10 Controlling the entire network
This chapter covers
- Identifying domain admin users
- Locating systems with domain admin users logged in
- Enumerating domain controller volume shadow copies (VSS)
- Stealing ntds.dit from VSS
- Extracting Active Directory password hashes from ntds.dit
It’s time to explain the final step in the privilege-escalation phase of an internal network penetration test (INTP). That, of course, is to take complete control of the enterprise network by gaining domain admin privileges within Active Directory. Domain admin users can log into any machine on the network, provided the machine is managed through Active Directory. If an attacker manages to gain domain admin privileges on an enterprise network, the outcome could be catastrophic for the business. If it’s not clear why, just think about the number of business-critical functions that are managed and operated from computer systems joined to the domain:
- Payroll & Accounting
- Human Resources
- Shipping & Receiving
- IT & Networking
- Research & Development
- Sales & Marketing
You get the idea. Name a function within the business, and it is likely managed by people who use computer systems that are joined to an Active Directory domain. Therefore, as penetration testers, we can conclude that our simulated cyber-attack can’t get much worse than gaining domain admin privileges on our client’s network.