Active Directory Penetration Testing and Security

Resources for AD penetration testing and security

Videos by yours truly

Setup Domain Controller and Active Directory For Penetration Testing https://www.youtube.com/watch?v=j5AI-BKXmCw

Create and configure domain accounts for multiple password attacks https://www.youtube.com/watch?v=MigPswiQFOg

Kerberos AS-REP Roasting with HTB Sauna https://www.youtube.com/watch?v=3GvcfQSOj5E

More coming soon...

Pentest/Red Team General

https://zer1t0.gitlab.io/posts/attacking_ad/

https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70

https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/

https://lolbas-project.github.io/

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#active-directory-recon

https://adsecurity.org/?p=2362

https://www.blackhat.com/docs/us-15/materials/us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection.pdf

General Active Directory Concepts

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771568(v=ws.10)

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759186(v=ws.10)

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers

https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/security-identifiers-in-windows

https://adsecurity.org/?p=2288

Active Directory Enumeration

http://woshub.com/get-aduser-getting-active-directory-users-data-via-powershell/

http://www.harmj0y.net/blog/redteaming/local-group-enumeration/

https://www.sans.org/security-resources/posters/bloodhound-cheat-sheet/430/download

Authentication Attacks

NTLM

https://www.crowdstrike.com/cybersecurity-101/ntlm-windows-new-technology-lan-manager/

https://infinitelogins.com/2020/11/16/capturing-relaying-net-ntlm-hashes-without-kali-linux-using-inveigh/

Kerberos Attacks

https://blog.redforce.io/windows-authentication-attacks-part-2-kerberos/

https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf

https://stealthbits.com/blog/what-is-kerberos/

http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html

https://stealthbits.com/blog/how-to-detect-pass-the-ticket-attacks/

https://book.hacktricks.xyz/windows/active-directory-methodology/over-pass-the-hash-pass-the-key

Password Spraying

https://github.com/dafthack/DomainPasswordSpray

https://medium.com/walmartglobaltech/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5

Mimikatz

https://www.sentinelone.com/blog/windows-security-essentials-preventing-4-common-methods-of-credentials-exfiltration/

https://ivanitlearning.wordpress.com/2019/09/07/mimikatz-and-password-dumps/

https://en.hackndo.com/remote-lsass-dump-passwords/#mimikatz-module

https://www.hackingarticles.in/powershell-empire-for-pentester-mimikatz-module/

Lateral Movement

https://posts.specterops.io/offensive-lateral-movement-1744ae62b14f

https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/

ACLs

https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf

Lab Setup

https://github.com/WazeHell/vulnerable-AD

https://thedarksource.com/setting-up-an-active-directory-lab-for-red-teaming/