Active Directory Penetration Testing
This article can be helpful for penetration testers and security experts who want to secure their network.
“Active Directory”, called “AD”, is a directory service that Microsoft developed for Windows domain networks. Using it, you can control the domain computers and services that are running on every node of your domain.
Penetration Testing Active Directory:
This section has several levels. The first level is reconnaissance of your network. Every user can enter a domain by having an account in the domain controller (DC). All of this information can be gathered just by a user that is an AD user. In the
+ c: > net user
By running this command in CMD (Command Prompt) you can easily see the local users on your PC.
+ c: > whoami
This command helps you see the currently logged-in user.
+ c: > whoami /groups
This command shows you the groups of the current user.
+ c: > net user /domain
This command shows you all users from any group in Active Directory.
You can also see every user’s groups by running this command:
+ c: > net user [username] /domain
To have a better look, you can use the “AD Recon” script. AD Recon is a script
You can download this script from GitHub :
Screenshots of the report of this app:
When you have all AD users, you should take a look at the group policy. Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. In the group policy you can see environment policies such as the “Account Lockout Policy”.
when you get all
Brute force :
For a brute force attack on Active Directory, you can use Metasploit Framework auxiliaries. You can
msf > use auxiliary/scanner/smb/smb_login
In the options of this auxiliary you can set a username file and a password file, and set an IP that has the SMB service open.
Then you can run this auxiliary by entering the “run” command.
If you try false passwords more times than the Account Lockout Policy allows, you will see this message: “Account Has Been Locked out”.
if you try it on all accounts, all users will
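On the defensive side, the failed logons and lockouts described above can be detected from the Windows Security log. The following is an added example, not code from the original article: it assumes a flat "time event_id account source" export (a constructed format with constructed sample data), and the function names and thresholds are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed flat format: "time event_id account source".
# 4625 = failed logon, 4740 = account locked out; 4740 lines use "-" as source.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 4625 alice 10.0.0.50
2024-05-01T09:00:02 4625 alice 10.0.0.50
2024-05-01T09:00:03 4625 alice 10.0.0.50
2024-05-01T09:00:04 4740 alice -
2024-05-01T09:00:05 4625 bob 10.0.0.50
2024-05-01T09:00:06 4625 bob 10.0.0.50
2024-05-01T09:00:07 4625 bob 10.0.0.50
2024-05-01T09:00:08 4740 bob -
2024-05-01T09:00:09 4625 carol 10.0.0.50
2024-05-01T11:30:00 4625 dave 10.0.0.77
"""

def parse(text):
    """Yield (timestamp, event_id, account, source) from the sample format."""
    for line in text.splitlines():
        ts, event_id, account, source = line.split()
        yield datetime.fromisoformat(ts), int(event_id), account, source

def detect(events, window=timedelta(minutes=5), max_failures=5, max_accounts=3):
    """Flag sources whose failed logons in any window reach either threshold."""
    failures, locked = defaultdict(list), set()
    for ts, event_id, account, source in events:
        if event_id == 4625:
            failures[source].append((ts, account))
        elif event_id == 4740:
            locked.add(account)
    alerts = []
    for source, rows in sorted(failures.items()):
        rows.sort()
        start = peak_count = 0
        peak_accounts = set()
        for end, (ts, _) in enumerate(rows):
            while ts - rows[start][0] > window:  # shrink window from the left
                start += 1
            accounts = {a for _, a in rows[start:end + 1]}
            peak_count = max(peak_count, end - start + 1)
            if len(accounts) > len(peak_accounts):
                peak_accounts = accounts
        if peak_count >= max_failures or len(peak_accounts) >= max_accounts:
            alerts.append({"source": source, "failures": peak_count,
                           "accounts": sorted(peak_accounts),
                           "locked_out": sorted(peak_accounts & locked)})
    return alerts
```

Calling `detect(parse(SAMPLE_EVENTS))` reports the one source that failed against several accounts within the window, together with the accounts that ended up locked out; the thresholds should be set just below the domain's actual lockout threshold.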
All hashes are stored in a file named “NTDS.dit” in this location :
you will extract hashes from this file by using
Then you can see hashes and password (if
Source & Credits
The Article Prepared by Omid