Active Directory

Also, consider taking a look at my Active Directory Attack Map.
While it doesn't cover every possible attack avenue, and isn't as sophisticated as some other mindmaps, I think it does a pretty good job of visualizing some of the information found in this book.

Initial Attack Vectors

Internal: Attack vectors that are ideal for internal penetration tests, where the att...

Enumerating Hosts and Identifying the Domain Controllers

Enumerating Live Hosts Internal ARP-Scan Since this is an internal assessment, Kali is on the ...

LLMNR Poisoning (Internal)

Note: Network Environment Given that LLMNR is a name resolution protocol that works on the Local...

SMB Relay (Internal/External)

Note: Network Environment This attack works best in a flat network. However, as long as the atta...

IPv6 DNS Spoofing (Internal)

Note: Network Environment This spoofing attack works by sending a router announcement to mul...

NULL Session Enumeration (Internal/External)

NULL Session LDAP, SMB, and RPC may allow a user to authenticate to the service without providin...

Using Faketime for Ad-Hoc Kerberos Authentication

Installing Faketime sudo apt install faketime faketime -h This will run the specified 'progr...

Kerberos Pre-Auth Username Enumeration

How it Works We can send a request for a TGT --- without a pre-authentication hash --- to the Ke...

AS-REP Roasting (Internal/External)

AS-REP Roasting If Kerberos pre-authentication is disabled on a user account in Active Directory...

Passback Attacks (Internal/External)

What's the Flaw? Usually involves an unsecure device -- like a printer or multifunction device -...

PrintNightmare (Internal/External)

Remote Code Execution https://github.com/cube0x0/CVE-2021-1675 Contains full details on scannin...

NTLM Credential Stuffing (Internal/External)

NTLM Basic Authentication Could obtain a list of usernames via OSINT, or via something like RI...

Post Exploitation: Enumeration

PowerShell AD Module on Any Domain Host as Any User

Borrow a DLL Normally, one must install RSAT (Remote Server Administration Tools) on a host to m...

Dumping DNS Records with adidnsdump

Active Directory Integrated DNS Dump (adidnsdump) GitHub Repository Installation python3 -m pi...

CrackMapExec

When to Use Useful post-compromise if you've dumped hashes from SAM or LSASS or obtained clearte...

PowerView

Overview A set of PowerShell functions that can be used to enumerate ActiveDirectory. Part of th...

BloodHound

1. Installation sudo apt install -y neo4j bloodhound 2. Setup sudo neo4j console & Navi...

Remote Bloodhound

GitHub Repo Prerequisites impacket ldap3 dnspython Installation python3 -m pip insta...

LdapDomainDump

When to Use You'll know when you've found a domain controller, because it will have ...

LdapSearch

When to Use You'll know when you've found a domain controller, because it will have several por...

Enum4Linux

Details Enum4linux is a tool for enumerating information from Windows and Samba systems. It at...

GetADUsers.py

When to Use Helpful in post-compromise enumeration. If you've compromised a domain-joined host, ...

GetUserSPNs.py

When to Use Useful in post-compromise enumeration. If you acquire user passwords or hashes for a...

Manual Enumeration

net.exe Drawbacks net does not show nested groups net only shows up to 10 groups even if a u...

Extracting Kerberos AS-REQ Pre-Auth Hashes from PCAPs

PCAP Analysis Note the existence of KRB5 protocol traffic on tcp/88, which is further identifi...

Post Exploitation: Attacks

Mimikatz

Overview https://github.com/gentilkiwi/mimikatz There are various spin-offs of the Mimikatz pro...

Dumping Passwords from Windows Credential Manager

Credential Enumeration cmdkey /list In reverse shells, I have noticed that it's impossible to s...

Dumping Hashes without Mimikatz

Post-Compromise on Target Lsass Process Dump Sysinternals ProcDump Download ProcDump here # D...

Impacket-Addcomputer

When to Use Could be used post-compromise upon enumerating the ms-DS-MachineAccountQuota policy....

DCSync

DCSync Overview DC Sync is a legitimate function of Active Directory environments where a domain...

Pass the Password

Overview Cracked a hash or discovered a password for a domain user. Use the password and crackma...

Pass the Hash

Overview Dumped the SAM or LSA and now have hashes for domain or local users. Use the hash and...

Pass the Ticket

Anatomy of a Kerberos Ticket [0;97d82]-2-0-40e10000-t2_felicia.dean@krbtgt-ZA.TRYHACKME.COM.kirb...

Pass the Key

Kerberos Encryption Keys Policies on the domain controller will dictate which encryption algorit...

Password & Credential Brute Force

User Enumeration You have enumerated users with one of the methods defined here: CrackMapExec...

Token Impersonation

Overview Tokens are temporary keys that allow a user to perform actions on a system or network w...

Spawn Processes as Other Users

RunasCs.exe Project GitHub https://github.com/antonioCoco/RunasCs/releases Example Usage Spaw...

Kerberoasting

Overview The attacker uses a known username and password of a user on a domain. A typical Kerbe...

Group Policy Preferences (GPP)

Overview GPP allows admins to create policies with embedded credentials. The credentials are enc...

PrintNightmare

Local Privilege Escalation https://github.com/calebstewart/CVE-2021-1675

ZeroLogon

Caution This can potentially break a domain controller, due to the fact that this attack temporaril...

xfreerdp

Usage and Help Display the xfreerdp man page man xfreerdp Display the xfreerdp help output on ...