Project Icon

Active-Directory-Exploitation-Cheat-Sheet

Windows Active Directory渗透测试实战指南

这是一个全面的Windows Active Directory渗透测试资源库,涵盖域枚举、特权提升、横向移动等多个环节。项目收录了PowerView、BloodHound等常用工具,并提供详细的攻击技术说明,可帮助安全人员深入评估Active Directory环境。

Active Directory Exploitation Cheat Sheet

This cheat sheet contains common enumeration and attack methods for Windows Active Directory.

This cheat sheet is inspired by the PayloadAllTheThings repo.

Just Walking The Dog

Summary

Tools

Domain Enumeration

Using PowerView

Powerview v.3.0
Powerview Wiki

  • Get Current Domain: Get-Domain

  • Enumerate Other Domains: Get-Domain -Domain <DomainName>

  • Get Domain SID: Get-DomainSID

  • Get Domain Policy:

    Get-DomainPolicy
    
    #Will show us the policy configurations of the Domain about system access or kerberos
    Get-DomainPolicy | Select-Object -ExpandProperty SystemAccess
    Get-DomainPolicy | Select-Object -ExpandProperty KerberosPolicy
    
  • Get Domain Controllers:

    Get-DomainController
    Get-DomainController -Domain <DomainName>
    
  • Enumerate Domain Users:

    #Save all Domain Users to a file
    Get-DomainUser | Out-File -FilePath .\DomainUsers.txt
    
    #Will return specific properties of a specific user
    Get-DomainUser -Identity [username] -Properties DisplayName, MemberOf | Format-List
    
    #Enumerate user logged on a machine
    Get-NetLoggedon -ComputerName <ComputerName>
    
    #Enumerate Session Information for a machine
    Get-NetSession -ComputerName <ComputerName>
    
    #Enumerate domain machines of the current/specified domain where specific users are logged into
    Find-DomainUserLocation -Domain <DomainName> | Select-Object UserName, SessionFromName
    
  • Enum Domain Computers:

    Get-DomainComputer -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
    
    #Enumerate Live machines
    Get-DomainComputer -Ping -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
    
  • Enum Groups and Group Members:

    #Save all Domain Groups to a file:
    Get-DomainGroup | Out-File -FilePath .\DomainGroup.txt
    
    #Return members of Specific Group (eg. Domain Admins & Enterprise Admins)
    Get-DomainGroup -Identity '<GroupName>' | Select-Object -ExpandProperty Member
    Get-DomainGroupMember -Identity '<GroupName>' | Select-Object MemberDistinguishedName
    
    #Enumerate the local groups on the local (or remote) machine. Requires local admin rights on the remote machine
    Get-NetLocalGroup | Select-Object GroupName
    
    #Enumerates members of a specific local group on the local (or remote) machine. Also requires local admin rights on the remote machine
    Get-NetLocalGroupMember -GroupName Administrators | Select-Object MemberName, IsGroup, IsDomain
    
    #Return all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences
    Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
    
  • Enumerate Shares:

    #Enumerate Domain Shares
    Find-DomainShare
    
    #Enumerate Domain Shares the current user has access
    Find-DomainShare -CheckShareAccess
    
    #Enumerate "Interesting" Files on accessible shares
    Find-InterestingDomainShareFile -Include *passwords*
    
  • Enum Group Policies:

    Get-DomainGPO -Properties DisplayName | Sort-Object -Property DisplayName
    
    #Enumerate all GPOs to a specific computer
    Get-DomainGPO -ComputerIdentity <ComputerName> -Properties DisplayName | Sort-Object -Property DisplayName
    
    #Get users that are part of a Machine's local Admin group
    Get-DomainGPOComputerLocalGroupMapping -ComputerName <ComputerName>
    
  • Enum OUs:

    Get-DomainOU -Properties Name | Sort-Object -Property Name
    
  • Enum ACLs:

