I was talking to a pen testing company recently at a data security conference to learn more about “day in the life” aspects of their trade. Their president told me that one of their initial obstacles in getting an engagement is fear from IT that the pen testers will bring down the system.
Some of the most interesting pen testing can be accomplished by passively gathering information. I’ve already covered some of these ideas in my “pen testing explained” series, where I showed that the more you know about your environment — IP addresses, computer names, users and especially admin accounts, as well as where sensitive content is likely to reside — the better position you’re in as a hacker to get the goodies and do real damage to the victim.
Hackers have known for a long time that Active Directory is a very rich source of this kind of incidental information – really metadata – that can be used to accelerate the post-exploitation process.
The origin of this ebook comes out of my own experiences exploring and blogging about the detailed data on users, groups, and other system information held within Active Directory. In this ebook, we’ll learn more about PowerView, which is part of the PowerShell Empire, a post-exploitation environment. PowerView essentially gives you easy access to AD information, wrapping the raw API calls into a more useful set of PowerShell cmdlets.
Active Directory information is also about connections, so it makes sense to understand some graph theory to get the most out of the Active Directory data. We’ll be looking into basic graph ideas as well.
In writing this ebook, I’m very aware that I’m standing on the shoulders of giants. This includes Will Schroeder and Justin Warner, who co-founded the PowerShell Empire project, as well as Andy Robbins.