Our great sponsors
-
ADRecon
ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
You can run ADRecon to create an Excel report with all AD objects like users, groups, computers etc. Very useful to get an overview of you AD. Especially inspect the Excel tab "users" and go through the columns "info" and "description". Many companies store cleartext credentials or initial passwords in these fields. Those fields can be read by any authenticated AD user and is not a great place to put sensitive data
Another default misconfiguration or attack scenario is Kerberoasting. If you have SPN user accounts, those are susceptible to said attack. Any authenticated AD user can retrieve the hash of a SPN user account and crack the hash offline. If you get lucky, you can obtain the cleartext password of a SPN user. Since many companies are lazy, those service accounts often run with high privileges such as domain admin. You can retrieve those SPN hashes via PowerView and the following command Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat | % { $_.Hash } > kerberos-hashes.txt. Crack those hashes offline with hashcat.