Red teaming tutorial: Active directory pentesting approach and tools

Infosec Institute

There are a number of tools you should use when it comes to active directory (AD).

Inveigh and responder as a start point

Many new and legacy networks still run name-resolution protocols that adversaries can spoof in order to collect and relay authentication requests.

NBT-NS, LLMNR and mDNS all work by broadcasting a name query to the local network, and adversaries take advantage of this by listening for those queries and answering them with spoofed responses. Because the responses are not validated or integrity-protected, a bad actor can use this to steal credentials, or relay the authenticated requests to other machines, thereby impersonating the user and accessing internal assets in that user's context.

Inveigh and Responder are the tools used to act as this man-in-the-middle agent on the network. The figure below shows a user's NTLMv2 hash collected by Responder during the spoofing process.

After that, adversaries could try to crack the NTLMv2 hash; if the user's password is weak and not complex, a valid password could still be recovered in a few minutes, even though NTLMv2 hashes are more expensive to crack than NTLM hashes.
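Because any host that answers a name query for a name that cannot legitimately exist is, by definition, a poisoner, the same broadcast mechanism described above also gives defenders a cheap detection: send LLMNR queries for a canary name and alert on whoever replies. The following Python is an added example written for this page, not code from the article or from the Inveigh or Responder projects. It builds an LLMNR query (the wire format is the DNS message format on UDP 5355 to 224.0.0.252), parses a response including compressed names, and classifies a reply for the canary as a suspect. The sample response bytes, the canary name `fileshare-canary`, the transaction id and the addresses 192.0.2.10 / 192.0.2.50 are all constructed for the example.

```python
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # LLMNR multicast address (RFC 4795)
LLMNR_PORT = 5355


def encode_name(name):
    """Encode a hostname as DNS-style length-prefixed labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_llmnr_query(name, txid):
    """Standard LLMNR A query: 12-byte DNS header, one question, no answers."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def decode_name(data, offset):
    """Decode a (possibly compressed) name; returns (name, offset after the field)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # field ends after the pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_llmnr_response(data):
    """Parse header, question and A-record answers of an LLMNR message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    qname, offset = decode_name(data, 12)
    offset += 4                                        # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        rname, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((rname, socket.inet_ntoa(rdata)))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "answers": answers}


def classify_response(expected_txid, canary_name, data, sender_ip):
    """Return a finding if `sender_ip` answered our canary query, else None.

    The canary name is chosen so that no real host can own it, so any
    answer at all is evidence of LLMNR poisoning on the segment.
    """
    parsed = parse_llmnr_response(data)
    if not parsed["is_response"] or parsed["txid"] != expected_txid:
        return None
    if parsed["qname"].lower() != canary_name.lower():
        return None
    return {"suspect": sender_ip, "claims": parsed["answers"]}


# Constructed sample: a poisoned reply for the canary, answer name compressed
# (0xC00C points back to the question name), A record -> 192.0.2.50, TTL 30.
SAMPLE_TXID = 0x1234
SAMPLE_CANARY = "fileshare-canary"
SAMPLE_POISONED_RESPONSE = (
    b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x10fileshare-canary\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\xc0\x00\x02\x32"
)


def probe_segment(canary_name, txid, timeout=2.0):
    """Live check: multicast one canary query and classify every reply received."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(canary_name, txid), (LLMNR_GROUP, LLMNR_PORT))
    findings = []
    try:
        while True:
            data, (ip, _port) = sock.recvfrom(4096)
            finding = classify_response(txid, canary_name, data, ip)
            if finding:
                findings.append(finding)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed sample (assumed sender 192.0.2.10).
    print(classify_response(SAMPLE_TXID, SAMPLE_CANARY, SAMPLE_POISONED_RESPONSE, "192.0.2.10"))
```

Run periodically from a host on each segment, `probe_segment` turns the protocol weakness into a simple alert; the permanent fix remains disabling LLMNR and NBT-NS by policy on the clients, after which no host should reply at all.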

Hashcat is your best friend

As you were auditing
