills in Active Directory exploitation, including lateral movement, persistence, and credential-based attacks. I also learned how to document attack chains, map BloodHound paths, and provide actionable remediation steps.
Conclusion
This AD penetration test highlights how common misconfigurations—like weak service account passwords or overly permissive ACLs—can be chained to compromise an entire domain. By addressing these gaps, organizations can significantly reduce their exposure to internal threats.