I’ve seen guides scattered across the internet on how to conduct a penetration test on a domain. The aim of this post is to centralize those techniques with examples of my own, as well as a few tips and tricks along the way. It’s important to remember a few things when pentesting a domain:
- This isn’t a Vulnhub VM network. You cannot be loud, and you need to be as stealthy as possible. This means no running hydra -t 100 against everything; you don’t want to lock accounts out or get discovered by the blue team.
- This is all about taking advantage of misconfigurations around the network, from default credentials to bad group policy settings. This is much more than your typical “find exploitable service and exploit it”.
- The goal isn’t just domain admin. Domain admin is an excellent milestone to reach, but it isn’t the endgame. The endgame is to show your customer their vulnerabilities, which may mean there are several avenues to domain admin. Once you have that account, it’s time to recon and see what you can find, e.g. whether they’re storing PCI data in plain text (violation) or have a spreadsheet of everyone’s SSNs (violation).