    # Returns the ACLs associated with the specified account
    Get-DomaiObjectAcl -Identity <AccountName> -ResolveGUIDs
    
    #Search for interesting ACEs
    Find-InterestingDomainAcl -ResolveGUIDs
    
    #Check the ACLs associated with a specified path (e.g smb share)
    Get-PathAcl -Path "\\Path\Of\A\Share"
    
  • Enum Domain Trust:

    Get-DomainTrust
    Get-DomainTrust -Domain <DomainName>
    
    #Enumerate all trusts for the current domain and then enumerates all trusts for each domain it finds
    Get-DomainTrustMapping
    
  • Enum Forest Trust:

    Get-ForestDomain
    Get-ForestDomain -Forest <ForestName>
    
    #Map the Trust of the Forest
    Get-ForestTrust
    Get-ForestTrust -Forest <ForestName>
    
  • User Hunting:

    #Finds all machines on the current domain where the current user has local admin access
    Find-LocalAdminAccess -Verbose
    
    #Find local admins on all machines of the domain
    Find-DomainLocalGroupMember -Verbose
    
    #Find computers were a Domain Admin OR a spesified user has a session
    Find-DomainUserLocation | Select-Object UserName, SessionFromName
    
    #Confirming admin access
    Test-AdminAccess
    

    :heavy_exclamation_mark: Priv Esc to Domain Admin with User Hunting:
    I have local admin access on a machine -> A Domain Admin has a session on that machine -> I steal his token and impersonate him -> Profit!

Using AD Module

  • Get Current Domain: Get-ADDomain

  • Enum Other Domains: Get-ADDomain -Identity <Domain>

  • Get Domain SID: Get-DomainSID

  • Get Domain Controlers:

    Get-ADDomainController
    Get-ADDomainController -Identity <DomainName>
    
  • Enumerate Domain Users:

    Get-ADUser -Filter * -Identity <user> -Properties *
    
    #Get a spesific "string" on a user's attribute
    Get-ADUser -Filter 'Description -like "*wtver*"' -Properties Description | select Name, Description
    
  • Enum Domain Computers:

    Get-ADComputer -Filter * -Properties *
    Get-ADGroup -Filter *
    
  • Enum Domain Trust:

    Get-ADTrust -Filter *
    Get-ADTrust -Identity <DomainName>
    
  • Enum Forest Trust:

    Get-ADForest
    Get-ADForest -Identity <ForestName>
    
    #Domains of Forest Enumeration
    (Get-ADForest).Domains
    
  • Enum Local AppLocker Effective Policy:

    Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
    

Using BloodHound

Remote BloodHound

Python BloodHound Repository or install it with pip3 install bloodhound

bloodhound-python -u <UserName> -p <Password> -ns <Domain Controller's Ip> -d <Domain> -c All

On Site BloodHound

#Using exe ingestor
.\SharpHound.exe --CollectionMethod All --LdapUsername <UserName> --LdapPassword <Password> --domain <Domain> --domaincontroller <Domain Controller's Ip> --OutputDirectory <PathToFile>

#Using PowerShell module ingestor
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All --LdapUsername <UserName> --LdapPassword <Password> --OutputDirectory <PathToFile>

Using Adalanche

Remote Adalanche

# kali linux:
./adalanche collect activedirectory --domain <Domain> \
--username <Username@Domain> --password <Password> \
--server <DC>

# Example:
./adalanche collect activedirectory --domain windcorp.local \
--username spoNge369@windcorp.local --password 'password123!' \
--server dc.windcorp.htb
## -> Terminating successfully

## Any error?:

# LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority ?

./adalanche collect activedirectory --domain windcorp.local \
--username spoNge369@windcorp.local --password 'password123!' \
--server dc.windcorp.htb --tlsmode NoTLS --port 389

# Invalid Credentials ?
./adalanche collect activedirectory --domain windcorp.local \
--username spoNge369@windcorp.local --password 'password123!' \
--server dc.windcorp.htb --tlsmode NoTLS --port 389 \
--authmode basic

