
Pentest Chronicles

Insider threat - The average insider threat attack scenario. How attackers can take over an entire domain in a few steps. Part 2.

Dominik Antończak

February 23, 2024

Have you ever wondered how little it takes to take over an Active Directory domain? Did an exploit come to mind? Nah, exploits are not the elegant way and are easily detected; if anything, they remain a last resort. As savvy "hackers", we have the knowledge to move through the network smoothly without making noise. Sometimes it takes only a few steps, and just as Neil Armstrong said, it's one small step for man…, but for us hackers, taking over one system is a small step towards taking over the entire network. In this scenario, I'll demonstrate how the ability to analyse the information acquired, coupled with a few subtle actions, was enough to take over the entire domain of a company with 500-1000 users.


As an advanced attacker, I already have access to the "unhackable.corp" LAN, and I start by analysing what is on the local network. I always like to check what is in the shared directories, because you can always find very, very interesting things there, and this case was no exception. Seeing a "dev" directory, the first thing that comes to mind is "ah, the DEV directory: source code, access data, configuration files", so I'll probably be able to get some data out of it.



This directory holds about 30 folders. The first one that caught my attention was AWS, and what I found in it I didn't expect at all.



If you didn't say, "Oh, there may be passwords for some AD account in here", then you need more practice ;).
And this time my intuition didn't fail me: domain account credentials.
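Sweeping a share by hand works for one "dev" directory, but the same search is worth automating so nothing in the other 29 folders is missed. The script below is an added example, not tooling from the original post: it materialises a constructed miniature of such a share (the AKIAIOSFODNN7EXAMPLE key is the placeholder from AWS's own documentation, the UNHACKABLE\svc_example account and every password are made up) and greps it for the patterns that usually give away credentials: AWS access keys, domain accounts in DOMAIN\user form, password assignments in config files and plaintext passwords wrapped in ConvertTo-SecureString.

```python
"""Added example (not from the post): sweep a copy of a file share for
credential material. Sample files, account names and secrets are constructed;
AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS documentation."""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# Constructed stand-in for a careless "dev" share: relative path -> content.
SAMPLE_SHARE = {
    "aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "aws/deploy.ps1": (
        "$cred = New-Object PSCredential('UNHACKABLE\\svc_example', "
        "(ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force))\n"
    ),
    "api/appsettings.json":
        '{"ConnectionStrings": {"Db": "Server=sql01;User Id=sa;Password=P@ssw0rd;"}}\n',
    "docs/README.md": "Build with `make all`. No secrets here.\n",
}

# What to look for. Group 1, when present, is the secret itself.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"aws_secret_access_key\s*=\s*(\S{40})", re.I),
    "domain_account": re.compile(r"\b[A-Z0-9_-]+\\[A-Za-z0-9._$-]+\b"),
    "password_assignment": re.compile(
        r"(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^'\";\s]+)", re.I),
    "convertto_securestring": re.compile(r"ConvertTo-SecureString\s+'([^']+)'", re.I),
}


@dataclass(frozen=True)
class Finding:
    path: str   # path relative to the share root
    kind: str   # which pattern fired
    value: str  # the matched secret (redact before it goes into a report)


def build_sample_share(root: str) -> None:
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_SHARE.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def scan_share(root: str, max_bytes: int = 1_000_000) -> list[Finding]:
    """Walk root and return every pattern hit in small, text-decodable files."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > max_bytes:
                continue  # skip large binaries; config and scripts are small
            try:
                with open(full, encoding="utf-8") as fh:
                    text = fh.read()
            except UnicodeDecodeError:
                continue  # not text, not interesting for this pass
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(text):
                    value = m.group(1) if m.groups() else m.group(0)
                    findings.append(Finding(rel, kind, value))
    return sorted(findings, key=lambda f: (f.path, f.kind))


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding is recognisable without leaking it."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def demo() -> list[Finding]:
    """Build the constructed share in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_share(root)
        return scan_share(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path:24} {f.kind:24} {redact(f.value)}")
```

On a real engagement the same loop runs over a mounted or mirrored share; the important design choice is that findings are redacted before they land in notes or a report, since the report itself becomes the next credential leak otherwise.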



Time to see what the user "serverdeveloper" has to offer in the attacked AD. BloodHound is ideally suited to this purpose: a graph tool that maps the relationships within Active Directory (group memberships, local admin rights, active sessions, ACLs) and shows the paths they open up. Mmmm, and such links are more than welcome: this one leads to the A-SAP92 system, so it's time to extract secrets from that host.



Oh, and there are credentials for another AD account. This time the name suggests that I'm dealing with a user who could cause quite a stir in the AD.



I'll tell you, when it comes to "stars", only these will do:



The user backupadmin is in the Domain Admins group - how nice… :)
Now, just like in Mortal Kombat, it's time to use the right combination to execute a fatality: DCSync. A Domain Admin holds the directory replication rights (Replicating Directory Changes and Replicating Directory Changes All), so I can ask a domain controller to replicate its credential material to me exactly as another DC would, and dump every account's secrets without running anything on the DC itself:
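DCSync is quieter than an exploit, but it is not silent. A domain controller with "Audit Directory Service Access" enabled records each replication request as Security Event ID 4662 whose Properties field carries the control-access-right GUIDs for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; a request whose SubjectUserName is not a domain controller's machine account is the classic DCSync signature. The detection logic below is an added example and not part of the original post: the events it runs over are constructed, and the DC01$/DC02$ allow-list is an assumption about the unhackable.corp domain.

```python
"""Added example (not from the post): flag DCSync-style replication requests
in Windows Security Event ID 4662 records. Sample events are constructed and
the DC machine-account names are hypothetical."""
import re
from dataclasses import dataclass

# Control-access-right GUIDs exercised by a directory replication request.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(
    r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I)

# Principals that legitimately replicate: the DCs' own machine accounts
# (hypothetical names). Environments with Azure AD Connect would also
# allow-list its sync account here rather than ignore the alert.
DC_ACCOUNTS = {"DC01$", "DC02$"}


@dataclass
class Event4662:
    subject_user: str  # SubjectUserName
    access_mask: str   # AccessMask; 0x100 is Control Access
    properties: str    # Properties field as logged (access type + GUIDs)


# Constructed records: DC-to-DC replication, a DCSync by a user account,
# and an ordinary property read that must not alert.
SAMPLE_EVENTS = [
    Event4662("DC02$", "0x100",
              "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("backupadmin", "0x100",
              "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("serverdeveloper", "0x10",
              "Read Property {00000000-0000-0000-0000-000000000000}"),  # placeholder GUID
]


def replication_rights(ev: Event4662) -> list[str]:
    """Names of the replication rights requested in this event, if any."""
    guids = {g.lower() for g in GUID_RE.findall(ev.properties)}
    return sorted(REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS)


def detect_dcsync(events, allowed=DC_ACCOUNTS) -> list[dict]:
    """Alert on replication requests from anything other than an allowed DC."""
    alerts = []
    for ev in events:
        rights = replication_rights(ev)
        if not rights:
            continue  # ordinary directory access, not replication
        if ev.subject_user in allowed:
            continue  # DCs replicating with each other is normal
        alerts.append({"subject": ev.subject_user, "rights": rights,
                       "access_mask": ev.access_mask})
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspected: {a['subject']} requested {', '.join(a['rights'])}")
```

The rule is deliberately strict about the allow-list rather than the GUIDs: Get-Changes alone is also held by some service accounts, but Get-Changes-All from an account that is not a DC is exactly what the step above produces on the wire.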



Great, in a few steps I managed to take over the entire network of the unhackable.corp company. As an additional tidbit for the keen reader: cracking the dumped hashes recovered 232 of the 1538 unique passwords, or 15.08%, and because passwords are reused, those 232 plaintexts granted access to 323 accounts. It may not sound like a lot, but considering that each of those 323 accounts is another foothold from which the entire AD could be taken over in its own way, it's quite an interesting result.



#CyberSecurity #InsiderThreat #APT #ActiveDirectory #NetworkSecurity #PenetrationTesting #PentestChronicles


© 2023 Securitum. All rights reserved.