Active Directory
Also, consider taking a look at my Active Directory Attack Map.
While it doesn't cover every possible attack avenue, and isn't as sophisticated as some other mindmaps, I think it does a pretty good job of visualizing some of the information found in this book.
Initial Attack Vectors: Local Area Network
This chapter is Local Area Network (LAN) specific, as it requires the attacker's system to be con...
Initial Attack Vectors: Multipurpose
This chapter is "multipurpose" in the sense that the attacks listed here could be carried out on ...
Enumerating Hosts and Identifying the Domain Controllers
Fingerprinting Domain Controllers PORT STATE SERVICE 53/tcp open domain 88/tcp open...
Passback Attacks
What's the Flaw? Usually involves an insecure device -- like a printer or multifunction device -...
SMB Relay
Note: Network Environment This attack works best in a flat network. However, as long as the atta...
NULL Session Enumeration
NULL Session LDAP, SMB, and RPC may allow a user to authenticate to the service without providin...
Kerberos Pre-Auth Username Enumeration
How it Works We can send a request for a TGT --- without a pre-authentication hash --- to the Ker...
AS-REP Roasting
AS-REP Roasting If Kerberos pre-authentication is disabled on a user account in Active Directory...
NTLM Credential Stuffing
NTLM Basic Authentication Could obtain a list of usernames via OSINT, or via something like RI...
PrintNightmare
Remote Code Execution https://github.com/cube0x0/CVE-2021-1675 Contains full details on scanning ...
Initial Attack Vectors: Assumed Breach
STUB PAGE You are operating "assumed breach", and already possess a credential. Proceed to post...
Post Exploitation: Enumeration
Using Faketime for Ad-Hoc Kerberos Authentication
Installing Faketime sudo apt install faketime faketime -h This will run the specified 'program' ...
Kerberos Authentication from Kali
NetExec nxc smb DC01.domain.tld -d 'domain.tld' -u 'username' -p 'P@$$word123!' -k Use a user...
LdapDomainDump
When to Use You'll know when you've found a domain controller, because it will have ...
Remote Bloodhound
Nmap LDAP Enumeration Acquire DC DNS Name sudo nmap -Pn -T4 -p 389,636 --script ldap-rootdse <d...
BloodHound
Install and Initial Setup Kali Linux When changing the neo4j user password at initial setup, I ...
LdapSearch
When to Use You'll know when you've found a domain controller, because it will have several port...
Dumping DNS Records with adidnsdump
Active Directory Integrated DNS Dump (adidnsdump) GitHub Repository Installation pipx install ...
Enum4Linux
Details Enum4linux is a tool for enumerating information from Windows and Samba systems. It at...
NetExec
When to Use Useful post-compromise if you've dumped hashes from SAM or LSASS or obtained clearte...
GetADUsers.py
When to Use Helpful in post-compromise enumeration. If you've compromised a domain-joined host, ...
GetUserSPNs.py
When to Use Useful in post-compromise enumeration. If you acquire domain user passwords or hashe...
PowerShell AD Module on Any Domain Host as Any User
Borrow a DLL Normally, one must install RSAT (Remote Server Administration Tools) on a host to m...
PowerView
Overview A set of PowerShell functions that can be used to enumerate Active Directory. Part of th...
Manual Enumeration
Linux LdapSearch ldapsearch -x -H ldap://DC01.ad.lab -D 'john.doe@ad.lab' -W -b 'DC=ad,DC=lab' ...
Extracting Secrets from PCAPs
PCAP Analysis Kerberos AS-REQ Pre-Auth Hashes Note the existence of KRB5 protocol traffic on tcp...
Post Exploitation: Attacks
Linux Remote Desktop Client
Usage and Help Display the xfreerdp3 man page man xfreerdp3 Display the xfreerdp3 help output ...
Pass the Hash
Overview Dumped the SAM or LSA and now have hashes for domain or local users. Use the hash and...
Pass the Password
Overview Cracked a hash or discovered a password for a domain user. Use the password and nxc to ...
Pass the Key
Kerberos Encryption Keys Policies on the domain controller will dictate which encryption algorit...
Pass the Certificate
Cracking PFX Archives A .pfx archive is a way to bundle the certificate, key, and metadata in on...
Pass the Ticket
Anatomy of a Kerberos Ticket [0;97d82]-2-0-40e10000-t2_felicia.dean@krbtgt-ZA.TRYHACKME.COM.kirb...
Password & Credential Brute Force
User Enumeration You have enumerated users with one of the methods defined here: NetExec Pow...
Spawn Processes as Other Users
RunasCs.exe Project GitHub https://github.com/antonioCoco/RunasCs/releases Example Usage Spaw...
Kerberoasting
Overview The attacker uses a known username and password of a user on a domain. A typical Kerbe...
Dumping Passwords from Windows Credential Manager
Credential Enumeration cmdkey /list In reverse shells, I have noticed that it's impossible to s...
Dumping Hashes without Mimikatz
Post-Compromise on Target Lsass Process Dump Sysinternals ProcDump Download ProcDump here # D...
LdapModify
When to Use You'll know when you've found a domain controller, because it will have several port...
Mimikatz
Overview https://github.com/gentilkiwi/mimikatz There are various spin-offs of the Mimikatz pro...
Group Policy Preferences (GPP)
Overview GPP allows admins to create policies with embedded credentials. The credentials are enc...
Impacket-Addcomputer
When to Use Could be used post-compromise upon enumerating the ms-DS-MachineAccountQuota policy....
DCSync
DCSync Overview DC Sync is a legitimate function of Active Directory environments where a domain...
Token Impersonation
Overview Tokens are temporary keys that allow a user to perform actions on a system or network w...
Evil-WinRM Alternatives
Problem evil-winrm works great in a pinch, but is often very buggy, so I've documented some work...
PrintNightmare
Local Privilege Escalation https://github.com/calebstewart/CVE-2021-1675
ZeroLogon
Caution This can potentially break a domain controller, due to the fact that this attack temporaril...