Exploitation Methodology

Exploiting the systems within an Active Directory domain can be a quicker process than exploiting each system individually, because most of the recon needed to exploit those systems can be gathered either from any one of the compromised systems or from the Domain Controller.

To leverage the information that can be gathered through the Domain Controller, one first has to compromise a system within that domain and elevate privileges to the administrator level.

Once privileges are elevated, a wide variety of tools can be used to extract information from that system and from the Domain Controller.

The exploitation of systems within a domain can be broadly classified into 3 categories:

  1. Recon of the entire domain

Recon of the Domain

The recon of the domain can comprise multiple steps to gather information about the systems, users and objects in that domain. The following information can be gathered from within the domain:

  • List of local accounts on that system

  • List of user accounts present within the domain

  • Account-related information as defined by the domain, such as password policy, groups, privileges, etc.

  • List of groups present within the domain

  • Group privileges

  • Group-to-user mapping

  • List of Objects along with their attributes within the domain

  • List of users currently logged in

  • Total number of systems present in the domain

  • Available SPNs in the domain
