
Active Directory Lab Overview

1 Point

This lab guides you through exploiting an Active Directory environment. You'll experience a simulated red team operation, covering key stages like service enumeration, exploiting vulnerabilities, and privilege escalation.

Key Activities

  • Service Enumeration
  • Exploit misconfigurations and weak credentials
  • Abusing Active Directory features for full control

Tools You'll Use

  • Reconnaissance: Nmap
  • Enumeration: smbclient, ldapsearch, kerbrute
  • Exploitation: netexec, evil-winrm
  • Privilege Escalation: ldapdomaindump, BloodHound, winPEAS
  • Post-Exploitation: Windows CLI, RPC Commands

Note: All required files and tools for this lab are preloaded and can be found on the Kali desktop.

Attacker IP: 10.0.15.99
Target IP: 192.168.10.4

# █████▒▒░░💀 Let's begin 💀░░▒▒█████
Click Complete once you finish the task.

Full TCP Port Scan on Target Host

5 Points

To begin any pentest, you must discover what services the machine is running. A full TCP port scan helps uncover all active ports, even if services are running on unusual ports.

Tool Used: nmap

Chosen for its speed, versatility, and accuracy in network scanning.

nmap -Pn -sS -p- [TARGET_IP]
  • -Pn: Skip ping (Treat host as online)
  • -sS: SYN scan for stealth and speed (if you are not root, run it with sudo)
  • -p-: Scan all 65535 TCP ports

Hints & Tips:

  1. Always scan all ports (-p-) to avoid missing hidden services.
  2. Use -Pn if ICMP is blocked, or whenever you already know the host is online.


Question: What TCP port is Kerberos running on?

Full Match Answer:

Service and Version Detection

5 Points

From Task 2: You discovered open ports like 88, 389, 445.

Knowing the open ports isn't enough. We now identify what applications are running and their versions — key to finding known vulnerabilities.

88/tcp     open  kerberos-sec       # Kerberos authentication for domain logins
135/tcp    open  msrpc              # Microsoft RPC endpoint mapper
139/tcp    open  netbios-ssn        # NetBIOS session service (legacy file sharing)
389/tcp    open  ldap               # LDAP directory service (domain controller indicator)
445/tcp    open  microsoft-ds       # SMB over TCP for file sharing and remote access
464/tcp    open  kpasswd5           # Kerberos password change service
593/tcp    open  http-rpc-epmap     # RPC over HTTP, used for remote management
636/tcp    open  ldapssl            # LDAP over SSL/TLS (secure LDAP)
3268/tcp   open  globalcatLDAP      # Global Catalog LDAP (non-SSL)
3269/tcp   open  globalcatLDAPssl   # Global Catalog LDAP over SSL

Tool Used: nmap

Open your terminal again and type:

nmap -sV -p [PORTS] [TARGET_IP] -Pn
  • -sV: Enables version detection
  • -p: Specifies the ports to scan
  • -Pn: Skip ping (Treat host as online)

Tips:

  • Version info helps you find service vulnerabilities and match them against known CVEs.

  • Add -A for deeper detection (OS, scripts), but use it with caution.
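The port table above is what you read by hand when answering the questions in Tasks 2 and 3; on a larger engagement or an internal asset inventory it is worth parsing instead. The script below is an added example, not part of the lab or the nmap project: it parses nmap's normal-format port lines, strips the `?` nmap appends to a service name when the port was open but no version fingerprint matched, builds the comma-separated list you would pass to `-sV -p`, and flags a host as a likely domain controller when Kerberos, LDAP and SMB are all open (Global Catalog ports strengthen the verdict). The sample scan text is constructed here from the lab's task-3 listing; the VERSION column and the closed 5985 line are made up.

```python
import re
from typing import Dict, List

# Constructed sample of nmap's normal-format output for the lab target. The port
# table mirrors the task-3 listing (without the '#' comments, which nmap does not
# print); the VERSION column and the closed 5985 line are invented for the demo.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.10.4
Host is up (0.00045s latency).
Not shown: 65524 filtered tcp ports (no-response)
PORT     STATE  SERVICE            VERSION
88/tcp   open   kerberos-sec       Microsoft Windows Kerberos
135/tcp  open   msrpc              Microsoft Windows RPC
139/tcp  open   netbios-ssn        Microsoft Windows netbios-ssn
389/tcp  open   ldap               Microsoft Windows Active Directory LDAP
445/tcp  open   microsoft-ds?
464/tcp  open   kpasswd5?
593/tcp  open   http-rpc-epmap     Microsoft Windows RPC over HTTP 1.0
636/tcp  open   ldapssl
3268/tcp open   globalcatLDAP
3269/tcp open   globalcatLDAPssl
5985/tcp closed wsman
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version text>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)

# TCP ports that together characterise an Active Directory domain controller
# (the services listed in the lab's task-3 table).
DC_PORTS = {88: "kerberos", 389: "ldap", 445: "smb", 464: "kpasswd",
            636: "ldaps", 3268: "gc-ldap", 3269: "gc-ldaps"}


def parse_nmap_ports(text: str) -> List[Dict]:
    """Return one dict per port line; banner, header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        service = m.group("service")
        rows.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            # nmap appends '?' when the port is open but no fingerprint matched,
            # so the service name is a guess from the port number only.
            "service": service.rstrip("?"),
            "confirmed": not service.endswith("?"),
            "version": m.group("version") or "",
        })
    return rows


def ports_argument(rows: List[Dict]) -> str:
    """Comma-separated open TCP ports, ready for 'nmap -sV -p <this> <target>'."""
    open_ports = sorted(r["port"] for r in rows
                        if r["proto"] == "tcp" and r["state"] == "open")
    return ",".join(str(p) for p in open_ports)


def dc_indicators(rows: List[Dict]) -> Dict:
    """Classify the host from its open ports: is it exposing a DC's service set?"""
    open_ports = {r["port"] for r in rows
                  if r["proto"] == "tcp" and r["state"] == "open"}
    present = sorted(p for p in DC_PORTS if p in open_ports)
    missing = sorted(p for p in DC_PORTS if p not in open_ports)
    return {
        "open_dc_ports": present,
        "missing": missing,
        # Kerberos + LDAP + SMB together is the minimal DC signature.
        "likely_dc": {88, 389, 445} <= open_ports,
        "global_catalog": bool({3268, 3269} & open_ports),
    }


if __name__ == "__main__":
    rows = parse_nmap_ports(SAMPLE_NMAP_OUTPUT)
    print("ports for -sV:", ports_argument(rows))
    print(dc_indicators(rows))
```

The `confirmed` flag is the detail worth keeping: for ports 445 and 464 in the sample, nmap only guessed the service from the port number, which is exactly where a second pass with `-sV` (or a protocol-specific tool such as smbclient) is needed before trusting the name.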


Question: What is the service running on port 139?

Full Match Answer:

Null Session SMB Enumeration

5 Points

From Task 3: We saw that Port 445 (SMB) is open and running.

This protocol is often used for file sharing and remote access on Windows systems. Misconfigured SMB servers sometimes allow anonymous access, which can leak valuable domain information such as usernames, shares, or hostnames.

Method 1:

Tool Used: smbclient

Open your terminal and type the following command:

smbclient -NL //[TARGET_IP]
  • -N: No password prompt
  • -L: List available shares

Method 2:

Tool Used: netexec

netexec smb [TARGET_IP] -u '' -p '' --shares
  • -u '', -p '': Empty username and password (null session).

  • --shares: Explicitly request share enumeration.

Tips:

  1. Look for shares like Users, IPC$, or NETLOGON.
  2. If denied, try authenticated access later.


Question: What is the fully qualified domain name (FQDN) discovered for the SMB target?

Answer format: ch****.me********.nyx

Full Match Answer:

LDAP Anonymous Bind Check

5 Points

From Task 2: We saw that port 389 (LDAP) is open.

LDAP is used to query Active Directory information. If LDAP allows anonymous binding, you can extract domain details without credentials, such as domain names, organizational units, and naming contexts, which reveal the domain structure (e.g., DC=megachange,DC=nyx).

Tool Used: ldapsearch

A command-line tool that opens a connection to an LDAP server, binds to it, and performs a search using a filter.

ldapsearch -x -H ldap://[TARGET_IP] -s base namingcontexts
  • -x: Simple auth.

  • -H: LDAP URI.

  • -s base: Search base only (not recursive).

This gives you the domain name for Kerberos enumeration.
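ldapsearch prints its results as LDIF, and the step from `DC=megachange,DC=nyx` to the `megachange.nyx` value kerbrute's -d flag wants is usually done by eye. The script below is an added example, not part of the lab or of the OpenLDAP tools: it parses a constructed LDIF response of the shape the rootDSE query above returns, unfolds continuation lines (a line beginning with one space continues the previous one), decodes `::` base64-encoded values, picks the root domain naming context as the DC-only DN with the fewest components (the forest root in a single-domain lab such as this one) and converts it to a DNS name. The sample response is built here from the domain the lab names, not captured from the target; the base64 line and the folded line are included only to exercise those two LDIF forms.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed LDIF in the shape ldapsearch prints for
# "ldapsearch -x -H ldap://<dc> -s base namingcontexts". The first value is
# base64 of "DC=megachange,DC=nyx" (the '::' form), the last one is folded
# across two lines; both are written that way here on purpose.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#

#
dn:
namingContexts:: REM9bWVnYWNoYW5nZSxEQz1ueXg=
namingContexts: CN=Configuration,DC=megachange,DC=nyx
namingContexts: CN=Schema,CN=Configuration,DC=megachange,DC=nyx
namingContexts: DC=DomainDnsZones,DC=megachange,DC=nyx
namingContexts: DC=ForestDnsZones,DC=megachange,
 DC=nyx

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# "attr: value" or "attr:: base64value"; attribute names may carry options (";binary")
LDIF_LINE = re.compile(r"^(?P<attr>[A-Za-z][\w.;-]*)(?P<sep>::?)\s*(?P<value>.*)$")


def parse_ldif(text: str) -> List[Tuple[str, str]]:
    """Return (attribute, value) pairs with folded lines joined and '::' values decoded."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    pairs = []
    for line in unfolded:
        if not line or line.startswith("#"):  # blank separators and ldapsearch comments
            continue
        m = LDIF_LINE.match(line)
        if not m:
            continue
        value = m.group("value")
        if m.group("sep") == "::":
            value = base64.b64decode(value).decode("utf-8")
        pairs.append((m.group("attr"), value))
    return pairs


def naming_contexts(text: str) -> List[str]:
    return [v for a, v in parse_ldif(text) if a.lower() == "namingcontexts"]


def dn_components(dn: str) -> List[str]:
    # AD naming-context DNs contain no escaped commas, so a plain split is safe here.
    return [part.strip() for part in dn.split(",") if part.strip()]


def root_domain_nc(ncs: List[str]) -> Optional[str]:
    """The DC-only naming context with the fewest RDNs: the domain (forest root) NC."""
    dc_only = [nc for nc in ncs
               if all(c.upper().startswith("DC=") for c in dn_components(nc))]
    if not dc_only:
        return None
    return min(dc_only, key=lambda nc: len(dn_components(nc)))


def nc_to_dns(nc: str) -> str:
    """DC=megachange,DC=nyx -> megachange.nyx"""
    return ".".join(c.split("=", 1)[1] for c in dn_components(nc))


if __name__ == "__main__":
    ncs = naming_contexts(SAMPLE_LDIF)
    root = root_domain_nc(ncs)
    print("naming contexts:", ncs)
    print("root domain NC:", root, "->", nc_to_dns(root))
```

One caveat for anyone reporting on this step: on Active Directory, the rootDSE attributes queried here (namingContexts and friends) are readable without credentials by default, so this command succeeding shows the DC is reachable and reveals the domain name, but it is not by itself evidence that anonymous reads of the directory contents (users, OUs) are enabled; that requires a separate check against the domain naming context.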


Question: What is the root domain naming context discovered from the LDAP anonymous query?

Answer format: m********* , n**

List of Answers:

Kerberos Username Enumeration

10 Points

From Task 5: We discovered the domain name (megachange.nyx) from the LDAP output.

Now, we attempt to identify valid usernames using Kerberos. A valid username is essential for brute-force attacks, AS-REP roasting, or kerberoasting.

Tool Used: kerbrute

Why? It can enumerate valid usernames without triggering account lockouts on most systems.

Navigate to ~/Desktop and type:

./kerbrute userenum --dc [TARGET_IP] -d [DOMAIN NAME] /path/to/userlist.txt
  • --dc: Domain controller IP

  • -d: Domain name

Note: you will find the user list (names.txt) on ~/Desktop.


Question: What valid username was found using kerbrute?

Full Match Answer:

Password Brute Force via SMB Login

10 Points

From Task 6: The valid username alfredo was discovered.

Try brute-forcing alfredo's password against SMB (port 445). If successful, it provides authenticated access to domain resources.

Tool Used: netexec

netexec smb [TARGET_IP] -u '[USERNAME]' -p /path/to/passwords.txt
  • smb: SMB protocol

  • -u: Username

  • -p: Password list (Use fasttrack.txt under /usr/share/wordlists)


Question: What is the successful password discovered for user alfredo?

Full Match Answer: