top of page


Public·13 members
Michael Lukin
Michael Lukin

Active Directory Penetration Testing Checklist

As you were auditing an active directory network and got a valid NTLMv2 hash from a domain user with Responder, the best thing to do is crack it with hashcat. Imagine you have the following NTLMv2 from the Mango domain captured with Responder:

Active Directory Penetration Testing Checklist


Active Directory has been used for a long time in on-prem systems. The prevalence of Microsoft Windows operating systems and the use of Active Directory has become almost a necessity for corporate companies. It has made it necessary to meet Azure AD for companies that want to use cloud technology. After developing cloud technologies in recent years, Microsoft Azure AD has opened the IAM service in cloud technologies. We already know the popular attack methods on On-Prem Active Directory. This article will get to know Azure AD technology, learn the attack surface, and learn the tools used in penetration testing.

Due to the prevalence of Azure AD Active Directory usage, corporate companies widely use it. As it is a hybrid technology, there are access control risks such as On-Prem to Cloud and On-Cloud to On-Prem. It is possible to access the on-prem Active Directory controller through a compromised system on the cloud, and it is also possible to log in to Azure AD via the on-prem Windows systems. Attackers can also exploit a detected vulnerability in web applications on Azure, and your on-prem or on-cloud active directory infrastructure can be exploited.

For penetration testers who do many internal network penetration tests, the process tends to follow a familiar rhythm: Default Active Directory and Windows OS settings often lead to easy footholds and escalation paths to Domain Admin, meaning the same few tricks often yield wild success. Domain Admin is often achieved on the first day of testing by running Responder to obtain user hashes, cracking a weak password to obtain domain credentials, then Kerberoasting and cracking a weak service password.

To run Bloodhound on your network, grab the latest release of SharpHound from their Github page. The binary will likely be flagged by AV, so you will have to create an exception to run it. SharpHound is used to collect information from the domain and provide files to be ingested by BloodHound. BloodHound then provides a nice graphical interface for viewing your active directory environment and potential attack paths.

BloodHound ( ) is an application used to visualize active directory environments. The front-end is built on electron and the back-end is a Neo4j database, the data leveraged is pulled from a series of data collectors also referred to as ingestors which come in PowerShell and C# flavours.

To actually use BloodHound other than the example graph you will likely want to use an ingestor on the target system or domain. Essentially these are used to query the domain controllers and active directory to retrieve all of the trust relationships, group policy settings and active directory objects.

Just as visualising attack paths is incredibly useful for a red team to work out paths to high value targets, however it is just as useful for blue teams to visualise their active directory environment and view the same paths and how to prevent such attacks.

In addition to leveraging the same tooling as attackers, it is important for the blue team to be able to employ techniques to detect usage of such tooling for better time to detection and reaction for incident response. To identify usage of BloodHound in your environment it is recommended that endpoints be monitored for access and requests to TCP port 389(LDAP) and TCP port 636(LDAPS) and similar traffic between your endpoints and your domain controllers. A large set of queries to active directory would be very suspicious too and point to usage of BloodHound or similar on your domain.

The GIAC Penetration Tester certification validates a practitioner's ability to properly conduct a penetration test, using best practice techniques and methodologies. GPEN certification holders have the knowledge and skills to conduct exploits and engage in detailed reconnaissance, as well as utilize a process-oriented approach to penetration testing projects.

The GIAC Penetration Tester certification validates a practitioner's \nability to properly conduct a penetration test, using best practice \ntechniques and methodologies. GPEN certification holders have the \nknowledge and skills to conduct exploits and engage in detailed \nreconnaissance, as well as utilize a process-oriented approach to \npenetration testing projects.

The GPEN certification is for security personnel whose job duties involve assessing target networks and systems to find security vulnerabilities. Certification objectives include penetration-testing methodologies, the legal issues surrounding penetration testing and how to properly conduct a penetration test as well as best practice technical and non-technical techniques specific to conduct a penetration test.

While similar, a penetration test and a vulnerability assessment are not the same thing. Used together however, especially if you are doing both active and passive vulnerability scanning, they can be extremely complementary.

Active scanning for vulnerabilities can complement the penetration test. For example, if a pentester is looking for an exploitable hole in a website, the tester could use a web application scanner to identify where web applications are vulnerable to cross-site scripting or SQL injection and then explore those areas more using a penetration testing tool or manual methods.

Our Azure penetration testing service identifies cloud configuration and other security issues on your Azure infrastructure and provides actionable recommendations to improve your Azure cloud security posture.

Whether you are migrating to Azure, developing cloud native applications in Azure, using Azure Kubernetes Service (AKS), or pentesting Azure annually for compliance, penetration testing your Microsoft Azure infrastructure helps you ensure your cloud is secure.

Our Azure pentesters follow manual and automated pentesting processes that use commercial, open source, and proprietary Azure penetration testing tools to evaluate your Azure cloud infrastructure from the perspective of anonymous and authenticated users.

How to understand our roadmap: Available - Feature now available for use by applicable customers. May not be available in all AWS regions. Preview - Feature released in preview to gather feedback. May not be available to all applicable customers or in all AWS regions. Developing - Feature in active development and testing. Planned - Feature under consideration or planned for future development.


Welcome to the group! You can connect with other members, ge...


bottom of page