Movement

This is a work-in-progress

Below is a checklist to go through when conducting a pentest. Order is irrelevant and many tests require authenticated or admin access. This checklist answers "what to audit on AD?" rather than "how to pwn AD?". A mindmap is in the works for that matter .

NTLM configuration

Obsolete versions of this protocol (LM, LMv2 and NTLM(v1)) are disabled and NTLM (all versions) is disabled when possible. This allows to stay safe from , and and attacks.

Kerberos configuration

krbtgt's password has been changed in the last 6 months to prevent persistence attacks. From UNIX-like systems, this can be checked with 's script.
The RC4 etype is disabled for Kerberos to prevent and and to attacks. This can be checked by attempting to obtain a TGT with an NT hash.
No account is configured with Do not require Kerberos Pre-Authentication allowing for attacks, or make sure those account have strong password resistant to .
User accounts that have at least one ServicePrincipalName, hence vulnerable to , have a strong password, resistant to

Patch management

Domain Controllers are patched against .
Domain Controllers are patched against .
is patched, preventing forging of powerful Kerberos tickets.
patches are applied, protecting Exchange servers from , and attacks relying on the EXCHANGE WINDOWS PERMISSION group having WriteDacl permissions against the domain object allowing for .
Patches for NTLM tampering vulnerabilities (e.g. CVE-2019-1040, CVE-2019-1019, CVE-2019-1166) are applied to limit attacks.
Latest security patched are applied (e.g. for ProxyLogon, ProxyShell, PrintNightmare, ...).

Access Management (IAM/PAM)

Credentials Management

Domain-level configuration and best-practices

Networking, protocols and services

Active Directory Certificate Services

PreviousPassword policy NextCredentials

Last updated 12 months ago

Was this helpful?

Local administrators have a unique, random, complex and rotating password on every server/workstation (e.g. use of LAPS). This can be checked by dumping a local admin password or hash and attempting (i.e. trying to log in on other resources with that password/hash).

Strong exist and are applied (complexity enabled, at least 12 chars, 16 for admins, must change every 6 months) and users know not to use simple and guessable passwords (e.g. password == username) limiting credential , , and attacks.

Tier Model is applied (administrative personnel have multiple accounts, one for each tier, with different passwords and security requirements for each one) and a "least requirement" policy is followed (i.e. service accounts don't have domain admin (or equivalent) privileges, ACEs are carefully set) limiting credential , , and attacks.

Sensitive network shares are not readable by all users. A "need to know" policy is followed, preventing data leak and other .

No account is configured with capabilities.

No computer account has admin privileges over another one. This limits attacks.

Caching of domain users is limited on workstations and avoided on servers to prevent of LSA secrets from registry.

are not used.

LSA protection are enabled to prevent .

Network shares readable by all domain users don't contain sensitive data like passwords or certificates limiting .

The domain-level attribute is set to 0, preventing domain users from creating domain-joined computer accounts.

Default are empty, limiting, among other things, out-of-box ACE abuses.

SMB signing is required when possible, especially on sensitive servers, preventing attacks.

LDAP signing is required on Domain Controllers, preventing attacks.

Extended Protection for Authentication (EPA) is required, especially for Domain Controllers supporting LDAPS, preventing attacks.

IPv6 is either fully configured and used or disabled, preventing attacks.

are disabled, preventing MITM attacks relying on those multicast/broadcast domain name resolution protocols.

WPAD is disabled, preventing .

A record exists in ADIDNS for the * (wildcard) preventing powerful attacks. Preferably, this is a TXT record.

The print spooler is disabled on Domain Controllers and sensitive servers to prevent the authentication coercion attack.

The WSUS server (if any) is configured with HTTPS, to prevent ARP poisoning with attacks.

Set-up packet filtering & inspection and enable port security on network switched to prevent attacks and .

Set-up VLANs, 802.1X or other securities to limit the attackers progress within the network.

Plaintext protocols are avoided when using credentials (HTTP, FTP, ...), in order to minimize the risks of the .

The CA is configured correctly (the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is not set). This prevents .

There are no certificate templates that are badly configured. This prevents .

AD-CS web and RPC endpoints are secured against (HTTPS, EPA (Extended Protection for Authentication) and encryption enforced).

credential stuffing

password and lockout policies

credential-based attacks

NTLM relay

credential dumping

Group Policy Preferences Passwords

LSASS dumping

credential dumping

Machine Account Quota

special groups

NTLM relay

DHCPv6 spoofing with DNS poisoning

LLMNR, NBT-NS and mDNS

network secrets dumping

NAC (Network Access Control)

capture of credentials transiting on the network

the corresponding domain escalation attack

AD-CS NTLM relay attacks

😉

Kerberos sAMAccountName spoofing

MS14-068

PrivExchange

authentication coercion attacks relying on the PushSubscription API

ACE abuse

DCSync

NTLM relay

Kerberos Unconstrained Delegation

cracking