AD Testing Checklist
Below are the things you should check on every Active Directory assessment
Shortlist
Short bullet points to jog your memory. If a bullet is not enough, click on the check to get the full notes.
Extra Attacks
Coercion Attacks
Local Network Poisoning
IPv6 MITM
Stale Half-Duplex ARP
WPAD
WebDAV
LNK file drop
ADIDNS Wildcard Attack (Dangerous and not well understood)
Confirm AD Access (Linux)
Define Shell Variables (Bash)
Define Shell Variables (zsh)
If you define the above variables, you can copy and paste the commands below straight into the terminal.
Sync Clock to Domain Controller
Syncing the clock to the domain controller is VERY important for Kerberos and for any tool that uses Kerberos.
Check access (NTLM)
Check access (Kerberos)
If you are getting the error Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great), you need to sync your local clock to the DC. You can do this with sudo ntpdate $ADCONTROLLER
Search for abusable ACLs (Bloodhound)
To search for abusable ACLs, Bloodhound is the tool of choice. For further information about how to analyze the data once you have collected it, see Analyzing Data with Bloodhound.
Install Bloodhound.py
Collect Data (NTLM)
Collect Data (Kerberos)
The above has given me some issues during testing and sometimes reverted to NTLM instead of Kerberos. If you have issues, try using the NTLM version, which will often attempt to use Kerberos regardless.
Collect Data (w/ Channel Binding)
The current Bloodhound.py does not support connecting to LDAPS when channel binding is enforced. In my experience, it will throw a vague error about a failed connection or an invalid address (ldap3.core.exceptions.LDAPSocketOpenError: invalid server address). There is a pull request that fixes this issue, but it has not been merged so far (it has been waiting about half a year). Therefore, you will have to manually install a forked version from deadjakk that supports channel binding. You will also need a forked version of LDAP3 to run the forked version of bloodhound.py.
Search for passwords in user descriptions
Run the following commands against the unzipped Bloodhound.py output.
Install JQ
Search for quick hits
List sorted user descriptions (Full Review)
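As an added example, not the page's own jq commands, the following Python script performs the same two passes over a Bloodhound.py users JSON file: a quick-hit search for credential keywords and a sorted full-review list of every description. The file layout (a "data" list of user objects with a "Properties" map) and the sample records are assumptions constructed for this example.

```python
import json
import re

# Constructed sample shaped like BloodHound.py's *_users.json output: a "data" list of
# user objects whose "Properties" carry "name", "enabled" and "description".
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {"Properties": {"name": "SVC_BACKUP@CORP.LOCAL", "enabled": True,
                        "description": "Backup service acct, pw: Summer2023!"}},
        {"Properties": {"name": "JDOE@CORP.LOCAL", "enabled": True,
                        "description": "Accounting, 3rd floor"}},
        {"Properties": {"name": "OLDADMIN@CORP.LOCAL", "enabled": False,
                        "description": "Temp Password is Welcome1 - change on first login"}},
        {"Properties": {"name": "KIOSK@CORP.LOCAL", "enabled": True,
                        "description": None}},
    ],
    "meta": {"type": "users", "count": 4, "version": 5},
})

# Words that usually sit next to a credential someone pasted into a description field.
QUICK_HIT = re.compile(r"\b(pass(word|wd|phrase)?|pw|pwd|cred(ential)?s?|secret|pin)\b", re.I)


def list_descriptions(users_json: str) -> list[tuple[str, bool, str]]:
    """Full-review list: (name, enabled, description) for every user with a
    non-empty description, sorted by name so the output is stable."""
    rows = []
    for user in json.loads(users_json)["data"]:
        props = user.get("Properties", {})
        desc = (props.get("description") or "").strip()
        if desc:
            rows.append((props.get("name", "?"), bool(props.get("enabled")), desc))
    return sorted(rows)


def find_quick_hits(users_json: str) -> list[tuple[str, str]]:
    """Quick hits: users whose description contains a credential keyword.
    Disabled accounts are kept, since the same password may be reused elsewhere."""
    return [(name, desc) for name, _enabled, desc in list_descriptions(users_json)
            if QUICK_HIT.search(desc)]


if __name__ == "__main__":
    for name, desc in find_quick_hits(SAMPLE_USERS_JSON):
        print(f"[!] {name}: {desc}")
```

Point the functions at the real users JSON file's contents to reproduce the quick-hit and full-review steps; every hit should end up as a finding that the description is cleared and the password rotated.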
Search for Kerberoastable accounts
Search for all SPNs in the domain that are vulnerable to Kerberoasting. For exploit information, see Kerberoasting.
Searching for affected accounts can also be done easily using Bloodhound.
Check for affected accounts (NTLM)
Check for affected accounts (Kerberos)
Search for As-Rep Roastable accounts
Search for all user accounts that do not require pre-authentication. For exploit information, see As-Rep Roasting.
Check for affected accounts (NTLM)
Check for affected accounts (Kerberos)
Check for default Machine Account Quota
Get Machine Account Quota (NTLM)
Get Machine Account Quota (Kerberos)
Get Machine Account Quota (NTLM) - Alternate
Check password policy
Get Password Policy (NTLM)
Note that $(read -sp "PWD: " PWD;echo $PWD) is used to prompt for a password instead of typing it into the command line. However, this leaves a cleartext password in the $PWD variable in the current shell session, so it is overwritten using PWD="" at the end of the command.
Check for active WebDAV clients
Method 1 (WebClientScanner) - Faster
Install
NTLM
Kerberos
Method 2 (NetExec) - CSV Output
Scan hosts
Create affected host CSV
Check for missing SMB signing
Check for SMBv1 Support
Check for writable shares
NTLM
Check for sensitive data in shares
Collect Info (NTLM)
See Searching SMB Shares for info on how to search these results
Check for anonymous access
Check LDAP Configuration
NTLM
Check MsSQL Configuration
Install MsSQLRelay
Run all checks (Coercion, Command Execution, Signing)
Look for the following vulnerabilities:
Missing Signing/Channel Binding = Encryption: not enforced
Coercible = Privileges: ['xp_dirtree', 'xp_fileexist'] (either one)
Command Execution = Privileges: ['xp_cmdshell'] (I'm not sure if mssqlrelay checks for this)
Additional info is needed on checking for Impersonation and Server Links (Impacket's MsSQL module will be used to perform checks)
Check ADCS Configuration
Install Certipy
Run all checks
Check for CA when Certipy does not find CA
Exploit Information can be found at ADCS Exploitation
Check SCCM Configuration
A new tool called SCCHound was recently released and could make this process easier. Once I test it I will add notes here.
Install Tools
Find SCCM Server (w/ SCCMHunter)
Search for SCCM user accounts (Bloodhound data)
Send PXE Boot Request via DHCP (PXEThief)
This will not only send the request but also auto-exploit by downloading the encrypted media file and attempting to extract data from it if it is not password protected.
If you know the SCCM server IP, you can use: pxethief.py 2 <SCCM SERVER IP>
Check for Open SCCM Ports
It's not uncommon to see many of these ports open even when SCCM is not in use, so check the output carefully.