In my job as a pentester, I often show some of the tools I use to the system administrators at a client. They are often astounded by the amount of information I get out of their environment and the ease with which I get it. That is why I decided to collect and describe some of these tools on my blog. One of the biggest factors in enterprise security these days is Active Directory, which is the area I want to focus on here.
BloodHound is a tool to visualize objects and attack paths within a (or several) Active Directory domain(s). While the paid Enterprise Edition offers some cool features like continuous analysis, remediation guidance and improvement measurement over time, the Legacy Edition and Community Edition are free to use and can give an overview based on a snapshot, which, in my experience, is already a lot more than a lot of system administrators have access to.
The BloodHound GUI (and the underlying neo4j database) is fed with data from so-called collectors, of which several are available. There is SharpHound, written in C#, as well as a PowerShell wrapper for it. Note that both might trigger AV/EDR alerts. There is also the Python-based collector BloodHound.py by Dirk-jan Mollema, which even runs on Linux systems, so collection can be done from a machine that is not domain-joined. All any of these collectors needs is the credentials of an ordinary domain user, which is exactly why the results matter.
Once the data is collected, the resulting .json or .zip files can be uploaded via the BloodHound GUI and visualized as graphs. From there on, powerful queries can be crafted to detect potential attack paths. For starters, the pre-built analytics queries in the Analytics tab of the GUI already offer a good overview of what might be interesting to attackers.
Microsoft's Active Directory Certificate Services (ADCS) can be affected by a series of critical misconfigurations, commonly referred to as vulnerabilities, allowing privilege escalation within a domain, sometimes even directly to domain administrator. The tools Certify (written in C#) and Certipy (written in Python) can help identify them. The commands for that are Certify.exe find /vulnerable and certipy find -vulnerable respectively; both work with the credentials of an ordinary domain user. The issues are called ESC[n], where [n] is a number between 1 and (at the time of writing) 15. Googling these will quickly give more information about the nature of each issue and how to remediate it.
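As an added example (not part of the original post, and not the code of Certify or Certipy), the following Python reimplements the ESC1 check those tools perform, applied to constructed certificate template attributes so that it runs without a domain. The flag bits and EKU OIDs are the real ones from the AD schema; the LOW_PRIV_PRINCIPALS set and the plain-name enroll_principals field are assumptions that stand in for the security descriptor parsing the real tools do.

```python
from dataclasses import dataclass, field

# Flag bits from the AD schema attributes of pKICertificateTemplate objects.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag (manager approval)

# EKU OIDs that let a certificate be used to authenticate to the domain.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Assumption: a fixed set of principal names counts as "low-privileged".
# Certify/Certipy resolve the template's security descriptor instead; here
# the principals holding Enroll rights are supplied as plain names.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


@dataclass
class Template:
    name: str
    published: bool                 # listed in some CA's certificateTemplates attribute
    name_flag: int                  # msPKI-Certificate-Name-Flag
    enrollment_flag: int            # msPKI-Enrollment-Flag
    ra_signatures: int              # msPKI-RA-Signature
    ekus: list = field(default_factory=list)              # pKIExtendedKeyUsage
    enroll_principals: set = field(default_factory=set)   # who holds Enroll on the template


def allows_authentication(ekus):
    # No EKU at all means "no restriction", which includes client authentication.
    return not ekus or any(oid in AUTH_EKUS for oid in ekus)


def esc1_blockers(t):
    """Return the ESC1 conditions this template does NOT meet. An empty list means ESC1."""
    blockers = []
    if not t.published:
        blockers.append("not published by any CA")
    if not t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        blockers.append("enrollee cannot supply the subject")
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("manager approval required")
    if t.ra_signatures > 0:
        blockers.append("authorized signatures required")
    if not allows_authentication(t.ekus):
        blockers.append("EKU does not allow domain authentication")
    if not (t.enroll_principals & LOW_PRIV_PRINCIPALS):
        blockers.append("no low-privileged principal holds Enroll")
    return blockers


def find_esc1(templates):
    """Names of the templates that meet every ESC1 condition."""
    return [t.name for t in templates if not esc1_blockers(t)]


# Constructed sample data, not taken from any real domain.
SAMPLE_TEMPLATES = [
    # Classic ESC1: a custom template cloned from "Web Server", changed to let the
    # requester supply the subject (and thus a SAN) and opened up to Domain Users.
    Template("CustomWebServer", True, 0x1, 0x0, 0,
             ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"], {"Domain Users"}),
    # A "User"-style template: the subject is built from AD, the enrollee supplies nothing.
    Template("User", True, 0xA6000000, 0x29, 0, ["1.3.6.1.5.5.7.3.2"], {"Domain Users"}),
    # Same as the first, but every request is held for CA manager approval.
    Template("CustomWebServerApproved", True, 0x1, 0x2, 0, ["1.3.6.1.5.5.7.3.2"], {"Domain Users"}),
    # Same as the first, but only Domain Admins may enroll.
    Template("AdminOnly", True, 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], {"Domain Admins"}),
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        verdict = esc1_blockers(t)
        print(f"{t.name}: {'ESC1' if not verdict else ', '.join(verdict)}")
```

Reading the blockers list for a template is also the remediation checklist: flipping any one of them (most often removing the enrollee-supplies-subject flag, or requiring manager approval) is enough to take a template out of ESC1.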
PingCastle is a good tool to quickly get a visual overview of the security posture of an Active Directory domain. While there are different paid licenses with tons of additional features, the basic health check provided with the free version can already be a good foundation for most organizations. The resulting report can be in either .xml or .html format; the former is meant for machines and the latter for humans - it has lots of colors!
To find accounts vulnerable to the so-called Kerberoast attack, one has to look for Active Directory domain user accounts that are configured with a Service Principal Name (SPN): any authenticated domain user can request a service ticket for such an SPN, and that ticket is encrypted with the service account's password hash, so it can be cracked offline. Computer accounts are not interesting here, since their passwords are long, random and rotated automatically. While this is a built-in query in BloodHound, it can also be achieved in a myriad of other ways, in case BloodHound is not an option. One such way is the GetUserSPNs.py script, which is part of the incredibly useful impacket. Another tool that can achieve the same (and even more) is Rubeus. Running Rubeus.exe kerberoast /stats will give quite a bit of info about kerberoastable accounts, including the encryption types their tickets support; RC4 tickets crack far faster than AES ones, so accounts without AES-only settings are the ones to look at first. Once again it should be noted that these tools might (and preferably should) trigger AV/EDR alerts.
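As an added example (not part of the original post, and not impacket or Rubeus code), the following Python shows what "user accounts with an SPN" means in LDAP terms and applies the same checks to constructed directory entries, so it runs without a domain controller. The filter string is my equivalent of what these tools send to the DC, not a copy of theirs; treating an absent or zero msDS-SupportedEncryptionTypes as "RC4 available" is an assumption that matches the classic default.

```python
UF_ACCOUNTDISABLE = 0x0002   # userAccountControl bit for disabled accounts

# msDS-SupportedEncryptionTypes bits (only the ones that matter here)
ENC_RC4_HMAC = 0x04
ENC_AES128 = 0x08
ENC_AES256 = 0x10

# An LDAP filter equivalent to what the tools use: user objects (objectCategory
# person excludes computers) with at least one SPN that are not disabled,
# leaving out krbtgt, whose tickets are not what Kerberoasting is after.
KERBEROASTABLE_FILTER = (
    "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
    "(!(sAMAccountName=krbtgt)))"
)


def is_kerberoastable(entry):
    """entry: dict of LDAP attribute name -> value, shaped like an LDAP search result."""
    classes = entry.get("objectClass", [])
    if "computer" in classes:
        return False                      # machine passwords are random and rotated
    if "user" not in classes:
        return False
    if not entry.get("servicePrincipalName"):
        return False                      # no SPN, no service ticket to request
    if entry.get("userAccountControl", 0) & UF_ACCOUNTDISABLE:
        return False                      # the KDC issues no tickets for it
    if entry.get("sAMAccountName", "").lower() == "krbtgt":
        return False
    return True


def weakest_etype(entry):
    """Weakest encryption type an attacker can get the service ticket in.
    Assumption: absent/zero msDS-SupportedEncryptionTypes means RC4 is available.
    AES-only accounts still yield crackable tickets, just far slower to crack."""
    etypes = entry.get("msDS-SupportedEncryptionTypes", 0)
    if etypes & (ENC_AES128 | ENC_AES256) and not etypes & ENC_RC4_HMAC:
        return "AES"
    return "RC4"


def find_kerberoastable(entries):
    """(sAMAccountName, etype) for every roastable entry, RC4 accounts first."""
    hits = [(e["sAMAccountName"], weakest_etype(e)) for e in entries if is_kerberoastable(e)]
    return sorted(hits, key=lambda h: (h[1] != "RC4", h[0]))


USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed sample entries, not from any real domain.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_sql", "objectClass": USER_CLASSES,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "userAccountControl": 0x10200},                      # enabled, password never expires
    {"sAMAccountName": "svc_web", "objectClass": USER_CLASSES,
     "servicePrincipalName": ["HTTP/web01.corp.local"],
     "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": ENC_AES128 | ENC_AES256},   # AES only
    {"sAMAccountName": "svc_old", "objectClass": USER_CLASSES,
     "servicePrincipalName": ["HTTP/legacy.corp.local"],
     "userAccountControl": 0x202},                        # disabled
    {"sAMAccountName": "WS01$", "objectClass": USER_CLASSES + ["computer"],
     "servicePrincipalName": ["HOST/ws01.corp.local"],
     "userAccountControl": 0x1000},
    {"sAMAccountName": "krbtgt", "objectClass": USER_CLASSES,
     "servicePrincipalName": ["kadmin/changepw"],
     "userAccountControl": 0x202},
    {"sAMAccountName": "jdoe", "objectClass": USER_CLASSES,
     "userAccountControl": 0x200},                        # ordinary user, no SPN
]

if __name__ == "__main__":
    for sam, etype in find_kerberoastable(SAMPLE_ENTRIES):
        print(f"{sam}: ticket obtainable with {etype}")
```

The fix on the defensive side follows directly from the checks: service accounts that need an SPN should get a long random password (or be converted to a group managed service account) and be restricted to AES via msDS-SupportedEncryptionTypes, which moves them out of the first bucket.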
These tools often show critical vulnerabilities, and fixing them can already do wonders in terms of Active Directory security. While they certainly won't be sufficient to achieve 100% security - far from it, actually - they can definitely help prevent the infamous "domain admin before lunch" that my coworkers and I often try to achieve during an Active Directory pentest.
Note: These are just the tools that I have most often experienced system administrators asking about. If you think there are other tools that should be on this list, let me know. My Mastodon DMs are open!