Active Directory pentesting

An internal penetration test in a Windows environment consists of simulating the actions of an attacker having access to the corporate network, this access can be physical or through an infected workstation. The objectives of this type of test are multiple:

1. List the technical vulnerabilities affecting the perimeter and analyze their impact
2. Take control of the Active Directory domain
3. List the methods of remote access persistence and data exfiltration to the internet
4. Issue an action plan to improve the level of security

Here are some examples of points verified by our auditors during this type of service :

Active Directory

• Network
  • Passive listening to authentication requests
  • MITM attacks to collect identifiers
  • Enumeration and scan of in the domain's servers
  • Retrieving the content of the SYSVOL share and searching for information in the GPOs and scripts
  • Search for anonymously accessible file shares
• List of accounts
  • Replay of identifiers coming from stolen databases exposed on the Internet
  • Search for identifiers in the metadata of files published on the Internet
  • Collection of Active Directory groups and users from spoofed accounts
  • Bruteforce of domain accounts and local server accounts
• Kerberos
  • Retrieving the list of Service Principal Names
  • Attempt to decipher TGS and ASREP
  • Exploiting dangerous Kerberos delegation
• Domain
  • Identification of domain controllers
  • Search for vulnerabilities on domain controllers
  • Exploitation of dangerous ACLs
  • Analysis of trust relationships

Windows servers and clients

• Updates
  • Exploitation of the absence of a patch on the system
  • Exploitation of the absence of a patch on the installed software
  • Search for software vulnerabilities on the services provided by the servers
• Bypassing Microsoft protections
  • UAC
  • SRP
  • AppLocker
• Accounts and passwords
  • List of identifiers and bruteforce of local accounts
  • List of service accounts and scheduled tasks
  • Retrieving authentication traces in the memory of the LSASS process
  • Password collection and cracking of high privilege accounts
• Various
  • Retrieving authentication data within scripts
  • Attacking the antivirus (forced shutdown, addition of exception, etc.)
  • Malicious USB media insertion