Exploitation Methodology
Exploiting the systems that are members of an Active Directory domain is usually faster than exploiting the same hosts one by one: most of the reconnaissance needed for the remaining hosts can be gathered from any one compromised domain member, or from the Domain Controller itself.
To leverage the information held by the Domain Controller, one first has to compromise a system within that domain and elevate privileges to local administrator on it. (Most directory information is readable by any authenticated domain user over LDAP; local administrator is what you need to pull credentials and session data off the host itself.)
Once privileges are elevated, a wide variety of tools can be used to extract information from that system and from the Domain Controller.
The exploitation of systems within a domain can be broadly classified into three categories:
Recon of the entire domain
Recon of the Domain
The recon of the domain can comprise multiple steps that gather information about the systems, users and objects in that domain. The following information can be gathered from within the domain:
List of local accounts on that system
List of user accounts present within the domain
Account related information as per the domain such as password policy, groups, privileges, etc
List of groups present within the domain
Privileges held by each group
Group-to-user mapping
List of objects, along with their attributes, within the domain
List of users currently logged in
Total number of systems in the domain
Available SPNs in the domain
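The following script collects every item in the list above in one pass. It is an added example, not code from the original page; it uses only built-in PowerShell and .NET ADSI (no RSAT, no third-party module) and assumes it runs as a domain user on a domain-joined Windows host, with the `Search-Ad` and `ConvertFrom-AdInterval` helpers being names chosen here. Every LDAP filter and attribute name is a standard Active Directory schema name.

```powershell
# Added example: domain recon with built-in PowerShell / ADSI only.
# Assumes a domain-joined host and a domain user context; helper names are ours.

function Search-Ad {
    # Paged LDAP search against the current domain; one object per result
    param([string]$Filter, [string[]]$Props, [string]$Base = $null)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    if ($Base) { $s.SearchRoot = [adsi]"LDAP://$Base" }
    $s.Filter   = $Filter
    $s.PageSize = 1000                       # without paging the DC caps results at 1000
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    foreach ($r in $s.FindAll()) {
        $o = [ordered]@{}
        foreach ($p in $Props) { $o[$p] = @($r.Properties[$p]) }
        [pscustomobject]$o
    }
}

function ConvertFrom-AdInterval {
    # AD stores durations as negative 100-ns intervals; Int64.MinValue means "never"
    param([int64]$Ticks, [int64]$Divisor)
    if ($Ticks -eq [int64]::MinValue) { 'never' } else { [math]::Abs($Ticks) / $Divisor }
}

$domainDn = ([adsi]'LDAP://RootDSE').defaultNamingContext.Value

# 1. Local accounts on this host (WinNT provider, works even where Get-LocalUser is absent)
$local = ([adsi]"WinNT://$env:COMPUTERNAME").Children |
    Where-Object { $_.SchemaClassName -eq 'user' } | Select-Object -ExpandProperty Name

# 2. Domain user accounts with the attributes that matter for attack paths
#    (pwdlastset / lastlogontimestamp are FILETIME: [datetime]::FromFileTime($v))
$users = Search-Ad '(&(objectCategory=person)(objectClass=user))' `
    @('samaccountname','useraccountcontrol','pwdlastset','lastlogontimestamp','memberof','admincount')

# 3. Password and lockout policy, stored on the domain object itself
$pol = @(Search-Ad '(objectClass=domainDNS)' `
    @('maxpwdage','minpwdlength','pwdhistorylength','lockoutthreshold','lockoutduration') $domainDn)[0]
$policy = [pscustomobject]@{
    MaxPwdAgeDays    = ConvertFrom-AdInterval ([int64]$pol.maxpwdage[0]) 864000000000
    MinPwdLength     = [int]$pol.minpwdlength[0]
    HistoryLength    = [int]$pol.pwdhistorylength[0]
    LockoutThreshold = [int]$pol.lockoutthreshold[0]   # 0 = no lockout: password spraying is safe
    LockoutMinutes   = ConvertFrom-AdInterval ([int64]$pol.lockoutduration[0]) 600000000
}

# 4-6. Groups, group-to-member mapping, and accounts protected by AdminSDHolder (adminCount=1)
$groups = Search-Ad '(objectCategory=group)' @('samaccountname','member','grouptype')
$groupToUsers = foreach ($g in $groups) {
    foreach ($m in $g.member) { [pscustomobject]@{ Group = $g.samaccountname[0]; Member = $m } }
}
$privileged = Search-Ad '(&(objectCategory=person)(admincount=1))' @('samaccountname','memberof')

# 7. Object inventory by category (objectCategory is single-valued, objectClass is not)
$byCategory = Search-Ad '(objectClass=*)' @('objectcategory') |
    Group-Object { ($_.objectcategory[0] -split ',')[0] } | Select-Object Name, Count

# 8. Sessions currently open on this host
$loggedOn = Get-CimInstance Win32_LoggedOnUser |
    ForEach-Object { '{0}\{1}' -f $_.Antecedent.Domain, $_.Antecedent.Name } | Sort-Object -Unique

# 9. Computers in the domain
$computers = Search-Ad '(objectCategory=computer)' @('dnshostname','operatingsystem','lastlogontimestamp')

# 10. Every SPN; SPNs on non-computer accounts are Kerberoasting candidates
$spns     = Search-Ad '(servicePrincipalName=*)' @('samaccountname','serviceprincipalname','objectclass')
$userSpns = $spns | Where-Object { $_.objectclass -notcontains 'computer' }

"Domain: $domainDn"
"Local accounts ($(@($local).Count)): $($local -join ', ')"
"Domain users: $(@($users).Count)   Groups: $(@($groups).Count)   Computers: $(@($computers).Count)"
"Protected (adminCount=1) accounts: $(@($privileged | ForEach-Object { $_.samaccountname[0] }) -join ', ')"
$policy | Format-List
"Logged on here: $($loggedOn -join ', ')"
"Objects by category:"; $byCategory | Format-Table -AutoSize
"User accounts with SPNs:"; $userSpns |
    Select-Object @{n='Account';e={$_.samaccountname[0]}}, @{n='SPNs';e={$_.serviceprincipalname -join '; '}} |
    Format-Table -Wrap
"Group -> member mapping:"; $groupToUsers | Format-Table -AutoSize
```

Two caveats worth keeping in mind when running this. A `lockoutThreshold` of 0 is the value that makes password spraying safe; any other value means you must budget attempts per user against `LockoutMinutes`. And the `(objectClass=*)` inventory query and the `adminCount=1` lookup are exactly the kind of broad LDAP reads that Domain Controller auditing and identity-monitoring products flag, so on an engagement where stealth matters, scope them to an OU with the `-Base` parameter or drop them.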