Description
Hi,
I'm opening this issue to propose adding Active Directory (AD) & Domain vulnerabilities to the VRT. Below are suggested entries and short justifications:
Active Directory (AD) & Domain > Anonymous FTP Servers > Varies
Anonymous FTP on internal AD networks can expose sensitive files or scripts, aiding attackers in lateral movement or privilege escalation. While not inherently critical, it presents a clear misconfiguration in AD environments that weakens internal defenses.
Active Directory (AD) & Domain > Anonymous SMB File Shares > Varies
Exposing SMB shares without authentication in a domain environment often leaks sensitive credentials, configuration files, or scripts. This significantly aids internal recon and privilege escalation, making it more impactful than a typical file disclosure.
Active Directory (AD) & Domain > Hosts Vulnerable to PetitPotam Attacks > P1
PetitPotam can force NTLM authentication to a relay server, enabling full domain compromise via AD CS abuse or credential relay. It’s highly exploitable and has been weaponized in real-world attacks, warranting critical severity.
Active Directory (AD) & Domain > LDAP Anonymous Bind > P2
Allowing anonymous LDAP binds in AD exposes directory structure and user data, which supports recon for privilege escalation or lateral movement. Though not immediately exploitable, it's a dangerous misconfiguration in enterprise environments.
Active Directory (AD) & Domain > LLMNR Poisoning > P2
LLMNR allows credential capture through spoofed responses, letting attackers steal NTLM hashes in AD environments. It’s a well-documented, impactful vector in internal attack chains, especially when paired with relay tools.
Active Directory (AD) & Domain > NULL Sessions on Domain Controller > P3
NULL sessions on DCs give unauthenticated access to sensitive data like user lists and shares. This is a severe AD misconfiguration that facilitates recon and lays groundwork for privilege escalation or lateral movement.
Active Directory (AD) & Domain > NetBIOS Poisoning > P3
Similar to LLMNR, NetBIOS spoofing can capture hashes or redirect traffic internally. While its impact is limited on hardened networks, it's still a viable vector in poorly segmented AD setups.
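As an added example (not part of the original issue or of the VRT project), the following read-only PowerShell audit checks a domain-joined Windows host for the host-level hardening that would close most of the misconfigurations proposed above: LLMNR and NetBIOS name resolution, anonymous/NULL session restrictions, null-session SMB shares, anonymous LDAP bind (the dsHeuristics flag on the forest) and Extended Protection for Authentication on AD CS Web Enrollment, which is the documented mitigation for PetitPotam-style NTLM relay. The registry paths and attribute names are the documented ones; the "hardened" thresholds and the assumption that Web Enrollment lives under the default `IIS:\Sites\Default Web Site\CertSrv` path are this script's own assumptions, so adjust them to your environment.

```powershell
# Added example, not from the original issue or the VRT project.
# Read-only audit of host settings behind the proposed AD/Domain VRT entries.
# Run elevated on a domain-joined Windows host; the LDAP and AD CS checks are
# skipped when the ActiveDirectory / WebAdministration modules are not installed.
# Hardening thresholds below are this script's assumptions, not VRT policy.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key/value absent -> OS default, usually the weak setting
}

function Add-Finding {
    param([string]$Check, $Value, [bool]$Hardened)
    [pscustomobject]@{ Check = $Check; Value = $Value; Hardened = $Hardened }
}

$findings = @()

# LLMNR poisoning: mitigated when multicast name resolution is turned off by policy.
$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
$findings += Add-Finding 'LLMNR disabled (EnableMulticast = 0)' $llmnr ($llmnr -eq 0)

# NetBIOS poisoning: NetBIOS over TCP/IP disabled (NetbiosOptions = 2) on every interface.
$ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' -ErrorAction SilentlyContinue
$nbtOn  = @($ifaces | Where-Object { (Get-RegValue $_.PSPath 'NetbiosOptions') -ne 2 })
$findings += Add-Finding 'NetBIOS over TCP/IP disabled on all interfaces' "$($nbtOn.Count) interface(s) still enabled" ($nbtOn.Count -eq 0)

# NULL sessions: LSA restrictions on anonymous enumeration of SAM accounts and shares.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ra  = Get-RegValue $lsa 'RestrictAnonymous'
$ras = Get-RegValue $lsa 'RestrictAnonymousSAM'
$eia = Get-RegValue $lsa 'EveryoneIncludesAnonymous'
$findings += Add-Finding 'RestrictAnonymous = 1 (no anonymous SAM/share enumeration)' $ra ($ra -eq 1)
$findings += Add-Finding 'RestrictAnonymousSAM = 1' $ras ($ras -eq 1)
$findings += Add-Finding 'EveryoneIncludesAnonymous = 0' $eia ($eia -eq 0)

# Anonymous SMB shares: the NullSessionShares list should be empty.
$nss = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'NullSessionShares'
$nssList = @($nss | Where-Object { $_ -and $_.Trim() -ne '' })
$findings += Add-Finding 'No NullSessionShares configured' ($nssList -join ', ') ($nssList.Count -eq 0)

# Anonymous LDAP bind: the 7th character of dsHeuristics set to '2' allows anonymous
# LDAP operations beyond rootDSE. Forest-wide setting, read from the Configuration NC.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory -ErrorAction SilentlyContinue
    try {
        $cfg = (Get-ADRootDSE).configurationNamingContext
        $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties dsHeuristics
        $h   = [string]$ds.dsHeuristics
        $anonLdap = ($h.Length -ge 7 -and $h[6] -eq '2')
        $findings += Add-Finding 'Anonymous LDAP operations not enabled (dsHeuristics[7] != 2)' $h (-not $anonLdap)
    } catch {
        $findings += Add-Finding 'Anonymous LDAP check' "error: $($_.Exception.Message)" $false
    }
} else {
    $findings += Add-Finding 'Anonymous LDAP check' 'skipped: ActiveDirectory module missing' $false
}

# PetitPotam / NTLM relay to AD CS: Web Enrollment should require Extended Protection
# for Authentication (EPA). Assumes the default CertSrv virtual directory; skipped
# when this host is not an AD CS web enrollment server.
$certSrv = 'IIS:\Sites\Default Web Site\CertSrv'
if ((Get-Module -ListAvailable -Name WebAdministration) -and (Import-Module WebAdministration -PassThru -ErrorAction SilentlyContinue) -and (Test-Path $certSrv)) {
    $raw = Get-WebConfigurationProperty -PSPath $certSrv `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name 'tokenChecking' -ErrorAction SilentlyContinue
    # The cmdlet may return either a plain value or an attribute object with .Value
    $epa = if ($raw -and $raw.PSObject.Properties['Value']) { [string]$raw.Value } else { [string]$raw }
    $findings += Add-Finding 'AD CS Web Enrollment EPA tokenChecking = Require' $epa ($epa -eq 'Require')
} else {
    $findings += Add-Finding 'AD CS Web Enrollment EPA check' 'skipped: not an AD CS web enrollment host' $false
}

$findings | Format-Table -AutoSize -Wrap
$weak = @($findings | Where-Object { -not $_.Hardened })
Write-Host "`n$($weak.Count) check(s) not confirmed hardened."
```

The script only reads settings and never changes them, so it is safe to run from a scheduled compliance job; anonymous FTP is not covered because it depends on the FTP server product in use rather than on a fixed Windows setting. A missing registry value is reported as the OS default, which for most of these keys is the weaker behaviour, so "not hardened" here means "not explicitly hardened" rather than "confirmed vulnerable".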