In fact, Active Directory – AD – is a key component to manage Entreprise wide networks. It is frequently reaching a high degree of complexity in Companies, who have thousands of workstations, servers, and devices to manage. This complexity brings Security risks

Because it is a high profile target, Active Directory is therefore often attacked. Several tools have been developed to achieve this goal

As it is not OK to attack a real Active Directory, I will therefore create a simplified Hacking Lab, and then check different methods to explore the AD

Active Directory basics

There are many good resources available out there, to discover the basics of AD. I suggest this one : https://bit.ly/3877fAw, and also this one : https://bit.ly/38cgnEd

So, I will not go into details. In a nutshell, bear in mind the four main components of an AD

Implementation of the Active Directory Hacking Lab

Architecture & Installation

I’m going to implement the following architecture, using Virtual Machines (I use Oracle VirtualBox as Hypervisor)

The attacker will be using Kali Linux. The “network” to attack is made of an Active Directory Domain Controller, implemented on Windows Server 2016 Essentials, and a Workstation implemented on Windows 10 Enterprise

To proceed with the installation of each VM, I downloaded the ISO files of each OS – Microsoft provides evaluation versions – and initialized each VM. Here is a YouTube video to help you proceed with the installation if needed (example : Windows 10)

You will need to adjust the RAM memory allocated to each VM, and make sure this does not overshoot the RAM of your PC. Make sure to keep enough memory margin, to avoid saturating your PC, and face heavy performance losses or even crashes

After installation, I grouped the VMs in the Group “Active Directory Hacking Lab”

Here are the three VMs, all fired up, after installation :

Here below some parameters I defined during the installation, which are of interest for the next steps

Our Domain is configured as follows. During the installation of Windows Server, I also promoted this machine as Domain Controller

Configuration of the Network

Now, let’s make sure that each VM can talk to each other, and can also access Internet. For this, close down the VMs and go in the parameters of each individual VM. Then open the Network tab. You shall select, for each VM, the “Bridged Adapter”

This will make sure that each VM is accessible in the local network and identified with a unique IP adress. VirtualBox will allocate the IP adresses of each VMs, for you

For further detailed overview of each network options and the way each VM will communicate to each other, here is a good summary

After doing this, you can restart each VMs, and discover the IP allocations, and ping each VM with the others, to check that your VMs network is working

In Kali Linux, open the Terminal, and type “ip addr show“, then use the ping command

In the Windows VMs, open Powershell, and type “ipconfig“, then use the ping command

Here is a summary of the IP adresses allocated by VirtualBox in my Lab

Kali Linux (ping the Windows Server VM in this screen)

Windows 10 Enterprise (ping the Windows Server VM in this screen)

Windows Server 2016 (ping back the Kali Linux VM in this screen)

Shared Folders

To share files easily between each VM and your Host PC, you shall install shared folders in each VM. The necessary steps are different between Windows VMs and Linux VMs

For Windows, follow these steps : https://bit.ly/35uTxWn

For Linux, on the menu bar, go to Devices >Insert Guest Additions CD Image (as done on the Windows VMs). Then, open your file explorer. You will see that a virtual CD drive has been mounted with the following content

Open the Terminal, and follow these steps to run the installer

You should get the following messages

Then, restart the VM, open the Terminal and check that the installation is successfull, as follows

Implementation of Active Directory

Now, let’s proceed with the installation of a basic Active Directory structure. Let’s open the VM Windows Server 2016 and launch the Server Manager

Follow this sequence : Add roles and features -> Next (take care of the warnings and proceed with the necessary configurations before moving on) -> Role-based or feature-based installation -> Select a server from the server pool (choose the available server creared during the installation of Windows Server 2016) -> Active Directory Domain Services -> Next

Now, let’s create objects inside our Active Directory. For this, right click on the Domain, click New, and choose the object you want to create

I created a basic corporate organization and user names, as follows

Then, we link our Windows 10 Workstation in our Domain : Windows Settings -> System -> About -> Join a domain -> Type in the domain name and User name/Password

Discovering the Active Directory

Now let’s explore some key components of Active Directory, using mimikatz. First of all, you need to know the process lsass

lsass.exe

This process is the Local Security Authority Subsystem Service. It is an essential part of any Windows device. It has a key role during authentification, whatever its nature. As soon as a user logs in, authentification informations are sent to the process lsass. Inside this process, authentification management services, so called SSP – Security Service Provider, are here to manage every different type of authentifications

It is possible to dump the content of lsass, just right clicking on the process lsass in the Task Manager

Here is a good blog post documenting the different possible ways to dump the content of lsass : https://bit.ly/3bTwCs1

Windows hashes

The passwords stored in Windows are Hashed. Here is a very good explanation about password hashes in Windows

Windows Authentification

Here is a summary of Windows authentification mechanisms between AD level and local level, and what could be extracted