# Analyze data 
# go to web browser -> 127.0.0.1:8080
./adalanche analyze

Useful Enumeration Tools

  • ldapdomaindump Information dumper via LDAP
  • adidnsdump Integrated DNS dumping by any authenticated user
  • ACLight Advanced Discovery of Privileged Accounts
  • ADRecon Detailed Active Directory Recon Tool

Local Privilege Escalation

Useful Local Priv Esc Tools

  • PowerUp Misconfiguration Abuse
  • BeRoot General Priv Esc Enumeration Tool
  • Privesc General Priv Esc Enumeration Tool
  • FullPowers Restore A Service Account's Privileges

Lateral Movement

PowerShell Remoting

#Enable PowerShell Remoting on current Machine (Needs Admin Access)
Enable-PSRemoting

#Entering or Starting a new PSSession (Needs Admin Access)
$sess = New-PSSession -ComputerName <Name>
Enter-PSSession -ComputerName <Name> OR -Sessions <SessionName>

Remote Code Execution with PS Credentials

$SecPassword = ConvertTo-SecureString '<Wtver>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb.local\<WtverUser>', $SecPassword)
Invoke-Command -ComputerName <WtverMachine> -Credential $Cred -ScriptBlock {whoami}

Import a PowerShell Module and Execute its Functions Remotely

#Execute the command and start a session
Invoke-Command
项目侧边栏1项目侧边栏2
推荐项目
Project Cover

豆包MarsCode

豆包 MarsCode 是一款革命性的编程助手,通过AI技术提供代码补全、单测生成、代码解释和智能问答等功能,支持100+编程语言,与主流编辑器无缝集成,显著提升开发效率和代码质量。

Project Cover

AI写歌

Suno AI是一个革命性的AI音乐创作平台,能在短短30秒内帮助用户创作出一首完整的歌曲。无论是寻找创作灵感还是需要快速制作音乐,Suno AI都是音乐爱好者和专业人士的理想选择。

Project Cover

白日梦AI

白日梦AI提供专注于AI视频生成的多样化功能,包括文生视频、动态画面和形象生成等,帮助用户快速上手,创造专业级内容。

Project Cover

有言AI

有言平台提供一站式AIGC视频创作解决方案,通过智能技术简化视频制作流程。无论是企业宣传还是个人分享,有言都能帮助用户快速、轻松地制作出专业级别的视频内容。

Project Cover

Kimi

Kimi AI助手提供多语言对话支持,能够阅读和理解用户上传的文件内容,解析网页信息,并结合搜索结果为用户提供详尽的答案。无论是日常咨询还是专业问题,Kimi都能以友好、专业的方式提供帮助。

Project Cover

讯飞绘镜

讯飞绘镜是一个支持从创意到完整视频创作的智能平台,用户可以快速生成视频素材并创作独特的音乐视频和故事。平台提供多样化的主题和精选作品,帮助用户探索创意灵感。

Project Cover

讯飞文书

讯飞文书依托讯飞星火大模型,为文书写作者提供从素材筹备到稿件撰写及审稿的全程支持。通过录音智记和以稿写稿等功能,满足事务性工作的高频需求,帮助撰稿人节省精力,提高效率,优化工作与生活。

Project Cover

阿里绘蛙

绘蛙是阿里巴巴集团推出的革命性AI电商营销平台。利用尖端人工智能技术,为商家提供一键生成商品图和营销文案的服务,显著提升内容创作效率和营销效果。适用于淘宝、天猫等电商平台,让商品第一时间被种草。

Project Cover

AIWritePaper论文写作

AIWritePaper论文写作是一站式AI论文写作辅助工具,简化了选题、文献检索至论文撰写的整个过程。通过简单设定,平台可快速生成高质量论文大纲和全文,配合图表、参考文献等一应俱全,同时提供开题报告和答辩PPT等增值服务,保障数据安全,有效提升写作效率和论文质量。

投诉举报邮箱: service@vectorlightyear.com
@2024 懂AI·鲁ICP备2024100362号-6·鲁公网安备37021002001498号