Active Directory authentification

Local authentification

Here is also a good flowchart about identification mechanisms inside Windows

mimikatz

Now, let’s run mimikatz. The installation is easy but Windows Defender is going to treat this as a virus. In fact, this hacking tool is very efficient, but so famous now, that its signature is blocked by all main antivirus programs. I deactivated Defender for this exercise. For the installation, just download the zip from here : https://github.com/gentilkiwi/mimikatz/releases

The lsass dump has to be in the same directory as mimikatz

You shall run the mimikatz.exe as administrator. We can get password hashes, Kerberos tickets, and more, using the below commands

sekurlsa :: logonPasswords

Lists all available login credentials. This usually shows recently logged on user and computer credentials

sekurlsa :: tickets / export

Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD

sekurlsa uses memory reading and can access tickets of others sessions (users)

lsadump :: lsa /patch

Ask LSA server to retrieve SAM/AD. Use to dump all Active Directory domain credentials from a Domain Controller or lsass.dmp dump file

Often these accounts are members of Domain Admins (or equivalent) or a Domain Admin was recently logged on to the computer an attacker dump credentials from. Using these credentials, an attacker can gain access to a Domain Controller and get all domain credentials, including the KRBTGT account NTLM hash which is used to create Kerberos Tickets

hashcat

From all this, we can now crack the hashes and read the passwords in clear. There is a good built in Kali Linux facility for this : hashcat -> https://hashcat.net/wiki/doku.php?id=hashcat

Here is an example with the Active Directory user declared above “Bob Sinclair” -> we find – very quickly, less than 1 second ! – the password “Test1234”

lsassy

mimikatz is being detected by Windows Defender and almost all popular anti-virus. Lsassy has been implemented with stealth in mind. It has the following characteristics :

• dump lsass remotely, using default Windows tools such as WMI
• analyze lsass dumps remotely, without downloading the whole dump

Here is a basic way to extract secrets by using lsassy, demonstrating its capability

In the example below, we can recover the LM:NTLM hash. This is not spectacular but shows the potential of lsassy

bloodhound

This tool allows to map the Active Directory in a graphical manner, which is very usefull as soon as your AD gets complex. This facility also allows to track the compromized machines in the network and therefore plot the progress of an attacker

At first, let’s install bloodhound on my Kali Linux machine, and launch the neo4j console

The launch of neo4j triggers the events below and launches the event listener on the localhost:7474

Once the listener is active, you need to open a web page and configure neo4j to listen on the localhost

Once this is done, you need to dump the Active Directory objects from the Windows Machine, in this case Windows Server 2016, using a module called SharpHound.exe

Then, it is easy to dump the objects and transfer them back to Kali Linux, for analysis in bloodhound. Then, we can generate a bunch of different graphs and analysis

Find Shortest Paths to Domain Admins

Shortest Paths from Domain Users to High Value Targets

Additionallly, we can gather many details about our Domain Controller

This is definitely a tool to master to reckon an Active Directory

PowerSploit

It is a tool used to recover some informations from the Active Directory and more actions such as persistence, based upon Windows Powershell. Attackers are using PowerSploit, including some commands in their exploitation scripts

For the purpose of this article, I have just installed PowerSploit inside the Windows Server machine, to discover the main functions. For installation, check this good video

Here below, we can see all the modules are installed inside System32

Now, let’s make sure the PowerSploit module is imported inside the PowerShell ISE

Now, we can start some basic reconnaissance of the Domain HACKERONE.local

PowerSploit allows you to search for “interesting” files, using some keywords or other search criteria. For example, I use the keyword “Admin”

We can identify the logged users

We can also get a bunch of interesting informations about the users of our Domain

Overall, PowerSploit is rather good to extract some key informations about our Domain

Ping Castle

This tool allows to get an overview of the safety situation of your Active Directory. Installation is made directly on the Windows Server 2016. There is an .EXE file that launches some scripts. We have to choose between several options

The data collection is started and done fairly quickly

We get a PDF report with some KPI and rankings, providing an overall rating

We also get a much detailed report about configuration issues and potential remediations

We also get some further details about our administrator accounts

CrackMapExec

This Python framework is very modular, and allows to automate a number of tasks to collect dumps on several machines. Installation is pretty straightforward

Here below all the available modules. We can see some tooling to inject shellcode, mimikatz in Python, lsassy as seen above, some scripts similar to PowerSploit to dump the AD, integration with bloodhound,…

Conclusion

We have learned to setup a basic Active Directory Hacking Lab and local network, with communications made possible between Kali Linux, Windows Server 2016, Windows 10 machines. We have configured a basic Active Directory infrastructure, and explored its objects with several hacking tools, either based upon C, C#, Java, Python, PowerShell

We have seen that Active Directory configuration is a complex topic and that the AD is really the backbone of any Windows based network. This complexity brings some significant risks. It is quite astonishing to see all the informations that can be recovered with the available hacking tools. However, I want to say that my Lab lacks some realism and I just scratched the surface of the network exploration, as most of the tools I used were detected by Windows Defender and I could not go through all the manipulations I had planned for initially

In any case, it is a very good way to understand Windows network infrastructure !